npm - @intranefr/superbackend - Versions diffs - 1.4.3 - Mend

@intranefr/superbackend 1.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (188) hide show

package/.commiat +4 -0
package/.env.example +47 -0
package/README.md +110 -0
package/index.js +94 -0
package/package.json +67 -0
package/public/css/styles.css +139 -0
package/public/js/animations.js +41 -0
package/sdk/error-tracking/browser/package.json +16 -0
package/sdk/error-tracking/browser/src/core.js +270 -0
package/sdk/error-tracking/browser/src/embed.js +18 -0
package/sdk/error-tracking/browser/src/index.js +1 -0
package/server.js +5 -0
package/src/admin/endpointRegistry.js +300 -0
package/src/controllers/admin.controller.js +321 -0
package/src/controllers/adminAssets.controller.js +530 -0
package/src/controllers/adminAssetsStorage.controller.js +260 -0
package/src/controllers/adminEjsVirtual.controller.js +354 -0
package/src/controllers/adminFeatureFlags.controller.js +155 -0
package/src/controllers/adminHeadless.controller.js +1071 -0
package/src/controllers/adminI18n.controller.js +604 -0
package/src/controllers/adminJsonConfigs.controller.js +97 -0
package/src/controllers/adminLlm.controller.js +273 -0
package/src/controllers/adminMigration.controller.js +257 -0
package/src/controllers/adminSeoConfig.controller.js +515 -0
package/src/controllers/adminStats.controller.js +121 -0
package/src/controllers/adminUploadNamespaces.controller.js +208 -0
package/src/controllers/assets.controller.js +248 -0
package/src/controllers/auth.controller.js +93 -0
package/src/controllers/billing.controller.js +223 -0
package/src/controllers/featureFlags.controller.js +35 -0
package/src/controllers/forms.controller.js +217 -0
package/src/controllers/globalSettings.controller.js +252 -0
package/src/controllers/headlessCrud.controller.js +126 -0
package/src/controllers/i18n.controller.js +12 -0
package/src/controllers/invite.controller.js +249 -0
package/src/controllers/jsonConfigs.controller.js +19 -0
package/src/controllers/metrics.controller.js +149 -0
package/src/controllers/notificationAdmin.controller.js +264 -0
package/src/controllers/notifications.controller.js +131 -0
package/src/controllers/org.controller.js +357 -0
package/src/controllers/orgAdmin.controller.js +491 -0
package/src/controllers/stripeAdmin.controller.js +410 -0
package/src/controllers/user.controller.js +361 -0
package/src/controllers/userAdmin.controller.js +277 -0
package/src/controllers/waitingList.controller.js +167 -0
package/src/controllers/webhook.controller.js +200 -0
package/src/middleware/auth.js +66 -0
package/src/middleware/errorCapture.js +170 -0
package/src/middleware/headlessApiTokenAuth.js +57 -0
package/src/middleware/org.js +108 -0
package/src/middleware.js +901 -0
package/src/models/ActionEvent.js +31 -0
package/src/models/ActivityLog.js +41 -0
package/src/models/Asset.js +84 -0
package/src/models/AuditEvent.js +93 -0
package/src/models/EmailLog.js +28 -0
package/src/models/ErrorAggregate.js +72 -0
package/src/models/FormSubmission.js +41 -0
package/src/models/GlobalSetting.js +38 -0
package/src/models/HeadlessApiToken.js +24 -0
package/src/models/HeadlessModelDefinition.js +41 -0
package/src/models/I18nEntry.js +77 -0
package/src/models/I18nLocale.js +33 -0
package/src/models/Invite.js +70 -0
package/src/models/JsonConfig.js +46 -0
package/src/models/Notification.js +60 -0
package/src/models/Organization.js +57 -0
package/src/models/OrganizationMember.js +43 -0
package/src/models/StripeCatalogItem.js +77 -0
package/src/models/StripeWebhookEvent.js +57 -0
package/src/models/User.js +89 -0
package/src/models/VirtualEjsFile.js +60 -0
package/src/models/VirtualEjsFileVersion.js +43 -0
package/src/models/VirtualEjsGroupChange.js +32 -0
package/src/models/WaitingList.js +41 -0
package/src/models/Webhook.js +63 -0
package/src/models/Workflow.js +29 -0
package/src/models/WorkflowExecution.js +12 -0
package/src/routes/admin.routes.js +26 -0
package/src/routes/adminAssets.routes.js +28 -0
package/src/routes/adminAssetsStorage.routes.js +13 -0
package/src/routes/adminAudit.routes.js +196 -0
