@nexpress/core 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,2037 @@
+import { c as NpConfig, d as NpCollectionConfig, e as NpAuthUser, f as NpSaveOptions, g as NpSaveResult, h as NpFindOptions, i as NpFindResult, j as NpFieldConfig, a as NpNavItem, k as NpRegisteredTheme, l as NpThemeFieldRequirement, m as NpThemeManifest, n as NpUserRole, o as NpPluginConfig } from './types-TlsbXS0T.js';
+export { p as NpAccessFunction, q as NpArrayField, r as NpBlockConfig, b as NpBlockInstance, s as NpBlocksField, t as NpCheckboxField, u as NpCollapsibleField, v as NpCollectionHook, w as NpDateField, x as NpDocumentStatus, y as NpEditorConfig, z as NpEmailField, A as NpFieldCondition, B as NpFieldValidator, C as NpFindWhere, D as NpFindWhereSystemTokens, E as NpGroupField, F as NpHookPrincipal, G as NpI18nConfig, H as NpImageSize, I as NpJobType, J as NpJsonField, K as NpNumberField, L as NpPluginContext, F as NpPrincipal, M as NpRadioField, O as NpRelationshipField, P as NpResolvedPluginLike, N as NpRichTextContent, Q as NpRichTextField, R as NpRowField, S as NpSelectField, T as NpTextField, U as NpTextareaField, V as NpThemeCollectionRequirement, W as NpUploadConfig, X as NpUploadField, Y as ROLE_HIERARCHY } from './types-TlsbXS0T.js';
+export { ARGON2_OPTIONS, ArcticLikeProvider, ArcticLikeTokens, FromArcticOptions, IssuedOAuthState, NpCapability, NpConsumeMemberEmailVerifyResult, NpConsumeMemberResetResult, NpConsumeResetTokenOptions, NpConsumeResetTokenResult, NpCreateResetTokenOptions, NpIssuedMemberToken, NpIssuedResetToken, NpMemberAuthRow, NpMemberIdentityRow, NpMemberResetRequestResult, NpMemberTokenPayload, NpPasswordResetPurpose, NpResetRequestResult, NpTokenPayload, NpUserIdentityRow, OAuthAuthorizeParams, OAuthExchangeParams, OAuthProfile, OAuthProvider, OAuthStatePayload, ResolveMemberOAuthLoginInput, ResolveMemberOAuthLoginResult, ResolveOAuthLoginInput, ResolveOAuthLoginResult, ResolvedOAuthMember, ResolvedOAuthUser, VerifyOAuthStateResult, authenticated, can, consumeMemberEmailVerifyToken, consumeMemberPasswordReset, consumePasswordResetToken, createMemberEmailVerifyToken, createPasswordResetToken, fromArctic, getMemberFromTokenPayload, getOAuthProvider, hashPassword, invalidateAllMemberSessions, invalidateAllSessions, isAdmin, isEditorOrAbove, isOwnerOrAdmin, isTokenVerificationError, issueOAuthState, listMemberIdentities, listOAuthProviders, listUserIdentities, registerOAuthProvider, requestMemberPasswordReset, requestPasswordReset, resetOAuthProviders, resolveMemberOAuthLogin, resolveOAuthLogin, revokeMemberIdentity, revokeUserIdentity, sha256, signMemberToken, signToken, verifyCsrf, verifyMemberToken, verifyOAuthState, verifyPassword, verifyToken, verifyTokenFull } from './auth.js';
+import { SQL } from 'drizzle-orm';
+import { NpSitemapEntry, NpFeedEntry } from './seo.js';
+export { ArticleJsonLd, ArticleJsonLdInput, BuildAtomFeedOptions, BuildJsonLdContext, BuildSitemapOptions, DEFAULT_SITE_SEO_SETTINGS, DiscussionForumPostingJsonLd, NpPageMetadata, NpPageMetadataInput, NpSeoSettingsPatch, NpSiteSeoSettings, NpSitemapIndexEntry, PersonJsonLd, PersonJsonLdInput, WebSiteJsonLd, buildArticleJsonLd, buildAtomFeed, buildDiscussionForumPostingJsonLd, buildPageMetadata, buildPersonJsonLd, buildSitemap, buildWebSiteJsonLd, getSiteSeoSettings, renderAtomFeed, renderSitemapIndexXml, renderSitemapXml, validateSeoSettingsPatch } from './seo.js';
+export { c as createDbConnection, g as generateDocumentsModule, a as generateDrizzleSchema, b as generateTypeScript, d as getDb, s as setDb } from './index-XwP1ET8b.js';
+import { z, ZodTypeAny } from 'zod';
+export { N as NP_GLOBAL_PLUGIN_SITE_ID, n as npAuditEvents, a as npBanKindEnum, b as npBanScopeEnum, c as npBans, d as npCommentStatusEnum, e as npComments, f as npFollows, g as npJobLogs, h as npMedia, i as npMediaFolders, j as npMediaFoldersRelations, k as npMediaRefs, l as npMediaRefsRelations, m as npMediaRelations, o as npMediaStatusEnum, p as npMemberIdentities, q as npMemberMutes, r as npMemberRoleScopeEnum, s as npMemberRoles, t as npMemberSessions, u as npMemberStatusEnum, v as npMembers, w as npNavigation, x as npNavigationRelations, y as npNotifications, z as npPasswordResetPurposeEnum, A as npPluginStorage, B as npPlugins, C as npReactions, D as npReports, E as npRevisionStatusEnum, F as npRevisions, G as npRevisionsRelations, H as npSessions, I as npSessionsRelations, J as npSettings, K as npSettingsRelations, L as npSiteMemberships, M as npSites, O as npSlugHistory, P as npStringOverrides, Q as npUserOAuthIdentities, R as npUserRoleEnum, S as npUsers, T as npUsersRelations, U as npWorkerHeartbeats } from './index-CY55LC0u.js';
+export { D as DEFAULT_JOB_LOG_RETENTION_MS, L as ListJobLogsOptions, N as NpJobCountOptions, a as NpJobHandler, b as NpJobListOptions, c as NpJobListResult, d as NpJobLogEntry, e as NpJobQueue, f as NpJobState, g as NpJobStateCounts, h as NpJobSummary, i as NpJobsPauseState, j as NpPluginScheduleStats, k as NpReconcileSchedulesResult, l as NpScheduleSummary, m as NpWorkerHealthSummary, n as NpWorkerHeartbeat, P as PAUSE_SYNC_INTERVAL_MS, o as PgBossAdapter, S as SetJobsPauseStateInput, W as WORKER_HEARTBEAT_INTERVAL_MS, p as WORKER_STALE_THRESHOLD_MS, q as configureBuiltinJobContext, r as countAliveWorkers, s as countJobLogs, t as enqueueJob, u as getAllJobHandlers, v as getCurrentJobId, w as getJobHandler, x as getJobQueue, y as getJobsPauseState, z as getOptionalJobQueue, A as listJobLogs, B as listWorkerHealth, C as markWorkerStopped, E as pruneJobLogsOlderThan, F as purgeStaleWorkers, G as recordHeartbeat, H as recordJobLog, I as registerBuiltinHandlers, J as registerJobHandler, K as runInJobContext, M as setJobQueue, O as setJobsPauseState, Q as startProducer, R as startWorker, T as stopProducer, U as stopWorker } from './index-B6-_vr_m.js';
+import { N as NpStorageAdapter, a as NpFileMetadata } from './index-CeiTvwbp.js';
+export { D as DEFAULT_IMAGE_SIZES, b as NpGetMediaUrlOptions, c as NpMediaUploader, d as NpMediaUploaderKindFilter, e as NpMediaVariantName, f as NpProcessedImageResult, g as NpProcessedImageVariant, h as cleanupDeletedMedia, i as deleteMedia, j as extractMediaIds, k as getMediaById, l as getMediaUrl, m as getStorageAdapter, n as listMedia, p as processImage, o as processMediaImage, s as setStorageAdapter, u as uploadMedia } from './index-CeiTvwbp.js';
+import { ReadableStream } from 'node:stream/web';
+export { NpLocaleDirection, NpResolveLocaleInput, NpResolveLocaleResult, NpStringOverrideRow, NpTranslationBundle, NpTranslationParams, addStrings, clearStringOverrideCacheForSite, deleteStringOverride, formatDate, formatNumber, formatRelativeTime, getAllStrings, getCurrentLocale, getI18nConfig, getLocaleDirection, getStringOverride, getStringOverridesForSite, getStrings, listStringOverridesForSite, loadStringOverridesForSite, resetI18nConfig, resetIntlFormatterCache, resetStringOverrideCache, resetStrings, resetTranslationCache, resolveLocale, setI18nConfig, setStringOverride, setStrings, t, tSync } from './i18n.js';
+import { NodePgDatabase } from 'drizzle-orm/node-postgres';
+export { N as NpLogLevel, a as NpLogger, c as consoleLogger, g as getLogger, b as getScopedLogger, r as resetLogger, s as setLogger } from './logger-DqGaOU_j.js';
+export { NpErrorReportContext, NpErrorReporter, NpStartupSafetyInput, getErrorReporter, noopErrorReporter, reportError, resetErrorReporter, setErrorReporter, verifyStartupSafety } from './observability.js';
+export { InMemoryRateLimiter, NpRateLimitDecision, NpRateLimiterAdapter, getOptionalRateLimiter, getRateLimiter, setRateLimiter } from './rate-limit.js';
+export { AuditActor, AuditActorKind, AuditEventRow, BanKind, BanScope, BuildDigestEmailInput, CommentStatus, CommunityCapability, CommunityRoleDefinition, CommunityScope, CreateNotificationInput, DEFAULT_COMMUNITY_SETTINGS, DEFAULT_REACTION_KINDS, FanOutMentionsInput, FileReportInput, GrantMemberRoleInput, IssueBanInput, ListAuditOptions, ListMutesOptions, ListNotificationsOptions, ListReportsOptions, ListReportsResult, MENTION_HANDLE_RE, MarkReadInput, MemberAction, MemberCanTarget, MuteMemberInput, NpBanRow, NpCommentCreateInput, NpCommentDeleteInput, NpCommentHideInput, NpCommentListOptions, NpCommentListResult, NpCommentRestoreInput, NpCommentRow, NpCommentSort, NpCommentUpdateInput, NpCommunitySettings, NpDigestCadence, NpDigestEmailContent, NpDigestNotificationSummary, NpFollowInput, NpFollowRow, NpMemberMuteRow, NpMemberMuteSummary, NpMemberProfile, NpMemberPurgeResult, NpMemberRoleGrantRow, NpMemberUploadQuota, NpMentionTarget, NpNotificationKindMeta, NpNotificationListResult, NpNotificationPrefs, NpNotificationRow, NpProfanityAdapter, NpProfanityCheckContext, NpProfanityVerdict, NpProfanityVerdictKind, NpReactToInput, NpReactionRow, NpReportRow, NpReputationAdapter, NpReputationEvent, NpSpamAdapter, NpSpamCheckContext, NpSpamVerdict, NpSpamVerdictKind, Principal, RecordAuditEventInput, ResolveReportInput, RevokeBanInput, RevokeMemberRoleInput, RunDigestSweepInput, RunDigestSweepResult, SetMemberNotificationPrefsInput, addReaction, applyReputation, assertNotBanned, assertOwnsNotification, assertReactableExists, buildDigestEmail, countReactions, createComment, createNotification, deleteComment, extractMentionHandles, extractMentionHandlesFromDocData, extractMentionHandlesFromRichText, fanOutMentionNotifications, fileReport, follow, getCommunityRole, getCommunitySettings, getMemberNotificationPrefs, getMemberProfile, getMemberProfiles, getMutedTargetIds, getProfanityAdapter, getReputationAdapter, getSpamAdapter, grantMemberRole, hideComment, isFollowing, isMuted, isNotificationKindEnabled, issueBan, listAuditEvents, listBansForMember, listComments, listCommunityRoles, listFollowing, listMemberReactions, listMemberRoleGrants, listMutes, listNotificationKinds, listNotifications, listReports, markAllNotificationsRead, markNotificationsRead, memberCan, muteMember, principalCan, purgeMemberContent, recordAuditEvent, recordDigestSent, registerCommunityRole, registerNotificationKind, removeReaction, renderCommentMarkdown, resetCommunityRoles, resetProfanityAdapter, resetReputationAdapter, resetSpamAdapter, resolveMentionedMembers, resolveReport, restoreComment, revokeBan, revokeMemberRole, runDigestSweep, setMemberNotificationPrefs, setProfanityAdapter, setReputationAdapter, setSpamAdapter, staffDeleteComment, staffHideComment, staffRestoreComment, unfollow, unmuteMember, unreadNotificationCount, unresolvedReportCount, updateComment, updateCommunitySettings, validateCommunitySettingsPatch, withMemberWrite } from './community.js';
+export { NpCustomRoute, clearCustomRoutes, getCustomRoutes, registerCustomRoute } from './routes.js';
+import '@node-rs/argon2';
+import 'pg';
+import 'drizzle-orm/pg-core';
+import 'pg-boss';
+
+/**
+ * Validates the project's NpConfig against the declarative schema and returns
+ * it unchanged on success. Catches common mistakes (bad collection slug,
+ * missing auth.secret, malformed storage adapter, etc.) at module-eval time
+ * with a clear message instead of a cryptic runtime failure once the app
+ * tries to boot.
