npm - @nixxie-cms/core - Versions diffs - 1.0.3 → 2.0.0 - Mend

@nixxie-cms/core 1.0.3 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/dist/nixxie-cms-core.esm.js CHANGED Viewed

@@ -1,19 +1,112 @@
-import { i as idFieldType, m as merge } from './resolve-hooks-6813a045.esm.js';
-import { t as timestamp, r as relationship } from './index-15c8f81e.esm.js';
+import { i as idFieldType, m as merge } from './resolve-hooks-9e676794.esm.js';
+export { p as previewDelete } from './resolve-hooks-9e676794.esm.js';
+import { randomBytes } from 'node:crypto';
+import { t as timestamp, a as text, j as json } from './index-f1703b7b.esm.js';
+import { r as relationship, s as select, i as integer } from './index-5d8b0b4e.esm.js';
 export { g, a as gWithContext, g as graphql } from './next-fields-9bf04ed8.esm.js';
 import 'pluralize';
 import '@graphql-ts/schema';
 import '@graphql-ts/extend';
 import 'graphql';
-import './non-null-graphql-a84ed64d.esm.js';
+import 'node:async_hooks';
+import './non-null-graphql-8c5feaae.esm.js';
 import 'node:path';
 import './admin-meta-14c60fec.esm.js';
+import './utils-0cc426c8.esm.js';
 import 'decimal.js';
 import 'graphql-upload/GraphQLUpload.js';
+function normalise(spec) {
+  if (Array.isArray(spec)) {
+    return Object.fromEntries(spec.map(name => [name, {}]));
+  }
+  return spec;
+}
+/**
+ * Validate `env` (default `process.env`) against a spec. Applies `default`s to the env
+ * object for unset variables, then throws one aggregated error listing every missing or
+ * malformed variable. Called automatically when the config declares `env`, and exported
+ * for standalone use.
+ */
+function validateEnv(spec, env = process.env) {
+  const problems = [];
+  for (const [name, requirement] of Object.entries(normalise(spec))) {
+    let value = env[name];
+    if ((value === undefined || value === '') && requirement.default !== undefined) {
+      env[name] = requirement.default;
+      value = requirement.default;
+    }
+    const describe = requirement.description ? ` — ${requirement.description}` : '';
+    if (value === undefined || value === '') {
+      if (requirement.required !== false) {
+        problems.push(`  • ${name} is not set${describe}`);
+      }
+      continue;
+    }
+    if (requirement.pattern && !requirement.pattern.test(value)) {
+      problems.push(`  • ${name} does not match ${requirement.pattern}${describe}`);
+    }
+  }
+  if (problems.length) {
+    throw new Error(`Environment validation failed (${problems.length} problem${problems.length === 1 ? '' : 's'}):\n` + problems.join('\n'));
+  }
+}
+/**
+ * Fold `config.plugins` into the config: merge plugin collections (key conflicts throw),
+ * run each plugin's `extendConfig`, and chain plugin `onConnect`s before `db.onConnect`.
+ */
+function applyPlugins(config) {
+  var _config$plugins;
+  const plugins = (_config$plugins = config.plugins) !== null && _config$plugins !== void 0 ? _config$plugins : [];
+  if (!plugins.length) return config;
+  const seen = new Set();
+  for (const plugin of plugins) {
+    if (!plugin.name) throw new Error('Every plugin must have a `name`');
+    if (seen.has(plugin.name)) throw new Error(`Duplicate plugin name "${plugin.name}"`);
+    seen.add(plugin.name);
+  }
+  let next = {
+    ...config,
+    collections: {
+      ...config.collections
+    }
+  };
+  for (const plugin of plugins) {
+    for (const [key, collection] of Object.entries((_plugin$collections = plugin.collections) !== null && _plugin$collections !== void 0 ? _plugin$collections : {})) {
+      var _plugin$collections;
+      if (key in next.collections) {
+        throw new Error(`Plugin "${plugin.name}" adds the collection "${key}", but a collection with that key already exists`);
+      }
+      next.collections[key] = collection;
+    }
+    if (plugin.extendConfig) {
+      next = plugin.extendConfig(next);
+      if (!next) {
+        throw new Error(`Plugin "${plugin.name}".extendConfig must return the config`);
+      }
+    }
+  }
+  const onConnects = plugins.flatMap(plugin => plugin.onConnect ? [plugin.onConnect] : []);
+  if (onConnects.length) {
+    const userOnConnect = next.db.onConnect;
+    next = {
+      ...next,
+      db: {
+        ...next.db,
+        onConnect: async context => {
+          for (const fn of onConnects) await fn(context);
+          await (userOnConnect === null || userOnConnect === void 0 ? void 0 : userOnConnect(context));
+        }
+      }
+    };
+  }
+  return next;
+}
 function listsWithDefaults(config, defaultIdField) {
   // some error checking
-  for (const [listKey, list] of Object.entries(config.lists)) {
+  for (const [listKey, list] of Object.entries(config.collections)) {
     var _list$db;
     if (list.fields.id) {
       throw new Error(`"fields.id" is reserved by Nixxie, use "db.idField" for the "${listKey}" list`);
@@ -23,7 +116,7 @@ function listsWithDefaults(config, defaultIdField) {
     }
   }
   return Object.fromEntries([...function* () {
-    for (const [listKey, list] of Object.entries(config.lists)) {
+    for (const [listKey, list] of Object.entries(config.collections)) {
       var _list$db$idField, _list$db2;
       yield [listKey, {
         listKey,
@@ -32,6 +125,7 @@ function listsWithDefaults(config, defaultIdField) {
         defaultIsOrderable: true,
         // TODO: move to access control?
