npm - @kyro-cms/core - Versions diffs - 0.8.0 → 0.9.1 - Mend

@kyro-cms/core 0.8.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (248) hide show

package/README.md +57 -589
package/dist/{WebhookService-118ZTFis.d.ts → WebhookService-CUTb9XOy.d.ts} +1 -1
package/dist/{WebhookService-AefJfqX0.d.cts → WebhookService-Yg2UEOB4.d.cts} +1 -1
package/dist/api-handler-graphql.cjs +44 -0
package/dist/api-handler-graphql.cjs.map +1 -0
package/dist/api-handler-graphql.d.cts +6 -0
package/dist/api-handler-graphql.d.ts +6 -0
package/dist/api-handler-graphql.js +41 -0
package/dist/api-handler-graphql.js.map +1 -0
package/dist/api-handler-trpc.cjs +38 -0
package/dist/api-handler-trpc.cjs.map +1 -0
package/dist/api-handler-trpc.d.cts +5 -0
package/dist/api-handler-trpc.d.ts +5 -0
package/dist/api-handler-trpc.js +36 -0
package/dist/api-handler-trpc.js.map +1 -0
package/dist/api-handler.cjs +31 -97
package/dist/api-handler.cjs.map +1 -1
package/dist/api-handler.d.cts +2 -1
package/dist/api-handler.d.ts +2 -1
package/dist/api-handler.js +19 -95
package/dist/api-handler.js.map +1 -1
package/dist/{tenant-B1YB0Jy8.d.ts → base-B71y_EAF.d.cts} +6 -12
package/dist/{tenant-Cpeveji6.d.cts → base-DaqY2GhA.d.ts} +6 -12
package/dist/bootstrap-5NLASFOG.cjs +32 -0
package/dist/{bootstrap-AKAUP6F6.cjs.map → bootstrap-5NLASFOG.cjs.map} +1 -1
package/dist/bootstrap-T5BK77LD.js +7 -0
package/dist/{bootstrap-JCML6NFO.js.map → bootstrap-T5BK77LD.js.map} +1 -1
package/dist/{chunk-35U3FROB.js → chunk-22M4O4ZJ.js} +607 -63
package/dist/chunk-22M4O4ZJ.js.map +1 -0
package/dist/chunk-2HZRBATX.cjs +253 -0
package/dist/chunk-2HZRBATX.cjs.map +1 -0
package/dist/{chunk-VJT6P4N6.cjs → chunk-3HR772HI.cjs} +199 -32
package/dist/chunk-3HR772HI.cjs.map +1 -0
package/dist/chunk-3KTWGODI.cjs +178 -0
package/dist/chunk-3KTWGODI.cjs.map +1 -0
package/dist/{chunk-QXIQWPAP.js → chunk-3UK5XBVJ.js} +4 -134
package/dist/chunk-3UK5XBVJ.js.map +1 -0
package/dist/{chunk-FXYP2HA6.js → chunk-4AO3A3JM.js} +48 -4
package/dist/chunk-4AO3A3JM.js.map +1 -0
package/dist/chunk-4M7X5HAB.cjs +173 -0
package/dist/chunk-4M7X5HAB.cjs.map +1 -0
package/dist/chunk-5EPFQUQD.js +3243 -0
package/dist/chunk-5EPFQUQD.js.map +1 -0
package/dist/{chunk-Y3N7UUDO.js → chunk-7OGPN7MP.js} +5 -2
package/dist/chunk-7OGPN7MP.js.map +1 -0
package/dist/{chunk-WOWUL7ZY.js → chunk-AL5KX63J.js} +4 -3
package/dist/chunk-AL5KX63J.js.map +1 -0
package/dist/{chunk-2OL4O2TH.cjs → chunk-C36TMDTY.cjs} +66 -61
package/dist/chunk-C36TMDTY.cjs.map +1 -0
package/dist/{chunk-ES5HNFFT.js → chunk-CF7OL6HR.js} +4 -2
package/dist/chunk-CF7OL6HR.js.map +1 -0
package/dist/chunk-CJONKRHJ.js +162 -0
package/dist/chunk-CJONKRHJ.js.map +1 -0
package/dist/{chunk-2KVHZE6O.cjs → chunk-COIASRDK.cjs} +202 -46
package/dist/chunk-COIASRDK.cjs.map +1 -0
package/dist/chunk-DEVFAKCQ.cjs +3291 -0
package/dist/chunk-DEVFAKCQ.cjs.map +1 -0
package/dist/{chunk-3ZFYL34R.js → chunk-DYTZ6FQ7.js} +12 -185
package/dist/chunk-DYTZ6FQ7.js.map +1 -0
package/dist/{chunk-QPPDLRNR.js → chunk-EJN2PAOE.js} +197 -41
package/dist/chunk-EJN2PAOE.js.map +1 -0
package/dist/chunk-FAXU7BMP.js +220 -0
package/dist/chunk-FAXU7BMP.js.map +1 -0
package/dist/{chunk-OHVB4AJ7.js → chunk-FOPGUM27.js} +22 -17
package/dist/chunk-FOPGUM27.js.map +1 -0
package/dist/chunk-GAOXD3XT.js +175 -0
package/dist/chunk-GAOXD3XT.js.map +1 -0
package/dist/{chunk-4DA7QPLA.cjs → chunk-GXFOGU7N.cjs} +5 -2
package/dist/chunk-GXFOGU7N.cjs.map +1 -0
package/dist/{chunk-I7HHI6QV.cjs → chunk-IDVRRRAK.cjs} +17 -9
package/dist/chunk-IDVRRRAK.cjs.map +1 -0
package/dist/{chunk-WQBRWOQT.cjs → chunk-JOPVMWTM.cjs} +3 -2
package/dist/chunk-JOPVMWTM.cjs.map +1 -0
package/dist/chunk-KC2GDBLS.cjs +84 -0
package/dist/chunk-KC2GDBLS.cjs.map +1 -0
package/dist/{chunk-K7JPTH3G.cjs → chunk-KNRSROWB.cjs} +132 -74
package/dist/chunk-KNRSROWB.cjs.map +1 -0
package/dist/{chunk-3AJE4SEG.js → chunk-KPA4AN4R.js} +125 -67
package/dist/chunk-KPA4AN4R.js.map +1 -0
package/dist/{chunk-QUW2RZTM.cjs → chunk-L46ROHUS.cjs} +51 -7
package/dist/chunk-L46ROHUS.cjs.map +1 -0
package/dist/chunk-L4EZKIEX.js +185 -0
package/dist/chunk-L4EZKIEX.js.map +1 -0
package/dist/{chunk-REK7AYOC.js → chunk-L5UKKZQN.js} +199 -32
package/dist/chunk-L5UKKZQN.js.map +1 -0
package/dist/chunk-NKPKR5BW.cjs +188 -0
package/dist/chunk-NKPKR5BW.cjs.map +1 -0
package/dist/{chunk-Y3QQN7PN.js → chunk-P2HKJ7P5.js} +13 -4
package/dist/chunk-P2HKJ7P5.js.map +1 -0
package/dist/{chunk-SA7NSSIQ.cjs → chunk-PI73NNOK.cjs} +13 -187
package/dist/chunk-PI73NNOK.cjs.map +1 -0
package/dist/{chunk-HXRD4B37.js → chunk-PU2Z5VWF.js} +1279 -556
package/dist/chunk-PU2Z5VWF.js.map +1 -0
package/dist/{chunk-H727JIG7.js → chunk-Q72BOAPK.js} +16 -8
package/dist/chunk-Q72BOAPK.js.map +1 -0
package/dist/{chunk-IBG6V56E.cjs → chunk-QFLB4EIJ.cjs} +2 -139
package/dist/chunk-QFLB4EIJ.cjs.map +1 -0
package/dist/{chunk-YVUJBEXE.cjs → chunk-RAMGUDJN.cjs} +16 -7
package/dist/chunk-RAMGUDJN.cjs.map +1 -0
package/dist/{chunk-LINKCEG4.cjs → chunk-ROJHKAQ4.cjs} +617 -73
package/dist/chunk-ROJHKAQ4.cjs.map +1 -0
package/dist/{chunk-5KVM3WEY.cjs → chunk-RSF3UU7H.cjs} +1330 -602
package/dist/chunk-RSF3UU7H.cjs.map +1 -0
package/dist/{chunk-V3LKPM3O.cjs → chunk-SHTTJMLT.cjs} +4 -2
package/dist/chunk-SHTTJMLT.cjs.map +1 -0
package/dist/chunk-SPBTLUN6.js +92 -0
package/dist/chunk-SPBTLUN6.js.map +1 -0
package/dist/{chunk-57P6MJKC.js → chunk-TXSZFA4G.js} +3 -3
package/dist/chunk-TXSZFA4G.js.map +1 -0
package/dist/chunk-UERVXYVK.cjs +99 -0
package/dist/chunk-UERVXYVK.cjs.map +1 -0
package/dist/{chunk-PDYFVNUX.cjs → chunk-V2TVSCV5.cjs} +16 -23
package/dist/chunk-V2TVSCV5.cjs.map +1 -0
package/dist/{chunk-DXHRBMGB.js → chunk-VO35MNPH.js} +12 -19
package/dist/chunk-VO35MNPH.js.map +1 -0
package/dist/{chunk-IA6AU5PI.cjs → chunk-WNCYAKF3.cjs} +3 -3
package/dist/chunk-WNCYAKF3.cjs.map +1 -0
package/dist/chunk-XEB7PH2E.js +81 -0
package/dist/chunk-XEB7PH2E.js.map +1 -0
package/dist/cli/index.cjs +5 -5
package/dist/cli/index.cjs.map +1 -1
package/dist/cli/index.js +5 -5
package/dist/cli/index.js.map +1 -1
package/dist/client.cjs +3 -3
package/dist/client.d.cts +3 -3
package/dist/client.d.ts +3 -3
package/dist/client.js +1 -1
package/dist/drizzle/index.cjs +14 -13
package/dist/drizzle/index.d.cts +9 -7
package/dist/drizzle/index.d.ts +9 -7
package/dist/drizzle/index.js +5 -4
package/dist/fields/index.cjs +21 -37
package/dist/fields/index.d.cts +2 -22
package/dist/fields/index.d.ts +2 -22
package/dist/fields/index.js +1 -1
package/dist/graphql/index.cjs +5 -4
package/dist/graphql/index.d.cts +5 -3
package/dist/graphql/index.d.ts +5 -3
package/dist/graphql/index.js +3 -2
package/dist/index-CJXPB_ot.d.ts +276 -0
package/dist/index-CaTNnLGd.d.cts +276 -0
package/dist/index.cjs +304 -162
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +129 -205
package/dist/index.d.ts +129 -205
package/dist/index.js +172 -33
package/dist/index.js.map +1 -1
package/dist/integration.cjs +2 -2
package/dist/integration.js +1 -1
package/dist/mongo-auth-adapter-ISOM7FSS.cjs +17 -0
package/dist/{mongo-auth-adapter-NHHUJHVH.cjs.map → mongo-auth-adapter-ISOM7FSS.cjs.map} +1 -1
package/dist/mongo-auth-adapter-MO6STCV3.js +4 -0
package/dist/{mongo-auth-adapter-NJQUUCTP.js.map → mongo-auth-adapter-MO6STCV3.js.map} +1 -1
package/dist/mongodb/index.cjs +8 -7
package/dist/mongodb/index.d.cts +5 -7
package/dist/mongodb/index.d.ts +5 -7
package/dist/mongodb/index.js +4 -3
package/dist/postgres-auth-adapter-DWDR7P5G.js +5 -0
package/dist/{postgres-auth-adapter-3T2NKTSE.js.map → postgres-auth-adapter-DWDR7P5G.js.map} +1 -1
package/dist/postgres-auth-adapter-WRWSJD4E.cjs +14 -0
package/dist/{postgres-auth-adapter-7IEENCKQ.cjs.map → postgres-auth-adapter-WRWSJD4E.cjs.map} +1 -1
package/dist/redis-adapter-HGTPWIGV.js +4 -0
package/dist/{redis-adapter-VQXD7ESY.js.map → redis-adapter-HGTPWIGV.js.map} +1 -1
package/dist/redis-adapter-KJ3YOOT6.cjs +13 -0
package/dist/{redis-adapter-D2E2S3GB.cjs.map → redis-adapter-KJ3YOOT6.cjs.map} +1 -1
package/dist/rest/index.cjs +15 -14
package/dist/rest/index.d.cts +4 -4
package/dist/rest/index.d.ts +4 -4
package/dist/rest/index.js +13 -12
package/dist/{schema-5PHL5IVB.js → schema-6I5OFR4Z.js} +3 -3
package/dist/{schema-5PHL5IVB.js.map → schema-6I5OFR4Z.js.map} +1 -1
package/dist/{schema-37SE2F4B.cjs → schema-TTFE4467.cjs} +14 -14
package/dist/{schema-37SE2F4B.cjs.map → schema-TTFE4467.cjs.map} +1 -1
package/dist/sqlite-adapter-6GEUSVXQ.js +4 -0
package/dist/{sqlite-adapter-TR3U3W6Q.js.map → sqlite-adapter-6GEUSVXQ.js.map} +1 -1
package/dist/sqlite-adapter-CSIZE5SX.cjs +13 -0
package/dist/{sqlite-adapter-LVK5PS4T.cjs.map → sqlite-adapter-CSIZE5SX.cjs.map} +1 -1