+ *
+ * The most common boot trip-up by far is "auth.secret" / "site.url" /
+ * "db.connectionString" missing on a fresh install. We translate Zod's raw
+ * `String must contain at least 1 character` style messages into actionable
+ * "set NP_SECRET in .env, or run `pnpm run setup`" hints so the new operator
+ * isn't googling Zod path strings.
+ *
+ * Unknown plugin entries are accepted here — the plugin loader does the
+ * deeper validation of manifests against @nexpress/plugin-sdk.
+ */
+declare function defineConfig(config: NpConfig): NpConfig;
+
+declare function defineCollection(config: NpCollectionConfig): NpCollectionConfig;
+
+/**
+ * Public error-code contract (#290).
+ *
+ * `NpError.code` is the machine-readable string the API surface
+ * sends to clients (`response.error.code`). The moment a client
+ * branches on `error.code === "VALIDATION_ERROR"` it becomes
+ * part of the public contract — adding a typo'd code or
+ * renaming an existing one breaks every integration.
+ *
+ * `NpErrorCode` is the union of every code the framework
+ * currently emits. Adding a new code requires extending this
+ * union deliberately — no more "casual" string adoption that
+ * accumulates over a year of PRs.
+ *
+ * The `NpError` constructor still accepts plain `string` so
+ * out-of-tree plugins that throw their own codes keep working;
+ * internal code paths use the union to get IntelliSense and
+ * catch typos at compile time. The `(string & {})` trick on
+ * the public type keeps editor completion narrow without
+ * locking the runtime contract.
+ *
+ * **Stability**: codes follow semver. Renames or removals are
+ * major-bump only. New codes may land in minor versions. See
+ * `docs/api-error-codes.md` for the catalogue an operator /
+ * client team should rely on.
+ */
+type NpErrorCode = "FORBIDDEN" | "NOT_FOUND" | "VALIDATION_ERROR" | "UNAUTHORIZED" | "CONFLICT" | "RATE_LIMITED" | "TOO_MANY_REQUESTS" | "INVALID_URL" | "EMAIL_ADAPTER_MISSING_DEPENDENCY" | "EMAIL_DELIVERY_FAILED" | "SITE_CONTEXT_MISSING" | "INTERNAL_ERROR";
+/**
+ * The constructor signature accepts the union *or* an arbitrary
+ * string. Inside the codebase, passing a literal that isn't in
+ * the union triggers a TypeScript error in strict editors
+ * (autocompletion narrows to `NpErrorCode`). External plugins
+ * authoring their own codes keep working — they just won't get
+ * the autocomplete win.
+ */
+type NpErrorCodeInput = NpErrorCode | (string & Record<never, never>);
+declare class NpError extends Error {
+    readonly code: NpErrorCodeInput;
+    readonly statusCode: number;
+    constructor(message: string, code: NpErrorCodeInput, statusCode?: number);
+}
+declare class NpForbiddenError extends NpError {
+    constructor(collection: string, operation: string);
+}
+declare class NpNotFoundError extends NpError {
+    constructor(collection: string, id: string);
+}
+declare class NpValidationError extends NpError {
+    readonly errors: Array<{
+        field: string;
+        message: string;
+    }>;
+    constructor(message: string, errors: Array<{
+        field: string;
+        message: string;
+    }>);
+}
+declare class NpAuthError extends NpError {
+    constructor(message?: string);
+}
+declare class NpConflictError extends NpError {
+    constructor(message: string);
+}
+/**
+ * Per-actor rate limit / quota exceeded. Distinct from
+ * `NpValidationError` because the request shape was valid — the
+ * server is rejecting it on policy grounds. The 429 status lets
+ * client UIs recognize the case and surface a "you've hit your
+ * daily limit" message rather than a generic validation error.
+ */
+declare class NpRateLimitError extends NpError {
+    constructor(message: string);
+}
+/**
+ * No site context resolved when one was required (#272). Thrown
+ * by `requireSiteId()` on write paths. 500 because this is a
+ * server-side wiring bug — the user request was well-formed,
+ * but the framework couldn't tell which tenant to write to.
+ * Promoted from a plain `Error` to a real `NpError` subclass so
+ * the API layer surfaces it as a uniform error envelope and
+ * clients can branch on the stable `SITE_CONTEXT_MISSING` code.
+ */
+declare class NpSiteContextMissingError extends NpError {
+    constructor(message: string);
+}
+
+/**
+ * Plain-text concatenation of every searchable field. Used by
+ * the moderation pipeline (spam/profanity adapters need the
+ * full text, weights don't matter there).
+ */
+declare function buildSearchVector(config: NpCollectionConfig, data: Record<string, unknown>): string;
+/**
+ * Phase 10.7 — split searchable fields into Postgres tsvector
+ * weight buckets so title-like matches outrank body matches at
+ * query time.
+ *
+ * Convention (no per-field opt-in to keep collections
+ * declarations terse):
+ *   - field.name === "title" or "name"            → weight A
+ *   - other text / textarea / email                → weight B
+ *   - richText                                     → weight C
+ *
+ * Sites that want different weights can name their primary
+ * field "title" and the framework picks the right bucket
+ * automatically. (A future revision can add `field.search.weight`
+ * for explicit control.)
+ *
+ * Postgres ts_rank() applies the default weight scale
+ * { D: 0.1, C: 0.2, B: 0.4, A: 1.0 }, so an A-weighted match
+ * scores ~10× a D-weighted one — meaningful boost for titles.
+ */
+interface NpSearchVectorParts {
+    /** Title-like fields. Highest rank weight. */
+    a: string;
+    /** Body fields (text/textarea/email). */
+    b: string;
+    /** Rich-text body. */
+    c: string;
+    /** Reserved for future categorization (tags, slugs, etc.). */
+    d: string;
+}
+declare function buildSearchVectorParts(config: NpCollectionConfig, data: Record<string, unknown>): NpSearchVectorParts;
+/**
+ * Build the weighted-tsvector SQL fragment that the pipeline
+ * binds to `searchVector` on insert/update. Each non-empty
+ * bucket becomes `setweight(to_tsvector('english', $bucket), '<W>')`;
+ * the buckets are concatenated with `||`. Empty buckets are
+ * skipped so the resulting expression is always non-trivial.
+ *
+ * If every bucket is empty (collection has no text fields, or
+ * every text field is null on this row), returns an empty
+ * tsvector cast — Postgres accepts this as a valid empty
+ * vector value.
+ */
+declare function buildWeightedSearchVectorSql(config: NpCollectionConfig, data: Record<string, unknown>): SQL;
+
+interface CollectionRegistration {
+    config: NpCollectionConfig;
+    table: unknown;
+    childTables?: Record<string, unknown>;
+    joinTables?: Record<string, unknown>;
+}
+declare function registerCollection(slug: string, table: unknown, config: NpCollectionConfig, opts?: {
+    childTables?: Record<string, unknown>;
+    joinTables?: Record<string, unknown>;
+}): void;
+declare function getCollectionConfig(slug: string): NpCollectionConfig;
+declare function getCollectionTable(slug: string): unknown;
+declare function getCollectionRegistration(slug: string): CollectionRegistration;
+declare function getAllCollectionSlugs(): string[];
+
+declare function saveDocument(collection: string, docId: string | null, data: Record<string, unknown>, user: NpAuthUser, options?: NpSaveOptions): Promise<NpSaveResult>;
+/**
+ * Member-side document create. Only valid when
+ * `config.community?.memberWrite?.create === true`. Assumes the API
+ * layer has already authenticated the member (and that the cookie's
+ * status was checked) — this function adds:
+ *   - the per-collection opt-in gate, and
+ *   - `assertNotBanned(memberId)` (site-wide; per-collection bans
+ *     resolve to the same site scope)
+ *
+ * Fires the `document.created` reputation event after a successful
+ * write so adapters can credit the author the same way they credit
+ * comments / reactions. Member-side update / delete live in
+ * `updateMemberDocument` / `deleteMemberDocument` below.
+ */
+/**
+ * Member-side document update. Only valid when
+ * `config.community?.memberWrite?.update === true` AND the existing
+ * row's `member_author_id` matches the caller. Members can NOT
+ * change `_status` via update — `options.status` is stripped here
+ * so a forged body field can't bypass the moderation pipeline. The
+ * author column itself is also locked — see saveDocumentImpl.
+ */
+declare function updateMemberDocument(collection: string, docId: string, data: Record<string, unknown>, memberId: string, options?: NpSaveOptions): Promise<NpSaveResult>;
+declare function createMemberDocument(collection: string, data: Record<string, unknown>, memberId: string, options?: NpSaveOptions): Promise<NpSaveResult>;
+/**
+ * Persist an in-flight editor snapshot as a revision **without** touching
+ * the main document row. Designed for client-side autosave loops: the
+ * editor sends every few seconds while the user types, and a crash mid-
+ * edit can be recovered by restoring the latest autosave revision.
+ *
+ *  - Requires `versions.drafts` to be enabled on the collection.
+ *  - Optionally gated by `versions.drafts.autosave === true` (when
+ *    `versions` is the object form). Throws `NpValidationError` otherwise
+ *    so the API can return a tidy 4xx instead of silently writing.
+ *  - Skips the full zod validation that `saveDocument` runs — autosave
+ *    payloads may be temporarily incomplete (the user is still typing).
+ *  - Skips hooks, jobs, and revalidation: nothing is "saved" yet.
+ *  - Deduplicates against the most recent autosave: if the snapshot is
+ *    byte-identical to the previous autosave row, returns the existing
+ *    summary instead of writing a new one. Avoids unbounded autosave
+ *    rows during long idle edit sessions where react-hook-form fires
+ *    spurious "change" events.
+ */
+declare function autosaveRevision(collection: string, documentId: string, data: Record<string, unknown>, user: NpAuthUser): Promise<{
+    id: string;
+    version: number;
+    status: "autosave";
+    createdAt: Date;
+    reused: boolean;
+}>;
+declare function deleteDocument(collection: string, docId: string, user: NpAuthUser): Promise<void>;
+/**
+ * Member-side delete. Owner-only — the existing row's
+ * `member_author_id` must match the caller. Fires
+ * `document.deleted` reputation event so adapters can debit the
+ * author the same way `comment.deleted` debits commenters.
+ *
+ * The reputation event is gated on the row's status at delete
+ * time: only `published` docs ever earned a `document.created`
+ * credit (the create path withholds it for pending rows; promote
+ * later backfills the credit). Issuing a `document.deleted`
+ * debit for a row that was never credited would drive the
+ * member negative for deleting their own not-yet-visible
+ * content (#126). The audit row is unconditional — the operator
+ * still wants to see "member deleted X".
+ */
+declare function deleteMemberDocument(collection: string, docId: string, memberId: string): Promise<void>;
+/**
+ * Staff promotion of a member-authored `pending` row to `published`
+ * (Phase 9.7d). Closes the loop on the 9.7c moderation gate:
+ *   - the row's status flips to `published` (visible on the public
+ *     site immediately)
+ *   - the deferred `document.created` reputation event fires now,
+ *     crediting the author for content that was held in review
+ *     (mirrors how a comment promoted from `pending` would, in a
+ *     hypothetical comment-promote API — not implemented yet)
+ *   - audit log records `document.promote` with the staff actor
+ *     and the original member author in the payload
+ *
+ * Guards:
+ *   - 404 if the row doesn't exist
+ *   - 400 (validation) if the row isn't currently `pending`
+ *   - 400 (validation) if the row isn't member-authored
+ *     (`member_author_id` is null) — staff drafts use the standard
+ *     edit path
+ *
+ * Idempotence: a second promote on an already-`published` row 400s
+ * rather than silently no-op'ing — the audit trail and reputation
+ * backfill must run exactly once per row.
