npm - @kyro-cms/core - Versions diffs - 0.9.0 → 0.9.2 - Mend

@kyro-cms/core 0.9.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (265) hide show

package/README.md +55 -593
package/dist/{WebhookService-AefJfqX0.d.cts → WebhookService-BKszZlG0.d.cts} +1 -1
package/dist/{WebhookService-118ZTFis.d.ts → WebhookService-Ccf1j-IN.d.ts} +1 -1
package/dist/api-handler-graphql.cjs +44 -0
package/dist/api-handler-graphql.cjs.map +1 -0
package/dist/api-handler-graphql.d.cts +6 -0
package/dist/api-handler-graphql.d.ts +6 -0
package/dist/api-handler-graphql.js +41 -0
package/dist/api-handler-graphql.js.map +1 -0
package/dist/api-handler-trpc.cjs +38 -0
package/dist/api-handler-trpc.cjs.map +1 -0
package/dist/api-handler-trpc.d.cts +5 -0
package/dist/api-handler-trpc.d.ts +5 -0
package/dist/api-handler-trpc.js +36 -0
package/dist/api-handler-trpc.js.map +1 -0
package/dist/api-handler.cjs +33 -99
package/dist/api-handler.cjs.map +1 -1
package/dist/api-handler.d.cts +2 -1
package/dist/api-handler.d.ts +2 -1
package/dist/api-handler.js +21 -97
package/dist/api-handler.js.map +1 -1
package/dist/{tenant-B1YB0Jy8.d.ts → base-CIuXkrH4.d.cts} +7 -15
package/dist/{tenant-Cpeveji6.d.cts → base-fFo4lqER.d.ts} +7 -15
package/dist/bootstrap-3PV3GJ3S.js +7 -0
package/dist/{bootstrap-JCML6NFO.js.map → bootstrap-3PV3GJ3S.js.map} +1 -1
package/dist/bootstrap-4CELFLJO.cjs +32 -0
package/dist/{bootstrap-AKAUP6F6.cjs.map → bootstrap-4CELFLJO.cjs.map} +1 -1
package/dist/{chunk-VJT6P4N6.cjs → chunk-3HR772HI.cjs} +199 -32
package/dist/chunk-3HR772HI.cjs.map +1 -0
package/dist/chunk-3KTWGODI.cjs +178 -0
package/dist/chunk-3KTWGODI.cjs.map +1 -0
package/dist/{chunk-QXIQWPAP.js → chunk-3UK5XBVJ.js} +4 -134
package/dist/chunk-3UK5XBVJ.js.map +1 -0
package/dist/{chunk-FXYP2HA6.js → chunk-4AO3A3JM.js} +48 -4
package/dist/chunk-4AO3A3JM.js.map +1 -0
package/dist/{chunk-Z6ZWNWWR.js → chunk-4CV4JOE5.js} +3 -9
package/dist/{chunk-Z6ZWNWWR.js.map → chunk-4CV4JOE5.js.map} +1 -1
package/dist/chunk-4M7X5HAB.cjs +173 -0
package/dist/chunk-4M7X5HAB.cjs.map +1 -0
package/dist/chunk-53NYVYVX.js +3243 -0
package/dist/chunk-53NYVYVX.js.map +1 -0
package/dist/{chunk-35U3FROB.js → chunk-5H3MWQJS.js} +714 -184
package/dist/chunk-5H3MWQJS.js.map +1 -0
package/dist/{chunk-YVUJBEXE.cjs → chunk-5PMQQFRE.cjs} +16 -7
package/dist/chunk-5PMQQFRE.cjs.map +1 -0
package/dist/{chunk-57P6MJKC.js → chunk-6UNONDW7.js} +94 -10
package/dist/chunk-6UNONDW7.js.map +1 -0
package/dist/{chunk-Y3N7UUDO.js → chunk-7OGPN7MP.js} +5 -2
package/dist/chunk-7OGPN7MP.js.map +1 -0
package/dist/{chunk-2OL4O2TH.cjs → chunk-7OS7TX2Q.cjs} +68 -62
package/dist/chunk-7OS7TX2Q.cjs.map +1 -0
package/dist/{chunk-3TPQ2BU6.js → chunk-BYBMTIMT.js} +2 -6
package/dist/chunk-BYBMTIMT.js.map +1 -0
package/dist/{chunk-ES5HNFFT.js → chunk-CF7OL6HR.js} +4 -2
package/dist/chunk-CF7OL6HR.js.map +1 -0
package/dist/chunk-CJONKRHJ.js +162 -0
package/dist/chunk-CJONKRHJ.js.map +1 -0
package/dist/{chunk-OHVB4AJ7.js → chunk-CJX74IYK.js} +24 -18
package/dist/chunk-CJX74IYK.js.map +1 -0
package/dist/{chunk-5KVM3WEY.cjs → chunk-CNKT4PME.cjs} +1592 -868
package/dist/chunk-CNKT4PME.cjs.map +1 -0
package/dist/{chunk-G7VZBCD6.cjs → chunk-CZLDE2OZ.cjs} +2 -9
package/dist/{chunk-G7VZBCD6.cjs.map → chunk-CZLDE2OZ.cjs.map} +1 -1
package/dist/{chunk-WQBRWOQT.cjs → chunk-DPA3KWPY.cjs} +4 -3
package/dist/chunk-DPA3KWPY.cjs.map +1 -0
package/dist/{chunk-LINKCEG4.cjs → chunk-E2763JUP.cjs} +726 -196
package/dist/chunk-E2763JUP.cjs.map +1 -0
package/dist/chunk-E5UJBLQ7.js +220 -0
package/dist/chunk-E5UJBLQ7.js.map +1 -0
package/dist/{chunk-DVD5P72E.cjs → chunk-EEJUFDMF.cjs} +2 -6
package/dist/chunk-EEJUFDMF.cjs.map +1 -0
package/dist/chunk-FSKONGCX.cjs +253 -0
package/dist/chunk-FSKONGCX.cjs.map +1 -0
package/dist/{chunk-Y3QQN7PN.js → chunk-GAAHG2Z4.js} +13 -4
package/dist/chunk-GAAHG2Z4.js.map +1 -0
package/dist/chunk-GAOXD3XT.js +175 -0
package/dist/chunk-GAOXD3XT.js.map +1 -0
package/dist/{chunk-SA7NSSIQ.cjs → chunk-GUUB5EAG.cjs} +13 -187
package/dist/chunk-GUUB5EAG.cjs.map +1 -0
package/dist/{chunk-4DA7QPLA.cjs → chunk-GXFOGU7N.cjs} +5 -2
package/dist/chunk-GXFOGU7N.cjs.map +1 -0
package/dist/{chunk-I7HHI6QV.cjs → chunk-IDVRRRAK.cjs} +17 -9
package/dist/chunk-IDVRRRAK.cjs.map +1 -0
package/dist/{chunk-HXRD4B37.js → chunk-IPTZM3VE.js} +1423 -704
package/dist/chunk-IPTZM3VE.js.map +1 -0
package/dist/chunk-KC2GDBLS.cjs +84 -0
package/dist/chunk-KC2GDBLS.cjs.map +1 -0
package/dist/{chunk-QUW2RZTM.cjs → chunk-L46ROHUS.cjs} +51 -7
package/dist/chunk-L46ROHUS.cjs.map +1 -0
package/dist/chunk-L4EZKIEX.js +185 -0
package/dist/chunk-L4EZKIEX.js.map +1 -0
package/dist/{chunk-REK7AYOC.js → chunk-L5UKKZQN.js} +199 -32
package/dist/chunk-L5UKKZQN.js.map +1 -0
package/dist/chunk-NKPKR5BW.cjs +188 -0
package/dist/chunk-NKPKR5BW.cjs.map +1 -0
package/dist/chunk-NWUEVLQT.cjs +99 -0
package/dist/chunk-NWUEVLQT.cjs.map +1 -0
package/dist/{chunk-3AJE4SEG.js → chunk-OHC6UHFY.js} +208 -76
package/dist/chunk-OHC6UHFY.js.map +1 -0
package/dist/chunk-PHJRNPHY.cjs +3291 -0
package/dist/chunk-PHJRNPHY.cjs.map +1 -0
package/dist/{chunk-DXHRBMGB.js → chunk-PQ72Z6WC.js} +67 -112
package/dist/chunk-PQ72Z6WC.js.map +1 -0
package/dist/{chunk-K7JPTH3G.cjs → chunk-PV2I2KMI.cjs} +214 -82
package/dist/chunk-PV2I2KMI.cjs.map +1 -0
package/dist/{chunk-PDYFVNUX.cjs → chunk-Q23GAMLE.cjs} +71 -116
package/dist/chunk-Q23GAMLE.cjs.map +1 -0
package/dist/{chunk-H727JIG7.js → chunk-Q72BOAPK.js} +16 -8
package/dist/chunk-Q72BOAPK.js.map +1 -0
package/dist/{chunk-IBG6V56E.cjs → chunk-QFLB4EIJ.cjs} +2 -139
package/dist/chunk-QFLB4EIJ.cjs.map +1 -0
package/dist/{chunk-2KVHZE6O.cjs → chunk-RFFSZSCL.cjs} +282 -190
package/dist/chunk-RFFSZSCL.cjs.map +1 -0
package/dist/{chunk-V3LKPM3O.cjs → chunk-SHTTJMLT.cjs} +4 -2
package/dist/chunk-SHTTJMLT.cjs.map +1 -0
package/dist/{chunk-WOWUL7ZY.js → chunk-UUDTPZX6.js} +5 -4
package/dist/chunk-UUDTPZX6.js.map +1 -0
package/dist/{chunk-QPPDLRNR.js → chunk-V7KZQIZ6.js} +277 -185
package/dist/chunk-V7KZQIZ6.js.map +1 -0
package/dist/{chunk-3ZFYL34R.js → chunk-WXVB364T.js} +12 -185
package/dist/chunk-WXVB364T.js.map +1 -0
package/dist/chunk-XEB7PH2E.js +81 -0
package/dist/chunk-XEB7PH2E.js.map +1 -0
package/dist/{chunk-IA6AU5PI.cjs → chunk-Y7AQK4R4.cjs} +94 -10
package/dist/chunk-Y7AQK4R4.cjs.map +1 -0
package/dist/chunk-YFAVQQTU.js +92 -0
package/dist/chunk-YFAVQQTU.js.map +1 -0
package/dist/cli/index.cjs +6 -6
package/dist/cli/index.cjs.map +1 -1
package/dist/cli/index.js +6 -6
package/dist/cli/index.js.map +1 -1
package/dist/client.cjs +4 -4
package/dist/client.d.cts +3 -3
package/dist/client.d.ts +3 -3
package/dist/client.js +2 -2
package/dist/drizzle/index.cjs +15 -14
package/dist/drizzle/index.d.cts +10 -14
package/dist/drizzle/index.d.ts +10 -14
package/dist/drizzle/index.js +6 -5
package/dist/fields/index.cjs +22 -38
package/dist/fields/index.d.cts +2 -22
package/dist/fields/index.d.ts +2 -22
package/dist/fields/index.js +2 -2
package/dist/graphql/index.cjs +6 -5
package/dist/graphql/index.d.cts +5 -3
package/dist/graphql/index.d.ts +5 -3
package/dist/graphql/index.js +4 -3
package/dist/index-BKta3cBH.d.cts +277 -0
package/dist/index-ClOqnkTO.d.ts +277 -0
package/dist/index.cjs +310 -168
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +130 -211
package/dist/index.d.ts +130 -211
package/dist/index.js +174 -35
package/dist/index.js.map +1 -1
package/dist/integration.cjs +3 -3
package/dist/integration.js +2 -2
package/dist/media-7WDX4BDJ.js +4 -0
package/dist/{media-GPPTZ43E.js.map → media-7WDX4BDJ.js.map} +1 -1
package/dist/{media-XNTUFJZR.cjs → media-TUSLVRQ6.cjs} +3 -3
package/dist/{media-XNTUFJZR.cjs.map → media-TUSLVRQ6.cjs.map} +1 -1
package/dist/mongo-auth-adapter-GT4S7SCU.cjs +17 -0
package/dist/{mongo-auth-adapter-NHHUJHVH.cjs.map → mongo-auth-adapter-GT4S7SCU.cjs.map} +1 -1
package/dist/mongo-auth-adapter-M7VV4LNB.js +4 -0
package/dist/{mongo-auth-adapter-NJQUUCTP.js.map → mongo-auth-adapter-M7VV4LNB.js.map} +1 -1
package/dist/mongodb/index.cjs +9 -8
package/dist/mongodb/index.d.cts +6 -13
package/dist/mongodb/index.d.ts +6 -13
package/dist/mongodb/index.js +5 -4
package/dist/postgres-auth-adapter-AFAPISH7.js +5 -0
package/dist/{postgres-auth-adapter-3T2NKTSE.js.map → postgres-auth-adapter-AFAPISH7.js.map} +1 -1
package/dist/postgres-auth-adapter-SFDTLONT.cjs +14 -0
package/dist/{postgres-auth-adapter-7IEENCKQ.cjs.map → postgres-auth-adapter-SFDTLONT.cjs.map} +1 -1
package/dist/redis-adapter-UQX4EE3B.cjs +13 -0
package/dist/{redis-adapter-D2E2S3GB.cjs.map → redis-adapter-UQX4EE3B.cjs.map} +1 -1
package/dist/redis-adapter-XALOGWY3.js +4 -0
package/dist/{redis-adapter-VQXD7ESY.js.map → redis-adapter-XALOGWY3.js.map} +1 -1
package/dist/rest/index.cjs +16 -15
package/dist/rest/index.d.cts +4 -4
package/dist/rest/index.d.ts +4 -4
package/dist/rest/index.js +14 -13
package/dist/{schema-37SE2F4B.cjs → schema-6QL3USNB.cjs} +15 -15
package/dist/{schema-37SE2F4B.cjs.map → schema-6QL3USNB.cjs.map} +1 -1
package/dist/{schema-5PHL5IVB.js → schema-FNNWEAAW.js} +4 -4
package/dist/{schema-5PHL5IVB.js.map → schema-FNNWEAAW.js.map} +1 -1
package/dist/sqlite-adapter-AQB5TCGV.cjs +13 -0
package/dist/{sqlite-adapter-LVK5PS4T.cjs.map → sqlite-adapter-AQB5TCGV.cjs.map} +1 -1
package/dist/sqlite-adapter-N5H6IM2X.js +4 -0
package/dist/{sqlite-adapter-TR3U3W6Q.js.map → sqlite-adapter-N5H6IM2X.js.map} +1 -1
package/dist/templates/index.cjs +134 -32
package/dist/templates/index.d.cts +52 -9
package/dist/templates/index.d.ts +52 -9
package/dist/templates/index.js +4 -2
package/dist/trpc/index.cjs +14 -13
package/dist/trpc/index.d.cts +55 -49
package/dist/trpc/index.d.ts +55 -49
package/dist/trpc/index.js +5 -4
package/dist/{types-D6ZLRGbH.d.cts → types-CpjuXbe7.d.cts} +2 -0
package/dist/{types-D6ZLRGbH.d.ts → types-CpjuXbe7.d.ts} +2 -0
package/dist/{types-VtjUxIMp.d.cts → types-DeSApf9T.d.cts} +36 -14
package/dist/{types-VtjUxIMp.d.ts → types-DeSApf9T.d.ts} +36 -14
package/dist/{types-J3R9nVsZ.d.cts → types-Dgzlftb7.d.ts} +32 -28
package/dist/{types-Bs1up4yP.d.ts → types-Ds0tCA3L.d.cts} +32 -28
package/dist/ws/index.cjs +6 -6
package/dist/ws/index.js +2 -2
package/package.json +22 -4
package/dist/bootstrap-AKAUP6F6.cjs +0 -32
package/dist/bootstrap-JCML6NFO.js +0 -7
package/dist/chunk-2KVHZE6O.cjs.map +0 -1
package/dist/chunk-2OL4O2TH.cjs.map +0 -1
package/dist/chunk-35U3FROB.js.map +0 -1
package/dist/chunk-3AJE4SEG.js.map +0 -1
package/dist/chunk-3J4MFTI3.js +0 -3872
package/dist/chunk-3J4MFTI3.js.map +0 -1
package/dist/chunk-3TPQ2BU6.js.map +0 -1
package/dist/chunk-3ZFYL34R.js.map +0 -1
package/dist/chunk-4DA7QPLA.cjs.map +0 -1
package/dist/chunk-57P6MJKC.js.map +0 -1
package/dist/chunk-5KVM3WEY.cjs.map +0 -1
package/dist/chunk-6IMPH6WV.cjs +0 -3897
package/dist/chunk-6IMPH6WV.cjs.map +0 -1
package/dist/chunk-ATBOUGQP.cjs +0 -513
package/dist/chunk-ATBOUGQP.cjs.map +0 -1
package/dist/chunk-DVD5P72E.cjs.map +0 -1
package/dist/chunk-DXHRBMGB.js.map +0 -1
package/dist/chunk-ES5HNFFT.js.map +0 -1
package/dist/chunk-FXYP2HA6.js.map +0 -1
package/dist/chunk-H727JIG7.js.map +0 -1
package/dist/chunk-HXRD4B37.js.map +0 -1
package/dist/chunk-I7HHI6QV.cjs.map +0 -1
package/dist/chunk-IA6AU5PI.cjs.map +0 -1
package/dist/chunk-IBG6V56E.cjs.map +0 -1
package/dist/chunk-K7JPTH3G.cjs.map +0 -1
package/dist/chunk-LINKCEG4.cjs.map +0 -1
package/dist/chunk-OHVB4AJ7.js.map +0 -1
package/dist/chunk-PDYFVNUX.cjs.map +0 -1
package/dist/chunk-Q23JB3KL.js +0 -488
package/dist/chunk-Q23JB3KL.js.map +0 -1
package/dist/chunk-QPPDLRNR.js.map +0 -1
package/dist/chunk-QUW2RZTM.cjs.map +0 -1
package/dist/chunk-QXIQWPAP.js.map +0 -1
package/dist/chunk-R3XIBBAW.cjs +0 -34
package/dist/chunk-R3XIBBAW.cjs.map +0 -1
package/dist/chunk-REK7AYOC.js.map +0 -1
package/dist/chunk-SA7NSSIQ.cjs.map +0 -1
package/dist/chunk-SDMNUYVU.js +0 -30
package/dist/chunk-SDMNUYVU.js.map +0 -1
package/dist/chunk-V3LKPM3O.cjs.map +0 -1
package/dist/chunk-VJT6P4N6.cjs.map +0 -1
package/dist/chunk-WOWUL7ZY.js.map +0 -1
package/dist/chunk-WQBRWOQT.cjs.map +0 -1
package/dist/chunk-Y3N7UUDO.js.map +0 -1
package/dist/chunk-Y3QQN7PN.js.map +0 -1
package/dist/chunk-YVUJBEXE.cjs.map +0 -1
package/dist/index-CLp-DRKA.d.ts +0 -64
package/dist/index-DfO7G4kN.d.cts +0 -64
package/dist/media-GPPTZ43E.js +0 -4
package/dist/mongo-auth-adapter-NHHUJHVH.cjs +0 -17
package/dist/mongo-auth-adapter-NJQUUCTP.js +0 -4
package/dist/postgres-auth-adapter-3T2NKTSE.js +0 -5
package/dist/postgres-auth-adapter-7IEENCKQ.cjs +0 -14
package/dist/redis-adapter-D2E2S3GB.cjs +0 -13
package/dist/redis-adapter-VQXD7ESY.js +0 -4
package/dist/sqlite-adapter-LVK5PS4T.cjs +0 -13
package/dist/sqlite-adapter-TR3U3W6Q.js +0 -4

package/dist/{chunk-5KVM3WEY.cjs → chunk-CNKT4PME.cjs} RENAMED Viewed

@@ -1,17 +1,17 @@
 'use strict';
-var chunkIA6AU5PI_cjs = require('./chunk-IA6AU5PI.cjs');
-var chunkI7HHI6QV_cjs = require('./chunk-I7HHI6QV.cjs');
+var chunkY7AQK4R4_cjs = require('./chunk-Y7AQK4R4.cjs');
+var chunkKC2GDBLS_cjs = require('./chunk-KC2GDBLS.cjs');
+var chunkIDVRRRAK_cjs = require('./chunk-IDVRRRAK.cjs');
 var chunkADLJSJSN_cjs = require('./chunk-ADLJSJSN.cjs');
-var chunkIBG6V56E_cjs = require('./chunk-IBG6V56E.cjs');
-var chunkVJT6P4N6_cjs = require('./chunk-VJT6P4N6.cjs');
-var chunkR3XIBBAW_cjs = require('./chunk-R3XIBBAW.cjs');
-var chunk2KVHZE6O_cjs = require('./chunk-2KVHZE6O.cjs');
-var chunk2OL4O2TH_cjs = require('./chunk-2OL4O2TH.cjs');
-var chunkPDYFVNUX_cjs = require('./chunk-PDYFVNUX.cjs');
-var chunk4DA7QPLA_cjs = require('./chunk-4DA7QPLA.cjs');
-var chunkSA7NSSIQ_cjs = require('./chunk-SA7NSSIQ.cjs');
-var chunkG7VZBCD6_cjs = require('./chunk-G7VZBCD6.cjs');
+var chunkQFLB4EIJ_cjs = require('./chunk-QFLB4EIJ.cjs');
+var chunk4M7X5HAB_cjs = require('./chunk-4M7X5HAB.cjs');
+var chunkRFFSZSCL_cjs = require('./chunk-RFFSZSCL.cjs');
+var chunk7OS7TX2Q_cjs = require('./chunk-7OS7TX2Q.cjs');
+var chunkQ23GAMLE_cjs = require('./chunk-Q23GAMLE.cjs');
+var chunkGXFOGU7N_cjs = require('./chunk-GXFOGU7N.cjs');
+var chunkNKPKR5BW_cjs = require('./chunk-NKPKR5BW.cjs');
+var chunkCZLDE2OZ_cjs = require('./chunk-CZLDE2OZ.cjs');
 var crypto = require('crypto');
 var unstorage = require('unstorage');
 var fsDriver = require('unstorage/drivers/fs');
@@ -19,11 +19,13 @@ var hono = require('hono');
 var path = require('path');
 var fs = require('fs');
 var sharp = require('sharp');
-var graphql = require('graphql');
 var promises = require('fs/promises');
+var process2 = require('process');
 var clientS3 = require('@aws-sdk/client-s3');
+var nodeHttpHandler = require('@smithy/node-http-handler');
 var stream = require('stream');
 var basicFtp = require('basic-ftp');
+var zodToJsonSchema = require('zod-to-json-schema');
 function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
@@ -31,6 +33,7 @@ var crypto__default = /*#__PURE__*/_interopDefault(crypto);
 var fsDriver__default = /*#__PURE__*/_interopDefault(fsDriver);
 var path__default = /*#__PURE__*/_interopDefault(path);
 var sharp__default = /*#__PURE__*/_interopDefault(sharp);
+var process2__default = /*#__PURE__*/_interopDefault(process2);
 function setDbAdapter(adapter) {
   dbAdapter = adapter;
@@ -39,8 +42,8 @@ async function loadSecrets() {
   if (dbAdapter) {
     try {
       const result = await dbAdapter.findOne({
-        collection: "_globals",
-        where: { slug: "system" }
+        collection: "_globals_system",
+        where: {}
       });
       if (result) {
         cachedSecrets = {
@@ -89,7 +92,7 @@ function getSessionConfig() {
   };
 }
 var dbAdapter, cachedSecrets;
-var init_secret = chunkG7VZBCD6_cjs.__esm({
+var init_secret = chunkCZLDE2OZ_cjs.__esm({
   "src/lib/secret.ts"() {
     dbAdapter = null;
     cachedSecrets = null;
@@ -98,7 +101,7 @@ var init_secret = chunkG7VZBCD6_cjs.__esm({
 // src/api/rest/auth-session.ts
 var auth_session_exports = {};
-chunkG7VZBCD6_cjs.__export(auth_session_exports, {
+chunkCZLDE2OZ_cjs.__export(auth_session_exports, {
   SESSION_CONFIG: () => SESSION_CONFIG,
   clearSessionCookie: () => clearSessionCookie,
   createSession: () => createSession,
@@ -364,7 +367,7 @@ async function getCurrentUser(request) {
   return session;
 }
 var sessionConfig, SESSION_CONFIG, SESSION_COOKIE_NAME, storage;
-var init_auth_session = chunkG7VZBCD6_cjs.__esm({
+var init_auth_session = chunkCZLDE2OZ_cjs.__esm({
   "src/api/rest/auth-session.ts"() {
     init_secret();
     sessionConfig = getSessionConfig();
@@ -388,14 +391,14 @@ function createAuthMiddleware(config) {
     userLookup
   } = config;
   return async function authMiddleware(req) {
-    const apiKeyRaw = chunkIBG6V56E_cjs.extractApiKeyFromRequest(req);
+    const apiKeyRaw = chunk4M7X5HAB_cjs.extractApiKeyFromRequest(req);
     if (apiKeyRaw && db) {
-      const result = await chunkIBG6V56E_cjs.validateApiKey(apiKeyRaw, db, userLookup);
+      const result = await chunk4M7X5HAB_cjs.validateApiKey(apiKeyRaw, db, userLookup);
       if (result.valid && result.user) {
         return {
           user: result.user,
           tenantContext: createTenantContextFromUser(result.user),
-          apiKeyContext: chunkIBG6V56E_cjs.createApiKeyContext(result),
