@kyro-cms/admin 0.1.2

package/dist/server/chunks/config_CPXslElD.mjs

@@ -0,0 +1,4221 @@
+import 'ws';
+import 'hono';
+import bcrypt from 'bcryptjs';
+import { pgTable, timestamp, jsonb, integer, boolean, uuid, varchar, uniqueIndex, index, text } from 'drizzle-orm/pg-core';
+import 'postgres';
+import 'bcrypt';
+import jwt from 'jsonwebtoken';
+import Redis2 from 'ioredis';
+import nodemailer from 'nodemailer';
+import { randomBytes } from 'crypto';
+
+const users = pgTable(
+  "users",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    email: varchar("email", { length: 255 }).notNull(),
+    passwordHash: varchar("password_hash", { length: 255 }),
+    role: varchar("role", { length: 50 }).notNull().default("customer"),
+    tenantId: uuid("tenant_id"),
+    emailVerified: boolean("email_verified").default(false),
+    locked: boolean("locked").default(false),
+    lastLogin: timestamp("last_login"),
+    failedLoginAttempts: integer("failed_login_attempts").default(0),
+    metadata: jsonb("metadata").$type(),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at").defaultNow().notNull()
+  },
+  (table) => [
+    uniqueIndex("users_email_idx").on(table.email),
+    index("users_tenant_idx").on(table.tenantId),
+    index("users_role_idx").on(table.role)
+  ]
+);
+const roles = pgTable(
+  "roles",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    name: varchar("name", { length: 100 }).notNull().unique(),
+    level: integer("level").notNull().default(0),
+    inherits: text("inherits").array(),
+    description: text("description"),
+    permissions: jsonb("permissions").$type().default([]),
+    isSystem: boolean("is_system").default(false),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at").defaultNow().notNull()
+  },
+  (table) => [index("roles_level_idx").on(table.level)]
+);
+pgTable(
+  "permissions",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    roleId: uuid("role_id").references(() => roles.id, { onDelete: "cascade" }),
+    resource: varchar("resource", { length: 100 }).notNull(),
+    action: varchar("action", { length: 50 }).notNull(),
+    conditions: jsonb("conditions").$type(),
+    createdAt: timestamp("created_at").defaultNow().notNull()
+  },
+  (table) => [
+    index("permissions_role_idx").on(table.roleId),
+    index("permissions_resource_idx").on(table.resource)
+  ]
+);
+pgTable(
+  "sessions",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    token: varchar("token", { length: 512 }).notNull().unique(),
+    refreshToken: varchar("refresh_token", { length: 512 }),
+    ipAddress: varchar("ip_address", { length: 45 }),
+    userAgent: text("user_agent"),
+    expiresAt: timestamp("expires_at").notNull(),
+    createdAt: timestamp("created_at").defaultNow().notNull()
+  },
+  (table) => [
+    index("sessions_user_idx").on(table.userId),
+    index("sessions_token_idx").on(table.token),
+    index("sessions_expires_idx").on(table.expiresAt)
+  ]
+);
+pgTable(
+  "audit_logs",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    action: varchar("action", { length: 100 }).notNull(),
+    userId: uuid("user_id").references(() => users.id, {
+      onDelete: "set null"
+    }),
+    userEmail: varchar("user_email", { length: 255 }),
+    role: varchar("role", { length: 50 }),
+    resource: varchar("resource", { length: 100 }).notNull(),
+    resourceId: uuid("resource_id"),
+    changes: jsonb("changes").$type(),
+    ipAddress: varchar("ip_address", { length: 45 }),
+    userAgent: text("user_agent"),
+    success: boolean("success").notNull().default(true),
+    error: text("error"),
+    metadata: jsonb("metadata").$type(),
+    timestamp: timestamp("timestamp").defaultNow().notNull()
+  },
+  (table) => [
+    index("audit_logs_user_idx").on(table.userId),
+    index("audit_logs_action_idx").on(table.action),
+    index("audit_logs_resource_idx").on(table.resource),
+    index("audit_logs_timestamp_idx").on(table.timestamp)
+  ]
+);
+pgTable(
+  "tenants",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    name: varchar("name", { length: 255 }).notNull(),
+    slug: varchar("slug", { length: 100 }).notNull().unique(),
+    settings: jsonb("settings").$type().default({}),
+    isActive: boolean("is_active").default(true),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at").defaultNow().notNull()
+  },
+  (table) => [uniqueIndex("tenants_slug_idx").on(table.slug)]
+);
+pgTable(
+  "api_keys",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    name: varchar("name", { length: 255 }).notNull(),
+    key: varchar("key", { length: 64 }).notNull().unique(),
+    keyPrefix: varchar("key_prefix", { length: 8 }).notNull(),
+    permissions: jsonb("permissions").$type().default([]),
+    lastUsedAt: timestamp("last_used_at"),
+    expiresAt: timestamp("expires_at"),
+    createdAt: timestamp("created_at").defaultNow().notNull()
+  },
+  (table) => [
+    index("api_keys_user_idx").on(table.userId),
+    index("api_keys_key_idx").on(table.key)
+  ]
+);
+pgTable(
+  "email_verifications",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    token: varchar("token", { length: 64 }).notNull().unique(),
+    expiresAt: timestamp("expires_at").notNull(),
+    createdAt: timestamp("created_at").defaultNow().notNull()
+  },
+  (table) => [
+    index("email_verifications_token_idx").on(table.token),
+    index("email_verifications_user_idx").on(table.userId)
+  ]
+);
+pgTable(
+  "password_resets",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    token: varchar("token", { length: 64 }).notNull().unique(),
+    expiresAt: timestamp("expires_at").notNull(),
+    usedAt: timestamp("used_at"),
+    createdAt: timestamp("created_at").defaultNow().notNull()
+  },
+  (table) => [
+    index("password_resets_token_idx").on(table.token),
+    index("password_resets_user_idx").on(table.userId)
+  ]
+);
+pgTable(
+  "password_history",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    passwordHash: varchar("password_hash", { length: 255 }).notNull(),
+    createdAt: timestamp("created_at").defaultNow().notNull()
+  },
+  (table) => [index("password_history_user_idx").on(table.userId)]
+);
+pgTable(
+  "lockouts",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    ipAddress: varchar("ip_address", { length: 45 }),
+    reason: varchar("reason", { length: 255 }),
+    lockedUntil: timestamp("locked_until").notNull(),
+    releasedAt: timestamp("released_at"),
+    createdAt: timestamp("created_at").defaultNow().notNull()
+  },
+  (table) => [
+    index("lockouts_user_idx").on(table.userId),
+    index("lockouts_ip_idx").on(table.ipAddress),
+    index("lockouts_locked_until_idx").on(table.lockedUntil)
+  ]
+);
+
+const DEFAULT_PREFIX = "kyro:auth:";
+const DEFAULT_TOKEN_EXPIRATION = 86400;
+const DEFAULT_REFRESH_EXPIRATION = 604800;
+class RedisAuthAdapter {
+  redis;
+  prefix;
+  tokenExpiration;
+  refreshExpiration;
+  constructor(options = {}) {
+    const url = options.url || `redis://${options.host || "localhost"}:${options.port || 6379}`;
+    this.redis = new Redis2(url, {
+      password: options.password,
+      db: options.db,
+      lazyConnect: true,
+      tls: options.tls ? {} : void 0
+    });
+    this.prefix = options.keyPrefix || DEFAULT_PREFIX;
+    this.tokenExpiration = options.tokenExpiration || DEFAULT_TOKEN_EXPIRATION;
+    this.refreshExpiration = options.refreshTokenExpiration || DEFAULT_REFRESH_EXPIRATION;
+  }
+  async connect() {
+    await this.redis.connect();
+  }
+  async disconnect() {
+    await this.redis.quit();
+  }
+  userKey(userId) {
+    return `${this.prefix}users:${userId}`;
+  }
+  sessionKey(sessionId) {
+    return `${this.prefix}sessions:${sessionId}`;
+  }
+  refreshKey(token) {
+    return `${this.prefix}refresh:${token}`;
+  }
+  userByEmailKey(email) {
+    return `${this.prefix}users:email:${email.toLowerCase()}`;
+  }
+  passwordHistoryKey(userId) {
+    return `${this.prefix}users:${userId}:password_history`;
+  }
+  async createUser(data) {
+    const userId = randomBytes(16).toString("hex");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const user = {
+      id: userId,
+      email: data.email.toLowerCase(),
+      passwordHash: data.passwordHash,
+      role: data.role || "customer",
+      tenantId: data.tenantId,
+      createdAt: now,
+      updatedAt: now
+    };
+    const pipeline = this.redis.pipeline();
+    pipeline.hset(this.userKey(userId), this.userToHash(user));
+    pipeline.set(this.userByEmailKey(data.email), userId);
+    await pipeline.exec();
+    return user;
+  }
+  async findUserByEmail(email) {
+    const userId = await this.redis.get(
+      this.userByEmailKey(email.toLowerCase())
+    );
+    if (!userId) return null;
+    return this.findUserById(userId);
+  }
+  async findUserById(userId) {
+    const data = await this.redis.hgetall(this.userKey(userId));
+    if (!data || Object.keys(data).length === 0) return null;
+    return this.hashToUser(data);
+  }
+  async updateUser(userId, data) {
+    const existing = await this.findUserById(userId);
+    if (!existing) return null;
+    const updated = {
+      ...existing,
+      ...data,
+      id: userId,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    if (data.email && data.email !== existing.email) {
+      const pipeline = this.redis.pipeline();
+      pipeline.del(this.userByEmailKey(existing.email));
+      pipeline.set(this.userByEmailKey(data.email), userId);
+      await pipeline.exec();
+    }
+    await this.redis.hset(this.userKey(userId), this.userToHash(updated));
+    return updated;
+  }
+  async deleteUser(userId) {
+    const user = await this.findUserById(userId);
+    if (!user) return false;
+    const pipeline = this.redis.pipeline();
+    pipeline.del(this.userKey(userId));
+    pipeline.del(this.userByEmailKey(user.email));
+    pipeline.del(this.passwordHistoryKey(userId));
+    await pipeline.exec();
+    return true;
+  }
+  async hashPassword(password) {
+    return bcrypt.hash(password, 12);
+  }
+  async verifyPassword(password, hash) {
+    return bcrypt.compare(password, hash);
+  }
+  async createSession(userId, data = {}) {
+    const sessionId = randomBytes(32).toString("hex");
+    const token = randomBytes(32).toString("base64url");
+    const refreshToken = randomBytes(32).toString("base64url");
+    const now = /* @__PURE__ */ new Date();
+    const session = {
+      id: sessionId,
+      userId,
+      token,
+      refreshToken,
+      expiresAt: new Date(
+        now.getTime() + this.tokenExpiration * 1e3
+      ).toISOString(),
+      createdAt: now.toISOString(),
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent
+    };
+    const pipeline = this.redis.pipeline();
+    pipeline.hset(this.sessionKey(sessionId), this.sessionToHash(session));
+    pipeline.setex(
+      this.refreshKey(refreshToken),
+      this.refreshExpiration,
+      sessionId
+    );
+    await pipeline.exec();
+    return session;
+  }
+  async findSessionByToken(token) {
+    const data = await this.redis.hgetall(this.sessionKey(token));
+    if (!data || Object.keys(data).length === 0) return null;
+    return this.hashToSession(data);
+  }
+  async deleteSession(sessionId) {
+    const session = await this.redis.hgetall(this.sessionKey(sessionId));
+    if (!session || Object.keys(session).length === 0) return false;
+    const pipeline = this.redis.pipeline();
+    pipeline.del(this.sessionKey(sessionId));
+    if (session.refreshToken) {
+      pipeline.del(this.refreshKey(session.refreshToken));
+    }
+    await pipeline.exec();
+    return true;
+  }
+  async deleteUserSessions(userId) {
+    const pattern = `${this.prefix}sessions:*`;
+    let cursor = "0";
+    let deleted = 0;
+    do {
+      const [nextCursor, keys] = await this.redis.scan(
+        cursor,
+        "MATCH",
+        pattern,
+        "COUNT",
+        100
+      );
+      cursor = nextCursor;
+      for (const key of keys) {
+        const sessionData = await this.redis.hgetall(key);
+        if (sessionData.userId === userId) {
+          const sessionId = key.replace(`${this.prefix}sessions:`, "");
+          await this.deleteSession(sessionId);
+          deleted++;
+        }
+      }
+    } while (cursor !== "0");
+    return deleted;
+  }
+  async addPasswordToHistory(userId, passwordHash) {
+    await this.redis.lpush(this.passwordHistoryKey(userId), passwordHash);
+    await this.redis.ltrim(this.passwordHistoryKey(userId), 0, 4);
+  }
+  async getPasswordHistory(userId, count = 5) {
+    return this.redis.lrange(this.passwordHistoryKey(userId), 0, count - 1);
+  }
+  async isPasswordInHistory(password, userId, historyCount = 5) {
+    const history = await this.getPasswordHistory(userId, historyCount);
+    for (const hash of history) {
+      if (await this.verifyPassword(password, hash)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  userToHash(user) {
+    const hash = {
+      id: user.id,
+      email: user.email,
+      passwordHash: user.passwordHash || "",
+      role: user.role,
+      createdAt: user.createdAt,
+      updatedAt: user.updatedAt
+    };
+    if (user.tenantId) hash.tenantId = user.tenantId;
+    if (user.emailVerified !== void 0)
+      hash.emailVerified = String(user.emailVerified);
+    if (user.locked !== void 0) hash.locked = String(user.locked);
+    if (user.lastLogin) hash.lastLogin = user.lastLogin;
+    if (user.failedLoginAttempts !== void 0)
+      hash.failedLoginAttempts = String(user.failedLoginAttempts);
+    return hash;
+  }
+  hashToUser(hash) {
+    return {
+      id: hash.id,
+      email: hash.email,
+      passwordHash: hash.passwordHash,
+      role: hash.role,
+      tenantId: hash.tenantId,
+      createdAt: hash.createdAt,
+      updatedAt: hash.updatedAt,
+      emailVerified: hash.emailVerified === "true",
+      locked: hash.locked === "true",
+      lastLogin: hash.lastLogin,
+      failedLoginAttempts: hash.failedLoginAttempts ? parseInt(hash.failedLoginAttempts, 10) : 0
+    };
+  }
+  sessionToHash(session) {
+    const hash = {
+      id: session.id,
+      userId: session.userId,
+      token: session.token,
+      expiresAt: session.expiresAt,
+      createdAt: session.createdAt
+    };
+    if (session.refreshToken) hash.refreshToken = session.refreshToken;
+    if (session.ipAddress) hash.ipAddress = session.ipAddress;
+    if (session.userAgent) hash.userAgent = session.userAgent;
+    return hash;
+  }
+  hashToSession(hash) {
+    return {
+      id: hash.id,
+      userId: hash.userId,
+      token: hash.token,
+      refreshToken: hash.refreshToken,
+      expiresAt: hash.expiresAt,
+      createdAt: hash.createdAt,
+      ipAddress: hash.ipAddress,
+      userAgent: hash.userAgent
+    };
+  }
+}
+
+const defaultTemplates = {
+  verifyEmail: (link, userName = "User") => ({
+    subject: "Verify your email address",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Verify Email</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .button { display: inline-block; padding: 12px 24px; background: #0b1222; color: white; text-decoration: none; border-radius: 6px; font-weight: 600; }
+          .footer { margin-top: 30px; font-size: 12px; color: #666; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Welcome, ${userName}!</h1>
+          <p>Please verify your email address by clicking the button below:</p>
+          <p style="text-align: center; margin: 30px 0;">
+            <a href="${link}" class="button">Verify Email</a>
+          </p>
+          <p>Or copy and paste this link into your browser:</p>
+          <p style="word-break: break-all; color: #666;">${link}</p>
+          <p>This link will expire in 24 hours.</p>
+          <div class="footer">
+            <p>If you didn't create an account, you can safely ignore this email.</p>
+          </div>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Welcome ${userName}!
