@nixxie-cms/core 1.0.3 → 1.1.0

package/dist/nixxie-cms-core.cjs.js

@@ -2,22 +2,114 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var resolveHooks = require('./resolve-hooks-165a9ce2.cjs.js');
-var index = require('./index-42045902.cjs.js');
+var resolveHooks = require('./resolve-hooks-10a5f84c.cjs.js');
+var node_crypto = require('node:crypto');
+var index = require('./index-6055753b.cjs.js');
+var index$1 = require('./index-ac29f382.cjs.js');
 var nextFields = require('./next-fields-49c025ef.cjs.js');
 require('pluralize');
 require('@graphql-ts/schema');
 require('@graphql-ts/extend');
 require('graphql');
-require('./non-null-graphql-add6bb3d.cjs.js');
+require('node:async_hooks');
+require('./non-null-graphql-4a44c122.cjs.js');
 require('node:path');
 require('./admin-meta-18d0c276.cjs.js');
+require('./utils-1b632a8f.cjs.js');
 require('decimal.js');
 require('graphql-upload/GraphQLUpload.js');
 
+function normalise(spec) {
+  if (Array.isArray(spec)) {
+    return Object.fromEntries(spec.map(name => [name, {}]));
+  }
+  return spec;
+}
+
+/**
+ * Validate `env` (default `process.env`) against a spec. Applies `default`s to the env
+ * object for unset variables, then throws one aggregated error listing every missing or
+ * malformed variable. Called automatically when the config declares `env`, and exported
+ * for standalone use.
+ */
+function validateEnv(spec, env = process.env) {
+  const problems = [];
+  for (const [name, requirement] of Object.entries(normalise(spec))) {
+    let value = env[name];
+    if ((value === undefined || value === '') && requirement.default !== undefined) {
+      env[name] = requirement.default;
+      value = requirement.default;
+    }
+    const describe = requirement.description ? ` — ${requirement.description}` : '';
+    if (value === undefined || value === '') {
+      if (requirement.required !== false) {
+        problems.push(`  • ${name} is not set${describe}`);
+      }
+      continue;
+    }
+    if (requirement.pattern && !requirement.pattern.test(value)) {
+      problems.push(`  • ${name} does not match ${requirement.pattern}${describe}`);
+    }
+  }
+  if (problems.length) {
+    throw new Error(`Environment validation failed (${problems.length} problem${problems.length === 1 ? '' : 's'}):\n` + problems.join('\n'));
+  }
+}
+
+/**
+ * Fold `config.plugins` into the config: merge plugin collections (key conflicts throw),
+ * run each plugin's `extendConfig`, and chain plugin `onConnect`s before `db.onConnect`.
+ */
+function applyPlugins(config) {
+  var _config$plugins;
+  const plugins = (_config$plugins = config.plugins) !== null && _config$plugins !== void 0 ? _config$plugins : [];
+  if (!plugins.length) return config;
+  const seen = new Set();
+  for (const plugin of plugins) {
+    if (!plugin.name) throw new Error('Every plugin must have a `name`');
+    if (seen.has(plugin.name)) throw new Error(`Duplicate plugin name "${plugin.name}"`);
+    seen.add(plugin.name);
+  }
+  let next = {
+    ...config,
+    collections: {
+      ...config.collections
+    }
+  };
+  for (const plugin of plugins) {
+    for (const [key, collection] of Object.entries((_plugin$collections = plugin.collections) !== null && _plugin$collections !== void 0 ? _plugin$collections : {})) {
+      var _plugin$collections;
+      if (key in next.collections) {
+        throw new Error(`Plugin "${plugin.name}" adds the collection "${key}", but a collection with that key already exists`);
+      }
+      next.collections[key] = collection;
+    }
+    if (plugin.extendConfig) {
+      next = plugin.extendConfig(next);
+      if (!next) {
+        throw new Error(`Plugin "${plugin.name}".extendConfig must return the config`);
+      }
+    }
+  }
+  const onConnects = plugins.flatMap(plugin => plugin.onConnect ? [plugin.onConnect] : []);
+  if (onConnects.length) {
+    const userOnConnect = next.db.onConnect;
+    next = {
+      ...next,
+      db: {
+        ...next.db,
+        onConnect: async context => {
+          for (const fn of onConnects) await fn(context);
+          await (userOnConnect === null || userOnConnect === void 0 ? void 0 : userOnConnect(context));
+        }
+      }
+    };
+  }
+  return next;
+}
 function listsWithDefaults(config, defaultIdField) {
   // some error checking
-  for (const [listKey, list] of Object.entries(config.lists)) {
+  for (const [listKey, list] of Object.entries(config.collections)) {
     var _list$db;
     if (list.fields.id) {
       throw new Error(`"fields.id" is reserved by Nixxie, use "db.idField" for the "${listKey}" list`);
@@ -27,7 +119,7 @@ function listsWithDefaults(config, defaultIdField) {
     }
   }
   return Object.fromEntries([...function* () {
-    for (const [listKey, list] of Object.entries(config.lists)) {
+    for (const [listKey, list] of Object.entries(config.collections)) {
       var _list$db$idField, _list$db2;
       yield [listKey, {
         listKey,
@@ -36,6 +128,7 @@ function listsWithDefaults(config, defaultIdField) {
         defaultIsOrderable: true,
         // TODO: move to access control?