         isSingleton: false,
+        cascade: [],
         ...list,
         db: {
           ...list.db
@@ -75,8 +169,10 @@ async function noop() {}
 function identity(x) {
   return x;
 }
-function config(config) {
-  var _config$db, _config$db$url, _config$db$idField, _config$server, _config$server2, _config$server$cors, _config$server3, _config$types$path, _config$types, _config$db$shadowData, _config$db2, _config$db$extendPris, _config$db3, _config$db$extendPris2, _config$db4, _config$db$onConnect, _config$db$prismaClie, _config$db5, _config$db$prismaSche, _config$db6, _config$db$idField2, _config$db7, _config$db$enableLogg, _config$graphql$path, _config$graphql, _config$graphql$playg, _config$graphql2, _config$graphql$schem, _config$graphql3, _config$graphql$exten, _config$graphql4, _config$server$maxFil, _config$server4, _config$server$extend, _config$server5, _config$server$extend2, _config$server6, _config$telemetry, _config$ui$basePath, _config$ui, _config$ui$isAccessAl, _config$ui2, _config$ui$isDisabled, _config$ui3, _config$ui$getAdditio, _config$ui4, _config$ui$pageMiddle, _config$ui5, _config$ui$publicPage, _config$ui6;
+function buildConfig(config) {
+  var _config$db, _config$db$url, _config$db$idField, _config$server, _config$server2, _config$server$cors, _config$server3, _config, _config2, _config$types$path, _config$types, _config$db$shadowData, _config$db2, _config$db$extendPris, _config$db3, _config$db$extendPris2, _config$db4, _config$db$onConnect, _config$db$prismaClie, _config$db5, _config$db$prismaSche, _config$db6, _config$db$idField2, _config$db7, _config$db$enableLogg, _config$graphql$path, _config$graphql, _config$graphql$playg, _config$graphql2, _config$graphql$schem, _config$graphql3, _config$graphql$exten, _config$graphql4, _config$server$maxFil, _config$server4, _config$server$extend, _config$server5, _config$server$extend2, _config$server6, _config$telemetry, _config$ui$basePath, _config$ui, _config$ui$isAccessAl, _config$ui2, _config$ui$isDisabled, _config$ui3, _config$ui$getAdditio, _config$ui4, _config$ui$pageMiddle, _config$ui5, _config$ui$publicPage, _config$ui6;
+  if (config.env) validateEnv(config.env);
+  config = applyPlugins(config);
   if (!['postgresql', 'sqlite', 'mysql'].includes(config.db.provider)) {
     throw new TypeError(`"db.provider" only supports "sqlite", "postgresql" or "mysql"`);
   }
@@ -93,10 +189,10 @@ function config(config) {
   const httpOptions = {
     port: 3000
   };
-  if (config !== null && config !== void 0 && config.server && 'port' in config.server) {
+  if ((_config = config) !== null && _config !== void 0 && _config.server && 'port' in config.server) {
     httpOptions.port = config.server.port;
   }
-  if (config !== null && config !== void 0 && config.server && 'options' in config.server && config.server.options) {
+  if ((_config2 = config) !== null && _config2 !== void 0 && _config2.server && 'options' in config.server && config.server.options) {
     Object.assign(httpOptions, config.server.options);
   }
   return {
@@ -144,6 +240,12 @@ function config(config) {
     search: config.search,
     notifications: config.notifications,
     ai: config.ai,
+    aiRag: config.aiRag,
+    versioning: config.versioning,
+    workflow: config.workflow,
+    apiKeys: config.apiKeys,
+    logger: config.logger,
+    backup: config.backup,
     telemetry: (_config$telemetry = config.telemetry) !== null && _config$telemetry !== void 0 ? _config$telemetry : true,
     ui: {
       ...config.ui,
@@ -157,7 +259,7 @@ function config(config) {
   };
 }
 let i = 0;
-function group(config) {
+function fieldGroup(config) {
   var _config$description;
   const keys = Object.keys(config.fields);
   if (keys.some(key => key.startsWith('__group'))) {
@@ -173,18 +275,408 @@ function group(config) {
     ...config.fields
   }; // TODO: FIXME, see initialise-lists.ts:getListsWithInitialisedFields
 }
-function list(listConfig) {
+function collection(listConfig) {
   return {
     ...listConfig
   };
 }
-function action(action) {
+function createAction(action) {
   return {
     ...action,
     ___defineActionsWithActionFunction: true
   };
 }
+/**
+ * Declarative collection features compiled into hooks + access-control filters by
+ * `defineCollection()`: computed fields, constraints, default filters, state machines,
+ * policies, events, search indexing and version snapshots.
+ *
+ * Everything here builds on the public hook/access surface — no resolver internals —
+ * so the features compose with mixins and user hooks via the same merge pipeline.
+ */
+// ── Option types ──
+/**
+ * Persisted derived fields, recalculated on every create/update after all other
+ * `resolveInput` hooks have run. The target keys must be real fields on the collection
+ * (unlike `virtual()` fields, computed values are stored — so they can be filtered and
+ * sorted). `merged` is the item's prospective state (existing values + this write).
+ *
+ * @example
+ * computed: { total: ({ merged }) => merged.price * merged.quantity }
+ */
+/**
+ * Data-integrity rules checked before every create/update.
+ *
+ * - `uniqueTogether`: compound uniqueness over scalar fields (e.g. `[['tenant', 'slug']]`).
+ *   Checked with a query, so add a DB index for hot paths.
+ * - `checks`: named cross-field rules; return an error message to reject the write.
+ *
+ * @example
+ * constraints: {
+ *   uniqueTogether: [['translationKey', 'locale']],
+ *   checks: { dates: ({ merged }) => merged.endDate <= merged.startDate ? 'endDate must be after startDate' : undefined },
+ * }
+ */
+/**
+ * A where-filter automatically ANDed into every query/update/delete — including the
+ * Admin UI, which respects access filters. This is what makes `withSoftDelete()` real:
+ *
+ * @example
+ * defaultFilter: { deletedAt: null }
+ * @example
+ * defaultFilter: ({ session }) => session?.data?.isAdmin ? true : { status: { equals: 'published' } }
+ */
+/**
+ * Enforce legal status transitions on a select field at the mutation layer.
+ *
+ * @example
+ * stateMachine: {
+ *   field: 'status',
+ *   transitions: { draft: ['review'], review: ['published', 'draft'], published: ['archived'] },
+ *   guards: { 'review->published': ({ session }) => session?.data?.role === 'editor' || 'Only editors can publish' },
+ * }
+ */
+/** One row-level access rule: the first rule whose `when` matches decides the filter. */
+/**
+ * Declarative row-level access: per operation, rules are evaluated in order and the
+ * first matching `when` supplies the filter; no match means no access. ANDed with any
+ * explicit `access.filter` you also configure. Pairs naturally with @nixxie-cms/rbac.
+ *
+ * @example
+ * policies: {
+ *   query: [
+ *     { when: s => s?.data?.role === 'admin', filter: true },
+ *     { when: s => !!s, filter: s => ({ author: { id: { equals: s.itemId } } }) },
+ *   ],
+ * }
+ */
+/**
+ * Emit lifecycle events through `context.services.webhooks` after every write:
+ * `<prefix>.created` / `.updated` / `.deleted` (prefix defaults to the list key).
+ * No-op when the webhooks service is not configured.
+ */
+/**
+ * Keep a search index in sync through `context.services.search`: documents are indexed
+ * after create/update and removed after delete. No-op when search is not configured.
+ */
+/**
+ * Snapshot every create/update into `context.services.versioning` (resource = list key).
+ * No-op when versioning is not configured.