package/dist/templates/index.cjs +133 -31
package/dist/templates/index.d.cts +52 -9
package/dist/templates/index.d.ts +52 -9
package/dist/templates/index.js +3 -1
package/dist/trpc/index.cjs +13 -12
package/dist/trpc/index.d.cts +55 -49
package/dist/trpc/index.d.ts +55 -49
package/dist/trpc/index.js +4 -3
package/dist/{types-D6ZLRGbH.d.cts → types-CpjuXbe7.d.cts} +2 -0
package/dist/{types-D6ZLRGbH.d.ts → types-CpjuXbe7.d.ts} +2 -0
package/dist/{types-Bs1up4yP.d.ts → types-CyCQ6SAI.d.ts} +28 -2
package/dist/{types-J3R9nVsZ.d.cts → types-DJxD9394.d.cts} +28 -2
package/dist/{types-VtjUxIMp.d.cts → types-Z6FBiqa2.d.cts} +35 -14
package/dist/{types-VtjUxIMp.d.ts → types-Z6FBiqa2.d.ts} +35 -14
package/package.json +22 -4
package/dist/bootstrap-AKAUP6F6.cjs +0 -32
package/dist/bootstrap-JCML6NFO.js +0 -7
package/dist/chunk-2KVHZE6O.cjs.map +0 -1
package/dist/chunk-2OL4O2TH.cjs.map +0 -1
package/dist/chunk-35U3FROB.js.map +0 -1
package/dist/chunk-3AJE4SEG.js.map +0 -1
package/dist/chunk-3J4MFTI3.js +0 -3872
package/dist/chunk-3J4MFTI3.js.map +0 -1
package/dist/chunk-3ZFYL34R.js.map +0 -1
package/dist/chunk-4DA7QPLA.cjs.map +0 -1
package/dist/chunk-57P6MJKC.js.map +0 -1
package/dist/chunk-5KVM3WEY.cjs.map +0 -1
package/dist/chunk-6IMPH6WV.cjs +0 -3897
package/dist/chunk-6IMPH6WV.cjs.map +0 -1
package/dist/chunk-ATBOUGQP.cjs +0 -513
package/dist/chunk-ATBOUGQP.cjs.map +0 -1
package/dist/chunk-DXHRBMGB.js.map +0 -1
package/dist/chunk-ES5HNFFT.js.map +0 -1
package/dist/chunk-FXYP2HA6.js.map +0 -1
package/dist/chunk-H727JIG7.js.map +0 -1
package/dist/chunk-HXRD4B37.js.map +0 -1
package/dist/chunk-I7HHI6QV.cjs.map +0 -1
package/dist/chunk-IA6AU5PI.cjs.map +0 -1
package/dist/chunk-IBG6V56E.cjs.map +0 -1
package/dist/chunk-K7JPTH3G.cjs.map +0 -1
package/dist/chunk-LINKCEG4.cjs.map +0 -1
package/dist/chunk-OHVB4AJ7.js.map +0 -1
package/dist/chunk-PDYFVNUX.cjs.map +0 -1
package/dist/chunk-Q23JB3KL.js +0 -488
package/dist/chunk-Q23JB3KL.js.map +0 -1
package/dist/chunk-QPPDLRNR.js.map +0 -1
package/dist/chunk-QUW2RZTM.cjs.map +0 -1
package/dist/chunk-QXIQWPAP.js.map +0 -1
package/dist/chunk-R3XIBBAW.cjs +0 -34
package/dist/chunk-R3XIBBAW.cjs.map +0 -1
package/dist/chunk-REK7AYOC.js.map +0 -1
package/dist/chunk-SA7NSSIQ.cjs.map +0 -1
package/dist/chunk-SDMNUYVU.js +0 -30
package/dist/chunk-SDMNUYVU.js.map +0 -1
package/dist/chunk-V3LKPM3O.cjs.map +0 -1
package/dist/chunk-VJT6P4N6.cjs.map +0 -1
package/dist/chunk-WOWUL7ZY.js.map +0 -1
package/dist/chunk-WQBRWOQT.cjs.map +0 -1
package/dist/chunk-Y3N7UUDO.js.map +0 -1
package/dist/chunk-Y3QQN7PN.js.map +0 -1
package/dist/chunk-YVUJBEXE.cjs.map +0 -1
package/dist/index-CLp-DRKA.d.ts +0 -64
package/dist/index-DfO7G4kN.d.cts +0 -64
package/dist/mongo-auth-adapter-NHHUJHVH.cjs +0 -17
package/dist/mongo-auth-adapter-NJQUUCTP.js +0 -4
package/dist/postgres-auth-adapter-3T2NKTSE.js +0 -5
package/dist/postgres-auth-adapter-7IEENCKQ.cjs +0 -14
package/dist/redis-adapter-D2E2S3GB.cjs +0 -13
package/dist/redis-adapter-VQXD7ESY.js +0 -4
package/dist/sqlite-adapter-LVK5PS4T.cjs +0 -13
package/dist/sqlite-adapter-TR3U3W6Q.js +0 -4

package/dist/{chunk-HXRD4B37.js → chunk-PU2Z5VWF.js} RENAMED Viewed

@@ -1,14 +1,14 @@
-import { PasswordPolicy, ConfigService, EmailTransport } from './chunk-57P6MJKC.js';
-import { SQLiteAuthAdapter } from './chunk-H727JIG7.js';
+import { PasswordPolicy, ConfigService, EmailTransport } from './chunk-TXSZFA4G.js';
+import { usersCollection } from './chunk-XEB7PH2E.js';
+import { SQLiteAuthAdapter } from './chunk-Q72BOAPK.js';
 import { createAuditContext } from './chunk-P2YW545G.js';
-import { WEBHOOK_EVENTS, extractApiKeyFromRequest, validateApiKey, createApiKeyContext, API_KEY_COLLECTION, generateApiKey, generateApiKeyPrefix, hasApiKeyPermission } from './chunk-QXIQWPAP.js';
-import { buildGraphQLSchema } from './chunk-REK7AYOC.js';
-import { evaluateAccess } from './chunk-SDMNUYVU.js';
-import { genId, DrizzleAdapter } from './chunk-QPPDLRNR.js';
-import { PostgresAuthAdapter } from './chunk-OHVB4AJ7.js';
-import { MongoDBAdapter } from './chunk-DXHRBMGB.js';
-import { MongoDBAuthAdapter } from './chunk-Y3N7UUDO.js';
-import { hasPermission } from './chunk-3ZFYL34R.js';
+import { WEBHOOK_EVENTS } from './chunk-3UK5XBVJ.js';
+import { API_KEY_COLLECTION, generateApiKey, generateApiKeyPrefix, evaluateAccess, hasApiKeyPermission, extractApiKeyFromRequest, validateApiKey, createApiKeyContext } from './chunk-CJONKRHJ.js';
+import { genId, DrizzleAdapter } from './chunk-EJN2PAOE.js';
+import { PostgresAuthAdapter } from './chunk-FOPGUM27.js';
+import { MongoDBAdapter } from './chunk-VO35MNPH.js';
+import { MongoDBAuthAdapter } from './chunk-7OGPN7MP.js';
+import { hasPermission } from './chunk-L4EZKIEX.js';
 import { __esm, __export, __toCommonJS, __require } from './chunk-Z6ZWNWWR.js';
 import crypto, { randomBytes, createHash } from 'crypto';
 import { createStorage } from 'unstorage';
@@ -17,11 +17,12 @@ import { Hono } from 'hono';
 import path, { join, basename, extname, resolve } from 'path';
 import { existsSync, readFileSync } from 'fs';
 import sharp from 'sharp';
-import { parse, execute } from 'graphql';
 import { mkdir, readdir, stat, rename, unlink, writeFile } from 'fs/promises';
+import process2 from 'process';
 import { S3Client, ListObjectsV2Command, DeleteObjectsCommand, DeleteObjectCommand, PutObjectCommand, HeadObjectCommand, CopyObjectCommand } from '@aws-sdk/client-s3';
 import { Readable } from 'stream';
 import { Client } from 'basic-ftp';
+import { zodToJsonSchema } from 'zod-to-json-schema';
 function setDbAdapter(adapter) {
   dbAdapter = adapter;
@@ -773,7 +774,7 @@ var AuditLogger = class {
   serializeLog(log) {
     const result = {
       id: log.id,
-      timestamp: log.timestamp.toISOString(),
+      timestamp: new Date(log.timestamp).toISOString(),
       action: log.action,
       resource: log.resource,
       success: log.success ? "1" : "0"
@@ -1168,23 +1169,19 @@ var AuthRoutes = class {
     }
   }
   async me(req) {
-    try {
-      const session = await getCurrentUser(req);
-      if (!session) {
-        return this.errorResponse("Not authenticated", 401);
-      }
-      const user = await this.authAdapter.findUserById(session.userId);
-      if (!user) {
-        return this.errorResponse("User not found", 404);
-      }
-      return this.jsonResponse({
-        success: true,
-        user: this.sanitizeUser(user)
-      });
-    } catch (error) {
-      console.error("[AuthRoutes.me] Authentication failed:", error.message);
-      return this.errorResponse("Authentication failed", 401);
+    const session = await getCurrentUser(req);
+    if (!session) {
+      return this.errorResponse("Not authenticated", 401);
     }
+    return this.jsonResponse({
+      success: true,
+      user: {
+        id: session.userId,
+        email: session.email,
+        role: session.role,
+        tenantId: session.tenantId
+      }
+    });
   }
   async changePassword(req) {
     const session = await getCurrentUser(req);
@@ -1294,7 +1291,7 @@ var AuthRoutes = class {
       }
       if (this.auditLogger) {
         await this.auditLogger.log({
-          action: "password_reset_request",
+          action: "password_reset",
           userId: user.id,
           userEmail: user.email,
           resource: "auth",
@@ -1482,7 +1479,7 @@ var AuthRoutes = class {
   }
 };
 function createLocalStorage(config) {
-  const { uploadDir, baseUrl = "/uploads" } = config;
+  const { uploadDir = join(process2.cwd(), "public", "uploads"), baseUrl = "/uploads" } = config;
   async function ensureDir(dir) {
     if (!existsSync(dir)) {
       await mkdir(dir, { recursive: true });
@@ -1670,6 +1667,467 @@ function createLocalStorage(config) {
     }
   };
 }
+// src/storage/imgix.ts
+function createImgixStorage(config) {
+  const signUrl = (path3, params) => {
+    if (!config.signKey) return path3;
+    const signer = new TextEncoder();
+    const key = signer.encode(config.signKey);
+    const data = signer.encode(path3 + params.toString());
+    let hash = 0;
+    const combined = new Uint8Array(key.length + data.length);
+    combined.set(key);
+    combined.set(data, key.length);
+    for (let i = 0; i < combined.length; i++) {
+      hash = (hash << 5) - hash + combined[i] | 0;
+    }
+    params.set("s", Math.abs(hash).toString(16));
+    return path3;
+  };
+  return {
+    name: "imgix",
+    displayName: "Imgix",
+    supportsDynamicResize: true,
+    async upload(_file, _options) {
+      throw new Error(
+        "Imgix is a transformation service. Use another provider for uploads."