         isSingleton: false,
+        cascade: [],
         ...list,
         db: {
           ...list.db
@@ -79,8 +172,10 @@ async function noop() {}
 function identity(x) {
   return x;
 }
-function config(config) {
-  var _config$db, _config$db$url, _config$db$idField, _config$server, _config$server2, _config$server$cors, _config$server3, _config$types$path, _config$types, _config$db$shadowData, _config$db2, _config$db$extendPris, _config$db3, _config$db$extendPris2, _config$db4, _config$db$onConnect, _config$db$prismaClie, _config$db5, _config$db$prismaSche, _config$db6, _config$db$idField2, _config$db7, _config$db$enableLogg, _config$graphql$path, _config$graphql, _config$graphql$playg, _config$graphql2, _config$graphql$schem, _config$graphql3, _config$graphql$exten, _config$graphql4, _config$server$maxFil, _config$server4, _config$server$extend, _config$server5, _config$server$extend2, _config$server6, _config$telemetry, _config$ui$basePath, _config$ui, _config$ui$isAccessAl, _config$ui2, _config$ui$isDisabled, _config$ui3, _config$ui$getAdditio, _config$ui4, _config$ui$pageMiddle, _config$ui5, _config$ui$publicPage, _config$ui6;
+function buildConfig(config) {
+  var _config$db, _config$db$url, _config$db$idField, _config$server, _config$server2, _config$server$cors, _config$server3, _config, _config2, _config$types$path, _config$types, _config$db$shadowData, _config$db2, _config$db$extendPris, _config$db3, _config$db$extendPris2, _config$db4, _config$db$onConnect, _config$db$prismaClie, _config$db5, _config$db$prismaSche, _config$db6, _config$db$idField2, _config$db7, _config$db$enableLogg, _config$graphql$path, _config$graphql, _config$graphql$playg, _config$graphql2, _config$graphql$schem, _config$graphql3, _config$graphql$exten, _config$graphql4, _config$server$maxFil, _config$server4, _config$server$extend, _config$server5, _config$server$extend2, _config$server6, _config$telemetry, _config$ui$basePath, _config$ui, _config$ui$isAccessAl, _config$ui2, _config$ui$isDisabled, _config$ui3, _config$ui$getAdditio, _config$ui4, _config$ui$pageMiddle, _config$ui5, _config$ui$publicPage, _config$ui6;
+  if (config.env) validateEnv(config.env);
+  config = applyPlugins(config);
   if (!['postgresql', 'sqlite', 'mysql'].includes(config.db.provider)) {
     throw new TypeError(`"db.provider" only supports "sqlite", "postgresql" or "mysql"`);
   }
@@ -97,10 +192,10 @@ function config(config) {
   const httpOptions = {
     port: 3000
   };
-  if (config !== null && config !== void 0 && config.server && 'port' in config.server) {
+  if ((_config = config) !== null && _config !== void 0 && _config.server && 'port' in config.server) {
     httpOptions.port = config.server.port;
   }
-  if (config !== null && config !== void 0 && config.server && 'options' in config.server && config.server.options) {
+  if ((_config2 = config) !== null && _config2 !== void 0 && _config2.server && 'options' in config.server && config.server.options) {
     Object.assign(httpOptions, config.server.options);
   }
   return {
@@ -148,6 +243,11 @@ function config(config) {
     search: config.search,
     notifications: config.notifications,
     ai: config.ai,
+    versioning: config.versioning,
+    workflow: config.workflow,
+    apiKeys: config.apiKeys,
+    logger: config.logger,
+    backup: config.backup,
     telemetry: (_config$telemetry = config.telemetry) !== null && _config$telemetry !== void 0 ? _config$telemetry : true,
     ui: {
       ...config.ui,
@@ -161,7 +261,7 @@ function config(config) {
   };
 }
 let i = 0;
-function group(config) {
+function fieldGroup(config) {
   var _config$description;
   const keys = Object.keys(config.fields);
   if (keys.some(key => key.startsWith('__group'))) {
@@ -177,18 +277,408 @@ function group(config) {
     ...config.fields
   }; // TODO: FIXME, see initialise-lists.ts:getListsWithInitialisedFields
 }
-function list(listConfig) {
+function collection(listConfig) {
   return {
     ...listConfig
   };
 }
-function action(action) {
+function createAction(action) {
   return {
     ...action,
     ___defineActionsWithActionFunction: true
   };
 }
 
+/**
+ * Declarative collection features compiled into hooks + access-control filters by
+ * `defineCollection()`: computed fields, constraints, default filters, state machines,
+ * policies, events, search indexing and version snapshots.
+ *
+ * Everything here builds on the public hook/access surface — no resolver internals —
+ * so the features compose with mixins and user hooks via the same merge pipeline.
+ */
+
+// ── Option types ──
+
+/**
+ * Persisted derived fields, recalculated on every create/update after all other
+ * `resolveInput` hooks have run. The target keys must be real fields on the collection
+ * (unlike `virtual()` fields, computed values are stored — so they can be filtered and
+ * sorted). `merged` is the item's prospective state (existing values + this write).
+ *
+ * @example
+ * computed: { total: ({ merged }) => merged.price * merged.quantity }
+ */
+
+/**
+ * Data-integrity rules checked before every create/update.
+ *
+ * - `uniqueTogether`: compound uniqueness over scalar fields (e.g. `[['tenant', 'slug']]`).
+ *   Checked with a query, so add a DB index for hot paths.
+ * - `checks`: named cross-field rules; return an error message to reject the write.
+ *
+ * @example
+ * constraints: {
+ *   uniqueTogether: [['translationKey', 'locale']],
+ *   checks: { dates: ({ merged }) => merged.endDate <= merged.startDate ? 'endDate must be after startDate' : undefined },
+ * }
+ */
+
+/**
+ * A where-filter automatically ANDed into every query/update/delete — including the
+ * Admin UI, which respects access filters. This is what makes `withSoftDelete()` real:
+ *
+ * @example
+ * defaultFilter: { deletedAt: null }
+ * @example
+ * defaultFilter: ({ session }) => session?.data?.isAdmin ? true : { status: { equals: 'published' } }
+ */
+
+/**
+ * Enforce legal status transitions on a select field at the mutation layer.
+ *
+ * @example
+ * stateMachine: {
+ *   field: 'status',
+ *   transitions: { draft: ['review'], review: ['published', 'draft'], published: ['archived'] },
+ *   guards: { 'review->published': ({ session }) => session?.data?.role === 'editor' || 'Only editors can publish' },
+ * }
+ */
+
+/** One row-level access rule: the first rule whose `when` matches decides the filter. */
+
+/**
+ * Declarative row-level access: per operation, rules are evaluated in order and the
+ * first matching `when` supplies the filter; no match means no access. ANDed with any
+ * explicit `access.filter` you also configure. Pairs naturally with @nixxie-cms/rbac.
+ *
+ * @example
+ * policies: {
+ *   query: [
+ *     { when: s => s?.data?.role === 'admin', filter: true },
+ *     { when: s => !!s, filter: s => ({ author: { id: { equals: s.itemId } } }) },
+ *   ],
+ * }
+ */
+
+/**
+ * Emit lifecycle events through `context.services.webhooks` after every write:
+ * `<prefix>.created` / `.updated` / `.deleted` (prefix defaults to the list key).
+ * No-op when the webhooks service is not configured.
+ */
+
+/**
+ * Keep a search index in sync through `context.services.search`: documents are indexed
+ * after create/update and removed after delete. No-op when search is not configured.
+ */
+
+/**
+ * Snapshot every create/update into `context.services.versioning` (resource = list key).
+ * No-op when versioning is not configured.
+ */
+
+// ── Compilation to hooks ──
+
+const mergedView = args => {
+  var _args$item, _args$resolvedData;
+  return {
+    ...((_args$item = args.item) !== null && _args$item !== void 0 ? _args$item : {}),
+    ...((_args$resolvedData = args.resolvedData) !== null && _args$resolvedData !== void 0 ? _args$resolvedData : {})
+  };
+};
+function computedHooks(computed) {
+  return {
+    resolveInput: async args => {
+      const out = {
+        ...args.resolvedData
+      };
+      for (const [field, fn] of Object.entries(computed)) {
+        var _args$item2;
+        out[field] = await fn({
+          operation: args.operation,
+          resolvedData: out,
+          merged: {
+            ...((_args$item2 = args.item) !== null && _args$item2 !== void 0 ? _args$item2 : {}),
+            ...out
+          },
+          item: args.item,
+          context: args.context
+        });
+      }
+      return out;
+    }
+  };
+}
+function constraintsHooks(constraints) {
+  return {
+    validate: async args => {
+      const {
+        operation,
+        addValidationError
+      } = args;
+      if (operation === 'delete') return;
+      const merged = mergedView(args);
+      for (const tuple of (_constraints$uniqueTo = constraints.uniqueTogether) !== null && _constraints$uniqueTo !== void 0 ? _constraints$uniqueTo : []) {
+        var _constraints$uniqueTo;
+        const values = tuple.map(field => merged[field]);
+        // Incomplete tuples (a NULL member) are not checked — same semantics as SQL unique indexes.
