@infuro/cms-core 1.0.9 → 1.0.10

package/dist/api.cjs

@@ -30,105 +30,91 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// src/plugins/email/email-service.ts
-var email_service_exports = {};
-__export(email_service_exports, {
-  EmailService: () => EmailService,
-  emailTemplates: () => emailTemplates
+// src/plugins/email/email-queue.ts
+var email_queue_exports = {};
+__export(email_queue_exports, {
+  queueEmail: () => queueEmail,
+  queueOrderPlacedEmails: () => queueOrderPlacedEmails,
+  registerEmailQueueProcessor: () => registerEmailQueueProcessor
 });
-var import_client_ses, import_nodemailer, EmailService, emailTemplates;
-var init_email_service = __esm({
-  "src/plugins/email/email-service.ts"() {
-    "use strict";
-    import_client_ses = require("@aws-sdk/client-ses");
-    import_nodemailer = __toESM(require("nodemailer"), 1);
-    EmailService = class {
-      config;
-      sesClient;
-      transporter;
-      constructor(config) {
-        this.config = config;
-        if (config.type === "AWS") {
-          if (!config.region || !config.accessKeyId || !config.secretAccessKey) {
-            throw new Error("AWS SES configuration incomplete");
-          }
-          this.sesClient = new import_client_ses.SESClient({
-            region: config.region,
-            credentials: { accessKeyId: config.accessKeyId, secretAccessKey: config.secretAccessKey }
-          });
-        } else if (config.type === "SMTP" || config.type === "GMAIL") {
-          if (!config.user || !config.password) throw new Error("SMTP configuration incomplete");
-          this.transporter = import_nodemailer.default.createTransport({
-            host: config.type === "GMAIL" ? "smtp.gmail.com" : void 0,
-            port: 587,
-            secure: false,
-            auth: { user: config.user, pass: config.password }
-          });
-        } else {
-          throw new Error(`Unsupported email type: ${config.type}`);
-        }
-      }
-      async send(emailData) {
-        try {
-          if (this.config.type === "AWS" && this.sesClient) {
-            await this.sesClient.send(
-              new import_client_ses.SendEmailCommand({
-                Source: emailData.from || this.config.from,
-                Destination: { ToAddresses: [emailData.to || this.config.to] },
-                Message: {
-                  Subject: { Data: emailData.subject, Charset: "UTF-8" },
-                  Body: {
-                    Html: { Data: emailData.html, Charset: "UTF-8" },
-                    ...emailData.text && { Text: { Data: emailData.text, Charset: "UTF-8" } }
-                  }
-                }
-              })
-            );
-            return true;
-          }
-          if ((this.config.type === "SMTP" || this.config.type === "GMAIL") && this.transporter) {
-            await this.transporter.sendMail({
-              from: emailData.from || this.config.from,
-              to: emailData.to || this.config.to,
-              subject: emailData.subject,
-              html: emailData.html,
-              text: emailData.text
-            });
-            return true;
-          }
-          return false;
-        } catch (error) {
-          console.error("Email sending failed:", error);
-          return false;
+function registerEmailQueueProcessor(cms) {
+  const queue = cms.getPlugin("queue");
+  const email = cms.getPlugin("email");
+  if (!queue || !email) return;
+  queue.registerProcessor(EMAIL_QUEUE_NAME, async (data) => {
+    const payload = data;
+    const { to, templateName, ctx, subject, html, text } = payload;
+    if (!to) return;
+    if (templateName && ctx) {
+      const rendered = email.renderTemplate(templateName, ctx);
+      await email.send({ to, subject: rendered.subject, html: rendered.html, text: rendered.text });
+    } else if (subject != null && html != null) {
+      await email.send({ to, subject, html, text });
+    }
+  });
+}
+async function queueEmail(cms, payload) {
+  const queue = cms.getPlugin("queue");
+  if (queue) {
+    await queue.add(EMAIL_QUEUE_NAME, payload);
+    return;
+  }
+  const email = cms.getPlugin("email");
+  if (email && payload.templateName && payload.ctx) {
+    const rendered = email.renderTemplate(payload.templateName, payload.ctx);
+    await email.send({ to: payload.to, subject: rendered.subject, html: rendered.html, text: rendered.text });
+  } else if (email && payload.subject != null && payload.html != null) {
+    await email.send({ to: payload.to, subject: payload.subject, html: payload.html, text: payload.text });
+  }
+}
+async function queueOrderPlacedEmails(cms, payload) {
+  const { orderNumber: orderNumber2, total, currency, customerName, customerEmail, salesTeamEmails, companyDetails, lineItems } = payload;
+  const base = {
+    orderNumber: orderNumber2,
+    total: total != null ? String(total) : void 0,
+    currency,
+    customerName,
+    companyDetails: companyDetails ?? {},
+    lineItems: lineItems ?? []
+  };
+  const customerLower = customerEmail?.trim().toLowerCase() ?? "";
+  const jobs = [];
+  if (customerEmail?.trim()) {
+    jobs.push(
+      queueEmail(cms, {
+        to: customerEmail.trim(),
+        templateName: "orderPlaced",
+        ctx: { ...base, audience: "customer" }
+      })
+    );
+  }
+  const seen = /* @__PURE__ */ new Set();
+  for (const raw of salesTeamEmails) {
+    const to = raw.trim();
+    if (!to) continue;
+    const key = to.toLowerCase();
+    if (seen.has(key)) continue;
+    seen.add(key);
+    if (customerLower && key === customerLower) continue;
+    jobs.push(
+      queueEmail(cms, {
+        to,
+        templateName: "orderPlaced",
+        ctx: {
+          ...base,
+          audience: "sales",
+          internalCustomerEmail: customerEmail?.trim() || void 0
         }
-      }
-    };
-    emailTemplates = {
-      formSubmission: (data) => ({
-        subject: `New Form Submission: ${data.formName}`,
-        html: `<h2>New Form Submission</h2><p><strong>Form:</strong> ${data.formName}</p><p><strong>Contact:</strong> ${data.contactName} (${data.contactEmail})</p><pre>${JSON.stringify(data.formData, null, 2)}</pre>`,
-        text: `New Form Submission
-Form: ${data.formName}
-Contact: ${data.contactName} (${data.contactEmail})
-${JSON.stringify(data.formData, null, 2)}`
-      }),
-      contactSubmission: (data) => ({
-        subject: `New Contact Form Submission from ${data.name}`,
-        html: `<h2>New Contact Form Submission</h2><p><strong>Name:</strong> ${data.name}</p><p><strong>Email:</strong> ${data.email}</p>${data.phone ? `<p><strong>Phone:</strong> ${data.phone}</p>` : ""}${data.message ? `<p><strong>Message:</strong></p><p>${data.message}</p>` : ""}`,
-        text: `New Contact Form Submission
-Name: ${data.name}
-Email: ${data.email}
-${data.phone ? `Phone: ${data.phone}
-` : ""}${data.message ? `Message: ${data.message}` : ""}`
-      }),
-      passwordReset: (data) => ({
-        subject: "Reset your password",
-        html: `<h2>Reset your password</h2><p>Click the link below to set a new password. This link expires in 1 hour.</p><p><a href="${data.resetLink}">${data.resetLink}</a></p>`,
-        text: `Reset your password: ${data.resetLink}
-
-This link expires in 1 hour.`
       })
-    };
+    );
+  }
+  await Promise.all(jobs);
+}
+var EMAIL_QUEUE_NAME;
+var init_email_queue = __esm({
+  "src/plugins/email/email-queue.ts"() {
+    "use strict";
+    EMAIL_QUEUE_NAME = "email";
   }
 });
 
@@ -147,6 +133,7 @@ __export(api_exports, {
   createInviteAcceptHandler: () => createInviteAcceptHandler,
   createSetPasswordHandler: () => createSetPasswordHandler,
   createSettingsApiHandlers: () => createSettingsApiHandlers,
+  createStorefrontApiHandler: () => createStorefrontApiHandler,
   createUploadHandler: () => createUploadHandler,
   createUserAuthApiRouter: () => createUserAuthApiRouter,
   createUserAvatarHandler: () => createUserAvatarHandler,
@@ -191,11 +178,38 @@ function sanitizeBodyForEntity(repo, body) {
     }
   }
 }
+function pickColumnUpdates(repo, body) {
+  const cols = new Set(repo.metadata.columns.map((c) => c.propertyName));
+  const out = {};
+  for (const k of Object.keys(body)) {
+    if (cols.has(k)) out[k] = body[k];
+  }
+  return out;
+}
+function buildSearchWhereClause(repo, search) {
+  const cols = new Set(repo.metadata.columns.map((c) => c.propertyName));
+  const term = (0, import_typeorm.ILike)(`%${search}%`);
+  const ors = [];
+  for (const field of ["name", "title", "slug", "email", "filename"]) {
+    if (cols.has(field)) ors.push({ [field]: term });
+  }
+  if (ors.length === 0) return {};
+  return ors.length === 1 ? ors[0] : ors;
+}
 function createCrudHandler(dataSource, entityMap, options) {
-  const { requireAuth, json } = options;
+  const { requireAuth, json, requireEntityPermission: reqPerm } = options;
+  async function authz(req, resource, action) {
+    const authError = await requireAuth(req);
+    if (authError) return authError;
+    if (reqPerm) {
+      const pe = await reqPerm(req, resource, action);
+      if (pe) return pe;
+    }
+    return null;
+  }
   return {
     async GET(req, resource) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "read");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!resource || !entity) {
@@ -211,7 +225,7 @@ function createCrudHandler(dataSource, entityMap, options) {
       if (resource === "orders") {
         const repo2 = dataSource.getRepository(entity);
         const allowedSort = ["id", "orderNumber", "contactId", "status", "total", "currency", "createdAt", "updatedAt"];
-        const sortField = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "createdAt";
+        const sortField2 = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "createdAt";
         const sortOrderOrders = searchParams.get("sortOrder") === "asc" ? "ASC" : "DESC";
         const statusFilter = searchParams.get("status")?.trim();
         const dateFrom = searchParams.get("dateFrom")?.trim();
@@ -226,7 +240,7 @@ function createCrudHandler(dataSource, entityMap, options) {
             return json({ total: 0, page, limit, totalPages: 0, data: [] });
           }
         }
-        const qb = repo2.createQueryBuilder("order").leftJoinAndSelect("order.contact", "contact").leftJoinAndSelect("order.items", "items").leftJoinAndSelect("items.product", "product").leftJoinAndSelect("product.collection", "collection").orderBy(`order.${sortField}`, sortOrderOrders).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("order").leftJoinAndSelect("order.contact", "contact").leftJoinAndSelect("order.items", "items").leftJoinAndSelect("items.product", "product").leftJoinAndSelect("product.collection", "collection").orderBy(`order.${sortField2}`, sortOrderOrders).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere(
@@ -257,14 +271,14 @@ function createCrudHandler(dataSource, entityMap, options) {
       if (resource === "payments") {
         const repo2 = dataSource.getRepository(entity);
         const allowedSort = ["id", "orderId", "amount", "currency", "status", "method", "paidAt", "createdAt", "updatedAt"];
-        const sortField = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "createdAt";
+        const sortField2 = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "createdAt";
         const sortOrderPayments = searchParams.get("sortOrder") === "asc" ? "ASC" : "DESC";
         const statusFilter = searchParams.get("status")?.trim();
         const dateFrom = searchParams.get("dateFrom")?.trim();
         const dateTo = searchParams.get("dateTo")?.trim();
         const methodFilter = searchParams.get("method")?.trim();
         const orderNumberParam = searchParams.get("orderNumber")?.trim();
-        const qb = repo2.createQueryBuilder("payment").leftJoinAndSelect("payment.order", "ord").leftJoinAndSelect("ord.contact", "orderContact").leftJoinAndSelect("payment.contact", "contact").orderBy(`payment.${sortField}`, sortOrderPayments).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("payment").leftJoinAndSelect("payment.order", "ord").leftJoinAndSelect("ord.contact", "orderContact").leftJoinAndSelect("payment.contact", "contact").orderBy(`payment.${sortField2}`, sortOrderPayments).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere(
@@ -313,12 +327,12 @@ function createCrudHandler(dataSource, entityMap, options) {
       if (resource === "contacts") {
         const repo2 = dataSource.getRepository(entity);
         const allowedSort = ["id", "name", "email", "createdAt", "type"];
-        const sortField = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "createdAt";
