@kyro-cms/core 0.8.0 → 0.9.1

package/dist/{chunk-5KVM3WEY.cjs → chunk-RSF3UU7H.cjs}

@@ -1,16 +1,16 @@
 'use strict';
 
-var chunkIA6AU5PI_cjs = require('./chunk-IA6AU5PI.cjs');
-var chunkI7HHI6QV_cjs = require('./chunk-I7HHI6QV.cjs');
+var chunkWNCYAKF3_cjs = require('./chunk-WNCYAKF3.cjs');
+var chunkKC2GDBLS_cjs = require('./chunk-KC2GDBLS.cjs');
+var chunkIDVRRRAK_cjs = require('./chunk-IDVRRRAK.cjs');
 var chunkADLJSJSN_cjs = require('./chunk-ADLJSJSN.cjs');
-var chunkIBG6V56E_cjs = require('./chunk-IBG6V56E.cjs');
-var chunkVJT6P4N6_cjs = require('./chunk-VJT6P4N6.cjs');
-var chunkR3XIBBAW_cjs = require('./chunk-R3XIBBAW.cjs');
-var chunk2KVHZE6O_cjs = require('./chunk-2KVHZE6O.cjs');
-var chunk2OL4O2TH_cjs = require('./chunk-2OL4O2TH.cjs');
-var chunkPDYFVNUX_cjs = require('./chunk-PDYFVNUX.cjs');
-var chunk4DA7QPLA_cjs = require('./chunk-4DA7QPLA.cjs');
-var chunkSA7NSSIQ_cjs = require('./chunk-SA7NSSIQ.cjs');
+var chunkQFLB4EIJ_cjs = require('./chunk-QFLB4EIJ.cjs');
+var chunk4M7X5HAB_cjs = require('./chunk-4M7X5HAB.cjs');
+var chunkCOIASRDK_cjs = require('./chunk-COIASRDK.cjs');
+var chunkC36TMDTY_cjs = require('./chunk-C36TMDTY.cjs');
+var chunkV2TVSCV5_cjs = require('./chunk-V2TVSCV5.cjs');
+var chunkGXFOGU7N_cjs = require('./chunk-GXFOGU7N.cjs');
+var chunkNKPKR5BW_cjs = require('./chunk-NKPKR5BW.cjs');
 var chunkG7VZBCD6_cjs = require('./chunk-G7VZBCD6.cjs');
 var crypto = require('crypto');
 var unstorage = require('unstorage');
@@ -19,11 +19,12 @@ var hono = require('hono');
 var path = require('path');
 var fs = require('fs');
 var sharp = require('sharp');
-var graphql = require('graphql');
 var promises = require('fs/promises');
+var process2 = require('process');
 var clientS3 = require('@aws-sdk/client-s3');
 var stream = require('stream');
 var basicFtp = require('basic-ftp');
+var zodToJsonSchema = require('zod-to-json-schema');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
 
@@ -31,6 +32,7 @@ var crypto__default = /*#__PURE__*/_interopDefault(crypto);
 var fsDriver__default = /*#__PURE__*/_interopDefault(fsDriver);
 var path__default = /*#__PURE__*/_interopDefault(path);
 var sharp__default = /*#__PURE__*/_interopDefault(sharp);
+var process2__default = /*#__PURE__*/_interopDefault(process2);
 
 function setDbAdapter(adapter) {
   dbAdapter = adapter;
@@ -388,14 +390,14 @@ function createAuthMiddleware(config) {
     userLookup
   } = config;
   return async function authMiddleware(req) {
-    const apiKeyRaw = chunkIBG6V56E_cjs.extractApiKeyFromRequest(req);
+    const apiKeyRaw = chunk4M7X5HAB_cjs.extractApiKeyFromRequest(req);
     if (apiKeyRaw && db) {
-      const result = await chunkIBG6V56E_cjs.validateApiKey(apiKeyRaw, db, userLookup);
+      const result = await chunk4M7X5HAB_cjs.validateApiKey(apiKeyRaw, db, userLookup);
       if (result.valid && result.user) {
         return {
           user: result.user,
           tenantContext: createTenantContextFromUser(result.user),
-          apiKeyContext: chunkIBG6V56E_cjs.createApiKeyContext(result),
+          apiKeyContext: chunk4M7X5HAB_cjs.createApiKeyContext(result),
           status: 200,
           authType: "apikey"
         };
@@ -782,7 +784,7 @@ var AuditLogger = class {
   serializeLog(log) {
     const result = {
       id: log.id,
-      timestamp: log.timestamp.toISOString(),
+      timestamp: new Date(log.timestamp).toISOString(),
       action: log.action,
       resource: log.resource,
       success: log.success ? "1" : "0"
@@ -957,7 +959,7 @@ var AuthRoutes = class {
   constructor(config) {
     this.authAdapter = config.redis;
     this.email = config.email;
-    this.passwordPolicy = config.passwordPolicy || new chunkIA6AU5PI_cjs.PasswordPolicy();
+    this.passwordPolicy = config.passwordPolicy || new chunkWNCYAKF3_cjs.PasswordPolicy();
     this.lockout = config.lockout;
     this.rateLimiter = config.rateLimiter;
     this.auditLogger = config.auditLogger;
@@ -1177,23 +1179,19 @@ var AuthRoutes = class {
     }
   }
   async me(req) {
-    try {
-      const session = await getCurrentUser(req);
-      if (!session) {
-        return this.errorResponse("Not authenticated", 401);
-      }
-      const user = await this.authAdapter.findUserById(session.userId);
-      if (!user) {
-        return this.errorResponse("User not found", 404);
-      }
-      return this.jsonResponse({
-        success: true,
-        user: this.sanitizeUser(user)
-      });
-    } catch (error) {
-      console.error("[AuthRoutes.me] Authentication failed:", error.message);
-      return this.errorResponse("Authentication failed", 401);
+    const session = await getCurrentUser(req);
+    if (!session) {
+      return this.errorResponse("Not authenticated", 401);
     }
+    return this.jsonResponse({
+      success: true,
+      user: {
+        id: session.userId,
+        email: session.email,
+        role: session.role,
+        tenantId: session.tenantId
+      }
+    });
   }
   async changePassword(req) {
     const session = await getCurrentUser(req);
@@ -1303,7 +1301,7 @@ var AuthRoutes = class {
       }
       if (this.auditLogger) {
         await this.auditLogger.log({
-          action: "password_reset_request",
+          action: "password_reset",
           userId: user.id,
           userEmail: user.email,
           resource: "auth",
@@ -1491,7 +1489,7 @@ var AuthRoutes = class {
   }
 };
 function createLocalStorage(config) {
-  const { uploadDir, baseUrl = "/uploads" } = config;
+  const { uploadDir = path.join(process2__default.default.cwd(), "public", "uploads"), baseUrl = "/uploads" } = config;
   async function ensureDir(dir) {
     if (!fs.existsSync(dir)) {
       await promises.mkdir(dir, { recursive: true });
@@ -1679,6 +1677,467 @@ function createLocalStorage(config) {
     }
   };
 }
+
+// src/storage/imgix.ts
+function createImgixStorage(config) {
+  const signUrl = (path3, params) => {
+    if (!config.signKey) return path3;
+    const signer = new TextEncoder();
+    const key = signer.encode(config.signKey);
+    const data = signer.encode(path3 + params.toString());
+    let hash = 0;
+    const combined = new Uint8Array(key.length + data.length);
+    combined.set(key);
+    combined.set(data, key.length);
+    for (let i = 0; i < combined.length; i++) {
+      hash = (hash << 5) - hash + combined[i] | 0;
+    }
+    params.set("s", Math.abs(hash).toString(16));
+    return path3;
+  };
+  return {
+    name: "imgix",
+    displayName: "Imgix",
+    supportsDynamicResize: true,
+    async upload(_file, _options) {
+      throw new Error(
+        "Imgix is a transformation service. Use another provider for uploads."
+      );
+    },
+    async uploadFromUrl(url, options) {
+      const filename = options?.filename || url.split("/").pop() || "file";
+      const response = await fetch(url);
+      if (!response.ok) {
+        throw new Error(`Failed to fetch: ${response.statusText}`);
+      }
+      const blob = await response.blob();
+      new File([blob], filename, { type: blob.type });
+      return {
+        id: Buffer.from(url).toString("base64").slice(0, 20),
+        filename,
+        originalName: filename,
+        mimeType: blob.type,
+        size: blob.size,
+        url: this.getImageUrl(url),
+        thumbnailUrl: this.getImageUrl(url, {
+          width: 200,
+          height: 200,
+          fit: "crop"
+        }),
+        provider: "imgix",
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    },
+    async delete(_url) {
+    },
+    async rename(_oldUrl, newKey) {
+      return `https://${config.domain}/${newKey}`;
+    },
+    getImageUrl(url, transforms) {
+      const parsed = new URL(url);
+      const params = new URLSearchParams(parsed.search);
+      if (config.defaultParameters) {
+        Object.entries(config.defaultParameters).forEach(([key, value]) => {
+          if (!params.has(key)) {
+            params.set(key, value);
+          }
+        });
+      }
+      if (transforms) {
+        if (transforms.width) params.set("w", String(transforms.width));
+        if (transforms.height) params.set("h", String(transforms.height));
+        if (transforms.quality) params.set("q", String(transforms.quality));
+        if (transforms.format) params.set("fm", transforms.format);
+        if (transforms.fit) params.set("fit", transforms.fit);
+        if (transforms.blur) params.set("blur", String(transforms.blur));
+        if (transforms.sharpen) params.set("sharp", String(transforms.sharpen));
+      }
+      params.set("auto", "compress,format");
+      parsed.pathname + "?" + params.toString();
+      if (config.signKey) {
+        signUrl(parsed.pathname + params.toString(), params);
+      }
+      return `https://${config.domain}${parsed.pathname}${params.toString() ? "?" + params.toString() : ""}`;
+    },
+    async generateThumbnail(file) {
+      return this.getImageUrl(file.url, {
+        width: 200,
+        height: 200,
+        fit: "crop"
+      });
+    },
+    async list() {
+      return [];
+    },
+    async exists(url) {
+      try {
+        const response = await fetch(url, { method: "HEAD" });
+        return response.ok;
+      } catch {
+        return false;
+      }
+    },
+    async createFolder() {
+    },
+    async deleteFolder() {
+    }
+  };
+}
+
+// src/storage/bunny.ts
+function getUrl(key, config) {
+  if (config.cdnUrl) {
+    return `${config.cdnUrl.replace(/\/$/, "")}/${key}`;
+  }
+  return `https://${config.storageZone}.b-cdn.net/${key}`;
+}
+function getUrlPrefix(config) {
+  if (config.cdnUrl) {
+    return config.cdnUrl.replace(/\/$/, "") + "/";
+  }
+  return `https://${config.storageZone}.b-cdn.net/`;
+}
+function createBunnyStorage(config) {
+  const baseUrl = `https://storage.bunnycdn.com/${config.storageZone}`;
+  const getKey = (path3) => {
+    const prefix = config.prefix ? `${config.prefix}/` : "";
+    return `${prefix}${path3}`.replace(/\/+/g, "/");
+  };
+  return {
+    name: "bunny",
+    displayName: "Bunny.net Storage",
+    supportsDynamicResize: true,
+    async upload(file, options) {
+      const key = getKey(
+        `${options?.folder ? `${options.folder}/` : ""}${options?.filename || file.name}`
+      );
+      const buffer = Buffer.from(await file.arrayBuffer());
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "PUT",
+        headers: {
+          AccessKey: config.apiKey,
+          "Content-Type": file.type
+        },
+        body: buffer
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(
+          `Bunny.net upload failed: ${response.status} ${errorText}`
+        );
+      }
+      return {
+        id: Buffer.from(key).toString("base64url"),
+        filename: options?.filename || file.name,
+        originalName: file.name,
+        mimeType: file.type,
+        size: buffer.length,
+        url: getUrl(key, config),
+        thumbnailUrl: file.type.startsWith("image/") ? getUrl(key, config) : void 0,
+        folder: options?.folder,
+        provider: "bunny",
+        metadata: options?.metadata,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    },
+    async uploadFromUrl(url) {
+      const response = await fetch(url);
+      if (!response.ok) {
+        throw new Error(`Failed to fetch: ${response.statusText}`);
+      }
+      const blob = await response.blob();
+      const filename = url.split("/").pop() || "file";
+      const file = new File([blob], filename, { type: blob.type });
+      return this.upload(file);
+    },
+    async delete(url) {
+      const key = url.replace(getUrlPrefix(config), "");
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "DELETE",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      if (!response.ok && response.status !== 404) {
+        const errorText = await response.text();
+        throw new Error(
+          `Bunny.net delete failed: ${response.status} ${errorText}`
+        );
+      }
+    },
+    async rename(oldUrl, newKey) {
+      const oldKey = oldUrl.replace(getUrlPrefix(config), "");
+      const fullPath = config.prefix ? `${config.prefix}/${newKey}` : newKey;
+      const response = await fetch(`${baseUrl}/${oldKey}`, {
+        method: "GET",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      if (!response.ok) {
+        throw new Error(`Bunny.net rename failed: could not read old file`);
+      }
+      const content = await response.arrayBuffer();
+      await fetch(`${baseUrl}/${fullPath}`, {
+        method: "PUT",
+        headers: {
+          AccessKey: config.apiKey,
+          "Content-Type": response.headers.get("Content-Type") || "application/octet-stream"
+        },
+        body: content
+      });
+      await this.delete(oldUrl);
+      return getUrl(fullPath, config);
+    },
+    getImageUrl(url, transforms) {
+      if (!transforms || Object.keys(transforms).length === 0) return url;
+      const params = new URLSearchParams({ url });
+      if (transforms.width) params.set("w", String(transforms.width));
+      if (transforms.height) params.set("h", String(transforms.height));
+      if (transforms.quality) params.set("q", String(transforms.quality));
+      if (transforms.format) params.set("f", transforms.format);
+      return `/api/media/resize?${params.toString()}`;
+    },
+    async generateThumbnail(file) {
