@momentumcms/server-analog 0.3.0 → 0.4.1

package/index.cjs

@@ -5,6 +5,9 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -27,14 +30,524 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// libs/server-analog/src/index.ts
+// libs/storage/src/lib/storage.types.ts
+var init_storage_types = __esm({
+  "libs/storage/src/lib/storage.types.ts"() {
+    "use strict";
+  }
+});
+
+// libs/storage/src/lib/storage-local.ts
+function localStorageAdapter(options) {
+  const { directory, baseUrl } = options;
+  const resolvedRoot = (0, import_node_path.resolve)(directory);
+  if (!(0, import_node_fs.existsSync)(resolvedRoot)) {
+    (0, import_node_fs.mkdirSync)(resolvedRoot, { recursive: true });
+  }
+  function safePath(unsafePath) {
+    const normalized = (0, import_node_path.normalize)(unsafePath);
+    if (normalized.includes("..")) {
+      throw new Error("Invalid path: directory traversal not allowed");
+    }
+    const full = (0, import_node_path.resolve)(resolvedRoot, normalized);
+    if (!full.startsWith(resolvedRoot)) {
+      throw new Error("Invalid path: directory traversal not allowed");
+    }
+    if ((0, import_node_fs.existsSync)(full) && (0, import_node_fs.lstatSync)(full).isSymbolicLink()) {
+      throw new Error("Invalid path: symbolic links not allowed");
+    }
+    return full;
+  }
+  return {
+    async upload(file, uploadOptions) {
+      const ext = (0, import_node_path.extname)(file.originalName) || getExtensionFromMimeType(file.mimeType);
+      const filename = uploadOptions?.filename ? `${uploadOptions.filename}${ext}` : `${(0, import_node_crypto2.randomUUID)()}${ext}`;
+      const subdir = uploadOptions?.directory ?? "";
+      const targetDir = subdir ? safePath(subdir) : resolvedRoot;
+      if (subdir && !(0, import_node_fs.existsSync)(targetDir)) {
+        (0, import_node_fs.mkdirSync)(targetDir, { recursive: true });
+      }
+      const filePath = safePath(subdir ? (0, import_node_path.join)(subdir, filename) : filename);
+      const relativePath = subdir ? (0, import_node_path.join)((0, import_node_path.normalize)(subdir), filename) : filename;
+      (0, import_node_fs.writeFileSync)(filePath, file.buffer);
+      const url = baseUrl ? `${baseUrl}/${relativePath}` : `/api/media/file/${relativePath}`;
+      return {
+        path: relativePath,
+        url,
+        filename,
+        mimeType: file.mimeType,
+        size: file.size
+      };
+    },
+    async delete(path) {
+      const filePath = safePath(path);
+      if ((0, import_node_fs.existsSync)(filePath)) {
+        (0, import_node_fs.unlinkSync)(filePath);
+        return true;
+      }
+      return false;
+    },
+    getUrl(path) {
+      return baseUrl ? `${baseUrl}/${path}` : `/api/media/file/${path}`;
+    },
+    async exists(path) {
+      const filePath = safePath(path);
+      return (0, import_node_fs.existsSync)(filePath);
+    },
+    async read(path) {
+      const filePath = safePath(path);
+      if ((0, import_node_fs.existsSync)(filePath)) {
+        return (0, import_node_fs.readFileSync)(filePath);
+      }
+      return null;
+    }
+  };
+}
+function getExtensionFromMimeType(mimeType) {
+  const mimeToExt = {
+    "image/jpeg": ".jpg",
+    "image/png": ".png",
+    "image/gif": ".gif",
+    "image/webp": ".webp",
+    "image/svg+xml": ".svg",
+    "application/pdf": ".pdf",
+    "application/json": ".json",
+    "text/plain": ".txt",
+    "text/html": ".html",
+    "text/css": ".css",
+    "application/javascript": ".js",
+    "video/mp4": ".mp4",
+    "video/webm": ".webm",
+    "audio/mpeg": ".mp3",
+    "audio/wav": ".wav",
+    "application/zip": ".zip"
+  };
+  return mimeToExt[mimeType] ?? "";
+}
+var import_node_fs, import_node_path, import_node_crypto2;
+var init_storage_local = __esm({
+  "libs/storage/src/lib/storage-local.ts"() {
+    "use strict";
+    import_node_fs = require("node:fs");
+    import_node_path = require("node:path");
+    import_node_crypto2 = require("node:crypto");
+  }
+});
+
+// libs/storage/src/lib/storage-s3.ts
+async function loadAwsSdk() {
+  if (S3Client)
+    return;
+  const s3Module = await import("@aws-sdk/client-s3");
+  const presignerModule = await import("@aws-sdk/s3-request-presigner");
+  S3Client = s3Module.S3Client;
+  PutObjectCommand = s3Module.PutObjectCommand;
+  DeleteObjectCommand = s3Module.DeleteObjectCommand;