+        const sortField2 = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "createdAt";
         const sortOrderContacts = searchParams.get("sortOrder") === "asc" ? "ASC" : "DESC";
         const typeFilter2 = searchParams.get("type")?.trim();
         const orderIdParam = searchParams.get("orderId")?.trim();
         const includeSummary = searchParams.get("includeSummary") === "1";
-        const qb = repo2.createQueryBuilder("contact").orderBy(`contact.${sortField}`, sortOrderContacts).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("contact").orderBy(`contact.${sortField2}`, sortOrderContacts).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere("(contact.name ILIKE :term OR contact.email ILIKE :term OR contact.phone ILIKE :term)", { term });
@@ -352,6 +366,8 @@ function createCrudHandler(dataSource, entityMap, options) {
       }
       const repo = dataSource.getRepository(entity);
       const typeFilter = searchParams.get("type");
+      const columnNames = new Set(repo.metadata.columns.map((c) => c.propertyName));
+      const sortField = columnNames.has(sortFieldRaw) ? sortFieldRaw : "createdAt";
       let where = {};
       if (resource === "media") {
         const mediaWhere = {};
@@ -359,18 +375,18 @@ function createCrudHandler(dataSource, entityMap, options) {
         if (typeFilter) mediaWhere.mimeType = (0, import_typeorm.Like)(`${typeFilter}/%`);
         where = Object.keys(mediaWhere).length > 0 ? mediaWhere : {};
       } else if (search) {
-        where = [{ name: (0, import_typeorm.ILike)(`%${search}%`) }, { title: (0, import_typeorm.ILike)(`%${search}%`) }];
+        where = buildSearchWhereClause(repo, search);
       }
       const [data, total] = await repo.findAndCount({
         skip,
         take: limit,
-        order: { [sortFieldRaw]: sortOrder },
+        order: { [sortField]: sortOrder },
         where
       });
       return json({ total, page, limit, totalPages: Math.ceil(total / limit), data });
     },
     async POST(req, resource) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "create");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!resource || !entity) {
@@ -386,7 +402,7 @@ function createCrudHandler(dataSource, entityMap, options) {
       return json(created, { status: 201 });
     },
     async GET_METADATA(req, resource) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "read");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!resource || !entity) {
@@ -417,7 +433,7 @@ function createCrudHandler(dataSource, entityMap, options) {
       return json({ columns, uniqueColumns });
     },
     async BULK_POST(req, resource) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "update");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!resource || !entity) {
@@ -448,7 +464,7 @@ function createCrudHandler(dataSource, entityMap, options) {
       }
     },
     async GET_EXPORT(req, resource) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "read");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!resource || !entity) {
@@ -489,10 +505,19 @@ function createCrudHandler(dataSource, entityMap, options) {
   };
 }
 function createCrudByIdHandler(dataSource, entityMap, options) {
-  const { requireAuth, json } = options;
+  const { requireAuth, json, requireEntityPermission: reqPerm } = options;
+  async function authz(req, resource, action) {
+    const authError = await requireAuth(req);
+    if (authError) return authError;
+    if (reqPerm) {
+      const pe = await reqPerm(req, resource, action);
+      if (pe) return pe;
+    }
+    return null;
+  }
   return {
     async GET(req, resource, id) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "read");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!entity) return json({ error: "Invalid resource" }, { status: 400 });
@@ -535,23 +560,111 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
         if (!payment) return json({ message: "Not found" }, { status: 404 });
         return json(payment);
       }
+      if (resource === "blogs") {
+        const blog = await repo.findOne({
+          where: { id: Number(id) },
+          relations: ["category", "seo", "tags"]
+        });
+        return blog ? json(blog) : json({ message: "Not found" }, { status: 404 });
+      }
       const item = await repo.findOne({ where: { id: Number(id) } });
       return item ? json(item) : json({ message: "Not found" }, { status: 404 });
     },
     async PUT(req, resource, id) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "update");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!entity) return json({ error: "Invalid resource" }, { status: 400 });
-      const body = await req.json();
+      const rawBody = await req.json();
       const repo = dataSource.getRepository(entity);
-      if (body && typeof body === "object") sanitizeBodyForEntity(repo, body);
-      await repo.update(Number(id), body);
-      const updated = await repo.findOne({ where: { id: Number(id) } });
+      const numericId = Number(id);
+      if (resource === "blogs" && rawBody && typeof rawBody === "object" && entityMap.categories && entityMap.seos && entityMap.tags) {
+        const existing = await repo.findOne({ where: { id: numericId } });
+        if (!existing) return json({ message: "Not found" }, { status: 404 });
+        const updatePayload2 = pickColumnUpdates(repo, rawBody);
+        if ("category" in rawBody) {
+          const c = rawBody.category;
+          if (typeof c === "string" && c.trim()) {
+            const cat = await dataSource.getRepository(entityMap.categories).findOne({ where: { name: c.trim() } });
+            updatePayload2.categoryId = cat?.id ?? null;
+          } else {
+            updatePayload2.categoryId = null;
+          }
+        }
+        const blogSlug = typeof updatePayload2.slug === "string" && updatePayload2.slug || existing.slug;
+        const seoRepo = dataSource.getRepository(entityMap.seos);
+        const seoField = (k) => {
+          if (!(k in rawBody)) return void 0;
+          const v = rawBody[k];
+          if (v == null || v === "") return null;
+          return String(v);
+        };
+        if ("metaTitle" in rawBody || "metaDescription" in rawBody || "metaKeywords" in rawBody || "ogImage" in rawBody) {
+          const title = seoField("metaTitle");
+          const description = seoField("metaDescription");
+          const keywords = seoField("metaKeywords");
+          const ogImage = seoField("ogImage");
+          const exSeoId = existing.seoId;
+          if (exSeoId) {
+            const seo = await seoRepo.findOne({ where: { id: exSeoId } });
+            if (seo) {
+              const s = seo;
+              if (title !== void 0) s.title = title;
+              if (description !== void 0) s.description = description;
+              if (keywords !== void 0) s.keywords = keywords;
+              if (ogImage !== void 0) s.ogImage = ogImage;
+              s.slug = blogSlug;
+              await seoRepo.save(seo);
+            }
+          } else {
+            let seoSlug = blogSlug;
+            const taken = await seoRepo.findOne({ where: { slug: seoSlug } });
+            if (taken) seoSlug = `blog-${numericId}-${blogSlug}`;
+            const seo = await seoRepo.save(
+              seoRepo.create({
+                slug: seoSlug,
+                title: title ?? null,
+                description: description ?? null,
+                keywords: keywords ?? null,
+                ogImage: ogImage ?? null
+              })
+            );
+            updatePayload2.seoId = seo.id;
+          }
+        }
+        sanitizeBodyForEntity(repo, updatePayload2);
+        await repo.update(numericId, updatePayload2);
+        if (Array.isArray(rawBody.tags)) {
+          const tagNames = rawBody.tags.map((t) => String(t).trim()).filter(Boolean);
+          const tagRepo = dataSource.getRepository(entityMap.tags);
+          const tagEntities = [];
+          for (const name of tagNames) {
+            let tag = await tagRepo.findOne({ where: { name } });
+            if (!tag) tag = await tagRepo.save(tagRepo.create({ name }));
+            tagEntities.push(tag);
+          }
+          const blog = await repo.findOne({ where: { id: numericId }, relations: ["tags"] });
+          if (blog) {
+            blog.tags = tagEntities;
+            await repo.save(blog);
+          }
+        }
+        const updated2 = await repo.findOne({
+          where: { id: numericId },
+          relations: ["tags", "category", "seo"]
+        });
+        return updated2 ? json(updated2) : json({ message: "Not found" }, { status: 404 });
+      }
+      const updatePayload = rawBody && typeof rawBody === "object" ? pickColumnUpdates(repo, rawBody) : {};
+      if (Object.keys(updatePayload).length > 0) {
+        sanitizeBodyForEntity(repo, updatePayload);
+        await repo.update(numericId, updatePayload);
+      }
+      const updated = await repo.findOne({ where: { id: numericId } });
       return updated ? json(updated) : json({ message: "Not found" }, { status: 404 });
     },
     async DELETE(req, resource, id) {
-      const authError = await requireAuth(req);
+      const authError = await authz(req, resource, "delete");
       if (authError) return authError;
       const entity = entityMap[resource];
       if (!entity) return json({ error: "Invalid resource" }, { status: 400 });
@@ -563,6 +676,16 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
   };
 }
 
+// src/lib/link-contact-to-user.ts
+var import_typeorm2 = require("typeorm");
+async function linkUnclaimedContactToUser(dataSource, contactsEntity, userId, email) {
+  const repo = dataSource.getRepository(contactsEntity);
+  const found = await repo.findOne({
+    where: { email, userId: (0, import_typeorm2.IsNull)(), deleted: false }
+  });
+  if (found) await repo.update(found.id, { userId });
+}
+
 // src/api/auth-handlers.ts
 function createForgotPasswordHandler(config) {
   const { dataSource, entityMap, json, baseUrl, sendEmail, resetExpiryHours = 1, afterCreateToken } = config;
@@ -575,13 +698,20 @@ function createForgotPasswordHandler(config) {
       const user = await userRepo.findOne({ where: { email }, select: ["email"] });
       const msg = "If an account exists with this email, you will receive a reset link shortly.";
       if (!user) return json({ message: msg }, { status: 200 });
-      const crypto = await import("crypto");
-      const token = crypto.randomBytes(32).toString("hex");
+      const crypto2 = await import("crypto");
+      const token = crypto2.randomBytes(32).toString("hex");
       const expiresAt = new Date(Date.now() + resetExpiryHours * 60 * 60 * 1e3);
       const tokenRepo = dataSource.getRepository(entityMap.password_reset_tokens);
       await tokenRepo.save(tokenRepo.create({ email: user.email, token, expiresAt }));
       const resetLink = `${baseUrl}/admin/reset-password?token=${token}`;
-      if (sendEmail) await sendEmail({ to: user.email, subject: "Password reset", html: `<a href="${resetLink}">Reset password</a>`, text: resetLink });
+      if (sendEmail)
+        await sendEmail({
+          to: user.email,
+          subject: "Password reset",
+          html: `<a href="${resetLink}">Reset password</a>`,
+          text: resetLink,
+          resetLink
+        });
       if (afterCreateToken) await afterCreateToken(user.email, resetLink);
       return json({ message: msg }, { status: 200 });
     } catch (err) {
@@ -630,6 +760,9 @@ function createInviteAcceptHandler(config) {
       const user = await userRepo.findOne({ where: { email }, select: ["id", "blocked"] });
       if (!user) return json({ error: "User not found" }, { status: 400 });
       if (!user.blocked) return json({ error: "User is already active" }, { status: 400 });
+      if (entityMap.contacts) {
+        await linkUnclaimedContactToUser(dataSource, entityMap.contacts, user.id, email);
+      }
       if (beforeActivate) await beforeActivate(email, user.id);
       const hashedPassword = await hashPassword(password);
       await userRepo.update(user.id, { password: hashedPassword, blocked: false });
@@ -690,12 +823,17 @@ function createUserAuthApiRouter(config) {
 }
 
 // src/api/cms-handlers.ts
-var import_typeorm2 = require("typeorm");
+var import_typeorm3 = require("typeorm");
+init_email_queue();
 function createDashboardStatsHandler(config) {
-  const { dataSource, entityMap, json, requireAuth, requirePermission } = config;
+  const { dataSource, entityMap, json, requireAuth, requirePermission, requireEntityPermission } = config;