+        if (values.some(value => value === undefined || value === null)) continue;
+        const where = {};
+        tuple.forEach((field, i) => where[field] = {
+          equals: values[i]
+        });
+        try {
+          const clashes = await args.context.sudo().db[args.listKey].findMany({
+            where,
+            take: 2
+          });
+          const other = clashes.find(clash => !args.item || String(clash.id) !== String(args.item.id));
+          if (other) {
+            addValidationError(`Another item already exists with the same ${tuple.join(' + ')}`);
+          }
+        } catch (err) {
+          // A malformed tuple (unknown/non-scalar field) should fail loudly, not silently pass.
+          addValidationError(`uniqueTogether check for (${tuple.join(', ')}) failed: ${err instanceof Error ? err.message : err}`);
+        }
+      }
+      for (const check of Object.values((_constraints$checks = constraints.checks) !== null && _constraints$checks !== void 0 ? _constraints$checks : {})) {
+        var _constraints$checks;
+        const message = await check({
+          operation: args.operation,
+          resolvedData: args.resolvedData,
+          merged,
+          item: args.item,
+          context: args.context
+        });
+        if (typeof message === 'string' && message.length > 0) addValidationError(message);
+      }
+    }
+  };
+}
+function stateMachineHooks(machine) {
+  const {
+    field,
+    transitions,
+    guards = {}
+  } = machine;
+  const initial = machine.initial === undefined ? undefined : Array.isArray(machine.initial) ? machine.initial : [machine.initial];
+  return {
+    validate: async args => {
+      var _transitions$previous;
+      const {
+        operation,
+        resolvedData,
+        item,
+        addValidationError
+      } = args;
+      if (operation === 'delete') return;
+      const next = resolvedData === null || resolvedData === void 0 ? void 0 : resolvedData[field];
+      if (next === undefined) return;
+      if (operation === 'create') {
+        if (initial && next != null && !initial.includes(next)) {
+          addValidationError(`"${field}" cannot start as "${next}" (allowed: ${initial.join(', ')})`);
+        }
+        return;
+      }
+      const previous = item === null || item === void 0 ? void 0 : item[field];
+      if (next === previous) return;
+      const allowed = (_transitions$previous = transitions[previous]) !== null && _transitions$previous !== void 0 ? _transitions$previous : [];
+      if (!allowed.includes(next)) {
+        addValidationError(`"${field}" cannot change from "${previous}" to "${next}"` + (allowed.length ? ` (allowed: ${allowed.join(', ')})` : ' (no transitions from this state)'));
+        return;
+      }
+      const guard = guards[`${previous}->${next}`];
+      if (guard) {
+        var _args$context;
+        const verdict = await guard({
+          item,
+          resolvedData,
+          context: args.context,
+          session: (_args$context = args.context) === null || _args$context === void 0 ? void 0 : _args$context.session
+        });
+        if (verdict !== true) {
+          addValidationError(typeof verdict === 'string' ? verdict : `"${field}" transition "${previous}" → "${next}" was blocked`);
+        }
+      }
+    }
+  };
+}
+const pastTense = {
+  create: 'created',
+  update: 'updated',
+  delete: 'deleted'
+};
+function eventsHooks(events) {
+  var _options$operations;
+  const options = events === true ? {} : events;
+  const operations = (_options$operations = options.operations) !== null && _options$operations !== void 0 ? _options$operations : ['create', 'update', 'delete'];
+  return {
+    afterOperation: async args => {
+      var _args$context2;
+      if (!operations.includes(args.operation)) return;
+      const webhooks = (_args$context2 = args.context) === null || _args$context2 === void 0 || (_args$context2 = _args$context2.services) === null || _args$context2 === void 0 ? void 0 : _args$context2.webhooks;
+      if (!webhooks) return;
+      try {
+        var _args$item3, _options$prefix;
+        const subject = (_args$item3 = args.item) !== null && _args$item3 !== void 0 ? _args$item3 : args.originalItem;
+        const event = `${(_options$prefix = options.prefix) !== null && _options$prefix !== void 0 ? _options$prefix : args.listKey}.${pastTense[args.operation]}`;
+        const payload = options.payload ? await options.payload(args) : {
+          listKey: args.listKey,
+          id: (subject === null || subject === void 0 ? void 0 : subject.id) != null ? String(subject.id) : undefined,
+          item: subject
+        };
+        await webhooks.trigger(event, payload);
+      } catch (err) {
+        console.error(`[nixxie] events: failed to emit for ${args.listKey}:`, err);
+      }
+    }
+  };
+}
+
+/** Copy the indexable scalar values off an item (used when `fields` is not specified). */
+function scalarDocument(item) {
+  const doc = {};
+  for (const [key, value] of Object.entries(item)) {
+    if (key.startsWith('__')) continue;
+    if (value === null) doc[key] = null;else if (value instanceof Date) doc[key] = value.toISOString();else if (['string', 'number', 'boolean'].includes(typeof value)) doc[key] = value;
+  }
+  return doc;
+}
+function searchableHooks(searchable) {
+  const options = searchable === true ? {} : searchable;
+  return {
+    afterOperation: async args => {
+      var _args$context3, _options$index;
+      const search = (_args$context3 = args.context) === null || _args$context3 === void 0 || (_args$context3 = _args$context3.services) === null || _args$context3 === void 0 ? void 0 : _args$context3.search;
+      if (!search) return;
+      const indexName = (_options$index = options.index) !== null && _options$index !== void 0 ? _options$index : String(args.listKey).toLowerCase();
+      try {
+        if (args.operation === 'delete') {
+          await search.remove(indexName, String(args.originalItem.id));
+          return;
+        }
+        const item = args.item;
+        const picked = options.fields ? Object.fromEntries(options.fields.map(field => [field, item[field] instanceof Date ? item[field].toISOString() : item[field]])) : scalarDocument(item);
+        await search.index(indexName, {
+          ...picked,
+          id: String(item.id)
+        });
+      } catch (err) {
+        console.error(`[nixxie] searchable: failed to sync index "${indexName}":`, err);
+      }
+    }
+  };
+}
+function versionedHooks(versioned) {
+  const options = versioned === true ? {} : versioned;
+  return {
+    afterOperation: async args => {
+      var _args$context4;
+      if (args.operation === 'delete') return;
+      const versioning = (_args$context4 = args.context) === null || _args$context4 === void 0 || (_args$context4 = _args$context4.services) === null || _args$context4 === void 0 ? void 0 : _args$context4.versioning;
+      if (!versioning) return;
+      try {
+        var _args$context5, _options$label;