package/src/routes/adminEjsVirtual.routes.js +17 -0
package/src/routes/adminErrors.routes.js +164 -0
package/src/routes/adminFeatureFlags.routes.js +12 -0
package/src/routes/adminHeadless.routes.js +38 -0
package/src/routes/adminI18n.routes.js +22 -0
package/src/routes/adminJsonConfigs.routes.js +15 -0
package/src/routes/adminLlm.routes.js +12 -0
package/src/routes/adminMigration.routes.js +81 -0
package/src/routes/adminSeoConfig.routes.js +20 -0
package/src/routes/adminUploadNamespaces.routes.js +13 -0
package/src/routes/assets.routes.js +21 -0
package/src/routes/auth.routes.js +12 -0
package/src/routes/billing.routes.js +11 -0
package/src/routes/errorTracking.routes.js +31 -0
package/src/routes/featureFlags.routes.js +9 -0
package/src/routes/forms.routes.js +9 -0
package/src/routes/formsAdmin.routes.js +13 -0
package/src/routes/globalSettings.routes.js +18 -0
package/src/routes/headless.routes.js +15 -0
package/src/routes/i18n.routes.js +8 -0
package/src/routes/invite.routes.js +9 -0
package/src/routes/jsonConfigs.routes.js +8 -0
package/src/routes/log.routes.js +111 -0
package/src/routes/metrics.routes.js +9 -0
package/src/routes/notificationAdmin.routes.js +15 -0
package/src/routes/notifications.routes.js +12 -0
package/src/routes/org.routes.js +31 -0
package/src/routes/orgAdmin.routes.js +20 -0
package/src/routes/publicAssets.routes.js +7 -0
package/src/routes/stripeAdmin.routes.js +20 -0
package/src/routes/user.routes.js +22 -0
package/src/routes/userAdmin.routes.js +15 -0
package/src/routes/waitingList.routes.js +13 -0
package/src/routes/waitingListAdmin.routes.js +9 -0
package/src/routes/webhook.routes.js +32 -0
package/src/routes/workflowWebhook.routes.js +54 -0
package/src/routes/workflows.routes.js +110 -0
package/src/services/assets.service.js +110 -0
package/src/services/audit.service.js +62 -0
package/src/services/auditLogger.js +165 -0
package/src/services/ejsVirtual.service.js +614 -0
package/src/services/email.service.js +351 -0
package/src/services/errorLogger.js +221 -0
package/src/services/featureFlags.service.js +202 -0
package/src/services/forms.service.js +214 -0
package/src/services/globalSettings.service.js +49 -0
package/src/services/headlessApiTokens.service.js +158 -0
package/src/services/headlessCrypto.service.js +31 -0
package/src/services/headlessModels.service.js +356 -0
package/src/services/i18n.service.js +314 -0
package/src/services/i18nInferredKeys.service.js +337 -0
package/src/services/jsonConfigs.service.js +392 -0
package/src/services/llm.service.js +749 -0
package/src/services/migration.service.js +581 -0
package/src/services/migrationAssets/fsLocal.js +58 -0
package/src/services/migrationAssets/index.js +134 -0
package/src/services/migrationAssets/s3.js +75 -0
package/src/services/migrationAssets/sftp.js +92 -0
package/src/services/notification.service.js +212 -0
package/src/services/objectStorage.service.js +514 -0
package/src/services/seoConfig.service.js +402 -0
package/src/services/storage.js +150 -0
package/src/services/stripe.service.js +185 -0
package/src/services/stripeHelper.service.js +264 -0
package/src/services/uploadNamespaces.service.js +326 -0
package/src/services/webhook.service.js +157 -0
package/src/services/workflow.service.js +271 -0
package/src/utils/asyncHandler.js +5 -0
package/src/utils/encryption.js +80 -0
package/src/utils/jwt.js +40 -0
package/src/utils/orgRoles.js +156 -0
package/src/utils/validation.js +26 -0
package/src/utils/webhookRetry.js +93 -0
package/views/admin-assets.ejs +444 -0
package/views/admin-audit.ejs +283 -0
package/views/admin-coolify-deploy.ejs +207 -0
package/views/admin-dashboard-home.ejs +291 -0
package/views/admin-dashboard.ejs +397 -0
package/views/admin-ejs-virtual.ejs +280 -0
package/views/admin-errors.ejs +368 -0
package/views/admin-feature-flags.ejs +390 -0
package/views/admin-forms.ejs +526 -0
package/views/admin-global-settings.ejs +436 -0
package/views/admin-headless.ejs +2020 -0
package/views/admin-i18n-locales.ejs +221 -0
package/views/admin-i18n.ejs +728 -0
package/views/admin-json-configs.ejs +410 -0