+      );
+    },
+    async uploadFromUrl(url, options) {
+      const filename = options?.filename || url.split("/").pop() || "file";
+      const response = await fetch(url);
+      if (!response.ok) {
+        throw new Error(`Failed to fetch: ${response.statusText}`);
+      }
+      const blob = await response.blob();
+      new File([blob], filename, { type: blob.type });
+      return {
+        id: Buffer.from(url).toString("base64").slice(0, 20),
+        filename,
+        originalName: filename,
+        mimeType: blob.type,
+        size: blob.size,
+        url: this.getImageUrl(url),
+        thumbnailUrl: this.getImageUrl(url, {
+          width: 200,
+          height: 200,
+          fit: "crop"
+        }),
+        provider: "imgix",
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    },
+    async delete(_url) {
+    },
+    async rename(_oldUrl, newKey) {
+      return `https://${config.domain}/${newKey}`;
+    },
+    getImageUrl(url, transforms) {
+      const parsed = new URL(url);
+      const params = new URLSearchParams(parsed.search);
+      if (config.defaultParameters) {
+        Object.entries(config.defaultParameters).forEach(([key, value]) => {
+          if (!params.has(key)) {
+            params.set(key, value);
+          }
+        });
+      }
+      if (transforms) {
+        if (transforms.width) params.set("w", String(transforms.width));
+        if (transforms.height) params.set("h", String(transforms.height));
+        if (transforms.quality) params.set("q", String(transforms.quality));
+        if (transforms.format) params.set("fm", transforms.format);
+        if (transforms.fit) params.set("fit", transforms.fit);
+        if (transforms.blur) params.set("blur", String(transforms.blur));
+        if (transforms.sharpen) params.set("sharp", String(transforms.sharpen));
+      }
+      params.set("auto", "compress,format");
+      parsed.pathname + "?" + params.toString();
+      if (config.signKey) {
+        signUrl(parsed.pathname + params.toString(), params);
+      }
+      return `https://${config.domain}${parsed.pathname}${params.toString() ? "?" + params.toString() : ""}`;
+    },
+    async generateThumbnail(file) {
+      return this.getImageUrl(file.url, {
+        width: 200,
+        height: 200,
+        fit: "crop"
+      });
+    },
+    async list() {
+      return [];
+    },
+    async exists(url) {
+      try {
+        const response = await fetch(url, { method: "HEAD" });
+        return response.ok;
+      } catch {
+        return false;
+      }
+    },
+    async createFolder() {
+    },
+    async deleteFolder() {
+    }
+  };
+}
+// src/storage/bunny.ts
+function getUrl(key, config) {
+  if (config.cdnUrl) {
+    return `${config.cdnUrl.replace(/\/$/, "")}/${key}`;
+  }
+  return `https://${config.storageZone}.b-cdn.net/${key}`;
+}
+function getUrlPrefix(config) {
+  if (config.cdnUrl) {
+    return config.cdnUrl.replace(/\/$/, "") + "/";
+  }
+  return `https://${config.storageZone}.b-cdn.net/`;
+}
+function createBunnyStorage(config) {
+  const baseUrl = `https://storage.bunnycdn.com/${config.storageZone}`;
+  const getKey = (path3) => {
+    const prefix = config.prefix ? `${config.prefix}/` : "";
+    return `${prefix}${path3}`.replace(/\/+/g, "/");
+  };
+  return {
+    name: "bunny",
+    displayName: "Bunny.net Storage",
+    supportsDynamicResize: true,
+    async upload(file, options) {
+      const key = getKey(
+        `${options?.folder ? `${options.folder}/` : ""}${options?.filename || file.name}`
+      );
+      const buffer = Buffer.from(await file.arrayBuffer());
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "PUT",
+        headers: {
+          AccessKey: config.apiKey,
+          "Content-Type": file.type
+        },
+        body: buffer
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(
+          `Bunny.net upload failed: ${response.status} ${errorText}`
+        );
+      }
+      return {
+        id: Buffer.from(key).toString("base64url"),
+        filename: options?.filename || file.name,
+        originalName: file.name,
+        mimeType: file.type,
+        size: buffer.length,
+        url: getUrl(key, config),
+        thumbnailUrl: file.type.startsWith("image/") ? getUrl(key, config) : void 0,
+        folder: options?.folder,
+        provider: "bunny",
+        metadata: options?.metadata,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    },
+    async uploadFromUrl(url) {
+      const response = await fetch(url);
+      if (!response.ok) {
+        throw new Error(`Failed to fetch: ${response.statusText}`);
+      }
+      const blob = await response.blob();
+      const filename = url.split("/").pop() || "file";
+      const file = new File([blob], filename, { type: blob.type });
+      return this.upload(file);
+    },
+    async delete(url) {
+      const key = url.replace(getUrlPrefix(config), "");
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "DELETE",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      if (!response.ok && response.status !== 404) {
+        const errorText = await response.text();
+        throw new Error(
+          `Bunny.net delete failed: ${response.status} ${errorText}`
+        );
+      }
+    },
+    async rename(oldUrl, newKey) {
+      const oldKey = oldUrl.replace(getUrlPrefix(config), "");
+      const fullPath = config.prefix ? `${config.prefix}/${newKey}` : newKey;
+      const response = await fetch(`${baseUrl}/${oldKey}`, {
+        method: "GET",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      if (!response.ok) {
+        throw new Error(`Bunny.net rename failed: could not read old file`);
+      }
+      const content = await response.arrayBuffer();
+      await fetch(`${baseUrl}/${fullPath}`, {
+        method: "PUT",
+        headers: {
+          AccessKey: config.apiKey,
+          "Content-Type": response.headers.get("Content-Type") || "application/octet-stream"
+        },
+        body: content
+      });
+      await this.delete(oldUrl);
+      return getUrl(fullPath, config);
+    },
+    getImageUrl(url, transforms) {
+      if (!transforms || Object.keys(transforms).length === 0) return url;
+      const params = new URLSearchParams({ url });
+      if (transforms.width) params.set("w", String(transforms.width));
+      if (transforms.height) params.set("h", String(transforms.height));
+      if (transforms.quality) params.set("q", String(transforms.quality));
+      if (transforms.format) params.set("f", transforms.format);
+      return `/api/media/resize?${params.toString()}`;
+    },
+    async generateThumbnail(file) {
+      return this.getImageUrl(file.url, { width: 400, height: 400 });
+    },
+    async list(prefix) {
+      const key = getKey(prefix || "");
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "GET",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(
+          `Bunny.net list failed: ${response.status} ${errorText}`
+        );
+      }
+      const items = await response.json();
+      return items.map((item) => ({
+        id: Buffer.from(item.ObjectName || "").toString("base64url"),
+        filename: item.ObjectName?.split("/").pop() || "",
+        originalName: item.ObjectName?.split("/").pop() || "",
+        mimeType: "application/octet-stream",
+        size: item.Length || 0,
+        url: getUrl(item.ObjectName || "", config),
+        provider: "bunny",
+        createdAt: item.LastChanged || (/* @__PURE__ */ new Date()).toISOString()
+      }));
+    },
+    async exists(url) {
+      const key = url.replace(getUrlPrefix(config), "");
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "HEAD",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      return response.ok;
+    },
+    async createFolder(folder) {
+      const key = getKey(`${folder}/`);
+      await fetch(`${baseUrl}/${key}`, {
+        method: "PUT",
+        headers: {
+          AccessKey: config.apiKey,
+          "Content-Length": "0"
+        },
+        body: ""
+      });
+    },
+    async deleteFolder(folder) {
+      const key = getKey(`${folder}/`);
+      await fetch(`${baseUrl}/${key}`, {
+        method: "DELETE",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+    }
+  };
+}
+var StorageProviderRegistry = class {
+  providers = /* @__PURE__ */ new Map();
+  providerToPlugin = /* @__PURE__ */ new Map();
+  disabledPlugins = /* @__PURE__ */ new Set();
+  constructor() {
+    this.registerLocal();
+    this.registerImgix();
+    this.registerBunny();
+  }
+  registerLocal() {
+    this.register({
+      type: "local",
+      displayName: "Local Server",
+      configKey: "local",
+      configFields: [
+        {
+          name: "uploadDir",
+          type: "text",
+          label: "Upload Directory",
+          defaultValue: "./public/uploads"
+        },
+        {
+          name: "baseUrl",
+          type: "text",
+          label: "Base URL",
+          defaultValue: "/uploads"
+        }
+      ],
+      extractConfig: (sc, key) => sc[key] || {},
+      extractRawConfig: (c) => {
+        const localConfig = c?.local || c;
+        const savedUploadDir = (localConfig?.uploadDir || "").trim();
+        let uploadDir;
+        if (savedUploadDir) {
+          if (path.isAbsolute(savedUploadDir)) {
+            uploadDir = savedUploadDir;
+          } else if (savedUploadDir.includes("/") || savedUploadDir.includes("\\")) {
+            uploadDir = path.resolve(process.cwd(), savedUploadDir);
+          } else {
+            uploadDir = path.join(process.cwd(), "public", savedUploadDir);
+          }
+        } else {
+          uploadDir = path.join(process.cwd(), "public", "uploads");
+        }
+        const savedBaseUrl = (localConfig?.baseUrl || "").trim();
+        let baseUrl;
+        if (savedBaseUrl) {
+          baseUrl = savedBaseUrl.startsWith("/") ? savedBaseUrl : `/${savedBaseUrl}`;
+        } else {
+          baseUrl = "/uploads";
+        }
+        return { uploadDir, baseUrl };
+      },
+      factory: (c) => createLocalStorage(c)
+    });
+  }
+  registerImgix() {
+    this.register({
+      type: "imgix",
+      displayName: "Imgix",
+      configKey: "imgix",
+      configFields: [
+        { name: "domain", type: "text", label: "Domain", required: true },
+        { name: "signKey", type: "password", label: "Sign Key" }
+      ],
+      extractConfig: (sc, key) => sc[key] || {},
+      extractRawConfig: (c) => c?.imgix || c,
+      factory: (c) => createImgixStorage(c)
+    });
+  }
+  registerBunny() {
+    this.register({
+      type: "bunny",
+      displayName: "Bunny.net",
+      configKey: "bunny",
+      configFields: [
+        {
+          name: "storageZone",
+          type: "text",
+          label: "Storage Zone",
+          required: true
+        },
+        { name: "apiKey", type: "password", label: "API Key", required: true },
+        { name: "cdnUrl", type: "text", label: "CDN URL" },
+        { name: "prefix", type: "text", label: "Path Prefix" }
+      ],
+      extractConfig: (sc, key) => sc[key] || {},
+      extractRawConfig: (c) => c?.bunny || c,
+      factory: (c) => createBunnyStorage(c)
+    });
+  }
+  register(registration) {
+    if (this.providers.has(registration.type)) {
+      console.warn(
+        `[StorageRegistry] Provider "${registration.type}" already registered, skipping`
+      );
+      return;
+    }
+    if (registration.pluginName) {
+      this.providerToPlugin.set(registration.type, registration.pluginName);
+    }
+    this.providers.set(registration.type, registration);
+  }
+  unregister(type) {
+    this.providers.delete(type);
+    this.providerToPlugin.delete(type);
+  }
+  get(type) {
+    return this.providers.get(type);
+  }
+  getAll() {
+    return Array.from(this.providers.values());
+  }
+  getAllAvailable(isPluginEnabled) {
+    const all = this.getAll();
+    if (!isPluginEnabled) return all;
+    return all.filter((p) => {
+      if (!p.pluginName) return true;
+      return isPluginEnabled(p.pluginName);
+    });
+  }
+  has(type) {
+    return this.providers.has(type);
+  }
+  async resolve(type, storageConfig) {
+    const reg = this.providers.get(type);
+    if (!reg) {
+      throw new Error(
+        `Unknown storage provider type: "${type}". Is the plugin that provides it enabled?`
+      );
+    }
+    if (reg.pluginName && this.disabledPlugins.has(reg.pluginName)) {
+      throw new Error(
+        `Storage provider "${type}" is not available (plugin "${reg.pluginName}" is disabled)`
+      );
+    }
+    const configKey = reg.configKey || type;
+    const config = reg.extractConfig(storageConfig, configKey);
+    return reg.factory(config);
+  }
+  async resolveWithConfig(type, config) {
+    const reg = this.providers.get(type);
+    if (!reg) {
+      throw new Error(
+        `Unknown storage provider type: "${type}". Is the plugin that provides it enabled?`
+      );
+    }
+    if (reg.pluginName && this.disabledPlugins.has(reg.pluginName)) {
+      throw new Error(
+        `Storage provider "${type}" is not available (plugin "${reg.pluginName}" is disabled)`
+      );
+    }
+    const providerConfig = reg.extractRawConfig(config);
+    return reg.factory(providerConfig);
+  }
+  getProviderPluginName(type) {
+    return this.providerToPlugin.get(type);
+  }
+  getAllPluginNames() {
+    return Array.from(new Set(this.providerToPlugin.values()));
+  }
+  setPluginEnabled(name, enabled) {
+    if (enabled) {
+      this.disabledPlugins.delete(name);
+    } else {
+      this.disabledPlugins.add(name);
+    }
+  }
+  isPluginEnabled(name) {
+    return !this.disabledPlugins.has(name);
+  }
+};
+var instance = null;
+function getDefaultRegistry() {
+  if (!instance) {
+    instance = new StorageProviderRegistry();
+  }
+  return instance;
+}
 function extractPublicDevUrlId(url) {
   if (!url) return "";
   if (url.startsWith("pub-")) return url;
@@ -1703,7 +2161,7 @@ function getPublicUrl(key, config) {
       return `https://${config.bucket}.s3.${config.region}.amazonaws.com/${normalizedKey}`;
   }
 }
-function getUrlPrefix(config) {
+function getUrlPrefix2(config) {
   if (config.cdnUrl) {