+ */
+declare function promoteMemberDocument(collection: string, docId: string, staffUserId: string): Promise<NpSaveResult>;
+declare function findDocuments<T extends object = Record<string, unknown>>(collection: string, options: NpFindOptions<NoInfer<T>>, user?: NpAuthUser): Promise<NpFindResult<T>>;
+declare function getDocumentById<T extends object = Record<string, unknown>>(collection: string, id: string, user?: NpAuthUser): Promise<T | null>;
+
+type NpRevisionStatus = "draft" | "published" | "autosave";
+interface NpRevisionSummary {
+    id: string;
+    collection: string;
+    documentId: string;
+    version: number;
+    status: NpRevisionStatus;
+    changedFields: string[];
+    authorId: string | null;
+    createdAt: Date;
+}
+interface NpRevision extends NpRevisionSummary {
+    snapshot: Record<string, unknown>;
+}
+interface NpRevisionListOptions {
+    limit?: number;
+    offset?: number;
+}
+interface NpRevisionListResult {
+    revisions: NpRevisionSummary[];
+    total: number;
+}
+declare function listRevisions(collection: string, documentId: string, options?: NpRevisionListOptions, user?: NpAuthUser | null): Promise<NpRevisionListResult>;
+declare function getRevision(collection: string, documentId: string, revisionId: string, user?: NpAuthUser | null): Promise<NpRevision>;
+declare function restoreRevision(collection: string, documentId: string, revisionId: string, user: NpAuthUser): Promise<NpSaveResult>;
+
+interface PublishScheduledResult {
+    published: number;
+    byCollection: Record<string, string[]>;
+}
+/**
+ * Scans every registered collection that has a `publishedAt` date field,
+ * flips rows with `status="scheduled"` whose `publishedAt <= now` to
+ * `status="published"`, and fires `content:afterPublish` for each.
+ *
+ * Safe to call repeatedly (idempotent once a doc is published) and cheap —
+ * each UPDATE runs against an indexed status column and no-ops when empty.
+ */
+declare function publishScheduledDocuments(atTime?: Date): Promise<PublishScheduledResult>;
+
+/**
+ * Cross-collection pending queue (Phase 9.7e). Lists every
+ * member-authored row that landed `status = "pending"` — the ones
+ * waiting on a staff promote (9.7d) or staff delete. Only collections
+ * that opt into `community.memberWrite.create` are scanned; the rest
+ * either have no member-author column at all or aren't part of the
+ * member-write surface.
+ *
+ * Phase 12.11 — replaced the v1 fan-out (one round trip per
+ * collection, no SQL `LIMIT`, JS-side merge + page) with a single
+ * `UNION ALL` query whose outer `LIMIT/OFFSET` runs at the database.
+ * The per-collection `(status, member_author_id)` is still
+ * status-indexed (`np_c_<slug>_status_idx`), so each branch of the
+ * union narrows fast; the database does the cross-collection
+ * `ORDER BY created_at DESC` + paging. A site with dozens of
+ * member-writable surfaces no longer fans out N+2 round trips, and
+ * an unattended collection accumulating thousands of pendings can't
+ * blow heap by being read fully into memory.
+ */
+interface NpPendingDocSummary {
+    id: string;
+    collectionSlug: string;
+    /** From the doc's `title` field, when it has one. Never empty. */
+    title: string;
+    slug: string | null;
+    status: "pending";
+    createdAt: Date;
+    /**
+     * Resolved from `np_members` via `member_author_id`. Null when the
+     * member was deleted after authoring (FK is `ON DELETE SET NULL`)
+     * — mods see the audit trail for the original actor in that case.
+     */
+    memberAuthor: {
+        id: string;
+        handle: string;
+        displayName: string;
+    } | null;
+}
+interface NpListPendingDocsOptions {
+    /** Restrict to one collection. Useful for per-collection queue
+     *  pages; omit for the global queue. */
+    collectionSlug?: string;
+    limit?: number;
+    offset?: number;
+}
+interface NpListPendingDocsResult {
+    docs: NpPendingDocSummary[];
+    totalDocs: number;
+}
+declare function listPendingMemberDocs(options?: NpListPendingDocsOptions): Promise<NpListPendingDocsResult>;
+
+interface SearchCollectionsOptions {
+    q: string;
+    collections?: string[];
+    limit?: number;
+    offset?: number;
+    /**
+     * Extra where-filter applied on top of the default `{ status: "published" }`
+     * for each collection. Pass `{}` to disable the status filter (caller should
+     * only do this for authenticated admin contexts).
+     */
+    where?: Record<string, unknown>;
+    /**
+     * Phase 12.4 — restrict i18n collections to one locale. Non-
+     * i18n collections ignore this (no `locale` column to match).
+     * Public site search reads this from the URL's locale prefix
+     * so visitors browsing in `/ko/` only see Korean hits.
+     */
+    locale?: string;
+}
+interface SearchResultItem {
+    collection: string;
+    doc: Record<string, unknown>;
+}
+interface SearchResult {
+    results: SearchResultItem[];
+    total: number;
+    perCollection: Record<string, number>;
+}
+/**
+ * Cross-collection full-text search using the existing `search_vector` column
+ * on each collection table. Built on top of `findDocuments` so it inherits
+ * the ts_rank ordering, access-control read checks, and pagination.
+ *
+ * Results are merged in per-collection slug order; for an MVP the within-
+ * collection ranking is authoritative. A future version can do a UNION across
+ * tables if global ranking becomes a priority.
+ */
+declare function searchCollections(opts: SearchCollectionsOptions): Promise<SearchResult>;
+interface ReindexResult {
+    collection: string;
+    processed: number;
+}
+/**
+ * Rebuilds the `search_vector` column for every row in a collection. Useful
+ * after bulk imports or for recovering from corrupted vectors. Idempotent —
+ * safe to run against a live collection while writes continue.
+ */
+declare function reindexCollection(slug: string): Promise<ReindexResult>;
+
+/**
+ * Phase 10.6 — pluggable search adapter. Same shape as the
+ * spam / profanity / reputation adapters from Phase 9.6+:
+ * a single global slot, opt-in via `setSearchAdapter`, default
+ * is "no adapter" which keeps the existing pg `tsvector` path
+ * authoritative.
+ *
+ * Plugins implement this interface to delegate search to an
+ * external engine — Algolia, Meilisearch, OpenSearch, etc.
+ * The plugin is responsible for KEEPING the engine's index
+ * fresh; that's done by subscribing to the `content:afterCreate` /
+ * `:afterUpdate` / `:afterDelete` hooks the framework already
+ * fires (9.7o made those Principal-aware) — no new plumbing
+ * in the pipeline. The adapter ONLY handles the read path.
+ *
+ * Returning `null` / `undefined` from `search()` means "I don't
+ * know how to handle this query; fall through to the pg
+ * default." Useful when an adapter only indexes certain
+ * collections, or wants to defer to pg under specific
+ * conditions (e.g. very short queries).
+ *
+ * Errors thrown by the adapter are fail-open: the framework
+ * logs a warning and falls back to pg. Sites that want
+ * fail-closed wrap their adapter in try/catch and return
+ * `null` on error.
+ */
+interface NpSearchAdapterContext {
+    /** Trimmed query string (already non-empty by the time this runs). */
+    q: string;
+    /** Subset of collection slugs the caller asked to search. */
+    collections?: string[];
+    /** Page size cap, already normalized. */
+    limit: number;
+    /** Skip count, already normalized. */
+    offset: number;
+    /**
+     * Phase 12.4 — locale to scope results to. When set, the
+     * framework expects only docs in this locale (for i18n
+     * collections) plus all docs from non-i18n collections. The
+     * default pg path applies a `locale = $1` filter on i18n
+     * collections; external adapters typically rebuild the index
+     * with one document per (sourceId, locale) and filter on the
+     * locale field. Adapters that don't support per-locale
+     * filtering can return `null` to fall through to pg.
+     */
+    locale?: string;
+}
+interface NpSearchAdapter {
+    /**
+     * Implementation hook. Return a `SearchResult` to override the
+     * default pg tsvector path, or `null` / `undefined` to fall
+     * through. Throws are fail-open (logged + treated as null).
+     */
+    search(ctx: NpSearchAdapterContext): Promise<SearchResult | null | undefined> | SearchResult | null | undefined;
+}
+/**
+ * Replace the global search adapter. Call once at app boot,
+ * typically from a plugin's `setup()`. The framework holds at
+ * most one adapter; sites that want to layer multiple engines
+ * (e.g. blog → Algolia, products → Meilisearch) compose them
+ * inside a single adapter and dispatch on `ctx.collections`.
+ */
+declare function setSearchAdapter(adapter: NpSearchAdapter): void;
+declare function getSearchAdapter(): NpSearchAdapter | null;
+/** Reset to no adapter. Tests use this between cases. */
+declare function resetSearchAdapter(): void;
+
+declare function buildZodSchema(fields: NpFieldConfig[]): z.ZodObject<Record<string, z.ZodTypeAny>>;
+declare function getCollectionZodSchema(config: NpCollectionConfig): z.ZodSchema;
+
+interface TranslationRow {
+    id: string;
+    locale: string;
+    slug: string;
+    status: string;
+    title?: unknown;
+    updatedAt?: Date | string | null;
+    translationGroupId: string;
+}
+/**
+ * Phase 12.3 — list every locale variant linked to the given
+ * document. The `translationGroupId` keys the sibling lookup;
+ * the originating row is included so callers can render a
+ * "current row + others" tab strip without a separate query.
+ *
+ * Returns rows in the locale order from `getI18nConfig()` so
+ * the UI's tab order matches the configured locale list rather
+ * than insertion order.
+ */
+declare function findTranslations(collection: string, docId: string): Promise<TranslationRow[]>;
+/**
+ * Phase 12.3 — copy a doc into a new locale. The source row's
+ * data is reused minus `id` / `slug` / `locale` / status; the
+ * new row gets the source's `translationGroupId` so the two
+ * link as siblings. The pipeline's locale validation runs as
+ * usual (rejects unknown locales).
+ *
+ * The copy lands as a draft (`status: "draft"`) — translators
+ * almost always want to review before publishing. Promote
+ * normally via the existing publish flow once the translation
+ * is ready.
+ *
+ * Slug is intentionally NOT copied: `applySlugField` will
+ * derive a fresh one from the title (or whatever the configured
+ * `useField` is) so the (locale, slug) unique index doesn't
+ * collide if the source already used the slug in that locale.
+ * Callers can override post-create via the regular update path.
+ */
+declare function createTranslation(collection: string, sourceDocId: string, targetLocale: string, user: NpAuthUser): Promise<{
+    id: string;
+}>;
+/**
+ * Phase 12.6 — translation completeness snapshot for the
+ * admin Locales tab.
+ *
+ * Walks every i18n-enabled collection and counts:
+ *   - `totalGroups` — distinct `translation_group_id` values
+ *     (one per "logical document"; if the source has 5 base
+ *     pages, that's 5 groups regardless of locale spread)
+ *   - `counts[locale]` — actual rows per locale
+ *   - `missing[locale]` — `totalGroups - counts[locale]`,
+ *     i.e. how many groups still need this locale
+ *
+ * Returns `null` when i18n isn't configured. Non-i18n
+ * collections are silently skipped — they don't have the
+ * `translation_group_id` column and the dashboard isn't
+ * meaningful for them.
+ *
+ * One SQL round-trip per i18n collection (two GROUP BYs in a
+ * single query). For 1–2 i18n collections this is well under
+ * the cost of the existing dashboard widgets.
+ */
+interface NpTranslationProgressLocaleStats {
+    count: number;
+    missing: number;
+}
+interface NpCollectionTranslationProgress {
+    collection: string;
+    totalGroups: number;
+    perLocale: Record<string, NpTranslationProgressLocaleStats>;
+}
+interface NpTranslationProgress {
+    defaultLocale: string;
+    locales: string[];
+    collections: NpCollectionTranslationProgress[];
+}
+declare function getTranslationProgress(): Promise<NpTranslationProgress | null>;
+
+interface NpThemeColors {
+    primary: string;
+    primaryForeground: string;
+    background: string;
+    foreground: string;
+    muted: string;
+    mutedForeground: string;
+    border: string;
+    card: string;
+    cardForeground: string;
+    accent: string;
+    accentForeground: string;
+    destructive: string;
+    destructiveForeground: string;
+}
+interface NpThemeTypography {
+    fontHeading: string;
+    fontBody: string;
+    fontMono: string;
+    fontSizeBase: string;
+    lineHeight: string;
+    fontSizeSm: string;
+    fontSizeLg: string;
+    fontSizeXl: string;
+    fontSize2xl: string;
+    fontSize3xl: string;
+    fontSize4xl: string;
+}
+interface NpThemeShape {
+    radiusSm: string;
+    radiusMd: string;
+    radiusLg: string;
+    radiusFull: string;
+    shadowSm: string;
+    shadowMd: string;
+    shadowLg: string;
+}
+interface NpThemeTokens {
+    colors: NpThemeColors;
+    typography: NpThemeTypography;
+    shape: NpThemeShape;
+}
+/**
+ * Author-facing partial token shape. Themes that override only a
+ * few colors / fonts / radii ship one of these via `defineTheme`'s
+ * `impl.tokens`. Each sub-tree is `Partial<...>` so a theme that
+ * sets only `colors.primary` doesn't have to copy the rest of
+ * `colors` from `DEFAULT_THEME`. The runtime merger
+ * (`getTheme()` in `content/helpers.ts`) layers an overlay onto
+ * `DEFAULT_THEME` field-by-field.
