@kyro-cms/core 0.1.5 → 0.1.7

package/dist/chunk-E63IF3MD.cjs

@@ -0,0 +1,951 @@
+'use strict';
+
+var chunkHVSQDZZJ_cjs = require('./chunk-HVSQDZZJ.cjs');
+var chunkVIONYQ2K_cjs = require('./chunk-VIONYQ2K.cjs');
+var hono = require('hono');
+var jwt = require('jsonwebtoken');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+var jwt__default = /*#__PURE__*/_interopDefault(jwt);
+
+function createAuthMiddleware(config) {
+  const {
+    secret,
+    issuer,
+    audience,
+    db,
+    userLookup,
+    extractToken = defaultExtractToken
+  } = config;
+  return async function authMiddleware(req) {
+    const apiKeyRaw = chunkVIONYQ2K_cjs.extractApiKeyFromRequest(req);
+    if (apiKeyRaw && db) {
+      const result = await chunkVIONYQ2K_cjs.validateApiKey(apiKeyRaw, db, userLookup);
+      if (result.valid && result.user) {
+        return {
+          user: result.user,
+          tenantContext: createTenantContextFromUser(result.user),
+          apiKeyContext: chunkVIONYQ2K_cjs.createApiKeyContext(result),
+          status: 200,
+          authType: "apikey"
+        };
+      }
+      if (result.error) {
+        return {
+          status: 401,
+          error: result.error
+        };
+      }
+    }
+    const token = extractToken(req);
+    if (!token) {
+      return {
+        status: 401,
+        error: "No authentication token provided"
+      };
+    }
+    try {
+      const payload = jwt__default.default.verify(token, secret, {
+        issuer,
+        audience
+      });
+      const user = {
+        id: payload.sub,
+        email: payload.email,
+        role: payload.role,
+        tenantId: payload.tenantId
+      };
+      return {
+        user,
+        token,
+        tenantContext: createTenantContextFromUser(user),
+        status: 200,
+        authType: "jwt"
+      };
+    } catch (error) {
+      if (error instanceof jwt__default.default.TokenExpiredError) {
+        return {
+          status: 401,
+          error: "Token has expired"
+        };
+      }
+      if (error instanceof jwt__default.default.JsonWebTokenError) {
+        return {
+          status: 401,
+          error: "Invalid token"
+        };
+      }
+      return {
+        status: 401,
+        error: "Authentication failed"
+      };
+    }
+  };
+}
+function defaultExtractToken(req) {
+  const authHeader = req.headers.get("Authorization");
+  if (authHeader?.startsWith("Bearer ")) {
+    return authHeader.slice(7);
+  }
+  const cookieHeader = req.headers.get("Cookie");
+  if (cookieHeader) {
+    const cookies = Object.fromEntries(
+      cookieHeader.split("; ").map((c) => {
+        const [key, ...val] = c.split("=");
+        return [key.trim(), val.join("=")];
+      })
+    );
+    return cookies["auth_token"] || null;
+  }
+  return null;
+}
+function createTenantContextFromUser(user) {
+  return {
+    tenantId: user.tenantId || "default",
+    userId: user.id || "anonymous",
+    role: user.role || "guest",
+    roles: [user.role || "guest"],
+    permissions: [],
+    isSuperAdmin: user.role === "super_admin"
+  };
+}
+function generateToken(payload, secret, options = {}) {
+  return jwt__default.default.sign(payload, secret, {
+    expiresIn: options.expiresIn || "24h",
+    issuer: options.issuer,
+    audience: options.audience
+  });
+}
+
+// src/auth/security/in-memory-rate-limit.ts
+var InMemoryRateLimiter = class {
+  storage = /* @__PURE__ */ new Map();
+  userStorage = /* @__PURE__ */ new Map();
+  limits;
+  userLimits;
+  constructor(limits, userLimits) {
+    this.limits = { ...DEFAULT_RATE_LIMITS, ...limits };
+    this.userLimits = userLimits || {
+      "user:api": { window: 6e4, max: 500 },
+      "user:write": { window: 36e5, max: 100 }
+    };
+  }
+  getKey(type, identifier) {
+    return `${type}:${identifier}`;
+  }
+  getUserKey(type, userId, identifier) {
+    return `user:${type}:${userId}:${identifier}`;
+  }
+  cleanupOldEntries(entries, window) {
+    const now = Date.now();
