@kyro-cms/core 0.9.0 → 0.9.2

package/dist/{chunk-3AJE4SEG.js → chunk-OHC6UHFY.js}

@@ -1,5 +1,6 @@
-import { WEBHOOK_EVENTS, createWebhookService, extractApiKeyFromRequest, validateApiKey, createApiKeyContext } from './chunk-QXIQWPAP.js';
-import { evaluateAccess } from './chunk-SDMNUYVU.js';
+import { WEBHOOK_EVENTS, createWebhookService } from './chunk-3UK5XBVJ.js';
+import { extractApiKeyFromRequest, validateApiKey, createApiKeyContext, hasApiKeyPermission, evaluateAccess } from './chunk-CJONKRHJ.js';
+import { hasPermission } from './chunk-L4EZKIEX.js';
 
 // src/api/trpc/context.ts
 async function createContext(options) {
@@ -15,7 +16,14 @@ async function createContext(options) {
   };
   const apiKeyRaw = extractApiKeyFromRequest(options.req);
   if (apiKeyRaw) {
-    const result = await validateApiKey(apiKeyRaw, options.db);
+    const result = await validateApiKey(apiKeyRaw, options.db, async (userId) => {
+      try {
+        const user = await options.db.findByID({ collection: "users", id: userId });
+        return user || null;
+      } catch {
+        return null;
+      }
+    });
     if (result.valid) {
       baseContext.user = result.user || options.user;
       baseContext.tenantID = result.tenantId || options.tenantID;
@@ -53,18 +61,85 @@ async function triggerWebhook(ctx, event, payload) {
     console.error(`[Webhook] Failed to trigger ${event}:`, err);
   }
 }
+function normalizeEmptyStrings(data, fields) {
+  if (!data || typeof data !== "object") return;
+  for (const field of fields) {
+    if (!field.name || !(field.name in data)) continue;
+    const val = data[field.name];
+    if (val === "") {
+      const isTextual = field.type === "text" || field.type === "textarea" || field.type === "code" || field.type === "markdown" || field.type === "email" || field.type === "password" || field.type === "color";
+      if (!isTextual) data[field.name] = null;
+    }
+    if (field.type === "tabs" && field.name && Array.isArray(field.tabs) && data[field.name] && typeof data[field.name] === "object") {
+      for (const tab of field.tabs) {
+        if (Array.isArray(tab.fields)) normalizeEmptyStrings(data[field.name], tab.fields);
+      }
+    } else if ((field.type === "group" || field.type === "collapsible") && field.name && Array.isArray(field.fields) && data[field.name] && typeof data[field.name] === "object") {
+      normalizeEmptyStrings(data[field.name], field.fields);
+    } else if (field.type === "array" && field.name && Array.isArray(field.fields) && Array.isArray(data[field.name])) {
+      for (const item of data[field.name]) {
+        if (item && typeof item === "object") normalizeEmptyStrings(item, field.fields);
+      }
+    } else if (field.type === "blocks" && field.name && Array.isArray(field.blocks) && Array.isArray(data[field.name])) {
+      for (const item of data[field.name]) {
+        if (!item || typeof item !== "object") continue;
+        const blockTypeStr = item.type || item.blockType;
+        if (!blockTypeStr) continue;
+        const blockDef = field.blocks.find((b) => b.slug === blockTypeStr);
+        if (!blockDef || !Array.isArray(blockDef.fields)) continue;
+        const target = item.data && typeof item.data === "object" ? item.data : item;
+        normalizeEmptyStrings(target, blockDef.fields);
+      }
+    }
+  }
+}
+async function checkTRPCAccess(config, operation, ctx) {
+  const accessRule = config.access?.[operation];
+  const apiKey = ctx.apiKey;
+  if (apiKey && apiKey.permissions && apiKey.permissions.length > 0) {
+    const resource = config.slug;
+    const action = operation === "read" ? "read" : operation === "create" ? "create" : "update";
+    const permission = `${resource}:${action}`;
+    if (!hasApiKeyPermission(apiKey.permissions, permission) && !hasApiKeyPermission(apiKey.permissions, `${resource}:admin`)) {
+      throw new Error(`Access denied: missing API key permission ${permission}`);
+    }
+  }
+  if (ctx.user && !(apiKey && apiKey.permissions && apiKey.permissions.length > 0)) {
+    const resource = config.slug;
+    const action = operation === "read" ? "read" : operation === "create" ? "create" : operation === "update" ? "update" : "delete";
+    const permission = `${resource}:${action}`;
+    const userHasPermission = hasPermission(
+      { id: ctx.user.id, email: ctx.user.email, role: ctx.user.role },
+      permission
+    );
+    if (!userHasPermission && !hasPermission(
+      { id: ctx.user.id, email: ctx.user.email, role: ctx.user.role },
+      `${resource}:admin`
+    )) {
+      if (!accessRule) {
+        throw new Error(`Access denied: missing RBAC permission ${permission}`);
+      }
+    }
+  }
+  if (accessRule) {
+    const allowed = await evaluateAccess(accessRule, {
+      req: ctx.req,
+      user: ctx.user,
+      tenantID: ctx.tenantID
+    });
+    if (allowed === false) throw new Error("Access denied");
+  } else if (!ctx.user && !ctx.apiKey) {
+    throw new Error("Access denied: authentication required");
+  }
+  if (ctx.tenantID) {
+    ctx.db.setTenantContext({ tenantId: ctx.tenantID, userId: ctx.user?.id ?? "", role: ctx.user?.role, isSuperAdmin: ctx.user?.role === "super_admin" });
+  }
+}
 function createFindProcedure(ctx) {
   return async (input) => {
-    const { collection, where, sort, limit, page, depth, select } = input;
+    const { collection, where, sort, limit, page, depth, select, draft } = input;
     const config = ctx.registry.getCollection(collection);
-    if (config.access?.read) {
-      const allowed = await evaluateAccess(config.access.read, {
-        req: ctx.req,
-        user: ctx.user,
-        tenantID: ctx.tenantID
-      });
-      if (allowed === false) throw new Error("Access denied");
-    }
+    await checkTRPCAccess(config, "read", ctx);
     if (config.hooks?.beforeRead) {
       for (const hook of config.hooks.beforeRead) {
         await hook({
@@ -77,6 +152,7 @@ function createFindProcedure(ctx) {
         });
       }
     }
+    const isDraft = draft ?? !!ctx.user;
     const result = await ctx.db.find({
       collection,
       where: where || {},
@@ -85,7 +161,8 @@ function createFindProcedure(ctx) {
       page: page || 1,
       depth: depth || 0,
       tenantID: ctx.tenantID,
-      select
+      select,
+      draft: isDraft
     });
     if (config.hooks?.afterRead) {
       for (const doc of result.docs) {
@@ -106,23 +183,17 @@ function createFindProcedure(ctx) {
 }
 function createFindByIDProcedure(ctx) {
   return async (input) => {
-    const { collection, id, depth, select } = input;
+    const { collection, id, depth, select, draft } = input;
     const config = ctx.registry.getCollection(collection);
-    if (config.access?.read) {
-      const allowed = await evaluateAccess(config.access.read, {
-        req: ctx.req,
-        user: ctx.user,
-        tenantID: ctx.tenantID,
-        id
-      });
-      if (allowed === false) throw new Error("Access denied");
-    }
+    await checkTRPCAccess(config, "read", ctx);
+    const isDraft = draft ?? !!ctx.user;
     const doc = await ctx.db.findByID({
       collection,
       id,
       depth: depth || 0,
       tenantID: ctx.tenantID,
-      select
+      select,
+      draft: isDraft
     });
     if (!doc) throw new Error(`Document not found: ${collection}/${id}`);
     if (config.hooks?.afterRead) {
@@ -145,15 +216,7 @@ function createCreateProcedure(ctx) {
   return async (input) => {
     const { collection, data, depth, select } = input;
     const config = ctx.registry.getCollection(collection);
-    if (config.access?.create) {
-      const allowed = await evaluateAccess(config.access.create, {
-        req: ctx.req,
-        user: ctx.user,
-        tenantID: ctx.tenantID,
-        data
-      });
-      if (allowed === false) throw new Error("Access denied");
-    }
+    await checkTRPCAccess(config, "create", ctx);
     const schema = ctx.registry.getCreateZodSchema(collection);
     const validated = schema.parse(data);
     if (config.tenantScoped && ctx.tenantID) {
@@ -215,26 +278,21 @@ function createCreateProcedure(ctx) {