+  HeadObjectCommand = s3Module.HeadObjectCommand;
+  GetObjectCommand = s3Module.GetObjectCommand;
+  getSignedUrl = presignerModule.getSignedUrl;
+}
+function s3StorageAdapter(options) {
+  const {
+    bucket,
+    region,
+    accessKeyId,
+    secretAccessKey,
+    endpoint,
+    baseUrl,
+    forcePathStyle = false,
+    acl = "private",
+    presignedUrlExpiry = 3600
+  } = options;
+  let client = null;
+  async function getClient() {
+    await loadAwsSdk();
+    if (!client) {
+      const clientConfig = {
+        region,
+        forcePathStyle
+      };
+      if (endpoint) {
+        clientConfig.endpoint = endpoint;
+      }
+      if (accessKeyId && secretAccessKey) {
+        clientConfig.credentials = {
+          accessKeyId,
+          secretAccessKey
+        };
+      }
+      client = new S3Client(clientConfig);
+    }
+    return client;
+  }
+  function getPublicUrl(key) {
+    if (baseUrl) {
+      return `${baseUrl}/${key}`;
+    }
+    if (endpoint) {
+      return `${endpoint}/${bucket}/${key}`;
+    }
+    return `https://${bucket}.s3.${region}.amazonaws.com/${key}`;
+  }
+  return {
+    async upload(file, uploadOptions) {
+      const s3 = await getClient();
+      const ext = (0, import_node_path2.extname)(file.originalName) || getExtensionFromMimeType2(file.mimeType);
+      const filename = uploadOptions?.filename ? `${uploadOptions.filename}${ext}` : `${(0, import_node_crypto3.randomUUID)()}${ext}`;
+      const key = uploadOptions?.directory ? `${uploadOptions.directory}/${filename}` : filename;
+      await s3.send(
+        new PutObjectCommand({
+          Bucket: bucket,
+          Key: key,
+          Body: file.buffer,
+          ContentType: file.mimeType,
+          ACL: acl
+        })
+      );
+      return {
+        path: key,
+        url: acl === "public-read" ? getPublicUrl(key) : `/api/media/file/${key}`,
+        filename,
+        mimeType: file.mimeType,
+        size: file.size
+      };
+    },
+    async delete(path) {
+      const s3 = await getClient();
+      try {
+        await s3.send(
+          new DeleteObjectCommand({
+            Bucket: bucket,
+            Key: path
+          })
+        );
+        return true;
+      } catch {
+        return false;
+      }
+    },
+    getUrl(path) {
+      if (acl === "public-read") {
+        return getPublicUrl(path);
+      }
+      return `/api/media/file/${path}`;
+    },
+    async exists(path) {
+      const s3 = await getClient();
+      try {
+        await s3.send(
+          new HeadObjectCommand({
+            Bucket: bucket,
+            Key: path
+          })
+        );
+        return true;
+      } catch {
+        return false;
+      }
+    },
+    async getSignedUrl(path, expiresIn) {
+      const s3 = await getClient();
+      await loadAwsSdk();
+      const command = new GetObjectCommand({
+        Bucket: bucket,
+        Key: path
+      });
+      return getSignedUrl(s3, command, {
+        expiresIn: expiresIn ?? presignedUrlExpiry
+      });
+    },
+    async read(path) {
+      const s3 = await getClient();
+      try {
+        const response = await s3.send(
+          new GetObjectCommand({
+            Bucket: bucket,
+            Key: path
+          })
+        );
+        if (!response.Body) {
+          return null;
+        }
+        const chunks = [];
+        const body = response.Body;
+        for await (const chunk of body) {
+          chunks.push(chunk);
+        }
+        return Buffer.concat(chunks);
+      } catch {
+        return null;
+      }
+    }
+  };
+}
+function getExtensionFromMimeType2(mimeType) {
+  const mimeToExt = {
+    "image/jpeg": ".jpg",
+    "image/png": ".png",
+    "image/gif": ".gif",
+    "image/webp": ".webp",
+    "image/svg+xml": ".svg",
+    "application/pdf": ".pdf",
+    "application/json": ".json",
+    "text/plain": ".txt",
+    "text/html": ".html",
+    "text/css": ".css",
+    "application/javascript": ".js",
+    "video/mp4": ".mp4",
+    "video/webm": ".webm",
+    "audio/mpeg": ".mp3",
+    "audio/wav": ".wav",
+    "application/zip": ".zip"
+  };
+  return mimeToExt[mimeType] ?? "";
+}
+var import_node_crypto3, import_node_path2, S3Client, PutObjectCommand, DeleteObjectCommand, HeadObjectCommand, GetObjectCommand, getSignedUrl;
+var init_storage_s3 = __esm({
+  "libs/storage/src/lib/storage-s3.ts"() {