+      return this.getImageUrl(file.url, { width: 400, height: 400 });
+    },
+    async list(prefix) {
+      const key = getKey(prefix || "");
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "GET",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(
+          `Bunny.net list failed: ${response.status} ${errorText}`
+        );
+      }
+      const items = await response.json();
+      return items.map((item) => ({
+        id: Buffer.from(item.ObjectName || "").toString("base64url"),
+        filename: item.ObjectName?.split("/").pop() || "",
+        originalName: item.ObjectName?.split("/").pop() || "",
+        mimeType: "application/octet-stream",
+        size: item.Length || 0,
+        url: getUrl(item.ObjectName || "", config),
+        provider: "bunny",
+        createdAt: item.LastChanged || (/* @__PURE__ */ new Date()).toISOString()
+      }));
+    },
+    async exists(url) {
+      const key = url.replace(getUrlPrefix(config), "");
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "HEAD",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      return response.ok;
+    },
+    async createFolder(folder) {
+      const key = getKey(`${folder}/`);
+      await fetch(`${baseUrl}/${key}`, {
+        method: "PUT",
+        headers: {
+          AccessKey: config.apiKey,
+          "Content-Length": "0"
+        },
+        body: ""
+      });
+    },
+    async deleteFolder(folder) {
+      const key = getKey(`${folder}/`);
+      await fetch(`${baseUrl}/${key}`, {
+        method: "DELETE",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+    }
+  };
+}
+var StorageProviderRegistry = class {
+  providers = /* @__PURE__ */ new Map();
+  providerToPlugin = /* @__PURE__ */ new Map();
+  disabledPlugins = /* @__PURE__ */ new Set();
+  constructor() {
+    this.registerLocal();
+    this.registerImgix();
+    this.registerBunny();
+  }
+  registerLocal() {
+    this.register({
+      type: "local",
+      displayName: "Local Server",
+      configKey: "local",
+      configFields: [
+        {
+          name: "uploadDir",
+          type: "text",
+          label: "Upload Directory",
+          defaultValue: "./public/uploads"
+        },
+        {
+          name: "baseUrl",
+          type: "text",
+          label: "Base URL",
+          defaultValue: "/uploads"
+        }
+      ],
+      extractConfig: (sc, key) => sc[key] || {},
+      extractRawConfig: (c) => {
+        const localConfig = c?.local || c;
+        const savedUploadDir = (localConfig?.uploadDir || "").trim();
+        let uploadDir;
+        if (savedUploadDir) {
+          if (path__default.default.isAbsolute(savedUploadDir)) {
+            uploadDir = savedUploadDir;
+          } else if (savedUploadDir.includes("/") || savedUploadDir.includes("\\")) {
+            uploadDir = path__default.default.resolve(process.cwd(), savedUploadDir);
+          } else {
+            uploadDir = path__default.default.join(process.cwd(), "public", savedUploadDir);
+          }
+        } else {
+          uploadDir = path__default.default.join(process.cwd(), "public", "uploads");
+        }
+        const savedBaseUrl = (localConfig?.baseUrl || "").trim();
+        let baseUrl;
+        if (savedBaseUrl) {
+          baseUrl = savedBaseUrl.startsWith("/") ? savedBaseUrl : `/${savedBaseUrl}`;
+        } else {
+          baseUrl = "/uploads";
+        }
+        return { uploadDir, baseUrl };
+      },
+      factory: (c) => createLocalStorage(c)
+    });
+  }
+  registerImgix() {
+    this.register({
+      type: "imgix",
+      displayName: "Imgix",
+      configKey: "imgix",
+      configFields: [
+        { name: "domain", type: "text", label: "Domain", required: true },
+        { name: "signKey", type: "password", label: "Sign Key" }
+      ],
+      extractConfig: (sc, key) => sc[key] || {},
+      extractRawConfig: (c) => c?.imgix || c,
+      factory: (c) => createImgixStorage(c)
+    });
+  }
+  registerBunny() {
+    this.register({
+      type: "bunny",
+      displayName: "Bunny.net",
+      configKey: "bunny",
+      configFields: [
+        {
+          name: "storageZone",
+          type: "text",
+          label: "Storage Zone",
+          required: true
+        },
+        { name: "apiKey", type: "password", label: "API Key", required: true },
+        { name: "cdnUrl", type: "text", label: "CDN URL" },
+        { name: "prefix", type: "text", label: "Path Prefix" }
+      ],
+      extractConfig: (sc, key) => sc[key] || {},
+      extractRawConfig: (c) => c?.bunny || c,
+      factory: (c) => createBunnyStorage(c)
+    });
+  }
+  register(registration) {
+    if (this.providers.has(registration.type)) {
+      console.warn(
+        `[StorageRegistry] Provider "${registration.type}" already registered, skipping`
+      );
+      return;
+    }
+    if (registration.pluginName) {
+      this.providerToPlugin.set(registration.type, registration.pluginName);
+    }
+    this.providers.set(registration.type, registration);
+  }
+  unregister(type) {
+    this.providers.delete(type);
+    this.providerToPlugin.delete(type);
+  }
+  get(type) {
+    return this.providers.get(type);
+  }
+  getAll() {
+    return Array.from(this.providers.values());
+  }
+  getAllAvailable(isPluginEnabled) {
+    const all = this.getAll();
+    if (!isPluginEnabled) return all;
+    return all.filter((p) => {
+      if (!p.pluginName) return true;
+      return isPluginEnabled(p.pluginName);
+    });
+  }
+  has(type) {
+    return this.providers.has(type);
+  }
+  async resolve(type, storageConfig) {
+    const reg = this.providers.get(type);
+    if (!reg) {
+      throw new Error(
+        `Unknown storage provider type: "${type}". Is the plugin that provides it enabled?`
+      );
+    }
+    if (reg.pluginName && this.disabledPlugins.has(reg.pluginName)) {
+      throw new Error(
+        `Storage provider "${type}" is not available (plugin "${reg.pluginName}" is disabled)`
+      );
+    }
+    const configKey = reg.configKey || type;
+    const config = reg.extractConfig(storageConfig, configKey);
+    return reg.factory(config);
+  }
+  async resolveWithConfig(type, config) {
+    const reg = this.providers.get(type);
+    if (!reg) {
+      throw new Error(
+        `Unknown storage provider type: "${type}". Is the plugin that provides it enabled?`
+      );
+    }
+    if (reg.pluginName && this.disabledPlugins.has(reg.pluginName)) {
+      throw new Error(
+        `Storage provider "${type}" is not available (plugin "${reg.pluginName}" is disabled)`
+      );
+    }
+    const providerConfig = reg.extractRawConfig(config);
+    return reg.factory(providerConfig);
+  }
+  getProviderPluginName(type) {
+    return this.providerToPlugin.get(type);
+  }
+  getAllPluginNames() {
+    return Array.from(new Set(this.providerToPlugin.values()));
+  }
+  setPluginEnabled(name, enabled) {
+    if (enabled) {
+      this.disabledPlugins.delete(name);
+    } else {
+      this.disabledPlugins.add(name);
+    }
+  }
+  isPluginEnabled(name) {
+    return !this.disabledPlugins.has(name);
+  }
+};
+var instance = null;
+function getDefaultRegistry() {
+  if (!instance) {
+    instance = new StorageProviderRegistry();
+  }
+  return instance;
+}
 function extractPublicDevUrlId(url) {
   if (!url) return "";
   if (url.startsWith("pub-")) return url;
@@ -1712,7 +2171,7 @@ function getPublicUrl(key, config) {
       return `https://${config.bucket}.s3.${config.region}.amazonaws.com/${normalizedKey}`;
   }
 }
-function getUrlPrefix(config) {
+function getUrlPrefix2(config) {
   if (config.cdnUrl) {
     return config.cdnUrl.replace(/\/$/, "") + "/";
   }
@@ -1780,11 +2239,11 @@ function createS3Storage(config) {
       })
     }
   });
-  const getKey = (path2) => {
+  const getKey = (path3) => {
     const prefix = config.prefix ? `${config.prefix}/` : "";
-    return `${prefix}${path2}`.replace(/\/+/g, "/");
+    return `${prefix}${path3}`.replace(/\/+/g, "/");
   };
-  const getUrl = (key) => getPublicUrl(key, config);
+  const getUrl2 = (key) => getPublicUrl(key, config);
   return {
     name: config.provider,
     displayName: getDisplayName(config.provider),
@@ -1815,8 +2274,8 @@ function createS3Storage(config) {
         originalName: file.name,
         mimeType: file.type,
         size: buffer.length,
-        url: getUrl(key),
-        thumbnailUrl: file.type.startsWith("image/") ? getUrl(key) : void 0,
+        url: getUrl2(key),
+        thumbnailUrl: file.type.startsWith("image/") ? getUrl2(key) : void 0,
         folder: options?.folder,
         provider: config.provider,
         metadata: {
@@ -1837,7 +2296,7 @@ function createS3Storage(config) {
       return this.upload(file);
     },
     async delete(url) {
-      const key = url.replace(getUrlPrefix(config), "");
+      const key = url.replace(getUrlPrefix2(config), "");
       await client.send(
         new clientS3.DeleteObjectCommand({
           Bucket: config.bucket,
@@ -1846,7 +2305,7 @@ function createS3Storage(config) {
       );
     },
     async rename(oldUrl, newKey) {
-      const oldKey = oldUrl.replace(getUrlPrefix(config), "");
+      const oldKey = oldUrl.replace(getUrlPrefix2(config), "");
       const newKeyWithPrefix = config.prefix ? `${config.prefix}/${newKey}` : newKey;
       await client.send(
         new clientS3.CopyObjectCommand({
@@ -1861,7 +2320,7 @@ function createS3Storage(config) {
           Key: oldKey
         })
       );
-      return getUrl(newKeyWithPrefix);
+      return getUrl2(newKeyWithPrefix);
     },
     getImageUrl(url, transforms) {
       if (!transforms || Object.keys(transforms).length === 0) return url;
@@ -1889,14 +2348,14 @@ function createS3Storage(config) {
         originalName: item.Key?.split("/").pop() || "",
         mimeType: "application/octet-stream",
         size: item.Size || 0,
-        url: getUrl(item.Key || ""),
+        url: getUrl2(item.Key || ""),
         provider: config.provider,
         createdAt: item.LastModified?.toISOString() || (/* @__PURE__ */ new Date()).toISOString()
       }));
     },
     async exists(url) {
       try {
-        const key = url.replace(getUrlPrefix(config), "");
+        const key = url.replace(getUrlPrefix2(config), "");
         await client.send(
           new clientS3.HeadObjectCommand({
             Bucket: config.bucket,
@@ -1956,9 +2415,9 @@ function createS3Storage(config) {
 function createCloudinaryStorage(config) {
   const getBaseUrl = () => `https://api.cloudinary.com/v1_1/${config.cloudName}/upload`;
   const generateSignature = async (params) => {
-    const crypto3 = await import('crypto');
+    const crypto4 = await import('crypto');
     const sortedParams = Object.keys(params).sort().map((key) => `${key}=${params[key]}`).join("&");
-    return crypto3.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
+    return crypto4.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
   };
   return {
     name: "cloudinary",
@@ -2060,8 +2519,8 @@ function createCloudinaryStorage(config) {
           public_id: publicId
         };
         const sortedParams = Object.keys(signatureParams).sort().map((key) => `${key}=${signatureParams[key]}`).join("&");
-        const crypto3 = await import('crypto');
-        const signature = crypto3.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
+        const crypto4 = await import('crypto');
+        const signature = crypto4.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
         const deleteUrl = `https://api.cloudinary.com/v1_1/${config.cloudName}/image/destroy`;
         const formData = new FormData();
         formData.append("public_id", publicId);
@@ -2112,8 +2571,8 @@ function createCloudinaryStorage(config) {
           timestamp: String(timestamp)
         };
         const sortedParams = Object.keys(signatureParams).sort().map((key) => `${key}=${signatureParams[key]}`).join("&");
-        const crypto3 = await import('crypto');
-        const signature = crypto3.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
+        const crypto4 = await import('crypto');
+        const signature = crypto4.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
         const formData = new FormData();
         formData.append("from_public_id", publicIdWithoutVersion);
         formData.append("to_public_id", newPublicId);
@@ -2184,112 +2643,6 @@ function createCloudinaryStorage(config) {
     }
   };
 }
-
-// src/storage/imgix.ts
-function createImgixStorage(config) {
-  const signUrl = (path2, params) => {
-    if (!config.signKey) return path2;
-    const signer = new TextEncoder();
-    const key = signer.encode(config.signKey);
-    const data = signer.encode(path2 + params.toString());
-    let hash = 0;
-    const combined = new Uint8Array(key.length + data.length);
-    combined.set(key);
-    combined.set(data, key.length);
-    for (let i = 0; i < combined.length; i++) {
-      hash = (hash << 5) - hash + combined[i] | 0;
-    }
-    params.set("s", Math.abs(hash).toString(16));
-    return path2;
-  };
-  return {
-    name: "imgix",
-    displayName: "Imgix",
-    supportsDynamicResize: true,
-    async upload(_file, _options) {
-      throw new Error(
-        "Imgix is a transformation service. Use another provider for uploads."
