@kyro-cms/core 0.1.0 → 0.1.2

package/dist/index.js

@@ -1,3 +1,6 @@
+export { allSettingsGlobals, blogCollections, blogGlobals, coreSettingsGlobals, createTemplateConfig, ecommerceCollections, ecommerceGlobals, ecommerceSettingsGlobals, kitchenSinkCollections, mediaCollections, minimalCollections } from './chunk-3QX6KG2S.js';
+import { RedisAuthAdapter, EmailTransport, PasswordPolicy } from './chunk-V67YXRBT.js';
+export { EmailTransport, PasswordPolicy, RedisAuthAdapter, autoBootstrap, bootstrapAdmin, getBootstrapFromEnv } from './chunk-V67YXRBT.js';
 import { createKyroServer } from './chunk-UEYC46RL.js';
 export { createContext, createCountProcedure, createCreateProcedure, createDeleteProcedure, createDynamicRouter, createFindByIDProcedure, createFindProcedure, createKyroServer, createUpdateProcedure } from './chunk-UEYC46RL.js';
 import { buildGraphQLSchema } from './chunk-OG3KX56O.js';
@@ -7,15 +10,19 @@ export { createHonoApp, createRESTAPI } from './chunk-YPAFJ7EV.js';
 export { evaluateAccess, getWhereClause, mergeWhereClauses } from './chunk-SDMNUYVU.js';
 import { KyroPubSub, createWSServer } from './chunk-3TPQ2BU6.js';
 export { KyroPubSub, KyroWSServer, PubSub, createWSServer } from './chunk-3TPQ2BU6.js';
-export { DrizzleAdapter, collectionToDrizzleSchema, createDrizzleAdapter, fieldToDrizzleType } from './chunk-DKSMFC3L.js';
+export { DrizzleAdapter, collectionToDrizzleSchema, createDrizzleAdapter, fieldToDrizzleType } from './chunk-EINVJPFM.js';
+export { PostgresAuthAdapter } from './chunk-M4JFHQ5J.js';
+export { createDatabase, runMigrations, seedDefaultRoles } from './chunk-XLMVCGXA.js';
+import './chunk-KA3UOIFC.js';
 export { MongoDBAdapter, createMongoDBAdapter } from './chunk-DIC236EW.js';
 import { AbstractBaseAdapter } from './chunk-BXMWDUED.js';
 export { AbstractBaseAdapter } from './chunk-BXMWDUED.js';
+import './chunk-PZ5AY32C.js';
 import { z } from 'zod';
 export { z } from 'zod';
 import bcrypt from 'bcrypt';
-import jwt from 'jsonwebtoken';
-import { randomUUID } from 'crypto';
+import jwt2 from 'jsonwebtoken';
+import { randomBytes } from 'crypto';
 
 // src/registry/validator.ts
 var ConfigValidationError = class extends Error {
@@ -645,10 +652,6 @@ var Registry = class {
     if (this.initialized) {
       throw new Error("Cannot add collections after Registry has been initialized");
     }
-    const errors = validateCollection(config);
-    if (errors.length > 0) {
-      throw new Error(`Invalid collection config: ${errors.join(", ")}`);
-    }
     let finalConfig = { ...config };
     for (const plugin of this.plugins) {
       if (plugin.extendCollection) {
@@ -656,6 +659,10 @@ var Registry = class {
       }
     }
     finalConfig.fields = this.applyFieldDefaults(finalConfig);
+    const errors = validateCollection(finalConfig);
+    if (errors.length > 0) {
+      throw new Error(`Invalid collection config: ${errors.join(", ")}`);
+    }
     this.collections.set(finalConfig.slug, finalConfig);
     this.clearSchemaCache(finalConfig.slug);
   }
@@ -1143,13 +1150,13 @@ async function runFieldHooks(hooks, args) {
 // src/database/local/adapter.ts
 var LocalAdapter = class extends AbstractBaseAdapter {
   db;
+  path;
   migrations = /* @__PURE__ */ new Map();
   constructor(options) {
     super();
+    this.path = options.path;
     if (options.db) {
       this.db = options.db;
-    } else if (options.path) {
-      this.db = null;
     } else {
       this.db = null;
     }
@@ -1157,12 +1164,12 @@ var LocalAdapter = class extends AbstractBaseAdapter {
   async connect() {
     if (!this.db) {
       const Database = (await import('better-sqlite3')).default;
-      this.db = new Database(":memory:");
+      this.db = new Database(this.path || ":memory:");
     }
     this.db.pragma("journal_mode = WAL");
     this.db.pragma("foreign_keys = ON");
     this.connected = true;
-    console.log("[LocalAdapter] Connected to SQLite");
+    console.log(`[LocalAdapter] Connected to SQLite (${this.path || "memory"})`);
   }
   async disconnect() {
     if (this.db) {
@@ -1992,6 +1999,1062 @@ var defaultFieldStyling = {
     }
   }
 };
+
+// src/auth/security/lockout.ts
+var DEFAULT_LOCKOUT_CONFIG = {
+  maxAttempts: 5,
+  lockDuration: 9e5,
+  notifyUser: true,
+  notifyAdmin: true,
+  adminNotifyAfter: 3
+};
+var AccountLockout = class {
+  redis;
+  prefix;
+  config;
+  constructor(redis, config = {}, prefix = "kyro:lockout:") {
+    this.redis = redis;
+    this.prefix = prefix;
+    this.config = { ...DEFAULT_LOCKOUT_CONFIG, ...config };
+  }
+  lockKey(userId) {
+    return `${this.prefix}${userId}`;
+  }
+  historyKey(userId) {
+    return `${this.prefix}${userId}:history`;
+  }
+  async checkLockout(userId) {
+    const key = this.lockKey(userId);
+    const data = await this.redis.hgetall(key);
+    if (!data || Object.keys(data).length === 0) {
+      return {
+        locked: false,
+        attemptsRemaining: this.config.maxAttempts,
+        totalAttempts: 0
+      };
+    }
+    const attempts = parseInt(data.attempts, 10);
+    const lockedUntil = data.lockedUntil ? new Date(parseInt(data.lockedUntil, 10)) : void 0;
+    if (lockedUntil && lockedUntil > /* @__PURE__ */ new Date()) {
+      return {
+        locked: true,
+        attemptsRemaining: 0,
+        lockedUntil,
+        totalAttempts: attempts
+      };
+    }
+    if (lockedUntil && lockedUntil <= /* @__PURE__ */ new Date()) {
+      await this.unlockAccount(userId);
+      return {
+        locked: false,
+        attemptsRemaining: this.config.maxAttempts,
