@plank-cms/plank 0.12.1 → 0.14.1

package/dist/server-VPVKRT67.js

@@ -1,2742 +0,0 @@
-#!/usr/bin/env node
-
-// ../db/dist/pool.js
-import pg from "pg";
-pg.types.setTypeParser(1114, (val) => val ? /* @__PURE__ */ new Date(val.replace(" ", "T") + "Z") : null);
-pg.types.setTypeParser(1700, (val) => val !== null ? parseFloat(val) : null);
-var pool = new pg.Pool({
-  connectionString: process.env.PLANK_DATABASE_URL,
-  max: 10,
-  idleTimeoutMillis: 3e4,
-  connectionTimeoutMillis: 2e3
-});
-pool.on("error", (err) => {
-  console.error("[plank/db] Unexpected pool error:", err.message);
-  process.exit(1);
-});
-var pool_default = pool;
-
-// ../db/dist/migrate.js
-import { readdir, readFile } from "fs/promises";
-import { join, dirname } from "path";
-import { fileURLToPath } from "url";
-
-// ../db/dist/id.js
-import { randomUUID } from "crypto";
-var createId = () => randomUUID();
-
-// ../db/dist/defaults.js
-var DEFAULT_ROLE_PERMISSIONS = {
-  "Super Admin": ["*"],
-  "Admin": [
-    "content-types:read",
-    "content-types:write",
-    "entries:read",
-    "entries:write",
-    "entries:delete",
-    "media:read",
-    "media:write",
-    "media:delete",
-    "settings:overview:read",
-    "settings:users:read",
-    "settings:users:write",
-    "settings:users:delete",
-    "settings:webhooks:read",
-    "settings:webhooks:write",
-    "settings:webhooks:delete"
-  ],
-  "User": [
-    "content-types:read",
-    "entries:read",
-    "entries:write",
-    "media:read",
-    "media:write"
-  ]
-};
-
-// ../db/dist/migrate.js
-var MIGRATIONS_DIR = join(dirname(fileURLToPath(import.meta.url)), "migrations");
-async function ensureMigrationsTable(client) {
-  await client.query(`
-    CREATE TABLE IF NOT EXISTS plank_migrations (
-      id         TEXT PRIMARY KEY,
-      filename   VARCHAR(255) NOT NULL UNIQUE,
-      applied_at TIMESTAMP NOT NULL DEFAULT NOW()
-    )
-  `);
-}
-async function appliedMigrations(client) {
-  const { rows } = await client.query("SELECT filename FROM plank_migrations ORDER BY filename");
-  return new Set(rows.map((r) => r.filename));
-}
-async function seedDefaultRoles(client) {
-  const { rows } = await client.query("SELECT COUNT(*) as count FROM plank_roles");
-  if (parseInt(rows[0].count) > 0)
-    return;
-  for (const [name, permissions] of Object.entries(DEFAULT_ROLE_PERMISSIONS)) {
-    await client.query("INSERT INTO plank_roles (id, name, permissions) VALUES ($1, $2, $3)", [createId(), name, JSON.stringify(permissions)]);
-  }
-  console.log("[plank/db] Seeded default roles.");
-}
-async function migrate() {
-  const client = await pool_default.connect();
-  try {
-    await client.query("BEGIN");
-    await ensureMigrationsTable(client);
-    const files = (await readdir(MIGRATIONS_DIR)).filter((f) => f.endsWith(".sql")).sort();
-    const applied = await appliedMigrations(client);
-    for (const file of files) {
-      if (applied.has(file))
-        continue;
-      const sql = await readFile(join(MIGRATIONS_DIR, file), "utf8");
-      await client.query(sql);
-      await client.query("INSERT INTO plank_migrations (id, filename) VALUES ($1, $2)", [createId(), file]);
-      console.log(`[plank/db] Applied migration: ${file}`);
-    }
-    await seedDefaultRoles(client);
-    await client.query("COMMIT");
-    console.log("[plank/db] Migrations up to date.");
-  } catch (err) {
-    await client.query("ROLLBACK");
-    throw err;
-  } finally {
-    client.release();
-  }
-}
-
-// ../schema/dist/types.js
-var ValidationError = class extends Error {
-  errors;
-  constructor(errors) {
-    super(errors.join(", "));
-    this.errors = errors;
-    this.name = "ValidationError";
-  }
-};
-var SchemaError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "SchemaError";
-  }
-};
-
-// ../schema/dist/fieldTypes.js
-function quoteIdentifier(name) {
-  return `"${name.replace(/"/g, '""')}"`;
-}
-function toPostgresType(field) {
-  switch (field.type) {
-    case "string":
-      return "VARCHAR(255)";
-    case "text":
-    case "richtext":
-      return "TEXT";
-    case "number":
-      return field.subtype === "float" ? "NUMERIC" : "INTEGER";
-    case "boolean":
-      return "BOOLEAN";
-    case "datetime":
-      return "TIMESTAMP";
-    case "media":
-      return "TEXT";
-    case "media-gallery":
-      return "JSONB";
-    case "relation": {
-      const relType = field.relationType ?? "many-to-one";
-      if (relType === "one-to-many" || relType === "many-to-many") {
-        throw new SchemaError(`"${relType}" relation does not produce a column`);
-      }
-      if (!field.relatedTable)
-        return "TEXT";
-      const relatedTable = quoteIdentifier(field.relatedTable);
-      const unique = relType === "one-to-one" ? " UNIQUE" : "";
-      return `TEXT${unique} REFERENCES ${relatedTable}(id) ON DELETE SET NULL`;
-    }
-    case "uid":
-      return "VARCHAR(255) UNIQUE";
-    case "array":
-      return "JSONB";
-    default:
-      throw new SchemaError(`Unknown field type: "${field.type}"`);
-  }
-}
-function isVirtualRelation(field) {
-  if (field.type !== "relation")
-    return false;
-  const rt = field.relationType ?? "many-to-one";
-  return rt === "one-to-many" || rt === "many-to-many";
-}
-function hasRelationColumn(field) {
-  if (field.type !== "relation")
-    return false;
-  const rt = field.relationType ?? "many-to-one";
-  return rt === "many-to-one" || rt === "one-to-one";
-}
-function assertSafeIdentifier(name) {
-  if (!/^[a-z][a-z0-9_]*$/.test(name)) {
-    throw new SchemaError(`Invalid identifier "${name}". Use only lowercase letters, digits, and underscores.`);
-  }
-}
-
-// ../schema/dist/store.js
-function rowToContentType(row) {
-  return {
-    id: row.id,
-    name: row.name,
-    slug: row.slug,
-    kind: row.kind,
-    tableName: row.table_name,
-    fields: row.fields,
-    isDefault: row.is_default,
-    createdAt: row.created_at,
-    updatedAt: row.updated_at
-  };
-}
-async function findAllContentTypes() {
-  const { rows } = await pool_default.query("SELECT * FROM plank_content_types ORDER BY name");
-  return rows.map(rowToContentType);
-}
-async function findContentTypeBySlug(slug) {
-  const { rows } = await pool_default.query("SELECT * FROM plank_content_types WHERE slug = $1", [slug]);
-  return rows[0] ? rowToContentType(rows[0]) : null;
-}
-async function saveContentType(contentType) {