+          apiKeyContext: chunk4M7X5HAB_cjs.createApiKeyContext(result),
           status: 200,
           authType: "apikey"
         };
@@ -450,6 +453,9 @@ function createTenantContextFromUser(user) {
   };
 }
+// src/api/rest/hono-app.ts
+init_secret();
 // src/auth/security/in-memory-rate-limit.ts
 var InMemoryRateLimiter = class {
   storage = /* @__PURE__ */ new Map();
@@ -782,7 +788,7 @@ var AuditLogger = class {
   serializeLog(log) {
     const result = {
       id: log.id,
-      timestamp: log.timestamp.toISOString(),
+      timestamp: new Date(log.timestamp).toISOString(),
       action: log.action,
       resource: log.resource,
       success: log.success ? "1" : "0"
@@ -957,7 +963,7 @@ var AuthRoutes = class {
   constructor(config) {
     this.authAdapter = config.redis;
     this.email = config.email;
-    this.passwordPolicy = config.passwordPolicy || new chunkIA6AU5PI_cjs.PasswordPolicy();
+    this.passwordPolicy = config.passwordPolicy || new chunkY7AQK4R4_cjs.PasswordPolicy();
     this.lockout = config.lockout;
     this.rateLimiter = config.rateLimiter;
     this.auditLogger = config.auditLogger;
@@ -1177,23 +1183,19 @@ var AuthRoutes = class {
     }
   }
   async me(req) {
-    try {
-      const session = await getCurrentUser(req);
-      if (!session) {
-        return this.errorResponse("Not authenticated", 401);
-      }
-      const user = await this.authAdapter.findUserById(session.userId);
-      if (!user) {
-        return this.errorResponse("User not found", 404);
-      }
-      return this.jsonResponse({
-        success: true,
-        user: this.sanitizeUser(user)
-      });
-    } catch (error) {
-      console.error("[AuthRoutes.me] Authentication failed:", error.message);
-      return this.errorResponse("Authentication failed", 401);
+    const session = await getCurrentUser(req);
+    if (!session) {
+      return this.errorResponse("Not authenticated", 401);
     }
+    return this.jsonResponse({
+      success: true,
+      user: {
+        id: session.userId,
+        email: session.email,
+        role: session.role,
+        tenantId: session.tenantId
+      }
+    });
   }
   async changePassword(req) {
     const session = await getCurrentUser(req);
@@ -1303,7 +1305,7 @@ var AuthRoutes = class {
       }
       if (this.auditLogger) {
         await this.auditLogger.log({
-          action: "password_reset_request",
+          action: "password_reset",
           userId: user.id,
           userEmail: user.email,
           resource: "auth",
@@ -1452,7 +1454,7 @@ var AuthRoutes = class {
       return this.errorResponse("No session", 401);
     }
     try {
-      const updatedSession = await (init_auth_session(), chunkG7VZBCD6_cjs.__toCommonJS(auth_session_exports)).refreshSession(sessionId, req);
+      const updatedSession = await (init_auth_session(), chunkCZLDE2OZ_cjs.__toCommonJS(auth_session_exports)).refreshSession(sessionId, req);
       if (!updatedSession) {
         return this.errorResponse("Session not found", 404);
       }
@@ -1491,7 +1493,7 @@ var AuthRoutes = class {
   }
 };
 function createLocalStorage(config) {
-  const { uploadDir, baseUrl = "/uploads" } = config;
+  const { uploadDir = path.join(process2__default.default.cwd(), "public", "uploads"), baseUrl = "/uploads" } = config;
   async function ensureDir(dir) {
     if (!fs.existsSync(dir)) {
       await promises.mkdir(dir, { recursive: true });
@@ -1679,150 +1681,166 @@ function createLocalStorage(config) {
     }
   };
 }
-function extractPublicDevUrlId(url) {
-  if (!url) return "";
-  if (url.startsWith("pub-")) return url;
-  const match = url.match(/pub-[a-zA-Z0-9]+/i);
-  return match ? match[0] : "";
-}
-function getPublicUrl(key, config) {
-  const normalizedKey = key.startsWith("/") ? key.slice(1) : key;
-  if (config.cdnUrl) {
-    const cdn = config.cdnUrl.replace(/\/$/, "");
-    return `${cdn}/${normalizedKey}`;
-  }
-  switch (config.provider) {
-    case "r2": {
-      const pubId = extractPublicDevUrlId(config.publicDevUrl);
-      if (pubId) {
-        return `https://${pubId}.r2.dev/${normalizedKey}`;
+// src/storage/imgix.ts
+function createImgixStorage(config) {
+  const signUrl = (path3, params) => {
+    if (!config.signKey) return path3;
+    const signer = new TextEncoder();
+    const key = signer.encode(config.signKey);
+    const data = signer.encode(path3 + params.toString());
+    let hash = 0;
+    const combined = new Uint8Array(key.length + data.length);
+    combined.set(key);
+    combined.set(data, key.length);
+    for (let i = 0; i < combined.length; i++) {
+      hash = (hash << 5) - hash + combined[i] | 0;
+    }
+    params.set("s", Math.abs(hash).toString(16));
+    return path3;
+  };
+  return {
+    name: "imgix",
+    displayName: "Imgix",
+    supportsDynamicResize: true,
+    async upload(_file, _options) {
+      throw new Error(
+        "Imgix is a transformation service. Use another provider for uploads."
+      );
+    },
+    async uploadFromUrl(url, options) {
+      const filename = options?.filename || url.split("/").pop() || "file";
+      const response = await fetch(url);
+      if (!response.ok) {
+        throw new Error(`Failed to fetch: ${response.statusText}`);
       }
-      return `https://${config.bucket}.${config.accountId}.r2.cloudflarestorage.com/${normalizedKey}`;
+      const blob = await response.blob();
+      new File([blob], filename, { type: blob.type });
+      return {
+        id: Buffer.from(url).toString("base64").slice(0, 20),
+        filename,
+        originalName: filename,
+        mimeType: blob.type,
+        size: blob.size,
+        url: this.getImageUrl(url),
+        thumbnailUrl: this.getImageUrl(url, {
+          width: 200,
+          height: 200,
+          fit: "crop"
+        }),
+        provider: "imgix",
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    },
+    async delete(_url) {
+    },
+    async rename(_oldUrl, newKey) {
+      return `https://${config.domain}/${newKey}`;
+    },
+    getImageUrl(url, transforms) {
+      const parsed = new URL(url);
+      const params = new URLSearchParams(parsed.search);
+      if (config.defaultParameters) {
+        Object.entries(config.defaultParameters).forEach(([key, value]) => {
+          if (!params.has(key)) {
+            params.set(key, value);
+          }
+        });
+      }
+      if (transforms) {
+        if (transforms.width) params.set("w", String(transforms.width));
+        if (transforms.height) params.set("h", String(transforms.height));
+        if (transforms.quality) params.set("q", String(transforms.quality));
+        if (transforms.format) params.set("fm", transforms.format);
+        if (transforms.fit) params.set("fit", transforms.fit);
+        if (transforms.blur) params.set("blur", String(transforms.blur));
+        if (transforms.sharpen) params.set("sharp", String(transforms.sharpen));
+      }
+      params.set("auto", "compress,format");
+      parsed.pathname + "?" + params.toString();
+      if (config.signKey) {
+        signUrl(parsed.pathname + params.toString(), params);
+      }
+      return `https://${config.domain}${parsed.pathname}${params.toString() ? "?" + params.toString() : ""}`;
+    },
+    async generateThumbnail(file) {
+      return this.getImageUrl(file.url, {
+        width: 200,
+        height: 200,
+        fit: "crop"
+      });
+    },
+    async list() {
+      return [];
+    },
+    async exists(url) {
+      try {
+        const response = await fetch(url, { method: "HEAD" });
+        return response.ok;
+      } catch {
+        return false;
+      }
+    },
+    async createFolder() {
+    },
+    async deleteFolder() {
     }
-    case "gcs":
-      return `https://storage.googleapis.com/${config.bucket}/${normalizedKey}`;
-    case "digitalocean":
-      return `https://${config.bucket}.${config.region}.cdn.digitaloceanspaces.com/${normalizedKey}`;
-    case "backblaze":
-      return `https://${config.bucket}.s3.backblazeb2.com/${normalizedKey}`;
-    case "wasabi":
-      return `https://${config.bucket}.s3.wasabisys.com/${normalizedKey}`;
-    case "aws":
-    default:
-      return `https://${config.bucket}.s3.${config.region}.amazonaws.com/${normalizedKey}`;
+  };
+}
+// src/storage/bunny.ts
+function getUrl(key, config) {
+  if (config.cdnUrl) {
+    return `${config.cdnUrl.replace(/\/$/, "")}/${key}`;
   }
+  return `https://${config.storageZone}.b-cdn.net/${key}`;
 }
 function getUrlPrefix(config) {
   if (config.cdnUrl) {
     return config.cdnUrl.replace(/\/$/, "") + "/";
   }
-  switch (config.provider) {
-    case "r2": {
-      const pubId = extractPublicDevUrlId(config.publicDevUrl);
-      if (pubId) {
-        return `https://${pubId}.r2.dev/`;
-      }
-      return `https://${config.bucket}.${config.accountId}.r2.cloudflarestorage.com/`;
-    }
-    case "gcs":
-      return `https://storage.googleapis.com/${config.bucket}/`;
-    case "digitalocean":
-      return `https://${config.bucket}.${config.region}.cdn.digitaloceanspaces.com/`;
-    case "backblaze":
-      return `https://${config.bucket}.s3.backblazeb2.com/`;
-    case "wasabi":
-      return `https://${config.bucket}.s3.wasabisys.com/`;
-    case "aws":
-    default:
-      return `https://${config.bucket}.s3.${config.region}.amazonaws.com/`;
-  }
-}
-function getDisplayName(provider) {
-  switch (provider) {
-    case "r2":
-      return "Cloudflare R2";
-    case "gcs":
-      return "Google Cloud Storage";
-    case "digitalocean":
-      return "DigitalOcean Spaces";
-    case "backblaze":
-      return "Backblaze B2";
-    case "wasabi":
-      return "Wasabi";
-    case "aws":
-    default:
-      return "AWS S3";
-  }
+  return `https://${config.storageZone}.b-cdn.net/`;
 }
-function createS3Storage(config) {
-  console.log("[createS3Storage] Creating provider:", config.provider);
-  console.log("[createS3Storage] Credentials:", {
-    accessKeyId: config.accessKeyId ? "SET" : "UNDEFINED",
-    secretAccessKey: config.secretAccessKey ? "SET" : "UNDEFINED",
-    bucket: config.bucket,
-    accountId: config.accountId,
-    endpoint: config.endpoint
-  });
-  const client = new clientS3.S3Client({
-    region: config.region || "auto",
-    endpoint: config.endpoint,
-    credentials: {
-      accessKeyId: config.accessKeyId,
-      secretAccessKey: config.secretAccessKey
-    },
-    forcePathStyle: true,
-    tls: true,
-    // R2 requires specific SSL configuration
-    ...config.provider === "r2" && {
-      requestHandler: new (chunkG7VZBCD6_cjs.__require("@smithy/node-http-handler")).NodeHttpHandler({
-        connectionTimeout: 1e4,
-        socketTimeout: 1e4
-      })
-    }
-  });
-  const getKey = (path2) => {
+function createBunnyStorage(config) {
+  const baseUrl = `https://storage.bunnycdn.com/${config.storageZone}`;
+  const getKey = (path3) => {
     const prefix = config.prefix ? `${config.prefix}/` : "";
-    return `${prefix}${path2}`.replace(/\/+/g, "/");
+    return `${prefix}${path3}`.replace(/\/+/g, "/");
   };
-  const getUrl = (key) => getPublicUrl(key, config);
   return {
-    name: config.provider,
-    displayName: getDisplayName(config.provider),
+    name: "bunny",
+    displayName: "Bunny.net Storage",
     supportsDynamicResize: true,
     async upload(file, options) {
       const key = getKey(
         `${options?.folder ? `${options.folder}/` : ""}${options?.filename || file.name}`
       );
       const buffer = Buffer.from(await file.arrayBuffer());
-      await client.send(
-        new clientS3.PutObjectCommand({
-          Bucket: config.bucket,
-          Key: key,
-          Body: buffer,
-          ContentType: file.type,
-          Metadata: options?.metadata
-        })
-      );
-      const head = await client.send(
-        new clientS3.HeadObjectCommand({
-          Bucket: config.bucket,
-          Key: key
-        })
-      );
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "PUT",
+        headers: {
+          AccessKey: config.apiKey,
+          "Content-Type": file.type
+        },
+        body: buffer
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(
+          `Bunny.net upload failed: ${response.status} ${errorText}`
+        );
+      }
       return {
         id: Buffer.from(key).toString("base64url"),
         filename: options?.filename || file.name,
         originalName: file.name,
         mimeType: file.type,
         size: buffer.length,
-        url: getUrl(key),
-        thumbnailUrl: file.type.startsWith("image/") ? getUrl(key) : void 0,
+        url: getUrl(key, config),
+        thumbnailUrl: file.type.startsWith("image/") ? getUrl(key, config) : void 0,
         folder: options?.folder,
-        provider: config.provider,
-        metadata: {
-          ...options?.metadata,
-          etag: head.ETag
-        },
+        provider: "bunny",
+        metadata: options?.metadata,
         createdAt: (/* @__PURE__ */ new Date()).toISOString()
       };
     },
@@ -1838,15 +1856,460 @@ function createS3Storage(config) {
     },
     async delete(url) {
       const key = url.replace(getUrlPrefix(config), "");
-      await client.send(
-        new clientS3.DeleteObjectCommand({
-          Bucket: config.bucket,
-          Key: key
-        })
-      );
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "DELETE",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      if (!response.ok && response.status !== 404) {
+        const errorText = await response.text();
+        throw new Error(
+          `Bunny.net delete failed: ${response.status} ${errorText}`
+        );
+      }
     },
     async rename(oldUrl, newKey) {
       const oldKey = oldUrl.replace(getUrlPrefix(config), "");
+      const fullPath = config.prefix ? `${config.prefix}/${newKey}` : newKey;
+      const response = await fetch(`${baseUrl}/${oldKey}`, {
+        method: "GET",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      if (!response.ok) {
+        throw new Error(`Bunny.net rename failed: could not read old file`);
+      }
+      const content = await response.arrayBuffer();
+      await fetch(`${baseUrl}/${fullPath}`, {
+        method: "PUT",
+        headers: {
+          AccessKey: config.apiKey,
+          "Content-Type": response.headers.get("Content-Type") || "application/octet-stream"
+        },
+        body: content
+      });
+      await this.delete(oldUrl);
+      return getUrl(fullPath, config);
+    },
+    getImageUrl(url, transforms) {
+      if (!transforms || Object.keys(transforms).length === 0) return url;
+      const params = new URLSearchParams({ url });
+      if (transforms.width) params.set("w", String(transforms.width));
+      if (transforms.height) params.set("h", String(transforms.height));
+      if (transforms.quality) params.set("q", String(transforms.quality));
+      if (transforms.format) params.set("f", transforms.format);
+      return `/api/media/resize?${params.toString()}`;
+    },
+    async generateThumbnail(file) {
+      return this.getImageUrl(file.url, { width: 400, height: 400 });
+    },
+    async list(prefix) {
+      const key = getKey(prefix || "");
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "GET",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(
+          `Bunny.net list failed: ${response.status} ${errorText}`
+        );
+      }
+      const items = await response.json();
+      return items.map((item) => ({
+        id: Buffer.from(item.ObjectName || "").toString("base64url"),
+        filename: item.ObjectName?.split("/").pop() || "",
+        originalName: item.ObjectName?.split("/").pop() || "",
+        mimeType: "application/octet-stream",
+        size: item.Length || 0,
+        url: getUrl(item.ObjectName || "", config),
+        provider: "bunny",
+        createdAt: item.LastChanged || (/* @__PURE__ */ new Date()).toISOString()
+      }));
+    },
+    async exists(url) {
+      const key = url.replace(getUrlPrefix(config), "");
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "HEAD",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      return response.ok;
+    },
+    async createFolder(folder) {
+      const key = getKey(`${folder}/`);
+      await fetch(`${baseUrl}/${key}`, {
+        method: "PUT",
+        headers: {
+          AccessKey: config.apiKey,
+          "Content-Length": "0"
+        },
+        body: ""
+      });
+    },
+    async deleteFolder(folder) {
+      const key = getKey(`${folder}/`);
+      await fetch(`${baseUrl}/${key}`, {
+        method: "DELETE",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+    }
+  };
+}
+var StorageProviderRegistry = class {
+  providers = /* @__PURE__ */ new Map();
+  providerToPlugin = /* @__PURE__ */ new Map();
+  disabledPlugins = /* @__PURE__ */ new Set();
+  constructor() {
+    this.registerLocal();
+    this.registerImgix();
+    this.registerBunny();
+  }
+  registerLocal() {
+    this.register({
+      type: "local",
+      displayName: "Local Server",
+      configKey: "local",