+        totalAttempts: 0
+      };
+    }
+    return {
+      locked: false,
+      attemptsRemaining: Math.max(0, this.config.maxAttempts - attempts),
+      totalAttempts: attempts
+    };
+  }
+  async recordFailedAttempt(userId) {
+    const key = this.lockKey(userId);
+    const historyKey = this.historyKey(userId);
+    const now = Date.now();
+    const current = await this.redis.hincrby(key, "attempts", 1);
+    await this.redis.hset(key, "lastAttempt", now.toString());
+    await this.redis.lpush(historyKey, now.toString());
+    await this.redis.ltrim(historyKey, 0, 99);
+    if (current >= this.config.maxAttempts) {
+      const lockedUntil = new Date(now + this.config.lockDuration);
+      await this.redis.hset(key, {
+        lockedAt: now.toString(),
+        lockedUntil: lockedUntil.getTime().toString()
+      });
+      await this.redis.expire(
+        key,
+        Math.ceil(this.config.lockDuration / 1e3) + 3600
+      );
+      return {
+        locked: true,
+        attemptsRemaining: 0,
+        lockedUntil,
+        totalAttempts: current
+      };
+    }
+    return {
+      locked: false,
+      attemptsRemaining: Math.max(0, this.config.maxAttempts - current),
+      totalAttempts: current
+    };
+  }
+  async lockAccount(userId, duration) {
+    const key = this.lockKey(userId);
+    const now = Date.now();
+    const lockDuration = duration || this.config.lockDuration;
+    const lockedUntil = new Date(now + lockDuration);
+    const pipeline = this.redis.pipeline();
+    pipeline.hset(key, {
+      attempts: this.config.maxAttempts.toString(),
+      lockedAt: now.toString(),
+      lockedUntil: lockedUntil.getTime().toString()
+    });
+    pipeline.expire(key, Math.ceil(lockDuration / 1e3) + 3600);
+    await pipeline.exec();
+  }
+  async unlockAccount(userId) {
+    const key = this.lockKey(userId);
+    await this.redis.del(key);
+  }
+  async resetAttempts(userId) {
+    const key = this.lockKey(userId);
+    const data = await this.redis.hgetall(key);
+    if (data.lockedAt) {
+      await this.redis.hset(key, {
+        attempts: "0",
+        lockedAt: "",
+        lockedUntil: ""
+      });
+    } else {
+      await this.redis.del(key);
+    }
+  }
+  async getLockoutHistory(userId, limit = 10) {
+    const historyKey = this.historyKey(userId);
+    const timestamps = await this.redis.lrange(historyKey, 0, limit - 1);
+    return timestamps.map((ts) => new Date(parseInt(ts, 10)));
+  }
+  async getLockoutStats(userId) {
+    const historyKey = this.historyKey(userId);
+    const timestamps = await this.redis.lrange(historyKey, 0, -1);
+    const lockouts = timestamps.filter((_, i) => {
+      const attemptNum = i + 1;
+      return attemptNum % this.config.maxAttempts === 0;
+    }).length;
+    const lastLockoutData = await this.redis.hget(
+      this.lockKey(userId),
+      "lockedAt"
+    );
+    return {
+      totalFailedAttempts: timestamps.length,
+      lockoutCount: lockouts,
+      lastLockout: lastLockoutData ? new Date(parseInt(lastLockoutData, 10)) : null,
+      averageAttemptsBeforeLockout: lockouts > 0 ? this.config.maxAttempts : 0
+    };
+  }
+  shouldNotifyAdmin(currentAttempts) {
+    return this.config.notifyAdmin && currentAttempts >= this.config.adminNotifyAfter;
+  }
+  getConfig() {
+    return { ...this.config };
+  }
+  setConfig(config) {
+    this.config = { ...this.config, ...config };
+  }
+};
+
+// src/auth/security/rate-limit.ts
+var DEFAULT_RATE_LIMITS = {
+  "auth:login": { window: 9e5, max: 5 },
+  "auth:register": { window: 36e5, max: 3 },
+  "auth:forgot": { window: 36e5, max: 3 },
+  "auth:reset": { window: 36e5, max: 5 },
+  "auth:verify": { window: 36e5, max: 5 },
+  "api:general": { window: 6e4, max: 100 },
+  "api:authenticated": { window: 6e4, max: 200 }
+};
+var RateLimiter = class {
+  redis;
+  prefix;
+  limits;
+  userLimits;
+  constructor(redis, limits, userLimits, prefix = "kyro:ratelimit:") {
+    this.redis = redis;
+    this.prefix = prefix;
+    this.limits = { ...DEFAULT_RATE_LIMITS, ...limits };
+    this.userLimits = userLimits || {
+      "user:api": { window: 6e4, max: 500 },
+      "user:write": { window: 36e5, max: 100 }
+    };
+  }
+  getKey(type, identifier) {
+    return `${this.prefix}${type}:${identifier}`;
+  }
+  async check(type, identifier) {
+    const config = this.limits[type] || this.limits["api:general"];
+    const key = this.getKey(type, identifier);
+    const now = Date.now();
+    const windowStart = now - config.window;
+    const pipeline = this.redis.pipeline();
+    pipeline.zremrangebyscore(key, 0, windowStart);
+    pipeline.zcard(key);
+    pipeline.zadd(key, now, `${now}:${Math.random()}`);
+    pipeline.expire(key, Math.ceil(config.window / 1e3) + 1);
+    const results = await pipeline.exec();
+    const count = results?.[1]?.[1] || 0;
+    if (count >= config.max) {
+      const oldestTimestamp = await this.redis.zrange(key, 0, 0, "WITHSCORES");
+      const resetAt = oldestTimestamp.length > 1 ? parseInt(oldestTimestamp[1], 10) + config.window : now + config.window;
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        retryAfter: Math.ceil((resetAt - now) / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: config.max - count - 1,
+      resetAt: now + config.window
+    };
+  }
+  async checkUser(type, userId, identifier) {
+    const config = this.userLimits[type] || this.userLimits["user:api"];
+    const key = this.getKey(`user:${type}:${userId}`, identifier);
+    const now = Date.now();
+    const windowStart = now - config.window;