     return config.cdnUrl.replace(/\/$/, "") + "/";
   }
@@ -1771,11 +2229,11 @@ function createS3Storage(config) {
       })
     }
   });
-  const getKey = (path2) => {
+  const getKey = (path3) => {
     const prefix = config.prefix ? `${config.prefix}/` : "";
-    return `${prefix}${path2}`.replace(/\/+/g, "/");
+    return `${prefix}${path3}`.replace(/\/+/g, "/");
   };
-  const getUrl = (key) => getPublicUrl(key, config);
+  const getUrl2 = (key) => getPublicUrl(key, config);
   return {
     name: config.provider,
     displayName: getDisplayName(config.provider),
@@ -1806,8 +2264,8 @@ function createS3Storage(config) {
         originalName: file.name,
         mimeType: file.type,
         size: buffer.length,
-        url: getUrl(key),
-        thumbnailUrl: file.type.startsWith("image/") ? getUrl(key) : void 0,
+        url: getUrl2(key),
+        thumbnailUrl: file.type.startsWith("image/") ? getUrl2(key) : void 0,
         folder: options?.folder,
         provider: config.provider,
         metadata: {
@@ -1828,7 +2286,7 @@ function createS3Storage(config) {
       return this.upload(file);
     },
     async delete(url) {
-      const key = url.replace(getUrlPrefix(config), "");
+      const key = url.replace(getUrlPrefix2(config), "");
       await client.send(
         new DeleteObjectCommand({
           Bucket: config.bucket,
@@ -1837,7 +2295,7 @@ function createS3Storage(config) {
       );
     },
     async rename(oldUrl, newKey) {
-      const oldKey = oldUrl.replace(getUrlPrefix(config), "");
+      const oldKey = oldUrl.replace(getUrlPrefix2(config), "");
       const newKeyWithPrefix = config.prefix ? `${config.prefix}/${newKey}` : newKey;
       await client.send(
         new CopyObjectCommand({
@@ -1852,7 +2310,7 @@ function createS3Storage(config) {
           Key: oldKey
         })
       );
-      return getUrl(newKeyWithPrefix);
+      return getUrl2(newKeyWithPrefix);
     },
     getImageUrl(url, transforms) {
       if (!transforms || Object.keys(transforms).length === 0) return url;
@@ -1880,14 +2338,14 @@ function createS3Storage(config) {
         originalName: item.Key?.split("/").pop() || "",
         mimeType: "application/octet-stream",
         size: item.Size || 0,
-        url: getUrl(item.Key || ""),
+        url: getUrl2(item.Key || ""),
         provider: config.provider,
         createdAt: item.LastModified?.toISOString() || (/* @__PURE__ */ new Date()).toISOString()
       }));
     },
     async exists(url) {
       try {
-        const key = url.replace(getUrlPrefix(config), "");
+        const key = url.replace(getUrlPrefix2(config), "");
         await client.send(
           new HeadObjectCommand({
             Bucket: config.bucket,
@@ -1947,9 +2405,9 @@ function createS3Storage(config) {
 function createCloudinaryStorage(config) {
   const getBaseUrl = () => `https://api.cloudinary.com/v1_1/${config.cloudName}/upload`;
   const generateSignature = async (params) => {
-    const crypto3 = await import('crypto');
+    const crypto4 = await import('crypto');
     const sortedParams = Object.keys(params).sort().map((key) => `${key}=${params[key]}`).join("&");
-    return crypto3.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
+    return crypto4.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
   };
   return {
     name: "cloudinary",
@@ -2051,8 +2509,8 @@ function createCloudinaryStorage(config) {
           public_id: publicId
         };
         const sortedParams = Object.keys(signatureParams).sort().map((key) => `${key}=${signatureParams[key]}`).join("&");
-        const crypto3 = await import('crypto');
-        const signature = crypto3.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
+        const crypto4 = await import('crypto');
+        const signature = crypto4.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
         const deleteUrl = `https://api.cloudinary.com/v1_1/${config.cloudName}/image/destroy`;
         const formData = new FormData();
         formData.append("public_id", publicId);
@@ -2103,8 +2561,8 @@ function createCloudinaryStorage(config) {
           timestamp: String(timestamp)
         };
         const sortedParams = Object.keys(signatureParams).sort().map((key) => `${key}=${signatureParams[key]}`).join("&");
-        const crypto3 = await import('crypto');
-        const signature = crypto3.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
+        const crypto4 = await import('crypto');
+        const signature = crypto4.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
         const formData = new FormData();
         formData.append("from_public_id", publicIdWithoutVersion);
         formData.append("to_public_id", newPublicId);
@@ -2175,112 +2633,6 @@ function createCloudinaryStorage(config) {
     }
   };
 }
-// src/storage/imgix.ts
-function createImgixStorage(config) {
-  const signUrl = (path2, params) => {
-    if (!config.signKey) return path2;
-    const signer = new TextEncoder();
-    const key = signer.encode(config.signKey);
-    const data = signer.encode(path2 + params.toString());
-    let hash = 0;
-    const combined = new Uint8Array(key.length + data.length);
-    combined.set(key);
-    combined.set(data, key.length);
-    for (let i = 0; i < combined.length; i++) {
-      hash = (hash << 5) - hash + combined[i] | 0;
-    }
-    params.set("s", Math.abs(hash).toString(16));
-    return path2;
-  };
-  return {
-    name: "imgix",
-    displayName: "Imgix",
-    supportsDynamicResize: true,
-    async upload(_file, _options) {
-      throw new Error(
-        "Imgix is a transformation service. Use another provider for uploads."
-      );
-    },
-    async uploadFromUrl(url, options) {
-      const filename = options?.filename || url.split("/").pop() || "file";
-      const response = await fetch(url);
-      if (!response.ok) {
-        throw new Error(`Failed to fetch: ${response.statusText}`);
-      }
-      const blob = await response.blob();
-      new File([blob], filename, { type: blob.type });
-      return {
-        id: Buffer.from(url).toString("base64").slice(0, 20),
-        filename,
-        originalName: filename,
-        mimeType: blob.type,
-        size: blob.size,
-        url: this.getImageUrl(url),
-        thumbnailUrl: this.getImageUrl(url, {
-          width: 200,
-          height: 200,
-          fit: "crop"
-        }),
-        provider: "imgix",
-        createdAt: (/* @__PURE__ */ new Date()).toISOString()
-      };
-    },
-    async delete(_url) {
-    },
-    async rename(_oldUrl, newKey) {
-      return `https://${config.domain}/${newKey}`;
-    },
-    getImageUrl(url, transforms) {
-      const parsed = new URL(url);
-      const params = new URLSearchParams(parsed.search);
-      if (config.defaultParameters) {
-        Object.entries(config.defaultParameters).forEach(([key, value]) => {
-          if (!params.has(key)) {
-            params.set(key, value);
-          }
-        });
-      }
-      if (transforms) {
-        if (transforms.width) params.set("w", String(transforms.width));
-        if (transforms.height) params.set("h", String(transforms.height));
-        if (transforms.quality) params.set("q", String(transforms.quality));
-        if (transforms.format) params.set("fm", transforms.format);
-        if (transforms.fit) params.set("fit", transforms.fit);
-        if (transforms.blur) params.set("blur", String(transforms.blur));
-        if (transforms.sharpen) params.set("sharp", String(transforms.sharpen));
-      }
-      params.set("auto", "compress,format");
-      parsed.pathname + "?" + params.toString();
-      if (config.signKey) {
-        signUrl(parsed.pathname + params.toString(), params);
-      }
-      return `https://${config.domain}${parsed.pathname}${params.toString() ? "?" + params.toString() : ""}`;
-    },
-    async generateThumbnail(file) {
-      return this.getImageUrl(file.url, {
-        width: 200,
-        height: 200,
-        fit: "crop"
-      });
-    },
-    async list() {
-      return [];
-    },
-    async exists(url) {
-      try {
-        const response = await fetch(url, { method: "HEAD" });
-        return response.ok;
-      } catch {
-        return false;
-      }
-    },
-    async createFolder() {
-    },
-    async deleteFolder() {
-    }
-  };
-}
 function createFtpStorage(config) {
   let client = null;
   async function getClient() {
@@ -2298,15 +2650,15 @@ function createFtpStorage(config) {
     }
     return client;
   }
-  const getKey = (path2) => {
+  const getKey = (path3) => {
     const prefix = config.prefix ? `${config.prefix}/` : "";
-    return `${prefix}${path2}`.replace(/\/+/g, "/");
+    return `${prefix}${path3}`.replace(/\/+/g, "/");
   };
-  const getUrl = (key) => {
+  const getUrl2 = (key) => {
     const base = config.baseUrl.replace(/\/$/, "");
     return `${base}/${key}`;
   };
-  const getUrlPrefix2 = () => {
+  const getUrlPrefix3 = () => {
     const base = config.baseUrl.replace(/\/$/, "");
     return base + "/";
   };
@@ -2337,8 +2689,8 @@ function createFtpStorage(config) {
         originalName: file.name,
         mimeType: file.type,
         size: buffer.length,
-        url: getUrl(key),
-        thumbnailUrl: file.type.startsWith("image/") ? getUrl(key) : void 0,
+        url: getUrl2(key),
+        thumbnailUrl: file.type.startsWith("image/") ? getUrl2(key) : void 0,
         folder: options?.folder,
         provider: config.type,
         metadata: options?.metadata,
@@ -2357,15 +2709,15 @@ function createFtpStorage(config) {
     },
     async delete(url) {
       const ftp = await getClient();
-      const key = url.replace(getUrlPrefix2(), "");
+      const key = url.replace(getUrlPrefix3(), "");
       await ftp.remove(key);
     },
     async rename(oldUrl, newKey) {
       const ftp = await getClient();
-      const oldKey = oldUrl.replace(getUrlPrefix2(), "");
+      const oldKey = oldUrl.replace(getUrlPrefix3(), "");
       const fullPath = config.prefix ? `${config.prefix}/${newKey}` : newKey;
       await ftp.rename(oldKey, fullPath);
-      return getUrl(fullPath);
+      return getUrl2(fullPath);
     },
     getImageUrl(url, transforms) {
       if (!transforms || Object.keys(transforms).length === 0) return url;
@@ -2394,14 +2746,14 @@ function createFtpStorage(config) {
         originalName: item.name,
         mimeType: "application/octet-stream",
         size: Number(item.size) || 0,
-        url: getUrl(`${key}/${item.name}`.replace(/\/+/g, "/")),
+        url: getUrl2(`${key}/${item.name}`.replace(/\/+/g, "/")),
         provider: config.type,
         createdAt: item.modifiedAt ? item.modifiedAt.toISOString() : (/* @__PURE__ */ new Date()).toISOString()
       }));
     },
     async exists(url) {
       const ftp = await getClient();
-      const key = url.replace(getUrlPrefix2(), "");
+      const key = url.replace(getUrlPrefix3(), "");
       try {
         await ftp.size(key);
         return true;
@@ -2425,105 +2777,17 @@ function createFtpStorage(config) {
 // src/storage/index.ts
 async function resolveProvider(configService) {
   const config = configService.getStorageConfig();
-  switch (config.type) {
-    case "aws":
-      return createS3Storage({
-        provider: "aws",
-        bucket: config.s3.bucket || "",
-        region: config.s3.region || "us-east-1",
-        accessKeyId: config.s3.accessKeyId || "",
-        secretAccessKey: config.s3.secretAccessKey || "",
-        endpoint: config.s3.endpoint,
-        cdnUrl: config.s3.cdnUrl,
-        prefix: config.s3.prefix
-      });
-    case "r2":
-      return createS3Storage({
-        provider: "r2",
-        bucket: config.r2.bucket || "",
-        region: "auto",
-        accessKeyId: config.r2.accessKeyId || "",
-        secretAccessKey: config.r2.secretAccessKey || "",
-        accountId: config.r2.accountId || "",
-        publicDevUrl: config.r2.publicDevUrl,
-        endpoint: `https://${config.r2.accountId || ""}.r2.cloudflarestorage.com`,
-        cdnUrl: config.r2.cdnUrl,
-        prefix: config.r2.prefix
-      });
-    case "gcs":
-      return createS3Storage({
-        provider: "gcs",
-        bucket: config.gcs.bucket || "",
-        region: config.gcs.projectId || "auto",
-        accessKeyId: config.gcs.clientEmail || "",
-        secretAccessKey: config.gcs.privateKey || "",
-        cdnUrl: config.gcs.cdnUrl,
-        prefix: config.gcs.prefix
-      });
-    case "digitalocean":
-      return createS3Storage({
-        provider: "digitalocean",
-        bucket: config.digitalocean.bucket || "",
-        region: config.digitalocean.region || "nyc3",
-        accessKeyId: config.digitalocean.accessKeyId || "",
-        secretAccessKey: config.digitalocean.secretAccessKey || "",
-        endpoint: `https://${config.digitalocean.region || "nyc3"}.digitaloceanspaces.com`,
-        cdnUrl: config.digitalocean.cdnUrl,
-        prefix: config.digitalocean.prefix
-      });
-    case "backblaze":
-      return createS3Storage({
-        provider: "backblaze",
-        bucket: config.backblaze.bucket || "",
-        region: "auto",
-        accessKeyId: config.backblaze.applicationKeyId || "",
-        secretAccessKey: config.backblaze.applicationKey || "",
-        accountId: config.backblaze.accountId || "",
-        endpoint: `https://s3.backblazeb2.com`,
-        cdnUrl: config.backblaze.cdnUrl,
-        prefix: config.backblaze.prefix
-      });
-    case "wasabi":
-      return createS3Storage({
-        provider: "wasabi",
-        bucket: config.wasabi.bucket || "",
-        region: config.wasabi.region || "us-east-1",
-        accessKeyId: config.wasabi.accessKeyId || "",
-        secretAccessKey: config.wasabi.secretAccessKey || "",
-        endpoint: `https://s3.${config.wasabi.region || "us-east-1"}.wasabisys.com`,
-        cdnUrl: config.wasabi.cdnUrl,
-        prefix: config.wasabi.prefix
-      });
-    case "ftp":
-    case "sftp":
-      return createFtpStorage({
-        host: config.ftp?.host || "",
-        port: config.ftp?.port || 21,
-        user: config.ftp?.user || "",
-        password: config.ftp?.password || "",