 }
 function createUpdateProcedure(ctx) {
   return async (input) => {
-    const { collection, id, data, depth, select } = input;
+    const { collection, id, data, depth, select, baseUpdatedAt } = input;
     const config = ctx.registry.getCollection(collection);
+    await checkTRPCAccess(config, "update", ctx);
     const originalDoc = await ctx.db.findByID({
       collection,
       id,
-      tenantID: ctx.tenantID
+      tenantID: ctx.tenantID,
+      draft: true
     });
     if (!originalDoc)
       throw new Error(`Document not found: ${collection}/${id}`);
-    if (config.access?.update) {
-      const allowed = await evaluateAccess(config.access.update, {
-        req: ctx.req,
-        user: ctx.user,
-        tenantID: ctx.tenantID,
-        id,
-        doc: originalDoc,
-        data
-      });
-      if (allowed === false) throw new Error("Access denied");
+    if (baseUpdatedAt && originalDoc.updatedAt && baseUpdatedAt !== originalDoc.updatedAt) {
+      throw new Error(`Revision conflict: document has changed since ${baseUpdatedAt}. Current updatedAt: ${originalDoc.updatedAt}`);
     }
+    normalizeEmptyStrings(data, config.fields);
     const schema = ctx.registry.getUpdateZodSchema(collection);
     const validated = schema.parse(data);
     if (config.tenantScoped && ctx.tenantID) {
@@ -270,14 +328,48 @@ function createUpdateProcedure(ctx) {
         if (hookResult) Object.assign(validated, hookResult);
       }
     }
-    const doc = await ctx.db.update({
-      collection,
-      id,
-      data: validated,
-      depth: depth || 0,
-      tenantID: ctx.tenantID,
-      select
-    });
+    const isDraft = ctx.req && typeof ctx.req.headers?.get === "function" && ctx.req.headers.get("x-draft") === "true" || input.draft === true;
+    const isDraftEnabled = config.versions?.drafts === true;
+    const isAutosave = ctx.req?.query?.autosave === "true" || ctx.req?.url?.includes("autosave=true") || input.autosave === true;
+    let doc;
+    if (isDraftEnabled && isDraft) {
+      await ctx.db.createVersion({
+        collection,
+        documentId: id,
+        data: validated,
+        status: "draft",
+        autosave: isAutosave,
+        createdBy: ctx.user?.id,
+        tenantID: ctx.tenantID
+      });
+      doc = await ctx.db.findByID({ collection, id, tenantID: ctx.tenantID, draft: true });
+    } else if (isDraftEnabled) {
+      doc = await ctx.db.update({
+        collection,
+        id,
+        data: { ...validated, status: "published" },
+        depth: depth || 0,
+        tenantID: ctx.tenantID,
+        select
+      });
+      await ctx.db.createVersion({
+        collection,
+        documentId: id,
+        data: validated,
+        status: "published",
+        createdBy: ctx.user?.id,
+        tenantID: ctx.tenantID
+      });
+    } else {
+      doc = await ctx.db.update({
+        collection,
+        id,
+        data: validated,
+        depth: depth || 0,
+        tenantID: ctx.tenantID,
+        select
+      });
+    }
     if (config.hooks?.afterChange) {
       for (const hook of config.hooks.afterChange) {
         await hook({
@@ -306,23 +398,15 @@ function createDeleteProcedure(ctx) {
   return async (input) => {
     const { collection, id } = input;
     const config = ctx.registry.getCollection(collection);
+    await checkTRPCAccess(config, "delete", ctx);
     const originalDoc = await ctx.db.findByID({
       collection,
       id,
-      tenantID: ctx.tenantID
+      tenantID: ctx.tenantID,
+      draft: true
     });
     if (!originalDoc)
       throw new Error(`Document not found: ${collection}/${id}`);
-    if (config.access?.delete) {
-      const allowed = await evaluateAccess(config.access.delete, {
-        req: ctx.req,
-        user: ctx.user,
-        tenantID: ctx.tenantID,
-        id,
-        doc: originalDoc
-      });
-      if (allowed === false) throw new Error("Access denied");
-    }
     if (config.hooks?.beforeDelete) {
       for (const hook of config.hooks.beforeDelete) {
         await hook({
@@ -367,14 +451,7 @@ function createCountProcedure(ctx) {
   return async (input) => {
     const { collection, where } = input;
     const config = ctx.registry.getCollection(collection);
-    if (config.access?.read) {
-      const allowed = await evaluateAccess(config.access.read, {
-        req: ctx.req,
-        user: ctx.user,
-        tenantID: ctx.tenantID
-      });
-      if (allowed === false) throw new Error("Access denied");
-    }
+    await checkTRPCAccess(config, "read", ctx);
     const totalDocs = await ctx.db.count({
       collection,
       where: where || {},
@@ -385,6 +462,44 @@ function createCountProcedure(ctx) {
 }
 
 // src/api/trpc/router.ts
+async function checkGlobalAccessTRPC(global, operation, ctx) {
+  const accessRule = global.access?.[operation];
+  const apiKey = ctx.apiKey;
+  if (apiKey && apiKey.permissions && apiKey.permissions.length > 0) {
+    const permission = `globals:${operation}`;
+    if (!hasApiKeyPermission(apiKey.permissions, permission) && !hasApiKeyPermission(apiKey.permissions, "globals:admin")) {
+      throw new Error(`Access denied: missing API key permission ${permission}`);
+    }
+  }
+  if (ctx.user) {
+    const permission = `globals:${operation}`;
+    const userHasPermission = hasPermission(
+      { id: ctx.user.id, email: ctx.user.email, role: ctx.user.role },
+      permission
+    );
+    if (!userHasPermission && !hasPermission(
+      { id: ctx.user.id, email: ctx.user.email, role: ctx.user.role },
+      "globals:admin"
+    )) {
+      if (!accessRule) {
+        throw new Error(`Access denied: missing RBAC permission ${permission}`);
+      }
+    }
+  }
+  if (accessRule) {
+    const allowed = await evaluateAccess(accessRule, {
+      req: ctx.req,
+      user: ctx.user,
+      tenantID: ctx.tenantID
+    });
+    if (allowed === false) throw new Error("Access denied");
+  } else if (!ctx.user && !ctx.apiKey) {
+    throw new Error("Access denied: authentication required");
+  }
+  if (ctx.tenantID) {
+    ctx.db.setTenantContext({ tenantId: ctx.tenantID, userId: ctx.user?.id ?? "", role: ctx.user?.role, isSuperAdmin: ctx.user?.role === "super_admin" });
+  }
+}
 function createDynamicRouter(ctx) {
   const router = {};
   const collections = ctx.registry.getCollections();
@@ -404,6 +519,7 @@ function createDynamicRouter(ctx) {
     const slug = global.slug;
     router[`_globals_${slug}`] = {
       get: async () => {
+        await checkGlobalAccessTRPC(global, "read", ctx);
         const doc = await ctx.db.findOne({
           collection: `_globals_${slug}`,
           where: {},
@@ -412,13 +528,29 @@ function createDynamicRouter(ctx) {
         return doc;
       },
       update: async (input) => {
+        await checkGlobalAccessTRPC(global, "update", ctx);
         const schema = ctx.registry.getZodSchema(slug);
         const validated = schema.parse(input.data);
-        const doc = await ctx.db.create({
+        const existing = await ctx.db.findOne({
           collection: `_globals_${slug}`,
-          data: { ...validated, id: slug },
+          where: {},
           tenantID: ctx.tenantID
         });
+        let doc;
+        if (existing) {
+          doc = await ctx.db.update({
+            collection: `_globals_${slug}`,
+            id: existing.id,
+            data: validated,
+            tenantID: ctx.tenantID
+          });
+        } else {
+          doc = await ctx.db.create({
+            collection: `_globals_${slug}`,
+            data: { ...validated, id: slug },
+            tenantID: ctx.tenantID
+          });
+        }
         return doc;
       }
     };
@@ -434,5 +566,5 @@ function createKyroServer(ctx) {
 }
 
 export { createContext, createCountProcedure, createCreateProcedure, createDeleteProcedure, createDynamicRouter, createFindByIDProcedure, createFindProcedure, createKyroServer, createUpdateProcedure };
-//# sourceMappingURL=chunk-3AJE4SEG.js.map
-//# sourceMappingURL=chunk-3AJE4SEG.js.map
+//# sourceMappingURL=chunk-OHC6UHFY.js.map