   return async function GET(req) {
     const authErr = await requireAuth(req);
     if (authErr) return authErr;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(req, "dashboard", "read");
+      if (pe) return pe;
+    }
     if (requirePermission) {
       const permErr = await requirePermission(req, "view_dashboard");
       if (permErr) return permErr;
@@ -709,8 +847,8 @@ function createDashboardStatsHandler(config) {
         repo("form_submissions")?.count() ?? 0,
         repo("users")?.count({ where: { deleted: false } }) ?? 0,
         repo("blogs")?.count({ where: { deleted: false } }) ?? 0,
-        repo("contacts")?.count({ where: { createdAt: (0, import_typeorm2.MoreThanOrEqual)(sevenDaysAgo) } }) ?? 0,
-        repo("form_submissions")?.count({ where: { createdAt: (0, import_typeorm2.MoreThanOrEqual)(sevenDaysAgo) } }) ?? 0
+        repo("contacts")?.count({ where: { createdAt: (0, import_typeorm3.MoreThanOrEqual)(sevenDaysAgo) } }) ?? 0,
+        repo("form_submissions")?.count({ where: { createdAt: (0, import_typeorm3.MoreThanOrEqual)(sevenDaysAgo) } }) ?? 0
       ]);
       return json({
         contacts: { total: contactsCount, recent: recentContacts },
@@ -754,11 +892,15 @@ function createAnalyticsHandlers(config) {
   };
 }
 function createUploadHandler(config) {
-  const { json, requireAuth, storage, localUploadDir = "public/uploads", allowedTypes, maxSizeBytes = 10 * 1024 * 1024 } = config;
+  const { json, requireAuth, requireEntityPermission, storage, localUploadDir = "public/uploads", allowedTypes, maxSizeBytes = 10 * 1024 * 1024 } = config;
   const allowed = allowedTypes ?? ["image/jpeg", "image/png", "image/gif", "image/webp", "application/pdf", "text/plain"];
   return async function POST(req) {
     const authErr = await requireAuth(req);
     if (authErr) return authErr;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(req, "upload", "create");
+      if (pe) return pe;
+    }
     try {
       const formData = await req.formData();
       const file = formData.get("file");
@@ -839,13 +981,17 @@ function normalizeFieldRow(f, formId) {
   };
 }
 function createFormSaveHandlers(config) {
-  const { dataSource, entityMap, json, requireAuth } = config;
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission } = config;
   const formRepo = () => dataSource.getRepository(entityMap.forms);
   const fieldRepo = () => dataSource.getRepository(entityMap.form_fields);
   return {
     async GET(req, id) {
       const authErr = await requireAuth(req);
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(req, "forms", "read");
+        if (pe) return pe;
+      }
       try {
         const formId = Number(id);
         if (!Number.isInteger(formId) || formId <= 0) return json({ error: "Invalid form id" }, { status: 400 });
@@ -865,6 +1011,10 @@ function createFormSaveHandlers(config) {
     async POST(req) {
       const authErr = await requireAuth(req);
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(req, "forms", "create");
+        if (pe) return pe;
+      }
       try {
         const body = await req.json();
         if (!body || typeof body !== "object") return json({ error: "Invalid request payload" }, { status: 400 });
@@ -885,6 +1035,10 @@ function createFormSaveHandlers(config) {
     async PUT(req, id) {
       const authErr = await requireAuth(req);
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(req, "forms", "update");
+        if (pe) return pe;
+      }
       try {
         const formId = Number(id);
         if (!Number.isInteger(formId) || formId <= 0) return json({ error: "Invalid form id" }, { status: 400 });
@@ -913,10 +1067,14 @@ function createFormSaveHandlers(config) {
   };
 }
 function createFormSubmissionGetByIdHandler(config) {
-  const { dataSource, entityMap, json, requireAuth } = config;
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission } = config;
   return async function GET(req, id) {
     const authErr = await requireAuth(req);
     if (authErr) return authErr;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(req, "form_submissions", "read");
+      if (pe) return pe;
+    }
     try {
       const submissionId = Number(id);
       if (!Number.isInteger(submissionId) || submissionId <= 0) return json({ error: "Invalid id" }, { status: 400 });
@@ -943,10 +1101,14 @@ function createFormSubmissionGetByIdHandler(config) {
   };
 }
 function createFormSubmissionListHandler(config) {
-  const { dataSource, entityMap, json, requireAuth } = config;
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission } = config;
   return async function GET(req) {
     const authErr = await requireAuth(req);
     if (authErr) return authErr;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(req, "form_submissions", "read");
+      if (pe) return pe;
+    }
     try {
       const repo = dataSource.getRepository(entityMap.form_submissions);
       const { searchParams } = new URL(req.url);
@@ -967,6 +1129,11 @@ function createFormSubmissionListHandler(config) {
     }
   };
 }
+function formatSubmissionFieldValue(raw) {
+  if (raw == null || raw === "") return "\u2014";
+  if (typeof raw === "object") return JSON.stringify(raw);
+  return String(raw);
+}
 function pickContactFromSubmission(fields, data) {
   let email = null;
   let name = null;
@@ -1042,6 +1209,50 @@ function createFormSubmissionHandler(config) {
           userAgent: userAgent?.slice(0, 500) ?? null
         })
       );
+      const formWithName = form;
+      const formName = formWithName.name ?? "Form";
+      let contactName = "Unknown";
+      let contactEmail = "";
+      if (Number.isInteger(contactId)) {
+        const contactRepo = dataSource.getRepository(entityMap.contacts);
+        const contact = await contactRepo.findOne({ where: { id: contactId }, select: ["name", "email"] });
+        if (contact) {
+          contactName = contact.name ?? contactName;
+          contactEmail = contact.email ?? contactEmail;
+        }
+      } else {
+        const contactData = pickContactFromSubmission(activeFields, data);
+        if (contactData) {
+          contactName = contactData.name;
+          contactEmail = contactData.email;
+        }
+      }
+      if (config.getCms && config.getCompanyDetails && config.getRecipientForChannel) {
+        try {
+          const cms = await config.getCms();
+          const to = await config.getRecipientForChannel("crm");
+          if (to) {
+            const companyDetails = await config.getCompanyDetails();
+            const formFieldRows = activeFields.map((f) => ({
+              label: f.label && String(f.label).trim() || `Field ${f.id}`,
+              value: formatSubmissionFieldValue(data[String(f.id)])
+            }));
+            await queueEmail(cms, {
+              to,
+              templateName: "formSubmission",
+              ctx: {
+                formName,
+                contactName,
+                contactEmail,
+                formData: data,
+                formFieldRows,
+                companyDetails: companyDetails ?? {}
+              }
+            });
+          }
+        } catch {
+        }
+      }
       return json(created, { status: 201 });
     } catch {
       return json({ error: "Server Error" }, { status: 500 });
@@ -1049,12 +1260,34 @@ function createFormSubmissionHandler(config) {
   };
 }
 function createUsersApiHandlers(config) {
-  const { dataSource, entityMap, json, requireAuth, baseUrl } = config;
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission, baseUrl, getCms, getCompanyDetails } = config;
+  async function trySendInviteEmail(toEmail, inviteLink, inviteeName) {
+    if (!getCms) return;
+    try {
+      const cms = await getCms();
+      const companyDetails = getCompanyDetails ? await getCompanyDetails() : {};
+      await queueEmail(cms, {
+        to: toEmail,
+        templateName: "invite",
+        ctx: {
+          inviteLink,
+          email: toEmail,
+          inviteeName: inviteeName.trim(),
+          companyDetails: companyDetails ?? {}
+        }
+      });
+    } catch {
+    }
+  }
   const userRepo = () => dataSource.getRepository(entityMap.users);
   return {
     async list(req) {
       const authErr = await requireAuth(req);
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(req, "users", "read");
+        if (pe) return pe;
+      }
       try {
         const url = new URL(req.url);
         const page = Math.max(1, parseInt(url.searchParams.get("page") || "1", 10));
@@ -1063,7 +1296,7 @@ function createUsersApiHandlers(config) {
         const sortField = url.searchParams.get("sortField") || "createdAt";
         const sortOrder = url.searchParams.get("sortOrder") === "desc" ? "DESC" : "ASC";
         const search = url.searchParams.get("search");
-        const where = search ? [{ name: (0, import_typeorm2.ILike)(`%${search}%`) }, { email: (0, import_typeorm2.ILike)(`%${search}%`) }] : {};
+        const where = search ? [{ name: (0, import_typeorm3.ILike)(`%${search}%`) }, { email: (0, import_typeorm3.ILike)(`%${search}%`) }] : {};
         const [data, total] = await userRepo().findAndCount({
           skip,
           take: limit,
@@ -1080,16 +1313,40 @@ function createUsersApiHandlers(config) {
     async create(req) {
       const authErr = await requireAuth(req);
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(req, "users", "create");
+        if (pe) return pe;
+      }
       try {
         const body = await req.json();
         if (!body?.name || !body?.email) return json({ error: "Name and email are required" }, { status: 400 });
         const existing = await userRepo().findOne({ where: { email: body.email } });
         if (existing) return json({ error: "User with this email already exists" }, { status: 400 });
+        const groupRepo = dataSource.getRepository(entityMap.user_groups);
+        const customerG = await groupRepo.findOne({ where: { name: "Customer", deleted: false } });
+        const gid = body.groupId ?? null;
+        const isCustomer = !!(customerG && gid === customerG.id);
+        const adminAccess = isCustomer ? false : body.adminAccess === false ? false : true;
         const newUser = await userRepo().save(
-          userRepo().create({ name: body.name, email: body.email, password: null, blocked: true, groupId: body.groupId ?? null })
+          userRepo().create({
+            name: body.name,
+            email: body.email,
+            password: null,
+            blocked: true,
+            groupId: gid,
+            adminAccess
+          })
         );
+        if (entityMap.contacts) {
+          await linkUnclaimedContactToUser(dataSource, entityMap.contacts, newUser.id, newUser.email);
+        }
         const emailToken = Buffer.from(newUser.email).toString("base64");
         const inviteLink = `${baseUrl}/admin/invite?token=${emailToken}`;
+        await trySendInviteEmail(
+          newUser.email,
+          inviteLink,
+          newUser.name ?? ""
+        );
         return json({ message: "User created successfully (blocked until password is set)", user: newUser, inviteLink }, { status: 201 });
       } catch {
         return json({ error: "Server Error" }, { status: 500 });
@@ -1098,6 +1355,10 @@ function createUsersApiHandlers(config) {
     async getById(_req, id) {
       const authErr = await requireAuth(new Request(_req.url));
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(_req, "users", "read");
+        if (pe) return pe;
+      }
       try {
         const user = await userRepo().findOne({
           where: { id: parseInt(id, 10) },
@@ -1113,6 +1374,10 @@ function createUsersApiHandlers(config) {
     async update(req, id) {
       const authErr = await requireAuth(req);
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(req, "users", "update");
+        if (pe) return pe;
+      }
       try {
         const body = await req.json();
         const { password: _p, ...safe } = body;
@@ -1130,6 +1395,10 @@ function createUsersApiHandlers(config) {
     async delete(_req, id) {
       const authErr = await requireAuth(new Request(_req.url));
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(_req, "users", "delete");
+        if (pe) return pe;
+      }
       try {
         const r = await userRepo().delete(parseInt(id, 10));
         if (r.affected === 0) return json({ error: "User not found" }, { status: 404 });
@@ -1141,11 +1410,16 @@ function createUsersApiHandlers(config) {
     async regenerateInvite(_req, id) {
       const authErr = await requireAuth(new Request(_req.url));
       if (authErr) return authErr;
