npm - @kyro-cms/core - Versions diffs - 0.9.0 → 0.9.2 - Mend

@kyro-cms/core 0.9.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (265) hide show

package/README.md +55 -593
package/dist/{WebhookService-AefJfqX0.d.cts → WebhookService-BKszZlG0.d.cts} +1 -1
package/dist/{WebhookService-118ZTFis.d.ts → WebhookService-Ccf1j-IN.d.ts} +1 -1
package/dist/api-handler-graphql.cjs +44 -0
package/dist/api-handler-graphql.cjs.map +1 -0
package/dist/api-handler-graphql.d.cts +6 -0
package/dist/api-handler-graphql.d.ts +6 -0
package/dist/api-handler-graphql.js +41 -0
package/dist/api-handler-graphql.js.map +1 -0
package/dist/api-handler-trpc.cjs +38 -0
package/dist/api-handler-trpc.cjs.map +1 -0
package/dist/api-handler-trpc.d.cts +5 -0
package/dist/api-handler-trpc.d.ts +5 -0
package/dist/api-handler-trpc.js +36 -0
package/dist/api-handler-trpc.js.map +1 -0
package/dist/api-handler.cjs +33 -99
package/dist/api-handler.cjs.map +1 -1
package/dist/api-handler.d.cts +2 -1
package/dist/api-handler.d.ts +2 -1
package/dist/api-handler.js +21 -97
package/dist/api-handler.js.map +1 -1
package/dist/{tenant-B1YB0Jy8.d.ts → base-CIuXkrH4.d.cts} +7 -15
package/dist/{tenant-Cpeveji6.d.cts → base-fFo4lqER.d.ts} +7 -15
package/dist/bootstrap-3PV3GJ3S.js +7 -0
package/dist/{bootstrap-JCML6NFO.js.map → bootstrap-3PV3GJ3S.js.map} +1 -1
package/dist/bootstrap-4CELFLJO.cjs +32 -0
package/dist/{bootstrap-AKAUP6F6.cjs.map → bootstrap-4CELFLJO.cjs.map} +1 -1
package/dist/{chunk-VJT6P4N6.cjs → chunk-3HR772HI.cjs} +199 -32
package/dist/chunk-3HR772HI.cjs.map +1 -0
package/dist/chunk-3KTWGODI.cjs +178 -0
package/dist/chunk-3KTWGODI.cjs.map +1 -0
package/dist/{chunk-QXIQWPAP.js → chunk-3UK5XBVJ.js} +4 -134
package/dist/chunk-3UK5XBVJ.js.map +1 -0
package/dist/{chunk-FXYP2HA6.js → chunk-4AO3A3JM.js} +48 -4
package/dist/chunk-4AO3A3JM.js.map +1 -0
package/dist/{chunk-Z6ZWNWWR.js → chunk-4CV4JOE5.js} +3 -9
package/dist/{chunk-Z6ZWNWWR.js.map → chunk-4CV4JOE5.js.map} +1 -1
package/dist/chunk-4M7X5HAB.cjs +173 -0
package/dist/chunk-4M7X5HAB.cjs.map +1 -0
package/dist/chunk-53NYVYVX.js +3243 -0
package/dist/chunk-53NYVYVX.js.map +1 -0
package/dist/{chunk-35U3FROB.js → chunk-5H3MWQJS.js} +714 -184
package/dist/chunk-5H3MWQJS.js.map +1 -0
package/dist/{chunk-YVUJBEXE.cjs → chunk-5PMQQFRE.cjs} +16 -7
package/dist/chunk-5PMQQFRE.cjs.map +1 -0
package/dist/{chunk-57P6MJKC.js → chunk-6UNONDW7.js} +94 -10
package/dist/chunk-6UNONDW7.js.map +1 -0
package/dist/{chunk-Y3N7UUDO.js → chunk-7OGPN7MP.js} +5 -2
package/dist/chunk-7OGPN7MP.js.map +1 -0
package/dist/{chunk-2OL4O2TH.cjs → chunk-7OS7TX2Q.cjs} +68 -62
package/dist/chunk-7OS7TX2Q.cjs.map +1 -0
package/dist/{chunk-3TPQ2BU6.js → chunk-BYBMTIMT.js} +2 -6
package/dist/chunk-BYBMTIMT.js.map +1 -0
package/dist/{chunk-ES5HNFFT.js → chunk-CF7OL6HR.js} +4 -2
package/dist/chunk-CF7OL6HR.js.map +1 -0
package/dist/chunk-CJONKRHJ.js +162 -0
package/dist/chunk-CJONKRHJ.js.map +1 -0
package/dist/{chunk-OHVB4AJ7.js → chunk-CJX74IYK.js} +24 -18
package/dist/chunk-CJX74IYK.js.map +1 -0
package/dist/{chunk-5KVM3WEY.cjs → chunk-CNKT4PME.cjs} +1592 -868
package/dist/chunk-CNKT4PME.cjs.map +1 -0
package/dist/{chunk-G7VZBCD6.cjs → chunk-CZLDE2OZ.cjs} +2 -9
package/dist/{chunk-G7VZBCD6.cjs.map → chunk-CZLDE2OZ.cjs.map} +1 -1
package/dist/{chunk-WQBRWOQT.cjs → chunk-DPA3KWPY.cjs} +4 -3
package/dist/chunk-DPA3KWPY.cjs.map +1 -0
package/dist/{chunk-LINKCEG4.cjs → chunk-E2763JUP.cjs} +726 -196
package/dist/chunk-E2763JUP.cjs.map +1 -0
package/dist/chunk-E5UJBLQ7.js +220 -0
package/dist/chunk-E5UJBLQ7.js.map +1 -0
package/dist/{chunk-DVD5P72E.cjs → chunk-EEJUFDMF.cjs} +2 -6
package/dist/chunk-EEJUFDMF.cjs.map +1 -0
package/dist/chunk-FSKONGCX.cjs +253 -0
package/dist/chunk-FSKONGCX.cjs.map +1 -0
package/dist/{chunk-Y3QQN7PN.js → chunk-GAAHG2Z4.js} +13 -4
package/dist/chunk-GAAHG2Z4.js.map +1 -0
package/dist/chunk-GAOXD3XT.js +175 -0
package/dist/chunk-GAOXD3XT.js.map +1 -0
package/dist/{chunk-SA7NSSIQ.cjs → chunk-GUUB5EAG.cjs} +13 -187
package/dist/chunk-GUUB5EAG.cjs.map +1 -0
package/dist/{chunk-4DA7QPLA.cjs → chunk-GXFOGU7N.cjs} +5 -2
package/dist/chunk-GXFOGU7N.cjs.map +1 -0
package/dist/{chunk-I7HHI6QV.cjs → chunk-IDVRRRAK.cjs} +17 -9
package/dist/chunk-IDVRRRAK.cjs.map +1 -0
package/dist/{chunk-HXRD4B37.js → chunk-IPTZM3VE.js} +1423 -704
package/dist/chunk-IPTZM3VE.js.map +1 -0
package/dist/chunk-KC2GDBLS.cjs +84 -0
package/dist/chunk-KC2GDBLS.cjs.map +1 -0
package/dist/{chunk-QUW2RZTM.cjs → chunk-L46ROHUS.cjs} +51 -7
package/dist/chunk-L46ROHUS.cjs.map +1 -0
package/dist/chunk-L4EZKIEX.js +185 -0
package/dist/chunk-L4EZKIEX.js.map +1 -0
package/dist/{chunk-REK7AYOC.js → chunk-L5UKKZQN.js} +199 -32
package/dist/chunk-L5UKKZQN.js.map +1 -0
package/dist/chunk-NKPKR5BW.cjs +188 -0
package/dist/chunk-NKPKR5BW.cjs.map +1 -0
package/dist/chunk-NWUEVLQT.cjs +99 -0
package/dist/chunk-NWUEVLQT.cjs.map +1 -0
package/dist/{chunk-3AJE4SEG.js → chunk-OHC6UHFY.js} +208 -76
package/dist/chunk-OHC6UHFY.js.map +1 -0
package/dist/chunk-PHJRNPHY.cjs +3291 -0
package/dist/chunk-PHJRNPHY.cjs.map +1 -0
package/dist/{chunk-DXHRBMGB.js → chunk-PQ72Z6WC.js} +67 -112
package/dist/chunk-PQ72Z6WC.js.map +1 -0
package/dist/{chunk-K7JPTH3G.cjs → chunk-PV2I2KMI.cjs} +214 -82
package/dist/chunk-PV2I2KMI.cjs.map +1 -0
package/dist/{chunk-PDYFVNUX.cjs → chunk-Q23GAMLE.cjs} +71 -116
package/dist/chunk-Q23GAMLE.cjs.map +1 -0
package/dist/{chunk-H727JIG7.js → chunk-Q72BOAPK.js} +16 -8
package/dist/chunk-Q72BOAPK.js.map +1 -0
package/dist/{chunk-IBG6V56E.cjs → chunk-QFLB4EIJ.cjs} +2 -139
package/dist/chunk-QFLB4EIJ.cjs.map +1 -0
package/dist/{chunk-2KVHZE6O.cjs → chunk-RFFSZSCL.cjs} +282 -190
package/dist/chunk-RFFSZSCL.cjs.map +1 -0
package/dist/{chunk-V3LKPM3O.cjs → chunk-SHTTJMLT.cjs} +4 -2
package/dist/chunk-SHTTJMLT.cjs.map +1 -0
package/dist/{chunk-WOWUL7ZY.js → chunk-UUDTPZX6.js} +5 -4
package/dist/chunk-UUDTPZX6.js.map +1 -0
package/dist/{chunk-QPPDLRNR.js → chunk-V7KZQIZ6.js} +277 -185
package/dist/chunk-V7KZQIZ6.js.map +1 -0
package/dist/{chunk-3ZFYL34R.js → chunk-WXVB364T.js} +12 -185
package/dist/chunk-WXVB364T.js.map +1 -0
package/dist/chunk-XEB7PH2E.js +81 -0
package/dist/chunk-XEB7PH2E.js.map +1 -0
package/dist/{chunk-IA6AU5PI.cjs → chunk-Y7AQK4R4.cjs} +94 -10
package/dist/chunk-Y7AQK4R4.cjs.map +1 -0
package/dist/chunk-YFAVQQTU.js +92 -0
package/dist/chunk-YFAVQQTU.js.map +1 -0
package/dist/cli/index.cjs +6 -6
package/dist/cli/index.cjs.map +1 -1
package/dist/cli/index.js +6 -6
package/dist/cli/index.js.map +1 -1
package/dist/client.cjs +4 -4
package/dist/client.d.cts +3 -3
package/dist/client.d.ts +3 -3
package/dist/client.js +2 -2
package/dist/drizzle/index.cjs +15 -14
package/dist/drizzle/index.d.cts +10 -14
package/dist/drizzle/index.d.ts +10 -14
package/dist/drizzle/index.js +6 -5
package/dist/fields/index.cjs +22 -38
package/dist/fields/index.d.cts +2 -22
package/dist/fields/index.d.ts +2 -22
package/dist/fields/index.js +2 -2
package/dist/graphql/index.cjs +6 -5
package/dist/graphql/index.d.cts +5 -3
package/dist/graphql/index.d.ts +5 -3
package/dist/graphql/index.js +4 -3
package/dist/index-BKta3cBH.d.cts +277 -0
package/dist/index-ClOqnkTO.d.ts +277 -0
package/dist/index.cjs +310 -168
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +130 -211
package/dist/index.d.ts +130 -211
package/dist/index.js +174 -35
package/dist/index.js.map +1 -1
package/dist/integration.cjs +3 -3
package/dist/integration.js +2 -2
package/dist/media-7WDX4BDJ.js +4 -0
package/dist/{media-GPPTZ43E.js.map → media-7WDX4BDJ.js.map} +1 -1
package/dist/{media-XNTUFJZR.cjs → media-TUSLVRQ6.cjs} +3 -3
package/dist/{media-XNTUFJZR.cjs.map → media-TUSLVRQ6.cjs.map} +1 -1
package/dist/mongo-auth-adapter-GT4S7SCU.cjs +17 -0
package/dist/{mongo-auth-adapter-NHHUJHVH.cjs.map → mongo-auth-adapter-GT4S7SCU.cjs.map} +1 -1
package/dist/mongo-auth-adapter-M7VV4LNB.js +4 -0
package/dist/{mongo-auth-adapter-NJQUUCTP.js.map → mongo-auth-adapter-M7VV4LNB.js.map} +1 -1
package/dist/mongodb/index.cjs +9 -8
package/dist/mongodb/index.d.cts +6 -13
package/dist/mongodb/index.d.ts +6 -13
package/dist/mongodb/index.js +5 -4
package/dist/postgres-auth-adapter-AFAPISH7.js +5 -0
package/dist/{postgres-auth-adapter-3T2NKTSE.js.map → postgres-auth-adapter-AFAPISH7.js.map} +1 -1
package/dist/postgres-auth-adapter-SFDTLONT.cjs +14 -0
package/dist/{postgres-auth-adapter-7IEENCKQ.cjs.map → postgres-auth-adapter-SFDTLONT.cjs.map} +1 -1
package/dist/redis-adapter-UQX4EE3B.cjs +13 -0
package/dist/{redis-adapter-D2E2S3GB.cjs.map → redis-adapter-UQX4EE3B.cjs.map} +1 -1
package/dist/redis-adapter-XALOGWY3.js +4 -0
package/dist/{redis-adapter-VQXD7ESY.js.map → redis-adapter-XALOGWY3.js.map} +1 -1
package/dist/rest/index.cjs +16 -15
package/dist/rest/index.d.cts +4 -4
package/dist/rest/index.d.ts +4 -4
package/dist/rest/index.js +14 -13
package/dist/{schema-37SE2F4B.cjs → schema-6QL3USNB.cjs} +15 -15
package/dist/{schema-37SE2F4B.cjs.map → schema-6QL3USNB.cjs.map} +1 -1
package/dist/{schema-5PHL5IVB.js → schema-FNNWEAAW.js} +4 -4
package/dist/{schema-5PHL5IVB.js.map → schema-FNNWEAAW.js.map} +1 -1
package/dist/sqlite-adapter-AQB5TCGV.cjs +13 -0
package/dist/{sqlite-adapter-LVK5PS4T.cjs.map → sqlite-adapter-AQB5TCGV.cjs.map} +1 -1
package/dist/sqlite-adapter-N5H6IM2X.js +4 -0
package/dist/{sqlite-adapter-TR3U3W6Q.js.map → sqlite-adapter-N5H6IM2X.js.map} +1 -1
package/dist/templates/index.cjs +134 -32
package/dist/templates/index.d.cts +52 -9
package/dist/templates/index.d.ts +52 -9
package/dist/templates/index.js +4 -2
package/dist/trpc/index.cjs +14 -13
package/dist/trpc/index.d.cts +55 -49
package/dist/trpc/index.d.ts +55 -49
package/dist/trpc/index.js +5 -4
package/dist/{types-D6ZLRGbH.d.cts → types-CpjuXbe7.d.cts} +2 -0
package/dist/{types-D6ZLRGbH.d.ts → types-CpjuXbe7.d.ts} +2 -0
package/dist/{types-VtjUxIMp.d.cts → types-DeSApf9T.d.cts} +36 -14
package/dist/{types-VtjUxIMp.d.ts → types-DeSApf9T.d.ts} +36 -14
package/dist/{types-J3R9nVsZ.d.cts → types-Dgzlftb7.d.ts} +32 -28
package/dist/{types-Bs1up4yP.d.ts → types-Ds0tCA3L.d.cts} +32 -28
package/dist/ws/index.cjs +6 -6
package/dist/ws/index.js +2 -2
package/package.json +22 -4
package/dist/bootstrap-AKAUP6F6.cjs +0 -32
package/dist/bootstrap-JCML6NFO.js +0 -7
package/dist/chunk-2KVHZE6O.cjs.map +0 -1
package/dist/chunk-2OL4O2TH.cjs.map +0 -1
package/dist/chunk-35U3FROB.js.map +0 -1
package/dist/chunk-3AJE4SEG.js.map +0 -1
package/dist/chunk-3J4MFTI3.js +0 -3872
package/dist/chunk-3J4MFTI3.js.map +0 -1
package/dist/chunk-3TPQ2BU6.js.map +0 -1
package/dist/chunk-3ZFYL34R.js.map +0 -1
package/dist/chunk-4DA7QPLA.cjs.map +0 -1
package/dist/chunk-57P6MJKC.js.map +0 -1
package/dist/chunk-5KVM3WEY.cjs.map +0 -1
package/dist/chunk-6IMPH6WV.cjs +0 -3897
package/dist/chunk-6IMPH6WV.cjs.map +0 -1
package/dist/chunk-ATBOUGQP.cjs +0 -513
package/dist/chunk-ATBOUGQP.cjs.map +0 -1
package/dist/chunk-DVD5P72E.cjs.map +0 -1
package/dist/chunk-DXHRBMGB.js.map +0 -1
package/dist/chunk-ES5HNFFT.js.map +0 -1
package/dist/chunk-FXYP2HA6.js.map +0 -1
package/dist/chunk-H727JIG7.js.map +0 -1
package/dist/chunk-HXRD4B37.js.map +0 -1
package/dist/chunk-I7HHI6QV.cjs.map +0 -1
package/dist/chunk-IA6AU5PI.cjs.map +0 -1
package/dist/chunk-IBG6V56E.cjs.map +0 -1
package/dist/chunk-K7JPTH3G.cjs.map +0 -1
package/dist/chunk-LINKCEG4.cjs.map +0 -1
package/dist/chunk-OHVB4AJ7.js.map +0 -1
package/dist/chunk-PDYFVNUX.cjs.map +0 -1
package/dist/chunk-Q23JB3KL.js +0 -488
package/dist/chunk-Q23JB3KL.js.map +0 -1
package/dist/chunk-QPPDLRNR.js.map +0 -1
package/dist/chunk-QUW2RZTM.cjs.map +0 -1
package/dist/chunk-QXIQWPAP.js.map +0 -1
package/dist/chunk-R3XIBBAW.cjs +0 -34
package/dist/chunk-R3XIBBAW.cjs.map +0 -1
package/dist/chunk-REK7AYOC.js.map +0 -1
package/dist/chunk-SA7NSSIQ.cjs.map +0 -1
package/dist/chunk-SDMNUYVU.js +0 -30
package/dist/chunk-SDMNUYVU.js.map +0 -1
package/dist/chunk-V3LKPM3O.cjs.map +0 -1
package/dist/chunk-VJT6P4N6.cjs.map +0 -1
package/dist/chunk-WOWUL7ZY.js.map +0 -1
package/dist/chunk-WQBRWOQT.cjs.map +0 -1
package/dist/chunk-Y3N7UUDO.js.map +0 -1
package/dist/chunk-Y3QQN7PN.js.map +0 -1
package/dist/chunk-YVUJBEXE.cjs.map +0 -1
package/dist/index-CLp-DRKA.d.ts +0 -64
package/dist/index-DfO7G4kN.d.cts +0 -64
package/dist/media-GPPTZ43E.js +0 -4
package/dist/mongo-auth-adapter-NHHUJHVH.cjs +0 -17
package/dist/mongo-auth-adapter-NJQUUCTP.js +0 -4
package/dist/postgres-auth-adapter-3T2NKTSE.js +0 -5
package/dist/postgres-auth-adapter-7IEENCKQ.cjs +0 -14
package/dist/redis-adapter-D2E2S3GB.cjs +0 -13
package/dist/redis-adapter-VQXD7ESY.js +0 -4
package/dist/sqlite-adapter-LVK5PS4T.cjs +0 -13
package/dist/sqlite-adapter-TR3U3W6Q.js +0 -4

package/dist/{chunk-HXRD4B37.js → chunk-IPTZM3VE.js} RENAMED Viewed

@@ -1,15 +1,15 @@
-import { PasswordPolicy, ConfigService, EmailTransport } from './chunk-57P6MJKC.js';
-import { SQLiteAuthAdapter } from './chunk-H727JIG7.js';
+import { PasswordPolicy, ConfigService, EmailTransport } from './chunk-6UNONDW7.js';
+import { usersCollection } from './chunk-XEB7PH2E.js';
+import { SQLiteAuthAdapter } from './chunk-Q72BOAPK.js';
 import { createAuditContext } from './chunk-P2YW545G.js';
-import { WEBHOOK_EVENTS, extractApiKeyFromRequest, validateApiKey, createApiKeyContext, API_KEY_COLLECTION, generateApiKey, generateApiKeyPrefix, hasApiKeyPermission } from './chunk-QXIQWPAP.js';
-import { buildGraphQLSchema } from './chunk-REK7AYOC.js';
-import { evaluateAccess } from './chunk-SDMNUYVU.js';
-import { genId, DrizzleAdapter } from './chunk-QPPDLRNR.js';
-import { PostgresAuthAdapter } from './chunk-OHVB4AJ7.js';
-import { MongoDBAdapter } from './chunk-DXHRBMGB.js';
-import { MongoDBAuthAdapter } from './chunk-Y3N7UUDO.js';
-import { hasPermission } from './chunk-3ZFYL34R.js';