+//# sourceMappingURL=chunk-OHC6UHFY.js.map

package/dist/chunk-OHC6UHFY.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/api/trpc/context.ts","../src/api/trpc/procedures.ts","../src/api/trpc/router.ts"],"names":[],"mappings":";;;;;AAsCA,eAAsB,cAAc,OAAA,EAOX;AACvB,EAAA,MAAM,cAAA,GAAiB,oBAAA,CAAqB,OAAA,CAAQ,EAAE,CAAA;AAEtD,EAAA,MAAM,WAAA,GAA2B;AAAA,IAC/B,IAAI,OAAA,CAAQ,EAAA;AAAA,IACZ,UAAU,OAAA,CAAQ,QAAA;AAAA,IAClB,KAAK,OAAA,CAAQ,GAAA;AAAA,IACb,MAAM,OAAA,CAAQ,IAAA;AAAA,IACd,UAAU,OAAA,CAAQ,QAAA;AAAA,IAClB,cAAA;AAAA,IACA,UAAU,OAAA,CAAQ;AAAA,GACpB;AAEA,EAAA,MAAM,SAAA,GAAY,wBAAA,CAAyB,OAAA,CAAQ,GAAU,CAAA;AAC7D,EAAA,IAAI,SAAA,EAAW;AACb,IAAA,MAAM,SAAS,MAAM,cAAA,CAAe,WAAW,OAAA,CAAQ,EAAA,EAAI,OAAO,MAAA,KAAW;AAC3E,MAAA,IAAI;AACF,QAAA,MAAM,IAAA,GAAO,MAAM,OAAA,CAAQ,EAAA,CAAG,QAAA,CAAS,EAAE,UAAA,EAAY,OAAA,EAAS,EAAA,EAAI,MAAA,EAAQ,CAAA;AAC1E,QAAA,OAAO,IAAA,IAAQ,IAAA;AAAA,MACjB,CAAA,CAAA,MAAQ;AACN,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF,CAAC,CAAA;AACD,IAAA,IAAI,OAAO,KAAA,EAAO;AAChB,MAAA,WAAA,CAAY,IAAA,GAAQ,MAAA,CAAO,IAAA,IAAiB,OAAA,CAAQ,IAAA;AACpD,MAAA,WAAA,CAAY,QAAA,GAAW,MAAA,CAAO,QAAA,IAAY,OAAA,CAAQ,QAAA;AAClD,MAAA,WAAA,CAAY,MAAA,GAAS,oBAAoB,MAAM,CAAA;AAAA,IACjD;AAAA,EACF;AAEA,EAAA,OAAO,WAAA;AACT;;;AC5DA,IAAM,oBAAA,GAGF;AAAA,EACF,MAAA,EAAQ;AAAA,IACN,QAAQ,cAAA,CAAe,YAAA;AAAA,IACvB,QAAQ,cAAA,CAAe,YAAA;AAAA,IACvB,QAAQ,cAAA,CAAe;AAAA;AAE3B,CAAA;AAEA,SAAS,eAAA,CACP,YACA,SAAA,EACc;AACd,EAAA,MAAM,MAAA,GAAS,qBAAqB,UAAU,CAAA;AAC9C,EAAA,IAAI,MAAA,EAAQ,OAAO,MAAA,CAAO,SAAS,CAAA;AACnC,EAAA,OAAO,cAAc,SAAS,CAAA,CAAA;AAChC;AAEA,eAAe,cAAA,CACb,GAAA,EACA,KAAA,EACA,OAAA,EAMA;AACA,EAAA,IAAI,CAAC,IAAI,cAAA,EAAgB;AACzB,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,CAAI,cAAA,CAAe,OAAA,CAAQ,KAAA,EAAO;AAAA,MACtC,YAAY,OAAA,CAAQ,UAAA;AAAA,MACpB,WAAW,OAAA,CAAQ,SAAA;AAAA,MACnB,MAAM,OAAA,CAAQ,IAAA;AAAA,MACd,cAAc,OAAA,CAAQ,YAAA;AAAA,MACtB,MAAM,GAAA,CAAI,IAAA,GACN,EAAE,EAAA,EAAI,IAAI,IAAA,CAAK,EAAA,EAAI,KAAA,EAAO,GAAA,CAAI,KAAK,KAAA,EAAO,IAAA,EAAM,GAAA,CAAI,IAAA,CAAK,MAAK,GAC9D,KAAA,CAAA;AAAA,MACJ,UAAU,GAAA,CAAI;AAAA,KACf,CAAA;AAAA,EACH,SAAS,GAAA,EAAK;AACZ,IAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,4BAAA,EAA+B,KAAK,CAAA,CAAA,CAAA,EAAK,GAAG,CAAA;AAAA,EAC5D;AACF;AAMA,SAAS,qBAAA,CAAsB,MAAW,MAAA,EAAuB;AAC/D,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,EAAU;AACvC,EAAA,KAAA,MAAW,SAAS,MAAA,EAAQ;AAC1B,IAAA,IAAI,CAAC,KAAA,CAAM,IAAA,IAAQ,EAAE,KAAA,CAAM,QAAQ,IAAA,CAAA,EAAO;AAC1C,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA;AAC3B,IAAA,IAAI,QAAQ,EAAA,EAAI;AACd,MAAA,MAAM,SAAA,GAAY,MAAM,IAAA,KAAS,MAAA,IAAU,MAAM,IAAA,KAAS,UAAA,IAAc,MAAM,IAAA,KAAS,MAAA,IAAU,MAAM,IAAA,KAAS,UAAA,IAAc,MAAM,IAAA,KAAS,OAAA,IAAW,MAAM,IAAA,KAAS,UAAA,IAAc,MAAM,IAAA,KAAS,OAAA;AACpM,MAAA,IAAI,CAAC,SAAA,EAAW,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA,GAAI,IAAA;AAAA,IACrC;AACA,IAAA,IAAI,MAAM,IAAA,KAAS,MAAA,IAAU,MAAM,IAAA,IAAQ,KAAA,CAAM,QAAS,KAAA,CAAc,IAAI,KAAK,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA,IAAK,OAAO,KAAK,KAAA,CAAM,IAAI,MAAM,QAAA,EAAU;AACzI,MAAA,KAAA,MAAW,GAAA,IAAQ,MAAc,IAAA,EAAM;AACrC,QAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAA,CAAI,MAAM,CAAA,EAAG,qBAAA,CAAsB,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA,EAAG,GAAA,CAAI,MAAiB,CAAA;AAAA,MAC9F;AAAA,IACF,CAAA,MAAA,IAAA,CAAY,MAAM,IAAA,KAAS,OAAA,IAAW,MAAM,IAAA,KAAS,aAAA,KAAkB,KAAA,CAAM,IAAA,IAAQ,KAAA,CAAM,OAAA,CAAS,MAAc,MAAM,CAAA,IAAK,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA,IAAK,OAAO,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA,KAAM,QAAA,EAAU;AACrL,MAAA,qBAAA,CAAsB,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA,EAAI,MAAc,MAAiB,CAAA;AAAA,IAC1E,WAAW,KAAA,CAAM,IAAA,KAAS,OAAA,IAAW,KAAA,CAAM,QAAQ,KAAA,CAAM,OAAA,CAAS,KAAA,CAAc,MAAM,KAAK,KAAA,CAAM,OAAA,CAAQ,KAAK,KAAA,CAAM,IAAI,CAAC,CAAA,EAAG;AAC1H,MAAA,KAAA,MAAW,IAAA,IAAQ,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA,EAAG;AACnC,QAAA,IAAI,QAAQ,OAAO,IAAA,KAAS,UAAU,qBAAA,CAAsB,IAAA,EAAO,MAAc,MAAiB,CAAA;AAAA,MACpG;AAAA,IACF,WAAW,KAAA,CAAM,IAAA,KAAS,QAAA,IAAY,KAAA,CAAM,QAAQ,KAAA,CAAM,OAAA,CAAS,KAAA,CAAc,MAAM,KAAK,KAAA,CAAM,OAAA,CAAQ,KAAK,KAAA,CAAM,IAAI,CAAC,CAAA,EAAG;AAC3H,MAAA,KAAA,MAAW,IAAA,IAAQ,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA,EAAG;AACnC,QAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,EAAU;AACvC,QAAA,MAAM,YAAA,GAAe,IAAA,CAAK,IAAA,IAAQ,IAAA,CAAK,SAAA;AACvC,QAAA,IAAI,CAAC,YAAA,EAAc;AACnB,QAAA,MAAM,QAAA,GAAY,MAAc,MAAA,CAAO,IAAA,CAAK,CAAC,CAAA,KAAW,CAAA,CAAE,SAAS,YAAY,CAAA;AAC/E,QAAA,IAAI,CAAC,QAAA,IAAY,CAAC,MAAM,OAAA,CAAQ,QAAA,CAAS,MAAM,CAAA,EAAG;AAClD,QAAA,MAAM,MAAA,GAAS,KAAK,IAAA,IAAQ,OAAO,KAAK,IAAA,KAAS,QAAA,GAAW,KAAK,IAAA,GAAO,IAAA;AACxE,QAAA,qBAAA,CAAsB,MAAA,EAAQ,SAAS,MAAiB,CAAA;AAAA,MAC1D;AAAA,IACF;AAAA,EACF;AACF;AAMA,eAAe,eAAA,CACb,MAAA,EACA,SAAA,EACA,GAAA,EACe;AACf,EAAA,MAAM,UAAA,GAAa,MAAA,CAAO,MAAA,GAAS,SAAS,CAAA;AAG5C,EAAA,MAAM,SAAS,GAAA,CAAI,MAAA;AACnB,EAAA,IAAI,UAAU,MAAA,CAAO,WAAA,IAAe,MAAA,CAAO,WAAA,CAAY,SAAS,CAAA,EAAG;AACjE,IAAA,MAAM,WAAW,MAAA,CAAO,IAAA;AACxB,IAAA,MAAM,SAAS,SAAA,KAAc,MAAA,GAAS,MAAA,GAAS,SAAA,KAAc,WAAW,QAAA,GAAW,QAAA;AACnF,IAAA,MAAM,UAAA,GAAa,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,MAAM,CAAA,CAAA;AACxC,IAAA,IACE,CAAC,mBAAA,CAAoB,MAAA,CAAO,WAAA,EAAa,UAAU,CAAA,IACnD,CAAC,mBAAA,CAAoB,MAAA,CAAO,WAAA,EAAa,CAAA,EAAG,QAAQ,QAAQ,CAAA,EAC5D;AACA,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,0CAAA,EAA6C,UAAU,CAAA,CAAE,CAAA;AAAA,IAC3E;AAAA,EACF;AAGA,EAAA,IAAI,GAAA,CAAI,QAAQ,EAAE,MAAA,IAAU,OAAO,WAAA,IAAe,MAAA,CAAO,WAAA,CAAY,MAAA,GAAS,CAAA,CAAA,EAAI;AAChF,IAAA,MAAM,WAAW,MAAA,CAAO,IAAA;AACxB,IAAA,MAAM,MAAA,GAAS,cAAc,MAAA,GAAS,MAAA,GAAS,cAAc,QAAA,GAAW,QAAA,GAAW,SAAA,KAAc,QAAA,GAAW,QAAA,GAAW,QAAA;AACvH,IAAA,MAAM,UAAA,GAAa,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,MAAM,CAAA,CAAA;AACxC,IAAA,MAAM,iBAAA,GAAoB,aAAA;AAAA,MACxB,EAAE,EAAA,EAAI,GAAA,CAAI,IAAA,CAAK,EAAA,EAAI,KAAA,EAAO,GAAA,CAAI,IAAA,CAAK,KAAA,EAAO,IAAA,EAAM,GAAA,CAAI,IAAA,CAAK,IAAA,EAAK;AAAA,MAC9D;AAAA,KACF;AACA,IAAA,IAAI,CAAC,qBAAqB,CAAC,aAAA;AAAA,MACzB,EAAE,EAAA,EAAI,GAAA,CAAI,IAAA,CAAK,EAAA,EAAI,KAAA,EAAO,GAAA,CAAI,IAAA,CAAK,KAAA,EAAO,IAAA,EAAM,GAAA,CAAI,IAAA,CAAK,IAAA,EAAK;AAAA,MAC9D,GAAG,QAAQ,CAAA,MAAA;AAAA,KACb,EAAG;AACD,MAAA,IAAI,CAAC,UAAA,EAAY;AACf,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uCAAA,EAA0C,UAAU,CAAA,CAAE,CAAA;AAAA,MACxE;AAAA,IACF;AAAA,EACF;AAEA,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,MAAM,OAAA,GAAU,MAAM,cAAA,CAAe,UAAA,EAAY;AAAA,MAC/C,KAAK,GAAA,CAAI,GAAA;AAAA,MACT,MAAM,GAAA,CAAI,IAAA;AAAA,MACV,UAAU,GAAA,CAAI;AAAA,KACf,CAAA;AACD,IAAA,IAAI,OAAA,KAAY,KAAA,EAAO,MAAM,IAAI,MAAM,eAAe,CAAA;AAAA,EACxD,WAAW,CAAC,GAAA,CAAI,IAAA,IAAQ,CAAC,IAAI,MAAA,EAAQ;AACnC,IAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,EAC1D;AAGA,EAAA,IAAI,IAAI,QAAA,EAAU;AAChB,IAAA,GAAA,CAAI,EAAA,CAAG,iBAAiB,EAAE,QAAA,EAAU,IAAI,QAAA,EAAU,MAAA,EAAQ,IAAI,IAAA,EAAM,EAAA,IAAM,IAAI,IAAA,EAAM,GAAA,CAAI,MAAM,IAAA,EAAM,YAAA,EAAc,IAAI,IAAA,EAAM,IAAA,KAAS,eAAe,CAAA;AAAA,EACtJ;AACF;AAMO,SAAS,oBAAoB,GAAA,EAAkB;AACpD,EAAA,OAAO,OAAO,KAAA,KASR;AACJ,IAAA,MAAM,EAAE,YAAY,KAAA,EAAO,IAAA,EAAM,OAAO,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,KAAA,EAAM,GAAI,KAAA;AACvE,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,QAAA,CAAS,aAAA,CAAc,UAAU,CAAA;AAEpD,IAAA,MAAM,eAAA,CAAgB,MAAA,EAAQ,MAAA,EAAQ,GAAG,CAAA;AAGzC,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,EAAY;AAC5B,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,UAAA,EAAY;AAC1C,QAAA,MAAM,IAAA,CAAK;AAAA,UACT,UAAA;AAAA,UACA,KAAK,GAAA,CAAI,GAAA;AAAA,UACT,MAAM,GAAA,CAAI,IAAA;AAAA,UACV,UAAU,GAAA,CAAI,QAAA;AAAA,UACd,SAAA,EAAW,MAAA;AAAA,UACX;AAAA,SACD,CAAA;AAAA,MACH;AAAA,IACF;AAEA,IAAA,MAAM,OAAA,GAAU,KAAA,IAAS,CAAC,CAAC,GAAA,CAAI,IAAA;AAG/B,IAAA,MAAM,MAAA,GAAS,MAAM,GAAA,CAAI,EAAA,CAAG,IAAA,CAAK;AAAA,MAC/B,UAAA;AAAA,MACA,KAAA,EAAO,SAAS,EAAC;AAAA,MACjB,IAAA;AAAA,MACA,OAAO,KAAA,IAAS,EAAA;AAAA,MAChB,MAAM,IAAA,IAAQ,CAAA;AAAA,MACd,OAAO,KAAA,IAAS,CAAA;AAAA,MAChB,UAAU,GAAA,CAAI,QAAA;AAAA,MACd,MAAA;AAAA,MACA,KAAA,EAAO;AAAA,KACR,CAAA;AAGD,IAAA,IAAI,MAAA,CAAO,OAAO,SAAA,EAAW;AAC3B,MAAA,KAAA,MAAW,GAAA,IAAO,OAAO,IAAA,EAAM;AAC7B,QAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,SAAA,EAAW;AACzC,UAAA,MAAM,IAAA,CAAK;AAAA,YACT,UAAA;AAAA,YACA