@infuro/cms-core 1.0.8 → 1.0.10

package/dist/index.js

@@ -17,105 +17,91 @@ var __decorateClass = (decorators, target, key, kind) => {
   return result;
 };
 
-// src/plugins/email/email-service.ts
-var email_service_exports = {};
-__export(email_service_exports, {
-  EmailService: () => EmailService,
-  emailTemplates: () => emailTemplates
+// src/plugins/email/email-queue.ts
+var email_queue_exports = {};
+__export(email_queue_exports, {
+  queueEmail: () => queueEmail,
+  queueOrderPlacedEmails: () => queueOrderPlacedEmails,
+  registerEmailQueueProcessor: () => registerEmailQueueProcessor
 });
-import { SESClient, SendEmailCommand } from "@aws-sdk/client-ses";
-import nodemailer from "nodemailer";
-var EmailService, emailTemplates;
-var init_email_service = __esm({
-  "src/plugins/email/email-service.ts"() {
-    "use strict";
-    EmailService = class {
-      config;
-      sesClient;
-      transporter;
-      constructor(config) {
-        this.config = config;
-        if (config.type === "AWS") {
-          if (!config.region || !config.accessKeyId || !config.secretAccessKey) {
-            throw new Error("AWS SES configuration incomplete");
-          }
-          this.sesClient = new SESClient({
-            region: config.region,
-            credentials: { accessKeyId: config.accessKeyId, secretAccessKey: config.secretAccessKey }
-          });
-        } else if (config.type === "SMTP" || config.type === "GMAIL") {
-          if (!config.user || !config.password) throw new Error("SMTP configuration incomplete");
-          this.transporter = nodemailer.createTransport({
-            host: config.type === "GMAIL" ? "smtp.gmail.com" : void 0,
-            port: 587,
-            secure: false,
-            auth: { user: config.user, pass: config.password }
-          });
-        } else {
-          throw new Error(`Unsupported email type: ${config.type}`);
-        }
-      }
-      async send(emailData) {
-        try {
-          if (this.config.type === "AWS" && this.sesClient) {
-            await this.sesClient.send(
-              new SendEmailCommand({
-                Source: emailData.from || this.config.from,
-                Destination: { ToAddresses: [emailData.to || this.config.to] },
-                Message: {
-                  Subject: { Data: emailData.subject, Charset: "UTF-8" },
-                  Body: {
-                    Html: { Data: emailData.html, Charset: "UTF-8" },
-                    ...emailData.text && { Text: { Data: emailData.text, Charset: "UTF-8" } }
-                  }
-                }
-              })
-            );
-            return true;
-          }
-          if ((this.config.type === "SMTP" || this.config.type === "GMAIL") && this.transporter) {
-            await this.transporter.sendMail({
-              from: emailData.from || this.config.from,
-              to: emailData.to || this.config.to,
-              subject: emailData.subject,
-              html: emailData.html,
-              text: emailData.text
-            });
-            return true;
-          }
-          return false;
-        } catch (error) {
-          console.error("Email sending failed:", error);
-          return false;
+function registerEmailQueueProcessor(cms) {
+  const queue = cms.getPlugin("queue");
+  const email = cms.getPlugin("email");
+  if (!queue || !email) return;
+  queue.registerProcessor(EMAIL_QUEUE_NAME, async (data) => {
+    const payload = data;
+    const { to, templateName, ctx, subject, html, text } = payload;
+    if (!to) return;
+    if (templateName && ctx) {
+      const rendered = email.renderTemplate(templateName, ctx);
+      await email.send({ to, subject: rendered.subject, html: rendered.html, text: rendered.text });
+    } else if (subject != null && html != null) {
+      await email.send({ to, subject, html, text });
+    }
+  });
+}
+async function queueEmail(cms, payload) {
+  const queue = cms.getPlugin("queue");
+  if (queue) {
+    await queue.add(EMAIL_QUEUE_NAME, payload);
+    return;
+  }
+  const email = cms.getPlugin("email");
+  if (email && payload.templateName && payload.ctx) {
+    const rendered = email.renderTemplate(payload.templateName, payload.ctx);
+    await email.send({ to: payload.to, subject: rendered.subject, html: rendered.html, text: rendered.text });
+  } else if (email && payload.subject != null && payload.html != null) {
+    await email.send({ to: payload.to, subject: payload.subject, html: payload.html, text: payload.text });
+  }
+}
+async function queueOrderPlacedEmails(cms, payload) {
+  const { orderNumber: orderNumber2, total, currency, customerName, customerEmail, salesTeamEmails, companyDetails, lineItems } = payload;
+  const base = {
+    orderNumber: orderNumber2,
+    total: total != null ? String(total) : void 0,
+    currency,
+    customerName,
+    companyDetails: companyDetails ?? {},
+    lineItems: lineItems ?? []
+  };
+  const customerLower = customerEmail?.trim().toLowerCase() ?? "";
+  const jobs = [];
+  if (customerEmail?.trim()) {
+    jobs.push(
+      queueEmail(cms, {
+        to: customerEmail.trim(),
+        templateName: "orderPlaced",
+        ctx: { ...base, audience: "customer" }
+      })
+    );
+  }
+  const seen = /* @__PURE__ */ new Set();
+  for (const raw of salesTeamEmails) {
+    const to = raw.trim();
+    if (!to) continue;
+    const key = to.toLowerCase();
+    if (seen.has(key)) continue;
+    seen.add(key);
+    if (customerLower && key === customerLower) continue;
+    jobs.push(
+      queueEmail(cms, {
+        to,
+        templateName: "orderPlaced",
+        ctx: {
+          ...base,
+          audience: "sales",
+          internalCustomerEmail: customerEmail?.trim() || void 0
         }
-      }
-    };
-    emailTemplates = {
-      formSubmission: (data) => ({
-        subject: `New Form Submission: ${data.formName}`,
-        html: `<h2>New Form Submission</h2><p><strong>Form:</strong> ${data.formName}</p><p><strong>Contact:</strong> ${data.contactName} (${data.contactEmail})</p><pre>${JSON.stringify(data.formData, null, 2)}</pre>`,
-        text: `New Form Submission
-Form: ${data.formName}
-Contact: ${data.contactName} (${data.contactEmail})
-${JSON.stringify(data.formData, null, 2)}`
-      }),
-      contactSubmission: (data) => ({
-        subject: `New Contact Form Submission from ${data.name}`,
-        html: `<h2>New Contact Form Submission</h2><p><strong>Name:</strong> ${data.name}</p><p><strong>Email:</strong> ${data.email}</p>${data.phone ? `<p><strong>Phone:</strong> ${data.phone}</p>` : ""}${data.message ? `<p><strong>Message:</strong></p><p>${data.message}</p>` : ""}`,
-        text: `New Contact Form Submission
-Name: ${data.name}
-Email: ${data.email}
-${data.phone ? `Phone: ${data.phone}
-` : ""}${data.message ? `Message: ${data.message}` : ""}`
-      }),
-      passwordReset: (data) => ({
-        subject: "Reset your password",
-        html: `<h2>Reset your password</h2><p>Click the link below to set a new password. This link expires in 1 hour.</p><p><a href="${data.resetLink}">${data.resetLink}</a></p>`,
-        text: `Reset your password: ${data.resetLink}
-
-This link expires in 1 hour.`
       })
-    };
+    );
+  }
+  await Promise.all(jobs);
+}
+var EMAIL_QUEUE_NAME;
+var init_email_queue = __esm({
+  "src/plugins/email/email-queue.ts"() {
+    "use strict";
+    EMAIL_QUEUE_NAME = "email";
   }
 });
 
@@ -179,7 +165,7 @@ __export(razorpay_exports, {
   RazorpayPaymentService: () => RazorpayPaymentService
 });
 import Razorpay from "razorpay";
-import crypto from "crypto";
+import crypto2 from "crypto";
 var RazorpayPaymentService;
 var init_razorpay = __esm({
   "src/plugins/payment/razorpay.ts"() {
@@ -220,8 +206,8 @@ var init_razorpay = __esm({
       }
       verifyWebhookSignature(payload, signature) {
         const secret = this.webhookSecret || this.keySecret;
-        const expectedSignature = crypto.createHmac("sha256", secret).update(typeof payload === "string" ? payload : payload.toString("utf8")).digest("hex");
-        return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSignature));
+        const expectedSignature = crypto2.createHmac("sha256", secret).update(typeof payload === "string" ? payload : payload.toString("utf8")).digest("hex");
+        return crypto2.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSignature));
       }
     };
   }
@@ -475,9 +461,569 @@ function erpPlugin(config) {
   };
 }
 