+
+Please verify your email by clicking this link: ${link}
+
+This link will expire in 24 hours.
+
+If you didn't create an account, you can safely ignore this email.`
+  }),
+  resetPassword: (link, userName = "User") => ({
+    subject: "Reset your password",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Reset Password</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .button { display: inline-block; padding: 12px 24px; background: #dc2626; color: white; text-decoration: none; border-radius: 6px; font-weight: 600; }
+          .warning { background: #fef3c7; border: 1px solid #f59e0b; padding: 12px; border-radius: 6px; margin: 20px 0; }
+          .footer { margin-top: 30px; font-size: 12px; color: #666; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Password Reset Request</h1>
+          <p>Hello ${userName},</p>
+          <p>We received a request to reset your password. Click the button below to create a new password:</p>
+          <p style="text-align: center; margin: 30px 0;">
+            <a href="${link}" class="button">Reset Password</a>
+          </p>
+          <p>Or copy and paste this link into your browser:</p>
+          <p style="word-break: break-all; color: #666;">${link}</p>
+          <div class="warning">
+            <strong>⚠️ Important:</strong> This link will expire in 1 hour. If you didn't request a password reset, please ignore this email or contact support if you have concerns.
+          </div>
+          <div class="footer">
+            <p>For security reasons, please don't share this email with anyone.</p>
+          </div>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Password Reset Request
+
+Hello ${userName},
+
+We received a request to reset your password. Click this link to create a new password: ${link}
+
+This link will expire in 1 hour.
+
+If you didn't request a password reset, please ignore this email.`
+  }),
+  welcome: (userName = "User") => ({
+    subject: "Welcome to Kyro CMS",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Welcome</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .button { display: inline-block; padding: 12px 24px; background: #0b1222; color: white; text-decoration: none; border-radius: 6px; font-weight: 600; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Welcome to Kyro CMS, ${userName}!</h1>
+          <p>Your account has been created successfully.</p>
+          <p>You can now:</p>
+          <ul>
+            <li>Manage your content collections</li>
+            <li>Upload and organize media</li>
+            <li>Configure settings</li>
+            <li>And much more...</li>
+          </ul>
+          <p style="text-align: center; margin: 30px 0;">
+            <a href="#" class="button">Get Started</a>
+          </p>
+          <p>If you have any questions, feel free to reach out to our support team.</p>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Welcome to Kyro CMS, ${userName}!
+
+Your account has been created successfully.
+
+You can now:
+- Manage your content collections
+- Upload and organize media
+- Configure settings
+- And much more...
+
+Get started by logging into your dashboard.`
+  }),
+  accountLocked: (attempts, duration, userName = "User") => ({
+    subject: "Account Security Alert - Account Locked",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Account Locked</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .alert { background: #fef2f2; border: 1px solid #ef4444; padding: 16px; border-radius: 8px; margin: 20px 0; }
+          .footer { margin-top: 30px; font-size: 12px; color: #666; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Account Security Alert</h1>
+          <p>Hello ${userName},</p>
+          <div class="alert">
+            <p><strong>⚠️ Your account has been temporarily locked due to multiple failed login attempts.</strong></p>
+            <p>Failed attempts: ${attempts}</p>
+            <p>Lockout duration: ${Math.round(duration / 6e4)} minutes</p>
+          </div>
+          <p>Your account will automatically unlock after the lockout period expires.</p>
+          <p>If this wasn't you, we recommend:</p>
+          <ul>
+            <li>Using a strong, unique password</li>
+            <li>Enabling two-factor authentication (coming soon)</li>
+            <li>Reviewing your recent account activity</li>
+          </ul>
+          <div class="footer">
+            <p>If you need immediate assistance, please contact support.</p>
+          </div>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Account Security Alert
+
+Hello ${userName},
+
+Your account has been temporarily locked due to multiple failed login attempts (${attempts}).
+
+Lockout duration: ${Math.round(duration / 6e4)} minutes
+
+Your account will automatically unlock after this period.
+
+If this wasn't you, we recommend using a strong, unique password.`
+  }),
+  passwordChanged: (userName = "User") => ({
+    subject: "Your password has been changed",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Password Changed</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .info { background: #f0fdf4; border: 1px solid #22c55e; padding: 12px; border-radius: 6px; margin: 20px 0; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Password Changed</h1>
+          <p>Hello ${userName},</p>
+          <div class="info">
+            <p>Your password was recently changed.</p>
+          </div>
+          <p>If you did this, you can safely ignore this email.</p>
+          <p><strong>If you didn't change your password</strong>, please contact our support team immediately as your account may have been compromised.</p>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Password Changed
+
+Hello ${userName},
+
+Your password was recently changed.
+
+If you did this, you can safely ignore this email.
+
+If you didn't change your password, please contact support immediately.`
+  }),
+  newLogin: (location, time, userName = "User") => ({
+    subject: "New login to your account",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>New Login</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .info-box { background: #f8fafc; border: 1px solid #e2e8f0; padding: 16px; border-radius: 8px; margin: 20px 0; }
+          .footer { margin-top: 30px; font-size: 12px; color: #666; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>New Login Detected</h1>
+          <p>Hello ${userName},</p>
+          <p>We detected a new login to your account:</p>
+          <div class="info-box">
+            <p><strong>Location:</strong> ${location}</p>
+            <p><strong>Time:</strong> ${time}</p>
+          </div>
+          <p><strong>If this was you</strong>, no action is needed.</p>
+          <p><strong>If this wasn't you</strong>, your account may be compromised. Please:</p>
+          <ol>
+            <li>Change your password immediately</li>
+            <li>Review your recent account activity</li>
+            <li>Contact support if needed</li>
+          </ol>
+          <div class="footer">
+            <p>This is an automated security notification.</p>
+          </div>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `New Login Detected
+
+Hello ${userName},
+
+We detected a new login to your account:
+
+Location: ${location}
+Time: ${time}
+
+If this wasn't you, please change your password immediately and contact support.`
+  })
+};
+class EmailTransport {
+  transporter;
+  from;
+  fromName;
+  templates;
+  constructor(config, templates) {
+    this.transporter = nodemailer.createTransport({
+      host: config.host,
+      port: config.port,
+      secure: config.secure,
+      auth: config.auth
+    });
+    this.from = config.from;
+    this.fromName = config.fromName || "Kyro CMS";
+    this.templates = { ...defaultTemplates, ...templates };
+  }
+  async send(options) {
+    return this.transporter.sendMail({
+      from: `"${this.fromName}" <${this.from}>`,
+      to: Array.isArray(options.to) ? options.to.join(", ") : options.to,
+      subject: options.subject,
+      html: options.html,
+      text: options.text
+    });
+  }
+  getTemplates() {
+    return this.templates;
+  }
+  async verifyConnection() {
+    try {
+      await this.transporter.verify();
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  static fromEnv() {
+    const host = process.env.SMTP_HOST;
+    const port = parseInt(process.env.SMTP_PORT || "587", 10);
+    const secure = process.env.SMTP_SECURE === "true";
+    const user = process.env.SMTP_USER;
+    const pass = process.env.SMTP_PASS;
+    const from = process.env.SMTP_FROM || process.env.DEFAULT_FROM || "noreply@example.com";
+    const fromName = process.env.SMTP_FROM_NAME || "Kyro CMS";
+    if (!host || !user || !pass) {
+      return null;
+    }
+    return new EmailTransport({
+      host,
+      port,
+      secure,
+      auth: { user, pass },
+      from,
+      fromName
+    });
+  }
+}
+
+const DEFAULT_PASSWORD_POLICY = {
+  minLength: 12,
+  requireUppercase: true,
+  requireLowercase: true,
+  requireNumbers: true,
+  requireSpecialChars: true,
+  preventReuse: 5,
+  maxLength: 128
+};
+class PasswordPolicy {
+  config;
+  constructor(config = {}) {
+    this.config = { ...DEFAULT_PASSWORD_POLICY, ...config };
+  }
+  validate(password) {
+    const errors = [];
+    if (this.config.maxLength && password.length > this.config.maxLength) {
+      errors.push(
+        `Password must not exceed ${this.config.maxLength} characters`
+      );
+    }
+    if (password.length < this.config.minLength) {
+      errors.push(
+        `Password must be at least ${this.config.minLength} characters`
+      );
+    }
+    if (this.config.requireUppercase && !/[A-Z]/.test(password)) {
+      errors.push("Password must contain at least one uppercase letter");
+    }
+    if (this.config.requireLowercase && !/[a-z]/.test(password)) {
+      errors.push("Password must contain at least one lowercase letter");
+    }
+    if (this.config.requireNumbers && !/[0-9]/.test(password)) {
+      errors.push("Password must contain at least one number");
+    }
+    if (this.config.requireSpecialChars && !/[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password)) {
+      errors.push("Password must contain at least one special character");
+    }
+    const commonPasswords = [
+      "password",
+      "123456",
+      "12345678",
+      "qwerty",
+      "abc123",
+      "monkey",
+      "1234567",
+      "letmein",
+      "trustno1",
+      "dragon",
+      "baseball",
+      "iloveyou",
+      "master",
+      "sunshine",
+      "ashley",
+      "football",
+      "password1",
+      "shadow",
+      "123123",
+      "654321"
+    ];
+    if (commonPasswords.includes(password.toLowerCase())) {
+      errors.push(
+        "This password is too common. Please choose a more secure password"
+      );
+    }
+    if (/^[a-zA-Z]+$/.test(password) || /^[0-9]+$/.test(password)) {
+      errors.push(
+        "Password must contain a mix of letters, numbers, and/or special characters"
+      );
+    }
+    if (/(.)\1{2,}/.test(password)) {
+      errors.push(
+        "Password must not contain more than 2 consecutive identical characters"
+      );
+    }
+    if (/^(012|123|234|345|456|567|678|789|890|098|987|876|765|654|543|432|321|210)+$/i.test(
+      password
+    )) {
+      errors.push("Password must not contain sequential numbers or letters");
+    }
+    return {
+      valid: errors.length === 0,
+      errors
+    };
+  }
+  async checkReuse(passwordHash, history, verifyFn) {
+    return {
+      valid: true,
+      errors: []
+    };
+  }
+  async isInHistory(password, history, verifyFn) {
+    for (const hash of history) {
+      if (await verifyFn(password, hash)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  generatePassword(length = 16) {
+    const uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    const lowercase = "abcdefghijklmnopqrstuvwxyz";
+    const numbers = "0123456789";
+    const special = "!@#$%^&*()_+-=[]{}|;:,.<>?";
+    let password = "";
+    password += uppercase[Math.floor(Math.random() * uppercase.length)];
+    password += lowercase[Math.floor(Math.random() * lowercase.length)];
+    password += numbers[Math.floor(Math.random() * numbers.length)];
+    password += special[Math.floor(Math.random() * special.length)];
+    const allChars = uppercase + lowercase + numbers + special;
+    for (let i = password.length; i < length; i++) {
+      password += allChars[Math.floor(Math.random() * allChars.length)];
+    }
+    return password.split("").sort(() => Math.random() - 0.5).join("");
+  }
+  getStrength(password) {
+    let score = 0;
+    const feedback = [];
+    if (password.length >= 8) score += 1;
+    if (password.length >= 12) score += 1;
+    if (password.length >= 16) score += 1;
+    if (/[a-z]/.test(password)) score += 1;
+    if (/[A-Z]/.test(password)) score += 1;
+    if (/[0-9]/.test(password)) score += 1;
+    if (/[!@#$%^&*()_+\-=\[\]{}|;:,.<>?]/.test(password)) score += 1;
+    if (password.length > 8) score += 1;
+    if (password.length > 12) score += 1;
+    const uniqueChars = new Set(password).size;
+    if (uniqueChars > 6) score += 1;
+    if (uniqueChars > 10) score += 1;
+    let label;
+    if (score <= 3) {
+      label = "Weak";
+      feedback.push("Add more characters");
+      feedback.push("Include uppercase and lowercase letters");
+    } else if (score <= 5) {
+      label = "Fair";
+      feedback.push("Add special characters");
+      feedback.push("Consider making it longer");
+    } else if (score <= 7) {
+      label = "Good";
+      feedback.push("Consider making it longer for extra security");
+    } else {