,GAAA;AAAA,YACA,KAAK,GAAA,CAAI,GAAA;AAAA,YACT,MAAM,GAAA,CAAI,IAAA;AAAA,YACV,UAAU,GAAA,CAAI,QAAA;AAAA,YACd,SAAA,EAAW;AAAA,WACZ,CAAA;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,IAAA,OAAO,MAAA;AAAA,EACT,CAAA;AACF;AAEO,SAAS,wBAAwB,GAAA,EAAkB;AACxD,EAAA,OAAO,OAAO,KAAA,KAMR;AACJ,IAAA,MAAM,EAAE,UAAA,EAAY,EAAA,EAAI,KAAA,EAAO,MAAA,EAAQ,OAAM,GAAI,KAAA;AACjD,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,QAAA,CAAS,aAAA,CAAc,UAAU,CAAA;AAEpD,IAAA,MAAM,eAAA,CAAgB,MAAA,EAAQ,MAAA,EAAQ,GAAG,CAAA;AAEzC,IAAA,MAAM,OAAA,GAAU,KAAA,IAAS,CAAC,CAAC,GAAA,CAAI,IAAA;AAE/B,IAAA,MAAM,GAAA,GAAM,MAAM,GAAA,CAAI,EAAA,CAAG,QAAA,CAAS;AAAA,MAChC,UAAA;AAAA,MACA,EAAA;AAAA,MACA,OAAO,KAAA,IAAS,CAAA;AAAA,MAChB,UAAU,GAAA,CAAI,QAAA;AAAA,MACd,MAAA;AAAA,MACA,KAAA,EAAO;AAAA,KACR,CAAA;AAED,IAAA,IAAI,CAAC,KAAK,MAAM,IAAI,MAAM,CAAA,oBAAA,EAAuB,UAAU,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AAGnE,IAAA,IAAI,MAAA,CAAO,OAAO,SAAA,EAAW;AAC3B,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,SAAA,EAAW;AACzC,QAAA,MAAM,IAAA,CAAK;AAAA,UACT,UAAA;AAAA,UACA,GAAA;AAAA,UACA,KAAK,GAAA,CAAI,GAAA;AAAA,UACT,MAAM,GAAA,CAAI,IAAA;AAAA,UACV,UAAU,GAAA,CAAI,QAAA;AAAA,UACd,SAAA,EAAW,MAAA;AAAA,UACX;AAAA,SACD,CAAA;AAAA,MACH;AAAA,IACF;AAEA,IAAA,OAAO,GAAA;AAAA,EACT,CAAA;AACF;AAEO,SAAS,sBAAsB,GAAA,EAAkB;AACtD,EAAA,OAAO,OAAO,KAAA,KAKR;AACJ,IAAA,MAAM,EAAE,UAAA,EAAY,IAAA,EAAM,KAAA,EAAO,QAAO,GAAI,KAAA;AAC5C,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,QAAA,CAAS,aAAA,CAAc,UAAU,CAAA;AAEpD,IAAA,MAAM,eAAA,CAAgB,MAAA,EAAQ,QAAA,EAAU,GAAG,CAAA;AAG3C,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,QAAA,CAAS,kBAAA,CAAmB,UAAU,CAAA;AACzD,IAAA,MAAM,SAAA,GAAY,MAAA,CAAO,KAAA,CAAM,IAAI,CAAA;AAGnC,IAAA,IAAI,MAAA,CAAO,YAAA,IAAgB,GAAA,CAAI,QAAA,EAAU;AACvC,MAAA,SAAA,CAAU,WAAW,GAAA,CAAI,QAAA;AAAA,IAC3B;AAGA,IAAA,IAAI,MAAA,CAAO,OAAO,cAAA,EAAgB;AAChC,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,cAAA,EAAgB;AAC9C,QAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK;AAAA,UAC5B,UAAA;AAAA,UACA,IAAA,EAAM,SAAA;AAAA,UACN,KAAK,GAAA,CAAI,GAAA;AAAA,UACT,MAAM,GAAA,CAAI,IAAA;AAAA,UACV,UAAU,GAAA,CAAI,QAAA;AAAA,UACd,SAAA,EAAW;AAAA,SACZ,CAAA;AACD,QAAA,IAAI,UAAA,EAAY,MAAA,CAAO,MAAA,CAAO,SAAA,EAAW,UAAU,CAAA;AAAA,MACrD;AAAA,IACF;AAGA,IAAA,IAAI,MAAA,CAAO,OAAO,YAAA,EAAc;AAC9B,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,YAAA,EAAc;AAC5C,QAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK;AAAA,UAC5B,UAAA;AAAA,UACA,IAAA,EAAM,SAAA;AAAA,UACN,KAAK,GAAA,CAAI,GAAA;AAAA,UACT,MAAM,GAAA,CAAI,IAAA;AAAA,UACV,UAAU,GAAA,CAAI,QAAA;AAAA,UACd,SAAA,EAAW;AAAA,SACZ,CAAA;AACD,QAAA,IAAI,UAAA,EAAY,MAAA,CAAO,MAAA,CAAO,SAAA,EAAW,UAAU,CAAA;AAAA,MACrD;AAAA,IACF;AAGA,IAAA,MAAM,GAAA,GAAM,MAAM,GAAA,CAAI,EAAA,CAAG,MAAA,CAAO;AAAA,MAC9B,UAAA;AAAA,MACA,IAAA,EAAM,SAAA;AAAA,MACN,OAAO,KAAA,IAAS,CAAA;AAAA,MAChB,UAAU,GAAA,CAAI,QAAA;AAAA,MACd;AAAA,KACD,CAAA;AAGD,IAAA,IAAI,MAAA,CAAO,OAAO,WAAA,EAAa;AAC7B,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,WAAA,EAAa;AAC3C,QAAA,MAAM,IAAA,CAAK;AAAA,UACT,UAAA;AAAA,UACA,GAAA;AAAA,UACA,IAAA,EAAM,SAAA;AAAA,UACN,KAAK,GAAA,CAAI,GAAA;AAAA,UACT,MAAM,GAAA,CAAI,IAAA;AAAA,UACV,UAAU,GAAA,CAAI,QAAA;AAAA,UACd,SAAA,EAAW;AAAA,SACZ,CAAA;AAAA,MACH;AAAA,IACF;AAEA,IAAA,MAAM,cAAA,CAAe,GAAA,EAAK,eAAA,CAAgB,UAAA,EAAY,QAAQ,CAAA,EAAG;AAAA,MAC/D,UAAA;AAAA,MACA,IAAA,EAAM,GAAA;AAAA,MACN,SAAA,EAAW;AAAA,KACZ,CAAA;AAED,IAAA,OAAO,EAAE,GAAA,EAAI;AAAA,EACf,CAAA;AACF;AAEO,SAAS,sBAAsB,GAAA,EAAkB;AACtD,EAAA,OAAO,OAAO,KAAA,KAOR;AACJ,IAAA,MAAM,EAAE,UAAA,EAAY,EAAA,EAAI,MAAM,KAAA,EAAO,MAAA,EAAQ,eAAc,GAAI,KAAA;AAC/D,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,QAAA,CAAS,aAAA,CAAc,UAAU,CAAA;AAEpD,IAAA,MAAM,eAAA,CAAgB,MAAA,EAAQ,QAAA,EAAU,GAAG,CAAA;AAG3C,IAAA,MAAM,WAAA,GAAc,MAAM,GAAA,CAAI,EAAA,CAAG,QAAA,CAAS;AAAA,MACxC,UAAA;AAAA,MACA,EAAA;AAAA,MACA,UAAU,GAAA,CAAI,QAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAED,IAAA,IAAI,CAAC,WAAA;AACH,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oBAAA,EAAuB,UAAU,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AAG3D,IAAA,IAAI,aAAA,IAAkB,WAAA,CAAoC,SAAA,IAAa,aAAA,KAAmB,YAAoC,SAAA,EAAW;AACvI,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,8CAAA,EAAiD,aAAa,CAAA,qBAAA,EAAyB,WAAA,CAAoC,SAAS,CAAA,CAAE,CAAA;AAAA,IACxJ;AAGA,IAAA,qBAAA,CAAsB,IAAA,EAAa,OAAO,MAAa,CAAA;AAGvD,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,QAAA,CAAS,kBAAA,CAAmB,UAAU,CAAA;AACzD,IAAA,MAAM,SAAA,GAAY,MAAA,CAAO,KAAA,CAAM,IAAI,CAAA;AAGnC,IAAA,IAAI,MAAA,CAAO,YAAA,IAAgB,GAAA,CAAI,QAAA,EAAU;AACvC,MAAA,SAAA,CAAU,WAAW,GAAA,CAAI,QAAA;AAAA,IAC3B;AAGA,IAAA,IAAI,MAAA,CAAO,OAAO,cAAA,EAAgB;AAChC,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,cAAA,EAAgB;AAC9C,QAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK;AAAA,UAC5B,UAAA;AAAA,UACA,IAAA,EAAM,SAAA;AAAA,UACN,WAAA;AAAA,UACA,KAAK,GAAA,CAAI,GAAA;AAAA,UACT,MAAM,GAAA,CAAI,IAAA;AAAA,UACV,UAAU,GAAA,CAAI,QAAA;AAAA,UACd,SAAA,EAAW,QAAA;AAAA,UACX;AAAA,SACD,CAAA;AACD,QAAA,IAAI,UAAA,EAAY,MAAA,CAAO,MAAA,CAAO,SAAA,EAAW,UAAU,CAAA;AAAA,MACrD;AAAA,IACF;AAGA,IAAA,IAAI,MAAA,CAAO,OAAO,YAAA,EAAc;AAC9B,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,YAAA,EAAc;AAC5C,QAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK;AAAA,UAC5B,UAAA;AAAA,UACA,IAAA,EAAM,SAAA;AAAA,UACN,WAAA;AAAA,UACA,KAAK,GAAA,CAAI,GAAA;AAAA,UACT,MAAM,GAAA,CAAI,IAAA;AAAA,UACV,UAAU,GAAA,CAAI,QAAA;AAAA,UACd,SAAA,EAAW,QAAA;AAAA,UACX;AAAA,SACD,CAAA;AACD,QAAA,IAAI,UAAA,EAAY,MAAA,CAAO,MAAA,CAAO,SAAA,EAAW,UAAU,CAAA;AAAA,MACrD;AAAA,IACF;AAGA,IAAA,MAAM,UAAW,GAAA,CAAI,GAAA,IAAO,OAAQ,GAAA,CAAI,IAAY,OAAA,EAAS,GAAA,KAAQ,UAAA,IAAe,GAAA,CAAI,IAAY,OAAA,CAAQ,GAAA,CAAI,SAAS,CAAA,KAAM,MAAA,IAAY,MAAc,KAAA,KAAU,IAAA;AACnK,IAAA,MAAM,cAAA,GAAiB,MAAA,CAAO,QAAA,EAAU,MAAA,KAAW,IAAA;AACnD,IAAA,MAAM,UAAA,GAAe,GAAA,CAAI,GAAA,EAAa,KAAA,EAAO,QAAA,KAAa,MAAA,IAAa,GAAA,CAAI,GAAA,EAAa,GAAA,EAAK,QAAA,CAAS,eAAe,CAAA,IAAO,MAAc,QAAA,KAAa,IAAA;AAEvJ,IAAA,IAAI,GAAA;AACJ,IAAA,IAAI,kBAAkB,OAAA,EAAS;AAG7B,MAAA,MAAM,GAAA,CAAI,GAAG,aAAA,CAAc;AAAA,QACzB,UAAA;AAAA,QACA,UAAA,EAAY,EAAA;AAAA,QACZ,IAAA,EAAM,SAAA;AAAA,QACN,MAAA,EAAQ,OAAA;AAAA,QACR,QAAA,EAAU,UAAA;AAAA,QACV,SAAA,EAAW,IAAI,IAAA,EAAM,EAAA;AAAA,QACrB,UAAU,GAAA,CAAI;AAAA,OACf,CAAA;AAED,MAAA,GAAA,GAAM,MAAM,GAAA,CAAI,EAAA,CAAG,QAAA,CAAS,EAAE,UAAA,EAAY,EAAA,EAAI,QAAA,EAAU,GAAA,CAAI,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,IACrF,WAAW,cAAA,EAAgB;AAEzB,MAAA,GAAA,GAAM,MAAM,GAAA,CAAI,EAAA,CAAG,MAAA,CAAO;AAAA,QACxB,UAAA;AAAA,QACA,EAAA;AAAA,QACA,IAAA,EAAM,EAAE,GAAG,SAAA,EAAW,QAAQ,WAAA,EAAY;AAAA,QAC1C,OAAO,KAAA,IAAS,CAAA;AAAA,QAChB,UAAU,GAAA,CAAI,QAAA;AAAA,QACd;AAAA,OACD,CAAA;AACD,MAAA,MAAM,GAAA,CAAI,GAAG,aAAA,CAAc;AAAA,QACzB,UAAA;AAAA,QACA,UAAA,EAAY,EAAA;AAAA,QACZ,IAAA,EAAM,SAAA;AAAA,QACN,MAAA,EAAQ,WAAA;AAAA,QACR,SAAA,EAAW,IAAI,IAAA,EAAM,EAAA;AAAA,QACrB,UAAU,GAAA,CAAI;AAAA,OACf,CAAA;AAAA,IACH,CAAA,MAAO;AAEL,MAAA,GAAA,GAAM,MAAM,GAAA,CAAI,EAAA,CAAG,MAAA,CAAO;AAAA,QACxB,UAAA;AAAA,QACA,EAAA;AAAA,QACA,IAAA,EAAM,SAAA;AAAA,QACN,OAAO,KAAA,IAAS,CAAA;AAAA,QAChB,UAAU,GAAA,CAAI,QAAA;AAAA,QACd;AAAA,OACD,CAAA;AAAA,IACH;AAGA,IAAA,IAAI,MAAA,CAAO,OAAO,WAAA,EAAa;AAC7B,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,WAAA,EAAa;AAC3C,QAAA,MAAM,IAAA,CAAK;AAAA,UACT,UAAA;AAAA,UACA,GAAA;AAAA,UACA,IAAA,EAAM,SAAA;AAAA,UACN,WAAA;AAAA,UACA,KAAK,GAAA,CAAI,GAAA;AAAA,UACT,MAAM,GAAA,CAAI,IAAA;AAAA,UACV,UAAU,GAAA,CAAI,QAAA;AAAA,UACd,SAAA,EAAW,QAAA;AAAA,UACX;AAAA,SACD,CAAA;AAAA,MACH;AAAA,IACF;AAEA,IAAA,MAAM,cAAA,CAAe,GAAA,EAAK,eAAA,CAAgB,UAAA,EAAY,QAAQ,CAAA,EAAG;AAAA,MAC/D,UAAA;AAAA,MACA,IAAA,EAAM,GAAA;AAAA,MACN,YAAA,EAAc,WAAA;AAAA,MACd,SAAA,EAAW;AAAA,KACZ,CAAA;AAED,IAAA,OAAO,EAAE,GAAA,EAAI;AAAA,EACf,CAAA;AACF;AAEO,SAAS,sBAAsB,GAAA,EAAkB;AACtD,EAAA,OAAO,OAAO,KAAA,KAA8C;AAC1D,IAAA,MAAM,EAAE,UAAA,EAAY,EAAA,EAAG,GAAI,KAAA;AAC3B,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,QAAA,CAAS,aAAA,CAAc,UAAU,CAAA;AAEpD,IAAA,MAAM,eAAA,CAAgB,MAAA,EAAQ,QAAA,EAAU,GAAG,CAAA;AAG3C,IAAA,MAAM,WAAA,GAAc,MAAM,GAAA,CAAI,EAAA,CAAG,QAAA,CAAS;AAAA,MACxC,UAAA;AAAA,MACA,EAAA;AAAA,MACA,UAAU,GAAA,CAAI,QAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAED,IAAA,IAAI,CAAC,WAAA;AACH,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oBAAA,EAAuB,UAAU,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AAG3D,IAAA,IAAI,MAAA,CAAO,OAAO,YAAA,EAAc;