+    "use strict";
+    import_node_crypto3 = require("node:crypto");
+    import_node_path2 = require("node:path");
+  }
+});
+
+// libs/storage/src/lib/mime-validator.ts
+function detectMimeType(buffer) {
+  for (const sig of FILE_SIGNATURES) {
+    const offset = sig.offset ?? 0;
+    if (buffer.length < offset + sig.bytes.length) {
+      continue;
+    }
+    let match = true;
+    for (let i = 0; i < sig.bytes.length; i++) {
+      if (buffer[offset + i] !== sig.bytes[i]) {
+        match = false;
+        break;
+      }
+    }
+    if (match) {
+      if (sig.bytes[0] === 82 && sig.bytes[1] === 73) {
+        if (buffer.length >= 12) {
+          const formatId = buffer.slice(8, 12).toString("ascii");
+          if (formatId === "WEBP") {
+            return "image/webp";
+          }
+          if (formatId === "WAVE") {
+            return "audio/wav";
+          }
+          if (formatId === "AVI ") {
+            return "video/avi";
+          }
+        }
+      }
+      if (sig.mimeType === "video/mp4" && buffer.length >= 8) {
+        const boxType = buffer.slice(4, 8).toString("ascii");
+        if (boxType === "ftyp") {
+          return "video/mp4";
+        }
+      }
+      return sig.mimeType;
+    }
+  }
+  if (isTextContent(buffer)) {
+    const text2 = buffer.toString("utf8", 0, Math.min(buffer.length, 1e3));
+    if (text2.trim().startsWith("{") || text2.trim().startsWith("[")) {
+      return "application/json";
+    }
+    if (text2.trim().startsWith("<")) {
+      if (text2.includes("<svg")) {
+        return "image/svg+xml";
+      }
+      if (text2.includes("<!DOCTYPE html") || text2.includes("<html")) {
+        return "text/html";
+      }
+      return "application/xml";
+    }
+    return "text/plain";
+  }
+  return null;
+}
+function isTextContent(buffer) {
+  const checkLength = Math.min(buffer.length, 512);
+  for (let i = 0; i < checkLength; i++) {
+    const byte = buffer[i];
+    if (byte < 9 || // Control chars before tab
+    byte > 13 && byte < 32 || // Control chars between CR and space
+    byte === 127) {
+      if (byte >= 128 && byte <= 191) {
+        continue;
+      }
+      if (byte >= 192 && byte <= 247) {
+        continue;
+      }
+      return false;
+    }
+  }
+  return true;
+}
+function mimeTypeMatches(mimeType, pattern) {
+  if (pattern === "*" || pattern === "*/*") {
+    return true;
+  }
+  if (pattern.endsWith("/*")) {
+    const category = pattern.slice(0, -2);
+    return mimeType.startsWith(`${category}/`);
+  }
+  return mimeType === pattern;
+}
+function isMimeTypeAllowed(mimeType, allowedTypes) {
+  if (allowedTypes.length === 0) {
+    return true;
+  }
+  return allowedTypes.some((pattern) => mimeTypeMatches(mimeType, pattern));
+}
+function validateMimeType(buffer, claimedType, allowedTypes) {
+  const detectedType = detectMimeType(buffer);
+  if (allowedTypes && allowedTypes.length > 0) {
+    const typeToCheck = detectedType ?? claimedType;
+    if (!isMimeTypeAllowed(typeToCheck, allowedTypes)) {
+      return {
+        valid: false,
+        detectedType,
+        claimedType,
+        error: `File type '${typeToCheck}' is not allowed. Allowed types: ${allowedTypes.join(", ")}`
+      };
+    }
+  }
+  if (!detectedType) {
+    return {
+      valid: true,
+      detectedType: null,
+      claimedType
+    };
+  }
+  const compatible = areMimeTypesCompatible(detectedType, claimedType);
+  if (!compatible) {
+    return {
+      valid: false,
+      detectedType,
+      claimedType,
+      error: `File appears to be '${detectedType}' but was uploaded as '${claimedType}'`
+    };
+  }
+  return {
+    valid: true,
+    detectedType,
+    claimedType
+  };
+}
+function areMimeTypesCompatible(detected, claimed) {
+  if (detected === claimed) {
+    return true;
+  }
+  const [detectedCategory] = detected.split("/");
+  const [claimedCategory] = claimed.split("/");
+  if (detectedCategory !== claimedCategory) {
+    return false;
+  }
+  const variations = {
+    "image/jpeg": ["image/jpg", "image/pjpeg"],
+    "text/plain": ["text/x-plain"],
+    "application/json": ["text/json"],
+    "application/javascript": ["text/javascript", "application/x-javascript"]
+  };
+  const allowedVariations = variations[detected];
+  if (allowedVariations && allowedVariations.includes(claimed)) {
+    return true;
