@kyro-cms/core 0.3.4 → 0.4.0

package/dist/{chunk-MMYAIYHJ.cjs → chunk-M4GFA2UQ.cjs}

@@ -3,8 +3,9 @@
 var chunkDLHUQO25_cjs = require('./chunk-DLHUQO25.cjs');
 var chunkADLJSJSN_cjs = require('./chunk-ADLJSJSN.cjs');
 var chunkIBG6V56E_cjs = require('./chunk-IBG6V56E.cjs');
+var chunkVJT6P4N6_cjs = require('./chunk-VJT6P4N6.cjs');
 var chunkR3XIBBAW_cjs = require('./chunk-R3XIBBAW.cjs');
-var chunkX3CU27OO_cjs = require('./chunk-X3CU27OO.cjs');
+var chunk3FW6WVVP_cjs = require('./chunk-3FW6WVVP.cjs');
 var chunkG7VZBCD6_cjs = require('./chunk-G7VZBCD6.cjs');
 var crypto = require('crypto');
 var unstorage = require('unstorage');
@@ -13,6 +14,7 @@ var hono = require('hono');
 var path = require('path');
 var fs = require('fs');
 var sharp = require('sharp');
+var graphql = require('graphql');
 var promises = require('fs/promises');
 var clientS3 = require('@aws-sdk/client-s3');
 var stream = require('stream');
@@ -1360,7 +1362,7 @@ var AuthRoutes = class {
     }
     try {
       const sessions = await getUserSessions(session.userId, getSessionIdFromRequest(req) ?? void 0);
-      return this.jsonResponse({ success: true, sessions });
+      return this.jsonResponse({ sessions });
     } catch (error) {
       console.error("[AuthRoutes.listSessions] Error:", error);
       return this.errorResponse("Failed to list sessions", 500);
@@ -2677,7 +2679,7 @@ var MediaService = class _MediaService {
     this.db = db;
     this.storage = storage2;
     this.dialect = options?.dialect || "sqlite";
-    this.genId = options?.genId || chunkX3CU27OO_cjs.genId;
+    this.genId = options?.genId || chunk3FW6WVVP_cjs.genId;
   }
   static async init(db, options) {
     let storage2;
@@ -2851,7 +2853,7 @@ var MediaService = class _MediaService {
         ]
       );
     } else {
-      const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-AI6YK767.cjs') : import('./media-WKP5AOX2.cjs'));
+      const { media: mediaSchema } = await import('./media-WKP5AOX2.cjs');
       await this.db.insert(mediaSchema).values({
         id,
         filename: storageResult.filename,
@@ -2907,7 +2909,7 @@ var MediaService = class _MediaService {
         id
       ]);
     } else {
-      const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-AI6YK767.cjs') : import('./media-WKP5AOX2.cjs'));
+      const { media: mediaSchema } = await import('./media-WKP5AOX2.cjs');
       const [row] = await this.db.select().from(mediaSchema).where(mediaSchema.id.equals(id));
       if (row) item = this.rowToMedia(row);
     }
@@ -2922,7 +2924,7 @@ var MediaService = class _MediaService {
     if (this.dialect === "sqlite") {
       await this.sqliteRun(`DELETE FROM ${this.mediaTable} WHERE id = ?`, [id]);
     } else {
-      const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-AI6YK767.cjs') : import('./media-WKP5AOX2.cjs'));
+      const { media: mediaSchema } = await import('./media-WKP5AOX2.cjs');
       await this.db.delete(mediaSchema).where(mediaSchema.id.equals(id));
     }
   }
@@ -2936,7 +2938,7 @@ var MediaService = class _MediaService {
         id
       ]);
     } else {
-      const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-AI6YK767.cjs') : import('./media-WKP5AOX2.cjs'));
+      const { media: mediaSchema } = await import('./media-WKP5AOX2.cjs');
       const [row] = await this.db.select().from(mediaSchema).where(mediaSchema.id.equals(id));
       if (row) item = this.rowToMedia(row);
     }
@@ -2970,7 +2972,7 @@ var MediaService = class _MediaService {
         [...vals, this.now(), id]
       );
     } else {
-      const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-AI6YK767.cjs') : import('./media-WKP5AOX2.cjs'));
+      const { media: mediaSchema } = await import('./media-WKP5AOX2.cjs');
       await this.db.update(mediaSchema).set({ ...updateData, updatedAt: this.now() }).where(mediaSchema.id.equals(id));
     }
     return {
@@ -2988,7 +2990,7 @@ var MediaService = class _MediaService {
       );
       return row2 ? this.rowToMedia(row2) : null;
