@kyro-cms/core 0.3.2 → 0.3.5

package/dist/chunk-6MSSF46R.js

@@ -1,941 +0,0 @@
-import { EmailTransport } from './chunk-HYC4GNHX.js';
-import { WEBHOOK_EVENTS, evaluateAccess, hasApiKeyPermission, extractApiKeyFromRequest, validateApiKey, createApiKeyContext } from './chunk-E5X75WNB.js';
-import { Hono } from 'hono';
-import jwt from 'jsonwebtoken';
-
-function createAuthMiddleware(config) {
-  const {
-    secret,
-    issuer,
-    audience,
-    db,
-    userLookup,
-    extractToken = defaultExtractToken
-  } = config;
-  return async function authMiddleware(req) {
-    const apiKeyRaw = extractApiKeyFromRequest(req);
-    if (apiKeyRaw && db) {
-      const result = await validateApiKey(apiKeyRaw, db, userLookup);
-      if (result.valid && result.user) {
-        return {
-          user: result.user,
-          tenantContext: createTenantContextFromUser(result.user),
-          apiKeyContext: createApiKeyContext(result),
-          status: 200,
-          authType: "apikey"
-        };
-      }
-      if (result.error) {
-        return {
-          status: 401,
-          error: result.error
-        };
-      }
-    }
-    const token = extractToken(req);
-    if (!token) {
-      return {
-        status: 401,
-        error: "No authentication token provided"
-      };
-    }
-    try {
-      const payload = jwt.verify(token, secret, {
-        issuer,
-        audience
-      });
-      const user = {
-        id: payload.sub,
-        email: payload.email,
-        role: payload.role,
-        tenantId: payload.tenantId
-      };
-      return {
-        user,
-        token,
-        tenantContext: createTenantContextFromUser(user),
-        status: 200,
-        authType: "jwt"
-      };
-    } catch (error) {
-      if (error instanceof jwt.TokenExpiredError) {
-        return {
-          status: 401,
-          error: "Token has expired"
-        };
-      }
-      if (error instanceof jwt.JsonWebTokenError) {
-        return {
-          status: 401,
-          error: "Invalid token"
-        };
-      }
-      return {
-        status: 401,
-        error: "Authentication failed"
-      };
-    }
-  };
-}
-function defaultExtractToken(req) {
-  const authHeader = req.headers.get("Authorization");
-  if (authHeader?.startsWith("Bearer ")) {
-    return authHeader.slice(7);
-  }
-  const cookieHeader = req.headers.get("Cookie");
-  if (cookieHeader) {
-    const cookies = Object.fromEntries(
-      cookieHeader.split("; ").map((c) => {
-        const [key, ...val] = c.split("=");
-        return [key.trim(), val.join("=")];
-      })
-    );
-    return cookies["auth_token"] || null;
-  }
-  return null;
-}
-function createTenantContextFromUser(user) {
-  return {
-    tenantId: user.tenantId || "default",
-    userId: user.id || "anonymous",
-    role: user.role || "guest",
-    roles: [user.role || "guest"],
-    permissions: [],
-    isSuperAdmin: user.role === "super_admin"
-  };
-}
-function generateToken(payload, secret, options = {}) {
-  return jwt.sign(payload, secret, {
-    expiresIn: options.expiresIn || "24h",
-    issuer: options.issuer,
-    audience: options.audience
-  });
-}
-
-// src/auth/security/in-memory-rate-limit.ts
-var InMemoryRateLimiter = class {
-  storage = /* @__PURE__ */ new Map();
-  userStorage = /* @__PURE__ */ new Map();
-  limits;
-  userLimits;
-  constructor(limits, userLimits) {
-    this.limits = { ...DEFAULT_RATE_LIMITS, ...limits };
-    this.userLimits = userLimits || {
-      "user:api": { window: 6e4, max: 500 },
-      "user:write": { window: 36e5, max: 100 }
-    };
-  }
-  getKey(type, identifier) {
-    return `${type}:${identifier}`;
-  }
-  getUserKey(type, userId, identifier) {
-    return `user:${type}:${userId}:${identifier}`;
-  }
-  cleanupOldEntries(entries, window) {
-    const now = Date.now();
-    const windowStart = now - window;
-    while (entries.length > 0 && entries[0].timestamp < windowStart) {
-      entries.shift();
-    }
-  }
-  async check(type, identifier) {
-    const config = this.limits[type] || this.limits["api:general"];
-    const key = this.getKey(type, identifier);
-    let entries = this.storage.get(key);
-    if (!entries) {
-      entries = [];
-      this.storage.set(key, entries);
-    }
-    this.cleanupOldEntries(entries, config.window);
-    const now = Date.now();
-    const count = entries.reduce((sum, entry) => sum + entry.count, 0);
-    entries.push({ timestamp: now, count: 1 });