+      if (requireEntityPermission) {
+        const pe = await requireEntityPermission(_req, "users", "update");
+        if (pe) return pe;
+      }
       try {
-        const user = await userRepo().findOne({ where: { id: parseInt(id, 10) }, select: ["email"] });
+        const user = await userRepo().findOne({ where: { id: parseInt(id, 10) }, select: ["email", "name"] });
         if (!user) return json({ error: "User not found" }, { status: 404 });
         const emailToken = Buffer.from(user.email).toString("base64");
         const inviteLink = `${baseUrl}/admin/invite?token=${emailToken}`;
+        await trySendInviteEmail(user.email, inviteLink, user.name ?? "");
         return json({ message: "New invite link generated successfully", inviteLink });
       } catch {
         return json({ error: "Server Error" }, { status: 500 });
@@ -1357,7 +1631,7 @@ function createChatHandlers(config) {
         if (contextParts.length === 0) {
           const terms = getQueryTerms(message);
           if (terms.length > 0) {
-            const conditions = terms.map((t) => ({ content: (0, import_typeorm2.ILike)(`%${t}%`) }));
+            const conditions = terms.map((t) => ({ content: (0, import_typeorm3.ILike)(`%${t}%`) }));
             const chunks = await chunkRepo().find({
               where: conditions,
               take: KB_CHUNK_LIMIT,
@@ -1395,8 +1669,207 @@ ${contextParts.join("\n\n")}` : "You are a helpful assistant for the company. If
   };
 }
 
+// src/auth/permission-entities.ts
+var PERMISSION_ENTITY_INTERNAL_EXCLUDE = /* @__PURE__ */ new Set([
+  "users",
+  "password_reset_tokens",
+  "user_groups",
+  "permissions",
+  "comments",
+  "form_fields",
+  "configs",
+  "knowledge_base_chunks",
+  "carts",
+  "cart_items",
+  "wishlists",
+  "wishlist_items"
+]);
+var PERMISSION_LOGICAL_ENTITIES = [
+  "users",
+  "forms",
+  "form_submissions",
+  "dashboard",
+  "upload",
+  "settings",
+  "analytics",
+  "chat"
+];
+var ADMIN_GROUP_NAME = "Administrator";
+function isSuperAdminGroupName(name) {
+  return name === ADMIN_GROUP_NAME;
+}
+function getPermissionableEntityKeys(entityMap) {
+  const fromMap = Object.keys(entityMap).filter((k) => !PERMISSION_ENTITY_INTERNAL_EXCLUDE.has(k));
+  const logical = PERMISSION_LOGICAL_ENTITIES.filter((k) => !fromMap.includes(k));
+  return [...fromMap.sort(), ...logical].filter((k, i, a) => a.indexOf(k) === i);
+}
+
+// src/auth/helpers.ts
+function canManageRoles(user) {
+  return !!(user?.email && user.isRBACAdmin);
+}
+
+// src/api/admin-roles-handlers.ts
+function createAdminRolesHandlers(config) {
+  const { dataSource, entityMap, json, getSessionUser } = config;
+  const baseEntities = getPermissionableEntityKeys(entityMap);
+  const allowEntities = /* @__PURE__ */ new Set([...baseEntities, "users"]);
+  const groupRepo = () => dataSource.getRepository(entityMap.user_groups);
+  const permRepo = () => dataSource.getRepository(entityMap.permissions);
+  const userRepo = () => dataSource.getRepository(entityMap.users);
+  async function gate() {
+    const u = await getSessionUser();
+    if (!u?.email) return json({ error: "Unauthorized" }, { status: 401 });
+    if (!canManageRoles(u)) return json({ error: "Forbidden" }, { status: 403 });
+    return null;
+  }
+  return {
+    async list() {
+      const err = await gate();
+      if (err) return err;
+      const groups = await groupRepo().find({
+        where: { deleted: false },
+        order: { id: "ASC" },
+        relations: ["permissions"]
+      });
+      const entities = [...allowEntities].sort();
+      return json({
+        entities,
+        groups: groups.map((g) => ({
+          id: g.id,
+          name: g.name,
+          permissions: (g.permissions ?? []).filter((p) => !p.deleted).map((p) => ({
+            entity: p.entity,
+            canCreate: p.canCreate,
+            canRead: p.canRead,
+            canUpdate: p.canUpdate,
+            canDelete: p.canDelete
+          }))
+        }))
+      });
+    },
+    async createGroup(req) {
+      const err = await gate();
+      if (err) return err;
+      try {
+        const body = await req.json();
+        const name = body?.name?.trim();
+        if (!name) return json({ error: "Name is required" }, { status: 400 });
+        const repo = groupRepo();
+        const existing = await repo.findOne({ where: { name } });
+        if (existing) return json({ error: "Group name already exists" }, { status: 400 });
+        const g = await repo.save(repo.create({ name }));
+        return json({ id: g.id, name: g.name, permissions: [] }, { status: 201 });
+      } catch {
+        return json({ error: "Server error" }, { status: 500 });
+      }
+    },
+    async patchGroup(req, idStr) {
+      const err = await gate();
+      if (err) return err;
+      const id = parseInt(idStr, 10);
+      if (!Number.isFinite(id)) return json({ error: "Invalid id" }, { status: 400 });
+      try {
+        const body = await req.json();
+        const name = body?.name?.trim();
+        if (!name) return json({ error: "Name is required" }, { status: 400 });
+        const repo = groupRepo();
+        const g = await repo.findOne({ where: { id, deleted: false } });
+        if (!g) return json({ error: "Not found" }, { status: 404 });
+        if (isSuperAdminGroupName(g.name) && !isSuperAdminGroupName(name)) {
+          return json({ error: "Cannot rename the administrator group" }, { status: 400 });
+        }
+        const dup = await repo.findOne({ where: { name } });
+        if (dup && dup.id !== id) return json({ error: "Name already in use" }, { status: 400 });
+        g.name = name;
+        await repo.save(g);
+        return json({ id: g.id, name: g.name });
+      } catch {
+        return json({ error: "Server error" }, { status: 500 });
+      }
+    },
+    async deleteGroup(idStr) {
+      const err = await gate();
+      if (err) return err;
+      const id = parseInt(idStr, 10);
+      if (!Number.isFinite(id)) return json({ error: "Invalid id" }, { status: 400 });
+      const repo = groupRepo();
+      const g = await repo.findOne({ where: { id, deleted: false } });
+      if (!g) return json({ error: "Not found" }, { status: 404 });
+      if (isSuperAdminGroupName(g.name)) return json({ error: "Cannot delete the administrator group" }, { status: 400 });
+      const userCount = await userRepo().count({ where: { groupId: id } });
+      if (userCount > 0) return json({ error: "Reassign users before deleting this group" }, { status: 409 });
+      await permRepo().delete({ groupId: id });
+      await repo.update(id, { deleted: true, deletedAt: /* @__PURE__ */ new Date() });
+      return json({ ok: true });
+    },
+    async putPermissions(req, idStr) {
+      const err = await gate();
+      if (err) return err;
+      const groupId = parseInt(idStr, 10);
+      if (!Number.isFinite(groupId)) return json({ error: "Invalid id" }, { status: 400 });
+      const groupRepository = groupRepo();
+      const g = await groupRepository.findOne({ where: { id: groupId, deleted: false } });
+      if (!g) return json({ error: "Group not found" }, { status: 404 });
+      try {
+        const body = await req.json();
+        const rows = body?.permissions;
+        if (!Array.isArray(rows)) return json({ error: "permissions array required" }, { status: 400 });
+        for (const r of rows) {
+          if (!r?.entity || !allowEntities.has(r.entity)) {
+            return json({ error: `Invalid entity: ${r?.entity ?? ""}` }, { status: 400 });
+          }
+        }
+        await dataSource.transaction(async (em) => {
+          await em.getRepository(entityMap.permissions).delete({ groupId });
+          for (const r of rows) {
+            await em.getRepository(entityMap.permissions).save(
+              em.getRepository(entityMap.permissions).create({
+                groupId,
+                entity: r.entity,
+                canCreate: !!r.canCreate,
+                canRead: !!r.canRead,
+                canUpdate: !!r.canUpdate,
+                canDelete: !!r.canDelete
+              })
+            );
+          }
+        });
+        const updated = await groupRepository.findOne({
+          where: { id: groupId },
+          relations: ["permissions"]
+        });
+        return json({
+          id: groupId,
+          permissions: (updated?.permissions ?? []).map((p) => ({
+            entity: p.entity,
+            canCreate: p.canCreate,
+            canRead: p.canRead,
+            canUpdate: p.canUpdate,
+            canDelete: p.canDelete
+          }))
+        });
+      } catch {
+        return json({ error: "Server error" }, { status: 500 });
+      }
+    }
+  };
+}
+
 // src/api/cms-api-handler.ts
-var DEFAULT_EXCLUDE = /* @__PURE__ */ new Set(["users", "password_reset_tokens", "user_groups", "permissions", "comments", "form_fields", "configs"]);
+var DEFAULT_EXCLUDE = /* @__PURE__ */ new Set([
+  "users",
+  "password_reset_tokens",
+  "user_groups",
+  "permissions",
+  "comments",
+  "form_fields",
+  "configs",
+  "carts",
+  "cart_items",
+  "wishlists",
+  "wishlist_items"
+]);
 function createCmsApiHandler(config) {
   const {
     dataSource,
@@ -1417,7 +1890,9 @@ function createCmsApiHandler(config) {
     userAvatar,
     userProfile,
     settings: settingsConfig,
-    chat: chatConfig
+    chat: chatConfig,
+    requireEntityPermission: reqEntityPerm,
+    getSessionUser
   } = config;
   const analytics = analyticsConfig ?? (getCms ? {
     json: config.json,
@@ -1438,27 +1913,51 @@ function createCmsApiHandler(config) {
     ...userAuthConfig,
     sendEmail: async (opts) => {
       const cms = await getCms();
+      const queue = cms.getPlugin("queue");
+      const companyDetails = config.getCompanyDetails ? await config.getCompanyDetails() : {};
+      const resetLink = typeof opts.resetLink === "string" && opts.resetLink.trim() || typeof opts.text === "string" && opts.text.trim() || (typeof opts.html === "string" ? opts.html.match(/href\s*=\s*["']([^"']+)["']/)?.[1] ?? "" : "");
+      const ctx = { resetLink, companyDetails };
+      if (queue) {
+        const { queueEmail: queueEmail2 } = await Promise.resolve().then(() => (init_email_queue(), email_queue_exports));
+        await queueEmail2(cms, { to: opts.to, templateName: "passwordReset", ctx });
+        return;
+      }
       const email = cms.getPlugin("email");
       if (!email?.send) return;
-      const { emailTemplates: emailTemplates2 } = await Promise.resolve().then(() => (init_email_service(), email_service_exports));
-      const { subject, html, text } = emailTemplates2.passwordReset({ resetLink: opts.text || opts.html });
-      await email.send({ subject, html, text, to: opts.to });
+      const rendered = email.renderTemplate("passwordReset", ctx);
+      await email.send({ subject: rendered.subject, html: rendered.html, text: rendered.text, to: opts.to });
     }
   } : userAuthConfig;
-  const crudOpts = { requireAuth: config.requireAuth, json: config.json };
+  const crudOpts = {
+    requireAuth: config.requireAuth,
+    json: config.json,
+    requireEntityPermission: reqEntityPerm
+  };
   const crud = createCrudHandler(dataSource, entityMap, crudOpts);
   const crudById = createCrudByIdHandler(dataSource, entityMap, crudOpts);
+  const mergePerm = (c) => !c ? void 0 : reqEntityPerm ? { ...c, requireEntityPermission: reqEntityPerm } : c;
+  const adminRoles = getSessionUser && createAdminRolesHandlers({
+    dataSource,
+    entityMap,
+    json: config.json,
+    getSessionUser
+  });
   const userAuthRouter = userAuth ? createUserAuthApiRouter(userAuth) : null;
-  const dashboardGet = dashboard ? createDashboardStatsHandler(dashboard) : null;
+  const dashboardGet = dashboard ? createDashboardStatsHandler(mergePerm(dashboard) ?? dashboard) : null;
   const analyticsHandlers = analytics ? createAnalyticsHandlers(analytics) : null;
-  const uploadPost = upload ? createUploadHandler(upload) : null;
+  const uploadPost = upload ? createUploadHandler(mergePerm(upload) ?? upload) : null;
   const blogBySlugGet = blogBySlug ? createBlogBySlugHandler(blogBySlug) : null;
   const formBySlugGet = formBySlug ? createFormBySlugHandler(formBySlug) : null;
-  const formSaveHandlers = formSaveConfig ? createFormSaveHandlers(formSaveConfig) : null;
+  const formSaveHandlers = formSaveConfig ? createFormSaveHandlers(mergePerm(formSaveConfig) ?? formSaveConfig) : null;
   const formSubmissionPost = formSubmissionConfig ? createFormSubmissionHandler(formSubmissionConfig) : null;