+// src/plugins/email/email-service.ts
+import { SESClient, SendEmailCommand } from "@aws-sdk/client-ses";
+import nodemailer from "nodemailer";
+
+// src/plugins/email/templates/layout.ts
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+function socialLinkInnerHtml(s) {
+  if (s.iconUrl?.trim()) {
+    return `<img src="${escapeHtml(s.iconUrl.trim())}" alt="" width="20" height="20" style="display:inline-block;vertical-align:middle;border:0;" />`;
+  }
+  const label = s.icon && s.icon.trim() || "\u{1F517}";
+  return escapeHtml(label);
+}
+function supportLinesHtml(supportEmail, supportPhone, opts) {
+  const parts = [];
+  const top = opts?.tightTop ? "margin-top:0;" : "margin-top:4px;";
+  if (supportEmail) {
+    parts.push(`<div style="font-size:13px;color:#444;${top}">&#128231; ${escapeHtml(supportEmail)}</div>`);
+  }
+  if (supportPhone) {
+    parts.push(`<div style="font-size:13px;color:#444;margin-top:2px;">&#128222; ${escapeHtml(supportPhone)}</div>`);
+  }
+  return parts.join("");
+}
+function renderLayout(options) {
+  const { bodyHtml, companyDetails } = options;
+  const {
+    logoUrl,
+    companyName,
+    supportEmail,
+    supportPhone,
+    socialLinks,
+    footerDisclaimer,
+    followUsTitle = "Follow Us"
+  } = companyDetails;
+  const supportFooterHtml = supportLinesHtml(supportEmail, supportPhone, { tightTop: true });
+  const hasSocial = Boolean(socialLinks?.length);
+  const brandFooterInner = [];
+  if (logoUrl) {
+    brandFooterInner.push(
+      `<img src="${escapeHtml(logoUrl)}" alt="" width="36" style="max-height:28px;display:inline-block;vertical-align:middle;margin-right:10px;border:0;" />`
+    );
+  }
+  if (companyName) {
+    brandFooterInner.push(
+      `<span style="font-size:14px;font-weight:600;color:#111;vertical-align:middle;">${escapeHtml(companyName)}</span>`
+    );
+  }
+  const brandFooterHtml = brandFooterInner.length ? `<div style="line-height:1.4;">${brandFooterInner.join("")}</div>` : "";
+  const followTitleHtml = hasSocial && followUsTitle ? `<div class="footer-follow-title" style="font-size:13px;font-weight:600;color:#555;">${escapeHtml(followUsTitle)}</div>` : "";
+  const socialRowHtml = hasSocial && socialLinks ? `<div class="footer-social-icons" style="margin-top:8px;text-align:right;font-size:0;line-height:0;">${socialLinks.map(
+    (s) => `<a href="${escapeHtml(s.url)}" style="display:inline-block;margin-left:12px;text-decoration:none;color:#333;font-size:18px;line-height:1;vertical-align:middle;">${socialLinkInnerHtml(s)}</a>`
+  ).join("")}</div>` : "";
+  const rowSupport = supportFooterHtml ? `<tr><td class="footer-support-cell" colspan="2" valign="top" style="padding:0 0 10px 0;">${supportFooterHtml}</td></tr>` : "";
+  let footerBlock = "";
+  if (brandFooterHtml || followTitleHtml || socialRowHtml || footerDisclaimer || rowSupport) {
+    let rowBrandFollow = "";
+    if (brandFooterHtml && followTitleHtml) {
+      rowBrandFollow = `<tr>
+<td class="footer-brand-cell" valign="top" style="padding:0 0 10px 0;vertical-align:top;">${brandFooterHtml}</td>
+<td class="footer-follow-cell" valign="top" style="padding:0 0 10px 0;vertical-align:top;text-align:right;">${followTitleHtml}</td>
+</tr>`;
+    } else if (brandFooterHtml) {
+      rowBrandFollow = `<tr><td class="footer-brand-cell" colspan="2" valign="top" style="padding:0 0 10px 0;">${brandFooterHtml}</td></tr>`;
+    } else if (followTitleHtml) {
+      rowBrandFollow = `<tr><td class="footer-follow-cell" colspan="2" valign="top" style="padding:0 0 10px 0;text-align:right;">${followTitleHtml}</td></tr>`;
+    }
+    const rowSocial = socialRowHtml ? `<tr><td class="footer-social-cell" colspan="2" style="padding:0;text-align:right;">${socialRowHtml}</td></tr>` : "";
+    footerBlock = `<table role="presentation" class="footer-main" width="100%" cellpadding="0" cellspacing="0" style="margin-top:28px;padding-top:16px;">${rowBrandFollow}${rowSupport}${rowSocial}</table>`;
+  }
+  const disclaimerBlock = footerDisclaimer ? `<div style="margin-top:20px;padding-top:12px;font-size:11px;line-height:1.5;color:#888;">${escapeHtml(footerDisclaimer).replace(/\n/g, "<br/>")}</div>` : "";
+  const responsiveCss = `
+@media only screen and (max-width: 600px) {
+  .email-wrap { padding-left: 12px !important; padding-right: 12px !important; }
+  .footer-brand-cell, .footer-follow-cell { display: block !important; width: 100% !important; box-sizing: border-box; }
+  .footer-follow-cell { text-align: left !important; padding-top: 12px !important; padding-bottom: 0 !important; }
+  .footer-social-cell { text-align: left !important; }
+  .footer-social-icons { text-align: left !important; }
+  .footer-social-icons a:first-child { margin-left: 0 !important; }
+}
+`;
+  return `<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<style type="text/css">${responsiveCss}</style>
+</head>
+<body style="margin:0;padding:0;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;font-size:14px;line-height:1.5;color:#333;background:#fff;">
+  <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background:#fff;">
+    <tr><td class="email-wrap" style="padding:16px;">
+          <div>
+            ${bodyHtml}
+          </div>
+          ${footerBlock}
+          ${disclaimerBlock}
+    </td></tr>
+  </table>
+</body>
+</html>`;
+}
+
+// src/plugins/email/templates/types.ts
+function normalizeSocialLinkItem(o) {
+  const url = String(o.url ?? "").trim();
+  if (!url) return null;
+  let iconUrl = String(o.iconUrl ?? o.icon_image ?? "").trim();
+  let icon = String(o.icon ?? "").trim();
+  if (!iconUrl && /^https?:\/\//i.test(icon)) {
+    iconUrl = icon;
+    icon = "";
+  }
+  const item = { url };
+  if (iconUrl) item.iconUrl = iconUrl;
+  if (icon) item.icon = icon;
+  return item;
+}
+function parseSocialLinksJson(raw) {
+  if (raw == null || raw.trim() === "") return void 0;
+  try {
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed)) return void 0;
+    const out = [];
+    for (const item of parsed) {
+      if (item && typeof item === "object" && "url" in item) {
+        const n = normalizeSocialLinkItem(item);
+        if (n) out.push(n);
+      }
+    }
+    return out.length ? out : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function mergeEmailLayoutCompanyDetails(branding, emailSettings) {
+  const fromBranding = getCompanyDetailsFromSettings(branding);
+  const pick = (emailVal, fallback) => {
+    const t = emailVal?.trim();
+    return t || fallback?.trim() || void 0;
+  };
+  const logoUrl = pick(emailSettings.logoUrl ?? emailSettings.emailLogoUrl, fromBranding.logoUrl);
+  const companyName = pick(emailSettings.companyName ?? emailSettings.emailCompanyName, fromBranding.companyName);
+  const supportEmail = pick(emailSettings.supportEmail ?? emailSettings.emailSupportEmail, fromBranding.supportEmail);
+  const supportPhone = pick(emailSettings.supportPhone, void 0);
+  const footerDisclaimer = pick(emailSettings.footerDisclaimer, void 0);
+  const followUsTitle = pick(emailSettings.followUsTitle, "Follow Us") || "Follow Us";
+  const socialFromEmail = parseSocialLinksJson(emailSettings.socialLinks);
+  const socialLinks = socialFromEmail?.length ? socialFromEmail : fromBranding.socialLinks;
+  return {
+    logoUrl,
+    companyName,
+    supportEmail,
+    supportPhone,
+    socialLinks,
+    footerDisclaimer,
+    followUsTitle
+  };
+}
+function getCompanyDetailsFromSettings(settingsGroup) {
+  const logoUrl = settingsGroup.logo ?? settingsGroup.logoUrl ?? "";
+  const companyName = settingsGroup.companyName ?? settingsGroup.company_name ?? "";
+  const supportEmail = settingsGroup.supportEmail ?? settingsGroup.support_email ?? "";
+  let socialLinks = [];
+  const raw = settingsGroup.socialLinks ?? settingsGroup.social_links;
+  if (typeof raw === "string") {
+    try {
+      const arr = JSON.parse(raw);
+      if (Array.isArray(arr)) {
+        for (const item of arr) {
+          if (item && typeof item === "object") {
+            const n = normalizeSocialLinkItem(item);
+            if (n) socialLinks.push(n);
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  return { logoUrl: logoUrl || void 0, companyName: companyName || void 0, supportEmail: supportEmail || void 0, socialLinks: socialLinks.length ? socialLinks : void 0 };
+}
+
+// src/plugins/email/templates/inline-cta.ts
+function escapeHtml2(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+function escapeAttr(s) {
+  return escapeHtml2(s);
+}
+function primaryCtaButton(href, label) {
+  return `<table role="presentation" cellpadding="0" cellspacing="0" style="margin:20px 0;">
+<tr><td style="border-radius:6px;background:#1a1a1a;">
+<a href="${escapeAttr(href)}" style="display:inline-block;padding:12px 22px;font-size:14px;font-weight:600;color:#ffffff;text-decoration:none;">${escapeHtml2(label)}</a>
+</td></tr>
+</table>`;
+}
+
+// src/plugins/email/templates/signup.ts
+function render(ctx) {
+  const { name, loginUrl, verifyEmailUrl, companyDetails } = ctx;
+  if (verifyEmailUrl) {
+    const subject2 = "Confirm your email";
+    const greeting = name && name.trim() ? `Hi ${escapeHtml2(name.trim())},` : "Hi,";
+    const bodyHtml2 = `<p style="margin:0 0 12px 0;font-size:15px;line-height:1.5;color:#333;">${greeting}</p>
+<p style="margin:0 0 12px 0;font-size:15px;line-height:1.5;color:#333;">Thanks for signing up. Please confirm your email address to activate your account. Until you confirm, you won\u2019t be able to sign in.</p>
+${primaryCtaButton(verifyEmailUrl, "Confirm email address")}
+<p style="margin:16px 0 0 0;font-size:12px;line-height:1.5;color:#888;">This link expires in a few days. If you didn\u2019t create an account, you can ignore this message.<br/><span style="word-break:break-all;">${escapeHtml2(verifyEmailUrl)}</span></p>`;
+    const text2 = [
+      greeting,
+      "",
+      "Confirm your email to activate your account:",
+      verifyEmailUrl,
+      "",
+      "You cannot sign in until your email is confirmed."
+    ].join("\n");
+    const html2 = renderLayout({ bodyHtml: bodyHtml2, companyDetails });
+    return { subject: subject2, html: html2, text: text2 };
+  }
+  const subject = "Welcome";
+  const bodyHtml = `<p style="margin:0 0 12px 0;font-size:15px;line-height:1.5;color:#333;">Welcome${name ? `, ${escapeHtml2(name)}` : ""}.</p><p style="margin:0 0 12px 0;font-size:15px;line-height:1.5;color:#333;">Your account has been created.</p>${loginUrl ? `${primaryCtaButton(loginUrl, "Sign in")}` : ""}`;
+  const text = `Welcome${name ? `, ${name}` : ""}. Your account has been created.${loginUrl ? ` Sign in: ${loginUrl}` : ""}`;
+  const html = renderLayout({ bodyHtml, companyDetails });
+  return { subject, html, text };
+}
+
+// src/plugins/email/templates/passwordReset.ts
+function render2(ctx) {
+  const { resetLink, companyDetails } = ctx;
+  const subject = "Reset your password";
+  const bodyHtml = `<p style="margin:0 0 12px 0;font-size:15px;line-height:1.5;color:#333;">Hello,</p>
+<p style="margin:0 0 12px 0;font-size:15px;line-height:1.5;color:#333;">We received a request to reset the password for your account. If you made this request, use the button below to choose a new password.</p>
+<p style="margin:0 0 8px 0;font-size:14px;line-height:1.5;color:#555;">For your security, this link will stop working after a short time. If it expires, request a new reset from the sign-in page.</p>
+${primaryCtaButton(resetLink, "Reset password")}
+<p style="margin:16px 0 0 0;font-size:12px;line-height:1.5;color:#888;">If you did not request a password reset, you can safely ignore this email\u2014your password will stay the same.</p>
+<p style="margin:12px 0 0 0;font-size:12px;line-height:1.5;color:#888;">If the button does not work, copy and paste this URL into your browser:<br/><span style="word-break:break-all;">${escapeHtml2(resetLink)}</span></p>`;
+  const text = [
+    "Hello,",
+    "",
+    "We received a request to reset your password. Open the link below to set a new password:",
+    resetLink,
+    "",
+    "This link expires after a limited time.",
+    "",
+    "If you did not request this, you can ignore this email."
+  ].join("\n");
+  const html = renderLayout({ bodyHtml, companyDetails });
+  return { subject, html, text };
+}
+
+// src/plugins/email/templates/passwordChange.ts
+function render3(ctx) {
+  const { name, companyDetails } = ctx;
+  const subject = "Password changed";
+  const bodyHtml = `<h2>Password changed</h2><p>Your password has been updated successfully${name ? `, ${escapeHtml3(name)}` : ""}.</p>`;
+  const text = `Your password has been updated successfully${name ? `, ${name}` : ""}.`;
+  const html = renderLayout({ bodyHtml, companyDetails });
+  return { subject, html, text };
+}
+function escapeHtml3(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+
+// src/plugins/email/templates/orderPlaced.ts
+function formatMoney(amount, currency) {
+  const v = typeof amount === "string" ? parseFloat(amount) : amount;
+  const num = Number.isFinite(v) ? Number(v).toFixed(2) : String(amount);
+  return currency ? `${num} ${currency}` : num;
+}
+function renderLineItemsHtml(items, currency) {
+  if (!items.length) {
+    return '<p style="margin:12px 0 0 0;font-size:14px;color:#666;">No line items.</p>';
+  }
+  const rows = items.map((it) => {
+    const name = escapeHtml2(it.productName);
+    const sku = it.sku && String(it.sku).trim() ? `<span style="font-size:12px;color:#888;"> (${escapeHtml2(String(it.sku).trim())})</span>` : "";
+    return `<tr>
+<td style="padding:10px 8px 10px 0;border-bottom:1px solid #eee;vertical-align:top;font-size:14px;color:#333;">${name}${sku}</td>
+<td align="right" style="padding:10px 8px;border-bottom:1px solid #eee;vertical-align:top;font-size:14px;color:#333;white-space:nowrap;">${escapeHtml2(String(it.quantity))}</td>
+<td align="right" style="padding:10px 8px;border-bottom:1px solid #eee;vertical-align:top;font-size:14px;color:#333;white-space:nowrap;">${escapeHtml2(formatMoney(it.unitPrice, currency))}</td>
+<td align="right" style="padding:10px 0 10px 8px;border-bottom:1px solid #eee;vertical-align:top;font-size:14px;color:#333;white-space:nowrap;">${escapeHtml2(formatMoney(it.lineTotal, currency))}</td>
+</tr>`;
+  }).join("");
+  return `<p style="margin:16px 0 8px 0;font-size:14px;font-weight:600;color:#111;">Order items</p>
+<table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="border-collapse:collapse;">
+<tr>
+<td style="padding:0 8px 8px 0;font-size:12px;font-weight:600;color:#555;text-transform:uppercase;letter-spacing:0.02em;">Item</td>
+<td align="right" style="padding:0 8px 8px 8px;font-size:12px;font-weight:600;color:#555;text-transform:uppercase;">Qty</td>
+<td align="right" style="padding:0 8px 8px 8px;font-size:12px;font-weight:600;color:#555;text-transform:uppercase;">Price</td>
+<td align="right" style="padding:0 0 8px 8px;font-size:12px;font-weight:600;color:#555;text-transform:uppercase;">Total</td>
+</tr>
+${rows}
+</table>`;
+}
+function renderLineItemsText(items, currency) {
+  if (!items.length) return "";
+  const lines = items.map(
+    (it) => `- ${it.productName} \xD7 ${it.quantity} @ ${formatMoney(it.unitPrice, currency)} = ${formatMoney(it.lineTotal, currency)}${it.sku ? ` [${it.sku}]` : ""}`
+  );
+  return ["Items:", ...lines].join("\n");
+}
+function render4(ctx) {
+  const {
+    orderNumber: orderNumber2,
+    total,
+    currency,
+    customerName,
+    companyDetails,
+    audience = "customer",
+    internalCustomerEmail,
+    lineItems = []
+  } = ctx;
+  const itemsHtml = renderLineItemsHtml(lineItems, currency);
+  const itemsText = renderLineItemsText(lineItems, currency);
+  const totalLine = total != null && String(total).trim() !== "" ? `<p style="margin:12px 0 0 0;font-size:15px;line-height:1.5;color:#333;"><strong>Order total:</strong> ${escapeHtml2(String(total))}${currency ? ` ${escapeHtml2(currency)}` : ""}</p>` : "";
+  let subject;
+  let bodyHtml;
+  let text;
+  if (audience === "sales") {
+    subject = `New order #${orderNumber2}`;
+    const who = customerName || internalCustomerEmail ? `<p style="margin:0 0 12px 0;font-size:15px;line-height:1.5;color:#333;"><strong>Customer:</strong> ${escapeHtml2(customerName || "\u2014")}${internalCustomerEmail ? ` <span style="color:#555;">(${escapeHtml2(internalCustomerEmail)})</span>` : ""}</p>` : "";
+    bodyHtml = `<p style="margin:0 0 12px 0;font-size:15px;line-height:1.5;color:#333;">A new order has been placed and payment completed.</p>
+<p style="margin:0 0 8px 0;font-size:15px;line-height:1.5;color:#333;"><strong>Order number:</strong> ${escapeHtml2(orderNumber2)}</p>
+${who}
+${itemsHtml}
+${totalLine}`;
+    text = [
+      `New order #${orderNumber2}`,
+      customerName ? `Customer: ${customerName}` : "",
+      internalCustomerEmail ? `Email: ${internalCustomerEmail}` : "",
+      itemsText,
+      total != null ? `Order total: ${total}${currency ? ` ${currency}` : ""}` : ""
+    ].filter(Boolean).join("\n\n");
+  } else {
+    subject = `Order confirmed #${orderNumber2}`;
+    const thanksPlain = customerName && customerName.trim() ? `Thank you, ${customerName.trim()}.` : "Thank you for your order.";
+    const thanksHtml = `${escapeHtml2(thanksPlain)} We\u2019ve received your order and will process it shortly.`;
+    bodyHtml = `<p style="margin:0 0 12px 0;font-size:15px;line-height:1.5;color:#333;">${thanksHtml}</p>
+<p style="margin:0 0 8px 0;font-size:15px;line-height:1.5;color:#333;"><strong>Order number:</strong> ${escapeHtml2(orderNumber2)}</p>
+${itemsHtml}
+${totalLine}
+<p style="margin:16px 0 0 0;font-size:13px;line-height:1.5;color:#666;">If you have questions, reply to this email or contact us using the details below.</p>`;
+    text = [
+      `Order confirmed #${orderNumber2}`,
+      `${thanksPlain} We\u2019ve received your order and will process it shortly.`,
+      "",
+      itemsText,
+      total != null ? `Order total: ${total}${currency ? ` ${currency}` : ""}` : "",
+      "",
+      "We will process your order shortly."
+    ].filter((line, i, arr) => !(line === "" && arr[i - 1] === "")).join("\n");
+  }
+  const html = renderLayout({ bodyHtml, companyDetails });
+  return { subject, html, text };
+}
+
+// src/plugins/email/templates/returnInitiated.ts
+function render5(ctx) {
+  const { returnId, orderNumber: orderNumber2, companyDetails } = ctx;
+  const subject = "Return initiated";
+  const bodyHtml = `<h2>Return initiated</h2><p>Your return request has been received.</p>${orderNumber2 ? `<p><strong>Order:</strong> ${escapeHtml4(orderNumber2)}</p>` : ""}${returnId ? `<p><strong>Return ID:</strong> ${escapeHtml4(returnId)}</p>` : ""}`;
+  const text = `Return initiated.${orderNumber2 ? ` Order: ${orderNumber2}` : ""}${returnId ? ` Return ID: ${returnId}` : ""}`;
+  const html = renderLayout({ bodyHtml, companyDetails });
+  return { subject, html, text };
+}
+function escapeHtml4(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+
+// src/plugins/email/templates/shippingUpdate.ts
+function render6(ctx) {
+  const { orderNumber: orderNumber2, status, trackingUrl, companyDetails } = ctx;
+  const subject = status ? `Shipping update: ${status}` : "Shipping update";
+  const bodyHtml = `<h2>Shipping update</h2>${status ? `<p><strong>Status:</strong> ${escapeHtml5(status)}</p>` : ""}${orderNumber2 ? `<p><strong>Order:</strong> ${escapeHtml5(orderNumber2)}</p>` : ""}${trackingUrl ? `<p><a href="${escapeHtml5(trackingUrl)}">Track your order</a></p>` : ""}`;
+  const text = `Shipping update.${status ? ` Status: ${status}` : ""}${orderNumber2 ? ` Order: ${orderNumber2}` : ""}${trackingUrl ? ` Track: ${trackingUrl}` : ""}`;
+  const html = renderLayout({ bodyHtml, companyDetails });
+  return { subject, html, text };
+}
+function escapeHtml5(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+
+// src/plugins/email/templates/invite.ts
+function render7(ctx) {
+  const { inviteLink, email, inviteeName, companyDetails } = ctx;
+  const subject = "You're invited";
+  const greeting = inviteeName && inviteeName.trim() ? `Hello ${escapeHtml2(inviteeName.trim())},` : "Hello,";
+  const bodyHtml = `<p style="margin:0 0 12px 0;font-size:15px;line-height:1.5;color:#333;">${greeting}</p>
+<p style="margin:0 0 12px 0;font-size:15px;line-height:1.5;color:#333;">You have been invited to create your account for <strong>${escapeHtml2(email)}</strong>. Use the secure link below to choose your password and activate access.</p>
+<p style="margin:0 0 8px 0;font-size:14px;line-height:1.5;color:#555;">This link is personal to you. If you did not expect this invitation, you can ignore this message.</p>
+${primaryCtaButton(inviteLink, "Accept invitation & set password")}
+<p style="margin:16px 0 0 0;font-size:12px;line-height:1.5;color:#888;">If the button does not work, copy and paste this URL into your browser:<br/><span style="word-break:break-all;">${escapeHtml2(inviteLink)}</span></p>`;
+  const text = [
+    inviteeName?.trim() ? `Hello ${inviteeName.trim()},` : "Hello,",
+    "",
+    `You have been invited to create your account (${email}).`,
+    "Open this link to set your password:",
+    inviteLink,
+    "",
+    "If you did not expect this invitation, you can ignore this email."
+  ].join("\n");
+  const html = renderLayout({ bodyHtml, companyDetails });
+  return { subject, html, text };
+}
+
+// src/plugins/email/templates/formSubmission.ts
+function render8(ctx) {
+  const { formName, contactName, contactEmail, formData, formFieldRows, companyDetails } = ctx;
+  const subject = `New Form Submission: ${formName}`;
+  const fieldsBlock = formFieldRows && formFieldRows.length > 0 ? formFieldRows.map(
+    (r) => `<p style="margin:10px 0 0 0;line-height:1.5;"><strong>${escapeHtml6(r.label)}</strong><br/>${escapeHtml6(r.value)}</p>`
+  ).join("") : `<p style="margin:10px 0 0 0;font-size:13px;white-space:pre-wrap;">${escapeHtml6(JSON.stringify(formData, null, 2))}</p>`;
+  const bodyHtml = `<p style="margin:0 0 6px 0;font-size:18px;font-weight:600;color:#111;">New Form Submission</p>
+<p style="margin:0 0 4px 0;"><strong>Form:</strong> ${escapeHtml6(formName)}</p>
+<p style="margin:0 0 8px 0;"><strong>Contact:</strong> ${escapeHtml6(contactName)}${contactEmail ? ` (${escapeHtml6(contactEmail)})` : ""}</p>
+${fieldsBlock}`;
+  const textLines = [
+    "New Form Submission",
+    `Form: ${formName}`,
+    `Contact: ${contactName}${contactEmail ? ` (${contactEmail})` : ""}`,
+    "",
+    ...formFieldRows?.length ? formFieldRows.map((r) => `${r.label}: ${r.value}`) : [JSON.stringify(formData, null, 2)]
+  ];
+  const text = textLines.join("\n");
+  const html = renderLayout({ bodyHtml, companyDetails });
+  return { subject, html, text };
+}
+function escapeHtml6(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+
+// src/plugins/email/templates/index.ts
+var templateRenderMap = {
+  signup: render,
+  passwordReset: render2,
+  passwordChange: render3,
+  orderPlaced: render4,
+  returnInitiated: render5,
+  shippingUpdate: render6,
+  invite: render7,
+  formSubmission: render8
+};
+function getTemplateRenderer(name) {
+  return templateRenderMap[name];
+}
+
+// src/plugins/email/renderer.ts
+function renderEmail(templateName, ctx, options) {
+  const layoutFn = options?.renderLayout ?? renderLayout;
+  const getBody = options?.getBody;
+  if (getBody) {
+    const custom = getBody(templateName, ctx);
+    if (custom != null) {
+      const html = layoutFn({ bodyHtml: custom.bodyHtml, companyDetails: ctx.companyDetails });
+      return { subject: custom.subject, html, text: custom.text };
+    }
+  }
+  const render9 = getTemplateRenderer(templateName);
+  if (!render9) {
+    throw new Error(`Unknown email template: ${templateName}`);
+  }
+  return render9(ctx);
+}
+
+// src/plugins/email/email-service.ts
+var EmailService = class {
+  config;
+  templateOptions;
+  sesClient;
+  transporter;
+  constructor(config) {
+    this.config = config;
+    this.templateOptions = config.templateOptions;
+    if (config.type === "AWS") {
+      if (!config.region || !config.accessKeyId || !config.secretAccessKey) {
+        throw new Error("AWS SES configuration incomplete");
+      }
+      this.sesClient = new SESClient({
+        region: config.region,
+        credentials: { accessKeyId: config.accessKeyId, secretAccessKey: config.secretAccessKey }
+      });
+    } else if (config.type === "SMTP" || config.type === "GMAIL") {
+      if (!config.user || !config.password) throw new Error("SMTP configuration incomplete");
+      const host = config.type === "GMAIL" ? "smtp.gmail.com" : config.host || void 0;
+      const port = config.port ?? 587;
+      const secure = config.secure ?? false;
+      this.transporter = nodemailer.createTransport({
+        ...host ? { host } : {},
+        port,
+        secure,
+        auth: { user: config.user, pass: config.password }
+      });
+    } else {
+      throw new Error(`Unsupported email type: ${config.type}`);
+    }
+  }
+  async send(emailData) {
+    try {
+      if (this.config.type === "AWS" && this.sesClient) {
+        await this.sesClient.send(
+          new SendEmailCommand({
+            Source: emailData.from || this.config.from,
+            Destination: { ToAddresses: [emailData.to || this.config.to] },
+            Message: {
+              Subject: { Data: emailData.subject, Charset: "UTF-8" },
+              Body: {
+                Html: { Data: emailData.html, Charset: "UTF-8" },
+                ...emailData.text && { Text: { Data: emailData.text, Charset: "UTF-8" } }
+              }
+            }
+          })
+        );
+        return true;
+      }
+      if ((this.config.type === "SMTP" || this.config.type === "GMAIL") && this.transporter) {
+        await this.transporter.sendMail({
+          from: emailData.from || this.config.from,
+          to: emailData.to || this.config.to,
+          subject: emailData.subject,
+          html: emailData.html,
+          text: emailData.text
+        });
+        return true;
+      }
+      return false;
+    } catch (error) {
+      console.error("Email sending failed:", error);
+      return false;
+    }
+  }
+  renderTemplate(templateName, ctx) {
+    return renderEmail(templateName, ctx, this.templateOptions);
+  }
+};
+var emailTemplates = {
+  formSubmission: (data) => ({
+    subject: `New Form Submission: ${data.formName}`,
+    html: `<h2>New Form Submission</h2><p><strong>Form:</strong> ${data.formName}</p><p><strong>Contact:</strong> ${data.contactName} (${data.contactEmail})</p><pre>${JSON.stringify(data.formData, null, 2)}</pre>`,
+    text: `New Form Submission
+Form: ${data.formName}
+Contact: ${data.contactName} (${data.contactEmail})
+${JSON.stringify(data.formData, null, 2)}`
+  }),
+  contactSubmission: (data) => ({
+    subject: `New Contact Form Submission from ${data.name}`,
+    html: `<h2>New Contact Form Submission</h2><p><strong>Name:</strong> ${data.name}</p><p><strong>Email:</strong> ${data.email}</p>${data.phone ? `<p><strong>Phone:</strong> ${data.phone}</p>` : ""}${data.message ? `<p><strong>Message:</strong></p><p>${data.message}</p>` : ""}`,
+    text: `New Contact Form Submission
+Name: ${data.name}
+Email: ${data.email}
+${data.phone ? `Phone: ${data.phone}
+` : ""}${data.message ? `Message: ${data.message}` : ""}`
+  }),
+  passwordReset: (data) => ({
+    subject: "Reset your password",
+    html: `<h2>Reset your password</h2><p>Click the link below to set a new password. This link expires in 1 hour.</p><p><a href="${data.resetLink}">${data.resetLink}</a></p>`,
+    text: `Reset your password: ${data.resetLink}
+
+This link expires in 1 hour.`
+  })
+};
+
 // src/plugins/email/index.ts
-init_email_service();
-init_email_service();
+init_email_queue();
 function emailPlugin(config) {
   return {
     name: "email",
@@ -486,6 +1032,8 @@ function emailPlugin(config) {
       const from = config.from || context.config.SMTP_FROM || "no-reply@example.com";
       const to = config.to || context.config.SMTP_TO || "info@example.com";
       const type = config.type || context.config.SMTP_TYPE || "SMTP";
+      const portEnv = context.config.SMTP_PORT;
+      const portParsed = portEnv ? parseInt(portEnv, 10) : void 0;
       const merged = {
         ...config,
         from,
@@ -493,6 +1041,9 @@ function emailPlugin(config) {
         type,
         user: config.user ?? context.config.SMTP_USER,
         password: config.password ?? context.config.SMTP_PASSWORD,
+        host: config.host ?? context.config.SMTP_HOST,
+        port: config.port ?? (Number.isFinite(portParsed) ? portParsed : void 0),
+        secure: config.secure ?? context.config.SMTP_SECURE === "true",
         region: config.region ?? context.config.AWS_REGION,
         accessKeyId: config.accessKeyId ?? context.config.AWS_ACCESS_KEY_ID,
         secretAccessKey: config.secretAccessKey ?? context.config.AWS_SECRET_ACCESS_KEY
@@ -926,6 +1477,161 @@ function llmPlugin(config = {}) {
   };
 }
 