+  }
+  for (const [canonical, variants] of Object.entries(variations)) {
+    if (variants.includes(detected) && (canonical === claimed || variants.includes(claimed))) {
+      return true;
+    }
+  }
+  return false;
+}
+var FILE_SIGNATURES;
+var init_mime_validator = __esm({
+  "libs/storage/src/lib/mime-validator.ts"() {
+    "use strict";
+    FILE_SIGNATURES = [
+      // Images
+      { mimeType: "image/jpeg", bytes: [255, 216, 255] },
+      { mimeType: "image/png", bytes: [137, 80, 78, 71, 13, 10, 26, 10] },
+      { mimeType: "image/gif", bytes: [71, 73, 70, 56] },
+      // GIF8
+      { mimeType: "image/webp", bytes: [82, 73, 70, 70], offset: 0 },
+      // RIFF (need to check for WEBP at offset 8)
+      { mimeType: "image/bmp", bytes: [66, 77] },
+      // BM
+      { mimeType: "image/tiff", bytes: [73, 73, 42, 0] },
+      // Little-endian TIFF
+      { mimeType: "image/tiff", bytes: [77, 77, 0, 42] },
+      // Big-endian TIFF
+      { mimeType: "image/x-icon", bytes: [0, 0, 1, 0] },
+      // ICO
+      { mimeType: "image/svg+xml", bytes: [60, 115, 118, 103] },
+      // <svg (partial match)
+      // Documents
+      { mimeType: "application/pdf", bytes: [37, 80, 68, 70] },
+      // %PDF
+      // Archives
+      { mimeType: "application/zip", bytes: [80, 75, 3, 4] },
+      // PK
+      { mimeType: "application/gzip", bytes: [31, 139] },
+      { mimeType: "application/x-rar-compressed", bytes: [82, 97, 114, 33] },
+      // Rar!
+      // Audio
+      { mimeType: "audio/mpeg", bytes: [73, 68, 51] },
+      // ID3 (MP3)
+      { mimeType: "audio/mpeg", bytes: [255, 251] },
+      // MP3 frame sync
+      { mimeType: "audio/wav", bytes: [82, 73, 70, 70] },
+      // RIFF (need to check for WAVE)
+      { mimeType: "audio/ogg", bytes: [79, 103, 103, 83] },
+      // OggS
+      { mimeType: "audio/flac", bytes: [102, 76, 97, 67] },
+      // fLaC
+      // Video
+      { mimeType: "video/mp4", bytes: [0, 0, 0], offset: 0 },
+      // Need to check for ftyp at offset 4
+      { mimeType: "video/webm", bytes: [26, 69, 223, 163] },
+      // EBML header
+      { mimeType: "video/avi", bytes: [82, 73, 70, 70] },
+      // RIFF (need to check for AVI)
+      // Executables (for blocking)
+      { mimeType: "application/x-executable", bytes: [127, 69, 76, 70] },
+      // ELF
+      { mimeType: "application/x-msdownload", bytes: [77, 90] }
+      // MZ (Windows EXE)
+    ];
+  }
+});
+
+// libs/storage/src/index.ts
 var src_exports = {};
 __export(src_exports, {
+  detectMimeType: () => detectMimeType,
+  isMimeTypeAllowed: () => isMimeTypeAllowed,
+  localStorageAdapter: () => localStorageAdapter,
+  mimeTypeMatches: () => mimeTypeMatches,
+  s3StorageAdapter: () => s3StorageAdapter,
+  validateMimeType: () => validateMimeType
+});
+var init_src = __esm({
+  "libs/storage/src/index.ts"() {
+    "use strict";
+    init_storage_types();
+    init_storage_local();
+    init_storage_s3();
+    init_mime_validator();
+  }
+});
+
+// libs/server-analog/src/index.ts
+var src_exports2 = {};
+__export(src_exports2, {
   createComprehensiveMomentumHandler: () => createComprehensiveMomentumHandler,
   createMomentumHandler: () => createMomentumHandler,
   createSimpleMomentumHandler: () => createSimpleMomentumHandler
 });
-module.exports = __toCommonJS(src_exports);
+module.exports = __toCommonJS(src_exports2);
 
 // libs/logger/src/lib/log-level.ts
 var LOG_LEVEL_VALUES = {
@@ -291,6 +804,9 @@ function getSoftDeleteField(config) {
   const sdConfig = config.softDelete;
   return sdConfig.field ?? "deletedAt";
 }
+function isUploadCollection(config) {
+  return config.upload != null;
+}
 
 // libs/core/src/lib/fields/field.types.ts
 var ReferentialIntegrityError = class extends Error {
@@ -2970,210 +3486,8 @@ function createAdapterApiKeyStore(adapter) {
   };
 }
 
-// libs/storage/src/lib/mime-validator.ts
-var FILE_SIGNATURES = [
-  // Images
-  { mimeType: "image/jpeg", bytes: [255, 216, 255] },
-  { mimeType: "image/png", bytes: [137, 80, 78, 71, 13, 10, 26, 10] },
-  { mimeType: "image/gif", bytes: [71, 73, 70, 56] },
-  // GIF8
-  { mimeType: "image/webp", bytes: [82, 73, 70, 70], offset: 0 },
-  // RIFF (need to check for WEBP at offset 8)
-  { mimeType: "image/bmp", bytes: [66, 77] },
-  // BM
-  { mimeType: "image/tiff", bytes: [73, 73, 42, 0] },
-  // Little-endian TIFF