+ */
+// ── Compilation to hooks ──
+const mergedView = args => {
+  var _args$item, _args$resolvedData;
+  return {
+    ...((_args$item = args.item) !== null && _args$item !== void 0 ? _args$item : {}),
+    ...((_args$resolvedData = args.resolvedData) !== null && _args$resolvedData !== void 0 ? _args$resolvedData : {})
+  };
+};
+function computedHooks(computed) {
+  return {
+    resolveInput: async args => {
+      const out = {
+        ...args.resolvedData
+      };
+      for (const [field, fn] of Object.entries(computed)) {
+        var _args$item2;
+        out[field] = await fn({
+          operation: args.operation,
+          resolvedData: out,
+          merged: {
+            ...((_args$item2 = args.item) !== null && _args$item2 !== void 0 ? _args$item2 : {}),
+            ...out
+          },
+          item: args.item,
+          context: args.context
+        });
+      }
+      return out;
+    }
+  };
+}
+function constraintsHooks(constraints) {
+  return {
+    validate: async args => {
+      const {
+        operation,
+        addValidationError
+      } = args;
+      if (operation === 'delete') return;
+      const merged = mergedView(args);
+      for (const tuple of (_constraints$uniqueTo = constraints.uniqueTogether) !== null && _constraints$uniqueTo !== void 0 ? _constraints$uniqueTo : []) {
+        var _constraints$uniqueTo;
+        const values = tuple.map(field => merged[field]);
+        // Incomplete tuples (a NULL member) are not checked — same semantics as SQL unique indexes.
+        if (values.some(value => value === undefined || value === null)) continue;
+        const where = {};
+        tuple.forEach((field, i) => where[field] = {
+          equals: values[i]
+        });
+        try {
+          const clashes = await args.context.sudo().db[args.listKey].findMany({
+            where,
+            take: 2
+          });
+          const other = clashes.find(clash => !args.item || String(clash.id) !== String(args.item.id));
+          if (other) {
+            addValidationError(`Another item already exists with the same ${tuple.join(' + ')}`);
+          }
+        } catch (err) {
+          // A malformed tuple (unknown/non-scalar field) should fail loudly, not silently pass.
+          addValidationError(`uniqueTogether check for (${tuple.join(', ')}) failed: ${err instanceof Error ? err.message : err}`);
+        }
+      }
+      for (const check of Object.values((_constraints$checks = constraints.checks) !== null && _constraints$checks !== void 0 ? _constraints$checks : {})) {
+        var _constraints$checks;
+        const message = await check({
+          operation: args.operation,
+          resolvedData: args.resolvedData,
+          merged,
+          item: args.item,
+          context: args.context
+        });
+        if (typeof message === 'string' && message.length > 0) addValidationError(message);
+      }
+    }
+  };
+}
+function stateMachineHooks(machine) {
+  const {
+    field,
+    transitions,
+    guards = {}
+  } = machine;
+  const initial = machine.initial === undefined ? undefined : Array.isArray(machine.initial) ? machine.initial : [machine.initial];
+  return {
+    validate: async args => {
+      var _transitions$previous;
+      const {
+        operation,
+        resolvedData,
+        item,
+        addValidationError
+      } = args;
+      if (operation === 'delete') return;
+      const next = resolvedData === null || resolvedData === void 0 ? void 0 : resolvedData[field];
+      if (next === undefined) return;
+      if (operation === 'create') {
+        if (initial && next != null && !initial.includes(next)) {
+          addValidationError(`"${field}" cannot start as "${next}" (allowed: ${initial.join(', ')})`);
+        }
+        return;
+      }
+      const previous = item === null || item === void 0 ? void 0 : item[field];
+      if (next === previous) return;
+      const allowed = (_transitions$previous = transitions[previous]) !== null && _transitions$previous !== void 0 ? _transitions$previous : [];
+      if (!allowed.includes(next)) {
+        addValidationError(`"${field}" cannot change from "${previous}" to "${next}"` + (allowed.length ? ` (allowed: ${allowed.join(', ')})` : ' (no transitions from this state)'));
+        return;
+      }
+      const guard = guards[`${previous}->${next}`];
+      if (guard) {
+        var _args$context;
+        const verdict = await guard({
+          item,
+          resolvedData,
+          context: args.context,
+          session: (_args$context = args.context) === null || _args$context === void 0 ? void 0 : _args$context.session
+        });
+        if (verdict !== true) {
+          addValidationError(typeof verdict === 'string' ? verdict : `"${field}" transition "${previous}" → "${next}" was blocked`);
+        }
+      }
+    }
+  };
+}
+const pastTense = {
+  create: 'created',
+  update: 'updated',
+  delete: 'deleted'
+};
+function eventsHooks(events) {
+  var _options$operations;
+  const options = events === true ? {} : events;
+  const operations = (_options$operations = options.operations) !== null && _options$operations !== void 0 ? _options$operations : ['create', 'update', 'delete'];
+  return {
+    afterOperation: async args => {
+      var _args$context2;
+      if (!operations.includes(args.operation)) return;
+      const webhooks = (_args$context2 = args.context) === null || _args$context2 === void 0 || (_args$context2 = _args$context2.services) === null || _args$context2 === void 0 ? void 0 : _args$context2.webhooks;
+      if (!webhooks) return;
+      try {
+        var _args$item3, _options$prefix;
+        const subject = (_args$item3 = args.item) !== null && _args$item3 !== void 0 ? _args$item3 : args.originalItem;
+        const event = `${(_options$prefix = options.prefix) !== null && _options$prefix !== void 0 ? _options$prefix : args.listKey}.${pastTense[args.operation]}`;
+        const payload = options.payload ? await options.payload(args) : {
+          listKey: args.listKey,
+          id: (subject === null || subject === void 0 ? void 0 : subject.id) != null ? String(subject.id) : undefined,
+          item: subject
+        };
+        await webhooks.trigger(event, payload);
+      } catch (err) {
+        console.error(`[nixxie] events: failed to emit for ${args.listKey}:`, err);
+      }
+    }
+  };
+}
+/** Copy the indexable scalar values off an item (used when `fields` is not specified). */
+function scalarDocument(item) {
+  const doc = {};
+  for (const [key, value] of Object.entries(item)) {
+    if (key.startsWith('__')) continue;
+    if (value === null) doc[key] = null;else if (value instanceof Date) doc[key] = value.toISOString();else if (['string', 'number', 'boolean'].includes(typeof value)) doc[key] = value;
+  }
+  return doc;
+}
+function searchableHooks(searchable) {
+  const options = searchable === true ? {} : searchable;
+  return {
+    afterOperation: async args => {
+      var _args$context3, _options$index;
+      const search = (_args$context3 = args.context) === null || _args$context3 === void 0 || (_args$context3 = _args$context3.services) === null || _args$context3 === void 0 ? void 0 : _args$context3.search;
+      if (!search) return;
+      const indexName = (_options$index = options.index) !== null && _options$index !== void 0 ? _options$index : String(args.listKey).toLowerCase();
+      try {
