@kyro-cms/admin 0.1.2 → 0.1.3

package/dist/server/chunks/index_CVqOkerS.mjs

@@ -1,2960 +0,0 @@
-import Redis2 from 'ioredis';
-import bcrypt from 'bcryptjs';
-import { randomBytes } from 'crypto';
-import nodemailer from 'nodemailer';
-import 'hono';
-import 'ws';
-import { pgTable, timestamp, jsonb, integer, boolean, uuid, varchar, uniqueIndex, index, text } from 'drizzle-orm/pg-core';
-import 'postgres';
-import { z } from 'zod';
-export { z } from 'zod';
-import 'bcrypt';
-import jwt from 'jsonwebtoken';
-
-// src/auth/bootstrap.ts
-var DEFAULT_PREFIX = "kyro:auth:";
-var DEFAULT_TOKEN_EXPIRATION = 86400;
-var DEFAULT_REFRESH_EXPIRATION = 604800;
-var RedisAuthAdapter = class {
-  redis;
-  prefix;
-  tokenExpiration;
-  refreshExpiration;
-  constructor(options = {}) {
-    const url = options.url || `redis://${options.host || "localhost"}:${options.port || 6379}`;
-    this.redis = new Redis2(url, {
-      password: options.password,
-      db: options.db,
-      lazyConnect: true,
-      tls: options.tls ? {} : void 0
-    });
-    this.prefix = options.keyPrefix || DEFAULT_PREFIX;
-    this.tokenExpiration = options.tokenExpiration || DEFAULT_TOKEN_EXPIRATION;
-    this.refreshExpiration = options.refreshTokenExpiration || DEFAULT_REFRESH_EXPIRATION;
-  }
-  async connect() {
-    await this.redis.connect();
-  }
-  async disconnect() {
-    await this.redis.quit();
-  }
-  userKey(userId) {
-    return `${this.prefix}users:${userId}`;
-  }
-  sessionKey(sessionId) {
-    return `${this.prefix}sessions:${sessionId}`;
-  }
-  refreshKey(token) {
-    return `${this.prefix}refresh:${token}`;
-  }
-  userByEmailKey(email) {
-    return `${this.prefix}users:email:${email.toLowerCase()}`;
-  }
-  passwordHistoryKey(userId) {
-    return `${this.prefix}users:${userId}:password_history`;
-  }
-  async createUser(data) {
-    const userId = randomBytes(16).toString("hex");
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const user = {
-      id: userId,
-      email: data.email.toLowerCase(),
-      passwordHash: data.passwordHash,
-      role: data.role || "customer",
-      tenantId: data.tenantId,
-      createdAt: now,
-      updatedAt: now
-    };
-    const pipeline = this.redis.pipeline();
-    pipeline.hset(this.userKey(userId), this.userToHash(user));
-    pipeline.set(this.userByEmailKey(data.email), userId);
-    await pipeline.exec();
-    return user;
-  }
-  async findUserByEmail(email) {
-    const userId = await this.redis.get(
-      this.userByEmailKey(email.toLowerCase())
-    );
-    if (!userId) return null;
-    return this.findUserById(userId);
-  }
-  async findUserById(userId) {
-    const data = await this.redis.hgetall(this.userKey(userId));
-    if (!data || Object.keys(data).length === 0) return null;
-    return this.hashToUser(data);
-  }
-  async updateUser(userId, data) {
-    const existing = await this.findUserById(userId);
-    if (!existing) return null;
-    const updated = {
-      ...existing,
-      ...data,
-      id: userId,
-      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    };
-    if (data.email && data.email !== existing.email) {
-      const pipeline = this.redis.pipeline();
-      pipeline.del(this.userByEmailKey(existing.email));
-      pipeline.set(this.userByEmailKey(data.email), userId);
-      await pipeline.exec();
-    }
-    await this.redis.hset(this.userKey(userId), this.userToHash(updated));
-    return updated;
-  }
-  async deleteUser(userId) {
-    const user = await this.findUserById(userId);
-    if (!user) return false;
-    const pipeline = this.redis.pipeline();
-    pipeline.del(this.userKey(userId));
-    pipeline.del(this.userByEmailKey(user.email));
-    pipeline.del(this.passwordHistoryKey(userId));
-    await pipeline.exec();
-    return true;
-  }
-  async hashPassword(password) {
-    return bcrypt.hash(password, 12);
-  }
-  async verifyPassword(password, hash) {
-    return bcrypt.compare(password, hash);
-  }
-  async createSession(userId, data = {}) {
-    const sessionId = randomBytes(32).toString("hex");
-    const token = randomBytes(32).toString("base64url");
-    const refreshToken = randomBytes(32).toString("base64url");
-    const now = /* @__PURE__ */ new Date();
-    const session = {
-      id: sessionId,
-      userId,
-      token,
-      refreshToken,
-      expiresAt: new Date(
-        now.getTime() + this.tokenExpiration * 1e3
-      ).toISOString(),
-      createdAt: now.toISOString(),
-      ipAddress: data.ipAddress,
-      userAgent: data.userAgent
-    };
-    const pipeline = this.redis.pipeline();
-    pipeline.hset(this.sessionKey(sessionId), this.sessionToHash(session));
-    pipeline.setex(
-      this.refreshKey(refreshToken),
-      this.refreshExpiration,
-      sessionId
-    );
-    await pipeline.exec();
-    return session;
-  }
-  async findSessionByToken(token) {
-    const data = await this.redis.hgetall(this.sessionKey(token));
-    if (!data || Object.keys(data).length === 0) return null;
-    return this.hashToSession(data);
-  }
-  async deleteSession(sessionId) {
-    const session = await this.redis.hgetall(this.sessionKey(sessionId));
-    if (!session || Object.keys(session).length === 0) return false;
-    const pipeline = this.redis.pipeline();
-    pipeline.del(this.sessionKey(sessionId));
-    if (session.refreshToken) {
-      pipeline.del(this.refreshKey(session.refreshToken));
-    }
-    await pipeline.exec();
-    return true;
-  }
-  async deleteUserSessions(userId) {
-    const pattern = `${this.prefix}sessions:*`;
-    let cursor = "0";
-    let deleted = 0;
-    do {
-      const [nextCursor, keys] = await this.redis.scan(
-        cursor,
-        "MATCH",
-        pattern,
-        "COUNT",
-        100
-      );
-      cursor = nextCursor;
-      for (const key of keys) {
-        const sessionData = await this.redis.hgetall(key);
-        if (sessionData.userId === userId) {
-          const sessionId = key.replace(`${this.prefix}sessions:`, "");
-          await this.deleteSession(sessionId);
-          deleted++;
-        }
-      }
-    } while (cursor !== "0");
-    return deleted;
-  }
-  async addPasswordToHistory(userId, passwordHash) {
-    await this.redis.lpush(this.passwordHistoryKey(userId), passwordHash);
-    await this.redis.ltrim(this.passwordHistoryKey(userId), 0, 4);
-  }
-  async getPasswordHistory(userId, count = 5) {
-    return this.redis.lrange(this.passwordHistoryKey(userId), 0, count - 1);
-  }
-  async isPasswordInHistory(password, userId, historyCount = 5) {
-    const history = await this.getPasswordHistory(userId, historyCount);
-    for (const hash of history) {
-      if (await this.verifyPassword(password, hash)) {
-        return true;
-      }
-    }
-    return false;
-  }
-  userToHash(user) {
-    const hash = {
-      id: user.id,
-      email: user.email,
-      passwordHash: user.passwordHash || "",
-      role: user.role,
-      createdAt: user.createdAt,
-      updatedAt: user.updatedAt
-    };
-    if (user.tenantId) hash.tenantId = user.tenantId;
-    if (user.emailVerified !== void 0)
-      hash.emailVerified = String(user.emailVerified);
-    if (user.locked !== void 0) hash.locked = String(user.locked);
-    if (user.lastLogin) hash.lastLogin = user.lastLogin;
-    if (user.failedLoginAttempts !== void 0)
-      hash.failedLoginAttempts = String(user.failedLoginAttempts);
-    return hash;
-  }
-  hashToUser(hash) {
-    return {
-      id: hash.id,
-      email: hash.email,
-      passwordHash: hash.passwordHash,
-      role: hash.role,
-      tenantId: hash.tenantId,
-      createdAt: hash.createdAt,
-      updatedAt: hash.updatedAt,
-      emailVerified: hash.emailVerified === "true",
-      locked: hash.locked === "true",
-      lastLogin: hash.lastLogin,
-      failedLoginAttempts: hash.failedLoginAttempts ? parseInt(hash.failedLoginAttempts, 10) : 0
-    };
-  }
-  sessionToHash(session) {
-    const hash = {
-      id: session.id,
-      userId: session.userId,
-      token: session.token,
-      expiresAt: session.expiresAt,
-      createdAt: session.createdAt
-    };
-    if (session.refreshToken) hash.refreshToken = session.refreshToken;
-    if (session.ipAddress) hash.ipAddress = session.ipAddress;
-    if (session.userAgent) hash.userAgent = session.userAgent;
-    return hash;
-  }
-  hashToSession(hash) {
-    return {
-      id: hash.id,
-      userId: hash.userId,
-      token: hash.token,
-      refreshToken: hash.refreshToken,
-      expiresAt: hash.expiresAt,
-      createdAt: hash.createdAt,
-      ipAddress: hash.ipAddress,
-      userAgent: hash.userAgent
-    };
-  }
-};
-var defaultTemplates = {
-  verifyEmail: (link, userName = "User") => ({
-    subject: "Verify your email address",
-    html: `
-      <!DOCTYPE html>
-      <html>
-      <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <title>Verify Email</title>
-        <style>
-          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
-          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
-          .button { display: inline-block; padding: 12px 24px; background: #0b1222; color: white; text-decoration: none; border-radius: 6px; font-weight: 600; }
-          .footer { margin-top: 30px; font-size: 12px; color: #666; }
-        </style>
-      </head>
-      <body>
-        <div class="container">
-          <h1>Welcome, ${userName}!</h1>
-          <p>Please verify your email address by clicking the button below:</p>
-          <p style="text-align: center; margin: 30px 0;">
-            <a href="${link}" class="button">Verify Email</a>
-          </p>
-          <p>Or copy and paste this link into your browser:</p>
-          <p style="word-break: break-all; color: #666;">${link}</p>
-          <p>This link will expire in 24 hours.</p>
-          <div class="footer">
-            <p>If you didn't create an account, you can safely ignore this email.</p>
-          </div>
-        </div>
-      </body>
-      </html>
-    `,
-    text: `Welcome ${userName}!
-
-Please verify your email by clicking this link: ${link}
-
-This link will expire in 24 hours.
-
-If you didn't create an account, you can safely ignore this email.`
-  }),
-  resetPassword: (link, userName = "User") => ({
-    subject: "Reset your password",
-    html: `
-      <!DOCTYPE html>
-      <html>
-      <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <title>Reset Password</title>
-        <style>
-          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
-          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
-          .button { display: inline-block; padding: 12px 24px; background: #dc2626; color: white; text-decoration: none; border-radius: 6px; font-weight: 600; }
-          .warning { background: #fef3c7; border: 1px solid #f59e0b; padding: 12px; border-radius: 6px; margin: 20px 0; }
-          .footer { margin-top: 30px; font-size: 12px; color: #666; }
-        </style>
-      </head>
-      <body>
-        <div class="container">
-          <h1>Password Reset Request</h1>
-          <p>Hello ${userName},</p>
-          <p>We received a request to reset your password. Click the button below to create a new password:</p>
-          <p style="text-align: center; margin: 30px 0;">
-            <a href="${link}" class="button">Reset Password</a>
-          </p>
-          <p>Or copy and paste this link into your browser:</p>
-          <p style="word-break: break-all; color: #666;">${link}</p>
-          <div class="warning">
-            <strong>\u26A0\uFE0F Important:</strong> This link will expire in 1 hour. If you didn't request a password reset, please ignore this email or contact support if you have concerns.
-          </div>
-          <div class="footer">
-            <p>For security reasons, please don't share this email with anyone.</p>
-          </div>
-        </div>
-      </body>
-      </html>
-    `,
-    text: `Password Reset Request
-
-Hello ${userName},
-
-We received a request to reset your password. Click this link to create a new password: ${link}
-
-This link will expire in 1 hour.