-  const { rows } = await pool_default.query(`INSERT INTO plank_content_types (id, name, slug, kind, table_name, fields)
-     VALUES ($1, $2, $3, $4, $5, $6)
-     RETURNING *`, [createId(), contentType.name, contentType.slug, contentType.kind ?? "collection", contentType.tableName, JSON.stringify(contentType.fields)]);
-  return rowToContentType(rows[0]);
-}
-async function updateContentType(slug, contentType) {
-  const { rows } = await pool_default.query(`UPDATE plank_content_types
-     SET name = $1, fields = $2, updated_at = NOW()
-     WHERE slug = $3
-     RETURNING *`, [contentType.name, JSON.stringify(contentType.fields), slug]);
-  return rowToContentType(rows[0]);
-}
-async function setDefaultContentType(slug) {
-  const client = await pool_default.connect();
-  try {
-    await client.query("BEGIN");
-    await client.query("UPDATE plank_content_types SET is_default = false");
-    const { rows } = await client.query("UPDATE plank_content_types SET is_default = true WHERE slug = $1 RETURNING *", [slug]);
-    if (!rows[0])
-      throw new Error(`Content type "${slug}" not found`);
-    await client.query("COMMIT");
-    return rowToContentType(rows[0]);
-  } catch (err) {
-    await client.query("ROLLBACK");
-    throw err;
-  } finally {
-    client.release();
-  }
-}
-async function deleteContentType(slug) {
-  await pool_default.query("DELETE FROM plank_content_types WHERE slug = $1", [slug]);
-}
-
-// ../schema/dist/tableBuilder.js
-function buildColumnDef(field) {
-  if (isVirtualRelation(field))
-    return null;
-  assertSafeIdentifier(field.name);
-  const pgType = toPostgresType(field);
-  const notNull = field.required ? " NOT NULL" : "";
-  return `${quoteIdentifier(field.name)} ${pgType}${notNull}`;
-}
-function junctionTableName(sourceTable, fieldName) {
-  return `_rel_${sourceTable}_${fieldName}`;
-}
-function buildJunctionTableSQL(sourceTable, fieldName, targetTable) {
-  const jt = junctionTableName(sourceTable, fieldName);
-  assertSafeIdentifier(targetTable);
-  const quotedJt = quoteIdentifier(jt);
-  const quotedSourceTable = quoteIdentifier(sourceTable);
-  const quotedTargetTable = quoteIdentifier(targetTable);
-  return [
-    `CREATE TABLE IF NOT EXISTS ${quotedJt} (`,
-    `  source_id TEXT NOT NULL REFERENCES ${quotedSourceTable}(id) ON DELETE CASCADE,`,
-    `  target_id TEXT NOT NULL REFERENCES ${quotedTargetTable}(id) ON DELETE CASCADE,`,
-    `  PRIMARY KEY (source_id, target_id)`,
-    `)`
-  ].join("\n");
-}
-function relationSignature(field) {
-  if (field.type !== "relation")
-    return "";
-  const rt = field.relationType ?? "many-to-one";
-  return `${rt}:${field.relatedTable ?? ""}`;
-}
-async function createTable(contentType) {
-  assertSafeIdentifier(contentType.tableName);
-  const quotedTableName = quoteIdentifier(contentType.tableName);
-  const columnFields = contentType.fields.filter((f) => !isVirtualRelation(f));
-  const columns = columnFields.map(buildColumnDef).filter(Boolean);
-  const sql = [
-    `CREATE TABLE IF NOT EXISTS ${quotedTableName} (`,
-    `  id         TEXT PRIMARY KEY,`,
-    ...columns.map((col) => `  ${col},`),
-    `  localized      JSONB,`,
-    `  status         VARCHAR(20) NOT NULL DEFAULT 'draft',`,
-    `  published_data JSONB,`,
-    `  published_at   TIMESTAMP,`,
-    `  scheduled_for  TIMESTAMP,`,
-    `  created_by     TEXT REFERENCES plank_users(id) ON DELETE SET NULL,`,
-    `  created_at     TIMESTAMP NOT NULL DEFAULT NOW(),`,
-    `  updated_at     TIMESTAMP NOT NULL DEFAULT NOW()`,
-    `)`
-  ].join("\n");
-  await pool_default.query(sql);
-  try {
-    await pool_default.query(`CREATE INDEX IF NOT EXISTS idx_${contentType.tableName}_localized_gin ON ${quotedTableName} USING gin (localized)`);
-  } catch (err) {
-  }
-  for (const field of contentType.fields) {
-    if (field.type === "relation" && (field.relationType ?? "many-to-one") === "many-to-many" && field.relatedTable) {
-      await pool_default.query(buildJunctionTableSQL(contentType.tableName, field.name, field.relatedTable));
-    }
-  }
-}
-async function syncTable(next, prev) {
-  assertSafeIdentifier(next.tableName);
-  const quotedTableName = quoteIdentifier(next.tableName);
-  const prevFields = new Map(prev.fields.map((f) => [f.name, f]));
-  const nextFields = new Map(next.fields.map((f) => [f.name, f]));
-  const statements = [];
-  const junctionOps = [];
-  for (const [name, field] of nextFields) {
-    if (!prevFields.has(name)) {
-      if (isVirtualRelation(field))
-        continue;
-      assertSafeIdentifier(name);
-      const colDef = buildColumnDef(field);
-      if (colDef)
-        statements.push(`ALTER TABLE ${quotedTableName} ADD COLUMN IF NOT EXISTS ${colDef}`);
-      if (field.type === "relation" && (field.relationType ?? "many-to-one") === "many-to-many" && field.relatedTable) {
-        const sql = buildJunctionTableSQL(next.tableName, name, field.relatedTable);
-        junctionOps.push(() => pool_default.query(sql));
-      }
-    }
-  }
-  for (const [name] of prevFields) {
-    if (!nextFields.has(name)) {
-      const prevField = prevFields.get(name);
-      assertSafeIdentifier(name);
-      if (!isVirtualRelation(prevField)) {
-        statements.push(`ALTER TABLE ${quotedTableName} DROP COLUMN ${quoteIdentifier(name)}`);
-      }
-      if (prevField.type === "relation" && (prevField.relationType ?? "many-to-one") === "many-to-many") {
-        const jt = junctionTableName(next.tableName, name);
-        junctionOps.push(() => pool_default.query(`DROP TABLE IF EXISTS ${jt}`));
-      }
-    }
-  }
-  for (const [name, nextField] of nextFields) {
-    const prevField = prevFields.get(name);
-    if (!prevField)
-      continue;
-    if (nextField.type === "relation" || prevField.type === "relation") {
-      const prevSig = relationSignature(prevField);
-      const nextSig = relationSignature(nextField);
-      if (prevSig === nextSig)
-        continue;
-      assertSafeIdentifier(name);
-      if (prevField.type === "relation" && (prevField.relationType ?? "many-to-one") === "many-to-many") {
-        const jt = junctionTableName(next.tableName, name);
-        junctionOps.push(() => pool_default.query(`DROP TABLE IF EXISTS ${jt}`));
-      }
-      if (hasRelationColumn(prevField)) {
-        statements.push(`ALTER TABLE ${quotedTableName} DROP COLUMN IF EXISTS ${quoteIdentifier(name)}`);
-      }
-      if (hasRelationColumn(nextField)) {