+      configFields: [
+        {
+          name: "uploadDir",
+          type: "text",
+          label: "Upload Directory",
+          defaultValue: "./public/uploads"
+        },
+        {
+          name: "baseUrl",
+          type: "text",
+          label: "Base URL",
+          defaultValue: "/uploads"
+        }
+      ],
+      extractConfig: (sc, key) => sc[key] || {},
+      extractRawConfig: (c) => {
+        const localConfig = c?.local || c;
+        const savedUploadDir = (localConfig?.uploadDir || "").trim();
+        let uploadDir;
+        if (savedUploadDir) {
+          if (path__default.default.isAbsolute(savedUploadDir)) {
+            uploadDir = savedUploadDir;
+          } else if (savedUploadDir.includes("/") || savedUploadDir.includes("\\")) {
+            uploadDir = path__default.default.resolve(process.cwd(), savedUploadDir);
+          } else {
+            uploadDir = path__default.default.join(process.cwd(), "public", savedUploadDir);
+          }
+        } else {
+          uploadDir = path__default.default.join(process.cwd(), "public", "uploads");
+        }
+        const savedBaseUrl = (localConfig?.baseUrl || "").trim();
+        let baseUrl;
+        if (savedBaseUrl) {
+          baseUrl = savedBaseUrl.startsWith("/") ? savedBaseUrl : `/${savedBaseUrl}`;
+        } else {
+          baseUrl = "/uploads";
+        }
+        return { uploadDir, baseUrl };
+      },
+      factory: (c) => createLocalStorage(c)
+    });
+  }
+  registerImgix() {
+    this.register({
+      type: "imgix",
+      displayName: "Imgix",
+      configKey: "imgix",
+      configFields: [
+        { name: "domain", type: "text", label: "Domain", required: true },
+        { name: "signKey", type: "password", label: "Sign Key" }
+      ],
+      extractConfig: (sc, key) => sc[key] || {},
+      extractRawConfig: (c) => c?.imgix || c,
+      factory: (c) => createImgixStorage(c)
+    });
+  }
+  registerBunny() {
+    this.register({
+      type: "bunny",
+      displayName: "Bunny.net",
+      configKey: "bunny",
+      configFields: [
+        {
+          name: "storageZone",
+          type: "text",
+          label: "Storage Zone",
+          required: true
+        },
+        { name: "apiKey", type: "password", label: "API Key", required: true },
+        { name: "cdnUrl", type: "text", label: "CDN URL" },
+        { name: "prefix", type: "text", label: "Path Prefix" }
+      ],
+      extractConfig: (sc, key) => sc[key] || {},
+      extractRawConfig: (c) => c?.bunny || c,
+      factory: (c) => createBunnyStorage(c)
+    });
+  }
+  register(registration) {
+    if (this.providers.has(registration.type)) {
+      console.warn(
+        `[StorageRegistry] Provider "${registration.type}" already registered, skipping`
+      );
+      return;
+    }
+    if (registration.pluginName) {
+      this.providerToPlugin.set(registration.type, registration.pluginName);
+    }
+    this.providers.set(registration.type, registration);
+  }
+  unregister(type) {
+    this.providers.delete(type);
+    this.providerToPlugin.delete(type);
+  }
+  get(type) {
+    return this.providers.get(type);
+  }
+  getAll() {
+    return Array.from(this.providers.values());
+  }
+  getAllAvailable(isPluginEnabled) {
+    const all = this.getAll();
+    if (!isPluginEnabled) return all;
+    return all.filter((p) => {
+      if (!p.pluginName) return true;
+      return isPluginEnabled(p.pluginName);
+    });
+  }
+  has(type) {
+    return this.providers.has(type);
+  }
+  async resolve(type, storageConfig) {
+    const reg = this.providers.get(type);
+    if (!reg) {
+      throw new Error(
+        `Unknown storage provider type: "${type}". Is the plugin that provides it enabled?`
+      );
+    }
+    if (reg.pluginName && this.disabledPlugins.has(reg.pluginName)) {
+      throw new Error(
+        `Storage provider "${type}" is not available (plugin "${reg.pluginName}" is disabled)`
+      );
+    }
+    const configKey = reg.configKey || type;
+    const config = reg.extractConfig(storageConfig, configKey);
+    return reg.factory(config);
+  }
+  async resolveWithConfig(type, config) {
+    const reg = this.providers.get(type);
+    if (!reg) {
+      throw new Error(
+        `Unknown storage provider type: "${type}". Is the plugin that provides it enabled?`
+      );
+    }
+    if (reg.pluginName && this.disabledPlugins.has(reg.pluginName)) {
+      throw new Error(
+        `Storage provider "${type}" is not available (plugin "${reg.pluginName}" is disabled)`
+      );
+    }
+    const providerConfig = reg.extractRawConfig(config);
+    return reg.factory(providerConfig);
+  }
+  getProviderPluginName(type) {
+    return this.providerToPlugin.get(type);
+  }
+  getAllPluginNames() {
+    return Array.from(new Set(this.providerToPlugin.values()));
+  }
+  setPluginEnabled(name, enabled) {
+    if (enabled) {
+      this.disabledPlugins.delete(name);
+    } else {
+      this.disabledPlugins.add(name);
+    }
+  }
+  isPluginEnabled(name) {
+    return !this.disabledPlugins.has(name);
+  }
+};
+var instance = null;
+function getDefaultRegistry() {
+  if (!instance) {
+    instance = new StorageProviderRegistry();
+  }
+  return instance;
+}
+function extractPublicDevUrlId(url) {
+  if (!url) return "";
+  if (url.startsWith("pub-")) return url;
+  const match = url.match(/pub-[a-zA-Z0-9]+/i);
+  return match ? match[0] : "";
+}
+function getPublicUrl(key, config) {
+  const normalizedKey = key.startsWith("/") ? key.slice(1) : key;
+  if (config.cdnUrl) {
+    const cdn = config.cdnUrl.replace(/\/$/, "");
+    return `${cdn}/${normalizedKey}`;
+  }
+  switch (config.provider) {
+    case "r2": {
+      const pubId = extractPublicDevUrlId(config.publicDevUrl);
+      if (pubId) {
+        return `https://${pubId}.r2.dev/${normalizedKey}`;
+      }
+      return `https://${config.bucket}.${config.accountId}.r2.cloudflarestorage.com/${normalizedKey}`;
+    }
+    case "gcs":
+      return `https://storage.googleapis.com/${config.bucket}/${normalizedKey}`;
+    case "digitalocean":
+      return `https://${config.bucket}.${config.region}.cdn.digitaloceanspaces.com/${normalizedKey}`;
+    case "backblaze":
+      return `https://${config.bucket}.s3.backblazeb2.com/${normalizedKey}`;
+    case "wasabi":
+      return `https://${config.bucket}.s3.wasabisys.com/${normalizedKey}`;
+    case "aws":
+    default:
+      return `https://${config.bucket}.s3.${config.region}.amazonaws.com/${normalizedKey}`;
+  }
+}
+function getUrlPrefix2(config) {
+  if (config.cdnUrl) {
+    return config.cdnUrl.replace(/\/$/, "") + "/";
+  }
+  switch (config.provider) {
+    case "r2": {
+      const pubId = extractPublicDevUrlId(config.publicDevUrl);
+      if (pubId) {
+        return `https://${pubId}.r2.dev/`;
+      }
+      return `https://${config.bucket}.${config.accountId}.r2.cloudflarestorage.com/`;
+    }
+    case "gcs":
+      return `https://storage.googleapis.com/${config.bucket}/`;
+    case "digitalocean":
+      return `https://${config.bucket}.${config.region}.cdn.digitaloceanspaces.com/`;
+    case "backblaze":
+      return `https://${config.bucket}.s3.backblazeb2.com/`;
+    case "wasabi":
+      return `https://${config.bucket}.s3.wasabisys.com/`;
+    case "aws":
+    default:
+      return `https://${config.bucket}.s3.${config.region}.amazonaws.com/`;
+  }
+}
+function getDisplayName(provider) {
+  switch (provider) {
+    case "r2":
+      return "Cloudflare R2";
+    case "gcs":
+      return "Google Cloud Storage";
+    case "digitalocean":
+      return "DigitalOcean Spaces";
+    case "backblaze":
+      return "Backblaze B2";
+    case "wasabi":
+      return "Wasabi";
+    case "aws":
+    default:
+      return "AWS S3";
+  }
+}
+function createS3Storage(config) {
+  console.log("[createS3Storage] Creating provider:", config.provider);
+  console.log("[createS3Storage] Credentials:", {
+    accessKeyId: config.accessKeyId ? "SET" : "UNDEFINED",
+    secretAccessKey: config.secretAccessKey ? "SET" : "UNDEFINED",
+    bucket: config.bucket,
+    accountId: config.accountId,
+    endpoint: config.endpoint
+  });
+  const client = new clientS3.S3Client({
+    region: config.region || "auto",
+    endpoint: config.endpoint,
+    credentials: {
+      accessKeyId: config.accessKeyId,
+      secretAccessKey: config.secretAccessKey
+    },
+    forcePathStyle: true,
+    tls: true,
+    // R2 requires specific SSL configuration
+    ...config.provider === "r2" && {
+      requestHandler: new nodeHttpHandler.NodeHttpHandler({
+        connectionTimeout: 1e4,
+        socketTimeout: 1e4
+      })
+    }
+  });
+  const getKey = (path3) => {
+    const prefix = config.prefix ? `${config.prefix}/` : "";
+    return `${prefix}${path3}`.replace(/\/+/g, "/");
+  };
+  const getUrl2 = (key) => getPublicUrl(key, config);
+  return {
+    name: config.provider,
+    displayName: getDisplayName(config.provider),
+    supportsDynamicResize: true,
+    async upload(file, options) {
+      const key = getKey(
+        `${options?.folder ? `${options.folder}/` : ""}${options?.filename || file.name}`
+      );
+      const buffer = Buffer.from(await file.arrayBuffer());
+      await client.send(
+        new clientS3.PutObjectCommand({
+          Bucket: config.bucket,
+          Key: key,
+          Body: buffer,
+          ContentType: file.type,
+          Metadata: options?.metadata
+        })
+      );
+      const head = await client.send(
+        new clientS3.HeadObjectCommand({
+          Bucket: config.bucket,
+          Key: key
+        })
+      );
+      return {
+        id: Buffer.from(key).toString("base64url"),
+        filename: options?.filename || file.name,
+        originalName: file.name,
+        mimeType: file.type,
+        size: buffer.length,
+        url: getUrl2(key),
+        thumbnailUrl: file.type.startsWith("image/") ? getUrl2(key) : void 0,
+        folder: options?.folder,
+        provider: config.provider,
+        metadata: {
+          ...options?.metadata,
+          etag: head.ETag
+        },
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    },
+    async uploadFromUrl(url) {
+      const response = await fetch(url);
+      if (!response.ok) {
+        throw new Error(`Failed to fetch: ${response.statusText}`);
+      }
+      const blob = await response.blob();
+      const filename = url.split("/").pop() || "file";
+      const file = new File([blob], filename, { type: blob.type });
+      return this.upload(file);
+    },
+    async delete(url) {
+      const key = url.replace(getUrlPrefix2(config), "");
+      await client.send(
+        new clientS3.DeleteObjectCommand({
+          Bucket: config.bucket,
+          Key: key
+        })
+      );
+    },
+    async rename(oldUrl, newKey) {
+      const oldKey = oldUrl.replace(getUrlPrefix2(config), "");
       const newKeyWithPrefix = config.prefix ? `${config.prefix}/${newKey}` : newKey;
       await client.send(
         new clientS3.CopyObjectCommand({
@@ -1861,7 +2324,7 @@ function createS3Storage(config) {
           Key: oldKey
         })
       );
-      return getUrl(newKeyWithPrefix);
+      return getUrl2(newKeyWithPrefix);
     },
     getImageUrl(url, transforms) {
       if (!transforms || Object.keys(transforms).length === 0) return url;
@@ -1889,14 +2352,14 @@ function createS3Storage(config) {
         originalName: item.Key?.split("/").pop() || "",
         mimeType: "application/octet-stream",
         size: item.Size || 0,
-        url: getUrl(item.Key || ""),
+        url: getUrl2(item.Key || ""),
         provider: config.provider,
         createdAt: item.LastModified?.toISOString() || (/* @__PURE__ */ new Date()).toISOString()
       }));
     },
     async exists(url) {
       try {
-        const key = url.replace(getUrlPrefix(config), "");
+        const key = url.replace(getUrlPrefix2(config), "");
         await client.send(
           new clientS3.HeadObjectCommand({
             Bucket: config.bucket,
@@ -1956,9 +2419,9 @@ function createS3Storage(config) {
 function createCloudinaryStorage(config) {
   const getBaseUrl = () => `https://api.cloudinary.com/v1_1/${config.cloudName}/upload`;
   const generateSignature = async (params) => {
-    const crypto3 = await import('crypto');
+    const crypto4 = await import('crypto');
     const sortedParams = Object.keys(params).sort().map((key) => `${key}=${params[key]}`).join("&");
-    return crypto3.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
+    return crypto4.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
   };
   return {
     name: "cloudinary",
@@ -2060,8 +2523,8 @@ function createCloudinaryStorage(config) {
           public_id: publicId
         };
         const sortedParams = Object.keys(signatureParams).sort().map((key) => `${key}=${signatureParams[key]}`).join("&");
-        const crypto3 = await import('crypto');
-        const signature = crypto3.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
+        const crypto4 = await import('crypto');
+        const signature = crypto4.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
         const deleteUrl = `https://api.cloudinary.com/v1_1/${config.cloudName}/image/destroy`;
         const formData = new FormData();
         formData.append("public_id", publicId);
@@ -2112,8 +2575,8 @@ function createCloudinaryStorage(config) {
           timestamp: String(timestamp)
         };
         const sortedParams = Object.keys(signatureParams).sort().map((key) => `${key}=${signatureParams[key]}`).join("&");
-        const crypto3 = await import('crypto');
-        const signature = crypto3.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
+        const crypto4 = await import('crypto');
+        const signature = crypto4.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
         const formData = new FormData();
         formData.append("from_public_id", publicIdWithoutVersion);
         formData.append("to_public_id", newPublicId);
@@ -2131,140 +2594,38 @@ function createCloudinaryStorage(config) {
           const data = await response.json();
           console.log("[Cloudinary rename] Success:", data.secure_url);
           return data.secure_url;
-        } else {
-          const error = await response.json();
-          console.warn("[Cloudinary rename] Failed:", error);
-          const versionStr = version ? `/${version}/` : "/";
-          return `https://res.cloudinary.com/${config.cloudName}/image/upload${versionStr}${newPublicId}.${newKey.split(".").pop()}`;
-        }
-      } catch (e) {
-        console.warn("[Cloudinary rename] Error:", e.message);
-        const versionStr = version ? `/${version}/` : "/";
-        return `https://res.cloudinary.com/${config.cloudName}/image/upload${versionStr}${newPublicId}.${newKey.split(".").pop()}`;
-      }
-    },
-    getImageUrl(url, transforms) {
-      if (!transforms) return url;
-      const parts = url.split("/upload/");
-      if (parts.length !== 2) return url;
-      const transformationArr = [];
-      if (transforms.width) transformationArr.push(`w_${transforms.width}`);
-      if (transforms.height) transformationArr.push(`h_${transforms.height}`);
-      if (transforms.fit) {
-        const fitMap = {
-          crop: "c_fill",
-          clip: "c_fit",
-          scale: "c_scale",
-          fill: "c_fill"
-        };
-        transformationArr.push(fitMap[transforms.fit] || "c_limit");
-      }
-      if (transforms.quality) transformationArr.push(`q_${transforms.quality}`);
-      if (transforms.format) transformationArr.push(`f_${transforms.format}`);
-      const transformationStr = transformationArr.join(",");
-      return `${parts[0]}/upload/${transformationStr}/${parts[1]}`;
-    },
-    async generateThumbnail(file) {
-      return this.getImageUrl(file.url, {
-        width: 200,
-        height: 200,
-        fit: "crop"
-      });
-    },
-    async list() {
-      return [];
-    },
-    async exists(url) {
-      const response = await fetch(url, { method: "HEAD" });
-      return response.ok;
-    },
-    async createFolder() {
-    },
-    async deleteFolder() {
-    }
-  };
-}
-// src/storage/imgix.ts
-function createImgixStorage(config) {
-  const signUrl = (path2, params) => {
-    if (!config.signKey) return path2;
-    const signer = new TextEncoder();
-    const key = signer.encode(config.signKey);
-    const data = signer.encode(path2 + params.toString());
-    let hash = 0;
-    const combined = new Uint8Array(key.length + data.length);
-    combined.set(key);
-    combined.set(data, key.length);
-    for (let i = 0; i < combined.length; i++) {
-      hash = (hash << 5) - hash + combined[i] | 0;
-    }
-    params.set("s", Math.abs(hash).toString(16));
-    return path2;
-  };
-  return {
-    name: "imgix",
-    displayName: "Imgix",
-    supportsDynamicResize: true,
-    async upload(_file, _options) {
-      throw new Error(
-        "Imgix is a transformation service. Use another provider for uploads."