+    const pipeline = this.redis.pipeline();
+    pipeline.zremrangebyscore(key, 0, windowStart);
+    pipeline.zcard(key);
+    pipeline.zadd(key, now, `${now}:${Math.random()}`);
+    pipeline.expire(key, Math.ceil(config.window / 1e3) + 1);
+    const results = await pipeline.exec();
+    const count = results?.[1]?.[1] || 0;
+    if (count >= config.max) {
+      const oldestTimestamp = await this.redis.zrange(key, 0, 0, "WITHSCORES");
+      const resetAt = oldestTimestamp.length > 1 ? parseInt(oldestTimestamp[1], 10) + config.window : now + config.window;
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        retryAfter: Math.ceil((resetAt - now) / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: config.max - count - 1,
+      resetAt: now + config.window
+    };
+  }
+  async reset(type, identifier) {
+    const key = this.getKey(type, identifier);
+    await this.redis.del(key);
+  }
+  async resetUser(type, userId, identifier) {
+    const key = this.getKey(`user:${type}:${userId}`, identifier);
+    await this.redis.del(key);
+  }
+  async getStatus(type, identifier) {
+    const config = this.limits[type] || this.limits["api:general"];
+    const key = this.getKey(type, identifier);
+    const now = Date.now();
+    const windowStart = now - config.window;
+    await this.redis.zremrangebyscore(key, 0, windowStart);
+    const count = await this.redis.zcard(key);
+    return {
+      count,
+      limit: config.max,
+      remaining: Math.max(0, config.max - count),
+      resetAt: now + config.window
+    };
+  }
+  setLimit(type, config) {
+    this.limits[type] = config;
+  }
+  setUserLimit(type, config) {
+    this.userLimits[type] = config;
+  }
+};
+var AuditLogger = class {
+  redis;
+  prefix;
+  retentionDays;
+  constructor(redis, retentionDays = 30, prefix = "kyro:audit:") {
+    this.redis = redis;
+    this.prefix = prefix;
+    this.retentionDays = retentionDays;
+  }
+  async log(data) {
+    const id = randomBytes(16).toString("hex");
+    const timestamp = /* @__PURE__ */ new Date();
+    const log = {
+      ...data,
+      id,
+      timestamp
+    };
+    const key = this.getKeyForDate(timestamp);
+    const hashKey = `${this.prefix}log:${id}`;
+    await this.redis.hset(hashKey, this.serializeLog(log));
+    await this.redis.expire(hashKey, this.retentionDays * 24 * 60 * 60 + 3600);
+    await this.redis.zadd(key, timestamp.getTime(), id);
+    await this.redis.expire(key, this.retentionDays * 24 * 60 * 60 + 3600);
+    const userIndex = data.userId ? `${this.prefix}user:${data.userId}` : null;
+    if (userIndex) {
+      await this.redis.zadd(userIndex, timestamp.getTime(), id);
+      await this.redis.expire(
+        userIndex,
+        this.retentionDays * 24 * 60 * 60 + 3600
+      );
+    }
+    return id;
+  }
+  async get(id) {
+    const hashKey = `${this.prefix}log:${id}`;
+    const data = await this.redis.hgetall(hashKey);
+    if (!data || Object.keys(data).length === 0) {
+      return null;
+    }
+    return this.deserializeLog(data);
+  }
+  async query(filter = {}) {
+    const { limit = 50, offset = 0 } = filter;
+    let keys = [];
+    if (filter.userId) {
+      keys.push(`${this.prefix}user:${filter.userId}`);
+    } else if (filter.startDate || filter.endDate) {
+      keys = this.getKeysForDateRange(filter.startDate, filter.endDate);
+    } else {
+      const now = /* @__PURE__ */ new Date();
+      keys = this.getKeysForDateRange(
+        new Date(now.getTime() - this.retentionDays * 24 * 60 * 60 * 1e3),
+        now
+      );
+    }
+    let idScores = [];
+    for (const key of keys) {
+      const items = await this.redis.zrange(key, 0, -1, "WITHSCORES");
+      for (let i = 0; i < items.length; i += 2) {
+        idScores.push([items[i], parseInt(items[i + 1], 10)]);
+      }
+    }
+    idScores.sort((a, b) => b[1] - a[1]);
+    const total = idScores.length;
+    idScores = idScores.slice(offset, offset + limit);
+    const logs = [];
+    for (const [id] of idScores) {
+      const log = await this.get(id);
+      if (log) {
+        if (this.matchesFilter(log, filter)) {
+          logs.push(log);
+        }
+      }
+    }
+    return { logs, total };
+  }
+  async getRecent(limit = 50) {
+    const logs = [];
+    const now = /* @__PURE__ */ new Date();
+    const keys = this.getKeysForDateRange(
+      new Date(now.getTime() - 7 * 24 * 60 * 60 * 1e3),
+      now
+    );
+    let allIds = [];
+    for (const key of keys) {
+      const items = await this.redis.zrange(key, 0, -1, "WITHSCORES");
+      for (let i = 0; i < items.length; i += 2) {
+        allIds.push([items[i], parseInt(items[i + 1], 10)]);
+      }
+    }
+    allIds.sort((a, b) => b[1] - a[1]);
+    for (const [id] of allIds.slice(0, limit)) {
+      const log = await this.get(id);
+      if (log) logs.push(log);
+    }
+    return logs;
+  }
+  async getUserActivity(userId, limit = 50) {
+    const key = `${this.prefix}user:${userId}`;
+    const ids = await this.redis.zrange(key, 0, limit - 1);
+    const logs = [];
+    for (const id of ids) {
+      const log = await this.get(id);
+      if (log) logs.push(log);
+    }
+    return logs;
+  }
+  async getStats(startDate, endDate) {
+    const keys = this.getKeysForDateRange(
+      startDate || new Date(Date.now() - 30 * 24 * 60 * 60 * 1e3),
+      endDate || /* @__PURE__ */ new Date()
+    );
+    const byAction = {};
+    let totalEvents = 0;
+    let failedLogins = 0;
+    let successCount = 0;
+    const uniqueUsers = /* @__PURE__ */ new Set();