+ */
+interface NpThemeTokensOverlay {
+    colors?: Partial<NpThemeColors>;
+    typography?: Partial<NpThemeTypography>;
+    shape?: Partial<NpThemeShape>;
+}
+
+/**
+ * Resolves the effective theme tokens for the current site by
+ * layering three sources, last-writer-wins:
+ *
+ *   1. `DEFAULT_THEME` — framework baseline (always full).
+ *   2. The active theme's `impl.tokens` — author-shipped defaults
+ *      that distinguish a theme from the framework baseline (e.g.
+ *      magazine's warm cream palette, portfolio's dark surface).
+ *   3. The DB row in `np_settings.theme` — admin overrides via the
+ *      theme settings tab.
+ *
+ * Each layer is `NpThemeTokensOverlay` (sub-tree-Partial) — themes
+ * only declare the keys they care about, admins only save deltas
+ * they edit. The merge ensures every emitted token has a value.
+ *
+ * This is the canonical token resolver — `apps/web`'s preview
+ * route calls it directly so the page-builder iframe matches what
+ * the public render produces for the same active theme.
+ */
+declare function getTheme(): Promise<NpThemeTokens>;
+declare function getNavigation(location?: string): Promise<NpNavItem[]>;
+declare function getPageBySlug(slug: string, options?: {
+    draft?: boolean;
+    locale?: string;
+}): Promise<Record<string, unknown> | null>;
+declare function getPostBySlug(slug: string, options?: {
+    draft?: boolean;
+}): Promise<Record<string, unknown> | null>;
+declare function findPosts(options: NpFindOptions, user?: NpAuthUser): Promise<NpFindResult>;
+declare function getAllPageSlugs(): Promise<string[]>;
+declare function findSlugRedirect(collection: string, oldSlug: string): Promise<string | null>;
+declare function getSetting<T = unknown>(key: string): Promise<T | null>;
+
+declare const npConfigSchema: z.ZodObject<{
+    site: z.ZodObject<{
+        name: z.ZodString;
+        url: z.ZodString;
+    }, z.core.$strip>;
+    db: z.ZodObject<{
+        connectionString: z.ZodString;
+        pool: z.ZodOptional<z.ZodObject<{
+            max: z.ZodOptional<z.ZodNumber>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>;
+    storage: z.ZodOptional<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        adapter: z.ZodLiteral<"local">;
+        local: z.ZodObject<{
+            directory: z.ZodString;
+            baseUrl: z.ZodString;
+        }, z.core.$strip>;
+    }, z.core.$strip>, z.ZodObject<{
+        adapter: z.ZodLiteral<"s3">;
+        s3: z.ZodObject<{
+            bucket: z.ZodString;
+            region: z.ZodString;
+            endpoint: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "adapter">>;
+    collections: z.ZodArray<z.ZodLazy<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>>;
+    blocks: z.ZodOptional<z.ZodArray<z.ZodUnknown>>;
+    editor: z.ZodOptional<z.ZodObject<{
+        features: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    images: z.ZodOptional<z.ZodObject<{
+        sizes: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            name: z.ZodString;
+            width: z.ZodNumber;
+            height: z.ZodOptional<z.ZodNumber>;
+            crop: z.ZodOptional<z.ZodEnum<{
+                center: "center";
+                top: "top";
+                bottom: "bottom";
+                left: "left";
+                right: "right";
+            }>>;
+        }, z.core.$strip>>>;
+        format: z.ZodOptional<z.ZodEnum<{
+            webp: "webp";
+            avif: "avif";
+            jpeg: "jpeg";
+            png: "png";
+        }>>;
+        quality: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>>;
+    auth: z.ZodOptional<z.ZodObject<{
+        secret: z.ZodString;
+        tokenExpiration: z.ZodOptional<z.ZodNumber>;
+        refreshTokenExpiration: z.ZodOptional<z.ZodNumber>;
+        maxLoginAttempts: z.ZodOptional<z.ZodNumber>;
+        lockoutDuration: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>>;
+    plugins: z.ZodOptional<z.ZodArray<z.ZodUnknown>>;
+    typescript: z.ZodOptional<z.ZodUnknown>;
+    themes: z.ZodOptional<z.ZodArray<z.ZodUnknown>>;
+    i18n: z.ZodOptional<z.ZodObject<{
+        locales: z.ZodArray<z.ZodString>;
+        defaultLocale: z.ZodString;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+declare const collectionConfigSchema: z.ZodObject<{
+    slug: z.ZodString;
+    labels: z.ZodObject<{
+        singular: z.ZodString;
+        plural: z.ZodString;
+    }, z.core.$strip>;
+    slugField: z.ZodOptional<z.ZodUnion<readonly [z.ZodBoolean, z.ZodObject<{
+        useField: z.ZodOptional<z.ZodString>;
+        unique: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>]>>;
+    i18n: z.ZodOptional<z.ZodBoolean>;
+    fields: z.ZodArray<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    access: z.ZodOptional<z.ZodObject<{
+        create: z.ZodOptional<z.ZodCustom<(...args: unknown[]) => unknown, (...args: unknown[]) => unknown>>;
+        read: z.ZodOptional<z.ZodCustom<(...args: unknown[]) => unknown, (...args: unknown[]) => unknown>>;
+        update: z.ZodOptional<z.ZodCustom<(...args: unknown[]) => unknown, (...args: unknown[]) => unknown>>;
+        delete: z.ZodOptional<z.ZodCustom<(...args: unknown[]) => unknown, (...args: unknown[]) => unknown>>;
+    }, z.core.$strip>>;
+    hooks: z.ZodOptional<z.ZodObject<{
+        beforeCreate: z.ZodOptional<z.ZodArray<z.ZodCustom<(...args: unknown[]) => unknown, (...args: unknown[]) => unknown>>>;
+        afterCreate: z.ZodOptional<z.ZodArray<z.ZodCustom<(...args: unknown[]) => unknown, (...args: unknown[]) => unknown>>>;
+        beforeUpdate: z.ZodOptional<z.ZodArray<z.ZodCustom<(...args: unknown[]) => unknown, (...args: unknown[]) => unknown>>>;
+        afterUpdate: z.ZodOptional<z.ZodArray<z.ZodCustom<(...args: unknown[]) => unknown, (...args: unknown[]) => unknown>>>;
+        beforeDelete: z.ZodOptional<z.ZodArray<z.ZodCustom<(...args: unknown[]) => unknown, (...args: unknown[]) => unknown>>>;
+        afterDelete: z.ZodOptional<z.ZodArray<z.ZodCustom<(...args: unknown[]) => unknown, (...args: unknown[]) => unknown>>>;
+        beforeRead: z.ZodOptional<z.ZodArray<z.ZodCustom<(...args: unknown[]) => unknown, (...args: unknown[]) => unknown>>>;
+        afterRead: z.ZodOptional<z.ZodArray<z.ZodCustom<(...args: unknown[]) => unknown, (...args: unknown[]) => unknown>>>;
+    }, z.core.$strip>>;
+    versions: z.ZodOptional<z.ZodObject<{
+        drafts: z.ZodOptional<z.ZodUnion<readonly [z.ZodBoolean, z.ZodObject<{
+            autosave: z.ZodOptional<z.ZodBoolean>;
+            autosaveInterval: z.ZodOptional<z.ZodNumber>;
+        }, z.core.$strip>]>>;
+        max: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>>;
+    community: z.ZodOptional<z.ZodObject<{
+        comments: z.ZodOptional<z.ZodBoolean>;
+        memberWrite: z.ZodOptional<z.ZodObject<{
+            create: z.ZodOptional<z.ZodBoolean>;
+            update: z.ZodOptional<z.ZodBoolean>;
+            delete: z.ZodOptional<z.ZodBoolean>;
+            defaultStatus: z.ZodOptional<z.ZodEnum<{
+                published: "published";
+                pending: "pending";
+            }>>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>;
+    timestamps: z.ZodOptional<z.ZodBoolean>;
+    admin: z.ZodOptional<z.ZodObject<{
+        listColumns: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSort: z.ZodOptional<z.ZodString>;
+        group: z.ZodOptional<z.ZodString>;
+        hidden: z.ZodOptional<z.ZodBoolean>;
+        description: z.ZodOptional<z.ZodString>;
+        components: z.ZodOptional<z.ZodObject<{
+            listView: z.ZodOptional<z.ZodString>;
+            editView: z.ZodOptional<z.ZodString>;
+            createView: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>;
+    upload: z.ZodOptional<z.ZodObject<{
+        maxFileSize: z.ZodOptional<z.ZodNumber>;
+        allowedMimeTypes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        imageSizes: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            name: z.ZodString;
+            width: z.ZodNumber;
+            height: z.ZodOptional<z.ZodNumber>;
+            crop: z.ZodOptional<z.ZodEnum<{
+                center: "center";
+                top: "top";
+                bottom: "bottom";
+                left: "left";
+                right: "right";
+            }>>;
+        }, z.core.$strip>>>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+
+interface LocalStorageAdapterConfig {
+    directory: string;
+    baseUrl: string;
+}
+declare class LocalStorageAdapter implements NpStorageAdapter {
+    private readonly config;
+    constructor(config: LocalStorageAdapterConfig);
+    upload(key: string, data: Buffer | ReadableStream, _: NpFileMetadata): Promise<void>;
+    getStream(key: string): Promise<ReadableStream>;
+    getUrl(key: string): Promise<string>;
+    delete(key: string): Promise<void>;
+    exists(key: string): Promise<boolean>;
+    private resolvePath;
+    private normalizeBaseUrl;
+}
+
+interface S3StorageAdapterConfig {
+    bucket: string;
+    region: string;
+    endpoint?: string;
+    credentials?: {
+        accessKeyId: string;
+        secretAccessKey: string;
+    };
+}
+declare class S3StorageAdapter implements NpStorageAdapter {
+    private readonly config;
+    private clientPromise;
+    constructor(config: S3StorageAdapterConfig);
+    upload(key: string, data: Buffer | ReadableStream, metadata: NpFileMetadata): Promise<void>;
+    getStream(key: string): Promise<ReadableStream>;
+    getUrl(key: string): Promise<string>;
+    delete(key: string): Promise<void>;
+    exists(key: string): Promise<boolean>;
+    private getClient;
+    private createClient;
+}
+
+declare function createStorageAdapter(config: NpConfig["storage"]): NpStorageAdapter;
+
+interface NpEmailMessage {
+    /** RFC-822 recipient address. Single recipient per message. */
+    to: string;
+    /** Plain-text subject line. */
+    subject: string;
+    /** Plain-text body. Always provided as a fallback. */
+    text: string;
+    /** Optional HTML body. Adapter may choose to omit if absent. */
+    html?: string;
+    /** Override the adapter's default From header when set. */
+    from?: string;
+}
+/**
+ * Transactional mailer contract. One method: deliver a single message.
+ * Adapters throw on failure so the pg-boss worker can retry per its
+ * configured policy. Success is a void resolve.
+ */
+interface NpEmailAdapter {
+    readonly kind: string;
+    send(message: NpEmailMessage): Promise<void>;
+}
+
+/**
+ * Default adapter used when no mailer is wired. Logs the message shape so a
+ * developer running the app locally can see that delivery was requested and
+ * follow the reset link from the logs without setting up SMTP.
+ *
+ * Swap via `setEmailAdapter(new SmtpEmailAdapter(...))` or a custom
+ * implementation in production.
+ */
+declare class NoopEmailAdapter implements NpEmailAdapter {
+    readonly kind = "noop";
+    send(message: NpEmailMessage): Promise<void>;
+}
+
+interface SmtpEmailAdapterOptions {
+    host: string;
+    port: number;
+    user?: string;
+    pass?: string;
+    /** Default `From` header when a message doesn't override. */
+    from: string;
+    /**
+     * Use implicit TLS (port 465) when `true`. When `false`, STARTTLS is
+     * negotiated (port 587 / 25). Defaults to `port === 465`.
+     */
+    secure?: boolean;
+}
+/**
+ * Nodemailer-backed SMTP adapter. Works with any SMTP-speaking provider
+ * (Resend, SES, Mailgun, Postmark, Gmail, Zoho, custom relays).
+ *
+ * `nodemailer` is loaded dynamically on first send so that apps that don't
+ * use the SMTP adapter (noop or custom adapter) never pay its import cost.
+ */
+declare class SmtpEmailAdapter implements NpEmailAdapter {
+    readonly kind = "smtp";
+    private readonly options;
+    private transporter;
+    constructor(options: SmtpEmailAdapterOptions);
+    private ensureTransporter;
+    send(message: NpEmailMessage): Promise<void>;
+}
+
+declare function setEmailAdapter(next: NpEmailAdapter): void;
+declare function getEmailAdapter(): NpEmailAdapter;
+/** Reset to the built-in stub. Primarily used by tests. */
+declare function resetEmailAdapter(): void;
+
+interface NpPasswordResetTemplateData {
+    siteName: string;
+    name: string;
+    resetUrl: string;
+    /** When the link expires (ISO string), for display only. */
+    expiresAt?: string;
+}
+interface NpEmailTemplate {
+    subject: string;
+    text: string;
+    html: string;
+}
+declare function buildInviteEmail(data: NpPasswordResetTemplateData): NpEmailTemplate;
+declare function buildResetEmail(data: NpPasswordResetTemplateData): NpEmailTemplate;
+
+declare const DEFAULT_THEME: NpThemeTokens;
+
+declare function sanitizeTokenValue(value: string): string;
+
+/**
+ * Idempotent — call once at boot from the framework's
+ * bootstrap, again from a hot-reload, etc. Themes are matched
+ * by `manifest.id`; later registrations replace earlier ones.