-      );
-    },
-    async uploadFromUrl(url, options) {
-      const filename = options?.filename || url.split("/").pop() || "file";
-      const response = await fetch(url);
-      if (!response.ok) {
-        throw new Error(`Failed to fetch: ${response.statusText}`);
-      }
-      const blob = await response.blob();
-      new File([blob], filename, { type: blob.type });
-      return {
-        id: Buffer.from(url).toString("base64").slice(0, 20),
-        filename,
-        originalName: filename,
-        mimeType: blob.type,
-        size: blob.size,
-        url: this.getImageUrl(url),
-        thumbnailUrl: this.getImageUrl(url, {
-          width: 200,
-          height: 200,
-          fit: "crop"
-        }),
-        provider: "imgix",
-        createdAt: (/* @__PURE__ */ new Date()).toISOString()
-      };
-    },
-    async delete(_url) {
-    },
-    async rename(_oldUrl, newKey) {
-      return `https://${config.domain}/${newKey}`;
-    },
-    getImageUrl(url, transforms) {
-      const parsed = new URL(url);
-      const params = new URLSearchParams(parsed.search);
-      if (config.defaultParameters) {
-        Object.entries(config.defaultParameters).forEach(([key, value]) => {
-          if (!params.has(key)) {
-            params.set(key, value);
-          }
-        });
-      }
-      if (transforms) {
-        if (transforms.width) params.set("w", String(transforms.width));
-        if (transforms.height) params.set("h", String(transforms.height));
-        if (transforms.quality) params.set("q", String(transforms.quality));
-        if (transforms.format) params.set("fm", transforms.format);
-        if (transforms.fit) params.set("fit", transforms.fit);
-        if (transforms.blur) params.set("blur", String(transforms.blur));
-        if (transforms.sharpen) params.set("sharp", String(transforms.sharpen));
-      }
-      params.set("auto", "compress,format");
-      parsed.pathname + "?" + params.toString();
-      if (config.signKey) {
-        signUrl(parsed.pathname + params.toString(), params);
-      }
-      return `https://${config.domain}${parsed.pathname}${params.toString() ? "?" + params.toString() : ""}`;
-    },
-    async generateThumbnail(file) {
-      return this.getImageUrl(file.url, {
-        width: 200,
-        height: 200,
-        fit: "crop"
-      });
-    },
-    async list() {
-      return [];
-    },
-    async exists(url) {
-      try {
-        const response = await fetch(url, { method: "HEAD" });
-        return response.ok;
-      } catch {
-        return false;
-      }
-    },
-    async createFolder() {
-    },
-    async deleteFolder() {
-    }
-  };
-}
 function createFtpStorage(config) {
   let client = null;
   async function getClient() {
@@ -2307,15 +2660,15 @@ function createFtpStorage(config) {
     }
     return client;
   }
-  const getKey = (path2) => {
+  const getKey = (path3) => {
     const prefix = config.prefix ? `${config.prefix}/` : "";
-    return `${prefix}${path2}`.replace(/\/+/g, "/");
+    return `${prefix}${path3}`.replace(/\/+/g, "/");
   };
-  const getUrl = (key) => {
+  const getUrl2 = (key) => {
     const base = config.baseUrl.replace(/\/$/, "");
     return `${base}/${key}`;
   };
-  const getUrlPrefix2 = () => {
+  const getUrlPrefix3 = () => {
     const base = config.baseUrl.replace(/\/$/, "");
     return base + "/";
   };
@@ -2346,8 +2699,8 @@ function createFtpStorage(config) {
         originalName: file.name,
         mimeType: file.type,
         size: buffer.length,
-        url: getUrl(key),
-        thumbnailUrl: file.type.startsWith("image/") ? getUrl(key) : void 0,
+        url: getUrl2(key),
+        thumbnailUrl: file.type.startsWith("image/") ? getUrl2(key) : void 0,
         folder: options?.folder,
         provider: config.type,
         metadata: options?.metadata,
@@ -2366,15 +2719,15 @@ function createFtpStorage(config) {
     },
     async delete(url) {
       const ftp = await getClient();
-      const key = url.replace(getUrlPrefix2(), "");
+      const key = url.replace(getUrlPrefix3(), "");
       await ftp.remove(key);
     },
     async rename(oldUrl, newKey) {
       const ftp = await getClient();
-      const oldKey = oldUrl.replace(getUrlPrefix2(), "");
+      const oldKey = oldUrl.replace(getUrlPrefix3(), "");
       const fullPath = config.prefix ? `${config.prefix}/${newKey}` : newKey;
       await ftp.rename(oldKey, fullPath);
-      return getUrl(fullPath);
+      return getUrl2(fullPath);
     },
     getImageUrl(url, transforms) {
       if (!transforms || Object.keys(transforms).length === 0) return url;
@@ -2403,14 +2756,14 @@ function createFtpStorage(config) {
         originalName: item.name,
         mimeType: "application/octet-stream",
         size: Number(item.size) || 0,
-        url: getUrl(`${key}/${item.name}`.replace(/\/+/g, "/")),
+        url: getUrl2(`${key}/${item.name}`.replace(/\/+/g, "/")),
         provider: config.type,
         createdAt: item.modifiedAt ? item.modifiedAt.toISOString() : (/* @__PURE__ */ new Date()).toISOString()
       }));
     },
     async exists(url) {
       const ftp = await getClient();
-      const key = url.replace(getUrlPrefix2(), "");
+      const key = url.replace(getUrlPrefix3(), "");
       try {
         await ftp.size(key);
         return true;
@@ -2434,105 +2787,17 @@ function createFtpStorage(config) {
 // src/storage/index.ts
 async function resolveProvider(configService) {
   const config = configService.getStorageConfig();
-  switch (config.type) {
-    case "aws":
-      return createS3Storage({
-        provider: "aws",
-        bucket: config.s3.bucket || "",
-        region: config.s3.region || "us-east-1",
-        accessKeyId: config.s3.accessKeyId || "",
-        secretAccessKey: config.s3.secretAccessKey || "",
-        endpoint: config.s3.endpoint,
-        cdnUrl: config.s3.cdnUrl,
-        prefix: config.s3.prefix
-      });
-    case "r2":
-      return createS3Storage({
-        provider: "r2",
-        bucket: config.r2.bucket || "",
-        region: "auto",
-        accessKeyId: config.r2.accessKeyId || "",
-        secretAccessKey: config.r2.secretAccessKey || "",
-        accountId: config.r2.accountId || "",
-        publicDevUrl: config.r2.publicDevUrl,
-        endpoint: `https://${config.r2.accountId || ""}.r2.cloudflarestorage.com`,
-        cdnUrl: config.r2.cdnUrl,
-        prefix: config.r2.prefix
-      });
-    case "gcs":
-      return createS3Storage({
-        provider: "gcs",
-        bucket: config.gcs.bucket || "",
-        region: config.gcs.projectId || "auto",
-        accessKeyId: config.gcs.clientEmail || "",
-        secretAccessKey: config.gcs.privateKey || "",
-        cdnUrl: config.gcs.cdnUrl,
-        prefix: config.gcs.prefix
-      });
-    case "digitalocean":
-      return createS3Storage({
-        provider: "digitalocean",
-        bucket: config.digitalocean.bucket || "",
-        region: config.digitalocean.region || "nyc3",
-        accessKeyId: config.digitalocean.accessKeyId || "",
-        secretAccessKey: config.digitalocean.secretAccessKey || "",
-        endpoint: `https://${config.digitalocean.region || "nyc3"}.digitaloceanspaces.com`,
-        cdnUrl: config.digitalocean.cdnUrl,
-        prefix: config.digitalocean.prefix
-      });
-    case "backblaze":
-      return createS3Storage({
-        provider: "backblaze",
-        bucket: config.backblaze.bucket || "",
-        region: "auto",
-        accessKeyId: config.backblaze.applicationKeyId || "",
-        secretAccessKey: config.backblaze.applicationKey || "",
-        accountId: config.backblaze.accountId || "",
-        endpoint: `https://s3.backblazeb2.com`,
-        cdnUrl: config.backblaze.cdnUrl,
-        prefix: config.backblaze.prefix
-      });
-    case "wasabi":
-      return createS3Storage({
-        provider: "wasabi",
-        bucket: config.wasabi.bucket || "",
-        region: config.wasabi.region || "us-east-1",
-        accessKeyId: config.wasabi.accessKeyId || "",
-        secretAccessKey: config.wasabi.secretAccessKey || "",
-        endpoint: `https://s3.${config.wasabi.region || "us-east-1"}.wasabisys.com`,
-        cdnUrl: config.wasabi.cdnUrl,
-        prefix: config.wasabi.prefix
-      });
-    case "ftp":
-    case "sftp":
-      return createFtpStorage({
-        host: config.ftp?.host || "",
-        port: config.ftp?.port || 21,
-        user: config.ftp?.user || "",
-        password: config.ftp?.password || "",
-        secure: config.ftp?.secure || false,
-        baseUrl: config.ftp?.baseUrl || "",
-        prefix: config.ftp?.prefix,
-        type: "ftp"
-      });
-    case "cloudinary":
-      return createCloudinaryStorage({
-        cloudName: config.cloudinary.cloudName || "",
-        apiKey: config.cloudinary.apiKey || "",
-        apiSecret: config.cloudinary.apiSecret || "",
-        folder: config.cloudinary.folder
-      });
-    case "imgix":
-      return createImgixStorage({
-        domain: config.imgix.domain || "",
-        signKey: config.imgix.signKey
-      });
-    case "local":
-    default:
-      return createLocalStorage({
-        uploadDir: config.local.uploadDir || path__default.default.join(process.cwd(), "public", "uploads"),
-        baseUrl: config.local.baseUrl || "/uploads"
-      });
+  const registry = getDefaultRegistry();
+  try {
+    return await registry.resolve(config.type, config);
+  } catch (err) {
+    console.warn(
+      `[resolveProvider] ${err.message} \u2014 falling back to local storage`
+    );
+    return createLocalStorage({
+      uploadDir: path__default.default.join(process.cwd(), "public", "uploads"),
+      baseUrl: "/uploads"
+    });
   }
 }
 async function resolveProviderWithConfig(config) {
@@ -2543,121 +2808,18 @@ async function resolveProviderWithConfig(config) {
       baseUrl: "/uploads"
     });
   }
-  console.log("[resolveProviderWithConfig] Creating provider:", config.type);
-  switch (config.type) {
-    case "aws":
-      return createS3Storage({
-        provider: "aws",
-        bucket: config.s3?.bucket || "",
-        region: config.s3?.region || "us-east-1",
-        accessKeyId: config.s3?.accessKeyId || "",
-        secretAccessKey: config.s3?.secretAccessKey || "",
-        endpoint: config.s3?.endpoint,
-        cdnUrl: config.s3?.cdnUrl,
-        prefix: config.s3?.prefix
-      });
-    case "r2":
-      return createS3Storage({
-        provider: "r2",
-        bucket: config.r2?.bucket || "",
-        region: "auto",
-        accessKeyId: config.r2?.accessKeyId || "",
-        secretAccessKey: config.r2?.secretAccessKey || "",
-        accountId: config.r2?.accountId || "",
-        publicDevUrl: config.r2?.publicDevUrl,
-        endpoint: `https://${config.r2?.accountId || ""}.r2.cloudflarestorage.com`,
-        cdnUrl: config.r2?.cdnUrl,
-        prefix: config.r2?.prefix
-      });
-    case "gcs":
-      return createS3Storage({
-        provider: "gcs",
-        bucket: config.gcs?.bucket || "",
-        region: config.gcs?.projectId || "auto",
-        accessKeyId: config.gcs?.clientEmail || "",
-        secretAccessKey: config.gcs?.privateKey || "",
-        cdnUrl: config.gcs?.cdnUrl,
-        prefix: config.gcs?.prefix
-      });
-    case "digitalocean":
-      return createS3Storage({
-        provider: "digitalocean",
-        bucket: config.digitalocean?.bucket || "",
-        region: config.digitalocean?.region || "nyc3",
-        accessKeyId: config.digitalocean?.accessKeyId || "",
-        secretAccessKey: config.digitalocean?.secretAccessKey || "",
-        cdnUrl: config.digitalocean?.cdnUrl,
-        prefix: config.digitalocean?.prefix
-      });
-    case "backblaze":
-      return createS3Storage({
-        provider: "backblaze",
-        bucket: config.backblaze?.bucket || "",
-        region: "auto",
-        accessKeyId: config.backblaze?.applicationKeyId || "",
-        secretAccessKey: config.backblaze?.applicationKey || "",
-        cdnUrl: config.backblaze?.cdnUrl,
-        prefix: config.backblaze?.prefix
-      });
-    case "wasabi":
-      return createS3Storage({
-        provider: "wasabi",
-        bucket: config.wasabi?.bucket || "",
-        region: config.wasabi?.region || "us-east-1",
-        accessKeyId: config.wasabi?.accessKeyId || "",
-        secretAccessKey: config.wasabi?.secretAccessKey || "",
-        cdnUrl: config.wasabi?.cdnUrl,
-        prefix: config.wasabi?.prefix
-      });
-    case "cloudinary":
-      return createCloudinaryStorage({
-        cloudName: config.cloudinary?.cloudName || "",
-        apiKey: config.cloudinary?.apiKey || "",
-        apiSecret: config.cloudinary?.apiSecret || "",
-        folder: config.cloudinary?.folder
-      });
-    case "ftp":
-    case "sftp": {
-      const ftpConf = config.ftp || config;
-      return createFtpStorage({