-    if (count >= config.max) {
-      const oldestEntry = entries.reduce(
-        (oldest, current) => oldest.timestamp < current.timestamp ? oldest : current,
-        entries[0]
-      );
-      const resetAt = oldestEntry.timestamp + config.window;
-      return {
-        allowed: false,
-        remaining: 0,
-        resetAt,
-        retryAfter: Math.ceil((resetAt - now) / 1e3)
-      };
-    }
-    return {
-      allowed: true,
-      remaining: config.max - count - 1,
-      resetAt: now + config.window
-    };
-  }
-  async checkUser(type, userId, identifier) {
-    const config = this.userLimits[type] || this.userLimits["user:api"];
-    const userMap = this.userStorage.get(userId);
-    let entries = [];
-    if (userMap) {
-      entries = userMap.get(this.getKey(type, identifier)) || [];
-    } else {
-      if (!this.userStorage.has(userId)) {
-        this.userStorage.set(userId, /* @__PURE__ */ new Map());
-      }
-      this.userStorage.get(userId).set(this.getKey(type, identifier), entries);
-    }
-    this.cleanupOldEntries(entries, config.window);
-    const now = Date.now();
-    const count = entries.reduce((sum, entry) => sum + entry.count, 0);
-    entries.push({ timestamp: now, count: 1 });
-    if (count >= config.max) {
-      const oldestEntry = entries.reduce(
-        (oldest, current) => oldest.timestamp < current.timestamp ? oldest : current,
-        entries[0]
-      );
-      const resetAt = oldestEntry.timestamp + config.window;
-      return {
-        allowed: false,
-        remaining: 0,
-        resetAt,
-        retryAfter: Math.ceil((resetAt - now) / 1e3)
-      };
-    }
-    return {
-      allowed: true,
-      remaining: config.max - count - 1,
-      resetAt: now + config.window
-    };
-  }
-  async reset(type, identifier) {
-    const key = this.getKey(type, identifier);
-    this.storage.delete(key);
-  }
-  async resetUser(type, userId, identifier) {
-    const userMap = this.userStorage.get(userId);
-    if (userMap) {
-      const key = this.getKey(type, identifier);
-      userMap.delete(key);
-    }
-  }
-  async getStatus(type, identifier) {
-    const config = this.limits[type] || this.limits["api:general"];
-    const key = this.getKey(type, identifier);
-    let entries = this.storage.get(key);
-    if (!entries) {
-      entries = [];
-      this.storage.set(key, entries);
-    }
-    this.cleanupOldEntries(entries, config.window);
-    const now = Date.now();
-    const count = entries.reduce((sum, entry) => sum + entry.count, 0);
-    return {
-      count,
-      limit: config.max,
-      remaining: Math.max(0, config.max - count),
-      resetAt: now + config.window
-    };
-  }
-  setLimit(type, config) {
-    this.limits[type] = config;
-  }
-  setUserLimit(type, config) {
-    this.userLimits[type] = config;
-  }
-};
-var DEFAULT_RATE_LIMITS = {
-  "auth:login": { window: 9e5, max: 5 },
-  "auth:register": { window: 36e5, max: 3 },
-  "auth:forgot": { window: 36e5, max: 3 },
-  "auth:reset": { window: 36e5, max: 5 },
-  "auth:verify": { window: 36e5, max: 5 },
-  "api:general": { window: 6e4, max: 100 },
-  "api:authenticated": { window: 6e4, max: 200 }
-};
-
-// src/api/rest/hono-app.ts
-var COLLECTION_EVENT_MAP = {
-  _media: {
-    create: WEBHOOK_EVENTS.MEDIA_UPLOAD,
-    update: WEBHOOK_EVENTS.MEDIA_UPLOAD,
-    delete: WEBHOOK_EVENTS.MEDIA_DELETE
-  }
-};
-function getWebhookEvent(collection, operation) {
-  const mapped = COLLECTION_EVENT_MAP[collection];
-  if (mapped) return mapped[operation];
-  return `collection.${operation}`;
-}
-async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTenantID, apiKeyContext, enablePublicAccess = true, defaultCollectionAccess = "read") {
-  const accessRule = collection.access?.[operation];
-  if (accessRule) {
-    const allowed = await evaluateAccess(accessRule, {
-      req,
-      user: ctxUser,
-      tenantID: ctxTenantID
-    });
-    if (allowed === false) {
-      return { allowed: false, error: "Access denied", status: 403 };
-    }
-  } else if (!ctxUser) {
-    const accessLevels = {
-      none: false,
-      read: operation === "read",
-      create: operation === "read" || operation === "create",
-      update: operation === "read" || operation === "create" || operation === "update",
-      admin: true
-    };
-    const allowed = enablePublicAccess && accessLevels[defaultCollectionAccess];
-    if (!allowed) {
-      return {
-        allowed: false,