AAC9B,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,YAAA,EAAc;AAC5C,QAAA,MAAM,IAAA,CAAK;AAAA,UACT,UAAA;AAAA,UACA,GAAA,EAAK,WAAA;AAAA,UACL,KAAK,GAAA,CAAI,GAAA;AAAA,UACT,MAAM,GAAA,CAAI,IAAA;AAAA,UACV,UAAU,GAAA,CAAI,QAAA;AAAA,UACd,SAAA,EAAW,QAAA;AAAA,UACX;AAAA,SACD,CAAA;AAAA,MACH;AAAA,IACF;AAGA,IAAA,MAAM,GAAA,GAAM,MAAM,GAAA,CAAI,EAAA,CAAG,MAAA,CAAO;AAAA,MAC9B,UAAA;AAAA,MACA,EAAA;AAAA,MACA,UAAU,GAAA,CAAI;AAAA,KACf,CAAA;AAGD,IAAA,IAAI,MAAA,CAAO,OAAO,WAAA,EAAa;AAC7B,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,WAAA,EAAa;AAC3C,QAAA,MAAM,IAAA,CAAK;AAAA,UACT,UAAA;AAAA,UACA,GAAA;AAAA,UACA,KAAK,GAAA,CAAI,GAAA;AAAA,UACT,MAAM,GAAA,CAAI,IAAA;AAAA,UACV,UAAU,GAAA,CAAI,QAAA;AAAA,UACd,SAAA,EAAW,QAAA;AAAA,UACX;AAAA,SACD,CAAA;AAAA,MACH;AAAA,IACF;AAEA,IAAA,MAAM,cAAA,CAAe,GAAA,EAAK,eAAA,CAAgB,UAAA,EAAY,QAAQ,CAAA,EAAG;AAAA,MAC/D,UAAA;AAAA,MACA,IAAA,EAAM,GAAA;AAAA,MACN,YAAA,EAAc,WAAA;AAAA,MACd,SAAA,EAAW;AAAA,KACZ,CAAA;AAED,IAAA,OAAO,EAAE,GAAA,EAAK,OAAA,EAAS,sBAAA,EAAuB;AAAA,EAChD,CAAA;AACF;AAEO,SAAS,qBAAqB,GAAA,EAAkB;AACrD,EAAA,OAAO,OAAO,KAAA,KAA+D;AAC3E,IAAA,MAAM,EAAE,UAAA,EAAY,KAAA,EAAM,GAAI,KAAA;AAC9B,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,QAAA,CAAS,aAAA,CAAc,UAAU,CAAA;AAEpD,IAAA,MAAM,eAAA,CAAgB,MAAA,EAAQ,MAAA,EAAQ,GAAG,CAAA;AAEzC,IAAA,MAAM,SAAA,GAAY,MAAM,GAAA,CAAI,EAAA,CAAG,KAAA,CAAM;AAAA,MACnC,UAAA;AAAA,MACA,KAAA,EAAO,SAAS,EAAC;AAAA,MACjB,UAAU,GAAA,CAAI;AAAA,KACf,CAAA;AAED,IAAA,OAAO,EAAE,SAAA,EAAU;AAAA,EACrB,CAAA;AACF;;;AClkBA,eAAe,qBAAA,CACb,MAAA,EACA,SAAA,EACA,GAAA,EACe;AACf,EAAA,MAAM,UAAA,GAAa,MAAA,CAAO,MAAA,GAAS,SAAS,CAAA;AAE5C,EAAA,MAAM,SAAS,GAAA,CAAI,MAAA;AACnB,EAAA,IAAI,UAAU,MAAA,CAAO,WAAA,IAAe,MAAA,CAAO,WAAA,CAAY,SAAS,CAAA,EAAG;AACjE,IAAA,MAAM,UAAA,GAAa,WAAW,SAAS,CAAA,CAAA;AACvC,IAAA,IACE,CAAC,mBAAA,CAAoB,MAAA,CAAO,WAAA,EAAa,UAAU,CAAA,IACnD,CAAC,mBAAA,CAAoB,MAAA,CAAO,WAAA,EAAa,eAAe,CAAA,EACxD;AACA,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,0CAAA,EAA6C,UAAU,CAAA,CAAE,CAAA;AAAA,IAC3E;AAAA,EACF;AAEA,EAAA,IAAI,IAAI,IAAA,EAAM;AACZ,IAAA,MAAM,UAAA,GAAa,WAAW,SAAS,CAAA,CAAA;AACvC,IAAA,MAAM,iBAAA,GAAoB,aAAA;AAAA,MACxB,EAAE,EAAA,EAAI,GAAA,CAAI,IAAA,CAAK,EAAA,EAAI,KAAA,EAAO,GAAA,CAAI,IAAA,CAAK,KAAA,EAAO,IAAA,EAAM,GAAA,CAAI,IAAA,CAAK,IAAA,EAAK;AAAA,MAC9D;AAAA,KACF;AACA,IAAA,IAAI,CAAC,qBAAqB,CAAC,aAAA;AAAA,MACzB,EAAE,EAAA,EAAI,GAAA,CAAI,IAAA,CAAK,EAAA,EAAI,KAAA,EAAO,GAAA,CAAI,IAAA,CAAK,KAAA,EAAO,IAAA,EAAM,GAAA,CAAI,IAAA,CAAK,IAAA,EAAK;AAAA,MAC9D;AAAA,KACF,EAAG;AACD,MAAA,IAAI,CAAC,UAAA,EAAY;AACf,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uCAAA,EAA0C,UAAU,CAAA,CAAE,CAAA;AAAA,MACxE;AAAA,IACF;AAAA,EACF;AAEA,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,MAAM,OAAA,GAAU,MAAM,cAAA,CAAe,UAAA,EAAY;AAAA,MAC/C,KAAK,GAAA,CAAI,GAAA;AAAA,MACT,MAAM,GAAA,CAAI,IAAA;AAAA,MACV,UAAU,GAAA,CAAI;AAAA,KACf,CAAA;AACD,IAAA,IAAI,OAAA,KAAY,KAAA,EAAO,MAAM,IAAI,MAAM,eAAe,CAAA;AAAA,EACxD,WAAW,CAAC,GAAA,CAAI,IAAA,IAAQ,CAAC,IAAI,MAAA,EAAQ;AACnC,IAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,EAC1D;AAEA,EAAA,IAAI,IAAI,QAAA,EAAU;AAChB,IAAA,GAAA,CAAI,EAAA,CAAG,iBAAiB,EAAE,QAAA,EAAU,IAAI,QAAA,EAAU,MAAA,EAAQ,IAAI,IAAA,EAAM,EAAA,IAAM,IAAI,IAAA,EAAM,GAAA,CAAI,MAAM,IAAA,EAAM,YAAA,EAAc,IAAI,IAAA,EAAM,IAAA,KAAS,eAAe,CAAA;AAAA,EACtJ;AACF;AAMO,SAAS,oBAAoB,GAAA,EAAkB;AACpD,EAAA,MAAM,SAA8B,EAAC;AACrC,EAAA,MAAM,WAAA,GAAc,GAAA,CAAI,QAAA,CAAS,cAAA,EAAe;AAEhD,EAAA,KAAA,MAAW,cAAc,WAAA,EAAa;AACpC,IAAA,MAAM,OAAO,UAAA,CAAW,IAAA;AAExB,IAAA,MAAA,CAAO,IAAI,CAAA,GAAI;AAAA,MACb,IAAA,EAAM,oBAAoB,GAAG,CAAA;AAAA,MAC7B,QAAA,EAAU,wBAAwB,GAAG,CAAA;AAAA,MACrC,MAAA,EAAQ,sBAAsB,GAAG,CAAA;AAAA,MACjC,MAAA,EAAQ,sBAAsB,GAAG,CAAA;AAAA,MACjC,MAAA,EAAQ,sBAAsB,GAAG,CAAA;AAAA,MACjC,KAAA,EAAO,qBAAqB,GAAG;AAAA,KACjC;AAAA,EACF;AAGA,EAAA,MAAM,OAAA,GAAU,GAAA,CAAI,QAAA,CAAS,UAAA,EAAW;AACxC,EAAA,KAAA,MAAW,UAAU,OAAA,EAAS;AAC5B,IAAA,MAAM,OAAO,MAAA,CAAO,IAAA;AAEpB,IAAA,MAAA,CAAO,CAAA,SAAA,EAAY,IAAI,CAAA,CAAE,CAAA,GAAI;AAAA,MAC3B,KAAK,YAAY;AACf,QAAA,MAAM,qBAAA,CAAsB,MAAA,EAAQ,MAAA,EAAQ,GAAG,CAAA;AAE/C,QAAA,MAAM,GAAA,GAAM,MAAM,GAAA,CAAI,EAAA,CAAG,OAAA,CAAQ;AAAA,UAC/B,UAAA,EAAY,YAAY,IAAI,CAAA,CAAA;AAAA,UAC5B,OAAO,EAAC;AAAA,UACR,UAAU,GAAA,CAAI;AAAA,SACf,CAAA;AACD,QAAA,OAAO,GAAA;AAAA,MACT,CAAA;AAAA,MACA,MAAA,EAAQ,OAAO,KAAA,KAAyC;AACtD,QAAA,MAAM,qBAAA,CAAsB,MAAA,EAAQ,QAAA,EAAU,GAAG,CAAA;AAEjD,QAAA,MAAM,MAAA,GAAS,GAAA,CAAI,QAAA,CAAS,YAAA,CAAa,IAAI,CAAA;AAC7C,QAAA,MAAM,SAAA,GAAY,MAAA,CAAO,KAAA,CAAM,KAAA,CAAM,IAAI,CAAA;AAEzC,QAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,EAAA,CAAG,OAAA,CAAQ;AAAA,UACpC,UAAA,EAAY,YAAY,IAAI,CAAA,CAAA;AAAA,UAC5B,OAAO,EAAC;AAAA,UACR,UAAU,GAAA,CAAI;AAAA,SACf,CAAA;AAED,QAAA,IAAI,GAAA;AACJ,QAAA,IAAI,QAAA,EAAU;AACZ,UAAA,GAAA,GAAM,MAAM,GAAA,CAAI,EAAA,CAAG,MAAA,CAAO;AAAA,YACxB,UAAA,EAAY,YAAY,IAAI,CAAA,CAAA;AAAA,YAC5B,IAAI,QAAA,CAAS,EAAA;AAAA,YACb,IAAA,EAAM,SAAA;AAAA,YACN,UAAU,GAAA,CAAI;AAAA,WACf,CAAA;AAAA,QACH,CAAA,MAAO;AACL,UAAA,GAAA,GAAM,MAAM,GAAA,CAAI,EAAA,CAAG,MAAA,CAAO;AAAA,YACxB,UAAA,EAAY,YAAY,IAAI,CAAA,CAAA;AAAA,YAC5B,IAAA,EAAM,EAAE,GAAG,SAAA,EAAW,IAAI,IAAA,EAAK;AAAA,YAC/B,UAAU,GAAA,CAAI;AAAA,WACf,CAAA;AAAA,QACH;AAEA,QAAA,OAAO,GAAA;AAAA,MACT;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAyDO,SAAS,iBAAiB,GAAA,EAA8B;AAE7D,EAAA,MAAM,SAAA,GAAY,GAAA,CAAI,QAAA,EAAU,MAAA,EAAQ,SAAA;AACxC,EAAA,IAAI,SAAA,EAAW,gBAAgB,KAAA,EAAO;AACpC,IAAA,MAAM,IAAI,MAAM,sBAAsB,CAAA;AAAA,EACxC;AAEA,EAAA,OAAO,oBAAoB,GAAG,CAAA;AAChC","file":"chunk-OHC6UHFY.js","sourcesContent":["import type { BaseAdapter } from \"../../registry/types.js\";\nimport type { User, Request } from \"../../hooks/types.js\";\nimport {\n  validateApiKey,\n  extractApiKeyFromRequest,\n  createApiKeyContext,\n} from \"../../auth/api-key.js\";\nimport { createWebhookService } from \"../../webhooks/index.js\";\n\n// ============================================================================\n// Context Types\n// ============================================================================\n\nexport interface ApiKeyContext {\n  userId: string;\n  user: Partial<User>;\n  permissions: string[];\n  apiKeyId: string;\n  tenantId?: string;\n  role?: string;\n}\n\nexport interface KyroContext {\n  db: BaseAdapter;\n  registry: any;\n  user?: User;\n  tenantID?: string;\n  req: Request;\n  apiKey?: ApiKeyContext;\n  webhookService?: ReturnType<typeof createWebhookService>;\n  settings?: Record<string, any>;\n  [key: string]: any;\n}\n\n// ============================================================================\n// Context Factory\n// ============================================================================\n\nexport async function createContext(options: {\n  db: BaseAdapter;\n  registry: any;\n  req: Request;\n  user?: User;\n  tenantID?: string;\n  settings?: Record<string, any>;\n}): Promise<KyroContext> {\n  const webhookService = createWebhookService(options.db);\n\n  const baseContext: KyroContext = {\n    db: options.db,\n    registry: options.registry,\n    req: options.req,\n    user: options.user,\n    tenantID: options.tenantID,\n    webhookService,\n    settings: options.settings,\n  };\n\n  const apiKeyRaw = extractApiKeyFromRequest(options.req as any);\n  if (apiKeyRaw) {\n    const result = await validateApiKey(apiKeyRaw, options.db, async (userId) => {\n      try {\n        const user = await options.db.findByID({ collection: 'users', id: userId });\n        return user || null;\n      } catch {\n        return null;\n      }\n    });\n    if (result.valid) {\n      baseContext.user = (result.user as User) || options.user;\n      baseContext.tenantID = result.tenantId || options.tenantID;\n      baseContext.apiKey = createApiKeyContext(result) as ApiKeyContext;\n    }\n  }\n\n  return baseContext;\n}\n","import type {\n  FindArgs,\n  CreateArgs,\n  UpdateArgs,\n  DeleteArgs,\n} from \"../../registry/types.js\";\nimport { runHooks } from \"../../hooks/types.js\";\nimport { evaluateAccess } from \"../../access/types.js\";\nexport type { KyroContext, ApiKeyContext } from \"./context.js\";\nexport { createContext } from \"./context.js\";\nimport type { KyroContext, ApiKeyContext } from \"./context.js\";\nimport type { Field } from \"../../fields/types.js\";\nimport { WEBHOOK_EVENTS, type WebhookEvent } from \"../../webhooks/types.js\";\nimport { hasApiKeyPermission } from \"../../auth/api-key.js\";\nimport { hasPermission } from \"../../auth/rbac/checker.js\";\n\nconst COLLECTION_EVENT_MAP: Record<\n  string,\n  { create: WebhookEvent; update: WebhookEvent; delete: WebhookEvent }\n> = {\n  _media: {\n    create: WEBHOOK_EVENTS.MEDIA_UPLOAD,\n    update: WEBHOOK_EVENTS.MEDIA_UPLOAD,\n    delete: WEBHOOK_EVENTS.MEDIA_DELETE,\n  },\n};\n\nfunction getWebhookEvent(\n  collection: string,\n  operation: \"create\" | \"update\" | \"delete\",\n): WebhookEvent {\n  const mapped = COLLECTION_EVENT_MAP[collection];\n  if (mapped) return mapped[operation];\n  return `collection.