+      label = "Strong";
+    }
+    return { score, label, feedback };
+  }
+  setConfig(config) {
+    this.config = { ...this.config, ...config };
+  }
+  getConfig() {
+    return { ...this.config };
+  }
+}
+
+const DEFAULT_LOCKOUT_CONFIG = {
+  maxAttempts: 5,
+  lockDuration: 9e5,
+  notifyUser: true,
+  notifyAdmin: true,
+  adminNotifyAfter: 3
+};
+class AccountLockout {
+  redis;
+  prefix;
+  config;
+  constructor(redis, config = {}, prefix = "kyro:lockout:") {
+    this.redis = redis;
+    this.prefix = prefix;
+    this.config = { ...DEFAULT_LOCKOUT_CONFIG, ...config };
+  }
+  lockKey(userId) {
+    return `${this.prefix}${userId}`;
+  }
+  historyKey(userId) {
+    return `${this.prefix}${userId}:history`;
+  }
+  async checkLockout(userId) {
+    const key = this.lockKey(userId);
+    const data = await this.redis.hgetall(key);
+    if (!data || Object.keys(data).length === 0) {
+      return {
+        locked: false,
+        attemptsRemaining: this.config.maxAttempts,
+        totalAttempts: 0
+      };
+    }
+    const attempts = parseInt(data.attempts, 10);
+    const lockedUntil = data.lockedUntil ? new Date(parseInt(data.lockedUntil, 10)) : void 0;
+    if (lockedUntil && lockedUntil > /* @__PURE__ */ new Date()) {
+      return {
+        locked: true,
+        attemptsRemaining: 0,
+        lockedUntil,
+        totalAttempts: attempts
+      };
+    }
+    if (lockedUntil && lockedUntil <= /* @__PURE__ */ new Date()) {
+      await this.unlockAccount(userId);
+      return {
+        locked: false,
+        attemptsRemaining: this.config.maxAttempts,
+        totalAttempts: 0
+      };
+    }
+    return {
+      locked: false,
+      attemptsRemaining: Math.max(0, this.config.maxAttempts - attempts),
+      totalAttempts: attempts
+    };
+  }
+  async recordFailedAttempt(userId) {
+    const key = this.lockKey(userId);
+    const historyKey = this.historyKey(userId);
+    const now = Date.now();
+    const current = await this.redis.hincrby(key, "attempts", 1);
+    await this.redis.hset(key, "lastAttempt", now.toString());
+    await this.redis.lpush(historyKey, now.toString());
+    await this.redis.ltrim(historyKey, 0, 99);
+    if (current >= this.config.maxAttempts) {
+      const lockedUntil = new Date(now + this.config.lockDuration);
+      await this.redis.hset(key, {
+        lockedAt: now.toString(),
+        lockedUntil: lockedUntil.getTime().toString()
+      });
+      await this.redis.expire(
+        key,
+        Math.ceil(this.config.lockDuration / 1e3) + 3600
+      );
+      return {
+        locked: true,
+        attemptsRemaining: 0,
+        lockedUntil,
+        totalAttempts: current
+      };
+    }
+    return {
+      locked: false,
+      attemptsRemaining: Math.max(0, this.config.maxAttempts - current),
+      totalAttempts: current
+    };
+  }
+  async lockAccount(userId, duration) {
+    const key = this.lockKey(userId);
+    const now = Date.now();
+    const lockDuration = duration || this.config.lockDuration;
+    const lockedUntil = new Date(now + lockDuration);
+    const pipeline = this.redis.pipeline();
+    pipeline.hset(key, {
+      attempts: this.config.maxAttempts.toString(),
+      lockedAt: now.toString(),
+      lockedUntil: lockedUntil.getTime().toString()
+    });
+    pipeline.expire(key, Math.ceil(lockDuration / 1e3) + 3600);
+    await pipeline.exec();
+  }
+  async unlockAccount(userId) {
+    const key = this.lockKey(userId);
+    await this.redis.del(key);
+  }
+  async resetAttempts(userId) {
+    const key = this.lockKey(userId);
+    const data = await this.redis.hgetall(key);
+    if (data.lockedAt) {
+      await this.redis.hset(key, {
+        attempts: "0",
+        lockedAt: "",
+        lockedUntil: ""
+      });
+    } else {
+      await this.redis.del(key);
+    }
+  }
+  async getLockoutHistory(userId, limit = 10) {
+    const historyKey = this.historyKey(userId);
+    const timestamps = await this.redis.lrange(historyKey, 0, limit - 1);
+    return timestamps.map((ts) => new Date(parseInt(ts, 10)));
+  }
+  async getLockoutStats(userId) {
+    const historyKey = this.historyKey(userId);
+    const timestamps = await this.redis.lrange(historyKey, 0, -1);
+    const lockouts = timestamps.filter((_, i) => {
+      const attemptNum = i + 1;
+      return attemptNum % this.config.maxAttempts === 0;
+    }).length;
+    const lastLockoutData = await this.redis.hget(
+      this.lockKey(userId),
+      "lockedAt"
+    );
+    return {
+      totalFailedAttempts: timestamps.length,
+      lockoutCount: lockouts,
+      lastLockout: lastLockoutData ? new Date(parseInt(lastLockoutData, 10)) : null,
+      averageAttemptsBeforeLockout: lockouts > 0 ? this.config.maxAttempts : 0
+    };
+  }
+  shouldNotifyAdmin(currentAttempts) {
+    return this.config.notifyAdmin && currentAttempts >= this.config.adminNotifyAfter;
+  }
+  getConfig() {
+    return { ...this.config };
+  }
+  setConfig(config) {
+    this.config = { ...this.config, ...config };
+  }
+}
+
+const DEFAULT_RATE_LIMITS = {
+  "auth:login": { window: 9e5, max: 5 },
+  "auth:register": { window: 36e5, max: 3 },
+  "auth:forgot": { window: 36e5, max: 3 },
+  "auth:reset": { window: 36e5, max: 5 },
+  "auth:verify": { window: 36e5, max: 5 },
+  "api:general": { window: 6e4, max: 100 },
+  "api:authenticated": { window: 6e4, max: 200 }
+};
+class RateLimiter {
+  redis;
+  prefix;
+  limits;
+  userLimits;
+  constructor(redis, limits, userLimits, prefix = "kyro:ratelimit:") {
+    this.redis = redis;
+    this.prefix = prefix;
+    this.limits = { ...DEFAULT_RATE_LIMITS, ...limits };
+    this.userLimits = userLimits || {
+      "user:api": { window: 6e4, max: 500 },
+      "user:write": { window: 36e5, max: 100 }
+    };
+  }
+  getKey(type, identifier) {
+    return `${this.prefix}${type}:${identifier}`;
+  }
+  async check(type, identifier) {
+    const config = this.limits[type] || this.limits["api:general"];
+    const key = this.getKey(type, identifier);
+    const now = Date.now();
+    const windowStart = now - config.window;
+    const pipeline = this.redis.pipeline();
+    pipeline.zremrangebyscore(key, 0, windowStart);
+    pipeline.zcard(key);
+    pipeline.zadd(key, now, `${now}:${Math.random()}`);
+    pipeline.expire(key, Math.ceil(config.window / 1e3) + 1);
+    const results = await pipeline.exec();
+    const count = results?.[1]?.[1] || 0;
+    if (count >= config.max) {
+      const oldestTimestamp = await this.redis.zrange(key, 0, 0, "WITHSCORES");
+      const resetAt = oldestTimestamp.length > 1 ? parseInt(oldestTimestamp[1], 10) + config.window : now + config.window;
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        retryAfter: Math.ceil((resetAt - now) / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: config.max - count - 1,
+      resetAt: now + config.window
+    };
+  }
+  async checkUser(type, userId, identifier) {
+    const config = this.userLimits[type] || this.userLimits["user:api"];
+    const key = this.getKey(`user:${type}:${userId}`, identifier);
+    const now = Date.now();
+    const windowStart = now - config.window;
+    const pipeline = this.redis.pipeline();
+    pipeline.zremrangebyscore(key, 0, windowStart);
+    pipeline.zcard(key);
+    pipeline.zadd(key, now, `${now}:${Math.random()}`);
+    pipeline.expire(key, Math.ceil(config.window / 1e3) + 1);
+    const results = await pipeline.exec();
+    const count = results?.[1]?.[1] || 0;
+    if (count >= config.max) {
+      const oldestTimestamp = await this.redis.zrange(key, 0, 0, "WITHSCORES");
+      const resetAt = oldestTimestamp.length > 1 ? parseInt(oldestTimestamp[1], 10) + config.window : now + config.window;
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        retryAfter: Math.ceil((resetAt - now) / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: config.max - count - 1,
+      resetAt: now + config.window
+    };
+  }
+  async reset(type, identifier) {
+    const key = this.getKey(type, identifier);
+    await this.redis.del(key);
+  }
+  async resetUser(type, userId, identifier) {
+    const key = this.getKey(`user:${type}:${userId}`, identifier);
+    await this.redis.del(key);
+  }
+  async getStatus(type, identifier) {
+    const config = this.limits[type] || this.limits["api:general"];
+    const key = this.getKey(type, identifier);
+    const now = Date.now();
+    const windowStart = now - config.window;
+    await this.redis.zremrangebyscore(key, 0, windowStart);
+    const count = await this.redis.zcard(key);
+    return {
+      count,
+      limit: config.max,
+      remaining: Math.max(0, config.max - count),
+      resetAt: now + config.window
+    };
+  }
+  setLimit(type, config) {
+    this.limits[type] = config;
+  }
+  setUserLimit(type, config) {
+    this.userLimits[type] = config;
+  }
+}
+
+class AuditLogger {
+  redis;
+  prefix;
+  retentionDays;
+  constructor(redis, retentionDays = 30, prefix = "kyro:audit:") {
+    this.redis = redis;
+    this.prefix = prefix;
+    this.retentionDays = retentionDays;
+  }
+  async log(data) {
+    const id = randomBytes(16).toString("hex");
+    const timestamp = /* @__PURE__ */ new Date();
+    const log = {
+      ...data,
+      id,
+      timestamp
+    };
+    const key = this.getKeyForDate(timestamp);
+    const hashKey = `${this.prefix}log:${id}`;
+    await this.redis.hset(hashKey, this.serializeLog(log));
+    await this.redis.expire(hashKey, this.retentionDays * 24 * 60 * 60 + 3600);
+    await this.redis.zadd(key, timestamp.getTime(), id);
+    await this.redis.expire(key, this.retentionDays * 24 * 60 * 60 + 3600);
+    const userIndex = data.userId ? `${this.prefix}user:${data.userId}` : null;
+    if (userIndex) {
+      await this.redis.zadd(userIndex, timestamp.getTime(), id);
+      await this.redis.expire(
+        userIndex,
+        this.retentionDays * 24 * 60 * 60 + 3600
+      );
+    }
+    return id;
+  }
+  async get(id) {
+    const hashKey = `${this.prefix}log:${id}`;
+    const data = await this.redis.hgetall(hashKey);
+    if (!data || Object.keys(data).length === 0) {
+      return null;
+    }
+    return this.deserializeLog(data);
+  }
+  async query(filter = {}) {
+    const { limit = 50, offset = 0 } = filter;
+    let keys = [];
+    if (filter.userId) {
+      keys.push(`${this.prefix}user:${filter.userId}`);
+    } else if (filter.startDate || filter.endDate) {
+      keys = this.getKeysForDateRange(filter.startDate, filter.endDate);
+    } else {
+      const now = /* @__PURE__ */ new Date();
+      keys = this.getKeysForDateRange(
+        new Date(now.getTime() - this.retentionDays * 24 * 60 * 60 * 1e3),
+        now
+      );
+    }
+    let idScores = [];
+    for (const key of keys) {
+      const items = await this.redis.zrange(key, 0, -1, "WITHSCORES");
+      for (let i = 0; i < items.length; i += 2) {
+        idScores.push([items[i], parseInt(items[i + 1], 10)]);
+      }
+    }
+    idScores.sort((a, b) => b[1] - a[1]);
+    const total = idScores.length;
+    idScores = idScores.slice(offset, offset + limit);
+    const logs = [];
+    for (const [id] of idScores) {
+      const log = await this.get(id);
+      if (log) {
+        if (this.matchesFilter(log, filter)) {
+          logs.push(log);
+        }
+      }
+    }
+    return { logs, total };
+  }
+  async getRecent(limit = 50) {
+    const logs = [];
+    const now = /* @__PURE__ */ new Date();
+    const keys = this.getKeysForDateRange(
+      new Date(now.getTime() - 7 * 24 * 60 * 60 * 1e3),
+      now
+    );
+    let allIds = [];
+    for (const key of keys) {
+      const items = await this.redis.zrange(key, 0, -1, "WITHSCORES");
+      for (let i = 0; i < items.length; i += 2) {
+        allIds.push([items[i], parseInt(items[i + 1], 10)]);
+      }
+    }
+    allIds.sort((a, b) => b[1] - a[1]);
+    for (const [id] of allIds.slice(0, limit)) {
+      const log = await this.get(id);
+      if (log) logs.push(log);
+    }
+    return logs;
+  }
+  async getUserActivity(userId, limit = 50) {
+    const key = `${this.prefix}user:${userId}`;
+    const ids = await this.redis.zrange(key, 0, limit - 1);
+    const logs = [];
+    for (const id of ids) {
+      const log = await this.get(id);
+      if (log) logs.push(log);
+    }
+    return logs;
+  }
+  async getStats(startDate, endDate) {
+    const keys = this.getKeysForDateRange(
+      startDate || new Date(Date.now() - 30 * 24 * 60 * 60 * 1e3),
+      endDate || /* @__PURE__ */ new Date()
+    );
+    const byAction = {};
+    let totalEvents = 0;
+    let failedLogins = 0;
+    let successCount = 0;
+    const uniqueUsers = /* @__PURE__ */ new Set();
+    for (const key of keys) {
+      const ids = await this.redis.zrange(key, 0, -1);
+      for (const id of ids) {
+        const log = await this.get(id);
+        if (log) {
+          totalEvents++;
+          byAction[log.action] = (byAction[log.action] || 0) + 1;
+          if (log.success) {
+            successCount++;
+          }
+          if (log.action === "login_failed") {
+            failedLogins++;
+          }
+          if (log.userId) {
+            uniqueUsers.add(log.userId);
+          }
+        }
+      }
+    }
+    return {
+      totalEvents,
+      byAction,
+      successRate: totalEvents > 0 ? successCount / totalEvents : 1,
+      failedLogins,
+      uniqueUsers
+    };
+  }
+  async cleanup() {
+    const cutoff = Date.now() - this.retentionDays * 24 * 60 * 60 * 1e3;
+    const keys = await this.redis.keys(`${this.prefix}date:*`);
+    let deleted = 0;
+    for (const key of keys) {
+      const timestamp = await this.redis.zrangebyscore(key, 0, cutoff);
+      for (const id of timestamp) {