-        type: "ftp",
-        host: ftpConf.host || "",
-        port: ftpConf.port || 21,
-        user: ftpConf.user || "",
-        password: ftpConf.password || "",
-        secure: ftpConf.secure || false,
-        baseUrl: ftpConf.baseUrl || "",
-        prefix: ftpConf.prefix
-      });
-    }
-    case "local":
-    default: {
-      const localConfig = config.local || {
-        uploadDir: config["local.uploadDir"],
-        baseUrl: config["local.baseUrl"]
-      };
-      const savedUploadDir = (localConfig?.uploadDir || "").trim();
-      let uploadDir;
-      if (savedUploadDir) {
-        if (path__default.default.isAbsolute(savedUploadDir)) {
-          uploadDir = savedUploadDir;
-        } else if (savedUploadDir.includes("/") || savedUploadDir.includes("\\")) {
-          uploadDir = path__default.default.resolve(process.cwd(), savedUploadDir);
-        } else {
-          uploadDir = path__default.default.join(process.cwd(), "public", savedUploadDir);
-        }
-      } else {
-        uploadDir = path__default.default.join(process.cwd(), "public", "uploads");
-      }
-      const savedBaseUrl = (localConfig?.baseUrl || "").trim();
-      let baseUrl;
-      if (savedBaseUrl) {
-        baseUrl = savedBaseUrl.startsWith("/") ? savedBaseUrl : `/${savedBaseUrl}`;
-      } else {
-        baseUrl = "/uploads";
-      }
-      return createLocalStorage({ uploadDir, baseUrl });
-    }
+  const type = config.type || "local";
+  const registry = getDefaultRegistry();
+  try {
+    return await registry.resolveWithConfig(type, config);
+  } catch (err) {
+    console.warn(
+      `[resolveProviderWithConfig] ${err.message} \u2014 falling back to local storage`
+    );
+    return createLocalStorage({
+      uploadDir: path__default.default.join(process.cwd(), "public", "uploads"),
+      baseUrl: "/uploads"
+    });
   }
 }
 async function processImage(buffer) {
@@ -2686,14 +2848,14 @@ var MediaService = class _MediaService {
     this.db = db;
     this.storage = storage2;
     this.dialect = options?.dialect || "sqlite";
-    this.genId = options?.genId || chunk2KVHZE6O_cjs.genId;
+    this.genId = options?.genId || chunkCOIASRDK_cjs.genId;
   }
   static async init(db, options) {
     let storage2;
     if (options?.storageConfig) {
       storage2 = await resolveProviderWithConfig(options.storageConfig);
     } else {
-      const configService = new chunkIA6AU5PI_cjs.ConfigService(db);
+      const configService = new chunkWNCYAKF3_cjs.ConfigService(db);
       if (typeof db?.select === "function") {
         await configService.load();
       }
@@ -3261,13 +3423,38 @@ var MediaService = class _MediaService {
     }
   }
 };
-
-// src/api/rest/hono-app.ts
+function formatZodErrors(errors) {
+  return errors.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ");
+}
+function convertRichtextFields(fields, data) {
+  if (!data || typeof data !== "object") return;
+  for (const field of fields) {
+    if (field.type === "richtext" && field.name) {
+      const val = data[field.name];
+      if (typeof val === "string") {
+        data[field.name] = [{ type: "paragraph", children: [{ text: val }] }];
+      } else if (val && typeof val === "object" && !Array.isArray(val) && val.type === "doc" && Array.isArray(val.content)) {
+        data[field.name] = val.content;
+      }
+    }
+    if (field.type === "tabs" && field.name && Array.isArray(field.tabs) && data[field.name] && typeof data[field.name] === "object") {
+      for (const tab of field.tabs) {
+        if (Array.isArray(tab.fields)) convertRichtextFields(tab.fields, data[field.name]);
+      }
+    } else if ((field.type === "group" || field.type === "collapsible") && field.name && Array.isArray(field.fields) && data[field.name] && typeof data[field.name] === "object") {
+      convertRichtextFields(field.fields, data[field.name]);
+    } else if (field.type === "array" && field.name && Array.isArray(field.fields) && Array.isArray(data[field.name])) {
+      for (const item of data[field.name]) {
+        if (item && typeof item === "object") convertRichtextFields(field.fields, item);
+      }
+    }
+  }
+}
 var COLLECTION_EVENT_MAP = {
   _media: {
-    create: chunkIBG6V56E_cjs.WEBHOOK_EVENTS.MEDIA_UPLOAD,
-    update: chunkIBG6V56E_cjs.WEBHOOK_EVENTS.MEDIA_UPLOAD,
-    delete: chunkIBG6V56E_cjs.WEBHOOK_EVENTS.MEDIA_DELETE
+    create: chunkQFLB4EIJ_cjs.WEBHOOK_EVENTS.MEDIA_UPLOAD,
+    update: chunkQFLB4EIJ_cjs.WEBHOOK_EVENTS.MEDIA_UPLOAD,
+    delete: chunkQFLB4EIJ_cjs.WEBHOOK_EVENTS.MEDIA_DELETE
   }
 };
 function getWebhookEvent(collection, operation) {
@@ -3326,7 +3513,7 @@ async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTen
   };
   const isDefaultAllowed = accessLevels[defaultCollectionAccess] || false;
   if (accessRule) {
-    const allowed = await chunkR3XIBBAW_cjs.evaluateAccess(accessRule, {
+    const allowed = await chunk4M7X5HAB_cjs.evaluateAccess(accessRule, {
       req,
       user: ctxUser,
       tenantID: ctxTenantID
@@ -3348,7 +3535,7 @@ async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTen
     const resource = collection.slug;
     const action = operation === "read" ? "read" : operation === "create" ? "create" : "update";
     const permission = `${resource}:${action}`;
-    if (!chunkIBG6V56E_cjs.hasApiKeyPermission(apiKeyContext.permissions, permission) && !chunkIBG6V56E_cjs.hasApiKeyPermission(apiKeyContext.permissions, `${resource}:admin`)) {
+    if (!chunk4M7X5HAB_cjs.hasApiKeyPermission(apiKeyContext.permissions, permission) && !chunk4M7X5HAB_cjs.hasApiKeyPermission(apiKeyContext.permissions, `${resource}:admin`)) {
       return {
         allowed: false,
         error: `Missing permission: ${permission}`,
@@ -3362,14 +3549,14 @@ async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTen
     const permission = `${resource}:${action}`;
     let rbacAllowed = false;
     if (ctxUser.role) {
-      const userHasPermission = chunkSA7NSSIQ_cjs.hasPermission(
+      const userHasPermission = chunkNKPKR5BW_cjs.hasPermission(
         { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role },
         permission
       );
       if (userHasPermission) {
         rbacAllowed = true;
       } else {
-        const adminPermission = chunkSA7NSSIQ_cjs.hasPermission(
+        const adminPermission = chunkNKPKR5BW_cjs.hasPermission(
           { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role },
           `${resource}:admin`
         );
@@ -3389,7 +3576,7 @@ async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTen
 async function checkGlobalAccess(global, operation, req, ctxUser, ctxTenantID, enablePublicAccess = true) {
   const accessRule = global.access?.[operation];
   if (accessRule) {
-    const allowed = await chunkR3XIBBAW_cjs.evaluateAccess(accessRule, {
+    const allowed = await chunk4M7X5HAB_cjs.evaluateAccess(accessRule, {
       req,
       user: ctxUser,
       tenantID: ctxTenantID
@@ -3415,42 +3602,41 @@ async function checkGlobalAccess(global, operation, req, ctxUser, ctxTenantID, e
   return { allowed: true };
 }
 async function resolveAuthContext(req, authMw, staticUser, staticTenantID) {
-  if (!authMw) {
+  if (staticUser) {
     return {
       user: staticUser,
       tenantID: staticTenantID,
-      apiKeyContext: void 0
+      apiKeyContext: void 0,
+      authType: "static"
     };
   }
-  let result;
-  try {
-    result = await authMw(req);
-  } catch (err) {
-    return {
-      user: staticUser,
-      tenantID: staticTenantID,
-      apiKeyContext: void 0
-    };
-  }
-  if (result.status === 401) {
-    return { user: void 0, tenantID: void 0, apiKeyContext: void 0 };
+  if (authMw) {
+    const res = await authMw(req);
+    if (res.status === 200 && res.user) {
+      return {
+        user: res.user,
+        tenantID: res.tenantContext?.tenantId,
+        apiKeyContext: res.apiKeyContext,
+        authType: res.authType
+      };
+    }
   }
   return {
-    user: result.user || staticUser,
-    tenantID: result.tenantContext?.tenantId || staticTenantID,
-    apiKeyContext: result.apiKeyContext,
-    authType: result.authType
+    user: void 0,
+    tenantID: void 0,
+    apiKeyContext: void 0,
+    authType: void 0
   };
 }
 function createDefaultAuthAdapter(db, rootDir) {
-  if (db instanceof chunk2KVHZE6O_cjs.DrizzleAdapter && db.dialect === "postgres") {
-    return new chunk2OL4O2TH_cjs.PostgresAuthAdapter({ db: db.client });
+  if (db instanceof chunkCOIASRDK_cjs.DrizzleAdapter && db.dialect === "postgres") {
+    return new chunkC36TMDTY_cjs.PostgresAuthAdapter({ db: db.client });
   }
-  if (db instanceof chunkPDYFVNUX_cjs.MongoDBAdapter) {
-    return new chunk4DA7QPLA_cjs.MongoDBAuthAdapter({ db: db.db });
+  if (db instanceof chunkV2TVSCV5_cjs.MongoDBAdapter) {
+    return new chunkGXFOGU7N_cjs.MongoDBAuthAdapter({ db: db.db });
   }
   const defaultAuthDbPath = path.resolve(rootDir, "data", "kyro.db");
-  return new chunkI7HHI6QV_cjs.SQLiteAuthAdapter({
+  return new chunkIDVRRRAK_cjs.SQLiteAuthAdapter({
     path: process.env.KYRO_AUTH_DB_PATH || defaultAuthDbPath
   });
 }
@@ -3554,78 +3740,15 @@ function createHonoApp(options) {
     rateLimiter
   });
   app.post("/api/auth/login", async (c) => authRoutes.login(c.req.raw));
-  app.post("/api/auth/register", async (c) => authRoutes.register(c.req.raw));
-  app.post("/api/auth/logout", async (c) => authRoutes.logout(c.req.raw));
-  app.post("/api/auth/refresh", async (c) => authRoutes.refresh(c.req.raw));
-  app.get("/api/auth/me", async (c) => authRoutes.me(c.req.raw));
-  app.get("/api/auth/sessions", async (c) => authRoutes.listSessions(c.req.raw));
-  app.post("/api/auth/sessions/refresh", async (c) => authRoutes.refreshSession(c.req.raw));
-  app.delete("/api/auth/sessions", async (c) => authRoutes.revokeOtherSessions(c.req.raw));
-  app.delete("/api/auth/sessions/:id", async (c) => authRoutes.revokeSession(c.req.raw, c.req.param("id")));
-  app.put("/api/auth/sessions/:id/name", async (c) => authRoutes.renameSession(c.req.raw, c.req.param("id")));
-  app.post("/api/graphql", async (c) => {
-    try {
-      const req = c.req.raw;
-      const apiKeyRaw = chunkIBG6V56E_cjs.extractApiKeyFromRequest(req);
-      if (apiKeyRaw && db) {
-        const apiKeyResult = await chunkIBG6V56E_cjs.validateApiKey(apiKeyRaw, db);
-        if (!apiKeyResult.valid) {
-          return c.json({ errors: [{ message: apiKeyResult.error || "Invalid API key" }] }, 401);
-        }
-        const apiKeyId = apiKeyResult.apiKeyId || "";
-        await sessionAuthAdapter?.createAuditLog({
-          action: "api_key_request",
-          userId: apiKeyResult.userId || "",
-          resource: "api_key",
-          resourceId: apiKeyId,
-          success: true,
-          metadata: {
-            endpoint: "/api/graphql",
-            method: "POST",
-            ip: extractIp(req)
-          }
-        });
-      }
-      const body = await req.json().catch(() => ({}));
-      const { query, variables } = body;
-      if (!query) {
-        return c.json({ errors: [{ message: "No query provided" }] }, 400);
-      }
-      let gqlUser;
-      let apiKeyCtx;
-      if (apiKeyRaw && db) {
-        const apiKeyResult = await chunkIBG6V56E_cjs.validateApiKey(apiKeyRaw, db);
-        if (apiKeyResult.valid && apiKeyResult.user) {
-          gqlUser = apiKeyResult.user;
-          apiKeyCtx = chunkIBG6V56E_cjs.createApiKeyContext(apiKeyResult);
-        }
-      }
-      const schema = chunkVJT6P4N6_cjs.buildGraphQLSchema({
-        registry,
-        db,
-        user: gqlUser,
-        req,
-        settings
-      });
-      const document = graphql.parse(query);
-      const result = await graphql.execute({
-        schema,
-        document,
-        variableValues: variables,
-        contextValue: { user: gqlUser, apiKeyContext: apiKeyCtx, req, db }
-      });
-      return c.json(result);
-    } catch (error) {
-      if (error.message?.includes("GraphQL is disabled")) {
-        return c.json({ errors: [{ message: "GraphQL API is disabled" }] }, 403);
-      }
-      if (error instanceof SyntaxError) {
-        return c.json({ errors: [{ message: "Invalid request body" }] }, 400);
-      }
-      console.error("[GraphQL] execution error:", error);
-      return c.json({ errors: [{ message: error.message || "GraphQL execution failed" }] }, 500);
-    }
-  });
+  app.post("/api/auth/register", async (c) => authRoutes.register(c.req.raw));
+  app.post("/api/auth/logout", async (c) => authRoutes.logout(c.req.raw));
+  app.post("/api/auth/refresh", async (c) => authRoutes.refresh(c.req.raw));
+  app.get("/api/auth/me", async (c) => authRoutes.me(c.req.raw));
+  app.get("/api/auth/sessions", async (c) => authRoutes.listSessions(c.req.raw));
+  app.post("/api/auth/sessions/refresh", async (c) => authRoutes.refreshSession(c.req.raw));