+ */
+declare function registerThemes(themes: NpRegisteredTheme[]): void;
+declare function getRegisteredThemes(): NpRegisteredTheme[];
+declare function getThemeById(id: string): NpRegisteredTheme | undefined;
+/** Tests use this between cases; production callers should never need it. */
+declare function resetThemes(): void;
+/**
+ * Reads the persisted active-theme id from `np_settings` for
+ * the current site. Returns `null` when no row exists —
+ * caller's job to decide the fallback (typically the first
+ * registered theme).
+ *
+ * Phase 15.4 — scoped by current site. Single-tenant
+ * deployments leave every row at `site_id = 'default'`, so
+ * the lookup behaves identically to the pre-15.4 global
+ * version.
+ */
+declare function getActiveThemeId(): Promise<string | null>;
+/**
+ * Resolves the active theme to render. Looks up the persisted id
+ * in the registry; falls back to the first registered theme when
+ * the id is unset, missing, or points at a theme that's no
+ * longer in the registry (e.g. it was removed from
+ * `nexpress.config.ts` between deploys). Returns `null` only
+ * when the registry is completely empty.
+ */
+declare function getActiveTheme(): Promise<NpRegisteredTheme | null>;
+/**
+ * Persist the active theme. Validates the id is registered so
+ * an admin can't pick a string that doesn't resolve to anything
+ * (which would silently fall back to the default and confuse
+ * the operator).
+ */
+declare function setActiveThemeId(id: string, updatedBy?: string | null): Promise<void>;
+/**
+ * Phase 11.3 — surface the active theme's templates for a
+ * given collection so admin pickers and the catch-all renderer
+ * can introspect what's available without reaching into the
+ * opaque `impl` themselves. The result is sanitized for serial-
+ * ization (no React component refs leak through this path) so
+ * the same shape is safe to send over the API to the admin UI.
+ */
+interface NpThemeTemplateSummary {
+    id: string;
+    label: string;
+    description?: string;
+}
+declare function getThemeTemplateSummaries(collectionSlug: string): Promise<NpThemeTemplateSummary[]>;
+/**
+ * Phase 14.5 — resolve a template's render component for the
+ * given collection + template id. Looks up theme first
+ * (theme always wins), falls back to plugin-contributed
+ * templates. Returns the opaque value (the catch-all casts to
+ * `{ component }` at the render boundary).
+ */
+declare function resolveTemplateComponent(collectionSlug: string, templateId: string): Promise<unknown>;
+
+/**
+ * Phase F.1 — theme requirement check.
+ *
+ * Compares a theme's `manifest.requires` against the site's
+ * registered collections and reports mismatches. The result
+ * drives admin warnings on theme activation; F.8 will reuse
+ * the same shape to drive the CLI patcher.
+ *
+ * "Hard" requirements (default) are normal mismatches the
+ * operator should resolve. "Soft" requirements (`hard: false`)
+ * are recorded separately so admin can show them at lower
+ * severity — the theme renders without them but with degraded
+ * behavior.
+ */
+interface NpThemeRequirementMissingField {
+    collection: string;
+    field: string;
+    expected: NpThemeFieldRequirement;
+    hard: boolean;
+}
+interface NpThemeRequirementTypeConflict {
+    collection: string;
+    field: string;
+    expected: NpThemeFieldRequirement["type"];
+    actual: string;
+    hard: boolean;
+}
+interface NpThemeRequirementRelationConflict {
+    collection: string;
+    field: string;
+    expected: NonNullable<NpThemeFieldRequirement["relationTo"]>;
+    actual: string | string[];
+    hard: boolean;
+}
+interface NpThemeRequirementResult {
+    themeId: string;
+    hasMismatches: boolean;
+    /** Has at least one HARD mismatch — operator should resolve before activation. */
+    hasHardMismatches: boolean;
+    missingCollections: Array<{
+        collection: string;
+        createIfAbsent: boolean;
+    }>;
+    missingFields: NpThemeRequirementMissingField[];
+    typeConflicts: NpThemeRequirementTypeConflict[];
+    relationConflicts: NpThemeRequirementRelationConflict[];
+}
+declare function checkThemeRequirements(manifest: NpThemeManifest, collections: NpCollectionConfig[]): NpThemeRequirementResult;
+
+/**
+ * Read the persisted settings row for a theme and parse it via
+ * the theme's schema. Returns the parsed value when valid;
+ * falls back to schema defaults on parse failure (with the
+ * failure recorded for the admin to surface, see
+ * `getThemeSettingsWithStatus`).
+ *
+ * `themeId` defaults to the active theme. Pass an explicit id
+ * to read another installed theme's settings (used by the
+ * admin settings page).
+ *
+ * Return type is `unknown` because core can't type-narrow to
+ * a specific theme's `z.infer<typeof schema>` — the schema
+ * lives in the theme package, not in core. Theme components
+ * should cast at the call site, ideally against an exported
+ * type alias from the theme package itself:
+ *
+ *   // packages/themes/magazine/src/index.ts
+ *   export const settingsSchema = z.object({ ... });
+ *   export type MagazineSettings = z.infer<typeof settingsSchema>;
+ *
+ *   // a theme component
+ *   const settings = (await getThemeSettings()) as MagazineSettings;
+ */
+declare function getThemeSettings(themeId?: string): Promise<unknown>;
+interface NpThemeSettingsResult {
+    themeId: string | null;
+    /** Parsed settings or schema defaults (never null when a theme
+     *  has a schema; empty object when the theme has no schema). */
+    value: unknown;
+    /** True when there's a stored row, regardless of whether it
+     *  passed validation. */
+    hasPersisted: boolean;
+    /** Set when the persisted value failed `schema.parse()`. The
+     *  admin surface uses this to show a "values reset to
+     *  defaults" banner. */
+    parseError?: string;
+}
+declare function getThemeSettingsWithStatus(themeId?: string): Promise<NpThemeSettingsResult>;
+/**
+ * Validate and persist a theme's settings. Throws
+ * `NpValidationError` when `value` doesn't pass the schema —
+ * the admin form must surface field-level errors before
+ * calling this.
+ *
+ * **Cache invalidation is the caller's responsibility.** This
+ * function writes to `np_settings` only; it doesn't import
+ * `next/cache`. The admin API route (`PUT
+ * /api/admin/themes/[id]/settings`) busts `nx:theme:<siteId>`
+ * (and `nx:sitemap:*` / `nx:feed:*` when `impl.seo` is
+ * declared) after a successful write. Other callers — jobs,
+ * scripts, server actions — must do the same to avoid stale
+ * cached reads.
+ */
+declare function setThemeSettings(themeId: string, value: unknown, updatedBy?: string | null): Promise<unknown>;
+/**
+ * Whether the active theme contributes SEO hooks. The settings
+ * save path consults this to decide whether to additionally
+ * invalidate `nx:sitemap:*` / `nx:feed:*` tags alongside the
+ * always-busted `nx:theme:<siteId>`. Implemented here (in core)
+ * so the API layer in `apps/web` doesn't need to duck-type the
+ * theme `impl`.
+ */
+declare function activeThemeContributesSeo(): Promise<boolean>;
+
+/**
+ * Phase F.6 — extract the active theme's declared nav
+ * locations as plain JSON metadata, narrowed structurally
+ * because core treats `theme.impl` as opaque (`unknown`).
+ *
+ * Used by:
+ *   - The admin nav editor's location-dropdown endpoint
+ *     (`/api/navigation/locations`) so the dropdown surfaces
+ *     theme-named slots with friendly labels.
+ *   - Future cookbook recipes that surface "this theme
+ *     expects you to fill in these menus" guidance.
+ *
+ * Returns `[]` when no theme is active or the active theme
+ * doesn't declare any locations.
+ */
+interface NpThemeNavLocationDescriptor {
+    /** Location key, e.g. `"primary"`. Used as the `location`
+     *  argument to `getNavigation(...)` and the database row's
+     *  `(siteId, location)` lookup. */
+    key: string;
+    label: string;
+    description?: string;
+    maxItems?: number;
+}
+declare function getActiveThemeNavLocations(): Promise<NpThemeNavLocationDescriptor[]>;
+
+/**
+ * Phase F.7 — pure structural narrowers for theme `notFound`,
+ * `error`, and `seo` contributions. Core treats `theme.impl`
+ * as opaque (`unknown`); these helpers do the duck-typing in
+ * one place so the consuming routes stay readable.
+ *
+ * `getActiveThemeNotFoundComponent` / `…ErrorComponent` return
+ * the React component refs unchanged — typing as `unknown`
+ * here, the consumers (in `apps/web`) cast to ComponentType
+ * at the JSX site. Core can't import `react` directly without
+ * dragging the peer into a server-only package, so the cast
+ * is delegated.
+ */
+interface NpThemeSeoHooksExtracted {
+    sitemapEntries?: () => Promise<NpSitemapEntry[]> | NpSitemapEntry[];
+    feedEntries?: () => Promise<NpFeedEntry[]> | NpFeedEntry[];
+    robotsTxt?: () => string | Promise<string>;
+}
+declare function extractNotFoundComponent(impl: unknown): unknown;
+declare function extractErrorComponent(impl: unknown): unknown;
+/**
+ * Phase M.3 — member-tree 404 component, with fallback to the
+ * top-level `impl.notFound`. Returns `null` when neither the
+ * member-specific nor the top-level component is declared (the
+ * caller renders the framework default). Same opacity contract
+ * as `extractNotFoundComponent` — typed as `unknown` here, the
+ * consumer in `apps/web/src/app/(member)/not-found.tsx` casts
+ * to `ComponentType` at the JSX site.
+ */
+declare function extractMembersNotFoundComponent(impl: unknown): unknown;
+declare function extractSeoHooks(impl: unknown): NpThemeSeoHooksExtracted;
+/**
+ * Async sugar over the active theme. Each helper returns a
+ * fresh resolution per call; multi-site safety comes from
+ * `getActiveTheme()` reading per-request site context.
+ */
+declare function getActiveThemeNotFound(): Promise<unknown>;
+declare function getActiveThemeError(): Promise<unknown>;
+/**
+ * Phase M.3 — async sugar for the member-tree 404. Returns the
+ * theme's `impl.members.notFound` when declared, falling back
+ * to its `impl.notFound` (top-level), then `null`.
+ */
+declare function getActiveThemeMembersNotFound(): Promise<unknown>;
+declare function getActiveThemeSeoHooks(): Promise<NpThemeSeoHooksExtracted>;
+
+/**
+ * Phase F.3 — server-side introspection of a theme's
+ * `settingsSchema` Zod tree into a JSON metadata shape the
+ * admin form generator consumes.
+ *
+ * The schema lives in the theme package (server bundle); we
+ * don't ship the schema itself to the browser. Instead, this
+ * function walks the tree once on the server, emits the
+ * metadata as plain JSON, and the admin renders form fields
+ * from the metadata. The browser doesn't need zod at runtime.
+ *
+ * Coverage in v0.2: text, url, color (regex heuristic), number,
+ * boolean, enum, array(object), object. Anything else
+ * introspects as `{ type: "unsupported" }` so the form generator
+ * can render a JSON textarea fallback (operator can still edit;
+ * a follow-up phase widens coverage).
+ */
+type NpThemeSettingsField = NpThemeSettingsTextField | NpThemeSettingsTextareaField | NpThemeSettingsPasswordField | NpThemeSettingsUrlField | NpThemeSettingsColorField | NpThemeSettingsNumberField | NpThemeSettingsBooleanField | NpThemeSettingsEnumField | NpThemeSettingsArrayField | NpThemeSettingsStringArrayField | NpThemeSettingsObjectField | NpThemeSettingsUnsupportedField;
+interface NpThemeSettingsFieldBase {
+    /** Field path key ("hero", "social.0.url", etc. — the
+     *  introspector returns flat keys per node; nested objects
+     *  carry their own children). */
+    name: string;
+    label?: string;
+    description?: string;
+    required: boolean;
+    default?: unknown;
+}
+interface NpThemeSettingsTextField extends NpThemeSettingsFieldBase {
+    type: "text";
+}
+interface NpThemeSettingsTextareaField extends NpThemeSettingsFieldBase {
+    type: "textarea";
+    /** Optional row count hint for the rendered `<textarea>`.