+        await this.redis.del(`${this.prefix}log:${id}`);
+        deleted++;
+      }
+      await this.redis.zremrangebyscore(key, 0, cutoff);
+    }
+    return deleted;
+  }
+  getKeyForDate(date) {
+    const year = date.getFullYear();
+    const month = String(date.getMonth() + 1).padStart(2, "0");
+    const day = String(date.getDate()).padStart(2, "0");
+    return `${this.prefix}date:${year}-${month}-${day}`;
+  }
+  getKeysForDateRange(start, end) {
+    const keys = [];
+    const startDate = start || new Date(Date.now() - this.retentionDays * 24 * 60 * 60 * 1e3);
+    const endDate = end || /* @__PURE__ */ new Date();
+    const current = new Date(startDate);
+    while (current <= endDate) {
+      keys.push(this.getKeyForDate(current));
+      current.setDate(current.getDate() + 1);
+    }
+    return keys;
+  }
+  matchesFilter(log, filter) {
+    if (filter.action) {
+      const actions = Array.isArray(filter.action) ? filter.action : [filter.action];
+      if (!actions.includes(log.action)) return false;
+    }
+    if (filter.resource && log.resource !== filter.resource) return false;
+    if (filter.resourceId && log.resourceId !== filter.resourceId) return false;
+    if (filter.success !== void 0 && log.success !== filter.success)
+      return false;
+    return true;
+  }
+  serializeLog(log) {
+    const result = {
+      id: log.id,
+      timestamp: log.timestamp.toISOString(),
+      action: log.action,
+      resource: log.resource,
+      success: log.success ? "1" : "0"
+    };
+    if (log.userId) result.userId = log.userId;
+    if (log.userEmail) result.userEmail = log.userEmail;
+    if (log.role) result.role = log.role;
+    if (log.resourceId) result.resourceId = log.resourceId;
+    if (log.ipAddress) result.ipAddress = log.ipAddress;
+    if (log.userAgent) result.userAgent = log.userAgent;
+    if (log.error) result.error = log.error;
+    if (log.changes) result.changes = JSON.stringify(log.changes);
+    if (log.metadata) result.metadata = JSON.stringify(log.metadata);
+    return result;
+  }
+  deserializeLog(data) {
+    return {
+      id: data.id,
+      timestamp: new Date(data.timestamp),
+      action: data.action,
+      userId: data.userId,
+      userEmail: data.userEmail,
+      role: data.role,
+      resource: data.resource,
+      resourceId: data.resourceId,
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent,
+      success: data.success === "1",
+      error: data.error,
+      changes: data.changes ? JSON.parse(data.changes) : void 0,
+      metadata: data.metadata ? JSON.parse(data.metadata) : void 0
+    };
+  }
+}
+function createAuditContext(req) {
+  return {
+    ipAddress: req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || "unknown",
+    userAgent: req.headers.get("user-agent") || "unknown"
+  };
+}
+
+function defaultExtractToken(req) {
+  const authHeader = req.headers.get("Authorization");
+  if (authHeader?.startsWith("Bearer ")) {
+    return authHeader.slice(7);
+  }
+  const cookieHeader = req.headers.get("Cookie");
+  if (cookieHeader) {
+    const cookies = Object.fromEntries(
+      cookieHeader.split("; ").map((c) => {
+        const [key, ...val] = c.split("=");
+        return [key.trim(), val.join("=")];
+      })
+    );
+    return cookies["auth_token"] || null;
+  }
+  return null;
+}
+function generateToken(payload, secret, options = {}) {
+  return jwt.sign(payload, secret, {
+    expiresIn: options.expiresIn || "24h",
+    issuer: options.issuer,
+    audience: options.audience
+  });
+}
+
+class AuthRoutes {
+  redis;
+  email;
+  jwtSecret;
+  jwtExpiresIn;
+  jwtIssuer;
+  jwtAudience;
+  passwordPolicy;
+  lockout;
+  rateLimiter;
+  auditLogger;
+  baseUrl;
+  emailVerificationRequired;
+  constructor(config) {
+    this.redis = config.redis;
+    this.email = config.email;
+    this.jwtSecret = config.jwtSecret;
+    this.jwtExpiresIn = config.jwtExpiresIn || "24h";
+    this.jwtIssuer = config.jwtIssuer;
+    this.jwtAudience = config.jwtAudience;
+    this.passwordPolicy = config.passwordPolicy || new PasswordPolicy();
+    this.lockout = config.lockout;
+    this.rateLimiter = config.rateLimiter;
+    this.auditLogger = config.auditLogger;
+    this.baseUrl = config.baseUrl || "http://localhost:3000";
+    this.emailVerificationRequired = config.emailVerificationRequired ?? true;
+  }
+  async register(req) {
+    const { ipAddress, userAgent } = createAuditContext(req);
+    if (this.rateLimiter) {
+      const limit = await this.rateLimiter.check("auth:register", ipAddress);
+      if (!limit.allowed) {
+        return this.rateLimitResponse(limit);
+      }
+    }
+    try {
+      const body = await req.json();
+      if (!body.email || !body.password) {
+        return this.errorResponse("Email and password are required", 400);
+      }
+      if (body.password !== body.confirmPassword) {
+        return this.errorResponse("Passwords do not match", 400);
+      }
+      const passwordValidation = this.passwordPolicy.validate(body.password);
+      if (!passwordValidation.valid) {
+        return this.errorResponse(passwordValidation.errors.join(". "), 400);
+      }
+      const existingUser = await this.redis.findUserByEmail(body.email);
+      if (existingUser) {
+        return this.errorResponse("Email already registered", 400);
+      }
+      const passwordHash = await this.redis.hashPassword(body.password);
+      const user = await this.redis.createUser({
+        email: body.email,
+        passwordHash,
+        role: body.role || "customer",
+        tenantId: body.tenantId
+      });
+      if (this.emailVerificationRequired && this.email) {
+        const verificationToken = randomBytes(32).toString("hex");
+        const verificationUrl = `${this.baseUrl}/api/auth/verify?token=${verificationToken}`;
+        await this.redis.createSession(user.id, { ipAddress, userAgent });
+        const template = this.email.getTemplates().verifyEmail(verificationUrl, body.email);
+        await this.email.send({ to: body.email, ...template });
+      }
+      if (this.auditLogger) {
+        await this.auditLogger.log({
+          action: "register",
+          userId: user.id,
+          userEmail: user.email,
+          resource: "auth",
+          ipAddress,
+          userAgent,
+          success: true
+        });
+      }
+      return this.jsonResponse(
+        {
+          success: true,
+          message: "Registration successful",
+          user: this.sanitizeUser(user),
+          requiresVerification: this.emailVerificationRequired && !!this.email
+        },
+        201
+      );
+    } catch (error) {
+      return this.errorResponse("Registration failed", 500);
+    }
+  }
+  async login(req) {
+    const { ipAddress, userAgent } = createAuditContext(req);
+    if (this.rateLimiter) {
+      const limit = await this.rateLimiter.check("auth:login", ipAddress);
+      if (!limit.allowed) {
+        return this.rateLimitResponse(limit);
+      }
+    }
+    try {
+      const body = await req.json();
+      if (!body.email || !body.password) {
+        return this.errorResponse("Email and password are required", 400);
+      }
+      const user = await this.redis.findUserByEmail(body.email);
+      if (!user) {
+        await this.recordFailedLogin(ipAddress, userAgent);
+        return this.errorResponse("Invalid credentials", 401);
+      }
+      if (this.lockout) {
+        const lockoutStatus = await this.lockout.checkLockout(user.id);
+        if (lockoutStatus.locked) {
+          if (this.auditLogger) {
+            await this.auditLogger.log({
+              action: "login_failed",
+              userId: user.id,
+              userEmail: user.email,
+              resource: "auth",
+              ipAddress,
+              userAgent,
+              success: false,
+              error: "Account locked"
+            });
+          }
+          return this.errorResponse(
+            `Account locked. Try again in ${Math.ceil((lockoutStatus.lockedUntil.getTime() - Date.now()) / 6e4)} minutes`,
+            423
+          );
+        }
+      }
+      const validPassword = user.passwordHash ? await this.redis.verifyPassword(body.password, user.passwordHash) : false;
+      if (!validPassword) {
+        await this.recordFailedLogin(ipAddress, userAgent, user.id, user.email);
+        return this.errorResponse("Invalid credentials", 401);
+      }
+      if (this.lockout) {
+        await this.lockout.resetAttempts(user.id);
+      }
+      const session = await this.redis.createSession(user.id, {
+        ipAddress,
+        userAgent
+      });
+      const payload = {
+        sub: user.id,
+        email: user.email,
+        role: user.role,
+        tenantId: user.tenantId,
+        iat: Math.floor(Date.now() / 1e3),
+        exp: Math.floor(Date.now() / 1e3) + 86400
+      };
+      const accessToken = generateToken(payload, this.jwtSecret, {
+        expiresIn: this.jwtExpiresIn,
+        issuer: this.jwtIssuer,
+        audience: this.jwtAudience
+      });
+      if (this.auditLogger) {
+        await this.auditLogger.log({
+          action: "login",
+          userId: user.id,
+          userEmail: user.email,
+          role: user.role,
+          resource: "auth",
+          ipAddress,
+          userAgent,
+          success: true
+        });
+      }
+      await this.redis.updateUser(user.id, {
+        lastLogin: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return this.jsonResponse({
+        success: true,
+        user: this.sanitizeUser(user),
+        accessToken,
+        refreshToken: session.refreshToken,
+        expiresIn: this.jwtExpiresIn
+      });
+    } catch (error) {
+      return this.errorResponse("Login failed", 500);
+    }
+  }
+  async logout(req) {
+    const token = defaultExtractToken(req);
+    if (!token) {
+      return this.errorResponse("No session to logout", 401);
+    }
+    const { ipAddress, userAgent } = createAuditContext(req);
+    try {
+      const payload = jwt.decode(token);
+      if (payload && payload.sub) {
+        await this.redis.deleteUserSessions(payload.sub);
+        if (this.auditLogger) {
+          await this.auditLogger.log({
+            action: "logout",
+            userId: payload.sub,
+            userEmail: payload.email,
+            resource: "auth",
+            ipAddress,
+            userAgent,
+            success: true
+          });
+        }
+      }
+      return this.jsonResponse({
+        success: true,
+        message: "Logged out successfully"
+      });
+    } catch (error) {
+      return this.errorResponse("Logout failed", 500);
+    }
+  }
+  async refresh(req) {
+    try {
+      const body = await req.json();
+      const { refreshToken } = body;
+      if (!refreshToken) {
+        return this.errorResponse("Refresh token required", 400);
+      }
+      return this.jsonResponse({ success: true, accessToken: "" });
+    } catch (error) {
+      return this.errorResponse("Token refresh failed", 500);
+    }
+  }
+  async me(req) {
+    const token = defaultExtractToken(req);
+    if (!token) {
+      return this.errorResponse("Not authenticated", 401);
+    }
+    try {
+      const payload = jwt.verify(token, this.jwtSecret, {
+        issuer: this.jwtIssuer,
+        audience: this.jwtAudience
+      });
+      const user = await this.redis.findUserById(payload.sub);
+      if (!user) {
+        return this.errorResponse("User not found", 404);
+      }
+      return this.jsonResponse({
+        success: true,
+        user: this.sanitizeUser(user)
+      });
+    } catch (error) {
+      return this.errorResponse("Authentication failed", 401);
+    }
+  }
+  async changePassword(req) {
+    const token = defaultExtractToken(req);
+    if (!token) {
+      return this.errorResponse("Not authenticated", 401);
+    }
+    const { ipAddress, userAgent } = createAuditContext(req);
+    try {
+      const payload = jwt.verify(token, this.jwtSecret);
+      const body = await req.json();
+      const { currentPassword, newPassword, confirmPassword } = body;
+      if (!currentPassword || !newPassword) {
+        return this.errorResponse("Current and new password required", 400);
+      }
+      if (newPassword !== confirmPassword) {
+        return this.errorResponse("Passwords do not match", 400);
+      }
+      const passwordValidation = this.passwordPolicy.validate(newPassword);
+      if (!passwordValidation.valid) {
+        return this.errorResponse(passwordValidation.errors.join(". "), 400);
+      }
+      const user = await this.redis.findUserById(payload.sub);
+      if (!user) {
+        return this.errorResponse("User not found", 404);
+      }
+      const validPassword = user.passwordHash ? await this.redis.verifyPassword(currentPassword, user.passwordHash) : false;
+      if (!validPassword) {
+        return this.errorResponse("Current password is incorrect", 401);
+      }
+      const passwordHistory = await this.redis.getPasswordHistory(user.id, 5);
+      const isReused = await this.redis.isPasswordInHistory(
+        newPassword,
+        user.id,
+        5
+      );
+      if (isReused) {
+        return this.errorResponse(
+          "Password was recently used. Please choose a different password",
+          400
+        );
+      }
+      const newPasswordHash = await this.redis.hashPassword(newPassword);
+      if (user.passwordHash) {
+        await this.redis.addPasswordToHistory(user.id, user.passwordHash);
+      }
+      await this.redis.updateUser(user.id, { passwordHash: newPasswordHash });
+      await this.redis.deleteUserSessions(user.id);
+      if (this.email && this.email.getTemplates) {