-      );
-    },
-    async uploadFromUrl(url, options) {
-      const filename = options?.filename || url.split("/").pop() || "file";
-      const response = await fetch(url);
-      if (!response.ok) {
-        throw new Error(`Failed to fetch: ${response.statusText}`);
+        } else {
+          const error = await response.json();
+          console.warn("[Cloudinary rename] Failed:", error);
+          const versionStr = version ? `/${version}/` : "/";
+          return `https://res.cloudinary.com/${config.cloudName}/image/upload${versionStr}${newPublicId}.${newKey.split(".").pop()}`;
+        }
+      } catch (e) {
+        console.warn("[Cloudinary rename] Error:", e.message);
+        const versionStr = version ? `/${version}/` : "/";
+        return `https://res.cloudinary.com/${config.cloudName}/image/upload${versionStr}${newPublicId}.${newKey.split(".").pop()}`;
       }
-      const blob = await response.blob();
-      new File([blob], filename, { type: blob.type });
-      return {
-        id: Buffer.from(url).toString("base64").slice(0, 20),
-        filename,
-        originalName: filename,
-        mimeType: blob.type,
-        size: blob.size,
-        url: this.getImageUrl(url),
-        thumbnailUrl: this.getImageUrl(url, {
-          width: 200,
-          height: 200,
-          fit: "crop"
-        }),
-        provider: "imgix",
-        createdAt: (/* @__PURE__ */ new Date()).toISOString()
-      };
-    },
-    async delete(_url) {
-    },
-    async rename(_oldUrl, newKey) {
-      return `https://${config.domain}/${newKey}`;
     },
     getImageUrl(url, transforms) {
-      const parsed = new URL(url);
-      const params = new URLSearchParams(parsed.search);
-      if (config.defaultParameters) {
-        Object.entries(config.defaultParameters).forEach(([key, value]) => {
-          if (!params.has(key)) {
-            params.set(key, value);
-          }
-        });
-      }
-      if (transforms) {
-        if (transforms.width) params.set("w", String(transforms.width));
-        if (transforms.height) params.set("h", String(transforms.height));
-        if (transforms.quality) params.set("q", String(transforms.quality));
-        if (transforms.format) params.set("fm", transforms.format);
-        if (transforms.fit) params.set("fit", transforms.fit);
-        if (transforms.blur) params.set("blur", String(transforms.blur));
-        if (transforms.sharpen) params.set("sharp", String(transforms.sharpen));
-      }
-      params.set("auto", "compress,format");
-      parsed.pathname + "?" + params.toString();
-      if (config.signKey) {
-        signUrl(parsed.pathname + params.toString(), params);
+      if (!transforms) return url;
+      const parts = url.split("/upload/");
+      if (parts.length !== 2) return url;
+      const transformationArr = [];
+      if (transforms.width) transformationArr.push(`w_${transforms.width}`);
+      if (transforms.height) transformationArr.push(`h_${transforms.height}`);
+      if (transforms.fit) {
+        const fitMap = {
+          crop: "c_fill",
+          clip: "c_fit",
+          scale: "c_scale",
+          fill: "c_fill"
+        };
+        transformationArr.push(fitMap[transforms.fit] || "c_limit");
       }
-      return `https://${config.domain}${parsed.pathname}${params.toString() ? "?" + params.toString() : ""}`;
+      if (transforms.quality) transformationArr.push(`q_${transforms.quality}`);
+      if (transforms.format) transformationArr.push(`f_${transforms.format}`);
+      const transformationStr = transformationArr.join(",");
+      return `${parts[0]}/upload/${transformationStr}/${parts[1]}`;
     },
     async generateThumbnail(file) {
       return this.getImageUrl(file.url, {
@@ -2277,12 +2638,8 @@ function createImgixStorage(config) {
       return [];
     },
     async exists(url) {
-      try {
-        const response = await fetch(url, { method: "HEAD" });
-        return response.ok;
-      } catch {
-        return false;
-      }
+      const response = await fetch(url, { method: "HEAD" });
+      return response.ok;
     },
     async createFolder() {
     },
@@ -2307,15 +2664,15 @@ function createFtpStorage(config) {
     }
     return client;
   }
-  const getKey = (path2) => {
+  const getKey = (path3) => {
     const prefix = config.prefix ? `${config.prefix}/` : "";
-    return `${prefix}${path2}`.replace(/\/+/g, "/");
+    return `${prefix}${path3}`.replace(/\/+/g, "/");
   };
-  const getUrl = (key) => {
+  const getUrl2 = (key) => {
     const base = config.baseUrl.replace(/\/$/, "");
     return `${base}/${key}`;
   };
-  const getUrlPrefix2 = () => {
+  const getUrlPrefix3 = () => {
     const base = config.baseUrl.replace(/\/$/, "");
     return base + "/";
   };
@@ -2346,8 +2703,8 @@ function createFtpStorage(config) {
         originalName: file.name,
         mimeType: file.type,
         size: buffer.length,
-        url: getUrl(key),
-        thumbnailUrl: file.type.startsWith("image/") ? getUrl(key) : void 0,
+        url: getUrl2(key),
+        thumbnailUrl: file.type.startsWith("image/") ? getUrl2(key) : void 0,
         folder: options?.folder,
         provider: config.type,
         metadata: options?.metadata,
@@ -2366,15 +2723,15 @@ function createFtpStorage(config) {
     },
     async delete(url) {
       const ftp = await getClient();
-      const key = url.replace(getUrlPrefix2(), "");
+      const key = url.replace(getUrlPrefix3(), "");
       await ftp.remove(key);
     },
     async rename(oldUrl, newKey) {
       const ftp = await getClient();
-      const oldKey = oldUrl.replace(getUrlPrefix2(), "");
+      const oldKey = oldUrl.replace(getUrlPrefix3(), "");
       const fullPath = config.prefix ? `${config.prefix}/${newKey}` : newKey;
       await ftp.rename(oldKey, fullPath);
-      return getUrl(fullPath);
+      return getUrl2(fullPath);
     },
     getImageUrl(url, transforms) {
       if (!transforms || Object.keys(transforms).length === 0) return url;
@@ -2403,14 +2760,14 @@ function createFtpStorage(config) {
         originalName: item.name,
         mimeType: "application/octet-stream",
         size: Number(item.size) || 0,
-        url: getUrl(`${key}/${item.name}`.replace(/\/+/g, "/")),
+        url: getUrl2(`${key}/${item.name}`.replace(/\/+/g, "/")),
         provider: config.type,
         createdAt: item.modifiedAt ? item.modifiedAt.toISOString() : (/* @__PURE__ */ new Date()).toISOString()
       }));
     },
     async exists(url) {
       const ftp = await getClient();
-      const key = url.replace(getUrlPrefix2(), "");
+      const key = url.replace(getUrlPrefix3(), "");
       try {
         await ftp.size(key);
         return true;
@@ -2434,105 +2791,17 @@ function createFtpStorage(config) {
 // src/storage/index.ts
 async function resolveProvider(configService) {
   const config = configService.getStorageConfig();
-  switch (config.type) {
-    case "aws":
-      return createS3Storage({
-        provider: "aws",
-        bucket: config.s3.bucket || "",
-        region: config.s3.region || "us-east-1",
-        accessKeyId: config.s3.accessKeyId || "",
-        secretAccessKey: config.s3.secretAccessKey || "",
-        endpoint: config.s3.endpoint,
-        cdnUrl: config.s3.cdnUrl,
-        prefix: config.s3.prefix
-      });
-    case "r2":
-      return createS3Storage({
-        provider: "r2",
-        bucket: config.r2.bucket || "",
-        region: "auto",
-        accessKeyId: config.r2.accessKeyId || "",
-        secretAccessKey: config.r2.secretAccessKey || "",
-        accountId: config.r2.accountId || "",
-        publicDevUrl: config.r2.publicDevUrl,
-        endpoint: `https://${config.r2.accountId || ""}.r2.cloudflarestorage.com`,
-        cdnUrl: config.r2.cdnUrl,
-        prefix: config.r2.prefix
-      });
-    case "gcs":
-      return createS3Storage({
-        provider: "gcs",
-        bucket: config.gcs.bucket || "",
-        region: config.gcs.projectId || "auto",
-        accessKeyId: config.gcs.clientEmail || "",
-        secretAccessKey: config.gcs.privateKey || "",
-        cdnUrl: config.gcs.cdnUrl,
-        prefix: config.gcs.prefix
-      });
-    case "digitalocean":
-      return createS3Storage({
-        provider: "digitalocean",
-        bucket: config.digitalocean.bucket || "",
-        region: config.digitalocean.region || "nyc3",
-        accessKeyId: config.digitalocean.accessKeyId || "",
-        secretAccessKey: config.digitalocean.secretAccessKey || "",
-        endpoint: `https://${config.digitalocean.region || "nyc3"}.digitaloceanspaces.com`,
-        cdnUrl: config.digitalocean.cdnUrl,
-        prefix: config.digitalocean.prefix
-      });
-    case "backblaze":
-      return createS3Storage({
-        provider: "backblaze",
-        bucket: config.backblaze.bucket || "",
-        region: "auto",
-        accessKeyId: config.backblaze.applicationKeyId || "",
-        secretAccessKey: config.backblaze.applicationKey || "",
-        accountId: config.backblaze.accountId || "",
-        endpoint: `https://s3.backblazeb2.com`,
-        cdnUrl: config.backblaze.cdnUrl,
-        prefix: config.backblaze.prefix
-      });
-    case "wasabi":
-      return createS3Storage({
-        provider: "wasabi",
-        bucket: config.wasabi.bucket || "",
-        region: config.wasabi.region || "us-east-1",
-        accessKeyId: config.wasabi.accessKeyId || "",
-        secretAccessKey: config.wasabi.secretAccessKey || "",
-        endpoint: `https://s3.${config.wasabi.region || "us-east-1"}.wasabisys.com`,
-        cdnUrl: config.wasabi.cdnUrl,
-        prefix: config.wasabi.prefix
-      });
-    case "ftp":
-    case "sftp":
-      return createFtpStorage({
-        host: config.ftp?.host || "",
-        port: config.ftp?.port || 21,
-        user: config.ftp?.user || "",
-        password: config.ftp?.password || "",
-        secure: config.ftp?.secure || false,
-        baseUrl: config.ftp?.baseUrl || "",
-        prefix: config.ftp?.prefix,
-        type: "ftp"
-      });
-    case "cloudinary":
-      return createCloudinaryStorage({
-        cloudName: config.cloudinary.cloudName || "",
-        apiKey: config.cloudinary.apiKey || "",
-        apiSecret: config.cloudinary.apiSecret || "",
-        folder: config.cloudinary.folder
-      });
-    case "imgix":
-      return createImgixStorage({
-        domain: config.imgix.domain || "",
-        signKey: config.imgix.signKey
-      });
-    case "local":
-    default:
-      return createLocalStorage({
-        uploadDir: config.local.uploadDir || path__default.default.join(process.cwd(), "public", "uploads"),
-        baseUrl: config.local.baseUrl || "/uploads"
-      });
+  const registry = getDefaultRegistry();
+  try {
+    return await registry.resolve(config.type, config);
+  } catch (err) {
+    console.warn(
+      `[resolveProvider] ${err.message} \u2014 falling back to local storage`
+    );
+    return createLocalStorage({
+      uploadDir: path__default.default.join(process.cwd(), "public", "uploads"),
+      baseUrl: "/uploads"
+    });
   }
 }
 async function resolveProviderWithConfig(config) {
@@ -2543,121 +2812,18 @@ async function resolveProviderWithConfig(config) {
       baseUrl: "/uploads"
     });
   }
-  console.log("[resolveProviderWithConfig] Creating provider:", config.type);
-  switch (config.type) {
-    case "aws":
-      return createS3Storage({
-        provider: "aws",
-        bucket: config.s3?.bucket || "",
-        region: config.s3?.region || "us-east-1",
-        accessKeyId: config.s3?.accessKeyId || "",
-        secretAccessKey: config.s3?.secretAccessKey || "",
-        endpoint: config.s3?.endpoint,
-        cdnUrl: config.s3?.cdnUrl,
-        prefix: config.s3?.prefix
-      });
-    case "r2":
-      return createS3Storage({
-        provider: "r2",
-        bucket: config.r2?.bucket || "",
-        region: "auto",
-        accessKeyId: config.r2?.accessKeyId || "",
-        secretAccessKey: config.r2?.secretAccessKey || "",
-        accountId: config.r2?.accountId || "",
-        publicDevUrl: config.r2?.publicDevUrl,
-        endpoint: `https://${config.r2?.accountId || ""}.r2.cloudflarestorage.com`,
-        cdnUrl: config.r2?.cdnUrl,
-        prefix: config.r2?.prefix
-      });
-    case "gcs":
-      return createS3Storage({
-        provider: "gcs",
-        bucket: config.gcs?.bucket || "",
-        region: config.gcs?.projectId || "auto",
-        accessKeyId: config.gcs?.clientEmail || "",
-        secretAccessKey: config.gcs?.privateKey || "",
-        cdnUrl: config.gcs?.cdnUrl,
-        prefix: config.gcs?.prefix
-      });
-    case "digitalocean":
-      return createS3Storage({
-        provider: "digitalocean",
-        bucket: config.digitalocean?.bucket || "",
-        region: config.digitalocean?.region || "nyc3",
-        accessKeyId: config.digitalocean?.accessKeyId || "",
-        secretAccessKey: config.digitalocean?.secretAccessKey || "",
-        cdnUrl: config.digitalocean?.cdnUrl,
-        prefix: config.digitalocean?.prefix
-      });
-    case "backblaze":
-      return createS3Storage({
-        provider: "backblaze",
-        bucket: config.backblaze?.bucket || "",
-        region: "auto",
-        accessKeyId: config.backblaze?.applicationKeyId || "",
-        secretAccessKey: config.backblaze?.applicationKey || "",
-        cdnUrl: config.backblaze?.cdnUrl,
-        prefix: config.backblaze?.prefix
-      });
-    case "wasabi":
-      return createS3Storage({
-        provider: "wasabi",
-        bucket: config.wasabi?.bucket || "",
-        region: config.wasabi?.region || "us-east-1",
-        accessKeyId: config.wasabi?.accessKeyId || "",
-        secretAccessKey: config.wasabi?.secretAccessKey || "",
-        cdnUrl: config.wasabi?.cdnUrl,
-        prefix: config.wasabi?.prefix
-      });
-    case "cloudinary":
-      return createCloudinaryStorage({
-        cloudName: config.cloudinary?.cloudName || "",
-        apiKey: config.cloudinary?.apiKey || "",
-        apiSecret: config.cloudinary?.apiSecret || "",
-        folder: config.cloudinary?.folder
-      });
-    case "ftp":
-    case "sftp": {
-      const ftpConf = config.ftp || config;
-      return createFtpStorage({
-        type: "ftp",
-        host: ftpConf.host || "",
-        port: ftpConf.port || 21,
-        user: ftpConf.user || "",
-        password: ftpConf.password || "",
-        secure: ftpConf.secure || false,
-        baseUrl: ftpConf.baseUrl || "",
-        prefix: ftpConf.prefix
-      });
-    }
-    case "local":
-    default: {
-      const localConfig = config.local || {
-        uploadDir: config["local.uploadDir"],
-        baseUrl: config["local.baseUrl"]
-      };
-      const savedUploadDir = (localConfig?.uploadDir || "").trim();
-      let uploadDir;
-      if (savedUploadDir) {
-        if (path__default.default.isAbsolute(savedUploadDir)) {
-          uploadDir = savedUploadDir;
-        } else if (savedUploadDir.includes("/") || savedUploadDir.includes("\\")) {
-          uploadDir = path__default.default.resolve(process.cwd(), savedUploadDir);
-        } else {
-          uploadDir = path__default.default.join(process.cwd(), "public", savedUploadDir);
-        }
-      } else {
-        uploadDir = path__default.default.join(process.cwd(), "public", "uploads");
-      }
-      const savedBaseUrl = (localConfig?.baseUrl || "").trim();
-      let baseUrl;
-      if (savedBaseUrl) {
-        baseUrl = savedBaseUrl.startsWith("/") ? savedBaseUrl : `/${savedBaseUrl}`;
-      } else {
-        baseUrl = "/uploads";
-      }
-      return createLocalStorage({ uploadDir, baseUrl });
-    }
+  const type = config.type || "local";
+  const registry = getDefaultRegistry();
+  try {
+    return await registry.resolveWithConfig(type, config);
+  } catch (err) {
+    console.warn(
+      `[resolveProviderWithConfig] ${err.message} \u2014 falling back to local storage`
+    );
+    return createLocalStorage({
+      uploadDir: path__default.default.join(process.cwd(), "public", "uploads"),
+      baseUrl: "/uploads"
+    });
   }
 }
 async function processImage(buffer) {
@@ -2686,17 +2852,15 @@ var MediaService = class _MediaService {
     this.db = db;
     this.storage = storage2;
     this.dialect = options?.dialect || "sqlite";
-    this.genId = options?.genId || chunk2KVHZE6O_cjs.genId;
+    this.genId = options?.genId || chunkRFFSZSCL_cjs.genId;
   }
   static async init(db, options) {
     let storage2;
     if (options?.storageConfig) {
       storage2 = await resolveProviderWithConfig(options.storageConfig);
     } else {
-      const configService = new chunkIA6AU5PI_cjs.ConfigService(db);
-      if (typeof db?.select === "function") {
-        await configService.load();
-      }
+      const configService = new chunkY7AQK4R4_cjs.ConfigService(db);
+      await configService.load();
       storage2 = await resolveProvider(configService);
     }
     const service = new _MediaService(db, storage2, options);
@@ -2898,7 +3062,7 @@ var MediaService = class _MediaService {
         ]
       );
     } else {
-      const { media: mediaSchema } = await import('./media-XNTUFJZR.cjs');
+      const { media: mediaSchema } = await import('./media-TUSLVRQ6.cjs');
       const mime = storageResult.mimeType;
       const mediaType = mime.startsWith("image/") ? "image" : mime.startsWith("video/") ? "video" : mime.startsWith("audio/") ? "audio" : mime.startsWith("application/pdf") ? "document" : ["application/zip", "application/x-zip", "application/x-tar", "application/gzip", "application/x-7z"].includes(mime) ? "archive" : "other";
       await this.db.insert(mediaSchema).values({
@@ -2960,7 +3124,7 @@ var MediaService = class _MediaService {
         id
       ]);
     } else {
-      const { media: mediaSchema } = await import('./media-XNTUFJZR.cjs');
+      const { media: mediaSchema } = await import('./media-TUSLVRQ6.cjs');
       const { eq } = await import('drizzle-orm');
       const [row] = await this.db.select().from(mediaSchema).where(eq(mediaSchema.id, id));
       if (row) item = this.rowToMedia(row);
@@ -2976,7 +3140,7 @@ var MediaService = class _MediaService {
     if (this.dialect === "sqlite") {
       await this.sqliteRun(`DELETE FROM ${this.mediaTable} WHERE id = ?`, [id]);
     } else {
-      const { media: mediaSchema } = await import('./media-XNTUFJZR.cjs');
+      const { media: mediaSchema } = await import('./media-TUSLVRQ6.cjs');
       const { eq } = await import('drizzle-orm');
       await this.db.delete(mediaSchema).where(eq(mediaSchema.id, id));
     }
@@ -2991,7 +3155,7 @@ var MediaService = class _MediaService {
         id
       ]);
     } else {
-      const { media: mediaSchema } = await import('./media-XNTUFJZR.cjs');