+    for (const key of keys) {
+      const ids = await this.redis.zrange(key, 0, -1);
+      for (const id of ids) {
+        const log = await this.get(id);
+        if (log) {
+          totalEvents++;
+          byAction[log.action] = (byAction[log.action] || 0) + 1;
+          if (log.success) {
+            successCount++;
+          }
+          if (log.action === "login_failed") {
+            failedLogins++;
+          }
+          if (log.userId) {
+            uniqueUsers.add(log.userId);
+          }
+        }
+      }
+    }
+    return {
+      totalEvents,
+      byAction,
+      successRate: totalEvents > 0 ? successCount / totalEvents : 1,
+      failedLogins,
+      uniqueUsers
+    };
+  }
+  async cleanup() {
+    const cutoff = Date.now() - this.retentionDays * 24 * 60 * 60 * 1e3;
+    const keys = await this.redis.keys(`${this.prefix}date:*`);
+    let deleted = 0;
+    for (const key of keys) {
+      const timestamp = await this.redis.zrangebyscore(key, 0, cutoff);
+      for (const id of timestamp) {
+        await this.redis.del(`${this.prefix}log:${id}`);
+        deleted++;
+      }
+      await this.redis.zremrangebyscore(key, 0, cutoff);
+    }
+    return deleted;
+  }
+  getKeyForDate(date) {
+    const year = date.getFullYear();
+    const month = String(date.getMonth() + 1).padStart(2, "0");
+    const day = String(date.getDate()).padStart(2, "0");
+    return `${this.prefix}date:${year}-${month}-${day}`;
+  }
+  getKeysForDateRange(start, end) {
+    const keys = [];
+    const startDate = start || new Date(Date.now() - this.retentionDays * 24 * 60 * 60 * 1e3);
+    const endDate = end || /* @__PURE__ */ new Date();
+    const current = new Date(startDate);
+    while (current <= endDate) {
+      keys.push(this.getKeyForDate(current));
+      current.setDate(current.getDate() + 1);
+    }
+    return keys;
+  }
+  matchesFilter(log, filter) {
+    if (filter.action) {
+      const actions = Array.isArray(filter.action) ? filter.action : [filter.action];
+      if (!actions.includes(log.action)) return false;
+    }
+    if (filter.resource && log.resource !== filter.resource) return false;
+    if (filter.resourceId && log.resourceId !== filter.resourceId) return false;
+    if (filter.success !== void 0 && log.success !== filter.success)
+      return false;
+    return true;
+  }
+  serializeLog(log) {
+    const result = {
+      id: log.id,
+      timestamp: log.timestamp.toISOString(),
+      action: log.action,
+      resource: log.resource,
+      success: log.success ? "1" : "0"
+    };
+    if (log.userId) result.userId = log.userId;
+    if (log.userEmail) result.userEmail = log.userEmail;
+    if (log.role) result.role = log.role;
+    if (log.resourceId) result.resourceId = log.resourceId;
+    if (log.ipAddress) result.ipAddress = log.ipAddress;
+    if (log.userAgent) result.userAgent = log.userAgent;
+    if (log.error) result.error = log.error;
+    if (log.changes) result.changes = JSON.stringify(log.changes);
+    if (log.metadata) result.metadata = JSON.stringify(log.metadata);
+    return result;
+  }
+  deserializeLog(data) {
+    return {
+      id: data.id,
+      timestamp: new Date(data.timestamp),
+      action: data.action,
+      userId: data.userId,
+      userEmail: data.userEmail,
+      role: data.role,
+      resource: data.resource,
+      resourceId: data.resourceId,
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent,
+      success: data.success === "1",
+      error: data.error,
+      changes: data.changes ? JSON.parse(data.changes) : void 0,
+      metadata: data.metadata ? JSON.parse(data.metadata) : void 0
+    };
+  }
+};
+function createAuditContext(req) {
+  return {
+    ipAddress: req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || "unknown",
+    userAgent: req.headers.get("user-agent") || "unknown"
+  };
+}
+function defaultExtractToken(req) {
+  const authHeader = req.headers.get("Authorization");
+  if (authHeader?.startsWith("Bearer ")) {
+    return authHeader.slice(7);
+  }
+  const cookieHeader = req.headers.get("Cookie");
+  if (cookieHeader) {
+    const cookies = Object.fromEntries(
+      cookieHeader.split("; ").map((c) => {
+        const [key, ...val] = c.split("=");
+        return [key.trim(), val.join("=")];
+      })
+    );
+    return cookies["auth_token"] || null;
+  }
+  return null;
+}
+function generateToken(payload, secret, options = {}) {
+  return jwt2.sign(payload, secret, {
+    expiresIn: options.expiresIn || "24h",
+    issuer: options.issuer,
+    audience: options.audience
+  });
+}
+
+// src/api/rest/auth-routes.ts
+var AuthRoutes = class {
+  redis;
+  email;
+  jwtSecret;
+  jwtExpiresIn;
+  jwtIssuer;
+  jwtAudience;
+  passwordPolicy;
+  lockout;
+  rateLimiter;
+  auditLogger;
+  baseUrl;
+  emailVerificationRequired;
+  constructor(config) {
+    this.redis = config.redis;
+    this.email = config.email;
+    this.jwtSecret = config.jwtSecret;
+    this.jwtExpiresIn = config.jwtExpiresIn || "24h";
+    this.jwtIssuer = config.jwtIssuer;
+    this.jwtAudience = config.jwtAudience;
+    this.passwordPolicy = config.passwordPolicy || new PasswordPolicy();
+    this.lockout = config.lockout;
+    this.rateLimiter = config.rateLimiter;
+    this.auditLogger = config.auditLogger;
+    this.baseUrl = config.baseUrl || "http://localhost:3000";
+    this.emailVerificationRequired = config.emailVerificationRequired ?? true;
+  }
+  async register(req) {
+    const { ipAddress, userAgent } = createAuditContext(req);
+    if (this.rateLimiter) {