+        if (args.operation === 'delete') {
+          await search.remove(indexName, String(args.originalItem.id));
+          return;
+        }
+        const item = args.item;
+        const picked = options.fields ? Object.fromEntries(options.fields.map(field => [field, item[field] instanceof Date ? item[field].toISOString() : item[field]])) : scalarDocument(item);
+        await search.index(indexName, {
+          ...picked,
+          id: String(item.id)
+        });
+      } catch (err) {
+        console.error(`[nixxie] searchable: failed to sync index "${indexName}":`, err);
+      }
+    }
+  };
+}
+function versionedHooks(versioned) {
+  const options = versioned === true ? {} : versioned;
+  return {
+    afterOperation: async args => {
+      var _args$context4;
+      if (args.operation === 'delete') return;
+      const versioning = (_args$context4 = args.context) === null || _args$context4 === void 0 || (_args$context4 = _args$context4.services) === null || _args$context4 === void 0 ? void 0 : _args$context4.versioning;
+      if (!versioning) return;
+      try {
+        var _args$context5, _options$label;
+        const session = (_args$context5 = args.context) === null || _args$context5 === void 0 ? void 0 : _args$context5.session;
+        await versioning.snapshot({
+          resource: args.listKey,
+          resourceId: String(args.item.id),
+          data: scalarSafe(args.item),
+          label: (_options$label = options.label) === null || _options$label === void 0 ? void 0 : _options$label.call(options, args),
+          actor: (session === null || session === void 0 ? void 0 : session.itemId) != null ? {
+            id: String(session.itemId)
+          } : undefined
+        });
+      } catch (err) {
+        console.error(`[nixxie] versioned: failed to snapshot ${args.listKey}:`, err);
+      }
+    }
+  };
+}
+/** Snapshot-safe clone: keeps JSON-representable values, ISO-stringifies dates. */
+function scalarSafe(item) {
+  const out = {};
+  for (const [key, value] of Object.entries(item)) {
+    if (value instanceof Date) out[key] = value.toISOString();else if (typeof value === 'bigint') out[key] = value.toString();else if (typeof value !== 'function' && typeof value !== 'symbol') out[key] = value;
+  }
+  return out;
+}
+/** Compile the declarative features into hook fragments, in a deliberate order. */
+function compileFeatureHooks(features) {
+  const hooks = [];
+  if (features.computed) hooks.push(computedHooks(features.computed));
+  if (features.constraints) hooks.push(constraintsHooks(features.constraints));
+  if (features.stateMachine) hooks.push(stateMachineHooks(features.stateMachine));
+  if (features.events) hooks.push(eventsHooks(features.events));
+  if (features.searchable) hooks.push(searchableHooks(features.searchable));
+  if (features.versioned) hooks.push(versionedHooks(features.versioned));
+  return hooks;
+}
+// ── Compilation to access filters ──
+/** AND two access filters; `true`/missing means unrestricted, `false` wins outright. */
+function andFilters(a, b) {
+  if (a === undefined) return b;
+  return async args => {
+    const ra = typeof a === 'function' ? await a(args) : a;
+    const rb = typeof b === 'function' ? await b(args) : b;
+    if (ra === false || rb === false) return false;
+    if (ra === true) return rb;
+    if (rb === true) return ra;
+    return {
+      AND: [ra, rb]
+    };
+  };
+}
+function policyFilter(rules) {
+  return ({
+    session
+  }) => {
+    for (const rule of rules) {
+      if (!rule.when(session)) continue;
+      return typeof rule.filter === 'function' ? rule.filter(session) : rule.filter;
+    }
+    return false;
+  };
+}
+/**
+ * Merge `defaultFilter` and `policies` into an access-control object. Existing filters
+ * are preserved and ANDed with the feature filters.
+ */
+function applyAccessFeatures(access, features) {
+  var _access$filter;
+  const {
+    defaultFilter,
+    policies
+  } = features;
+  if (!defaultFilter && !policies) return access;
+  const filter = {
+    ...((_access$filter = access === null || access === void 0 ? void 0 : access.filter) !== null && _access$filter !== void 0 ? _access$filter : {})
+  };
+  for (const operation of ['query', 'update', 'delete']) {
+    let merged = filter[operation];
+    if (defaultFilter) {
+      merged = andFilters(merged, typeof defaultFilter === 'function' ? args => defaultFilter({
+        session: args.session,
+        context: args.context
+      }) : defaultFilter);
+    }
+    const rules = policies === null || policies === void 0 ? void 0 : policies[operation];
+    if (rules !== null && rules !== void 0 && rules.length) {
+      merged = andFilters(merged, policyFilter(rules));
+    }
+    if (merged !== undefined) filter[operation] = merged;
+  }
+  return {
+    ...(access !== null && access !== void 0 ? access : {}),
+    filter
+  };
+}
 // ================================================================
 // Validators — use inside field `validation` config
 // ================================================================
@@ -236,6 +728,72 @@ const validators = {
   }
 };
+// ================================================================
+// Access presets — readable shorthands for common access patterns
+// ================================================================
+//
+// Spelling out an access-control object on every list gets repetitive. In
+// practice 90% of lists fall into a handful of patterns, so we name them.
+// Anything more bespoke can still drop down to a raw access object.
+const isSignedIn = ({
+  session
+}) => !!session;
+const accessPresets = {
+  public: () => true,
+  authenticated: {
+    operation: {
+      query: isSignedIn,
+      create: isSignedIn,
+      update: isSignedIn,
+      delete: isSignedIn
+    }
+  },
+  publicReadAuthenticatedWrite: {
+    operation: {
+      query: () => true,
+      create: isSignedIn,
+      update: isSignedIn,
+      delete: isSignedIn
+    }
+  },
+  readOnly: {
+    operation: {
+      query: () => true,
+      create: () => false,
+      update: () => false,
+      delete: () => false
+    }
+  },
+  owner(field = 'user') {
+    const scopeToOwner = ({
+      session
+    }) => {
+      if (!(session !== null && session !== void 0 && session.itemId)) return false;
+      return {
+        [field]: {
+          id: {
+            equals: session.itemId
+          }
+        }
+      };
+    };
+    return {
+      operation: {
+        query: isSignedIn,
+        create: isSignedIn,
+        update: isSignedIn,
+        delete: isSignedIn
+      },
+      filter: {
+        query: scopeToOwner,
+        update: scopeToOwner,
+        delete: scopeToOwner
+      }
+    };
+  }
+};
 // ================================================================
 // Mixin system
 // ================================================================
@@ -391,6 +949,760 @@ function withAudit(userListKey = 'User') {
   };
 }
+/**
+ * Turn an arbitrary string into a URL-safe slug. Pure, dependency-free.
+ */
+function slugify(input) {
+  return input.toString().normalize('NFKD').replace(/[̀-ͯ]/g, '') // strip accents
+  .toLowerCase().trim().replace(/[^a-z0-9]+/g, '-') // non-alphanumerics → dashes
+  .replace(/^-+|-+$/g, ''); // trim leading/trailing dashes
+}
+/**
+ * Adds a URL-friendly `slug` field that is auto-generated from another field
+ * (e.g. `title`) when left blank, and normalised when provided.