${operation}` as WebhookEvent;\n}\n\nasync function triggerWebhook(\n  ctx: KyroContext,\n  event: WebhookEvent,\n  payload: {\n    collection: string;\n    data: unknown;\n    previousData?: unknown;\n    operation: \"create\" | \"update\" | \"delete\";\n  },\n) {\n  if (!ctx.webhookService) return;\n  try {\n    await ctx.webhookService.trigger(event, {\n      collection: payload.collection,\n      operation: payload.operation,\n      data: payload.data,\n      previousData: payload.previousData,\n      user: ctx.user\n        ? { id: ctx.user.id, email: ctx.user.email, role: ctx.user.role }\n        : undefined,\n      tenantId: ctx.tenantID,\n    });\n  } catch (err) {\n    console.error(`[Webhook] Failed to trigger ${event}:`, err);\n  }\n}\n\n// ============================================================================\n// Data normalization helpers\n// ============================================================================\n\nfunction normalizeEmptyStrings(data: any, fields: Field[]): void {\n  if (!data || typeof data !== 'object') return;\n  for (const field of fields) {\n    if (!field.name || !(field.name in data)) continue;\n    const val = data[field.name];\n    if (val === \"\") {\n      const isTextual = field.type === 'text' || field.type === 'textarea' || field.type === 'code' || field.type === 'markdown' || field.type === 'email' || field.type === 'password' || field.type === 'color';\n      if (!isTextual) data[field.name] = null;\n    }\n    if (field.type === 'tabs' && field.name && Array.isArray((field as any).tabs) && data[field.name] && typeof data[field.name] === 'object') {\n      for (const tab of (field as any).tabs) {\n        if (Array.isArray(tab.fields)) normalizeEmptyStrings(data[field.name], tab.fields as Field[]);\n      }\n    } else if ((field.type === 'group' || field.type === 'collapsible') && field.name && Array.isArray((field as any).fields) && data[field.name] && typeof data[field.name] === 'object') {\n      normalizeEmptyStrings(data[field.name], (field as any).fields as Field[]);\n    } else if (field.type === 'array' && field.name && Array.isArray((field as any).fields) && Array.isArray(data[field.name])) {\n      for (const item of data[field.name]) {\n        if (item && typeof item === 'object') normalizeEmptyStrings(item, (field as any).fields as Field[]);\n      }\n    } else if (field.type === 'blocks' && field.name && Array.isArray((field as any).blocks) && Array.isArray(data[field.name])) {\n      for (const item of data[field.name]) {\n        if (!item || typeof item !== 'object') continue;\n        const blockTypeStr = item.type || item.blockType;\n        if (!blockTypeStr) continue;\n        const blockDef = (field as any).blocks.find((b: any) => b.slug === blockTypeStr);\n        if (!blockDef || !Array.isArray(blockDef.fields)) continue;\n        const target = item.data && typeof item.data === 'object' ? item.data : item;\n        normalizeEmptyStrings(target, blockDef.fields as Field[]);\n      }\n    }\n  }\n}\n\n// ============================================================================\n// Access Check Helper\n// ============================================================================\n\nasync function checkTRPCAccess(\n  config: { access?: any; slug: string },\n  operation: \"read\" | \"create\" | \"update\" | \"delete\",\n  ctx: KyroContext,\n): Promise<void> {\n  const accessRule = config.access?.[operation];\n\n  // API key permission check\n  const apiKey = ctx.apiKey;\n  if (apiKey && apiKey.permissions && apiKey.permissions.length > 0) {\n    const resource = config.slug;\n    const action = operation === \"read\" ? \"read\" : operation === \"create\" ? \"create\" : \"update\";\n    const permission = `${resource}:${action}`;\n    if (\n      !hasApiKeyPermission(apiKey.permissions, permission) &&\n      !hasApiKeyPermission(apiKey.permissions, `${resource}:admin`)\n    ) {\n      throw new Error(`Access denied: missing API key permission ${permission}`);\n    }\n  }\n\n  // RBAC check for authenticated users (skip when API key permissions are authoritative)\n  if (ctx.user && !(apiKey && apiKey.permissions && apiKey.permissions.length > 0)) {\n    const resource = config.slug;\n    const action = operation === \"read\" ? \"read\" : operation === \"create\" ? \"create\" : operation === \"update\" ? \"update\" : \"delete\";\n    const permission = `${resource}:${action}`;\n    const userHasPermission = hasPermission(\n      { id: ctx.user.id, email: ctx.user.email, role: ctx.user.role } as any,\n      permission,\n    );\n    if (!userHasPermission && !hasPermission(\n      { id: ctx.user.id, email: ctx.user.email, role: ctx.user.role } as any,\n      `${resource}:admin`,\n    )) {\n      if (!accessRule) {\n        throw new Error(`Access denied: missing RBAC permission ${permission}`);\n      }\n    }\n  }\n\n  if (accessRule) {\n    const allowed = await evaluateAccess(accessRule, {\n      req: ctx.req,\n      user: ctx.user,\n      tenantID: ctx.tenantID,\n    });\n    if (allowed === false) throw new Error(\"Access denied\");\n  } else if (!ctx.user && !ctx.apiKey) {\n    throw new Error(\"Access denied: authentication required\");\n  }\n\n  // Set tenant context\n  if (ctx.tenantID) {\n    ctx.db.setTenantContext({ tenantId: ctx.tenantID, userId: ctx.user?.id ?? '', role: ctx.user?.role, isSuperAdmin: ctx.user?.role === 'super_admin' });\n  }\n}\n\n// ============================================================================\n// CRUD Procedure Builders\n// ============================================================================\n\nexport function createFindProcedure(ctx: KyroContext) {\n  return async (input: {\n    collection: string;\n    where?: Record<string, any>;\n    sort?: string;\n    limit?: number;\n    page?: number;\n    depth?: number;\n    select?: string[];\n    draft?: boolean;\n  }) => {\n    const { collection, where, sort, limit, page, depth, select, draft } = input;\n    const config = ctx.registry.getCollection(collection);\n\n    await checkTRPCAccess(config, \"read\", ctx);\n\n    // Run beforeRead hooks\n    if (config.hooks?.beforeRead) {\n      for (const hook of config.hooks.beforeRead) {\n        await hook({\n          collection,\n          req: ctx.req,\n          user: ctx.user,\n          tenantID: ctx.tenantID,\n          operation: \"read\",\n          where,\n        });\n      }\n    }\n\n    const isDraft = draft ?? !!ctx.user;\n\n    // Execute query\n    const result = await ctx.db.find({\n      collection,\n      where: where || {},\n      sort,\n      limit: limit || 10,\n      page: page || 1,\n      depth: depth || 0,\n      tenantID: ctx.tenantID,\n      select,\n      draft: isDraft,\n    });\n\n    // Run afterRead hooks\n    if (config.hooks?.afterRead) {\n      for (const doc of result.docs) {\n        for (const hook of config.hooks.afterRead) {\n          await hook({\n            collection,\n            doc,\n            req: ctx.req,\n            user: ctx.user,\n            tenantID: ctx.tenantID,\n            operation: \"read\",\n          });\n        }\n      }\n    }\n\n    return result;\n  };\n}\n\nexport function createFindByIDProcedure(ctx: KyroContext) {\n  return async (input: {\n    collection: string;\n    id: string;\n    depth?: number;\n    select?: string[];\n    draft?: boolean;\n  }) => {\n    const { collection, id, depth, select, draft } = input;\n    const config = ctx.registry.getCollection(collection);\n\n    await checkTRPCAccess(config, \"read\", ctx);\n\n    const isDraft = draft ?? !!ctx.user;\n\n    const doc = await ctx.db.findByID({\n      collection,\n      id,\n      depth: depth || 0,\n      tenantID: ctx.tenantID,\n      select,\n      draft: isDraft,\n    });\n\n    if (!doc) throw new Error(`Document not found: ${collection}/${id}`);\n\n    // Run afterRead hooks\n    if (config.hooks?.afterRead) {\n      for (const hook of config.hooks.afterRead) {\n        await hook({\n          collection,\n          doc,\n          req: ctx.req,\n          user: ctx.user,\n          tenantID: ctx.tenantID,\n          operation: \"read\",\n          id,\n        });\n      }\n    }\n\n    return doc;\n  };\n}\n\nexport function createCreateProcedure(ctx: KyroContext) {\n  return async (input: {\n    collection: string;\n    data: Record<string, any>;\n    depth?: number;\n    select?: string[];\n  }) => {\n    const { collection, data, depth, select } = input;\n    const config = ctx.registry.getCollection(collection);\n\n    await checkTRPCAccess(config, \"create\", ctx);\n\n    // Validate with Zod\n    const schema = ctx.registry.getCreateZodSchema(collection);\n    const validated = schema.parse(data);\n\n    // Add tenantID if scoped\n    if (config.tenantScoped && ctx.tenantID) {\n      validated.tenantID = ctx.tenantID;\n    }\n\n    // Run beforeValidate hooks\n    if (config.hooks?.beforeValidate) {\n      for (const hook of config.hooks.beforeValidate) {\n        const hookResult = await hook({\n          collection,\n          data: validated,\n          req: ctx.req,\n          user: ctx.user,\n          tenantID: ctx.tenantID,\n          operation: \"create\",\n        });\n        if (hookResult) Object.assign(validated, hookResult);\n      }\n    }\n\n    // Run beforeChange hooks\n    if (config.hooks?.beforeChange) {\n      for (const hook of config.hooks.beforeChange) {\n        const hookResult = await hook({\n          collection,\n          data: validated,\n          req: ctx.req,\n          user: ctx.user,\n          tenantID: ctx.tenantID,\n          operation: \"create\",\n        });\n        if (hookResult) Object.assign(validated, hookResult);\n      }\n    }\n\n    // Execute create\n    const doc = await ctx.db.create({\n      collection,\n      data: validated,\n      depth: depth || 0,\n      tenantID: ctx.tenantID,\n      select,\n    });\n\n    // Run afterChange hooks\n    if (config.hooks?.afterChange) {\n      for (const hook of config.hooks.afterChange) {\n        await hook({\n          collection,\n          doc,\n          data: validated,\n          req: ctx.req,\n          user: ctx.user,\n          tenantID: ctx.tenantID,\n          operation: \"create\",\n        });\n      }\n    }\n\n    await triggerWebhook(ctx, getWebhookEvent(collection, \"create\"), {\n      collection,\n      data: doc,\n      operation: \"create\",\n    });\n\n    return { doc };\n  };\n}\n\nexport function createUpdateProcedure(ctx: KyroContext) {\n  return async (input: {\n    collection: string;\n    id: string;\n    data: Record<string, any>;\n    depth?: number;\n    select?: string[];\n    baseUpdatedAt?: string;\n  }) => {\n    const { collection, id, data, depth, select, baseUpdatedAt } = input;\n    const config = ctx.registry.getCollection(collection);\n\n    await checkTRPCAccess(config, \"update\", ctx);\n\n    // Get original doc for hooks + conflict detection\n    const originalDoc = await ctx.db.findByID({\n      collection,\n      id,\n      tenantID: ctx.tenantID,\n      draft: true,\n    });\n\n    if (!originalDoc)\n      throw new Error(`Document not found: ${collection}/${id}`);\n\n    // Revision conflict detection\n    if (baseUpdatedAt && (originalDoc as Record<string, any>).updatedAt && baseUpdatedAt !== (originalDoc as Record<string, any>).updatedAt) {\n      throw new Error(`Revision conflict: document has changed since ${baseUpdatedAt}. Current updatedAt: ${(originalDoc as Record<string, any>).updatedAt}`);\n    }\n\n    // Normalize empty strings for non-textual field types\n    normalizeEmptyStrings(data as any, config.fields as any);\n\n    // Validate with Zod\n    const schema = ctx.registry.getUpdateZodSchema(collection);\n    const validated = schema.parse(data);\n\n    // Add tenantID if scoped\n    if (config.tenantScoped && ctx.tenantID) {\n      validated.tenantID = ctx.tenantID;\n    }\n\n    // Run beforeValidate hooks\n    if (config.hooks?.beforeValidate) {\n      for (const hook of config.hooks.beforeValidate) {\n        const hookResult = await hook({\n          collection,\n          data: validated,\n          originalDoc,\n          req: ctx.req,\n          user: ctx.user,\n          tenantID: ctx.tenantID,\n          operation: \"update\",\n          id,\n        });\n        if (hookResult) Object.assign(validated, hookResult);\n      }\n    }\n\n    // Run beforeChange hooks\n    if (config.hooks?.beforeChange) {\n      for (const hook of config.hooks.beforeChange) {\n        const hookResult = await hook({\n          collection,\n          data: validated,\n          originalDoc,\n          req: ctx.req,\n          user: ctx.user,\n          tenantID: ctx.tenantID,\n          operation: \"update\",\n          id,\n        });\n        if (hookResult) Object.assign(validated, hookResult);\n      }\n    }\n\n    // Determine if this is a draft save vs publish\n    const isDraft = (ctx.req && typeof (ctx.req as any).headers?.get === \"function\" && (ctx.req as any).headers.get(\"x-draft\") === \"true\") || (input as any).draft === true;\n    const isDraftEnabled = config.versions?.drafts === true;\n    const isAutosave = ((ctx.req as any)?.query?.autosave === \"true\") || ((ctx.req as any)?.url?.includes(\"autosave=true\")) || (input as any).autosave === true;\n\n    let doc;\n    if (isDraftEnabled && isDraft) {\n      // Draft save: versions table only\n      // Autosave reuses a single version slot; manual draft creates a new version\n      await ctx.db.createVersion({\n        collection,\n        documentId: id,\n        data: validated,\n        status: 'draft',\n        autosave: isAutosave,\n        createdBy: ctx.user?.id,\n        tenantID: ctx.tenantID,\n      });\n      // Refetch merged doc\n      doc = await ctx.db.findByID({ collection, id, tenantID: ctx.tenantID, draft: true });\n    } else if (isDraftEnabled) {\n      // Publish: main doc + versions table\n      doc = await ctx.db.update({\n        collection,\n        id,\n        data: { ...validated, status: 'published' },\n        depth: depth || 0,\n        tenantID: ctx.tenantID,\n        select,\n      });\n      await ctx.db.createVersion({\n        collection,\n        documentId: id,\n        data: validated,\n        status: 'published',\n        createdBy: ctx.user?.id,\n        tenantID: ctx.tenantID,\n      });\n    } else {\n      // No versions: direct update\n      doc = await ctx.db.update({\n        collection,\n        id,\n        data: validated,\n        depth: depth || 0,\n        tenantID: ctx.tenantID,\n        select,\n      });\n    }\n\n    // Run afterChange hooks\n    if (config.hooks?.afterChange) {\n      for (const hook of config.hooks.afterChange) {\n        await hook({\n          collection,\n          doc,\n          data: validated,\n          originalDoc,\n          req: ctx.req,\n          user: ctx.user,\n          tenantID: ctx.tenantID,\n          operation: \"update\",\n          id,\n        });\n      }\n    }\n\n    await triggerWebhook(ctx, getWebhookEvent(collection, \"update\"), {\n      collection,\n      data: doc,\n      previousData: originalDoc,\n      operation: \"update\",\n    });\n\n    return { doc };\n  };\n}\n\nexport function createDeleteProcedure(ctx: KyroContext) {\n  return async (input: { collection: string; id: string }) => {\n    const { collection, id } = input;\n    const config = ctx.registry.getCollection(collection);\n\n    await checkTRPCAccess(config, \"delete\", ctx);\n\n    // Get