+        const template = this.email.getTemplates().passwordChanged(user.email);
+        await this.email.send({ to: user.email, ...template });
+      }
+      if (this.auditLogger) {
+        await this.auditLogger.log({
+          action: "password_change",
+          userId: user.id,
+          userEmail: user.email,
+          resource: "auth",
+          ipAddress,
+          userAgent,
+          success: true
+        });
+      }
+      return this.jsonResponse({
+        success: true,
+        message: "Password changed successfully"
+      });
+    } catch (error) {
+      return this.errorResponse("Password change failed", 500);
+    }
+  }
+  async forgotPassword(req) {
+    const { ipAddress, userAgent } = createAuditContext(req);
+    if (this.rateLimiter) {
+      const limit = await this.rateLimiter.check("auth:forgot", ipAddress);
+      if (!limit.allowed) {
+        return this.rateLimitResponse(limit);
+      }
+    }
+    try {
+      const body = await req.json();
+      const { email } = body;
+      if (!email) {
+        return this.errorResponse("Email required", 400);
+      }
+      const user = await this.redis.findUserByEmail(email);
+      if (!user) {
+        return this.jsonResponse({
+          success: true,
+          message: "If the email exists, a reset link has been sent"
+        });
+      }
+      if (this.email) {
+        const resetToken = randomBytes(32).toString("hex");
+        const resetUrl = `${this.baseUrl}/api/auth/reset-password?token=${resetToken}`;
+        const template = this.email.getTemplates().resetPassword(resetUrl, user.email);
+        await this.email.send({ to: user.email, ...template });
+      }
+      if (this.auditLogger) {
+        await this.auditLogger.log({
+          action: "password_reset_request",
+          userId: user.id,
+          userEmail: user.email,
+          resource: "auth",
+          ipAddress,
+          userAgent,
+          success: true
+        });
+      }
+      return this.jsonResponse({
+        success: true,
+        message: "If the email exists, a reset link has been sent"
+      });
+    } catch (error) {
+      return this.errorResponse("Password reset request failed", 500);
+    }
+  }
+  async verifyEmail(req) {
+    const url = new URL(req.url);
+    const token = url.searchParams.get("token");
+    if (!token) {
+      return this.errorResponse("Verification token required", 400);
+    }
+    try {
+      return this.jsonResponse({ success: true, message: "Email verified" });
+    } catch (error) {
+      return this.errorResponse("Email verification failed", 500);
+    }
+  }
+  async recordFailedLogin(ipAddress, userAgent, userId, userEmail) {
+    if (this.lockout) {
+      await this.lockout.recordFailedAttempt(userId || ipAddress);
+    }
+    if (this.auditLogger) {
+      await this.auditLogger.log({
+        action: "login_failed",
+        userId,
+        userEmail,
+        resource: "auth",
+        ipAddress,
+        userAgent,
+        success: false,
+        error: "Invalid credentials"
+      });
+    }
+  }
+  sanitizeUser(user) {
+    const { passwordHash, ...sanitized } = user;
+    return sanitized;
+  }
+  jsonResponse(data, status = 200) {
+    return new Response(JSON.stringify(data), {
+      status,
+      headers: {
+        "Content-Type": "application/json"
+      }
+    });
+  }
+  errorResponse(message, status) {
+    return new Response(JSON.stringify({ success: false, error: message }), {
+      status,
+      headers: {
+        "Content-Type": "application/json"
+      }
+    });
+  }
+  rateLimitResponse(limit) {
+    return new Response(
+      JSON.stringify({
+        success: false,
+        error: "Too many requests",
+        retryAfter: limit.retryAfter
+      }),
+      {
+        status: 429,
+        headers: {
+          "Content-Type": "application/json",
+          "Retry-After": String(limit.retryAfter || 60)
+        }
+      }
+    );
+  }
+}
+
+function getEnv(key, fallback = "") {
+  return process.env[key] || fallback;
+}
+function getEnvBool(key, fallback = false) {
+  const val = process.env[key];
+  if (!val) return fallback;
+  return val.toLowerCase() === "true";
+}
+function getEnvNum(key, fallback = 0) {
+  const val = process.env[key];
+  if (!val) return fallback;
+  return parseInt(val, 10);
+}
+async function createAuthConfig() {
+  const redisUrl = getEnv("REDIS_URL", "redis://localhost:6379");
+  const redisKeyPrefix = getEnv("REDIS_KEY_PREFIX", "kyro:auth:");
+  const redisSessionTTL = getEnvNum("REDIS_SESSION_TTL", 86400);
+  const redisRefreshTTL = getEnvNum("REDIS_REFRESH_TOKEN_TTL", 604800);
+  const redisAdapter = new RedisAuthAdapter({
+    url: redisUrl,
+    keyPrefix: redisKeyPrefix,
+    tokenExpiration: redisSessionTTL,
+    refreshTokenExpiration: redisRefreshTTL,
+    tls: getEnvBool("REDIS_TLS", false)
+  });
+  await redisAdapter.connect();
+  const redisClient = redisAdapter.redis;
+  const emailConfig = getEmailConfig();
+  const email = emailConfig ? new EmailTransport(emailConfig) : void 0;
+  const passwordPolicy = new PasswordPolicy({
+    minLength: getEnvNum("PASSWORD_MIN_LENGTH", 12),
+    requireUppercase: getEnvBool("PASSWORD_REQUIRE_UPPERCASE", true),
+    requireLowercase: getEnvBool("PASSWORD_REQUIRE_LOWERCASE", true),
+    requireNumbers: getEnvBool("PASSWORD_REQUIRE_NUMBERS", true),
+    requireSpecialChars: getEnvBool("PASSWORD_REQUIRE_SPECIAL", true),
+    preventReuse: getEnvNum("PASSWORD_PREVENT_REUSE", 5),
+    maxLength: getEnvNum("PASSWORD_MAX_LENGTH", 128)
+  });
+  let lockout;
+  if (getEnvBool("LOCKOUT_ENABLED", true)) {
+    lockout = new AccountLockout(redisClient, {
+      maxAttempts: getEnvNum("LOCKOUT_MAX_ATTEMPTS", 5),
+      lockDuration: getEnvNum("LOCKOUT_DURATION_MINUTES", 15) * 60 * 1e3
+    });
+  }
+  let rateLimiter;
+  if (getEnvBool("RATE_LIMIT_ENABLED", true)) {
+    rateLimiter = new RateLimiter(redisClient, {
+      "auth:login": {
+        window: getEnvNum("RATE_LIMIT_AUTH_WINDOW_MS", 9e5),
+        max: getEnvNum("RATE_LIMIT_AUTH_MAX_REQUESTS", 10)
+      },
+      "api:general": {
+        window: getEnvNum("RATE_LIMIT_WINDOW_MS", 6e4),
+        max: getEnvNum("RATE_LIMIT_MAX_REQUESTS", 100)
+      }
+    });
+  }
+  let auditLogger;
+  if (getEnvBool("AUDIT_LOG_ENABLED", true)) {
+    auditLogger = new AuditLogger(
+      redisClient,
+      getEnvNum("AUDIT_LOG_RETENTION_DAYS", 30)
+    );
+  }
+  const routes = new AuthRoutes({
+    redis: redisAdapter,
+    email,
+    jwtSecret: getEnv("JWT_SECRET", "change-me"),
+    jwtExpiresIn: getEnv("JWT_EXPIRES_IN", "24h"),
+    jwtIssuer: getEnv("JWT_ISSUER", "kyro-cms"),
+    jwtAudience: getEnv("JWT_AUDIENCE", "kyro-cms-client"),
+    passwordPolicy,
+    lockout,
+    rateLimiter,
+    auditLogger,
+    baseUrl: getEnv("EMAIL_BASE_URL", "http://localhost:4321"),
+    emailVerificationRequired: getEnvBool("EMAIL_VERIFICATION_REQUIRED", true)
+  });
+  return {
+    redis: redisAdapter,
+    redisClient,
+    email,
+    passwordPolicy,
+    lockout,
+    rateLimiter,
+    auditLogger,
+    routes
+  };
+}
+function getEmailConfig() {
+  const host = getEnv("SMTP_HOST");
+  if (!host) return void 0;
+  return {
+    host,
+    port: getEnvNum("SMTP_PORT", 587),
+    secure: getEnvBool("SMTP_SECURE", false),
+    auth: {
+      user: getEnv("SMTP_USER"),
+      pass: getEnv("SMTP_PASS")
+    },
+    from: getEnv("SMTP_FROM", "noreply@example.com"),
+    fromName: getEnv("SMTP_FROM_NAME", "Kyro CMS")
+  };
+}
+createAuthConfig();
+
+const minimalCollections = {
+  posts: {
+    slug: "posts",
+    label: "Posts",
+    labelPlural: "Posts",
+    singularLabel: "Post",
+    admin: {
+      useAsTitle: "title",
+      defaultColumns: ["title", "status", "createdAt"],
+      description: "Blog posts and articles"
+    },
+    fields: [
+      {
+        name: "title",
+        type: "text",
+        required: true,
+        label: "Title",
+        admin: { description: "The post title" }
+      },
+      {
+        name: "slug",
+        type: "text",
+        required: true,
+        label: "Slug",
+        admin: { description: "URL-friendly identifier" }
+      },
+      {
+        name: "content",
+        type: "richtext",
+        label: "Content"
+      },
+      {
+        name: "status",
+        type: "select",
+        label: "Status",
+        options: [
+          { label: "Draft", value: "draft" },
+          { label: "Published", value: "published" }
+        ],
+        defaultValue: "draft",
+        admin: {
+          description: "Publication status"
+        }
+      },
+      {
+        name: "publishedAt",
+        type: "date",
+        label: "Published At",
+        admin: { description: "When to publish this post" }
+      }
+    ],
+    timestamps: true
+  }
+};
+
+const blogCollections = {
+  posts: {
+    slug: "posts",
+    label: "Posts",
+    labelPlural: "Posts",
+    singularLabel: "Post",
+    admin: {
+      useAsTitle: "title",
+      defaultColumns: ["title", "category", "status", "createdAt"],
+      description: "Blog posts and articles"
+    },
+    fields: [
+      {
+        name: "title",
+        type: "text",
+        required: true,
+        label: "Title",
+        admin: {
+          description: "The main title of the post as it will appear publicly."
+        }
+      },
+      {
+        name: "slug",
+        type: "text",
+        required: true,
+        label: "Slug",
+        admin: { description: "The URL-friendly identifier for the post." }
+      },
+      {
+        name: "excerpt",
+        type: "textarea",
+        label: "Excerpt",
+        admin: {
+          description: "A brief summary of the post used in listings and SEO meta tags."
+        }
+      },
+      {
+        name: "content",
+        type: "richtext",
+        label: "Content",
+        admin: {
+          description: "The comprehensive body content of the blog post."
+        }
+      },
+      {
+        name: "featuredImage",
+        type: "upload",
+        label: "Featured Image",
+        relationTo: "media",
+        admin: {
+          description: "The primary visual used to represent this post."
+        }
+      },
+      {
+        name: "category",
+        type: "relationship",
+        label: "Category",
+        relationTo: "categories",
+        admin: {
+          description: "Select the primary category this post belongs to."
+        }
+      },
+      {
+        name: "tags",
+        type: "array",
+        label: "Tags",
+        fields: [{ name: "tag", type: "text" }]
+      },
+      {
+        name: "status",
+        type: "select",
+        label: "Status",
+        options: [
+          { label: "Draft", value: "draft" },
+          { label: "Published", value: "published" }
+        ],
+        defaultValue: "draft"
+      },
+      {
+        name: "publishedAt",
+        type: "date",
+        label: "Published At"
+      }
+    ],
+    timestamps: true
+  },
+  categories: {
+    slug: "categories",
+    label: "Categories",
+    labelPlural: "Categories",
+    singularLabel: "Category",
+    admin: {
+      useAsTitle: "name",
+      defaultColumns: ["name", "slug"],
+      description: "Post categories"
+    },
+    fields: [
+      {
+        name: "name",
+        type: "text",
+        required: true,
+        label: "Name"
+      },
+      {
+        name: "slug",
+        type: "text",
+        required: true,
+        label: "Slug"
+      },
+      {
+        name: "description",
+        type: "textarea",
+        label: "Description"
+      },
+      {
+        name: "parent",
+        type: "relationship",
+        label: "Parent Category",
+        relationTo: "categories"
+      }
+    ],
+    timestamps: true
+  }
+};
+
+const ecommerceCollections = {
+  products: {
+    slug: "products",
+    label: "Products",
+    labelPlural: "Products",
+    singularLabel: "Product",
+    admin: {
+      useAsTitle: "title",
+      defaultColumns: ["title", "price", "status", "inventory"],
+      description: "Product catalog"
+    },
+    fields: [
+      {
+        name: "title",
+        type: "text",
+        required: true,
+        label: "Title"
+      },
+      {
+        name: "slug",
+        type: "text",
+        required: true,
+        label: "Slug"
+      },
+      {
+        name: "description",
+        type: "richtext",
+        label: "Description"
+      },
+      {
+        name: "price",
+        type: "number",
+        required: true,
+        label: "Price"
+      },
+      {
+        name: "compareAtPrice",
+        type: "number",
+        label: "Compare at Price",
+        admin: { description: "Original price for sale display" }
+      },
+      {
+        name: "costPrice",
+        type: "number",
+        label: "Cost Price",
+        admin: { description: "For profit calculation" }
+      },
+      {
+        name: "sku",
+        type: "text",
+        required: true,
+        label: "SKU"
+      },
+      {
+        name: "barcode",
+        type: "text",
+        label: "Barcode"
+      },
+      {
+        name: "status",
+        type: "select",
+        label: "Status",
+        options: [
+          { label: "Draft", value: "draft" },
+          { label: "Active", value: "active" },
+          { label: "Archived", value: "archived" }
+        ],
+        defaultValue: "draft"
+      },
+      {
+        name: "images",
+        type: "array",
+        label: "Images",
+        fields: [
+          { name: "url", type: "text", label: "URL" },
+          { name: "alt", type: "text", label: "Alt Text" }
+        ]
+      },
+      {
+        name: "category",
+        type: "relationship",