-        const colDef = buildColumnDef(nextField);
-        if (colDef)
-          statements.push(`ALTER TABLE ${quotedTableName} ADD COLUMN IF NOT EXISTS ${colDef}`);
-      }
-      if (nextField.type === "relation" && (nextField.relationType ?? "many-to-one") === "many-to-many" && nextField.relatedTable) {
-        const sql = buildJunctionTableSQL(next.tableName, name, nextField.relatedTable);
-        junctionOps.push(() => pool_default.query(sql));
-      }
-      continue;
-    }
-    if (toPostgresType(prevField) !== toPostgresType(nextField)) {
-      assertSafeIdentifier(name);
-      const pgType = toPostgresType(nextField);
-      statements.push(`ALTER TABLE ${quotedTableName} ALTER COLUMN ${quoteIdentifier(name)} TYPE ${pgType} USING ${quoteIdentifier(name)}::text::${pgType}`);
-    }
-  }
-  if (statements.length > 0) {
-    const client = await pool_default.connect();
-    try {
-      await client.query("BEGIN");
-      for (const stmt of statements) {
-        await client.query(stmt);
-      }
-      await client.query("COMMIT");
-    } catch (err) {
-      await client.query("ROLLBACK");
-      throw err;
-    } finally {
-      client.release();
-    }
-    for (const op of junctionOps) {
-      await op();
-    }
-  }
-}
-async function syncAllTables() {
-  const contentTypes = await findAllContentTypes();
-  for (const ct of contentTypes) {
-    assertSafeIdentifier(ct.tableName);
-    const quotedTableName = quoteIdentifier(ct.tableName);
-    const { rows } = await pool_default.query(`SELECT column_name FROM information_schema.columns WHERE table_name = $1 AND table_schema = 'public'`, [ct.tableName]);
-    const existingColumns = new Set(rows.map((r) => r.column_name));
-    if (!existingColumns.has("localized")) {
-      try {
-        await pool_default.query(`ALTER TABLE ${quotedTableName} ADD COLUMN IF NOT EXISTS localized JSONB`);
-        existingColumns.add("localized");
-        try {
-          await pool_default.query(`CREATE INDEX IF NOT EXISTS idx_${ct.tableName}_localized_gin ON ${quotedTableName} USING gin (localized)`);
-        } catch (err) {
-        }
-        console.log(`[plank] Added missing column "localized" to table "${ct.tableName}"`);
-      } catch (err) {
-      }
-    }
-    for (const field of ct.fields) {
-      if (!isVirtualRelation(field) && !existingColumns.has(field.name)) {
-        assertSafeIdentifier(field.name);
-        const colDef = buildColumnDef(field);
-        if (colDef) {
-          await pool_default.query(`ALTER TABLE ${quotedTableName} ADD COLUMN IF NOT EXISTS ${colDef}`);
-          console.log(`[plank] Added missing column "${field.name}" to table "${ct.tableName}"`);
-        }
-      }
-      if (field.type === "relation" && (field.relationType ?? "many-to-one") === "many-to-many" && field.relatedTable) {
-        await pool_default.query(buildJunctionTableSQL(ct.tableName, field.name, field.relatedTable));
-        console.log(`[plank] Created missing junction table for "${ct.tableName}.${field.name}"`);
-      }
-    }
-  }
-}
-
-// ../schema/dist/validator.js
-function validate(contentType, payload) {
-  const errors = [];
-  for (const field of contentType.fields) {
-    const value = payload[field.name];
-    const isEmpty = value === void 0 || value === null || value === "";
-    if (field.required && isEmpty) {
-      errors.push(`Field "${field.name}" is required`);
-      continue;
-    }
-    if (isEmpty)
-      continue;
-    switch (field.type) {
-      case "string":
-      case "text":
-      case "richtext":
-        if (typeof value !== "string") {
-          errors.push(`Field "${field.name}" must be a string`);
-        }
-        break;
-      case "number":
-        if (typeof value !== "number" || isNaN(value)) {
-          errors.push(`Field "${field.name}" must be a number`);
-        } else if (field.subtype !== "float" && !Number.isInteger(value)) {
-          errors.push(`Field "${field.name}" must be an integer`);
-        }
-        break;
-      case "boolean":
-        if (typeof value !== "boolean") {
-          errors.push(`Field "${field.name}" must be a boolean`);
-        }
-        break;
-      case "datetime":
-        if (!(value instanceof Date) && isNaN(Date.parse(String(value)))) {
-          errors.push(`Field "${field.name}" must be a valid date`);
-        }
-        break;
-      case "media":
-        if (typeof value !== "string" || !value.trim()) {
-          errors.push(`Field "${field.name}" must be a non-empty string URL`);
-        }
-        break;
-      case "media-gallery":
-        if (!Array.isArray(value) || value.some((v) => typeof v !== "string" || !v.trim())) {
-          errors.push(`Field "${field.name}" must be an array of media IDs`);
-        } else if (field.required && value.length === 0) {
-          errors.push(`Field "${field.name}" is required`);
-        }
-        break;
-      case "relation": {
-        const rt = field.relationType ?? "many-to-one";
-        if (rt === "one-to-many")
-          break;
-        if (rt === "many-to-many") {
-          if (!Array.isArray(value) || value.some((v) => typeof v !== "string" || !v.trim())) {
-            errors.push(`Field "${field.name}" must be an array of IDs`);
-          } else if (field.required && value.length === 0) {
-            errors.push(`Field "${field.name}" is required`);
-          }
-        } else {
-          if (typeof value !== "string" || !value.trim()) {
-            errors.push(`Field "${field.name}" must be a non-empty string ID`);
-          }
-        }
-        break;
-      }
-      case "array":
-        if (!Array.isArray(value)) {
-          errors.push(`Field "${field.name}" must be an array`);
-        } else if (field.required && value.length === 0) {
-          errors.push(`Field "${field.name}" is required`);
-        } else if (field.arrayFields && field.arrayFields.length > 0) {
-          for (let i = 0; i < value.length; i++) {
-            const item = value[i];
-            if (typeof item !== "object" || item === null) {
-              errors.push(`Field "${field.name}[${i}]" must be an object`);
-              continue;
-            }
-            for (const subField of field.arrayFields) {
-              const subValue = item[subField.name];
-              const subEmpty = subValue === void 0 || subValue === null || subValue === "";