+// src/plugins/cache/index.ts
+import Redis from "ioredis";
+
+// src/plugins/cache/memory-cache.ts
+import { LRUCache } from "lru-cache";
+var DEFAULT_MAX = 500;
+var DEFAULT_TTL_MS = 60 * 1e3;
+var MemoryCache = class {
+  cache;
+  constructor(options) {
+    const max = options?.max ?? DEFAULT_MAX;
+    const ttlMs = options?.ttlMs ?? DEFAULT_TTL_MS;
+    this.cache = new LRUCache({ max, ttl: ttlMs });
+  }
+  async get(key) {
+    const value = this.cache.get(key);
+    return value ?? null;
+  }
+  async set(key, value, ttlSeconds) {
+    const ttlMs = ttlSeconds != null && ttlSeconds > 0 ? ttlSeconds * 1e3 : void 0;
+    this.cache.set(key, value, { ttl: ttlMs });
+  }
+  async del(key) {
+    this.cache.delete(key);
+  }
+};
+
+// src/plugins/cache/redis-cache.ts
+var RedisCache = class {
+  constructor(client) {
+    this.client = client;
+  }
+  async get(key) {
+    return this.client.get(key);
+  }
+  async set(key, value, ttlSeconds) {
+    if (ttlSeconds != null && ttlSeconds > 0) {
+      await this.client.set(key, value, "EX", ttlSeconds);
+    } else {
+      await this.client.set(key, value);
+    }
+  }
+  async del(key) {
+    await this.client.del(key);
+  }
+};
+
+// src/plugins/cache/index.ts
+function cachePlugin(config) {
+  return {
+    name: "cache",
+    version: "1.0.0",
+    async init(context) {
+      const redisUrl = config?.redisUrl ?? context.config.REDIS_URL ?? "";
+      const url = typeof redisUrl === "string" ? redisUrl.trim() : "";
+      if (url) {
+        const client = new Redis(url);
+        return new RedisCache(client);
+      }
+      return new MemoryCache();
+    }
+  };
+}
+
+// src/plugins/queue/bullmq-queue.ts
+import { Queue, Worker } from "bullmq";
+function connectionFromUrl(redisUrl) {
+  const u = new URL(redisUrl);
+  return {
+    host: u.hostname,
+    port: u.port ? parseInt(u.port, 10) : 6379,
+    ...u.username && { username: u.username },
+    ...u.password && { password: u.password },
+    maxRetriesPerRequest: null
+  };
+}
+var BullMQQueue = class {
+  connectionOptions;
+  queues = /* @__PURE__ */ new Map();
+  workers = /* @__PURE__ */ new Map();
+  constructor(redisUrl) {
+    this.connectionOptions = connectionFromUrl(redisUrl);
+  }
+  async add(queueName, data) {
+    const queue = this.getOrCreateQueue(queueName);
+    await queue.add(queueName, data);
+  }
+  registerProcessor(queueName, processor) {
+    if (this.workers.has(queueName)) return;
+    const worker = new Worker(
+      queueName,
+      async (job) => {
+        await processor(job.data);
+      },
+      { connection: this.connectionOptions }
+    );
+    this.workers.set(queueName, worker);
+  }
+  getOrCreateQueue(queueName) {
+    let queue = this.queues.get(queueName);
+    if (!queue) {
+      queue = new Queue(queueName, { connection: this.connectionOptions });
+      this.queues.set(queueName, queue);
+    }
+    return queue;
+  }
+  async destroy() {
+    for (const w of this.workers.values()) await w.close();
+    this.workers.clear();
+    for (const q of this.queues.values()) await q.close();
+    this.queues.clear();
+  }
+};
+
+// src/plugins/queue/memory-queue.ts
+import fastq from "fastq";
+var MemoryQueue = class {
+  queues = /* @__PURE__ */ new Map();
+  async add(queueName, data) {
+    const q = this.queues.get(queueName);
+    if (!q) throw new Error(`No processor registered for queue: ${queueName}`);
+    void Promise.resolve(q.push(data)).catch(() => void 0);
+  }
+  registerProcessor(queueName, processor) {
+    if (this.queues.has(queueName)) return;
+    const worker = async (task) => processor(task);
+    const q = fastq.promise(worker, 1);
+    this.queues.set(queueName, q);
+  }
+};
+
+// src/plugins/queue/index.ts
+function queuePlugin(config) {
+  let instance;
+  return {
+    name: "queue",
+    version: "1.0.0",
+    async init(context) {
+      const redisUrl = config?.redisUrl ?? context.config.REDIS_URL ?? "";
+      const url = typeof redisUrl === "string" ? redisUrl.trim() : "";
+      if (url) {
+        instance = new BullMQQueue(url);
+        return instance;
+      }
+      instance = new MemoryQueue();
+      return instance;
+    },
+    async destroy() {
+      if (instance && "destroy" in instance && typeof instance.destroy === "function") {
+        await instance.destroy();
+      }
+    }
+  };
+}
+
 // src/lib/utils.ts
 import { clsx } from "clsx";
 import { twMerge } from "tailwind-merge";
@@ -962,6 +1668,39 @@ function truncateText(text, maxLength) {
   return text.substring(0, maxLength).trim() + "...";
 }
 
+// src/lib/link-contact-to-user.ts
+import { IsNull } from "typeorm";
+async function linkUnclaimedContactToUser(dataSource, contactsEntity, userId, email) {
+  const repo = dataSource.getRepository(contactsEntity);
+  const found = await repo.findOne({
+    where: { email, userId: IsNull(), deleted: false }
+  });
+  if (found) await repo.update(found.id, { userId });
+}
+
+// src/lib/email-recipients.ts
+function parseEmailRecipientsFromConfig(raw) {
+  if (raw == null || raw === "") return [];
+  const trimmed = raw.trim();
+  if (trimmed.startsWith("[")) {
+    try {
+      const parsed = JSON.parse(trimmed);
+      if (Array.isArray(parsed)) {
+        return parsed.map((e) => String(e).trim()).filter(Boolean);
+      }
+    } catch {
+    }
+  }
+  return trimmed.split(/[,;]+/).map((s) => s.trim()).filter(Boolean);
+}
+function serializeEmailRecipients(emails) {
+  return JSON.stringify(emails);
+}
+function joinRecipientsForSend(emails) {
+  if (!emails.length) return null;
+  return emails.join(", ");
+}
+
 // src/entities/user.entity.ts
 import { Entity as Entity3, PrimaryGeneratedColumn as PrimaryGeneratedColumn3, Column as Column3, ManyToOne as ManyToOne2, JoinColumn as JoinColumn2 } from "typeorm";
 
@@ -1095,6 +1834,7 @@ var User = class {
   email;
   password;
   blocked;
+  adminAccess;
   groupId;
   createdAt;
   updatedAt;
@@ -1120,6 +1860,9 @@ __decorateClass([
 __decorateClass([
   Column3("boolean", { default: false })
 ], User.prototype, "blocked", 2);
+__decorateClass([
+  Column3("boolean", { default: false })
+], User.prototype, "adminAccess", 2);
 __decorateClass([
   Column3("int", { nullable: true })
 ], User.prototype, "groupId", 2);
@@ -1522,7 +2265,7 @@ Blog = __decorateClass([
 ], Blog);
 
 // src/entities/contact.entity.ts
-import { Entity as Entity18, PrimaryGeneratedColumn as PrimaryGeneratedColumn18, Column as Column18, OneToMany as OneToMany8 } from "typeorm";
+import { Entity as Entity18, PrimaryGeneratedColumn as PrimaryGeneratedColumn18, Column as Column18, OneToMany as OneToMany8, ManyToOne as ManyToOne12, JoinColumn as JoinColumn12 } from "typeorm";
 
 // src/entities/form-submission.entity.ts
 import { Entity as Entity12, PrimaryGeneratedColumn as PrimaryGeneratedColumn12, Column as Column12, ManyToOne as ManyToOne6, JoinColumn as JoinColumn6 } from "typeorm";
@@ -2066,6 +2809,8 @@ var Contact = class {
   createdBy;
   updatedBy;
   deletedBy;
+  userId;
+  user;
   form_submissions;
   addresses;
   orders;
@@ -2117,6 +2862,13 @@ __decorateClass([
 __decorateClass([
   Column18("int", { nullable: true })
 ], Contact.prototype, "deletedBy", 2);
+__decorateClass([
+  Column18("int", { nullable: true })
+], Contact.prototype, "userId", 2);
+__decorateClass([
+  ManyToOne12(() => User, { onDelete: "SET NULL" }),
+  JoinColumn12({ name: "userId" })
+], Contact.prototype, "user", 2);
 __decorateClass([
   OneToMany8(() => FormSubmission, (fs) => fs.contact)
 ], Contact.prototype, "form_submissions", 2);
@@ -2250,7 +3002,7 @@ Media = __decorateClass([
 ], Media);
 
 // src/entities/page.entity.ts
-import { Entity as Entity21, PrimaryGeneratedColumn as PrimaryGeneratedColumn21, Column as Column21, ManyToOne as ManyToOne12, JoinColumn as JoinColumn12 } from "typeorm";
+import { Entity as Entity21, PrimaryGeneratedColumn as PrimaryGeneratedColumn21, Column as Column21, ManyToOne as ManyToOne13, JoinColumn as JoinColumn13 } from "typeorm";
 var Page = class {
   id;
   title;
@@ -2292,15 +3044,15 @@ __decorateClass([
   Column21("int", { nullable: true })
 ], Page.prototype, "parentId", 2);
 __decorateClass([
-  ManyToOne12(() => Page, { onDelete: "SET NULL" }),
-  JoinColumn12({ name: "parentId" })
+  ManyToOne13(() => Page, { onDelete: "SET NULL" }),
+  JoinColumn13({ name: "parentId" })
 ], Page.prototype, "parent", 2);
 __decorateClass([
   Column21("int", { nullable: true })
 ], Page.prototype, "seoId", 2);
 __decorateClass([
-  ManyToOne12(() => Seo, { onDelete: "SET NULL" }),
-  JoinColumn12({ name: "seoId" })
+  ManyToOne13(() => Seo, { onDelete: "SET NULL" }),
+  JoinColumn13({ name: "seoId" })
 ], Page.prototype, "seo", 2);
 __decorateClass([
   Column21({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
@@ -2328,7 +3080,7 @@ Page = __decorateClass([
 ], Page);
 
 // src/entities/product-category.entity.ts
-import { Entity as Entity22, PrimaryGeneratedColumn as PrimaryGeneratedColumn22, Column as Column22, ManyToOne as ManyToOne13, OneToMany as OneToMany9, JoinColumn as JoinColumn13 } from "typeorm";
+import { Entity as Entity22, PrimaryGeneratedColumn as PrimaryGeneratedColumn22, Column as Column22, ManyToOne as ManyToOne14, OneToMany as OneToMany9, JoinColumn as JoinColumn14 } from "typeorm";
 var ProductCategory = class {
   id;
   name;
@@ -2400,8 +3152,8 @@ __decorateClass([
   Column22("int", { nullable: true })
 ], ProductCategory.prototype, "deletedBy", 2);
 __decorateClass([
-  ManyToOne13(() => ProductCategory, (c) => c.children, { onDelete: "SET NULL" }),
-  JoinColumn13({ name: "parentId" })
+  ManyToOne14(() => ProductCategory, (c) => c.children, { onDelete: "SET NULL" }),
+  JoinColumn14({ name: "parentId" })
 ], ProductCategory.prototype, "parent", 2);
 __decorateClass([
   OneToMany9(() => ProductCategory, (c) => c.parent)
@@ -2417,10 +3169,10 @@ ProductCategory = __decorateClass([
 ], ProductCategory);
 
 // src/entities/collection.entity.ts
-import { Entity as Entity24, PrimaryGeneratedColumn as PrimaryGeneratedColumn24, Column as Column24, ManyToOne as ManyToOne15, OneToMany as OneToMany11, JoinColumn as JoinColumn15 } from "typeorm";
+import { Entity as Entity24, PrimaryGeneratedColumn as PrimaryGeneratedColumn24, Column as Column24, ManyToOne as ManyToOne16, OneToMany as OneToMany11, JoinColumn as JoinColumn16 } from "typeorm";
 
 // src/entities/brand.entity.ts
-import { Entity as Entity23, PrimaryGeneratedColumn as PrimaryGeneratedColumn23, Column as Column23, OneToMany as OneToMany10, ManyToOne as ManyToOne14, JoinColumn as JoinColumn14 } from "typeorm";
+import { Entity as Entity23, PrimaryGeneratedColumn as PrimaryGeneratedColumn23, Column as Column23, OneToMany as OneToMany10, ManyToOne as ManyToOne15, JoinColumn as JoinColumn15 } from "typeorm";
 var Brand = class {
   id;
   name;
@@ -2491,8 +3243,8 @@ __decorateClass([
   Column23("int", { nullable: true })
 ], Brand.prototype, "seoId", 2);
 __decorateClass([
-  ManyToOne14(() => Seo, { onDelete: "SET NULL" }),
-  JoinColumn14({ name: "seoId" })
+  ManyToOne15(() => Seo, { onDelete: "SET NULL" }),
+  JoinColumn15({ name: "seoId" })
 ], Brand.prototype, "seo", 2);
 __decorateClass([
   OneToMany10("Product", "brand")
@@ -2511,6 +3263,7 @@ var Collection = class {
   brandId;
   name;
   slug;
+  hsn;
   description;
   image;
   metadata;
@@ -2544,6 +3297,9 @@ __decorateClass([
 __decorateClass([
   Column24("varchar", { unique: true })
 ], Collection.prototype, "slug", 2);
+__decorateClass([
+  Column24("varchar", { nullable: true })
+], Collection.prototype, "hsn", 2);
 __decorateClass([
   Column24("text", { nullable: true })
 ], Collection.prototype, "description", 2);
@@ -2584,16 +3340,16 @@ __decorateClass([
   Column24("int", { nullable: true })
 ], Collection.prototype, "seoId", 2);
 __decorateClass([
-  ManyToOne15(() => Seo, { onDelete: "SET NULL" }),
-  JoinColumn15({ name: "seoId" })
+  ManyToOne16(() => Seo, { onDelete: "SET NULL" }),
+  JoinColumn16({ name: "seoId" })
 ], Collection.prototype, "seo", 2);
 __decorateClass([
-  ManyToOne15(() => ProductCategory, (c) => c.collections, { onDelete: "SET NULL" }),
-  JoinColumn15({ name: "categoryId" })
+  ManyToOne16(() => ProductCategory, (c) => c.collections, { onDelete: "SET NULL" }),
+  JoinColumn16({ name: "categoryId" })
 ], Collection.prototype, "category", 2);
 __decorateClass([
-  ManyToOne15(() => Brand, (b) => b.collections, { onDelete: "SET NULL" }),
-  JoinColumn15({ name: "brandId" })
+  ManyToOne16(() => Brand, (b) => b.collections, { onDelete: "SET NULL" }),
+  JoinColumn16({ name: "brandId" })
 ], Collection.prototype, "brand", 2);
 __decorateClass([
   OneToMany11("Product", "collection")
@@ -2603,13 +3359,14 @@ Collection = __decorateClass([
 ], Collection);
 
 // src/entities/product.entity.ts
-import { Entity as Entity25, PrimaryGeneratedColumn as PrimaryGeneratedColumn25, Column as Column25, ManyToOne as ManyToOne16, OneToMany as OneToMany12, JoinColumn as JoinColumn16 } from "typeorm";
+import { Entity as Entity25, PrimaryGeneratedColumn as PrimaryGeneratedColumn25, Column as Column25, ManyToOne as ManyToOne17, OneToMany as OneToMany12, JoinColumn as JoinColumn17 } from "typeorm";
 var Product = class {
   id;
   collectionId;
   brandId;
   categoryId;
   sku;
+  hsn;
   slug;
   name;
   price;
@@ -2648,6 +3405,9 @@ __decorateClass([
 __decorateClass([
   Column25("varchar", { nullable: true })
 ], Product.prototype, "sku", 2);
+__decorateClass([
+  Column25("varchar", { nullable: true })
+], Product.prototype, "hsn", 2);
 __decorateClass([
   Column25("varchar", { unique: true, nullable: true })
 ], Product.prototype, "slug", 2);
@@ -2697,20 +3457,20 @@ __decorateClass([
   Column25("int", { nullable: true })
 ], Product.prototype, "seoId", 2);
 __decorateClass([
-  ManyToOne16(() => Seo, { onDelete: "SET NULL" }),
-  JoinColumn16({ name: "seoId" })
+  ManyToOne17(() => Seo, { onDelete: "SET NULL" }),
+  JoinColumn17({ name: "seoId" })
 ], Product.prototype, "seo", 2);
 __decorateClass([
-  ManyToOne16(() => Collection, (c) => c.products, { onDelete: "SET NULL" }),
-  JoinColumn16({ name: "collectionId" })
+  ManyToOne17(() => Collection, (c) => c.products, { onDelete: "SET NULL" }),
+  JoinColumn17({ name: "collectionId" })
 ], Product.prototype, "collection", 2);
 __decorateClass([
-  ManyToOne16(() => Brand, (b) => b.products, { onDelete: "SET NULL" }),
-  JoinColumn16({ name: "brandId" })
+  ManyToOne17(() => Brand, (b) => b.products, { onDelete: "SET NULL" }),
+  JoinColumn17({ name: "brandId" })
 ], Product.prototype, "brand", 2);
 __decorateClass([
-  ManyToOne16(() => ProductCategory, (c) => c.products, { onDelete: "SET NULL" }),
-  JoinColumn16({ name: "categoryId" })
+  ManyToOne17(() => ProductCategory, (c) => c.products, { onDelete: "SET NULL" }),
+  JoinColumn17({ name: "categoryId" })
 ], Product.prototype, "category", 2);
 __decorateClass([
   OneToMany12("ProductAttribute", "product")
@@ -2791,7 +3551,7 @@ Attribute = __decorateClass([
 ], Attribute);
 
 // src/entities/product-attribute.entity.ts
-import { Entity as Entity27, PrimaryGeneratedColumn as PrimaryGeneratedColumn27, Column as Column27, ManyToOne as ManyToOne17, JoinColumn as JoinColumn17 } from "typeorm";
+import { Entity as Entity27, PrimaryGeneratedColumn as PrimaryGeneratedColumn27, Column as Column27, ManyToOne as ManyToOne18, JoinColumn as JoinColumn18 } from "typeorm";
 var ProductAttribute = class {
   id;
   productId;
@@ -2825,12 +3585,12 @@ __decorateClass([
   Column27({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
 ], ProductAttribute.prototype, "updatedAt", 2);
 __decorateClass([
-  ManyToOne17(() => Product, (p) => p.attributes, { onDelete: "CASCADE" }),
-  JoinColumn17({ name: "productId" })
+  ManyToOne18(() => Product, (p) => p.attributes, { onDelete: "CASCADE" }),
+  JoinColumn18({ name: "productId" })
 ], ProductAttribute.prototype, "product", 2);
 __decorateClass([
-  ManyToOne17(() => Attribute, { onDelete: "CASCADE" }),
-  JoinColumn17({ name: "attributeId" })
+  ManyToOne18(() => Attribute, { onDelete: "CASCADE" }),
+  JoinColumn18({ name: "attributeId" })
 ], ProductAttribute.prototype, "attribute", 2);
 ProductAttribute = __decorateClass([
   Entity27("product_attributes")
@@ -2905,7 +3665,7 @@ Tax = __decorateClass([
 ], Tax);
 
 // src/entities/product-tax.entity.ts
-import { Entity as Entity29, PrimaryGeneratedColumn as PrimaryGeneratedColumn29, Column as Column29, ManyToOne as ManyToOne18, JoinColumn as JoinColumn18 } from "typeorm";
+import { Entity as Entity29, PrimaryGeneratedColumn as PrimaryGeneratedColumn29, Column as Column29, ManyToOne as ManyToOne19, JoinColumn as JoinColumn19 } from "typeorm";
 var ProductTax = class {
   id;
   productId;
@@ -2935,19 +3695,19 @@ __decorateClass([
   Column29({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
 ], ProductTax.prototype, "updatedAt", 2);
 __decorateClass([
-  ManyToOne18(() => Product, (p) => p.taxes, { onDelete: "CASCADE" }),
-  JoinColumn18({ name: "productId" })
+  ManyToOne19(() => Product, (p) => p.taxes, { onDelete: "CASCADE" }),
+  JoinColumn19({ name: "productId" })
 ], ProductTax.prototype, "product", 2);
 __decorateClass([
-  ManyToOne18(() => Tax, { onDelete: "CASCADE" }),
-  JoinColumn18({ name: "taxId" })
+  ManyToOne19(() => Tax, { onDelete: "CASCADE" }),
+  JoinColumn19({ name: "taxId" })
 ], ProductTax.prototype, "tax", 2);
 ProductTax = __decorateClass([
   Entity29("product_taxes")
 ], ProductTax);
 