-  const formSubmissionGetById = formSubmissionGetByIdConfig ? createFormSubmissionGetByIdHandler(formSubmissionGetByIdConfig) : null;
-  const formSubmissionList = formSubmissionGetByIdConfig ? createFormSubmissionListHandler(formSubmissionGetByIdConfig) : null;
-  const usersHandlers = usersApi ? createUsersApiHandlers(usersApi) : null;
+  const formSubmissionGetById = formSubmissionGetByIdConfig ? createFormSubmissionGetByIdHandler(mergePerm(formSubmissionGetByIdConfig) ?? formSubmissionGetByIdConfig) : null;
+  const formSubmissionList = formSubmissionGetByIdConfig ? createFormSubmissionListHandler(mergePerm(formSubmissionGetByIdConfig) ?? formSubmissionGetByIdConfig) : null;
+  const usersApiMerged = usersApi && getCms ? {
+    ...usersApi,
+    getCms: usersApi.getCms ?? getCms,
+    getCompanyDetails: usersApi.getCompanyDetails ?? config.getCompanyDetails
+  } : usersApi;
+  const usersHandlers = usersApiMerged ? createUsersApiHandlers(mergePerm(usersApiMerged) ?? usersApiMerged) : null;
   const avatarPost = userAvatar ? createUserAvatarHandler(userAvatar) : null;
   const profilePut = userProfile ? createUserProfileHandler(userProfile) : null;
   const settingsHandlers = settingsConfig ? createSettingsApiHandlers(settingsConfig) : null;
@@ -1469,13 +1968,41 @@ function createCmsApiHandler(config) {
   }
   return {
     async handle(method, path, req) {
+      const perm = reqEntityPerm;
+      async function analyticsGate() {
+        const a = await config.requireAuth(req);
+        if (a) return a;
+        if (perm) return perm(req, "analytics", "read");
+        return null;
+      }
+      if (path[0] === "admin" && path[1] === "roles") {
+        if (!adminRoles) return config.json({ error: "Not found" }, { status: 404 });
+        if (path.length === 2 && method === "GET") return adminRoles.list();
+        if (path.length === 2 && method === "POST") return adminRoles.createGroup(req);
+        if (path.length === 3 && method === "PATCH") return adminRoles.patchGroup(req, path[2]);
+        if (path.length === 3 && method === "DELETE") return adminRoles.deleteGroup(path[2]);
+        if (path.length === 4 && path[3] === "permissions" && method === "PUT") return adminRoles.putPermissions(req, path[2]);
+        return config.json({ error: "Not found" }, { status: 404 });
+      }
       if (path[0] === "dashboard" && path[1] === "stats" && path.length === 2 && method === "GET" && dashboardGet) {
         return dashboardGet(req);
       }
       if (path[0] === "analytics" && analyticsHandlers) {
-        if (path.length === 1 && method === "GET") return analyticsHandlers.GET(req);
-        if (path.length === 2 && path[1] === "property-id" && method === "GET") return analyticsHandlers.propertyId();
-        if (path.length === 2 && path[1] === "permissions" && method === "GET") return analyticsHandlers.permissions();
+        if (path.length === 1 && method === "GET") {
+          const g = await analyticsGate();
+          if (g) return g;
+          return analyticsHandlers.GET(req);
+        }
+        if (path.length === 2 && path[1] === "property-id" && method === "GET") {
+          const g = await analyticsGate();
+          if (g) return g;
+          return analyticsHandlers.propertyId();
+        }
+        if (path.length === 2 && path[1] === "permissions" && method === "GET") {
+          const g = await analyticsGate();
+          if (g) return g;
+          return analyticsHandlers.permissions();
+        }
       }
       if (path[0] === "upload" && path.length === 1 && method === "POST" && uploadPost) return uploadPost(req);
       if (path[0] === "blogs" && path[1] === "slug" && path.length === 3 && method === "GET" && blogBySlugGet) {
@@ -1519,8 +2046,24 @@ function createCmsApiHandler(config) {
         return userAuthRouter.POST(req, path[1]);
       }
       if (path[0] === "settings" && path.length === 2 && settingsHandlers) {
-        if (method === "GET") return settingsHandlers.GET(req, path[1]);
-        if (method === "PUT") return settingsHandlers.PUT(req, path[1]);
+        const group = path[1];
+        const isPublic = settingsConfig?.publicGetGroups?.includes(group);
+        if (method === "GET") {
+          if (!isPublic && perm) {
+            const a = await config.requireAuth(req);
+            if (a) return a;
+            const pe = await perm(req, "settings", "read");
+            if (pe) return pe;
+          }
+          return settingsHandlers.GET(req, group);
+        }
+        if (method === "PUT") {
+          if (perm) {
+            const pe = await perm(req, "settings", "update");
+            if (pe) return pe;
+          }
+          return settingsHandlers.PUT(req, group);
+        }
       }
       if (path[0] === "chat" && chatHandlers) {
         if (path.length === 2 && path[1] === "identify" && method === "POST") return chatHandlers.identify(req);
@@ -1557,6 +2100,1006 @@ function createCmsApiHandler(config) {
     }
   };
 }
+
+// src/api/storefront-handlers.ts
+var import_typeorm4 = require("typeorm");
+
+// src/lib/is-valid-signup-email.ts
+var MAX_EMAIL = 254;
+var MAX_LOCAL = 64;
+function isValidSignupEmail(email) {
+  if (!email || email.length > MAX_EMAIL) return false;
+  const at = email.indexOf("@");
+  if (at <= 0 || at !== email.lastIndexOf("@")) return false;
+  const local = email.slice(0, at);
+  const domain = email.slice(at + 1);
+  if (!local || local.length > MAX_LOCAL || !domain || domain.length > 253) return false;
+  if (local.startsWith(".") || local.endsWith(".") || local.includes("..")) return false;
+  if (domain.startsWith(".") || domain.endsWith(".") || domain.includes("..")) return false;
+  if (!/^[a-z0-9._%+-]+$/i.test(local)) return false;
+  if (!/^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$/i.test(domain)) return false;
+  const tld = domain.split(".").pop();
+  return tld.length >= 2;
+}
+
+// src/api/storefront-handlers.ts
+init_email_queue();
+var GUEST_COOKIE = "guest_id";
+var ONE_YEAR = 60 * 60 * 24 * 365;
+function parseCookies(header) {
+  const out = {};
+  if (!header) return out;
+  for (const part of header.split(";")) {
+    const i = part.indexOf("=");
+    if (i === -1) continue;
+    const k = part.slice(0, i).trim();
+    const v = part.slice(i + 1).trim();
+    out[k] = decodeURIComponent(v);
+  }
+  return out;
+}
+function guestCookieHeader(name, token) {
+  return `${name}=${encodeURIComponent(token)}; Path=/; HttpOnly; SameSite=Lax; Max-Age=${ONE_YEAR}`;
+}
+function orderNumber() {
+  return `ORD-${Date.now()}-${Math.random().toString(36).slice(2, 10)}`;
+}
+var SIGNUP_VERIFY_EXPIRY_HOURS = 72;
+function createStorefrontApiHandler(config) {
+  const { dataSource, entityMap, json, getSessionUser, getCms, getCompanyDetails, publicSiteUrl } = config;
+  const cookieName = config.guestCookieName ?? GUEST_COOKIE;
+  const cartRepo = () => dataSource.getRepository(entityMap.carts);
+  const cartItemRepo = () => dataSource.getRepository(entityMap.cart_items);
+  const productRepo = () => dataSource.getRepository(entityMap.products);
+  const contactRepo = () => dataSource.getRepository(entityMap.contacts);
+  const addressRepo = () => dataSource.getRepository(entityMap.addresses);
+  const orderRepo = () => dataSource.getRepository(entityMap.orders);
+  const orderItemRepo = () => dataSource.getRepository(entityMap.order_items);
+  const wishlistRepo = () => dataSource.getRepository(entityMap.wishlists);
+  const wishlistItemRepo = () => dataSource.getRepository(entityMap.wishlist_items);
+  const userRepo = () => dataSource.getRepository(entityMap.users);
+  const tokenRepo = () => dataSource.getRepository(entityMap.password_reset_tokens);
+  const collectionRepo = () => dataSource.getRepository(entityMap.collections);
+  const groupRepo = () => dataSource.getRepository(entityMap.user_groups);
+  async function ensureContactForUser(userId) {
+    let c = await contactRepo().findOne({ where: { userId, deleted: false } });
+    if (c) return c;
+    const u = await userRepo().findOne({ where: { id: userId } });
+    if (!u) return null;
+    const unclaimed = await contactRepo().findOne({
+      where: { email: u.email, userId: (0, import_typeorm4.IsNull)(), deleted: false }
+    });
+    if (unclaimed) {
+      await contactRepo().update(unclaimed.id, { userId });
+      return { id: unclaimed.id };
+    }
+    const created = await contactRepo().save(
+      contactRepo().create({
+        name: u.name,
+        email: u.email,
+        phone: null,
+        userId,
+        deleted: false
+      })
+    );
+    return { id: created.id };
+  }
+  async function getOrCreateCart(req) {
+    const u = await getSessionUser();
+    const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+    if (Number.isFinite(uid)) {
+      const contact = await ensureContactForUser(uid);
+      if (!contact) return { cart: {}, setCookie: null, err: json({ error: "User not found" }, { status: 400 }) };
+      let cart2 = await cartRepo().findOne({
+        where: { contactId: contact.id },
+        relations: ["items", "items.product"]
+      });
+      if (!cart2) {
+        cart2 = await cartRepo().save(
+          cartRepo().create({ contactId: contact.id, guestToken: null, currency: "INR" })
+        );
+        cart2 = await cartRepo().findOne({
+          where: { id: cart2.id },
+          relations: ["items", "items.product"]
+        });
+      }
+      return { cart: cart2, setCookie: null, err: null };
+    }
+    const cookies = parseCookies(req.headers.get("cookie"));
+    let token = cookies[cookieName] || "";
+    if (!token) {
+      token = crypto.randomUUID();
+      let cart2 = await cartRepo().findOne({
+        where: { guestToken: token },
+        relations: ["items", "items.product"]
+      });
+      if (!cart2) {
+        cart2 = await cartRepo().save(
+          cartRepo().create({ guestToken: token, contactId: null, currency: "INR" })
+        );
+        cart2 = await cartRepo().findOne({
+          where: { id: cart2.id },
+          relations: ["items", "items.product"]
+        });
+      }
+      return { cart: cart2, setCookie: guestCookieHeader(cookieName, token), err: null };
+    }
+    let cart = await cartRepo().findOne({
+      where: { guestToken: token },
+      relations: ["items", "items.product"]
+    });
+    if (!cart) {
+      cart = await cartRepo().save(
+        cartRepo().create({ guestToken: token, contactId: null, currency: "INR" })
+      );
+      cart = await cartRepo().findOne({
+        where: { id: cart.id },
+        relations: ["items", "items.product"]
+      });
+    }
+    return { cart, setCookie: null, err: null };
+  }
+  function primaryProductImageUrl(metadata) {
+    const meta = metadata;
+    const images = meta?.images;
+    if (!Array.isArray(images) || !images.length) return null;
+    const sorted = images.filter((i) => i?.url);
+    if (!sorted.length) return null;
+    const di = sorted.findIndex((i) => i.isDefault);
+    if (di > 0) {
+      const [d] = sorted.splice(di, 1);
+      sorted.unshift(d);
+    }
+    return sorted[0].url;
+  }
+  function serializeCart(cart) {
+    const items = cart.items || [];
+    return {
+      id: cart.id,
+      currency: cart.currency,
+      items: items.map((it) => {
+        const p = it.product;
+        return {
+          id: it.id,
+          productId: it.productId,
+          quantity: it.quantity,
+          metadata: it.metadata,
+          product: p ? {
+            id: p.id,
+            name: p.name,
+            slug: p.slug,
+            price: p.price,
+            sku: p.sku,
+            image: primaryProductImageUrl(p.metadata)
+          } : null
+        };
+      })
+    };
+  }
+  function serializeProduct(p) {
+    return {
+      id: p.id,
+      name: p.name,
+      slug: p.slug,
+      sku: p.sku,
+      hsn: p.hsn,
+      price: p.price,
+      compareAtPrice: p.compareAtPrice,
+      status: p.status,
+      collectionId: p.collectionId,
+      metadata: p.metadata
+    };
+  }
+  return {
+    async handle(method, path, req) {
+      try {
+        let serializeAddress2 = function(a) {
+          return {
+            id: a.id,
+            contactId: a.contactId,
+            tag: a.tag,
+            line1: a.line1,
+            line2: a.line2,
+            city: a.city,
+            state: a.state,
+            postalCode: a.postalCode,
+            country: a.country
+          };
+        };
+        var serializeAddress = serializeAddress2;
+        if (path[0] === "products" && path.length === 1 && method === "GET") {
+          const url = new URL(req.url || "", "http://localhost");
