@kyro-cms/core 0.3.4 → 0.4.0

package/dist/{chunk-2SJATAN4.js → chunk-OJBK3JYF.js}

@@ -1,8 +1,9 @@
 import { PasswordPolicy, ConfigService, SQLiteAuthAdapter, EmailTransport } from './chunk-RYDGMBIG.js';
 import { createAuditContext } from './chunk-P2YW545G.js';
-import { WEBHOOK_EVENTS, API_KEY_COLLECTION, generateApiKey, generateApiKeyPrefix, hasApiKeyPermission, extractApiKeyFromRequest, validateApiKey, createApiKeyContext } from './chunk-QXIQWPAP.js';
+import { WEBHOOK_EVENTS, extractApiKeyFromRequest, validateApiKey, createApiKeyContext, API_KEY_COLLECTION, generateApiKey, generateApiKeyPrefix, hasApiKeyPermission } from './chunk-QXIQWPAP.js';
+import { buildGraphQLSchema } from './chunk-REK7AYOC.js';
 import { evaluateAccess } from './chunk-SDMNUYVU.js';
-import { genId } from './chunk-RGIQKTZ7.js';
+import { genId } from './chunk-YMG55RSX.js';
 import { __esm, __export, __toCommonJS, __require } from './chunk-Z6ZWNWWR.js';
 import crypto, { randomBytes, createHash } from 'crypto';
 import { createStorage } from 'unstorage';
@@ -11,6 +12,7 @@ import { Hono } from 'hono';
 import path, { join, basename, extname, resolve } from 'path';
 import { existsSync, readFileSync } from 'fs';
 import sharp from 'sharp';
+import { parse, execute } from 'graphql';
 import { mkdir, readdir, stat, rename, unlink, writeFile } from 'fs/promises';
 import { S3Client, ListObjectsV2Command, DeleteObjectsCommand, DeleteObjectCommand, PutObjectCommand, HeadObjectCommand, CopyObjectCommand } from '@aws-sdk/client-s3';
 import { Readable } from 'stream';
@@ -1351,7 +1353,7 @@ var AuthRoutes = class {
     }
     try {
       const sessions = await getUserSessions(session.userId, getSessionIdFromRequest(req) ?? void 0);
-      return this.jsonResponse({ success: true, sessions });
+      return this.jsonResponse({ sessions });
     } catch (error) {
       console.error("[AuthRoutes.listSessions] Error:", error);
       return this.errorResponse("Failed to list sessions", 500);
@@ -2842,7 +2844,7 @@ var MediaService = class _MediaService {
         ]
       );
     } else {
-      const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-CDZUS7YX.js') : import('./media-HOT3O7RW.js'));
+      const { media: mediaSchema } = await import('./media-HOT3O7RW.js');
       await this.db.insert(mediaSchema).values({
         id,
         filename: storageResult.filename,
@@ -2898,7 +2900,7 @@ var MediaService = class _MediaService {
         id
       ]);
     } else {
-      const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-CDZUS7YX.js') : import('./media-HOT3O7RW.js'));
+      const { media: mediaSchema } = await import('./media-HOT3O7RW.js');
       const [row] = await this.db.select().from(mediaSchema).where(mediaSchema.id.equals(id));
       if (row) item = this.rowToMedia(row);
     }
@@ -2913,7 +2915,7 @@ var MediaService = class _MediaService {
     if (this.dialect === "sqlite") {
       await this.sqliteRun(`DELETE FROM ${this.mediaTable} WHERE id = ?`, [id]);
     } else {
-      const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-CDZUS7YX.js') : import('./media-HOT3O7RW.js'));
+      const { media: mediaSchema } = await import('./media-HOT3O7RW.js');
       await this.db.delete(mediaSchema).where(mediaSchema.id.equals(id));
     }
   }
@@ -2927,7 +2929,7 @@ var MediaService = class _MediaService {
         id
       ]);
     } else {
-      const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-CDZUS7YX.js') : import('./media-HOT3O7RW.js'));
+      const { media: mediaSchema } = await import('./media-HOT3O7RW.js');
       const [row] = await this.db.select().from(mediaSchema).where(mediaSchema.id.equals(id));
       if (row) item = this.rowToMedia(row);
     }
@@ -2961,7 +2963,7 @@ var MediaService = class _MediaService {
         [...vals, this.now(), id]
       );
     } else {
-      const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-CDZUS7YX.js') : import('./media-HOT3O7RW.js'));
+      const { media: mediaSchema } = await import('./media-HOT3O7RW.js');