-        error: "Authentication required",
-        status: 401
-      };
-    }
-  }
-  if (apiKeyContext?.permissions?.length > 0) {
-    const resource = collection.slug;
-    const action = operation === "read" ? "read" : operation === "create" ? "create" : "update";
-    const permission = `${resource}:${action}`;
-    if (!hasApiKeyPermission(apiKeyContext.permissions, permission) && !hasApiKeyPermission(apiKeyContext.permissions, `${resource}:admin`)) {
-      return {
-        allowed: false,
-        error: `Missing permission: ${permission}`,
-        status: 403
-      };
-    }
-  }
-  return { allowed: true };
-}
-async function checkGlobalAccess(global, operation, req, ctxUser, ctxTenantID, enablePublicAccess = true) {
-  const accessRule = global.access?.[operation];
-  if (accessRule) {
-    const allowed = await evaluateAccess(accessRule, {
-      req,
-      user: ctxUser,
-      tenantID: ctxTenantID
-    });
-    if (allowed === false) {
-      return { allowed: false, error: "Access denied", status: 403 };
-    }
-  } else if (!ctxUser) {
-    const accessLevels = {
-      none: false,
-      read: operation === "read",
-      update: operation === "read" || operation === "update"
-    };
-    const allowed = enablePublicAccess && accessLevels[operation === "read" ? "read" : "admin"];
-    if (!allowed) {
-      return {
-        allowed: false,
-        error: "Authentication required",
-        status: 401
-      };
-    }
-  }
-  return { allowed: true };
-}
-async function resolveAuthContext(req, authMw, staticUser, staticTenantID) {
-  if (!authMw) {
-    return {
-      user: staticUser,
-      tenantID: staticTenantID,
-      apiKeyContext: void 0
-    };
-  }
-  const result = await authMw(req);
-  if (result.status === 401) {
-    return { user: void 0, tenantID: void 0, apiKeyContext: void 0 };
-  }
-  return {
-    user: result.user || staticUser,
-    tenantID: result.tenantContext?.tenantId || staticTenantID,
-    apiKeyContext: result.apiKeyContext
-  };
-}
-function createHonoApp(options) {
-  const {
-    registry,
-    db,
-    authSecret,
-    user,
-    tenantID,
-    cors,
-    webhookService,
-    settings
-  } = options;
-  const app = new Hono();
-  const apiAccess = settings?.access?.apiAccess;
-  if (apiAccess?.restEnabled === false) {
-    app.all("/api/*", (c) => {
-      return c.json({ error: "REST API is disabled" }, 503);
-    });
-    return app;
-  }
-  const enablePublicAccess = settings?.access?.enablePublicAccess ?? true;
-  const defaultCollectionAccess = settings?.access?.defaultCollectionAccess ?? "read";
-  const requireAuth = apiAccess?.requireAuth;
-  if (requireAuth && !authSecret) {
-    throw new Error(
-      "authSecret is required when requireAuth is enabled in access settings"
-    );
-  }
-  const authMw = authSecret ? createAuthMiddleware({ secret: authSecret, db }) : null;
-  const settingsCorsRaw = apiAccess?.cors?.allowedOrigins;
-  const optionsCors = cors?.origins;
-  const settingsCors = Array.isArray(settingsCorsRaw) ? settingsCorsRaw : typeof settingsCorsRaw === "string" && settingsCorsRaw ? settingsCorsRaw.split("\n").map((s) => s.trim()).filter(Boolean) : [];
-  const allowedOrigins = settingsCors.length > 0 ? settingsCors : optionsCors || [];
-  const corsEnabled = allowedOrigins.length > 0 || !!cors;
-  if (corsEnabled) {
-    app.use("*", async (c, next) => {
-      const origin = c.req.header("Origin") || "*";
-      if (allowedOrigins.length > 0 && !allowedOrigins.includes(origin)) {
-        return c.json({ error: "Origin not allowed" }, 403);
-      }
-      const allowOrigin = allowedOrigins.length > 0 ? origin : "*";
-      c.header("Access-Control-Allow-Origin", allowOrigin);
-      c.header(
-        "Access-Control-Allow-Methods",
-        "GET, POST, PATCH, DELETE, OPTIONS"
-      );
-      c.header(
-        "Access-Control-Allow-Headers",
-        "Content-Type, Authorization, X-API-Key"
-      );
-      if (cors?.credentials) {
-        c.header("Access-Control-Allow-Credentials", "true");
-      }
-      if (c.req.method === "OPTIONS") {
-        return c.text("");
-      }
-      await next();
-    });
-  }
-  const rateLimiting = settings?.access?.rateLimiting;
-  let rateLimiter;
-  if (rateLimiting?.enabled) {
-    const maxRequests = rateLimiting.maxRequests || 100;
-    const windowMs = rateLimiting.windowMs || 6e4;
-    rateLimiter = new InMemoryRateLimiter({