+  app.delete("/api/auth/sessions", async (c) => authRoutes.revokeOtherSessions(c.req.raw));
+  app.delete("/api/auth/sessions/:id", async (c) => authRoutes.revokeSession(c.req.raw, c.req.param("id")));
+  app.put("/api/auth/sessions/:id/name", async (c) => authRoutes.renameSession(c.req.raw, c.req.param("id")));
   app.get("/api/auth/access", async (c) => {
     try {
       const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(
@@ -3710,7 +3833,13 @@ function createHonoApp(options) {
       return c.json({ error: error.message }, 500);
     }
   });
-  const usersCollection = registry.getCollection("users");
+  const usersCollection2 = typeof registry.hasCollection === "function" && registry.hasCollection("users") ? registry.getCollection("users") : (() => {
+    try {
+      return registry.getCollection("users");
+    } catch {
+      return chunkKC2GDBLS_cjs.usersCollection;
+    }
+  })();
   app.get("/api/users", async (c) => {
     try {
       const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(
@@ -3720,7 +3849,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "read",
         c.req.raw,
         ctxUser,
@@ -3765,19 +3894,6 @@ function createHonoApp(options) {
         user,
         tenantID
       );
-      const access = await checkCollectionAccess(
-        usersCollection,
-        "read",
-        c.req.raw,
-        ctxUser,
-        ctxTenantID,
-        void 0,
-        enablePublicAccess,
-        defaultCollectionAccess
-      );
-      if (!access.allowed) {
-        return c.json({ error: access.error }, access.status || 403);
-      }
       const id = c.req.param("id");
       const found = await sessionAuthAdapter.findUserById(id);
       if (!found) {
@@ -3797,7 +3913,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "create",
         c.req.raw,
         ctxUser,
@@ -3822,8 +3938,18 @@ function createHonoApp(options) {
         password: body.password,
         name: body.name,
         role: body.role || "customer",
+        avatar: body.avatar,
         tenantId: body.tenantId
       });
+      if (ctxUser) {
+        sessionAuthAdapter?.createAuditLog({
+          action: "user_create",
+          userId: ctxUser.id,
+          resource: "users",
+          resourceId: created.id,
+          success: true
+        });
+      }
       return c.json(
         { data: created, message: "User created successfully" },
         201
@@ -3841,7 +3967,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "update",
         c.req.raw,
         ctxUser,
@@ -3863,6 +3989,9 @@ function createHonoApp(options) {
       if (body.name !== void 0) updateData.name = body.name;
       if (body.email !== void 0) updateData.email = body.email;
       if (body.role !== void 0) updateData.role = body.role;
+      if (body.avatar !== void 0) {
+        updateData.avatar = typeof body.avatar === "object" && body.avatar !== null ? body.avatar.id || String(body.avatar) : body.avatar;
+      }
       if (body.tenantId !== void 0) updateData.tenantId = body.tenantId;
       if (body.emailVerified !== void 0)
         updateData.emailVerified = body.emailVerified;
@@ -3874,6 +4003,25 @@ function createHonoApp(options) {
       if (!updated) {
         return c.json({ error: "User update failed" }, 500);
       }
+      if (ctxUser) {
+        sessionAuthAdapter?.createAuditLog({
+          action: "user_update",
+          userId: ctxUser.id,
+          resource: "users",
+          resourceId: id,
+          success: true
+        });
+        if (body.role && existing.role !== body.role) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "role_change",
+            userId: ctxUser.id,
+            resource: "users",
+            resourceId: id,
+            success: true,
+            metadata: { oldRole: existing.role, newRole: body.role }
+          });
+        }
+      }
       return c.json({ data: updated, message: "User updated successfully" });
     } catch (error) {
       return c.json({ error: error.message }, 500);
@@ -3888,7 +4036,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "delete",
         c.req.raw,
         ctxUser,
@@ -3912,6 +4060,15 @@ function createHonoApp(options) {
       if (!deleted) {
         return c.json({ error: "User deletion failed" }, 500);
       }
+      if (ctxUser) {
+        sessionAuthAdapter?.createAuditLog({
+          action: "user_delete",
+          userId: ctxUser.id,
+          resource: "users",
+          resourceId: id,
+          success: true
+        });
+      }
       return c.json({ data: existing, message: "User deleted successfully" });
     } catch (error) {
       return c.json({ error: error.message }, 500);
@@ -3980,8 +4137,8 @@ function createHonoApp(options) {
     }
     if (!mediaService) {
       try {
-        const dialect = db instanceof chunk2KVHZE6O_cjs.DrizzleAdapter ? db.dialect : "sqlite";
-        const mediaDb = dialect === "postgres" && db instanceof chunk2KVHZE6O_cjs.DrizzleAdapter ? db.client : db;
+        const dialect = db instanceof chunkCOIASRDK_cjs.DrizzleAdapter ? db.dialect : "sqlite";
+        const mediaDb = dialect === "postgres" && db instanceof chunkCOIASRDK_cjs.DrizzleAdapter ? db.client : db;
         mediaService = await MediaService.init(mediaDb, { dialect });
       } catch (error) {
         console.error("[getMedia] Init error:", error);
@@ -4068,11 +4225,11 @@ function createHonoApp(options) {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
       if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
       const service = await getMedia();
-      const path2 = c.req.query("path");
-      if (!path2) {
+      const path3 = c.req.query("path");
+      if (!path3) {
         return c.json({ error: "Path is required" }, 400);
       }
-      await service.deleteFolder(path2);
+      await service.deleteFolder(path3);
       return c.json({ message: "Folder deleted" });
     } catch (error) {
       console.error("[Media] delete folder error:", error);
@@ -4225,6 +4382,119 @@ function createHonoApp(options) {
       return c.json({ error: error.message }, 500);
     }
   });
+  app.get("/api/plugins", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
+      const plugins = registry.getPlugins();
+      const storageRegistry = registry.storageProviders;
+      const pluginList = await Promise.all(
+        plugins.map(async (p) => {
+          let enabled = true;
+          const pluginName = p.name;
+          let states = {};
+          try {
+            const doc = await db.findOne({
+              collection: "_globals_plugin-settings",
+              where: {}
+            });
+            if (doc && doc.states) states = doc.states;
+          } catch {
+          }
+          if (states[pluginName] !== void 0) {
+            enabled = states[pluginName];
+          }
+          storageRegistry.setPluginEnabled(pluginName, enabled);
+          return {
+            id: pluginName,
+            name: pluginName,
+            version: p.version || "1.0.0",
+            description: p.description || "",
+            enabled,
+            status: enabled ? "active" : "disabled"
+          };
+        })
+      );
+      return c.json(pluginList);
+    } catch (error) {
+      console.error("[Plugins] list error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.put("/api/plugins/:name/toggle", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
+      const pluginName = c.req.param("name");
+      const storageRegistry = registry.storageProviders;
+      const currentEnabled = storageRegistry.isPluginEnabled(pluginName);
+      const newEnabled = !currentEnabled;
+      const affectedProviders = [];
+      if (!newEnabled) {
+        for (const p of storageRegistry.getAll()) {
+          if (p.pluginName === pluginName) {
+            affectedProviders.push(p.type);
+          }
+        }
+      }
+      const force = c.req.query("force") === "1";
+      if (!force && !newEnabled && affectedProviders.length > 0) {
+        let activeProvider = "local";
+        try {
+          const row = db?.prepare?.(`SELECT provider FROM "_globals_storage-settings" LIMIT 1`)?.get();
+          if (row?.provider) activeProvider = row.provider;
+        } catch {
+          try {
+            const result = await db?.findOne?.({
+              collection: "_globals_storage-settings",
+              where: {}
+            });
+            if (result?.provider) activeProvider = result.provider;
+          } catch {
+          }
+        }
+        if (affectedProviders.includes(activeProvider)) {
+          return c.json({
+            error: `Cannot disable "${pluginName}" \u2014 storage provider "${activeProvider}" is currently active. Switch to Local storage first.`,
+            requiresAction: true,
+            activeProvider
+          }, 409);
+        }
+      }
+      try {
+        let states = {};
+        let docId = "global";
+        const doc = await db.findOne({
+          collection: "_globals_plugin-settings",
+          where: {}
+        });
+        if (doc) {
+          states = doc.states || {};
+          docId = doc.id;
+        }
+        states[pluginName] = newEnabled;
+        if (doc) {
+          await db.update({
+            collection: "_globals_plugin-settings",
+            id: docId,
+            data: { states }
+          });
+        } else {
+          await db.create({
+            collection: "_globals_plugin-settings",
+            data: { states, id: "global" }
+          });
+        }
+      } catch (e) {
+        console.warn(`[Plugins] Could not persist state for "${pluginName}":`, e);
+      }
+      storageRegistry.setPluginEnabled(pluginName, newEnabled);
+      return c.json({ name: pluginName, enabled: newEnabled });
+    } catch (error) {
+      console.error("[Plugins] toggle error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
   app.get("/api/health", (c) => {
     return c.json({
       status: "ok",
@@ -4233,6 +4503,102 @@ function createHonoApp(options) {
       timestamp: (/* @__PURE__ */ new Date()).toISOString()
     });
   });
+  app.get("/api/kyro/schema", async (c) => {
+    const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+    if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
+    const extractFields = (fields) => fields.map((f) => {
+      const meta = {
+        name: f.name,
+        type: f.type,
+        label: f.label,
+        required: f.required ?? false,
+        unique: f.unique ?? false,
+        indexed: f.indexed ?? false,
+        defaultValue: f.defaultValue,
+        admin: f.admin ? { ...f.admin } : void 0
+      };
+      if (f.minLength !== void 0) meta.minLength = f.minLength;
+      if (f.maxLength !== void 0) meta.maxLength = f.maxLength;
+      if (f.pattern !== void 0) meta.pattern = f.pattern;
+      if (f.variant !== void 0) meta.variant = f.variant;
+      if (f.hasMany !== void 0) meta.hasMany = f.hasMany;
+      if (f.min !== void 0) meta.min = f.min;
+      if (f.max !== void 0) meta.max = f.max;
+      if (f.step !== void 0) meta.step = f.step;
+      if (f.integer !== void 0) meta.integer = f.integer;
+      if (f.options) meta.options = f.options;
+      if (f.relationTo) meta.relationTo = f.relationTo;
+      if (f.maxDepth !== void 0) meta.maxDepth = f.maxDepth;
+      if (f.minRows !== void 0) meta.minRows = f.minRows;
+      if (f.maxRows !== void 0) meta.maxRows = f.maxRows;
+      if (f.localized !== void 0) meta.localized = f.localized;
+      if (f.language) meta.language = f.language;
+      if (f.format) meta.format = f.format;
+      if (f.allowedTypes) meta.allowedTypes = f.allowedTypes;
+      if (f.maxSize) meta.maxSize = f.maxSize;
+      if (f.type === "group" || f.type === "row" || f.type === "collapsible" && f.fields) {
+        meta.fields = extractFields(f.fields);
+      }
+      if (f.type === "array" && f.fields) {
+        meta.fields = extractFields(f.fields);
+      }
+      if (f.type === "blocks" && f.blocks) {
+        meta.blocks = f.blocks.map((b) => ({
+          slug: b.slug,
+          label: b.label,
+          fields: extractFields(b.fields)
+        }));
+      }
+      if (f.type === "tabs" && f.tabs) {
+        meta.tabs = f.tabs.map((t) => ({
+          label: t.label,
+          name: t.name,
+          fields: extractFields(t.fields)
+        }));
+      }
+      return meta;
+    });
+    const data = { collections: {}, globals: {} };
+    for (const col of registry.getCollections()) {
+      const slug = col.slug;
+      try {
+        data.collections[slug] = {
+          slug,
+          label: col.label || slug,
+          fields: extractFields(col.fields),
+          jsonSchema: zodToJsonSchema.zodToJsonSchema(registry.getZodSchema(slug), { target: "openApi3" }),
+          createSchema: zodToJsonSchema.zodToJsonSchema(registry.getCreateZodSchema(slug), { target: "openApi3" }),