-
-If you didn't request a password reset, please ignore this email.`
-  }),
-  welcome: (userName = "User") => ({
-    subject: "Welcome to Kyro CMS",
-    html: `
-      <!DOCTYPE html>
-      <html>
-      <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <title>Welcome</title>
-        <style>
-          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
-          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
-          .button { display: inline-block; padding: 12px 24px; background: #0b1222; color: white; text-decoration: none; border-radius: 6px; font-weight: 600; }
-        </style>
-      </head>
-      <body>
-        <div class="container">
-          <h1>Welcome to Kyro CMS, ${userName}!</h1>
-          <p>Your account has been created successfully.</p>
-          <p>You can now:</p>
-          <ul>
-            <li>Manage your content collections</li>
-            <li>Upload and organize media</li>
-            <li>Configure settings</li>
-            <li>And much more...</li>
-          </ul>
-          <p style="text-align: center; margin: 30px 0;">
-            <a href="#" class="button">Get Started</a>
-          </p>
-          <p>If you have any questions, feel free to reach out to our support team.</p>
-        </div>
-      </body>
-      </html>
-    `,
-    text: `Welcome to Kyro CMS, ${userName}!
-
-Your account has been created successfully.
-
-You can now:
-- Manage your content collections
-- Upload and organize media
-- Configure settings
-- And much more...
-
-Get started by logging into your dashboard.`
-  }),
-  accountLocked: (attempts, duration, userName = "User") => ({
-    subject: "Account Security Alert - Account Locked",
-    html: `
-      <!DOCTYPE html>
-      <html>
-      <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <title>Account Locked</title>
-        <style>
-          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
-          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
-          .alert { background: #fef2f2; border: 1px solid #ef4444; padding: 16px; border-radius: 8px; margin: 20px 0; }
-          .footer { margin-top: 30px; font-size: 12px; color: #666; }
-        </style>
-      </head>
-      <body>
-        <div class="container">
-          <h1>Account Security Alert</h1>
-          <p>Hello ${userName},</p>
-          <div class="alert">
-            <p><strong>\u26A0\uFE0F Your account has been temporarily locked due to multiple failed login attempts.</strong></p>
-            <p>Failed attempts: ${attempts}</p>
-            <p>Lockout duration: ${Math.round(duration / 6e4)} minutes</p>
-          </div>
-          <p>Your account will automatically unlock after the lockout period expires.</p>
-          <p>If this wasn't you, we recommend:</p>
-          <ul>
-            <li>Using a strong, unique password</li>
-            <li>Enabling two-factor authentication (coming soon)</li>
-            <li>Reviewing your recent account activity</li>
-          </ul>
-          <div class="footer">
-            <p>If you need immediate assistance, please contact support.</p>
-          </div>
-        </div>
-      </body>
-      </html>
-    `,
-    text: `Account Security Alert
-
-Hello ${userName},
-
-Your account has been temporarily locked due to multiple failed login attempts (${attempts}).
-
-Lockout duration: ${Math.round(duration / 6e4)} minutes
-
-Your account will automatically unlock after this period.
-
-If this wasn't you, we recommend using a strong, unique password.`
-  }),
-  passwordChanged: (userName = "User") => ({
-    subject: "Your password has been changed",
-    html: `
-      <!DOCTYPE html>
-      <html>
-      <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <title>Password Changed</title>
-        <style>
-          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
-          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
-          .info { background: #f0fdf4; border: 1px solid #22c55e; padding: 12px; border-radius: 6px; margin: 20px 0; }
-        </style>
-      </head>
-      <body>
-        <div class="container">
-          <h1>Password Changed</h1>
-          <p>Hello ${userName},</p>
-          <div class="info">
-            <p>Your password was recently changed.</p>
-          </div>
-          <p>If you did this, you can safely ignore this email.</p>
-          <p><strong>If you didn't change your password</strong>, please contact our support team immediately as your account may have been compromised.</p>
-        </div>
-      </body>
-      </html>
-    `,
-    text: `Password Changed
-
-Hello ${userName},
-
-Your password was recently changed.
-
-If you did this, you can safely ignore this email.
-
-If you didn't change your password, please contact support immediately.`
-  }),
-  newLogin: (location, time, userName = "User") => ({
-    subject: "New login to your account",
-    html: `
-      <!DOCTYPE html>
-      <html>
-      <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <title>New Login</title>
-        <style>
-          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
-          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
-          .info-box { background: #f8fafc; border: 1px solid #e2e8f0; padding: 16px; border-radius: 8px; margin: 20px 0; }
-          .footer { margin-top: 30px; font-size: 12px; color: #666; }
-        </style>
-      </head>
-      <body>
-        <div class="container">
-          <h1>New Login Detected</h1>
-          <p>Hello ${userName},</p>
-          <p>We detected a new login to your account:</p>
-          <div class="info-box">
-            <p><strong>Location:</strong> ${location}</p>
-            <p><strong>Time:</strong> ${time}</p>
-          </div>
-          <p><strong>If this was you</strong>, no action is needed.</p>
-          <p><strong>If this wasn't you</strong>, your account may be compromised. Please:</p>
-          <ol>
-            <li>Change your password immediately</li>
-            <li>Review your recent account activity</li>
-            <li>Contact support if needed</li>
-          </ol>
-          <div class="footer">
-            <p>This is an automated security notification.</p>
-          </div>
-        </div>
-      </body>
-      </html>
-    `,
-    text: `New Login Detected
-
-Hello ${userName},
-
-We detected a new login to your account:
-
-Location: ${location}
-Time: ${time}
-
-If this wasn't you, please change your password immediately and contact support.`
-  })
-};
-var EmailTransport = class _EmailTransport {
-  transporter;
-  from;
-  fromName;
-  templates;
-  constructor(config, templates) {
-    this.transporter = nodemailer.createTransport({
-      host: config.host,
-      port: config.port,
-      secure: config.secure,
-      auth: config.auth
-    });
-    this.from = config.from;
-    this.fromName = config.fromName || "Kyro CMS";
-    this.templates = { ...defaultTemplates, ...templates };
-  }
-  async send(options) {
-    return this.transporter.sendMail({
-      from: `"${this.fromName}" <${this.from}>`,
-      to: Array.isArray(options.to) ? options.to.join(", ") : options.to,
-      subject: options.subject,
-      html: options.html,
-      text: options.text
-    });
-  }
-  getTemplates() {
-    return this.templates;
-  }
-  async verifyConnection() {
-    try {
-      await this.transporter.verify();
-      return true;
-    } catch {
-      return false;
-    }
-  }
-  static fromEnv() {
-    const host = process.env.SMTP_HOST;
-    const port = parseInt(process.env.SMTP_PORT || "587", 10);
-    const secure = process.env.SMTP_SECURE === "true";
-    const user = process.env.SMTP_USER;
-    const pass = process.env.SMTP_PASS;
-    const from = process.env.SMTP_FROM || process.env.DEFAULT_FROM || "noreply@example.com";
-    const fromName = process.env.SMTP_FROM_NAME || "Kyro CMS";
-    if (!host || !user || !pass) {
-      return null;
-    }
-    return new _EmailTransport({
-      host,
-      port,
-      secure,
-      auth: { user, pass },
-      from,
-      fromName
-    });
-  }
-};
-
-// src/auth/security/password-policy.ts
-var DEFAULT_PASSWORD_POLICY = {
-  minLength: 12,
-  requireUppercase: true,
-  requireLowercase: true,
-  requireNumbers: true,
-  requireSpecialChars: true,
-  preventReuse: 5,
-  maxLength: 128
-};
-var PasswordPolicy = class {
-  config;
-  constructor(config = {}) {
-    this.config = { ...DEFAULT_PASSWORD_POLICY, ...config };
-  }
-  validate(password) {
-    const errors = [];
-    if (this.config.maxLength && password.length > this.config.maxLength) {
-      errors.push(
-        `Password must not exceed ${this.config.maxLength} characters`
-      );
-    }
-    if (password.length < this.config.minLength) {
-      errors.push(
-        `Password must be at least ${this.config.minLength} characters`
-      );
-    }
-    if (this.config.requireUppercase && !/[A-Z]/.test(password)) {
-      errors.push("Password must contain at least one uppercase letter");
-    }
-    if (this.config.requireLowercase && !/[a-z]/.test(password)) {
-      errors.push("Password must contain at least one lowercase letter");
-    }
-    if (this.config.requireNumbers && !/[0-9]/.test(password)) {
-      errors.push("Password must contain at least one number");
-    }
-    if (this.config.requireSpecialChars && !/[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password)) {
-      errors.push("Password must contain at least one special character");
-    }
-    const commonPasswords = [
-      "password",
-      "123456",
-      "12345678",
-      "qwerty",
-      "abc123",
-      "monkey",
-      "1234567",
-      "letmein",
-      "trustno1",
-      "dragon",
-      "baseball",
-      "iloveyou",
-      "master",
-      "sunshine",
-      "ashley",
-      "football",
-      "password1",
-      "shadow",
-      "123123",
-      "654321"
-    ];
-    if (commonPasswords.includes(password.toLowerCase())) {
-      errors.push(
-        "This password is too common. Please choose a more secure password"
-      );
-    }
-    if (/^[a-zA-Z]+$/.test(password) || /^[0-9]+$/.test(password)) {
-      errors.push(
-        "Password must contain a mix of letters, numbers, and/or special characters"
-      );
-    }
-    if (/(.)\1{2,}/.test(password)) {
-      errors.push(
-        "Password must not contain more than 2 consecutive identical characters"
-      );
-    }
-    if (/^(012|123|234|345|456|567|678|789|890|098|987|876|765|654|543|432|321|210)+$/i.test(
-      password
-    )) {
-      errors.push("Password must not contain sequential numbers or letters");
-    }
-    return {
-      valid: errors.length === 0,
-      errors
-    };
-  }
-  async checkReuse(passwordHash, history, verifyFn) {
-    return {
-      valid: true,
-      errors: []
-    };
-  }
-  async isInHistory(password, history, verifyFn) {
-    for (const hash of history) {
-      if (await verifyFn(password, hash)) {
-        return true;
-      }
-    }
-    return false;
-  }
-  generatePassword(length = 16) {
-    const uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
-    const lowercase = "abcdefghijklmnopqrstuvwxyz";
-    const numbers = "0123456789";
-    const special = "!@#$%^&*()_+-=[]{}|;:,.<>?";
-    let password = "";
-    password += uppercase[Math.floor(Math.random() * uppercase.length)];
-    password += lowercase[Math.floor(Math.random() * lowercase.length)];
-    password += numbers[Math.floor(Math.random() * numbers.length)];
-    password += special[Math.floor(Math.random() * special.length)];
-    const allChars = uppercase + lowercase + numbers + special;
-    for (let i = password.length; i < length; i++) {
-      password += allChars[Math.floor(Math.random() * allChars.length)];
-    }
-    return password.split("").sort(() => Math.random() - 0.5).join("");
-  }
-  getStrength(password) {
-    let score = 0;
-    const feedback = [];
-    if (password.length >= 8) score += 1;
-    if (password.length >= 12) score += 1;
-    if (password.length >= 16) score += 1;
-    if (/[a-z]/.test(password)) score += 1;
-    if (/[A-Z]/.test(password)) score += 1;
-    if (/[0-9]/.test(password)) score += 1;
-    if (/[!@#$%^&*()_+\-=\[\]{}|;:,.<>?]/.test(password)) score += 1;
-    if (password.length > 8) score += 1;
-    if (password.length > 12) score += 1;