+     *  Theme authors set this via `.meta({ widget: "textarea",
+     *  rows: 6 })`. Defaults to 4 when unset. */
+    rows?: number;
+}
+interface NpThemeSettingsPasswordField extends NpThemeSettingsFieldBase {
+    type: "password";
+}
+interface NpThemeSettingsUrlField extends NpThemeSettingsFieldBase {
+    type: "url";
+}
+interface NpThemeSettingsColorField extends NpThemeSettingsFieldBase {
+    type: "color";
+}
+interface NpThemeSettingsNumberField extends NpThemeSettingsFieldBase {
+    type: "number";
+    int?: boolean;
+    min?: number;
+    max?: number;
+}
+interface NpThemeSettingsBooleanField extends NpThemeSettingsFieldBase {
+    type: "boolean";
+}
+interface NpThemeSettingsEnumField extends NpThemeSettingsFieldBase {
+    type: "enum";
+    options: string[];
+}
+interface NpThemeSettingsArrayField extends NpThemeSettingsFieldBase {
+    type: "array";
+    /** v0.2 supports `z.array(z.object(...))`. The element
+     *  schema introspects as the array's child fields. */
+    element: NpThemeSettingsField[];
+}
+/** Phase G follow-up — `z.array(z.string())`. Renders as a
+ *  one-item-per-line input. Surfaced for OAuth scopes and
+ *  similar string-list configs that don't fit the object-array
+ *  shape; previously fell through to the JSON-textarea
+ *  `unsupported` fallback. */
+interface NpThemeSettingsStringArrayField extends NpThemeSettingsFieldBase {
+    type: "string-array";
+}
+interface NpThemeSettingsObjectField extends NpThemeSettingsFieldBase {
+    type: "object";
+    fields: NpThemeSettingsField[];
+}
+interface NpThemeSettingsUnsupportedField extends NpThemeSettingsFieldBase {
+    type: "unsupported";
+    /** Best-effort label for what was at this position so
+     *  operators can recognize their schema in the JSON fallback. */
+    zodTypeName: string;
+}
+/**
+ * Walk a theme's `settingsSchema` (top-level z.object) and emit
+ * the form metadata. Returns an empty array when the schema
+ * isn't a top-level object — themes are expected to ship
+ * `settingsSchema: z.object({...})` (validated implicitly: a
+ * non-object top schema yields an empty form, signalling
+ * "nothing to configure").
+ */
+declare function introspectThemeSettingsSchema(schema: ZodTypeAny | undefined): NpThemeSettingsField[];
+
+/**
+ * Phase 14.5 — plugin-contributed page templates. Plugins
+ * register templates the same way themes do (`{ label,
+ * description?, component }` keyed by collection then by
+ * template id) but the registry here is global, separate
+ * from any one theme. The theme registry's
+ * `getThemeTemplateSummaries` merges both sets so admin
+ * pickers and the catch-all see a unified list; theme
+ * registrations win on id collisions because the active
+ * theme is the design authority for the site.
+ *
+ * The framework keeps `impl: unknown` on the public
+ * registered-theme shape (no React peer dep in core), so
+ * plugin template values stay typed as `unknown` here too.
+ * The caller casts to the typed `NpThemeTemplate` shape
+ * from `@nexpress/theme` at the render boundary.
+ */
+/**
+ * Merge a single plugin's `templates` declaration into the
+ * registry. Idempotent: re-registering the same plugin id
+ * overwrites its previous entries.
+ */
+declare function registerPluginTemplates(pluginId: string, templates: Record<string, Record<string, unknown>>): void;
+/** Tests use this between cases; production callers shouldn't need it. */
+declare function resetPluginTemplates(): void;
+/**
+ * Returns every plugin-registered template for a collection,
+ * keyed by template id. The returned values are opaque
+ * (`unknown`); consumers cast to the appropriate shape at the
+ * call site (theme registry casts to summary metadata; the
+ * catch-all casts to `{ component }`).
+ */
+declare function getPluginTemplatesForCollection(collectionSlug: string): Map<string, unknown>;
+
+/**
+ * Phase 15.1 — multi-site registry. The framework treats
+ * sites as long-lived rows in `np_sites`; the bootstrap calls
+ * `ensureDefaultSite()` at boot to guarantee at least one row
+ * exists so single-tenant installs (the existing reference
+ * app shape) keep working without operator intervention.
+ *
+ * 15.1 ships the model + lookup helpers; 15.2 wires
+ * collection queries through `siteId`; 15.3 ships the
+ * super-admin UI for creating / managing sites. Until 15.2
+ * lands, nothing in the existing pipeline knows or cares
+ * about which site a row belongs to — the columns just
+ * exist and the default site backfills.
+ */
+interface NpSite {
+    id: string;
+    name: string;
+    hostname: string | null;
+    description: string | null;
+    settings: Record<string, unknown>;
+    isDefault: boolean;
+    createdAt: Date;
+    updatedAt: Date;
+}
+/**
+ * Idempotently create the default site if no sites exist.
+ * Bootstrap calls this once during framework init; tests
+ * that truncate `np_sites` between cases re-trigger it.
+ */
+declare function ensureDefaultSite(): Promise<NpSite>;
+declare function listSites(): Promise<NpSite[]>;
+declare function getSiteById(id: string): Promise<NpSite | null>;
+/**
+ * Hostname-based lookup. Returns the matching site, or the
+ * default site when no row matches (so a request hitting
+ * an unconfigured host still gets served by the canonical
+ * site rather than 404'ing). Case-insensitive on the host
+ * string.
+ */
+declare function getSiteByHostname(hostname: string): Promise<NpSite | null>;
+declare function getDefaultSite(): Promise<NpSite | null>;
+/**
+ * Resolve which site a request belongs to. Tries hostname
+ * lookup first; falls back to the default site. Returns
+ * `null` only when the database has no sites at all (which
+ * shouldn't happen post-bootstrap).
+ */
+declare function resolveSiteForHostname(hostname: string | null | undefined): Promise<NpSite | null>;
+interface CreateSiteInput {
+    id: string;
+    name: string;
+    hostname?: string | null;
+    description?: string | null;
+    settings?: Record<string, unknown>;
+}
+declare function createSite(input: CreateSiteInput): Promise<NpSite>;
+declare function updateSite(id: string, patch: Partial<Pick<NpSite, "name" | "hostname" | "description" | "settings">>): Promise<NpSite>;
+/**
+ * Phase 15.9 — count of every site-scoped row attached to a
+ * given site. Surfaces in the admin delete-site dialog so
+ * operators see what they're about to nuke (or leave behind
+ * as orphans, in the cascade=false path).
+ *
+ * Includes:
+ *   - per-collection row counts (codegen'd `np_c_*` tables)
+ *   - system tables that carry `site_id`: settings,
+ *     navigation, memberships, string overrides, plugin
+ *     storage (Issue #220)
+ *   - community tables that carry `site_id`: comments,
+ *     reactions, follows, mutes, notifications, reports,
+ *     audit events, bans, member roles (Issue #220)
+ *
+ * Does NOT include things that aren't site-scoped:
+ *   - users (`np_users` is global)
+ *   - members (`np_members` is global; per-site enrollment
+ *     happens through the site-scoped `bans` / `member_roles`
+ *     tables which DO appear in usage)
+ *   - media (`np_media` is global)
+ *   - audit events with `site_id IS NULL` — those are
+ *     intentional super-admin / background-job events that
+ *     don't belong to any tenant.
+ */
+interface NpSiteUsage {
+    collections: Record<string, number>;
+    settings: number;
+    navigation: number;
+    memberships: number;
+    stringOverrides: number;
+    /** Issue #220 — newly-included site-scoped tables. */
+    pluginStorage: number;
+    comments: number;
+    reactions: number;
+    follows: number;
+    mutes: number;
+    notifications: number;
+    reports: number;
+    auditEvents: number;
+    bans: number;
+    memberRoles: number;
+    /** Sum of every count above. Convenience for "is anything here?" checks. */
+    total: number;
+}
+declare function getSiteUsageSummary(id: string): Promise<NpSiteUsage>;
+interface NpDeleteSiteOptions {
+    /**
+     * Phase 15.9 — when `true`, cascade-delete every site-scoped
+     * row (collection content, settings, navigation, memberships,
+     * string overrides) before dropping the `np_sites` row.
+     *
+     * When `false` (default, safe), the call refuses if any
+     * site-scoped data still exists. The admin UI uses this to
+     * force operators to confirm cascade explicitly so an
+     * accidental delete can't quietly orphan thousands of rows.
+     */
+    cascade?: boolean;
+}
+/**
+ * Delete a non-default site. The default site can't be
+ * deleted (the framework's invariant is "at least one site
+ * always exists"); operators who want to retire the default
+ * promote a different site to default first.
+ *
+ * Phase 15.9 — `options.cascade` controls whether site-scoped
+ * data is deleted alongside. Defaults to `false` for safety;
+ * the admin UI surfaces a usage summary first so the operator
+ * sees what cascade would touch.
+ */
+declare function deleteSite(id: string, options?: NpDeleteSiteOptions): Promise<void>;
+declare const NP_DEFAULT_SITE_ID = "default";
+
+/**
+ * Phase 15.1 — process-wide "current site" resolver hook.
+ *
+ * The pipeline doesn't know how to find the current request's
+ * site on its own (the runtime layer does — it reads the
+ * `x-np-site-id` header the middleware sets). This module
+ * exposes a setter the runtime calls at boot:
+ *
+ *   setCurrentSiteResolver(async () => {
+ *     const headerList = await headers();
+ *     return headerList.get("x-np-site-id") ?? null;
+ *   });
+ *
+ * Pipeline / hooks call `getCurrentSiteId()` to read the
+ * resolved id (or `null` when no resolver is wired, e.g.
+ * background workers, scripts).
+ *
+ * This is intentionally async — the canonical Next.js
+ * resolver awaits `headers()`. Sync paths (CLI, tests) can
+ * register a sync resolver by returning the value directly.
+ */
+type Resolver = () => string | null | Promise<string | null>;
+declare function setCurrentSiteResolver(fn: Resolver | null): void;
+declare function resetCurrentSiteResolver(): void;
+declare function getCurrentSiteId(): Promise<string | null>;
+/**
+ * Tests / scripts that want to pin the current site id for the
+ * duration of a block use the `withCurrentSite` helper — it swaps
+ * in a constant resolver, runs `fn`, and restores the previous
+ * resolver on exit.
+ *
+ * Contract — read this carefully (#320):
+ *
+ *   `withCurrentSite` covers ONLY work that completes (synchronously
+ *   or via `await`) before `fn` returns. Any fire-and-forget async
+ *   work spawned inside `fn` runs AFTER the `finally` block has
+ *   already restored the previous resolver, so it sees the OUTER
+ *   site context — typically `null` for a CLI / job, or the wrong
+ *   site for a request that was acting on a different tenant.
+ *
+ *   Concretely:
+ *     - `enqueueJob(...)` persists the row immediately but the
+ *       handler runs later in the worker. The worker has no
+ *       resolver wired, so `getCurrentSiteId()` returns `null`
+ *       and `requireSiteId()` throws — even though the enqueuer
+ *       was inside a `withCurrentSite` block.
+ *     - `void someAsyncFn()` patterns inside `fn` are similarly
+ *       exposed.
+ *
+ *   How to do it safely:
+ *     - Stamp `siteId` explicitly onto every job payload at
+ *       enqueue time. The handler reads it back from the payload
+ *       and wraps its own work in `withCurrentSite(payload.siteId,
+ *       handlerBody)`.
+ *     - `await` everything that needs the site context inside
+ *       `fn`. Don't return from `fn` while a site-dependent
+ *       operation is still pending.
+ *
+ *   This is a fundamental limit of plain module-scoped state. A
+ *   future refactor could switch the resolver to
+ *   `AsyncLocalStorage` so the site follows the async boundary
+ *   automatically — that's tracked under #320 but out of scope
+ *   for this helper today.
+ */
+declare function withCurrentSite<T>(siteId: string, fn: () => Promise<T>): Promise<T>;
+
+/**
+ * Phase 15.5 — per-site role memberships.
+ *
+ * `npUsers.role` stays the "global default role" (used by
+ * existing single-tenant code and as a fallback when no
+ * explicit membership exists for a given site). New
+ * multi-tenant deployments grant explicit memberships via
+ * the helpers here; the `isSuperAdmin` flag (also new in
+ * 15.5) bypasses membership checks entirely so a super-admin
+ * can administer every site without having to be enrolled
+ * on each one individually.
+ *
+ * The framework's existing `hasRole(user, minRole)` keeps
+ * working as a global check. New site-scoped checks should
+ * use `hasRoleOnSite(user, siteId, minRole)`.