+ *
+ * Solves a perennial papercut: there's no built-in slug field, so everyone
+ * re-implements the same `resolveInput` hook by hand.
+ *
+ * @example
+ * defineCollection({ mixins: [withSlug({ from: 'title' })], fields: { title: text() } })
+ */
+function withSlug(opts = {
+  from: 'title'
+}) {
+  var _opts$field, _opts$isIndexed;
+  const fieldKey = (_opts$field = opts.field) !== null && _opts$field !== void 0 ? _opts$field : 'slug';
+  const from = opts.from;
+  return {
+    fields: {
+      [fieldKey]: text({
+        isIndexed: (_opts$isIndexed = opts.isIndexed) !== null && _opts$isIndexed !== void 0 ? _opts$isIndexed : 'unique',
+        ui: {
+          description: `URL slug — auto-generated from "${from}" when left blank.`
+        }
+      })
+    },
+    hooks: {
+      resolveInput: ({
+        resolvedData,
+        inputData
+      }) => {
+        var _from;
+        const provided = resolvedData[fieldKey];
+        if (typeof provided === 'string' && provided.length > 0) {
+          return {
+            ...resolvedData,
+            [fieldKey]: slugify(provided)
+          };
+        }
+        const source = (_from = inputData === null || inputData === void 0 ? void 0 : inputData[from]) !== null && _from !== void 0 ? _from : resolvedData === null || resolvedData === void 0 ? void 0 : resolvedData[from];
+        if (typeof source === 'string' && source.length > 0) {
+          return {
+            ...resolvedData,
+            [fieldKey]: slugify(source)
+          };
+        }
+        return resolvedData;
+      }
+    }
+  };
+}
+/**
+ * Adds a draft → published → archived workflow: a `status` select plus a
+ * `publishedAt` timestamp that is stamped automatically the first time an item
+ * transitions to `published`.
+ *
+ * Publishing is otherwise left entirely to the developer; this bakes in the
+ * common content lifecycle so a blog/news/docs list works out of the box.
+ */
+function withPublishing(opts = {}) {
+  var _opts$defaultStatus;
+  const defaultStatus = (_opts$defaultStatus = opts.defaultStatus) !== null && _opts$defaultStatus !== void 0 ? _opts$defaultStatus : 'draft';
+  return {
+    fields: {
+      status: select({
+        type: 'enum',
+        options: [{
+          label: 'Draft',
+          value: 'draft'
+        }, {
+          label: 'Published',
+          value: 'published'
+        }, {
+          label: 'Archived',
+          value: 'archived'
+        }],
+        defaultValue: defaultStatus,
+        ui: {
+          displayMode: 'segmented-control'
+        }
+      }),
+      publishedAt: timestamp({
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          },
+          listView: {
+            fieldMode: 'read'
+          }
+        }
+      })
+    },
+    hooks: {
+      resolveInput: ({
+        resolvedData,
+        item
+      }) => {
+        var _status;
+        const nextStatus = (_status = resolvedData.status) !== null && _status !== void 0 ? _status : item === null || item === void 0 ? void 0 : item.status;
+        const alreadyPublished = item === null || item === void 0 ? void 0 : item.publishedAt;
+        const incomingPublishedAt = resolvedData.publishedAt;
+        if (nextStatus === 'published' && !alreadyPublished && incomingPublishedAt == null) {
+          return {
+            ...resolvedData,
+            publishedAt: new Date().toISOString()
+          };
+        }
+        return resolvedData;
+      }
+    }
+  };
+}
+/**
+ * Adds standard SEO metadata fields, grouped together in the Admin UI.
+ * Drop-in for any content list that needs search/social previews.
+ */
+function withSEO() {
+  return {
+    fields: {
+      metaTitle: text({
+        ui: {
+          description: 'Title used by search engines and social previews.'
+        }
+      }),
+      metaDescription: text({
+        ui: {
+          displayMode: 'textarea',
+          description: 'Short summary (~155 characters).'
+        }
+      }),
+      ogImage: text({
+        ui: {
+          description: 'Absolute URL to the social sharing image.'
+        }
+      })
+    }
+  };
+}
+/**
+ * Adds an integer `order` field for manual sorting/drag-ordering of items.
+ */
+function withSortable(opts = {}) {
+  var _opts$field2;
+  const fieldKey = (_opts$field2 = opts.field) !== null && _opts$field2 !== void 0 ? _opts$field2 : 'order';
+  return {
+    fields: {
+      [fieldKey]: integer({
+        defaultValue: 0,
+        ui: {
+          description: 'Manual sort position (lower comes first).'
+        }
+      })
+    }
+  };
+}
+/**
+ * Adds self-referential `parent` / `children` relationships for tree-shaped content
+ * (categories, menus, pages), with cycle prevention: an item can never be moved under
+ * one of its own descendants.
+ *
+ * @param listKey - The key of the collection this mixin is applied to (needed for the
+ *   self-referencing relationship and ancestor checks).
+ *
+ * @example
+ * defineCollection({ mixins: [withTreeStructure('Category')], fields: { name: text() } })
+ */
+function withTreeStructure(listKey, opts = {}) {
+  var _opts$parentField, _opts$childrenField;
+  const parentField = (_opts$parentField = opts.parentField) !== null && _opts$parentField !== void 0 ? _opts$parentField : 'parent';
+  const childrenField = (_opts$childrenField = opts.childrenField) !== null && _opts$childrenField !== void 0 ? _opts$childrenField : 'children';
+  return {
+    fields: {
+      [parentField]: relationship({
+        ref: `${listKey}.${childrenField}`,
+        ui: {
+          description: 'Parent item in the tree (leave empty for a root item).'
+        }
+      }),
+      [childrenField]: relationship({
+        ref: `${listKey}.${parentField}`,
+        many: true,
+        ui: {
+          displayMode: 'count',
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      })
+    },
+    hooks: {
+      validate: async args => {
+        var _parentOp$connect;
+        const {
+          operation,
+          resolvedData,
+          item,
+          context,
+          addValidationError
+        } = args;
+        if (operation !== 'update') return;
+        const parentOp = resolvedData === null || resolvedData === void 0 ? void 0 : resolvedData[parentField];
+        const newParentId = parentOp === null || parentOp === void 0 || (_parentOp$connect = parentOp.connect) === null || _parentOp$connect === void 0 ? void 0 : _parentOp$connect.id;
+        if (newParentId == null) return;
+        if (String(newParentId) === String(item.id)) {
+          addValidationError(`"${parentField}" cannot point at the item itself`);
+          return;
+        }
+        // Walk up from the new parent — finding the item means we'd create a cycle.