+      const { media: mediaSchema } = await import('./media-TUSLVRQ6.cjs');
       const { eq } = await import('drizzle-orm');
       const [row] = await this.db.select().from(mediaSchema).where(eq(mediaSchema.id, id));
       if (row) item = this.rowToMedia(row);
@@ -3026,7 +3190,7 @@ var MediaService = class _MediaService {
         [...vals, this.now(), id]
       );
     } else {
-      const { media: mediaSchema } = await import('./media-XNTUFJZR.cjs');
+      const { media: mediaSchema } = await import('./media-TUSLVRQ6.cjs');
       const { eq } = await import('drizzle-orm');
       await this.db.update(mediaSchema).set({ ...updateData, updatedAt: this.now() }).where(eq(mediaSchema.id, id));
     }
@@ -3045,7 +3209,7 @@ var MediaService = class _MediaService {
       );
       return row2 ? this.rowToMedia(row2) : null;
     }
-    const { media: mediaSchema } = await import('./media-XNTUFJZR.cjs');
+    const { media: mediaSchema } = await import('./media-TUSLVRQ6.cjs');
     const { eq } = await import('drizzle-orm');
     const [row] = await this.db.select().from(mediaSchema).where(eq(mediaSchema.id, id));
     return row ? this.rowToMedia(row) : null;
@@ -3093,7 +3257,7 @@ var MediaService = class _MediaService {
         totalPages: Math.ceil(totalDocs2 / limit)
       };
     }
-    const { media: mediaSchema } = await import('./media-XNTUFJZR.cjs');
+    const { media: mediaSchema } = await import('./media-TUSLVRQ6.cjs');
     const { like, or, and, asc, desc, eq, sql } = await import('drizzle-orm');
     const conditions = [];
     if (search) {
@@ -3172,7 +3336,7 @@ var MediaService = class _MediaService {
       );
       return row ? this.rowToMedia(row) : null;
     }
-    const { media: mediaSchema } = await import('./media-XNTUFJZR.cjs');
+    const { media: mediaSchema } = await import('./media-TUSLVRQ6.cjs');
     const { eq } = await import('drizzle-orm');
     const [updated] = await this.db.update(mediaSchema).set({ ...data, updatedAt: /* @__PURE__ */ new Date() }).where(eq(mediaSchema.id, id)).returning();
     return updated ? this.rowToMedia(updated) : null;
@@ -3194,7 +3358,7 @@ var MediaService = class _MediaService {
         );
       }
     } else {
-      const { media: mediaSchema } = await import('./media-XNTUFJZR.cjs');
+      const { media: mediaSchema } = await import('./media-TUSLVRQ6.cjs');
       const { eq } = await import('drizzle-orm');
       for (const id of ids) {
         await this.db.update(mediaSchema).set({ ...data, updatedAt: /* @__PURE__ */ new Date() }).where(eq(mediaSchema.id, id));
@@ -3209,7 +3373,7 @@ var MediaService = class _MediaService {
       );
       return rows.map((r) => r.path).filter((f) => f && f !== "").sort();
     }
-    const { media: mediaSchema, mediaFolders: folderSchema } = await import('./media-XNTUFJZR.cjs');
+    const { media: mediaSchema, mediaFolders: folderSchema } = await import('./media-TUSLVRQ6.cjs');
     const { eq, sql } = await import('drizzle-orm');
     const fromMedia = await this.db.select({ folder: mediaSchema.folder }).from(mediaSchema).groupBy(mediaSchema.folder);
     const fromFolders = await this.db.select({ path: folderSchema.path }).from(folderSchema);
@@ -3229,7 +3393,7 @@ var MediaService = class _MediaService {
         [fullPath, name, parentPath || null, now]
       );
     } else {
-      const { mediaFolders: folderSchema } = await import('./media-XNTUFJZR.cjs');
+      const { mediaFolders: folderSchema } = await import('./media-TUSLVRQ6.cjs');
       await this.db.insert(folderSchema).values({
         path: fullPath,
         name,
@@ -3250,7 +3414,7 @@ var MediaService = class _MediaService {
         [folder, `${folder}/%`]
       );
     } else {
-      const { mediaFolders: folderSchema } = await import('./media-XNTUFJZR.cjs');
+      const { mediaFolders: folderSchema } = await import('./media-TUSLVRQ6.cjs');
       const { like, or, eq } = await import('drizzle-orm');
       await this.db.delete(folderSchema).where(
         or(
@@ -3261,13 +3425,80 @@ var MediaService = class _MediaService {
     }
   }
 };
-// src/api/rest/hono-app.ts
+function formatZodErrors(errors) {
+  return errors.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ");
+}
+function normalizeEmptyStrings(data, fields) {
+  if (!data || typeof data !== "object") return;
+  for (const field of fields) {
+    if (!field.name || !(field.name in data)) continue;
+    const val = data[field.name];
+    if (val === "") {
+      const isTextual = field.type === "text" || field.type === "textarea" || field.type === "code" || field.type === "markdown" || field.type === "email" || field.type === "password" || field.type === "color";
+      if (!isTextual) data[field.name] = null;
+    }
+    if (field.type === "tabs" && field.name && Array.isArray(field.tabs) && data[field.name] && typeof data[field.name] === "object") {
+      for (const tab of field.tabs) {
+        if (Array.isArray(tab.fields)) normalizeEmptyStrings(data[field.name], tab.fields);
+      }
+    } else if ((field.type === "group" || field.type === "collapsible") && field.name && Array.isArray(field.fields) && data[field.name] && typeof data[field.name] === "object") {
+      normalizeEmptyStrings(data[field.name], field.fields);
+    } else if (field.type === "array" && field.name && Array.isArray(field.fields) && Array.isArray(data[field.name])) {
+      for (const item of data[field.name]) {
+        if (item && typeof item === "object") normalizeEmptyStrings(item, field.fields);
+      }
+    } else if (field.type === "blocks" && field.name && Array.isArray(field.blocks) && Array.isArray(data[field.name])) {
+      for (const item of data[field.name]) {
+        if (!item || typeof item !== "object") continue;
+        const blockTypeStr = item.type || item.blockType;
+        if (!blockTypeStr) continue;
+        const blockDef = field.blocks.find((b) => b.slug === blockTypeStr);
+        if (!blockDef || !Array.isArray(blockDef.fields)) continue;
+        const target = item.data && typeof item.data === "object" ? item.data : item;
+        normalizeEmptyStrings(target, blockDef.fields);
+      }
+    }
+  }
+}
+function convertRichtextFields(fields, data) {
+  if (!data || typeof data !== "object") return;
+  for (const field of fields) {
+    if (field.type === "richtext" && field.name) {
+      const val = data[field.name];
+      if (typeof val === "string") {
+        data[field.name] = [{ type: "paragraph", children: [{ text: val }] }];
+      } else if (val && typeof val === "object" && !Array.isArray(val) && val.type === "doc" && Array.isArray(val.content)) {
+        data[field.name] = val.content;
+      }
+    }
+    if (field.type === "tabs" && field.name && Array.isArray(field.tabs) && data[field.name] && typeof data[field.name] === "object") {
+      for (const tab of field.tabs) {
+        if (Array.isArray(tab.fields)) convertRichtextFields(tab.fields, data[field.name]);
+      }
+    } else if ((field.type === "group" || field.type === "collapsible") && field.name && Array.isArray(field.fields) && data[field.name] && typeof data[field.name] === "object") {
+      convertRichtextFields(field.fields, data[field.name]);
+    } else if (field.type === "array" && field.name && Array.isArray(field.fields) && Array.isArray(data[field.name])) {
+      for (const item of data[field.name]) {
+        if (item && typeof item === "object") convertRichtextFields(field.fields, item);
+      }
+    } else if (field.type === "blocks" && field.name && Array.isArray(field.blocks) && Array.isArray(data[field.name])) {
+      for (const item of data[field.name]) {
+        if (!item || typeof item !== "object") continue;
+        const blockTypeStr = item.type || item.blockType;
+        if (!blockTypeStr) continue;
+        const blockDef = field.blocks.find((b) => b.slug === blockTypeStr);
+        if (!blockDef || !Array.isArray(blockDef.fields)) continue;
+        const target = item.data && typeof item.data === "object" ? item.data : item;
+        convertRichtextFields(blockDef.fields, target);
+      }
+    }
+  }
+}
 var COLLECTION_EVENT_MAP = {
   _media: {
-    create: chunkIBG6V56E_cjs.WEBHOOK_EVENTS.MEDIA_UPLOAD,
-    update: chunkIBG6V56E_cjs.WEBHOOK_EVENTS.MEDIA_UPLOAD,
-    delete: chunkIBG6V56E_cjs.WEBHOOK_EVENTS.MEDIA_DELETE
+    create: chunkQFLB4EIJ_cjs.WEBHOOK_EVENTS.MEDIA_UPLOAD,
+    update: chunkQFLB4EIJ_cjs.WEBHOOK_EVENTS.MEDIA_UPLOAD,
+    delete: chunkQFLB4EIJ_cjs.WEBHOOK_EVENTS.MEDIA_DELETE
   }
 };
 function getWebhookEvent(collection, operation) {
@@ -3326,7 +3557,7 @@ async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTen
   };
   const isDefaultAllowed = accessLevels[defaultCollectionAccess] || false;
   if (accessRule) {
-    const allowed = await chunkR3XIBBAW_cjs.evaluateAccess(accessRule, {
+    const allowed = await chunk4M7X5HAB_cjs.evaluateAccess(accessRule, {
       req,
       user: ctxUser,
       tenantID: ctxTenantID
@@ -3348,7 +3579,7 @@ async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTen
     const resource = collection.slug;
     const action = operation === "read" ? "read" : operation === "create" ? "create" : "update";
     const permission = `${resource}:${action}`;
-    if (!chunkIBG6V56E_cjs.hasApiKeyPermission(apiKeyContext.permissions, permission) && !chunkIBG6V56E_cjs.hasApiKeyPermission(apiKeyContext.permissions, `${resource}:admin`)) {
+    if (!chunk4M7X5HAB_cjs.hasApiKeyPermission(apiKeyContext.permissions, permission) && !chunk4M7X5HAB_cjs.hasApiKeyPermission(apiKeyContext.permissions, `${resource}:admin`)) {
       return {
         allowed: false,
         error: `Missing permission: ${permission}`,
@@ -3356,20 +3587,20 @@ async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTen
       };
     }
   }
-  if (ctxUser) {
+  if (ctxUser && !(apiKeyContext?.permissions?.length > 0)) {
     const resource = collection.slug;
     const action = operation === "read" ? "read" : operation === "create" ? "create" : operation === "update" ? "update" : "delete";
     const permission = `${resource}:${action}`;
     let rbacAllowed = false;
     if (ctxUser.role) {
-      const userHasPermission = chunkSA7NSSIQ_cjs.hasPermission(
+      const userHasPermission = chunkNKPKR5BW_cjs.hasPermission(
         { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role },
         permission
       );
       if (userHasPermission) {
         rbacAllowed = true;
       } else {
-        const adminPermission = chunkSA7NSSIQ_cjs.hasPermission(
+        const adminPermission = chunkNKPKR5BW_cjs.hasPermission(
           { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role },
           `${resource}:admin`
         );
@@ -3389,7 +3620,7 @@ async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTen
 async function checkGlobalAccess(global, operation, req, ctxUser, ctxTenantID, enablePublicAccess = true) {
   const accessRule = global.access?.[operation];
   if (accessRule) {
-    const allowed = await chunkR3XIBBAW_cjs.evaluateAccess(accessRule, {
+    const allowed = await chunk4M7X5HAB_cjs.evaluateAccess(accessRule, {
       req,
       user: ctxUser,
       tenantID: ctxTenantID
@@ -3415,42 +3646,41 @@ async function checkGlobalAccess(global, operation, req, ctxUser, ctxTenantID, e
   return { allowed: true };
 }
 async function resolveAuthContext(req, authMw, staticUser, staticTenantID) {
-  if (!authMw) {
-    return {
-      user: staticUser,
-      tenantID: staticTenantID,
-      apiKeyContext: void 0
-    };
-  }
-  let result;
-  try {
-    result = await authMw(req);
-  } catch (err) {
+  if (staticUser) {
     return {
       user: staticUser,
       tenantID: staticTenantID,
-      apiKeyContext: void 0
+      apiKeyContext: void 0,
+      authType: "static"
     };
   }
-  if (result.status === 401) {
-    return { user: void 0, tenantID: void 0, apiKeyContext: void 0 };
+  if (authMw) {
+    const res = await authMw(req);
+    if (res.status === 200 && res.user) {
+      return {
+        user: res.user,
+        tenantID: res.tenantContext?.tenantId,
+        apiKeyContext: res.apiKeyContext,
+        authType: res.authType
+      };
+    }
   }
   return {
-    user: result.user || staticUser,
-    tenantID: result.tenantContext?.tenantId || staticTenantID,
-    apiKeyContext: result.apiKeyContext,
-    authType: result.authType
+    user: void 0,
+    tenantID: void 0,
+    apiKeyContext: void 0,
+    authType: void 0
   };
 }
 function createDefaultAuthAdapter(db, rootDir) {
-  if (db instanceof chunk2KVHZE6O_cjs.DrizzleAdapter && db.dialect === "postgres") {
-    return new chunk2OL4O2TH_cjs.PostgresAuthAdapter({ db: db.client });
+  if (db instanceof chunkRFFSZSCL_cjs.DrizzleAdapter && db.dialect === "postgres") {
+    return new chunk7OS7TX2Q_cjs.PostgresAuthAdapter({ db: db.client });
   }
-  if (db instanceof chunkPDYFVNUX_cjs.MongoDBAdapter) {
-    return new chunk4DA7QPLA_cjs.MongoDBAuthAdapter({ db: db.db });
+  if (db instanceof chunkQ23GAMLE_cjs.MongoDBAdapter) {
+    return new chunkGXFOGU7N_cjs.MongoDBAuthAdapter({ db: db.db });
   }
   const defaultAuthDbPath = path.resolve(rootDir, "data", "kyro.db");
-  return new chunkI7HHI6QV_cjs.SQLiteAuthAdapter({
+  return new chunkIDVRRRAK_cjs.SQLiteAuthAdapter({
     path: process.env.KYRO_AUTH_DB_PATH || defaultAuthDbPath
   });
 }
@@ -3553,6 +3783,13 @@ function createHonoApp(options) {
     baseUrl: process.env.KYRO_BASE_URL || "http://localhost:4321",
     rateLimiter
   });
+  chunkY7AQK4R4_cjs.EmailTransport.fromConfig(db).then((transport) => {
+    if (transport) {
+      authRoutes.email = transport;
+    }
+  }).catch((err) => {
+    console.error("[Email] Failed to initialize transport from config:", err);
+  });
   app.post("/api/auth/login", async (c) => authRoutes.login(c.req.raw));
   app.post("/api/auth/register", async (c) => authRoutes.register(c.req.raw));
   app.post("/api/auth/logout", async (c) => authRoutes.logout(c.req.raw));
@@ -3563,69 +3800,6 @@ function createHonoApp(options) {
   app.delete("/api/auth/sessions", async (c) => authRoutes.revokeOtherSessions(c.req.raw));
   app.delete("/api/auth/sessions/:id", async (c) => authRoutes.revokeSession(c.req.raw, c.req.param("id")));
   app.put("/api/auth/sessions/:id/name", async (c) => authRoutes.renameSession(c.req.raw, c.req.param("id")));
-  app.post("/api/graphql", async (c) => {
-    try {
-      const req = c.req.raw;
-      const apiKeyRaw = chunkIBG6V56E_cjs.extractApiKeyFromRequest(req);
-      if (apiKeyRaw && db) {
-        const apiKeyResult = await chunkIBG6V56E_cjs.validateApiKey(apiKeyRaw, db);
-        if (!apiKeyResult.valid) {
-          return c.json({ errors: [{ message: apiKeyResult.error || "Invalid API key" }] }, 401);
-        }
-        const apiKeyId = apiKeyResult.apiKeyId || "";
-        await sessionAuthAdapter?.createAuditLog({
-          action: "api_key_request",
-          userId: apiKeyResult.userId || "",
-          resource: "api_key",
-          resourceId: apiKeyId,
-          success: true,
-          metadata: {
-            endpoint: "/api/graphql",
-            method: "POST",
-            ip: extractIp(req)
-          }
-        });
-      }
-      const body = await req.json().catch(() => ({}));
-      const { query, variables } = body;
-      if (!query) {
-        return c.json({ errors: [{ message: "No query provided" }] }, 400);
-      }
-      let gqlUser;
-      let apiKeyCtx;
-      if (apiKeyRaw && db) {
-        const apiKeyResult = await chunkIBG6V56E_cjs.validateApiKey(apiKeyRaw, db);
-        if (apiKeyResult.valid && apiKeyResult.user) {
-          gqlUser = apiKeyResult.user;
-          apiKeyCtx = chunkIBG6V56E_cjs.createApiKeyContext(apiKeyResult);
-        }
-      }
-      const schema = chunkVJT6P4N6_cjs.buildGraphQLSchema({
-        registry,
-        db,
-        user: gqlUser,
-        req,
-        settings
-      });
-      const document = graphql.parse(query);
-      const result = await graphql.execute({
-        schema,
-        document,
-        variableValues: variables,
-        contextValue: { user: gqlUser, apiKeyContext: apiKeyCtx, req, db }
-      });
-      return c.json(result);
-    } catch (error) {
-      if (error.message?.includes("GraphQL is disabled")) {
-        return c.json({ errors: [{ message: "GraphQL API is disabled" }] }, 403);
-      }
-      if (error instanceof SyntaxError) {
-        return c.json({ errors: [{ message: "Invalid request body" }] }, 400);
-      }
-      console.error("[GraphQL] execution error:", error);
-      return c.json({ errors: [{ message: error.message || "GraphQL execution failed" }] }, 500);
-    }
-  });
   app.get("/api/auth/access", async (c) => {
     try {
       const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(
@@ -3710,7 +3884,13 @@ function createHonoApp(options) {
       return c.json({ error: error.message }, 500);
     }
   });
-  const usersCollection = registry.getCollection("users");
+  const usersCollection2 = typeof registry.hasCollection === "function" && registry.hasCollection("users") ? registry.getCollection("users") : (() => {
+    try {
+      return registry.getCollection("users");
+    } catch {
+      return chunkKC2GDBLS_cjs.usersCollection;
+    }
+  })();
   app.get("/api/users", async (c) => {
     try {
       const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(
@@ -3720,7 +3900,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "read",
         c.req.raw,
         ctxUser,
@@ -3765,19 +3945,6 @@ function createHonoApp(options) {
         user,
         tenantID
       );
-      const access = await checkCollectionAccess(
-        usersCollection,
-        "read",
-        c.req.raw,
-        ctxUser,
-        ctxTenantID,
-        void 0,
-        enablePublicAccess,
-        defaultCollectionAccess
-      );
-      if (!access.allowed) {
-        return c.json({ error: access.error }, access.status || 403);
-      }
       const id = c.req.param("id");
       const found = await sessionAuthAdapter.findUserById(id);
       if (!found) {
@@ -3797,7 +3964,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "create",
         c.req.raw,
         ctxUser,
@@ -3822,8 +3989,18 @@ function createHonoApp(options) {
         password: body.password,
         name: body.name,
         role: body.role || "customer",
+        avatar: body.avatar,
         tenantId: body.tenantId
       });
+      if (ctxUser) {
+        sessionAuthAdapter?.createAuditLog({
+          action: "user_create",
+          userId: ctxUser.id,
+          resource: "users",
+          resourceId: created.id,
+          success: true
+        });
+      }
       return c.json(