-    const uniqueChars = new Set(password).size;
-    if (uniqueChars > 6) score += 1;
-    if (uniqueChars > 10) score += 1;
-    let label;
-    if (score <= 3) {
-      label = "Weak";
-      feedback.push("Add more characters");
-      feedback.push("Include uppercase and lowercase letters");
-    } else if (score <= 5) {
-      label = "Fair";
-      feedback.push("Add special characters");
-      feedback.push("Consider making it longer");
-    } else if (score <= 7) {
-      label = "Good";
-      feedback.push("Consider making it longer for extra security");
-    } else {
-      label = "Strong";
-    }
-    return { score, label, feedback };
-  }
-  setConfig(config) {
-    this.config = { ...this.config, ...config };
-  }
-  getConfig() {
-    return { ...this.config };
-  }
-};
-
-var __defProp = Object.defineProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-
-// src/database/drizzle/schema/auth.ts
-var auth_exports = {};
-__export(auth_exports, {
-  apiKeys: () => apiKeys,
-  auditLogs: () => auditLogs,
-  emailVerifications: () => emailVerifications,
-  lockouts: () => lockouts,
-  passwordHistory: () => passwordHistory,
-  passwordResets: () => passwordResets,
-  permissions: () => permissions,
-  roles: () => roles,
-  sessions: () => sessions,
-  tenants: () => tenants,
-  users: () => users
-});
-var users = pgTable(
-  "users",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    email: varchar("email", { length: 255 }).notNull(),
-    passwordHash: varchar("password_hash", { length: 255 }),
-    role: varchar("role", { length: 50 }).notNull().default("customer"),
-    tenantId: uuid("tenant_id"),
-    emailVerified: boolean("email_verified").default(false),
-    locked: boolean("locked").default(false),
-    lastLogin: timestamp("last_login"),
-    failedLoginAttempts: integer("failed_login_attempts").default(0),
-    metadata: jsonb("metadata").$type(),
-    createdAt: timestamp("created_at").defaultNow().notNull(),
-    updatedAt: timestamp("updated_at").defaultNow().notNull()
-  },
-  (table) => [
-    uniqueIndex("users_email_idx").on(table.email),
-    index("users_tenant_idx").on(table.tenantId),
-    index("users_role_idx").on(table.role)
-  ]
-);
-var roles = pgTable(
-  "roles",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    name: varchar("name", { length: 100 }).notNull().unique(),
-    level: integer("level").notNull().default(0),
-    inherits: text("inherits").array(),
-    description: text("description"),
-    permissions: jsonb("permissions").$type().default([]),
-    isSystem: boolean("is_system").default(false),
-    createdAt: timestamp("created_at").defaultNow().notNull(),
-    updatedAt: timestamp("updated_at").defaultNow().notNull()
-  },
-  (table) => [index("roles_level_idx").on(table.level)]
-);
-var permissions = pgTable(
-  "permissions",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    roleId: uuid("role_id").references(() => roles.id, { onDelete: "cascade" }),
-    resource: varchar("resource", { length: 100 }).notNull(),
-    action: varchar("action", { length: 50 }).notNull(),
-    conditions: jsonb("conditions").$type(),
-    createdAt: timestamp("created_at").defaultNow().notNull()
-  },
-  (table) => [
-    index("permissions_role_idx").on(table.roleId),
-    index("permissions_resource_idx").on(table.resource)
-  ]
-);
-var sessions = pgTable(
-  "sessions",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-    token: varchar("token", { length: 512 }).notNull().unique(),
-    refreshToken: varchar("refresh_token", { length: 512 }),
-    ipAddress: varchar("ip_address", { length: 45 }),
-    userAgent: text("user_agent"),
-    expiresAt: timestamp("expires_at").notNull(),
-    createdAt: timestamp("created_at").defaultNow().notNull()
-  },
-  (table) => [
-    index("sessions_user_idx").on(table.userId),
-    index("sessions_token_idx").on(table.token),
-    index("sessions_expires_idx").on(table.expiresAt)
-  ]
-);
-var auditLogs = pgTable(
-  "audit_logs",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    action: varchar("action", { length: 100 }).notNull(),
-    userId: uuid("user_id").references(() => users.id, {
-      onDelete: "set null"
-    }),
-    userEmail: varchar("user_email", { length: 255 }),
-    role: varchar("role", { length: 50 }),
-    resource: varchar("resource", { length: 100 }).notNull(),
-    resourceId: uuid("resource_id"),
-    changes: jsonb("changes").$type(),
-    ipAddress: varchar("ip_address", { length: 45 }),
-    userAgent: text("user_agent"),
-    success: boolean("success").notNull().default(true),
-    error: text("error"),
-    metadata: jsonb("metadata").$type(),
-    timestamp: timestamp("timestamp").defaultNow().notNull()
-  },
-  (table) => [
-    index("audit_logs_user_idx").on(table.userId),
-    index("audit_logs_action_idx").on(table.action),
-    index("audit_logs_resource_idx").on(table.resource),
-    index("audit_logs_timestamp_idx").on(table.timestamp)
-  ]
-);
-var tenants = pgTable(
-  "tenants",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    name: varchar("name", { length: 255 }).notNull(),
-    slug: varchar("slug", { length: 100 }).notNull().unique(),
-    settings: jsonb("settings").$type().default({}),
-    isActive: boolean("is_active").default(true),
-    createdAt: timestamp("created_at").defaultNow().notNull(),
-    updatedAt: timestamp("updated_at").defaultNow().notNull()
-  },
-  (table) => [uniqueIndex("tenants_slug_idx").on(table.slug)]
-);
-var apiKeys = pgTable(
-  "api_keys",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-    name: varchar("name", { length: 255 }).notNull(),
-    key: varchar("key", { length: 64 }).notNull().unique(),
-    keyPrefix: varchar("key_prefix", { length: 8 }).notNull(),
-    permissions: jsonb("permissions").$type().default([]),
-    lastUsedAt: timestamp("last_used_at"),
-    expiresAt: timestamp("expires_at"),
-    createdAt: timestamp("created_at").defaultNow().notNull()
-  },
-  (table) => [
-    index("api_keys_user_idx").on(table.userId),
-    index("api_keys_key_idx").on(table.key)
-  ]
-);
-var emailVerifications = pgTable(
-  "email_verifications",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-    token: varchar("token", { length: 64 }).notNull().unique(),
-    expiresAt: timestamp("expires_at").notNull(),
-    createdAt: timestamp("created_at").defaultNow().notNull()
-  },
-  (table) => [
-    index("email_verifications_token_idx").on(table.token),
-    index("email_verifications_user_idx").on(table.userId)
-  ]
-);
-var passwordResets = pgTable(
-  "password_resets",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-    token: varchar("token", { length: 64 }).notNull().unique(),
-    expiresAt: timestamp("expires_at").notNull(),
-    usedAt: timestamp("used_at"),
-    createdAt: timestamp("created_at").defaultNow().notNull()
-  },
-  (table) => [
-    index("password_resets_token_idx").on(table.token),
-    index("password_resets_user_idx").on(table.userId)
-  ]
-);
-var passwordHistory = pgTable(
-  "password_history",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-    passwordHash: varchar("password_hash", { length: 255 }).notNull(),
-    createdAt: timestamp("created_at").defaultNow().notNull()
-  },
-  (table) => [index("password_history_user_idx").on(table.userId)]
-);
-var lockouts = pgTable(
-  "lockouts",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-    ipAddress: varchar("ip_address", { length: 45 }),
-    reason: varchar("reason", { length: 255 }),
-    lockedUntil: timestamp("locked_until").notNull(),
-    releasedAt: timestamp("released_at"),
-    createdAt: timestamp("created_at").defaultNow().notNull()
-  },
-  (table) => [
-    index("lockouts_user_idx").on(table.userId),
-    index("lockouts_ip_idx").on(table.ipAddress),
-    index("lockouts_locked_until_idx").on(table.lockedUntil)
-  ]
-);
-
-// src/registry/validator.ts
-var ConfigValidationError = class extends Error {
-  errors;
-  constructor(errors) {
-    super(`Configuration validation failed:
-${errors.join("\n")}`);
-    this.name = "ConfigValidationError";
-    this.errors = errors;
-  }
-};
-function validateCollection(config) {
-  const errors = [];
-  if (!config.slug) {
-    errors.push(`Collection is missing a "slug" property`);
-  } else if (!/^[a-z][a-z0-9_-]*$/.test(config.slug)) {
-    errors.push(`Collection slug "${config.slug}" must be lowercase alphanumeric with dashes`);
-  }
-  if (!config.fields || config.fields.length === 0) {
-    errors.push(`Collection "${config.slug}" has no fields defined`);
-  } else {
-    const fieldErrors = validateFields(config.fields, config.slug);
-    errors.push(...fieldErrors);
-  }
-  if (config.access) {
-    for (const [action, handler] of Object.entries(config.access)) {
-      if (typeof handler !== "boolean" && typeof handler !== "function") {
-        errors.push(`Collection "${config.slug}" has invalid access.${action} (must be boolean or function)`);
-      }
-    }
-  }
-  if (config.admin?.useAsTitle) {
-    const fieldExists = config.fields.some((f) => f.name === config.admin.useAsTitle);
-    if (!fieldExists) {
-      errors.push(`Collection "${config.slug}" admin.useAsTitle references unknown field "${config.admin.useAsTitle}"`);
-    }
-  }
-  if (config.admin?.defaultColumns) {
-    for (const col of config.admin.defaultColumns) {
-      const fieldExists = config.fields.some((f) => f.name === col);
-      if (!fieldExists) {
-        errors.push(`Collection "${config.slug}" admin.defaultColumns references unknown field "${col}"`);
-      }
-    }
-  }
-  if (config.upload) {
-    if (config.upload.fileSize && config.upload.fileSize <= 0) {
-      errors.push(`Collection "${config.slug}" upload.fileSize must be positive`);
-    }
-  }
-  if (config.versions) {
-    if (config.versions.maxPerDoc && config.versions.maxPerDoc <= 0) {
-      errors.push(`Collection "${config.slug}" versions.maxPerDoc must be positive`);
-    }
-  }
-  if (config.auth) {
-    const hasEmailField = config.fields.some((f) => f.name === "email");
-    const hasPasswordField = config.fields.some((f) => f.name === "password");
-    if (!hasEmailField) {
-      errors.push(`Collection "${config.slug}" with auth enabled requires an "email" field`);
-    }
-    if (!hasPasswordField) {
-      errors.push(`Collection "${config.slug}" with auth enabled requires a "password" field`);
-    }
-  }
-  return errors;
-}
-function validateGlobal(config) {
-  const errors = [];
-  if (!config.slug) {
-    errors.push(`Global is missing a "slug" property`);
-  } else if (!/^[a-z][a-z0-9_-]*$/.test(config.slug)) {
-    errors.push(`Global slug "${config.slug}" must be lowercase alphanumeric with dashes`);
-  }
-  if (!config.fields || config.fields.length === 0) {
-    errors.push(`Global "${config.slug}" has no fields defined`);
-  } else {
-    const fieldErrors = validateFields(config.fields, `global:${config.slug}`);
-    errors.push(...fieldErrors);
-  }
-  return errors;
-}
-function validateFields(fields, context) {
-  const errors = [];
-  const fieldNames = /* @__PURE__ */ new Set();
-  for (let i = 0; i < fields.length; i++) {
-    const field = fields[i];
-    if (field.type === "row" || field.type === "collapsible" || field.type === "tabs") {
-      if ("fields" in field && field.fields) {
-        const nestedErrors = validateFields(field.fields, context);
-        errors.push(...nestedErrors);
-      } else if ("tabs" in field) {
-        for (const tab of field.tabs) {
-          const tabErrors = validateFields(tab.fields, context);
-          errors.push(...tabErrors);
-        }
-      }
-      continue;
-    }
-    const fieldName = field.name;
-    if (!fieldName) {
-      errors.push(`${context}: Field at index ${i} is missing a "name" property`);
-      continue;
-    }
-    if (fieldNames.has(fieldName)) {
-      errors.push(`${context}: Duplicate field name "${fieldName}"`);
-    }
-    fieldNames.add(fieldName);
-    if (!/^[a-zA-Z][a-zA-Z0-9_]*$/.test(fieldName)) {
-      errors.push(`${context}: Field name "${fieldName}" must be alphanumeric with underscores`);
-    }
-    if (!field.type) {
-      errors.push(`${context}: Field "${fieldName}" is missing a "type" property`);
-      continue;
-    }
-    switch (field.type) {
-      case "relationship":