+        const session = (_args$context5 = args.context) === null || _args$context5 === void 0 ? void 0 : _args$context5.session;
+        await versioning.snapshot({
+          resource: args.listKey,
+          resourceId: String(args.item.id),
+          data: scalarSafe(args.item),
+          label: (_options$label = options.label) === null || _options$label === void 0 ? void 0 : _options$label.call(options, args),
+          actor: (session === null || session === void 0 ? void 0 : session.itemId) != null ? {
+            id: String(session.itemId)
+          } : undefined
+        });
+      } catch (err) {
+        console.error(`[nixxie] versioned: failed to snapshot ${args.listKey}:`, err);
+      }
+    }
+  };
+}
+
+/** Snapshot-safe clone: keeps JSON-representable values, ISO-stringifies dates. */
+function scalarSafe(item) {
+  const out = {};
+  for (const [key, value] of Object.entries(item)) {
+    if (value instanceof Date) out[key] = value.toISOString();else if (typeof value === 'bigint') out[key] = value.toString();else if (typeof value !== 'function' && typeof value !== 'symbol') out[key] = value;
+  }
+  return out;
+}
+
+/** Compile the declarative features into hook fragments, in a deliberate order. */
+function compileFeatureHooks(features) {
+  const hooks = [];
+  if (features.computed) hooks.push(computedHooks(features.computed));
+  if (features.constraints) hooks.push(constraintsHooks(features.constraints));
+  if (features.stateMachine) hooks.push(stateMachineHooks(features.stateMachine));
+  if (features.events) hooks.push(eventsHooks(features.events));
+  if (features.searchable) hooks.push(searchableHooks(features.searchable));
+  if (features.versioned) hooks.push(versionedHooks(features.versioned));
+  return hooks;
+}
+
+// ── Compilation to access filters ──
+
+/** AND two access filters; `true`/missing means unrestricted, `false` wins outright. */
+function andFilters(a, b) {
+  if (a === undefined) return b;
+  return async args => {
+    const ra = typeof a === 'function' ? await a(args) : a;
+    const rb = typeof b === 'function' ? await b(args) : b;
+    if (ra === false || rb === false) return false;
+    if (ra === true) return rb;
+    if (rb === true) return ra;
+    return {
+      AND: [ra, rb]
+    };
+  };
+}
+function policyFilter(rules) {
+  return ({
+    session
+  }) => {
+    for (const rule of rules) {
+      if (!rule.when(session)) continue;
+      return typeof rule.filter === 'function' ? rule.filter(session) : rule.filter;
+    }
+    return false;
+  };
+}
+
+/**
+ * Merge `defaultFilter` and `policies` into an access-control object. Existing filters
+ * are preserved and ANDed with the feature filters.
+ */
+function applyAccessFeatures(access, features) {
+  var _access$filter;
+  const {
+    defaultFilter,
+    policies
+  } = features;
+  if (!defaultFilter && !policies) return access;
+  const filter = {
+    ...((_access$filter = access === null || access === void 0 ? void 0 : access.filter) !== null && _access$filter !== void 0 ? _access$filter : {})
+  };
+  for (const operation of ['query', 'update', 'delete']) {
+    let merged = filter[operation];
+    if (defaultFilter) {
+      merged = andFilters(merged, typeof defaultFilter === 'function' ? args => defaultFilter({
+        session: args.session,
+        context: args.context
+      }) : defaultFilter);
+    }
+    const rules = policies === null || policies === void 0 ? void 0 : policies[operation];
+    if (rules !== null && rules !== void 0 && rules.length) {
+      merged = andFilters(merged, policyFilter(rules));
+    }
+    if (merged !== undefined) filter[operation] = merged;
+  }
+  return {
+    ...(access !== null && access !== void 0 ? access : {}),
+    filter
+  };
+}
+
 // ================================================================
 // Validators — use inside field `validation` config
 // ================================================================
@@ -240,6 +730,72 @@ const validators = {
   }
 };
 
+// ================================================================
+// Access presets — readable shorthands for common access patterns
+// ================================================================
+//
+// Spelling out an access-control object on every list gets repetitive. In
+// practice 90% of lists fall into a handful of patterns, so we name them.
+// Anything more bespoke can still drop down to a raw access object.
+
+const isSignedIn = ({
+  session
+}) => !!session;
+const accessPresets = {
+  public: () => true,
+  authenticated: {
+    operation: {
+      query: isSignedIn,
+      create: isSignedIn,
+      update: isSignedIn,
+      delete: isSignedIn
+    }
+  },
+  publicReadAuthenticatedWrite: {
+    operation: {
+      query: () => true,
+      create: isSignedIn,
+      update: isSignedIn,
+      delete: isSignedIn
+    }
+  },
+  readOnly: {
+    operation: {
+      query: () => true,
+      create: () => false,
+      update: () => false,
+      delete: () => false
+    }
+  },
+  owner(field = 'user') {
+    const scopeToOwner = ({
+      session
+    }) => {
+      if (!(session !== null && session !== void 0 && session.itemId)) return false;
+      return {
+        [field]: {
+          id: {
+            equals: session.itemId
+          }
+        }
+      };
+    };
+    return {
+      operation: {
+        query: isSignedIn,
+        create: isSignedIn,
+        update: isSignedIn,
+        delete: isSignedIn
+      },
+      filter: {
+        query: scopeToOwner,
+        update: scopeToOwner,
+        delete: scopeToOwner
+      }
+    };
+  }
+};
+
 // ================================================================
 // Mixin system
 // ================================================================
@@ -330,7 +886,7 @@ function withSoftDelete() {
 function withAudit(userListKey = 'User') {
   return {
     fields: {
-      createdBy: index.relationship({
+      createdBy: index$1.relationship({
         ref: userListKey,
         ui: {
           createView: {
@@ -341,7 +897,7 @@ function withAudit(userListKey = 'User') {
           }
         }
       }),
-      updatedBy: index.relationship({
+      updatedBy: index$1.relationship({
         ref: userListKey,
         ui: {
           createView: {
@@ -395,6 +951,760 @@ function withAudit(userListKey = 'User') {
   };
 }
 
+/**
+ * Turn an arbitrary string into a URL-safe slug. Pure, dependency-free.
+ */
+function slugify(input) {
+  return input.toString().normalize('NFKD').replace(/[̀-ͯ]/g, '') // strip accents
+  .toLowerCase().trim().replace(/[^a-z0-9]+/g, '-') // non-alphanumerics → dashes
+  .replace(/^-+|-+$/g, ''); // trim leading/trailing dashes
+}
+
+/**
+ * Adds a URL-friendly `slug` field that is auto-generated from another field
+ * (e.g. `title`) when left blank, and normalised when provided.
+ *
+ * Solves a perennial papercut: there's no built-in slug field, so everyone
+ * re-implements the same `resolveInput` hook by hand.