     }
-    const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-AI6YK767.cjs') : import('./media-WKP5AOX2.cjs'));
+    const { media: mediaSchema } = await import('./media-WKP5AOX2.cjs');
     const [row] = await this.db.select().from(mediaSchema).where(mediaSchema.id.equals(id));
     return row ? this.rowToMedia(row) : null;
   }
@@ -3035,8 +3037,8 @@ var MediaService = class _MediaService {
         totalPages: Math.ceil(totalDocs2 / limit)
       };
     }
-    const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-AI6YK767.cjs') : import('./media-WKP5AOX2.cjs'));
-    const { like, or, and, asc, desc, eq, sql } = await (this.dialect === "mysql" ? import('drizzle-orm/mysql-core') : import('drizzle-orm/pg-core'));
+    const { media: mediaSchema } = await import('./media-WKP5AOX2.cjs');
+    const { like, or, and, asc, desc, eq, sql } = await import('drizzle-orm/pg-core');
     const conditions = [];
     if (search) {
       conditions.push(
@@ -3104,7 +3106,7 @@ var MediaService = class _MediaService {
       );
       return row ? this.rowToMedia(row) : null;
     }
-    const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-AI6YK767.cjs') : import('./media-WKP5AOX2.cjs'));
+    const { media: mediaSchema } = await import('./media-WKP5AOX2.cjs');
     const [updated] = await this.db.update(mediaSchema).set({ ...data, updatedAt: /* @__PURE__ */ new Date() }).where(mediaSchema.id.equals(id)).returning();
     return updated ? this.rowToMedia(updated) : null;
   }
@@ -3125,7 +3127,7 @@ var MediaService = class _MediaService {
         );
       }
     } else {
-      const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-AI6YK767.cjs') : import('./media-WKP5AOX2.cjs'));
+      const { media: mediaSchema } = await import('./media-WKP5AOX2.cjs');
       for (const id of ids) {
         await this.db.update(mediaSchema).set({ ...data, updatedAt: /* @__PURE__ */ new Date() }).where(mediaSchema.id.equals(id));
       }
@@ -3139,8 +3141,8 @@ var MediaService = class _MediaService {
       );
       return rows.map((r) => r.path).filter((f) => f && f !== "").sort();
     }
-    const { media: mediaSchema, mediaFolders: folderSchema } = await (this.dialect === "mysql" ? import('./mysql-media-AI6YK767.cjs') : import('./media-WKP5AOX2.cjs'));
-    const { eq, sql } = await (this.dialect === "mysql" ? import('drizzle-orm/mysql-core') : import('drizzle-orm/pg-core'));
+    const { media: mediaSchema, mediaFolders: folderSchema } = await import('./media-WKP5AOX2.cjs');
+    const { eq, sql } = await import('drizzle-orm/pg-core');
     const fromMedia = await this.db.select({ folder: mediaSchema.folder }).from(mediaSchema).groupBy(mediaSchema.folder);
     const fromFolders = await this.db.select({ path: folderSchema.path }).from(folderSchema);
     const allPaths = /* @__PURE__ */ new Set([
@@ -3159,7 +3161,7 @@ var MediaService = class _MediaService {
         [fullPath, name, parentPath || null, now]
       );
     } else {
-      const { mediaFolders: folderSchema } = await (this.dialect === "mysql" ? import('./mysql-media-AI6YK767.cjs') : import('./media-WKP5AOX2.cjs'));
+      const { mediaFolders: folderSchema } = await import('./media-WKP5AOX2.cjs');
       await this.db.insert(folderSchema).values({
         path: fullPath,
         name,
@@ -3180,8 +3182,8 @@ var MediaService = class _MediaService {
         [folder, `${folder}/%`]
       );
     } else {
-      const { mediaFolders: folderSchema } = await (this.dialect === "mysql" ? import('./mysql-media-AI6YK767.cjs') : import('./media-WKP5AOX2.cjs'));
-      const { like, or, eq } = await (this.dialect === "mysql" ? import('drizzle-orm/mysql-core') : import('drizzle-orm/pg-core'));
+      const { mediaFolders: folderSchema } = await import('./media-WKP5AOX2.cjs');
+      const { like, or, eq } = await import('./media-WKP5AOX2.cjs');
       await this.db.delete(folderSchema).where(
         or(
           eq(folderSchema.path, folder),