 // src/entities/order-item.entity.ts
-import { Entity as Entity30, PrimaryGeneratedColumn as PrimaryGeneratedColumn30, Column as Column30, ManyToOne as ManyToOne19, JoinColumn as JoinColumn19 } from "typeorm";
+import { Entity as Entity30, PrimaryGeneratedColumn as PrimaryGeneratedColumn30, Column as Column30, ManyToOne as ManyToOne20, JoinColumn as JoinColumn20 } from "typeorm";
 var OrderItem = class {
   id;
   orderId;
@@ -2993,12 +3753,12 @@ __decorateClass([
   Column30({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
 ], OrderItem.prototype, "updatedAt", 2);
 __decorateClass([
-  ManyToOne19(() => Order, (o) => o.items, { onDelete: "CASCADE" }),
-  JoinColumn19({ name: "orderId" })
+  ManyToOne20(() => Order, (o) => o.items, { onDelete: "CASCADE" }),
+  JoinColumn20({ name: "orderId" })
 ], OrderItem.prototype, "order", 2);
 __decorateClass([
-  ManyToOne19(() => Product, { onDelete: "CASCADE" }),
-  JoinColumn19({ name: "productId" })
+  ManyToOne20(() => Product, { onDelete: "CASCADE" }),
+  JoinColumn20({ name: "productId" })
 ], OrderItem.prototype, "product", 2);
 OrderItem = __decorateClass([
   Entity30("order_items")
@@ -3008,7 +3768,7 @@ OrderItem = __decorateClass([
 import { Entity as Entity32, PrimaryGeneratedColumn as PrimaryGeneratedColumn32, Column as Column32, OneToMany as OneToMany13 } from "typeorm";
 
 // src/entities/knowledge-base-chunk.entity.ts
-import { Entity as Entity31, PrimaryGeneratedColumn as PrimaryGeneratedColumn31, Column as Column31, ManyToOne as ManyToOne20, JoinColumn as JoinColumn20 } from "typeorm";
+import { Entity as Entity31, PrimaryGeneratedColumn as PrimaryGeneratedColumn31, Column as Column31, ManyToOne as ManyToOne21, JoinColumn as JoinColumn21 } from "typeorm";
 var KnowledgeBaseChunk = class {
   id;
   documentId;
@@ -3033,8 +3793,8 @@ __decorateClass([
   Column31({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
 ], KnowledgeBaseChunk.prototype, "createdAt", 2);
 __decorateClass([
-  ManyToOne20(() => KnowledgeBaseDocument, (d) => d.chunks, { onDelete: "CASCADE" }),
-  JoinColumn20({ name: "documentId" })
+  ManyToOne21(() => KnowledgeBaseDocument, (d) => d.chunks, { onDelete: "CASCADE" }),
+  JoinColumn21({ name: "documentId" })
 ], KnowledgeBaseChunk.prototype, "document", 2);
 KnowledgeBaseChunk = __decorateClass([
   Entity31("knowledge_base_chunks")
@@ -3075,24 +3835,198 @@ KnowledgeBaseDocument = __decorateClass([
   Entity32("knowledge_base_documents")
 ], KnowledgeBaseDocument);
 
-// src/entities/index.ts
-var CMS_ENTITY_MAP = {
-  users: User,
-  password_reset_tokens: PasswordResetToken,
-  user_groups: UserGroup,
-  permissions: Permission,
-  blogs: Blog,
-  tags: Tag,
-  categories: Category,
-  comments: Comment,
-  contacts: Contact,
-  addresses: Address,
-  forms: Form,
-  form_fields: FormField,
-  form_submissions: FormSubmission,
-  seos: Seo,
-  configs: Config,
-  media: Media,
+// src/entities/cart.entity.ts
+import { Entity as Entity33, PrimaryGeneratedColumn as PrimaryGeneratedColumn33, Column as Column33, ManyToOne as ManyToOne22, OneToMany as OneToMany14, JoinColumn as JoinColumn22 } from "typeorm";
+var Cart = class {
+  id;
+  guestToken;
+  contactId;
+  currency;
+  expiresAt;
+  createdAt;
+  updatedAt;
+  contact;
+  items;
+};
+__decorateClass([
+  PrimaryGeneratedColumn33()
+], Cart.prototype, "id", 2);
+__decorateClass([
+  Column33("varchar", { nullable: true })
+], Cart.prototype, "guestToken", 2);
+__decorateClass([
+  Column33("int", { nullable: true })
+], Cart.prototype, "contactId", 2);
+__decorateClass([
+  Column33("varchar", { default: "INR" })
+], Cart.prototype, "currency", 2);
+__decorateClass([
+  Column33({ type: "timestamp", nullable: true })
+], Cart.prototype, "expiresAt", 2);
+__decorateClass([
+  Column33({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
+], Cart.prototype, "createdAt", 2);
+__decorateClass([
+  Column33({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
+], Cart.prototype, "updatedAt", 2);
+__decorateClass([
+  ManyToOne22(() => Contact, { onDelete: "CASCADE" }),
+  JoinColumn22({ name: "contactId" })
+], Cart.prototype, "contact", 2);
+__decorateClass([
+  OneToMany14("CartItem", "cart")
+], Cart.prototype, "items", 2);
+Cart = __decorateClass([
+  Entity33("carts")
+], Cart);
+
+// src/entities/cart-item.entity.ts
+import { Entity as Entity34, PrimaryGeneratedColumn as PrimaryGeneratedColumn34, Column as Column34, ManyToOne as ManyToOne23, JoinColumn as JoinColumn23 } from "typeorm";
+var CartItem = class {
+  id;
+  cartId;
+  productId;
+  quantity;
+  metadata;
+  createdAt;
+  updatedAt;
+  cart;
+  product;
+};
+__decorateClass([
+  PrimaryGeneratedColumn34()
+], CartItem.prototype, "id", 2);
+__decorateClass([
+  Column34("int")
+], CartItem.prototype, "cartId", 2);
+__decorateClass([
+  Column34("int")
+], CartItem.prototype, "productId", 2);
+__decorateClass([
+  Column34("int", { default: 1 })
+], CartItem.prototype, "quantity", 2);
+__decorateClass([
+  Column34("jsonb", { nullable: true })
+], CartItem.prototype, "metadata", 2);
+__decorateClass([
+  Column34({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
+], CartItem.prototype, "createdAt", 2);
+__decorateClass([
+  Column34({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
+], CartItem.prototype, "updatedAt", 2);
+__decorateClass([
+  ManyToOne23(() => Cart, (c) => c.items, { onDelete: "CASCADE" }),
+  JoinColumn23({ name: "cartId" })
+], CartItem.prototype, "cart", 2);
+__decorateClass([
+  ManyToOne23(() => Product, { onDelete: "CASCADE" }),
+  JoinColumn23({ name: "productId" })
+], CartItem.prototype, "product", 2);
+CartItem = __decorateClass([
+  Entity34("cart_items")
+], CartItem);
+
+// src/entities/wishlist.entity.ts
+import { Entity as Entity35, PrimaryGeneratedColumn as PrimaryGeneratedColumn35, Column as Column35, ManyToOne as ManyToOne24, OneToMany as OneToMany15, JoinColumn as JoinColumn24 } from "typeorm";
+var Wishlist = class {
+  id;
+  guestId;
+  contactId;
+  name;
+  createdAt;
+  updatedAt;
+  contact;
+  items;
+};
+__decorateClass([
+  PrimaryGeneratedColumn35()
+], Wishlist.prototype, "id", 2);
+__decorateClass([
+  Column35("varchar", { nullable: true })
+], Wishlist.prototype, "guestId", 2);
+__decorateClass([
+  Column35("int", { nullable: true })
+], Wishlist.prototype, "contactId", 2);
+__decorateClass([
+  Column35("varchar", { default: "default" })
+], Wishlist.prototype, "name", 2);
+__decorateClass([
+  Column35({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
+], Wishlist.prototype, "createdAt", 2);
+__decorateClass([
+  Column35({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
+], Wishlist.prototype, "updatedAt", 2);
+__decorateClass([
+  ManyToOne24(() => Contact, { onDelete: "CASCADE" }),
+  JoinColumn24({ name: "contactId" })
+], Wishlist.prototype, "contact", 2);
+__decorateClass([
+  OneToMany15("WishlistItem", "wishlist")
+], Wishlist.prototype, "items", 2);
+Wishlist = __decorateClass([
+  Entity35("wishlists")
+], Wishlist);
+
+// src/entities/wishlist-item.entity.ts
+import { Entity as Entity36, PrimaryGeneratedColumn as PrimaryGeneratedColumn36, Column as Column36, ManyToOne as ManyToOne25, JoinColumn as JoinColumn25 } from "typeorm";
+var WishlistItem = class {
+  id;
+  wishlistId;
+  productId;
+  metadata;
+  createdAt;
+  updatedAt;
+  wishlist;
+  product;
+};
+__decorateClass([
+  PrimaryGeneratedColumn36()
+], WishlistItem.prototype, "id", 2);
+__decorateClass([
+  Column36("int")
+], WishlistItem.prototype, "wishlistId", 2);
+__decorateClass([
+  Column36("int")
+], WishlistItem.prototype, "productId", 2);
+__decorateClass([
+  Column36("jsonb", { nullable: true })
+], WishlistItem.prototype, "metadata", 2);
+__decorateClass([
+  Column36({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
+], WishlistItem.prototype, "createdAt", 2);
+__decorateClass([
+  Column36({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" })
+], WishlistItem.prototype, "updatedAt", 2);
+__decorateClass([
+  ManyToOne25(() => Wishlist, (w) => w.items, { onDelete: "CASCADE" }),
+  JoinColumn25({ name: "wishlistId" })
+], WishlistItem.prototype, "wishlist", 2);
+__decorateClass([
+  ManyToOne25(() => Product, { onDelete: "CASCADE" }),
+  JoinColumn25({ name: "productId" })
+], WishlistItem.prototype, "product", 2);
+WishlistItem = __decorateClass([
+  Entity36("wishlist_items")
+], WishlistItem);
+
+// src/entities/index.ts
+var CMS_ENTITY_MAP = {
+  users: User,
+  password_reset_tokens: PasswordResetToken,
+  user_groups: UserGroup,
+  permissions: Permission,
+  blogs: Blog,
+  tags: Tag,
+  categories: Category,
+  comments: Comment,
+  contacts: Contact,
+  addresses: Address,
+  forms: Form,
+  form_fields: FormField,
+  form_submissions: FormSubmission,
+  seos: Seo,
+  configs: Config,
+  media: Media,
   pages: Page,
   product_categories: ProductCategory,
   collections: Collection,
@@ -3108,10 +4042,79 @@ var CMS_ENTITY_MAP = {
   knowledge_base_documents: KnowledgeBaseDocument,
   knowledge_base_chunks: KnowledgeBaseChunk,
   chat_conversations: ChatConversation,
-  chat_messages: ChatMessage
+  chat_messages: ChatMessage,
+  carts: Cart,
+  cart_items: CartItem,
+  wishlists: Wishlist,
+  wishlist_items: WishlistItem
 };
 
+// src/auth/permission-entities.ts
+var PERMISSION_ENTITY_INTERNAL_EXCLUDE = /* @__PURE__ */ new Set([
+  "users",
+  "password_reset_tokens",
+  "user_groups",
+  "permissions",
+  "comments",
+  "form_fields",
+  "configs",
+  "knowledge_base_chunks",
+  "carts",
+  "cart_items",
+  "wishlists",
+  "wishlist_items"
+]);
+var PERMISSION_LOGICAL_ENTITIES = [
+  "users",
+  "forms",
+  "form_submissions",
+  "dashboard",
+  "upload",
+  "settings",
+  "analytics",
+  "chat"
+];
+var ADMIN_GROUP_NAME = "Administrator";
+function isSuperAdminGroupName(name) {
+  return name === ADMIN_GROUP_NAME;
+}
+function getPermissionableEntityKeys(entityMap) {
+  const fromMap = Object.keys(entityMap).filter((k) => !PERMISSION_ENTITY_INTERNAL_EXCLUDE.has(k));
+  const logical = PERMISSION_LOGICAL_ENTITIES.filter((k) => !fromMap.includes(k));
+  return [...fromMap.sort(), ...logical].filter((k, i, a) => a.indexOf(k) === i);
+}
+function permissionRowsToRecord(rows) {
+  const out = {};
+  if (!rows?.length) return out;
+  for (const p of rows) {
+    out[p.entity] = {
+      c: !!p.canCreate,
+      r: !!p.canRead,
+      u: !!p.canUpdate,
+      d: !!p.canDelete
+    };
+  }
+  return out;
+}
+function hasEntityPermission(record, entity, action) {
+  const p = record?.[entity];
+  if (!p) return false;
+  if (action === "create") return p.c;
+  if (action === "read") return p.r;
+  if (action === "update") return p.u;
+  return p.d;
+}
+
 // src/auth/helpers.ts
+var RBAC_ADMIN_ONLY_ENTITIES = /* @__PURE__ */ new Set(["users", "user_groups", "permissions"]);
+function sessionHasEntityAccess(user, entity, action) {
+  if (!user?.email) return false;
+  if (user.isRBACAdmin && RBAC_ADMIN_ONLY_ENTITIES.has(entity)) return true;
+  return hasEntityPermission(user.entityPerms, entity, action);
+}
+function canManageRoles(user) {
+  return !!(user?.email && user.isRBACAdmin);
+}
 var OPEN_ENDPOINTS = [
   { "/api/contacts": ["POST"] },
   { "/api/form-submissions": ["POST"] },
@@ -3147,6 +4150,25 @@ function createAuthHelpers(getSession, NextResponse) {
       }
       return null;
     },
+    async requireEntityPermission(_req, entity, action) {
+      const session = await getSession();
+      if (!session?.user?.email) {
+        return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+      }
+      const u = session.user;
+      if (sessionHasEntityAccess(u, entity, action)) return null;
+      return NextResponse.json({ error: "Forbidden", entity, action }, { status: 403 });
+    },
+    async requireAdminAccess() {
+      const session = await getSession();
+      if (!session?.user?.email) {
+        return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+      }
+      const u = session.user;
+      if (u.isRBACAdmin) return null;
+      if (u.adminAccess === false) return NextResponse.json({ error: "Forbidden", reason: "admin_access" }, { status: 403 });
+      return null;
+    },
     async getAuthenticatedUser() {
       const session = await getSession();
       return session?.user ?? null;
@@ -3154,6 +4176,36 @@ function createAuthHelpers(getSession, NextResponse) {
   };
 }
 