+      const limit = await this.rateLimiter.check("auth:register", ipAddress);
+      if (!limit.allowed) {
+        return this.rateLimitResponse(limit);
+      }
+    }
+    try {
+      const body = await req.json();
+      if (!body.email || !body.password) {
+        return this.errorResponse("Email and password are required", 400);
+      }
+      if (body.password !== body.confirmPassword) {
+        return this.errorResponse("Passwords do not match", 400);
+      }
+      const passwordValidation = this.passwordPolicy.validate(body.password);
+      if (!passwordValidation.valid) {
+        return this.errorResponse(passwordValidation.errors.join(". "), 400);
+      }
+      const existingUser = await this.redis.findUserByEmail(body.email);
+      if (existingUser) {
+        return this.errorResponse("Email already registered", 400);
+      }
+      const passwordHash = await this.redis.hashPassword(body.password);
+      const user = await this.redis.createUser({
+        email: body.email,
+        passwordHash,
+        role: body.role || "customer",
+        tenantId: body.tenantId
+      });
+      if (this.emailVerificationRequired && this.email) {
+        const verificationToken = randomBytes(32).toString("hex");
+        const verificationUrl = `${this.baseUrl}/api/auth/verify?token=${verificationToken}`;
+        await this.redis.createSession(user.id, { ipAddress, userAgent });
+        const template = this.email.getTemplates().verifyEmail(verificationUrl, body.email);
+        await this.email.send({ to: body.email, ...template });
+      }
+      if (this.auditLogger) {
+        await this.auditLogger.log({
+          action: "register",
+          userId: user.id,
+          userEmail: user.email,
+          resource: "auth",
+          ipAddress,
+          userAgent,
+          success: true
+        });
+      }
+      return this.jsonResponse(
+        {
+          success: true,
+          message: "Registration successful",
+          user: this.sanitizeUser(user),
+          requiresVerification: this.emailVerificationRequired && !!this.email
+        },
+        201
+      );
+    } catch (error) {
+      return this.errorResponse("Registration failed", 500);
+    }
+  }
+  async login(req) {
+    const { ipAddress, userAgent } = createAuditContext(req);
+    if (this.rateLimiter) {
+      const limit = await this.rateLimiter.check("auth:login", ipAddress);
+      if (!limit.allowed) {
+        return this.rateLimitResponse(limit);
+      }
+    }
+    try {
+      const body = await req.json();
+      if (!body.email || !body.password) {
+        return this.errorResponse("Email and password are required", 400);
+      }
+      const user = await this.redis.findUserByEmail(body.email);
+      if (!user) {
+        await this.recordFailedLogin(ipAddress, userAgent);
+        return this.errorResponse("Invalid credentials", 401);
+      }
+      if (this.lockout) {
+        const lockoutStatus = await this.lockout.checkLockout(user.id);
+        if (lockoutStatus.locked) {
+          if (this.auditLogger) {
+            await this.auditLogger.log({
+              action: "login_failed",
+              userId: user.id,
+              userEmail: user.email,
+              resource: "auth",
+              ipAddress,
+              userAgent,
+              success: false,
+              error: "Account locked"
+            });
+          }
+          return this.errorResponse(
+            `Account locked. Try again in ${Math.ceil((lockoutStatus.lockedUntil.getTime() - Date.now()) / 6e4)} minutes`,
+            423
+          );
+        }
+      }
+      const validPassword = user.passwordHash ? await this.redis.verifyPassword(body.password, user.passwordHash) : false;
+      if (!validPassword) {
+        await this.recordFailedLogin(ipAddress, userAgent, user.id, user.email);
+        return this.errorResponse("Invalid credentials", 401);
+      }
+      if (this.lockout) {
+        await this.lockout.resetAttempts(user.id);
+      }
+      const session = await this.redis.createSession(user.id, {
+        ipAddress,
+        userAgent
+      });
+      const payload = {
+        sub: user.id,
+        email: user.email,
+        role: user.role,
+        tenantId: user.tenantId,
+        iat: Math.floor(Date.now() / 1e3),
+        exp: Math.floor(Date.now() / 1e3) + 86400
+      };
+      const accessToken = generateToken(payload, this.jwtSecret, {
+        expiresIn: this.jwtExpiresIn,
+        issuer: this.jwtIssuer,
+        audience: this.jwtAudience
+      });
+      if (this.auditLogger) {
+        await this.auditLogger.log({
+          action: "login",
+          userId: user.id,
+          userEmail: user.email,
+          role: user.role,
+          resource: "auth",
+          ipAddress,
+          userAgent,
+          success: true
+        });
+      }
+      await this.redis.updateUser(user.id, {
+        lastLogin: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return this.jsonResponse({
+        success: true,
+        user: this.sanitizeUser(user),
+        accessToken,
+        refreshToken: session.refreshToken,
+        expiresIn: this.jwtExpiresIn
+      });
+    } catch (error) {
+      return this.errorResponse("Login failed", 500);
+    }
+  }
+  async logout(req) {
+    const token = defaultExtractToken(req);
+    if (!token) {
+      return this.errorResponse("No session to logout", 401);
+    }
+    const { ipAddress, userAgent } = createAuditContext(req);
+    try {
+      const payload = jwt2.decode(token);