package/views/admin-llm.ejs +884 -0
package/views/admin-metrics.ejs +274 -0
package/views/admin-migration.ejs +814 -0
package/views/admin-notifications.ejs +430 -0
package/views/admin-organizations.ejs +984 -0
package/views/admin-seo-config.ejs +673 -0
package/views/admin-stripe-pricing.ejs +558 -0
package/views/admin-test.ejs +342 -0
package/views/admin-users.ejs +452 -0
package/views/admin-waiting-list.ejs +547 -0
package/views/admin-webhooks.ejs +329 -0
package/views/admin-workflows.ejs +310 -0
package/views/partials/admin-assets-script.ejs +2022 -0
package/views/partials/admin-test-sidebar.ejs +14 -0
package/views/partials/dashboard/nav-items.ejs +66 -0
package/views/partials/dashboard/palette.ejs +63 -0
package/views/partials/dashboard/sidebar.ejs +21 -0
package/views/partials/dashboard/tab-bar.ejs +26 -0
package/views/partials/footer.ejs +3 -0

package/src/controllers/adminAssets.controller.js ADDED Viewed

@@ -0,0 +1,530 @@
+const Asset = require('../models/Asset');
+const objectStorage = require('../services/objectStorage.service');
+const uploadNamespacesService = require('../services/uploadNamespaces.service');
+const buildPublicUrl = (key) => {
+  return `/public/assets/${key}`;
+};
+const formatAssetResponse = (asset) => {
+  const obj = asset.toObject ? asset.toObject() : asset;
+  const response = {
+    _id: obj._id,
+    key: obj.key,
+    provider: obj.provider,
+    bucket: obj.bucket,
+    originalName: obj.originalName,
+    contentType: obj.contentType,
+    sizeBytes: obj.sizeBytes,
+    visibility: obj.visibility,
+    namespace: obj.namespace,
+    visibilityEnforced: obj.visibilityEnforced,
+    tags: Array.isArray(obj.tags) ? obj.tags : [],
+    ownerUserId: obj.ownerUserId,
+    orgId: obj.orgId,
+    status: obj.status,
+    createdAt: obj.createdAt,
+    updatedAt: obj.updatedAt
+  };
+  if (Object.prototype.hasOwnProperty.call(obj, 'storageExists')) {
+    response.storageExists = obj.storageExists;
+  }
+  if (Object.prototype.hasOwnProperty.call(obj, 'storageCheckedBackend')) {
+    response.storageCheckedBackend = obj.storageCheckedBackend;
+  }
+  if (Object.prototype.hasOwnProperty.call(obj, 'storageExistsError')) {
+    response.storageExistsError = obj.storageExistsError;
+  }
+  if (obj.visibility === 'public') {
+    response.publicUrl = buildPublicUrl(obj.key);
+  }
+  return response;
+};
+const normalizeTags = (value) => {
+  if (value === undefined) return undefined;
+  const raw = Array.isArray(value)
+    ? value
+    : typeof value === 'string'
+      ? value.split(',')
+      : [value];
+  const tags = raw
+    .map((t) => String(t).trim().toLowerCase())
+    .filter(Boolean);
+  return Array.from(new Set(tags));
+};
+exports.list = async (req, res) => {
+  try {
+    const page = Math.max(1, parseInt(req.query.page) || 1);
+    const limit = Math.min(100, Math.max(1, parseInt(req.query.limit) || 20));
+    const skip = (page - 1) * limit;
+    const filter = {};
+    if (req.query.status) {
+      filter.status = req.query.status;
+    } else {
+      filter.status = 'uploaded';
+    }
+    if (req.query.visibility) {
+      filter.visibility = req.query.visibility;
+    }
+    if (req.query.contentType) {
+      filter.contentType = { $regex: req.query.contentType, $options: 'i' };
+    }
+    if (req.query.ownerUserId) {
+      filter.ownerUserId = req.query.ownerUserId;
+    }
+    if (req.query.orgId) {
+      filter.orgId = req.query.orgId;
+    }
+    if (req.query.namespace) {
+      filter.namespace = String(req.query.namespace);
+    }
+    if (req.query.tag) {
+      const tag = String(req.query.tag).trim().toLowerCase();
+      if (tag) {
+        filter.tags = tag;
+      }
+    }
+    const [assets, total] = await Promise.all([
+      Asset.find(filter).sort({ updatedAt: -1, createdAt: -1 }).skip(skip).limit(limit).lean(),
+      Asset.countDocuments(filter)
+    ]);
+    const assetsWithStorage = await Promise.all(
+      assets.map(async (a) => {
+        const backend = a?.provider === 's3' ? 's3' : 'fs';
+        try {