         { data: created, message: "User created successfully" },
         201
@@ -3841,7 +4018,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "update",
         c.req.raw,
         ctxUser,
@@ -3863,6 +4040,9 @@ function createHonoApp(options) {
       if (body.name !== void 0) updateData.name = body.name;
       if (body.email !== void 0) updateData.email = body.email;
       if (body.role !== void 0) updateData.role = body.role;
+      if (body.avatar !== void 0) {
+        updateData.avatar = typeof body.avatar === "object" && body.avatar !== null ? body.avatar.id || String(body.avatar) : body.avatar;
+      }
       if (body.tenantId !== void 0) updateData.tenantId = body.tenantId;
       if (body.emailVerified !== void 0)
         updateData.emailVerified = body.emailVerified;
@@ -3874,6 +4054,25 @@ function createHonoApp(options) {
       if (!updated) {
         return c.json({ error: "User update failed" }, 500);
       }
+      if (ctxUser) {
+        sessionAuthAdapter?.createAuditLog({
+          action: "user_update",
+          userId: ctxUser.id,
+          resource: "users",
+          resourceId: id,
+          success: true
+        });
+        if (body.role && existing.role !== body.role) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "role_change",
+            userId: ctxUser.id,
+            resource: "users",
+            resourceId: id,
+            success: true,
+            metadata: { oldRole: existing.role, newRole: body.role }
+          });
+        }
+      }
       return c.json({ data: updated, message: "User updated successfully" });
     } catch (error) {
       return c.json({ error: error.message }, 500);
@@ -3888,7 +4087,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "delete",
         c.req.raw,
         ctxUser,
@@ -3912,6 +4111,15 @@ function createHonoApp(options) {
       if (!deleted) {
         return c.json({ error: "User deletion failed" }, 500);
       }
+      if (ctxUser) {
+        sessionAuthAdapter?.createAuditLog({
+          action: "user_delete",
+          userId: ctxUser.id,
+          resource: "users",
+          resourceId: id,
+          success: true
+        });
+      }
       return c.json({ data: existing, message: "User deleted successfully" });
     } catch (error) {
       return c.json({ error: error.message }, 500);
@@ -3980,8 +4188,8 @@ function createHonoApp(options) {
     }
     if (!mediaService) {
       try {
-        const dialect = db instanceof chunk2KVHZE6O_cjs.DrizzleAdapter ? db.dialect : "sqlite";
-        const mediaDb = dialect === "postgres" && db instanceof chunk2KVHZE6O_cjs.DrizzleAdapter ? db.client : db;
+        const dialect = db instanceof chunkRFFSZSCL_cjs.DrizzleAdapter ? db.dialect : "sqlite";
+        const mediaDb = dialect === "postgres" && db instanceof chunkRFFSZSCL_cjs.DrizzleAdapter ? db.client : db;
         mediaService = await MediaService.init(mediaDb, { dialect });
       } catch (error) {
         console.error("[getMedia] Init error:", error);
@@ -4068,11 +4276,11 @@ function createHonoApp(options) {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
       if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
       const service = await getMedia();
-      const path2 = c.req.query("path");
-      if (!path2) {
+      const path3 = c.req.query("path");
+      if (!path3) {
         return c.json({ error: "Path is required" }, 400);
       }
-      await service.deleteFolder(path2);
+      await service.deleteFolder(path3);
       return c.json({ message: "Folder deleted" });
     } catch (error) {
       console.error("[Media] delete folder error:", error);
@@ -4225,6 +4433,119 @@ function createHonoApp(options) {
       return c.json({ error: error.message }, 500);
     }
   });
+  app.get("/api/plugins", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
+      const plugins = registry.getPlugins();
+      const storageRegistry = registry.storageProviders;
+      const pluginList = await Promise.all(
+        plugins.map(async (p) => {
+          let enabled = true;
+          const pluginName = p.name;
+          let states = {};
+          try {
+            const doc = await db.findOne({
+              collection: "_globals_plugin-settings",
+              where: {}
+            });
+            if (doc && doc.states) states = doc.states;
+          } catch {
+          }
+          if (states[pluginName] !== void 0) {
+            enabled = states[pluginName];
+          }
+          storageRegistry.setPluginEnabled(pluginName, enabled);
+          return {
+            id: pluginName,
+            name: pluginName,
+            version: p.version || "1.0.0",
+            description: p.description || "",
+            enabled,
+            status: enabled ? "active" : "disabled"
+          };
+        })
+      );
+      return c.json(pluginList);
+    } catch (error) {
+      console.error("[Plugins] list error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.put("/api/plugins/:name/toggle", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
+      const pluginName = c.req.param("name");
+      const storageRegistry = registry.storageProviders;
+      const currentEnabled = storageRegistry.isPluginEnabled(pluginName);
+      const newEnabled = !currentEnabled;
+      const affectedProviders = [];
+      if (!newEnabled) {
+        for (const p of storageRegistry.getAll()) {
+          if (p.pluginName === pluginName) {
+            affectedProviders.push(p.type);
+          }
+        }
+      }
+      const force = c.req.query("force") === "1";
+      if (!force && !newEnabled && affectedProviders.length > 0) {
+        let activeProvider = "local";
+        try {
+          const row = db?.prepare?.(`SELECT provider FROM "_globals_storage-settings" LIMIT 1`)?.get();
+          if (row?.provider) activeProvider = row.provider;
+        } catch {
+          try {
+            const result = await db?.findOne?.({
+              collection: "_globals_storage-settings",
+              where: {}
+            });
+            if (result?.provider) activeProvider = result.provider;
+          } catch {
+          }
+        }
+        if (affectedProviders.includes(activeProvider)) {
+          return c.json({
+            error: `Cannot disable "${pluginName}" \u2014 storage provider "${activeProvider}" is currently active. Switch to Local storage first.`,
+            requiresAction: true,
+            activeProvider
+          }, 409);
+        }
+      }
+      try {
+        let states = {};
+        let docId = "global";
+        const doc = await db.findOne({
+          collection: "_globals_plugin-settings",
+          where: {}
+        });
+        if (doc) {
+          states = doc.states || {};
+          docId = doc.id;
+        }
+        states[pluginName] = newEnabled;
+        if (doc) {
+          await db.update({
+            collection: "_globals_plugin-settings",
+            id: docId,
+            data: { states }
+          });
+        } else {
+          await db.create({
+            collection: "_globals_plugin-settings",
+            data: { states, id: "global" }
+          });
+        }
+      } catch (e) {
+        console.warn(`[Plugins] Could not persist state for "${pluginName}":`, e);
+      }
+      storageRegistry.setPluginEnabled(pluginName, newEnabled);
+      return c.json({ name: pluginName, enabled: newEnabled });
+    } catch (error) {
+      console.error("[Plugins] toggle error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
   app.get("/api/health", (c) => {
     return c.json({
       status: "ok",
@@ -4233,6 +4554,102 @@ function createHonoApp(options) {
       timestamp: (/* @__PURE__ */ new Date()).toISOString()
     });
   });
+  app.get("/api/kyro/schema", async (c) => {
+    const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+    if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
+    const extractFields = (fields) => fields.map((f) => {
+      const meta = {
+        name: f.name,
+        type: f.type,
+        label: f.label,
+        required: f.required ?? false,
+        unique: f.unique ?? false,
+        indexed: f.indexed ?? false,
+        defaultValue: f.defaultValue,
+        admin: f.admin ? { ...f.admin } : void 0
+      };
+      if (f.minLength !== void 0) meta.minLength = f.minLength;
+      if (f.maxLength !== void 0) meta.maxLength = f.maxLength;
+      if (f.pattern !== void 0) meta.pattern = f.pattern;
+      if (f.variant !== void 0) meta.variant = f.variant;
+      if (f.hasMany !== void 0) meta.hasMany = f.hasMany;
+      if (f.min !== void 0) meta.min = f.min;
+      if (f.max !== void 0) meta.max = f.max;
+      if (f.step !== void 0) meta.step = f.step;
+      if (f.integer !== void 0) meta.integer = f.integer;
+      if (f.options) meta.options = f.options;
+      if (f.relationTo) meta.relationTo = f.relationTo;
+      if (f.maxDepth !== void 0) meta.maxDepth = f.maxDepth;
+      if (f.minRows !== void 0) meta.minRows = f.minRows;
+      if (f.maxRows !== void 0) meta.maxRows = f.maxRows;
+      if (f.localized !== void 0) meta.localized = f.localized;
+      if (f.language) meta.language = f.language;
+      if (f.format) meta.format = f.format;
+      if (f.allowedTypes) meta.allowedTypes = f.allowedTypes;
+      if (f.maxSize) meta.maxSize = f.maxSize;
+      if (f.type === "group" || f.type === "row" || f.type === "collapsible" && f.fields) {
+        meta.fields = extractFields(f.fields);
+      }
+      if (f.type === "array" && f.fields) {
+        meta.fields = extractFields(f.fields);
+      }
+      if (f.type === "blocks" && f.blocks) {
+        meta.blocks = f.blocks.map((b) => ({
+          slug: b.slug,
+          label: b.label,
+          fields: extractFields(b.fields)
+        }));
+      }
+      if (f.type === "tabs" && f.tabs) {
+        meta.tabs = f.tabs.map((t) => ({
+          label: t.label,
+          name: t.name,
+          fields: extractFields(t.fields)
+        }));
+      }
+      return meta;
+    });
+    const data = { collections: {}, globals: {} };
+    for (const col of registry.getCollections()) {
+      const slug = col.slug;
+      try {
+        data.collections[slug] = {
+          slug,
+          label: col.label || slug,
+          fields: extractFields(col.fields),
+          jsonSchema: zodToJsonSchema.zodToJsonSchema(registry.getZodSchema(slug), { target: "openApi3" }),
+          createSchema: zodToJsonSchema.zodToJsonSchema(registry.getCreateZodSchema(slug), { target: "openApi3" }),
+          updateSchema: zodToJsonSchema.zodToJsonSchema(registry.getUpdateZodSchema(slug), { target: "openApi3" }),
+          procedures: {
+            find: { collection: slug, where: "Record<string,any>", sort: "string", limit: "number", page: "number", depth: "number", select: "string[]", draft: "boolean" },
+            findByID: { collection: slug, id: "string", depth: "number", select: "string[]", draft: "boolean" },
+            create: { collection: slug, data: "Record<string,any>", depth: "number", select: "string[]" },
+            update: { collection: slug, id: "string", data: "Record<string,any>", depth: "number", select: "string[]", baseUpdatedAt: "string" },
+            delete: { collection: slug, id: "string" },
+            count: { collection: slug, where: "Record<string,any>" }
+          }
+        };
+      } catch {
+      }
+    }
+    for (const global of registry.getGlobals()) {
+      const slug = global.slug;
+      try {
+        data.globals[slug] = {
+          slug,
+          label: global.label || slug,
+          fields: extractFields(global.fields),
+          jsonSchema: zodToJsonSchema.zodToJsonSchema(registry.getZodSchema(slug), { target: "openApi3" }),
+          procedures: {
+            get: {},
+            update: { data: "Record<string,any>" }
+          }
+        };
+      } catch {
+      }
+    }
+    return c.json(data);
+  });
   app.get("/api/collections", async (c) => {
     const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
     if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
@@ -4248,6 +4665,129 @@ function createHonoApp(options) {
     }));
     return c.json(collections2);
   });
+  function resolveDocField(fields, doc, fieldName) {
+    if (fieldName in doc) return doc[fieldName];
+    for (const field of fields) {
+      if (!field.name) continue;
+      if (field.type === "tabs" && field.tabs) {
+        const data = doc[field.name];
+        if (data && typeof data === "object" && fieldName in data) return data[fieldName];
+      }
+      if ((field.type === "group" || field.type === "collapsible") && field.fields) {
+        const data = doc[field.name];
+        if (data && typeof data === "object") {
+          if (fieldName in data) return data[fieldName];
+          const nested = resolveDocField(field.fields, data, fieldName);
+          if (nested !== void 0) return nested;
+        }
+      }
+    }
+    return void 0;
+  }
+  function flattenRelationshipFields(fields) {
+    const relFields = [];
+    for (const field of fields) {
+      if (field.type === "relationship") {
+        relFields.push(field);
+      } else if (field.type === "tabs" && field.tabs) {
+        for (const tab of field.tabs) {
+          relFields.push(...flattenRelationshipFields(tab.fields || []));
+        }
+      } else if ((field.type === "group" || field.type === "collapsible") && field.fields) {
+        relFields.push(...flattenRelationshipFields(field.fields || []));
+      }
+    }
+    return relFields;
+  }
+  function extractRelValue(value) {
+    if (!value) return [];
+    if (typeof value === "string") return [value];
+    if (Array.isArray(value)) return value.map((v) => typeof v === "object" ? v.value ?? v : v);
+    if (typeof value === "object") {
+      const v = value.value ?? value;
+      return typeof v === "string" ? [v] : Array.isArray(v) ? v : [];
+    }
+    return [];
+  }
+  async function populateRelationships(docs, collection, db2, registry2) {
+    if (docs.length === 0) return;
+    const relFields = flattenRelationshipFields(collection.fields);
+    if (relFields.length === 0) return;
+    for (const relField of relFields) {
+      const targetSlugs = Array.isArray(relField.relationTo) ? relField.relationTo : [relField.relationTo];
+      const idsBySlug = {};
+      for (const slug of targetSlugs) {
+        idsBySlug[slug] = /* @__PURE__ */ new Set();
+      }
+      for (const doc of docs) {
+        const raw = resolveDocField(collection.fields, doc, relField.name);
+        const ids = extractRelValue(raw);
+        for (const id of ids) {
+          if (!id) continue;
+          if (targetSlugs.length === 1) {
+            idsBySlug[targetSlugs[0]].add(id);
+          } else {
+            for (const slug of targetSlugs) {
+              idsBySlug[slug].add(id);
+            }
+          }
+        }
+      }
+      for (const [targetSlug, idSet] of Object.entries(idsBySlug)) {
+        if (idSet.size === 0) continue;
+        const targetCollection = registry2.getCollection(targetSlug);
+        if (!targetCollection) continue;
+        const titleField = targetCollection.admin?.useAsTitle || "title";
+        const idArr = Array.from(idSet);
+        const relatedDocs = [];
+        for (const id of idArr) {
+          try {
+            const relDoc = await db2.findByID({ collection: targetSlug, id, draft: true });
+            if (relDoc) {
+              const title = resolveDocField(targetCollection.fields, relDoc, titleField) ?? id;
+              relatedDocs.push({ id, title: String(title) });
+            }
+          } catch {
+            relatedDocs.push({ id, title: id });
+          }
+        }
+        const titleMap = new Map(relatedDocs.map((d) => [d.id, d.title]));
+        for (const doc of docs) {
+          const raw = resolveDocField(collection.fields, doc, relField.name);
+          if (!raw) continue;
+          const setValue = (val) => {
+            if (relField.name in doc) {
+              doc[relField.name] = val;
+            } else {
+              for (const f of collection.fields) {
+                if (f.type === "tabs" && f.tabs) {
+                  for (const tab of f.tabs) {
+                    if (tab.fields?.some((tf) => tf.name === relField.name)) {
+                      const tabData = doc[f.name];
+                      if (tabData && typeof tabData === "object") {
+                        tabData[relField.name] = val;
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          };
+          if (typeof raw === "string") {
+            setValue({ id: raw, title: titleMap.get(raw) || raw });
+          } else if (Array.isArray(raw)) {
+            setValue(raw.map((v) => {
+              const id = typeof v === "object" ? v.value ?? v.id : v;
+              return { id, title: titleMap.get(id) || id };
+            }));
+          } else if (typeof raw === "object") {
+            const id = raw.value ?? raw.id;
+            setValue({ id, title: titleMap.get(id) || id });
+          }
+        }
+      }
+    }
+  }
   app.get("/api/search", async (c) => {
     try {
       const query = c.req.query("q") || "";
@@ -4299,11 +4839,12 @@ function createHonoApp(options) {
             limit,
             tenantID: ctxTenantID
           });
+          await populateRelationships(searchResult.docs, collection, db, registry);
           for (const doc of searchResult.docs) {
             const titleField = collection.admin?.useAsTitle || searchableFields.find(
               (f) => f === "title" || f === "name" || f === "heading" || f === "slug"
             );
-            const title = titleField ? doc[titleField] : doc.id;
+            const title = titleField ? resolveDocField(collection.fields, doc, titleField) ?? doc.id : doc.id;
             results.push({
               collection: collection.slug,
               label: collection.label || collection.slug,
@@ -4324,15 +4865,13 @@ function createHonoApp(options) {
   });
   app.get("/api/keys", async (c) => {
     try {
-      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:read")) {
+      const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:read")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const page = parseInt(c.req.query("page") || "1");
       const limit = Math.min(parseInt(c.req.query("limit") || "50"), 100);
-      console.log("[ApiKeys] Querying", chunkIBG6V56E_cjs.API_KEY_COLLECTION, { page, limit });
-      const result = await db.find({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, where: {}, page, limit });
-      console.log("[ApiKeys] Result:", result);
+      const result = await db.find({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, where: {}, page, limit, tenantID: ctxTenantID });