+      if (payload && payload.sub) {
+        await this.redis.deleteUserSessions(payload.sub);
+        if (this.auditLogger) {
+          await this.auditLogger.log({
+            action: "logout",
+            userId: payload.sub,
+            userEmail: payload.email,
+            resource: "auth",
+            ipAddress,
+            userAgent,
+            success: true
+          });
+        }
+      }
+      return this.jsonResponse({
+        success: true,
+        message: "Logged out successfully"
+      });
+    } catch (error) {
+      return this.errorResponse("Logout failed", 500);
+    }
+  }
+  async refresh(req) {
+    try {
+      const body = await req.json();
+      const { refreshToken } = body;
+      if (!refreshToken) {
+        return this.errorResponse("Refresh token required", 400);
+      }
+      return this.jsonResponse({ success: true, accessToken: "" });
+    } catch (error) {
+      return this.errorResponse("Token refresh failed", 500);
+    }
+  }
+  async me(req) {
+    const token = defaultExtractToken(req);
+    if (!token) {
+      return this.errorResponse("Not authenticated", 401);
+    }
+    try {
+      const payload = jwt2.verify(token, this.jwtSecret, {
+        issuer: this.jwtIssuer,
+        audience: this.jwtAudience
+      });
+      const user = await this.redis.findUserById(payload.sub);
+      if (!user) {
+        return this.errorResponse("User not found", 404);
+      }
+      return this.jsonResponse({
+        success: true,
+        user: this.sanitizeUser(user)
+      });
+    } catch (error) {
+      return this.errorResponse("Authentication failed", 401);
+    }
+  }
+  async changePassword(req) {
+    const token = defaultExtractToken(req);
+    if (!token) {
+      return this.errorResponse("Not authenticated", 401);
+    }
+    const { ipAddress, userAgent } = createAuditContext(req);
+    try {
+      const payload = jwt2.verify(token, this.jwtSecret);
+      const body = await req.json();
+      const { currentPassword, newPassword, confirmPassword } = body;
+      if (!currentPassword || !newPassword) {
+        return this.errorResponse("Current and new password required", 400);
+      }
+      if (newPassword !== confirmPassword) {
+        return this.errorResponse("Passwords do not match", 400);
+      }
+      const passwordValidation = this.passwordPolicy.validate(newPassword);
+      if (!passwordValidation.valid) {
+        return this.errorResponse(passwordValidation.errors.join(". "), 400);
+      }
+      const user = await this.redis.findUserById(payload.sub);
+      if (!user) {
+        return this.errorResponse("User not found", 404);
+      }
+      const validPassword = user.passwordHash ? await this.redis.verifyPassword(currentPassword, user.passwordHash) : false;
+      if (!validPassword) {
+        return this.errorResponse("Current password is incorrect", 401);
+      }
+      const passwordHistory = await this.redis.getPasswordHistory(user.id, 5);
+      const isReused = await this.redis.isPasswordInHistory(
+        newPassword,
+        user.id,
+        5
+      );
+      if (isReused) {
+        return this.errorResponse(
+          "Password was recently used. Please choose a different password",
+          400
+        );
+      }
+      const newPasswordHash = await this.redis.hashPassword(newPassword);
+      if (user.passwordHash) {
+        await this.redis.addPasswordToHistory(user.id, user.passwordHash);
+      }
+      await this.redis.updateUser(user.id, { passwordHash: newPasswordHash });
+      await this.redis.deleteUserSessions(user.id);
+      if (this.email && this.email.getTemplates) {
+        const template = this.email.getTemplates().passwordChanged(user.email);
+        await this.email.send({ to: user.email, ...template });
+      }
+      if (this.auditLogger) {
+        await this.auditLogger.log({
+          action: "password_change",
+          userId: user.id,
+          userEmail: user.email,
+          resource: "auth",
+          ipAddress,
+          userAgent,
+          success: true
+        });
+      }
+      return this.jsonResponse({
+        success: true,
+        message: "Password changed successfully"
+      });
+    } catch (error) {
+      return this.errorResponse("Password change failed", 500);
+    }
+  }
+  async forgotPassword(req) {
+    const { ipAddress, userAgent } = createAuditContext(req);
+    if (this.rateLimiter) {
+      const limit = await this.rateLimiter.check("auth:forgot", ipAddress);
+      if (!limit.allowed) {
+        return this.rateLimitResponse(limit);
+      }
+    }
+    try {
+      const body = await req.json();
+      const { email } = body;
+      if (!email) {
+        return this.errorResponse("Email required", 400);
+      }
+      const user = await this.redis.findUserByEmail(email);
+      if (!user) {
+        return this.jsonResponse({
+          success: true,
+          message: "If the email exists, a reset link has been sent"
+        });
+      }
+      if (this.email) {
+        const resetToken = randomBytes(32).toString("hex");
+        const resetUrl = `${this.baseUrl}/api/auth/reset-password?token=${resetToken}`;
+        const template = this.email.getTemplates().resetPassword(resetUrl, user.email);
+        await this.email.send({ to: user.email, ...template });
+      }
+      if (this.auditLogger) {
+        await this.auditLogger.log({
+          action: "password_reset_request",
+          userId: user.id,
+          userEmail: user.email,
+          resource: "auth",
