@kyro-cms/core 0.9.4 → 0.9.6

package/dist/{chunk-CNKT4PME.cjs → chunk-QVJNSAQL.cjs}

@@ -5,7 +5,7 @@ var chunkKC2GDBLS_cjs = require('./chunk-KC2GDBLS.cjs');
 var chunkIDVRRRAK_cjs = require('./chunk-IDVRRRAK.cjs');
 var chunkADLJSJSN_cjs = require('./chunk-ADLJSJSN.cjs');
 var chunkQFLB4EIJ_cjs = require('./chunk-QFLB4EIJ.cjs');
-var chunk4M7X5HAB_cjs = require('./chunk-4M7X5HAB.cjs');
+var chunkFKKQUMXR_cjs = require('./chunk-FKKQUMXR.cjs');
 var chunkRFFSZSCL_cjs = require('./chunk-RFFSZSCL.cjs');
 var chunk7OS7TX2Q_cjs = require('./chunk-7OS7TX2Q.cjs');
 var chunkQ23GAMLE_cjs = require('./chunk-Q23GAMLE.cjs');
@@ -391,14 +391,14 @@ function createAuthMiddleware(config) {
     userLookup
   } = config;
   return async function authMiddleware(req) {
-    const apiKeyRaw = chunk4M7X5HAB_cjs.extractApiKeyFromRequest(req);
+    const apiKeyRaw = chunkFKKQUMXR_cjs.extractApiKeyFromRequest(req);
     if (apiKeyRaw && db) {
-      const result = await chunk4M7X5HAB_cjs.validateApiKey(apiKeyRaw, db, userLookup);
+      const result = await chunkFKKQUMXR_cjs.validateApiKey(apiKeyRaw, db, userLookup);
       if (result.valid && result.user) {
         return {
           user: result.user,
           tenantContext: createTenantContextFromUser(result.user),
-          apiKeyContext: chunk4M7X5HAB_cjs.createApiKeyContext(result),
+          apiKeyContext: chunkFKKQUMXR_cjs.createApiKeyContext(result),
           status: 200,
           authType: "apikey"
         };
@@ -3545,105 +3545,27 @@ function buildConflictResponse(expectedUpdatedAt, currentDoc) {
     }
   };
 }
-async function checkCollectionAccess(collection, operation, req, ctxUser, ctxTenantID, apiKeyContext, enablePublicAccess = true, defaultCollectionAccess = "none") {
-  const accessRule = collection.access?.[operation];
-  const accessLevels = {
-    none: false,
-    read: operation === "read",
-    create: operation === "read" || operation === "create",
-    update: operation === "read" || operation === "create" || operation === "update",
-    delete: operation === "read" || operation === "create" || operation === "update" || operation === "delete",
-    admin: true
-  };
-  const isDefaultAllowed = accessLevels[defaultCollectionAccess] || false;
-  if (accessRule) {
-    const allowed = await chunk4M7X5HAB_cjs.evaluateAccess(accessRule, {
-      req,
-      user: ctxUser,
-      tenantID: ctxTenantID
-    });
-    if (allowed === false) {
-      return { allowed: false, error: "Access denied", status: 403 };
-    }
-  } else if (!ctxUser) {
-    const allowed = enablePublicAccess && isDefaultAllowed;
-    if (!allowed) {
-      return {
-        allowed: false,
-        error: "Authentication required",
-        status: 401
-      };
-    }
-  }
-  if (apiKeyContext?.permissions?.length > 0) {
-    const resource = collection.slug;
-    const action = operation === "read" ? "read" : operation === "create" ? "create" : "update";
-    const permission = `${resource}:${action}`;
-    if (!chunk4M7X5HAB_cjs.hasApiKeyPermission(apiKeyContext.permissions, permission) && !chunk4M7X5HAB_cjs.hasApiKeyPermission(apiKeyContext.permissions, `${resource}:admin`)) {
-      return {
-        allowed: false,
-        error: `Missing permission: ${permission}`,
-        status: 403
-      };
-    }
-  }
-  if (ctxUser && !(apiKeyContext?.permissions?.length > 0)) {
-    const resource = collection.slug;
-    const action = operation === "read" ? "read" : operation === "create" ? "create" : operation === "update" ? "update" : "delete";
-    const permission = `${resource}:${action}`;
-    let rbacAllowed = false;
-    if (ctxUser.role) {
-      const userHasPermission = chunkNKPKR5BW_cjs.hasPermission(
-        { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role },
-        permission
-      );
-      if (userHasPermission) {
-        rbacAllowed = true;
-      } else {
-        const adminPermission = chunkNKPKR5BW_cjs.hasPermission(
-          { id: ctxUser.id, email: ctxUser.email, role: ctxUser.role },
-          `${resource}:admin`
-        );
-        if (adminPermission) rbacAllowed = true;
-      }
-    }
-    if (!rbacAllowed && !isDefaultAllowed && !accessRule) {
-      return {
-        allowed: false,
-        error: `Missing RBAC permission: ${permission}`,
-        status: 403
-      };
-    }
-  }
-  return { allowed: true };
+async function checkCollectionAccess2(collection, operation, req, ctxUser, ctxTenantID, apiKeyContext, enablePublicAccess = true, defaultCollectionAccess = "none") {
+  const result = await chunkFKKQUMXR_cjs.checkCollectionAccess(collection, operation, {
+    user: ctxUser,
+    req,
+    tenantID: ctxTenantID,
+    apiKey: apiKeyContext
+  }, {
+    enablePublicAccess,
+    defaultAccess: defaultCollectionAccess
+  });
+  return result;
 }