+        const sudo = context.sudo();
+        let cursor = newParentId;
+        for (let depth = 0; depth < 100 && cursor != null; depth++) {
+          var _ancestor$parentField, _ancestor$parentField2;
+          const ancestor = await sudo.query[listKey].findOne({
+            where: {
+              id: String(cursor)
+            },
+            query: `id ${parentField} { id }`
+          });
+          if (!ancestor) return;
+          cursor = (_ancestor$parentField = (_ancestor$parentField2 = ancestor[parentField]) === null || _ancestor$parentField2 === void 0 ? void 0 : _ancestor$parentField2.id) !== null && _ancestor$parentField !== void 0 ? _ancestor$parentField : null;
+          if (cursor != null && String(cursor) === String(item.id)) {
+            addValidationError(`"${parentField}" would create a cycle — the new parent is a descendant of this item`);
+            return;
+          }
+        }
+      }
+    }
+  };
+}
+/**
+ * Multi-tenancy: adds a required `tenant` relationship that is auto-assigned from the
+ * session on create. Combine with `tenantAccessFilter()` in the collection's
+ * `access.filter` rules to scope every query/update/delete to the session's tenant.
+ *
+ * @example
+ * defineCollection({
+ *   mixins: [withTenant({ ref: 'Tenant' })],
+ *   access: {
+ *     filter: {
+ *       query: tenantAccessFilter(),
+ *       update: tenantAccessFilter(),
+ *       delete: tenantAccessFilter(),
+ *     },
+ *   },
+ *   fields: { ... },
+ * })
+ */
+function withTenant(opts = {}) {
+  var _opts$ref, _opts$field3, _opts$getTenantId;
+  const ref = (_opts$ref = opts.ref) !== null && _opts$ref !== void 0 ? _opts$ref : 'Tenant';
+  const field = (_opts$field3 = opts.field) !== null && _opts$field3 !== void 0 ? _opts$field3 : 'tenant';
+  const getTenantId = (_opts$getTenantId = opts.getTenantId) !== null && _opts$getTenantId !== void 0 ? _opts$getTenantId : defaultGetTenantId;
+  return {
+    fields: {
+      [field]: relationship({
+        ref,
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      })
+    },
+    hooks: {
+      resolveInput: ({
+        operation,
+        resolvedData,
+        context
+      }) => {
+        if (operation !== 'create') return resolvedData;
+        if (resolvedData[field]) return resolvedData;
+        const tenantId = getTenantId(context.session);
+        if (!tenantId) return resolvedData;
+        return {
+          ...resolvedData,
+          [field]: {
+            connect: {
+              id: tenantId
+            }
+          }
+        };
+      },
+      validate: async args => {
+        const {
+          operation,
+          resolvedData,
+          addValidationError
+        } = args;
+        if (opts.optional || operation !== 'create') return;
+        if (!(resolvedData !== null && resolvedData !== void 0 && resolvedData[field])) {
+          addValidationError(`"${field}" is required — no tenant found on the session`);
+        }
+      }
+    }
+  };
+}
+function defaultGetTenantId(session) {
+  var _session$data$tenant$, _session$data;
+  return (_session$data$tenant$ = session === null || session === void 0 || (_session$data = session.data) === null || _session$data === void 0 || (_session$data = _session$data.tenant) === null || _session$data === void 0 ? void 0 : _session$data.id) !== null && _session$data$tenant$ !== void 0 ? _session$data$tenant$ : session === null || session === void 0 ? void 0 : session.tenantId;
+}
+/**
+ * Access-control filter companion to `withTenant()`: limits matched items to the
+ * session's tenant. Returns `false` (no access) when the session has no tenant.
+ */
+function tenantAccessFilter(opts = {}) {
+  var _opts$field4, _opts$getTenantId2;
+  const field = (_opts$field4 = opts.field) !== null && _opts$field4 !== void 0 ? _opts$field4 : 'tenant';
+  const getTenantId = (_opts$getTenantId2 = opts.getTenantId) !== null && _opts$getTenantId2 !== void 0 ? _opts$getTenantId2 : defaultGetTenantId;
+  return ({
+    session
+  }) => {
+    const tenantId = getTenantId(session);
+    if (!tenantId) return false;
+    return {
+      [field]: {
+        id: {
+          equals: tenantId
+        }
+      }
+    };
+  };
+}
+/**
+ * Adds `publishAt` / `unpublishAt` timestamps for scheduled publishing. Composes with
+ * `withPublishing()` (which provides the `status` field). The schedule is enacted by
+ * `applyScheduledPublishing()` — run it from a cron job:
+ *
+ * @example
+ * jobs: createJobs({ jobs: [{
+ *   name: 'scheduled-publishing',
+ *   schedule: '* * * * *',
+ *   handler: async () => { await applyScheduledPublishing(getContext(), 'Post') },
+ * }]})
+ */
+function withScheduledPublishing() {
+  return {
+    fields: {
+      publishAt: timestamp({
+        ui: {
+          description: 'Automatically publish at this time (requires the scheduled-publishing job).'
+        }
+      }),
+      unpublishAt: timestamp({
+        ui: {
+          description: 'Automatically archive at this time (requires the scheduled-publishing job).'
+        }
+      })
+    }
+  };
+}
+/**
+ * Enact `withScheduledPublishing()` schedules for one collection: publishes drafts whose
+ * `publishAt` has passed and archives published items whose `unpublishAt` has passed.
+ * Designed to be called from a cron job (see `withScheduledPublishing`).
+ */
+async function applyScheduledPublishing(context, listKey, opts = {}) {
+  var _opts$statusField, _opts$draftValue, _opts$publishedValue, _opts$archivedValue;
+  const statusField = (_opts$statusField = opts.statusField) !== null && _opts$statusField !== void 0 ? _opts$statusField : 'status';
+  const draftValue = (_opts$draftValue = opts.draftValue) !== null && _opts$draftValue !== void 0 ? _opts$draftValue : 'draft';
+  const publishedValue = (_opts$publishedValue = opts.publishedValue) !== null && _opts$publishedValue !== void 0 ? _opts$publishedValue : 'published';
+  const archivedValue = (_opts$archivedValue = opts.archivedValue) !== null && _opts$archivedValue !== void 0 ? _opts$archivedValue : 'archived';
+  const sudo = context.sudo();
+  const now = new Date();
+  const toPublish = await sudo.db[listKey].findMany({
+    where: {
+      [statusField]: {
+        equals: draftValue
+      },
+      publishAt: {
+        lte: now
+      }
+    }
+  });
+  for (const item of toPublish) {
+    await sudo.db[listKey].updateOne({
+      where: {
+        id: String(item.id)
+      },
+      data: {
+        [statusField]: publishedValue
+      }
+    });
+  }
+  const toArchive = await sudo.db[listKey].findMany({
+    where: {
+      [statusField]: {
+        equals: publishedValue
+      },
+      unpublishAt: {
+        lte: now
+      }
+    }
+  });
+  for (const item of toArchive) {
+    await sudo.db[listKey].updateOne({
+      where: {
+        id: String(item.id)
+      },
+      data: {
+        [statusField]: archivedValue
+      }
+    });
+  }
+  return {
+    published: toPublish.length,
+    archived: toArchive.length
+  };
+}
+/**
+ * i18n: adds a `locale` select plus a shared `translationKey` that groups an item with
+ * its translations (auto-generated on create when blank). Query an item's variants with
+ * `{ translationKey: { equals }, locale: { not: ... } }` — and once compound uniqueness
+ * is configured, pair (`translationKey`, `locale`) should be unique.