-      "api:general": { window: windowMs, max: maxRequests }
-    });
-    app.use("/api/*", async (c, next) => {
-      if (!rateLimiter) {
-        return next();
-      }
-      const ip = c.req.header("CF-Connecting-IP") || c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() || c.req.header("X-Real-IP") || "unknown";
-      const result = await rateLimiter.check("api:general", ip);
-      c.header("X-RateLimit-Limit", String(maxRequests));
-      c.header("X-RateLimit-Remaining", String(result.remaining));
-      c.header("X-RateLimit-Reset", String(result.resetAt));
-      if (!result.allowed) {
-        return c.json(
-          {
-            error: "Too many requests",
-            retryAfter: result.retryAfter
-          },
-          429
-        );
-      }
-      await next();
-    });
-  }
-  app.get("/api/health", (c) => {
-    return c.json({
-      status: "ok",
-      version: "0.1.0",
-      collections: registry.getCollectionSlugs(),
-      timestamp: (/* @__PURE__ */ new Date()).toISOString()
-    });
-  });
-  app.get("/api/collections", (c) => {
-    const collections2 = registry.getCollections().map((col) => ({
-      slug: col.slug,
-      label: col.label || col.slug,
-      fields: col.fields.filter((f) => f.name).map((f) => ({
-        name: f.name,
-        type: f.type,
-        required: f.required,
-        label: f.label
-      }))
-    }));
-    return c.json(collections2);
-  });
-  app.get("/api/search", async (c) => {
-    try {
-      const query = c.req.query("q") || "";
-      const collectionsParam = c.req.query("collections") || "";
-      const limit = Math.min(parseInt(c.req.query("limit") || "10"), 50);
-      if (!query || query.length < 2) {
-        return c.json({ results: [], message: "Query too short" });
-      }
-      console.log("[API /api/search] Query:", query);
-      const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(
-        c.req.raw,
-        authMw,
-        user,
-        tenantID
-      );
-      const targetCollections = collectionsParam ? collectionsParam.split(",").filter(Boolean) : registry.getCollectionSlugs();
-      const results = [];
-      const regex = new RegExp(
-        query.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"),
-        "i"
-      );
-      for (const collection of registry.getCollections()) {
-        if (!targetCollections.includes(collection.slug)) continue;
-        if (collection.slug === "users") continue;
-        const access = await checkCollectionAccess(
-          collection,
-          "read",
-          c.req.raw,
-          ctxUser,
-          ctxTenantID,
-          void 0,
-          enablePublicAccess,
-          defaultCollectionAccess
-        );
-        if (!access.allowed) continue;
-        const searchableFields = collection.fields.filter(
-          (f) => f.name && f.name !== "id" && (f.type === "text" || f.type === "email" || f.type === "textarea" || f.type === "richtext" || f.indexed) && !f.admin?.hidden
-        ).map((f) => f.name);
-        if (searchableFields.length === 0) continue;
-        try {
-          const orConditions = searchableFields.map(
-            (field) => {
-              const condition = {};
-              condition[field] = { like: `%${query}%` };
-              return condition;
-            }
-          );
-          const searchResult = await db.find({
-            collection: collection.slug,
-            where: { OR: orConditions },
-            limit,
-            tenantID: ctxTenantID
-          });
-          for (const doc of searchResult.docs) {
-            const titleField = collection.admin?.useAsTitle || searchableFields.find(
-              (f) => f === "title" || f === "name" || f === "heading" || f === "slug"
-            );
-            const title = titleField ? doc[titleField] : doc.id;
-            results.push({
-              collection: collection.slug,
-              label: collection.label || collection.slug,
-              id: doc.id,
-              title: String(title || "Untitled"),
-              doc
-            });
-          }
-        } catch (err) {
-          console.error(`Search error for ${collection.slug}:`, err);
-        }
-      }
-      results.sort((a, b) => a.label.localeCompare(b.label));
-      return c.json({ results });
-    } catch (error) {
-      return c.json({ error: error.message, results: [] }, 500);
-    }
-  });
-  const collections = registry.getCollections();
-  for (const collection of collections) {