       const docs = (result.docs || []).map((doc) => ({
         id: doc.id,
         name: doc.name,
@@ -4350,21 +4889,21 @@ function createHonoApp(options) {
   app.post("/api/keys", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const body = await c.req.json();
       if (!body.name || typeof body.name !== "string") {
         return c.json({ error: "name is required" }, 400);
       }
-      const rawKey = chunkIBG6V56E_cjs.generateApiKey();
+      const rawKey = chunk4M7X5HAB_cjs.generateApiKey();
       const doc = await db.create({
-        collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION,
+        collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION,
         data: {
           userId: ctxUser.id,
           name: body.name,
           key: rawKey,
-          keyPrefix: chunkIBG6V56E_cjs.generateApiKeyPrefix(rawKey),
+          keyPrefix: chunk4M7X5HAB_cjs.generateApiKeyPrefix(rawKey),
           permissions: Array.isArray(body.permissions) ? body.permissions : ["*"],
           expiresAt: body.expiresAt || null,
           createdAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -4391,13 +4930,13 @@ function createHonoApp(options) {
   app.delete("/api/keys/:id", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const id = c.req.param("id");
-      const existing = await db.findByID({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id });
+      const existing = await db.findByID({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id });
       if (!existing) return c.json({ error: "API key not found" }, 404);
-      await db.delete({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id });
+      await db.delete({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id });
       await sessionAuthAdapter?.createAuditLog({
         action: "api_key_delete",
         userId: ctxUser.id,
@@ -4415,19 +4954,19 @@ function createHonoApp(options) {
   app.patch("/api/keys/:id", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const id = c.req.param("id");
       const body = await c.req.json();
-      const existing = await db.findByID({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id });
+      const existing = await db.findByID({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id });
       if (!existing) return c.json({ error: "API key not found" }, 404);
       const updateData = {};
       if (typeof body.name === "string" && body.name.trim()) updateData.name = body.name.trim();
       if (Array.isArray(body.permissions)) updateData.permissions = body.permissions;
       if (body.expiresAt !== void 0) updateData.expiresAt = body.expiresAt || null;
       if (Object.keys(updateData).length === 0) return c.json({ error: "Nothing to update" }, 400);
-      const updated = await db.update({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id, data: updateData });
+      const updated = await db.update({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id, data: updateData });
       return c.json({ ...updated, keyPrefix: existing.keyPrefix });
     } catch (error) {
       console.error("[ApiKeys] PATCH error:", error);
@@ -4437,19 +4976,19 @@ function createHonoApp(options) {
   app.post("/api/keys/:id/rotate", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const id = c.req.param("id");
-      const existing = await db.findByID({ collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION, id });
+      const existing = await db.findByID({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id });
       if (!existing) return c.json({ error: "API key not found" }, 404);
-      const rawKey = chunkIBG6V56E_cjs.generateApiKey();
+      const rawKey = chunk4M7X5HAB_cjs.generateApiKey();
       const updated = await db.update({
-        collection: chunkIBG6V56E_cjs.API_KEY_COLLECTION,
+        collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION,
         id,
         data: {
           key: rawKey,
-          keyPrefix: chunkIBG6V56E_cjs.generateApiKeyPrefix(rawKey),
+          keyPrefix: chunk4M7X5HAB_cjs.generateApiKeyPrefix(rawKey),
           lastUsedAt: null
         }
       });
@@ -4475,7 +5014,7 @@ function createHonoApp(options) {
   app.get("/api/webhooks", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:read")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:read")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4489,7 +5028,7 @@ function createHonoApp(options) {
   app.post("/api/webhooks", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4512,7 +5051,7 @@ function createHonoApp(options) {
   app.get("/api/webhooks/:id", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:read")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:read")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4528,7 +5067,7 @@ function createHonoApp(options) {
   app.patch("/api/webhooks/:id", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4553,7 +5092,7 @@ function createHonoApp(options) {
   app.delete("/api/webhooks/:id", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4578,7 +5117,7 @@ function createHonoApp(options) {
   app.post("/api/webhooks/:id/test", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:admin")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:admin")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4594,7 +5133,7 @@ function createHonoApp(options) {
   app.get("/api/webhooks/:id/history", async (c) => {
     try {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-      if (!ctxUser || !chunkSA7NSSIQ_cjs.hasPermission(ctxUser, "users:read")) {
+      if (!ctxUser || !chunkNKPKR5BW_cjs.hasPermission(ctxUser, "users:read")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       if (!webhookService) return c.json({ error: "Webhook service not available" }, 503);
@@ -4643,37 +5182,31 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
-        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, basePath, "GET", c.req.raw);
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         const url = new URL(c.req.url);
         const page = parseInt(url.searchParams.get("page") || "1");
-        const limit = Math.min(
-          parseInt(url.searchParams.get("limit") || "10"),
-          100
-        );
+        const limit = Math.min(parseInt(url.searchParams.get("limit") || "10"), 100);
         const sort = url.searchParams.get("sort") || void 0;
         const depth = parseInt(url.searchParams.get("depth") || "0");
         const select = url.searchParams.get("select")?.split(",") || void 0;
-        let where = {};
-        const whereParam = url.searchParams.get("where");
-        if (whereParam) {
-          try {
-            where = JSON.parse(whereParam);
-          } catch {
-          }
-        }
+        const isDraftRequest = !!ctxUser;
         const result = await db.find({
           collection: slug,
-          where,
+          where: {},
           sort,
           limit,
           page,
           depth,
           tenantID: ctxTenantID,
-          select
+          select,
+          draft: isDraftRequest
         });
+        await populateRelationships(result.docs, collection, db, registry);
         return c.json(result);
       } catch (error) {
-        console.error(`[API] Error listing ${slug}:`, error);
+        console.error("[API] list error:", error);
         return c.json({ error: error.message }, 500);
       }
     });
@@ -4698,6 +5231,9 @@ function createHonoApp(options) {
           return c.json({ error: access.error }, access.status || 403);
         }
         const id = c.req.param("id");
+        if (!id) {
+          return c.json({ error: "Missing document ID" }, 400);
+        }
         const url = new URL(c.req.url);
         const compareA = url.searchParams.get("compareA");
         const compareB = url.searchParams.get("compareB");
@@ -4728,36 +5264,6 @@ function createHonoApp(options) {
         return c.json({ error: error.message }, 500);
       }
     });
-    app.get(`${basePath}/:id/draft`, async (c) => {
-      try {
-        const {
-          user: ctxUser,
-          tenantID: ctxTenantID,
-          apiKeyContext
-        } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
-          collection,
-          "read",
-          c.req.raw,
-          ctxUser,
-          ctxTenantID,
-          apiKeyContext,
-          enablePublicAccess,
-          defaultCollectionAccess
-        );
-        if (!access.allowed) {
-          return c.json({ error: access.error }, access.status || 403);
-        }
-        const draft = await db.findDraft({
-          collection: slug,
-          documentId: c.req.param("id"),
-          tenantID: ctxTenantID
-        });
-        return c.json({ data: draft });
-      } catch (error) {
-        return c.json({ error: error.message }, 500);
-      }
-    });
     app.put(`${basePath}/:id/draft`, async (c) => {
       try {
         const {
@@ -4781,24 +5287,39 @@ function createHonoApp(options) {
         const id = c.req.param("id");
         const body = await c.req.json();
         const baseUpdatedAt = readBaseUpdatedAt(body);
-        const data = body.data ?? omitRevisionFields(body);
         const originalDoc = await db.findByID({
           collection: slug,
           id,
-          tenantID: ctxTenantID
+          tenantID: ctxTenantID,
+          draft: true
         });
         if (!originalDoc) {
           return c.json({ error: "Document not found" }, 404);
         }
-        const draft = await db.upsertDraft({
+        let finalData;
+        if (body.delta) {
+          finalData = { ...originalDoc, ...body.delta };
+        } else {
+          finalData = body.data ?? omitRevisionFields(body);
+        }
+        const version = await db.updateLatestVersion({
           collection: slug,
           documentId: id,
-          tenantID: ctxTenantID,
-          data,
-          baseUpdatedAt,
-          draftUpdatedAt: body.draftUpdatedAt
+          data: finalData,
+          status: "draft",
+          tenantID: ctxTenantID
         });
-        return c.json({ data: draft, message: "Draft saved successfully" });
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_update",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: id,
+            success: true,
+            metadata: { type: "draft_save" }
+          });
+        }
+        return c.json({ data: version, message: "Draft saved successfully" });
       } catch (error) {
         return c.json({ error: error.message }, 500);
       }
@@ -4823,11 +5344,16 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
-        await db.deleteDraft({
-          collection: slug,
-          documentId: c.req.param("id"),
-          tenantID: ctxTenantID
-        });
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_update",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: c.req.param("id"),
+            success: true,
+            metadata: { type: "draft_discard" }
+          });
+        }
         return c.json({ message: "Draft discarded successfully" });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -4870,12 +5396,14 @@ function createHonoApp(options) {
           doc = await db.findOne({
             collection: slug,
             where: { slug: id },
-            tenantID: ctxTenantID
+            tenantID: ctxTenantID,
+            draft: isDraftRequest
           });
         }
         if (!doc) {
           return c.json({ error: "Document not found" }, 404);
         }
+        await populateRelationships([doc], collection, db, registry);
         return c.json({ data: doc });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -4901,23 +5429,81 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, basePath, "POST", c.req.raw);
         const body = await c.req.json();
+        let validated = body;
+        normalizeEmptyStrings(validated, collection.fields);
+        convertRichtextFields(collection.fields, validated);
+        const hookReq = c.req.raw;
+        if (collection.hooks?.beforeValidate) {
+          for (const hook of collection.hooks.beforeValidate) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "create"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
         const schema = registry.getCreateZodSchema(slug);
-        let validated;
         try {
-          validated = schema.parse(body);
+          validated = schema.parse(validated);
         } catch (zodErr) {
-          return c.json({ error: "Validation failed", details: zodErr.errors }, 400);
+          return c.json({ error: `Validation failed: ${formatZodErrors(zodErr.errors)}`, details: zodErr.errors }, 400);
         }
         if (collection.tenantScoped && ctxTenantID) {
           validated.tenantID = ctxTenantID;
         }
+        const isDraftEnabled = collection.versions?.drafts === true;
+        validated.status = isDraftEnabled ? "draft" : "published";
+        if (collection.hooks?.beforeChange) {
+          for (const hook of collection.hooks.beforeChange) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "create"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
         const doc = await db.create({
           collection: slug,
           data: validated,
           tenantID: ctxTenantID
         });
+        if (isDraftEnabled) {
+          await db.createVersion({
+            collection: slug,
+            documentId: doc.id,
+            data: validated,
+            status: "draft",
+            createdBy: ctxUser?.id,
+            changeDescription: "Created",
+            tenantID: ctxTenantID
+          });
+        }
+        if (collection.hooks?.afterChange) {
+          for (const hook of collection.hooks.afterChange) {
+            await hook({
+              collection: slug,
+              doc,
+              data: validated,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "create"
+            });
+          }
+        }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "create"), {
             collection: slug,
@@ -4927,11 +5513,20 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_create",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: doc.id,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: "Created successfully" }, 201);
       } catch (error) {
         if (error.name === "ZodError") {
           return c.json(
-            { error: "Validation failed", details: error.errors },
+            { error: `Validation failed: ${formatZodErrors(error.errors)}`, details: error.errors },
             400
           );
         }
@@ -4961,61 +5556,92 @@ function createHonoApp(options) {
         const id = c.req.param("id");
         const body = await c.req.json();
         const baseUpdatedAt = readBaseUpdatedAt(body);
-        console.log(`[PATCH] ${slug}/${id}`, {
-          baseUpdatedAt,
-          bodyKeys: Object.keys(body),
-          tenantID: ctxTenantID
-        });
-        const cleaned = Object.fromEntries(
-          Object.entries(omitRevisionFields(body)).filter(
-            ([_, v]) => v !== "null" && v !== void 0
-          )
-        );
-        const schema = registry.getUpdateZodSchema(slug);
-        const validated = schema.parse(cleaned);
-        console.log(`[PATCH] Validated data:`, Object.keys(validated));
         const originalDoc = await db.findByID({
           collection: slug,
           id,
           tenantID: ctxTenantID,
           draft: true
-          // Always fetch current doc regardless of status
         });
-        if (originalDoc) {
-          console.log(`[PATCH] Original doc updatedAt:`, originalDoc.updatedAt);
-        }
         if (!originalDoc) {
           return c.json({ error: "Document not found" }, 404);
         }
         if (baseUpdatedAt && originalDoc.updatedAt && baseUpdatedAt !== originalDoc.updatedAt) {
           return c.json(buildConflictResponse(baseUpdatedAt, originalDoc), 409);
         }
+        let validated = Object.fromEntries(
+          Object.entries(omitRevisionFields(body)).filter(
+            ([_, v]) => v !== "null" && v !== void 0
+          )
+        );
+        normalizeEmptyStrings(validated, collection.fields);
+        convertRichtextFields(collection.fields, validated);
+        const hookReq = c.req.raw;
+        if (collection.hooks?.beforeValidate) {
+          for (const hook of collection.hooks.beforeValidate) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "update"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
+        const schema = registry.getUpdateZodSchema(slug);
+        validated = schema.parse(validated);
+        if (collection.hooks?.beforeChange) {
+          for (const hook of collection.hooks.beforeChange) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "update"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
+        const isDraft = c.req.header("X-Draft") === "true";
         const isDraftEnabled = collection.versions?.drafts === true;
-        const isAlreadyPublished = originalDoc._status === "published";
+        const isAutosave = c.req.query("autosave") === "true";
         let doc;
-        if (isDraftEnabled && isAlreadyPublished) {
+        if (isDraftEnabled && isDraft) {
           await db.createVersion({
             collection: slug,
             documentId: id,
             data: validated,
             status: "draft",
+            autosave: isAutosave,
             createdBy: ctxUser?.id,
-            changeDescription: "Manual save (Draft)",
+            changeDescription: isAutosave ? "Autosave" : "Draft saved",
             tenantID: ctxTenantID
           });
+        } else if (isDraftEnabled) {
           await db.update({
             collection: slug,
             id,
-            data: { _has_draft: true },
-            // Keep old data, just set flag
+            data: { ...validated, status: "published" },
+            tenantID: ctxTenantID
+          });
+          await db.createVersion({
+            collection: slug,
+            documentId: id,
+            data: validated,
+            status: "published",
+            createdBy: ctxUser?.id,
+            changeDescription: "Published",
             tenantID: ctxTenantID
           });
         } else {
-          const saveData = isDraftEnabled ? { ...validated, _status: "draft", _has_draft: false } : validated;
           await db.update({
             collection: slug,
             id,
-            data: saveData,
+            data: validated,
             tenantID: ctxTenantID
           });
         }
@@ -5025,24 +5651,19 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           draft: true
         });
-        if (isDraftEnabled) {
-          if (!isAlreadyPublished) {
-            await db.createVersion({