-        secure: config.ftp?.secure || false,
-        baseUrl: config.ftp?.baseUrl || "",
-        prefix: config.ftp?.prefix,
-        type: "ftp"
-      });
-    case "cloudinary":
-      return createCloudinaryStorage({
-        cloudName: config.cloudinary.cloudName || "",
-        apiKey: config.cloudinary.apiKey || "",
-        apiSecret: config.cloudinary.apiSecret || "",
-        folder: config.cloudinary.folder
-      });
-    case "imgix":
-      return createImgixStorage({
-        domain: config.imgix.domain || "",
-        signKey: config.imgix.signKey
-      });
-    case "local":
-    default:
-      return createLocalStorage({
-        uploadDir: config.local.uploadDir || path.join(process.cwd(), "public", "uploads"),
-        baseUrl: config.local.baseUrl || "/uploads"
-      });
+  const registry = getDefaultRegistry();
+  try {
+    return await registry.resolve(config.type, config);
+  } catch (err) {
+    console.warn(
+      `[resolveProvider] ${err.message} \u2014 falling back to local storage`
+    );
+    return createLocalStorage({
+      uploadDir: path.join(process.cwd(), "public", "uploads"),
+      baseUrl: "/uploads"
+    });
   }
 }
 async function resolveProviderWithConfig(config) {
@@ -2534,121 +2798,18 @@ async function resolveProviderWithConfig(config) {
       baseUrl: "/uploads"
     });
   }
-  console.log("[resolveProviderWithConfig] Creating provider:", config.type);
-  switch (config.type) {
-    case "aws":
-      return createS3Storage({
-        provider: "aws",
-        bucket: config.s3?.bucket || "",
-        region: config.s3?.region || "us-east-1",
-        accessKeyId: config.s3?.accessKeyId || "",
-        secretAccessKey: config.s3?.secretAccessKey || "",
-        endpoint: config.s3?.endpoint,
-        cdnUrl: config.s3?.cdnUrl,
-        prefix: config.s3?.prefix
-      });
-    case "r2":
-      return createS3Storage({
-        provider: "r2",
-        bucket: config.r2?.bucket || "",
-        region: "auto",
-        accessKeyId: config.r2?.accessKeyId || "",
-        secretAccessKey: config.r2?.secretAccessKey || "",
-        accountId: config.r2?.accountId || "",
-        publicDevUrl: config.r2?.publicDevUrl,
-        endpoint: `https://${config.r2?.accountId || ""}.r2.cloudflarestorage.com`,
-        cdnUrl: config.r2?.cdnUrl,
-        prefix: config.r2?.prefix
-      });
-    case "gcs":
-      return createS3Storage({
-        provider: "gcs",
-        bucket: config.gcs?.bucket || "",
-        region: config.gcs?.projectId || "auto",
-        accessKeyId: config.gcs?.clientEmail || "",
-        secretAccessKey: config.gcs?.privateKey || "",
-        cdnUrl: config.gcs?.cdnUrl,
-        prefix: config.gcs?.prefix
-      });
-    case "digitalocean":
-      return createS3Storage({
-        provider: "digitalocean",
-        bucket: config.digitalocean?.bucket || "",
-        region: config.digitalocean?.region || "nyc3",
-        accessKeyId: config.digitalocean?.accessKeyId || "",
-        secretAccessKey: config.digitalocean?.secretAccessKey || "",
-        cdnUrl: config.digitalocean?.cdnUrl,
-        prefix: config.digitalocean?.prefix
-      });
-    case "backblaze":
-      return createS3Storage({
-        provider: "backblaze",
-        bucket: config.backblaze?.bucket || "",
-        region: "auto",
-        accessKeyId: config.backblaze?.applicationKeyId || "",
-        secretAccessKey: config.backblaze?.applicationKey || "",
-        cdnUrl: config.backblaze?.cdnUrl,
-        prefix: config.backblaze?.prefix
-      });
-    case "wasabi":
-      return createS3Storage({
-        provider: "wasabi",
-        bucket: config.wasabi?.bucket || "",
-        region: config.wasabi?.region || "us-east-1",
-        accessKeyId: config.wasabi?.accessKeyId || "",
-        secretAccessKey: config.wasabi?.secretAccessKey || "",
-        cdnUrl: config.wasabi?.cdnUrl,
-        prefix: config.wasabi?.prefix
-      });
-    case "cloudinary":
-      return createCloudinaryStorage({
-        cloudName: config.cloudinary?.cloudName || "",
-        apiKey: config.cloudinary?.apiKey || "",
-        apiSecret: config.cloudinary?.apiSecret || "",
-        folder: config.cloudinary?.folder
-      });
-    case "ftp":
-    case "sftp": {
-      const ftpConf = config.ftp || config;
-      return createFtpStorage({
-        type: "ftp",
-        host: ftpConf.host || "",
-        port: ftpConf.port || 21,
-        user: ftpConf.user || "",
-        password: ftpConf.password || "",
-        secure: ftpConf.secure || false,
-        baseUrl: ftpConf.baseUrl || "",
-        prefix: ftpConf.prefix
-      });
-    }
-    case "local":
-    default: {
-      const localConfig = config.local || {
-        uploadDir: config["local.uploadDir"],
-        baseUrl: config["local.baseUrl"]
-      };
-      const savedUploadDir = (localConfig?.uploadDir || "").trim();
-      let uploadDir;
-      if (savedUploadDir) {
-        if (path.isAbsolute(savedUploadDir)) {
-          uploadDir = savedUploadDir;
-        } else if (savedUploadDir.includes("/") || savedUploadDir.includes("\\")) {
-          uploadDir = path.resolve(process.cwd(), savedUploadDir);
-        } else {
-          uploadDir = path.join(process.cwd(), "public", savedUploadDir);
-        }
-      } else {
-        uploadDir = path.join(process.cwd(), "public", "uploads");
-      }
-      const savedBaseUrl = (localConfig?.baseUrl || "").trim();
-      let baseUrl;
-      if (savedBaseUrl) {
-        baseUrl = savedBaseUrl.startsWith("/") ? savedBaseUrl : `/${savedBaseUrl}`;
-      } else {
-        baseUrl = "/uploads";
-      }
-      return createLocalStorage({ uploadDir, baseUrl });
-    }
+  const type = config.type || "local";
+  const registry = getDefaultRegistry();
+  try {
+    return await registry.resolveWithConfig(type, config);
+  } catch (err) {
+    console.warn(
+      `[resolveProviderWithConfig] ${err.message} \u2014 falling back to local storage`
+    );
+    return createLocalStorage({
+      uploadDir: path.join(process.cwd(), "public", "uploads"),
+      baseUrl: "/uploads"
+    });
   }
 }
 async function processImage(buffer) {
@@ -3252,8 +3413,33 @@ var MediaService = class _MediaService {
     }
   }
 };
-// src/api/rest/hono-app.ts
+function formatZodErrors(errors) {
+  return errors.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ");
+}
+function convertRichtextFields(fields, data) {
+  if (!data || typeof data !== "object") return;
+  for (const field of fields) {
+    if (field.type === "richtext" && field.name) {
+      const val = data[field.name];
+      if (typeof val === "string") {
+        data[field.name] = [{ type: "paragraph", children: [{ text: val }] }];
+      } else if (val && typeof val === "object" && !Array.isArray(val) && val.type === "doc" && Array.isArray(val.content)) {
+        data[field.name] = val.content;
+      }
+    }
+    if (field.type === "tabs" && field.name && Array.isArray(field.tabs) && data[field.name] && typeof data[field.name] === "object") {
+      for (const tab of field.tabs) {
+        if (Array.isArray(tab.fields)) convertRichtextFields(tab.fields, data[field.name]);
+      }
+    } else if ((field.type === "group" || field.type === "collapsible") && field.name && Array.isArray(field.fields) && data[field.name] && typeof data[field.name] === "object") {
+      convertRichtextFields(field.fields, data[field.name]);
+    } else if (field.type === "array" && field.name && Array.isArray(field.fields) && Array.isArray(data[field.name])) {
+      for (const item of data[field.name]) {
+        if (item && typeof item === "object") convertRichtextFields(field.fields, item);
+      }
+    }
+  }
+}
 var COLLECTION_EVENT_MAP = {
   _media: {
     create: WEBHOOK_EVENTS.MEDIA_UPLOAD,
@@ -3406,31 +3592,30 @@ async function checkGlobalAccess(global, operation, req, ctxUser, ctxTenantID, e
   return { allowed: true };
 }
 async function resolveAuthContext(req, authMw, staticUser, staticTenantID) {
-  if (!authMw) {
+  if (staticUser) {
     return {
       user: staticUser,
       tenantID: staticTenantID,
-      apiKeyContext: void 0
+      apiKeyContext: void 0,
+      authType: "static"
     };
   }
-  let result;
-  try {
-    result = await authMw(req);
-  } catch (err) {
-    return {
-      user: staticUser,
-      tenantID: staticTenantID,
-      apiKeyContext: void 0
-    };
-  }
-  if (result.status === 401) {
-    return { user: void 0, tenantID: void 0, apiKeyContext: void 0 };
+  if (authMw) {
+    const res = await authMw(req);
+    if (res.status === 200 && res.user) {
+      return {
+        user: res.user,
+        tenantID: res.tenantContext?.tenantId,
+        apiKeyContext: res.apiKeyContext,
+        authType: res.authType
+      };
+    }
   }
   return {
-    user: result.user || staticUser,
-    tenantID: result.tenantContext?.tenantId || staticTenantID,
-    apiKeyContext: result.apiKeyContext,
-    authType: result.authType
+    user: void 0,
+    tenantID: void 0,
+    apiKeyContext: void 0,
+    authType: void 0
   };
 }
 function createDefaultAuthAdapter(db, rootDir) {
@@ -3545,78 +3730,15 @@ function createHonoApp(options) {
     rateLimiter
   });
   app.post("/api/auth/login", async (c) => authRoutes.login(c.req.raw));
-  app.post("/api/auth/register", async (c) => authRoutes.register(c.req.raw));
-  app.post("/api/auth/logout", async (c) => authRoutes.logout(c.req.raw));
-  app.post("/api/auth/refresh", async (c) => authRoutes.refresh(c.req.raw));
-  app.get("/api/auth/me", async (c) => authRoutes.me(c.req.raw));
-  app.get("/api/auth/sessions", async (c) => authRoutes.listSessions(c.req.raw));
-  app.post("/api/auth/sessions/refresh", async (c) => authRoutes.refreshSession(c.req.raw));
-  app.delete("/api/auth/sessions", async (c) => authRoutes.revokeOtherSessions(c.req.raw));
-  app.delete("/api/auth/sessions/:id", async (c) => authRoutes.revokeSession(c.req.raw, c.req.param("id")));
-  app.put("/api/auth/sessions/:id/name", async (c) => authRoutes.renameSession(c.req.raw, c.req.param("id")));
-  app.post("/api/graphql", async (c) => {
-    try {
-      const req = c.req.raw;
-      const apiKeyRaw = extractApiKeyFromRequest(req);
-      if (apiKeyRaw && db) {
-        const apiKeyResult = await validateApiKey(apiKeyRaw, db);
-        if (!apiKeyResult.valid) {
-          return c.json({ errors: [{ message: apiKeyResult.error || "Invalid API key" }] }, 401);
-        }
-        const apiKeyId = apiKeyResult.apiKeyId || "";
-        await sessionAuthAdapter?.createAuditLog({
-          action: "api_key_request",
-          userId: apiKeyResult.userId || "",
-          resource: "api_key",
-          resourceId: apiKeyId,
-          success: true,
-          metadata: {
-            endpoint: "/api/graphql",
-            method: "POST",
-            ip: extractIp(req)
-          }
-        });
-      }
-      const body = await req.json().catch(() => ({}));
-      const { query, variables } = body;
-      if (!query) {
-        return c.json({ errors: [{ message: "No query provided" }] }, 400);
-      }
-      let gqlUser;
-      let apiKeyCtx;
-      if (apiKeyRaw && db) {
-        const apiKeyResult = await validateApiKey(apiKeyRaw, db);
-        if (apiKeyResult.valid && apiKeyResult.user) {
-          gqlUser = apiKeyResult.user;
-          apiKeyCtx = createApiKeyContext(apiKeyResult);
-        }
-      }
-      const schema = buildGraphQLSchema({
-        registry,
-        db,
-        user: gqlUser,
-        req,
-        settings
-      });
-      const document = parse(query);
-      const result = await execute({
-        schema,
-        document,
-        variableValues: variables,
-        contextValue: { user: gqlUser, apiKeyContext: apiKeyCtx, req, db }
-      });
-      return c.json(result);
-    } catch (error) {
-      if (error.message?.includes("GraphQL is disabled")) {
-        return c.json({ errors: [{ message: "GraphQL API is disabled" }] }, 403);
-      }
-      if (error instanceof SyntaxError) {
-        return c.json({ errors: [{ message: "Invalid request body" }] }, 400);
-      }
-      console.error("[GraphQL] execution error:", error);
-      return c.json({ errors: [{ message: error.message || "GraphQL execution failed" }] }, 500);
-    }
-  });
+  app.post("/api/auth/register", async (c) => authRoutes.register(c.req.raw));
+  app.post("/api/auth/logout", async (c) => authRoutes.logout(c.req.raw));
+  app.post("/api/auth/refresh", async (c) => authRoutes.refresh(c.req.raw));
+  app.get("/api/auth/me", async (c) => authRoutes.me(c.req.raw));
+  app.get("/api/auth/sessions", async (c) => authRoutes.listSessions(c.req.raw));
+  app.post("/api/auth/sessions/refresh", async (c) => authRoutes.refreshSession(c.req.raw));
+  app.delete("/api/auth/sessions", async (c) => authRoutes.revokeOtherSessions(c.req.raw));
+  app.delete("/api/auth/sessions/:id", async (c) => authRoutes.revokeSession(c.req.raw, c.req.param("id")));
+  app.put("/api/auth/sessions/:id/name", async (c) => authRoutes.renameSession(c.req.raw, c.req.param("id")));
   app.get("/api/auth/access", async (c) => {
     try {
       const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(
@@ -3701,7 +3823,13 @@ function createHonoApp(options) {
       return c.json({ error: error.message }, 500);
     }
   });
-  const usersCollection = registry.getCollection("users");
+  const usersCollection2 = typeof registry.hasCollection === "function" && registry.hasCollection("users") ? registry.getCollection("users") : (() => {
+    try {
+      return registry.getCollection("users");
+    } catch {
+      return usersCollection;
+    }
+  })();
   app.get("/api/users", async (c) => {
     try {
       const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(
@@ -3711,7 +3839,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "read",
         c.req.raw,
         ctxUser,
@@ -3756,19 +3884,6 @@ function createHonoApp(options) {
         user,
         tenantID
       );
-      const access = await checkCollectionAccess(
-        usersCollection,
-        "read",
-        c.req.raw,
-        ctxUser,
-        ctxTenantID,