+ */
+interface SiteMembership {
+    siteId: string;
+    userId: string;
+    role: NpUserRole;
+    createdAt: Date;
+    updatedAt: Date;
+}
+declare function listSiteMemberships(siteId: string): Promise<SiteMembership[]>;
+declare function listMembershipsForUser(userId: string): Promise<SiteMembership[]>;
+declare function getMembership(siteId: string, userId: string): Promise<SiteMembership | null>;
+declare function grantSiteMembership(siteId: string, userId: string, role: NpUserRole): Promise<SiteMembership>;
+declare function revokeSiteMembership(siteId: string, userId: string): Promise<void>;
+/**
+ * Promote / demote a user's super-admin status. Super-admins
+ * bypass per-site membership checks; this is the framework's
+ * "I can do anything" gate so it should be granted sparingly
+ * (one or two operators per deployment, typically).
+ */
+declare function setSuperAdmin(userId: string, isSuperAdmin: boolean): Promise<void>;
+/**
+ * Resolve a user's effective role on a specific site:
+ *   1. Super-admins always get `admin`.
+ *   2. Explicit site membership wins over the global role.
+ *   3. Fallback: the user's global `npUsers.role` (preserves
+ *      single-tenant behavior).
+ *
+ * Use this rather than `user.role` for any check that should
+ * respect tenant boundaries.
+ */
+declare function resolveUserRoleOnSite(user: NpAuthUser, siteId: string): Promise<NpUserRole>;
+/**
+ * Site-scoped variant of `hasRole`. Resolves the user's
+ * effective role on the site (super-admin → admin, explicit
+ * membership → that role, otherwise global default) and
+ * compares against `minRole` using the same rank order
+ * `hasRole` uses.
+ *
+ * Defaults to the current request site (or the framework's
+ * `default` site when no resolver is wired) so callers don't
+ * have to thread siteId everywhere.
+ */
+declare function hasRoleOnSite(user: NpAuthUser, minRole: NpUserRole, siteId?: string): Promise<boolean>;
+/**
+ * Quick boolean check for super-admin status. Cheaper than
+ * `resolveUserRoleOnSite` when the caller only needs to know
+ * "can this user manage the framework as a whole?".
+ */
+declare function isSuperAdmin(user: NpAuthUser): Promise<boolean>;
+
+declare function isPluginEnabled(pluginId: string): Promise<boolean>;
+declare function invalidatePluginEnabled(pluginId: string): void;
+
+interface PluginHookHandler {
+    pluginId: string;
+    /**
+     * Returns `void` for fire-and-forget hooks (most of them). Render / extension
+     * hooks may return a value; `runHookAndCollect` gathers those, while
+     * `runHook` ignores returns.
+     */
+    handler: (data: Record<string, unknown>) => unknown;
+    /**
+     * Lower priority runs first. Default `100`, leaving headroom in both
+     * directions: a plugin that wants to observe AFTER everyone else picks
+     * `200`, one that needs to mutate the payload first picks `0`. Stable
+     * ordering: ties keep registration order (which is itself topo-sorted by
+     * plugin `requires`).
+     */
+    priority: number;
+    /**
+     * Per-handler timeout in milliseconds. When the handler doesn't settle
+     * within the budget, `dispatchHookHandler` treats it as a failure —
+     * logged and reported the same way a thrown error is. The remaining
+     * handlers continue. `undefined` means "no timeout enforced", which is
+     * the default for fire-and-forget hooks (`runHook`); render-collecting
+     * hooks may want a tighter budget (e.g. 250ms) so a slow plugin can't
+     * stall page rendering.
+     */
+    timeoutMs?: number;
+}
+interface PluginRouteHandler {
+    pluginId: string;
+    path: string;
+    method: string;
+    /** When true, the dispatcher must verify a staff session before
+     *  invoking `handler` and pass the resolved user as `req.user`.
+     *  When false (default), the route is publicly reachable. */
+    auth: boolean;
+    handler: (req: PluginRouteRequest) => Promise<PluginRouteResponse>;
+}
+interface PluginRouteRequest {
+    method: string;
+    path: string;
+    params: Record<string, string>;
+    query: Record<string, string>;
+    body: unknown;
+    headers: Record<string, string>;
+    user?: {
+        id: string;
+        email: string;
+        role: string;
+    };
+}
+interface PluginRouteResponse {
+    status: number;
+    body?: unknown;
+    headers?: Record<string, string>;
+}
+/**
+ * Declarative admin extension snapshot stored per registration. Shape mirrors
+ * `@nexpress/plugin-sdk`'s `NpAdminExtension` but kept structural here to
+ * avoid a plugin-sdk → core cycle. The admin UI reads this via
+ * `getPluginAdminExtension(id)` and renders it with its own primitives.
+ */
+interface PluginAdminExtension {
+    settings?: {
+        title?: string;
+        description?: string;
+        fields: NpFieldConfig[];
+    };
+    widgets?: Array<{
+        id: string;
+        label: string;
+        kind: "metric" | "status";
+        actionId: string;
+        description?: string;
+    }>;
+    actions?: Array<{
+        id: string;
+        label: string;
+        actionId: string;
+        confirm?: string;
+        description?: string;
+    }>;
+    tables?: Array<{
+        id: string;
+        label: string;
+        columns: Array<{
+            name: string;
+            label: string;
+        }>;
+        rowsActionId: string;
+        emptyMessage?: string;
+    }>;
+    collectionTabs?: Array<{
+        id: string;
+        label: string;
+        collections: string[] | "*";
+        widgets?: Array<{
+            id: string;
+            label: string;
+            kind: "metric" | "status";
+            actionId: string;
+            description?: string;
+        }>;
+        actions?: Array<{
+            id: string;
+            label: string;
+            actionId: string;
+            confirm?: string;
+            description?: string;
+        }>;
+        description?: string;
+    }>;
+    dashboardWidgets?: Array<{
+        id: string;
+        label: string;
+        kind: "metric" | "status";
+        actionId: string;
+        description?: string;
+        priority?: number;
+    }>;
+}
+/**
+ * Phase 19 — first-class plugin cron schedules. Plugins
+ * declare `scheduled: [{ id, cron, handler }]` in their
+ * definition; the host stores the list here and pg-boss
+ * registers one recurring schedule per entry. The handler
+ * runs in the same context shape `setup()` saw, so plugins
+ * already familiar with `ctx.content` / `ctx.storage` /
+ * `ctx.next` use the same surface from a cron tick.
+ */
+interface PluginScheduleHandler {
+    pluginId: string;
+    taskId: string;
+    cron: string;
+    description?: string;
+    handler: (ctx: Record<string, unknown>) => unknown;
+}
+interface PluginRegistration {
+    id: string;
+    name: string;
+    version?: string;
+    description?: string;
+    capabilities: readonly string[];
+    allowedHosts: readonly string[];
+    admin?: PluginAdminExtension;
+    hooks: Map<string, PluginHookHandler[]>;
+    routes: PluginRouteHandler[];
+    actions: Map<string, (data: unknown) => Promise<{
+        ok: boolean;
+        data?: unknown;
+        error?: string;
+    }>>;
+    schedules: Map<string, PluginScheduleHandler>;
+    /**
+     * G.1 — Zod schema describing the plugin's operator-tunable
+     * config. Read by `getPluginConfig` (introspection +
+     * validation) and the admin auto-form. `unknown` here so the
+     * host doesn't pull a hard zod dep into its type surface;
+     * narrowed at the call site (same pattern theme uses for
+     * `settingsSchema`).
+     */
+    configSchema?: unknown;
+    /** G.1 — schema version (defaults to 1). See plugin-sdk types. */
+    configVersion?: number;
+    /** G.1 — migration callback for v(N-1) → current. */
+    configMigrate?: (old: unknown, fromVersion: number) => unknown;
+    /**
+     * Plugin-contributed page routes (#623). Stored as the same
+     * shape the SDK accepts (component + optional metadata as
+     * `unknown`); the route-dispatcher in `@nexpress/next`
+     * narrows them at render time. See
+     * `docs/design/plugin-routes.md` for precedence + surface
+     * semantics.
+     */
+    pageRoutes: readonly PluginPageRouteEntry[];
+}
+interface PluginPageRouteEntry {
+    pattern: string;
+    component: unknown;
+    metadata?: unknown;
+    surface: "site" | "member";
+    locale: "auto" | "none";
+}
+/**
+ * Structural shape for plugins built via `@nexpress/plugin-sdk`'s
+ * `definePlugin()`. Matches `NpResolvedPluginLike` in config/types.ts —
+ * kept deliberately loose so `loadPlugins` can accept the same array
+ * that `NpConfig.plugins` does without narrowing gymnastics.
+ */
+interface ResolvedPluginLike {
+    manifest: {
+        id: string;
+        name: string;
+        version?: string;
+        description?: string;
+        capabilities: readonly string[];
+        allowedHosts?: readonly string[];
+        /**
+         * Compatibility range for the framework. The plugin loads only when
+         * `nexpress.minVersion <= host <= nexpress.maxVersion?` (inclusive).
+         * Optional here so legacy / hand-rolled plugins keep loading; the
+         * plugin-sdk schema requires it for new plugins.
+         */
+        nexpress?: {
+            minVersion?: string;
+            maxVersion?: string;
+        };
+        /**
+         * IDs of other plugins that must load first. The host topo-sorts the
+         * load list so this plugin's `setup()` can assume its prerequisites
+         * have already registered hooks/actions/blocks.
+         */
+        requires?: readonly string[];
+    };
+    hooks?: Record<string, unknown>;
+    routes?: ReadonlyArray<{
+        path: string;
+        method: string;
+        handler: unknown;
+        description?: string;
+        auth?: boolean;
+    }>;
+    admin?: PluginAdminExtension;
+    /** G.1 — runtime zod schema for plugin config (auto-form). */
+    configSchema?: unknown;
+    /** G.1 — schema version for the lazy migration pipeline. */
+    configVersion?: number;
+    /** G.1 — old → current value migrator. */
+    configMigrate?: (old: unknown, fromVersion: number) => unknown;
+}
+declare function loadPlugins(plugins: Array<NpPluginConfig | ResolvedPluginLike>): Promise<void>;
+declare function runHook(hookName: string, data: Record<string, unknown>): Promise<void>;
+/**
+ * Like `runHook`, but collects every non-null/undefined return value from
+ * registered handlers. Used by render extension points (`render:beforePage`,
+ * etc.) where each plugin contributes structured data — head tags, scripts —
+ * that the renderer aggregates into a single output.
+ *
+ * Handlers that throw are isolated (logged + reported, then skipped). A
+ * broken plugin contributing meta tags is allowed to fail silently so the
+ * page itself still ships — incomplete SEO output beats a 500.
+ */
+declare function runHookAndCollect<T>(hookName: string, data: Record<string, unknown>): Promise<T[]>;
+declare function getPluginRoutes(): PluginRouteHandler[];
+/**
+ * Plugin page routes (#623). Returns the flat list of registered
+ * routes from EVERY loaded plugin in registration order, regardless
+ * of enabled state — call sites that care about enabled gating
+ * (e.g. the route dispatcher) walk the list and re-check via
+ * `isPluginEnabled(pluginId)`. Keeping the gate at the call site
+ * means tests can assert the registered shape without mocking the
+ * enabled-state singleton.
+ */
+declare function getPluginPageRoutes(): Array<{
+    pluginId: string;
+    route: PluginPageRouteEntry;
+}>;
+declare function getPluginRegistration(pluginId: string): PluginRegistration | undefined;
+declare function getAllPluginIds(): string[];
+declare function getPluginAdminExtension(pluginId: string): PluginAdminExtension | undefined;
+/**
+ * Resolved collection-tab descriptor for the admin collection edit view.
+ * Each entry carries pluginId + pluginName so the client component can
+ * dispatch actions and label cards per-plugin.
+ */
+interface ResolvedCollectionTab {
+    pluginId: string;
+    pluginName: string;
+    id: string;
+    label: string;
+    widgets?: NonNullable<PluginAdminExtension["collectionTabs"]>[number]["widgets"];
+    actions?: NonNullable<PluginAdminExtension["collectionTabs"]>[number]["actions"];
+    description?: string;
+}
+/**
+ * Collects all `collectionTabs` entries declared by loaded plugins whose
+ * `collections` filter matches the given slug (either `"*"` or includes it).
+ * The returned array is already flattened and annotated with the source
+ * plugin, ready to pass into the admin edit view.
+ */
+declare function getCollectionTabsForSlug(collectionSlug: string): ResolvedCollectionTab[];
+/**
+ * Dashboard widget descriptor annotated with its source plugin. The admin
+ * dashboard dispatches the widget's action with an empty payload — dashboard
+ * widgets are global, not per-document.
+ */
+interface ResolvedDashboardWidget {
+    pluginId: string;
+    pluginName: string;
+    id: string;
+    label: string;
+    kind: "metric" | "status";
+    actionId: string;
+    description?: string;
+    priority?: number;
+}
+/**
+ * Collects `dashboardWidgets` declared by every loaded plugin and returns
+ * them in render order: `priority` asc (missing priority = Infinity, i.e.
+ * rendered last), ties broken by plugin registration order.