+// src/auth/seed-permissions.ts
+async function seedAdministratorPermissions(dataSource, entityMap) {
+  const entities = getPermissionableEntityKeys(entityMap);
+  const groupRepo = dataSource.getRepository(entityMap.user_groups);
+  const permRepo = dataSource.getRepository(entityMap.permissions);
+  const adminGroup = await groupRepo.findOne({ where: { name: ADMIN_GROUP_NAME, deleted: false } });
+  if (!adminGroup) return;
+  const fullCrud = { canCreate: true, canRead: true, canUpdate: true, canDelete: true };
+  for (const entity of entities) {
+    const existing = await permRepo.findOne({
+      where: { groupId: adminGroup.id, entity }
+    });
+    if (existing) {
+      existing.canCreate = true;
+      existing.canRead = true;
+      existing.canUpdate = true;
+      existing.canDelete = true;
+      await permRepo.save(existing);
+    } else {
+      await permRepo.save(
+        permRepo.create({
+          groupId: adminGroup.id,
+          entity,
+          ...fullCrud
+        })
+      );
+    }
+  }
+}
+
 // src/auth/middleware.ts
 var defaultPublicApiMethods = {
   "/api/contacts": ["POST"],
@@ -3228,12 +4280,18 @@ function getNextAuthOptions(config) {
             if (!user || user.blocked || user.deleted || !user.password) return null;
             const valid = await comparePassword(credentials.password, user.password);
             if (!valid) return null;
+            const g = user.group;
+            const isRBACAdmin = isSuperAdminGroupName(g?.name);
+            const entityPerms = permissionRowsToRecord(g?.permissions);
+            const adminAccess = user.adminAccess === true;
             return {
               id: user.id.toString(),
               email: user.email,
               name: user.name,
               groupId: user.groupId ?? void 0,
-              permissions: ["admin"]
+              isRBACAdmin,
+              entityPerms,
+              adminAccess
             };
           } catch {
             return null;
@@ -3257,17 +4315,23 @@ function getNextAuthOptions(config) {
     callbacks: {
       async jwt({ token, user }) {
         if (user) {
-          token.id = user.id;
-          token.groupId = user.groupId;
-          token.permissions = user.permissions;
+          const u = user;
+          token.id = u.id;
+          token.groupId = u.groupId;
+          token.isRBACAdmin = u.isRBACAdmin;
+          token.entityPerms = u.entityPerms;
+          token.adminAccess = u.adminAccess;
         }
         return token;
       },
       async session({ session, token }) {
         if (session.user) {
-          session.user.id = token.id;
-          session.user.groupId = token.groupId;
-          session.user.permissions = token.permissions;
+          const t = token;
+          session.user.id = t.id;
+          session.user.groupId = t.groupId;
+          session.user.isRBACAdmin = t.isRBACAdmin;
+          session.user.entityPerms = t.entityPerms;
+          session.user.adminAccess = t.adminAccess;
         }
         return session;
       }
@@ -3312,11 +4376,38 @@ function sanitizeBodyForEntity(repo, body) {
     }
   }
 }
+function pickColumnUpdates(repo, body) {
+  const cols = new Set(repo.metadata.columns.map((c) => c.propertyName));
+  const out = {};
+  for (const k of Object.keys(body)) {
+    if (cols.has(k)) out[k] = body[k];
+  }
+  return out;
+}
+function buildSearchWhereClause(repo, search) {
+  const cols = new Set(repo.metadata.columns.map((c) => c.propertyName));
+  const term = ILike(`%${search}%`);
+  const ors = [];
+  for (const field of ["name", "title", "slug", "email", "filename"]) {
+    if (cols.has(field)) ors.push({ [field]: term });
+  }
+  if (ors.length === 0) return {};
+  return ors.length === 1 ? ors[0] : ors;
+}
 function createCrudHandler(dataSource, entityMap, options) {
-  const { requireAuth, json } = options;
+  const { requireAuth, json, requireEntityPermission: reqPerm } = options;
+  async function authz(req, resource, action) {
+    const authError = await requireAuth(req);
+    if (authError) return authError;
+    if (reqPerm) {
+      const pe = await reqPerm(req, resource, action);
+      if (pe) return pe;
+    }
+    return null;
+  }
   return {
     async GET(req, resource) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "read");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!resource || !entity) {
@@ -3332,7 +4423,7 @@ function createCrudHandler(dataSource, entityMap, options) {
       if (resource === "orders") {
         const repo2 = dataSource.getRepository(entity);
         const allowedSort = ["id", "orderNumber", "contactId", "status", "total", "currency", "createdAt", "updatedAt"];
-        const sortField = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "createdAt";
+        const sortField2 = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "createdAt";
         const sortOrderOrders = searchParams.get("sortOrder") === "asc" ? "ASC" : "DESC";
         const statusFilter = searchParams.get("status")?.trim();
         const dateFrom = searchParams.get("dateFrom")?.trim();
@@ -3347,7 +4438,7 @@ function createCrudHandler(dataSource, entityMap, options) {
             return json({ total: 0, page, limit, totalPages: 0, data: [] });
           }
         }
-        const qb = repo2.createQueryBuilder("order").leftJoinAndSelect("order.contact", "contact").leftJoinAndSelect("order.items", "items").leftJoinAndSelect("items.product", "product").leftJoinAndSelect("product.collection", "collection").orderBy(`order.${sortField}`, sortOrderOrders).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("order").leftJoinAndSelect("order.contact", "contact").leftJoinAndSelect("order.items", "items").leftJoinAndSelect("items.product", "product").leftJoinAndSelect("product.collection", "collection").orderBy(`order.${sortField2}`, sortOrderOrders).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere(
@@ -3378,14 +4469,14 @@ function createCrudHandler(dataSource, entityMap, options) {
       if (resource === "payments") {
         const repo2 = dataSource.getRepository(entity);
         const allowedSort = ["id", "orderId", "amount", "currency", "status", "method", "paidAt", "createdAt", "updatedAt"];
-        const sortField = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "createdAt";
+        const sortField2 = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "createdAt";
         const sortOrderPayments = searchParams.get("sortOrder") === "asc" ? "ASC" : "DESC";
         const statusFilter = searchParams.get("status")?.trim();
         const dateFrom = searchParams.get("dateFrom")?.trim();
         const dateTo = searchParams.get("dateTo")?.trim();
         const methodFilter = searchParams.get("method")?.trim();
         const orderNumberParam = searchParams.get("orderNumber")?.trim();
-        const qb = repo2.createQueryBuilder("payment").leftJoinAndSelect("payment.order", "ord").leftJoinAndSelect("ord.contact", "orderContact").leftJoinAndSelect("payment.contact", "contact").orderBy(`payment.${sortField}`, sortOrderPayments).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("payment").leftJoinAndSelect("payment.order", "ord").leftJoinAndSelect("ord.contact", "orderContact").leftJoinAndSelect("payment.contact", "contact").orderBy(`payment.${sortField2}`, sortOrderPayments).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere(
@@ -3434,12 +4525,12 @@ function createCrudHandler(dataSource, entityMap, options) {
       if (resource === "contacts") {
         const repo2 = dataSource.getRepository(entity);
         const allowedSort = ["id", "name", "email", "createdAt", "type"];
-        const sortField = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "createdAt";
+        const sortField2 = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "createdAt";
         const sortOrderContacts = searchParams.get("sortOrder") === "asc" ? "ASC" : "DESC";
         const typeFilter2 = searchParams.get("type")?.trim();
         const orderIdParam = searchParams.get("orderId")?.trim();
         const includeSummary = searchParams.get("includeSummary") === "1";
-        const qb = repo2.createQueryBuilder("contact").orderBy(`contact.${sortField}`, sortOrderContacts).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("contact").orderBy(`contact.${sortField2}`, sortOrderContacts).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere("(contact.name ILIKE :term OR contact.email ILIKE :term OR contact.phone ILIKE :term)", { term });
@@ -3473,6 +4564,8 @@ function createCrudHandler(dataSource, entityMap, options) {
       }
       const repo = dataSource.getRepository(entity);
       const typeFilter = searchParams.get("type");
+      const columnNames = new Set(repo.metadata.columns.map((c) => c.propertyName));
+      const sortField = columnNames.has(sortFieldRaw) ? sortFieldRaw : "createdAt";
       let where = {};
       if (resource === "media") {
         const mediaWhere = {};
@@ -3480,18 +4573,18 @@ function createCrudHandler(dataSource, entityMap, options) {
         if (typeFilter) mediaWhere.mimeType = Like(`${typeFilter}/%`);
         where = Object.keys(mediaWhere).length > 0 ? mediaWhere : {};
       } else if (search) {
-        where = [{ name: ILike(`%${search}%`) }, { title: ILike(`%${search}%`) }];
+        where = buildSearchWhereClause(repo, search);
       }
       const [data, total] = await repo.findAndCount({
         skip,
         take: limit,
-        order: { [sortFieldRaw]: sortOrder },
+        order: { [sortField]: sortOrder },
         where
       });
       return json({ total, page, limit, totalPages: Math.ceil(total / limit), data });
     },
     async POST(req, resource) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "create");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!resource || !entity) {
@@ -3507,7 +4600,7 @@ function createCrudHandler(dataSource, entityMap, options) {
       return json(created, { status: 201 });
     },
     async GET_METADATA(req, resource) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "read");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!resource || !entity) {
@@ -3538,7 +4631,7 @@ function createCrudHandler(dataSource, entityMap, options) {
       return json({ columns, uniqueColumns });
     },
     async BULK_POST(req, resource) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "update");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!resource || !entity) {
@@ -3569,7 +4662,7 @@ function createCrudHandler(dataSource, entityMap, options) {
       }
     },
     async GET_EXPORT(req, resource) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "read");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!resource || !entity) {
@@ -3610,10 +4703,19 @@ function createCrudHandler(dataSource, entityMap, options) {
   };
 }
 function createCrudByIdHandler(dataSource, entityMap, options) {
-  const { requireAuth, json } = options;
+  const { requireAuth, json, requireEntityPermission: reqPerm } = options;
+  async function authz(req, resource, action) {
+    const authError = await requireAuth(req);
+    if (authError) return authError;
+    if (reqPerm) {
+      const pe = await reqPerm(req, resource, action);
+      if (pe) return pe;
+    }
+    return null;
+  }
   return {
     async GET(req, resource, id) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "read");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!entity) return json({ error: "Invalid resource" }, { status: 400 });
@@ -3656,23 +4758,111 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
         if (!payment) return json({ message: "Not found" }, { status: 404 });
         return json(payment);
       }
+      if (resource === "blogs") {
+        const blog = await repo.findOne({
+          where: { id: Number(id) },
+          relations: ["category", "seo", "tags"]
+        });
+        return blog ? json(blog) : json({ message: "Not found" }, { status: 404 });
+      }
       const item = await repo.findOne({ where: { id: Number(id) } });
       return item ? json(item) : json({ message: "Not found" }, { status: 404 });
     },
     async PUT(req, resource, id) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "update");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!entity) return json({ error: "Invalid resource" }, { status: 400 });
-      const body = await req.json();
+      const rawBody = await req.json();
       const repo = dataSource.getRepository(entity);
-      if (body && typeof body === "object") sanitizeBodyForEntity(repo, body);
-      await repo.update(Number(id), body);
-      const updated = await repo.findOne({ where: { id: Number(id) } });
+      const numericId = Number(id);
+      if (resource === "blogs" && rawBody && typeof rawBody === "object" && entityMap.categories && entityMap.seos && entityMap.tags) {
+        const existing = await repo.findOne({ where: { id: numericId } });
+        if (!existing) return json({ message: "Not found" }, { status: 404 });
+        const updatePayload2 = pickColumnUpdates(repo, rawBody);
+        if ("category" in rawBody) {
+          const c = rawBody.category;
+          if (typeof c === "string" && c.trim()) {
+            const cat = await dataSource.getRepository(entityMap.categories).findOne({ where: { name: c.trim() } });
+            updatePayload2.categoryId = cat?.id ?? null;
+          } else {
+            updatePayload2.categoryId = null;
+          }
+        }
+        const blogSlug = typeof updatePayload2.slug === "string" && updatePayload2.slug || existing.slug;
+        const seoRepo = dataSource.getRepository(entityMap.seos);
+        const seoField = (k) => {
+          if (!(k in rawBody)) return void 0;
+          const v = rawBody[k];
+          if (v == null || v === "") return null;
+          return String(v);
+        };
+        if ("metaTitle" in rawBody || "metaDescription" in rawBody || "metaKeywords" in rawBody || "ogImage" in rawBody) {
+          const title = seoField("metaTitle");
+          const description = seoField("metaDescription");
+          const keywords = seoField("metaKeywords");
+          const ogImage = seoField("ogImage");
+          const exSeoId = existing.seoId;
+          if (exSeoId) {
+            const seo = await seoRepo.findOne({ where: { id: exSeoId } });
+            if (seo) {
+              const s = seo;
+              if (title !== void 0) s.title = title;
+              if (description !== void 0) s.description = description;
+              if (keywords !== void 0) s.keywords = keywords;
+              if (ogImage !== void 0) s.ogImage = ogImage;
+              s.slug = blogSlug;
+              await seoRepo.save(seo);
+            }
+          } else {
+            let seoSlug = blogSlug;
+            const taken = await seoRepo.findOne({ where: { slug: seoSlug } });
+            if (taken) seoSlug = `blog-${numericId}-${blogSlug}`;
+            const seo = await seoRepo.save(
+              seoRepo.create({
+                slug: seoSlug,
+                title: title ?? null,
+                description: description ?? null,
+                keywords: keywords ?? null,
+                ogImage: ogImage ?? null
+              })
+            );
+            updatePayload2.seoId = seo.id;
+          }
+        }
+        sanitizeBodyForEntity(repo, updatePayload2);
+        await repo.update(numericId, updatePayload2);
+        if (Array.isArray(rawBody.tags)) {
+          const tagNames = rawBody.tags.map((t) => String(t).trim()).filter(Boolean);
+          const tagRepo = dataSource.getRepository(entityMap.tags);
+          const tagEntities = [];
+          for (const name of tagNames) {
+            let tag = await tagRepo.findOne({ where: { name } });
+            if (!tag) tag = await tagRepo.save(tagRepo.create({ name }));
+            tagEntities.push(tag);
+          }
+          const blog = await repo.findOne({ where: { id: numericId }, relations: ["tags"] });
+          if (blog) {
+            blog.tags = tagEntities;
+            await repo.save(blog);
+          }
+        }
+        const updated2 = await repo.findOne({
+          where: { id: numericId },
+          relations: ["tags", "category", "seo"]
+        });
+        return updated2 ? json(updated2) : json({ message: "Not found" }, { status: 404 });
+      }
+      const updatePayload = rawBody && typeof rawBody === "object" ? pickColumnUpdates(repo, rawBody) : {};
+      if (Object.keys(updatePayload).length > 0) {
+        sanitizeBodyForEntity(repo, updatePayload);
+        await repo.update(numericId, updatePayload);
+      }
+      const updated = await repo.findOne({ where: { id: numericId } });
       return updated ? json(updated) : json({ message: "Not found" }, { status: 404 });
     },
     async DELETE(req, resource, id) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "delete");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!entity) return json({ error: "Invalid resource" }, { status: 400 });
@@ -3696,13 +4886,20 @@ function createForgotPasswordHandler(config) {
       const user = await userRepo.findOne({ where: { email }, select: ["email"] });
       const msg = "If an account exists with this email, you will receive a reset link shortly.";
       if (!user) return json({ message: msg }, { status: 200 });
-      const crypto2 = await import("crypto");
-      const token = crypto2.randomBytes(32).toString("hex");
+      const crypto3 = await import("crypto");
+      const token = crypto3.randomBytes(32).toString("hex");
       const expiresAt = new Date(Date.now() + resetExpiryHours * 60 * 60 * 1e3);
       const tokenRepo = dataSource.getRepository(entityMap.password_reset_tokens);
       await tokenRepo.save(tokenRepo.create({ email: user.email, token, expiresAt }));
       const resetLink = `${baseUrl}/admin/reset-password?token=${token}`;
-      if (sendEmail) await sendEmail({ to: user.email, subject: "Password reset", html: `<a href="${resetLink}">Reset password</a>`, text: resetLink });
+      if (sendEmail)
+        await sendEmail({
+          to: user.email,
+          subject: "Password reset",
+          html: `<a href="${resetLink}">Reset password</a>`,
+          text: resetLink,
+          resetLink
+        });
       if (afterCreateToken) await afterCreateToken(user.email, resetLink);
       return json({ message: msg }, { status: 200 });
     } catch (err) {
@@ -3751,6 +4948,9 @@ function createInviteAcceptHandler(config) {
       const user = await userRepo.findOne({ where: { email }, select: ["id", "blocked"] });
       if (!user) return json({ error: "User not found" }, { status: 400 });
       if (!user.blocked) return json({ error: "User is already active" }, { status: 400 });
+      if (entityMap.contacts) {
+        await linkUnclaimedContactToUser(dataSource, entityMap.contacts, user.id, email);
+      }
       if (beforeActivate) await beforeActivate(email, user.id);
       const hashedPassword = await hashPassword(password);
       await userRepo.update(user.id, { password: hashedPassword, blocked: false });
@@ -3811,12 +5011,17 @@ function createUserAuthApiRouter(config) {
 }
 
 // src/api/cms-handlers.ts
+init_email_queue();
 import { MoreThanOrEqual, ILike as ILike2 } from "typeorm";
 function createDashboardStatsHandler(config) {
-  const { dataSource, entityMap, json, requireAuth, requirePermission } = config;
+  const { dataSource, entityMap, json, requireAuth, requirePermission, requireEntityPermission } = config;
   return async function GET(req) {
     const authErr = await requireAuth(req);
     if (authErr) return authErr;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(req, "dashboard", "read");
+      if (pe) return pe;
+    }
     if (requirePermission) {
       const permErr = await requirePermission(req, "view_dashboard");
       if (permErr) return permErr;
@@ -3875,11 +5080,15 @@ function createAnalyticsHandlers(config) {
   };
 }
 function createUploadHandler(config) {
-  const { json, requireAuth, storage, localUploadDir = "public/uploads", allowedTypes, maxSizeBytes = 10 * 1024 * 1024 } = config;
+  const { json, requireAuth, requireEntityPermission, storage, localUploadDir = "public/uploads", allowedTypes, maxSizeBytes = 10 * 1024 * 1024 } = config;
   const allowed = allowedTypes ?? ["image/jpeg", "image/png", "image/gif", "image/webp", "application/pdf", "text/plain"];
   return async function POST(req) {
     const authErr = await requireAuth(req);
     if (authErr) return authErr;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(req, "upload", "create");
+      if (pe) return pe;
+    }
     try {
       const formData = await req.formData();
       const file = formData.get("file");
@@ -3960,13 +5169,17 @@ function normalizeFieldRow(f, formId) {
   };
 }
 function createFormSaveHandlers(config) {
-  const { dataSource, entityMap, json, requireAuth } = config;
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission } = config;
   const formRepo = () => dataSource.getRepository(entityMap.forms);
   const fieldRepo = () => dataSource.getRepository(entityMap.form_fields);
   return {
     async GET(req, id) {
       const authErr = await requireAuth(req);
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(req, "forms", "read");
+        if (pe) return pe;
+      }
       try {
         const formId = Number(id);
         if (!Number.isInteger(formId) || formId <= 0) return json({ error: "Invalid form id" }, { status: 400 });
@@ -3986,6 +5199,10 @@ function createFormSaveHandlers(config) {
     async POST(req) {
       const authErr = await requireAuth(req);
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(req, "forms", "create");
+        if (pe) return pe;
+      }
       try {
         const body = await req.json();
         if (!body || typeof body !== "object") return json({ error: "Invalid request payload" }, { status: 400 });
@@ -4006,6 +5223,10 @@ function createFormSaveHandlers(config) {
     async PUT(req, id) {
       const authErr = await requireAuth(req);
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(req, "forms", "update");
+        if (pe) return pe;
+      }
       try {
         const formId = Number(id);
         if (!Number.isInteger(formId) || formId <= 0) return json({ error: "Invalid form id" }, { status: 400 });
@@ -4034,10 +5255,14 @@ function createFormSaveHandlers(config) {
   };
 }
 function createFormSubmissionGetByIdHandler(config) {
-  const { dataSource, entityMap, json, requireAuth } = config;
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission } = config;
   return async function GET(req, id) {
     const authErr = await requireAuth(req);
     if (authErr) return authErr;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(req, "form_submissions", "read");
+      if (pe) return pe;
+    }
     try {
       const submissionId = Number(id);
       if (!Number.isInteger(submissionId) || submissionId <= 0) return json({ error: "Invalid id" }, { status: 400 });
@@ -4064,10 +5289,14 @@ function createFormSubmissionGetByIdHandler(config) {
   };
 }
 function createFormSubmissionListHandler(config) {
-  const { dataSource, entityMap, json, requireAuth } = config;
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission } = config;
   return async function GET(req) {
     const authErr = await requireAuth(req);
     if (authErr) return authErr;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(req, "form_submissions", "read");
+      if (pe) return pe;
+    }
     try {
       const repo = dataSource.getRepository(entityMap.form_submissions);
       const { searchParams } = new URL(req.url);
@@ -4088,6 +5317,11 @@ function createFormSubmissionListHandler(config) {
     }
   };
 }
+function formatSubmissionFieldValue(raw) {
+  if (raw == null || raw === "") return "\u2014";
+  if (typeof raw === "object") return JSON.stringify(raw);
+  return String(raw);
+}
 function pickContactFromSubmission(fields, data) {
   let email = null;
   let name = null;
@@ -4163,6 +5397,50 @@ function createFormSubmissionHandler(config) {
           userAgent: userAgent?.slice(0, 500) ?? null
         })
       );
+      const formWithName = form;
+      const formName = formWithName.name ?? "Form";
+      let contactName = "Unknown";
+      let contactEmail = "";
+      if (Number.isInteger(contactId)) {
+        const contactRepo = dataSource.getRepository(entityMap.contacts);
+        const contact = await contactRepo.findOne({ where: { id: contactId }, select: ["name", "email"] });
+        if (contact) {
+          contactName = contact.name ?? contactName;
+          contactEmail = contact.email ?? contactEmail;
+        }
+      } else {
+        const contactData = pickContactFromSubmission(activeFields, data);
+        if (contactData) {
+          contactName = contactData.name;
+          contactEmail = contactData.email;
+        }
+      }
+      if (config.getCms && config.getCompanyDetails && config.getRecipientForChannel) {
+        try {
+          const cms = await config.getCms();
+          const to = await config.getRecipientForChannel("crm");
+          if (to) {
+            const companyDetails = await config.getCompanyDetails();
+            const formFieldRows = activeFields.map((f) => ({
+              label: f.label && String(f.label).trim() || `Field ${f.id}`,
+              value: formatSubmissionFieldValue(data[String(f.id)])
+            }));
+            await queueEmail(cms, {
+              to,
+              templateName: "formSubmission",
+              ctx: {
+                formName,
+                contactName,
+                contactEmail,
+                formData: data,
+                formFieldRows,
+                companyDetails: companyDetails ?? {}
+              }
+            });
+          }
+        } catch {
+        }
+      }
       return json(created, { status: 201 });
     } catch {
       return json({ error: "Server Error" }, { status: 500 });
@@ -4170,12 +5448,34 @@ function createFormSubmissionHandler(config) {
   };
 }
 function createUsersApiHandlers(config) {
-  const { dataSource, entityMap, json, requireAuth, baseUrl } = config;
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission, baseUrl, getCms, getCompanyDetails } = config;
+  async function trySendInviteEmail(toEmail, inviteLink, inviteeName) {
+    if (!getCms) return;
+    try {
+      const cms = await getCms();
+      const companyDetails = getCompanyDetails ? await getCompanyDetails() : {};
+      await queueEmail(cms, {
+        to: toEmail,
+        templateName: "invite",
+        ctx: {
+          inviteLink,
+          email: toEmail,
+          inviteeName: inviteeName.trim(),
+          companyDetails: companyDetails ?? {}
+        }
+      });
+    } catch {
+    }
+  }
   const userRepo = () => dataSource.getRepository(entityMap.users);
   return {
     async list(req) {
       const authErr = await requireAuth(req);
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(req, "users", "read");
+        if (pe) return pe;
+      }
       try {
         const url = new URL(req.url);
         const page = Math.max(1, parseInt(url.searchParams.get("page") || "1", 10));
@@ -4201,16 +5501,40 @@ function createUsersApiHandlers(config) {
     async create(req) {
       const authErr = await requireAuth(req);
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(req, "users", "create");
+        if (pe) return pe;
+      }
       try {
         const body = await req.json();
         if (!body?.name || !body?.email) return json({ error: "Name and email are required" }, { status: 400 });
         const existing = await userRepo().findOne({ where: { email: body.email } });
         if (existing) return json({ error: "User with this email already exists" }, { status: 400 });
+        const groupRepo = dataSource.getRepository(entityMap.user_groups);
+        const customerG = await groupRepo.findOne({ where: { name: "Customer", deleted: false } });
+        const gid = body.groupId ?? null;
+        const isCustomer = !!(customerG && gid === customerG.id);
+        const adminAccess = isCustomer ? false : body.adminAccess === false ? false : true;
         const newUser = await userRepo().save(
-          userRepo().create({ name: body.name, email: body.email, password: null, blocked: true, groupId: body.groupId ?? null })
+          userRepo().create({
+            name: body.name,
+            email: body.email,
+            password: null,
+            blocked: true,
+            groupId: gid,
+            adminAccess
+          })
         );
+        if (entityMap.contacts) {
+          await linkUnclaimedContactToUser(dataSource, entityMap.contacts, newUser.id, newUser.email);
+        }
         const emailToken = Buffer.from(newUser.email).toString("base64");
         const inviteLink = `${baseUrl}/admin/invite?token=${emailToken}`;
+        await trySendInviteEmail(
+          newUser.email,
+          inviteLink,
+          newUser.name ?? ""
+        );
         return json({ message: "User created successfully (blocked until password is set)", user: newUser, inviteLink }, { status: 201 });
       } catch {
         return json({ error: "Server Error" }, { status: 500 });
@@ -4219,6 +5543,10 @@ function createUsersApiHandlers(config) {
     async getById(_req, id) {
       const authErr = await requireAuth(new Request(_req.url));
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(_req, "users", "read");
+        if (pe) return pe;
+      }
       try {
         const user = await userRepo().findOne({
           where: { id: parseInt(id, 10) },
@@ -4234,6 +5562,10 @@ function createUsersApiHandlers(config) {
     async update(req, id) {
       const authErr = await requireAuth(req);
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(req, "users", "update");
+        if (pe) return pe;
+      }
       try {
         const body = await req.json();
         const { password: _p, ...safe } = body;
@@ -4251,6 +5583,10 @@ function createUsersApiHandlers(config) {
     async delete(_req, id) {
       const authErr = await requireAuth(new Request(_req.url));
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(_req, "users", "delete");
+        if (pe) return pe;
+      }
       try {
         const r = await userRepo().delete(parseInt(id, 10));
         if (r.affected === 0) return json({ error: "User not found" }, { status: 404 });
@@ -4262,11 +5598,16 @@ function createUsersApiHandlers(config) {
     async regenerateInvite(_req, id) {
       const authErr = await requireAuth(new Request(_req.url));
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(_req, "users", "update");
+        if (pe) return pe;
+      }
       try {
-        const user = await userRepo().findOne({ where: { id: parseInt(id, 10) }, select: ["email"] });
+        const user = await userRepo().findOne({ where: { id: parseInt(id, 10) }, select: ["email", "name"] });
         if (!user) return json({ error: "User not found" }, { status: 404 });
         const emailToken = Buffer.from(user.email).toString("base64");
         const inviteLink = `${baseUrl}/admin/invite?token=${emailToken}`;
+        await trySendInviteEmail(user.email, inviteLink, user.name ?? "");
         return json({ message: "New invite link generated successfully", inviteLink });
       } catch {
         return json({ error: "Server Error" }, { status: 500 });
@@ -4516,8 +5857,167 @@ ${contextParts.join("\n\n")}` : "You are a helpful assistant for the company. If
   };
 }
 