+          updateSchema: zodToJsonSchema.zodToJsonSchema(registry.getUpdateZodSchema(slug), { target: "openApi3" }),
+          procedures: {
+            find: { collection: slug, where: "Record<string,any>", sort: "string", limit: "number", page: "number", depth: "number", select: "string[]", draft: "boolean" },
+            findByID: { collection: slug, id: "string", depth: "number", select: "string[]", draft: "boolean" },
+            create: { collection: slug, data: "Record<string,any>", depth: "number", select: "string[]" },
+            update: { collection: slug, id: "string", data: "Record<string,any>", depth: "number", select: "string[]", baseUpdatedAt: "string" },
+            delete: { collection: slug, id: "string" },
+            count: { collection: slug, where: "Record<string,any>" }
+          }
+        };
+      } catch {
+      }
+    }
+    for (const global of registry.getGlobals()) {
+      const slug = global.slug;
+      try {
+        data.globals[slug] = {
+          slug,
+          label: global.label || slug,
+          fields: extractFields(global.fields),
+          jsonSchema: zodToJsonSchema.zodToJsonSchema(registry.getZodSchema(slug), { target: "openApi3" }),
+          procedures: {
+            get: {},
+            update: { data: "Record<string,any>" }
+          }
+        };
+      } catch {
+      }
+    }
+    return c.json(data);
+  });
   app.get("/api/collections", async (c) => {
     const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
     if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
@@ -4248,6 +4614,129 @@ function createHonoApp(options) {
     }));
     return c.json(collections2);
   });
+  function resolveDocField(fields, doc, fieldName) {
+    if (fieldName in doc) return doc[fieldName];
+    for (const field of fields) {
+      if (!field.name) continue;
+      if (field.type === "tabs" && field.tabs) {
+        const data = doc[field.name];
+        if (data && typeof data === "object" && fieldName in data) return data[fieldName];
+      }
+      if ((field.type === "group" || field.type === "collapsible") && field.fields) {
+        const data = doc[field.name];
+        if (data && typeof data === "object") {
+          if (fieldName in data) return data[fieldName];
+          const nested = resolveDocField(field.fields, data, fieldName);
+          if (nested !== void 0) return nested;
+        }
+      }
+    }
+    return void 0;
+  }
+  function flattenRelationshipFields(fields) {
+    const relFields = [];
+    for (const field of fields) {
+      if (field.type === "relationship") {
+        relFields.push(field);
+      } else if (field.type === "tabs" && field.tabs) {
+        for (const tab of field.tabs) {
+          relFields.push(...flattenRelationshipFields(tab.fields || []));
+        }
+      } else if ((field.type === "group" || field.type === "collapsible") && field.fields) {
+        relFields.push(...flattenRelationshipFields(field.fields || []));
+      }
+    }
+    return relFields;
+  }
+  function extractRelValue(value) {
+    if (!value) return [];
+    if (typeof value === "string") return [value];
+    if (Array.isArray(value)) return value.map((v) => typeof v === "object" ? v.value ?? v : v);
+    if (typeof value === "object") {
+      const v = value.value ?? value;
+      return typeof v === "string" ? [v] : Array.isArray(v) ? v : [];
+    }
+    return [];
+  }
+  async function populateRelationships(docs, collection, db2, registry2) {
+    if (docs.length === 0) return;
+    const relFields = flattenRelationshipFields(collection.fields);
+    if (relFields.length === 0) return;
+    for (const relField of relFields) {
+      const targetSlugs = Array.isArray(relField.relationTo) ? relField.relationTo : [relField.relationTo];
+      const idsBySlug = {};
+      for (const slug of targetSlugs) {
+        idsBySlug[slug] = /* @__PURE__ */ new Set();
+      }
+      for (const doc of docs) {
+        const raw = resolveDocField(collection.fields, doc, relField.name);
+        const ids = extractRelValue(raw);
+        for (const id of ids) {
+          if (!id) continue;
+          if (targetSlugs.length === 1) {
+            idsBySlug[targetSlugs[0]].add(id);
+          } else {
+            for (const slug of targetSlugs) {
+              idsBySlug[slug].add(id);
+            }
+          }
+        }
+      }
+      for (const [targetSlug, idSet] of Object.entries(idsBySlug)) {
+        if (idSet.size === 0) continue;
+        const targetCollection = registry2.getCollection(targetSlug);
+        if (!targetCollection) continue;
+        const titleField = targetCollection.admin?.useAsTitle || "title";
+        const idArr = Array.from(idSet);
+        const relatedDocs = [];
+        for (const id of idArr) {
+          try {
+            const relDoc = await db2.findByID({ collection: targetSlug, id, draft: true });
+            if (relDoc) {
+              const title = resolveDocField(targetCollection.fields, relDoc, titleField) ?? id;
+              relatedDocs.push({ id, title: String(title) });
+            }
+          } catch {
+            relatedDocs.push({ id, title: id });
+          }
+        }
+        const titleMap = new Map(relatedDocs.map((d) => [d.id, d.title]));
+        for (const doc of docs) {
+          const raw = resolveDocField(collection.fields, doc, relField.name);
+          if (!raw) continue;
+          const setValue = (val) => {
+            if (relField.name in doc) {
+              doc[relField.name] = val;
+            } else {
+              for (const f of collection.fields) {
+                if (f.type === "tabs" && f.tabs) {
+                  for (const tab of f.tabs) {
+                    if (tab.fields?.some((tf) => tf.name === relField.name)) {
+                      const tabData = doc[f.name];
+                      if (tabData && typeof tabData === "object") {
+                        tabData[relField.name] = val;
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          };
+          if (typeof raw === "string") {
+            setValue({ id: raw, title: titleMap.get(raw) || raw });
+          } else if (Array.isArray(raw)) {
+            setValue(raw.map((v) => {
+              const id = typeof v === "object" ? v.value ?? v.id : v;
+              return { id, title: titleMap.get(id) || id };
+            }));
+          } else if (typeof raw === "object") {
+            const id = raw.value ?? raw.id;
+            setValue({ id, title: titleMap.get(id) || id });
+          }
+        }
+      }
+    }
+  }
   app.get("/api/search", async (c) => {
     try {
       const query = c.req.query("q") || "";
@@ -4299,11 +4788,12 @@ function createHonoApp(options) {
             limit,
             tenantID: ctxTenantID
           });
+          await populateRelationships(searchResult.docs, collection, db, registry);
           for (const doc of searchResult.docs) {
             const titleField = collection.admin?.useAsTitle || searchableFields.find(
               (f) => f === "title" || f === "name" || f === "heading" || f === "slug"
             );
-            const title = titleField ? doc[titleField] : doc.id;
+            const title = titleField ? resolveDocField(collection.fields, doc, titleField) ?? doc.id : doc.id;
             results.push({
               collection: collection.slug,
               label: collection.label || collection.slug,
@@ -4325,13 +4815,13 @@ function createHonoApp(options) {
   app.get("/api/keys", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:read")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:read")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const page = parseInt(c.req.query("page") || "1");
       const limit = Math.min(parseInt(c.req.query("limit") || "50"), 100);
-      console.log("[ApiKeys] Querying", chunkIBG6V56E_cjs.API_KEY_COLLECTION, { page, limit });
-      const result = await db.find({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, where: {}, page, limit });
+      console.log("[ApiKeys] Querying", chunk4M7X5HAB_cjs.API_KEY_COLLECTION, { page, limit });
+      const result = await db.find({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, where: {}, page, limit });
       console.log("[ApiKeys] Result:", result);
       const docs = (result.docs || []).map((doc) => ({
         id: doc.id,
@@ -4350,21 +4840,21 @@ function createHonoApp(options) {
   app.post("/api/keys", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const body = await c.req.json();
       if (!body.name || typeof body.name !== "string") {
         return c.json({ error: "name is required" }, 400);
       }
-      const rawKey = chunkIBG6V56E_cjs.generateApiKey();
+      const rawKey = chunk4M7X5HAB_cjs.generateApiKey();
       const doc = await db.create({
-        collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION,
+        collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION,
         data: {
           userId: ctxUser.id,
           name: body.name,
           key: rawKey,
-          keyPrefix: chunkIBG6V56E_cjs.generateApiKeyPrefix(rawKey),
+          keyPrefix: chunk4M7X5HAB_cjs.generateApiKeyPrefix(rawKey),
           permissions: Array.isArray(body.permissions) ? body.permissions : ["*"],
           expiresAt: body.expiresAt || null,
           createdAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -4391,13 +4881,13 @@ function createHonoApp(options) {
   app.delete("/api/keys/:id", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const id = c.req.param("id");
-      const existing = await db.findByID({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id });
+      const existing = await db.findByID({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id });
       if (!existing) return c.json({ error: "API key not found" }, 404);
-      await db.delete({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id });
+      await db.delete({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id });
       await sessionAuthAdapter?.createAuditLog({
         action: "api_key_delete",
         userId: ctxUser.id,
@@ -4415,19 +4905,19 @@ function createHonoApp(options) {
   app.patch("/api/keys/:id", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const id = c.req.param("id");
       const body = await c.req.json();
-      const existing = await db.findByID({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id });
+      const existing = await db.findByID({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id });
       if (!existing) return c.json({ error: "API key not found" }, 404);
       const updateData = {};
       if (typeof body.name === "string" && body.name.trim()) updateData.name = body.name.trim();
       if (Array.isArray(body.permissions)) updateData.permissions = body.permissions;
       if (body.expiresAt !== void 0) updateData.expiresAt = body.expiresAt || null;
       if (Object.keys(updateData).length === 0) return c.json({ error: "Nothing to update" }, 400);
-      const updated = await db.update({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id, data: updateData });
+      const updated = await db.update({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id, data: updateData });
       return c.json({ ...updated, keyPrefix: existing.keyPrefix });
     } catch (error) {
       console.error("[ApiKeys] PATCH error:", error);
@@ -4437,19 +4927,19 @@ function createHonoApp(options) {
   app.post("/api/keys/:id/rotate", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const id = c.req.param("id");
-      const existing = await db.findByID({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id });
+      const existing = await db.findByID({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id });
       if (!existing) return c.json({ error: "API key not found" }, 404);
-      const rawKey = chunkIBG6V56E_cjs.generateApiKey();
+      const rawKey = chunk4M7X5HAB_cjs.generateApiKey();
       const updated = await db.update({
-        collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION,
+        collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION,
         id,
         data: {
           key: rawKey,
-          keyPrefix: chunkIBG6V56E_cjs.generateApiKeyPrefix(rawKey),
+          keyPrefix: chunk4M7X5HAB_cjs.generateApiKeyPrefix(rawKey),
           lastUsedAt: null
         }
       });
@@ -4475,7 +4965,7 @@ function createHonoApp(options) {
   app.get("/api/webhooks", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:read")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:read")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4489,7 +4979,7 @@ function createHonoApp(options) {
   app.post("/api/webhooks", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4512,7 +5002,7 @@ function createHonoApp(options) {