-        if (!field.relationTo) {
-          errors.push(`${context}: Relationship field "${fieldName}" is missing "relationTo"`);
-        }
-        break;
-      case "array":
-        if (!field.fields || field.fields.length === 0) {
-          errors.push(`${context}: Array field "${fieldName}" has no fields defined`);
-        } else {
-          const arrayErrors = validateFields(field.fields, `${context}.${fieldName}`);
-          errors.push(...arrayErrors);
-        }
-        break;
-      case "group":
-        if (!field.fields || field.fields.length === 0) {
-          errors.push(`${context}: Group field "${fieldName}" has no fields defined`);
-        } else {
-          const groupErrors = validateFields(field.fields, `${context}.${fieldName}`);
-          errors.push(...groupErrors);
-        }
-        break;
-      case "blocks":
-        if (!field.blocks || field.blocks.length === 0) {
-          errors.push(`${context}: Blocks field "${fieldName}" has no blocks defined`);
-        } else {
-          const blockErrors = validateBlocks(field.blocks, `${context}.${fieldName}`);
-          errors.push(...blockErrors);
-        }
-        break;
-      case "select":
-      case "radio":
-        if (!field.options || field.options.length === 0) {
-          errors.push(`${context}: ${field.type} field "${fieldName}" has no options defined`);
-        } else {
-          const values = field.options.map((o) => o.value);
-          const uniqueValues = new Set(values);
-          if (values.length !== uniqueValues.size) {
-            errors.push(`${context}: ${field.type} field "${fieldName}" has duplicate option values`);
-          }
-        }
-        break;
-      case "upload":
-        if (!field.relationTo) {
-          errors.push(`${context}: Upload field "${fieldName}" is missing "relationTo"`);
-        }
-        break;
-    }
-    if ("min" in field && "max" in field && field.min > field.max) {
-      errors.push(`${context}: Field "${fieldName}" has min greater than max`);
-    }
-    if ("minLength" in field && "maxLength" in field && field.minLength > field.maxLength) {
-      errors.push(`${context}: Field "${fieldName}" has minLength greater than maxLength`);
-    }
-    if ("minRows" in field && "maxRows" in field && field.minRows > field.maxRows) {
-      errors.push(`${context}: Field "${fieldName}" has minRows greater than maxRows`);
-    }
-  }
-  return errors;
-}
-function validateBlocks(blocks, context) {
-  const errors = [];
-  const slugs = /* @__PURE__ */ new Set();
-  for (const block of blocks) {
-    if (!block.slug) {
-      errors.push(`${context}: Block is missing a "slug" property`);
-      continue;
-    }
-    if (slugs.has(block.slug)) {
-      errors.push(`${context}: Duplicate block slug "${block.slug}"`);
-    }
-    slugs.add(block.slug);
-    if (!block.label) {
-      errors.push(`${context}: Block "${block.slug}" is missing a "label" property`);
-    }
-    if (!block.fields || block.fields.length === 0) {
-      errors.push(`${context}: Block "${block.slug}" has no fields defined`);
-    } else {
-      const blockErrors = validateFields(block.fields, `${context}.${block.slug}`);
-      errors.push(...blockErrors);
-    }
-  }
-  return errors;
-}
-function validateConfig(collections, globals = []) {
-  const errors = [];
-  const slugs = /* @__PURE__ */ new Set();
-  for (const collection of collections) {
-    if (slugs.has(collection.slug)) {
-      errors.push(`Duplicate collection slug "${collection.slug}"`);
-    }
-    slugs.add(collection.slug);
-  }
-  for (const global of globals) {
-    if (slugs.has(global.slug)) {
-      errors.push(`Duplicate global slug "${global.slug}"`);
-    }
-    slugs.add(global.slug);
-  }
-  for (const collection of collections) {
-    const collectionErrors = validateCollection(collection);
-    errors.push(...collectionErrors);
-  }
-  for (const global of globals) {
-    const globalErrors = validateGlobal(global);
-    errors.push(...globalErrors);
-  }
-  for (const collection of collections) {
-    const relationshipErrors = validateRelationships(collection.fields, collections);
-    errors.push(...relationshipErrors);
-  }
-  if (errors.length > 0) {
-    throw new ConfigValidationError(errors);
-  }
-}
-function validateRelationships(fields, collections) {
-  const errors = [];
-  const collectionSlugs = new Set(collections.map((c) => c.slug));
-  for (const field of fields) {
-    if (field.type === "relationship") {
-      const targets = Array.isArray(field.relationTo) ? field.relationTo : [field.relationTo];
-      for (const target of targets) {
-        if (!collectionSlugs.has(target)) {
-          errors.push(`Relationship field "${field.name}" references unknown collection "${target}"`);
-        }
-      }
-    }
-    if (field.type === "upload") {
-      const targets = Array.isArray(field.relationTo) ? field.relationTo : [field.relationTo];
-      for (const target of targets) {
-        if (!collectionSlugs.has(target)) {
-          errors.push(`Upload field "${field.name}" references unknown collection "${target}"`);
-        }
-      }
-    }
-    if ("fields" in field && field.fields) {
-      const nestedErrors = validateRelationships(field.fields, collections);
-      errors.push(...nestedErrors);
-    }
-    if ("tabs" in field) {
-      for (const tab of field.tabs) {
-        const tabErrors = validateRelationships(tab.fields, collections);
-        errors.push(...tabErrors);
-      }
-    }
-    if ("blocks" in field) {
-      for (const block of field.blocks) {
-        const blockErrors = validateRelationships(block.fields, collections);
-        errors.push(...blockErrors);
-      }
-    }
-  }
-  return errors;
-}
-function fieldToZod(field) {
-  switch (field.type) {
-    case "text":
-      return textToZod(field);
-    case "number":
-      return numberToZod(field);
-    case "checkbox":
-      return checkboxToZod(field);
-    case "date":
-      return dateToZod(field);
-    case "email":
-      return emailToZod(field);
-    case "password":
-      return passwordToZod(field);
-    case "textarea":
-      return textareaToZod(field);
-    case "select":
-      return selectToZod(field);
-    case "radio":
-      return radioToZod(field);
-    case "color":
-      return colorToZod(field);
-    case "richtext":
-      return richTextToZod(field);
-    case "json":
-      return jsonToZod(field);
-    case "code":
-      return codeToZod(field);
-    case "upload":
-      return uploadToZod(field);
-    case "markdown":
-      return markdownToZod(field);
-    case "relationship":
-      return relationshipToZod(field);
-    case "array":
-      return arrayToZod(field);
-    case "group":
-      return groupToZod(field);
-    case "blocks":
-      return blocksToZod(field);
-    case "row":
-      return rowToZod(field);
-    case "collapsible":
-      return collapsibleToZod(field);
-    case "tabs":
-      return tabsToZod(field);
-    default:
-      return z.any();
-  }
-}
-function textToZod(field) {
-  let schema = z.string();
-  if (field.minLength) schema = schema.min(field.minLength);
-  if (field.maxLength) schema = schema.max(field.maxLength);
-  if (field.pattern) schema = schema.regex(new RegExp(field.pattern));
-  if (field.variant === "email") schema = schema.email();
-  if (field.variant === "url") schema = schema.url();
-  if (field.hasMany) schema = z.array(schema);
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function numberToZod(field) {
-  let schema = field.integer ? z.number().int() : z.number();
-  if (field.min !== void 0) schema = schema.min(field.min);
-  if (field.max !== void 0) schema = schema.max(field.max);
-  if (field.step) {
-    schema = schema.refine(
-      (val) => Number.isInteger(val / field.step),
-      `Value must be divisible by ${field.step}`
-    );
-  }
-  if (field.hasMany) schema = z.array(schema);
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function checkboxToZod(field) {
-  let schema = z.boolean();
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function dateToZod(field) {
-  let schema = z.string().refine(
-    (val) => !isNaN(Date.parse(val)),
-    "Invalid date format"
-  );
-  if (field.minDate) {
-    schema = schema.refine(
-      (val) => new Date(val) >= new Date(field.minDate),
-      `Date must be after ${field.minDate}`
-    );
-  }
-  if (field.maxDate) {
-    schema = schema.refine(
-      (val) => new Date(val) <= new Date(field.maxDate),
-      `Date must be before ${field.maxDate}`
-    );
-  }
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function emailToZod(field) {
-  let schema = z.string().email("Invalid email");
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function passwordToZod(field) {
-  let schema = z.string().min(6, "Password must be at least 6 characters");
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function textareaToZod(field) {
-  let schema = z.string();
-  if (field.minLength) schema = schema.min(field.minLength);
-  if (field.maxLength) schema = schema.max(field.maxLength);
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function selectToZod(field) {
-  const values = field.options.map((opt) => opt.value);
-  let schema;
-  if (field.hasMany) {
-    schema = z.array(z.enum(values));
-  } else {
-    schema = z.enum(values);
-  }
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function radioToZod(field) {
-  const values = field.options.map((opt) => opt.value);
-  let schema = z.enum(values);
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function colorToZod(field) {
-  let schema = z.string();
-  if (field.format === "hex") schema = schema.regex(/^#[0-9A-Fa-f]{6}$/);
-  if (field.format === "rgb") schema = schema.regex(/^rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\)$/);
-  if (field.format === "hsl") schema = schema.regex(/^hsl\(\s*\d{1,3}\s*,\s*\d{1,3}%\s*,\s*\d{1,3}%\s*\)$/);
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function richTextToZod(field) {
-  let schema = z.array(z.object({
-    type: z.string(),
-    data: z.record(z.any()),
-    children: z.array(z.any()).optional()
-  }));
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function jsonToZod(field) {
-  let schema = z.record(z.any());
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function codeToZod(field) {
-  let schema = z.string();
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function uploadToZod(field) {
-  let schema = z.string();
-  if (field.hasMany) schema = z.array(z.string());
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function markdownToZod(field) {
-  let schema = z.string();
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function relationshipToZod(field) {
-  let schema = z.string();
-  if (Array.isArray(field.relationTo)) {
-    schema = z.object({
-      relationTo: z.enum(field.relationTo),
-      value: z.string()
-    });
-  }
-  if (field.hasMany) schema = z.array(schema);
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function arrayToZod(field) {
-  const itemSchema = z.object(
-    Object.fromEntries(
-      field.fields.filter((f) => f.name).map((f) => [f.name, fieldToZod(f)])
-    )
-  );
-  let schema = z.array(itemSchema);
-  if (field.minRows) schema = schema.min(field.minRows);
-  if (field.maxRows) schema = schema.max(field.maxRows);
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function groupToZod(field) {
-  const schema = z.object(
-    Object.fromEntries(
-      field.fields.filter((f) => f.name).map((f) => [f.name, fieldToZod(f)])
-    )
-  );
-  if (!field.required) return schema.optional();
-  return schema;
-}
-function blocksToZod(field) {
-  const blockSchemas = field.blocks.map((block) => {
-    return z.object({
-      blockType: z.literal(block.slug),
-      ...Object.fromEntries(
-        block.fields.filter((f) => f.name).map((f) => [f.name, fieldToZod(f)])
-      )
-    });
-  });
-  let schema = z.array(z.discriminatedUnion("blockType", blockSchemas));
-  if (field.minRows) schema = schema.min(field.minRows);
-  if (field.maxRows) schema = schema.max(field.maxRows);
-  if (!field.required) schema = schema.optional();
-  if (field.validate) schema = addCustomValidation(schema, field.validate);
-  return schema;
-}
-function rowToZod(field) {