-  { mimeType: "image/tiff", bytes: [77, 77, 0, 42] },
-  // Big-endian TIFF
-  { mimeType: "image/x-icon", bytes: [0, 0, 1, 0] },
-  // ICO
-  { mimeType: "image/svg+xml", bytes: [60, 115, 118, 103] },
-  // <svg (partial match)
-  // Documents
-  { mimeType: "application/pdf", bytes: [37, 80, 68, 70] },
-  // %PDF
-  // Archives
-  { mimeType: "application/zip", bytes: [80, 75, 3, 4] },
-  // PK
-  { mimeType: "application/gzip", bytes: [31, 139] },
-  { mimeType: "application/x-rar-compressed", bytes: [82, 97, 114, 33] },
-  // Rar!
-  // Audio
-  { mimeType: "audio/mpeg", bytes: [73, 68, 51] },
-  // ID3 (MP3)
-  { mimeType: "audio/mpeg", bytes: [255, 251] },
-  // MP3 frame sync
-  { mimeType: "audio/wav", bytes: [82, 73, 70, 70] },
-  // RIFF (need to check for WAVE)
-  { mimeType: "audio/ogg", bytes: [79, 103, 103, 83] },
-  // OggS
-  { mimeType: "audio/flac", bytes: [102, 76, 97, 67] },
-  // fLaC
-  // Video
-  { mimeType: "video/mp4", bytes: [0, 0, 0], offset: 0 },
-  // Need to check for ftyp at offset 4
-  { mimeType: "video/webm", bytes: [26, 69, 223, 163] },
-  // EBML header
-  { mimeType: "video/avi", bytes: [82, 73, 70, 70] },
-  // RIFF (need to check for AVI)
-  // Executables (for blocking)
-  { mimeType: "application/x-executable", bytes: [127, 69, 76, 70] },
-  // ELF
-  { mimeType: "application/x-msdownload", bytes: [77, 90] }
-  // MZ (Windows EXE)
-];
-function detectMimeType(buffer) {
-  for (const sig of FILE_SIGNATURES) {
-    const offset = sig.offset ?? 0;
-    if (buffer.length < offset + sig.bytes.length) {
-      continue;
-    }
-    let match = true;
-    for (let i = 0; i < sig.bytes.length; i++) {
-      if (buffer[offset + i] !== sig.bytes[i]) {
-        match = false;
-        break;
-      }
-    }
-    if (match) {
-      if (sig.bytes[0] === 82 && sig.bytes[1] === 73) {
-        if (buffer.length >= 12) {
-          const formatId = buffer.slice(8, 12).toString("ascii");
-          if (formatId === "WEBP") {
-            return "image/webp";
-          }
-          if (formatId === "WAVE") {
-            return "audio/wav";
-          }
-          if (formatId === "AVI ") {
-            return "video/avi";
-          }
-        }
-      }
-      if (sig.mimeType === "video/mp4" && buffer.length >= 8) {
-        const boxType = buffer.slice(4, 8).toString("ascii");
-        if (boxType === "ftyp") {
-          return "video/mp4";
-        }
-      }
-      return sig.mimeType;
-    }
-  }
-  if (isTextContent(buffer)) {
-    const text2 = buffer.toString("utf8", 0, Math.min(buffer.length, 1e3));
-    if (text2.trim().startsWith("{") || text2.trim().startsWith("[")) {
-      return "application/json";
-    }
-    if (text2.trim().startsWith("<")) {
-      if (text2.includes("<svg")) {
-        return "image/svg+xml";
-      }
-      if (text2.includes("<!DOCTYPE html") || text2.includes("<html")) {
-        return "text/html";
-      }
-      return "application/xml";
-    }
-    return "text/plain";
-  }
-  return null;
-}
-function isTextContent(buffer) {
-  const checkLength = Math.min(buffer.length, 512);
-  for (let i = 0; i < checkLength; i++) {
-    const byte = buffer[i];
-    if (byte < 9 || // Control chars before tab
-    byte > 13 && byte < 32 || // Control chars between CR and space
-    byte === 127) {
-      if (byte >= 128 && byte <= 191) {
-        continue;
-      }
-      if (byte >= 192 && byte <= 247) {
-        continue;
-      }
-      return false;
-    }
-  }
-  return true;
-}
-function mimeTypeMatches(mimeType, pattern) {
-  if (pattern === "*" || pattern === "*/*") {
-    return true;
-  }
-  if (pattern.endsWith("/*")) {
-    const category = pattern.slice(0, -2);
-    return mimeType.startsWith(`${category}/`);
-  }
-  return mimeType === pattern;
-}
-function isMimeTypeAllowed(mimeType, allowedTypes) {
-  if (allowedTypes.length === 0) {
-    return true;
-  }
-  return allowedTypes.some((pattern) => mimeTypeMatches(mimeType, pattern));
-}
-function validateMimeType(buffer, claimedType, allowedTypes) {
-  const detectedType = detectMimeType(buffer);
-  if (allowedTypes && allowedTypes.length > 0) {
-    const typeToCheck = detectedType ?? claimedType;
-    if (!isMimeTypeAllowed(typeToCheck, allowedTypes)) {
-      return {
-        valid: false,
-        detectedType,
-        claimedType,