+        label: "Category",
+        relationTo: "categories"
+      },
+      {
+        name: "inventory",
+        type: "number",
+        label: "Inventory",
+        defaultValue: 0
+      }
+    ],
+    timestamps: true
+  },
+  categories: {
+    slug: "categories",
+    label: "Categories",
+    labelPlural: "Categories",
+    singularLabel: "Category",
+    admin: {
+      useAsTitle: "name",
+      defaultColumns: ["name", "slug", "productCount"],
+      description: "Product categories"
+    },
+    fields: [
+      { name: "name", type: "text", required: true, label: "Name" },
+      { name: "slug", type: "text", required: true, label: "Slug" },
+      { name: "description", type: "textarea", label: "Description" },
+      { name: "image", type: "text", label: "Image URL" },
+      {
+        name: "parent",
+        type: "relationship",
+        label: "Parent Category",
+        relationTo: "categories"
+      }
+    ],
+    timestamps: true
+  },
+  customers: {
+    slug: "customers",
+    label: "Customers",
+    labelPlural: "Customers",
+    singularLabel: "Customer",
+    admin: {
+      useAsTitle: "email",
+      defaultColumns: [
+        "email",
+        "firstName",
+        "lastName",
+        "orderCount",
+        "createdAt"
+      ],
+      description: "Customer accounts"
+    },
+    fields: [
+      { name: "email", type: "email", required: true, label: "Email" },
+      { name: "firstName", type: "text", label: "First Name" },
+      { name: "lastName", type: "text", label: "Last Name" },
+      { name: "phone", type: "text", label: "Phone" },
+      {
+        name: "addresses",
+        type: "array",
+        label: "Addresses",
+        fields: [
+          { name: "type", type: "text", label: "Type" },
+          { name: "line1", type: "text", label: "Address Line 1" },
+          { name: "line2", type: "text", label: "Address Line 2" },
+          { name: "city", type: "text", label: "City" },
+          { name: "state", type: "text", label: "State" },
+          { name: "postalCode", type: "text", label: "Postal Code" },
+          { name: "country", type: "text", label: "Country" }
+        ]
+      },
+      {
+        name: "status",
+        type: "select",
+        label: "Status",
+        options: [
+          { label: "Active", value: "active" },
+          { label: "Inactive", value: "inactive" },
+          { label: "Banned", value: "banned" }
+        ],
+        defaultValue: "active"
+      }
+    ],
+    timestamps: true
+  },
+  orders: {
+    slug: "orders",
+    label: "Orders",
+    labelPlural: "Orders",
+    singularLabel: "Order",
+    admin: {
+      useAsTitle: "orderNumber",
+      defaultColumns: [
+        "orderNumber",
+        "customer",
+        "status",
+        "total",
+        "createdAt"
+      ],
+      description: "Customer orders"
+    },
+    fields: [
+      {
+        name: "orderNumber",
+        type: "text",
+        required: true,
+        label: "Order Number"
+      },
+      {
+        name: "customer",
+        type: "relationship",
+        required: true,
+        label: "Customer",
+        relationTo: "customers"
+      },
+      {
+        name: "status",
+        type: "select",
+        label: "Status",
+        options: [
+          { label: "Pending", value: "pending" },
+          { label: "Confirmed", value: "confirmed" },
+          { label: "Processing", value: "processing" },
+          { label: "Shipped", value: "shipped" },
+          { label: "Delivered", value: "delivered" },
+          { label: "Cancelled", value: "cancelled" },
+          { label: "Refunded", value: "refunded" }
+        ],
+        defaultValue: "pending"
+      },
+      {
+        name: "paymentStatus",
+        type: "select",
+        label: "Payment Status",
+        options: [
+          { label: "Pending", value: "pending" },
+          { label: "Paid", value: "paid" },
+          { label: "Failed", value: "failed" },
+          { label: "Refunded", value: "refunded" }
+        ],
+        defaultValue: "pending"
+      },
+      {
+        name: "items",
+        type: "array",
+        label: "Items",
+        fields: [
+          { name: "product", type: "text", label: "Product" },
+          { name: "quantity", type: "number", label: "Quantity" },
+          { name: "unitPrice", type: "number", label: "Unit Price" },
+          { name: "total", type: "number", label: "Total" }
+        ]
+      },
+      { name: "subtotal", type: "number", required: true, label: "Subtotal" },
+      { name: "tax", type: "number", label: "Tax" },
+      { name: "shipping", type: "number", label: "Shipping" },
+      { name: "discount", type: "number", label: "Discount" },
+      { name: "total", type: "number", required: true, label: "Total" },
+      { name: "notes", type: "textarea", label: "Notes" }
+    ],
+    timestamps: true
+  },
+  coupons: {
+    slug: "coupons",
+    label: "Coupons",
+    labelPlural: "Coupons",
+    singularLabel: "Coupon",
+    admin: {
+      useAsTitle: "code",
+      defaultColumns: ["code", "type", "value", "active", "expiresAt"],
+      description: "Discount codes and promotions"
+    },
+    fields: [
+      { name: "code", type: "text", required: true, label: "Code" },
+      {
+        name: "type",
+        type: "select",
+        required: true,
+        label: "Type",
+        options: [
+          { label: "Percentage", value: "percentage" },
+          { label: "Fixed Amount", value: "fixed" },
+          { label: "Free Shipping", value: "freeShipping" }
+        ]
+      },
+      { name: "value", type: "number", label: "Value" },
+      { name: "minPurchase", type: "number", label: "Minimum Purchase" },
+      { name: "maxDiscount", type: "number", label: "Max Discount" },
+      { name: "usageLimit", type: "number", label: "Usage Limit" },
+      {
+        name: "usedCount",
+        type: "number",
+        defaultValue: 0,
+        label: "Used Count"
+      },
+      { name: "startsAt", type: "date", label: "Starts At" },
+      { name: "expiresAt", type: "date", label: "Expires At" },
+      { name: "active", type: "checkbox", defaultValue: true, label: "Active" }
+    ],
+    timestamps: true
+  }
+};
+
+const kitchenSinkCollections = {
+  pages: {
+    slug: "pages",
+    label: "Pages",
+    labelPlural: "Pages",
+    singularLabel: "Page",
+    admin: {
+      useAsTitle: "title",
+      defaultColumns: ["title", "slug", "status", "updatedAt"],
+      description: "Static pages with custom layouts"
+    },
+    fields: [
+      {
+        name: "title",
+        type: "text",
+        required: true,
+        label: "Title"
+      },
+      {
+        name: "slug",
+        type: "text",
+        required: true,
+        label: "Slug",
+        admin: { description: "URL-friendly identifier" }
+      },
+      {
+        name: "content",
+        type: "blocks",
+        label: "Content",
+        blocks: [
+          {
+            slug: "hero",
+            label: "Hero Section",
+            fields: [
+              { name: "heading", type: "text", label: "Heading" },
+              { name: "subheading", type: "textarea", label: "Subheading" },
+              { name: "ctaText", type: "text", label: "CTA Button Text" },
+              { name: "ctaUrl", type: "text", label: "CTA Button URL" }
+            ]
+          },
+          {
+            slug: "text",
+            label: "Text Block",
+            fields: [{ name: "content", type: "richtext", label: "Content" }]
+          },
+          {
+            slug: "image",
+            label: "Image",
+            fields: [
+              {
+                name: "image",
+                type: "upload",
+                label: "Image",
+                relationTo: "media"
+              },
+              { name: "caption", type: "text", label: "Caption" },
+              { name: "alt", type: "text", label: "Alt Text" }
+            ]
+          },
+          {
+            slug: "cta",
+            label: "Call to Action",
+            fields: [
+              { name: "heading", type: "text", label: "Heading" },
+              { name: "description", type: "textarea", label: "Description" },
+              { name: "buttonText", type: "text", label: "Button Text" },
+              { name: "buttonUrl", type: "text", label: "Button URL" }
+            ]
+          }
+        ]
+      },
+      {
+        name: "status",
+        type: "select",
+        label: "Status",
+        options: [
+          { label: "Draft", value: "draft" },
+          { label: "Published", value: "published" }
+        ],
+        defaultValue: "draft"
+      },
+      {
+        name: "publishedAt",
+        type: "date",
+        label: "Published At"
+      }
+    ],
+    timestamps: true
+  },
+  navigation: {
+    slug: "navigation",
+    label: "Navigation",
+    labelPlural: "Navigation",
+    singularLabel: "Navigation Item",
+    admin: {
+      useAsTitle: "label",
+      defaultColumns: ["label", "url", "location"],
+      description: "Site navigation menus"
+    },
+    fields: [
+      { name: "label", type: "text", required: true, label: "Label" },
+      { name: "url", type: "text", required: true, label: "URL" },
+      {
+        name: "location",
+        type: "select",
+        label: "Location",
+        options: [
+          { label: "Header", value: "header" },
+          { label: "Footer", value: "footer" },
+          { label: "Mobile", value: "mobile" }
+        ]
+      },
+      { name: "order", type: "number", label: "Sort Order", defaultValue: 0 },
+      {
+        name: "parent",
+        type: "relationship",
+        label: "Parent Item",
+        relationTo: "navigation"
+      },
+      {
+        name: "newTab",
+        type: "checkbox",
+        label: "Open in New Tab",
+        defaultValue: false
+      }
+    ],
+    timestamps: true
+  }
+};
+
+const mediaCollection = {
+  slug: "media",
+  label: "Media Library",
+  admin: {
+    useAsTitle: "title",
+    defaultColumns: ["thumbnailUrl", "title", "type", "fileSize", "createdAt"],
+    group: "content"
+  },
+  access: {
+    read: () => true,
+    create: () => true,
+    update: () => true,
+    delete: () => true
+  },
+  fields: [
+    {
+      name: "title",
+      type: "text",
+      label: "Title",
+      required: true,
+      admin: {
+        description: "Descriptive title for the file"
+      }
+    },
+    {
+      name: "filename",
+      type: "text",
+      label: "Filename",
+      required: true,
+      admin: {
+        readOnly: true,
+        description: "System filename (auto-generated)"
+      }
+    },
+    {
+      name: "originalName",
+      type: "text",
+      label: "Original Name",
+      admin: {
+        readOnly: true
+      }
+    },
+    {
+      name: "alt",
+      type: "text",
+      label: "Alt Text",
+      admin: {
+        description: "Alternative text for images (accessibility)"
+      }
+    },
+    {
+      name: "caption",
+      type: "textarea",
+      label: "Caption",
+      admin: {
+        description: "Optional caption or description"
+      }
+    },
+    {
+      name: "type",
+      type: "select",
+      label: "File Type",
+      required: true,
+      defaultValue: "document",
+      options: [
+        { label: "Image", value: "image" },
+        { label: "Video", value: "video" },
+        { label: "Audio", value: "audio" },
+        { label: "Document", value: "document" },
+        { label: "Archive", value: "archive" },
+        { label: "Other", value: "other" }
+      ],
+      admin: {
+        readOnly: true
+      }
+    },
+    {
+      name: "mimeType",
+      type: "text",
+      label: "MIME Type",
+      admin: {
+        readOnly: true
+      }
+    },
+    {
+      name: "url",
+      type: "text",
+      label: "URL",
+      required: true,
+      admin: {
+        readOnly: true,
+        description: "Public URL of the file"
+      }
+    },
+    {
+      name: "thumbnailUrl",
+      type: "text",
+      label: "Thumbnail URL",
+      admin: {
+        readOnly: true
+      }
+    },
+    {
+      name: "width",
+      type: "number",
+      label: "Width",
+      admin: {
+        readOnly: true,
+        description: "Width in pixels (for images/videos)"
+      }
+    },
+    {
+      name: "height",
+      type: "number",
+      label: "Height",
+      admin: {
+        readOnly: true,
+        description: "Height in pixels (for images/videos)"
+      }
+    },
+    {
+      name: "fileSize",
+      type: "number",
+      label: "File Size",
+      admin: {
+        readOnly: true,
+        description: "Size in bytes"
+      }
+    },
+    {
+      name: "folder",
+      type: "text",
+      label: "Folder",
+      admin: {
+        description: "Folder path for organization (e.g., /products, /blog)"
+      }
+    },
+    {
+      name: "tags",
+      type: "array",
+      label: "Tags",
+      fields: [
+        {
+          name: "tag",
+          type: "text",
+          label: "Tag"
+        }
+      ]
+    },
+    {
+      name: "focalPoint",
+      type: "group",
+      label: "Focal Point",
+      admin: {
+        description: "Point of interest for cropping"
+      },
+      fields: [
+        {
+          name: "x",
+          type: "number",
+          label: "X",
+          defaultValue: 50
+        },
+        {
+          name: "y",
+          type: "number",
+          label: "Y",
+          defaultValue: 50
+        }
+      ]
+    },
+    {
+      name: "metadata",
+      type: "json",
+      label: "Metadata",
+      admin: {
+        readOnly: true,
+        description: "Additional file metadata (EXIF, etc.)"