-async function checkGlobalAccess(global, operation, req, ctxUser, ctxTenantID, enablePublicAccess = true) {
-  const accessRule = global.access?.[operation];
-  if (accessRule) {
-    const allowed = await chunk4M7X5HAB_cjs.evaluateAccess(accessRule, {
-      req,
-      user: ctxUser,
-      tenantID: ctxTenantID
-    });
-    if (allowed === false) {
-      return { allowed: false, error: "Access denied", status: 403 };
-    }
-  } else if (!ctxUser) {
-    const accessLevels = {
-      none: false,
-      read: operation === "read",
-      update: operation === "read" || operation === "update"
-    };
-    const allowed = enablePublicAccess && accessLevels[operation === "read" ? "read" : "admin"];
-    if (!allowed) {
-      return {
-        allowed: false,
-        error: "Authentication required",
-        status: 401
-      };
-    }
-  }
-  return { allowed: true };
+async function checkGlobalAccess2(global, operation, req, ctxUser, ctxTenantID, enablePublicAccess = true) {
+  const result = await chunkFKKQUMXR_cjs.checkGlobalAccess(global, operation, {
+    user: ctxUser,
+    req,
+    tenantID: ctxTenantID
+  }, {
+    enablePublicAccess
+  });
+  return result;
 }
 async function resolveAuthContext(req, authMw, staticUser, staticTenantID) {
   if (staticUser) {
@@ -3815,7 +3737,7 @@ function createHonoApp(options) {
       const globals = {};
       for (const col of registry.getCollections()) {
         const permissions = {
-          read: (await checkCollectionAccess(
+          read: (await checkCollectionAccess2(
             col,
             "read",
             c.req.raw,
@@ -3825,7 +3747,7 @@ function createHonoApp(options) {
             enablePublicAccess,
             defaultCollectionAccess
           )).allowed,
-          create: (await checkCollectionAccess(
+          create: (await checkCollectionAccess2(
             col,
             "create",
             c.req.raw,
@@ -3835,7 +3757,7 @@ function createHonoApp(options) {
             enablePublicAccess,
             defaultCollectionAccess
           )).allowed,
-          update: (await checkCollectionAccess(
+          update: (await checkCollectionAccess2(
             col,
             "update",
             c.req.raw,
@@ -3845,7 +3767,7 @@ function createHonoApp(options) {
             enablePublicAccess,
             defaultCollectionAccess
           )).allowed,
-          delete: (await checkCollectionAccess(
+          delete: (await checkCollectionAccess2(
             col,
             "delete",
             c.req.raw,
@@ -3860,7 +3782,7 @@ function createHonoApp(options) {
       }
       for (const globalConfig of registry.getGlobals()) {
         const permissions = {
-          read: (await checkGlobalAccess(
+          read: (await checkGlobalAccess2(
             globalConfig,
             "read",
             c.req.raw,
@@ -3868,7 +3790,7 @@ function createHonoApp(options) {
             ctxTenantID,
             enablePublicAccess
           )).allowed,
-          update: (await checkGlobalAccess(
+          update: (await checkGlobalAccess2(
             globalConfig,
             "update",
             c.req.raw,
@@ -3899,7 +3821,7 @@ function createHonoApp(options) {
         user,
         tenantID
       );
-      const access = await checkCollectionAccess(
+      const access = await checkCollectionAccess2(
         usersCollection2,
         "read",
         c.req.raw,
@@ -3963,7 +3885,7 @@ function createHonoApp(options) {
         user,
         tenantID
       );
-      const access = await checkCollectionAccess(
+      const access = await checkCollectionAccess2(
         usersCollection2,
         "create",
         c.req.raw,
@@ -4017,7 +3939,7 @@ function createHonoApp(options) {
         user,
         tenantID
       );
-      const access = await checkCollectionAccess(
+      const access = await checkCollectionAccess2(
         usersCollection2,
         "update",
         c.req.raw,
@@ -4086,7 +4008,7 @@ function createHonoApp(options) {
         user,
         tenantID
       );
-      const access = await checkCollectionAccess(
+      const access = await checkCollectionAccess2(
         usersCollection2,
         "delete",
         c.req.raw,
@@ -4135,7 +4057,7 @@ function createHonoApp(options) {
       );
       const auditLogsCollection = registry.getCollection("audit_logs");
       if (auditLogsCollection) {
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           auditLogsCollection,
           "read",
           c.req.raw,
@@ -4810,7 +4732,7 @@ function createHonoApp(options) {
       );
       for (const collection of registry.getCollections()) {
         if (!targetCollections.includes(collection.slug)) continue;
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "read",
           c.req.raw,
@@ -4871,7 +4793,7 @@ function createHonoApp(options) {
       }
       const page = parseInt(c.req.query("page") || "1");