+    const windowStart = now - window;
+    while (entries.length > 0 && entries[0].timestamp < windowStart) {
+      entries.shift();
+    }
+  }
+  async check(type, identifier) {
+    const config = this.limits[type] || this.limits["api:general"];
+    const key = this.getKey(type, identifier);
+    let entries = this.storage.get(key);
+    if (!entries) {
+      entries = [];
+      this.storage.set(key, entries);
+    }
+    this.cleanupOldEntries(entries, config.window);
+    const now = Date.now();
+    const count = entries.reduce((sum, entry) => sum + entry.count, 0);
+    entries.push({ timestamp: now, count: 1 });
+    if (count >= config.max) {
+      const oldestEntry = entries.reduce(
+        (oldest, current) => oldest.timestamp < current.timestamp ? oldest : current,
+        entries[0]
+      );
+      const resetAt = oldestEntry.timestamp + config.window;
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        retryAfter: Math.ceil((resetAt - now) / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: config.max - count - 1,
+      resetAt: now + config.window
+    };
+  }
+  async checkUser(type, userId, identifier) {
+    const config = this.userLimits[type] || this.userLimits["user:api"];
+    const userMap = this.userStorage.get(userId);
+    let entries = [];
+    if (userMap) {
+      entries = userMap.get(this.getKey(type, identifier)) || [];
+    } else {
+      if (!this.userStorage.has(userId)) {
+        this.userStorage.set(userId, /* @__PURE__ */ new Map());
+      }
+      this.userStorage.get(userId).set(this.getKey(type, identifier), entries);
+    }
+    this.cleanupOldEntries(entries, config.window);
+    const now = Date.now();
+    const count = entries.reduce((sum, entry) => sum + entry.count, 0);
+    entries.push({ timestamp: now, count: 1 });
+    if (count >= config.max) {
+      const oldestEntry = entries.reduce(
+        (oldest, current) => oldest.timestamp < current.timestamp ? oldest : current,
+        entries[0]
+      );
+      const resetAt = oldestEntry.timestamp + config.window;
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        retryAfter: Math.ceil((resetAt - now) / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: config.max - count - 1,
+      resetAt: now + config.window
+    };
+  }
+  async reset(type, identifier) {
+    const key = this.getKey(type, identifier);
+    this.storage.delete(key);
+  }
+  async resetUser(type, userId, identifier) {
+    const userMap = this.userStorage.get(userId);
+    if (userMap) {
+      const key = this.getKey(type, identifier);
+      userMap.delete(key);
+    }
+  }
+  async getStatus(type, identifier) {
+    const config = this.limits[type] || this.limits["api:general"];
+    const key = this.getKey(type, identifier);
+    let entries = this.storage.get(key);
+    if (!entries) {
+      entries = [];
+      this.storage.set(key, entries);
+    }
+    this.cleanupOldEntries(entries, config.window);
+    const now = Date.now();
+    const count = entries.reduce((sum, entry) => sum + entry.count, 0);
+    return {
+      count,
+      limit: config.max,
+      remaining: Math.max(0, config.max - count),
+      resetAt: now + config.window
+    };
+  }
+  setLimit(type, config) {
+    this.limits[type] = config;
+  }
+  setUserLimit(type, config) {
+    this.userLimits[type] = config;
+  }
+};
+var DEFAULT_RATE_LIMITS = {
+  "auth:login": { window: 9e5, max: 5 },
+  "auth:register": { window: 36e5, max: 3 },
+  "auth:forgot": { window: 36e5, max: 3 },
+  "auth:reset": { window: 36e5, max: 5 },
+  "auth:verify": { window: 36e5, max: 5 },
+  "api:general": { window: 6e4, max: 100 },
+  "api:authenticated": { window: 6e4, max: 200 }
+};
+
+// src/api/rest/hono-app.ts
+var COLLECTION_EVENT_MAP = {
+  _media: {
+    create: chunkVIONYQ2K_cjs.WEBHOOK_EVENTS.MEDIA_UPLOAD,
+    update: chunkVIONYQ2K_cjs.WEBHOOK_EVENTS.MEDIA_UPLOAD,
+    delete: chunkVIONYQ2K_cjs.WEBHOOK_EVENTS.MEDIA_DELETE
+  }
+};