+ *
+ * @example
+ * defineCollection({ mixins: [withLocale({ locales: ['en', 'ur', 'ar'] })], fields: { ... } })
+ */
+function withLocale(opts) {
+  var _opts$locales, _opts$groupField, _opts$defaultLocale;
+  if (!((_opts$locales = opts.locales) !== null && _opts$locales !== void 0 && _opts$locales.length)) throw new Error('withLocale requires at least one locale');
+  const groupField = (_opts$groupField = opts.groupField) !== null && _opts$groupField !== void 0 ? _opts$groupField : 'translationKey';
+  const defaultLocale = (_opts$defaultLocale = opts.defaultLocale) !== null && _opts$defaultLocale !== void 0 ? _opts$defaultLocale : opts.locales[0];
+  return {
+    fields: {
+      locale: select({
+        type: 'enum',
+        options: opts.locales.map(locale => ({
+          label: locale,
+          value: locale
+        })),
+        defaultValue: defaultLocale,
+        validation: {
+          isRequired: true
+        }
+      }),
+      [groupField]: text({
+        isIndexed: true,
+        ui: {
+          description: 'Shared id linking this item with its translations.',
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      })
+    },
+    hooks: {
+      resolveInput: ({
+        operation,
+        resolvedData
+      }) => {
+        if (operation !== 'create') return resolvedData;
+        if (resolvedData[groupField]) return resolvedData;
+        return {
+          ...resolvedData,
+          [groupField]: randomBytes(8).toString('hex')
+        };
+      }
+    }
+  };
+}
+/**
+ * Editorial approval: adds an approval status + a `pendingChanges` buffer where proposed
+ * edits wait for review instead of going live. Drive it with `submitForApproval()`,
+ * `approveChanges()` and `rejectChanges()` from custom mutations or the Admin UI.
+ */
+function withApproval() {
+  return {
+    fields: {
+      approvalStatus: select({
+        type: 'enum',
+        options: [{
+          label: 'None',
+          value: 'none'
+        }, {
+          label: 'Pending',
+          value: 'pending'
+        }, {
+          label: 'Approved',
+          value: 'approved'
+        }, {
+          label: 'Rejected',
+          value: 'rejected'
+        }],
+        defaultValue: 'none',
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      }),
+      pendingChanges: json({
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'hidden'
+          },
+          listView: {
+            fieldMode: 'hidden'
+          }
+        }
+      }),
+      approvalSubmittedAt: timestamp({
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      }),
+      approvalReviewedAt: timestamp({
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      })
+    }
+  };
+}
+/** Park proposed changes on an item for review (see `withApproval`). */
+async function submitForApproval(context, args) {
+  await context.sudo().db[args.listKey].updateOne({
+    where: {
+      id: args.itemId
+    },
+    data: {
+      pendingChanges: args.changes,
+      approvalStatus: 'pending',
+      approvalSubmittedAt: new Date().toISOString()
+    }
+  });
+}
+/**
+ * Apply an item's `pendingChanges` (running normal hooks/validation) and mark it
+ * approved. The buffered changes must be a valid update input for the collection.
+ */
+async function approveChanges(context, args) {
+  const sudo = context.sudo();
+  const item = await sudo.query[args.listKey].findOne({
+    where: {
+      id: args.itemId
+    },
+    query: 'id pendingChanges approvalStatus'
+  });
+  if (!(item !== null && item !== void 0 && item.pendingChanges)) throw new Error('approveChanges: the item has no pending changes');
+  await sudo.db[args.listKey].updateOne({
+    where: {
+      id: args.itemId
+    },
+    data: {
+      ...item.pendingChanges,
+      pendingChanges: null,
+      approvalStatus: 'approved',
+      approvalReviewedAt: new Date().toISOString()
+    }
+  });
+}
+/** Discard an item's `pendingChanges` and mark it rejected. */
+async function rejectChanges(context, args) {
+  await context.sudo().db[args.listKey].updateOne({
+    where: {
+      id: args.itemId
+    },
+    data: {
+      pendingChanges: null,
+      approvalStatus: 'rejected',
+      approvalReviewedAt: new Date().toISOString()
+    }
+  });
+}
+/**
+ * Adds an `expiresAt` timestamp for content with a shelf life. Pair with
+ * `purgeExpired()` in a cron job to physically remove (or just count) expired items.
+ */
+function withExpiry(opts = {}) {
+  var _opts$field5;
+  const field = (_opts$field5 = opts.field) !== null && _opts$field5 !== void 0 ? _opts$field5 : 'expiresAt';
+  return {
+    fields: {
+      [field]: timestamp({
+        ui: {
+          description: 'After this time the item is considered expired.'
+        }
+      })
+    }
+  };
+}
+/**
+ * Delete every item whose expiry has passed (runs normal delete hooks). Returns the
+ * number deleted. Designed for a cron job; see `withExpiry`.
+ */
+async function purgeExpired(context, listKey, opts = {}) {
+  var _opts$field6;
+  const field = (_opts$field6 = opts.field) !== null && _opts$field6 !== void 0 ? _opts$field6 : 'expiresAt';
+  const sudo = context.sudo();
+  const expired = await sudo.db[listKey].findMany({
+    where: {
+      [field]: {
+        lte: new Date()
+      }
+    }
+  });
+  for (const item of expired) {
+    await sudo.db[listKey].deleteOne({
+      where: {
+        id: String(item.id)
+      }
+    });
+  }
+  return expired.length;
+}
+/**
+ * Adds a read-only `viewCount` integer. Increment it with `recordView()` — a direct,
+ * race-safe Prisma increment that bypasses hooks (a view is not an editorial change).