+      }
+    },
+    {
+      name: "provider",
+      type: "select",
+      label: "Storage Provider",
+      defaultValue: "local",
+      options: [
+        { label: "Local", value: "local" },
+        { label: "AWS S3", value: "s3" },
+        { label: "Cloudinary", value: "cloudinary" },
+        { label: "Imgix", value: "imgix" }
+      ],
+      admin: {
+        readOnly: true
+      }
+    },
+    {
+      name: "status",
+      type: "select",
+      label: "Status",
+      defaultValue: "active",
+      options: [
+        { label: "Active", value: "active" },
+        { label: "Archived", value: "archived" }
+      ]
+    },
+    {
+      name: "createdAt",
+      type: "date",
+      label: "Created",
+      admin: {
+        readOnly: true
+      }
+    },
+    {
+      name: "updatedAt",
+      type: "date",
+      label: "Last Modified",
+      admin: {
+        readOnly: true
+      }
+    }
+  ]
+};
+const mediaFoldersCollection = {
+  slug: "media-folders",
+  label: "Media Folders",
+  admin: {
+    useAsTitle: "name",
+    hidden: true
+    // Only accessible via API
+  },
+  access: {
+    read: () => true,
+    create: () => true,
+    update: () => true,
+    delete: () => true
+  },
+  fields: [
+    {
+      name: "name",
+      type: "text",
+      label: "Name",
+      required: true
+    },
+    {
+      name: "slug",
+      type: "text",
+      label: "Slug",
+      required: true,
+      admin: {
+        description: "URL-friendly identifier"
+      }
+    },
+    {
+      name: "parent",
+      type: "relationship",
+      label: "Parent Folder",
+      relationTo: "media-folders"
+    },
+    {
+      name: "path",
+      type: "text",
+      label: "Full Path",
+      admin: {
+        readOnly: true,
+        description: "Complete folder path"
+      }
+    },
+    {
+      name: "fileCount",
+      type: "number",
+      label: "File Count",
+      admin: {
+        readOnly: true
+      }
+    }
+  ]
+};
+const mediaCollections = [mediaCollection, mediaFoldersCollection];
+
+const siteSettingsGlobal = {
+  slug: "site-settings",
+  label: "Site Settings",
+  admin: {
+    group: "settings"
+  },
+  access: {
+    read: () => true,
+    update: () => true
+  },
+  fields: [
+    {
+      name: "siteName",
+      type: "text",
+      label: "Site Name",
+      required: true,
+      admin: {}
+    },
+    {
+      name: "siteDescription",
+      type: "textarea",
+      label: "Site Description",
+      admin: {}
+    },
+    {
+      name: "siteLogo",
+      type: "relationship",
+      label: "Site Logo",
+      relationTo: "media",
+      admin: {}
+    },
+    {
+      name: "siteFavicon",
+      type: "relationship",
+      label: "Favicon",
+      relationTo: "media",
+      admin: {}
+    },
+    {
+      name: "siteOgImage",
+      type: "relationship",
+      label: "Default OG Image",
+      relationTo: "media",
+      admin: {}
+    },
+    {
+      name: "siteUrl",
+      type: "text",
+      label: "Site URL",
+      admin: {}
+    },
+    {
+      name: "language",
+      type: "select",
+      label: "Default Language",
+      defaultValue: "en",
+      options: [
+        { label: "English", value: "en" },
+        { label: "Spanish", value: "es" },
+        { label: "French", value: "fr" },
+        { label: "German", value: "de" },
+        { label: "Portuguese", value: "pt" },
+        { label: "Italian", value: "it" },
+        { label: "Dutch", value: "nl" },
+        { label: "Russian", value: "ru" },
+        { label: "Japanese", value: "ja" },
+        { label: "Chinese", value: "zh" },
+        { label: "Korean", value: "ko" },
+        { label: "Arabic", value: "ar" }
+      ]
+    },
+    {
+      name: "timezone",
+      type: "text",
+      label: "Timezone",
+      defaultValue: "UTC",
+      admin: {}
+    },
+    {
+      name: "logo",
+      type: "group",
+      label: "Logo Settings",
+      fields: [
+        {
+          name: "width",
+          type: "number",
+          label: "Max Width (px)"
+        },
+        {
+          name: "height",
+          type: "number",
+          label: "Max Height (px)"
+        },
+        {
+          name: "altText",
+          type: "text",
+          label: "Alt Text"
+        }
+      ]
+    },
+    {
+      name: "analytics",
+      type: "group",
+      label: "Analytics",
+      fields: [
+        {
+          name: "googleAnalyticsId",
+          type: "text",
+          label: "Google Analytics ID",
+          admin: {}
+        },
+        {
+          name: "googleTagManagerId",
+          type: "text",
+          label: "Google Tag Manager ID",
+          admin: {}
+        },
+        {
+          name: "plausibleDomain",
+          type: "text",
+          label: "Plausible Domain",
+          admin: {}
+        },
+        {
+          name: "mixpanelToken",
+          type: "password",
+          label: "Mixpanel Token"
+        }
+      ]
+    }
+  ]
+};
+
+const seoSettingsGlobal = {
+  slug: "seo-settings",
+  label: "SEO Settings",
+  admin: {
+    group: "settings"
+  },
+  access: {
+    read: () => true,
+    update: () => true
+  },
+  fields: [
+    {
+      name: "defaultTitle",
+      type: "text",
+      label: "Default Title",
+      admin: {}
+    },
+    {
+      name: "defaultDescription",
+      type: "textarea",
+      label: "Default Description",
+      admin: {}
+    },
+    {
+      name: "titleTemplate",
+      type: "text",
+      label: "Title Template",
+      defaultValue: "{{title}} | {{siteName}}",
+      admin: {}
+    },
+    {
+      name: "siteNameInTitle",
+      type: "checkbox",
+      label: "Include Site Name in Title",
+      defaultValue: true
+    },
+    {
+      name: "separator",
+      type: "text",
+      label: "Title Separator",
+      defaultValue: " | ",
+      admin: {}
+    },
+    {
+      name: "meta",
+      type: "group",
+      label: "Meta Settings",
+      fields: [
+        {
+          name: "robots",
+          type: "text",
+          label: "Robots Meta",
+          defaultValue: "index, follow",
+          admin: {}
+        },
+        {
+          name: "canonicalUrl",
+          type: "text",
+          label: "Canonical URL",
+          admin: {}
+        },
+        {
+          name: "ogType",
+          type: "select",
+          label: "Default OG Type",
+          defaultValue: "website",
+          options: [
+            { label: "Website", value: "website" },
+            { label: "Article", value: "article" },
+            { label: "Product", value: "product" },
+            { label: "Book", value: "book" },
+            { label: "Music", value: "music" },
+            { label: "Video", value: "video" }
+          ]
+        }
+      ]
+    },
+    {
+      name: "sitemap",
+      type: "checkbox",
+      label: "Enable XML Sitemap",
+      defaultValue: true,
+      admin: {}
+    },
+    {
+      name: "sitemapUrls",
+      type: "number",
+      label: "Sitemap URL Limit",
+      defaultValue: 5e4,
+      admin: {}
+    },
+    {
+      name: "robotsTxt",
+      type: "textarea",
+      label: "Custom robots.txt",
+      admin: {}
+    },
+    {
+      name: "social",
+      type: "group",
+      label: "Social Media",
+      fields: [
+        {
+          name: "twitterHandle",
+          type: "text",
+          label: "Twitter/X Handle",
+          admin: {}
+        },
+        {
+          name: "twitterCardType",
+          type: "select",
+          label: "Twitter Card Type",
+          defaultValue: "summary_large_image",
+          options: [
+            { label: "Summary", value: "summary" },
+            { label: "Summary with Large Image", value: "summary_large_image" },
+            { label: "App", value: "app" },
+            { label: "Player", value: "player" }
+          ]
+        },
+        {
+          name: "fbAppId",
+          type: "text",
+          label: "Facebook App ID"
+        }
+      ]
+    },
+    {
+      name: "advanced",
+      type: "group",
+      label: "Advanced",
+      fields: [
+        {
+          name: "jsonLdEnabled",
+          type: "checkbox",
+          label: "Enable JSON-LD",
+          defaultValue: true,
+          admin: {}
+        },
+        {
+          name: "breadcrumbsEnabled",
+          type: "checkbox",
+          label: "Enable Breadcrumbs",
+          defaultValue: true
+        },
+        {
+          name: "paginationSize",
+          type: "number",
+          label: "Default Pagination Size",
+          defaultValue: 10
+        }
+      ]
+    }
+  ]
+};
+
+const socialSettingsGlobal = {
+  slug: "social-settings",
+  label: "Social Media",
+  admin: {
+    group: "settings"
+  },
+  access: {
+    read: () => true,
+    update: () => true
+  },
+  fields: [
+    {
+      name: "facebook",
+      type: "text",
+      label: "Facebook",
+      admin: {}
+    },
+    {
+      name: "twitter",
+      type: "text",
+      label: "Twitter/X"
+    },
+    {
+      name: "instagram",
+      type: "text",
+      label: "Instagram"
+    },
+    {
+      name: "linkedin",
+      type: "text",
+      label: "LinkedIn"
+    },
+    {
+      name: "youtube",
+      type: "text",
+      label: "YouTube"
+    },
+    {
+      name: "tiktok",
+      type: "text",
+      label: "TikTok"
+    },
+    {
+      name: "pinterest",
+      type: "text",
+      label: "Pinterest"
+    },
+    {
+      name: "discord",
+      type: "text",
+      label: "Discord"
+    },
+    {
+      name: "twitch",
+      type: "text",
+      label: "Twitch"
+    },
+    {
+      name: "github",
+      type: "text",
+      label: "GitHub"
+    },
+    {
+      name: "mastodon",
+      type: "text",
+      label: "Mastodon"
+    }
+  ]
+};
+
+const emailSettingsGlobal = {
+  slug: "email-settings",
+  label: "Email Settings",
+  admin: {
+    group: "settings"
+  },
+  access: {
+    read: () => true,
+    update: () => true
+  },
+  fields: [
+    {
+      name: "fromName",
+      type: "text",
+      label: "From Name",
+      admin: {}
+    },
+    {
+      name: "fromEmail",
+      type: "email",
+      label: "From Email",
+      required: true,
+      admin: {}
+    },
+    {
+      name: "replyTo",
+      type: "email",
+      label: "Reply-To Email",
+      admin: {}
+    },
+    {
+      name: "provider",
+      type: "select",
+      label: "Email Provider",
+      defaultValue: "smtp",
+      options: [
+        { label: "SMTP", value: "smtp" },
+        { label: "SendGrid", value: "sendgrid" },
+        { label: "Mailgun", value: "mailgun" },
+        { label: "AWS SES", value: "ses" },
+        { label: "Resend", value: "resend" }
+      ]
+    },
+    {
+      name: "smtp",
+      type: "group",
+      label: "SMTP Settings",
+      fields: [
+        {
+          name: "host",
+          type: "text",
+          label: "Host",
+          admin: {
+            placeholder: "smtp.example.com"
+          }
+        },
+        {
+          name: "port",
+          type: "number",
+          label: "Port",
+          defaultValue: 587
+        },
+        {
+          name: "secure",
+          type: "checkbox",
+          label: "Use TLS/SSL",
+          defaultValue: true
+        },
+        {
+          name: "username",
+          type: "text",
+          label: "Username"
+        },
+        {
+          name: "password",
+          type: "password",
+          label: "Password"
+        }
+      ]
+    },
+    {
+      name: "api",
+      type: "group",
+      label: "API Settings",
+      admin: {},
+      fields: [
+        {
+          name: "apiKey",
+          type: "password",
+          label: "API Key"
+        },
+        {
+          name: "domain",
+          type: "text",
+          label: "Domain",
+          admin: {}
+        },
+        {
+          name: "webhookSecret",
+          type: "password",
+          label: "Webhook Secret",
+          admin: {}
+        }
+      ]
+    },
+    {
+      name: "testEmail",
+      type: "email",
+      label: "Test Email",
+      admin: {}
+    }
+  ]
+};
+
+const storageSettingsGlobal = {
+  slug: "storage-settings",
+  label: "Storage Settings",
+  admin: {
+    group: "settings"
+  },
+  access: {
+    read: () => true,
+    update: () => true
+  },
+  fields: [
+    {
+      name: "provider",
+      type: "select",
+      label: "Storage Provider",
+      defaultValue: "local",
+      options: [
+        { label: "Local Server", value: "local" },
+        { label: "AWS S3", value: "s3" },
+        { label: "Cloudinary", value: "cloudinary" },
+        { label: "Imgix (Transforms Only)", value: "imgix" }
+      ]
+    },
+    {
+      name: "local",
+      type: "group",
+      label: "Local Storage",
+      fields: [
+        {
+          name: "uploadDir",
+          type: "text",
+          label: "Upload Directory",
+          defaultValue: "./public/uploads",
+          admin: {}
+        },
+        {
+          name: "baseUrl",
+          type: "text",
+          label: "Base URL",
+          defaultValue: "/uploads",
+          admin: {}
+        }
+      ]
+    },
+    {
+      name: "s3",
+      type: "group",
+      label: "AWS S3 Settings",
+      fields: [
+        {
+          name: "bucket",
+          type: "text",
+          label: "Bucket Name"
+        },
+        {
+          name: "region",
+          type: "text",
+          label: "Region",
+          admin: {
+            placeholder: "us-east-1"
+          }
+        },
+        {
+          name: "accessKeyId",
+          type: "password",
+          label: "Access Key ID"
+        },
+        {
+          name: "secretAccessKey",
+          type: "password",
+          label: "Secret Access Key"
+        },
+        {
+          name: "cdnUrl",
+          type: "text",
+          label: "CDN URL",
+          admin: {}
+        },
+        {
+          name: "prefix",
+          type: "text",
+          label: "Path Prefix",
+          admin: {}
+        }
+      ]
+    },
+    {
+      name: "cloudinary",
+      type: "group",
+      label: "Cloudinary Settings",
+      fields: [
+        {
+          name: "cloudName",
+          type: "text",
+          label: "Cloud Name"
+        },
+        {
+          name: "apiKey",
+          type: "password",
+          label: "API Key"
+        },
+        {
+          name: "apiSecret",
+          type: "password",
+          label: "API Secret"
+        },
+        {
+          name: "folder",
+          type: "text",
+          label: "Folder",
+          admin: {}
+        }
+      ]
+    },
+    {
+      name: "imgix",
+      type: "group",
+      label: "Imgix Settings",
+      fields: [
+        {
+          name: "domain",
+          type: "text",
+          label: "Imgix Domain",
+          admin: {
+            placeholder: "your-source.imgix.net"
+          }
+        },
+        {
+          name: "signKey",
+          type: "password",
+          label: "Signing Key",
+          admin: {}
+        }
+      ]
+    },
+    {
+      name: "limits",
+      type: "group",
+      label: "Upload Limits",
+      fields: [
+        {
+          name: "maxFileSize",
+          type: "number",
+          label: "Max File Size (bytes)",
+          defaultValue: 10485760,
+          admin: {}
+        },
+        {
+          name: "allowedTypes",
+          type: "json",
+          label: "Allowed MIME Types",
+          defaultValue: ["image/*", "video/*", "audio/*", "application/pdf"],
+          admin: {}
+        },
+        {
+          name: "maxFilesPerUpload",
+          type: "number",
+          label: "Max Files per Upload",
+          defaultValue: 10
+        }
+      ]
+    }
+  ]
+};
+
+const accessSettingsGlobal = {
+  slug: "access-settings",
+  label: "Access Control",
+  admin: {
+    group: "settings"
+  },
+  access: {
+    read: () => true,
+    update: () => true
+  },
+  fields: [
+    {
+      name: "enablePublicAccess",
+      type: "checkbox",
+      label: "Enable Public Access",
+      defaultValue: true,
+      admin: {}
+    },
+    {
+      name: "defaultCollectionAccess",
+      type: "select",
+      label: "Default Collection Access",
+      defaultValue: "read",
+      options: [
+        { label: "Read Only", value: "read" },
+        { label: "Read & Create", value: "create" },
+        { label: "Read & Create & Update", value: "update" },
+        { label: "Full Access", value: "admin" },
+        { label: "No Access", value: "none" }
+      ],
+      admin: {}
+    },
+    {
+      name: "apiAccess",
+      type: "group",
+      label: "API Access",
+      fields: [
+        {
+          name: "restEnabled",
+          type: "checkbox",