       await this.db.update(mediaSchema).set({ ...updateData, updatedAt: this.now() }).where(mediaSchema.id.equals(id));
     }
     return {
@@ -2979,7 +2981,7 @@ var MediaService = class _MediaService {
       );
       return row2 ? this.rowToMedia(row2) : null;
     }
-    const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-CDZUS7YX.js') : import('./media-HOT3O7RW.js'));
+    const { media: mediaSchema } = await import('./media-HOT3O7RW.js');
     const [row] = await this.db.select().from(mediaSchema).where(mediaSchema.id.equals(id));
     return row ? this.rowToMedia(row) : null;
   }
@@ -3026,8 +3028,8 @@ var MediaService = class _MediaService {
         totalPages: Math.ceil(totalDocs2 / limit)
       };
     }
-    const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-CDZUS7YX.js') : import('./media-HOT3O7RW.js'));
-    const { like, or, and, asc, desc, eq, sql } = await (this.dialect === "mysql" ? import('drizzle-orm/mysql-core') : import('drizzle-orm/pg-core'));
+    const { media: mediaSchema } = await import('./media-HOT3O7RW.js');
+    const { like, or, and, asc, desc, eq, sql } = await import('drizzle-orm/pg-core');
     const conditions = [];
     if (search) {
       conditions.push(
@@ -3095,7 +3097,7 @@ var MediaService = class _MediaService {
       );
       return row ? this.rowToMedia(row) : null;
     }
-    const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-CDZUS7YX.js') : import('./media-HOT3O7RW.js'));
+    const { media: mediaSchema } = await import('./media-HOT3O7RW.js');
     const [updated] = await this.db.update(mediaSchema).set({ ...data, updatedAt: /* @__PURE__ */ new Date() }).where(mediaSchema.id.equals(id)).returning();
     return updated ? this.rowToMedia(updated) : null;
   }
@@ -3116,7 +3118,7 @@ var MediaService = class _MediaService {
         );
       }
     } else {
-      const { media: mediaSchema } = await (this.dialect === "mysql" ? import('./mysql-media-CDZUS7YX.js') : import('./media-HOT3O7RW.js'));
+      const { media: mediaSchema } = await import('./media-HOT3O7RW.js');
       for (const id of ids) {
         await this.db.update(mediaSchema).set({ ...data, updatedAt: /* @__PURE__ */ new Date() }).where(mediaSchema.id.equals(id));
       }
@@ -3130,8 +3132,8 @@ var MediaService = class _MediaService {
       );
       return rows.map((r) => r.path).filter((f) => f && f !== "").sort();
     }
-    const { media: mediaSchema, mediaFolders: folderSchema } = await (this.dialect === "mysql" ? import('./mysql-media-CDZUS7YX.js') : import('./media-HOT3O7RW.js'));
-    const { eq, sql } = await (this.dialect === "mysql" ? import('drizzle-orm/mysql-core') : import('drizzle-orm/pg-core'));
+    const { media: mediaSchema, mediaFolders: folderSchema } = await import('./media-HOT3O7RW.js');
+    const { eq, sql } = await import('drizzle-orm/pg-core');
     const fromMedia = await this.db.select({ folder: mediaSchema.folder }).from(mediaSchema).groupBy(mediaSchema.folder);
     const fromFolders = await this.db.select({ path: folderSchema.path }).from(folderSchema);
     const allPaths = /* @__PURE__ */ new Set([
@@ -3150,7 +3152,7 @@ var MediaService = class _MediaService {
         [fullPath, name, parentPath || null, now]
       );
     } else {
-      const { mediaFolders: folderSchema } = await (this.dialect === "mysql" ? import('./mysql-media-CDZUS7YX.js') : import('./media-HOT3O7RW.js'));
+      const { mediaFolders: folderSchema } = await import('./media-HOT3O7RW.js');
       await this.db.insert(folderSchema).values({
         path: fullPath,
         name,
@@ -3171,8 +3173,8 @@ var MediaService = class _MediaService {
         [folder, `${folder}/%`]
       );
     } else {
-      const { mediaFolders: folderSchema } = await (this.dialect === "mysql" ? import('./mysql-media-CDZUS7YX.js') : import('./media-HOT3O7RW.js'));
-      const { like, or, eq } = await (this.dialect === "mysql" ? import('drizzle-orm/mysql-core') : import('drizzle-orm/pg-core'));
+      const { mediaFolders: folderSchema } = await import('./media-HOT3O7RW.js');