-  const schema = z.object(
-    Object.fromEntries(
-      field.fields.filter((f) => f.name).map((f) => [f.name, fieldToZod(f)])
-    )
-  );
-  return schema;
-}
-function collapsibleToZod(field) {
-  const schema = z.object(
-    Object.fromEntries(
-      field.fields.filter((f) => f.name).map((f) => [f.name, fieldToZod(f)])
-    )
-  );
-  return schema;
-}
-function tabsToZod(field) {
-  const schemas = {};
-  for (const tab of field.tabs) {
-    for (const f of tab.fields) {
-      if (f.name) {
-        schemas[f.name] = fieldToZod(f);
-      }
-    }
-  }
-  return z.object(schemas);
-}
-function addCustomValidation(schema, validate) {
-  return schema.refine(
-    async (val) => {
-      const result = await validate(val, { required: false });
-      return result === true;
-    },
-    {
-      message: "Custom validation failed"
-    }
-  );
-}
-function collectionToZod(collection) {
-  const shape = {};
-  for (const field of collection.fields) {
-    if (field.name) {
-      shape[field.name] = fieldToZod(field);
-    }
-  }
-  if (collection.timestamps) {
-    shape["createdAt"] = z.string().optional();
-    shape["updatedAt"] = z.string().optional();
-  }
-  if (collection.tenantScoped) {
-    shape["tenantID"] = z.string().optional();
-  }
-  shape["id"] = z.string().optional();
-  return z.object(shape);
-}
-function collectionToCreateZod(collection) {
-  const shape = {};
-  for (const field of collection.fields) {
-    if (field.name) {
-      shape[field.name] = fieldToZod(field);
-    }
-  }
-  return z.object(shape);
-}
-function collectionToUpdateZod(collection) {
-  const shape = {};
-  for (const field of collection.fields) {
-    if (field.name) {
-      shape[field.name] = fieldToZod(field).optional();
-    }
-  }
-  return z.object(shape);
-}
-function collectionToWhereZod(collection) {
-  const shape = {};
-  for (const field of collection.fields) {
-    if (field.name) {
-      shape[field.name] = z.object({
-        equals: z.any().optional(),
-        not_equals: z.any().optional(),
-        in: z.array(z.any()).optional(),
-        not_in: z.array(z.any()).optional(),
-        greater_than: z.number().optional(),
-        greater_than_equal: z.number().optional(),
-        less_than: z.number().optional(),
-        less_than_equal: z.number().optional(),
-        like: z.string().optional(),
-        not_like: z.string().optional(),
-        contains: z.string().optional(),
-        exists: z.boolean().optional()
-      }).optional();
-    }
-  }
-  shape["AND"] = z.array(z.lazy(() => z.object(shape))).optional();
-  shape["OR"] = z.array(z.lazy(() => z.object(shape))).optional();
-  return z.object(shape).optional();
-}
-function globalToZod(global) {
-  const shape = {};
-  for (const field of global.fields) {
-    if (field.name) {
-      shape[field.name] = fieldToZod(field);
-    }
-  }
-  shape["id"] = z.string().optional();
-  return z.object(shape);
-}
-
-// src/registry/index.ts
-var Registry = class {
-  collections = /* @__PURE__ */ new Map();
-  globals = /* @__PURE__ */ new Map();
-  plugins = [];
-  schemaCache = /* @__PURE__ */ new Map();
-  initialized = false;
-  // ========================================================================
-  // Collection Management
-  // ========================================================================
-  addCollection(config) {
-    if (this.initialized) {
-      throw new Error("Cannot add collections after Registry has been initialized");
-    }
-    let finalConfig = { ...config };
-    for (const plugin of this.plugins) {
-      if (plugin.extendCollection) {
-        finalConfig = plugin.extendCollection(finalConfig.slug, finalConfig);
-      }
-    }
-    finalConfig.fields = this.applyFieldDefaults(finalConfig);
-    const errors = validateCollection(finalConfig);
-    if (errors.length > 0) {
-      throw new Error(`Invalid collection config: ${errors.join(", ")}`);
-    }
-    this.collections.set(finalConfig.slug, finalConfig);
-    this.clearSchemaCache(finalConfig.slug);
-  }
-  addCollections(configs) {
-    for (const config of configs) {
-      this.addCollection(config);
-    }
-  }
-  getCollection(slug) {
-    return this.collections.get(slug);
-  }
-  getCollections() {
-    return Array.from(this.collections.values());
-  }
-  getCollectionSlugs() {
-    return Array.from(this.collections.keys());
-  }
-  hasCollection(slug) {
-    return this.collections.has(slug);
-  }
-  removeCollection(slug) {
-    if (this.initialized) {
-      throw new Error("Cannot remove collections after Registry has been initialized");
-    }
-    this.clearSchemaCache(slug);
-    return this.collections.delete(slug);
-  }
-  // ========================================================================
-  // Global Management
-  // ========================================================================
-  addGlobal(config) {
-    if (this.initialized) {
-      throw new Error("Cannot add globals after Registry has been initialized");
-    }
-    const errors = validateGlobal(config);
-    if (errors.length > 0) {
-      throw new Error(`Invalid global config: ${errors.join(", ")}`);
-    }
-    let finalConfig = { ...config };
-    for (const plugin of this.plugins) {
-      if (plugin.extendGlobal) {
-        finalConfig = plugin.extendGlobal(finalConfig.slug, finalConfig);
-      }
-    }
-    this.globals.set(finalConfig.slug, finalConfig);
-    this.clearSchemaCache(`global:${finalConfig.slug}`);
-  }
-  addGlobals(configs) {
-    for (const config of configs) {
-      this.addGlobal(config);
-    }
-  }
-  getGlobal(slug) {
-    return this.globals.get(slug);
-  }
-  getGlobals() {
-    return Array.from(this.globals.values());
-  }
-  getGlobalSlugs() {
-    return Array.from(this.globals.keys());
-  }
-  hasGlobal(slug) {
-    return this.globals.has(slug);
-  }
-  removeGlobal(slug) {
-    if (this.initialized) {
-      throw new Error("Cannot remove globals after Registry has been initialized");
-    }
-    this.clearSchemaCache(`global:${slug}`);
-    return this.globals.delete(slug);
-  }
-  // ========================================================================
-  // Plugin Management
-  // ========================================================================
-  addPlugin(plugin) {
-    if (this.initialized) {
-      throw new Error("Cannot add plugins after Registry has been initialized");
-    }
-    this.plugins.push(plugin);
-  }
-  getPlugins() {
-    return [...this.plugins];
-  }
-  // ========================================================================
-  // Schema Generation
-  // ========================================================================
-  getZodSchema(slug) {
-    const cached = this.schemaCache.get(slug);
-    if (cached) return cached;
-    const collection = this.collections.get(slug);
-    if (collection) {
-      const schema = collectionToZod(collection);
-      this.schemaCache.set(slug, schema);
-      return schema;
-    }
-    const global = this.globals.get(slug);
-    if (global) {
-      const schema = globalToZod(global);
-      this.schemaCache.set(`global:${slug}`, schema);
-      return schema;
-    }
-    throw new Error(`No collection or global found with slug "${slug}"`);
-  }
-  getCreateZodSchema(slug) {
-    const cacheKey = `${slug}:create`;
-    const cached = this.schemaCache.get(cacheKey);
-    if (cached) return cached;
-    const collection = this.collections.get(slug);
-    if (collection) {
-      const schema = collectionToCreateZod(collection);
-      this.schemaCache.set(cacheKey, schema);
-      return schema;
-    }
-    throw new Error(`No collection found with slug "${slug}"`);
-  }
-  getUpdateZodSchema(slug) {
-    const cacheKey = `${slug}:update`;
-    const cached = this.schemaCache.get(cacheKey);
-    if (cached) return cached;
-    const collection = this.collections.get(slug);
-    if (collection) {
-      const schema = collectionToUpdateZod(collection);
-      this.schemaCache.set(cacheKey, schema);
-      return schema;
-    }
-    throw new Error(`No collection found with slug "${slug}"`);
-  }
-  getWhereZodSchema(slug) {
-    const cacheKey = `${slug}:where`;
-    const cached = this.schemaCache.get(cacheKey);
-    if (cached) return cached;
-    const collection = this.collections.get(slug);
-    if (collection) {
-      const schema = collectionToWhereZod(collection);
-      this.schemaCache.set(cacheKey, schema);
-      return schema;
-    }
-    throw new Error(`No collection found with slug "${slug}"`);
-  }
-  getFieldZodSchema(field) {
-    return fieldToZod(field);
-  }
-  clearSchemaCache(slug) {
-    this.schemaCache.delete(slug);
-    this.schemaCache.delete(`${slug}:create`);
-    this.schemaCache.delete(`${slug}:update`);
-    this.schemaCache.delete(`${slug}:where`);
-  }
-  // ========================================================================
-  // Field Helpers
-  // ========================================================================
-  applyFieldDefaults(config) {
-    const fields = [...config.fields];
-    if (!fields.some((f) => f.name === "id")) {
-      fields.unshift({
-        name: "id",
-        type: "text",
-        admin: { readOnly: true, hidden: true }
-      });
-    }
-    if (config.tenantScoped && !fields.some((f) => f.name === "tenantID")) {
-      fields.push({
-        name: "tenantID",
-        type: "text",
-        required: true,
-        admin: { readOnly: true, hidden: true }
-      });
-    }
-    if (config.timestamps && !fields.some((f) => f.name === "createdAt")) {
-      fields.push({
-        name: "createdAt",
-        type: "date",
-        admin: { readOnly: true, hidden: true }
-      });
-      fields.push({
-        name: "updatedAt",
-        type: "date",
-        admin: { readOnly: true, hidden: true }
-      });
-    }
-    return fields;
-  }
-  getFields(slug) {
-    const collection = this.collections.get(slug);
-    if (collection) return collection.fields;
-    const global = this.globals.get(slug);
-    if (global) return global.fields;
-    throw new Error(`No collection or global found with slug "${slug}"`);
-  }
-  getFieldMap(slug) {
-    const fields = this.getFields(slug);
-    const map = /* @__PURE__ */ new Map();
-    const addFields = (fields2) => {
-      for (const field of fields2) {
-        if (field.name) {
-          map.set(field.name, field);
-        }
-        if ("fields" in field && field.fields) {
-          addFields(field.fields);
-        }
-        if ("tabs" in field) {
-          for (const tab of field.tabs) {
-            addFields(tab.fields);
-          }
-        }
-        if ("blocks" in field) {
-          for (const block of field.blocks) {
-            addFields(block.fields);
-          }
-        }
-      }
-    };
-    addFields(fields);
-    return map;
-  }
-  getVisibleFields(slug) {
-    const fields = this.getFields(slug);
-    return fields.filter((f) => !f.admin?.hidden);
-  }
-  // ========================================================================
-  // Initialization
-  // ========================================================================
-  validate() {
-    const collections = this.getCollections();
-    const globals = this.getGlobals();
-    validateConfig(collections, globals);
-  }
-  async init() {
-    this.validate();
-    for (const plugin of this.plugins) {
-      if (plugin.init) {
-        await plugin.init(this);
-      }
-    }
-    this.initialized = true;
-  }
-  isInitialized() {
-    return this.initialized;
-  }
-  // ========================================================================
-  // Query Helpers
-  // ========================================================================
-  getPaginationDefaults(slug) {
-    const collection = this.collections.get(slug);
-    return {
-      defaultLimit: collection?.admin?.pagination?.defaultLimit || 10,
-      limits: collection?.admin?.pagination?.limits || [10, 25, 50, 100]
-    };
-  }
-  getDefaultSort(slug) {
-    const collection = this.collections.get(slug);
-    const useAsTitle = collection?.admin?.useAsTitle;
-    if (useAsTitle) return useAsTitle;
-    return "createdAt";
-  }
-  getDefaultColumns(slug) {
-    const collection = this.collections.get(slug);
-    if (collection?.admin?.defaultColumns) {