-import { __esm, __export, __toCommonJS, __require } from './chunk-Z6ZWNWWR.js';
+import { WEBHOOK_EVENTS } from './chunk-3UK5XBVJ.js';
+import { API_KEY_COLLECTION, generateApiKey, generateApiKeyPrefix, evaluateAccess, hasApiKeyPermission, extractApiKeyFromRequest, validateApiKey, createApiKeyContext } from './chunk-CJONKRHJ.js';
+import { genId, DrizzleAdapter } from './chunk-V7KZQIZ6.js';
+import { PostgresAuthAdapter } from './chunk-CJX74IYK.js';
+import { MongoDBAdapter } from './chunk-PQ72Z6WC.js';
+import { MongoDBAuthAdapter } from './chunk-7OGPN7MP.js';
+import { hasPermission } from './chunk-L4EZKIEX.js';
+import { __esm, __export, __toCommonJS } from './chunk-4CV4JOE5.js';
 import crypto, { randomBytes, createHash } from 'crypto';
 import { createStorage } from 'unstorage';
 import fsDriver from 'unstorage/drivers/fs';
@@ -17,11 +17,13 @@ import { Hono } from 'hono';
 import path, { join, basename, extname, resolve } from 'path';
 import { existsSync, readFileSync } from 'fs';
 import sharp from 'sharp';
-import { parse, execute } from 'graphql';
 import { mkdir, readdir, stat, rename, unlink, writeFile } from 'fs/promises';
+import process2 from 'process';
 import { S3Client, ListObjectsV2Command, DeleteObjectsCommand, DeleteObjectCommand, PutObjectCommand, HeadObjectCommand, CopyObjectCommand } from '@aws-sdk/client-s3';
+import { NodeHttpHandler } from '@smithy/node-http-handler';
 import { Readable } from 'stream';
 import { Client } from 'basic-ftp';
+import { zodToJsonSchema } from 'zod-to-json-schema';
 function setDbAdapter(adapter) {
   dbAdapter = adapter;
@@ -30,8 +32,8 @@ async function loadSecrets() {
   if (dbAdapter) {
     try {
       const result = await dbAdapter.findOne({
-        collection: "_globals",
-        where: { slug: "system" }
+        collection: "_globals_system",
+        where: {}
       });
       if (result) {
         cachedSecrets = {
@@ -441,6 +443,9 @@ function createTenantContextFromUser(user) {
   };
 }
+// src/api/rest/hono-app.ts
+init_secret();
 // src/auth/security/in-memory-rate-limit.ts
 var InMemoryRateLimiter = class {
   storage = /* @__PURE__ */ new Map();
@@ -773,7 +778,7 @@ var AuditLogger = class {
   serializeLog(log) {
     const result = {
       id: log.id,
-      timestamp: log.timestamp.toISOString(),
+      timestamp: new Date(log.timestamp).toISOString(),
       action: log.action,
       resource: log.resource,
       success: log.success ? "1" : "0"
@@ -1168,23 +1173,19 @@ var AuthRoutes = class {
     }
   }
   async me(req) {
-    try {
-      const session = await getCurrentUser(req);
-      if (!session) {
-        return this.errorResponse("Not authenticated", 401);
-      }
-      const user = await this.authAdapter.findUserById(session.userId);
-      if (!user) {
-        return this.errorResponse("User not found", 404);
-      }
-      return this.jsonResponse({
-        success: true,
-        user: this.sanitizeUser(user)
-      });
-    } catch (error) {
-      console.error("[AuthRoutes.me] Authentication failed:", error.message);
-      return this.errorResponse("Authentication failed", 401);
+    const session = await getCurrentUser(req);
+    if (!session) {
+      return this.errorResponse("Not authenticated", 401);
     }
+    return this.jsonResponse({
+      success: true,
+      user: {
+        id: session.userId,
+        email: session.email,
+        role: session.role,
+        tenantId: session.tenantId
+      }
+    });
   }
   async changePassword(req) {
     const session = await getCurrentUser(req);
@@ -1294,7 +1295,7 @@ var AuthRoutes = class {
       }
       if (this.auditLogger) {
         await this.auditLogger.log({
-          action: "password_reset_request",
+          action: "password_reset",
           userId: user.id,
           userEmail: user.email,
           resource: "auth",
@@ -1482,7 +1483,7 @@ var AuthRoutes = class {
   }
 };
 function createLocalStorage(config) {
-  const { uploadDir, baseUrl = "/uploads" } = config;
+  const { uploadDir = join(process2.cwd(), "public", "uploads"), baseUrl = "/uploads" } = config;
   async function ensureDir(dir) {
     if (!existsSync(dir)) {
       await mkdir(dir, { recursive: true });
@@ -1670,6 +1671,467 @@ function createLocalStorage(config) {
     }
   };
 }
+// src/storage/imgix.ts
+function createImgixStorage(config) {
+  const signUrl = (path3, params) => {
+    if (!config.signKey) return path3;
+    const signer = new TextEncoder();
+    const key = signer.encode(config.signKey);
+    const data = signer.encode(path3 + params.toString());
+    let hash = 0;
+    const combined = new Uint8Array(key.length + data.length);
+    combined.set(key);
+    combined.set(data, key.length);
+    for (let i = 0; i < combined.length; i++) {
+      hash = (hash << 5) - hash + combined[i] | 0;
+    }
+    params.set("s", Math.abs(hash).toString(16));
+    return path3;
+  };
+  return {
+    name: "imgix",
+    displayName: "Imgix",
+    supportsDynamicResize: true,
+    async upload(_file, _options) {
+      throw new Error(
+        "Imgix is a transformation service. Use another provider for uploads."
+      );
+    },
+    async uploadFromUrl(url, options) {
+      const filename = options?.filename || url.split("/").pop() || "file";
+      const response = await fetch(url);
+      if (!response.ok) {
+        throw new Error(`Failed to fetch: ${response.statusText}`);
+      }
+      const blob = await response.blob();
+      new File([blob], filename, { type: blob.type });
+      return {
+        id: Buffer.from(url).toString("base64").slice(0, 20),
+        filename,
+        originalName: filename,
+        mimeType: blob.type,
+        size: blob.size,
+        url: this.getImageUrl(url),
+        thumbnailUrl: this.getImageUrl(url, {
+          width: 200,
+          height: 200,
+          fit: "crop"
+        }),
+        provider: "imgix",
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    },
+    async delete(_url) {
+    },
+    async rename(_oldUrl, newKey) {
+      return `https://${config.domain}/${newKey}`;
+    },
+    getImageUrl(url, transforms) {
+      const parsed = new URL(url);
+      const params = new URLSearchParams(parsed.search);
+      if (config.defaultParameters) {
+        Object.entries(config.defaultParameters).forEach(([key, value]) => {
+          if (!params.has(key)) {
+            params.set(key, value);
+          }
+        });
+      }
+      if (transforms) {
+        if (transforms.width) params.set("w", String(transforms.width));
+        if (transforms.height) params.set("h", String(transforms.height));
+        if (transforms.quality) params.set("q", String(transforms.quality));
+        if (transforms.format) params.set("fm", transforms.format);
+        if (transforms.fit) params.set("fit", transforms.fit);
+        if (transforms.blur) params.set("blur", String(transforms.blur));
+        if (transforms.sharpen) params.set("sharp", String(transforms.sharpen));
+      }
+      params.set("auto", "compress,format");
+      parsed.pathname + "?" + params.toString();
+      if (config.signKey) {
+        signUrl(parsed.pathname + params.toString(), params);
+      }
+      return `https://${config.domain}${parsed.pathname}${params.toString() ? "?" + params.toString() : ""}`;
+    },
+    async generateThumbnail(file) {
+      return this.getImageUrl(file.url, {
+        width: 200,
+        height: 200,
+        fit: "crop"
+      });
+    },
+    async list() {
+      return [];
+    },
+    async exists(url) {
+      try {
+        const response = await fetch(url, { method: "HEAD" });
+        return response.ok;
+      } catch {
+        return false;
+      }
+    },
+    async createFolder() {
+    },
+    async deleteFolder() {
+    }
+  };
+}
+// src/storage/bunny.ts
+function getUrl(key, config) {
+  if (config.cdnUrl) {
+    return `${config.cdnUrl.replace(/\/$/, "")}/${key}`;
+  }
+  return `https://${config.storageZone}.b-cdn.net/${key}`;
+}
+function getUrlPrefix(config) {
+  if (config.cdnUrl) {
+    return config.cdnUrl.replace(/\/$/, "") + "/";
+  }
+  return `https://${config.storageZone}.b-cdn.net/`;
+}
+function createBunnyStorage(config) {
+  const baseUrl = `https://storage.bunnycdn.com/${config.storageZone}`;
+  const getKey = (path3) => {
+    const prefix = config.prefix ? `${config.prefix}/` : "";
+    return `${prefix}${path3}`.replace(/\/+/g, "/");
+  };
+  return {
+    name: "bunny",
+    displayName: "Bunny.net Storage",
+    supportsDynamicResize: true,
+    async upload(file, options) {
+      const key = getKey(
+        `${options?.folder ? `${options.folder}/` : ""}${options?.filename || file.name}`
+      );
+      const buffer = Buffer.from(await file.arrayBuffer());
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "PUT",
+        headers: {
+          AccessKey: config.apiKey,
+          "Content-Type": file.type
+        },
+        body: buffer
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(
+          `Bunny.net upload failed: ${response.status} ${errorText}`
+        );
+      }
+      return {
+        id: Buffer.from(key).toString("base64url"),
+        filename: options?.filename || file.name,
+        originalName: file.name,
+        mimeType: file.type,
+        size: buffer.length,
+        url: getUrl(key, config),
+        thumbnailUrl: file.type.startsWith("image/") ? getUrl(key, config) : void 0,
+        folder: options?.folder,
+        provider: "bunny",
+        metadata: options?.metadata,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    },
+    async uploadFromUrl(url) {
+      const response = await fetch(url);
+      if (!response.ok) {
+        throw new Error(`Failed to fetch: ${response.statusText}`);
+      }
+      const blob = await response.blob();
+      const filename = url.split("/").pop() || "file";
+      const file = new File([blob], filename, { type: blob.type });
+      return this.upload(file);
+    },
+    async delete(url) {
+      const key = url.replace(getUrlPrefix(config), "");
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "DELETE",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      if (!response.ok && response.status !== 404) {
+        const errorText = await response.text();
+        throw new Error(
+          `Bunny.net delete failed: ${response.status} ${errorText}`
+        );
+      }
+    },
+    async rename(oldUrl, newKey) {
+      const oldKey = oldUrl.replace(getUrlPrefix(config), "");
+      const fullPath = config.prefix ? `${config.prefix}/${newKey}` : newKey;
+      const response = await fetch(`${baseUrl}/${oldKey}`, {
+        method: "GET",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      if (!response.ok) {
+        throw new Error(`Bunny.net rename failed: could not read old file`);
+      }
+      const content = await response.arrayBuffer();
+      await fetch(`${baseUrl}/${fullPath}`, {
+        method: "PUT",
+        headers: {
+          AccessKey: config.apiKey,
+          "Content-Type": response.headers.get("Content-Type") || "application/octet-stream"
+        },
+        body: content
+      });
+      await this.delete(oldUrl);
+      return getUrl(fullPath, config);
+    },
+    getImageUrl(url, transforms) {
+      if (!transforms || Object.keys(transforms).length === 0) return url;
+      const params = new URLSearchParams({ url });
+      if (transforms.width) params.set("w", String(transforms.width));
+      if (transforms.height) params.set("h", String(transforms.height));
+      if (transforms.quality) params.set("q", String(transforms.quality));
+      if (transforms.format) params.set("f", transforms.format);
+      return `/api/media/resize?${params.toString()}`;
+    },
+    async generateThumbnail(file) {
+      return this.getImageUrl(file.url, { width: 400, height: 400 });
+    },
+    async list(prefix) {
+      const key = getKey(prefix || "");
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "GET",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(
+          `Bunny.net list failed: ${response.status} ${errorText}`
+        );
+      }
+      const items = await response.json();
+      return items.map((item) => ({
+        id: Buffer.from(item.ObjectName || "").toString("base64url"),
+        filename: item.ObjectName?.split("/").pop() || "",
+        originalName: item.ObjectName?.split("/").pop() || "",
+        mimeType: "application/octet-stream",
+        size: item.Length || 0,
+        url: getUrl(item.ObjectName || "", config),
+        provider: "bunny",
+        createdAt: item.LastChanged || (/* @__PURE__ */ new Date()).toISOString()
+      }));
+    },
+    async exists(url) {
+      const key = url.replace(getUrlPrefix(config), "");
+      const response = await fetch(`${baseUrl}/${key}`, {
+        method: "HEAD",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+      return response.ok;
+    },
+    async createFolder(folder) {
+      const key = getKey(`${folder}/`);
+      await fetch(`${baseUrl}/${key}`, {
+        method: "PUT",
+        headers: {
+          AccessKey: config.apiKey,
+          "Content-Length": "0"
+        },
+        body: ""
+      });
+    },
+    async deleteFolder(folder) {
+      const key = getKey(`${folder}/`);
+      await fetch(`${baseUrl}/${key}`, {
+        method: "DELETE",
+        headers: {
+          AccessKey: config.apiKey
+        }
+      });
+    }
+  };
+}
+var StorageProviderRegistry = class {
+  providers = /* @__PURE__ */ new Map();
+  providerToPlugin = /* @__PURE__ */ new Map();
+  disabledPlugins = /* @__PURE__ */ new Set();
+  constructor() {
+    this.registerLocal();
+    this.registerImgix();
+    this.registerBunny();
+  }