+ */
+function withViewCount(opts = {}) {
+  var _opts$field7;
+  const field = (_opts$field7 = opts.field) !== null && _opts$field7 !== void 0 ? _opts$field7 : 'viewCount';
+  return {
+    fields: {
+      [field]: integer({
+        defaultValue: 0,
+        ui: {
+          createView: {
+            fieldMode: 'hidden'
+          },
+          itemView: {
+            fieldMode: 'read'
+          }
+        }
+      })
+    }
+  };
+}
+/** Increment an item's view counter (see `withViewCount`). */
+async function recordView(context, listKey, itemId, opts = {}) {
+  var _opts$field8, _context$prisma;
+  const field = (_opts$field8 = opts.field) !== null && _opts$field8 !== void 0 ? _opts$field8 : 'viewCount';
+  const model = (_context$prisma = context.prisma) === null || _context$prisma === void 0 ? void 0 : _context$prisma[listKey[0].toLowerCase() + listKey.slice(1)];
+  if (!model) throw new Error(`recordView: collection "${listKey}" was not found in the Prisma client`);
+  await model.update({
+    where: {
+      id: itemId
+    },
+    data: {
+      [field]: {
+        increment: 1
+      }
+    }
+  });
+}
+/**
+ * Companion to cascade rules: sweep records whose to-one relationship points at
+ * nothing (e.g. rows that pre-date a cascade rule, or were orphaned by `setNull`).
+ * Runs normal delete hooks (so cascade rules fire too). Designed for a cron job.
+ *
+ * @example
+ * jobs: createJobs({ jobs: [{
+ *   name: 'orphan-cleanup',
+ *   schedule: '0 4 * * *',
+ *   handler: async () => { await cleanupOrphans(getContext(), { collection: 'Comment', field: 'post' }) },
+ * }]})
+ */
+async function cleanupOrphans(context, options) {
+  var _options$softDeleteFi;
+  const {
+    collection,
+    field,
+    action = 'delete'
+  } = options;
+  const softDeleteField = (_options$softDeleteFi = options.softDeleteField) !== null && _options$softDeleteFi !== void 0 ? _options$softDeleteFi : 'deletedAt';
+  const sudo = context.sudo();
+  const where = action === 'softDelete' ? {
+    [field]: null,
+    [softDeleteField]: null
+  } : {
+    [field]: null
+  };
+  let total = 0;
+  for (;;) {
+    const orphans = await sudo.db[collection].findMany({
+      where,
+      take: 100
+    });
+    if (!orphans.length) break;
+    for (const orphan of orphans) {
+      if (action === 'delete') {
+        await sudo.db[collection].deleteOne({
+          where: {
+            id: String(orphan.id)
+          }
+        });
+      } else {
+        await sudo.db[collection].updateOne({
+          where: {
+            id: String(orphan.id)
+          },
+          data: {
+            [softDeleteField]: new Date().toISOString()
+          }
+        });
+      }
+      total++;
+    }
+    if (orphans.length < 100) break;
+  }
+  return total;
+}
 /**
  * Factory for building reusable field group mixins.
  *
@@ -409,14 +1721,14 @@ function createMixin(fields, hooks) {
 }
 // ================================================================
-// defineList — a typed wrapper around list() with mixin support
+// defineCollection — a typed wrapper around list() with mixin support
 // ================================================================
 /**
  * Defines a list with optional mixins for reusable field groups and hooks.
  *
  * @example
- * export const Post = defineList({
+ * export const Post = defineCollection({
  *   mixins: [withTimestamps()],
  *   fields: {
  *     title: text({ validation: validators.required }),
@@ -424,9 +1736,18 @@ function createMixin(fields, hooks) {
  *   },
  * })
  */
-function defineList(config) {
+function defineCollection(config) {
   const {
     mixins = [],
+    access,
+    computed,
+    constraints,
+    defaultFilter,
+    stateMachine,
+    policies,
+    events,
+    searchable,
+    versioned,
     ...listConfig
   } = config;
   const mixinFields = {};
@@ -435,9 +1756,26 @@ function defineList(config) {
     if (mixin.fields) Object.assign(mixinFields, mixin.fields);
     if (mixin.hooks) mixinHooksList.push(mixin.hooks);
   }
-  const mergedHooks = mergeMixinHooks(mixinHooksList, listConfig.hooks);
-  return list({
+  // Feature hooks run AFTER mixin + user hooks so computed fields and constraint checks
+  // observe the final resolved data, and events/search/version snapshots fire last.
+  const featureHooks = compileFeatureHooks({
+    computed,
+    constraints,
+    stateMachine,
+    events,
+    searchable,
+    versioned
+  });
+  const mergedHooks = mergeMixinHooks(mixinHooksList, listConfig.hooks, featureHooks);
+  const baseAccess = access !== null && access !== void 0 ? access : accessPresets.public;
+  const finalAccess = applyAccessFeatures(baseAccess, {
+    defaultFilter,
+    policies
+  });
+  return collection({
     ...listConfig,
+    access: finalAccess,
     fields: {
       ...mixinFields,
       ...listConfig.fields
@@ -482,13 +1820,13 @@ function mergeResolveInput(a, b) {
 }
 /**
- * Merge mixin hooks with the list's own hooks. Each Keystone hook may be either a function or a
+ * Merge mixin hooks with the list's own hooks. Each list hook may be either a function or a
  * `{ create, update, delete }` object — `merge` (from resolve-hooks) handles both forms for the
  * void hooks, and `mergeResolveInput` handles the data-threading `resolveInput` hook.
  */
-function mergeMixinHooks(mixinHooks, listHooks) {
-  if (mixinHooks.length === 0) return listHooks !== null && listHooks !== void 0 ? listHooks : {};
-  const all = [...mixinHooks, ...(listHooks ? [listHooks] : [])];
+function mergeMixinHooks(mixinHooks, listHooks, featureHooks = []) {
+  if (mixinHooks.length === 0 && featureHooks.length === 0) return listHooks !== null && listHooks !== void 0 ? listHooks : {};
+  const all = [...mixinHooks, ...(listHooks ? [listHooks] : []), ...featureHooks];
   const merged = {};
   for (const hooks of all) {
     merged.resolveInput = mergeResolveInput(merged.resolveInput, hooks.resolveInput);
@@ -514,7 +1852,7 @@ function mergeMixinHooks(mixinHooks, listHooks) {
  * })
  */
 function defineConfig(nixxieConfig) {
-  return config(nixxieConfig);
+  return buildConfig(nixxieConfig);
 }
 // ================================================================
@@ -525,7 +1863,7 @@ function defineConfig(nixxieConfig) {
  * Defines a list action. Typed alias for `action()`.
  */
 function defineAction(actionConfig) {
-  return action(actionConfig);
+  return createAction(actionConfig);
 }
-export { action, config, createMixin, defineAction, defineConfig, defineList, group, list, validators, withAudit, withSoftDelete, withTimestamps };
+export { accessPresets, applyScheduledPublishing, approveChanges, cleanupOrphans, collection, createAction, createMixin, defineAction, defineCollection, defineConfig, fieldGroup, purgeExpired, recordView, rejectChanges, submitForApproval, tenantAccessFilter, validateEnv, validators, withApproval, withAudit, withExpiry, withLocale, withPublishing, withSEO, withScheduledPublishing, withSlug, withSoftDelete, withSortable, withTenant, withTimestamps, withTreeStructure, withViewCount };