+          ipAddress,
+          userAgent,
+          success: true
+        });
+      }
+      return this.jsonResponse({
+        success: true,
+        message: "If the email exists, a reset link has been sent"
+      });
+    } catch (error) {
+      return this.errorResponse("Password reset request failed", 500);
+    }
+  }
+  async verifyEmail(req) {
+    const url = new URL(req.url);
+    const token = url.searchParams.get("token");
+    if (!token) {
+      return this.errorResponse("Verification token required", 400);
+    }
+    try {
+      return this.jsonResponse({ success: true, message: "Email verified" });
+    } catch (error) {
+      return this.errorResponse("Email verification failed", 500);
+    }
+  }
+  async recordFailedLogin(ipAddress, userAgent, userId, userEmail) {
+    if (this.lockout) {
+      await this.lockout.recordFailedAttempt(userId || ipAddress);
+    }
+    if (this.auditLogger) {
+      await this.auditLogger.log({
+        action: "login_failed",
+        userId,
+        userEmail,
+        resource: "auth",
+        ipAddress,
+        userAgent,
+        success: false,
+        error: "Invalid credentials"
+      });
+    }
+  }
+  sanitizeUser(user) {
+    const { passwordHash, ...sanitized } = user;
+    return sanitized;
+  }
+  jsonResponse(data, status = 200) {
+    return new Response(JSON.stringify(data), {
+      status,
+      headers: {
+        "Content-Type": "application/json"
+      }
+    });
+  }
+  errorResponse(message, status) {
+    return new Response(JSON.stringify({ success: false, error: message }), {
+      status,
+      headers: {
+        "Content-Type": "application/json"
+      }
+    });
+  }
+  rateLimitResponse(limit) {
+    return new Response(
+      JSON.stringify({
+        success: false,
+        error: "Too many requests",
+        retryAfter: limit.retryAfter
+      }),
+      {
+        status: 429,
+        headers: {
+          "Content-Type": "application/json",
+          "Retry-After": String(limit.retryAfter || 60)
+        }
+      }
+    );
+  }
+};
+
+// src/auth/config.ts
+function getEnv(key, fallback = "") {
+  return process.env[key] || fallback;
+}
+function getEnvBool(key, fallback = false) {
+  const val = process.env[key];
+  if (!val) return fallback;
+  return val.toLowerCase() === "true";
+}
+function getEnvNum(key, fallback = 0) {
+  const val = process.env[key];
+  if (!val) return fallback;
+  return parseInt(val, 10);
+}
+async function createAuthConfig() {
+  const redisUrl = getEnv("REDIS_URL", "redis://localhost:6379");
+  const redisKeyPrefix = getEnv("REDIS_KEY_PREFIX", "kyro:auth:");
+  const redisSessionTTL = getEnvNum("REDIS_SESSION_TTL", 86400);
+  const redisRefreshTTL = getEnvNum("REDIS_REFRESH_TOKEN_TTL", 604800);
+  const redisAdapter = new RedisAuthAdapter({
+    url: redisUrl,
+    keyPrefix: redisKeyPrefix,
+    tokenExpiration: redisSessionTTL,
+    refreshTokenExpiration: redisRefreshTTL,
+    tls: getEnvBool("REDIS_TLS", false)
+  });
+  await redisAdapter.connect();
+  const redisClient = redisAdapter.redis;
+  const emailConfig = getEmailConfig();
+  const email = emailConfig ? new EmailTransport(emailConfig) : void 0;
+  const passwordPolicy = new PasswordPolicy({
+    minLength: getEnvNum("PASSWORD_MIN_LENGTH", 12),
+    requireUppercase: getEnvBool("PASSWORD_REQUIRE_UPPERCASE", true),
+    requireLowercase: getEnvBool("PASSWORD_REQUIRE_LOWERCASE", true),
+    requireNumbers: getEnvBool("PASSWORD_REQUIRE_NUMBERS", true),
+    requireSpecialChars: getEnvBool("PASSWORD_REQUIRE_SPECIAL", true),
+    preventReuse: getEnvNum("PASSWORD_PREVENT_REUSE", 5),
+    maxLength: getEnvNum("PASSWORD_MAX_LENGTH", 128)
+  });
+  let lockout;
+  if (getEnvBool("LOCKOUT_ENABLED", true)) {
+    lockout = new AccountLockout(redisClient, {
+      maxAttempts: getEnvNum("LOCKOUT_MAX_ATTEMPTS", 5),
+      lockDuration: getEnvNum("LOCKOUT_DURATION_MINUTES", 15) * 60 * 1e3
+    });
+  }
+  let rateLimiter;
+  if (getEnvBool("RATE_LIMIT_ENABLED", true)) {
+    rateLimiter = new RateLimiter(redisClient, {
+      "auth:login": {
+        window: getEnvNum("RATE_LIMIT_AUTH_WINDOW_MS", 9e5),
+        max: getEnvNum("RATE_LIMIT_AUTH_MAX_REQUESTS", 10)
+      },
+      "api:general": {
+        window: getEnvNum("RATE_LIMIT_WINDOW_MS", 6e4),
+        max: getEnvNum("RATE_LIMIT_MAX_REQUESTS", 100)
+      }
+    });
+  }
+  let auditLogger;
+  if (getEnvBool("AUDIT_LOG_ENABLED", true)) {
+    auditLogger = new AuditLogger(
+      redisClient,
+      getEnvNum("AUDIT_LOG_RETENTION_DAYS", 30)
+    );
+  }
+  const routes = new AuthRoutes({
+    redis: redisAdapter,
+    email,
+    jwtSecret: getEnv("JWT_SECRET", "change-me"),
+    jwtExpiresIn: getEnv("JWT_EXPIRES_IN", "24h"),
+    jwtIssuer: getEnv("JWT_ISSUER", "kyro-cms"),
+    jwtAudience: getEnv("JWT_AUDIENCE", "kyro-cms-client"),
+    passwordPolicy,
+    lockout,
+    rateLimiter,
+    auditLogger,
+    baseUrl: getEnv("EMAIL_BASE_URL", "http://localhost:4321"),
+    emailVerificationRequired: getEnvBool("EMAIL_VERIFICATION_REQUIRED", true)
+  });
+  return {
+    redis: redisAdapter,
+    redisClient,
+    email,
+    passwordPolicy,
+    lockout,
+    rateLimiter,
+    auditLogger,
+    routes
+  };
+}
+function getEmailConfig() {
+  const host = getEnv("SMTP_HOST");
+  if (!host) return void 0;
+  return {
+    host,
+    port: getEnvNum("SMTP_PORT", 587),
+    secure: getEnvBool("SMTP_SECURE", false),
+    auth: {
+      user: getEnv("SMTP_USER"),
+      pass: getEnv("SMTP_PASS")
+    },