+  registerLocal() {
+    this.register({
+      type: "local",
+      displayName: "Local Server",
+      configKey: "local",
+      configFields: [
+        {
+          name: "uploadDir",
+          type: "text",
+          label: "Upload Directory",
+          defaultValue: "./public/uploads"
+        },
+        {
+          name: "baseUrl",
+          type: "text",
+          label: "Base URL",
+          defaultValue: "/uploads"
+        }
+      ],
+      extractConfig: (sc, key) => sc[key] || {},
+      extractRawConfig: (c) => {
+        const localConfig = c?.local || c;
+        const savedUploadDir = (localConfig?.uploadDir || "").trim();
+        let uploadDir;
+        if (savedUploadDir) {
+          if (path.isAbsolute(savedUploadDir)) {
+            uploadDir = savedUploadDir;
+          } else if (savedUploadDir.includes("/") || savedUploadDir.includes("\\")) {
+            uploadDir = path.resolve(process.cwd(), savedUploadDir);
+          } else {
+            uploadDir = path.join(process.cwd(), "public", savedUploadDir);
+          }
+        } else {
+          uploadDir = path.join(process.cwd(), "public", "uploads");
+        }
+        const savedBaseUrl = (localConfig?.baseUrl || "").trim();
+        let baseUrl;
+        if (savedBaseUrl) {
+          baseUrl = savedBaseUrl.startsWith("/") ? savedBaseUrl : `/${savedBaseUrl}`;
+        } else {
+          baseUrl = "/uploads";
+        }
+        return { uploadDir, baseUrl };
+      },
+      factory: (c) => createLocalStorage(c)
+    });
+  }
+  registerImgix() {
+    this.register({
+      type: "imgix",
+      displayName: "Imgix",
+      configKey: "imgix",
+      configFields: [
+        { name: "domain", type: "text", label: "Domain", required: true },
+        { name: "signKey", type: "password", label: "Sign Key" }
+      ],
+      extractConfig: (sc, key) => sc[key] || {},
+      extractRawConfig: (c) => c?.imgix || c,
+      factory: (c) => createImgixStorage(c)
+    });
+  }
+  registerBunny() {
+    this.register({
+      type: "bunny",
+      displayName: "Bunny.net",
+      configKey: "bunny",
+      configFields: [
+        {
+          name: "storageZone",
+          type: "text",
+          label: "Storage Zone",
+          required: true
+        },
+        { name: "apiKey", type: "password", label: "API Key", required: true },
+        { name: "cdnUrl", type: "text", label: "CDN URL" },
+        { name: "prefix", type: "text", label: "Path Prefix" }
+      ],
+      extractConfig: (sc, key) => sc[key] || {},
+      extractRawConfig: (c) => c?.bunny || c,
+      factory: (c) => createBunnyStorage(c)
+    });
+  }
+  register(registration) {
+    if (this.providers.has(registration.type)) {
+      console.warn(
+        `[StorageRegistry] Provider "${registration.type}" already registered, skipping`
+      );
+      return;
+    }
+    if (registration.pluginName) {
+      this.providerToPlugin.set(registration.type, registration.pluginName);
+    }
+    this.providers.set(registration.type, registration);
+  }
+  unregister(type) {
+    this.providers.delete(type);
+    this.providerToPlugin.delete(type);
+  }
+  get(type) {
+    return this.providers.get(type);
+  }
+  getAll() {
+    return Array.from(this.providers.values());
+  }
+  getAllAvailable(isPluginEnabled) {
+    const all = this.getAll();
+    if (!isPluginEnabled) return all;
+    return all.filter((p) => {
+      if (!p.pluginName) return true;
+      return isPluginEnabled(p.pluginName);
+    });
+  }
+  has(type) {
+    return this.providers.has(type);
+  }
+  async resolve(type, storageConfig) {
+    const reg = this.providers.get(type);
+    if (!reg) {
+      throw new Error(
+        `Unknown storage provider type: "${type}". Is the plugin that provides it enabled?`
+      );
+    }
+    if (reg.pluginName && this.disabledPlugins.has(reg.pluginName)) {
+      throw new Error(
+        `Storage provider "${type}" is not available (plugin "${reg.pluginName}" is disabled)`
+      );
+    }
+    const configKey = reg.configKey || type;
+    const config = reg.extractConfig(storageConfig, configKey);
+    return reg.factory(config);
+  }
+  async resolveWithConfig(type, config) {
+    const reg = this.providers.get(type);
+    if (!reg) {
+      throw new Error(
+        `Unknown storage provider type: "${type}". Is the plugin that provides it enabled?`
+      );
+    }
+    if (reg.pluginName && this.disabledPlugins.has(reg.pluginName)) {
+      throw new Error(
+        `Storage provider "${type}" is not available (plugin "${reg.pluginName}" is disabled)`
+      );
+    }
+    const providerConfig = reg.extractRawConfig(config);
+    return reg.factory(providerConfig);
+  }
+  getProviderPluginName(type) {
+    return this.providerToPlugin.get(type);
+  }
+  getAllPluginNames() {
+    return Array.from(new Set(this.providerToPlugin.values()));
+  }
+  setPluginEnabled(name, enabled) {
+    if (enabled) {
+      this.disabledPlugins.delete(name);
+    } else {
+      this.disabledPlugins.add(name);
+    }
+  }
+  isPluginEnabled(name) {
+    return !this.disabledPlugins.has(name);
+  }
+};
+var instance = null;
+function getDefaultRegistry() {
+  if (!instance) {
+    instance = new StorageProviderRegistry();
+  }
+  return instance;
+}
 function extractPublicDevUrlId(url) {
   if (!url) return "";
   if (url.startsWith("pub-")) return url;
@@ -1703,7 +2165,7 @@ function getPublicUrl(key, config) {
       return `https://${config.bucket}.s3.${config.region}.amazonaws.com/${normalizedKey}`;
   }
 }
-function getUrlPrefix(config) {
+function getUrlPrefix2(config) {
   if (config.cdnUrl) {
     return config.cdnUrl.replace(/\/$/, "") + "/";
   }
@@ -1765,17 +2227,17 @@ function createS3Storage(config) {
     tls: true,
     // R2 requires specific SSL configuration
     ...config.provider === "r2" && {
-      requestHandler: new (__require("@smithy/node-http-handler")).NodeHttpHandler({
+      requestHandler: new NodeHttpHandler({
         connectionTimeout: 1e4,
         socketTimeout: 1e4
       })
     }
   });
-  const getKey = (path2) => {
+  const getKey = (path3) => {
     const prefix = config.prefix ? `${config.prefix}/` : "";
-    return `${prefix}${path2}`.replace(/\/+/g, "/");
+    return `${prefix}${path3}`.replace(/\/+/g, "/");
   };
-  const getUrl = (key) => getPublicUrl(key, config);
+  const getUrl2 = (key) => getPublicUrl(key, config);
   return {
     name: config.provider,
     displayName: getDisplayName(config.provider),
@@ -1806,8 +2268,8 @@ function createS3Storage(config) {
         originalName: file.name,
         mimeType: file.type,
         size: buffer.length,
-        url: getUrl(key),
-        thumbnailUrl: file.type.startsWith("image/") ? getUrl(key) : void 0,
+        url: getUrl2(key),
+        thumbnailUrl: file.type.startsWith("image/") ? getUrl2(key) : void 0,
         folder: options?.folder,
         provider: config.provider,
         metadata: {
@@ -1828,7 +2290,7 @@ function createS3Storage(config) {
       return this.upload(file);
     },
     async delete(url) {
-      const key = url.replace(getUrlPrefix(config), "");
+      const key = url.replace(getUrlPrefix2(config), "");
       await client.send(
         new DeleteObjectCommand({
           Bucket: config.bucket,
@@ -1837,7 +2299,7 @@ function createS3Storage(config) {
       );
     },
     async rename(oldUrl, newKey) {
-      const oldKey = oldUrl.replace(getUrlPrefix(config), "");
+      const oldKey = oldUrl.replace(getUrlPrefix2(config), "");
       const newKeyWithPrefix = config.prefix ? `${config.prefix}/${newKey}` : newKey;
       await client.send(
         new CopyObjectCommand({
@@ -1852,7 +2314,7 @@ function createS3Storage(config) {
           Key: oldKey
         })
       );
-      return getUrl(newKeyWithPrefix);
+      return getUrl2(newKeyWithPrefix);
     },
     getImageUrl(url, transforms) {
       if (!transforms || Object.keys(transforms).length === 0) return url;
@@ -1880,14 +2342,14 @@ function createS3Storage(config) {
         originalName: item.Key?.split("/").pop() || "",
         mimeType: "application/octet-stream",
         size: item.Size || 0,
-        url: getUrl(item.Key || ""),
+        url: getUrl2(item.Key || ""),
         provider: config.provider,
         createdAt: item.LastModified?.toISOString() || (/* @__PURE__ */ new Date()).toISOString()
       }));
     },
     async exists(url) {
       try {
-        const key = url.replace(getUrlPrefix(config), "");
+        const key = url.replace(getUrlPrefix2(config), "");
         await client.send(
           new HeadObjectCommand({
             Bucket: config.bucket,
@@ -1947,9 +2409,9 @@ function createS3Storage(config) {
 function createCloudinaryStorage(config) {
   const getBaseUrl = () => `https://api.cloudinary.com/v1_1/${config.cloudName}/upload`;
   const generateSignature = async (params) => {
-    const crypto3 = await import('crypto');
+    const crypto4 = await import('crypto');
     const sortedParams = Object.keys(params).sort().map((key) => `${key}=${params[key]}`).join("&");
-    return crypto3.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
+    return crypto4.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
   };
   return {
     name: "cloudinary",
@@ -2051,8 +2513,8 @@ function createCloudinaryStorage(config) {
           public_id: publicId
         };
         const sortedParams = Object.keys(signatureParams).sort().map((key) => `${key}=${signatureParams[key]}`).join("&");
-        const crypto3 = await import('crypto');
-        const signature = crypto3.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
+        const crypto4 = await import('crypto');
+        const signature = crypto4.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
         const deleteUrl = `https://api.cloudinary.com/v1_1/${config.cloudName}/image/destroy`;
         const formData = new FormData();
         formData.append("public_id", publicId);
@@ -2103,8 +2565,8 @@ function createCloudinaryStorage(config) {
           timestamp: String(timestamp)
         };
         const sortedParams = Object.keys(signatureParams).sort().map((key) => `${key}=${signatureParams[key]}`).join("&");
-        const crypto3 = await import('crypto');
-        const signature = crypto3.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
+        const crypto4 = await import('crypto');
+        const signature = crypto4.createHash("sha256").update(sortedParams + config.apiSecret).digest("hex");
         const formData = new FormData();
         formData.append("from_public_id", publicIdWithoutVersion);
         formData.append("to_public_id", newPublicId);
@@ -2122,140 +2584,38 @@ function createCloudinaryStorage(config) {
           const data = await response.json();
           console.log("[Cloudinary rename] Success:", data.secure_url);
           return data.secure_url;
-        } else {
-          const error = await response.json();
-          console.warn("[Cloudinary rename] Failed:", error);
-          const versionStr = version ? `/${version}/` : "/";
-          return `https://res.cloudinary.com/${config.cloudName}/image/upload${versionStr}${newPublicId}.${newKey.split(".").pop()}`;
-        }
-      } catch (e) {
-        console.warn("[Cloudinary rename] Error:", e.message);
-        const versionStr = version ? `/${version}/` : "/";
-        return `https://res.cloudinary.com/${config.cloudName}/image/upload${versionStr}${newPublicId}.${newKey.split(".").pop()}`;
-      }
-    },
-    getImageUrl(url, transforms) {
-      if (!transforms) return url;
-      const parts = url.split("/upload/");
-      if (parts.length !== 2) return url;
-      const transformationArr = [];
-      if (transforms.width) transformationArr.push(`w_${transforms.width}`);
-      if (transforms.height) transformationArr.push(`h_${transforms.height}`);
-      if (transforms.fit) {
-        const fitMap = {
-          crop: "c_fill",
-          clip: "c_fit",
-          scale: "c_scale",
-          fill: "c_fill"
-        };
-        transformationArr.push(fitMap[transforms.fit] || "c_limit");
-      }
-      if (transforms.quality) transformationArr.push(`q_${transforms.quality}`);
-      if (transforms.format) transformationArr.push(`f_${transforms.format}`);
-      const transformationStr = transformationArr.join(",");
-      return `${parts[0]}/upload/${transformationStr}/${parts[1]}`;
-    },
-    async generateThumbnail(file) {
-      return this.getImageUrl(file.url, {
-        width: 200,
-        height: 200,
-        fit: "crop"
-      });
-    },
-    async list() {
-      return [];
-    },
-    async exists(url) {
-      const response = await fetch(url, { method: "HEAD" });
-      return response.ok;
-    },
-    async createFolder() {
-    },
-    async deleteFolder() {
-    }
-  };
-}
-// src/storage/imgix.ts
-function createImgixStorage(config) {
-  const signUrl = (path2, params) => {
-    if (!config.signKey) return path2;
-    const signer = new TextEncoder();
-    const key = signer.encode(config.signKey);
-    const data = signer.encode(path2 + params.toString());
-    let hash = 0;
-    const combined = new Uint8Array(key.length + data.length);
-    combined.set(key);
-    combined.set(data, key.length);
-    for (let i = 0; i < combined.length; i++) {
-      hash = (hash << 5) - hash + combined[i] | 0;
-    }
-    params.set("s", Math.abs(hash).toString(16));
-    return path2;
-  };
-  return {
-    name: "imgix",
-    displayName: "Imgix",
-    supportsDynamicResize: true,
-    async upload(_file, _options) {
-      throw new Error(
-        "Imgix is a transformation service. Use another provider for uploads."