@@ -3382,6 +3384,27 @@ function getWebhookEvent(collection, operation) {
   if (mapped) return mapped[operation];
   return `collection.${operation}`;
 }
+function extractIp(req) {
+  const forwarded = req.headers.get("x-forwarded-for");
+  if (forwarded) return forwarded.split(",")[0].trim();
+  return req.headers.get("x-real-ip") || "unknown";
+}
+function auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, endpoint, method, req) {
+  if (apiKeyContext?.apiKeyId && sessionAuthAdapter) {
+    sessionAuthAdapter.createAuditLog({
+      action: "api_request",
+      userId: apiKeyContext.userId || "",
+      resource: "api_key",
+      resourceId: apiKeyContext.apiKeyId,
+      success: true,
+      metadata: {
+        endpoint,
+        method,
+        ip: extractIp(req)
+      }
+    });
+  }
+}
 function readBaseUpdatedAt(body) {
   return body.baseUpdatedAt ?? body._baseUpdatedAt;
 }
@@ -3524,7 +3547,8 @@ async function resolveAuthContext(req, authMw, staticUser, staticTenantID) {
   return {
     user: result.user || staticUser,
     tenantID: result.tenantContext?.tenantId || staticTenantID,
-    apiKeyContext: result.apiKeyContext
+    apiKeyContext: result.apiKeyContext,
+    authType: result.authType
   };
 }
 function createHonoApp(options) {
@@ -3639,6 +3663,69 @@ function createHonoApp(options) {
   app.delete("/api/auth/sessions", async (c) => authRoutes.revokeOtherSessions(c.req.raw));
   app.delete("/api/auth/sessions/:id", async (c) => authRoutes.revokeSession(c.req.raw, c.req.param("id")));
   app.put("/api/auth/sessions/:id/name", async (c) => authRoutes.renameSession(c.req.raw, c.req.param("id")));
+  app.post("/api/graphql", async (c) => {
+    try {
+      const req = c.req.raw;
+      const apiKeyRaw = chunkIBG6V56E_cjs.extractApiKeyFromRequest(req);
+      if (apiKeyRaw && db) {
+        const apiKeyResult = await chunkIBG6V56E_cjs.validateApiKey(apiKeyRaw, db);
+        if (!apiKeyResult.valid) {
+          return c.json({ errors: [{ message: apiKeyResult.error || "Invalid API key" }] }, 401);
+        }
+        const apiKeyId = apiKeyResult.apiKeyId || "";
+        await sessionAuthAdapter?.createAuditLog({
+          action: "api_key_request",
+          userId: apiKeyResult.userId || "",
+          resource: "api_key",
+          resourceId: apiKeyId,
+          success: true,
+          metadata: {
+            endpoint: "/api/graphql",
+            method: "POST",
+            ip: extractIp(req)
+          }
+        });
+      }
+      const body = await req.json().catch(() => ({}));
+      const { query, variables } = body;
+      if (!query) {
+        return c.json({ errors: [{ message: "No query provided" }] }, 400);
+      }
+      let gqlUser;
+      let apiKeyCtx;
+      if (apiKeyRaw && db) {
+        const apiKeyResult = await chunkIBG6V56E_cjs.validateApiKey(apiKeyRaw, db);
+        if (apiKeyResult.valid && apiKeyResult.user) {
+          gqlUser = apiKeyResult.user;
+          apiKeyCtx = chunkIBG6V56E_cjs.createApiKeyContext(apiKeyResult);
+        }
+      }
+      const schema = chunkVJT6P4N6_cjs.buildGraphQLSchema({
+        registry,
+        db,
+        user: gqlUser,
+        req,
+        settings
+      });
+      const document = graphql.parse(query);
+      const result = await graphql.execute({
+        schema,
+        document,
+        variableValues: variables,
+        contextValue: { user: gqlUser, apiKeyContext: apiKeyCtx, req, db }
+      });
+      return c.json(result);
+    } catch (error) {
+      if (error.message?.includes("GraphQL is disabled")) {
+        return c.json({ errors: [{ message: "GraphQL API is disabled" }] }, 403);
+      }
+      if (error instanceof SyntaxError) {
+        return c.json({ errors: [{ message: "Invalid request body" }] }, 400);
+      }
+      console.error("[GraphQL] execution error:", error);
+      return c.json({ errors: [{ message: error.message || "GraphQL execution failed" }] }, 500);
+    }
+  });