+function getWebhookEvent(collection, operation) {
+  const mapped = COLLECTION_EVENT_MAP[collection];
+  if (mapped) return mapped[operation];
+  return `collection.${operation}`;
+}
+async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTenantID, apiKeyContext, enablePublicAccess = true, defaultCollectionAccess = "read") {
+  const accessRule = collection.access?.[operation];
+  if (accessRule) {
+    const allowed = await chunkVIONYQ2K_cjs.evaluateAccess(accessRule, {
+      req,
+      user: ctxUser,
+      tenantID: ctxTenantID
+    });
+    if (allowed === false) {
+      return { allowed: false, error: "Access denied", status: 403 };
+    }
+  } else if (!ctxUser) {
+    const accessLevels = {
+      none: false,
+      read: operation === "read",
+      create: operation === "read" || operation === "create",
+      update: operation === "read" || operation === "create" || operation === "update",
+      admin: true
+    };
+    const allowed = enablePublicAccess && accessLevels[defaultCollectionAccess];
+    if (!allowed) {
+      return {
+        allowed: false,
+        error: "Authentication required",
+        status: 401
+      };
+    }
+  }
+  if (apiKeyContext?.permissions?.length > 0) {
+    const resource = collection.slug;
+    const action = operation === "read" ? "read" : operation === "create" ? "create" : "update";
+    const permission = `${resource}:${action}`;
+    if (!chunkVIONYQ2K_cjs.hasApiKeyPermission(apiKeyContext.permissions, permission) && !chunkVIONYQ2K_cjs.hasApiKeyPermission(apiKeyContext.permissions, `${resource}:admin`)) {
+      return {
+        allowed: false,
+        error: `Missing permission: ${permission}`,
+        status: 403
+      };
+    }
+  }
+  return { allowed: true };
+}
+async function checkGlobalAccess(global, operation, req, ctxUser, ctxTenantID, enablePublicAccess = true) {
+  const accessRule = global.access?.[operation];
+  if (accessRule) {
+    const allowed = await chunkVIONYQ2K_cjs.evaluateAccess(accessRule, {
+      req,
+      user: ctxUser,
+      tenantID: ctxTenantID
+    });
+    if (allowed === false) {
+      return { allowed: false, error: "Access denied", status: 403 };
+    }
+  } else if (!ctxUser) {
+    const accessLevels = {
+      none: false,
+      read: operation === "read",
+      update: operation === "read" || operation === "update"
+    };
+    const allowed = enablePublicAccess && accessLevels[operation === "read" ? "read" : "admin"];
+    if (!allowed) {
+      return {
+        allowed: false,
+        error: "Authentication required",
+        status: 401
+      };
+    }
+  }
+  return { allowed: true };
+}
+async function resolveAuthContext(req, authMw, staticUser, staticTenantID) {
+  if (!authMw) {
+    return {
+      user: staticUser,
+      tenantID: staticTenantID,
+      apiKeyContext: void 0
+    };
+  }
+  const result = await authMw(req);
+  if (result.status === 401) {
+    return { user: void 0, tenantID: void 0, apiKeyContext: void 0 };
+  }
+  return {
+    user: result.user || staticUser,
+    tenantID: result.tenantContext?.tenantId || staticTenantID,
+    apiKeyContext: result.apiKeyContext
+  };
+}
+function createHonoApp(options) {
+  const {
+    registry,
+    db,
+    authSecret,
+    user,
+    tenantID,
+    cors,
+    webhookService,
+    settings
+  } = options;
+  const app = new hono.Hono();
+  const apiAccess = settings?.access?.apiAccess;
+  if (apiAccess?.restEnabled === false) {
+    app.all("/api/*", (c) => {
+      return c.json({ error: "REST API is disabled" }, 503);
+    });
+    return app;
+  }
+  const enablePublicAccess = settings?.access?.enablePublicAccess ?? true;
+  const defaultCollectionAccess = settings?.access?.defaultCollectionAccess ?? "read";
+  const requireAuth = apiAccess?.requireAuth;
+  if (requireAuth && !authSecret) {
+    throw new Error(
+      "authSecret is required when requireAuth is enabled in access settings"
+    );
+  }
+  const authMw = authSecret ? createAuthMiddleware({ secret: authSecret, db }) : null;