+ *
+ * @example
+ * defineCollection({ mixins: [withSlug({ from: 'title' })], fields: { title: text() } })
+ */
+function withSlug(opts = {
+  from: 'title'
+}) {
+  var _opts$field, _opts$isIndexed;
+  const fieldKey = (_opts$field = opts.field) !== null && _opts$field !== void 0 ? _opts$field : 'slug';
+  const from = opts.from;
+  return {
+    fields: {
+      [fieldKey]: index.text({
+        isIndexed: (_opts$isIndexed = opts.isIndexed) !== null && _opts$isIndexed !== void 0 ? _opts$isIndexed : 'unique',
+        ui: {
+          description: `URL slug — auto-generated from "${from}" when left blank.`
+        }
+      })
+    },
+    hooks: {
+      resolveInput: ({
+        resolvedData,
+        inputData
+      }) => {
+        var _from;
+        const provided = resolvedData[fieldKey];
+        if (typeof provided === 'string' && provided.length > 0) {
+          return {
+            ...resolvedData,
+            [fieldKey]: slugify(provided)
+          };
+        }
+        const source = (_from = inputData === null || inputData === void 0 ? void 0 : inputData[from]) !== null && _from !== void 0 ? _from : resolvedData === null || resolvedData === void 0 ? void 0 : resolvedData[from];
+        if (typeof source === 'string' && source.length > 0) {
+          return {
+            ...resolvedData,
+            [fieldKey]: slugify(source)
+          };
+        }
+        return resolvedData;
+      }
+    }
+  };
+}
+
+/**
+ * Adds a draft → published → archived workflow: a `status` select plus a
+ * `publishedAt` timestamp that is stamped automatically the first time an item
+ * transitions to `published`.
+ *
+ * Publishing is otherwise left entirely to the developer; this bakes in the
+ * common content lifecycle so a blog/news/docs list works out of the box.
+ */
+function withPublishing(opts = {}) {
+  var _opts$defaultStatus;
+  const defaultStatus = (_opts$defaultStatus = opts.defaultStatus) !== null && _opts$defaultStatus !== void 0 ? _opts$defaultStatus : 'draft';
+  return {
+    fields: {
+      status: index$1.select({
+        type: 'enum',
+        options: [{
+          label: 'Draft',
+          value: 'draft'
+        }, {
+          label: 'Published',
+          value: 'published'
+        }, {
+          label: 'Archived',
+          value: 'archived'
+        }],
+        defaultValue: defaultStatus,
+        ui: {
+          displayMode: 'segmented-control'
+        }
+      }),
+      publishedAt: index.timestamp({
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          },
+          listView: {
+            fieldMode: 'read'
+          }
+        }
+      })
+    },
+    hooks: {
+      resolveInput: ({
+        resolvedData,
+        item
+      }) => {
+        var _status;
+        const nextStatus = (_status = resolvedData.status) !== null && _status !== void 0 ? _status : item === null || item === void 0 ? void 0 : item.status;
+        const alreadyPublished = item === null || item === void 0 ? void 0 : item.publishedAt;
+        const incomingPublishedAt = resolvedData.publishedAt;
+        if (nextStatus === 'published' && !alreadyPublished && incomingPublishedAt == null) {
+          return {
+            ...resolvedData,
+            publishedAt: new Date().toISOString()
+          };
+        }
+        return resolvedData;
+      }
+    }
+  };
+}
+
+/**
+ * Adds standard SEO metadata fields, grouped together in the Admin UI.
+ * Drop-in for any content list that needs search/social previews.
+ */
+function withSEO() {
+  return {
+    fields: {
+      metaTitle: index.text({
+        ui: {
+          description: 'Title used by search engines and social previews.'
+        }
+      }),
+      metaDescription: index.text({
+        ui: {
+          displayMode: 'textarea',
+          description: 'Short summary (~155 characters).'
+        }
+      }),
+      ogImage: index.text({
+        ui: {
+          description: 'Absolute URL to the social sharing image.'
+        }
+      })
+    }
+  };
+}
+
+/**
+ * Adds an integer `order` field for manual sorting/drag-ordering of items.
+ */
+function withSortable(opts = {}) {
+  var _opts$field2;
+  const fieldKey = (_opts$field2 = opts.field) !== null && _opts$field2 !== void 0 ? _opts$field2 : 'order';
+  return {
+    fields: {
+      [fieldKey]: index$1.integer({
+        defaultValue: 0,
+        ui: {
+          description: 'Manual sort position (lower comes first).'
+        }
+      })
+    }
+  };
+}
+
+/**
+ * Adds self-referential `parent` / `children` relationships for tree-shaped content
+ * (categories, menus, pages), with cycle prevention: an item can never be moved under
+ * one of its own descendants.
+ *
+ * @param listKey - The key of the collection this mixin is applied to (needed for the
+ *   self-referencing relationship and ancestor checks).
+ *
+ * @example
+ * defineCollection({ mixins: [withTreeStructure('Category')], fields: { name: text() } })
+ */
+function withTreeStructure(listKey, opts = {}) {
+  var _opts$parentField, _opts$childrenField;
+  const parentField = (_opts$parentField = opts.parentField) !== null && _opts$parentField !== void 0 ? _opts$parentField : 'parent';
+  const childrenField = (_opts$childrenField = opts.childrenField) !== null && _opts$childrenField !== void 0 ? _opts$childrenField : 'children';
+  return {
+    fields: {
+      [parentField]: index$1.relationship({
+        ref: `${listKey}.${childrenField}`,
+        ui: {
+          description: 'Parent item in the tree (leave empty for a root item).'
+        }
+      }),
+      [childrenField]: index$1.relationship({
+        ref: `${listKey}.${parentField}`,
+        many: true,
+        ui: {
+          displayMode: 'count',
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      })
+    },
+    hooks: {
+      validate: async args => {
+        var _parentOp$connect;
+        const {
+          operation,
+          resolvedData,
+          item,
+          context,
+          addValidationError
+        } = args;
+        if (operation !== 'update') return;
+        const parentOp = resolvedData === null || resolvedData === void 0 ? void 0 : resolvedData[parentField];
+        const newParentId = parentOp === null || parentOp === void 0 || (_parentOp$connect = parentOp.connect) === null || _parentOp$connect === void 0 ? void 0 : _parentOp$connect.id;
+        if (newParentId == null) return;
+        if (String(newParentId) === String(item.id)) {
+          addValidationError(`"${parentField}" cannot point at the item itself`);
+          return;
+        }
+        // Walk up from the new parent — finding the item means we'd create a cycle.
+        const sudo = context.sudo();
+        let cursor = newParentId;
+        for (let depth = 0; depth < 100 && cursor != null; depth++) {
+          var _ancestor$parentField, _ancestor$parentField2;
+          const ancestor = await sudo.query[listKey].findOne({
+            where: {
+              id: String(cursor)
+            },
+            query: `id ${parentField} { id }`
+          });
+          if (!ancestor) return;
+          cursor = (_ancestor$parentField = (_ancestor$parentField2 = ancestor[parentField]) === null || _ancestor$parentField2 === void 0 ? void 0 : _ancestor$parentField2.id) !== null && _ancestor$parentField !== void 0 ? _ancestor$parentField : null;
+          if (cursor != null && String(cursor) === String(item.id)) {
+            addValidationError(`"${parentField}" would create a cycle — the new parent is a descendant of this item`);
+            return;
+          }
+        }
+      }
+    }
+  };
+}
+
+/**
+ * Multi-tenancy: adds a required `tenant` relationship that is auto-assigned from the
+ * session on create. Combine with `tenantAccessFilter()` in the collection's
+ * `access.filter` rules to scope every query/update/delete to the session's tenant.