       const limit = Math.min(parseInt(c.req.query("limit") || "50"), 100);
-      const result = await db.find({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, where: {}, page, limit, tenantID: ctxTenantID });
+      const result = await db.find({ collection: chunkFKKQUMXR_cjs.API_KEY_COLLECTION, where: {}, page, limit, tenantID: ctxTenantID });
       const docs = (result.docs || []).map((doc) => ({
         id: doc.id,
         name: doc.name,
@@ -4896,14 +4818,14 @@ function createHonoApp(options) {
       if (!body.name || typeof body.name !== "string") {
         return c.json({ error: "name is required" }, 400);
       }
-      const rawKey = chunk4M7X5HAB_cjs.generateApiKey();
+      const rawKey = chunkFKKQUMXR_cjs.generateApiKey();
       const doc = await db.create({
-        collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION,
+        collection: chunkFKKQUMXR_cjs.API_KEY_COLLECTION,
         data: {
           userId: ctxUser.id,
           name: body.name,
           key: rawKey,
-          keyPrefix: chunk4M7X5HAB_cjs.generateApiKeyPrefix(rawKey),
+          keyPrefix: chunkFKKQUMXR_cjs.generateApiKeyPrefix(rawKey),
           permissions: Array.isArray(body.permissions) ? body.permissions : ["*"],
           expiresAt: body.expiresAt || null,
           createdAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -4934,9 +4856,9 @@ function createHonoApp(options) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const id = c.req.param("id");
-      const existing = await db.findByID({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id });
+      const existing = await db.findByID({ collection: chunkFKKQUMXR_cjs.API_KEY_COLLECTION, id });
       if (!existing) return c.json({ error: "API key not found" }, 404);
-      await db.delete({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id });
+      await db.delete({ collection: chunkFKKQUMXR_cjs.API_KEY_COLLECTION, id });
       await sessionAuthAdapter?.createAuditLog({
         action: "api_key_delete",
         userId: ctxUser.id,
@@ -4959,14 +4881,14 @@ function createHonoApp(options) {
       }
       const id = c.req.param("id");
       const body = await c.req.json();
-      const existing = await db.findByID({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id });
+      const existing = await db.findByID({ collection: chunkFKKQUMXR_cjs.API_KEY_COLLECTION, id });
       if (!existing) return c.json({ error: "API key not found" }, 404);
       const updateData = {};
       if (typeof body.name === "string" && body.name.trim()) updateData.name = body.name.trim();
       if (Array.isArray(body.permissions)) updateData.permissions = body.permissions;
       if (body.expiresAt !== void 0) updateData.expiresAt = body.expiresAt || null;
       if (Object.keys(updateData).length === 0) return c.json({ error: "Nothing to update" }, 400);
-      const updated = await db.update({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id, data: updateData });
+      const updated = await db.update({ collection: chunkFKKQUMXR_cjs.API_KEY_COLLECTION, id, data: updateData });
       return c.json({ ...updated, keyPrefix: existing.keyPrefix });
     } catch (error) {
       console.error("[ApiKeys] PATCH error:", error);
@@ -4980,15 +4902,15 @@ function createHonoApp(options) {
         return c.json({ error: "Forbidden" }, 403);
       }
       const id = c.req.param("id");
-      const existing = await db.findByID({ collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION, id });
+      const existing = await db.findByID({ collection: chunkFKKQUMXR_cjs.API_KEY_COLLECTION, id });
       if (!existing) return c.json({ error: "API key not found" }, 404);
-      const rawKey = chunk4M7X5HAB_cjs.generateApiKey();
+      const rawKey = chunkFKKQUMXR_cjs.generateApiKey();
       const updated = await db.update({
-        collection: chunk4M7X5HAB_cjs.API_KEY_COLLECTION,
+        collection: chunkFKKQUMXR_cjs.API_KEY_COLLECTION,
         id,
         data: {
           key: rawKey,
-          keyPrefix: chunk4M7X5HAB_cjs.generateApiKeyPrefix(rawKey),
+          keyPrefix: chunkFKKQUMXR_cjs.generateApiKeyPrefix(rawKey),
           lastUsedAt: null
         }
       });
@@ -5169,7 +5091,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "read",
           c.req.raw,
@@ -5217,7 +5139,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "read",
           c.req.raw,
@@ -5271,7 +5193,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -5331,7 +5253,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -5366,7 +5288,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "read",
           c.req.raw,
@@ -5416,7 +5338,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "create",
           c.req.raw,
@@ -5540,7 +5462,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -5705,7 +5627,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "delete",