+  const settingsCorsRaw = apiAccess?.cors?.allowedOrigins;
+  const optionsCors = cors?.origins;
+  const settingsCors = Array.isArray(settingsCorsRaw) ? settingsCorsRaw : typeof settingsCorsRaw === "string" && settingsCorsRaw ? settingsCorsRaw.split("\n").map((s) => s.trim()).filter(Boolean) : [];
+  const allowedOrigins = settingsCors.length > 0 ? settingsCors : optionsCors || [];
+  const corsEnabled = allowedOrigins.length > 0 || !!cors;
+  if (corsEnabled) {
+    app.use("*", async (c, next) => {
+      const origin = c.req.header("Origin") || "*";
+      if (allowedOrigins.length > 0 && !allowedOrigins.includes(origin)) {
+        return c.json({ error: "Origin not allowed" }, 403);
+      }
+      const allowOrigin = allowedOrigins.length > 0 ? origin : "*";
+      c.header("Access-Control-Allow-Origin", allowOrigin);
+      c.header(
+        "Access-Control-Allow-Methods",
+        "GET, POST, PATCH, DELETE, OPTIONS"
+      );
+      c.header(
+        "Access-Control-Allow-Headers",
+        "Content-Type, Authorization, X-API-Key"
+      );
+      if (cors?.credentials) {
+        c.header("Access-Control-Allow-Credentials", "true");
+      }
+      if (c.req.method === "OPTIONS") {
+        return c.text("");
+      }
+      await next();
+    });
+  }
+  const rateLimiting = settings?.access?.rateLimiting;
+  let rateLimiter;
+  if (rateLimiting?.enabled) {
+    const maxRequests = rateLimiting.maxRequests || 100;
+    const windowMs = rateLimiting.windowMs || 6e4;
+    rateLimiter = new InMemoryRateLimiter({
+      "api:general": { window: windowMs, max: maxRequests }
+    });
+    app.use("/api/*", async (c, next) => {
+      if (!rateLimiter) {
+        return next();
+      }
+      const ip = c.req.header("CF-Connecting-IP") || c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() || c.req.header("X-Real-IP") || "unknown";
+      const result = await rateLimiter.check("api:general", ip);
+      c.header("X-RateLimit-Limit", String(maxRequests));
+      c.header("X-RateLimit-Remaining", String(result.remaining));
+      c.header("X-RateLimit-Reset", String(result.resetAt));
+      if (!result.allowed) {
+        return c.json(
+          {
+            error: "Too many requests",
+            retryAfter: result.retryAfter
+          },
+          429
+        );
+      }
+      await next();
+    });
+  }
+  app.get("/api/health", (c) => {
+    return c.json({
+      status: "ok",
+      version: "0.1.0",
+      collections: registry.getCollectionSlugs(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  });
+  app.get("/api/collections", (c) => {
+    const collections2 = registry.getCollections().map((col) => ({
+      slug: col.slug,
+      label: col.label || col.slug,
+      fields: col.fields.filter((f) => f.name).map((f) => ({
+        name: f.name,
+        type: f.type,
+        required: f.required,
+        label: f.label
+      }))
+    }));
+    return c.json(collections2);
+  });
+  app.get("/api/search", async (c) => {
+    try {
+      const query = c.req.query("q") || "";
+      const collectionsParam = c.req.query("collections") || "";
+      const limit = Math.min(parseInt(c.req.query("limit") || "10"), 50);
+      if (!query || query.length < 2) {
+        return c.json({ results: [], message: "Query too short" });
+      }
+      console.log("[API /api/search] Query:", query);
+      const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(
+        c.req.raw,
+        authMw,
+        user,
+        tenantID
+      );
+      const targetCollections = collectionsParam ? collectionsParam.split(",").filter(Boolean) : registry.getCollectionSlugs();
+      const results = [];
+      const regex = new RegExp(
+        query.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"),
+        "i"
+      );
+      for (const collection of registry.getCollections()) {
+        if (!targetCollections.includes(collection.slug)) continue;