+          const exists = await objectStorage.objectExists({ key: a.key, backend });
+          return {
+            ...a,
+            storageCheckedBackend: backend,
+            storageExists: Boolean(exists),
+          };
+        } catch (e) {
+          return {
+            ...a,
+            storageCheckedBackend: backend,
+            storageExists: null,
+            storageExistsError: e?.message ? String(e.message) : 'storage check failed',
+          };
+        }
+      })
+    );
+    res.json({
+      assets: assetsWithStorage.map(formatAssetResponse),
+      pagination: {
+        page,
+        limit,
+        total,
+        pages: Math.ceil(total / limit)
+      }
+    });
+  } catch (error) {
+    console.error('Error listing assets:', error);
+    res.status(500).json({ error: 'Failed to list assets' });
+  }
+};
+exports.bulkSetTags = async (req, res) => {
+  try {
+    const assetIds = Array.isArray(req.body?.assetIds) ? req.body.assetIds : [];
+    const normalizedIds = assetIds
+      .map((id) => String(id || '').trim())
+      .filter(Boolean);
+    if (!normalizedIds.length) {
+      return res.status(400).json({ error: 'assetIds must be a non-empty array' });
+    }
+    if (normalizedIds.length > 200) {
+      return res.status(400).json({ error: 'Too many assets. Max 200 per request.' });
+    }
+    const tags = normalizeTags(req.body?.tags) || [];
+    const assets = await Asset.find({
+      _id: { $in: normalizedIds },
+      status: 'uploaded',
+    });
+    const results = {
+      ok: true,
+      requested: normalizedIds.length,
+      found: assets.length,
+      updated: 0,
+      failed: [],
+      tags,
+    };
+    for (const asset of assets) {
+      try {
+        asset.tags = tags;
+        await asset.save();
+        results.updated += 1;
+      } catch (e) {
+        results.failed.push({
+          assetId: String(asset._id),
+          error: e?.message ? String(e.message) : 'Failed to update tags',
+        });
+      }
+    }
+    return res.json(results);
+  } catch (error) {
+    console.error('Error bulk setting tags:', error);
+    return res.status(500).json({ error: 'Failed to bulk set tags' });
+  }
+};
+exports.replace = async (req, res) => {
+  try {
+    const asset = await Asset.findById(req.params.id);
+    if (!asset) {
+      return res.status(404).json({ error: 'Asset not found' });
+    }
+    if (asset.status === 'deleted') {
+      return res.status(400).json({ error: 'Cannot replace a deleted asset' });
+    }
+    if (!req.file && !req.files?.file) {
+      return res.status(400).json({ error: 'No file provided' });
+    }
+    const file = req.file || req.files.file;
+    const buffer = file.buffer || (file.data ? file.data : null);
+    if (!buffer) {
+      return res.status(400).json({ error: 'Unable to read file buffer' });
+    }
+    const contentType = file.mimetype;
+    const sizeBytes = buffer.length;
+    const namespaceConfig = await uploadNamespacesService.resolveNamespace(asset.namespace || 'default');
+    const hardCapMaxFileSizeBytes = await uploadNamespacesService.getEffectiveHardCapMaxFileSizeBytes();
+    const validation = uploadNamespacesService.validateUpload({
+      namespaceConfig,
+      contentType,
+      sizeBytes,
+      hardCapMaxFileSizeBytes,
+    });
+    if (!validation.ok) {
+      return res.status(400).json({
+        error: 'Upload rejected by namespace policy',
+        namespace: namespaceConfig.key,
+        hardCapMaxFileSizeBytes,
+        errors: validation.errors,
+      });
+    }
+    const { provider, bucket } = await objectStorage.putObject({
+      key: asset.key,
+      body: buffer,
+      contentType,
+    });
+    asset.contentType = contentType;
+    asset.sizeBytes = sizeBytes;
+    asset.provider = provider;
+    asset.bucket = bucket;
+    await asset.save();
+    res.json({ asset: formatAssetResponse(asset) });
+  } catch (error) {
+    console.error('Error replacing asset:', error);
+    res.status(500).json({ error: 'Failed to replace asset' });
+  }
+};