-        error: `File type '${typeToCheck}' is not allowed. Allowed types: ${allowedTypes.join(", ")}`
-      };
-    }
-  }
-  if (!detectedType) {
-    return {
-      valid: true,
-      detectedType: null,
-      claimedType
-    };
-  }
-  const compatible = areMimeTypesCompatible(detectedType, claimedType);
-  if (!compatible) {
-    return {
-      valid: false,
-      detectedType,
-      claimedType,
-      error: `File appears to be '${detectedType}' but was uploaded as '${claimedType}'`
-    };
-  }
-  return {
-    valid: true,
-    detectedType,
-    claimedType
-  };
-}
-function areMimeTypesCompatible(detected, claimed) {
-  if (detected === claimed) {
-    return true;
-  }
-  const [detectedCategory] = detected.split("/");
-  const [claimedCategory] = claimed.split("/");
-  if (detectedCategory !== claimedCategory) {
-    return false;
-  }
-  const variations = {
-    "image/jpeg": ["image/jpg", "image/pjpeg"],
-    "text/plain": ["text/x-plain"],
-    "application/json": ["text/json"],
-    "application/javascript": ["text/javascript", "application/x-javascript"]
-  };
-  const allowedVariations = variations[detected];
-  if (allowedVariations && allowedVariations.includes(claimed)) {
-    return true;
-  }
-  for (const [canonical, variants] of Object.entries(variations)) {
-    if (variants.includes(detected) && (canonical === claimed || variants.includes(claimed))) {
-      return true;
-    }
-  }
-  return false;
-}
-
 // libs/server-core/src/lib/upload-handler.ts
+init_src();
 function getUploadConfig(config) {
   if (!config.storage?.adapter) {
     return null;
@@ -3288,6 +3602,64 @@ async function handleUpload(config, request) {
     };
   }
 }
+async function handleCollectionUpload(globalConfig, request) {
+  const { adapter } = globalConfig;
+  const { file, user, fields, collectionSlug, collectionUpload } = request;
+  const maxFileSize = collectionUpload.maxFileSize ?? globalConfig.maxFileSize ?? 10 * 1024 * 1024;
+  const allowedMimeTypes = collectionUpload.mimeTypes ?? globalConfig.allowedMimeTypes ?? [];
+  try {
+    if (!user) {
+      return {
+        status: 401,
+        error: "Authentication required to upload files"
+      };
+    }
+    const sizeError = validateFileSize(file, maxFileSize);
+    if (sizeError) {
+      return { status: 400, error: sizeError };
+    }
+    const mimeError = validateMimeType2(file.mimeType, allowedMimeTypes);
+    if (mimeError) {
+      return { status: 400, error: mimeError };
+    }
+    if (file.buffer && file.buffer.length > 0) {
+      const magicByteResult = validateMimeType(
+        file.buffer,
+        file.mimeType,
+        allowedMimeTypes
+      );
+      if (!magicByteResult.valid) {
+        return {
+          status: 400,
+          error: magicByteResult.error ?? "File content does not match claimed type"
+        };
+      }
+    }
+    const storedFile = await adapter.upload(file);
+    const docData = {
+      ...fields,
+      filename: file.originalName,
+      mimeType: file.mimeType,
+      filesize: file.size,
+      path: storedFile.path,
+      url: storedFile.url
+    };
+    const api = getMomentumAPI().setContext({ user });
+    const doc = await api.collection(collectionSlug).create(docData);
+    return {
+      status: 201,
+      doc
+    };
+  } catch (error) {
+    if (error instanceof Error) {
+      if (error.message.includes("Access denied")) {
+        return { status: 403, error: error.message };
+      }
+      return { status: 500, error: `Upload failed: ${error.message}` };
+    }
+    return { status: 500, error: "Upload failed: Unknown error" };
+  }
+}
 async function handleFileGet(adapter, path) {
   if (!adapter.read) {
     return null;
@@ -4370,6 +4742,39 @@ function coerceCsvValue(value, fieldType) {
 }
 
 // libs/server-analog/src/lib/server-analog.ts
+function nestBracketParams(flat) {
+  const result = {};
+  for (const [key, value] of Object.entries(flat)) {
+    const bracketIdx = key.indexOf("[");
+    if (bracketIdx === -1) {
+      result[key] = value;
+      continue;
+    }
+    const rootKey = key.slice(0, bracketIdx);
+    const bracketPart = key.slice(bracketIdx);
+    const parts = [];
+    const bracketRegex = /\[([^\]]*)\]/g;
+    let m;
+    while ((m = bracketRegex.exec(bracketPart)) !== null) {
+      parts.push(m[1]);
+    }
+    if (parts.length === 0) {
+      result[key] = value;