+        if (collection.slug === "users") continue;
+        const access = await checkCollectionAccess(
+          collection,
+          "read",
+          c.req.raw,
+          ctxUser,
+          ctxTenantID,
+          void 0,
+          enablePublicAccess,
+          defaultCollectionAccess
+        );
+        if (!access.allowed) continue;
+        const searchableFields = collection.fields.filter(
+          (f) => f.name && f.name !== "id" && (f.type === "text" || f.type === "email" || f.type === "textarea" || f.type === "richtext" || f.indexed) && !f.admin?.hidden
+        ).map((f) => f.name);
+        if (searchableFields.length === 0) continue;
+        try {
+          const orConditions = searchableFields.map(
+            (field) => {
+              const condition = {};
+              condition[field] = { like: `%${query}%` };
+              return condition;
+            }
+          );
+          const searchResult = await db.find({
+            collection: collection.slug,
+            where: { OR: orConditions },
+            limit,
+            tenantID: ctxTenantID
+          });
+          for (const doc of searchResult.docs) {
+            const titleField = collection.admin?.useAsTitle || searchableFields.find(
+              (f) => f === "title" || f === "name" || f === "heading" || f === "slug"
+            );
+            const title = titleField ? doc[titleField] : doc.id;
+            results.push({
+              collection: collection.slug,
+              label: collection.label || collection.slug,
+              id: doc.id,
+              title: String(title || "Untitled"),
+              doc
+            });
+          }
+        } catch (err) {
+          console.error(`Search error for ${collection.slug}:`, err);
+        }
+      }
+      results.sort((a, b) => a.label.localeCompare(b.label));
+      return c.json({ results });
+    } catch (error) {
+      return c.json({ error: error.message, results: [] }, 500);
+    }
+  });
+  const collections = registry.getCollections();
+  for (const collection of collections) {
+    const slug = collection.slug;
+    const basePath = `/api/${slug}`;
+    app.get(basePath, async (c) => {
+      try {
+        const {
+          user: ctxUser,
+          tenantID: ctxTenantID,
+          apiKeyContext
+        } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+        const access = await checkCollectionAccess(
+          collection,
+          "read",
+          c.req.raw,
+          ctxUser,
+          ctxTenantID,
+          apiKeyContext
+        );
+        if (!access.allowed) {
+          return c.json({ error: access.error }, access.status || 403);
+        }
+        const url = new URL(c.req.url);
+        const page = parseInt(url.searchParams.get("page") || "1");
+        const limit = Math.min(
+          parseInt(url.searchParams.get("limit") || "10"),
+          100
+        );
+        const sort = url.searchParams.get("sort") || void 0;
+        const depth = parseInt(url.searchParams.get("depth") || "0");
+        const select = url.searchParams.get("select")?.split(",") || void 0;
+        let where = {};
+        const whereParam = url.searchParams.get("where");
+        if (whereParam) {
+          try {
+            where = JSON.parse(whereParam);
+          } catch {
+          }
+        }
+        const result = await db.find({
+          collection: slug,
+          where,
+          sort,
+          limit,
+          page,
+          depth,
+          tenantID: ctxTenantID,
+          select
+        });
+        return c.json(result);
+      } catch (error) {
+        return c.json({ error: error.message }, 500);
+      }
+    });
+    app.get(`${basePath}/:id`, async (c) => {
+      try {
+        const {
+          user: ctxUser,
+          tenantID: ctxTenantID,
+          apiKeyContext
+        } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+        const access = await checkCollectionAccess(
+          collection,