-      return collection.admin.defaultColumns;
-    }
-    const fields = this.getVisibleFields(slug);
-    return fields.slice(0, 4).map((f) => f.name);
-  }
-  // ========================================================================
-  // Admin Helpers
-  // ========================================================================
-  getAdminTitle(slug) {
-    const collection = this.collections.get(slug);
-    return collection?.label || collection?.admin?.description || slug;
-  }
-  getAdminLabel(slug) {
-    const collection = this.collections.get(slug);
-    return collection?.singularLabel || collection?.label || slug;
-  }
-  getAdminGroup(slug) {
-    return this.collections.get(slug)?.admin?.group;
-  }
-  // ========================================================================
-  // Debug / Stats
-  // ========================================================================
-  getStats() {
-    let totalFields = 0;
-    for (const collection of this.collections.values()) {
-      totalFields += collection.fields.length;
-    }
-    for (const global of this.globals.values()) {
-      totalFields += global.fields.length;
-    }
-    return {
-      collections: this.collections.size,
-      globals: this.globals.size,
-      plugins: this.plugins.length,
-      fields: totalFields
-    };
-  }
-  toJSON() {
-    return {
-      collections: this.getCollections(),
-      globals: this.getGlobals()
-    };
-  }
-};
-var instance = null;
-function getRegistry() {
-  if (!instance) {
-    instance = new Registry();
-  }
-  return instance;
-}
-
-// src/auth/security/lockout.ts
-var DEFAULT_LOCKOUT_CONFIG = {
-  maxAttempts: 5,
-  lockDuration: 9e5,
-  notifyUser: true,
-  notifyAdmin: true,
-  adminNotifyAfter: 3
-};
-var AccountLockout = class {
-  redis;
-  prefix;
-  config;
-  constructor(redis, config = {}, prefix = "kyro:lockout:") {
-    this.redis = redis;
-    this.prefix = prefix;
-    this.config = { ...DEFAULT_LOCKOUT_CONFIG, ...config };
-  }
-  lockKey(userId) {
-    return `${this.prefix}${userId}`;
-  }
-  historyKey(userId) {
-    return `${this.prefix}${userId}:history`;
-  }
-  async checkLockout(userId) {
-    const key = this.lockKey(userId);
-    const data = await this.redis.hgetall(key);
-    if (!data || Object.keys(data).length === 0) {
-      return {
-        locked: false,
-        attemptsRemaining: this.config.maxAttempts,
-        totalAttempts: 0
-      };
-    }
-    const attempts = parseInt(data.attempts, 10);
-    const lockedUntil = data.lockedUntil ? new Date(parseInt(data.lockedUntil, 10)) : void 0;
-    if (lockedUntil && lockedUntil > /* @__PURE__ */ new Date()) {
-      return {
-        locked: true,
-        attemptsRemaining: 0,
-        lockedUntil,
-        totalAttempts: attempts
-      };
-    }
-    if (lockedUntil && lockedUntil <= /* @__PURE__ */ new Date()) {
-      await this.unlockAccount(userId);
-      return {
-        locked: false,
-        attemptsRemaining: this.config.maxAttempts,
-        totalAttempts: 0
-      };
-    }
-    return {
-      locked: false,
-      attemptsRemaining: Math.max(0, this.config.maxAttempts - attempts),
-      totalAttempts: attempts
-    };
-  }
-  async recordFailedAttempt(userId) {
-    const key = this.lockKey(userId);
-    const historyKey = this.historyKey(userId);
-    const now = Date.now();
-    const current = await this.redis.hincrby(key, "attempts", 1);
-    await this.redis.hset(key, "lastAttempt", now.toString());
-    await this.redis.lpush(historyKey, now.toString());
-    await this.redis.ltrim(historyKey, 0, 99);
-    if (current >= this.config.maxAttempts) {
-      const lockedUntil = new Date(now + this.config.lockDuration);
-      await this.redis.hset(key, {
-        lockedAt: now.toString(),
-        lockedUntil: lockedUntil.getTime().toString()
-      });
-      await this.redis.expire(
-        key,
-        Math.ceil(this.config.lockDuration / 1e3) + 3600
-      );
-      return {
-        locked: true,
-        attemptsRemaining: 0,
-        lockedUntil,
-        totalAttempts: current
-      };
-    }
-    return {
-      locked: false,
-      attemptsRemaining: Math.max(0, this.config.maxAttempts - current),
-      totalAttempts: current
-    };
-  }
-  async lockAccount(userId, duration) {
-    const key = this.lockKey(userId);
-    const now = Date.now();
-    const lockDuration = duration || this.config.lockDuration;
-    const lockedUntil = new Date(now + lockDuration);
-    const pipeline = this.redis.pipeline();
-    pipeline.hset(key, {
-      attempts: this.config.maxAttempts.toString(),
-      lockedAt: now.toString(),
-      lockedUntil: lockedUntil.getTime().toString()
-    });
-    pipeline.expire(key, Math.ceil(lockDuration / 1e3) + 3600);
-    await pipeline.exec();
-  }
-  async unlockAccount(userId) {
-    const key = this.lockKey(userId);
-    await this.redis.del(key);
-  }
-  async resetAttempts(userId) {
-    const key = this.lockKey(userId);
-    const data = await this.redis.hgetall(key);
-    if (data.lockedAt) {
-      await this.redis.hset(key, {
-        attempts: "0",
-        lockedAt: "",
-        lockedUntil: ""
-      });
-    } else {
-      await this.redis.del(key);
-    }
-  }
-  async getLockoutHistory(userId, limit = 10) {
-    const historyKey = this.historyKey(userId);
-    const timestamps = await this.redis.lrange(historyKey, 0, limit - 1);
-    return timestamps.map((ts) => new Date(parseInt(ts, 10)));
-  }
-  async getLockoutStats(userId) {
-    const historyKey = this.historyKey(userId);
-    const timestamps = await this.redis.lrange(historyKey, 0, -1);
-    const lockouts = timestamps.filter((_, i) => {
-      const attemptNum = i + 1;
-      return attemptNum % this.config.maxAttempts === 0;
-    }).length;
-    const lastLockoutData = await this.redis.hget(
-      this.lockKey(userId),
-      "lockedAt"
-    );
-    return {
-      totalFailedAttempts: timestamps.length,
-      lockoutCount: lockouts,
-      lastLockout: lastLockoutData ? new Date(parseInt(lastLockoutData, 10)) : null,
-      averageAttemptsBeforeLockout: lockouts > 0 ? this.config.maxAttempts : 0
-    };
-  }
-  shouldNotifyAdmin(currentAttempts) {
-    return this.config.notifyAdmin && currentAttempts >= this.config.adminNotifyAfter;
-  }
-  getConfig() {
-    return { ...this.config };
-  }
-  setConfig(config) {
-    this.config = { ...this.config, ...config };
-  }
-};
-
-// src/auth/security/rate-limit.ts
-var DEFAULT_RATE_LIMITS = {
-  "auth:login": { window: 9e5, max: 5 },
-  "auth:register": { window: 36e5, max: 3 },
-  "auth:forgot": { window: 36e5, max: 3 },
-  "auth:reset": { window: 36e5, max: 5 },
-  "auth:verify": { window: 36e5, max: 5 },
-  "api:general": { window: 6e4, max: 100 },
-  "api:authenticated": { window: 6e4, max: 200 }
-};
-var RateLimiter = class {
-  redis;
-  prefix;
-  limits;
-  userLimits;
-  constructor(redis, limits, userLimits, prefix = "kyro:ratelimit:") {
-    this.redis = redis;
-    this.prefix = prefix;
-    this.limits = { ...DEFAULT_RATE_LIMITS, ...limits };
-    this.userLimits = userLimits || {
-      "user:api": { window: 6e4, max: 500 },
-      "user:write": { window: 36e5, max: 100 }
-    };
-  }
-  getKey(type, identifier) {
-    return `${this.prefix}${type}:${identifier}`;
-  }
-  async check(type, identifier) {
-    const config = this.limits[type] || this.limits["api:general"];
-    const key = this.getKey(type, identifier);
-    const now = Date.now();
-    const windowStart = now - config.window;
-    const pipeline = this.redis.pipeline();
-    pipeline.zremrangebyscore(key, 0, windowStart);
-    pipeline.zcard(key);
-    pipeline.zadd(key, now, `${now}:${Math.random()}`);
-    pipeline.expire(key, Math.ceil(config.window / 1e3) + 1);
-    const results = await pipeline.exec();
-    const count = results?.[1]?.[1] || 0;
-    if (count >= config.max) {
-      const oldestTimestamp = await this.redis.zrange(key, 0, 0, "WITHSCORES");
-      const resetAt = oldestTimestamp.length > 1 ? parseInt(oldestTimestamp[1], 10) + config.window : now + config.window;
-      return {
-        allowed: false,
-        remaining: 0,
-        resetAt,
-        retryAfter: Math.ceil((resetAt - now) / 1e3)
-      };
-    }
-    return {
-      allowed: true,
-      remaining: config.max - count - 1,
-      resetAt: now + config.window
-    };
-  }
-  async checkUser(type, userId, identifier) {
-    const config = this.userLimits[type] || this.userLimits["user:api"];
-    const key = this.getKey(`user:${type}:${userId}`, identifier);
-    const now = Date.now();
-    const windowStart = now - config.window;
-    const pipeline = this.redis.pipeline();
-    pipeline.zremrangebyscore(key, 0, windowStart);
-    pipeline.zcard(key);
-    pipeline.zadd(key, now, `${now}:${Math.random()}`);
-    pipeline.expire(key, Math.ceil(config.window / 1e3) + 1);
-    const results = await pipeline.exec();
-    const count = results?.[1]?.[1] || 0;
-    if (count >= config.max) {
-      const oldestTimestamp = await this.redis.zrange(key, 0, 0, "WITHSCORES");
-      const resetAt = oldestTimestamp.length > 1 ? parseInt(oldestTimestamp[1], 10) + config.window : now + config.window;
-      return {
-        allowed: false,
-        remaining: 0,
-        resetAt,
-        retryAfter: Math.ceil((resetAt - now) / 1e3)
-      };
-    }
-    return {
-      allowed: true,
-      remaining: config.max - count - 1,
-      resetAt: now + config.window
-    };
-  }
-  async reset(type, identifier) {
-    const key = this.getKey(type, identifier);
-    await this.redis.del(key);
-  }
-  async resetUser(type, userId, identifier) {
-    const key = this.getKey(`user:${type}:${userId}`, identifier);
-    await this.redis.del(key);
-  }
-  async getStatus(type, identifier) {
-    const config = this.limits[type] || this.limits["api:general"];
-    const key = this.getKey(type, identifier);
-    const now = Date.now();
-    const windowStart = now - config.window;
-    await this.redis.zremrangebyscore(key, 0, windowStart);
-    const count = await this.redis.zcard(key);
-    return {
-      count,
-      limit: config.max,
-      remaining: Math.max(0, config.max - count),
-      resetAt: now + config.window
-    };
-  }
-  setLimit(type, config) {
-    this.limits[type] = config;
-  }
-  setUserLimit(type, config) {
-    this.userLimits[type] = config;
-  }
-};
-var AuditLogger = class {
-  redis;
-  prefix;
-  retentionDays;
-  constructor(redis, retentionDays = 30, prefix = "kyro:audit:") {
-    this.redis = redis;
-    this.prefix = prefix;
-    this.retentionDays = retentionDays;
-  }
-  async log(data) {
-    const id = randomBytes(16).toString("hex");
-    const timestamp = /* @__PURE__ */ new Date();
-    const log = {
-      ...data,
-      id,
-      timestamp
-    };
-    const key = this.getKeyForDate(timestamp);
-    const hashKey = `${this.prefix}log:${id}`;
-    await this.redis.hset(hashKey, this.serializeLog(log));
-    await this.redis.expire(hashKey, this.retentionDays * 24 * 60 * 60 + 3600);
-    await this.redis.zadd(key, timestamp.getTime(), id);
-    await this.redis.expire(key, this.retentionDays * 24 * 60 * 60 + 3600);
-    const userIndex = data.userId ? `${this.prefix}user:${data.userId}` : null;
-    if (userIndex) {
-      await this.redis.zadd(userIndex, timestamp.getTime(), id);
-      await this.redis.expire(
-        userIndex,
-        this.retentionDays * 24 * 60 * 60 + 3600
-      );
-    }
-    return id;
-  }
-  async get(id) {
-    const hashKey = `${this.prefix}log:${id}`;
-    const data = await this.redis.hgetall(hashKey);
-    if (!data || Object.keys(data).length === 0) {
-      return null;
-    }
-    return this.deserializeLog(data);
-  }
-  async query(filter = {}) {
-    const { limit = 50, offset = 0 } = filter;
-    let keys = [];
-    if (filter.userId) {
-      keys.push(`${this.prefix}user:${filter.userId}`);
-    } else if (filter.startDate || filter.endDate) {
-      keys = this.getKeysForDateRange(filter.startDate, filter.endDate);
-    } else {
-      const now = /* @__PURE__ */ new Date();
-      keys = this.getKeysForDateRange(
-        new Date(now.getTime() - this.retentionDays * 24 * 60 * 60 * 1e3),
-        now
-      );
-    }
-    let idScores = [];
-    for (const key of keys) {