   app.get("/api/auth/access", async (c) => {
     try {
       const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(
@@ -4353,6 +4440,7 @@ function createHonoApp(options) {
           key: rawKey,
           keyPrefix: chunkIBG6V56E_cjs.generateApiKeyPrefix(rawKey),
           permissions: Array.isArray(body.permissions) ? body.permissions : ["*"],
+          expiresAt: body.expiresAt || null,
           createdAt: (/* @__PURE__ */ new Date()).toISOString()
         }
       });
@@ -4398,6 +4486,201 @@ function createHonoApp(options) {
       return c.json({ error: error.message }, 500);
     }
   });
+  app.patch("/api/keys/:id", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:admin")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      const id = c.req.param("id");
+      const body = await c.req.json();
+      const existing = await db.findByID({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id });
+      if (!existing) return c.json({ error: "API key not found" }, 404);
+      const updateData = {};
+      if (typeof body.name === "string" && body.name.trim()) updateData.name = body.name.trim();
+      if (Array.isArray(body.permissions)) updateData.permissions = body.permissions;
+      if (body.expiresAt !== void 0) updateData.expiresAt = body.expiresAt || null;
+      if (Object.keys(updateData).length === 0) return c.json({ error: "Nothing to update" }, 400);
+      const updated = await db.update({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id, data: updateData });
+      return c.json({ ...updated, keyPrefix: existing.keyPrefix });
+    } catch (error) {
+      console.error("[ApiKeys] PATCH error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.post("/api/keys/:id/rotate", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:admin")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      const id = c.req.param("id");
+      const existing = await db.findByID({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id });
+      if (!existing) return c.json({ error: "API key not found" }, 404);
+      const rawKey = chunkIBG6V56E_cjs.generateApiKey();
+      const updated = await db.update({
+        collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION,
+        id,
+        data: {
+          key: rawKey,
+          keyPrefix: chunkIBG6V56E_cjs.generateApiKeyPrefix(rawKey),
+          lastUsedAt: null
+        }
+      });
+      await sessionAuthAdapter?.createAuditLog({
+        action: "api_key_rotate",
+        userId: ctxUser.id,
+        resource: "api_key",
+        resourceId: id,
+        success: true,
+        metadata: { keyName: existing.name }
+      });
+      return c.json({
+        ...updated,
+        key: rawKey,
+        permissions: existing.permissions,
+        expiresAt: existing.expiresAt
+      });
+    } catch (error) {
+      console.error("[ApiKeys] rotate error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.get("/api/webhooks", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:read")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const webhooks = await webhookService.getWebhooks();
+      return c.json({ docs: webhooks });
+    } catch (error) {
+      console.error("[Webhooks] GET error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.post("/api/webhooks", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:admin")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const body = await c.req.json();
+      const webhook = await webhookService.createWebhook(body);
+      await sessionAuthAdapter?.createAuditLog({
+        action: "webhook_create",
+        userId: ctxUser.id,
+        resource: "webhook",
+        resourceId: webhook.id,
+        success: true,
+        metadata: { name: webhook.name, url: webhook.url }
+      });
+      return c.json(webhook, 201);
+    } catch (error) {
+      console.error("[Webhooks] POST error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.get("/api/webhooks/:id", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:read")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const id = c.req.param("id");