-              if (subField.required && subEmpty) {
-                errors.push(`Field "${field.name}[${i}].${subField.name}" is required`);
-              }
-            }
-          }
-        }
-        break;
-    }
-  }
-  if (errors.length > 0)
-    throw new ValidationError(errors);
-}
-
-// ../core/dist/app.js
-import express from "express";
-import cors from "cors";
-import helmet from "helmet";
-import { join as join3, dirname as dirname2 } from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
-
-// ../core/dist/routes/auth.js
-import { Router } from "express";
-
-// ../core/dist/controllers/auth.js
-import bcrypt from "bcryptjs";
-import jwt from "jsonwebtoken";
-import { z, flattenError } from "zod";
-
-// ../core/dist/media/index.js
-import multer from "multer";
-
-// ../core/dist/lib/encrypt.js
-import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
-var ALGORITHM = "aes-256-gcm";
-var KEY_LENGTH = 32;
-var IV_LENGTH = 12;
-var TAG_LENGTH = 16;
-function getKey() {
-  const raw = process.env.PLANK_ENCRYPTION_KEY;
-  if (!raw)
-    return null;
-  const buf = Buffer.from(raw, "hex");
-  if (buf.length !== KEY_LENGTH) {
-    console.warn("[plank] PLANK_ENCRYPTION_KEY must be 64 hex chars (32 bytes). Falling back to plaintext storage.");
-    return null;
-  }
-  return buf;
-}
-function encrypt(plaintext) {
-  const key = getKey();
-  if (!key)
-    return plaintext;
-  const iv = randomBytes(IV_LENGTH);
-  const cipher = createCipheriv(ALGORITHM, key, iv);
-  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
-  const tag = cipher.getAuthTag();
-  return Buffer.concat([iv, tag, encrypted]).toString("hex");
-}
-function decrypt(stored) {
-  const key = getKey();
-  if (!key)
-    return stored;
-  try {
-    const buf = Buffer.from(stored, "hex");
-    const iv = buf.subarray(0, IV_LENGTH);
-    const tag = buf.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH);
-    const ciphertext = buf.subarray(IV_LENGTH + TAG_LENGTH);
-    const decipher = createDecipheriv(ALGORITHM, key, iv);
-    decipher.setAuthTag(tag);
-    return decipher.update(ciphertext) + decipher.final("utf8");
-  } catch {
-    return stored;
-  }
-}
-
-// ../core/dist/lib/settings.js
-var SENSITIVE_FIELDS = {
-  media: /* @__PURE__ */ new Set(["s3.secret_access_key", "r2.secret_access_key"])
-};
-function isSensitive(namespace, key) {
-  return SENSITIVE_FIELDS[namespace]?.has(key) ?? false;
-}
-async function getSettings(namespace) {
-  const { rows } = await pool_default.query("SELECT key, value FROM plank_settings WHERE namespace = $1", [namespace]);
-  return Object.fromEntries(rows.map((r) => [r.key, isSensitive(namespace, r.key) ? decrypt(r.value) : r.value]));
-}
-async function getSetting(namespace, key) {
-  const { rows } = await pool_default.query("SELECT value FROM plank_settings WHERE namespace = $1 AND key = $2", [namespace, key]);
-  if (!rows[0])
-    return null;
-  return isSensitive(namespace, key) ? decrypt(rows[0].value) : rows[0].value;
-}
-async function setSettings(namespace, values) {
-  if (Object.keys(values).length === 0)
-    return;
-  const entries = Object.entries(values).map(([key, value]) => ({
-    key,
-    value: isSensitive(namespace, key) ? encrypt(value) : value
-  }));
-  const placeholders = entries.map((_, i) => `($1, $${i * 2 + 2}, $${i * 2 + 3})`).join(", ");
-  const params = [namespace];
-  for (const { key, value } of entries) {
-    params.push(key, value);
-  }
-  await pool_default.query(`INSERT INTO plank_settings (namespace, key, value)
-     VALUES ${placeholders}
-     ON CONFLICT (namespace, key) DO UPDATE SET value = EXCLUDED.value, updated_at = NOW()`, params);
-}
-
-// ../core/dist/media/providers/local.js
-import { writeFile, mkdir } from "fs/promises";
-import { join as join2, extname } from "path";
-import { randomBytes as randomBytes2 } from "crypto";
-async function uploadsDir() {
-  const fromSettings = await getSetting("media", "local.uploads_dir");
-  return fromSettings ?? process.env.PLANK_UPLOADS_DIR ?? "public/uploads";
-}
-async function publicUrl() {
-  const fromSettings = await getSetting("media", "local.public_url");
-  return fromSettings ?? process.env.PLANK_PUBLIC_URL ?? "http://localhost:1337";
-}
-var localProvider = {
-  async upload(file, options) {
-    const base_dir = await uploadsDir();
-    const subdir = options?.prefix ? join2(base_dir, options.prefix) : base_dir;
-    await mkdir(subdir, { recursive: true });
-    const ext = extname(file.originalname);
-    const filename = `${randomBytes2(16).toString("hex")}${ext}`;
-    const key = options?.prefix ? `${options.prefix}/${filename}` : filename;
-    await writeFile(join2(base_dir, key), file.buffer);
-    const base = await publicUrl();
-    return { url: `${base}/uploads/${key}`, key };
-  },
-  async uploadRaw(buffer, exactKey, mimeType) {
-    const base_dir = await uploadsDir();
-    const dir = join2(base_dir, exactKey.split("/").slice(0, -1).join("/"));
-    await mkdir(dir, { recursive: true });
-    await writeFile(join2(base_dir, exactKey), buffer);
-    const base = await publicUrl();
-    return { url: `${base}/uploads/${exactKey}`, key: exactKey };
-  },
-  async delete(key) {
-    const { unlink } = await import("fs/promises");
-    const dir = await uploadsDir();
-    await unlink(join2(dir, key));
-  },
-  async getUrl(key) {
-    const base = await publicUrl();
-    return `${base}/uploads/${key}`;
-  }
-};
-
-// ../core/dist/media/providers/s3.js
-import { S3Client, PutObjectCommand, DeleteObjectCommand } from "@aws-sdk/client-s3";
-import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
-import { extname as extname2 } from "path";
-import { randomBytes as randomBytes3 } from "crypto";
-async function getConfig() {
-  const [accessKeyId, secretAccessKey, region, bucket, pathPrefix, publicUrl2] = await Promise.all([
-    getSetting("media", "s3.access_key_id"),
-    getSetting("media", "s3.secret_access_key"),
-    getSetting("media", "s3.region"),
-    getSetting("media", "s3.bucket"),
-    getSetting("media", "s3.path_prefix"),
-    getSetting("media", "s3.public_url")
-  ]);
-  return { accessKeyId, secretAccessKey, region, bucket, pathPrefix, publicUrl: publicUrl2 };
-}
-function buildClient(cfg) {
-  if (!cfg.accessKeyId || !cfg.secretAccessKey || !cfg.region) {
-    throw new Error("S3 provider is not configured. Set access_key_id, secret_access_key, and region in Settings > Media.");