-      const items = await this.redis.zrange(key, 0, -1, "WITHSCORES");
-      for (let i = 0; i < items.length; i += 2) {
-        idScores.push([items[i], parseInt(items[i + 1], 10)]);
-      }
-    }
-    idScores.sort((a, b) => b[1] - a[1]);
-    const total = idScores.length;
-    idScores = idScores.slice(offset, offset + limit);
-    const logs = [];
-    for (const [id] of idScores) {
-      const log = await this.get(id);
-      if (log) {
-        if (this.matchesFilter(log, filter)) {
-          logs.push(log);
-        }
-      }
-    }
-    return { logs, total };
-  }
-  async getRecent(limit = 50) {
-    const logs = [];
-    const now = /* @__PURE__ */ new Date();
-    const keys = this.getKeysForDateRange(
-      new Date(now.getTime() - 7 * 24 * 60 * 60 * 1e3),
-      now
-    );
-    let allIds = [];
-    for (const key of keys) {
-      const items = await this.redis.zrange(key, 0, -1, "WITHSCORES");
-      for (let i = 0; i < items.length; i += 2) {
-        allIds.push([items[i], parseInt(items[i + 1], 10)]);
-      }
-    }
-    allIds.sort((a, b) => b[1] - a[1]);
-    for (const [id] of allIds.slice(0, limit)) {
-      const log = await this.get(id);
-      if (log) logs.push(log);
-    }
-    return logs;
-  }
-  async getUserActivity(userId, limit = 50) {
-    const key = `${this.prefix}user:${userId}`;
-    const ids = await this.redis.zrange(key, 0, limit - 1);
-    const logs = [];
-    for (const id of ids) {
-      const log = await this.get(id);
-      if (log) logs.push(log);
-    }
-    return logs;
-  }
-  async getStats(startDate, endDate) {
-    const keys = this.getKeysForDateRange(
-      startDate || new Date(Date.now() - 30 * 24 * 60 * 60 * 1e3),
-      endDate || /* @__PURE__ */ new Date()
-    );
-    const byAction = {};
-    let totalEvents = 0;
-    let failedLogins = 0;
-    let successCount = 0;
-    const uniqueUsers = /* @__PURE__ */ new Set();
-    for (const key of keys) {
-      const ids = await this.redis.zrange(key, 0, -1);
-      for (const id of ids) {
-        const log = await this.get(id);
-        if (log) {
-          totalEvents++;
-          byAction[log.action] = (byAction[log.action] || 0) + 1;
-          if (log.success) {
-            successCount++;
-          }
-          if (log.action === "login_failed") {
-            failedLogins++;
-          }
-          if (log.userId) {
-            uniqueUsers.add(log.userId);
-          }
-        }
-      }
-    }
-    return {
-      totalEvents,
-      byAction,
-      successRate: totalEvents > 0 ? successCount / totalEvents : 1,
-      failedLogins,
-      uniqueUsers
-    };
-  }
-  async cleanup() {
-    const cutoff = Date.now() - this.retentionDays * 24 * 60 * 60 * 1e3;
-    const keys = await this.redis.keys(`${this.prefix}date:*`);
-    let deleted = 0;
-    for (const key of keys) {
-      const timestamp = await this.redis.zrangebyscore(key, 0, cutoff);
-      for (const id of timestamp) {
-        await this.redis.del(`${this.prefix}log:${id}`);
-        deleted++;
-      }
-      await this.redis.zremrangebyscore(key, 0, cutoff);
-    }
-    return deleted;
-  }
-  getKeyForDate(date) {
-    const year = date.getFullYear();
-    const month = String(date.getMonth() + 1).padStart(2, "0");
-    const day = String(date.getDate()).padStart(2, "0");
-    return `${this.prefix}date:${year}-${month}-${day}`;
-  }
-  getKeysForDateRange(start, end) {
-    const keys = [];
-    const startDate = start || new Date(Date.now() - this.retentionDays * 24 * 60 * 60 * 1e3);
-    const endDate = end || /* @__PURE__ */ new Date();
-    const current = new Date(startDate);
-    while (current <= endDate) {
-      keys.push(this.getKeyForDate(current));
-      current.setDate(current.getDate() + 1);
-    }
-    return keys;
-  }
-  matchesFilter(log, filter) {
-    if (filter.action) {
-      const actions = Array.isArray(filter.action) ? filter.action : [filter.action];
-      if (!actions.includes(log.action)) return false;
-    }
-    if (filter.resource && log.resource !== filter.resource) return false;
-    if (filter.resourceId && log.resourceId !== filter.resourceId) return false;
-    if (filter.success !== void 0 && log.success !== filter.success)
-      return false;
-    return true;
-  }
-  serializeLog(log) {
-    const result = {
-      id: log.id,
-      timestamp: log.timestamp.toISOString(),
-      action: log.action,
-      resource: log.resource,
-      success: log.success ? "1" : "0"
-    };
-    if (log.userId) result.userId = log.userId;
-    if (log.userEmail) result.userEmail = log.userEmail;
-    if (log.role) result.role = log.role;
-    if (log.resourceId) result.resourceId = log.resourceId;
-    if (log.ipAddress) result.ipAddress = log.ipAddress;
-    if (log.userAgent) result.userAgent = log.userAgent;
-    if (log.error) result.error = log.error;
-    if (log.changes) result.changes = JSON.stringify(log.changes);
-    if (log.metadata) result.metadata = JSON.stringify(log.metadata);
-    return result;
-  }
-  deserializeLog(data) {
-    return {
-      id: data.id,
-      timestamp: new Date(data.timestamp),
-      action: data.action,
-      userId: data.userId,
-      userEmail: data.userEmail,
-      role: data.role,
-      resource: data.resource,
-      resourceId: data.resourceId,
-      ipAddress: data.ipAddress,
-      userAgent: data.userAgent,
-      success: data.success === "1",
-      error: data.error,
-      changes: data.changes ? JSON.parse(data.changes) : void 0,
-      metadata: data.metadata ? JSON.parse(data.metadata) : void 0
-    };
-  }
-};
-function createAuditContext(req) {
-  return {
-    ipAddress: req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || "unknown",
-    userAgent: req.headers.get("user-agent") || "unknown"
-  };
-}
-function defaultExtractToken(req) {
-  const authHeader = req.headers.get("Authorization");
-  if (authHeader?.startsWith("Bearer ")) {
-    return authHeader.slice(7);
-  }
-  const cookieHeader = req.headers.get("Cookie");
-  if (cookieHeader) {
-    const cookies = Object.fromEntries(
-      cookieHeader.split("; ").map((c) => {
-        const [key, ...val] = c.split("=");
-        return [key.trim(), val.join("=")];
-      })
-    );
-    return cookies["auth_token"] || null;
-  }
-  return null;
-}
-function generateToken(payload, secret, options = {}) {
-  return jwt.sign(payload, secret, {
-    expiresIn: options.expiresIn || "24h",
-    issuer: options.issuer,
-    audience: options.audience
-  });
-}
-
-// src/api/rest/auth-routes.ts
-var AuthRoutes = class {
-  redis;
-  email;
-  jwtSecret;
-  jwtExpiresIn;
-  jwtIssuer;
-  jwtAudience;
-  passwordPolicy;
-  lockout;
-  rateLimiter;
-  auditLogger;
-  baseUrl;
-  emailVerificationRequired;
-  constructor(config) {
-    this.redis = config.redis;
-    this.email = config.email;
-    this.jwtSecret = config.jwtSecret;
-    this.jwtExpiresIn = config.jwtExpiresIn || "24h";
-    this.jwtIssuer = config.jwtIssuer;
-    this.jwtAudience = config.jwtAudience;
-    this.passwordPolicy = config.passwordPolicy || new PasswordPolicy();
-    this.lockout = config.lockout;
-    this.rateLimiter = config.rateLimiter;
-    this.auditLogger = config.auditLogger;
-    this.baseUrl = config.baseUrl || "http://localhost:3000";
-    this.emailVerificationRequired = config.emailVerificationRequired ?? true;
-  }
-  async register(req) {
-    const { ipAddress, userAgent } = createAuditContext(req);
-    if (this.rateLimiter) {
-      const limit = await this.rateLimiter.check("auth:register", ipAddress);
-      if (!limit.allowed) {
-        return this.rateLimitResponse(limit);
-      }
-    }
-    try {
-      const body = await req.json();
-      if (!body.email || !body.password) {
-        return this.errorResponse("Email and password are required", 400);
-      }
-      if (body.password !== body.confirmPassword) {
-        return this.errorResponse("Passwords do not match", 400);
-      }
-      const passwordValidation = this.passwordPolicy.validate(body.password);
-      if (!passwordValidation.valid) {
-        return this.errorResponse(passwordValidation.errors.join(". "), 400);
-      }
-      const existingUser = await this.redis.findUserByEmail(body.email);
-      if (existingUser) {
-        return this.errorResponse("Email already registered", 400);
-      }
-      const passwordHash = await this.redis.hashPassword(body.password);
-      const user = await this.redis.createUser({
-        email: body.email,
-        passwordHash,
-        role: body.role || "customer",
-        tenantId: body.tenantId
-      });
-      if (this.emailVerificationRequired && this.email) {
-        const verificationToken = randomBytes(32).toString("hex");
-        const verificationUrl = `${this.baseUrl}/api/auth/verify?token=${verificationToken}`;
-        await this.redis.createSession(user.id, { ipAddress, userAgent });
-        const template = this.email.getTemplates().verifyEmail(verificationUrl, body.email);
-        await this.email.send({ to: body.email, ...template });
-      }
-      if (this.auditLogger) {
-        await this.auditLogger.log({
-          action: "register",
-          userId: user.id,
-          userEmail: user.email,
-          resource: "auth",
-          ipAddress,
-          userAgent,
-          success: true
-        });
-      }
-      return this.jsonResponse(
-        {
-          success: true,
-          message: "Registration successful",
-          user: this.sanitizeUser(user),
-          requiresVerification: this.emailVerificationRequired && !!this.email
-        },
-        201
-      );
-    } catch (error) {
-      return this.errorResponse("Registration failed", 500);
-    }
-  }
-  async login(req) {
-    const { ipAddress, userAgent } = createAuditContext(req);
-    if (this.rateLimiter) {
-      const limit = await this.rateLimiter.check("auth:login", ipAddress);
-      if (!limit.allowed) {
-        return this.rateLimitResponse(limit);
-      }
-    }
-    try {
-      const body = await req.json();
-      if (!body.email || !body.password) {
-        return this.errorResponse("Email and password are required", 400);
-      }
-      const user = await this.redis.findUserByEmail(body.email);
-      if (!user) {
-        await this.recordFailedLogin(ipAddress, userAgent);
-        return this.errorResponse("Invalid credentials", 401);
-      }
-      if (this.lockout) {
-        const lockoutStatus = await this.lockout.checkLockout(user.id);
-        if (lockoutStatus.locked) {
-          if (this.auditLogger) {
-            await this.auditLogger.log({
-              action: "login_failed",
-              userId: user.id,
-              userEmail: user.email,
-              resource: "auth",
-              ipAddress,
-              userAgent,
-              success: false,
-              error: "Account locked"
-            });
-          }
-          return this.errorResponse(
-            `Account locked. Try again in ${Math.ceil((lockoutStatus.lockedUntil.getTime() - Date.now()) / 6e4)} minutes`,
-            423
-          );
-        }
-      }
-      const validPassword = user.passwordHash ? await this.redis.verifyPassword(body.password, user.passwordHash) : false;
-      if (!validPassword) {
-        await this.recordFailedLogin(ipAddress, userAgent, user.id, user.email);
-        return this.errorResponse("Invalid credentials", 401);
-      }
-      if (this.lockout) {
-        await this.lockout.resetAttempts(user.id);
-      }
-      const session = await this.redis.createSession(user.id, {
-        ipAddress,
-        userAgent
-      });
-      const payload = {
-        sub: user.id,
-        email: user.email,
-        role: user.role,
-        tenantId: user.tenantId,
-        iat: Math.floor(Date.now() / 1e3),
-        exp: Math.floor(Date.now() / 1e3) + 86400
-      };
-      const accessToken = generateToken(payload, this.jwtSecret, {
-        expiresIn: this.jwtExpiresIn,
-        issuer: this.jwtIssuer,
-        audience: this.jwtAudience
-      });
-      if (this.auditLogger) {
-        await this.auditLogger.log({
-          action: "login",
-          userId: user.id,
-          userEmail: user.email,
-          role: user.role,
-          resource: "auth",
-          ipAddress,
-          userAgent,
-          success: true