   app.get("/api/webhooks/:id", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:read")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:read")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4528,7 +5018,7 @@ function createHonoApp(options) {
   app.patch("/api/webhooks/:id", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4553,7 +5043,7 @@ function createHonoApp(options) {
   app.delete("/api/webhooks/:id", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4578,7 +5068,7 @@ function createHonoApp(options) {
   app.post("/api/webhooks/:id/test", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4594,7 +5084,7 @@ function createHonoApp(options) {
   app.get("/api/webhooks/:id/history", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:read")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:read")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4643,37 +5133,31 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
-        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, basePath, "GET", c.req.raw);
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         const url = new URL(c.req.url);
         const page = parseInt(url.searchParams.get("page") || "1");
-        const limit = Math.min(
-          parseInt(url.searchParams.get("limit") || "10"),
-          100
-        );
+        const limit = Math.min(parseInt(url.searchParams.get("limit") || "10"), 100);
         const sort = url.searchParams.get("sort") || void 0;
         const depth = parseInt(url.searchParams.get("depth") || "0");
         const select = url.searchParams.get("select")?.split(",") || void 0;
-        let where = {};
-        const whereParam = url.searchParams.get("where");
-        if (whereParam) {
-          try {
-            where = JSON.parse(whereParam);
-          } catch {
-          }
-        }
+        const isDraftRequest = !!ctxUser;
         const result = await db.find({
           collection: slug,
-          where,
+          where: {},
           sort,
           limit,
           page,
           depth,
           tenantID: ctxTenantID,
-          select
+          select,
+          draft: isDraftRequest
         });
+        await populateRelationships(result.docs, collection, db, registry);
         return c.json(result);
       } catch (error) {
-        console.error(`[API] Error listing ${slug}:`, error);
+        console.error("[API] list error:", error);
         return c.json({ error: error.message }, 500);
       }
     });
@@ -4698,6 +5182,9 @@ function createHonoApp(options) {
           return c.json({ error: access.error }, access.status || 403);
         }
         const id = c.req.param("id");
+        if (!id) {
+          return c.json({ error: "Missing document ID" }, 400);
+        }
         const url = new URL(c.req.url);
         const compareA = url.searchParams.get("compareA");
         const compareB = url.searchParams.get("compareB");
@@ -4781,23 +5268,39 @@ function createHonoApp(options) {
         const id = c.req.param("id");
         const body = await c.req.json();
         const baseUpdatedAt = readBaseUpdatedAt(body);
-        const data = body.data ?? omitRevisionFields(body);
         const originalDoc = await db.findByID({
           collection: slug,
           id,
-          tenantID: ctxTenantID
+          tenantID: ctxTenantID,
+          draft: true
         });
         if (!originalDoc) {
           return c.json({ error: "Document not found" }, 404);
         }
+        let finalData;
+        if (body.delta) {
+          finalData = { ...originalDoc, ...body.delta };
+        } else {
+          finalData = body.data ?? omitRevisionFields(body);
+        }
         const draft = await db.upsertDraft({
           collection: slug,
           documentId: id,
           tenantID: ctxTenantID,
-          data,
+          data: finalData,
           baseUpdatedAt,
           draftUpdatedAt: body.draftUpdatedAt
         });
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_update",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: id,
+            success: true,
+            metadata: { type: "draft_save" }
+          });
+        }
         return c.json({ data: draft, message: "Draft saved successfully" });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -4828,6 +5331,16 @@ function createHonoApp(options) {
           documentId: c.req.param("id"),
           tenantID: ctxTenantID
         });
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_update",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: c.req.param("id"),
+            success: true,
+            metadata: { type: "draft_discard" }
+          });
+        }
         return c.json({ message: "Draft discarded successfully" });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -4870,12 +5383,14 @@ function createHonoApp(options) {
           doc = await db.findOne({
             collection: slug,
             where: { slug: id },
-            tenantID: ctxTenantID
+            tenantID: ctxTenantID,
+            draft: isDraftRequest
           });
         }
         if (!doc) {
           return c.json({ error: "Document not found" }, 404);
         }
+        await populateRelationships([doc], collection, db, registry);
         return c.json({ data: doc });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -4901,23 +5416,80 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, basePath, "POST", c.req.raw);
         const body = await c.req.json();
+        let validated = body;
+        for (const field of collection.fields) {
+          if (field.name && validated[field.name] === "") {
+            const isTextual = field.type === "text" || field.type === "textarea" || field.type === "code" || field.type === "markdown" || field.type === "email" || field.type === "password" || field.type === "color";
+            if (!isTextual) {
+              validated[field.name] = null;
+            }
+          }
+        }
+        convertRichtextFields(collection.fields, validated);
+        const hookReq = c.req.raw;
+        if (collection.hooks?.beforeValidate) {
+          for (const hook of collection.hooks.beforeValidate) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "create"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
         const schema = registry.getCreateZodSchema(slug);
-        let validated;
         try {
-          validated = schema.parse(body);
+          validated = schema.parse(validated);
         } catch (zodErr) {
-          return c.json({ error: "Validation failed", details: zodErr.errors }, 400);
+          return c.json({ error: `Validation failed: ${formatZodErrors(zodErr.errors)}`, details: zodErr.errors }, 400);
         }
         if (collection.tenantScoped && ctxTenantID) {
           validated.tenantID = ctxTenantID;
         }
+        const isDraftEnabled = collection.versions?.drafts === true;
+        if (isDraftEnabled) {
+          validated.publishStatus = "draft";
+          validated.hasDraft = false;
+        }
+        if (collection.hooks?.beforeChange) {
+          for (const hook of collection.hooks.beforeChange) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "create"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
         const doc = await db.create({
           collection: slug,
           data: validated,
           tenantID: ctxTenantID
         });
+        if (collection.hooks?.afterChange) {
+          for (const hook of collection.hooks.afterChange) {
+            await hook({
+              collection: slug,
+              doc,
+              data: validated,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "create"
+            });
+          }
+        }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "create"), {
             collection: slug,
@@ -4927,11 +5499,20 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_create",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: doc.id,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: "Created successfully" }, 201);
       } catch (error) {
         if (error.name === "ZodError") {
           return c.json(
-            { error: "Validation failed", details: error.errors },
+            { error: `Validation failed: ${formatZodErrors(error.errors)}`, details: error.errors },
             400
           );
         }
@@ -4966,32 +5547,66 @@ function createHonoApp(options) {
           bodyKeys: Object.keys(body),
           tenantID: ctxTenantID
         });
-        const cleaned = Object.fromEntries(
-          Object.entries(omitRevisionFields(body)).filter(
-            ([_, v]) => v !== "null" && v !== void 0
-          )
-        );
-        const schema = registry.getUpdateZodSchema(slug);
-        const validated = schema.parse(cleaned);
-        console.log(`[PATCH] Validated data:`, Object.keys(validated));
         const originalDoc = await db.findByID({
           collection: slug,
           id,
           tenantID: ctxTenantID,
           draft: true
-          // Always fetch current doc regardless of status
         });
-        if (originalDoc) {
-          console.log(`[PATCH] Original doc updatedAt:`, originalDoc.updatedAt);
-        }
         if (!originalDoc) {
           return c.json({ error: "Document not found" }, 404);
         }
         if (baseUpdatedAt && originalDoc.updatedAt && baseUpdatedAt !== originalDoc.updatedAt) {
           return c.json(buildConflictResponse(baseUpdatedAt, originalDoc), 409);
         }
+        let validated = Object.fromEntries(
+          Object.entries(omitRevisionFields(body)).filter(
+            ([_, v]) => v !== "null" && v !== void 0
+          )
+        );
+        for (const field of collection.fields) {
+          if (field.name && validated[field.name] === "") {
+            const isTextual = field.type === "text" || field.type === "textarea" || field.type === "code" || field.type === "markdown" || field.type === "email" || field.type === "password" || field.type === "color";
+            if (!isTextual) {
+              validated[field.name] = null;
+            }
+          }
+        }
+        convertRichtextFields(collection.fields, validated);
+        const hookReq = c.req.raw;
+        if (collection.hooks?.beforeValidate) {
+          for (const hook of collection.hooks.beforeValidate) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "update"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
+        const schema = registry.getUpdateZodSchema(slug);
+        validated = schema.parse(validated);
+        if (collection.hooks?.beforeChange) {
+          for (const hook of collection.hooks.beforeChange) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "update"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
+        console.log(`[PATCH] Validated data:`, Object.keys(validated));
         const isDraftEnabled = collection.versions?.drafts === true;
-        const isAlreadyPublished = originalDoc._status === "published";
+        const isAlreadyPublished = originalDoc.publishStatus === "published";
         let doc;
         if (isDraftEnabled && isAlreadyPublished) {
           await db.createVersion({
@@ -5006,18 +5621,20 @@ function createHonoApp(options) {
           await db.update({
             collection: slug,
             id,
-            data: { _has_draft: true },
+            data: { hasDraft: true },
             // Keep old data, just set flag
             tenantID: ctxTenantID
           });
         } else {
-          const saveData = isDraftEnabled ? { ...validated, _status: "draft", _has_draft: false } : validated;
+          const saveData = isDraftEnabled ? { ...validated, publishStatus: "draft", hasDraft: false } : validated;
+          console.log(`[PATCH] About to call db.update for ${slug}/${id} with keys:`, Object.keys(saveData));
           await db.update({
             collection: slug,
             id,
             data: saveData,
             tenantID: ctxTenantID
           });
+          console.log(`[PATCH] db.update SUCCEEDED for ${slug}/${id}`);
         }
         doc = await db.findByID({
           collection: slug,
@@ -5044,6 +5661,20 @@ function createHonoApp(options) {
             tenantID: ctxTenantID
           });
         }
+        if (collection.hooks?.afterChange) {
+          for (const hook of collection.hooks.afterChange) {
+            await hook({
+              collection: slug,
+              doc,
+              data: validated,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "update"
+            });
+          }
+        }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "update"), {
             collection: slug,
@@ -5054,16 +5685,26 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
-        console.log(`[PATCH] Result doc updatedAt:`, doc?.updatedAt);
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, `${basePath}/${id}`, "PATCH", c.req.raw);