+      const { like, or, eq } = await import('./media-HOT3O7RW.js');
       await this.db.delete(folderSchema).where(
         or(
           eq(folderSchema.path, folder),
@@ -3373,6 +3375,27 @@ function getWebhookEvent(collection, operation) {
   if (mapped) return mapped[operation];
   return `collection.${operation}`;
 }
+function extractIp(req) {
+  const forwarded = req.headers.get("x-forwarded-for");
+  if (forwarded) return forwarded.split(",")[0].trim();
+  return req.headers.get("x-real-ip") || "unknown";
+}
+function auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, endpoint, method, req) {
+  if (apiKeyContext?.apiKeyId && sessionAuthAdapter) {
+    sessionAuthAdapter.createAuditLog({
+      action: "api_request",
+      userId: apiKeyContext.userId || "",
+      resource: "api_key",
+      resourceId: apiKeyContext.apiKeyId,
+      success: true,
+      metadata: {
+        endpoint,
+        method,
+        ip: extractIp(req)
+      }
+    });
+  }
+}
 function readBaseUpdatedAt(body) {
   return body.baseUpdatedAt ?? body._baseUpdatedAt;
 }
@@ -3515,7 +3538,8 @@ async function resolveAuthContext(req, authMw, staticUser, staticTenantID) {
   return {
     user: result.user || staticUser,
     tenantID: result.tenantContext?.tenantId || staticTenantID,
-    apiKeyContext: result.apiKeyContext
+    apiKeyContext: result.apiKeyContext,
+    authType: result.authType
   };
 }
 function createHonoApp(options) {
@@ -3630,6 +3654,69 @@ function createHonoApp(options) {
   app.delete("/api/auth/sessions", async (c) => authRoutes.revokeOtherSessions(c.req.raw));
   app.delete("/api/auth/sessions/:id", async (c) => authRoutes.revokeSession(c.req.raw, c.req.param("id")));
   app.put("/api/auth/sessions/:id/name", async (c) => authRoutes.renameSession(c.req.raw, c.req.param("id")));
+  app.post("/api/graphql", async (c) => {
+    try {
+      const req = c.req.raw;
+      const apiKeyRaw = extractApiKeyFromRequest(req);
+      if (apiKeyRaw && db) {
+        const apiKeyResult = await validateApiKey(apiKeyRaw, db);
+        if (!apiKeyResult.valid) {
+          return c.json({ errors: [{ message: apiKeyResult.error || "Invalid API key" }] }, 401);
+        }
+        const apiKeyId = apiKeyResult.apiKeyId || "";
+        await sessionAuthAdapter?.createAuditLog({
+          action: "api_key_request",
+          userId: apiKeyResult.userId || "",
+          resource: "api_key",
+          resourceId: apiKeyId,
+          success: true,
+          metadata: {
+            endpoint: "/api/graphql",
+            method: "POST",
+            ip: extractIp(req)
+          }
+        });
+      }
+      const body = await req.json().catch(() => ({}));
+      const { query, variables } = body;
+      if (!query) {
+        return c.json({ errors: [{ message: "No query provided" }] }, 400);
+      }
+      let gqlUser;
+      let apiKeyCtx;
+      if (apiKeyRaw && db) {
+        const apiKeyResult = await validateApiKey(apiKeyRaw, db);
+        if (apiKeyResult.valid && apiKeyResult.user) {
+          gqlUser = apiKeyResult.user;
+          apiKeyCtx = createApiKeyContext(apiKeyResult);
+        }
+      }
+      const schema = buildGraphQLSchema({
+        registry,
+        db,
+        user: gqlUser,
+        req,
+        settings
+      });
+      const document = parse(query);
+      const result = await execute({
+        schema,
+        document,
+        variableValues: variables,
+        contextValue: { user: gqlUser, apiKeyContext: apiKeyCtx, req, db }
+      });
+      return c.json(result);
+    } catch (error) {
+      if (error.message?.includes("GraphQL is disabled")) {
+        return c.json({ errors: [{ message: "GraphQL API is disabled" }] }, 403);
+      }
+      if (error instanceof SyntaxError) {
+        return c.json({ errors: [{ message: "Invalid request body" }] }, 400);
+      }
+      console.error("[GraphQL] execution error:", error);
+      return c.json({ errors: [{ message: error.message || "GraphQL execution failed" }] }, 500);