-        void 0,
-        enablePublicAccess,
-        defaultCollectionAccess
-      );
-      if (!access.allowed) {
-        return c.json({ error: access.error }, access.status || 403);
-      }
       const id = c.req.param("id");
       const found = await sessionAuthAdapter.findUserById(id);
       if (!found) {
@@ -3788,7 +3903,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "create",
         c.req.raw,
         ctxUser,
@@ -3813,8 +3928,18 @@ function createHonoApp(options) {
         password: body.password,
         name: body.name,
         role: body.role || "customer",
+        avatar: body.avatar,
         tenantId: body.tenantId
       });
+      if (ctxUser) {
+        sessionAuthAdapter?.createAuditLog({
+          action: "user_create",
+          userId: ctxUser.id,
+          resource: "users",
+          resourceId: created.id,
+          success: true
+        });
+      }
       return c.json(
         { data: created, message: "User created successfully" },
         201
@@ -3832,7 +3957,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "update",
         c.req.raw,
         ctxUser,
@@ -3854,6 +3979,9 @@ function createHonoApp(options) {
       if (body.name !== void 0) updateData.name = body.name;
       if (body.email !== void 0) updateData.email = body.email;
       if (body.role !== void 0) updateData.role = body.role;
+      if (body.avatar !== void 0) {
+        updateData.avatar = typeof body.avatar === "object" && body.avatar !== null ? body.avatar.id || String(body.avatar) : body.avatar;
+      }
       if (body.tenantId !== void 0) updateData.tenantId = body.tenantId;
       if (body.emailVerified !== void 0)
         updateData.emailVerified = body.emailVerified;
@@ -3865,6 +3993,25 @@ function createHonoApp(options) {
       if (!updated) {
         return c.json({ error: "User update failed" }, 500);
       }
+      if (ctxUser) {
+        sessionAuthAdapter?.createAuditLog({
+          action: "user_update",
+          userId: ctxUser.id,
+          resource: "users",
+          resourceId: id,
+          success: true
+        });
+        if (body.role && existing.role !== body.role) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "role_change",
+            userId: ctxUser.id,
+            resource: "users",
+            resourceId: id,
+            success: true,
+            metadata: { oldRole: existing.role, newRole: body.role }
+          });
+        }
+      }
       return c.json({ data: updated, message: "User updated successfully" });
     } catch (error) {
       return c.json({ error: error.message }, 500);
@@ -3879,7 +4026,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "delete",
         c.req.raw,
         ctxUser,
@@ -3903,6 +4050,15 @@ function createHonoApp(options) {
       if (!deleted) {
         return c.json({ error: "User deletion failed" }, 500);
       }
+      if (ctxUser) {
+        sessionAuthAdapter?.createAuditLog({
+          action: "user_delete",
+          userId: ctxUser.id,
+          resource: "users",
+          resourceId: id,
+          success: true
+        });
+      }
       return c.json({ data: existing, message: "User deleted successfully" });
     } catch (error) {
       return c.json({ error: error.message }, 500);
@@ -4059,11 +4215,11 @@ function createHonoApp(options) {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
       if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
       const service = await getMedia();
-      const path2 = c.req.query("path");
-      if (!path2) {
+      const path3 = c.req.query("path");
+      if (!path3) {
         return c.json({ error: "Path is required" }, 400);
       }
-      await service.deleteFolder(path2);
+      await service.deleteFolder(path3);
       return c.json({ message: "Folder deleted" });
     } catch (error) {
       console.error("[Media] delete folder error:", error);
@@ -4216,6 +4372,119 @@ function createHonoApp(options) {
       return c.json({ error: error.message }, 500);
     }
   });
+  app.get("/api/plugins", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
+      const plugins = registry.getPlugins();
+      const storageRegistry = registry.storageProviders;
+      const pluginList = await Promise.all(
+        plugins.map(async (p) => {
+          let enabled = true;
+          const pluginName = p.name;
+          let states = {};
+          try {
+            const doc = await db.findOne({
+              collection: "_globals_plugin-settings",
+              where: {}
+            });
+            if (doc && doc.states) states = doc.states;
+          } catch {
+          }
+          if (states[pluginName] !== void 0) {
+            enabled = states[pluginName];
+          }
+          storageRegistry.setPluginEnabled(pluginName, enabled);
+          return {
+            id: pluginName,
+            name: pluginName,
+            version: p.version || "1.0.0",
+            description: p.description || "",
+            enabled,
+            status: enabled ? "active" : "disabled"
+          };
+        })
+      );
+      return c.json(pluginList);
+    } catch (error) {
+      console.error("[Plugins] list error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.put("/api/plugins/:name/toggle", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
+      const pluginName = c.req.param("name");
+      const storageRegistry = registry.storageProviders;
+      const currentEnabled = storageRegistry.isPluginEnabled(pluginName);
+      const newEnabled = !currentEnabled;
+      const affectedProviders = [];
+      if (!newEnabled) {
+        for (const p of storageRegistry.getAll()) {
+          if (p.pluginName === pluginName) {
+            affectedProviders.push(p.type);
+          }
+        }
+      }
+      const force = c.req.query("force") === "1";
+      if (!force && !newEnabled && affectedProviders.length > 0) {
+        let activeProvider = "local";
+        try {
+          const row = db?.prepare?.(`SELECT provider FROM "_globals_storage-settings" LIMIT 1`)?.get();
+          if (row?.provider) activeProvider = row.provider;
+        } catch {
+          try {
+            const result = await db?.findOne?.({
+              collection: "_globals_storage-settings",
+              where: {}
+            });
+            if (result?.provider) activeProvider = result.provider;
+          } catch {
+          }
+        }
+        if (affectedProviders.includes(activeProvider)) {
+          return c.json({
+            error: `Cannot disable "${pluginName}" \u2014 storage provider "${activeProvider}" is currently active. Switch to Local storage first.`,
+            requiresAction: true,
+            activeProvider
+          }, 409);
+        }
+      }
+      try {
+        let states = {};
+        let docId = "global";
+        const doc = await db.findOne({
+          collection: "_globals_plugin-settings",
+          where: {}
+        });
+        if (doc) {
+          states = doc.states || {};
+          docId = doc.id;
+        }
+        states[pluginName] = newEnabled;
+        if (doc) {
+          await db.update({
+            collection: "_globals_plugin-settings",
+            id: docId,
+            data: { states }
+          });
+        } else {
+          await db.create({
+            collection: "_globals_plugin-settings",
+            data: { states, id: "global" }
+          });
+        }
+      } catch (e) {
+        console.warn(`[Plugins] Could not persist state for "${pluginName}":`, e);
+      }
+      storageRegistry.setPluginEnabled(pluginName, newEnabled);
+      return c.json({ name: pluginName, enabled: newEnabled });
+    } catch (error) {
+      console.error("[Plugins] toggle error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
   app.get("/api/health", (c) => {
     return c.json({
       status: "ok",
@@ -4224,6 +4493,102 @@ function createHonoApp(options) {
       timestamp: (/* @__PURE__ */ new Date()).toISOString()
     });
   });
+  app.get("/api/kyro/schema", async (c) => {
+    const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+    if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
+    const extractFields = (fields) => fields.map((f) => {
+      const meta = {
+        name: f.name,
+        type: f.type,
+        label: f.label,
+        required: f.required ?? false,
+        unique: f.unique ?? false,
+        indexed: f.indexed ?? false,
+        defaultValue: f.defaultValue,
+        admin: f.admin ? { ...f.admin } : void 0
+      };
+      if (f.minLength !== void 0) meta.minLength = f.minLength;
+      if (f.maxLength !== void 0) meta.maxLength = f.maxLength;
+      if (f.pattern !== void 0) meta.pattern = f.pattern;
+      if (f.variant !== void 0) meta.variant = f.variant;
+      if (f.hasMany !== void 0) meta.hasMany = f.hasMany;
+      if (f.min !== void 0) meta.min = f.min;
+      if (f.max !== void 0) meta.max = f.max;
+      if (f.step !== void 0) meta.step = f.step;
+      if (f.integer !== void 0) meta.integer = f.integer;
+      if (f.options) meta.options = f.options;
+      if (f.relationTo) meta.relationTo = f.relationTo;
+      if (f.maxDepth !== void 0) meta.maxDepth = f.maxDepth;
+      if (f.minRows !== void 0) meta.minRows = f.minRows;
+      if (f.maxRows !== void 0) meta.maxRows = f.maxRows;
+      if (f.localized !== void 0) meta.localized = f.localized;
+      if (f.language) meta.language = f.language;
+      if (f.format) meta.format = f.format;
+      if (f.allowedTypes) meta.allowedTypes = f.allowedTypes;
+      if (f.maxSize) meta.maxSize = f.maxSize;
+      if (f.type === "group" || f.type === "row" || f.type === "collapsible" && f.fields) {
+        meta.fields = extractFields(f.fields);
+      }
+      if (f.type === "array" && f.fields) {
+        meta.fields = extractFields(f.fields);
+      }
+      if (f.type === "blocks" && f.blocks) {
+        meta.blocks = f.blocks.map((b) => ({
+          slug: b.slug,
+          label: b.label,
+          fields: extractFields(b.fields)
+        }));
+      }
+      if (f.type === "tabs" && f.tabs) {
+        meta.tabs = f.tabs.map((t) => ({
+          label: t.label,
+          name: t.name,
+          fields: extractFields(t.fields)
+        }));
+      }
+      return meta;
+    });
+    const data = { collections: {}, globals: {} };
+    for (const col of registry.getCollections()) {
+      const slug = col.slug;
+      try {
+        data.collections[slug] = {
+          slug,
+          label: col.label || slug,
+          fields: extractFields(col.fields),
+          jsonSchema: zodToJsonSchema(registry.getZodSchema(slug), { target: "openApi3" }),
+          createSchema: zodToJsonSchema(registry.getCreateZodSchema(slug), { target: "openApi3" }),
+          updateSchema: zodToJsonSchema(registry.getUpdateZodSchema(slug), { target: "openApi3" }),
+          procedures: {
+            find: { collection: slug, where: "Record<string,any>", sort: "string", limit: "number", page: "number", depth: "number", select: "string[]", draft: "boolean" },
+            findByID: { collection: slug, id: "string", depth: "number", select: "string[]", draft: "boolean" },
+            create: { collection: slug, data: "Record<string,any>", depth: "number", select: "string[]" },
+            update: { collection: slug, id: "string", data: "Record<string,any>", depth: "number", select: "string[]", baseUpdatedAt: "string" },
+            delete: { collection: slug, id: "string" },
+            count: { collection: slug, where: "Record<string,any>" }
+          }
+        };
+      } catch {
+      }
+    }
+    for (const global of registry.getGlobals()) {
+      const slug = global.slug;
+      try {
+        data.globals[slug] = {
+          slug,
+          label: global.label || slug,
+          fields: extractFields(global.fields),
+          jsonSchema: zodToJsonSchema(registry.getZodSchema(slug), { target: "openApi3" }),
+          procedures: {
+            get: {},
+            update: { data: "Record<string,any>" }
+          }
+        };
+      } catch {
+      }
+    }
+    return c.json(data);
+  });
   app.get("/api/collections", async (c) => {
     const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
     if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
@@ -4239,6 +4604,129 @@ function createHonoApp(options) {
     }));
     return c.json(collections2);
   });
+  function resolveDocField(fields, doc, fieldName) {
+    if (fieldName in doc) return doc[fieldName];
+    for (const field of fields) {
+      if (!field.name) continue;
+      if (field.type === "tabs" && field.tabs) {
+        const data = doc[field.name];
+        if (data && typeof data === "object" && fieldName in data) return data[fieldName];
+      }
+      if ((field.type === "group" || field.type === "collapsible") && field.fields) {
+        const data = doc[field.name];
+        if (data && typeof data === "object") {
+          if (fieldName in data) return data[fieldName];
+          const nested = resolveDocField(field.fields, data, fieldName);
+          if (nested !== void 0) return nested;
+        }
+      }
+    }
+    return void 0;
+  }
+  function flattenRelationshipFields(fields) {
+    const relFields = [];
+    for (const field of fields) {
+      if (field.type === "relationship") {
+        relFields.push(field);
+      } else if (field.type === "tabs" && field.tabs) {
+        for (const tab of field.tabs) {
+          relFields.push(...flattenRelationshipFields(tab.fields || []));
+        }
+      } else if ((field.type === "group" || field.type === "collapsible") && field.fields) {
+        relFields.push(...flattenRelationshipFields(field.fields || []));
+      }
+    }
+    return relFields;
+  }
+  function extractRelValue(value) {
+    if (!value) return [];
+    if (typeof value === "string") return [value];
+    if (Array.isArray(value)) return value.map((v) => typeof v === "object" ? v.value ?? v : v);
+    if (typeof value === "object") {
+      const v = value.value ?? value;
+      return typeof v === "string" ? [v] : Array.isArray(v) ? v : [];
+    }
+    return [];