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_update",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: id,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: isDraftEnabled ? "Draft saved" : "Updated successfully" });
       } catch (error) {
         if (error.name === "ZodError") {
           console.error(`[PATCH ${basePath}/:id] Validation failed:`, error.errors);
           return c.json(
-            { error: "Validation failed", details: error.errors },
+            { error: `Validation failed: ${formatZodErrors(error.errors)}`, details: error.errors },
             400
           );
         }
+        console.error(`[PATCH ${basePath}/:id] ERROR:`, error.message, `CAUSE:`, error.cause?.message || error.cause, `QUERY:`, error.query);
         return c.json({ error: error.message }, 500);
       }
     });
@@ -5087,13 +5728,33 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         const id = c.req.param("id");
         console.log(`[DELETE] Deleting ${slug}/${id}`);
+        const hookReq = c.req.raw;
         const originalDoc = await db.findByID({
           collection: slug,
           id,
-          tenantID: ctxTenantID
+          tenantID: ctxTenantID,
+          draft: true
         });
+        if (!originalDoc) {
+          return c.json({ error: "Document not found" }, 404);
+        }
+        if (collection.hooks?.beforeDelete) {
+          for (const hook of collection.hooks.beforeDelete) {
+            await hook({
+              collection: slug,
+              doc: originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "delete"
+            });
+          }
+        }
         const doc = await db.delete({
           collection: slug,
           id,
@@ -5104,6 +5765,19 @@ function createHonoApp(options) {
           documentId: id,
           tenantID: ctxTenantID
         });
+        if (collection.hooks?.afterDelete) {
+          for (const hook of collection.hooks.afterDelete) {
+            await hook({
+              collection: slug,
+              doc,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "delete"
+            });
+          }
+        }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "delete"), {
             collection: slug,
@@ -5114,6 +5788,16 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, `${basePath}/${id}`, "DELETE", c.req.raw);
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_delete",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: id,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: "Deleted successfully" });
       } catch (error) {
         console.error(`[DELETE] Error deleting ${slug}:`, error);
@@ -5147,7 +5831,8 @@ function createHonoApp(options) {
         const originalDoc = await db.findByID({
           collection: slug,
           id,
-          tenantID: ctxTenantID
+          tenantID: ctxTenantID,
+          draft: true
         });
         if (!originalDoc) {
           console.log("[Duplicate] Document not found");
@@ -5207,7 +5892,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: slug,
           id,
-          data: { ...version.data, _status: "draft", _has_draft: false },
+          data: { ...version.data, publishStatus: "draft", hasDraft: false },
           tenantID: ctxTenantID
         });
         return c.json({
@@ -5252,7 +5937,7 @@ function createHonoApp(options) {
           const doc = await db.update({
             collection: slug,
             id: c.req.param("id"),
-            data: { ...version.data, _status: "draft", _has_draft: false },
+            data: { ...version.data, publishStatus: "draft", hasDraft: false },
             tenantID: ctxTenantID
           });
           return c.json({
@@ -5285,6 +5970,9 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         const id = c.req.param("id");
         const body = await c.req.json().catch(() => ({}));
         const baseUpdatedAt = readBaseUpdatedAt(body);
@@ -5300,9 +5988,9 @@ function createHonoApp(options) {
         if (baseUpdatedAt && originalDoc.updatedAt && baseUpdatedAt !== originalDoc.updatedAt) {
           return c.json(buildConflictResponse(baseUpdatedAt, originalDoc), 409);
         }
-        let publishData = { _status: "published", _has_draft: false };
+        let publishData = { publishStatus: "published", hasDraft: false };
         let finalContent = originalDoc;
-        if (originalDoc._has_draft) {
+        if (originalDoc.hasDraft) {
           const versions = await db.findVersions({
             collection: slug,
             documentId: id,
@@ -5325,7 +6013,7 @@ function createHonoApp(options) {
           await db.createVersion({
             collection: slug,
             documentId: id,
-            data: { ...finalContent, _status: "published" },
+            data: { ...finalContent, publishStatus: "published" },
             status: "published",
             createdBy: ctxUser?.id,
             changeDescription: "Published",
@@ -5384,7 +6072,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: slug,
           id,
-          data: { _status: "draft" },
+          data: { publishStatus: "draft" },
           tenantID: ctxTenantID
         });
         if (webhookService) {
@@ -5420,12 +6108,30 @@ function createHonoApp(options) {
           return c.json({ error: access.error }, access.status || 403);
         }
         const isDraftRequest = c.req.query("draft") === "true" && !!ctxUser;
-        const doc = await db.findOne({
+        let doc = await db.findOne({
           collection: `_globals_${slug}`,
           where: {},
           tenantID: ctxTenantID,
           draft: isDraftRequest
         });
+        if (slug === "system") {
+          const newSecret = crypto__default.default.randomBytes(32).toString("hex");
+          if (!doc) {
+            doc = await db.create({
+              collection: `_globals_${slug}`,
+              data: { id: slug, appSecret: newSecret },
+              tenantID: ctxTenantID
+            });
+          } else if (!doc.appSecret) {
+            await db.update({
+              collection: `_globals_${slug}`,
+              id: slug,
+              data: { appSecret: newSecret },
+              tenantID: ctxTenantID
+            });
+            doc.appSecret = newSecret;
+          }
+        }
         return c.json({ data: doc || {} });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -5445,18 +6151,27 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
-        const body = await c.req.json();
+        const body = omitRevisionFields(await c.req.json());
         const cleaned = Object.fromEntries(
           Object.entries(body).filter(([_, v]) => v !== null && v !== "null" && v !== void 0)
         );
+        for (const field of globalConfig.fields) {
+          if (field.name && cleaned[field.name] === "") {
+            const isTextual = field.type === "text" || field.type === "textarea" || field.type === "code" || field.type === "markdown" || field.type === "email" || field.type === "password" || field.type === "color";
+            if (!isTextual) {
+              cleaned[field.name] = null;
+            }
+          }
+        }
+        convertRichtextFields(globalConfig.fields, cleaned);
         const schema = registry.getZodSchema(slug);
         let validated;
         try {
           validated = schema.parse(cleaned);
         } catch (zodErr) {
-          return c.json({ error: "Validation failed", details: zodErr.errors }, 400);
+          return c.json({ error: `Validation failed: ${formatZodErrors(zodErr.errors)}`, details: zodErr.errors }, 400);
         }
-        const SYSTEM_FIELDS = /* @__PURE__ */ new Set(["id", "createdAt", "updatedAt", "_status", "_has_draft"]);
+        const SYSTEM_FIELDS = /* @__PURE__ */ new Set(["id", "createdAt", "updatedAt", "publishStatus", "hasDraft", "baseUpdatedAt", "_baseUpdatedAt"]);
         const userData = Object.fromEntries(
           Object.entries(validated).filter(([k]) => !SYSTEM_FIELDS.has(k))
         );
@@ -5468,7 +6183,7 @@ function createHonoApp(options) {
           draft: true
         });
         const isDraftEnabled = globalConfig.versions?.drafts === true;
-        const isAlreadyPublished = originalDoc?._status === "published";
+        const isAlreadyPublished = originalDoc?.publishStatus === "published";
         let doc;
         if (isDraftEnabled && isAlreadyPublished) {
           await db.createVersion({
@@ -5483,11 +6198,11 @@ function createHonoApp(options) {
           doc = await db.update({
             collection: collectionSlug,
             id: slug,
-            data: { _has_draft: true },
+            data: { hasDraft: true },
             tenantID: ctxTenantID
           });
         } else {
-          const saveData = isDraftEnabled ? { ...userData, _status: "draft", _has_draft: false } : { ...userData, _status: "published", _has_draft: false };
+          const saveData = isDraftEnabled ? { ...userData, publishStatus: "draft", hasDraft: false } : { ...userData, publishStatus: "published", hasDraft: false };
           if (originalDoc) {
             doc = await db.update({
               collection: collectionSlug,
@@ -5518,6 +6233,15 @@ function createHonoApp(options) {
           mediaService = null;
           mediaServiceInitError = null;
         }
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "settings_change",
+            userId: ctxUser.id,
+            resource: `global:${slug}`,
+            resourceId: slug,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: "Updated successfully" });
       } catch (error) {
         console.error(`[API] Save global "${slug}" failed:`, error);
@@ -5542,9 +6266,9 @@ function createHonoApp(options) {
           draft: true
         });
         if (!originalDoc) return c.json({ error: "Global not found" }, 404);
-        let publishData = { _status: "published", _has_draft: false };
+        let publishData = { publishStatus: "published", hasDraft: false };
         let finalContent = originalDoc;
-        if (originalDoc._has_draft) {
+        if (originalDoc.hasDraft) {
           const versions = await db.findVersions({
             collection: collectionSlug,
             documentId: slug,
@@ -5567,7 +6291,7 @@ function createHonoApp(options) {
           await db.createVersion({
             collection: collectionSlug,
             documentId: slug,
-            data: { ...finalContent, _status: "published" },
+            data: { ...finalContent, publishStatus: "published" },
             status: "published",
             createdBy: ctxUser?.id,
             changeDescription: "Published",
@@ -5587,7 +6311,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: `_globals_${slug}`,
           id: slug,
-          data: { _status: "draft", _has_draft: false },
+          data: { publishStatus: "draft", hasDraft: false },
           tenantID: ctxTenantID
         });
         return c.json({ data: doc, message: "Unpublished successfully" });
@@ -5647,7 +6371,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: collectionSlug,
           id: slug,
-          data: { ...version.data, _status: "draft", _has_draft: false },
+          data: { ...version.data, publishStatus: "draft", hasDraft: false },
           tenantID: ctxTenantID
         });
         return c.json({ data: doc, message: "Restored successfully" });
@@ -5693,7 +6417,7 @@ function createHonoApp(options) {
             mailgun: body.mailgun,
             ses: body.ses
           };
-          const transport = new chunkIA6AU5PI_cjs.EmailTransport(transportConfig);
+          const transport = new chunkWNCYAKF3_cjs.EmailTransport(transportConfig);
           const recipient = body.testEmail || body.testEmailSection && body.testEmailSection.testEmail;
           if (!recipient) {
             return c.json({ error: "No test recipient email provided" }, 400);
@@ -5757,15 +6481,19 @@ exports.InMemoryAuditLogger = InMemoryAuditLogger;
 exports.InMemoryRateLimiter = InMemoryRateLimiter;
 exports.MediaService = MediaService;
 exports.createAuditContext = createAuditContext2;
+exports.createCloudinaryStorage = createCloudinaryStorage;
+exports.createFtpStorage = createFtpStorage;
 exports.createHonoApp = createHonoApp;
 exports.createLocalStorage = createLocalStorage;
 exports.createRESTAPI = createRESTAPI;
+exports.createS3Storage = createS3Storage;
 exports.getAppSecret = getAppSecret;
+exports.getDefaultRegistry = getDefaultRegistry;
 exports.getEncryptionKey = getEncryptionKey;
 exports.getSessionConfig = getSessionConfig;
 exports.init_secret = init_secret;
 exports.loadSecrets = loadSecrets;
 exports.resolveProvider = resolveProvider;
 exports.setDbAdapter = setDbAdapter;
-//# sourceMappingURL=chunk-5KVM3WEY.cjs.map
-//# sourceMappingURL=chunk-5KVM3WEY.cjs.map
+//# sourceMappingURL=chunk-RSF3UU7H.cjs.map
+//# sourceMappingURL=chunk-RSF3UU7H.cjs.map