-    const slug = collection.slug;
-    const basePath = `/api/${slug}`;
-    app.get(basePath, async (c) => {
-      try {
-        const {
-          user: ctxUser,
-          tenantID: ctxTenantID,
-          apiKeyContext
-        } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
-          collection,
-          "read",
-          c.req.raw,
-          ctxUser,
-          ctxTenantID,
-          apiKeyContext
-        );
-        if (!access.allowed) {
-          return c.json({ error: access.error }, access.status || 403);
-        }
-        const url = new URL(c.req.url);
-        const page = parseInt(url.searchParams.get("page") || "1");
-        const limit = Math.min(
-          parseInt(url.searchParams.get("limit") || "10"),
-          100
-        );
-        const sort = url.searchParams.get("sort") || void 0;
-        const depth = parseInt(url.searchParams.get("depth") || "0");
-        const select = url.searchParams.get("select")?.split(",") || void 0;
-        let where = {};
-        const whereParam = url.searchParams.get("where");
-        if (whereParam) {
-          try {
-            where = JSON.parse(whereParam);
-          } catch {
-          }
-        }
-        const result = await db.find({
-          collection: slug,
-          where,
-          sort,
-          limit,
-          page,
-          depth,
-          tenantID: ctxTenantID,
-          select
-        });
-        return c.json(result);
-      } catch (error) {
-        return c.json({ error: error.message }, 500);
-      }
-    });
-    app.get(`${basePath}/:id`, async (c) => {
-      try {
-        const {
-          user: ctxUser,
-          tenantID: ctxTenantID,
-          apiKeyContext
-        } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
-          collection,
-          "read",
-          c.req.raw,
-          ctxUser,
-          ctxTenantID,
-          apiKeyContext
-        );
-        if (!access.allowed) {
-          return c.json({ error: access.error }, access.status || 403);
-        }
-        const id = c.req.param("id");
-        const url = new URL(c.req.url);
-        const depth = parseInt(url.searchParams.get("depth") || "0");
-        const select = url.searchParams.get("select")?.split(",") || void 0;
-        const doc = await db.findByID({
-          collection: slug,
-          id,
-          depth,
-          tenantID: ctxTenantID,
-          select
-        });
-        if (!doc) {
-          return c.json({ error: "Document not found" }, 404);
-        }
-        return c.json(doc);
-      } catch (error) {
-        return c.json({ error: error.message }, 500);
-      }
-    });
-    app.post(basePath, async (c) => {
-      try {
-        const {
-          user: ctxUser,
-          tenantID: ctxTenantID,
-          apiKeyContext
-        } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
-          collection,
-          "read",
-          c.req.raw,
-          ctxUser,
-          ctxTenantID,
-          apiKeyContext,
-          enablePublicAccess,
-          defaultCollectionAccess
-        );
-        if (!access.allowed) {
-          return c.json({ error: access.error }, access.status || 403);
-        }
-        const body = await c.req.json();
-        const schema = registry.getCreateZodSchema(slug);
-        const validated = schema.parse(body);
-        if (collection.tenantScoped && ctxTenantID) {
-          validated.tenantID = ctxTenantID;
-        }
-        const doc = await db.create({
-          collection: slug,
-          data: validated,
-          tenantID: ctxTenantID
-        });
-        if (webhookService) {
-          webhookService.trigger(getWebhookEvent(slug, "create"), {
-            collection: slug,
-            operation: "create",
-            data: doc,
-            user: ctxUser ? { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role } : void 0,
-            tenantId: ctxTenantID
-          }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
-        }
-        return c.json({ doc, message: "Created successfully" }, 201);
-      } catch (error) {
-        if (error.name === "ZodError") {
-          return c.json(
-            { error: "Validation failed", details: error.errors },
-            400
-          );
-        }
-        return c.json({ error: error.message }, 500);
-      }
-    });
-    app.patch(`${basePath}/:id`, async (c) => {
-      try {
-        const {
-          user: ctxUser,