+    from: getEnv("SMTP_FROM", "noreply@example.com"),
+    fromName: getEnv("SMTP_FROM_NAME", "Kyro CMS")
+  };
+}
+var authConfig = createAuthConfig();
+
+// src/auth/index.ts
 var DEFAULT_SALT_ROUNDS = 12;
 var DEFAULT_EXPIRES_IN = "24h";
 var DEFAULT_REFRESH_EXPIRES_IN = "7d";
@@ -2020,7 +3083,7 @@ var Auth = class {
         email: data.email,
         passwordHash,
         role: data.role ?? "customer",
-        tenant: data.tenant
+        tenantId: data.tenantId
       });
       return this.createSessionForUser(user);
     } catch (error) {
@@ -2051,7 +3114,7 @@ var Auth = class {
   async refreshToken(refreshToken) {
     try {
       const session = await this.adapter.findSessionByToken(refreshToken);
-      if (!session || session.expiresAt < /* @__PURE__ */ new Date()) {
+      if (!session || new Date(session.expiresAt) < /* @__PURE__ */ new Date()) {
         return { success: false, error: "Invalid or expired refresh token" };
       }
       const user = await this.adapter.findUserById(session.userId);
@@ -2066,7 +3129,7 @@ var Auth = class {
   }
   async verifyToken(token) {
     try {
-      const decoded = jwt.verify(token, this.config.secret, {
+      const decoded = jwt2.verify(token, this.config.secret, {
         issuer: this.config.issuer,
         audience: this.config.audience.length > 0 ? this.config.audience[0] : void 0
       });
@@ -2130,9 +3193,7 @@ var Auth = class {
   }
   async createSessionForUser(user) {
     const token = this.generateToken(user);
-    const refreshToken = randomUUID();
-    const expiresAt = new Date(Date.now() + this.parseExpiresIn(this.config.refreshExpiresIn));
-    const session = await this.adapter.createSession(user.id, refreshToken, expiresAt);
+    const session = await this.adapter.createSession(user.id);
     return {
       success: true,
       user,
@@ -2145,7 +3206,7 @@ var Auth = class {
       sub: user.id,
       email: user.email,
       role: user.role,
-      tenant: user.tenant
+      tenantId: user.tenantId
     };
     const signOptions = {
       expiresIn: this.parseExpiresIn(this.config.expiresIn) / 1e3,
@@ -2154,7 +3215,7 @@ var Auth = class {
     if (this.config.audience.length > 0) {
       signOptions.audience = this.config.audience[0];
     }
-    return jwt.sign(payload, this.config.secret, signOptions);
+    return jwt2.sign(payload, this.config.secret, signOptions);
   }
   async hashPassword(password) {
     return bcrypt.hash(password, this.config.saltRounds);
@@ -2329,6 +3390,35 @@ function isArchived(status) {
   return status === "archived";
 }
 
-export { ALL_FIELD_TYPES, AnalyticsPlugin, Auth, COMPLEX_FIELD_TYPES, CSSGenerator, CommentsPlugin, ConfigValidationError, Kyro, KyroPlugin, LAYOUT_FIELD_TYPES, LocalAdapter, PRIMITIVE_FIELD_TYPES, PluginManager, RELATIONAL_FIELD_TYPES, Registry, ReviewsPlugin, SEOPLugin, VersionManager, WishlistPlugin, collectionToCreateZod, collectionToUpdateZod, collectionToWhereZod, collectionToZod, createAdminStyling, createAuth, createKyro, createLocalAdapter, createRegistry, createVersionManager, defaultDarkTheme, defaultFieldStyling, defaultLightTheme, ecommerce2026Theme, fieldToZod, generateCSSVariables, generateTailwindConfig, getDefaultDraftPublishConfig, getRegistry, globalToZod, isArchived, isArrayField, isBlocksField, isDraft, isGroupField, isLayoutField, isNumberField, isPublished, isRelationshipField, isRichTextField, isSelectField, isTextField, isUploadField, presetPlugins, resetRegistry, runFieldHooks, runHooks, validateCollection, validateConfig, validateFields, validateGlobal };
+// src/registry/config.ts
+function normalizeCollections(collections) {
+  if (!collections) return [];
+  if (Array.isArray(collections)) return collections;
+  return Object.values(collections);
+}
+function normalizeGlobals(globals) {
+  if (!globals) return [];
+  if (Array.isArray(globals)) return globals;
+  return Object.values(globals);
+}
+function defineConfig(config) {
+  return {
+    collections: normalizeCollections(config.collections),
+    globals: normalizeGlobals(config.globals),
+    adapter: config.adapter,
+    plugins: config.plugins,
+    auth: config.auth,
+    cors: config.cors,
+    admin: config.admin,
+    upload: config.upload,
+    graphQL: config.graphQL,
+    typescript: config.typescript,
+    localization: config.localization,
+    rateLimit: config.rateLimit,
+    debug: config.debug
+  };
+}
+
+export { ALL_FIELD_TYPES, AccountLockout, AnalyticsPlugin, AuditLogger, Auth, COMPLEX_FIELD_TYPES, CSSGenerator, CommentsPlugin, ConfigValidationError, Kyro, KyroPlugin, LAYOUT_FIELD_TYPES, LocalAdapter, PRIMITIVE_FIELD_TYPES, PluginManager, RELATIONAL_FIELD_TYPES, RateLimiter, Registry, ReviewsPlugin, SEOPLugin, VersionManager, WishlistPlugin, authConfig, collectionToCreateZod, collectionToUpdateZod, collectionToWhereZod, collectionToZod, createAdminStyling, createAuditContext, createAuth, createAuthConfig, createKyro, createLocalAdapter, createRegistry, createVersionManager, defaultDarkTheme, defaultFieldStyling, defaultLightTheme, defineConfig, ecommerce2026Theme, fieldToZod, generateCSSVariables, generateTailwindConfig, getDefaultDraftPublishConfig, getRegistry, globalToZod, isArchived, isArrayField, isBlocksField, isDraft, isGroupField, isLayoutField, isNumberField, isPublished, isRelationshipField, isRichTextField, isSelectField, isTextField, isUploadField, presetPlugins, resetRegistry, runFieldHooks, runHooks, validateCollection, validateConfig, validateFields, validateGlobal };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map