+exports.get = async (req, res) => {
+  try {
+    const asset = await Asset.findById(req.params.id).lean();
+    if (!asset) {
+      return res.status(404).json({ error: 'Asset not found' });
+    }
+    res.json({ asset: formatAssetResponse(asset) });
+  } catch (error) {
+    console.error('Error getting asset:', error);
+    res.status(500).json({ error: 'Failed to get asset' });
+  }
+};
+exports.upload = async (req, res) => {
+  try {
+    if (!req.file && !req.files?.file) {
+      return res.status(400).json({ error: 'No file provided' });
+    }
+    const file = req.file || req.files.file;
+    const buffer = file.buffer || (file.data ? file.data : null);
+    if (!buffer) {
+      return res.status(400).json({ error: 'Unable to read file buffer' });
+    }
+    const contentType = file.mimetype;
+    const originalName = file.originalname || file.name;
+    const sizeBytes = buffer.length;
+    const namespaceKey = req.body?.namespace ? String(req.body.namespace).trim() : 'default';
+    const namespaceConfig = await uploadNamespacesService.resolveNamespace(namespaceKey);
+    const hardCapMaxFileSizeBytes = await uploadNamespacesService.getEffectiveHardCapMaxFileSizeBytes();
+    const validation = uploadNamespacesService.validateUpload({
+      namespaceConfig,
+      contentType,
+      sizeBytes,
+      hardCapMaxFileSizeBytes,
+    });
+    if (!validation.ok) {
+      return res.status(400).json({
+        error: 'Upload rejected by namespace policy',
+        namespace: namespaceConfig.key,
+        hardCapMaxFileSizeBytes,
+        errors: validation.errors,
+      });
+    }
+    const key = uploadNamespacesService.generateObjectKey({
+      namespaceConfig,
+      originalName,
+    });
+    const visibility = uploadNamespacesService.computeVisibility({
+      namespaceConfig,
+      requestedVisibility: req.body?.visibility,
+    });
+    const { provider, bucket } = await objectStorage.putObject({
+      key,
+      body: buffer,
+      contentType
+    });
+    const asset = await Asset.create({
+      key,
+      provider,
+      bucket,
+      originalName,
+      contentType,
+      sizeBytes,
+      visibility,
+      namespace: namespaceConfig.key,
+      visibilityEnforced: Boolean(namespaceConfig.enforceVisibility),
+      ownerUserId: null,
+      orgId: null,
+      status: 'uploaded'
+    });
+    res.status(201).json({ asset: formatAssetResponse(asset) });
+  } catch (error) {
+    console.error('Error uploading asset:', error);
+    res.status(500).json({ error: 'Failed to upload asset' });
+  }
+};
+exports.update = async (req, res) => {
+  try {
+    const asset = await Asset.findById(req.params.id);
+    if (!asset) {
+      return res.status(404).json({ error: 'Asset not found' });
+    }
+    const allowedFields = ['visibility', 'orgId', 'tags'];
+    const updates = {};
+    for (const field of allowedFields) {
+      if (req.body[field] !== undefined) {
+        updates[field] = req.body[field];
+      }
+    }
+    if (updates.tags !== undefined) {
+      updates.tags = normalizeTags(updates.tags) || [];
+    }
+    if (updates.visibility && !['public', 'private'].includes(updates.visibility)) {
+      return res.status(400).json({ error: 'Invalid visibility value' });
+    }
+    if (updates.visibility && asset.visibilityEnforced) {
+      return res.status(400).json({ error: 'Visibility is enforced by the upload namespace for this asset' });
+    }
+    Object.assign(asset, updates);
+    await asset.save();
+    res.json({ asset: formatAssetResponse(asset) });
+  } catch (error) {
+    console.error('Error updating asset:', error);
+    res.status(500).json({ error: 'Failed to update asset' });
+  }
+};
+exports.delete = async (req, res) => {
+  try {
+    const asset = await Asset.findById(req.params.id);
+    if (!asset) {
+      return res.status(404).json({ error: 'Asset not found' });
+    }
+    await objectStorage.deleteObject({ key: asset.key });
+    asset.status = 'deleted';
+    await asset.save();
+    res.json({ success: true });
+  } catch (error) {