-      );
-    },
-    async uploadFromUrl(url, options) {
-      const filename = options?.filename || url.split("/").pop() || "file";
-      const response = await fetch(url);
-      if (!response.ok) {
-        throw new Error(`Failed to fetch: ${response.statusText}`);
+        } else {
+          const error = await response.json();
+          console.warn("[Cloudinary rename] Failed:", error);
+          const versionStr = version ? `/${version}/` : "/";
+          return `https://res.cloudinary.com/${config.cloudName}/image/upload${versionStr}${newPublicId}.${newKey.split(".").pop()}`;
+        }
+      } catch (e) {
+        console.warn("[Cloudinary rename] Error:", e.message);
+        const versionStr = version ? `/${version}/` : "/";
+        return `https://res.cloudinary.com/${config.cloudName}/image/upload${versionStr}${newPublicId}.${newKey.split(".").pop()}`;
       }
-      const blob = await response.blob();
-      new File([blob], filename, { type: blob.type });
-      return {
-        id: Buffer.from(url).toString("base64").slice(0, 20),
-        filename,
-        originalName: filename,
-        mimeType: blob.type,
-        size: blob.size,
-        url: this.getImageUrl(url),
-        thumbnailUrl: this.getImageUrl(url, {
-          width: 200,
-          height: 200,
-          fit: "crop"
-        }),
-        provider: "imgix",
-        createdAt: (/* @__PURE__ */ new Date()).toISOString()
-      };
-    },
-    async delete(_url) {
-    },
-    async rename(_oldUrl, newKey) {
-      return `https://${config.domain}/${newKey}`;
     },
     getImageUrl(url, transforms) {
-      const parsed = new URL(url);
-      const params = new URLSearchParams(parsed.search);
-      if (config.defaultParameters) {
-        Object.entries(config.defaultParameters).forEach(([key, value]) => {
-          if (!params.has(key)) {
-            params.set(key, value);
-          }
-        });
-      }
-      if (transforms) {
-        if (transforms.width) params.set("w", String(transforms.width));
-        if (transforms.height) params.set("h", String(transforms.height));
-        if (transforms.quality) params.set("q", String(transforms.quality));
-        if (transforms.format) params.set("fm", transforms.format);
-        if (transforms.fit) params.set("fit", transforms.fit);
-        if (transforms.blur) params.set("blur", String(transforms.blur));
-        if (transforms.sharpen) params.set("sharp", String(transforms.sharpen));
-      }
-      params.set("auto", "compress,format");
-      parsed.pathname + "?" + params.toString();
-      if (config.signKey) {
-        signUrl(parsed.pathname + params.toString(), params);
+      if (!transforms) return url;
+      const parts = url.split("/upload/");
+      if (parts.length !== 2) return url;
+      const transformationArr = [];
+      if (transforms.width) transformationArr.push(`w_${transforms.width}`);
+      if (transforms.height) transformationArr.push(`h_${transforms.height}`);
+      if (transforms.fit) {
+        const fitMap = {
+          crop: "c_fill",
+          clip: "c_fit",
+          scale: "c_scale",
+          fill: "c_fill"
+        };
+        transformationArr.push(fitMap[transforms.fit] || "c_limit");
       }
-      return `https://${config.domain}${parsed.pathname}${params.toString() ? "?" + params.toString() : ""}`;
+      if (transforms.quality) transformationArr.push(`q_${transforms.quality}`);
+      if (transforms.format) transformationArr.push(`f_${transforms.format}`);
+      const transformationStr = transformationArr.join(",");
+      return `${parts[0]}/upload/${transformationStr}/${parts[1]}`;
     },
     async generateThumbnail(file) {
       return this.getImageUrl(file.url, {
@@ -2268,12 +2628,8 @@ function createImgixStorage(config) {
       return [];
     },
     async exists(url) {
-      try {
-        const response = await fetch(url, { method: "HEAD" });
-        return response.ok;
-      } catch {
-        return false;
-      }
+      const response = await fetch(url, { method: "HEAD" });
+      return response.ok;
     },
     async createFolder() {
     },
@@ -2298,15 +2654,15 @@ function createFtpStorage(config) {
     }
     return client;
   }
-  const getKey = (path2) => {
+  const getKey = (path3) => {
     const prefix = config.prefix ? `${config.prefix}/` : "";
-    return `${prefix}${path2}`.replace(/\/+/g, "/");
+    return `${prefix}${path3}`.replace(/\/+/g, "/");
   };
-  const getUrl = (key) => {
+  const getUrl2 = (key) => {
     const base = config.baseUrl.replace(/\/$/, "");
     return `${base}/${key}`;
   };
-  const getUrlPrefix2 = () => {
+  const getUrlPrefix3 = () => {
     const base = config.baseUrl.replace(/\/$/, "");
     return base + "/";
   };
@@ -2337,8 +2693,8 @@ function createFtpStorage(config) {
         originalName: file.name,
         mimeType: file.type,
         size: buffer.length,
-        url: getUrl(key),
-        thumbnailUrl: file.type.startsWith("image/") ? getUrl(key) : void 0,
+        url: getUrl2(key),
+        thumbnailUrl: file.type.startsWith("image/") ? getUrl2(key) : void 0,
         folder: options?.folder,
         provider: config.type,
         metadata: options?.metadata,
@@ -2357,15 +2713,15 @@ function createFtpStorage(config) {
     },
     async delete(url) {
       const ftp = await getClient();
-      const key = url.replace(getUrlPrefix2(), "");
+      const key = url.replace(getUrlPrefix3(), "");
       await ftp.remove(key);
     },
     async rename(oldUrl, newKey) {
       const ftp = await getClient();
-      const oldKey = oldUrl.replace(getUrlPrefix2(), "");
+      const oldKey = oldUrl.replace(getUrlPrefix3(), "");
       const fullPath = config.prefix ? `${config.prefix}/${newKey}` : newKey;
       await ftp.rename(oldKey, fullPath);
-      return getUrl(fullPath);
+      return getUrl2(fullPath);
     },
     getImageUrl(url, transforms) {
       if (!transforms || Object.keys(transforms).length === 0) return url;
@@ -2394,14 +2750,14 @@ function createFtpStorage(config) {
         originalName: item.name,
         mimeType: "application/octet-stream",
         size: Number(item.size) || 0,
-        url: getUrl(`${key}/${item.name}`.replace(/\/+/g, "/")),
+        url: getUrl2(`${key}/${item.name}`.replace(/\/+/g, "/")),
         provider: config.type,
         createdAt: item.modifiedAt ? item.modifiedAt.toISOString() : (/* @__PURE__ */ new Date()).toISOString()
       }));
     },
     async exists(url) {
       const ftp = await getClient();
-      const key = url.replace(getUrlPrefix2(), "");
+      const key = url.replace(getUrlPrefix3(), "");
       try {
         await ftp.size(key);
         return true;
@@ -2425,105 +2781,17 @@ function createFtpStorage(config) {
 // src/storage/index.ts
 async function resolveProvider(configService) {
   const config = configService.getStorageConfig();
-  switch (config.type) {
-    case "aws":
-      return createS3Storage({
-        provider: "aws",
-        bucket: config.s3.bucket || "",
-        region: config.s3.region || "us-east-1",
-        accessKeyId: config.s3.accessKeyId || "",
-        secretAccessKey: config.s3.secretAccessKey || "",
-        endpoint: config.s3.endpoint,
-        cdnUrl: config.s3.cdnUrl,
-        prefix: config.s3.prefix
-      });
-    case "r2":
-      return createS3Storage({
-        provider: "r2",
-        bucket: config.r2.bucket || "",
-        region: "auto",
-        accessKeyId: config.r2.accessKeyId || "",
-        secretAccessKey: config.r2.secretAccessKey || "",
-        accountId: config.r2.accountId || "",
-        publicDevUrl: config.r2.publicDevUrl,
-        endpoint: `https://${config.r2.accountId || ""}.r2.cloudflarestorage.com`,
-        cdnUrl: config.r2.cdnUrl,
-        prefix: config.r2.prefix
-      });
-    case "gcs":
-      return createS3Storage({
-        provider: "gcs",
-        bucket: config.gcs.bucket || "",
-        region: config.gcs.projectId || "auto",
-        accessKeyId: config.gcs.clientEmail || "",
-        secretAccessKey: config.gcs.privateKey || "",
-        cdnUrl: config.gcs.cdnUrl,
-        prefix: config.gcs.prefix
-      });
-    case "digitalocean":
-      return createS3Storage({
-        provider: "digitalocean",
-        bucket: config.digitalocean.bucket || "",
-        region: config.digitalocean.region || "nyc3",
-        accessKeyId: config.digitalocean.accessKeyId || "",
-        secretAccessKey: config.digitalocean.secretAccessKey || "",
-        endpoint: `https://${config.digitalocean.region || "nyc3"}.digitaloceanspaces.com`,
-        cdnUrl: config.digitalocean.cdnUrl,
-        prefix: config.digitalocean.prefix
-      });
-    case "backblaze":
-      return createS3Storage({
-        provider: "backblaze",
-        bucket: config.backblaze.bucket || "",
-        region: "auto",
-        accessKeyId: config.backblaze.applicationKeyId || "",
-        secretAccessKey: config.backblaze.applicationKey || "",
-        accountId: config.backblaze.accountId || "",
-        endpoint: `https://s3.backblazeb2.com`,
-        cdnUrl: config.backblaze.cdnUrl,
-        prefix: config.backblaze.prefix
-      });
-    case "wasabi":
-      return createS3Storage({
-        provider: "wasabi",
-        bucket: config.wasabi.bucket || "",
-        region: config.wasabi.region || "us-east-1",
-        accessKeyId: config.wasabi.accessKeyId || "",
-        secretAccessKey: config.wasabi.secretAccessKey || "",
-        endpoint: `https://s3.${config.wasabi.region || "us-east-1"}.wasabisys.com`,
-        cdnUrl: config.wasabi.cdnUrl,
-        prefix: config.wasabi.prefix
-      });
-    case "ftp":
-    case "sftp":
-      return createFtpStorage({
-        host: config.ftp?.host || "",
-        port: config.ftp?.port || 21,
-        user: config.ftp?.user || "",
-        password: config.ftp?.password || "",
-        secure: config.ftp?.secure || false,
-        baseUrl: config.ftp?.baseUrl || "",
-        prefix: config.ftp?.prefix,
-        type: "ftp"
-      });
-    case "cloudinary":
-      return createCloudinaryStorage({
-        cloudName: config.cloudinary.cloudName || "",
-        apiKey: config.cloudinary.apiKey || "",
-        apiSecret: config.cloudinary.apiSecret || "",
-        folder: config.cloudinary.folder
-      });
-    case "imgix":
-      return createImgixStorage({
-        domain: config.imgix.domain || "",
-        signKey: config.imgix.signKey
-      });
-    case "local":
-    default:
-      return createLocalStorage({
-        uploadDir: config.local.uploadDir || path.join(process.cwd(), "public", "uploads"),
-        baseUrl: config.local.baseUrl || "/uploads"
-      });
+  const registry = getDefaultRegistry();
+  try {
+    return await registry.resolve(config.type, config);
+  } catch (err) {
+    console.warn(
+      `[resolveProvider] ${err.message} \u2014 falling back to local storage`
+    );
+    return createLocalStorage({
+      uploadDir: path.join(process.cwd(), "public", "uploads"),
+      baseUrl: "/uploads"
+    });
   }
 }
 async function resolveProviderWithConfig(config) {
@@ -2534,121 +2802,18 @@ async function resolveProviderWithConfig(config) {
       baseUrl: "/uploads"
     });
   }
-  console.log("[resolveProviderWithConfig] Creating provider:", config.type);
-  switch (config.type) {
-    case "aws":
-      return createS3Storage({
-        provider: "aws",
-        bucket: config.s3?.bucket || "",
-        region: config.s3?.region || "us-east-1",
-        accessKeyId: config.s3?.accessKeyId || "",
-        secretAccessKey: config.s3?.secretAccessKey || "",
-        endpoint: config.s3?.endpoint,
-        cdnUrl: config.s3?.cdnUrl,
-        prefix: config.s3?.prefix
-      });
-    case "r2":
-      return createS3Storage({
-        provider: "r2",
-        bucket: config.r2?.bucket || "",
-        region: "auto",
-        accessKeyId: config.r2?.accessKeyId || "",
-        secretAccessKey: config.r2?.secretAccessKey || "",
-        accountId: config.r2?.accountId || "",
-        publicDevUrl: config.r2?.publicDevUrl,
-        endpoint: `https://${config.r2?.accountId || ""}.r2.cloudflarestorage.com`,
-        cdnUrl: config.r2?.cdnUrl,
-        prefix: config.r2?.prefix
-      });
-    case "gcs":
-      return createS3Storage({
-        provider: "gcs",
-        bucket: config.gcs?.bucket || "",
-        region: config.gcs?.projectId || "auto",
-        accessKeyId: config.gcs?.clientEmail || "",
-        secretAccessKey: config.gcs?.privateKey || "",
-        cdnUrl: config.gcs?.cdnUrl,
-        prefix: config.gcs?.prefix
-      });
-    case "digitalocean":
-      return createS3Storage({
-        provider: "digitalocean",
-        bucket: config.digitalocean?.bucket || "",
-        region: config.digitalocean?.region || "nyc3",
-        accessKeyId: config.digitalocean?.accessKeyId || "",
-        secretAccessKey: config.digitalocean?.secretAccessKey || "",
-        cdnUrl: config.digitalocean?.cdnUrl,
-        prefix: config.digitalocean?.prefix
-      });
-    case "backblaze":
-      return createS3Storage({
-        provider: "backblaze",
-        bucket: config.backblaze?.bucket || "",
-        region: "auto",
-        accessKeyId: config.backblaze?.applicationKeyId || "",
-        secretAccessKey: config.backblaze?.applicationKey || "",
-        cdnUrl: config.backblaze?.cdnUrl,
-        prefix: config.backblaze?.prefix
-      });
-    case "wasabi":
-      return createS3Storage({
-        provider: "wasabi",
-        bucket: config.wasabi?.bucket || "",
-        region: config.wasabi?.region || "us-east-1",
-        accessKeyId: config.wasabi?.accessKeyId || "",
-        secretAccessKey: config.wasabi?.secretAccessKey || "",
-        cdnUrl: config.wasabi?.cdnUrl,
-        prefix: config.wasabi?.prefix
-      });
-    case "cloudinary":
-      return createCloudinaryStorage({
-        cloudName: config.cloudinary?.cloudName || "",
-        apiKey: config.cloudinary?.apiKey || "",
-        apiSecret: config.cloudinary?.apiSecret || "",
-        folder: config.cloudinary?.folder
-      });
-    case "ftp":
-    case "sftp": {
-      const ftpConf = config.ftp || config;
-      return createFtpStorage({
-        type: "ftp",
-        host: ftpConf.host || "",
-        port: ftpConf.port || 21,
-        user: ftpConf.user || "",
-        password: ftpConf.password || "",
-        secure: ftpConf.secure || false,
-        baseUrl: ftpConf.baseUrl || "",
-        prefix: ftpConf.prefix
-      });
-    }
-    case "local":
-    default: {
-      const localConfig = config.local || {
-        uploadDir: config["local.uploadDir"],
-        baseUrl: config["local.baseUrl"]
-      };
-      const savedUploadDir = (localConfig?.uploadDir || "").trim();
-      let uploadDir;
-      if (savedUploadDir) {
-        if (path.isAbsolute(savedUploadDir)) {
-          uploadDir = savedUploadDir;
-        } else if (savedUploadDir.includes("/") || savedUploadDir.includes("\\")) {
-          uploadDir = path.resolve(process.cwd(), savedUploadDir);
-        } else {
-          uploadDir = path.join(process.cwd(), "public", savedUploadDir);
-        }
-      } else {
-        uploadDir = path.join(process.cwd(), "public", "uploads");
-      }
-      const savedBaseUrl = (localConfig?.baseUrl || "").trim();
-      let baseUrl;
-      if (savedBaseUrl) {
-        baseUrl = savedBaseUrl.startsWith("/") ? savedBaseUrl : `/${savedBaseUrl}`;
-      } else {
-        baseUrl = "/uploads";
-      }
-      return createLocalStorage({ uploadDir, baseUrl });
-    }
+  const type = config.type || "local";
+  const registry = getDefaultRegistry();
+  try {
+    return await registry.resolveWithConfig(type, config);
+  } catch (err) {
+    console.warn(
+      `[resolveProviderWithConfig] ${err.message} \u2014 falling back to local storage`
+    );
+    return createLocalStorage({
+      uploadDir: path.join(process.cwd(), "public", "uploads"),
+      baseUrl: "/uploads"
+    });
   }
 }
 async function processImage(buffer) {
@@ -2685,9 +2850,7 @@ var MediaService = class _MediaService {
       storage2 = await resolveProviderWithConfig(options.storageConfig);
     } else {
       const configService = new ConfigService(db);
-      if (typeof db?.select === "function") {
-        await configService.load();
-      }
+      await configService.load();
       storage2 = await resolveProvider(configService);
     }
     const service = new _MediaService(db, storage2, options);
@@ -2889,7 +3052,7 @@ var MediaService = class _MediaService {
         ]
       );
     } else {
-      const { media: mediaSchema } = await import('./media-GPPTZ43E.js');
+      const { media: mediaSchema } = await import('./media-7WDX4BDJ.js');