-  }
-  return new S3Client({
-    region: cfg.region,
-    credentials: { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey }
-  });
-}
-function buildKey(cfg, filename, prefix) {
-  const ext = extname2(filename);
-  const name = `${randomBytes3(16).toString("hex")}${ext}`;
-  const parts = [cfg.pathPrefix?.replace(/\/$/, ""), prefix, name].filter(Boolean);
-  return parts.join("/");
-}
-function buildStoredUrl(cfg, key) {
-  return cfg.publicUrl ? `${cfg.publicUrl.replace(/\/$/, "")}/${key}` : `https://${cfg.bucket}.s3.${cfg.region}.amazonaws.com/${key}`;
-}
-var s3Provider = {
-  async upload(file, options) {
-    const cfg = await getConfig();
-    const client = buildClient(cfg);
-    const key = buildKey(cfg, file.originalname, options?.prefix);
-    await client.send(new PutObjectCommand({
-      Bucket: cfg.bucket,
-      Key: key,
-      Body: file.buffer,
-      ContentType: file.mimetype
-    }));
-    return { url: buildStoredUrl(cfg, key), key };
-  },
-  async uploadRaw(buffer, exactKey, mimeType) {
-    const cfg = await getConfig();
-    const client = buildClient(cfg);
-    await client.send(new PutObjectCommand({
-      Bucket: cfg.bucket,
-      Key: exactKey,
-      Body: buffer,
-      ContentType: mimeType
-    }));
-    return { url: buildStoredUrl(cfg, exactKey), key: exactKey };
-  },
-  async delete(key) {
-    const cfg = await getConfig();
-    const client = buildClient(cfg);
-    await client.send(new DeleteObjectCommand({ Bucket: cfg.bucket, Key: key }));
-  },
-  async getUrl(key) {
-    const cfg = await getConfig();
-    return buildStoredUrl(cfg, key);
-  },
-  async presign(filename, mimeType, options) {
-    const cfg = await getConfig();
-    const client = buildClient(cfg);
-    const key = buildKey(cfg, filename, options?.prefix);
-    const command = new PutObjectCommand({ Bucket: cfg.bucket, Key: key, ContentType: mimeType });
-    const uploadUrl = await getSignedUrl(client, command, { expiresIn: 300 });
-    return { key, uploadUrl, publicUrl: buildStoredUrl(cfg, key) };
-  }
-};
-
-// ../core/dist/media/providers/r2.js
-import { S3Client as S3Client2, PutObjectCommand as PutObjectCommand2, DeleteObjectCommand as DeleteObjectCommand2 } from "@aws-sdk/client-s3";
-import { getSignedUrl as getSignedUrl2 } from "@aws-sdk/s3-request-presigner";
-import { extname as extname3 } from "path";
-import { randomBytes as randomBytes4 } from "crypto";
-async function getConfig2() {
-  const [accessKeyId, secretAccessKey, accountId, bucket, pathPrefix, publicUrl2] = await Promise.all([
-    getSetting("media", "r2.access_key_id"),
-    getSetting("media", "r2.secret_access_key"),
-    getSetting("media", "r2.account_id"),
-    getSetting("media", "r2.bucket"),
-    getSetting("media", "r2.path_prefix"),
-    getSetting("media", "r2.public_url")
-  ]);
-  return { accessKeyId, secretAccessKey, accountId, bucket, pathPrefix, publicUrl: publicUrl2 };
-}
-function buildClient2(cfg) {
-  if (!cfg.accessKeyId || !cfg.secretAccessKey || !cfg.accountId) {
-    throw new Error("R2 provider is not configured. Set access_key_id, secret_access_key, and account_id in Settings > Media.");
-  }
-  return new S3Client2({
-    region: "auto",
-    endpoint: `https://${cfg.accountId}.r2.cloudflarestorage.com`,
-    credentials: { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey },
-    requestChecksumCalculation: "WHEN_REQUIRED",
-    responseChecksumValidation: "WHEN_REQUIRED"
-  });
-}
-function buildKey2(cfg, filename, prefix) {
-  const ext = extname3(filename);
-  const name = `${randomBytes4(16).toString("hex")}${ext}`;
-  const parts = [cfg.pathPrefix?.replace(/\/$/, ""), prefix, name].filter(Boolean);
-  return parts.join("/");
-}
-function buildStoredUrl2(cfg, key) {
-  if (!cfg.publicUrl) {
-    throw new Error("R2 provider requires a public_url configured in Settings > Media.");
-  }
-  return `${cfg.publicUrl.replace(/\/$/, "")}/${key}`;
-}
-var r2Provider = {
-  async upload(file, options) {
-    const cfg = await getConfig2();
-    const client = buildClient2(cfg);
-    const key = buildKey2(cfg, file.originalname, options?.prefix);
-    await client.send(new PutObjectCommand2({
-      Bucket: cfg.bucket,
-      Key: key,
-      Body: file.buffer,
-      ContentType: file.mimetype
-    }));
-    return { url: buildStoredUrl2(cfg, key), key };
-  },
-  async uploadRaw(buffer, exactKey, mimeType) {
-    const cfg = await getConfig2();
-    const client = buildClient2(cfg);
-    await client.send(new PutObjectCommand2({
-      Bucket: cfg.bucket,
-      Key: exactKey,
-      Body: buffer,
-      ContentType: mimeType
-    }));
-    return { url: buildStoredUrl2(cfg, exactKey), key: exactKey };
-  },
-  async delete(key) {
-    const cfg = await getConfig2();
-    const client = buildClient2(cfg);
-    await client.send(new DeleteObjectCommand2({ Bucket: cfg.bucket, Key: key }));
-  },
-  async getUrl(key) {
-    const cfg = await getConfig2();
-    return buildStoredUrl2(cfg, key);
-  },
-  async presign(filename, mimeType, options) {
-    const cfg = await getConfig2();
-    const client = buildClient2(cfg);
-    const key = buildKey2(cfg, filename, options?.prefix);
-    const command = new PutObjectCommand2({ Bucket: cfg.bucket, Key: key, ContentType: mimeType });
-    const uploadUrl = await getSignedUrl2(client, command, { expiresIn: 300 });
-    return { key, uploadUrl, publicUrl: buildStoredUrl2(cfg, key) };
-  }
-};
-
-// ../core/dist/media/index.js
-var providers = {
-  local: localProvider,
-  s3: s3Provider,
-  r2: r2Provider
-};
-async function getProvider() {
-  const fromSettings = await getSetting("media", "provider");
-  const name = fromSettings ?? process.env.PLANK_MEDIA_PROVIDER ?? "local";
-  const provider = providers[name];
-  if (!provider)
-    throw new Error(`Unknown media provider: "${name}". Use local, s3, or r2.`);
-  return provider;
-}
-var upload = multer({ storage: multer.memoryStorage() });
-
-// ../core/dist/controllers/auth.js
-var LoginSchema = z.object({
-  email: z.email(),
-  password: z.string().min(1)
-});
-var RegisterSchema = z.object({
-  email: z.email(),
-  password: z.string().min(8)
-});
-var loginAttempts = /* @__PURE__ */ new Map();
-var RATE_LIMIT_MAX = 10;
-var RATE_LIMIT_WINDOW_MS = 15 * 60 * 1e3;
-function checkRateLimit(ip) {
-  const now = Date.now();
-  const entry = loginAttempts.get(ip);