+          const collectionSlug = url.searchParams.get("collection")?.trim();
+          const collectionId = url.searchParams.get("collectionId");
+          const limit = Math.min(100, Math.max(1, parseInt(url.searchParams.get("limit") || "20", 10)));
+          const offset = Math.max(0, parseInt(url.searchParams.get("offset") || "0", 10));
+          const where = { status: "available", deleted: false };
+          let collectionFilter = null;
+          if (collectionSlug) {
+            let col = null;
+            if (/^\d+$/.test(collectionSlug)) {
+              col = await collectionRepo().findOne({
+                where: {
+                  id: parseInt(collectionSlug, 10),
+                  active: true,
+                  deleted: false
+                }
+              });
+            } else {
+              col = await collectionRepo().createQueryBuilder("c").where("LOWER(c.slug) = LOWER(:slug)", { slug: collectionSlug }).andWhere("c.active = :a", { a: true }).andWhere("c.deleted = :d", { d: false }).getOne();
+            }
+            if (!col) {
+              return json({ products: [], total: 0, collection: null });
+            }
+            where.collectionId = col.id;
+            collectionFilter = { name: col.name, slug: col.slug };
+          } else if (collectionId) {
+            const cid = parseInt(collectionId, 10);
+            if (Number.isFinite(cid)) where.collectionId = cid;
+          }
+          const [items, total] = await productRepo().findAndCount({
+            where,
+            order: { id: "ASC" },
+            take: limit,
+            skip: offset
+          });
+          return json({
+            products: items.map(serializeProduct),
+            total,
+            ...collectionFilter && { collection: collectionFilter }
+          });
+        }
+        if (path[0] === "products" && path.length === 2 && method === "GET") {
+          const idOrSlug = path[1];
+          const byId = /^\d+$/.test(idOrSlug);
+          const product = await productRepo().findOne({
+            where: byId ? { id: parseInt(idOrSlug, 10), status: "available", deleted: false } : { slug: idOrSlug, status: "available", deleted: false },
+            relations: ["attributes", "attributes.attribute"]
+          });
+          if (!product) return json({ error: "Not found" }, { status: 404 });
+          const p = product;
+          const attrRows = p.attributes ?? [];
+          const attributeTags = attrRows.map((pa) => ({
+            name: pa.attribute?.name ?? "",
+            value: String(pa.value ?? "")
+          })).filter((t) => t.name || t.value);
+          return json({ ...serializeProduct(p), attributes: attributeTags });
+        }
+        if (path[0] === "collections" && path.length === 1 && method === "GET") {
+          const items = await collectionRepo().find({
+            where: { active: true, deleted: false },
+            order: { sortOrder: "ASC", id: "ASC" }
+          });
+          const ids = items.map((c) => c.id);
+          const countByCollection = {};
+          if (ids.length > 0) {
+            const rows = await productRepo().createQueryBuilder("p").select("p.collectionId", "collectionId").addSelect("COUNT(p.id)", "cnt").where("p.collectionId IN (:...ids)", { ids }).andWhere("p.status = :status", { status: "available" }).andWhere("p.deleted = :del", { del: false }).groupBy("p.collectionId").getRawMany();
+            for (const r of rows) {
+              const cid = r.collectionId;
+              if (cid != null) countByCollection[Number(cid)] = parseInt(String(r.cnt), 10);
+            }
+          }
+          return json({
+            collections: items.map((c) => {
+              const col = c;
+              const id = col.id;
+              return {
+                id,
+                name: col.name,
+                slug: col.slug,
+                description: col.description,
+                image: col.image,
+                productCount: countByCollection[id] ?? 0
+              };
+            })
+          });
+        }
+        if (path[0] === "collections" && path.length === 2 && method === "GET") {
+          const idOrSlug = path[1];
+          const byId = /^\d+$/.test(idOrSlug);
+          const collection = await collectionRepo().findOne({
+            where: byId ? { id: parseInt(idOrSlug, 10), active: true, deleted: false } : { slug: idOrSlug, active: true, deleted: false }
+          });
+          if (!collection) return json({ error: "Not found" }, { status: 404 });
+          const col = collection;
+          const products = await productRepo().find({
+            where: { collectionId: col.id, status: "available", deleted: false },
+            order: { id: "ASC" }
+          });
+          return json({
+            id: col.id,
+            name: col.name,
+            slug: col.slug,
+            description: col.description,
+            image: col.image,
+            products: products.map((p) => serializeProduct(p))
+          });
+        }
+        if (path[0] === "profile" && path.length === 1 && method === "GET") {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const user = await userRepo().findOne({ where: { id: uid }, select: ["id", "name", "email"] });
+          if (!user) return json({ error: "Not found" }, { status: 404 });
+          const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          return json({
+            user: { id: user.id, name: user.name, email: user.email },
+            contact: contact ? {
+              id: contact.id,
+              name: contact.name,
+              email: contact.email,
+              phone: contact.phone
+            } : null
+          });
+        }
+        if (path[0] === "profile" && path.length === 1 && method === "PUT") {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const b = await req.json().catch(() => ({}));
+          const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          if (contact) {
+            const updates = {};
+            if (typeof b.name === "string" && b.name.trim()) updates.name = b.name.trim();
+            if (b.phone !== void 0) updates.phone = b.phone === null || b.phone === "" ? null : String(b.phone);
+            if (Object.keys(updates).length) await contactRepo().update(contact.id, updates);
+          }
+          const user = await userRepo().findOne({ where: { id: uid }, select: ["id", "name", "email"] });
+          if (user && typeof b.name === "string" && b.name.trim()) {
+            await userRepo().update(uid, { name: b.name.trim() });
+          }
+          const updatedContact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          const updatedUser = await userRepo().findOne({ where: { id: uid }, select: ["id", "name", "email"] });
+          return json({
+            user: updatedUser ? { id: updatedUser.id, name: updatedUser.name, email: updatedUser.email } : null,
+            contact: updatedContact ? {
+              id: updatedContact.id,
+              name: updatedContact.name,
+              email: updatedContact.email,
+              phone: updatedContact.phone
+            } : null
+          });
+        }
+        async function getContactForAddresses() {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          if (!contact) return json({ error: "Contact not found" }, { status: 404 });
+          return { contactId: contact.id };
+        }
+        if (path[0] === "addresses" && path.length === 1 && method === "GET") {
+          const contactOrErr = await getContactForAddresses();
+          if (contactOrErr instanceof Response) return contactOrErr;
+          const list = await addressRepo().find({
+            where: { contactId: contactOrErr.contactId },
+            order: { id: "ASC" }
+          });
+          return json({ addresses: list.map((a) => serializeAddress2(a)) });
+        }
+        if (path[0] === "addresses" && path.length === 1 && method === "POST") {
+          const contactOrErr = await getContactForAddresses();
+          if (contactOrErr instanceof Response) return contactOrErr;
+          const b = await req.json().catch(() => ({}));
+          const created = await addressRepo().save(
+            addressRepo().create({
+              contactId: contactOrErr.contactId,
+              tag: typeof b.tag === "string" ? b.tag.trim() || null : null,
+              line1: typeof b.line1 === "string" ? b.line1.trim() || null : null,
+              line2: typeof b.line2 === "string" ? b.line2.trim() || null : null,
+              city: typeof b.city === "string" ? b.city.trim() || null : null,
+              state: typeof b.state === "string" ? b.state.trim() || null : null,
+              postalCode: typeof b.postalCode === "string" ? b.postalCode.trim() || null : null,
+              country: typeof b.country === "string" ? b.country.trim() || null : null
+            })
+          );
+          return json(serializeAddress2(created));
+        }
+        if (path[0] === "addresses" && path.length === 2 && (method === "PATCH" || method === "PUT")) {
+          const contactOrErr = await getContactForAddresses();
+          if (contactOrErr instanceof Response) return contactOrErr;
+          const id = parseInt(path[1], 10);
+          if (!Number.isFinite(id)) return json({ error: "Invalid id" }, { status: 400 });
+          const existing = await addressRepo().findOne({ where: { id, contactId: contactOrErr.contactId } });
+          if (!existing) return json({ error: "Not found" }, { status: 404 });
+          const b = await req.json().catch(() => ({}));
+          const updates = {};
+          if (b.tag !== void 0) updates.tag = typeof b.tag === "string" ? b.tag.trim() || null : null;
+          if (b.line1 !== void 0) updates.line1 = typeof b.line1 === "string" ? b.line1.trim() || null : null;
+          if (b.line2 !== void 0) updates.line2 = typeof b.line2 === "string" ? b.line2.trim() || null : null;
+          if (b.city !== void 0) updates.city = typeof b.city === "string" ? b.city.trim() || null : null;
+          if (b.state !== void 0) updates.state = typeof b.state === "string" ? b.state.trim() || null : null;
+          if (b.postalCode !== void 0) updates.postalCode = typeof b.postalCode === "string" ? b.postalCode.trim() || null : null;
+          if (b.country !== void 0) updates.country = typeof b.country === "string" ? b.country.trim() || null : null;
+          if (Object.keys(updates).length) await addressRepo().update(id, updates);
+          const updated = await addressRepo().findOne({ where: { id } });
+          return json(serializeAddress2(updated));
+        }
+        if (path[0] === "addresses" && path.length === 2 && method === "DELETE") {
+          const contactOrErr = await getContactForAddresses();
+          if (contactOrErr instanceof Response) return contactOrErr;
+          const id = parseInt(path[1], 10);
+          if (!Number.isFinite(id)) return json({ error: "Invalid id" }, { status: 400 });
+          const existing = await addressRepo().findOne({ where: { id, contactId: contactOrErr.contactId } });
+          if (!existing) return json({ error: "Not found" }, { status: 404 });
+          await addressRepo().delete(id);
+          return json({ deleted: true });
+        }
+        if (path[0] === "verify-email" && path.length === 1 && method === "POST") {
+          const b = await req.json().catch(() => ({}));
+          const token = typeof b.token === "string" ? b.token.trim() : "";
+          if (!token) return json({ error: "token is required" }, { status: 400 });
+          const record = await tokenRepo().findOne({ where: { token } });
+          if (!record || record.expiresAt < /* @__PURE__ */ new Date()) {
+            return json({ error: "Invalid or expired link. Please sign up again or contact support." }, { status: 400 });
+          }
+          const email = record.email;
+          const user = await userRepo().findOne({ where: { email }, select: ["id", "blocked"] });
+          if (!user) return json({ error: "User not found" }, { status: 400 });
+          await userRepo().update(user.id, { blocked: false, updatedAt: /* @__PURE__ */ new Date() });
+          await tokenRepo().delete({ email });
+          return json({ success: true, message: "Email verified. You can sign in." });
+        }
+        if (path[0] === "register" && path.length === 1 && method === "POST") {
+          if (!config.hashPassword) return json({ error: "Registration not configured" }, { status: 501 });
+          const b = await req.json().catch(() => ({}));