+// src/api/admin-roles-handlers.ts
+function createAdminRolesHandlers(config) {
+  const { dataSource, entityMap, json, getSessionUser } = config;
+  const baseEntities = getPermissionableEntityKeys(entityMap);
+  const allowEntities = /* @__PURE__ */ new Set([...baseEntities, "users"]);
+  const groupRepo = () => dataSource.getRepository(entityMap.user_groups);
+  const permRepo = () => dataSource.getRepository(entityMap.permissions);
+  const userRepo = () => dataSource.getRepository(entityMap.users);
+  async function gate() {
+    const u = await getSessionUser();
+    if (!u?.email) return json({ error: "Unauthorized" }, { status: 401 });
+    if (!canManageRoles(u)) return json({ error: "Forbidden" }, { status: 403 });
+    return null;
+  }
+  return {
+    async list() {
+      const err = await gate();
+      if (err) return err;
+      const groups = await groupRepo().find({
+        where: { deleted: false },
+        order: { id: "ASC" },
+        relations: ["permissions"]
+      });
+      const entities = [...allowEntities].sort();
+      return json({
+        entities,
+        groups: groups.map((g) => ({
+          id: g.id,
+          name: g.name,
+          permissions: (g.permissions ?? []).filter((p) => !p.deleted).map((p) => ({
+            entity: p.entity,
+            canCreate: p.canCreate,
+            canRead: p.canRead,
+            canUpdate: p.canUpdate,
+            canDelete: p.canDelete
+          }))
+        }))
+      });
+    },
+    async createGroup(req) {
+      const err = await gate();
+      if (err) return err;
+      try {
+        const body = await req.json();
+        const name = body?.name?.trim();
+        if (!name) return json({ error: "Name is required" }, { status: 400 });
+        const repo = groupRepo();
+        const existing = await repo.findOne({ where: { name } });
+        if (existing) return json({ error: "Group name already exists" }, { status: 400 });
+        const g = await repo.save(repo.create({ name }));
+        return json({ id: g.id, name: g.name, permissions: [] }, { status: 201 });
+      } catch {
+        return json({ error: "Server error" }, { status: 500 });
+      }
+    },
+    async patchGroup(req, idStr) {
+      const err = await gate();
+      if (err) return err;
+      const id = parseInt(idStr, 10);
+      if (!Number.isFinite(id)) return json({ error: "Invalid id" }, { status: 400 });
+      try {
+        const body = await req.json();
+        const name = body?.name?.trim();
+        if (!name) return json({ error: "Name is required" }, { status: 400 });
+        const repo = groupRepo();
+        const g = await repo.findOne({ where: { id, deleted: false } });
+        if (!g) return json({ error: "Not found" }, { status: 404 });
+        if (isSuperAdminGroupName(g.name) && !isSuperAdminGroupName(name)) {
+          return json({ error: "Cannot rename the administrator group" }, { status: 400 });
+        }
+        const dup = await repo.findOne({ where: { name } });
+        if (dup && dup.id !== id) return json({ error: "Name already in use" }, { status: 400 });
+        g.name = name;
+        await repo.save(g);
+        return json({ id: g.id, name: g.name });
+      } catch {
+        return json({ error: "Server error" }, { status: 500 });
+      }
+    },
+    async deleteGroup(idStr) {
+      const err = await gate();
+      if (err) return err;
+      const id = parseInt(idStr, 10);
+      if (!Number.isFinite(id)) return json({ error: "Invalid id" }, { status: 400 });
+      const repo = groupRepo();
+      const g = await repo.findOne({ where: { id, deleted: false } });
+      if (!g) return json({ error: "Not found" }, { status: 404 });
+      if (isSuperAdminGroupName(g.name)) return json({ error: "Cannot delete the administrator group" }, { status: 400 });
+      const userCount = await userRepo().count({ where: { groupId: id } });
+      if (userCount > 0) return json({ error: "Reassign users before deleting this group" }, { status: 409 });
+      await permRepo().delete({ groupId: id });
+      await repo.update(id, { deleted: true, deletedAt: /* @__PURE__ */ new Date() });
+      return json({ ok: true });
+    },
+    async putPermissions(req, idStr) {
+      const err = await gate();
+      if (err) return err;
+      const groupId = parseInt(idStr, 10);
+      if (!Number.isFinite(groupId)) return json({ error: "Invalid id" }, { status: 400 });
+      const groupRepository = groupRepo();
+      const g = await groupRepository.findOne({ where: { id: groupId, deleted: false } });
+      if (!g) return json({ error: "Group not found" }, { status: 404 });
+      try {
+        const body = await req.json();
+        const rows = body?.permissions;
+        if (!Array.isArray(rows)) return json({ error: "permissions array required" }, { status: 400 });
+        for (const r of rows) {
+          if (!r?.entity || !allowEntities.has(r.entity)) {
+            return json({ error: `Invalid entity: ${r?.entity ?? ""}` }, { status: 400 });
+          }
+        }
+        await dataSource.transaction(async (em) => {
+          await em.getRepository(entityMap.permissions).delete({ groupId });
+          for (const r of rows) {
+            await em.getRepository(entityMap.permissions).save(
+              em.getRepository(entityMap.permissions).create({
+                groupId,
+                entity: r.entity,
+                canCreate: !!r.canCreate,
+                canRead: !!r.canRead,
+                canUpdate: !!r.canUpdate,
+                canDelete: !!r.canDelete
+              })
+            );
+          }
+        });
+        const updated = await groupRepository.findOne({
+          where: { id: groupId },
+          relations: ["permissions"]
+        });
+        return json({
+          id: groupId,
+          permissions: (updated?.permissions ?? []).map((p) => ({
+            entity: p.entity,
+            canCreate: p.canCreate,
+            canRead: p.canRead,
+            canUpdate: p.canUpdate,
+            canDelete: p.canDelete
+          }))
+        });
+      } catch {
+        return json({ error: "Server error" }, { status: 500 });
+      }
+    }
+  };
+}
+
 // src/api/cms-api-handler.ts
-var DEFAULT_EXCLUDE = /* @__PURE__ */ new Set(["users", "password_reset_tokens", "user_groups", "permissions", "comments", "form_fields", "configs"]);
+var DEFAULT_EXCLUDE = /* @__PURE__ */ new Set([
+  "users",
+  "password_reset_tokens",
+  "user_groups",
+  "permissions",
+  "comments",
+  "form_fields",
+  "configs",
+  "carts",
+  "cart_items",
+  "wishlists",
+  "wishlist_items"
+]);
 function createCmsApiHandler(config) {
   const {
     dataSource,
@@ -4538,7 +6038,9 @@ function createCmsApiHandler(config) {
     userAvatar,
     userProfile,
     settings: settingsConfig,
-    chat: chatConfig
+    chat: chatConfig,
+    requireEntityPermission: reqEntityPerm,
+    getSessionUser
   } = config;
   const analytics = analyticsConfig ?? (getCms ? {
     json: config.json,
@@ -4559,27 +6061,51 @@ function createCmsApiHandler(config) {
     ...userAuthConfig,
     sendEmail: async (opts) => {
       const cms = await getCms();
+      const queue = cms.getPlugin("queue");
+      const companyDetails = config.getCompanyDetails ? await config.getCompanyDetails() : {};
+      const resetLink = typeof opts.resetLink === "string" && opts.resetLink.trim() || typeof opts.text === "string" && opts.text.trim() || (typeof opts.html === "string" ? opts.html.match(/href\s*=\s*["']([^"']+)["']/)?.[1] ?? "" : "");
+      const ctx = { resetLink, companyDetails };
+      if (queue) {
+        const { queueEmail: queueEmail2 } = await Promise.resolve().then(() => (init_email_queue(), email_queue_exports));
+        await queueEmail2(cms, { to: opts.to, templateName: "passwordReset", ctx });
+        return;
+      }
       const email = cms.getPlugin("email");
       if (!email?.send) return;
-      const { emailTemplates: emailTemplates2 } = await Promise.resolve().then(() => (init_email_service(), email_service_exports));
-      const { subject, html, text } = emailTemplates2.passwordReset({ resetLink: opts.text || opts.html });
-      await email.send({ subject, html, text, to: opts.to });
+      const rendered = email.renderTemplate("passwordReset", ctx);
+      await email.send({ subject: rendered.subject, html: rendered.html, text: rendered.text, to: opts.to });
     }
   } : userAuthConfig;
-  const crudOpts = { requireAuth: config.requireAuth, json: config.json };
+  const crudOpts = {
+    requireAuth: config.requireAuth,
+    json: config.json,
+    requireEntityPermission: reqEntityPerm
+  };
   const crud = createCrudHandler(dataSource, entityMap, crudOpts);
   const crudById = createCrudByIdHandler(dataSource, entityMap, crudOpts);
+  const mergePerm = (c) => !c ? void 0 : reqEntityPerm ? { ...c, requireEntityPermission: reqEntityPerm } : c;
+  const adminRoles = getSessionUser && createAdminRolesHandlers({
+    dataSource,
+    entityMap,
+    json: config.json,
+    getSessionUser
+  });
   const userAuthRouter = userAuth ? createUserAuthApiRouter(userAuth) : null;
-  const dashboardGet = dashboard ? createDashboardStatsHandler(dashboard) : null;
+  const dashboardGet = dashboard ? createDashboardStatsHandler(mergePerm(dashboard) ?? dashboard) : null;
   const analyticsHandlers = analytics ? createAnalyticsHandlers(analytics) : null;
-  const uploadPost = upload ? createUploadHandler(upload) : null;
+  const uploadPost = upload ? createUploadHandler(mergePerm(upload) ?? upload) : null;
   const blogBySlugGet = blogBySlug ? createBlogBySlugHandler(blogBySlug) : null;
   const formBySlugGet = formBySlug ? createFormBySlugHandler(formBySlug) : null;
-  const formSaveHandlers = formSaveConfig ? createFormSaveHandlers(formSaveConfig) : null;
+  const formSaveHandlers = formSaveConfig ? createFormSaveHandlers(mergePerm(formSaveConfig) ?? formSaveConfig) : null;
   const formSubmissionPost = formSubmissionConfig ? createFormSubmissionHandler(formSubmissionConfig) : null;
-  const formSubmissionGetById = formSubmissionGetByIdConfig ? createFormSubmissionGetByIdHandler(formSubmissionGetByIdConfig) : null;
-  const formSubmissionList = formSubmissionGetByIdConfig ? createFormSubmissionListHandler(formSubmissionGetByIdConfig) : null;
-  const usersHandlers = usersApi ? createUsersApiHandlers(usersApi) : null;
+  const formSubmissionGetById = formSubmissionGetByIdConfig ? createFormSubmissionGetByIdHandler(mergePerm(formSubmissionGetByIdConfig) ?? formSubmissionGetByIdConfig) : null;
+  const formSubmissionList = formSubmissionGetByIdConfig ? createFormSubmissionListHandler(mergePerm(formSubmissionGetByIdConfig) ?? formSubmissionGetByIdConfig) : null;
+  const usersApiMerged = usersApi && getCms ? {
+    ...usersApi,
+    getCms: usersApi.getCms ?? getCms,
+    getCompanyDetails: usersApi.getCompanyDetails ?? config.getCompanyDetails
+  } : usersApi;
+  const usersHandlers = usersApiMerged ? createUsersApiHandlers(mergePerm(usersApiMerged) ?? usersApiMerged) : null;
   const avatarPost = userAvatar ? createUserAvatarHandler(userAvatar) : null;
   const profilePut = userProfile ? createUserProfileHandler(userProfile) : null;
   const settingsHandlers = settingsConfig ? createSettingsApiHandlers(settingsConfig) : null;
@@ -4590,13 +6116,41 @@ function createCmsApiHandler(config) {
   }
   return {
     async handle(method, path, req) {
+      const perm = reqEntityPerm;
+      async function analyticsGate() {
+        const a = await config.requireAuth(req);
+        if (a) return a;
+        if (perm) return perm(req, "analytics", "read");
+        return null;
+      }
+      if (path[0] === "admin" && path[1] === "roles") {
+        if (!adminRoles) return config.json({ error: "Not found" }, { status: 404 });
+        if (path.length === 2 && method === "GET") return adminRoles.list();
+        if (path.length === 2 && method === "POST") return adminRoles.createGroup(req);
+        if (path.length === 3 && method === "PATCH") return adminRoles.patchGroup(req, path[2]);
+        if (path.length === 3 && method === "DELETE") return adminRoles.deleteGroup(path[2]);
+        if (path.length === 4 && path[3] === "permissions" && method === "PUT") return adminRoles.putPermissions(req, path[2]);
+        return config.json({ error: "Not found" }, { status: 404 });
+      }
       if (path[0] === "dashboard" && path[1] === "stats" && path.length === 2 && method === "GET" && dashboardGet) {
         return dashboardGet(req);
       }
       if (path[0] === "analytics" && analyticsHandlers) {
-        if (path.length === 1 && method === "GET") return analyticsHandlers.GET(req);
-        if (path.length === 2 && path[1] === "property-id" && method === "GET") return analyticsHandlers.propertyId();
-        if (path.length === 2 && path[1] === "permissions" && method === "GET") return analyticsHandlers.permissions();
+        if (path.length === 1 && method === "GET") {
+          const g = await analyticsGate();
+          if (g) return g;
+          return analyticsHandlers.GET(req);
+        }
+        if (path.length === 2 && path[1] === "property-id" && method === "GET") {
+          const g = await analyticsGate();
+          if (g) return g;
+          return analyticsHandlers.propertyId();
+        }
+        if (path.length === 2 && path[1] === "permissions" && method === "GET") {
+          const g = await analyticsGate();
+          if (g) return g;
+          return analyticsHandlers.permissions();
+        }
       }
       if (path[0] === "upload" && path.length === 1 && method === "POST" && uploadPost) return uploadPost(req);
       if (path[0] === "blogs" && path[1] === "slug" && path.length === 3 && method === "GET" && blogBySlugGet) {
@@ -4640,8 +6194,24 @@ function createCmsApiHandler(config) {
         return userAuthRouter.POST(req, path[1]);
       }
       if (path[0] === "settings" && path.length === 2 && settingsHandlers) {
-        if (method === "GET") return settingsHandlers.GET(req, path[1]);
-        if (method === "PUT") return settingsHandlers.PUT(req, path[1]);
+        const group = path[1];
+        const isPublic = settingsConfig?.publicGetGroups?.includes(group);
+        if (method === "GET") {
+          if (!isPublic && perm) {
+            const a = await config.requireAuth(req);
+            if (a) return a;
+            const pe = await perm(req, "settings", "read");
+            if (pe) return pe;
+          }
+          return settingsHandlers.GET(req, group);
+        }
+        if (method === "PUT") {
+          if (perm) {
+            const pe = await perm(req, "settings", "update");
+            if (pe) return pe;
+          }
+          return settingsHandlers.PUT(req, group);
+        }
       }
       if (path[0] === "chat" && chatHandlers) {
         if (path.length === 2 && path[1] === "identify" && method === "POST") return chatHandlers.identify(req);
@@ -4679,21 +6249,1025 @@ function createCmsApiHandler(config) {
   };
 }
 