+ */
+declare function getDashboardWidgetsFromPlugins(): ResolvedDashboardWidget[];
+/**
+ * Dispatches a named action registered by the plugin via
+ * `ctx.actions.register(actionId, handler)`. Admin widgets / actions / tables
+ * call this via POST /api/plugins/:id/actions/:actionId — the handler is
+ * responsible for returning `{ ok, data?, error? }`.
+ */
+declare function dispatchPluginAction(pluginId: string, actionId: string, data?: unknown): Promise<{
+    ok: boolean;
+    data?: unknown;
+    error?: string;
+}>;
+declare function schedulePluginTask(pluginId: string, taskId: string): Promise<void>;
+/**
+ * Phase 19 — return every registered schedule across loaded
+ * plugins. The pg-boss adapter calls this from
+ * `scheduleRecurring()` so each `definePlugin({ scheduled })`
+ * entry becomes a real cron in `pgboss.schedule`.
+ */
+declare function getRegisteredPluginSchedules(): PluginScheduleHandler[];
+/**
+ * Phase 19 — runs the handler for one plugin's scheduled task.
+ * Called from the `plugin:scheduledTask` job handler when a
+ * tick fires. Builds the same plugin context the `setup()`
+ * call sees so handlers reuse `ctx.content` / `ctx.storage` /
+ * etc. Throws when the plugin or task isn't registered so the
+ * worker's retry policy surfaces the misconfiguration.
+ */
+declare function runPluginScheduledTask(pluginId: string, taskId: string): Promise<void>;
+declare function resetPlugins(): void;
+
+interface NpPluginConfigResult {
+    pluginId: string;
+    /** Parsed config or schema defaults. Empty object when the plugin has
+     *  no configSchema. */
+    value: unknown;
+    /** True when there's a stored row, regardless of whether it passed
+     *  validation. */
+    hasPersisted: boolean;
+    /** Set when the persisted value failed `schema.parse()`. The admin
+     *  surface uses this to render a "settings were reset" banner. */
+    parseError?: string;
+}
+/**
+ * Read the persisted config for a plugin and parse it via the plugin's
+ * `configSchema`. Returns the parsed value when valid; falls back to
+ * schema defaults on parse failure (with the failure recorded for the
+ * admin to surface, see `getPluginConfigWithStatus`).
+ *
+ * Return type is `unknown` because core can't type-narrow to the plugin's
+ * `z.infer<typeof configSchema>` — the schema lives in the plugin
+ * package, not in core. Plugin code that reads its own config should
+ * cast at the call site, ideally against an exported type alias from the
+ * plugin package itself:
+ *
+ *   // packages/plugins/oauth-github/src/index.ts
+ *   export const configSchema = z.object({ ... });
+ *   export type GithubOauthConfig = z.infer<typeof configSchema>;
+ *
+ *   // a plugin handler
+ *   const config = (await getPluginConfig("oauth-github")) as GithubOauthConfig;
+ */
+declare function getPluginConfig(pluginId: string): Promise<unknown>;
+declare function getPluginConfigWithStatus(pluginId: string): Promise<NpPluginConfigResult>;
+/**
+ * Validate and persist a plugin's config. Throws `NpValidationError` when
+ * `value` doesn't pass the schema — the admin form must surface
+ * field-level errors before calling this.
+ *
+ * **Cache invalidation is the caller's responsibility.** This function
+ * writes to `np_settings` only; it doesn't import `next/cache`. The
+ * admin API route (`PUT /api/admin/plugins/[id]/config`) busts
+ * `np:plugin:<id>` after a successful write.
+ *
+ * Mirrors `setThemeSettings` in `packages/core/src/themes/settings.ts`.
+ */
+declare function setPluginConfig(pluginId: string, value: unknown, updatedBy?: string | null): Promise<unknown>;
+/** Cache tag for a plugin's config invalidation. Per the prefix policy
+ *  in CLAUDE.md (Naming convention table) every framework-owned tag
+ *  uses the `np` prefix. Distinct from the legacy `nx:theme:<siteId>`
+ *  tag — see `docs/design/plugin-config-auto-form.md` § 7. */
+declare function pluginConfigCacheTag(pluginId: string): string;
+
+/**
+ * G.1 — `np_plugins` is now a lean meta row: `(id, enabled,
+ * installed_at, updated_at)`. The legacy `config` jsonb column was
+ * dropped in favor of `np_settings` rows keyed by `plugin.config:<id>`
+ * (see `packages/core/src/plugins/config.ts` and decision E in
+ * `docs/design/plugin-config-auto-form.md`). Read / write plugin
+ * config through `getPluginConfig` / `setPluginConfig` from the
+ * config module — `getPluginState` only knows about the enable flag.
+ */
+interface NpPluginState {
+    id: string;
+    enabled: boolean;
+    installedAt: Date;
+    updatedAt: Date;
+}
+interface NpPluginStateUpdate {
+    enabled?: boolean;
+}
+declare function listPluginStates(db: NodePgDatabase<Record<string, unknown>>): Promise<NpPluginState[]>;
+declare function getPluginState(db: NodePgDatabase<Record<string, unknown>>, id: string): Promise<NpPluginState | null>;
+/**
+ * Ensures every known plugin id has a row in `np_plugins`. Missing rows are
+ * inserted with `enabled=true`. Existing rows are never touched — this is
+ * called on boot and must not clobber operator edits.
+ *
+ * Uses a single INSERT … ON CONFLICT DO NOTHING so concurrent boots (multi-
+ * process deployments) can all race safely without unique-key violations.
+ */
+declare function syncPluginRegistrations(db: NodePgDatabase<Record<string, unknown>>, pluginIds: readonly string[]): Promise<void>;
+declare function updatePluginState(db: NodePgDatabase<Record<string, unknown>>, id: string, patch: NpPluginStateUpdate): Promise<NpPluginState | null>;
+
+/**
+ * Plugin compatibility checks: framework semver range + inter-plugin
+ * dependency ordering.
+ *
+ * The plugin manifest declares two compatibility hints:
+ *   1. `nexpress.minVersion` / `nexpress.maxVersion` — the plugin must run
+ *      against a framework version inside this range. The host enforces it
+ *      at load time so an outdated plugin can't crash deeper in the call
+ *      stack with an unrelated `TypeError`.
+ *   2. `requires` — other plugins this one depends on. Used to sort the
+ *      load order so a plugin's `setup()` can assume its prerequisites
+ *      have already registered hooks/actions.
+ *
+ * Both checks fail open by default — an incompatible plugin or one with
+ * missing deps is logged and skipped, never thrown. Operators see the warn
+ * lines in boot logs and decide whether to upgrade or pin a version.
+ */
+/**
+ * Returns the running framework version, read from `@nexpress/core`'s
+ * package.json at build time and inlined by tsup. Tests can override via
+ * `setFrameworkVersionForTest()`.
+ */
+declare function getFrameworkVersion(): string;
+/** Returns -1 / 0 / 1 — same contract as `Array.prototype.sort` callbacks. */
+declare function compareSemver(a: string, b: string): number;
+interface NexpressCompatResult {
+    compatible: boolean;
+    reason?: string;
+}
+/**
+ * Verifies that `frameworkVersion` falls inside `[minVersion, maxVersion]`
+ * (inclusive). `maxVersion` is optional — a plugin that omits it claims to
+ * support every later version of the framework.
+ */
+declare function checkNexpressCompat(manifest: {
+    nexpress?: {
+        minVersion?: string;
+        maxVersion?: string;
+    };
+}, framework?: string): NexpressCompatResult;
+
+export { type CreateSiteInput, DEFAULT_THEME, LocalStorageAdapter, NP_DEFAULT_SITE_ID, type NexpressCompatResult, NoopEmailAdapter, NpAuthError, NpAuthUser, NpCollectionConfig, type NpCollectionTranslationProgress, NpConfig, NpConflictError, type NpDeleteSiteOptions, type NpEmailAdapter, type NpEmailMessage, type NpEmailTemplate, NpError, type NpErrorCode, type NpErrorCodeInput, NpFeedEntry, NpFieldConfig, NpFileMetadata, NpFindOptions, NpFindResult, NpForbiddenError, type NpListPendingDocsOptions, type NpListPendingDocsResult, NpNavItem, NpNotFoundError, type NpPasswordResetTemplateData, type NpPendingDocSummary, NpPluginConfig, type NpPluginConfigResult, type NpPluginState, type NpPluginStateUpdate, NpRateLimitError, NpRegisteredTheme, type NpRevision, type NpRevisionListOptions, type NpRevisionListResult, type NpRevisionStatus, type NpRevisionSummary, NpSaveOptions, NpSaveResult, type NpSearchAdapter, type NpSearchAdapterContext, type NpSearchVectorParts, type NpSite, NpSiteContextMissingError, type NpSiteUsage, NpSitemapEntry, NpStorageAdapter, type NpThemeColors, NpThemeFieldRequirement, NpThemeManifest, type NpThemeNavLocationDescriptor, type NpThemeRequirementMissingField, type NpThemeRequirementRelationConflict, type NpThemeRequirementResult, type NpThemeRequirementTypeConflict, type NpThemeSeoHooksExtracted, type NpThemeSettingsArrayField, type NpThemeSettingsBooleanField, type NpThemeSettingsColorField, type NpThemeSettingsEnumField, type NpThemeSettingsField, type NpThemeSettingsNumberField, type NpThemeSettingsObjectField, type NpThemeSettingsResult, type NpThemeSettingsTextField, type NpThemeSettingsTextareaField, type NpThemeSettingsUnsupportedField, type NpThemeSettingsUrlField, type NpThemeShape, type NpThemeTemplateSummary, type NpThemeTokens, type NpThemeTokensOverlay, type NpThemeTypography, type NpTranslationProgress, type NpTranslationProgressLocaleStats, NpUserRole, NpValidationError, type PluginAdminExtension, type PluginHookHandler, type PluginPageRouteEntry, type PluginRouteHandler, type PluginRouteRequest, type PluginRouteResponse, type PublishScheduledResult, type ReindexResult, type ResolvedCollectionTab, type ResolvedDashboardWidget, S3StorageAdapter, type SearchCollectionsOptions, type SearchResult, type SearchResultItem, type SiteMembership, SmtpEmailAdapter, type SmtpEmailAdapterOptions, activeThemeContributesSeo, autosaveRevision, buildInviteEmail, buildResetEmail, buildSearchVector, buildSearchVectorParts, buildWeightedSearchVectorSql, buildZodSchema, checkNexpressCompat, checkThemeRequirements, collectionConfigSchema, compareSemver, createMemberDocument, createSite, createStorageAdapter, createTranslation, defineCollection, defineConfig, deleteDocument, deleteMemberDocument, deleteSite, dispatchPluginAction, ensureDefaultSite, extractErrorComponent, extractMembersNotFoundComponent, extractNotFoundComponent, extractSeoHooks, findDocuments, findPosts, findSlugRedirect, findTranslations, getActiveTheme, getActiveThemeError, getActiveThemeId, getActiveThemeMembersNotFound, getActiveThemeNavLocations, getActiveThemeNotFound, getActiveThemeSeoHooks, getAllCollectionSlugs, getAllPageSlugs, getAllPluginIds, getCollectionConfig, getCollectionRegistration, getCollectionTable, getCollectionTabsForSlug, getCollectionZodSchema, getCurrentSiteId, getDashboardWidgetsFromPlugins, getDefaultSite, getDocumentById, getEmailAdapter, getFrameworkVersion, getMembership, getNavigation, getPageBySlug, getPluginAdminExtension, getPluginConfig, getPluginConfigWithStatus, getPluginPageRoutes, getPluginRegistration, getPluginRoutes, getPluginState, getPluginTemplatesForCollection, getPostBySlug, getRegisteredPluginSchedules, getRegisteredThemes, getRevision, getSearchAdapter, getSetting, getSiteByHostname, getSiteById, getSiteUsageSummary, getTheme, getThemeById, getThemeSettings, getThemeSettingsWithStatus, getThemeTemplateSummaries, getTranslationProgress, grantSiteMembership, hasRoleOnSite, introspectThemeSettingsSchema, invalidatePluginEnabled, isPluginEnabled, isSuperAdmin, listMembershipsForUser, listPendingMemberDocs, listPluginStates, listRevisions, listSiteMemberships, listSites, loadPlugins, npConfigSchema, pluginConfigCacheTag, promoteMemberDocument, publishScheduledDocuments, registerCollection, registerPluginTemplates, registerThemes, reindexCollection, resetCurrentSiteResolver, resetEmailAdapter, resetPluginTemplates, resetPlugins, resetSearchAdapter, resetThemes, resolveSiteForHostname, resolveTemplateComponent, resolveUserRoleOnSite, restoreRevision, revokeSiteMembership, runHook, runHookAndCollect, runPluginScheduledTask, sanitizeTokenValue, saveDocument, schedulePluginTask, searchCollections, setActiveThemeId, setCurrentSiteResolver, setEmailAdapter, setPluginConfig, setSearchAdapter, setSuperAdmin, setThemeSettings, syncPluginRegistrations, updateMemberDocument, updatePluginState, updateSite, withCurrentSite };