+          "read",
+          c.req.raw,
+          ctxUser,
+          ctxTenantID,
+          apiKeyContext
+        );
+        if (!access.allowed) {
+          return c.json({ error: access.error }, access.status || 403);
+        }
+        const id = c.req.param("id");
+        const url = new URL(c.req.url);
+        const depth = parseInt(url.searchParams.get("depth") || "0");
+        const select = url.searchParams.get("select")?.split(",") || void 0;
+        const doc = await db.findByID({
+          collection: slug,
+          id,
+          depth,
+          tenantID: ctxTenantID,
+          select
+        });
+        if (!doc) {
+          return c.json({ error: "Document not found" }, 404);
+        }
+        return c.json(doc);
+      } catch (error) {
+        return c.json({ error: error.message }, 500);
+      }
+    });
+    app.post(basePath, async (c) => {
+      try {
+        const {
+          user: ctxUser,
+          tenantID: ctxTenantID,
+          apiKeyContext
+        } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+        const access = await checkCollectionAccess(
+          collection,
+          "read",
+          c.req.raw,
+          ctxUser,
+          ctxTenantID,
+          apiKeyContext,
+          enablePublicAccess,
+          defaultCollectionAccess
+        );
+        if (!access.allowed) {
+          return c.json({ error: access.error }, access.status || 403);
+        }
+        const body = await c.req.json();
+        const schema = registry.getCreateZodSchema(slug);
+        const validated = schema.parse(body);
+        if (collection.tenantScoped && ctxTenantID) {
+          validated.tenantID = ctxTenantID;
+        }
+        const doc = await db.create({
+          collection: slug,
+          data: validated,
+          tenantID: ctxTenantID
+        });
+        if (webhookService) {
+          webhookService.trigger(getWebhookEvent(slug, "create"), {
+            collection: slug,
+            operation: "create",
+            data: doc,
+            user: ctxUser ? { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role } : void 0,
+            tenantId: ctxTenantID
+          }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
+        }
+        return c.json({ doc, message: "Created successfully" }, 201);
+      } catch (error) {
+        if (error.name === "ZodError") {
+          return c.json(
+            { error: "Validation failed", details: error.errors },
+            400
+          );
+        }
+        return c.json({ error: error.message }, 500);
+      }
+    });
+    app.patch(`${basePath}/:id`, async (c) => {
+      try {
+        const {
+          user: ctxUser,
+          tenantID: ctxTenantID,
+          apiKeyContext
+        } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+        const access = await checkCollectionAccess(
+          collection,
+          "update",
+          c.req.raw,
+          ctxUser,
+          ctxTenantID,
+          apiKeyContext,
+          enablePublicAccess,
+          defaultCollectionAccess
+        );
+        if (!access.allowed) {
+          return c.json({ error: access.error }, access.status || 403);
+        }
+        const id = c.req.param("id");
+        const body = await c.req.json();
+        const schema = registry.getUpdateZodSchema(slug);
+        const validated = schema.parse(body);
+        const originalDoc = await db.findByID({
+          collection: slug,
+          id,
+          tenantID: ctxTenantID
+        });
+        const doc = await db.update({
+          collection: slug,
+          id,
+          data: validated,
+          tenantID: ctxTenantID
+        });
+        if (webhookService) {
+          webhookService.trigger(getWebhookEvent(slug, "update"), {
+            collection: slug,
+            operation: "update",
+            data: doc,
+            previousData: originalDoc,
+            user: ctxUser ? { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role } : void 0,