+  }
+  async function populateRelationships(docs, collection, db2, registry2) {
+    if (docs.length === 0) return;
+    const relFields = flattenRelationshipFields(collection.fields);
+    if (relFields.length === 0) return;
+    for (const relField of relFields) {
+      const targetSlugs = Array.isArray(relField.relationTo) ? relField.relationTo : [relField.relationTo];
+      const idsBySlug = {};
+      for (const slug of targetSlugs) {
+        idsBySlug[slug] = /* @__PURE__ */ new Set();
+      }
+      for (const doc of docs) {
+        const raw = resolveDocField(collection.fields, doc, relField.name);
+        const ids = extractRelValue(raw);
+        for (const id of ids) {
+          if (!id) continue;
+          if (targetSlugs.length === 1) {
+            idsBySlug[targetSlugs[0]].add(id);
+          } else {
+            for (const slug of targetSlugs) {
+              idsBySlug[slug].add(id);
+            }
+          }
+        }
+      }
+      for (const [targetSlug, idSet] of Object.entries(idsBySlug)) {
+        if (idSet.size === 0) continue;
+        const targetCollection = registry2.getCollection(targetSlug);
+        if (!targetCollection) continue;
+        const titleField = targetCollection.admin?.useAsTitle || "title";
+        const idArr = Array.from(idSet);
+        const relatedDocs = [];
+        for (const id of idArr) {
+          try {
+            const relDoc = await db2.findByID({ collection: targetSlug, id, draft: true });
+            if (relDoc) {
+              const title = resolveDocField(targetCollection.fields, relDoc, titleField) ?? id;
+              relatedDocs.push({ id, title: String(title) });
+            }
+          } catch {
+            relatedDocs.push({ id, title: id });
+          }
+        }
+        const titleMap = new Map(relatedDocs.map((d) => [d.id, d.title]));
+        for (const doc of docs) {
+          const raw = resolveDocField(collection.fields, doc, relField.name);
+          if (!raw) continue;
+          const setValue = (val) => {
+            if (relField.name in doc) {
+              doc[relField.name] = val;
+            } else {
+              for (const f of collection.fields) {
+                if (f.type === "tabs" && f.tabs) {
+                  for (const tab of f.tabs) {
+                    if (tab.fields?.some((tf) => tf.name === relField.name)) {
+                      const tabData = doc[f.name];
+                      if (tabData && typeof tabData === "object") {
+                        tabData[relField.name] = val;
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          };
+          if (typeof raw === "string") {
+            setValue({ id: raw, title: titleMap.get(raw) || raw });
+          } else if (Array.isArray(raw)) {
+            setValue(raw.map((v) => {
+              const id = typeof v === "object" ? v.value ?? v.id : v;
+              return { id, title: titleMap.get(id) || id };
+            }));
+          } else if (typeof raw === "object") {
+            const id = raw.value ?? raw.id;
+            setValue({ id, title: titleMap.get(id) || id });
+          }
+        }
+      }
+    }
+  }
   app.get("/api/search", async (c) => {
     try {
       const query = c.req.query("q") || "";
@@ -4290,11 +4778,12 @@ function createHonoApp(options) {
             limit,
             tenantID: ctxTenantID
           });
+          await populateRelationships(searchResult.docs, collection, db, registry);
           for (const doc of searchResult.docs) {
             const titleField = collection.admin?.useAsTitle || searchableFields.find(
               (f) => f === "title" || f === "name" || f === "heading" || f === "slug"
             );
-            const title = titleField ? doc[titleField] : doc.id;
+            const title = titleField ? resolveDocField(collection.fields, doc, titleField) ?? doc.id : doc.id;
             results.push({
               collection: collection.slug,
               label: collection.label || collection.slug,
@@ -4634,37 +5123,31 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
-        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, basePath, "GET", c.req.raw);
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         const url = new URL(c.req.url);
         const page = parseInt(url.searchParams.get("page") || "1");
-        const limit = Math.min(
-          parseInt(url.searchParams.get("limit") || "10"),
-          100
-        );
+        const limit = Math.min(parseInt(url.searchParams.get("limit") || "10"), 100);
         const sort = url.searchParams.get("sort") || void 0;
         const depth = parseInt(url.searchParams.get("depth") || "0");
         const select = url.searchParams.get("select")?.split(",") || void 0;
-        let where = {};
-        const whereParam = url.searchParams.get("where");
-        if (whereParam) {
-          try {
-            where = JSON.parse(whereParam);
-          } catch {
-          }
-        }
+        const isDraftRequest = !!ctxUser;
         const result = await db.find({
           collection: slug,
-          where,
+          where: {},
           sort,
           limit,
           page,
           depth,
           tenantID: ctxTenantID,
-          select
+          select,
+          draft: isDraftRequest
         });
+        await populateRelationships(result.docs, collection, db, registry);
         return c.json(result);
       } catch (error) {
-        console.error(`[API] Error listing ${slug}:`, error);
+        console.error("[API] list error:", error);
         return c.json({ error: error.message }, 500);
       }
     });
@@ -4689,6 +5172,9 @@ function createHonoApp(options) {
           return c.json({ error: access.error }, access.status || 403);
         }
         const id = c.req.param("id");
+        if (!id) {
+          return c.json({ error: "Missing document ID" }, 400);
+        }
         const url = new URL(c.req.url);
         const compareA = url.searchParams.get("compareA");
         const compareB = url.searchParams.get("compareB");
@@ -4772,23 +5258,39 @@ function createHonoApp(options) {
         const id = c.req.param("id");
         const body = await c.req.json();
         const baseUpdatedAt = readBaseUpdatedAt(body);
-        const data = body.data ?? omitRevisionFields(body);
         const originalDoc = await db.findByID({
           collection: slug,
           id,
-          tenantID: ctxTenantID
+          tenantID: ctxTenantID,
+          draft: true
         });
         if (!originalDoc) {
           return c.json({ error: "Document not found" }, 404);
         }
+        let finalData;
+        if (body.delta) {
+          finalData = { ...originalDoc, ...body.delta };
+        } else {
+          finalData = body.data ?? omitRevisionFields(body);
+        }
         const draft = await db.upsertDraft({
           collection: slug,
           documentId: id,
           tenantID: ctxTenantID,
-          data,
+          data: finalData,
           baseUpdatedAt,
           draftUpdatedAt: body.draftUpdatedAt
         });
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_update",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: id,
+            success: true,
+            metadata: { type: "draft_save" }
+          });
+        }
         return c.json({ data: draft, message: "Draft saved successfully" });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -4819,6 +5321,16 @@ function createHonoApp(options) {
           documentId: c.req.param("id"),
           tenantID: ctxTenantID
         });
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_update",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: c.req.param("id"),
+            success: true,
+            metadata: { type: "draft_discard" }
+          });
+        }
         return c.json({ message: "Draft discarded successfully" });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -4861,12 +5373,14 @@ function createHonoApp(options) {
           doc = await db.findOne({
             collection: slug,
             where: { slug: id },
-            tenantID: ctxTenantID
+            tenantID: ctxTenantID,
+            draft: isDraftRequest
           });
         }
         if (!doc) {
           return c.json({ error: "Document not found" }, 404);
         }
+        await populateRelationships([doc], collection, db, registry);
         return c.json({ data: doc });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -4892,23 +5406,80 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, basePath, "POST", c.req.raw);
         const body = await c.req.json();
+        let validated = body;
+        for (const field of collection.fields) {
+          if (field.name && validated[field.name] === "") {
+            const isTextual = field.type === "text" || field.type === "textarea" || field.type === "code" || field.type === "markdown" || field.type === "email" || field.type === "password" || field.type === "color";
+            if (!isTextual) {
+              validated[field.name] = null;
+            }
+          }
+        }
+        convertRichtextFields(collection.fields, validated);
+        const hookReq = c.req.raw;
+        if (collection.hooks?.beforeValidate) {
+          for (const hook of collection.hooks.beforeValidate) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "create"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
         const schema = registry.getCreateZodSchema(slug);
-        let validated;
         try {
-          validated = schema.parse(body);
+          validated = schema.parse(validated);
         } catch (zodErr) {
-          return c.json({ error: "Validation failed", details: zodErr.errors }, 400);
+          return c.json({ error: `Validation failed: ${formatZodErrors(zodErr.errors)}`, details: zodErr.errors }, 400);
         }
         if (collection.tenantScoped && ctxTenantID) {
           validated.tenantID = ctxTenantID;
         }
+        const isDraftEnabled = collection.versions?.drafts === true;
+        if (isDraftEnabled) {
+          validated.publishStatus = "draft";
+          validated.hasDraft = false;
+        }
+        if (collection.hooks?.beforeChange) {
+          for (const hook of collection.hooks.beforeChange) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "create"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
         const doc = await db.create({
           collection: slug,
           data: validated,
           tenantID: ctxTenantID
         });
+        if (collection.hooks?.afterChange) {
+          for (const hook of collection.hooks.afterChange) {
+            await hook({
+              collection: slug,
+              doc,
+              data: validated,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "create"
+            });
+          }
+        }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "create"), {
             collection: slug,
@@ -4918,11 +5489,20 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_create",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: doc.id,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: "Created successfully" }, 201);
       } catch (error) {
         if (error.name === "ZodError") {
           return c.json(
-            { error: "Validation failed", details: error.errors },
+            { error: `Validation failed: ${formatZodErrors(error.errors)}`, details: error.errors },
             400
           );
         }
@@ -4957,32 +5537,66 @@ function createHonoApp(options) {
           bodyKeys: Object.keys(body),
           tenantID: ctxTenantID
         });
-        const cleaned = Object.fromEntries(
-          Object.entries(omitRevisionFields(body)).filter(
-            ([_, v]) => v !== "null" && v !== void 0
-          )
-        );
-        const schema = registry.getUpdateZodSchema(slug);
-        const validated = schema.parse(cleaned);
-        console.log(`[PATCH] Validated data:`, Object.keys(validated));
         const originalDoc = await db.findByID({
           collection: slug,
           id,
           tenantID: ctxTenantID,
           draft: true
-          // Always fetch current doc regardless of status
         });
-        if (originalDoc) {
-          console.log(`[PATCH] Original doc updatedAt:`, originalDoc.updatedAt);
-        }
         if (!originalDoc) {
           return c.json({ error: "Document not found" }, 404);
         }
         if (baseUpdatedAt && originalDoc.updatedAt && baseUpdatedAt !== originalDoc.updatedAt) {
           return c.json(buildConflictResponse(baseUpdatedAt, originalDoc), 409);
         }
+        let validated = Object.fromEntries(
+          Object.entries(omitRevisionFields(body)).filter(
+            ([_, v]) => v !== "null" && v !== void 0
+          )
+        );
+        for (const field of collection.fields) {
+          if (field.name && validated[field.name] === "") {
+            const isTextual = field.type === "text" || field.type === "textarea" || field.type === "code" || field.type === "markdown" || field.type === "email" || field.type === "password" || field.type === "color";
+            if (!isTextual) {
+              validated[field.name] = null;
+            }
+          }
+        }
+        convertRichtextFields(collection.fields, validated);
+        const hookReq = c.req.raw;
+        if (collection.hooks?.beforeValidate) {
+          for (const hook of collection.hooks.beforeValidate) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "update"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
+        const schema = registry.getUpdateZodSchema(slug);
+        validated = schema.parse(validated);
+        if (collection.hooks?.beforeChange) {
+          for (const hook of collection.hooks.beforeChange) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "update"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
+        console.log(`[PATCH] Validated data:`, Object.keys(validated));
         const isDraftEnabled = collection.versions?.drafts === true;
-        const isAlreadyPublished = originalDoc._status === "published";