+    }
+  });
   app.get("/api/auth/access", async (c) => {
     try {
       const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(
@@ -4344,6 +4431,7 @@ function createHonoApp(options) {
           key: rawKey,
           keyPrefix: generateApiKeyPrefix(rawKey),
           permissions: Array.isArray(body.permissions) ? body.permissions : ["*"],
+          expiresAt: body.expiresAt || null,
           createdAt: (/* @__PURE__ */ new Date()).toISOString()
         }
       });
@@ -4389,6 +4477,201 @@ function createHonoApp(options) {
       return c.json({ error: error.message }, 500);
     }
   });
+  app.patch("/api/keys/:id", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:admin")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      const id = c.req.param("id");
+      const body = await c.req.json();
+      const existing = await db.findByID({ collection: API_KEY_COLLECTION, id });
+      if (!existing) return c.json({ error: "API key not found" }, 404);
+      const updateData = {};
+      if (typeof body.name === "string" && body.name.trim()) updateData.name = body.name.trim();
+      if (Array.isArray(body.permissions)) updateData.permissions = body.permissions;
+      if (body.expiresAt !== void 0) updateData.expiresAt = body.expiresAt || null;
+      if (Object.keys(updateData).length === 0) return c.json({ error: "Nothing to update" }, 400);
+      const updated = await db.update({ collection: API_KEY_COLLECTION, id, data: updateData });
+      return c.json({ ...updated, keyPrefix: existing.keyPrefix });
+    } catch (error) {
+      console.error("[ApiKeys] PATCH error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.post("/api/keys/:id/rotate", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:admin")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      const id = c.req.param("id");
+      const existing = await db.findByID({ collection: API_KEY_COLLECTION, id });
+      if (!existing) return c.json({ error: "API key not found" }, 404);
+      const rawKey = generateApiKey();
+      const updated = await db.update({
+        collection: API_KEY_COLLECTION,
+        id,
+        data: {
+          key: rawKey,
+          keyPrefix: generateApiKeyPrefix(rawKey),
+          lastUsedAt: null
+        }
+      });
+      await sessionAuthAdapter?.createAuditLog({
+        action: "api_key_rotate",
+        userId: ctxUser.id,
+        resource: "api_key",
+        resourceId: id,
+        success: true,
+        metadata: { keyName: existing.name }
+      });
+      return c.json({
+        ...updated,
+        key: rawKey,
+        permissions: existing.permissions,
+        expiresAt: existing.expiresAt
+      });
+    } catch (error) {
+      console.error("[ApiKeys] rotate error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.get("/api/webhooks", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:read")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const webhooks = await webhookService.getWebhooks();
+      return c.json({ docs: webhooks });
+    } catch (error) {
+      console.error("[Webhooks] GET error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.post("/api/webhooks", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:admin")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const body = await c.req.json();
+      const webhook = await webhookService.createWebhook(body);
+      await sessionAuthAdapter?.createAuditLog({
+        action: "webhook_create",
+        userId: ctxUser.id,
+        resource: "webhook",
+        resourceId: webhook.id,
+        success: true,
+        metadata: { name: webhook.name, url: webhook.url }
+      });
+      return c.json(webhook, 201);
+    } catch (error) {
+      console.error("[Webhooks] POST error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.get("/api/webhooks/:id", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:read")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const id = c.req.param("id");
+      const webhook = await webhookService.getWebhookById(id);