       const mime = storageResult.mimeType;
       const mediaType = mime.startsWith("image/") ? "image" : mime.startsWith("video/") ? "video" : mime.startsWith("audio/") ? "audio" : mime.startsWith("application/pdf") ? "document" : ["application/zip", "application/x-zip", "application/x-tar", "application/gzip", "application/x-7z"].includes(mime) ? "archive" : "other";
       await this.db.insert(mediaSchema).values({
@@ -2951,7 +3114,7 @@ var MediaService = class _MediaService {
         id
       ]);
     } else {
-      const { media: mediaSchema } = await import('./media-GPPTZ43E.js');
+      const { media: mediaSchema } = await import('./media-7WDX4BDJ.js');
       const { eq } = await import('drizzle-orm');
       const [row] = await this.db.select().from(mediaSchema).where(eq(mediaSchema.id, id));
       if (row) item = this.rowToMedia(row);
@@ -2967,7 +3130,7 @@ var MediaService = class _MediaService {
     if (this.dialect === "sqlite") {
       await this.sqliteRun(`DELETE FROM ${this.mediaTable} WHERE id = ?`, [id]);
     } else {
-      const { media: mediaSchema } = await import('./media-GPPTZ43E.js');
+      const { media: mediaSchema } = await import('./media-7WDX4BDJ.js');
       const { eq } = await import('drizzle-orm');
       await this.db.delete(mediaSchema).where(eq(mediaSchema.id, id));
     }
@@ -2982,7 +3145,7 @@ var MediaService = class _MediaService {
         id
       ]);
     } else {
-      const { media: mediaSchema } = await import('./media-GPPTZ43E.js');
+      const { media: mediaSchema } = await import('./media-7WDX4BDJ.js');
       const { eq } = await import('drizzle-orm');
       const [row] = await this.db.select().from(mediaSchema).where(eq(mediaSchema.id, id));
       if (row) item = this.rowToMedia(row);
@@ -3017,7 +3180,7 @@ var MediaService = class _MediaService {
         [...vals, this.now(), id]
       );
     } else {
-      const { media: mediaSchema } = await import('./media-GPPTZ43E.js');
+      const { media: mediaSchema } = await import('./media-7WDX4BDJ.js');
       const { eq } = await import('drizzle-orm');
       await this.db.update(mediaSchema).set({ ...updateData, updatedAt: this.now() }).where(eq(mediaSchema.id, id));
     }
@@ -3036,7 +3199,7 @@ var MediaService = class _MediaService {
       );
       return row2 ? this.rowToMedia(row2) : null;
     }
-    const { media: mediaSchema } = await import('./media-GPPTZ43E.js');
+    const { media: mediaSchema } = await import('./media-7WDX4BDJ.js');
     const { eq } = await import('drizzle-orm');
     const [row] = await this.db.select().from(mediaSchema).where(eq(mediaSchema.id, id));
     return row ? this.rowToMedia(row) : null;
@@ -3084,7 +3247,7 @@ var MediaService = class _MediaService {
         totalPages: Math.ceil(totalDocs2 / limit)
       };
     }
-    const { media: mediaSchema } = await import('./media-GPPTZ43E.js');
+    const { media: mediaSchema } = await import('./media-7WDX4BDJ.js');
     const { like, or, and, asc, desc, eq, sql } = await import('drizzle-orm');
     const conditions = [];
     if (search) {
@@ -3163,7 +3326,7 @@ var MediaService = class _MediaService {
       );
       return row ? this.rowToMedia(row) : null;
     }
-    const { media: mediaSchema } = await import('./media-GPPTZ43E.js');
+    const { media: mediaSchema } = await import('./media-7WDX4BDJ.js');
     const { eq } = await import('drizzle-orm');
     const [updated] = await this.db.update(mediaSchema).set({ ...data, updatedAt: /* @__PURE__ */ new Date() }).where(eq(mediaSchema.id, id)).returning();
     return updated ? this.rowToMedia(updated) : null;
@@ -3185,7 +3348,7 @@ var MediaService = class _MediaService {
         );
       }
     } else {
-      const { media: mediaSchema } = await import('./media-GPPTZ43E.js');
+      const { media: mediaSchema } = await import('./media-7WDX4BDJ.js');
       const { eq } = await import('drizzle-orm');
       for (const id of ids) {
         await this.db.update(mediaSchema).set({ ...data, updatedAt: /* @__PURE__ */ new Date() }).where(eq(mediaSchema.id, id));
@@ -3200,7 +3363,7 @@ var MediaService = class _MediaService {
       );
       return rows.map((r) => r.path).filter((f) => f && f !== "").sort();
     }
-    const { media: mediaSchema, mediaFolders: folderSchema } = await import('./media-GPPTZ43E.js');
+    const { media: mediaSchema, mediaFolders: folderSchema } = await import('./media-7WDX4BDJ.js');
     const { eq, sql } = await import('drizzle-orm');
     const fromMedia = await this.db.select({ folder: mediaSchema.folder }).from(mediaSchema).groupBy(mediaSchema.folder);
     const fromFolders = await this.db.select({ path: folderSchema.path }).from(folderSchema);
@@ -3220,7 +3383,7 @@ var MediaService = class _MediaService {
         [fullPath, name, parentPath || null, now]
       );
     } else {
-      const { mediaFolders: folderSchema } = await import('./media-GPPTZ43E.js');
+      const { mediaFolders: folderSchema } = await import('./media-7WDX4BDJ.js');
       await this.db.insert(folderSchema).values({
         path: fullPath,
         name,
@@ -3241,7 +3404,7 @@ var MediaService = class _MediaService {
         [folder, `${folder}/%`]
       );
     } else {
-      const { mediaFolders: folderSchema } = await import('./media-GPPTZ43E.js');
+      const { mediaFolders: folderSchema } = await import('./media-7WDX4BDJ.js');
       const { like, or, eq } = await import('drizzle-orm');
       await this.db.delete(folderSchema).where(
         or(
@@ -3252,8 +3415,75 @@ var MediaService = class _MediaService {
     }
   }
 };
-// src/api/rest/hono-app.ts
+function formatZodErrors(errors) {
+  return errors.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ");
+}
+function normalizeEmptyStrings(data, fields) {
+  if (!data || typeof data !== "object") return;
+  for (const field of fields) {
+    if (!field.name || !(field.name in data)) continue;
+    const val = data[field.name];
+    if (val === "") {
+      const isTextual = field.type === "text" || field.type === "textarea" || field.type === "code" || field.type === "markdown" || field.type === "email" || field.type === "password" || field.type === "color";
+      if (!isTextual) data[field.name] = null;
+    }
+    if (field.type === "tabs" && field.name && Array.isArray(field.tabs) && data[field.name] && typeof data[field.name] === "object") {
+      for (const tab of field.tabs) {
+        if (Array.isArray(tab.fields)) normalizeEmptyStrings(data[field.name], tab.fields);
+      }
+    } else if ((field.type === "group" || field.type === "collapsible") && field.name && Array.isArray(field.fields) && data[field.name] && typeof data[field.name] === "object") {
+      normalizeEmptyStrings(data[field.name], field.fields);
+    } else if (field.type === "array" && field.name && Array.isArray(field.fields) && Array.isArray(data[field.name])) {
+      for (const item of data[field.name]) {
+        if (item && typeof item === "object") normalizeEmptyStrings(item, field.fields);
+      }
+    } else if (field.type === "blocks" && field.name && Array.isArray(field.blocks) && Array.isArray(data[field.name])) {
+      for (const item of data[field.name]) {
+        if (!item || typeof item !== "object") continue;
+        const blockTypeStr = item.type || item.blockType;
+        if (!blockTypeStr) continue;
+        const blockDef = field.blocks.find((b) => b.slug === blockTypeStr);
+        if (!blockDef || !Array.isArray(blockDef.fields)) continue;
+        const target = item.data && typeof item.data === "object" ? item.data : item;
+        normalizeEmptyStrings(target, blockDef.fields);
+      }
+    }
+  }
+}
+function convertRichtextFields(fields, data) {
+  if (!data || typeof data !== "object") return;
+  for (const field of fields) {
+    if (field.type === "richtext" && field.name) {
+      const val = data[field.name];
+      if (typeof val === "string") {
+        data[field.name] = [{ type: "paragraph", children: [{ text: val }] }];
+      } else if (val && typeof val === "object" && !Array.isArray(val) && val.type === "doc" && Array.isArray(val.content)) {
+        data[field.name] = val.content;
+      }
+    }
+    if (field.type === "tabs" && field.name && Array.isArray(field.tabs) && data[field.name] && typeof data[field.name] === "object") {
+      for (const tab of field.tabs) {
+        if (Array.isArray(tab.fields)) convertRichtextFields(tab.fields, data[field.name]);
+      }
+    } else if ((field.type === "group" || field.type === "collapsible") && field.name && Array.isArray(field.fields) && data[field.name] && typeof data[field.name] === "object") {
+      convertRichtextFields(field.fields, data[field.name]);
+    } else if (field.type === "array" && field.name && Array.isArray(field.fields) && Array.isArray(data[field.name])) {
+      for (const item of data[field.name]) {
+        if (item && typeof item === "object") convertRichtextFields(field.fields, item);
+      }
+    } else if (field.type === "blocks" && field.name && Array.isArray(field.blocks) && Array.isArray(data[field.name])) {
+      for (const item of data[field.name]) {
+        if (!item || typeof item !== "object") continue;
+        const blockTypeStr = item.type || item.blockType;
+        if (!blockTypeStr) continue;
+        const blockDef = field.blocks.find((b) => b.slug === blockTypeStr);
+        if (!blockDef || !Array.isArray(blockDef.fields)) continue;
+        const target = item.data && typeof item.data === "object" ? item.data : item;
+        convertRichtextFields(blockDef.fields, target);
+      }
+    }
+  }
+}
 var COLLECTION_EVENT_MAP = {
   _media: {
     create: WEBHOOK_EVENTS.MEDIA_UPLOAD,
@@ -3347,7 +3577,7 @@ async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTen
       };
     }
   }
-  if (ctxUser) {
+  if (ctxUser && !(apiKeyContext?.permissions?.length > 0)) {
     const resource = collection.slug;
     const action = operation === "read" ? "read" : operation === "create" ? "create" : operation === "update" ? "update" : "delete";
     const permission = `${resource}:${action}`;
@@ -3406,31 +3636,30 @@ async function checkGlobalAccess(global, operation, req, ctxUser, ctxTenantID, e
   return { allowed: true };
 }
 async function resolveAuthContext(req, authMw, staticUser, staticTenantID) {
-  if (!authMw) {
-    return {
-      user: staticUser,
-      tenantID: staticTenantID,
-      apiKeyContext: void 0
-    };
-  }
-  let result;
-  try {
-    result = await authMw(req);
-  } catch (err) {
+  if (staticUser) {
     return {
       user: staticUser,
       tenantID: staticTenantID,
-      apiKeyContext: void 0
+      apiKeyContext: void 0,
+      authType: "static"
     };
   }
-  if (result.status === 401) {
-    return { user: void 0, tenantID: void 0, apiKeyContext: void 0 };
+  if (authMw) {
+    const res = await authMw(req);
+    if (res.status === 200 && res.user) {
+      return {
+        user: res.user,
+        tenantID: res.tenantContext?.tenantId,
+        apiKeyContext: res.apiKeyContext,
+        authType: res.authType
+      };
+    }
   }
   return {
-    user: result.user || staticUser,
-    tenantID: result.tenantContext?.tenantId || staticTenantID,
-    apiKeyContext: result.apiKeyContext,
-    authType: result.authType
+    user: void 0,
+    tenantID: void 0,
+    apiKeyContext: void 0,
+    authType: void 0
   };
 }
 function createDefaultAuthAdapter(db, rootDir) {
@@ -3544,6 +3773,13 @@ function createHonoApp(options) {
     baseUrl: process.env.KYRO_BASE_URL || "http://localhost:4321",
     rateLimiter
   });
+  EmailTransport.fromConfig(db).then((transport) => {
+    if (transport) {
+      authRoutes.email = transport;
+    }
+  }).catch((err) => {
+    console.error("[Email] Failed to initialize transport from config:", err);
+  });
   app.post("/api/auth/login", async (c) => authRoutes.login(c.req.raw));
   app.post("/api/auth/register", async (c) => authRoutes.register(c.req.raw));
   app.post("/api/auth/logout", async (c) => authRoutes.logout(c.req.raw));
@@ -3554,69 +3790,6 @@ function createHonoApp(options) {
   app.delete("/api/auth/sessions", async (c) => authRoutes.revokeOtherSessions(c.req.raw));
   app.delete("/api/auth/sessions/:id", async (c) => authRoutes.revokeSession(c.req.raw, c.req.param("id")));
   app.put("/api/auth/sessions/:id/name", async (c) => authRoutes.renameSession(c.req.raw, c.req.param("id")));
-  app.post("/api/graphql", async (c) => {
-    try {
-      const req = c.req.raw;
-      const apiKeyRaw = extractApiKeyFromRequest(req);
-      if (apiKeyRaw && db) {
-        const apiKeyResult = await validateApiKey(apiKeyRaw, db);
-        if (!apiKeyResult.valid) {
-          return c.json({ errors: [{ message: apiKeyResult.error || "Invalid API key" }] }, 401);
-        }
-        const apiKeyId = apiKeyResult.apiKeyId || "";
-        await sessionAuthAdapter?.createAuditLog({
-          action: "api_key_request",
-          userId: apiKeyResult.userId || "",
-          resource: "api_key",
-          resourceId: apiKeyId,
-          success: true,
-          metadata: {
-            endpoint: "/api/graphql",
-            method: "POST",
-            ip: extractIp(req)
-          }
-        });
-      }
-      const body = await req.json().catch(() => ({}));
-      const { query, variables } = body;
-      if (!query) {
-        return c.json({ errors: [{ message: "No query provided" }] }, 400);
-      }
-      let gqlUser;
-      let apiKeyCtx;
-      if (apiKeyRaw && db) {
-        const apiKeyResult = await validateApiKey(apiKeyRaw, db);
-        if (apiKeyResult.valid && apiKeyResult.user) {
-          gqlUser = apiKeyResult.user;
-          apiKeyCtx = createApiKeyContext(apiKeyResult);
-        }
-      }
-      const schema = buildGraphQLSchema({
-        registry,
-        db,
-        user: gqlUser,
-        req,
-        settings
-      });
-      const document = parse(query);
-      const result = await execute({
-        schema,
-        document,
-        variableValues: variables,
-        contextValue: { user: gqlUser, apiKeyContext: apiKeyCtx, req, db }
-      });
-      return c.json(result);
-    } catch (error) {
-      if (error.message?.includes("GraphQL is disabled")) {
-        return c.json({ errors: [{ message: "GraphQL API is disabled" }] }, 403);
-      }
-      if (error instanceof SyntaxError) {
-        return c.json({ errors: [{ message: "Invalid request body" }] }, 400);
-      }
-      console.error("[GraphQL] execution error:", error);
-      return c.json({ errors: [{ message: error.message || "GraphQL execution failed" }] }, 500);
-    }
-  });
   app.get("/api/auth/access", async (c) => {
     try {
       const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(
@@ -3701,7 +3874,13 @@ function createHonoApp(options) {
       return c.json({ error: error.message }, 500);
     }
   });
-  const usersCollection = registry.getCollection("users");
+  const usersCollection2 = typeof registry.hasCollection === "function" && registry.hasCollection("users") ? registry.getCollection("users") : (() => {
+    try {
+      return registry.getCollection("users");
+    } catch {
+      return usersCollection;
+    }
+  })();
   app.get("/api/users", async (c) => {
     try {
       const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(
@@ -3711,7 +3890,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "read",
         c.req.raw,
         ctxUser,
@@ -3756,19 +3935,6 @@ function createHonoApp(options) {
         user,
         tenantID
       );
-      const access = await checkCollectionAccess(
-        usersCollection,
-        "read",
-        c.req.raw,
-        ctxUser,
-        ctxTenantID,
-        void 0,
-        enablePublicAccess,
-        defaultCollectionAccess
-      );
-      if (!access.allowed) {
-        return c.json({ error: access.error }, access.status || 403);
-      }
       const id = c.req.param("id");
       const found = await sessionAuthAdapter.findUserById(id);
       if (!found) {
@@ -3788,7 +3954,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "create",
         c.req.raw,
         ctxUser,
@@ -3813,8 +3979,18 @@ function createHonoApp(options) {
         password: body.password,
         name: body.name,
         role: body.role || "customer",
+        avatar: body.avatar,
         tenantId: body.tenantId
       });
+      if (ctxUser) {
+        sessionAuthAdapter?.createAuditLog({
+          action: "user_create",
+          userId: ctxUser.id,
+          resource: "users",
+          resourceId: created.id,
+          success: true
+        });
+      }
       return c.json(
         { data: created, message: "User created successfully" },
         201
@@ -3832,7 +4008,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "update",