-          tenantID: ctxTenantID,
-          apiKeyContext
-        } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
-          collection,
-          "update",
-          c.req.raw,
-          ctxUser,
-          ctxTenantID,
-          apiKeyContext,
-          enablePublicAccess,
-          defaultCollectionAccess
-        );
-        if (!access.allowed) {
-          return c.json({ error: access.error }, access.status || 403);
-        }
-        const id = c.req.param("id");
-        const body = await c.req.json();
-        const schema = registry.getUpdateZodSchema(slug);
-        const validated = schema.parse(body);
-        const originalDoc = await db.findByID({
-          collection: slug,
-          id,
-          tenantID: ctxTenantID
-        });
-        const doc = await db.update({
-          collection: slug,
-          id,
-          data: validated,
-          tenantID: ctxTenantID
-        });
-        if (webhookService) {
-          webhookService.trigger(getWebhookEvent(slug, "update"), {
-            collection: slug,
-            operation: "update",
-            data: doc,
-            previousData: originalDoc,
-            user: ctxUser ? { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role } : void 0,
-            tenantId: ctxTenantID
-          }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
-        }
-        return c.json({ doc, message: "Updated successfully" });
-      } catch (error) {
-        if (error.name === "ZodError") {
-          return c.json(
-            { error: "Validation failed", details: error.errors },
-            400
-          );
-        }
-        return c.json({ error: error.message }, 500);
-      }
-    });
-    app.delete(`${basePath}/:id`, async (c) => {
-      try {
-        const {
-          user: ctxUser,
-          tenantID: ctxTenantID,
-          apiKeyContext
-        } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
-          collection,
-          "delete",
-          c.req.raw,
-          ctxUser,
-          ctxTenantID,
-          apiKeyContext,
-          enablePublicAccess,
-          defaultCollectionAccess
-        );
-        if (!access.allowed) {
-          return c.json({ error: access.error }, access.status || 403);
-        }
-        const id = c.req.param("id");
-        const originalDoc = await db.findByID({
-          collection: slug,
-          id,
-          tenantID: ctxTenantID
-        });
-        const doc = await db.delete({
-          collection: slug,
-          id,
-          tenantID: ctxTenantID
-        });
-        if (webhookService) {
-          webhookService.trigger(getWebhookEvent(slug, "delete"), {
-            collection: slug,
-            operation: "delete",
-            data: doc,
-            previousData: originalDoc,
-            user: ctxUser ? { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role } : void 0,
-            tenantId: ctxTenantID
-          }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
-        }
-        return c.json({ doc, message: "Deleted successfully" });
-      } catch (error) {
-        return c.json({ error: error.message }, 500);
-      }
-    });
-  }
-  for (const globalConfig of registry.getGlobals()) {
-    const slug = globalConfig.slug;
-    const basePath = `/api/globals/${slug}`;
-    app.get(basePath, async (c) => {
-      try {
-        const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(
-          globalConfig,
-          "read",
-          c.req.raw,
-          ctxUser,
-          ctxTenantID,
-          enablePublicAccess
-        );
-        if (!access.allowed) {
-          return c.json({ error: access.error }, access.status || 403);
-        }
-        const doc = await db.findOne({
-          collection: `_globals_${slug}`,
-          where: {},
-          tenantID: ctxTenantID
-        });
-        return c.json(doc || {});
-      } catch (error) {
-        return c.json({ error: error.message }, 500);
-      }
-    });
-    app.post(basePath, async (c) => {
-      try {
-        const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(
-          globalConfig,
-          "update",
-          c.req.raw,
-          ctxUser,
-          ctxTenantID,
-          enablePublicAccess
-        );
-        if (!access.allowed) {
-          return c.json({ error: access.error }, access.status || 403);
-        }
-        const body = await c.req.json();