+      if (!webhook) return c.json({ error: "Webhook not found" }, 404);
+      return c.json(webhook);
+    } catch (error) {
+      console.error("[Webhooks] GET :id error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.patch("/api/webhooks/:id", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:admin")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const id = c.req.param("id");
+      const body = await c.req.json();
+      const updated = await webhookService.updateWebhook(id, body);
+      if (!updated) return c.json({ error: "Webhook not found" }, 404);
+      await sessionAuthAdapter?.createAuditLog({
+        action: "webhook_update",
+        userId: ctxUser.id,
+        resource: "webhook",
+        resourceId: id,
+        success: true,
+        metadata: { name: updated.name }
+      });
+      return c.json(updated);
+    } catch (error) {
+      console.error("[Webhooks] PATCH error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.delete("/api/webhooks/:id", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:admin")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const id = c.req.param("id");
+      const existing = await webhookService.getWebhookById(id);
+      if (!existing) return c.json({ error: "Webhook not found" }, 404);
+      await webhookService.deleteWebhook(id);
+      await sessionAuthAdapter?.createAuditLog({
+        action: "webhook_delete",
+        userId: ctxUser.id,
+        resource: "webhook",
+        resourceId: id,
+        success: true,
+        metadata: { name: existing.name }
+      });
+      return c.json({ message: "Webhook deleted" });
+    } catch (error) {
+      console.error("[Webhooks] DELETE error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.post("/api/webhooks/:id/test", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:admin")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const id = c.req.param("id");
+      const result = await webhookService.testWebhook(id);
+      if (!result) return c.json({ error: "Webhook not found" }, 404);
+      return c.json(result);
+    } catch (error) {
+      console.error("[Webhooks] test error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.get("/api/webhooks/:id/history", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !hasPermission(ctxUser, "users:read")) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
+      const id = c.req.param("id");
+      const limit = Math.min(parseInt(c.req.query("limit") || "50"), 100);
+      const history = await webhookService.getDeliveryHistory(id, limit);
+      return c.json({ docs: history });
+    } catch (error) {
+      console.error("[Webhooks] history error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
   const collections = registry.getCollections();
   for (const collection of collections) {
     let computeDiff2 = function(a, b) {
@@ -4425,6 +4708,7 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, basePath, "GET", c.req.raw);
         const url = new URL(c.req.url);
         const page = parseInt(url.searchParams.get("page") || "1");
         const limit = Math.min(
@@ -4482,6 +4766,7 @@ function createHonoApp(options) {
         const url = new URL(c.req.url);
         const compareA = url.searchParams.get("compareA");
         const compareB = url.searchParams.get("compareB");
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, `${basePath}/${id}/versions`, "GET", c.req.raw);
         if (compareA && compareB) {
           const [versionA, versionB] = await Promise.all([
             db.findVersionByID({ collection: slug, versionId: compareA, tenantID: ctxTenantID }),
@@ -4494,7 +4779,7 @@ function createHonoApp(options) {
           return c.json({ diffs });
         }
         const page = parseInt(url.searchParams.get("page") || "1");
-        const limit = parseInt(url.searchParams.get("limit") || "10");
+        const limit = Math.min(parseInt(url.searchParams.get("limit") || "10"), 100);
         const result = await db.findVersions({