         c.req.raw,
         ctxUser,
@@ -3854,6 +4030,9 @@ function createHonoApp(options) {
       if (body.name !== void 0) updateData.name = body.name;
       if (body.email !== void 0) updateData.email = body.email;
       if (body.role !== void 0) updateData.role = body.role;
+      if (body.avatar !== void 0) {
+        updateData.avatar = typeof body.avatar === "object" && body.avatar !== null ? body.avatar.id || String(body.avatar) : body.avatar;
+      }
       if (body.tenantId !== void 0) updateData.tenantId = body.tenantId;
       if (body.emailVerified !== void 0)
         updateData.emailVerified = body.emailVerified;
@@ -3865,6 +4044,25 @@ function createHonoApp(options) {
       if (!updated) {
         return c.json({ error: "User update failed" }, 500);
       }
+      if (ctxUser) {
+        sessionAuthAdapter?.createAuditLog({
+          action: "user_update",
+          userId: ctxUser.id,
+          resource: "users",
+          resourceId: id,
+          success: true
+        });
+        if (body.role && existing.role !== body.role) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "role_change",
+            userId: ctxUser.id,
+            resource: "users",
+            resourceId: id,
+            success: true,
+            metadata: { oldRole: existing.role, newRole: body.role }
+          });
+        }
+      }
       return c.json({ data: updated, message: "User updated successfully" });
     } catch (error) {
       return c.json({ error: error.message }, 500);
@@ -3879,7 +4077,7 @@ function createHonoApp(options) {
         tenantID
       );
       const access = await checkCollectionAccess(
-        usersCollection,
+        usersCollection2,
         "delete",
         c.req.raw,
         ctxUser,
@@ -3903,6 +4101,15 @@ function createHonoApp(options) {
       if (!deleted) {
         return c.json({ error: "User deletion failed" }, 500);
       }
+      if (ctxUser) {
+        sessionAuthAdapter?.createAuditLog({
+          action: "user_delete",
+          userId: ctxUser.id,
+          resource: "users",
+          resourceId: id,
+          success: true
+        });
+      }
       return c.json({ data: existing, message: "User deleted successfully" });
     } catch (error) {
       return c.json({ error: error.message }, 500);
@@ -4059,11 +4266,11 @@ function createHonoApp(options) {
       const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
       if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
       const service = await getMedia();
-      const path2 = c.req.query("path");
-      if (!path2) {
+      const path3 = c.req.query("path");
+      if (!path3) {
         return c.json({ error: "Path is required" }, 400);
       }
-      await service.deleteFolder(path2);
+      await service.deleteFolder(path3);
       return c.json({ message: "Folder deleted" });
     } catch (error) {
       console.error("[Media] delete folder error:", error);
@@ -4216,6 +4423,119 @@ function createHonoApp(options) {
       return c.json({ error: error.message }, 500);
     }
   });
+  app.get("/api/plugins", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
+      const plugins = registry.getPlugins();
+      const storageRegistry = registry.storageProviders;
+      const pluginList = await Promise.all(
+        plugins.map(async (p) => {
+          let enabled = true;
+          const pluginName = p.name;
+          let states = {};
+          try {
+            const doc = await db.findOne({
+              collection: "_globals_plugin-settings",
+              where: {}
+            });
+            if (doc && doc.states) states = doc.states;
+          } catch {
+          }
+          if (states[pluginName] !== void 0) {
+            enabled = states[pluginName];
+          }
+          storageRegistry.setPluginEnabled(pluginName, enabled);
+          return {
+            id: pluginName,
+            name: pluginName,
+            version: p.version || "1.0.0",
+            description: p.description || "",
+            enabled,
+            status: enabled ? "active" : "disabled"
+          };
+        })
+      );
+      return c.json(pluginList);
+    } catch (error) {
+      console.error("[Plugins] list error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
+  app.put("/api/plugins/:name/toggle", async (c) => {
+    try {
+      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
+      const pluginName = c.req.param("name");
+      const storageRegistry = registry.storageProviders;
+      const currentEnabled = storageRegistry.isPluginEnabled(pluginName);
+      const newEnabled = !currentEnabled;
+      const affectedProviders = [];
+      if (!newEnabled) {
+        for (const p of storageRegistry.getAll()) {
+          if (p.pluginName === pluginName) {
+            affectedProviders.push(p.type);
+          }
+        }
+      }
+      const force = c.req.query("force") === "1";
+      if (!force && !newEnabled && affectedProviders.length > 0) {
+        let activeProvider = "local";
+        try {
+          const row = db?.prepare?.(`SELECT provider FROM "_globals_storage-settings" LIMIT 1`)?.get();
+          if (row?.provider) activeProvider = row.provider;
+        } catch {
+          try {
+            const result = await db?.findOne?.({
+              collection: "_globals_storage-settings",
+              where: {}
+            });
+            if (result?.provider) activeProvider = result.provider;
+          } catch {
+          }
+        }
+        if (affectedProviders.includes(activeProvider)) {
+          return c.json({
+            error: `Cannot disable "${pluginName}" \u2014 storage provider "${activeProvider}" is currently active. Switch to Local storage first.`,
+            requiresAction: true,
+            activeProvider
+          }, 409);
+        }
+      }
+      try {
+        let states = {};
+        let docId = "global";
+        const doc = await db.findOne({
+          collection: "_globals_plugin-settings",
+          where: {}
+        });
+        if (doc) {
+          states = doc.states || {};
+          docId = doc.id;
+        }
+        states[pluginName] = newEnabled;
+        if (doc) {
+          await db.update({
+            collection: "_globals_plugin-settings",
+            id: docId,
+            data: { states }
+          });
+        } else {
+          await db.create({
+            collection: "_globals_plugin-settings",
+            data: { states, id: "global" }
+          });
+        }
+      } catch (e) {
+        console.warn(`[Plugins] Could not persist state for "${pluginName}":`, e);
+      }
+      storageRegistry.setPluginEnabled(pluginName, newEnabled);
+      return c.json({ name: pluginName, enabled: newEnabled });
+    } catch (error) {
+      console.error("[Plugins] toggle error:", error);
+      return c.json({ error: error.message }, 500);
+    }
+  });
   app.get("/api/health", (c) => {
     return c.json({
       status: "ok",
@@ -4224,6 +4544,102 @@ function createHonoApp(options) {
       timestamp: (/* @__PURE__ */ new Date()).toISOString()
     });
   });
+  app.get("/api/kyro/schema", async (c) => {
+    const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+    if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
+    const extractFields = (fields) => fields.map((f) => {
+      const meta = {
+        name: f.name,
+        type: f.type,
+        label: f.label,
+        required: f.required ?? false,
+        unique: f.unique ?? false,
+        indexed: f.indexed ?? false,
+        defaultValue: f.defaultValue,
+        admin: f.admin ? { ...f.admin } : void 0
+      };
+      if (f.minLength !== void 0) meta.minLength = f.minLength;
+      if (f.maxLength !== void 0) meta.maxLength = f.maxLength;
+      if (f.pattern !== void 0) meta.pattern = f.pattern;
+      if (f.variant !== void 0) meta.variant = f.variant;
+      if (f.hasMany !== void 0) meta.hasMany = f.hasMany;
+      if (f.min !== void 0) meta.min = f.min;
+      if (f.max !== void 0) meta.max = f.max;
+      if (f.step !== void 0) meta.step = f.step;
+      if (f.integer !== void 0) meta.integer = f.integer;
+      if (f.options) meta.options = f.options;
+      if (f.relationTo) meta.relationTo = f.relationTo;
+      if (f.maxDepth !== void 0) meta.maxDepth = f.maxDepth;
+      if (f.minRows !== void 0) meta.minRows = f.minRows;
+      if (f.maxRows !== void 0) meta.maxRows = f.maxRows;
+      if (f.localized !== void 0) meta.localized = f.localized;
+      if (f.language) meta.language = f.language;
+      if (f.format) meta.format = f.format;
+      if (f.allowedTypes) meta.allowedTypes = f.allowedTypes;
+      if (f.maxSize) meta.maxSize = f.maxSize;
+      if (f.type === "group" || f.type === "row" || f.type === "collapsible" && f.fields) {
+        meta.fields = extractFields(f.fields);
+      }
+      if (f.type === "array" && f.fields) {
+        meta.fields = extractFields(f.fields);
+      }
+      if (f.type === "blocks" && f.blocks) {
+        meta.blocks = f.blocks.map((b) => ({
+          slug: b.slug,
+          label: b.label,
+          fields: extractFields(b.fields)
+        }));
+      }
+      if (f.type === "tabs" && f.tabs) {
+        meta.tabs = f.tabs.map((t) => ({
+          label: t.label,
+          name: t.name,
+          fields: extractFields(t.fields)
+        }));
+      }
+      return meta;
+    });
+    const data = { collections: {}, globals: {} };
+    for (const col of registry.getCollections()) {
+      const slug = col.slug;
+      try {
+        data.collections[slug] = {
+          slug,
+          label: col.label || slug,
+          fields: extractFields(col.fields),
+          jsonSchema: zodToJsonSchema(registry.getZodSchema(slug), { target: "openApi3" }),
+          createSchema: zodToJsonSchema(registry.getCreateZodSchema(slug), { target: "openApi3" }),
+          updateSchema: zodToJsonSchema(registry.getUpdateZodSchema(slug), { target: "openApi3" }),
+          procedures: {
+            find: { collection: slug, where: "Record<string,any>", sort: "string", limit: "number", page: "number", depth: "number", select: "string[]", draft: "boolean" },
+            findByID: { collection: slug, id: "string", depth: "number", select: "string[]", draft: "boolean" },
+            create: { collection: slug, data: "Record<string,any>", depth: "number", select: "string[]" },
+            update: { collection: slug, id: "string", data: "Record<string,any>", depth: "number", select: "string[]", baseUpdatedAt: "string" },
+            delete: { collection: slug, id: "string" },
+            count: { collection: slug, where: "Record<string,any>" }
+          }
+        };
+      } catch {
+      }
+    }
+    for (const global of registry.getGlobals()) {
+      const slug = global.slug;
+      try {
+        data.globals[slug] = {
+          slug,
+          label: global.label || slug,
+          fields: extractFields(global.fields),
+          jsonSchema: zodToJsonSchema(registry.getZodSchema(slug), { target: "openApi3" }),
+          procedures: {
+            get: {},
+            update: { data: "Record<string,any>" }
+          }
+        };
+      } catch {
+      }
+    }
+    return c.json(data);
+  });
   app.get("/api/collections", async (c) => {
     const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
     if (!ctxUser) return c.json({ error: "Authentication required" }, 401);
@@ -4239,6 +4655,129 @@ function createHonoApp(options) {
     }));
     return c.json(collections2);
   });
+  function resolveDocField(fields, doc, fieldName) {
+    if (fieldName in doc) return doc[fieldName];
+    for (const field of fields) {
+      if (!field.name) continue;
+      if (field.type === "tabs" && field.tabs) {
+        const data = doc[field.name];
+        if (data && typeof data === "object" && fieldName in data) return data[fieldName];
+      }
+      if ((field.type === "group" || field.type === "collapsible") && field.fields) {
+        const data = doc[field.name];
+        if (data && typeof data === "object") {
+          if (fieldName in data) return data[fieldName];
+          const nested = resolveDocField(field.fields, data, fieldName);
+          if (nested !== void 0) return nested;
+        }
+      }
+    }
+    return void 0;
+  }
+  function flattenRelationshipFields(fields) {
+    const relFields = [];
+    for (const field of fields) {
+      if (field.type === "relationship") {
+        relFields.push(field);
+      } else if (field.type === "tabs" && field.tabs) {
+        for (const tab of field.tabs) {
+          relFields.push(...flattenRelationshipFields(tab.fields || []));
+        }
+      } else if ((field.type === "group" || field.type === "collapsible") && field.fields) {
+        relFields.push(...flattenRelationshipFields(field.fields || []));
+      }
+    }
+    return relFields;
+  }
+  function extractRelValue(value) {
+    if (!value) return [];
+    if (typeof value === "string") return [value];
+    if (Array.isArray(value)) return value.map((v) => typeof v === "object" ? v.value ?? v : v);
+    if (typeof value === "object") {
+      const v = value.value ?? value;
+      return typeof v === "string" ? [v] : Array.isArray(v) ? v : [];
+    }
+    return [];
+  }
+  async function populateRelationships(docs, collection, db2, registry2) {
+    if (docs.length === 0) return;
+    const relFields = flattenRelationshipFields(collection.fields);
+    if (relFields.length === 0) return;
+    for (const relField of relFields) {
+      const targetSlugs = Array.isArray(relField.relationTo) ? relField.relationTo : [relField.relationTo];
+      const idsBySlug = {};
+      for (const slug of targetSlugs) {
+        idsBySlug[slug] = /* @__PURE__ */ new Set();
+      }
+      for (const doc of docs) {
+        const raw = resolveDocField(collection.fields, doc, relField.name);
+        const ids = extractRelValue(raw);
+        for (const id of ids) {
+          if (!id) continue;
+          if (targetSlugs.length === 1) {
+            idsBySlug[targetSlugs[0]].add(id);
+          } else {
+            for (const slug of targetSlugs) {
+              idsBySlug[slug].add(id);
+            }
+          }
+        }
+      }
+      for (const [targetSlug, idSet] of Object.entries(idsBySlug)) {
+        if (idSet.size === 0) continue;
+        const targetCollection = registry2.getCollection(targetSlug);
+        if (!targetCollection) continue;
+        const titleField = targetCollection.admin?.useAsTitle || "title";
+        const idArr = Array.from(idSet);
+        const relatedDocs = [];
+        for (const id of idArr) {
+          try {
+            const relDoc = await db2.findByID({ collection: targetSlug, id, draft: true });
+            if (relDoc) {
+              const title = resolveDocField(targetCollection.fields, relDoc, titleField) ?? id;
+              relatedDocs.push({ id, title: String(title) });
+            }
+          } catch {
+            relatedDocs.push({ id, title: id });
+          }
+        }
+        const titleMap = new Map(relatedDocs.map((d) => [d.id, d.title]));
+        for (const doc of docs) {
+          const raw = resolveDocField(collection.fields, doc, relField.name);
+          if (!raw) continue;
+          const setValue = (val) => {
+            if (relField.name in doc) {
+              doc[relField.name] = val;
+            } else {
+              for (const f of collection.fields) {
+                if (f.type === "tabs" && f.tabs) {
+                  for (const tab of f.tabs) {
+                    if (tab.fields?.some((tf) => tf.name === relField.name)) {
+                      const tabData = doc[f.name];
+                      if (tabData && typeof tabData === "object") {
+                        tabData[relField.name] = val;
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          };
+          if (typeof raw === "string") {
+            setValue({ id: raw, title: titleMap.get(raw) || raw });
+          } else if (Array.isArray(raw)) {
+            setValue(raw.map((v) => {
+              const id = typeof v === "object" ? v.value ?? v.id : v;
+              return { id, title: titleMap.get(id) || id };
+            }));
+          } else if (typeof raw === "object") {
+            const id = raw.value ?? raw.id;
+            setValue({ id, title: titleMap.get(id) || id });
+          }
+        }
+      }
+    }
+  }
   app.get("/api/search", async (c) => {
     try {
       const query = c.req.query("q") || "";
@@ -4290,11 +4829,12 @@ function createHonoApp(options) {
             limit,
             tenantID: ctxTenantID
           });
+          await populateRelationships(searchResult.docs, collection, db, registry);