+          label: "Enable REST API",
+          defaultValue: true
+        },
+        {
+          name: "graphqlEnabled",
+          type: "checkbox",
+          label: "Enable GraphQL",
+          defaultValue: false
+        },
+        {
+          name: "trpcEnabled",
+          type: "checkbox",
+          label: "Enable tRPC",
+          defaultValue: false
+        },
+        {
+          name: "wsEnabled",
+          type: "checkbox",
+          label: "Enable WebSocket",
+          defaultValue: false
+        },
+        {
+          name: "requireAuth",
+          type: "checkbox",
+          label: "Require Authentication",
+          defaultValue: false,
+          admin: {}
+        },
+        {
+          name: "allowedOrigins",
+          type: "json",
+          label: "CORS Allowed Origins",
+          admin: {}
+        }
+      ]
+    },
+    {
+      name: "rateLimiting",
+      type: "group",
+      label: "Rate Limiting",
+      fields: [
+        {
+          name: "enabled",
+          type: "checkbox",
+          label: "Enable Rate Limiting",
+          defaultValue: true
+        },
+        {
+          name: "maxRequests",
+          type: "number",
+          label: "Max Requests",
+          defaultValue: 100,
+          admin: {}
+        },
+        {
+          name: "windowMs",
+          type: "number",
+          label: "Window (ms)",
+          defaultValue: 6e4,
+          admin: {}
+        }
+      ]
+    }
+  ]
+};
+
+const countryOptions = [
+  { label: "United States", value: "US" },
+  { label: "United Kingdom", value: "GB" },
+  { label: "Canada", value: "CA" },
+  { label: "Australia", value: "AU" },
+  { label: "Germany", value: "DE" },
+  { label: "France", value: "FR" },
+  { label: "Netherlands", value: "NL" },
+  { label: "Belgium", value: "BE" },
+  { label: "Spain", value: "ES" },
+  { label: "Italy", value: "IT" },
+  { label: "Portugal", value: "PT" },
+  { label: "Sweden", value: "SE" },
+  { label: "Norway", value: "NO" },
+  { label: "Denmark", value: "DK" },
+  { label: "Finland", value: "FI" },
+  { label: "Austria", value: "AT" },
+  { label: "Switzerland", value: "CH" },
+  { label: "Japan", value: "JP" },
+  { label: "South Korea", value: "KR" },
+  { label: "China", value: "CN" },
+  { label: "India", value: "IN" },
+  { label: "Brazil", value: "BR" },
+  { label: "Mexico", value: "MX" }
+];
+const storeSettingsGlobal = {
+  slug: "store-settings",
+  label: "Store Settings",
+  admin: {
+    group: "settings"
+  },
+  access: {
+    read: () => true,
+    update: () => true
+  },
+  fields: [
+    {
+      name: "storeName",
+      type: "text",
+      label: "Store Name",
+      required: true
+    },
+    {
+      name: "storeEmail",
+      type: "email",
+      label: "Contact Email",
+      required: true
+    },
+    {
+      name: "storePhone",
+      type: "text",
+      label: "Phone Number"
+    },
+    {
+      name: "address",
+      type: "group",
+      label: "Store Address",
+      fields: [
+        {
+          name: "street",
+          type: "text",
+          label: "Street Address"
+        },
+        {
+          name: "city",
+          type: "text",
+          label: "City"
+        },
+        {
+          name: "state",
+          type: "text",
+          label: "State/Province"
+        },
+        {
+          name: "postalCode",
+          type: "text",
+          label: "Postal Code"
+        },
+        {
+          name: "country",
+          type: "select",
+          label: "Country",
+          options: countryOptions
+        }
+      ]
+    },
+    {
+      name: "currency",
+      type: "group",
+      label: "Currency",
+      fields: [
+        {
+          name: "code",
+          type: "select",
+          label: "Currency Code",
+          defaultValue: "USD",
+          options: [
+            { label: "USD - US Dollar", value: "USD" },
+            { label: "EUR - Euro", value: "EUR" },
+            { label: "GBP - British Pound", value: "GBP" },
+            { label: "CAD - Canadian Dollar", value: "CAD" },
+            { label: "AUD - Australian Dollar", value: "AUD" },
+            { label: "JPY - Japanese Yen", value: "JPY" },
+            { label: "CNY - Chinese Yuan", value: "CNY" },
+            { label: "INR - Indian Rupee", value: "INR" },
+            { label: "BRL - Brazilian Real", value: "BRL" },
+            { label: "MXN - Mexican Peso", value: "MXN" }
+          ]
+        },
+        {
+          name: "symbol",
+          type: "text",
+          label: "Symbol",
+          defaultValue: "$"
+        },
+        {
+          name: "position",
+          type: "select",
+          label: "Symbol Position",
+          defaultValue: "before",
+          options: [
+            { label: "Before amount", value: "before" },
+            { label: "After amount", value: "after" }
+          ]
+        },
+        {
+          name: "decimals",
+          type: "number",
+          label: "Decimal Places",
+          defaultValue: 2
+        }
+      ]
+    },
+    {
+      name: "tax",
+      type: "group",
+      label: "Tax Settings",
+      fields: [
+        {
+          name: "enabled",
+          type: "checkbox",
+          label: "Enable Tax",
+          defaultValue: true
+        },
+        {
+          name: "rate",
+          type: "number",
+          label: "Tax Rate (%)",
+          admin: {
+            placeholder: "10"
+          }
+        },
+        {
+          name: "includedInPrice",
+          type: "checkbox",
+          label: "Tax Included in Prices",
+          admin: {}
+        },
+        {
+          name: "taxId",
+          type: "text",
+          label: "Tax ID / VAT Number"
+        }
+      ]
+    },
+    {
+      name: "shipping",
+      type: "group",
+      label: "Shipping",
+      fields: [
+        {
+          name: "freeShippingThreshold",
+          type: "number",
+          label: "Free Shipping Minimum",
+          admin: {}
+        },
+        {
+          name: "flatRate",
+          type: "number",
+          label: "Flat Rate Shipping",
+          admin: {}
+        },
+        {
+          name: "enableLocalPickup",
+          type: "checkbox",
+          label: "Enable Local Pickup",
+          defaultValue: true
+        }
+      ]
+    },
+    {
+      name: "orders",
+      type: "group",
+      label: "Orders",
+      fields: [
+        {
+          name: "orderNumberPrefix",
+          type: "text",
+          label: "Order Number Prefix",
+          defaultValue: "ORD",
+          admin: {}
+        },
+        {
+          name: "allowGuestCheckout",
+          type: "checkbox",
+          label: "Allow Guest Checkout",
+          defaultValue: true
+        },
+        {
+          name: "requirePhone",
+          type: "checkbox",
+          label: "Require Phone Number",
+          defaultValue: true
+        }
+      ]
+    }
+  ]
+};
+
+const paymentSettingsGlobal = {
+  slug: "payment-settings",
+  label: "Payment Settings",
+  admin: {
+    group: "settings"
+  },
+  access: {
+    read: () => true,
+    update: () => true
+  },
+  fields: [
+    {
+      name: "testMode",
+      type: "checkbox",
+      label: "Test Mode",
+      defaultValue: true,
+      admin: {}
+    },
+    {
+      name: "stripe",
+      type: "group",
+      label: "Stripe",
+      fields: [
+        {
+          name: "enabled",
+          type: "checkbox",
+          label: "Enable Stripe",
+          defaultValue: false
+        },
+        {
+          name: "publishableKey",
+          type: "text",
+          label: "Publishable Key",
+          admin: {
+            placeholder: "pk_live_..."
+          }
+        },
+        {
+          name: "secretKey",
+          type: "password",
+          label: "Secret Key"
+        },
+        {
+          name: "webhookSecret",
+          type: "password",
+          label: "Webhook Secret",
+          admin: {}
+        }
+      ]
+    },
+    {
+      name: "paypal",
+      type: "group",
+      label: "PayPal",
+      fields: [
+        {
+          name: "enabled",
+          type: "checkbox",
+          label: "Enable PayPal",
+          defaultValue: false
+        },
+        {
+          name: "clientId",
+          type: "text",
+          label: "Client ID"
+        },
+        {
+          name: "clientSecret",
+          type: "password",
+          label: "Client Secret"
+        },
+        {
+          name: "mode",
+          type: "select",
+          label: "Mode",
+          defaultValue: "sandbox",
+          options: [
+            { label: "Sandbox (Test)", value: "sandbox" },
+            { label: "Live", value: "live" }
+          ]
+        }
+      ]
+    },
+    {
+      name: "square",
+      type: "group",
+      label: "Square",
+      fields: [
+        {
+          name: "enabled",
+          type: "checkbox",
+          label: "Enable Square",
+          defaultValue: false
+        },
+        {
+          name: "applicationId",
+          type: "text",
+          label: "Application ID"
+        },
+        {
+          name: "accessToken",
+          type: "password",
+          label: "Access Token"
+        },
+        {
+          name: "locationId",
+          type: "text",
+          label: "Location ID"
+        }
+      ]
+    },
+    {
+      name: "methods",
+      type: "group",
+      label: "Manual Payment Methods",
+      fields: [
+        {
+          name: "cod",
+          type: "checkbox",
+          label: "Cash on Delivery",
+          defaultValue: true
+        },
+        {
+          name: "bankTransfer",
+          type: "checkbox",
+          label: "Bank Transfer",
+          defaultValue: true
+        },
+        {
+          name: "cash",
+          type: "checkbox",
+          label: "Cash (Local Pickup)",
+          defaultValue: true
+        },
+        {
+          name: "check",
+          type: "checkbox",
+          label: "Check",
+          defaultValue: false
+        }
+      ]
+    },
+    {
+      name: "bankTransfer",
+      type: "group",
+      label: "Bank Transfer Details",
+      admin: {},
+      fields: [
+        {
+          name: "bankName",
+          type: "text",
+          label: "Bank Name"
+        },
+        {
+          name: "accountName",
+          type: "text",
+          label: "Account Name"
+        },
+        {
+          name: "accountNumber",
+          type: "text",
+          label: "Account Number"
+        },
+        {
+          name: "routingNumber",
+          type: "text",
+          label: "Routing/Sort Code"
+        },
+        {
+          name: "iban",
+          type: "text",
+          label: "IBAN"
+        },
+        {
+          name: "swift",
+          type: "text",
+          label: "SWIFT/BIC"
+        }
+      ]
+    }
+  ]
+};
+
+const allSettingsGlobals = [
+  siteSettingsGlobal,
+  seoSettingsGlobal,
+  socialSettingsGlobal,
+  emailSettingsGlobal,
+  storageSettingsGlobal,
+  accessSettingsGlobal,
+  storeSettingsGlobal,
+  paymentSettingsGlobal
+];
+const coreSettingsGlobals = [
+  siteSettingsGlobal,
+  seoSettingsGlobal,
+  socialSettingsGlobal,
+  emailSettingsGlobal,
+  storageSettingsGlobal,
+  accessSettingsGlobal
+];
+const ecommerceSettingsGlobals = [
+  storeSettingsGlobal,
+  paymentSettingsGlobal
+];
+({
+  [siteSettingsGlobal.slug]: siteSettingsGlobal,
+  [seoSettingsGlobal.slug]: seoSettingsGlobal,
+  [socialSettingsGlobal.slug]: socialSettingsGlobal,
+  [emailSettingsGlobal.slug]: emailSettingsGlobal,
+  [storageSettingsGlobal.slug]: storageSettingsGlobal,
+  [accessSettingsGlobal.slug]: accessSettingsGlobal,
+  [storeSettingsGlobal.slug]: storeSettingsGlobal,
+  [paymentSettingsGlobal.slug]: paymentSettingsGlobal
+});
+
+const usersCollection = {
+  slug: "users",
+  label: "Users",
+  singular: "User",
+  type: "singleton",
+  fields: [
+    { name: "id", type: "text", required: true, readonly: true },
+    { name: "email", type: "email", required: true },
+    {
+      name: "role",
+      type: "select",
+      options: [
+        "super_admin",
+        "admin",
+        "editor",
+        "author",
+        "customer",
+        "guest"
+      ],
+      required: true
+    },
+    { name: "tenantId", type: "text", label: "Tenant" },
+    { name: "emailVerified", type: "boolean", label: "Email Verified" },
+    { name: "locked", type: "boolean" },
+    {
+      name: "lastLogin",
+      type: "datetime",
+      label: "Last Login",
+      readonly: true
+    },
+    {
+      name: "failedLoginAttempts",
+      type: "number",
+      label: "Failed Login Attempts",
+      readonly: true
+    },
+    { name: "createdAt", type: "datetime", readonly: true },
+    { name: "updatedAt", type: "datetime", readonly: true }
+  ],
+  access: {
+    create: () => true,
+    read: () => true,
+    update: () => true,
+    delete: () => true
+  },
+  list: {
+    columns: [
+      "email",
+      "role",
+      "tenantId",
+      "emailVerified",
+      "locked",
+      "lastLogin"
+    ],
+    defaultSort: "createdAt",
+    defaultOrder: "desc"
+  }
+};
+const rolesCollection = {
+  slug: "roles",
+  label: "Roles",
+  singular: "Role",
+  type: "collection",
+  fields: [
+    { name: "name", type: "text", required: true },
+    { name: "level", type: "number", required: true },
+    {
+      name: "inherits",
+      type: "array",
+      items: { type: "text" },
+      label: "Inherits From"
+    },
+    { name: "description", type: "textarea" },
+    {
+      name: "permissions",
+      type: "array",
+      items: { type: "text" },
+      label: "Permissions"
+    }
+  ],
+  access: {
+    create: () => true,
+    read: () => true,
+    update: () => true,
+    delete: () => true
+  },
+  list: {
+    columns: ["name", "level", "inherits", "description"],
+    defaultSort: "level",
+    defaultOrder: "desc"
+  }
+};
+const auditLogsCollection = {
+  slug: "audit_logs",
+  label: "Audit Logs",
+  singular: "Audit Log",
+  type: "collection",
+  fields: [
+    { name: "id", type: "text", required: true, readonly: true },
+    { name: "action", type: "text", required: true },
+    { name: "userId", type: "text", label: "User ID" },
+    { name: "userEmail", type: "email", label: "User Email" },
+    { name: "role", type: "text" },
+    { name: "resource", type: "text", label: "Resource" },
+    { name: "ipAddress", type: "text", label: "IP Address" },
+    { name: "userAgent", type: "text", label: "User Agent" },
+    { name: "success", type: "boolean" },
+    { name: "error", type: "textarea" },
+    { name: "metadata", type: "json", label: "Metadata" },
+    { name: "timestamp", type: "datetime", required: true, readonly: true }
+  ],
+  access: {
+    create: () => false,
+    read: () => true,
+    update: () => false,
+    delete: () => false
+  },
+  list: {
+    columns: [
+      "action",
+      "userEmail",
+      "role",
+      "resource",
+      "success",
+      "timestamp"
+    ],
+    defaultSort: "timestamp",
+    defaultOrder: "desc"
+  }
+};
+const authCollections = {
+  users: usersCollection,
+  roles: rolesCollection,
+  audit_logs: auditLogsCollection
+};
+
+function getAdminConfig(template = "blog") {
+  const collections2 = [];
+  const globals2 = [];
+  collections2.push(...Object.values(mediaCollections));
+  collections2.push(...Object.values(authCollections));
+  switch (template) {
+    case "minimal":
+      collections2.push(...Object.values(minimalCollections));
+      globals2.push(...coreSettingsGlobals);
+      break;
+    case "blog":
+      collections2.push(...Object.values(blogCollections));
+      globals2.push(...coreSettingsGlobals);
+      break;
+    case "ecommerce":
+      collections2.push(...Object.values(ecommerceCollections));
+      globals2.push(...coreSettingsGlobals, ...ecommerceSettingsGlobals);
+      break;
+    case "kitchen-sink":
+      collections2.push(
+        ...Object.values(minimalCollections),
+        ...Object.values(blogCollections),
+        ...Object.values(ecommerceCollections),
+        ...Object.values(kitchenSinkCollections)
+      );
+      globals2.push(...allSettingsGlobals);
+      break;
+  }
+  const collectionsMap = collections2.reduce(
+    (acc, c) => {
+      if (c.slug) acc[c.slug] = c;
+      return acc;
+    },
+    {}
+  );
+  const globalsMap = globals2.reduce(
+    (acc, g) => {
+      if (g.slug) acc[g.slug] = g;
+      return acc;
+    },
+    {}
+  );
+  return { collections: collectionsMap, globals: globalsMap };
+}
+const adminConfig = getAdminConfig("blog");
+const collections = adminConfig.collections;
+
+export { collections as c };