           collection: slug,
           documentId: id,
@@ -4681,6 +4966,7 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, basePath, "POST", c.req.raw);
         const body = await c.req.json();
         const schema = registry.getCreateZodSchema(slug);
         let validated;
@@ -4740,13 +5026,19 @@ function createHonoApp(options) {
         const id = c.req.param("id");
         const body = await c.req.json();
         const baseUpdatedAt = readBaseUpdatedAt(body);
+        console.log(`[PATCH] ${slug}/${id}`, {
+          baseUpdatedAt,
+          bodyKeys: Object.keys(body),
+          tenantID: ctxTenantID
+        });
         const cleaned = Object.fromEntries(
           Object.entries(omitRevisionFields(body)).filter(
-            ([_, v]) => v !== null && v !== "null" && v !== void 0
+            ([_, v]) => v !== "null" && v !== void 0
           )
         );
         const schema = registry.getUpdateZodSchema(slug);
         const validated = schema.parse(cleaned);
+        console.log(`[PATCH] Validated data:`, Object.keys(validated));
         const originalDoc = await db.findByID({
           collection: slug,
           id,
@@ -4754,6 +5046,9 @@ function createHonoApp(options) {
           draft: true
           // Always fetch current doc regardless of status
         });
+        if (originalDoc) {
+          console.log(`[PATCH] Original doc updatedAt:`, originalDoc.updatedAt);
+        }
         if (!originalDoc) {
           return c.json({ error: "Document not found" }, 404);
         }
@@ -4773,7 +5068,7 @@ function createHonoApp(options) {
             changeDescription: "Manual save (Draft)",
             tenantID: ctxTenantID
           });
-          doc = await db.update({
+          await db.update({
             collection: slug,
             id,
             data: { _has_draft: true },
@@ -4782,13 +5077,21 @@ function createHonoApp(options) {
           });
         } else {
           const saveData = isDraftEnabled ? { ...validated, _status: "draft", _has_draft: false } : validated;
-          doc = await db.update({
+          await db.update({
             collection: slug,
             id,
             data: saveData,
             tenantID: ctxTenantID
           });
-          if (isDraftEnabled) {
+        }
+        doc = await db.findByID({
+          collection: slug,
+          id,
+          tenantID: ctxTenantID,
+          draft: true
+        });
+        if (isDraftEnabled) {
+          if (!isAlreadyPublished) {
             await db.createVersion({
               collection: slug,
               documentId: id,
@@ -4798,13 +5101,13 @@ function createHonoApp(options) {
               changeDescription: "Manual save",
               tenantID: ctxTenantID
             });
-          } else {
-            await db.deleteDraft({
-              collection: slug,
-              documentId: id,
-              tenantID: ctxTenantID
-            });
           }
+        } else {
+          await db.deleteDraft({
+            collection: slug,
+            documentId: id,
+            tenantID: ctxTenantID
+          });
         }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "update"), {
@@ -4816,6 +5119,7 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
+        console.log(`[PATCH] Result doc updatedAt:`, doc?.updatedAt);
         return c.json({ data: doc, message: isDraftEnabled ? "Draft saved" : "Updated successfully" });
       } catch (error) {
         if (error.name === "ZodError") {
@@ -5510,5 +5814,5 @@ function createRESTAPI(registry, db, options) {
 }
 
 export { AuditLogger, AuthRoutes, InMemoryAuditLogger, InMemoryRateLimiter, MediaService, createAuditContext2 as createAuditContext, createHonoApp, createLocalStorage, createRESTAPI, getAppSecret, getEncryptionKey, getSessionConfig, init_secret, loadSecrets, resolveProvider, setDbAdapter };
-//# sourceMappingURL=chunk-2SJATAN4.js.map
-//# sourceMappingURL=chunk-2SJATAN4.js.map
+//# sourceMappingURL=chunk-OJBK3JYF.js.map
+//# sourceMappingURL=chunk-OJBK3JYF.js.map