+            tenantId: ctxTenantID
+          }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
+        }
+        return c.json({ doc, message: "Updated successfully" });
+      } catch (error) {
+        if (error.name === "ZodError") {
+          return c.json(
+            { error: "Validation failed", details: error.errors },
+            400
+          );
+        }
+        return c.json({ error: error.message }, 500);
+      }
+    });
+    app.delete(`${basePath}/:id`, async (c) => {
+      try {
+        const {
+          user: ctxUser,
+          tenantID: ctxTenantID,
+          apiKeyContext
+        } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+        const access = await checkCollectionAccess(
+          collection,
+          "delete",
+          c.req.raw,
+          ctxUser,
+          ctxTenantID,
+          apiKeyContext,
+          enablePublicAccess,
+          defaultCollectionAccess
+        );
+        if (!access.allowed) {
+          return c.json({ error: access.error }, access.status || 403);
+        }
+        const id = c.req.param("id");
+        const originalDoc = await db.findByID({
+          collection: slug,
+          id,
+          tenantID: ctxTenantID
+        });
+        const doc = await db.delete({
+          collection: slug,
+          id,
+          tenantID: ctxTenantID
+        });
+        if (webhookService) {
+          webhookService.trigger(getWebhookEvent(slug, "delete"), {
+            collection: slug,
+            operation: "delete",
+            data: doc,
+            previousData: originalDoc,
+            user: ctxUser ? { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role } : void 0,
+            tenantId: ctxTenantID
+          }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
+        }
+        return c.json({ doc, message: "Deleted successfully" });
+      } catch (error) {
+        return c.json({ error: error.message }, 500);
+      }
+    });
+  }
+  for (const globalConfig of registry.getGlobals()) {
+    const slug = globalConfig.slug;
+    const basePath = `/api/globals/${slug}`;
+    app.get(basePath, async (c) => {
+      try {
+        const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+        const access = await checkGlobalAccess(
+          globalConfig,
+          "read",
+          c.req.raw,
+          ctxUser,
+          ctxTenantID,
+          enablePublicAccess
+        );
+        if (!access.allowed) {
+          return c.json({ error: access.error }, access.status || 403);
+        }
+        const doc = await db.findOne({
+          collection: `_globals_${slug}`,
+          where: {},
+          tenantID: ctxTenantID
+        });
+        return c.json(doc || {});
+      } catch (error) {
+        return c.json({ error: error.message }, 500);
+      }
+    });
+    app.post(basePath, async (c) => {
+      try {
+        const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+        const access = await checkGlobalAccess(
+          globalConfig,
+          "update",
+          c.req.raw,
+          ctxUser,
+          ctxTenantID,
+          enablePublicAccess
+        );
+        if (!access.allowed) {
+          return c.json({ error: access.error }, access.status || 403);
+        }
+        const body = await c.req.json();
+        const schema = registry.getZodSchema(slug);
+        const validated = schema.parse(body);
+        const doc = await db.create({
+          collection: `_globals_${slug}`,
+          data: { ...validated, id: slug },
+          tenantID: ctxTenantID
+        });
+        return c.json({ doc, message: "Updated successfully" });
+      } catch (error) {
+        if (error.name === "ZodError") {
+          return c.json(
+            { error: "Validation failed", details: error.errors },
+            400
+          );
+        }
+        return c.json({ error: error.message }, 500);
+      }
+    });
+    if (slug === "email-settings") {