original doc for hooks\n    const originalDoc = await ctx.db.findByID({\n      collection,\n      id,\n      tenantID: ctx.tenantID,\n      draft: true,\n    });\n\n    if (!originalDoc)\n      throw new Error(`Document not found: ${collection}/${id}`);\n\n    // Run beforeDelete hooks\n    if (config.hooks?.beforeDelete) {\n      for (const hook of config.hooks.beforeDelete) {\n        await hook({\n          collection,\n          doc: originalDoc,\n          req: ctx.req,\n          user: ctx.user,\n          tenantID: ctx.tenantID,\n          operation: \"delete\",\n          id,\n        });\n      }\n    }\n\n    // Execute delete\n    const doc = await ctx.db.delete({\n      collection,\n      id,\n      tenantID: ctx.tenantID,\n    });\n\n    // Run afterDelete hooks\n    if (config.hooks?.afterDelete) {\n      for (const hook of config.hooks.afterDelete) {\n        await hook({\n          collection,\n          doc,\n          req: ctx.req,\n          user: ctx.user,\n          tenantID: ctx.tenantID,\n          operation: \"delete\",\n          id,\n        });\n      }\n    }\n\n    await triggerWebhook(ctx, getWebhookEvent(collection, \"delete\"), {\n      collection,\n      data: doc,\n      previousData: originalDoc,\n      operation: \"delete\",\n    });\n\n    return { doc, message: \"Deleted successfully\" };\n  };\n}\n\nexport function createCountProcedure(ctx: KyroContext) {\n  return async (input: { collection: string; where?: Record<string, any> }) => {\n    const { collection, where } = input;\n    const config = ctx.registry.getCollection(collection);\n\n    await checkTRPCAccess(config, \"read\", ctx);\n\n    const totalDocs = await ctx.db.count({\n      collection,\n      where: where || {},\n      tenantID: ctx.tenantID,\n    });\n\n    return { totalDocs };\n  };\n}\n","import type { KyroContext } from \"./context.js\";\nimport {\n  createFindProcedure,\n  createFindByIDProcedure,\n  createCreateProcedure,\n  createUpdateProcedure,\n  createDeleteProcedure,\n  createCountProcedure,\n} from \"./procedures.js\";\nimport { evaluateAccess } from \"../../access/types.js\";\nimport { hasPermission } from \"../../auth/rbac/checker.js\";\nimport { hasApiKeyPermission } from \"../../auth/api-key.js\";\n\n// ============================================================================\n// Global Access Check Helper\n// ============================================================================\n\nasync function checkGlobalAccessTRPC(\n  global: { access?: any; slug: string },\n  operation: \"read\" | \"update\",\n  ctx: KyroContext,\n): Promise<void> {\n  const accessRule = global.access?.[operation];\n\n  const apiKey = ctx.apiKey;\n  if (apiKey && apiKey.permissions && apiKey.permissions.length > 0) {\n    const permission = `globals:${operation}`;\n    if (\n      !hasApiKeyPermission(apiKey.permissions, permission) &&\n      !hasApiKeyPermission(apiKey.permissions, \"globals:admin\")\n    ) {\n      throw new Error(`Access denied: missing API key permission ${permission}`);\n    }\n  }\n\n  if (ctx.user) {\n    const permission = `globals:${operation}`;\n    const userHasPermission = hasPermission(\n      { id: ctx.user.id, email: ctx.user.email, role: ctx.user.role } as any,\n      permission,\n    );\n    if (!userHasPermission && !hasPermission(\n      { id: ctx.user.id, email: ctx.user.email, role: ctx.user.role } as any,\n      \"globals:admin\",\n    )) {\n      if (!accessRule) {\n        throw new Error(`Access denied: missing RBAC permission ${permission}`);\n      }\n    }\n  }\n\n  if (accessRule) {\n    const allowed = await evaluateAccess(accessRule, {\n      req: ctx.req,\n      user: ctx.user,\n      tenantID: ctx.tenantID,\n    });\n    if (allowed === false) throw new Error(\"Access denied\");\n  } else if (!ctx.user && !ctx.apiKey) {\n    throw new Error(\"Access denied: authentication required\");\n  }\n\n  if (ctx.tenantID) {\n    ctx.db.setTenantContext({ tenantId: ctx.tenantID, userId: ctx.user?.id ?? '', role: ctx.user?.role, isSuperAdmin: ctx.user?.role === 'super_admin' });\n  }\n}\n\n// ============================================================================\n// Dynamic Router Generator\n// ============================================================================\n\nexport function createDynamicRouter(ctx: KyroContext) {\n  const router: Record<string, any> = {};\n  const collections = ctx.registry.getCollections();\n\n  for (const collection of collections) {\n    const slug = collection.slug;\n\n    router[slug] = {\n      find: createFindProcedure(ctx),\n      findByID: createFindByIDProcedure(ctx),\n      create: createCreateProcedure(ctx),\n      update: createUpdateProcedure(ctx),\n      delete: createDeleteProcedure(ctx),\n      count: createCountProcedure(ctx),\n    };\n  }\n\n  // Add globals\n  const globals = ctx.registry.getGlobals();\n  for (const global of globals) {\n    const slug = global.slug;\n\n    router[`_globals_${slug}`] = {\n      get: async () => {\n        await checkGlobalAccessTRPC(global, \"read\", ctx);\n\n        const doc = await ctx.db.findOne({\n          collection: `_globals_${slug}`,\n          where: {},\n          tenantID: ctx.tenantID,\n        });\n        return doc;\n      },\n      update: async (input: { data: Record<string, any> }) => {\n        await checkGlobalAccessTRPC(global, \"update\", ctx);\n\n        const schema = ctx.registry.getZodSchema(slug);\n        const validated = schema.parse(input.data);\n\n        const existing = await ctx.db.findOne({\n          collection: `_globals_${slug}`,\n          where: {},\n          tenantID: ctx.tenantID,\n        });\n\n        let doc;\n        if (existing) {\n          doc = await ctx.db.update({\n            collection: `_globals_${slug}`,\n            id: existing.id,\n            data: validated,\n            tenantID: ctx.tenantID,\n          });\n        } else {\n          doc = await ctx.db.create({\n            collection: `_globals_${slug}`,\n            data: { ...validated, id: slug },\n            tenantID: ctx.tenantID,\n          });\n        }\n\n        return doc;\n      },\n    };\n  }\n\n  return router;\n}\n\n// ============================================================================\n// Typed Router Interface\n// ============================================================================\n\nexport interface KyroRouter {\n  [collectionSlug: string]: {\n    find: (input: {\n      where?: Record<string, any>;\n      sort?: string;\n      limit?: number;\n      page?: number;\n      depth?: number;\n      select?: string[];\n      draft?: boolean;\n    }) => Promise<{\n      docs: any[];\n      totalDocs: number;\n      limit: number;\n      totalPages: number;\n      page: number;\n      pagingCounter: number;\n      hasPrevPage: boolean;\n      hasNextPage: boolean;\n      prevPage: number | null;\n      nextPage: number | null;\n    }>;\n    findByID: (input: {\n      id: string;\n      depth?: number;\n      select?: string[];\n      draft?: boolean;\n    }) => Promise<any>;\n    create: (input: {\n      data: Record<string, any>;\n      depth?: number;\n      select?: string[];\n    }) => Promise<{ doc: any }>;\n    update: (input: {\n      id: string;\n      data: Record<string, any>;\n      depth?: number;\n      select?: string[];\n      baseUpdatedAt?: string;\n    }) => Promise<{ doc: any }>;\n    delete: (input: { id: string }) => Promise<{ doc: any; message: string }>;\n    count: (input: {\n      where?: Record<string, any>;\n    }) => Promise<{ totalDocs: number }>;\n  };\n}\n\n// ============================================================================\n// Server Entry\n// ============================================================================\n\nexport function createKyroServer(ctx: KyroContext): KyroRouter {\n  // Check if tRPC is disabled in settings\n  const apiAccess = ctx.settings?.access?.apiAccess;\n  if (apiAccess?.trpcEnabled === false) {\n    throw new Error(\"tRPC API is disabled\");\n  }\n\n  return createDynamicRouter(ctx) as KyroRouter;\n}\n"]}