-        });
-      }
-      await this.redis.updateUser(user.id, {
-        lastLogin: (/* @__PURE__ */ new Date()).toISOString()
-      });
-      return this.jsonResponse({
-        success: true,
-        user: this.sanitizeUser(user),
-        accessToken,
-        refreshToken: session.refreshToken,
-        expiresIn: this.jwtExpiresIn
-      });
-    } catch (error) {
-      return this.errorResponse("Login failed", 500);
-    }
-  }
-  async logout(req) {
-    const token = defaultExtractToken(req);
-    if (!token) {
-      return this.errorResponse("No session to logout", 401);
-    }
-    const { ipAddress, userAgent } = createAuditContext(req);
-    try {
-      const payload = jwt.decode(token);
-      if (payload && payload.sub) {
-        await this.redis.deleteUserSessions(payload.sub);
-        if (this.auditLogger) {
-          await this.auditLogger.log({
-            action: "logout",
-            userId: payload.sub,
-            userEmail: payload.email,
-            resource: "auth",
-            ipAddress,
-            userAgent,
-            success: true
-          });
-        }
-      }
-      return this.jsonResponse({
-        success: true,
-        message: "Logged out successfully"
-      });
-    } catch (error) {
-      return this.errorResponse("Logout failed", 500);
-    }
-  }
-  async refresh(req) {
-    try {
-      const body = await req.json();
-      const { refreshToken } = body;
-      if (!refreshToken) {
-        return this.errorResponse("Refresh token required", 400);
-      }
-      return this.jsonResponse({ success: true, accessToken: "" });
-    } catch (error) {
-      return this.errorResponse("Token refresh failed", 500);
-    }
-  }
-  async me(req) {
-    const token = defaultExtractToken(req);
-    if (!token) {
-      return this.errorResponse("Not authenticated", 401);
-    }
-    try {
-      const payload = jwt.verify(token, this.jwtSecret, {
-        issuer: this.jwtIssuer,
-        audience: this.jwtAudience
-      });
-      const user = await this.redis.findUserById(payload.sub);
-      if (!user) {
-        return this.errorResponse("User not found", 404);
-      }
-      return this.jsonResponse({
-        success: true,
-        user: this.sanitizeUser(user)
-      });
-    } catch (error) {
-      return this.errorResponse("Authentication failed", 401);
-    }
-  }
-  async changePassword(req) {
-    const token = defaultExtractToken(req);
-    if (!token) {
-      return this.errorResponse("Not authenticated", 401);
-    }
-    const { ipAddress, userAgent } = createAuditContext(req);
-    try {
-      const payload = jwt.verify(token, this.jwtSecret);
-      const body = await req.json();
-      const { currentPassword, newPassword, confirmPassword } = body;
-      if (!currentPassword || !newPassword) {
-        return this.errorResponse("Current and new password required", 400);
-      }
-      if (newPassword !== confirmPassword) {
-        return this.errorResponse("Passwords do not match", 400);
-      }
-      const passwordValidation = this.passwordPolicy.validate(newPassword);
-      if (!passwordValidation.valid) {
-        return this.errorResponse(passwordValidation.errors.join(". "), 400);
-      }
-      const user = await this.redis.findUserById(payload.sub);
-      if (!user) {
-        return this.errorResponse("User not found", 404);
-      }
-      const validPassword = user.passwordHash ? await this.redis.verifyPassword(currentPassword, user.passwordHash) : false;
-      if (!validPassword) {
-        return this.errorResponse("Current password is incorrect", 401);
-      }
-      const passwordHistory = await this.redis.getPasswordHistory(user.id, 5);
-      const isReused = await this.redis.isPasswordInHistory(
-        newPassword,
-        user.id,
-        5
-      );
-      if (isReused) {
-        return this.errorResponse(
-          "Password was recently used. Please choose a different password",
-          400
-        );
-      }
-      const newPasswordHash = await this.redis.hashPassword(newPassword);
-      if (user.passwordHash) {
-        await this.redis.addPasswordToHistory(user.id, user.passwordHash);
-      }
-      await this.redis.updateUser(user.id, { passwordHash: newPasswordHash });
-      await this.redis.deleteUserSessions(user.id);
-      if (this.email && this.email.getTemplates) {
-        const template = this.email.getTemplates().passwordChanged(user.email);
-        await this.email.send({ to: user.email, ...template });
-      }
-      if (this.auditLogger) {
-        await this.auditLogger.log({
-          action: "password_change",
-          userId: user.id,
-          userEmail: user.email,
-          resource: "auth",
-          ipAddress,
-          userAgent,
-          success: true
-        });
-      }
-      return this.jsonResponse({
-        success: true,
-        message: "Password changed successfully"
-      });
-    } catch (error) {
-      return this.errorResponse("Password change failed", 500);
-    }
-  }
-  async forgotPassword(req) {
-    const { ipAddress, userAgent } = createAuditContext(req);
-    if (this.rateLimiter) {
-      const limit = await this.rateLimiter.check("auth:forgot", ipAddress);
-      if (!limit.allowed) {
-        return this.rateLimitResponse(limit);
-      }
-    }
-    try {
-      const body = await req.json();
-      const { email } = body;
-      if (!email) {
-        return this.errorResponse("Email required", 400);
-      }
-      const user = await this.redis.findUserByEmail(email);
-      if (!user) {
-        return this.jsonResponse({
-          success: true,
-          message: "If the email exists, a reset link has been sent"
-        });
-      }
-      if (this.email) {
-        const resetToken = randomBytes(32).toString("hex");
-        const resetUrl = `${this.baseUrl}/api/auth/reset-password?token=${resetToken}`;
-        const template = this.email.getTemplates().resetPassword(resetUrl, user.email);
-        await this.email.send({ to: user.email, ...template });
-      }
-      if (this.auditLogger) {
-        await this.auditLogger.log({
-          action: "password_reset_request",
-          userId: user.id,
-          userEmail: user.email,
-          resource: "auth",
-          ipAddress,
-          userAgent,
-          success: true
-        });
-      }
-      return this.jsonResponse({
-        success: true,
-        message: "If the email exists, a reset link has been sent"
-      });
-    } catch (error) {
-      return this.errorResponse("Password reset request failed", 500);
-    }
-  }
-  async verifyEmail(req) {
-    const url = new URL(req.url);
-    const token = url.searchParams.get("token");
-    if (!token) {
-      return this.errorResponse("Verification token required", 400);
-    }
-    try {
-      return this.jsonResponse({ success: true, message: "Email verified" });
-    } catch (error) {
-      return this.errorResponse("Email verification failed", 500);
-    }
-  }
-  async recordFailedLogin(ipAddress, userAgent, userId, userEmail) {
-    if (this.lockout) {
-      await this.lockout.recordFailedAttempt(userId || ipAddress);
-    }
-    if (this.auditLogger) {
-      await this.auditLogger.log({
-        action: "login_failed",
-        userId,
-        userEmail,
-        resource: "auth",
-        ipAddress,
-        userAgent,
-        success: false,
-        error: "Invalid credentials"
-      });
-    }
-  }
-  sanitizeUser(user) {
-    const { passwordHash, ...sanitized } = user;
-    return sanitized;
-  }
-  jsonResponse(data, status = 200) {
-    return new Response(JSON.stringify(data), {
-      status,
-      headers: {
-        "Content-Type": "application/json"
-      }
-    });
-  }
-  errorResponse(message, status) {
-    return new Response(JSON.stringify({ success: false, error: message }), {
-      status,
-      headers: {
-        "Content-Type": "application/json"
-      }
-    });
-  }
-  rateLimitResponse(limit) {
-    return new Response(
-      JSON.stringify({
-        success: false,
-        error: "Too many requests",
-        retryAfter: limit.retryAfter
-      }),
-      {
-        status: 429,
-        headers: {
-          "Content-Type": "application/json",
-          "Retry-After": String(limit.retryAfter || 60)
-        }
-      }
-    );
-  }
-};
-
-// src/auth/config.ts
-function getEnv(key, fallback = "") {
-  return process.env[key] || fallback;
-}
-function getEnvBool(key, fallback = false) {
-  const val = process.env[key];
-  if (!val) return fallback;
-  return val.toLowerCase() === "true";
-}
-function getEnvNum(key, fallback = 0) {
-  const val = process.env[key];
-  if (!val) return fallback;
-  return parseInt(val, 10);
-}
-async function createAuthConfig() {
-  const redisUrl = getEnv("REDIS_URL", "redis://localhost:6379");
-  const redisKeyPrefix = getEnv("REDIS_KEY_PREFIX", "kyro:auth:");
-  const redisSessionTTL = getEnvNum("REDIS_SESSION_TTL", 86400);
-  const redisRefreshTTL = getEnvNum("REDIS_REFRESH_TOKEN_TTL", 604800);
-  const redisAdapter = new RedisAuthAdapter({
-    url: redisUrl,
-    keyPrefix: redisKeyPrefix,
-    tokenExpiration: redisSessionTTL,
-    refreshTokenExpiration: redisRefreshTTL,
-    tls: getEnvBool("REDIS_TLS", false)
-  });
-  await redisAdapter.connect();
-  const redisClient = redisAdapter.redis;
-  const emailConfig = getEmailConfig();
-  const email = emailConfig ? new EmailTransport(emailConfig) : void 0;
-  const passwordPolicy = new PasswordPolicy({
-    minLength: getEnvNum("PASSWORD_MIN_LENGTH", 12),
-    requireUppercase: getEnvBool("PASSWORD_REQUIRE_UPPERCASE", true),
-    requireLowercase: getEnvBool("PASSWORD_REQUIRE_LOWERCASE", true),
-    requireNumbers: getEnvBool("PASSWORD_REQUIRE_NUMBERS", true),
-    requireSpecialChars: getEnvBool("PASSWORD_REQUIRE_SPECIAL", true),
-    preventReuse: getEnvNum("PASSWORD_PREVENT_REUSE", 5),
-    maxLength: getEnvNum("PASSWORD_MAX_LENGTH", 128)
-  });
-  let lockout;
-  if (getEnvBool("LOCKOUT_ENABLED", true)) {
-    lockout = new AccountLockout(redisClient, {
-      maxAttempts: getEnvNum("LOCKOUT_MAX_ATTEMPTS", 5),
-      lockDuration: getEnvNum("LOCKOUT_DURATION_MINUTES", 15) * 60 * 1e3
-    });
-  }
-  let rateLimiter;
-  if (getEnvBool("RATE_LIMIT_ENABLED", true)) {
-    rateLimiter = new RateLimiter(redisClient, {
-      "auth:login": {
-        window: getEnvNum("RATE_LIMIT_AUTH_WINDOW_MS", 9e5),
-        max: getEnvNum("RATE_LIMIT_AUTH_MAX_REQUESTS", 10)
-      },
-      "api:general": {
-        window: getEnvNum("RATE_LIMIT_WINDOW_MS", 6e4),
-        max: getEnvNum("RATE_LIMIT_MAX_REQUESTS", 100)
-      }
-    });
-  }
-  let auditLogger;
-  if (getEnvBool("AUDIT_LOG_ENABLED", true)) {
-    auditLogger = new AuditLogger(
-      redisClient,
-      getEnvNum("AUDIT_LOG_RETENTION_DAYS", 30)
-    );
-  }
-  const routes = new AuthRoutes({
-    redis: redisAdapter,
-    email,
-    jwtSecret: getEnv("JWT_SECRET", "change-me"),
-    jwtExpiresIn: getEnv("JWT_EXPIRES_IN", "24h"),
-    jwtIssuer: getEnv("JWT_ISSUER", "kyro-cms"),
-    jwtAudience: getEnv("JWT_AUDIENCE", "kyro-cms-client"),
-    passwordPolicy,
-    lockout,
-    rateLimiter,
-    auditLogger,
-    baseUrl: getEnv("EMAIL_BASE_URL", "http://localhost:4321"),
-    emailVerificationRequired: getEnvBool("EMAIL_VERIFICATION_REQUIRED", true)
-  });
-  return {
-    redis: redisAdapter,
-    redisClient,
-    email,
-    passwordPolicy,
-    lockout,
-    rateLimiter,
-    auditLogger,
-    routes
-  };
-}
-function getEmailConfig() {
-  const host = getEnv("SMTP_HOST");
-  if (!host) return void 0;
-  return {
-    host,
-    port: getEnvNum("SMTP_PORT", 587),
-    secure: getEnvBool("SMTP_SECURE", false),
-    auth: {
-      user: getEnv("SMTP_USER"),
-      pass: getEnv("SMTP_PASS")
-    },
-    from: getEnv("SMTP_FROM", "noreply@example.com"),
-    fromName: getEnv("SMTP_FROM_NAME", "Kyro CMS")
-  };
-}
-createAuthConfig();
-
-export { AccountLockout, AuditLogger, ConfigValidationError, EmailTransport, PasswordPolicy, RateLimiter, RedisAuthAdapter, Registry, collectionToCreateZod, collectionToUpdateZod, collectionToWhereZod, collectionToZod, createAuditContext, createAuthConfig, fieldToZod, getRegistry, globalToZod, validateCollection, validateConfig, validateFields, validateGlobal };