+      app.post(`${basePath}/test`, async (c) => {
+        try {
+          const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+          const access = await checkGlobalAccess(
+            globalConfig,
+            "update",
+            c.req.raw,
+            ctxUser,
+            ctxTenantID,
+            enablePublicAccess
+          );
+          if (!access.allowed) {
+            return c.json(
+              { error: access.error },
+              access.status || 403
+            );
+          }
+          const body = await c.req.json();
+          const transportConfig = {
+            provider: body.provider,
+            from: body.fromEmail || body.from,
+            fromName: body.fromName,
+            replyTo: body.replyTo,
+            smtp: body.smtp ? {
+              host: body.smtp.host,
+              port: body.smtp.port,
+              secure: body.smtp.secure,
+              auth: {
+                user: body.smtp.username || body.smtp.user,
+                pass: body.smtp.password || body.smtp.pass
+              }
+            } : void 0,
+            resend: body.resend,
+            sendgrid: body.sendgrid,
+            mailgun: body.mailgun,
+            ses: body.ses
+          };
+          const transport = new chunkHVSQDZZJ_cjs.EmailTransport(transportConfig);
+          const recipient = body.testEmail || body.testEmailSection && body.testEmailSection.testEmail;
+          if (!recipient) {
+            return c.json({ error: "No test recipient email provided" }, 400);
+          }
+          await transport.send({
+            to: recipient,
+            subject: "Kyro CMS - Test Email",
+            html: `
+              <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto; padding: 20px; border: 1px solid #e2e8f0; border-radius: 8px;">
+                <h1 style="color: #0b1222; margin-bottom: 16px;">Success! \u{1F680}</h1>
+                <p style="font-size: 16px; color: #334155; line-height: 1.6;">
+                  Your email settings in <b>Kyro CMS</b> are working correctly.
+                </p>
+                <div style="background: #f8fafc; padding: 16px; border-radius: 6px; margin: 24px 0;">
+                  <p style="margin: 0; font-size: 14px; color: #64748b;">
+                    <b>Provider:</b> ${body.provider.toUpperCase()}
+                  </p>
+                  <p style="margin: 8px 0 0; font-size: 14px; color: #64748b;">
+                    <b>Sent at:</b> ${(/* @__PURE__ */ new Date()).toLocaleString()}
+                  </p>
+                </div>
+                <p style="font-size: 12px; color: #94a3b8; margin-top: 32px; border-top: 1px solid #f1f5f9; padding-top: 16px;">
+                  This is a test email sent from the Kyro CMS Admin Panel.
+                </p>
+              </div>
+            `,
+            text: `Success! Your email settings in Kyro CMS are working correctly.
+
+Provider: ${body.provider}
+Sent at: ${(/* @__PURE__ */ new Date()).toLocaleString()}`
+          });
+          return c.json({ message: "Test email sent successfully!" });
+        } catch (error) {
+          console.error("[Email Test] Failed:", error);
+          return c.json(
+            { error: error.message || "Failed to send test email" },
+            500
+          );
+        }
+      });
+    }
+  }
+  return app;
+}
+function createRESTAPI(registry, db, options) {
+  return createHonoApp({
+    registry,
+    db,
+    authSecret: options?.authSecret,
+    user: options?.user,
+    req: options?.req,
+    tenantID: options?.tenantID,
+    cors: options?.cors,
+    webhookService: options?.webhookService
+  });
+}
+
+exports.InMemoryRateLimiter = InMemoryRateLimiter;
+exports.createHonoApp = createHonoApp;
+exports.createRESTAPI = createRESTAPI;
+exports.defaultExtractToken = defaultExtractToken;
+exports.generateToken = generateToken;
+//# sourceMappingURL=chunk-E63IF3MD.cjs.map
+//# sourceMappingURL=chunk-E63IF3MD.cjs.map