+      const webhook = await webhookService.getWebhookById(id);
+      if (!webhook) return c.json({ error: "Webhook not found" }, 404);
+      return c.json(webhook);
+    } catch (error) {
+      console.error("[Webhooks] GET :id error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.patch("/api/webhooks/:id", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:admin")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const id = c.req.param("id");
+      const body = await c.req.json();
+      const updated = await webhookService.updateWebhook(id, body);
+      if (!updated) return c.json({ error: "Webhook not found" }, 404);
+      await sessionAuthAdapter?.createAuditLog({
+        action: "webhook_update",
+        userId: ctxUser.id,
+        resource: "webhook",
+        resourceId: id,
+        success: true,
+        metadata: { name: updated.name }
+      });
+      return c.json(updated);
+    } catch (error) {
+      console.error("[Webhooks] PATCH error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.delete("/api/webhooks/:id", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:admin")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const id = c.req.param("id");
+      const existing = await webhookService.getWebhookById(id);
+      if (!existing) return c.json({ error: "Webhook not found" }, 404);
+      await webhookService.deleteWebhook(id);
+      await sessionAuthAdapter?.createAuditLog({
+        action: "webhook_delete",
+        userId: ctxUser.id,
+        resource: "webhook",
+        resourceId: id,
+        success: true,
+        metadata: { name: existing.name }
+      });
+      return c.json({ message: "Webhook deleted" });
+    } catch (error) {
+      console.error("[Webhooks] DELETE error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.post("/api/webhooks/:id/test", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:admin")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const id = c.req.param("id");
+      const result = await webhookService.testWebhook(id);
+      if (!result) return c.json({ error: "Webhook not found" }, 404);
+      return c.json(result);
+    } catch (error) {
+      console.error("[Webhooks] test error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.get("/api/webhooks/:id/history", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:read")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const id = c.req.param("id");
+      const limit = Math.min(parseInt(c.req.query("limit") || "50"), 100);
+      const history = await webhookService.getDeliveryHistory(id, limit);
+      return c.json({ docs: history });
+    } catch (error) {
+      console.error("[Webhooks] history error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
   const collections = registry.getCollections();
   for (const collection of collections) {
     let computeDiff2 = function(a, b) {
@@ -4434,6 +4717,7 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, basePath, "GET", c.req.raw);
         const url = new URL(c.req.url);
         const page = parseInt(url.searchParams.get("page") || "1");
         const limit = Math.min(
@@ -4491,6 +4775,7 @@ function createHonoApp(options) {
         const url = new URL(c.req.url);
         const compareA = url.searchParams.get("compareA");
         const compareB = url.searchParams.get("compareB");
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, `${basePath}/${id}/versions`, "GET", c.req.raw);
         if (compareA && compareB) {
           const [versionA, versionB] = await Promise.all([
             db.findVersionByID({ collection: slug, versionId: compareA, tenantID: ctxTenantID }),
@@ -4503,7 +4788,7 @@ function createHonoApp(options) {
           return c.json({ diffs });
         }
         const page = parseInt(url.searchParams.get("page") || "1");
-        const limit = parseInt(url.searchParams.get("limit") || "10");