+// src/api/storefront-handlers.ts
+import { In, IsNull as IsNull2 } from "typeorm";
+
+// src/lib/is-valid-signup-email.ts
+var MAX_EMAIL = 254;
+var MAX_LOCAL = 64;
+function isValidSignupEmail(email) {
+  if (!email || email.length > MAX_EMAIL) return false;
+  const at = email.indexOf("@");
+  if (at <= 0 || at !== email.lastIndexOf("@")) return false;
+  const local = email.slice(0, at);
+  const domain = email.slice(at + 1);
+  if (!local || local.length > MAX_LOCAL || !domain || domain.length > 253) return false;
+  if (local.startsWith(".") || local.endsWith(".") || local.includes("..")) return false;
+  if (domain.startsWith(".") || domain.endsWith(".") || domain.includes("..")) return false;
+  if (!/^[a-z0-9._%+-]+$/i.test(local)) return false;
+  if (!/^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$/i.test(domain)) return false;
+  const tld = domain.split(".").pop();
+  return tld.length >= 2;
+}
+
+// src/api/storefront-handlers.ts
+init_email_queue();
+var GUEST_COOKIE = "guest_id";
+var ONE_YEAR = 60 * 60 * 24 * 365;
+function parseCookies(header) {
+  const out = {};
+  if (!header) return out;
+  for (const part of header.split(";")) {
+    const i = part.indexOf("=");
+    if (i === -1) continue;
+    const k = part.slice(0, i).trim();
+    const v = part.slice(i + 1).trim();
+    out[k] = decodeURIComponent(v);
+  }
+  return out;
+}
+function guestCookieHeader(name, token) {
+  return `${name}=${encodeURIComponent(token)}; Path=/; HttpOnly; SameSite=Lax; Max-Age=${ONE_YEAR}`;
+}
+function orderNumber() {
+  return `ORD-${Date.now()}-${Math.random().toString(36).slice(2, 10)}`;
+}
+var SIGNUP_VERIFY_EXPIRY_HOURS = 72;
+function createStorefrontApiHandler(config) {
+  const { dataSource, entityMap, json, getSessionUser, getCms, getCompanyDetails, publicSiteUrl } = config;
+  const cookieName = config.guestCookieName ?? GUEST_COOKIE;
+  const cartRepo = () => dataSource.getRepository(entityMap.carts);
+  const cartItemRepo = () => dataSource.getRepository(entityMap.cart_items);
+  const productRepo = () => dataSource.getRepository(entityMap.products);
+  const contactRepo = () => dataSource.getRepository(entityMap.contacts);
+  const addressRepo = () => dataSource.getRepository(entityMap.addresses);
+  const orderRepo = () => dataSource.getRepository(entityMap.orders);
+  const orderItemRepo = () => dataSource.getRepository(entityMap.order_items);
+  const wishlistRepo = () => dataSource.getRepository(entityMap.wishlists);
+  const wishlistItemRepo = () => dataSource.getRepository(entityMap.wishlist_items);
+  const userRepo = () => dataSource.getRepository(entityMap.users);
+  const tokenRepo = () => dataSource.getRepository(entityMap.password_reset_tokens);
+  const collectionRepo = () => dataSource.getRepository(entityMap.collections);
+  const groupRepo = () => dataSource.getRepository(entityMap.user_groups);
+  async function ensureContactForUser(userId) {
+    let c = await contactRepo().findOne({ where: { userId, deleted: false } });
+    if (c) return c;
+    const u = await userRepo().findOne({ where: { id: userId } });
+    if (!u) return null;
+    const unclaimed = await contactRepo().findOne({
+      where: { email: u.email, userId: IsNull2(), deleted: false }
+    });
+    if (unclaimed) {
+      await contactRepo().update(unclaimed.id, { userId });
+      return { id: unclaimed.id };
+    }
+    const created = await contactRepo().save(
+      contactRepo().create({
+        name: u.name,
+        email: u.email,
+        phone: null,
+        userId,
+        deleted: false
+      })
+    );
+    return { id: created.id };
+  }
+  async function getOrCreateCart(req) {
+    const u = await getSessionUser();
+    const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+    if (Number.isFinite(uid)) {
+      const contact = await ensureContactForUser(uid);
+      if (!contact) return { cart: {}, setCookie: null, err: json({ error: "User not found" }, { status: 400 }) };
+      let cart2 = await cartRepo().findOne({
+        where: { contactId: contact.id },
+        relations: ["items", "items.product"]
+      });
+      if (!cart2) {
+        cart2 = await cartRepo().save(
+          cartRepo().create({ contactId: contact.id, guestToken: null, currency: "INR" })
+        );
+        cart2 = await cartRepo().findOne({
+          where: { id: cart2.id },
+          relations: ["items", "items.product"]
+        });
+      }
+      return { cart: cart2, setCookie: null, err: null };
+    }
+    const cookies = parseCookies(req.headers.get("cookie"));
+    let token = cookies[cookieName] || "";
+    if (!token) {
+      token = crypto.randomUUID();
+      let cart2 = await cartRepo().findOne({
+        where: { guestToken: token },
+        relations: ["items", "items.product"]
+      });
+      if (!cart2) {
+        cart2 = await cartRepo().save(
+          cartRepo().create({ guestToken: token, contactId: null, currency: "INR" })
+        );
+        cart2 = await cartRepo().findOne({
+          where: { id: cart2.id },
+          relations: ["items", "items.product"]
+        });
+      }
+      return { cart: cart2, setCookie: guestCookieHeader(cookieName, token), err: null };
+    }
+    let cart = await cartRepo().findOne({
+      where: { guestToken: token },
+      relations: ["items", "items.product"]
+    });
+    if (!cart) {
+      cart = await cartRepo().save(
+        cartRepo().create({ guestToken: token, contactId: null, currency: "INR" })
+      );
+      cart = await cartRepo().findOne({
+        where: { id: cart.id },
+        relations: ["items", "items.product"]
+      });
+    }
+    return { cart, setCookie: null, err: null };
+  }
+  function primaryProductImageUrl(metadata) {
+    const meta = metadata;
+    const images = meta?.images;
+    if (!Array.isArray(images) || !images.length) return null;
+    const sorted = images.filter((i) => i?.url);
+    if (!sorted.length) return null;
+    const di = sorted.findIndex((i) => i.isDefault);
+    if (di > 0) {
+      const [d] = sorted.splice(di, 1);
+      sorted.unshift(d);
+    }
+    return sorted[0].url;
+  }
+  function serializeCart(cart) {
+    const items = cart.items || [];
+    return {
+      id: cart.id,
+      currency: cart.currency,
+      items: items.map((it) => {
+        const p = it.product;
+        return {
+          id: it.id,
+          productId: it.productId,
+          quantity: it.quantity,
+          metadata: it.metadata,
+          product: p ? {
+            id: p.id,
+            name: p.name,
+            slug: p.slug,
+            price: p.price,
+            sku: p.sku,
+            image: primaryProductImageUrl(p.metadata)
+          } : null
+        };
+      })
+    };
+  }
+  function serializeProduct(p) {
+    return {
+      id: p.id,
+      name: p.name,
+      slug: p.slug,
+      sku: p.sku,
+      hsn: p.hsn,
+      price: p.price,
+      compareAtPrice: p.compareAtPrice,
+      status: p.status,
+      collectionId: p.collectionId,
+      metadata: p.metadata
+    };
+  }
+  return {
+    async handle(method, path, req) {
+      try {
+        let serializeAddress2 = function(a) {
+          return {
+            id: a.id,
+            contactId: a.contactId,
+            tag: a.tag,
+            line1: a.line1,
+            line2: a.line2,
+            city: a.city,
+            state: a.state,
+            postalCode: a.postalCode,
+            country: a.country
+          };
+        };
+        var serializeAddress = serializeAddress2;
+        if (path[0] === "products" && path.length === 1 && method === "GET") {
+          const url = new URL(req.url || "", "http://localhost");
+          const collectionSlug = url.searchParams.get("collection")?.trim();
+          const collectionId = url.searchParams.get("collectionId");
+          const limit = Math.min(100, Math.max(1, parseInt(url.searchParams.get("limit") || "20", 10)));
+          const offset = Math.max(0, parseInt(url.searchParams.get("offset") || "0", 10));
+          const where = { status: "available", deleted: false };
+          let collectionFilter = null;
+          if (collectionSlug) {
+            let col = null;
+            if (/^\d+$/.test(collectionSlug)) {
+              col = await collectionRepo().findOne({
+                where: {
+                  id: parseInt(collectionSlug, 10),
+                  active: true,
+                  deleted: false
+                }
+              });
+            } else {
+              col = await collectionRepo().createQueryBuilder("c").where("LOWER(c.slug) = LOWER(:slug)", { slug: collectionSlug }).andWhere("c.active = :a", { a: true }).andWhere("c.deleted = :d", { d: false }).getOne();
+            }
+            if (!col) {
+              return json({ products: [], total: 0, collection: null });
+            }
+            where.collectionId = col.id;
+            collectionFilter = { name: col.name, slug: col.slug };
+          } else if (collectionId) {
+            const cid = parseInt(collectionId, 10);
+            if (Number.isFinite(cid)) where.collectionId = cid;
+          }
+          const [items, total] = await productRepo().findAndCount({
+            where,
+            order: { id: "ASC" },
+            take: limit,
+            skip: offset
+          });
+          return json({
+            products: items.map(serializeProduct),
+            total,
+            ...collectionFilter && { collection: collectionFilter }
+          });
+        }
+        if (path[0] === "products" && path.length === 2 && method === "GET") {
+          const idOrSlug = path[1];
+          const byId = /^\d+$/.test(idOrSlug);
+          const product = await productRepo().findOne({
+            where: byId ? { id: parseInt(idOrSlug, 10), status: "available", deleted: false } : { slug: idOrSlug, status: "available", deleted: false },
+            relations: ["attributes", "attributes.attribute"]
+          });
+          if (!product) return json({ error: "Not found" }, { status: 404 });
+          const p = product;
+          const attrRows = p.attributes ?? [];
+          const attributeTags = attrRows.map((pa) => ({
+            name: pa.attribute?.name ?? "",
+            value: String(pa.value ?? "")
+          })).filter((t) => t.name || t.value);
+          return json({ ...serializeProduct(p), attributes: attributeTags });
+        }
+        if (path[0] === "collections" && path.length === 1 && method === "GET") {
+          const items = await collectionRepo().find({
+            where: { active: true, deleted: false },
+            order: { sortOrder: "ASC", id: "ASC" }
+          });
+          const ids = items.map((c) => c.id);
+          const countByCollection = {};
+          if (ids.length > 0) {
+            const rows = await productRepo().createQueryBuilder("p").select("p.collectionId", "collectionId").addSelect("COUNT(p.id)", "cnt").where("p.collectionId IN (:...ids)", { ids }).andWhere("p.status = :status", { status: "available" }).andWhere("p.deleted = :del", { del: false }).groupBy("p.collectionId").getRawMany();
+            for (const r of rows) {
+              const cid = r.collectionId;
+              if (cid != null) countByCollection[Number(cid)] = parseInt(String(r.cnt), 10);
+            }
+          }
+          return json({
+            collections: items.map((c) => {
+              const col = c;
+              const id = col.id;
+              return {
+                id,
+                name: col.name,
+                slug: col.slug,
+                description: col.description,
+                image: col.image,
+                productCount: countByCollection[id] ?? 0
+              };
+            })
+          });
+        }
+        if (path[0] === "collections" && path.length === 2 && method === "GET") {
+          const idOrSlug = path[1];
+          const byId = /^\d+$/.test(idOrSlug);
+          const collection = await collectionRepo().findOne({
+            where: byId ? { id: parseInt(idOrSlug, 10), active: true, deleted: false } : { slug: idOrSlug, active: true, deleted: false }
+          });
+          if (!collection) return json({ error: "Not found" }, { status: 404 });
+          const col = collection;
+          const products = await productRepo().find({
+            where: { collectionId: col.id, status: "available", deleted: false },
+            order: { id: "ASC" }
+          });
+          return json({
+            id: col.id,
+            name: col.name,
+            slug: col.slug,
+            description: col.description,
+            image: col.image,
+            products: products.map((p) => serializeProduct(p))
+          });
+        }
+        if (path[0] === "profile" && path.length === 1 && method === "GET") {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const user = await userRepo().findOne({ where: { id: uid }, select: ["id", "name", "email"] });
+          if (!user) return json({ error: "Not found" }, { status: 404 });
+          const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          return json({
+            user: { id: user.id, name: user.name, email: user.email },
+            contact: contact ? {
+              id: contact.id,
+              name: contact.name,
+              email: contact.email,
+              phone: contact.phone
+            } : null
+          });
+        }
+        if (path[0] === "profile" && path.length === 1 && method === "PUT") {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const b = await req.json().catch(() => ({}));
+          const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          if (contact) {
+            const updates = {};
+            if (typeof b.name === "string" && b.name.trim()) updates.name = b.name.trim();
+            if (b.phone !== void 0) updates.phone = b.phone === null || b.phone === "" ? null : String(b.phone);
+            if (Object.keys(updates).length) await contactRepo().update(contact.id, updates);
+          }
+          const user = await userRepo().findOne({ where: { id: uid }, select: ["id", "name", "email"] });
+          if (user && typeof b.name === "string" && b.name.trim()) {
+            await userRepo().update(uid, { name: b.name.trim() });
+          }
+          const updatedContact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          const updatedUser = await userRepo().findOne({ where: { id: uid }, select: ["id", "name", "email"] });
+          return json({
+            user: updatedUser ? { id: updatedUser.id, name: updatedUser.name, email: updatedUser.email } : null,
+            contact: updatedContact ? {
+              id: updatedContact.id,
+              name: updatedContact.name,
+              email: updatedContact.email,
+              phone: updatedContact.phone
+            } : null
+          });
+        }
+        async function getContactForAddresses() {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          if (!contact) return json({ error: "Contact not found" }, { status: 404 });
+          return { contactId: contact.id };
+        }
+        if (path[0] === "addresses" && path.length === 1 && method === "GET") {
+          const contactOrErr = await getContactForAddresses();
+          if (contactOrErr instanceof Response) return contactOrErr;
+          const list = await addressRepo().find({
+            where: { contactId: contactOrErr.contactId },
+            order: { id: "ASC" }
+          });
+          return json({ addresses: list.map((a) => serializeAddress2(a)) });
+        }
+        if (path[0] === "addresses" && path.length === 1 && method === "POST") {
+          const contactOrErr = await getContactForAddresses();
+          if (contactOrErr instanceof Response) return contactOrErr;
+          const b = await req.json().catch(() => ({}));
+          const created = await addressRepo().save(
+            addressRepo().create({
+              contactId: contactOrErr.contactId,
+              tag: typeof b.tag === "string" ? b.tag.trim() || null : null,
+              line1: typeof b.line1 === "string" ? b.line1.trim() || null : null,
+              line2: typeof b.line2 === "string" ? b.line2.trim() || null : null,
+              city: typeof b.city === "string" ? b.city.trim() || null : null,
+              state: typeof b.state === "string" ? b.state.trim() || null : null,
+              postalCode: typeof b.postalCode === "string" ? b.postalCode.trim() || null : null,
+              country: typeof b.country === "string" ? b.country.trim() || null : null
+            })
+          );
+          return json(serializeAddress2(created));
+        }
+        if (path[0] === "addresses" && path.length === 2 && (method === "PATCH" || method === "PUT")) {
+          const contactOrErr = await getContactForAddresses();
+          if (contactOrErr instanceof Response) return contactOrErr;
+          const id = parseInt(path[1], 10);
+          if (!Number.isFinite(id)) return json({ error: "Invalid id" }, { status: 400 });
+          const existing = await addressRepo().findOne({ where: { id, contactId: contactOrErr.contactId } });
+          if (!existing) return json({ error: "Not found" }, { status: 404 });
+          const b = await req.json().catch(() => ({}));
+          const updates = {};
+          if (b.tag !== void 0) updates.tag = typeof b.tag === "string" ? b.tag.trim() || null : null;
+          if (b.line1 !== void 0) updates.line1 = typeof b.line1 === "string" ? b.line1.trim() || null : null;
+          if (b.line2 !== void 0) updates.line2 = typeof b.line2 === "string" ? b.line2.trim() || null : null;
+          if (b.city !== void 0) updates.city = typeof b.city === "string" ? b.city.trim() || null : null;
+          if (b.state !== void 0) updates.state = typeof b.state === "string" ? b.state.trim() || null : null;
+          if (b.postalCode !== void 0) updates.postalCode = typeof b.postalCode === "string" ? b.postalCode.trim() || null : null;
+          if (b.country !== void 0) updates.country = typeof b.country === "string" ? b.country.trim() || null : null;
+          if (Object.keys(updates).length) await addressRepo().update(id, updates);
+          const updated = await addressRepo().findOne({ where: { id } });
+          return json(serializeAddress2(updated));
+        }
+        if (path[0] === "addresses" && path.length === 2 && method === "DELETE") {
+          const contactOrErr = await getContactForAddresses();
+          if (contactOrErr instanceof Response) return contactOrErr;
+          const id = parseInt(path[1], 10);
+          if (!Number.isFinite(id)) return json({ error: "Invalid id" }, { status: 400 });
+          const existing = await addressRepo().findOne({ where: { id, contactId: contactOrErr.contactId } });
+          if (!existing) return json({ error: "Not found" }, { status: 404 });
+          await addressRepo().delete(id);
+          return json({ deleted: true });
+        }
+        if (path[0] === "verify-email" && path.length === 1 && method === "POST") {
+          const b = await req.json().catch(() => ({}));
+          const token = typeof b.token === "string" ? b.token.trim() : "";
+          if (!token) return json({ error: "token is required" }, { status: 400 });
+          const record = await tokenRepo().findOne({ where: { token } });
+          if (!record || record.expiresAt < /* @__PURE__ */ new Date()) {
+            return json({ error: "Invalid or expired link. Please sign up again or contact support." }, { status: 400 });
+          }
+          const email = record.email;
+          const user = await userRepo().findOne({ where: { email }, select: ["id", "blocked"] });
+          if (!user) return json({ error: "User not found" }, { status: 400 });
+          await userRepo().update(user.id, { blocked: false, updatedAt: /* @__PURE__ */ new Date() });
+          await tokenRepo().delete({ email });
+          return json({ success: true, message: "Email verified. You can sign in." });
+        }
+        if (path[0] === "register" && path.length === 1 && method === "POST") {
+          if (!config.hashPassword) return json({ error: "Registration not configured" }, { status: 501 });
+          const b = await req.json().catch(() => ({}));
+          const name = typeof b.name === "string" ? b.name.trim() : "";
+          const email = typeof b.email === "string" ? b.email.trim().toLowerCase() : "";
+          const password = typeof b.password === "string" ? b.password : "";
+          if (!name || !email || !password) return json({ error: "name, email and password are required" }, { status: 400 });
+          if (!isValidSignupEmail(email)) return json({ error: "Invalid email address" }, { status: 400 });
+          const existing = await userRepo().findOne({ where: { email } });
+          if (existing) return json({ error: "User with this email already exists" }, { status: 400 });
+          const customerG = await groupRepo().findOne({ where: { name: "Customer", deleted: false } });
+          const groupId = customerG ? customerG.id : null;
+          const hashed = await config.hashPassword(password);
+          const requireEmailVerification = Boolean(getCms);
+          const newUser = await userRepo().save(
+            userRepo().create({
+              name,
+              email,
+              password: hashed,
+              blocked: requireEmailVerification,
+              groupId,
+              adminAccess: false
+            })
+          );
+          const userId = newUser.id;
+          await linkUnclaimedContactToUser(dataSource, entityMap.contacts, userId, email);
+          let emailVerificationSent = false;
+          if (requireEmailVerification && getCms) {
+            try {
+              const crypto3 = await import("crypto");
+              const rawToken = crypto3.randomBytes(32).toString("hex");
+              const expiresAt = new Date(Date.now() + SIGNUP_VERIFY_EXPIRY_HOURS * 60 * 60 * 1e3);
+              await tokenRepo().save(
+                tokenRepo().create({ email, token: rawToken, expiresAt })
+              );
+              const cms = await getCms();
+              const companyDetails = getCompanyDetails ? await getCompanyDetails() : {};
+              const base = (publicSiteUrl || "").replace(/\/$/, "").trim() || "http://localhost:3000";
+              const verifyEmailUrl = `${base}/verify-email?token=${encodeURIComponent(rawToken)}`;
+              await queueEmail(cms, {
+                to: email,
+                templateName: "signup",
+                ctx: { name, verifyEmailUrl, companyDetails: companyDetails ?? {} }
+              });
+              emailVerificationSent = true;
+            } catch {
+              await userRepo().update(userId, { blocked: false, updatedAt: /* @__PURE__ */ new Date() });
+            }
+          }
+          return json({
+            success: true,
+            userId,
+            emailVerificationSent
+          });
+        }
+        if (path[0] === "cart" && path.length === 1 && method === "GET") {
+          const { cart, setCookie, err } = await getOrCreateCart(req);
+          if (err) return err;
+          const body = serializeCart(cart);
+          if (setCookie) return json(body, { headers: { "Set-Cookie": setCookie } });
+          return json(body);
+        }
+        if (path[0] === "cart" && path[1] === "items" && path.length === 2 && method === "POST") {
+          const body = await req.json().catch(() => ({}));