           c.req.raw,
@@ -5795,7 +5717,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "create",
           c.req.raw,
@@ -5843,7 +5765,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -5887,7 +5809,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -5934,7 +5856,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -6019,7 +5941,7 @@ function createHonoApp(options) {
           tenantID: ctxTenantID,
           apiKeyContext
         } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkCollectionAccess(
+        const access = await checkCollectionAccess2(
           collection,
           "update",
           c.req.raw,
@@ -6069,7 +5991,7 @@ function createHonoApp(options) {
     app.get(basePath, async (c) => {
       try {
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(
+        const access = await checkGlobalAccess2(
           globalConfig,
           "read",
           c.req.raw,
@@ -6113,7 +6035,7 @@ function createHonoApp(options) {
     const upsertGlobal = async (c) => {
       try {
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(
+        const access = await checkGlobalAccess2(
           globalConfig,
           "update",
           c.req.raw,
@@ -6248,7 +6170,7 @@ function createHonoApp(options) {
     app.post(`${basePath}/publish`, async (c) => {
       try {
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(globalConfig, "update", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
+        const access = await checkGlobalAccess2(globalConfig, "update", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
         if (!access.allowed) return c.json({ error: access.error }, 403);
         const collectionSlug = `_globals_${slug}`;
         const originalDoc = await db.findOne({
@@ -6298,7 +6220,7 @@ function createHonoApp(options) {
     app.post(`${basePath}/unpublish`, async (c) => {
       try {
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(globalConfig, "update", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
+        const access = await checkGlobalAccess2(globalConfig, "update", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
         if (!access.allowed) return c.json({ error: access.error }, 403);
         const doc = await db.update({
           collection: `_globals_${slug}`,
@@ -6314,7 +6236,7 @@ function createHonoApp(options) {
     app.get(`${basePath}/versions`, async (c) => {
       try {
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(globalConfig, "read", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
+        const access = await checkGlobalAccess2(globalConfig, "read", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
         if (!access.allowed) return c.json({ error: access.error }, 403);
         const limit = parseInt(c.req.query("limit") || "10");
         const page = parseInt(c.req.query("page") || "1");
@@ -6334,7 +6256,7 @@ function createHonoApp(options) {
       try {
         const versionId = c.req.param("versionId");
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(globalConfig, "read", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
+        const access = await checkGlobalAccess2(globalConfig, "read", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
         if (!access.allowed) return c.json({ error: access.error }, 403);
         const version = await db.findVersionByID({
           collection: `_globals_${slug}`,
@@ -6351,7 +6273,7 @@ function createHonoApp(options) {
       try {
         const versionId = c.req.param("versionId");
         const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-        const access = await checkGlobalAccess(globalConfig, "update", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
+        const access = await checkGlobalAccess2(globalConfig, "update", c.req.raw, ctxUser, ctxTenantID, enablePublicAccess);
         if (!access.allowed) return c.json({ error: access.error }, 403);
         const collectionSlug = `_globals_${slug}`;
         const version = await db.findVersionByID({
@@ -6379,7 +6301,7 @@ function createHonoApp(options) {
       app.post(`${basePath}/test`, async (c) => {
         try {
           const { user: ctxUser, tenantID: ctxTenantID } = await resolveAuthContext(c.req.raw, authMw, user, tenantID);
-          const access = await checkGlobalAccess(
+          const access = await checkGlobalAccess2(
             globalConfig,
             "update",
             c.req.raw,
@@ -6491,5 +6413,5 @@ exports.init_secret = init_secret;
 exports.loadSecrets = loadSecrets;
 exports.resolveProvider = resolveProvider;
 exports.setDbAdapter = setDbAdapter;
-//# sourceMappingURL=chunk-CNKT4PME.cjs.map
-//# sourceMappingURL=chunk-CNKT4PME.cjs.map
+//# sourceMappingURL=chunk-QVJNSAQL.cjs.map
+//# sourceMappingURL=chunk-QVJNSAQL.cjs.map