+        const limit = Math.min(parseInt(url.searchParams.get("limit") || "10"), 100);
         const result = await db.findVersions({
           collection: slug,
           documentId: id,
@@ -4690,6 +4975,7 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, basePath, "POST", c.req.raw);
         const body = await c.req.json();
         const schema = registry.getCreateZodSchema(slug);
         let validated;
@@ -4749,13 +5035,19 @@ function createHonoApp(options) {
         const id = c.req.param("id");
         const body = await c.req.json();
         const baseUpdatedAt = readBaseUpdatedAt(body);
+        console.log(`[PATCH] ${slug}/${id}`, {
+          baseUpdatedAt,
+          bodyKeys: Object.keys(body),
+          tenantID: ctxTenantID
+        });
         const cleaned = Object.fromEntries(
           Object.entries(omitRevisionFields(body)).filter(
-            ([_, v]) => v !== null && v !== "null" && v !== void 0
+            ([_, v]) => v !== "null" && v !== void 0
           )
         );
         const schema = registry.getUpdateZodSchema(slug);
         const validated = schema.parse(cleaned);
+        console.log(`[PATCH] Validated data:`, Object.keys(validated));
         const originalDoc = await db.findByID({
           collection: slug,
           id,
@@ -4763,6 +5055,9 @@ function createHonoApp(options) {
           draft: true
           // Always fetch current doc regardless of status
         });
+        if (originalDoc) {
+          console.log(`[PATCH] Original doc updatedAt:`, originalDoc.updatedAt);
+        }
         if (!originalDoc) {
           return c.json({ error: "Document not found" }, 404);
         }
@@ -4782,7 +5077,7 @@ function createHonoApp(options) {
             changeDescription: "Manual save (Draft)",
             tenantID: ctxTenantID
           });
-          doc = await db.update({
+          await db.update({
             collection: slug,
             id,
             data: { _has_draft: true },
@@ -4791,13 +5086,21 @@ function createHonoApp(options) {
           });
         } else {
           const saveData = isDraftEnabled ? { ...validated, _status: "draft", _has_draft: false } : validated;
-          doc = await db.update({
+          await db.update({
             collection: slug,
             id,
             data: saveData,
             tenantID: ctxTenantID
           });
-          if (isDraftEnabled) {
+        }
+        doc = await db.findByID({
+          collection: slug,
+          id,
+          tenantID: ctxTenantID,
+          draft: true
+        });
+        if (isDraftEnabled) {
+          if (!isAlreadyPublished) {
             await db.createVersion({
               collection: slug,
               documentId: id,
@@ -4807,13 +5110,13 @@ function createHonoApp(options) {
               changeDescription: "Manual save",
               tenantID: ctxTenantID
             });
-          } else {
-            await db.deleteDraft({
-              collection: slug,
-              documentId: id,
-              tenantID: ctxTenantID
-            });
           }
+        } else {
+          await db.deleteDraft({
+            collection: slug,
+            documentId: id,
+            tenantID: ctxTenantID
+          });
         }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "update"), {
@@ -4825,6 +5128,7 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
+        console.log(`[PATCH] Result doc updatedAt:`, doc?.updatedAt);
         return c.json({ data: doc, message: isDraftEnabled ? "Draft saved" : "Updated successfully" });
       } catch (error) {
         if (error.name === "ZodError") {
@@ -5534,5 +5838,5 @@ exports.init_secret = init_secret;
 exports.loadSecrets = loadSecrets;
 exports.resolveProvider = resolveProvider;
 exports.setDbAdapter = setDbAdapter;
-//# sourceMappingURL=chunk-MMYAIYHJ.cjs.map
-//# sourceMappingURL=chunk-MMYAIYHJ.cjs.map
+//# sourceMappingURL=chunk-M4GFA2UQ.cjs.map
+//# sourceMappingURL=chunk-M4GFA2UQ.cjs.map