           for (const doc of searchResult.docs) {
             const titleField = collection.admin?.useAsTitle || searchableFields.find(
               (f) => f === "title" || f === "name" || f === "heading" || f === "slug"
             );
-            const title = titleField ? doc[titleField] : doc.id;
+            const title = titleField ? resolveDocField(collection.fields, doc, titleField) ?? doc.id : doc.id;
             results.push({
               collection: collection.slug,
               label: collection.label || collection.slug,
@@ -4315,15 +4855,13 @@ function createHonoApp(options) {
   });
   app.get("/api/keys", async (c) => {
     try {
-      const { user: ctxUser } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
+      const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
       if (!ctxUser || !hasPermission(ctxUser, "users:read")) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const page = parseInt(c.req.query("page") || "1");
       const limit = Math.min(parseInt(c.req.query("limit") || "50"), 100);
-      console.log("[ApiKeys] Querying", API_KEY_COLLECTION, { page, limit });
-      const result = await db.find({ collection: API_KEY_COLLECTION, where: {}, page, limit });
-      console.log("[ApiKeys] Result:", result);
+      const result = await db.find({ collection: API_KEY_COLLECTION, where: {}, page, limit, tenantID: ctxTenantID });
       const docs = (result.docs || []).map((doc) => ({
         id: doc.id,
         name: doc.name,
@@ -4634,37 +5172,31 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
-        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, basePath, "GET", c.req.raw);
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         const url = new URL(c.req.url);
         const page = parseInt(url.searchParams.get("page") || "1");
-        const limit = Math.min(
-          parseInt(url.searchParams.get("limit") || "10"),
-          100
-        );
+        const limit = Math.min(parseInt(url.searchParams.get("limit") || "10"), 100);
         const sort = url.searchParams.get("sort") || void 0;
         const depth = parseInt(url.searchParams.get("depth") || "0");
         const select = url.searchParams.get("select")?.split(",") || void 0;
-        let where = {};
-        const whereParam = url.searchParams.get("where");
-        if (whereParam) {
-          try {
-            where = JSON.parse(whereParam);
-          } catch {
-          }
-        }
+        const isDraftRequest = !!ctxUser;
         const result = await db.find({
           collection: slug,
-          where,
+          where: {},
           sort,
           limit,
           page,
           depth,
           tenantID: ctxTenantID,
-          select
+          select,
+          draft: isDraftRequest
         });
+        await populateRelationships(result.docs, collection, db, registry);
         return c.json(result);
       } catch (error) {
-        console.error(`[API] Error listing ${slug}:`, error);
+        console.error("[API] list error:", error);
         return c.json({ error: error.message }, 500);
       }
     });
@@ -4689,6 +5221,9 @@ function createHonoApp(options) {
           return c.json({ error: access.error }, access.status || 403);
         }
         const id = c.req.param("id");
+        if (!id) {
+          return c.json({ error: "Missing document ID" }, 400);
+        }
         const url = new URL(c.req.url);
         const compareA = url.searchParams.get("compareA");
         const compareB = url.searchParams.get("compareB");
@@ -4719,36 +5254,6 @@ function createHonoApp(options) {
         return c.json({ error: error.message }, 500);
       }
     });
-    app.get(`${basePath}/:id/draft`, async (c) => {
-      try {
-        const {
-          user: ctxUser,
-          tenantID: ctxTenantID,
-          apiKeyContext
-        } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
-          collection,
-          "read",
-          c.req.raw,
-          ctxUser,
-          ctxTenantID,
-          apiKeyContext,
-          enablePublicAccess,
-          defaultCollectionAccess
-        );
-        if (!access.allowed) {
-          return c.json({ error: access.error }, access.status || 403);
-        }
-        const draft = await db.findDraft({
-          collection: slug,
-          documentId: c.req.param("id"),
-          tenantID: ctxTenantID
-        });
-        return c.json({ data: draft });
-      } catch (error) {
-        return c.json({ error: error.message }, 500);
-      }
-    });
     app.put(`${basePath}/:id/draft`, async (c) => {
       try {
         const {
@@ -4772,24 +5277,39 @@ function createHonoApp(options) {
         const id = c.req.param("id");
         const body = await c.req.json();
         const baseUpdatedAt = readBaseUpdatedAt(body);
-        const data = body.data ?? omitRevisionFields(body);
         const originalDoc = await db.findByID({
           collection: slug,
           id,
-          tenantID: ctxTenantID
+          tenantID: ctxTenantID,
+          draft: true
         });
         if (!originalDoc) {
           return c.json({ error: "Document not found" }, 404);
         }
-        const draft = await db.upsertDraft({
+        let finalData;
+        if (body.delta) {
+          finalData = { ...originalDoc, ...body.delta };
+        } else {
+          finalData = body.data ?? omitRevisionFields(body);
+        }
+        const version = await db.updateLatestVersion({
           collection: slug,
           documentId: id,
-          tenantID: ctxTenantID,
-          data,
-          baseUpdatedAt,
-          draftUpdatedAt: body.draftUpdatedAt
+          data: finalData,
+          status: "draft",
+          tenantID: ctxTenantID
         });
-        return c.json({ data: draft, message: "Draft saved successfully" });
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_update",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: id,
+            success: true,
+            metadata: { type: "draft_save" }
+          });
+        }
+        return c.json({ data: version, message: "Draft saved successfully" });
       } catch (error) {
         return c.json({ error: error.message }, 500);
       }
@@ -4814,11 +5334,16 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
-        await db.deleteDraft({
-          collection: slug,
-          documentId: c.req.param("id"),
-          tenantID: ctxTenantID
-        });
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_update",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: c.req.param("id"),
+            success: true,
+            metadata: { type: "draft_discard" }
+          });
+        }
         return c.json({ message: "Draft discarded successfully" });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -4861,12 +5386,14 @@ function createHonoApp(options) {
           doc = await db.findOne({
             collection: slug,
             where: { slug: id },
-            tenantID: ctxTenantID
+            tenantID: ctxTenantID,
+            draft: isDraftRequest
           });
         }
         if (!doc) {
           return c.json({ error: "Document not found" }, 404);
         }
+        await populateRelationships([doc], collection, db, registry);
         return c.json({ data: doc });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -4892,23 +5419,81 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, basePath, "POST", c.req.raw);
         const body = await c.req.json();
+        let validated = body;
+        normalizeEmptyStrings(validated, collection.fields);
+        convertRichtextFields(collection.fields, validated);
+        const hookReq = c.req.raw;
+        if (collection.hooks?.beforeValidate) {
+          for (const hook of collection.hooks.beforeValidate) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "create"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
         const schema = registry.getCreateZodSchema(slug);
-        let validated;
         try {
-          validated = schema.parse(body);
+          validated = schema.parse(validated);
         } catch (zodErr) {
-          return c.json({ error: "Validation failed", details: zodErr.errors }, 400);
+          return c.json({ error: `Validation failed: ${formatZodErrors(zodErr.errors)}`, details: zodErr.errors }, 400);
         }
         if (collection.tenantScoped && ctxTenantID) {
           validated.tenantID = ctxTenantID;
         }
+        const isDraftEnabled = collection.versions?.drafts === true;
+        validated.status = isDraftEnabled ? "draft" : "published";
+        if (collection.hooks?.beforeChange) {
+          for (const hook of collection.hooks.beforeChange) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "create"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
         const doc = await db.create({
           collection: slug,
           data: validated,
           tenantID: ctxTenantID
         });
+        if (isDraftEnabled) {
+          await db.createVersion({
+            collection: slug,
+            documentId: doc.id,
+            data: validated,
+            status: "draft",
+            createdBy: ctxUser?.id,
+            changeDescription: "Created",
+            tenantID: ctxTenantID
+          });
+        }
+        if (collection.hooks?.afterChange) {
+          for (const hook of collection.hooks.afterChange) {
+            await hook({
+              collection: slug,
+              doc,
+              data: validated,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "create"
+            });
+          }
+        }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "create"), {
             collection: slug,
@@ -4918,11 +5503,20 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_create",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: doc.id,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: "Created successfully" }, 201);
       } catch (error) {
         if (error.name === "ZodError") {
           return c.json(
-            { error: "Validation failed", details: error.errors },
+            { error: `Validation failed: ${formatZodErrors(error.errors)}`, details: error.errors },
             400
           );
         }
@@ -4952,61 +5546,92 @@ function createHonoApp(options) {
         const id = c.req.param("id");
         const body = await c.req.json();
         const baseUpdatedAt = readBaseUpdatedAt(body);
-        console.log(`[PATCH] ${slug}/${id}`, {
-          baseUpdatedAt,
-          bodyKeys: Object.keys(body),
-          tenantID: ctxTenantID
-        });
-        const cleaned = Object.fromEntries(
-          Object.entries(omitRevisionFields(body)).filter(
-            ([_, v]) => v !== "null" && v !== void 0
-          )
-        );
-        const schema = registry.getUpdateZodSchema(slug);
-        const validated = schema.parse(cleaned);
-        console.log(`[PATCH] Validated data:`, Object.keys(validated));
         const originalDoc = await db.findByID({
           collection: slug,
           id,
           tenantID: ctxTenantID,
           draft: true
-          // Always fetch current doc regardless of status
         });
-        if (originalDoc) {
-          console.log(`[PATCH] Original doc updatedAt:`, originalDoc.updatedAt);
-        }
         if (!originalDoc) {
           return c.json({ error: "Document not found" }, 404);
         }
         if (baseUpdatedAt && originalDoc.updatedAt && baseUpdatedAt !== originalDoc.updatedAt) {
           return c.json(buildConflictResponse(baseUpdatedAt, originalDoc), 409);
         }
+        let validated = Object.fromEntries(
+          Object.entries(omitRevisionFields(body)).filter(
+            ([_, v]) => v !== "null" && v !== void 0
+          )
+        );
+        normalizeEmptyStrings(validated, collection.fields);
+        convertRichtextFields(collection.fields, validated);
+        const hookReq = c.req.raw;
+        if (collection.hooks?.beforeValidate) {
+          for (const hook of collection.hooks.beforeValidate) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "update"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
+        const schema = registry.getUpdateZodSchema(slug);
+        validated = schema.parse(validated);
+        if (collection.hooks?.beforeChange) {
+          for (const hook of collection.hooks.beforeChange) {
+            const hookResult = await hook({
+              collection: slug,
+              data: validated,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "update"
+            });
+            if (hookResult) Object.assign(validated, hookResult);
+          }
+        }
+        const isDraft = c.req.header("X-Draft") === "true";
         const isDraftEnabled = collection.versions?.drafts === true;
-        const isAlreadyPublished = originalDoc._status === "published";
+        const isAutosave = c.req.query("autosave") === "true";
         let doc;
-        if (isDraftEnabled && isAlreadyPublished) {
+        if (isDraftEnabled && isDraft) {
           await db.createVersion({
             collection: slug,
             documentId: id,
             data: validated,
             status: "draft",
+            autosave: isAutosave,
             createdBy: ctxUser?.id,
-            changeDescription: "Manual save (Draft)",
+            changeDescription: isAutosave ? "Autosave" : "Draft saved",
             tenantID: ctxTenantID
           });
+        } else if (isDraftEnabled) {
           await db.update({
             collection: slug,
             id,
-            data: { _has_draft: true },
-            // Keep old data, just set flag
+            data: { ...validated, status: "published" },
+            tenantID: ctxTenantID
+          });
+          await db.createVersion({
+            collection: slug,
+            documentId: id,
+            data: validated,
+            status: "published",
+            createdBy: ctxUser?.id,
+            changeDescription: "Published",
             tenantID: ctxTenantID
           });
         } else {
-          const saveData = isDraftEnabled ? { ...validated, _status: "draft", _has_draft: false } : validated;
           await db.update({
             collection: slug,
             id,
-            data: saveData,
+            data: validated,
             tenantID: ctxTenantID
           });
         }
@@ -5016,24 +5641,19 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           draft: true
         });
-        if (isDraftEnabled) {
-          if (!isAlreadyPublished) {
-            await db.createVersion({
+        if (collection.hooks?.afterChange) {
+          for (const hook of collection.hooks.afterChange) {
+            await hook({
               collection: slug,
-              documentId: id,
+              doc,
               data: validated,
-              status: "draft",
-              createdBy: ctxUser?.id,
-              changeDescription: "Manual save",
-              tenantID: ctxTenantID
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "update"
             });
           }
-        } else {
-          await db.deleteDraft({
-            collection: slug,
-            documentId: id,
-            tenantID: ctxTenantID
-          });
         }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "update"), {
@@ -5045,16 +5665,26 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
-        console.log(`[PATCH] Result doc updatedAt:`, doc?.updatedAt);
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, `${basePath}/${id}`, "PATCH", c.req.raw);
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_update",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: id,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: isDraftEnabled ? "Draft saved" : "Updated successfully" });
       } catch (error) {
         if (error.name === "ZodError") {
           console.error(`[PATCH ${basePath}/:id] Validation failed:`, error.errors);
           return c.json(
-            { error: "Validation failed", details: error.errors },
+            { error: `Validation failed: ${formatZodErrors(error.errors)}`, details: error.errors },
             400
           );
         }
+        console.error(`[PATCH ${basePath}/:id] ERROR:`, error.message, `CAUSE:`, error.cause?.message || error.cause, `QUERY:`, error.query);
         return c.json({ error: error.message }, 500);
       }
     });
@@ -5078,23 +5708,50 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         const id = c.req.param("id");
-        console.log(`[DELETE] Deleting ${slug}/${id}`);
+        const hookReq = c.req.raw;
         const originalDoc = await db.findByID({
           collection: slug,
           id,
-          tenantID: ctxTenantID