+          const name = typeof b.name === "string" ? b.name.trim() : "";
+          const email = typeof b.email === "string" ? b.email.trim().toLowerCase() : "";
+          const password = typeof b.password === "string" ? b.password : "";
+          if (!name || !email || !password) return json({ error: "name, email and password are required" }, { status: 400 });
+          if (!isValidSignupEmail(email)) return json({ error: "Invalid email address" }, { status: 400 });
+          const existing = await userRepo().findOne({ where: { email } });
+          if (existing) return json({ error: "User with this email already exists" }, { status: 400 });
+          const customerG = await groupRepo().findOne({ where: { name: "Customer", deleted: false } });
+          const groupId = customerG ? customerG.id : null;
+          const hashed = await config.hashPassword(password);
+          const requireEmailVerification = Boolean(getCms);
+          const newUser = await userRepo().save(
+            userRepo().create({
+              name,
+              email,
+              password: hashed,
+              blocked: requireEmailVerification,
+              groupId,
+              adminAccess: false
+            })
+          );
+          const userId = newUser.id;
+          await linkUnclaimedContactToUser(dataSource, entityMap.contacts, userId, email);
+          let emailVerificationSent = false;
+          if (requireEmailVerification && getCms) {
+            try {
+              const crypto2 = await import("crypto");
+              const rawToken = crypto2.randomBytes(32).toString("hex");
+              const expiresAt = new Date(Date.now() + SIGNUP_VERIFY_EXPIRY_HOURS * 60 * 60 * 1e3);
+              await tokenRepo().save(
+                tokenRepo().create({ email, token: rawToken, expiresAt })
+              );
+              const cms = await getCms();
+              const companyDetails = getCompanyDetails ? await getCompanyDetails() : {};
+              const base = (publicSiteUrl || "").replace(/\/$/, "").trim() || "http://localhost:3000";
+              const verifyEmailUrl = `${base}/verify-email?token=${encodeURIComponent(rawToken)}`;
+              await queueEmail(cms, {
+                to: email,
+                templateName: "signup",
+                ctx: { name, verifyEmailUrl, companyDetails: companyDetails ?? {} }
+              });
+              emailVerificationSent = true;
+            } catch {
+              await userRepo().update(userId, { blocked: false, updatedAt: /* @__PURE__ */ new Date() });
+            }
+          }
+          return json({
+            success: true,
+            userId,
+            emailVerificationSent
+          });
+        }
+        if (path[0] === "cart" && path.length === 1 && method === "GET") {
+          const { cart, setCookie, err } = await getOrCreateCart(req);
+          if (err) return err;
+          const body = serializeCart(cart);
+          if (setCookie) return json(body, { headers: { "Set-Cookie": setCookie } });
+          return json(body);
+        }
+        if (path[0] === "cart" && path[1] === "items" && path.length === 2 && method === "POST") {
+          const body = await req.json().catch(() => ({}));
+          const productId = Number(body.productId);
+          const quantity = Math.max(1, Number(body.quantity) || 1);
+          if (!Number.isFinite(productId)) return json({ error: "productId required" }, { status: 400 });
+          const product = await productRepo().findOne({ where: { id: productId, deleted: false } });
+          if (!product) return json({ error: "Product not found" }, { status: 404 });
+          const { cart, setCookie, err } = await getOrCreateCart(req);
+          if (err) return err;
+          const cartId = cart.id;
+          const existing = await cartItemRepo().findOne({ where: { cartId, productId } });
+          if (existing) {
+            await cartItemRepo().update(existing.id, {
+              quantity: existing.quantity + quantity
+            });
+          } else {
+            await cartItemRepo().save(
+              cartItemRepo().create({ cartId, productId, quantity })
+            );
+          }
+          await cartRepo().update(cartId, { updatedAt: /* @__PURE__ */ new Date() });
+          const fresh = await cartRepo().findOne({
+            where: { id: cartId },
+            relations: ["items", "items.product"]
+          });
+          const out = serializeCart(fresh);
+          if (setCookie) return json(out, { headers: { "Set-Cookie": setCookie } });
+          return json(out);
+        }
+        if (path[0] === "cart" && path[1] === "items" && path.length === 3) {
+          const itemId = parseInt(path[2], 10);
+          if (!Number.isFinite(itemId)) return json({ error: "Invalid item id" }, { status: 400 });
+          const { cart, setCookie, err } = await getOrCreateCart(req);
+          if (err) return err;
+          const cartId = cart.id;
+          const item = await cartItemRepo().findOne({ where: { id: itemId, cartId } });
+          if (!item) return json({ error: "Not found" }, { status: 404 });
+          if (method === "DELETE") {
+            await cartItemRepo().delete(itemId);
+            await cartRepo().update(cartId, { updatedAt: /* @__PURE__ */ new Date() });
+            const fresh = await cartRepo().findOne({
+              where: { id: cartId },
+              relations: ["items", "items.product"]
+            });
+            const out = serializeCart(fresh);
+            if (setCookie) return json(out, { headers: { "Set-Cookie": setCookie } });
+            return json(out);
+          }
+          if (method === "PATCH") {
+            const b = await req.json().catch(() => ({}));
+            const q = Math.max(0, Number(b.quantity) || 0);
+            if (q === 0) await cartItemRepo().delete(itemId);
+            else await cartItemRepo().update(itemId, { quantity: q });
+            await cartRepo().update(cartId, { updatedAt: /* @__PURE__ */ new Date() });
+            const fresh = await cartRepo().findOne({
+              where: { id: cartId },
+              relations: ["items", "items.product"]
+            });
+            const out = serializeCart(fresh);
+            if (setCookie) return json(out, { headers: { "Set-Cookie": setCookie } });
+            return json(out);
+          }
+        }
+        if (path[0] === "cart" && path[1] === "merge" && method === "POST") {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const contact = await ensureContactForUser(uid);
+          if (!contact) return json({ error: "Contact not found" }, { status: 400 });
+          const cookies = parseCookies(req.headers.get("cookie"));
+          const guestToken = cookies[cookieName];
+          if (!guestToken) return json({ merged: false, message: "No guest cart" });
+          const guestCart = await cartRepo().findOne({
+            where: { guestToken },
+            relations: ["items"]
+          });
+          if (!guestCart || !(guestCart.items || []).length) {
+            let uc = await cartRepo().findOne({
+              where: { contactId: contact.id },
+              relations: ["items", "items.product"]
+            });
+            if (!uc) uc = { items: [] };
+            return json(
+              { merged: false, cart: serializeCart(uc) },
+              { headers: { "Set-Cookie": `${cookieName}=; Path=/; Max-Age=0` } }
+            );
+          }
+          let userCart = await cartRepo().findOne({ where: { contactId: contact.id } });
+          if (!userCart) {
+            userCart = await cartRepo().save(
+              cartRepo().create({ contactId: contact.id, guestToken: null, currency: guestCart.currency })
+            );
+          }
+          const uidCart = userCart.id;
+          const gItems = guestCart.items || [];
+          for (const gi of gItems) {
+            const existing = await cartItemRepo().findOne({
+              where: { cartId: uidCart, productId: gi.productId }
+            });
+            if (existing) {
+              await cartItemRepo().update(existing.id, {
+                quantity: existing.quantity + gi.quantity
+              });
+            } else {
+              await cartItemRepo().save(
+                cartItemRepo().create({
+                  cartId: uidCart,
+                  productId: gi.productId,
+                  quantity: gi.quantity,
+                  metadata: gi.metadata
+                })
+              );
+            }
+          }
+          await cartRepo().delete(guestCart.id);
+          await cartRepo().update(uidCart, { updatedAt: /* @__PURE__ */ new Date() });
+          const fresh = await cartRepo().findOne({
+            where: { id: uidCart },
+            relations: ["items", "items.product"]
+          });
+          const guestWishlist = await wishlistRepo().findOne({
+            where: { guestId: guestToken },
+            relations: ["items"]
+          });
+          if (guestWishlist && (guestWishlist.items || []).length > 0) {
+            const userWishlist = await getDefaultWishlist(contact.id);
+            const gItems2 = guestWishlist.items || [];
+            for (const gi of gItems2) {
+              const pid = gi.productId;
+              const ex = await wishlistItemRepo().findOne({ where: { wishlistId: userWishlist.id, productId: pid } });
+              if (!ex) await wishlistItemRepo().save(wishlistItemRepo().create({ wishlistId: userWishlist.id, productId: pid }));
+            }
+            await wishlistRepo().delete(guestWishlist.id);
+          }
+          return json({ merged: true, cart: serializeCart(fresh) }, { headers: { "Set-Cookie": `${cookieName}=; Path=/; Max-Age=0` } });
+        }
+        async function getDefaultWishlist(contactId) {
+          let w = await wishlistRepo().findOne({ where: { contactId, name: "default" } });
+          if (!w) {
+            w = await wishlistRepo().save(wishlistRepo().create({ contactId, guestId: null, name: "default" }));
+          }
+          return w;
+        }
+        async function getOrCreateWishlist(req2) {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (Number.isFinite(uid)) {
+            const contact = await ensureContactForUser(uid);
+            if (!contact) return { wishlist: {}, setCookie: null, err: json({ error: "User not found" }, { status: 400 }) };
+            const w2 = await getDefaultWishlist(contact.id);
+            const wishlist = await wishlistRepo().findOne({ where: { id: w2.id } });
+            return { wishlist, setCookie: null, err: null };
+          }
+          const cookies = parseCookies(req2.headers.get("cookie"));
+          let token = cookies[cookieName] || "";
+          if (!token) {
+            token = crypto.randomUUID();
+            let w2 = await wishlistRepo().findOne({ where: { guestId: token } });
+            if (!w2) {
+              w2 = await wishlistRepo().save(wishlistRepo().create({ guestId: token, contactId: null, name: "default" }));
+            }
+            return { wishlist: w2, setCookie: guestCookieHeader(cookieName, token), err: null };
+          }
+          let w = await wishlistRepo().findOne({ where: { guestId: token } });
+          if (!w) {
+            w = await wishlistRepo().save(wishlistRepo().create({ guestId: token, contactId: null, name: "default" }));
+          }
+          return { wishlist: w, setCookie: null, err: null };
+        }
+        if (path[0] === "wishlist" && path.length === 1 && method === "GET") {
+          const { wishlist, setCookie, err } = await getOrCreateWishlist(req);
+          if (err) return err;
+          const items = await wishlistItemRepo().find({
+            where: { wishlistId: wishlist.id },
+            relations: ["product"]
+          });
+          const body = {
+            wishlistId: wishlist.id,
+            items: items.map((it) => {
+              const p = it.product;
+              return {
+                id: it.id,
+                productId: it.productId,
+                product: p ? {
+                  id: p.id,
+                  name: p.name,
+                  slug: p.slug,
+                  price: p.price,
+                  sku: p.sku,
+                  image: primaryProductImageUrl(p.metadata)
+                } : null
+              };
+            })
+          };
+          if (setCookie) return json(body, { headers: { "Set-Cookie": setCookie } });
+          return json(body);
+        }
+        if (path[0] === "wishlist" && path[1] === "items" && path.length === 2 && method === "POST") {