+          const productId = Number(body.productId);
+          const quantity = Math.max(1, Number(body.quantity) || 1);
+          if (!Number.isFinite(productId)) return json({ error: "productId required" }, { status: 400 });
+          const product = await productRepo().findOne({ where: { id: productId, deleted: false } });
+          if (!product) return json({ error: "Product not found" }, { status: 404 });
+          const { cart, setCookie, err } = await getOrCreateCart(req);
+          if (err) return err;
+          const cartId = cart.id;
+          const existing = await cartItemRepo().findOne({ where: { cartId, productId } });
+          if (existing) {
+            await cartItemRepo().update(existing.id, {
+              quantity: existing.quantity + quantity
+            });
+          } else {
+            await cartItemRepo().save(
+              cartItemRepo().create({ cartId, productId, quantity })
+            );
+          }
+          await cartRepo().update(cartId, { updatedAt: /* @__PURE__ */ new Date() });
+          const fresh = await cartRepo().findOne({
+            where: { id: cartId },
+            relations: ["items", "items.product"]
+          });
+          const out = serializeCart(fresh);
+          if (setCookie) return json(out, { headers: { "Set-Cookie": setCookie } });
+          return json(out);
+        }
+        if (path[0] === "cart" && path[1] === "items" && path.length === 3) {
+          const itemId = parseInt(path[2], 10);
+          if (!Number.isFinite(itemId)) return json({ error: "Invalid item id" }, { status: 400 });
+          const { cart, setCookie, err } = await getOrCreateCart(req);
+          if (err) return err;
+          const cartId = cart.id;
+          const item = await cartItemRepo().findOne({ where: { id: itemId, cartId } });
+          if (!item) return json({ error: "Not found" }, { status: 404 });
+          if (method === "DELETE") {
+            await cartItemRepo().delete(itemId);
+            await cartRepo().update(cartId, { updatedAt: /* @__PURE__ */ new Date() });
+            const fresh = await cartRepo().findOne({
+              where: { id: cartId },
+              relations: ["items", "items.product"]
+            });
+            const out = serializeCart(fresh);
+            if (setCookie) return json(out, { headers: { "Set-Cookie": setCookie } });
+            return json(out);
+          }
+          if (method === "PATCH") {
+            const b = await req.json().catch(() => ({}));
+            const q = Math.max(0, Number(b.quantity) || 0);
+            if (q === 0) await cartItemRepo().delete(itemId);
+            else await cartItemRepo().update(itemId, { quantity: q });
+            await cartRepo().update(cartId, { updatedAt: /* @__PURE__ */ new Date() });
+            const fresh = await cartRepo().findOne({
+              where: { id: cartId },
+              relations: ["items", "items.product"]
+            });
+            const out = serializeCart(fresh);
+            if (setCookie) return json(out, { headers: { "Set-Cookie": setCookie } });
+            return json(out);
+          }
+        }
+        if (path[0] === "cart" && path[1] === "merge" && method === "POST") {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const contact = await ensureContactForUser(uid);
+          if (!contact) return json({ error: "Contact not found" }, { status: 400 });
+          const cookies = parseCookies(req.headers.get("cookie"));
+          const guestToken = cookies[cookieName];
+          if (!guestToken) return json({ merged: false, message: "No guest cart" });
+          const guestCart = await cartRepo().findOne({
+            where: { guestToken },
+            relations: ["items"]
+          });
+          if (!guestCart || !(guestCart.items || []).length) {
+            let uc = await cartRepo().findOne({
+              where: { contactId: contact.id },
+              relations: ["items", "items.product"]
+            });
+            if (!uc) uc = { items: [] };
+            return json(
+              { merged: false, cart: serializeCart(uc) },
+              { headers: { "Set-Cookie": `${cookieName}=; Path=/; Max-Age=0` } }
+            );
+          }
+          let userCart = await cartRepo().findOne({ where: { contactId: contact.id } });
+          if (!userCart) {
+            userCart = await cartRepo().save(
+              cartRepo().create({ contactId: contact.id, guestToken: null, currency: guestCart.currency })
+            );
+          }
+          const uidCart = userCart.id;
+          const gItems = guestCart.items || [];
+          for (const gi of gItems) {
+            const existing = await cartItemRepo().findOne({
+              where: { cartId: uidCart, productId: gi.productId }
+            });
+            if (existing) {
+              await cartItemRepo().update(existing.id, {
+                quantity: existing.quantity + gi.quantity
+              });
+            } else {
+              await cartItemRepo().save(
+                cartItemRepo().create({
+                  cartId: uidCart,
+                  productId: gi.productId,
+                  quantity: gi.quantity,
+                  metadata: gi.metadata
+                })
+              );
+            }
+          }
+          await cartRepo().delete(guestCart.id);
+          await cartRepo().update(uidCart, { updatedAt: /* @__PURE__ */ new Date() });
+          const fresh = await cartRepo().findOne({
+            where: { id: uidCart },
+            relations: ["items", "items.product"]
+          });
+          const guestWishlist = await wishlistRepo().findOne({
+            where: { guestId: guestToken },
+            relations: ["items"]
+          });
+          if (guestWishlist && (guestWishlist.items || []).length > 0) {
+            const userWishlist = await getDefaultWishlist(contact.id);
+            const gItems2 = guestWishlist.items || [];
+            for (const gi of gItems2) {
+              const pid = gi.productId;
+              const ex = await wishlistItemRepo().findOne({ where: { wishlistId: userWishlist.id, productId: pid } });
+              if (!ex) await wishlistItemRepo().save(wishlistItemRepo().create({ wishlistId: userWishlist.id, productId: pid }));
+            }
+            await wishlistRepo().delete(guestWishlist.id);
+          }
+          return json({ merged: true, cart: serializeCart(fresh) }, { headers: { "Set-Cookie": `${cookieName}=; Path=/; Max-Age=0` } });
+        }
+        async function getDefaultWishlist(contactId) {
+          let w = await wishlistRepo().findOne({ where: { contactId, name: "default" } });
+          if (!w) {
+            w = await wishlistRepo().save(wishlistRepo().create({ contactId, guestId: null, name: "default" }));
+          }
+          return w;
+        }
+        async function getOrCreateWishlist(req2) {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (Number.isFinite(uid)) {
+            const contact = await ensureContactForUser(uid);
+            if (!contact) return { wishlist: {}, setCookie: null, err: json({ error: "User not found" }, { status: 400 }) };
+            const w2 = await getDefaultWishlist(contact.id);
+            const wishlist = await wishlistRepo().findOne({ where: { id: w2.id } });
+            return { wishlist, setCookie: null, err: null };
+          }
+          const cookies = parseCookies(req2.headers.get("cookie"));
+          let token = cookies[cookieName] || "";
+          if (!token) {
+            token = crypto.randomUUID();
+            let w2 = await wishlistRepo().findOne({ where: { guestId: token } });
+            if (!w2) {
+              w2 = await wishlistRepo().save(wishlistRepo().create({ guestId: token, contactId: null, name: "default" }));
+            }
+            return { wishlist: w2, setCookie: guestCookieHeader(cookieName, token), err: null };
+          }
+          let w = await wishlistRepo().findOne({ where: { guestId: token } });
+          if (!w) {
+            w = await wishlistRepo().save(wishlistRepo().create({ guestId: token, contactId: null, name: "default" }));
+          }
+          return { wishlist: w, setCookie: null, err: null };
+        }
+        if (path[0] === "wishlist" && path.length === 1 && method === "GET") {
+          const { wishlist, setCookie, err } = await getOrCreateWishlist(req);
+          if (err) return err;
+          const items = await wishlistItemRepo().find({
+            where: { wishlistId: wishlist.id },
+            relations: ["product"]
+          });
+          const body = {
+            wishlistId: wishlist.id,
+            items: items.map((it) => {
+              const p = it.product;
+              return {
+                id: it.id,
+                productId: it.productId,
+                product: p ? {
+                  id: p.id,
+                  name: p.name,
+                  slug: p.slug,
+                  price: p.price,
+                  sku: p.sku,
+                  image: primaryProductImageUrl(p.metadata)
+                } : null
+              };
+            })
+          };
+          if (setCookie) return json(body, { headers: { "Set-Cookie": setCookie } });
+          return json(body);
+        }
+        if (path[0] === "wishlist" && path[1] === "items" && path.length === 2 && method === "POST") {
+          const { wishlist, setCookie, err } = await getOrCreateWishlist(req);
+          if (err) return err;
+          const b = await req.json().catch(() => ({}));
+          const productId = Number(b.productId);
+          if (!Number.isFinite(productId)) return json({ error: "productId required" }, { status: 400 });
+          const wid = wishlist.id;
+          const ex = await wishlistItemRepo().findOne({ where: { wishlistId: wid, productId } });
+          if (!ex) await wishlistItemRepo().save(wishlistItemRepo().create({ wishlistId: wid, productId }));
+          if (setCookie) return json({ ok: true }, { headers: { "Set-Cookie": setCookie } });
+          return json({ ok: true });
+        }
+        if (path[0] === "wishlist" && path[1] === "items" && path.length === 3 && method === "DELETE") {
+          const { wishlist, setCookie, err } = await getOrCreateWishlist(req);
+          if (err) return err;
+          const productId = parseInt(path[2], 10);
+          await wishlistItemRepo().delete({ wishlistId: wishlist.id, productId });
+          if (setCookie) return json({ ok: true }, { headers: { "Set-Cookie": setCookie } });
+          return json({ ok: true });
+        }
+        if (path[0] === "checkout" && path[1] === "order" && path.length === 2 && method === "POST") {
+          const b = await req.json().catch(() => ({}));
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          let contactId;
+          let cart;
+          if (Number.isFinite(uid)) {
+            const contact = await ensureContactForUser(uid);
+            if (!contact) return json({ error: "Contact required" }, { status: 400 });
+            contactId = contact.id;
+            cart = await cartRepo().findOne({
+              where: { contactId },
+              relations: ["items", "items.product"]
+            });
+          } else {
+            const email = (b.email || "").trim();
+            const name = (b.name || "").trim();
+            if (!email || !name) return json({ error: "name and email required for guest checkout" }, { status: 400 });
+            let contact = await contactRepo().findOne({ where: { email, deleted: false } });
+            if (contact && contact.userId != null) {
+              return json({ error: "Please sign in to complete checkout" }, { status: 400 });
+            }
+            if (!contact) {
+              contact = await contactRepo().save(
+                contactRepo().create({
+                  name,
+                  email,
+                  phone: b.phone || null,
+                  userId: null,
+                  deleted: false
+                })
+              );
+            } else if (name) await contactRepo().update(contact.id, { name, phone: b.phone || contact.phone });
+            contactId = contact.id;
+            const cookies = parseCookies(req.headers.get("cookie"));
+            const guestToken = cookies[cookieName];
+            if (!guestToken) return json({ error: "Cart not found" }, { status: 400 });
+            cart = await cartRepo().findOne({
+              where: { guestToken },
+              relations: ["items", "items.product"]
+            });
+          }
+          if (!cart || !(cart.items || []).length) {
+            return json({ error: "Cart is empty" }, { status: 400 });
+          }
+          let subtotal = 0;
+          const lines = [];
+          for (const it of cart.items || []) {
+            const p = it.product;
+            if (!p || p.deleted || p.status !== "available") continue;
+            const unit = Number(p.price);
+            const qty = it.quantity || 1;
+            const lineTotal = unit * qty;
+            subtotal += lineTotal;
+            lines.push({ productId: p.id, quantity: qty, unitPrice: unit, tax: 0, total: lineTotal });
+          }
+          if (!lines.length) return json({ error: "No available items in cart" }, { status: 400 });
+          const total = subtotal;
+          const cartId = cart.id;
+          const ord = await orderRepo().save(
+            orderRepo().create({
+              orderNumber: orderNumber(),
+              contactId,
+              billingAddressId: b.billingAddressId ?? null,
+              shippingAddressId: b.shippingAddressId ?? null,
+              status: "pending",
+              subtotal,
+              tax: 0,
+              discount: 0,
+              total,
+              currency: cart.currency || "INR",
+              metadata: { cartId }
+            })
+          );
+          const oid = ord.id;
+          for (const line of lines) {
+            await orderItemRepo().save(
+              orderItemRepo().create({
+                orderId: oid,
+                productId: line.productId,
+                quantity: line.quantity,
+                unitPrice: line.unitPrice,
+                tax: line.tax,
+                total: line.total
+              })
+            );
+          }
+          return json({
+            orderId: oid,
+            orderNumber: ord.orderNumber,
+            total,
+            currency: cart.currency || "INR"
+          });
+        }
+        if (path[0] === "checkout" && path.length === 1 && method === "POST") {
+          const b = await req.json().catch(() => ({}));
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          let contactId;
+          let cart;
+          if (Number.isFinite(uid)) {
+            const contact = await ensureContactForUser(uid);
+            if (!contact) return json({ error: "Contact required" }, { status: 400 });
+            contactId = contact.id;
+            cart = await cartRepo().findOne({
+              where: { contactId },
+              relations: ["items", "items.product"]
+            });
+          } else {
+            const email = (b.email || "").trim();
+            const name = (b.name || "").trim();
+            if (!email || !name) return json({ error: "name and email required for guest checkout" }, { status: 400 });
+            let contact = await contactRepo().findOne({ where: { email, deleted: false } });
+            if (contact && contact.userId != null) {
+              return json({ error: "Please sign in to complete checkout" }, { status: 400 });
+            }
+            if (!contact) {
+              contact = await contactRepo().save(
+                contactRepo().create({
+                  name,
+                  email,
+                  phone: b.phone || null,
+                  userId: null,
+                  deleted: false
+                })
+              );
+            } else if (name) await contactRepo().update(contact.id, { name, phone: b.phone || contact.phone });
+            contactId = contact.id;
+            const cookies = parseCookies(req.headers.get("cookie"));
+            const guestToken = cookies[cookieName];
+            if (!guestToken) return json({ error: "Cart not found" }, { status: 400 });
+            cart = await cartRepo().findOne({
+              where: { guestToken },
+              relations: ["items", "items.product"]
+            });
+          }
+          if (!cart || !(cart.items || []).length) {
+            return json({ error: "Cart is empty" }, { status: 400 });
+          }
+          let subtotal = 0;
+          const lines = [];
+          for (const it of cart.items || []) {
+            const p = it.product;
+            if (!p || p.deleted || p.status !== "available") continue;
+            const unit = Number(p.price);
+            const qty = it.quantity || 1;
+            const lineTotal = unit * qty;
+            subtotal += lineTotal;
+            lines.push({ productId: p.id, quantity: qty, unitPrice: unit, tax: 0, total: lineTotal });
+          }
+          if (!lines.length) return json({ error: "No available items in cart" }, { status: 400 });
+          const total = subtotal;
+          const ord = await orderRepo().save(
+            orderRepo().create({
+              orderNumber: orderNumber(),
+              contactId,
+              billingAddressId: b.billingAddressId ?? null,
+              shippingAddressId: b.shippingAddressId ?? null,
+              status: "pending",
+              subtotal,
+              tax: 0,
+              discount: 0,
+              total,
+              currency: cart.currency || "INR"
+            })
+          );
+          const oid = ord.id;
+          for (const line of lines) {
+            await orderItemRepo().save(
+              orderItemRepo().create({
+                orderId: oid,
+                productId: line.productId,
+                quantity: line.quantity,
+                unitPrice: line.unitPrice,
+                tax: line.tax,
+                total: line.total
+              })
+            );
+          }
+          await cartItemRepo().delete({ cartId: cart.id });
+          await cartRepo().delete(cart.id);
+          return json({
+            orderId: oid,
+            orderNumber: ord.orderNumber,
+            total
+          });
+        }
+        if (path[0] === "orders" && path.length === 1 && method === "GET") {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          if (!contact) return json({ orders: [] });
+          const orders = await orderRepo().find({
+            where: { contactId: contact.id, deleted: false },
+            order: { createdAt: "DESC" },
+            take: 50
+          });
+          const orderIds = orders.map((o) => o.id);
+          const previewByOrder = {};
+          if (orderIds.length) {
+            const oItems = await orderItemRepo().find({
+              where: { orderId: In(orderIds) },
+              relations: ["product"],
+              order: { id: "ASC" }
+            });
+            for (const oi of oItems) {
+              const oid = oi.orderId;
+              if (!previewByOrder[oid]) previewByOrder[oid] = [];
+              if (previewByOrder[oid].length >= 4) continue;
+              const url = primaryProductImageUrl(oi.product?.metadata);
+              if (url && !previewByOrder[oid].includes(url)) previewByOrder[oid].push(url);
+            }
+          }
+          return json({
+            orders: orders.map((o) => {
+              const ol = o;
+              return {
+                id: ol.id,
+                orderNumber: ol.orderNumber,
+                status: ol.status,
+                total: ol.total,
+                currency: ol.currency,
+                createdAt: ol.createdAt,
+                previewImages: previewByOrder[ol.id] ?? []
+              };
+            })
+          });
+        }
+        if (path[0] === "orders" && path.length === 2 && method === "GET") {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          if (!contact) return json({ error: "Not found" }, { status: 404 });
+          const orderId = parseInt(path[1], 10);
+          const order = await orderRepo().findOne({
+            where: { id: orderId, contactId: contact.id, deleted: false },
+            relations: ["items", "items.product"]
+          });
+          if (!order) return json({ error: "Not found" }, { status: 404 });
+          const o = order;
+          const lines = (o.items || []).map((line) => {
+            const p = line.product;
+            return {
+              id: line.id,
+              productId: line.productId,
+              quantity: line.quantity,
+              unitPrice: line.unitPrice,
+              tax: line.tax,
+              total: line.total,
+              product: p ? {
+                name: p.name,
+                slug: p.slug,
+                sku: p.sku,
+                image: primaryProductImageUrl(p.metadata)
+              } : null
+            };
+          });
+          return json({
+            order: {
+              id: o.id,
+              orderNumber: o.orderNumber,
+              status: o.status,
+              subtotal: o.subtotal,
+              tax: o.tax,
+              discount: o.discount,
+              total: o.total,
+              currency: o.currency,
+              createdAt: o.createdAt,
+              items: lines
+            }
+          });
+        }
+        return json({ error: "Not found" }, { status: 404 });
+      } catch {
+        return json({ error: "Server error" }, { status: 500 });
+      }
+    }
+  };
+}
+
 // src/admin/config.ts
 var DEFAULT_ADMIN_NAV = [
   { href: "/admin/dashboard", label: "Dashboard" },
   { href: "/admin/contacts", label: "Contacts" },
   { href: "/admin/blogs", label: "Blogs" },
   { href: "/admin/users", label: "Users" },
+  { href: "/admin/roles", label: "Roles" },
   { href: "/admin/forms", label: "Forms" },
   { href: "/admin/submissions", label: "Submissions" },
   { href: "/admin/pages", label: "Pages" }
 ];
 export {
+  ADMIN_GROUP_NAME,
   Attribute,
   Blog,
   Brand,
   CMS_ENTITY_MAP,
+  Cart,
+  CartItem,
   Category,
   ChatConversation,
   ChatMessage,
@@ -4722,12 +7296,17 @@ export {
   ProductAttribute,
   ProductCategory,
   ProductTax,
+  RBAC_ADMIN_ONLY_ENTITIES,
   Seo,
   Tag,
   Tax,
   User,
   UserGroup,
+  Wishlist,
+  WishlistItem,
   analyticsPlugin,
+  cachePlugin,
+  canManageRoles,
   cn,
   createAnalyticsHandlers,
   createAuthHelpers,
@@ -4744,6 +7323,7 @@ export {
   createInviteAcceptHandler,
   createSetPasswordHandler,
   createSettingsApiHandlers,
+  createStorefrontApiHandler,
   createUploadHandler,
   createUserAuthApiRouter,
   createUserAvatarHandler,
@@ -4757,14 +7337,32 @@ export {
   formatDateOnly,
   formatDateTime,
   generateSlug,
+  getCompanyDetailsFromSettings,
   getNextAuthOptions,
+  getPermissionableEntityKeys,
   getRequiredPermission,
+  hasEntityPermission,
   isOpenEndpoint,
   isPublicMethod,
+  isSuperAdminGroupName,
+  joinRecipientsForSend,
+  linkUnclaimedContactToUser,
   llmPlugin,
   localStoragePlugin,
+  mergeEmailLayoutCompanyDetails,
+  parseEmailRecipientsFromConfig,
   paymentPlugin,
+  permissionRowsToRecord,
+  queueEmail,
+  queueOrderPlacedEmails,
+  queuePlugin,
+  registerEmailQueueProcessor,
+  renderEmail,
+  renderLayout,
   s3StoragePlugin,
+  seedAdministratorPermissions,
+  serializeEmailRecipients,
+  sessionHasEntityAccess,
   smsPlugin,
   truncateText,
   validateSlug