+        if (collection.hooks?.afterChange) {
+          for (const hook of collection.hooks.afterChange) {
+            await hook({
               collection: slug,
-              documentId: id,
+              doc,
               data: validated,
-              status: "draft",
-              createdBy: ctxUser?.id,
-              changeDescription: "Manual save",
-              tenantID: ctxTenantID
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "update"
             });
           }
-        } else {
-          await db.deleteDraft({
-            collection: slug,
-            documentId: id,
-            tenantID: ctxTenantID
-          });
         }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "update"), {
@@ -5054,16 +5675,26 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
-        console.log(`[PATCH] Result doc updatedAt:`, doc?.updatedAt);
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, `${basePath}/${id}`, "PATCH", c.req.raw);
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_update",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: id,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: isDraftEnabled ? "Draft saved" : "Updated successfully" });
       } catch (error) {
         if (error.name === "ZodError") {
           console.error(`[PATCH ${basePath}/:id] Validation failed:`, error.errors);
           return c.json(
-            { error: "Validation failed", details: error.errors },
+            { error: `Validation failed: ${formatZodErrors(error.errors)}`, details: error.errors },
             400
           );
         }
+        console.error(`[PATCH ${basePath}/:id] ERROR:`, error.message, `CAUSE:`, error.cause?.message || error.cause, `QUERY:`, error.query);
         return c.json({ error: error.message }, 500);
       }
     });
@@ -5087,23 +5718,50 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         const id = c.req.param("id");
-        console.log(`[DELETE] Deleting ${slug}/${id}`);
+        const hookReq = c.req.raw;
         const originalDoc = await db.findByID({
           collection: slug,
           id,
-          tenantID: ctxTenantID
+          tenantID: ctxTenantID,
+          draft: true
         });
+        if (!originalDoc) {
+          return c.json({ error: "Document not found" }, 404);
+        }
+        if (collection.hooks?.beforeDelete) {
+          for (const hook of collection.hooks.beforeDelete) {
+            await hook({
+              collection: slug,
+              doc: originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "delete"
+            });
+          }
+        }
         const doc = await db.delete({
           collection: slug,
           id,
           tenantID: ctxTenantID
         });
-        await db.deleteDraft({
-          collection: slug,
-          documentId: id,
-          tenantID: ctxTenantID
-        });
+        if (collection.hooks?.afterDelete) {
+          for (const hook of collection.hooks.afterDelete) {
+            await hook({
+              collection: slug,
+              doc,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "delete"
+            });
+          }
+        }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "delete"), {
             collection: slug,
@@ -5114,6 +5772,16 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, `${basePath}/${id}`, "DELETE", c.req.raw);
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_delete",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: id,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: "Deleted successfully" });
       } catch (error) {
         console.error(`[DELETE] Error deleting ${slug}:`, error);
@@ -5122,7 +5790,6 @@ function createHonoApp(options) {
     });
     app.post(`${basePath}/:id/duplicate`, async (c) => {
       try {
-        console.log(`[Duplicate] Request for ${slug}`);
         const {
           user: ctxUser,
           tenantID: ctxTenantID,
@@ -5139,25 +5806,21 @@ function createHonoApp(options) {
           defaultCollectionAccess
         );
         if (!access.allowed) {
-          console.log("[Duplicate] Access denied:", access.error);
           return c.json({ error: access.error }, access.status || 403);
         }
         const id = c.req.param("id");
-        console.log(`[Duplicate] ID: ${id}`);
         const originalDoc = await db.findByID({
           collection: slug,
           id,
-          tenantID: ctxTenantID
+          tenantID: ctxTenantID,
+          draft: true
         });
         if (!originalDoc) {
-          console.log("[Duplicate] Document not found");
           return c.json({ error: "Document not found" }, 404);
         }
-        console.log(`[Duplicate] Original doc:`, originalDoc);
         const { id: _oldId, createdAt: _oldCreated, updatedAt: _oldUpdated, ...docData } = originalDoc;
         const timestamp = Date.now().toString(36);
         const newSlug = `${originalDoc.slug || "document"}-copy-${timestamp}`;
-        console.log(`[Duplicate] New slug: ${newSlug}`);
         const newDoc = await db.create({
           collection: slug,
           data: {
@@ -5167,7 +5830,6 @@ function createHonoApp(options) {
           },
           tenantID: ctxTenantID
         });
-        console.log(`[Duplicate] Created successfully:`, newDoc.id);
         return c.json({ data: newDoc, message: "Document duplicated successfully" });
       } catch (error) {
         console.error("[Duplicate] Error:", error);
@@ -5207,7 +5869,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: slug,
           id,
-          data: { ...version.data, _status: "draft", _has_draft: false },
+          data: { ...version.data, status: "draft" },
           tenantID: ctxTenantID
         });
         return c.json({
@@ -5252,7 +5914,7 @@ function createHonoApp(options) {
           const doc = await db.update({
             collection: slug,
             id: c.req.param("id"),
-            data: { ...version.data, _status: "draft", _has_draft: false },
+            data: { ...version.data, status: "draft" },
             tenantID: ctxTenantID
           });
           return c.json({
@@ -5285,6 +5947,9 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         const id = c.req.param("id");
         const body = await c.req.json().catch(() => ({}));
         const baseUpdatedAt = readBaseUpdatedAt(body);
@@ -5300,9 +5965,9 @@ function createHonoApp(options) {
         if (baseUpdatedAt && originalDoc.updatedAt && baseUpdatedAt !== originalDoc.updatedAt) {
           return c.json(buildConflictResponse(baseUpdatedAt, originalDoc), 409);
         }
-        let publishData = { _status: "published", _has_draft: false };
+        let publishData = { status: "published" };
         let finalContent = originalDoc;
-        if (originalDoc._has_draft) {
+        if (collection.versions?.drafts) {
           const versions = await db.findVersions({
             collection: slug,
             documentId: id,
@@ -5310,9 +5975,10 @@ function createHonoApp(options) {
             sort: "-createdAt",
             tenantID: ctxTenantID
           });
-          if (versions.docs.length > 0 && versions.docs[0].status === "draft") {
-            finalContent = { ...originalDoc, ...versions.docs[0].data };
-            publishData = { ...versions.docs[0].data, ...publishData };
+          if (versions.docs.length > 0) {
+            const latestVersion = versions.docs[0];
+            finalContent = { ...originalDoc, ...latestVersion.data };
+            publishData = { ...latestVersion.data, ...publishData };
           }
         }
         const doc = await db.update({
@@ -5325,18 +5991,13 @@ function createHonoApp(options) {
           await db.createVersion({
             collection: slug,
             documentId: id,
-            data: { ...finalContent, _status: "published" },
+            data: { ...finalContent, status: "published" },
             status: "published",
             createdBy: ctxUser?.id,
             changeDescription: "Published",
             tenantID: ctxTenantID
           });
         }
-        await db.deleteDraft({
-          collection: slug,
-          documentId: id,
-          tenantID: ctxTenantID
-        });
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "update"), {
             collection: slug,
@@ -5384,7 +6045,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: slug,
           id,
-          data: { _status: "draft" },
+          data: { status: "draft" },
           tenantID: ctxTenantID
         });
         if (webhookService) {
@@ -5419,13 +6080,31 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
-        const isDraftRequest = c.req.query("draft") === "true" && !!ctxUser;
-        const doc = await db.findOne({
+        const isDraftRequest = !!ctxUser;
+        let doc = await db.findOne({
           collection: `_globals_${slug}`,
           where: {},
           tenantID: ctxTenantID,
           draft: isDraftRequest
         });
+        if (slug === "system") {
+          const newSecret = crypto__default.default.randomBytes(32).toString("hex");
+          if (!doc) {
+            doc = await db.create({
+              collection: `_globals_${slug}`,
+              data: { id: slug, appSecret: newSecret },
+              tenantID: ctxTenantID
+            });
+          } else if (!doc.appSecret) {
+            await db.update({
+              collection: `_globals_${slug}`,
+              id: slug,
+              data: { appSecret: newSecret },
+              tenantID: ctxTenantID
+            });
+            doc.appSecret = newSecret;
+          }
+        }
         return c.json({ data: doc || {} });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -5445,18 +6124,20 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
-        const body = await c.req.json();
+        const body = omitRevisionFields(await c.req.json());
         const cleaned = Object.fromEntries(
           Object.entries(body).filter(([_, v]) => v !== null && v !== "null" && v !== void 0)
         );
-        const schema = registry.getZodSchema(slug);
+        normalizeEmptyStrings(cleaned, globalConfig.fields);
+        convertRichtextFields(globalConfig.fields, cleaned);
+        const schema = registry.getUpdateZodSchema(slug);
         let validated;
         try {
           validated = schema.parse(cleaned);
         } catch (zodErr) {
-          return c.json({ error: "Validation failed", details: zodErr.errors }, 400);
+          return c.json({ error: `Validation failed: ${formatZodErrors(zodErr.errors)}`, details: zodErr.errors }, 400);
         }
-        const SYSTEM_FIELDS = /* @__PURE__ */ new Set(["id", "createdAt", "updatedAt", "_status", "_has_draft"]);
+        const SYSTEM_FIELDS = /* @__PURE__ */ new Set(["id", "createdAt", "updatedAt", "status", "baseUpdatedAt", "_baseUpdatedAt"]);
         const userData = Object.fromEntries(
           Object.entries(validated).filter(([k]) => !SYSTEM_FIELDS.has(k))
         );
@@ -5467,49 +6148,68 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           draft: true
         });
+        const isDraft = c.req.header("X-Draft") === "true";
         const isDraftEnabled = globalConfig.versions?.drafts === true;
-        const isAlreadyPublished = originalDoc?._status === "published";
+        const isAutosave = c.req.query("autosave") === "true";
         let doc;
-        if (isDraftEnabled && isAlreadyPublished) {
+        if (isDraftEnabled && isDraft) {
           await db.createVersion({
             collection: collectionSlug,
             documentId: slug,
             data: userData,
             status: "draft",
+            autosave: isAutosave,
             createdBy: ctxUser?.id,
-            changeDescription: "Manual save (Draft)",
-            tenantID: ctxTenantID
-          });
-          doc = await db.update({
-            collection: collectionSlug,
-            id: slug,
-            data: { _has_draft: true },
+            changeDescription: isAutosave ? "Autosave" : "Manual save",
             tenantID: ctxTenantID
           });
-        } else {
-          const saveData = isDraftEnabled ? { ...userData, _status: "draft", _has_draft: false } : { ...userData, _status: "published", _has_draft: false };
+          if (!originalDoc) {
+            doc = await db.create({
+              collection: collectionSlug,
+              data: { ...userData, id: slug, status: "draft" },
+              tenantID: ctxTenantID
+            });
+          } else {
+            doc = originalDoc;
+          }
+        } else if (isDraftEnabled && !isDraft) {
+          const publishStatus = "published";
           if (originalDoc) {
             doc = await db.update({
               collection: collectionSlug,
               id: slug,
-              data: saveData,
+              data: { ...userData, status: publishStatus },
               tenantID: ctxTenantID
             });
           } else {
             doc = await db.create({
               collection: collectionSlug,
-              data: { ...saveData, id: slug },
+              data: { ...userData, id: slug, status: publishStatus },
               tenantID: ctxTenantID
             });
           }
-          if (isDraftEnabled) {
-            await db.createVersion({
+          await db.createVersion({
+            collection: collectionSlug,
+            documentId: slug,
+            data: userData,
+            status: publishStatus,
+            autosave: false,
+            createdBy: ctxUser?.id,
+            changeDescription: "Published",
+            tenantID: ctxTenantID
+          });
+        } else {
+          if (originalDoc) {
+            doc = await db.update({
               collection: collectionSlug,
-              documentId: slug,
+              id: slug,
               data: userData,
-              status: "draft",
-              createdBy: ctxUser?.id,
-              changeDescription: "Manual save",
+              tenantID: ctxTenantID
+            });
+          } else {
+            doc = await db.create({
+              collection: collectionSlug,
+              data: { ...userData, id: slug },
               tenantID: ctxTenantID
             });
           }
@@ -5518,6 +6218,22 @@ function createHonoApp(options) {
           mediaService = null;
           mediaServiceInitError = null;
         }
+        if (slug === "email-settings") {
+          const newEmailTransport = await chunkY7AQK4R4_cjs.EmailTransport.fromConfig(db);
+          authRoutes.email = newEmailTransport || void 0;
+        }
+        if (slug === "system") {
+          await loadSecrets();
+        }
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "settings_change",
+            userId: ctxUser.id,
+            resource: `global:${slug}`,
+            resourceId: slug,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: "Updated successfully" });
       } catch (error) {
         console.error(`[API] Save global "${slug}" failed:`, error);
@@ -5542,9 +6258,9 @@ function createHonoApp(options) {
           draft: true
         });
         if (!originalDoc) return c.json({ error: "Global not found" }, 404);
-        let publishData = { _status: "published", _has_draft: false };
+        let publishData = { status: "published" };
         let finalContent = originalDoc;
-        if (originalDoc._has_draft) {
+        if (globalConfig.versions?.drafts) {
           const versions = await db.findVersions({
             collection: collectionSlug,
             documentId: slug,
@@ -5552,7 +6268,7 @@ function createHonoApp(options) {
             sort: "-createdAt",
             tenantID: ctxTenantID
           });
-          if (versions.docs.length > 0 && versions.docs[0].status === "draft") {
+          if (versions.docs.length > 0) {
             finalContent = { ...originalDoc, ...versions.docs[0].data };
             publishData = { ...versions.docs[0].data, ...publishData };
           }
@@ -5567,7 +6283,7 @@ function createHonoApp(options) {
           await db.createVersion({
             collection: collectionSlug,
             documentId: slug,
-            data: { ...finalContent, _status: "published" },
+            data: { ...finalContent, status: "published" },
             status: "published",
             createdBy: ctxUser?.id,
             changeDescription: "Published",
@@ -5587,7 +6303,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: `_globals_${slug}`,
           id: slug,
-          data: { _status: "draft", _has_draft: false },
+          data: { status: "draft" },
           tenantID: ctxTenantID
         });
         return c.json({ data: doc, message: "Unpublished successfully" });
@@ -5647,9 +6363,13 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: collectionSlug,
           id: slug,
-          data: { ...version.data, _status: "draft", _has_draft: false },
+          data: { ...version.data, status: "draft" },
           tenantID: ctxTenantID
         });
+        return c.json({
+          data: doc,
+          message: "Version restored successfully"
+        });
         return c.json({ data: doc, message: "Restored successfully" });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -5693,7 +6413,7 @@ function createHonoApp(options) {
             mailgun: body.mailgun,
             ses: body.ses
           };
-          const transport = new chunkIA6AU5PI_cjs.EmailTransport(transportConfig);
+          const transport = new chunkY7AQK4R4_cjs.EmailTransport(transportConfig);
           const recipient = body.testEmail || body.testEmailSection && body.testEmailSection.testEmail;
           if (!recipient) {
             return c.json({ error: "No test recipient email provided" }, 400);
@@ -5757,15 +6477,19 @@ exports.InMemoryAuditLogger = InMemoryAuditLogger;
 exports.InMemoryRateLimiter = InMemoryRateLimiter;
 exports.MediaService = MediaService;
 exports.createAuditContext = createAuditContext2;
+exports.createCloudinaryStorage = createCloudinaryStorage;
+exports.createFtpStorage = createFtpStorage;
 exports.createHonoApp = createHonoApp;
 exports.createLocalStorage = createLocalStorage;
 exports.createRESTAPI = createRESTAPI;
+exports.createS3Storage = createS3Storage;
 exports.getAppSecret = getAppSecret;
+exports.getDefaultRegistry = getDefaultRegistry;
 exports.getEncryptionKey = getEncryptionKey;
 exports.getSessionConfig = getSessionConfig;
 exports.init_secret = init_secret;
 exports.loadSecrets = loadSecrets;
 exports.resolveProvider = resolveProvider;
 exports.setDbAdapter = setDbAdapter;
-//# sourceMappingURL=chunk-5KVM3WEY.cjs.map
-//# sourceMappingURL=chunk-5KVM3WEY.cjs.map
+//# sourceMappingURL=chunk-CNKT4PME.cjs.map
+//# sourceMappingURL=chunk-CNKT4PME.cjs.map