+      continue;
+    }
+    let current = result[rootKey] ?? {};
+    result[rootKey] = current;
+    for (let i = 0; i < parts.length - 1; i++) {
+      const part = parts[i];
+      if (typeof current[part] !== "object" || current[part] === null) {
+        current[part] = {};
+      }
+      current = current[part];
+    }
+    current[parts[parts.length - 1]] = value;
+  }
+  return result;
+}
 function toMomentumMethod(m) {
   if (m === "GET" || m === "POST" || m === "PATCH" || m === "PUT" || m === "DELETE") {
     return m;
@@ -4385,7 +4790,7 @@ function createMomentumHandler(config) {
     const pathSegments = (params["momentum"] ?? "").split("/").filter(Boolean);
     const collectionSlug = pathSegments[0] ?? "";
     const id = pathSegments[1];
-    const queryParams = getQuery(event);
+    const queryParams = nestBracketParams(getQuery(event));
     const sortParam = queryParams["sort"];
     const query = {
       limit: queryParams["limit"] ? Number(queryParams["limit"]) : void 0,
@@ -4518,7 +4923,7 @@ function createComprehensiveMomentumHandler(config) {
     const user = context?.user;
     const params = utils.getRouterParams(event);
     const pathSegments = (params["momentum"] ?? "").split("/").filter(Boolean);
-    const queryParams = utils.getQuery(event);
+    const queryParams = nestBracketParams(utils.getQuery(event));
     const seg0 = pathSegments[0] ?? "";
     const seg1 = pathSegments[1];
     const seg2 = pathSegments[2];
@@ -4761,7 +5166,7 @@ function createComprehensiveMomentumHandler(config) {
         utils.setResponseStatus(event, 400);
         return { error: "File path required" };
       }
-      const { normalize, isAbsolute, resolve, sep } = await import("node:path");
+      const { normalize: normalize2, isAbsolute, resolve: resolve2, sep } = await import("node:path");
       let decodedPath;
       try {
         decodedPath = decodeURIComponent(rawPath);
@@ -4769,13 +5174,17 @@ function createComprehensiveMomentumHandler(config) {
         utils.setResponseStatus(event, 400);
         return { error: "Invalid path encoding" };
       }
-      const filePath = normalize(decodedPath).replace(/^(\.\.(\/|\\|$))+/, "");
-      if (isAbsolute(filePath) || filePath.includes("..") || filePath.includes(`${sep}..`)) {
+      if (decodedPath.includes("..")) {
+        utils.setResponseStatus(event, 403);
+        return { error: "Invalid file path" };
+      }
+      const filePath = normalize2(decodedPath);
+      if (isAbsolute(filePath)) {
         utils.setResponseStatus(event, 403);
         return { error: "Invalid file path" };
       }
-      const fakeRoot = resolve("/safe-root");
-      const resolved = resolve(fakeRoot, filePath);
+      const fakeRoot = resolve2("/safe-root");
+      const resolved = resolve2(fakeRoot, filePath);
       if (!resolved.startsWith(fakeRoot + sep) && resolved !== fakeRoot) {
         utils.setResponseStatus(event, 403);
         return { error: "Invalid file path" };
@@ -5272,6 +5681,140 @@ function createComprehensiveMomentumHandler(config) {
         return { error: sanitizeErrorMessage(error, "Import failed") };
       }
     }
+    const postUploadCol = seg0 ? config.collections.find((c) => c.slug === seg0) : void 0;
+    if (method === "POST" && seg0 && !seg1 && postUploadCol && isUploadCollection(postUploadCol)) {
+      if (!user) {
+        utils.setResponseStatus(event, 401);
+        return { error: "Authentication required to upload files" };
+      }
+      const uploadConfig = getUploadConfig(config);
+      if (!uploadConfig) {
+        utils.setResponseStatus(event, 500);
+        return { error: "Storage not configured" };
+      }
+      const formData = await utils.readMultipartFormData(event);
+      if (!formData || formData.length === 0) {
+        utils.setResponseStatus(event, 400);
+        return { error: "No file provided" };
+      }
+      const fileField = formData.find((f) => f.name === "file");
+      if (!fileField || !fileField.filename) {
+        utils.setResponseStatus(event, 400);
+        return { error: "No file provided" };
+      }
+      const file = {
+        originalName: fileField.filename,
+        mimeType: fileField.type ?? "application/octet-stream",
+        size: fileField.data.length,
+        buffer: fileField.data
+      };
+      const fields = {};
+      for (const field of formData) {