-  if (!entry || now > entry.resetAt) {
-    loginAttempts.set(ip, { count: 1, resetAt: now + RATE_LIMIT_WINDOW_MS });
-    return true;
-  }
-  if (entry.count >= RATE_LIMIT_MAX)
-    return false;
-  entry.count++;
-  return true;
-}
-function clearRateLimit(ip) {
-  loginAttempts.delete(ip);
-}
-async function login(req, res) {
-  const ip = req.ip ?? "unknown";
-  if (!checkRateLimit(ip)) {
-    res.status(429).json({ error: "Too many login attempts. Try again in 15 minutes." });
-    return;
-  }
-  const parsed = LoginSchema.safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ errors: flattenError(parsed.error, (i) => i.message) });
-    return;
-  }
-  const { email, password } = parsed.data;
-  const { rows } = await pool_default.query(`SELECT id, email, password, role_id, first_name, last_name, avatar_url, job_title, organization, country
-     FROM plank_users
-     WHERE email = $1`, [email]);
-  const user = rows[0];
-  if (!user || !await bcrypt.compare(password, user.password)) {
-    res.status(401).json({ error: "Invalid credentials" });
-    return;
-  }
-  const { rows: roleRows } = await pool_default.query("SELECT id, name, permissions FROM plank_roles WHERE id = $1", [user.role_id]);
-  clearRateLimit(ip);
-  let avatarUrl = user.avatar_url;
-  if (avatarUrl && !avatarUrl.startsWith("http")) {
-    const provider = await getProvider();
-    avatarUrl = await provider.getUrl(avatarUrl);
-  }
-  const token = jwt.sign({ sub: user.id, roleId: user.role_id }, process.env.PLANK_JWT_SECRET, { expiresIn: "7d" });
-  res.json({
-    token,
-    user: {
-      id: user.id,
-      email: user.email,
-      role: roleRows[0]?.name ?? "unknown",
-      permissions: roleRows[0]?.permissions ?? [],
-      firstName: user.first_name,
-      lastName: user.last_name,
-      avatarUrl,
-      jobTitle: user.job_title,
-      organization: user.organization,
-      country: user.country
-    }
-  });
-}
-async function setup(_req, res) {
-  const { rows } = await pool_default.query("SELECT COUNT(*) as count FROM plank_users");
-  res.json({ needsSetup: parseInt(rows[0].count) === 0 });
-}
-async function register(req, res) {
-  const { rows: countRows } = await pool_default.query("SELECT COUNT(*) as count FROM plank_users");
-  if (parseInt(countRows[0].count) > 0) {
-    res.status(403).json({ error: "Registration is closed. Use the admin panel to manage users." });
-    return;
-  }
-  const parsed = RegisterSchema.safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ errors: flattenError(parsed.error, (i) => i.message) });
-    return;
-  }
-  const { email, password } = parsed.data;
-  const hashed = await bcrypt.hash(password, 12);
-  const { rows: roleRows } = await pool_default.query("SELECT id, name FROM plank_roles WHERE name = $1", ["Super Admin"]);
-  const id = createId();
-  await pool_default.query("INSERT INTO plank_users (id, email, password, role_id) VALUES ($1, $2, $3, $4)", [id, email, hashed, roleRows[0].id]);
-  res.status(201).json({ id, email });
-}
-
-// ../core/dist/routes/auth.js
-var router = Router();
-router.get("/setup", setup);
-router.post("/login", login);
-router.post("/register", register);
-var auth_default = router;
-
-// ../core/dist/routes/admin.js
-import { Router as Router2 } from "express";
-
-// ../core/dist/middlewares/authenticate.js
-import jwt2 from "jsonwebtoken";
-function authenticate(req, res, next) {
-  const header = req.headers.authorization;
-  if (!header?.startsWith("Bearer ")) {
-    res.status(401).json({ error: "Unauthorized" });
-    return;
-  }
-  const token = header.slice(7);
-  try {
-    const payload = jwt2.verify(token, process.env.PLANK_JWT_SECRET);
-    req.user = { id: payload.sub, roleId: payload.roleId };
-    next();
-  } catch {
-    res.status(401).json({ error: "Invalid or expired token" });
-  }
-}
-
-// ../core/dist/middlewares/authorize.js
-function authorize(permission) {
-  return async (req, res, next) => {
-    const { rows } = await pool_default.query("SELECT permissions FROM plank_roles WHERE id = $1", [req.user.roleId]);
-    const permissions = rows[0]?.permissions ?? [];
-    if (permissions.includes("*") || permissions.includes(permission)) {
-      next();
-    } else {
-      res.status(403).json({ error: "Forbidden" });
-    }
-  };
-}
-
-// ../core/dist/controllers/contentTypes.js
-import { z as z2, flattenError as flattenError2 } from "zod";
-var RESERVED_SQL_IDENTIFIERS = /* @__PURE__ */ new Set([
-  "all",
-  "analyse",
-  "analyze",
-  "and",
-  "any",
-  "array",
-  "as",
-  "asc",
-  "asymmetric",
-  "authorization",
-  "between",
-  "binary",
-  "both",
-  "case",
-  "cast",
-  "check",
-  "collate",
-  "column",
-  "constraint",
-  "create",
-  "cross",
-  "current_catalog",
-  "current_date",
-  "current_role",
-  "current_schema",
-  "current_time",
-  "current_timestamp",
-  "current_user",
-  "default",
-  "deferrable",
-  "desc",
-  "distinct",
-  "do",
-  "else",
-  "end",
-  "except",
-  "false",
-  "fetch",
-  "for",
-  "foreign",
-  "from",
-  "grant",
-  "group",
-  "having",
-  "in",
-  "initially",
-  "intersect",
-  "into",
-  "lateral",
-  "leading",
-  "limit",
-  "localtime",
-  "localtimestamp",
-  "not",
-  "null",
-  "offset",
-  "on",
-  "only",
-  "or",
-  "order",
-  "placing",
-  "primary",
-  "references",
-  "returning",
-  "select",
-  "session_user",
-  "some",
-  "symmetric",
-  "table",
-  "then",
-  "to",
-  "trailing",
-  "true",
-  "union",
-  "unique",
-  "user",
-  "using",
-  "variadic",
-  "when",
-  "where",
-  "window",
-  "with"
-]);
-var ArraySubFieldSchema = z2.object({
-  name: z2.string().regex(/^[a-z][a-z0-9_]*$/, "Sub-field name must be lowercase with underscores"),
-  type: z2.enum(["string", "text", "richtext", "number", "boolean", "datetime", "media"]),
-  required: z2.boolean().optional(),
-  subtype: z2.enum(["integer", "float"]).optional(),
-  allowedTypes: z2.array(z2.enum(["image", "video", "audio", "document"])).optional(),
-  width: z2.enum(["full", "two-thirds", "half", "third"]).optional()
-});
-var FieldSchema = z2.object({
-  name: z2.string().regex(/^[a-z][a-z0-9_]*$/, "Field name must be lowercase with underscores"),
-  type: z2.enum(["string", "text", "richtext", "number", "boolean", "datetime", "media", "media-gallery", "relation", "uid", "array"]),
-  required: z2.boolean().optional(),
-  subtype: z2.enum(["integer", "float"]).optional(),