+ *
+ * @example
+ * defineCollection({
+ *   mixins: [withTenant({ ref: 'Tenant' })],
+ *   access: {
+ *     filter: {
+ *       query: tenantAccessFilter(),
+ *       update: tenantAccessFilter(),
+ *       delete: tenantAccessFilter(),
+ *     },
+ *   },
+ *   fields: { ... },
+ * })
+ */
+function withTenant(opts = {}) {
+  var _opts$ref, _opts$field3, _opts$getTenantId;
+  const ref = (_opts$ref = opts.ref) !== null && _opts$ref !== void 0 ? _opts$ref : 'Tenant';
+  const field = (_opts$field3 = opts.field) !== null && _opts$field3 !== void 0 ? _opts$field3 : 'tenant';
+  const getTenantId = (_opts$getTenantId = opts.getTenantId) !== null && _opts$getTenantId !== void 0 ? _opts$getTenantId : defaultGetTenantId;
+  return {
+    fields: {
+      [field]: index$1.relationship({
+        ref,
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      })
+    },
+    hooks: {
+      resolveInput: ({
+        operation,
+        resolvedData,
+        context
+      }) => {
+        if (operation !== 'create') return resolvedData;
+        if (resolvedData[field]) return resolvedData;
+        const tenantId = getTenantId(context.session);
+        if (!tenantId) return resolvedData;
+        return {
+          ...resolvedData,
+          [field]: {
+            connect: {
+              id: tenantId
+            }
+          }
+        };
+      },
+      validate: async args => {
+        const {
+          operation,
+          resolvedData,
+          addValidationError
+        } = args;
+        if (opts.optional || operation !== 'create') return;
+        if (!(resolvedData !== null && resolvedData !== void 0 && resolvedData[field])) {
+          addValidationError(`"${field}" is required — no tenant found on the session`);
+        }
+      }
+    }
+  };
+}
+function defaultGetTenantId(session) {
+  var _session$data$tenant$, _session$data;
+  return (_session$data$tenant$ = session === null || session === void 0 || (_session$data = session.data) === null || _session$data === void 0 || (_session$data = _session$data.tenant) === null || _session$data === void 0 ? void 0 : _session$data.id) !== null && _session$data$tenant$ !== void 0 ? _session$data$tenant$ : session === null || session === void 0 ? void 0 : session.tenantId;
+}
+
+/**
+ * Access-control filter companion to `withTenant()`: limits matched items to the
+ * session's tenant. Returns `false` (no access) when the session has no tenant.
+ */
+function tenantAccessFilter(opts = {}) {
+  var _opts$field4, _opts$getTenantId2;
+  const field = (_opts$field4 = opts.field) !== null && _opts$field4 !== void 0 ? _opts$field4 : 'tenant';
+  const getTenantId = (_opts$getTenantId2 = opts.getTenantId) !== null && _opts$getTenantId2 !== void 0 ? _opts$getTenantId2 : defaultGetTenantId;
+  return ({
+    session
+  }) => {
+    const tenantId = getTenantId(session);
+    if (!tenantId) return false;
+    return {
+      [field]: {
+        id: {
+          equals: tenantId
+        }
+      }
+    };
+  };
+}
+
+/**
+ * Adds `publishAt` / `unpublishAt` timestamps for scheduled publishing. Composes with
+ * `withPublishing()` (which provides the `status` field). The schedule is enacted by
+ * `applyScheduledPublishing()` — run it from a cron job:
+ *
+ * @example
+ * jobs: createJobs({ jobs: [{
+ *   name: 'scheduled-publishing',
+ *   schedule: '* * * * *',
+ *   handler: async () => { await applyScheduledPublishing(getContext(), 'Post') },
+ * }]})
+ */
+function withScheduledPublishing() {
+  return {
+    fields: {
+      publishAt: index.timestamp({
+        ui: {
+          description: 'Automatically publish at this time (requires the scheduled-publishing job).'
+        }
+      }),
+      unpublishAt: index.timestamp({
+        ui: {
+          description: 'Automatically archive at this time (requires the scheduled-publishing job).'
+        }
+      })
+    }
+  };
+}
+
+/**
+ * Enact `withScheduledPublishing()` schedules for one collection: publishes drafts whose
+ * `publishAt` has passed and archives published items whose `unpublishAt` has passed.
+ * Designed to be called from a cron job (see `withScheduledPublishing`).
+ */
+async function applyScheduledPublishing(context, listKey, opts = {}) {
+  var _opts$statusField, _opts$draftValue, _opts$publishedValue, _opts$archivedValue;
+  const statusField = (_opts$statusField = opts.statusField) !== null && _opts$statusField !== void 0 ? _opts$statusField : 'status';
+  const draftValue = (_opts$draftValue = opts.draftValue) !== null && _opts$draftValue !== void 0 ? _opts$draftValue : 'draft';
+  const publishedValue = (_opts$publishedValue = opts.publishedValue) !== null && _opts$publishedValue !== void 0 ? _opts$publishedValue : 'published';
+  const archivedValue = (_opts$archivedValue = opts.archivedValue) !== null && _opts$archivedValue !== void 0 ? _opts$archivedValue : 'archived';
+  const sudo = context.sudo();
+  const now = new Date();
+  const toPublish = await sudo.db[listKey].findMany({
+    where: {
+      [statusField]: {
+        equals: draftValue
+      },
+      publishAt: {
+        lte: now
+      }
+    }
+  });
+  for (const item of toPublish) {
+    await sudo.db[listKey].updateOne({
+      where: {
+        id: String(item.id)
+      },
+      data: {
+        [statusField]: publishedValue
+      }
+    });
+  }
+  const toArchive = await sudo.db[listKey].findMany({
+    where: {
+      [statusField]: {
+        equals: publishedValue
+      },
+      unpublishAt: {
+        lte: now
+      }
+    }
+  });
+  for (const item of toArchive) {
+    await sudo.db[listKey].updateOne({
+      where: {
+        id: String(item.id)
+      },
+      data: {
+        [statusField]: archivedValue
+      }
+    });
+  }
+  return {
+    published: toPublish.length,
+    archived: toArchive.length
+  };
+}
+
+/**
+ * i18n: adds a `locale` select plus a shared `translationKey` that groups an item with
+ * its translations (auto-generated on create when blank). Query an item's variants with
+ * `{ translationKey: { equals }, locale: { not: ... } }` — and once compound uniqueness
+ * is configured, pair (`translationKey`, `locale`) should be unique.