+          const { wishlist, setCookie, err } = await getOrCreateWishlist(req);
+          if (err) return err;
+          const b = await req.json().catch(() => ({}));
+          const productId = Number(b.productId);
+          if (!Number.isFinite(productId)) return json({ error: "productId required" }, { status: 400 });
+          const wid = wishlist.id;
+          const ex = await wishlistItemRepo().findOne({ where: { wishlistId: wid, productId } });
+          if (!ex) await wishlistItemRepo().save(wishlistItemRepo().create({ wishlistId: wid, productId }));
+          if (setCookie) return json({ ok: true }, { headers: { "Set-Cookie": setCookie } });
+          return json({ ok: true });
+        }
+        if (path[0] === "wishlist" && path[1] === "items" && path.length === 3 && method === "DELETE") {
+          const { wishlist, setCookie, err } = await getOrCreateWishlist(req);
+          if (err) return err;
+          const productId = parseInt(path[2], 10);
+          await wishlistItemRepo().delete({ wishlistId: wishlist.id, productId });
+          if (setCookie) return json({ ok: true }, { headers: { "Set-Cookie": setCookie } });
+          return json({ ok: true });
+        }
+        if (path[0] === "checkout" && path[1] === "order" && path.length === 2 && method === "POST") {
+          const b = await req.json().catch(() => ({}));
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          let contactId;
+          let cart;
+          if (Number.isFinite(uid)) {
+            const contact = await ensureContactForUser(uid);
+            if (!contact) return json({ error: "Contact required" }, { status: 400 });
+            contactId = contact.id;
+            cart = await cartRepo().findOne({
+              where: { contactId },
+              relations: ["items", "items.product"]
+            });
+          } else {
+            const email = (b.email || "").trim();
+            const name = (b.name || "").trim();
+            if (!email || !name) return json({ error: "name and email required for guest checkout" }, { status: 400 });
+            let contact = await contactRepo().findOne({ where: { email, deleted: false } });
+            if (contact && contact.userId != null) {
+              return json({ error: "Please sign in to complete checkout" }, { status: 400 });
+            }
+            if (!contact) {
+              contact = await contactRepo().save(
+                contactRepo().create({
+                  name,
+                  email,
+                  phone: b.phone || null,
+                  userId: null,
+                  deleted: false
+                })
+              );
+            } else if (name) await contactRepo().update(contact.id, { name, phone: b.phone || contact.phone });
+            contactId = contact.id;
+            const cookies = parseCookies(req.headers.get("cookie"));
+            const guestToken = cookies[cookieName];
+            if (!guestToken) return json({ error: "Cart not found" }, { status: 400 });
+            cart = await cartRepo().findOne({
+              where: { guestToken },
+              relations: ["items", "items.product"]
+            });
+          }
+          if (!cart || !(cart.items || []).length) {
+            return json({ error: "Cart is empty" }, { status: 400 });
+          }
+          let subtotal = 0;
+          const lines = [];
+          for (const it of cart.items || []) {
+            const p = it.product;
+            if (!p || p.deleted || p.status !== "available") continue;
+            const unit = Number(p.price);
+            const qty = it.quantity || 1;
+            const lineTotal = unit * qty;
+            subtotal += lineTotal;
+            lines.push({ productId: p.id, quantity: qty, unitPrice: unit, tax: 0, total: lineTotal });
+          }
+          if (!lines.length) return json({ error: "No available items in cart" }, { status: 400 });
+          const total = subtotal;
+          const cartId = cart.id;
+          const ord = await orderRepo().save(
+            orderRepo().create({
+              orderNumber: orderNumber(),
+              contactId,
+              billingAddressId: b.billingAddressId ?? null,
+              shippingAddressId: b.shippingAddressId ?? null,
+              status: "pending",
+              subtotal,
+              tax: 0,
+              discount: 0,
+              total,
+              currency: cart.currency || "INR",
+              metadata: { cartId }
+            })
+          );
+          const oid = ord.id;
+          for (const line of lines) {
+            await orderItemRepo().save(
+              orderItemRepo().create({
+                orderId: oid,
+                productId: line.productId,
+                quantity: line.quantity,
+                unitPrice: line.unitPrice,
+                tax: line.tax,
+                total: line.total
+              })
+            );
+          }
+          return json({
+            orderId: oid,
+            orderNumber: ord.orderNumber,
+            total,
+            currency: cart.currency || "INR"
+          });
+        }
+        if (path[0] === "checkout" && path.length === 1 && method === "POST") {
+          const b = await req.json().catch(() => ({}));
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          let contactId;
+          let cart;
+          if (Number.isFinite(uid)) {
+            const contact = await ensureContactForUser(uid);
+            if (!contact) return json({ error: "Contact required" }, { status: 400 });
+            contactId = contact.id;
+            cart = await cartRepo().findOne({
+              where: { contactId },
+              relations: ["items", "items.product"]
+            });
+          } else {
+            const email = (b.email || "").trim();
+            const name = (b.name || "").trim();
+            if (!email || !name) return json({ error: "name and email required for guest checkout" }, { status: 400 });
+            let contact = await contactRepo().findOne({ where: { email, deleted: false } });
+            if (contact && contact.userId != null) {
+              return json({ error: "Please sign in to complete checkout" }, { status: 400 });
+            }
+            if (!contact) {
+              contact = await contactRepo().save(
+                contactRepo().create({
+                  name,
+                  email,
+                  phone: b.phone || null,
+                  userId: null,
+                  deleted: false
+                })
+              );
+            } else if (name) await contactRepo().update(contact.id, { name, phone: b.phone || contact.phone });
+            contactId = contact.id;
+            const cookies = parseCookies(req.headers.get("cookie"));
+            const guestToken = cookies[cookieName];
+            if (!guestToken) return json({ error: "Cart not found" }, { status: 400 });
+            cart = await cartRepo().findOne({
+              where: { guestToken },
+              relations: ["items", "items.product"]
+            });
+          }
+          if (!cart || !(cart.items || []).length) {
+            return json({ error: "Cart is empty" }, { status: 400 });
+          }
+          let subtotal = 0;
+          const lines = [];
+          for (const it of cart.items || []) {
+            const p = it.product;
+            if (!p || p.deleted || p.status !== "available") continue;
+            const unit = Number(p.price);
+            const qty = it.quantity || 1;
+            const lineTotal = unit * qty;
+            subtotal += lineTotal;
+            lines.push({ productId: p.id, quantity: qty, unitPrice: unit, tax: 0, total: lineTotal });
+          }
+          if (!lines.length) return json({ error: "No available items in cart" }, { status: 400 });
+          const total = subtotal;
+          const ord = await orderRepo().save(
+            orderRepo().create({
+              orderNumber: orderNumber(),
+              contactId,
+              billingAddressId: b.billingAddressId ?? null,
+              shippingAddressId: b.shippingAddressId ?? null,
+              status: "pending",
+              subtotal,
+              tax: 0,
+              discount: 0,
+              total,
+              currency: cart.currency || "INR"
+            })
+          );
+          const oid = ord.id;
+          for (const line of lines) {
+            await orderItemRepo().save(
+              orderItemRepo().create({
+                orderId: oid,
+                productId: line.productId,
+                quantity: line.quantity,
+                unitPrice: line.unitPrice,
+                tax: line.tax,
+                total: line.total
+              })
+            );
+          }
+          await cartItemRepo().delete({ cartId: cart.id });
+          await cartRepo().delete(cart.id);
+          return json({
+            orderId: oid,
+            orderNumber: ord.orderNumber,
+            total
+          });
+        }
+        if (path[0] === "orders" && path.length === 1 && method === "GET") {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          if (!contact) return json({ orders: [] });
+          const orders = await orderRepo().find({
+            where: { contactId: contact.id, deleted: false },
+            order: { createdAt: "DESC" },
+            take: 50
+          });
+          const orderIds = orders.map((o) => o.id);
+          const previewByOrder = {};
+          if (orderIds.length) {
+            const oItems = await orderItemRepo().find({
+              where: { orderId: (0, import_typeorm4.In)(orderIds) },
+              relations: ["product"],
+              order: { id: "ASC" }
+            });
+            for (const oi of oItems) {
+              const oid = oi.orderId;
+              if (!previewByOrder[oid]) previewByOrder[oid] = [];
+              if (previewByOrder[oid].length >= 4) continue;
+              const url = primaryProductImageUrl(oi.product?.metadata);
+              if (url && !previewByOrder[oid].includes(url)) previewByOrder[oid].push(url);
+            }
+          }
+          return json({
+            orders: orders.map((o) => {
+              const ol = o;
+              return {
+                id: ol.id,
+                orderNumber: ol.orderNumber,
+                status: ol.status,
+                total: ol.total,
+                currency: ol.currency,
+                createdAt: ol.createdAt,
+                previewImages: previewByOrder[ol.id] ?? []
+              };
+            })
+          });
+        }
+        if (path[0] === "orders" && path.length === 2 && method === "GET") {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          if (!contact) return json({ error: "Not found" }, { status: 404 });
+          const orderId = parseInt(path[1], 10);
+          const order = await orderRepo().findOne({
+            where: { id: orderId, contactId: contact.id, deleted: false },
+            relations: ["items", "items.product"]
+          });
+          if (!order) return json({ error: "Not found" }, { status: 404 });
+          const o = order;
+          const lines = (o.items || []).map((line) => {
+            const p = line.product;
+            return {
+              id: line.id,
+              productId: line.productId,
+              quantity: line.quantity,
+              unitPrice: line.unitPrice,
+              tax: line.tax,
+              total: line.total,
+              product: p ? {
+                name: p.name,
+                slug: p.slug,
+                sku: p.sku,
+                image: primaryProductImageUrl(p.metadata)
+              } : null
+            };
+          });
+          return json({
+            order: {
+              id: o.id,
+              orderNumber: o.orderNumber,
+              status: o.status,
+              subtotal: o.subtotal,
+              tax: o.tax,
+              discount: o.discount,
+              total: o.total,
+              currency: o.currency,
+              createdAt: o.createdAt,
+              items: lines
+            }
+          });
+        }
+        return json({ error: "Not found" }, { status: 404 });
+      } catch {
+        return json({ error: "Server error" }, { status: 500 });
+      }
+    }
+  };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   createAnalyticsHandlers,
@@ -1571,6 +3114,7 @@ function createCmsApiHandler(config) {
   createInviteAcceptHandler,
   createSetPasswordHandler,
   createSettingsApiHandlers,
+  createStorefrontApiHandler,
   createUploadHandler,
   createUserAuthApiRouter,
   createUserAvatarHandler,