-  relationType: z2.enum(["many-to-one", "one-to-one", "one-to-many", "many-to-many"]).optional(),
-  relatedTable: z2.string().optional(),
-  relatedSlug: z2.string().optional(),
-  relatedField: z2.string().optional(),
-  targetField: z2.string().optional(),
-  allowedTypes: z2.array(z2.enum(["image", "video", "audio", "document"])).optional(),
-  width: z2.enum(["full", "two-thirds", "half", "third"]).optional(),
-  arrayFields: z2.array(ArraySubFieldSchema).optional()
-});
-var ContentTypeSchema = z2.object({
-  name: z2.string().min(1),
-  slug: z2.string().regex(/^[a-z][a-z0-9-]*$/, "Slug must be lowercase with hyphens"),
-  tableName: z2.string().regex(/^[a-z][a-z0-9_]*$/, "Table name must be lowercase with underscores"),
-  fields: z2.array(FieldSchema)
-});
-var CreateContentTypeSchema = ContentTypeSchema.extend({
-  kind: z2.enum(["collection", "single"]).default("collection")
-});
-function isReservedSqlIdentifier(name) {
-  return RESERVED_SQL_IDENTIFIERS.has(name.toLowerCase());
-}
-function findReservedIdentifierErrors(ct) {
-  const errors = [];
-  if (isReservedSqlIdentifier(ct.tableName)) {
-    errors.push(`Table name "${ct.tableName}" is reserved by SQL. Choose a different content type slug.`);
-  }
-  for (const field of ct.fields) {
-    if (isReservedSqlIdentifier(field.name)) {
-      errors.push(`Field name "${field.name}" is reserved by SQL.`);
-    }
-    if (field.type === "array") {
-      for (const subField of field.arrayFields ?? []) {
-        if (isReservedSqlIdentifier(subField.name)) {
-          errors.push(`Sub-field name "${subField.name}" in array field "${field.name}" is reserved by SQL.`);
-        }
-      }
-    }
-  }
-  return errors;
-}
-function inverseRelationType(rt) {
-  if (rt === "many-to-one")
-    return "one-to-many";
-  if (rt === "one-to-many")
-    return "many-to-one";
-  return rt;
-}
-function inverseFieldName(sourceTable, sourceFieldName, existingNames) {
-  const simple = sourceTable;
-  if (!existingNames.includes(simple))
-    return simple;
-  return `${sourceTable}_${sourceFieldName}`;
-}
-async function syncInverseFields(savedCT, prevCT) {
-  const relatedCTCache = /* @__PURE__ */ new Map();
-  async function getRelatedCT(tableName) {
-    if (relatedCTCache.has(tableName))
-      return relatedCTCache.get(tableName) ?? null;
-    const all = await findAllContentTypes();
-    const ct = all.find((c) => c.tableName === tableName) ?? null;
-    relatedCTCache.set(tableName, ct);
-    return ct;
-  }
-  const prevRelFields = new Map((prevCT?.fields ?? []).filter((f) => f.type === "relation" && f.relationType !== "one-to-many").map((f) => [f.name, f]));
-  const nextRelFields = savedCT.fields.filter((f) => f.type === "relation" && f.relationType !== "one-to-many");
-  for (const [fieldName, prevField] of prevRelFields) {
-    if (!prevField.relatedTable)
-      continue;
-    const nextField = savedCT.fields.find((f) => f.name === fieldName);
-    const targetChanged = nextField?.relatedTable !== prevField.relatedTable;
-    if (!nextField || targetChanged) {
-      const relatedCT = await getRelatedCT(prevField.relatedTable);
-      if (!relatedCT)
-        continue;
-      const updated = relatedCT.fields.filter((f) => !(f.type === "relation" && f.relationType === inverseRelationType(prevField.relationType ?? "many-to-one") && f.relatedTable === savedCT.tableName && f.relatedField === fieldName));
-      if (updated.length !== relatedCT.fields.length) {
-        await updateContentType(relatedCT.slug, { ...relatedCT, fields: updated });
-      }
-    }
-  }
-  for (const field of nextRelFields) {
-    if (!field.relatedTable)
-      continue;
-    const relatedCT = await getRelatedCT(field.relatedTable);
-    if (!relatedCT)
-      continue;
-    const invType = inverseRelationType(field.relationType ?? "many-to-one");
-    const existingInvIdx = relatedCT.fields.findIndex((f) => f.type === "relation" && f.relationType === invType && f.relatedTable === savedCT.tableName && f.relatedField === field.name);
-    const invField = {
-      name: existingInvIdx >= 0 ? relatedCT.fields[existingInvIdx].name : inverseFieldName(savedCT.tableName, field.name, relatedCT.fields.map((f) => f.name)),
-      type: "relation",
-      relationType: invType,
-      relatedTable: savedCT.tableName,
-      relatedSlug: savedCT.slug,
-      relatedField: field.name
-    };
-    let updatedFields;
-    if (existingInvIdx >= 0) {
-      updatedFields = relatedCT.fields.map((f, i) => i === existingInvIdx ? invField : f);
-    } else {
-      updatedFields = [...relatedCT.fields, invField];
-    }
-    await updateContentType(relatedCT.slug, { ...relatedCT, fields: updatedFields });
-  }
-}
-async function removeRelationDependencies(deletedTable) {
-  const all = await findAllContentTypes();
-  for (const ct of all) {
-    const toRemove = ct.fields.filter((f) => f.type === "relation" && f.relatedTable === deletedTable.tableName);
-    if (toRemove.length === 0)
-      continue;
-    for (const field of toRemove) {
-      const relType = field.relationType ?? "many-to-one";
-      if (relType === "many-to-one" || relType === "one-to-one") {
-        try {
-          await pool_default.query(`ALTER TABLE ${quoteIdentifier(ct.tableName)} DROP COLUMN IF EXISTS ${quoteIdentifier(field.name)}`);
-        } catch {
-        }
-      }
-      if (relType === "many-to-many") {
-        const jt = `_rel_${ct.tableName}_${field.name}`;
-        await pool_default.query(`DROP TABLE IF EXISTS ${quoteIdentifier(jt)}`);
-      }
-    }
-    const filtered = ct.fields.filter((f) => !(f.type === "relation" && f.relatedTable === deletedTable.tableName));
-    await updateContentType(ct.slug, { ...ct, fields: filtered });
-  }
-}
-var listContentTypes = async (_req, res) => {
-  const contentTypes = await findAllContentTypes();
-  res.json(contentTypes);
-};
-var getContentType = async (req, res) => {
-  const ct = await findContentTypeBySlug(req.params.slug);
-  if (!ct) {
-    res.status(404).json({ error: "Content type not found" });
-    return;
-  }
-  res.json(ct);
-};
-var createContentType = async (req, res) => {
-  const parsed = CreateContentTypeSchema.safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ errors: flattenError2(parsed.error, (i) => i.message) });
-    return;
-  }
-  const reservedErrors = findReservedIdentifierErrors(parsed.data);