+ *
+ * @example
+ * defineCollection({ mixins: [withLocale({ locales: ['en', 'ur', 'ar'] })], fields: { ... } })
+ */
+function withLocale(opts) {
+  var _opts$locales, _opts$groupField, _opts$defaultLocale;
+  if (!((_opts$locales = opts.locales) !== null && _opts$locales !== void 0 && _opts$locales.length)) throw new Error('withLocale requires at least one locale');
+  const groupField = (_opts$groupField = opts.groupField) !== null && _opts$groupField !== void 0 ? _opts$groupField : 'translationKey';
+  const defaultLocale = (_opts$defaultLocale = opts.defaultLocale) !== null && _opts$defaultLocale !== void 0 ? _opts$defaultLocale : opts.locales[0];
+  return {
+    fields: {
+      locale: index$1.select({
+        type: 'enum',
+        options: opts.locales.map(locale => ({
+          label: locale,
+          value: locale
+        })),
+        defaultValue: defaultLocale,
+        validation: {
+          isRequired: true
+        }
+      }),
+      [groupField]: index.text({
+        isIndexed: true,
+        ui: {
+          description: 'Shared id linking this item with its translations.',
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      })
+    },
+    hooks: {
+      resolveInput: ({
+        operation,
+        resolvedData
+      }) => {
+        if (operation !== 'create') return resolvedData;
+        if (resolvedData[groupField]) return resolvedData;
+        return {
+          ...resolvedData,
+          [groupField]: node_crypto.randomBytes(8).toString('hex')
+        };
+      }
+    }
+  };
+}
+
+/**
+ * Editorial approval: adds an approval status + a `pendingChanges` buffer where proposed
+ * edits wait for review instead of going live. Drive it with `submitForApproval()`,
+ * `approveChanges()` and `rejectChanges()` from custom mutations or the Admin UI.
+ */
+function withApproval() {
+  return {
+    fields: {
+      approvalStatus: index$1.select({
+        type: 'enum',
+        options: [{
+          label: 'None',
+          value: 'none'
+        }, {
+          label: 'Pending',
+          value: 'pending'
+        }, {
+          label: 'Approved',
+          value: 'approved'
+        }, {
+          label: 'Rejected',
+          value: 'rejected'
+        }],
+        defaultValue: 'none',
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      }),
+      pendingChanges: index.json({
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'hidden'
+          },
+          listView: {
+            fieldMode: 'hidden'
+          }
+        }
+      }),
+      approvalSubmittedAt: index.timestamp({
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      }),
+      approvalReviewedAt: index.timestamp({
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      })
+    }
+  };
+}
+
+/** Park proposed changes on an item for review (see `withApproval`). */
+async function submitForApproval(context, args) {
+  await context.sudo().db[args.listKey].updateOne({
+    where: {
+      id: args.itemId
+    },
+    data: {
+      pendingChanges: args.changes,
+      approvalStatus: 'pending',
+      approvalSubmittedAt: new Date().toISOString()
+    }
+  });
+}
+
+/**
+ * Apply an item's `pendingChanges` (running normal hooks/validation) and mark it
+ * approved. The buffered changes must be a valid update input for the collection.
+ */
+async function approveChanges(context, args) {
+  const sudo = context.sudo();
+  const item = await sudo.query[args.listKey].findOne({
+    where: {
+      id: args.itemId
+    },
+    query: 'id pendingChanges approvalStatus'
+  });
+  if (!(item !== null && item !== void 0 && item.pendingChanges)) throw new Error('approveChanges: the item has no pending changes');
+  await sudo.db[args.listKey].updateOne({
+    where: {
+      id: args.itemId
+    },
+    data: {
+      ...item.pendingChanges,
+      pendingChanges: null,
+      approvalStatus: 'approved',
+      approvalReviewedAt: new Date().toISOString()
+    }
+  });
+}
+
+/** Discard an item's `pendingChanges` and mark it rejected. */
+async function rejectChanges(context, args) {
+  await context.sudo().db[args.listKey].updateOne({
+    where: {
+      id: args.itemId
+    },
+    data: {
+      pendingChanges: null,
+      approvalStatus: 'rejected',
+      approvalReviewedAt: new Date().toISOString()
+    }
+  });
+}
+
+/**
+ * Adds an `expiresAt` timestamp for content with a shelf life. Pair with
+ * `purgeExpired()` in a cron job to physically remove (or just count) expired items.
+ */
+function withExpiry(opts = {}) {
+  var _opts$field5;
+  const field = (_opts$field5 = opts.field) !== null && _opts$field5 !== void 0 ? _opts$field5 : 'expiresAt';
+  return {
+    fields: {
+      [field]: index.timestamp({
+        ui: {
+          description: 'After this time the item is considered expired.'
+        }
+      })
+    }
+  };
+}
+
+/**
+ * Delete every item whose expiry has passed (runs normal delete hooks). Returns the
+ * number deleted. Designed for a cron job; see `withExpiry`.
+ */
+async function purgeExpired(context, listKey, opts = {}) {
+  var _opts$field6;
+  const field = (_opts$field6 = opts.field) !== null && _opts$field6 !== void 0 ? _opts$field6 : 'expiresAt';
+  const sudo = context.sudo();
+  const expired = await sudo.db[listKey].findMany({
+    where: {
+      [field]: {
+        lte: new Date()
+      }
+    }
+  });
+  for (const item of expired) {
+    await sudo.db[listKey].deleteOne({
+      where: {
+        id: String(item.id)
+      }
+    });
+  }
+  return expired.length;
+}
+
+/**
+ * Adds a read-only `viewCount` integer. Increment it with `recordView()` — a direct,
+ * race-safe Prisma increment that bypasses hooks (a view is not an editorial change).
+ */
+function withViewCount(opts = {}) {
+  var _opts$field7;
+  const field = (_opts$field7 = opts.field) !== null && _opts$field7 !== void 0 ? _opts$field7 : 'viewCount';
+  return {
+    fields: {
+      [field]: index$1.integer({
+        defaultValue: 0,
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      })
+    }
+  };
+}
+
+/** Increment an item's view counter (see `withViewCount`). */
+async function recordView(context, listKey, itemId, opts = {}) {
+  var _opts$field8, _context$prisma;
+  const field = (_opts$field8 = opts.field) !== null && _opts$field8 !== void 0 ? _opts$field8 : 'viewCount';
+  const model = (_context$prisma = context.prisma) === null || _context$prisma === void 0 ? void 0 : _context$prisma[listKey[0].toLowerCase() + listKey.slice(1)];
+  if (!model) throw new Error(`recordView: collection "${listKey}" was not found in the Prisma client`);
+  await model.update({
+    where: {
+      id: itemId
+    },
+    data: {
+      [field]: {
+        increment: 1
+      }
+    }
+  });
+}
+
+/**
+ * Companion to cascade rules: sweep records whose to-one relationship points at
+ * nothing (e.g. rows that pre-date a cascade rule, or were orphaned by `setNull`).
+ * Runs normal delete hooks (so cascade rules fire too). Designed for a cron job.