-        const schema = registry.getZodSchema(slug);
-        const validated = schema.parse(body);
-        const doc = await db.create({
-          collection: `_globals_${slug}`,
-          data: { ...validated, id: slug },
-          tenantID: ctxTenantID
-        });
-        return c.json({ doc, message: "Updated successfully" });
-      } catch (error) {
-        if (error.name === "ZodError") {
-          return c.json(
-            { error: "Validation failed", details: error.errors },
-            400
-          );
-        }
-        return c.json({ error: error.message }, 500);
-      }
-    });
-    if (slug === "email-settings") {
-      app.post(`${basePath}/test`, async (c) => {
-        try {
-          const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-          const access = await checkGlobalAccess(
-            globalConfig,
-            "update",
-            c.req.raw,
-            ctxUser,
-            ctxTenantID,
-            enablePublicAccess
-          );
-          if (!access.allowed) {
-            return c.json(
-              { error: access.error },
-              access.status || 403
-            );
-          }
-          const body = await c.req.json();
-          const transportConfig = {
-            provider: body.provider,
-            from: body.fromEmail || body.from,
-            fromName: body.fromName,
-            replyTo: body.replyTo,
-            smtp: body.smtp ? {
-              host: body.smtp.host,
-              port: body.smtp.port,
-              secure: body.smtp.secure,
-              auth: {
-                user: body.smtp.username || body.smtp.user,
-                pass: body.smtp.password || body.smtp.pass
-              }
-            } : void 0,
-            resend: body.resend,
-            sendgrid: body.sendgrid,
-            mailgun: body.mailgun,
-            ses: body.ses
-          };
-          const transport = new EmailTransport(transportConfig);
-          const recipient = body.testEmail || body.testEmailSection && body.testEmailSection.testEmail;
-          if (!recipient) {
-            return c.json({ error: "No test recipient email provided" }, 400);
-          }
-          await transport.send({
-            to: recipient,
-            subject: "Kyro CMS - Test Email",
-            html: `
-              <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto; padding: 20px; border: 1px solid #e2e8f0; border-radius: 8px;">
-                <h1 style="color: #0b1222; margin-bottom: 16px;">Success! \u{1F680}</h1>
-                <p style="font-size: 16px; color: #334155; line-height: 1.6;">
-                  Your email settings in <b>Kyro CMS</b> are working correctly.
-                </p>
-                <div style="background: #f8fafc; padding: 16px; border-radius: 6px; margin: 24px 0;">
-                  <p style="margin: 0; font-size: 14px; color: #64748b;">
-                    <b>Provider:</b> ${body.provider.toUpperCase()}
-                  </p>
-                  <p style="margin: 8px 0 0; font-size: 14px; color: #64748b;">
-                    <b>Sent at:</b> ${(/* @__PURE__ */ new Date()).toLocaleString()}
-                  </p>
-                </div>
-                <p style="font-size: 12px; color: #94a3b8; margin-top: 32px; border-top: 1px solid #f1f5f9; padding-top: 16px;">
-                  This is a test email sent from the Kyro CMS Admin Panel.
-                </p>
-              </div>
-            `,
-            text: `Success! Your email settings in Kyro CMS are working correctly.
-
-Provider: ${body.provider}
-Sent at: ${(/* @__PURE__ */ new Date()).toLocaleString()}`
-          });
-          return c.json({ message: "Test email sent successfully!" });
-        } catch (error) {
-          console.error("[Email Test] Failed:", error);
-          return c.json(
-            { error: error.message || "Failed to send test email" },
-            500
-          );
-        }
-      });
-    }
-  }
-  return app;
-}
-function createRESTAPI(registry, db, options) {
-  return createHonoApp({
-    registry,
-    db,
-    authSecret: options?.authSecret,
-    user: options?.user,
-    req: options?.req,
-    tenantID: options?.tenantID,
-    cors: options?.cors,
-    webhookService: options?.webhookService
-  });
-}
-
-export { InMemoryRateLimiter, createHonoApp, createRESTAPI, defaultExtractToken, generateToken };
-//# sourceMappingURL=chunk-6MSSF46R.js.map
-//# sourceMappingURL=chunk-6MSSF46R.js.map