+        if (field.name !== "file" && field.name) {
+          fields[field.name] = field.data.toString("utf-8");
+        }
+      }
+      const uploadRequest = {
+        file,
+        user,
+        fields,
+        collectionSlug: seg0,
+        collectionUpload: postUploadCol.upload
+      };
+      const response2 = await handleCollectionUpload(uploadConfig, uploadRequest);
+      utils.setResponseStatus(event, response2.status);
+      return response2;
+    }
+    const patchUploadCol = seg0 ? config.collections.find((c) => c.slug === seg0) : void 0;
+    if (method === "PATCH" && seg0 && seg1 && patchUploadCol && isUploadCollection(patchUploadCol)) {
+      if (!user) {
+        utils.setResponseStatus(event, 401);
+        return { error: "Authentication required to upload files" };
+      }
+      const formData = await utils.readMultipartFormData(event);
+      if (formData) {
+        const uploadConfig = getUploadConfig(config);
+        if (!uploadConfig) {
+          utils.setResponseStatus(event, 500);
+          return { error: "Storage not configured" };
+        }
+        const fileField = formData.find((f) => f.name === "file");
+        if (fileField?.filename) {
+          const file = {
+            originalName: fileField.filename,
+            mimeType: fileField.type ?? "application/octet-stream",
+            size: fileField.data.length,
+            buffer: fileField.data
+          };
+          const maxFileSize = patchUploadCol.upload?.maxFileSize ?? uploadConfig.maxFileSize ?? 10 * 1024 * 1024;
+          const allowedMimeTypes = patchUploadCol.upload?.mimeTypes ?? uploadConfig.allowedMimeTypes ?? [];
+          if (file.size > maxFileSize) {
+            const maxMB = (maxFileSize / (1024 * 1024)).toFixed(1);
+            utils.setResponseStatus(event, 400);
+            return { error: `File too large. Maximum size is ${maxMB}MB` };
+          }
+          const mimeError = validateMimeType2(file.mimeType, allowedMimeTypes);
+          if (mimeError) {
+            utils.setResponseStatus(event, 400);
+            return { error: mimeError };
+          }
+          if (file.buffer && file.buffer.length > 0) {
+            const { validateMimeType: validateMimeByMagicBytes } = await Promise.resolve().then(() => (init_src(), src_exports));
+            const magicByteResult = validateMimeByMagicBytes(
+              file.buffer,
+              file.mimeType,
+              allowedMimeTypes
+            );
+            if (!magicByteResult.valid) {
+              utils.setResponseStatus(event, 400);
+              return {
+                error: magicByteResult.error ?? "File content does not match claimed type"
+              };
+            }
+          }
+          const storedFile = await uploadConfig.adapter.upload(file);
+          const fields = {};
+          for (const field of formData ?? []) {
+            if (field.name !== "file" && field.name) {
+              fields[field.name] = field.data.toString("utf-8");
+            }
+          }
+          const updateData = {
+            ...fields,
+            filename: file.originalName,
+            mimeType: file.mimeType,
+            filesize: file.size,
+            path: storedFile.path,
+            url: storedFile.url
+          };
+          try {
+            const api = getMomentumAPI().setContext({ user });
+            const doc = await api.collection(seg0).update(seg1, updateData);
+            return { doc };
+          } catch (error) {
+            utils.setResponseStatus(event, 500);
+            return { error: sanitizeErrorMessage(error, "Failed to update document") };
+          }
+        } else {
+          const fields = {};
+          for (const field of formData ?? []) {
+            if (field.name) {
+              fields[field.name] = field.data.toString("utf-8");
+            }
+          }
+          const request2 = {
+            method: "PATCH",
+            collectionSlug: seg0,
+            id: seg1,
+            body: fields,
+            user
+          };
+          const response2 = await handlers.routeRequest(request2);
+          utils.setResponseStatus(event, response2.status ?? 200);
+          return response2;
+        }
+      }
+    }
     const collectionSlug = seg0;
     const id = seg1;
     const sortParam = queryParams["sort"];