+          tenantID: ctxTenantID,
+          draft: true
         });
+        if (!originalDoc) {
+          return c.json({ error: "Document not found" }, 404);
+        }
+        if (collection.hooks?.beforeDelete) {
+          for (const hook of collection.hooks.beforeDelete) {
+            await hook({
+              collection: slug,
+              doc: originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "delete"
+            });
+          }
+        }
         const doc = await db.delete({
           collection: slug,
           id,
           tenantID: ctxTenantID
         });
-        await db.deleteDraft({
-          collection: slug,
-          documentId: id,
-          tenantID: ctxTenantID
-        });
+        if (collection.hooks?.afterDelete) {
+          for (const hook of collection.hooks.afterDelete) {
+            await hook({
+              collection: slug,
+              doc,
+              originalDoc,
+              req: hookReq,
+              user: ctxUser,
+              tenantID: ctxTenantID,
+              operation: "delete"
+            });
+          }
+        }
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "delete"), {
             collection: slug,
@@ -5105,6 +5762,16 @@ function createHonoApp(options) {
             tenantId: ctxTenantID
           }).catch((err) => console.error(`[Webhook] Failed to trigger:`, err));
         }
+        auditApiKeyUsage(sessionAuthAdapter, apiKeyContext, `${basePath}/${id}`, "DELETE", c.req.raw);
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "document_delete",
+            userId: ctxUser.id,
+            resource: slug,
+            resourceId: id,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: "Deleted successfully" });
       } catch (error) {
         console.error(`[DELETE] Error deleting ${slug}:`, error);
@@ -5113,7 +5780,6 @@ function createHonoApp(options) {
     });
     app.post(`${basePath}/:id/duplicate`, async (c) => {
       try {
-        console.log(`[Duplicate] Request for ${slug}`);
         const {
           user: ctxUser,
           tenantID: ctxTenantID,
@@ -5130,25 +5796,21 @@ function createHonoApp(options) {
           defaultCollectionAccess
         );
         if (!access.allowed) {
-          console.log("[Duplicate] Access denied:", access.error);
           return c.json({ error: access.error }, access.status || 403);
         }
         const id = c.req.param("id");
-        console.log(`[Duplicate] ID: ${id}`);
         const originalDoc = await db.findByID({
           collection: slug,
           id,
-          tenantID: ctxTenantID
+          tenantID: ctxTenantID,
+          draft: true
         });
         if (!originalDoc) {
-          console.log("[Duplicate] Document not found");
           return c.json({ error: "Document not found" }, 404);
         }
-        console.log(`[Duplicate] Original doc:`, originalDoc);
         const { id: _oldId, createdAt: _oldCreated, updatedAt: _oldUpdated, ...docData } = originalDoc;
         const timestamp = Date.now().toString(36);
         const newSlug = `${originalDoc.slug || "document"}-copy-${timestamp}`;
-        console.log(`[Duplicate] New slug: ${newSlug}`);
         const newDoc = await db.create({
           collection: slug,
           data: {
@@ -5158,7 +5820,6 @@ function createHonoApp(options) {
           },
           tenantID: ctxTenantID
         });
-        console.log(`[Duplicate] Created successfully:`, newDoc.id);
         return c.json({ data: newDoc, message: "Document duplicated successfully" });
       } catch (error) {
         console.error("[Duplicate] Error:", error);
@@ -5198,7 +5859,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: slug,
           id,
-          data: { ...version.data, _status: "draft", _has_draft: false },
+          data: { ...version.data, status: "draft" },
           tenantID: ctxTenantID
         });
         return c.json({
@@ -5243,7 +5904,7 @@ function createHonoApp(options) {
           const doc = await db.update({
             collection: slug,
             id: c.req.param("id"),
-            data: { ...version.data, _status: "draft", _has_draft: false },
+            data: { ...version.data, status: "draft" },
             tenantID: ctxTenantID
           });
           return c.json({
@@ -5276,6 +5937,9 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
+        if (ctxTenantID) {
+          db.setTenantContext({ tenantId: ctxTenantID, userId: ctxUser?.id ?? "", role: ctxUser?.role, isSuperAdmin: ctxUser?.role === "super_admin" });
+        }
         const id = c.req.param("id");
         const body = await c.req.json().catch(() => ({}));
         const baseUpdatedAt = readBaseUpdatedAt(body);
@@ -5291,9 +5955,9 @@ function createHonoApp(options) {
         if (baseUpdatedAt && originalDoc.updatedAt && baseUpdatedAt !== originalDoc.updatedAt) {
           return c.json(buildConflictResponse(baseUpdatedAt, originalDoc), 409);
         }
-        let publishData = { _status: "published", _has_draft: false };
+        let publishData = { status: "published" };
         let finalContent = originalDoc;
-        if (originalDoc._has_draft) {
+        if (collection.versions?.drafts) {
           const versions = await db.findVersions({
             collection: slug,
             documentId: id,
@@ -5301,9 +5965,10 @@ function createHonoApp(options) {
             sort: "-createdAt",
             tenantID: ctxTenantID
           });
-          if (versions.docs.length > 0 && versions.docs[0].status === "draft") {
-            finalContent = { ...originalDoc, ...versions.docs[0].data };
-            publishData = { ...versions.docs[0].data, ...publishData };
+          if (versions.docs.length > 0) {
+            const latestVersion = versions.docs[0];
+            finalContent = { ...originalDoc, ...latestVersion.data };
+            publishData = { ...latestVersion.data, ...publishData };
           }
         }
         const doc = await db.update({
@@ -5316,18 +5981,13 @@ function createHonoApp(options) {
           await db.createVersion({
             collection: slug,
             documentId: id,
-            data: { ...finalContent, _status: "published" },
+            data: { ...finalContent, status: "published" },
             status: "published",
             createdBy: ctxUser?.id,
             changeDescription: "Published",
             tenantID: ctxTenantID
           });
         }
-        await db.deleteDraft({
-          collection: slug,
-          documentId: id,
-          tenantID: ctxTenantID
-        });
         if (webhookService) {
           webhookService.trigger(getWebhookEvent(slug, "update"), {
             collection: slug,
@@ -5375,7 +6035,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: slug,
           id,
-          data: { _status: "draft" },
+          data: { status: "draft" },
           tenantID: ctxTenantID
         });
         if (webhookService) {
@@ -5410,13 +6070,31 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
-        const isDraftRequest = c.req.query("draft") === "true" && !!ctxUser;
-        const doc = await db.findOne({
+        const isDraftRequest = !!ctxUser;
+        let doc = await db.findOne({
           collection: `_globals_${slug}`,
           where: {},
           tenantID: ctxTenantID,
           draft: isDraftRequest
         });
+        if (slug === "system") {
+          const newSecret = crypto.randomBytes(32).toString("hex");
+          if (!doc) {
+            doc = await db.create({
+              collection: `_globals_${slug}`,
+              data: { id: slug, appSecret: newSecret },
+              tenantID: ctxTenantID
+            });
+          } else if (!doc.appSecret) {
+            await db.update({
+              collection: `_globals_${slug}`,
+              id: slug,
+              data: { appSecret: newSecret },
+              tenantID: ctxTenantID
+            });
+            doc.appSecret = newSecret;
+          }
+        }
         return c.json({ data: doc || {} });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -5436,18 +6114,20 @@ function createHonoApp(options) {
         if (!access.allowed) {
           return c.json({ error: access.error }, access.status || 403);
         }
-        const body = await c.req.json();
+        const body = omitRevisionFields(await c.req.json());
         const cleaned = Object.fromEntries(
           Object.entries(body).filter(([_, v]) => v !== null && v !== "null" && v !== void 0)
         );
-        const schema = registry.getZodSchema(slug);
+        normalizeEmptyStrings(cleaned, globalConfig.fields);
+        convertRichtextFields(globalConfig.fields, cleaned);
+        const schema = registry.getUpdateZodSchema(slug);
         let validated;
         try {
           validated = schema.parse(cleaned);
         } catch (zodErr) {
-          return c.json({ error: "Validation failed", details: zodErr.errors }, 400);
+          return c.json({ error: `Validation failed: ${formatZodErrors(zodErr.errors)}`, details: zodErr.errors }, 400);
         }
-        const SYSTEM_FIELDS = /* @__PURE__ */ new Set(["id", "createdAt", "updatedAt", "_status", "_has_draft"]);
+        const SYSTEM_FIELDS = /* @__PURE__ */ new Set(["id", "createdAt", "updatedAt", "status", "baseUpdatedAt", "_baseUpdatedAt"]);
         const userData = Object.fromEntries(
           Object.entries(validated).filter(([k]) => !SYSTEM_FIELDS.has(k))
         );
@@ -5458,49 +6138,68 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           draft: true
         });
+        const isDraft = c.req.header("X-Draft") === "true";
         const isDraftEnabled = globalConfig.versions?.drafts === true;
-        const isAlreadyPublished = originalDoc?._status === "published";
+        const isAutosave = c.req.query("autosave") === "true";
         let doc;
-        if (isDraftEnabled && isAlreadyPublished) {
+        if (isDraftEnabled && isDraft) {
           await db.createVersion({
             collection: collectionSlug,
             documentId: slug,
             data: userData,
             status: "draft",
+            autosave: isAutosave,
             createdBy: ctxUser?.id,
-            changeDescription: "Manual save (Draft)",
-            tenantID: ctxTenantID
-          });
-          doc = await db.update({
-            collection: collectionSlug,
-            id: slug,
-            data: { _has_draft: true },
+            changeDescription: isAutosave ? "Autosave" : "Manual save",
             tenantID: ctxTenantID
           });
-        } else {
-          const saveData = isDraftEnabled ? { ...userData, _status: "draft", _has_draft: false } : { ...userData, _status: "published", _has_draft: false };
+          if (!originalDoc) {
+            doc = await db.create({
+              collection: collectionSlug,
+              data: { ...userData, id: slug, status: "draft" },
+              tenantID: ctxTenantID
+            });
+          } else {
+            doc = originalDoc;
+          }
+        } else if (isDraftEnabled && !isDraft) {
+          const publishStatus = "published";
           if (originalDoc) {
             doc = await db.update({
               collection: collectionSlug,
               id: slug,
-              data: saveData,
+              data: { ...userData, status: publishStatus },
               tenantID: ctxTenantID
             });
           } else {
             doc = await db.create({
               collection: collectionSlug,
-              data: { ...saveData, id: slug },
+              data: { ...userData, id: slug, status: publishStatus },
               tenantID: ctxTenantID
             });
           }
-          if (isDraftEnabled) {
-            await db.createVersion({
+          await db.createVersion({
+            collection: collectionSlug,
+            documentId: slug,
+            data: userData,
+            status: publishStatus,
+            autosave: false,
+            createdBy: ctxUser?.id,
+            changeDescription: "Published",
+            tenantID: ctxTenantID
+          });
+        } else {
+          if (originalDoc) {
+            doc = await db.update({
               collection: collectionSlug,
-              documentId: slug,
+              id: slug,
               data: userData,
-              status: "draft",
-              createdBy: ctxUser?.id,
-              changeDescription: "Manual save",
+              tenantID: ctxTenantID
+            });
+          } else {
+            doc = await db.create({
+              collection: collectionSlug,
+              data: { ...userData, id: slug },
               tenantID: ctxTenantID
             });
           }
@@ -5509,6 +6208,22 @@ function createHonoApp(options) {
           mediaService = null;
           mediaServiceInitError = null;
         }
+        if (slug === "email-settings") {
+          const newEmailTransport = await EmailTransport.fromConfig(db);
+          authRoutes.email = newEmailTransport || void 0;
+        }
+        if (slug === "system") {
+          await loadSecrets();
+        }
+        if (ctxUser) {
+          sessionAuthAdapter?.createAuditLog({
+            action: "settings_change",
+            userId: ctxUser.id,
+            resource: `global:${slug}`,
+            resourceId: slug,
+            success: true
+          });
+        }
         return c.json({ data: doc, message: "Updated successfully" });
       } catch (error) {
         console.error(`[API] Save global "${slug}" failed:`, error);
@@ -5533,9 +6248,9 @@ function createHonoApp(options) {
           draft: true
         });
         if (!originalDoc) return c.json({ error: "Global not found" }, 404);
-        let publishData = { _status: "published", _has_draft: false };
+        let publishData = { status: "published" };
         let finalContent = originalDoc;
-        if (originalDoc._has_draft) {
+        if (globalConfig.versions?.drafts) {
           const versions = await db.findVersions({
             collection: collectionSlug,
             documentId: slug,
@@ -5543,7 +6258,7 @@ function createHonoApp(options) {
             sort: "-createdAt",
             tenantID: ctxTenantID
           });
-          if (versions.docs.length > 0 && versions.docs[0].status === "draft") {
+          if (versions.docs.length > 0) {
             finalContent = { ...originalDoc, ...versions.docs[0].data };
             publishData = { ...versions.docs[0].data, ...publishData };
           }
@@ -5558,7 +6273,7 @@ function createHonoApp(options) {
           await db.createVersion({
             collection: collectionSlug,
             documentId: slug,
-            data: { ...finalContent, _status: "published" },
+            data: { ...finalContent, status: "published" },
             status: "published",
             createdBy: ctxUser?.id,
             changeDescription: "Published",
@@ -5578,7 +6293,7 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: `_globals_${slug}`,
           id: slug,
-          data: { _status: "draft", _has_draft: false },
+          data: { status: "draft" },
           tenantID: ctxTenantID
         });
         return c.json({ data: doc, message: "Unpublished successfully" });
@@ -5638,9 +6353,13 @@ function createHonoApp(options) {
         const doc = await db.update({
           collection: collectionSlug,
           id: slug,
-          data: { ...version.data, _status: "draft", _has_draft: false },
+          data: { ...version.data, status: "draft" },
           tenantID: ctxTenantID
         });
+        return c.json({
+          data: doc,
+          message: "Version restored successfully"
+        });
         return c.json({ data: doc, message: "Restored successfully" });
       } catch (error) {
         return c.json({ error: error.message }, 500);
@@ -5742,6 +6461,6 @@ function createRESTAPI(registry, db, options) {
   });
 }
-export { AuditLogger, AuthRoutes, InMemoryAuditLogger, InMemoryRateLimiter, MediaService, createAuditContext2 as createAuditContext, createHonoApp, createLocalStorage, createRESTAPI, getAppSecret, getEncryptionKey, getSessionConfig, init_secret, loadSecrets, resolveProvider, setDbAdapter };
-//# sourceMappingURL=chunk-HXRD4B37.js.map
-//# sourceMappingURL=chunk-HXRD4B37.js.map
+export { AuditLogger, AuthRoutes, InMemoryAuditLogger, InMemoryRateLimiter, MediaService, createAuditContext2 as createAuditContext, createCloudinaryStorage, createFtpStorage, createHonoApp, createLocalStorage, createRESTAPI, createS3Storage, getAppSecret, getDefaultRegistry, getEncryptionKey, getSessionConfig, init_secret, loadSecrets, resolveProvider, setDbAdapter };
+//# sourceMappingURL=chunk-IPTZM3VE.js.map
+//# sourceMappingURL=chunk-IPTZM3VE.js.map