+        const isAlreadyPublished = originalDoc.publishStatus === "published";
         let doc;
         if (isDraftEnabled && isAlreadyPublished) {
           await db.createVersion({
@@ -4997,18 +5611,20 @@ function createHonoApp(options) {
           await db.update({
             collection: slug,
             id,
-            data: { _has_draft: true },
+            data: { hasDraft: true },
             // Keep old data, just set flag
             tenantID: ctxTenantID
           });
         } else {
-          const saveData = isDraftEnabled ? { ...validated, _status: "draft", _has_draft: false } : validated;
+          const saveData = isDraftEnabled ? { ...validated, publishStatus: "draft", hasDraft: false } : validated;
+          console.log(`[PATCH] About to call db.update for ${slug}/${id} with keys:`, Object.keys(saveData));
           await db.update({
             collection: slug,
             id,
             data: saveData,
             tenantID: ctxTenantID
           });
+          console.log(`[PATCH] db.update SUCCEEDED for ${slug}/${id}`);
         }
         doc = await db.findByID({
           collection: slug,
@@ -5035,6 +5651,20 @@ function createHonoApp(options) {
             tenantID: ctxTenantID
           });
         }
+        if (collection.hooks?.afterChange) {
+          for (const hook of collection.hooks.afterChange) {
+            await hook({
+              collection: slug,
+              doc,
+              data: validated,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "update"
+            });
+          }
+        }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "update"), {
             collection: slug,
@@ -5045,16 +5675,26 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
-        console.log(`[PATCH] Result doc updatedAt:`, doc?.updatedAt);
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, `${basePath}/${id}`, "PATCH", c.req.raw);
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_update",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: id,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: isDraftEnabled ? "Draft saved" : "Updated successfully" });
       } catch (error) {
         if (error.name === "ZodError") {
           console.error(`[PATCH ${basePath}/:id] Validation failed:`, error.errors);
           return c.json(
-            { error: "Validation failed", details: error.errors },
+            { error: `Validation failed: ${formatZodErrors(error.errors)}`, details: error.errors },
             400
           );
         }
+        console.error(`[PATCH ${basePath}/:id] ERROR:`, error.message, `CAUSE:`, error.cause?.message || error.cause, `QUERY:`, error.query);
         return c.json({ error: error.message }, 500);
       }
     });
@@ -5078,13 +5718,33 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         const id = c.req.param("id");
         console.log(`[DELETE] Deleting ${slug}/${id}`);
+        const hookReq = c.req.raw;
         const originalDoc = await db.findByID({
           collection: slug,
           id,
-          tenantID: ctxTenantID
+          tenantID: ctxTenantID,
+          draft: true
         });
+        if (!originalDoc) {
+          return c.json({ error: "Document not found" }, 404);
+        }
+        if (collection.hooks?.beforeDelete) {
+          for (const hook of collection.hooks.beforeDelete) {
+            await hook({
+              collection: slug,
+              doc: originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "delete"
+            });
+          }
+        }
         const doc = await db.delete({
           collection: slug,
           id,
@@ -5095,6 +5755,19 @@ function createHonoApp(options) {
           documentId: id,
           tenantID: ctxTenantID
         });
+        if (collection.hooks?.afterDelete) {
+          for (const hook of collection.hooks.afterDelete) {
+            await hook({
+              collection: slug,
+              doc,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "delete"
+            });
+          }
+        }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "delete"), {
             collection: slug,
@@ -5105,6 +5778,16 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, `${basePath}/${id}`, "DELETE", c.req.raw);
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_delete",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: id,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: "Deleted successfully" });
       } catch (error) {
         console.error(`[DELETE] Error deleting ${slug}:`, error);
@@ -5138,7 +5821,8 @@ function createHonoApp(options) {
         const originalDoc = await db.findByID({
           collection: slug,
           id,
-          tenantID: ctxTenantID
+          tenantID: ctxTenantID,
+          draft: true
         });
         if (!originalDoc) {
           console.log("[Duplicate] Document not found");
@@ -5198,7 +5882,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: slug,
           id,
-          data: { ...version.data, _status: "draft", _has_draft: false },
+          data: { ...version.data, publishStatus: "draft", hasDraft: false },
           tenantID: ctxTenantID
         });
         return c.json({
@@ -5243,7 +5927,7 @@ function createHonoApp(options) {
           const doc = await db.update({
             collection: slug,
             id: c.req.param("id"),
-            data: { ...version.data, _status: "draft", _has_draft: false },
+            data: { ...version.data, publishStatus: "draft", hasDraft: false },
             tenantID: ctxTenantID
           });
           return c.json({
@@ -5276,6 +5960,9 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         const id = c.req.param("id");
         const body = await c.req.json().catch(() => ({}));
         const baseUpdatedAt = readBaseUpdatedAt(body);
@@ -5291,9 +5978,9 @@ function createHonoApp(options) {
         if (baseUpdatedAt && originalDoc.updatedAt && baseUpdatedAt !== originalDoc.updatedAt) {
           return c.json(buildConflictResponse(baseUpdatedAt, originalDoc), 409);
         }
-        let publishData = { _status: "published", _has_draft: false };
+        let publishData = { publishStatus: "published", hasDraft: false };
         let finalContent = originalDoc;
-        if (originalDoc._has_draft) {
+        if (originalDoc.hasDraft) {
           const versions = await db.findVersions({
             collection: slug,
             documentId: id,
@@ -5316,7 +6003,7 @@ function createHonoApp(options) {
           await db.createVersion({
             collection: slug,
             documentId: id,
-            data: { ...finalContent, _status: "published" },
+            data: { ...finalContent, publishStatus: "published" },
             status: "published",
             createdBy: ctxUser?.id,
             changeDescription: "Published",
@@ -5375,7 +6062,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: slug,
           id,
-          data: { _status: "draft" },
+          data: { publishStatus: "draft" },
           tenantID: ctxTenantID
         });
         if (webhookService) {
@@ -5411,12 +6098,30 @@ function createHonoApp(options) {
           return c.json({ error: access.error }, access.status || 403);
         }
         const isDraftRequest = c.req.query("draft") === "true" && !!ctxUser;
-        const doc = await db.findOne({
+        let doc = await db.findOne({
           collection: `_globals_${slug}`,
           where: {},
           tenantID: ctxTenantID,
           draft: isDraftRequest
         });
+        if (slug === "system") {
+          const newSecret = crypto.randomBytes(32).toString("hex");
+          if (!doc) {
+            doc = await db.create({
+              collection: `_globals_${slug}`,
+              data: { id: slug, appSecret: newSecret },
+              tenantID: ctxTenantID
+            });
+          } else if (!doc.appSecret) {
+            await db.update({
+              collection: `_globals_${slug}`,
+              id: slug,
+              data: { appSecret: newSecret },
+              tenantID: ctxTenantID
+            });
+            doc.appSecret = newSecret;
+          }
+        }
         return c.json({ data: doc || {} });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -5436,18 +6141,27 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
-        const body = await c.req.json();
+        const body = omitRevisionFields(await c.req.json());
         const cleaned = Object.fromEntries(
           Object.entries(body).filter(([_, v]) => v !== null && v !== "null" && v !== void 0)
         );
+        for (const field of globalConfig.fields) {
+          if (field.name && cleaned[field.name] === "") {
+            const isTextual = field.type === "text" || field.type === "textarea" || field.type === "code" || field.type === "markdown" || field.type === "email" || field.type === "password" || field.type === "color";
+            if (!isTextual) {
+              cleaned[field.name] = null;
+            }
+          }
+        }
+        convertRichtextFields(globalConfig.fields, cleaned);
         const schema = registry.getZodSchema(slug);
         let validated;
         try {
           validated = schema.parse(cleaned);
         } catch (zodErr) {
-          return c.json({ error: "Validation failed", details: zodErr.errors }, 400);
+          return c.json({ error: `Validation failed: ${formatZodErrors(zodErr.errors)}`, details: zodErr.errors }, 400);
         }
-        const SYSTEM_FIELDS = /* @__PURE__ */ new Set(["id", "createdAt", "updatedAt", "_status", "_has_draft"]);
+        const SYSTEM_FIELDS = /* @__PURE__ */ new Set(["id", "createdAt", "updatedAt", "publishStatus", "hasDraft", "baseUpdatedAt", "_baseUpdatedAt"]);
         const userData = Object.fromEntries(
           Object.entries(validated).filter(([k]) => !SYSTEM_FIELDS.has(k))
         );
@@ -5459,7 +6173,7 @@ function createHonoApp(options) {
           draft: true
         });
         const isDraftEnabled = globalConfig.versions?.drafts === true;
-        const isAlreadyPublished = originalDoc?._status === "published";
+        const isAlreadyPublished = originalDoc?.publishStatus === "published";
         let doc;
         if (isDraftEnabled && isAlreadyPublished) {
           await db.createVersion({
@@ -5474,11 +6188,11 @@ function createHonoApp(options) {
           doc = await db.update({
             collection: collectionSlug,
             id: slug,
-            data: { _has_draft: true },
+            data: { hasDraft: true },
             tenantID: ctxTenantID
           });
         } else {
-          const saveData = isDraftEnabled ? { ...userData, _status: "draft", _has_draft: false } : { ...userData, _status: "published", _has_draft: false };
+          const saveData = isDraftEnabled ? { ...userData, publishStatus: "draft", hasDraft: false } : { ...userData, publishStatus: "published", hasDraft: false };
           if (originalDoc) {
             doc = await db.update({
               collection: collectionSlug,
@@ -5509,6 +6223,15 @@ function createHonoApp(options) {
           mediaService = null;
           mediaServiceInitError = null;
         }
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "settings_change",
+            userId: ctxUser.id,
+            resource: `global:${slug}`,
+            resourceId: slug,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: "Updated successfully" });
       } catch (error) {
         console.error(`[API] Save global "${slug}" failed:`, error);
@@ -5533,9 +6256,9 @@ function createHonoApp(options) {
           draft: true
         });
         if (!originalDoc) return c.json({ error: "Global not found" }, 404);
-        let publishData = { _status: "published", _has_draft: false };
+        let publishData = { publishStatus: "published", hasDraft: false };
         let finalContent = originalDoc;
-        if (originalDoc._has_draft) {
+        if (originalDoc.hasDraft) {
           const versions = await db.findVersions({
             collection: collectionSlug,
             documentId: slug,
@@ -5558,7 +6281,7 @@ function createHonoApp(options) {
           await db.createVersion({
             collection: collectionSlug,
             documentId: slug,
-            data: { ...finalContent, _status: "published" },
+            data: { ...finalContent, publishStatus: "published" },
             status: "published",
             createdBy: ctxUser?.id,
             changeDescription: "Published",
@@ -5578,7 +6301,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: `_globals_${slug}`,
           id: slug,
-          data: { _status: "draft", _has_draft: false },
+          data: { publishStatus: "draft", hasDraft: false },
           tenantID: ctxTenantID
         });
         return c.json({ data: doc, message: "Unpublished successfully" });
@@ -5638,7 +6361,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: collectionSlug,
           id: slug,
-          data: { ...version.data, _status: "draft", _has_draft: false },
+          data: { ...version.data, publishStatus: "draft", hasDraft: false },
           tenantID: ctxTenantID
         });
         return c.json({ data: doc, message: "Restored successfully" });
@@ -5742,6 +6465,6 @@ function createRESTAPI(registry, db, options) {
   });
 }
-export { AuditLogger, AuthRoutes, InMemoryAuditLogger, InMemoryRateLimiter, MediaService, createAuditContext2 as createAuditContext, createHonoApp, createLocalStorage, createRESTAPI, getAppSecret, getEncryptionKey, getSessionConfig, init_secret, loadSecrets, resolveProvider, setDbAdapter };
-//# sourceMappingURL=chunk-HXRD4B37.js.map
-//# sourceMappingURL=chunk-HXRD4B37.js.map
+export { AuditLogger, AuthRoutes, InMemoryAuditLogger, InMemoryRateLimiter, MediaService, createAuditContext2 as createAuditContext, createCloudinaryStorage, createFtpStorage, createHonoApp, createLocalStorage, createRESTAPI, createS3Storage, getAppSecret, getDefaultRegistry, getEncryptionKey, getSessionConfig, init_secret, loadSecrets, resolveProvider, setDbAdapter };
+//# sourceMappingURL=chunk-PU2Z5VWF.js.map
+//# sourceMappingURL=chunk-PU2Z5VWF.js.map