+ *
+ * @example
+ * jobs: createJobs({ jobs: [{
+ *   name: 'orphan-cleanup',
+ *   schedule: '0 4 * * *',
+ *   handler: async () => { await cleanupOrphans(getContext(), { collection: 'Comment', field: 'post' }) },
+ * }]})
+ */
+async function cleanupOrphans(context, options) {
+  var _options$softDeleteFi;
+  const {
+    collection,
+    field,
+    action = 'delete'
+  } = options;
+  const softDeleteField = (_options$softDeleteFi = options.softDeleteField) !== null && _options$softDeleteFi !== void 0 ? _options$softDeleteFi : 'deletedAt';
+  const sudo = context.sudo();
+  const where = action === 'softDelete' ? {
+    [field]: null,
+    [softDeleteField]: null
+  } : {
+    [field]: null
+  };
+  let total = 0;
+  for (;;) {
+    const orphans = await sudo.db[collection].findMany({
+      where,
+      take: 100
+    });
+    if (!orphans.length) break;
+    for (const orphan of orphans) {
+      if (action === 'delete') {
+        await sudo.db[collection].deleteOne({
+          where: {
+            id: String(orphan.id)
+          }
+        });
+      } else {
+        await sudo.db[collection].updateOne({
+          where: {
+            id: String(orphan.id)
+          },
+          data: {
+            [softDeleteField]: new Date().toISOString()
+          }
+        });
+      }
+      total++;
+    }
+    if (orphans.length < 100) break;
+  }
+  return total;
+}
+
 /**
  * Factory for building reusable field group mixins.
  *
@@ -413,14 +1723,14 @@ function createMixin(fields, hooks) {
 }
 
 // ================================================================
-// defineList — a typed wrapper around list() with mixin support
+// defineCollection — a typed wrapper around list() with mixin support
 // ================================================================
 
 /**
  * Defines a list with optional mixins for reusable field groups and hooks.
  *
  * @example
- * export const Post = defineList({
+ * export const Post = defineCollection({
  *   mixins: [withTimestamps()],
  *   fields: {
  *     title: text({ validation: validators.required }),
@@ -428,9 +1738,18 @@ function createMixin(fields, hooks) {
  *   },
  * })
  */
-function defineList(config) {
+function defineCollection(config) {
   const {
     mixins = [],
+    access,
+    computed,
+    constraints,
+    defaultFilter,
+    stateMachine,
+    policies,
+    events,
+    searchable,
+    versioned,
     ...listConfig
   } = config;
   const mixinFields = {};
@@ -439,9 +1758,26 @@ function defineList(config) {
     if (mixin.fields) Object.assign(mixinFields, mixin.fields);
     if (mixin.hooks) mixinHooksList.push(mixin.hooks);
   }
-  const mergedHooks = mergeMixinHooks(mixinHooksList, listConfig.hooks);
-  return list({
+
+  // Feature hooks run AFTER mixin + user hooks so computed fields and constraint checks
+  // observe the final resolved data, and events/search/version snapshots fire last.
+  const featureHooks = compileFeatureHooks({
+    computed,
+    constraints,
+    stateMachine,
+    events,
+    searchable,
+    versioned
+  });
+  const mergedHooks = mergeMixinHooks(mixinHooksList, listConfig.hooks, featureHooks);
+  const baseAccess = access !== null && access !== void 0 ? access : accessPresets.public;
+  const finalAccess = applyAccessFeatures(baseAccess, {
+    defaultFilter,
+    policies
+  });
+  return collection({
     ...listConfig,
+    access: finalAccess,
     fields: {
       ...mixinFields,
       ...listConfig.fields
@@ -486,13 +1822,13 @@ function mergeResolveInput(a, b) {
 }
 
 /**
- * Merge mixin hooks with the list's own hooks. Each Keystone hook may be either a function or a
+ * Merge mixin hooks with the list's own hooks. Each list hook may be either a function or a
  * `{ create, update, delete }` object — `merge` (from resolve-hooks) handles both forms for the
  * void hooks, and `mergeResolveInput` handles the data-threading `resolveInput` hook.
  */
-function mergeMixinHooks(mixinHooks, listHooks) {
-  if (mixinHooks.length === 0) return listHooks !== null && listHooks !== void 0 ? listHooks : {};
-  const all = [...mixinHooks, ...(listHooks ? [listHooks] : [])];
+function mergeMixinHooks(mixinHooks, listHooks, featureHooks = []) {
+  if (mixinHooks.length === 0 && featureHooks.length === 0) return listHooks !== null && listHooks !== void 0 ? listHooks : {};
+  const all = [...mixinHooks, ...(listHooks ? [listHooks] : []), ...featureHooks];
   const merged = {};
   for (const hooks of all) {
     merged.resolveInput = mergeResolveInput(merged.resolveInput, hooks.resolveInput);
@@ -518,7 +1854,7 @@ function mergeMixinHooks(mixinHooks, listHooks) {
  * })
  */
 function defineConfig(nixxieConfig) {
-  return config(nixxieConfig);
+  return buildConfig(nixxieConfig);
 }
 
 // ================================================================
@@ -529,21 +1865,42 @@ function defineConfig(nixxieConfig) {
  * Defines a list action. Typed alias for `action()`.
  */
 function defineAction(actionConfig) {
-  return action(actionConfig);
+  return createAction(actionConfig);
 }
 
+exports.previewDelete = resolveHooks.previewDelete;
 exports.g = nextFields.g;
 exports.gWithContext = nextFields.gWithContext;
 exports.graphql = nextFields.g;
-exports.action = action;
-exports.config = config;
+exports.accessPresets = accessPresets;
+exports.applyScheduledPublishing = applyScheduledPublishing;
+exports.approveChanges = approveChanges;
+exports.cleanupOrphans = cleanupOrphans;
+exports.collection = collection;
+exports.createAction = createAction;
 exports.createMixin = createMixin;
 exports.defineAction = defineAction;
+exports.defineCollection = defineCollection;
 exports.defineConfig = defineConfig;
-exports.defineList = defineList;
-exports.group = group;
-exports.list = list;
+exports.fieldGroup = fieldGroup;
+exports.purgeExpired = purgeExpired;
+exports.recordView = recordView;
+exports.rejectChanges = rejectChanges;
+exports.submitForApproval = submitForApproval;
+exports.tenantAccessFilter = tenantAccessFilter;
+exports.validateEnv = validateEnv;
 exports.validators = validators;
+exports.withApproval = withApproval;
 exports.withAudit = withAudit;
+exports.withExpiry = withExpiry;
+exports.withLocale = withLocale;
+exports.withPublishing = withPublishing;
+exports.withSEO = withSEO;
+exports.withScheduledPublishing = withScheduledPublishing;
+exports.withSlug = withSlug;
 exports.withSoftDelete = withSoftDelete;
+exports.withSortable = withSortable;
+exports.withTenant = withTenant;
 exports.withTimestamps = withTimestamps;
+exports.withTreeStructure = withTreeStructure;
+exports.withViewCount = withViewCount;