+    console.error('Error deleting asset:', error);
+    res.status(500).json({ error: 'Failed to delete asset' });
+  }
+};
+exports.getStorageInfo = async (req, res) => {
+  try {
+    const multerCeilingMaxFileSizeBytes = Number(process.env.MULTER_FILE_SIZE_LIMIT || '1073741824');
+    const envFallbackHardCapMaxFileSizeBytes = uploadNamespacesService.getEnvHardCapMaxFileSizeBytes();
+    const configuredHardCapMaxFileSizeBytes = await uploadNamespacesService.getConfiguredHardCapMaxFileSizeBytes();
+    const hardCapMaxFileSizeBytes = await uploadNamespacesService.getEffectiveHardCapMaxFileSizeBytes();
+    const [provider, bucket, s3Enabled] = await Promise.all([
+      objectStorage.getProvider(),
+      objectStorage.getBucket(),
+      objectStorage.isS3Enabled(),
+    ]);
+    res.json({
+      provider,
+      bucket,
+      s3Enabled,
+      maxFileSize: objectStorage.getMaxFileSize(),
+      multerCeilingMaxFileSizeBytes,
+      envFallbackHardCapMaxFileSizeBytes,
+      configuredHardCapMaxFileSizeBytes,
+      hardCapMaxFileSizeBytes,
+      allowedContentTypes: objectStorage.getAllowedContentTypes()
+    });
+  } catch (error) {
+    console.error('Error getting storage info:', error);
+    res.status(500).json({ error: 'Failed to get storage info' });
+  }
+};
+exports.bulkMoveNamespace = async (req, res) => {
+  try {
+    const assetIds = Array.isArray(req.body?.assetIds) ? req.body.assetIds : [];
+    const targetNamespaceRaw = req.body?.targetNamespace;
+    const targetNamespaceKey = String(targetNamespaceRaw || '').trim();
+    if (!targetNamespaceKey) {
+      return res.status(400).json({ error: 'targetNamespace is required' });
+    }
+    const normalizedIds = assetIds
+      .map((id) => String(id || '').trim())
+      .filter(Boolean);
+    if (!normalizedIds.length) {
+      return res.status(400).json({ error: 'assetIds must be a non-empty array' });
+    }
+    if (normalizedIds.length > 100) {
+      return res.status(400).json({ error: 'Too many assets. Max 100 per request.' });
+    }
+    const namespaceConfig = await uploadNamespacesService.resolveNamespace(targetNamespaceKey);
+    if (!namespaceConfig?.enabled) {
+      return res.status(400).json({ error: 'Target namespace is disabled' });
+    }
+    const assets = await Asset.find({
+      _id: { $in: normalizedIds },
+      status: 'uploaded',
+    });
+    const results = {
+      ok: true,
+      targetNamespace: namespaceConfig.key,
+      requested: normalizedIds.length,
+      found: assets.length,
+      moved: 0,
+      skipped: 0,
+      failed: [],
+    };
+    for (const asset of assets) {
+      try {
+        const currentNamespace = String(asset.namespace || 'default');
+        if (currentNamespace === namespaceConfig.key) {
+          results.skipped += 1;
+          continue;
+        }
+        const newKey = uploadNamespacesService.generateObjectKey({
+          namespaceConfig,
+          originalName: asset.originalName,
+        });
+        const backend = asset?.provider === 's3' ? 's3' : 'fs';
+        const oldKey = asset.key;
+        await objectStorage.moveObject({
+          sourceKey: oldKey,
+          destKey: newKey,
+          backend,
+        });
+        const movedProvider = backend;
+        const movedBucket = backend === 's3'
+          ? (await objectStorage.getS3Config())?.bucket
+          : 'fs';
+        asset.key = newKey;
+        asset.namespace = namespaceConfig.key;
+        asset.provider = movedProvider;
+        asset.bucket = movedBucket || asset.bucket;
+        asset.visibilityEnforced = Boolean(namespaceConfig.enforceVisibility);
+        await asset.save();
+        results.moved += 1;
+      } catch (e) {
+        results.failed.push({
+          assetId: String(asset._id),
+          error: e?.message ? String(e.message) : 'Failed to move asset',
+        });
+      }
+    }
+    return res.json(results);
+  } catch (error) {
+    console.error('Error bulk moving assets:', error);
+    return res.status(500).json({ error: 'Failed to bulk move assets' });
+  }
+};