-  if (reservedErrors.length > 0) {
-    res.status(400).json({ errors: { formErrors: reservedErrors, fieldErrors: {} } });
-    return;
-  }
-  const ct = await saveContentType(parsed.data);
-  await createTable(ct);
-  try {
-    await syncInverseFields(ct, null);
-  } catch (err) {
-    console.error("[plank] syncInverseFields failed:", err);
-  }
-  res.status(201).json(ct);
-};
-var updateContentType2 = async (req, res) => {
-  const prev = await findContentTypeBySlug(req.params.slug);
-  if (!prev) {
-    res.status(404).json({ error: "Content type not found" });
-    return;
-  }
-  const parsed = ContentTypeSchema.safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ errors: flattenError2(parsed.error, (i) => i.message) });
-    return;
-  }
-  const reservedErrors = findReservedIdentifierErrors(parsed.data);
-  if (reservedErrors.length > 0) {
-    res.status(400).json({ errors: { formErrors: reservedErrors, fieldErrors: {} } });
-    return;
-  }
-  const next = await updateContentType(req.params.slug, { ...parsed.data, kind: prev.kind });
-  await syncTable(next, prev);
-  try {
-    await syncInverseFields(next, prev);
-  } catch (err) {
-    console.error("[plank] syncInverseFields failed:", err);
-  }
-  res.json(next);
-};
-var setDefaultContentType2 = async (req, res) => {
-  const ct = await setDefaultContentType(req.params.slug);
-  res.json(ct);
-};
-var deleteContentType2 = async (req, res) => {
-  const ct = await findContentTypeBySlug(req.params.slug);
-  if (!ct) {
-    res.status(404).json({ error: "Content type not found" });
-    return;
-  }
-  assertSafeIdentifier(ct.tableName);
-  await removeRelationDependencies(ct);
-  await pool_default.query(`DROP TABLE IF EXISTS ${ct.tableName} CASCADE`);
-  await deleteContentType(req.params.slug);
-  res.status(204).end();
-};
-
-// ../core/dist/controllers/webhooks.js
-import { z as z3, flattenError as flattenError3 } from "zod";
-var CreateWebhookSchema = z3.object({
-  name: z3.string().min(1),
-  url: z3.string().url(),
-  events: z3.array(z3.enum(["entry.created", "entry.updated", "entry.deleted", "entry.published", "entry.unpublished"])).min(1)
-});
-async function listWebhooks(_req, res) {
-  try {
-    const { rows } = await pool_default.query("SELECT id, name, url, events, enabled, created_at FROM plank_webhooks ORDER BY created_at DESC");
-    res.json(rows);
-  } catch {
-    res.status(500).json({ error: "Failed to list webhooks" });
-  }
-}
-async function createWebhook(req, res) {
-  const parsed = CreateWebhookSchema.safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ errors: flattenError3(parsed.error, (i) => i.message) });
-    return;
-  }
-  const { name, url, events } = parsed.data;
-  const id = createId();
-  try {
-    const { rows } = await pool_default.query("INSERT INTO plank_webhooks (id, name, url, events) VALUES ($1, $2, $3, $4::text[]) RETURNING *", [id, name, url, events]);
-    res.status(201).json(rows[0]);
-  } catch (err) {
-    console.error("[webhooks] create error:", err);
-    res.status(500).json({ error: "Failed to create webhook" });
-  }
-}
-async function deleteWebhook(req, res) {
-  try {
-    const { rowCount } = await pool_default.query("DELETE FROM plank_webhooks WHERE id = $1", [req.params.id]);
-    if (!rowCount) {
-      res.status(404).json({ error: "Webhook not found" });
-      return;
-    }
-    res.status(204).end();
-  } catch {
-    res.status(500).json({ error: "Failed to delete webhook" });
-  }
-}
-async function triggerWebhooks(event, payload) {
-  const { rows } = await pool_default.query("SELECT * FROM plank_webhooks WHERE enabled = TRUE AND $1 = ANY(events)", [event]);
-  if (rows.length === 0)
-    return;
-  const body = JSON.stringify({ event, ...payload, triggered_at: (/* @__PURE__ */ new Date()).toISOString() });
-  await Promise.allSettled(rows.map((webhook) => fetch(webhook.url, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body,
-    signal: AbortSignal.timeout(1e4)
-  })));
-}
-
-// ../core/dist/controllers/entries.js
-function resolveLocalizedRow(row, ct, locale, fallbacks = []) {
-  const localized = row.localized && typeof row.localized === "object" ? row.localized : {};
-  const resolved = { ...row };
-  const localizableTypes = /* @__PURE__ */ new Set(["string", "text", "richtext", "uid"]);
-  for (const f of ct.fields) {
-    if (!localizableTypes.has(f.type))
-      continue;
-    let val = void 0;
-    if (locale && localized[locale] && localized[locale][f.name] !== void 0) {
-      val = localized[locale][f.name];
-    } else {
-      for (const fb of fallbacks) {
-        if (localized[fb] && localized[fb][f.name] !== void 0) {
-          val = localized[fb][f.name];
-          break;
-        }
-      }
-    }
-    if (val !== void 0)
-      resolved[f.name] = val;
-  }
-  return resolved;
-}
-function junctionTableName2(sourceTable, fieldName) {
-  return `_rel_${sourceTable}_${fieldName}`;
-}
-async function syncManyToMany(entryId, tableName, field, targetIds) {
-  const jt = junctionTableName2(tableName, field.name);
-  await pool_default.query(`DELETE FROM ${quoteIdentifier(jt)} WHERE source_id = $1`, [entryId]);
-  if (targetIds.length === 0)
-    return;
-  const placeholders = targetIds.map((_, i) => `($1, $${i + 2})`).join(", ");
-  await pool_default.query(`INSERT INTO ${quoteIdentifier(jt)} (source_id, target_id) VALUES ${placeholders} ON CONFLICT DO NOTHING`, [entryId, ...targetIds]);
-}
-async function isUserRole(roleId) {
-  if (!roleId)
-    return false;
-  const { rows } = await pool_default.query("SELECT name FROM plank_roles WHERE id = $1", [roleId]);
-  return rows[0]?.name?.toLowerCase() === "user";
-}
-var listEntries = async (req, res) => {
-  const ct = await findContentTypeBySlug(req.params.slug);
-  if (!ct) {
-    res.status(404).json({ error: "Content type not found" });
-    return;
-  }
-  assertSafeIdentifier(ct.tableName);
-  const quotedTableName = quoteIdentifier(ct.tableName);
-  const isUser = await isUserRole(req.user?.roleId);
-  const page = Math.max(1, parseInt(String(req.query.page ?? 1)));
-  const limit = Math.min(100, Math.max(1, parseInt(String(req.query.limit ?? 20))));
-  const offset = (page - 1) * limit;
-  const allowedSort = ["created_at", "updated_at", "published_at", ...ct.fields.map((f) => f.name)];
-  const sortField = allowedSort.includes(String(req.query.sort ?? "")) ? String(req.query.sort) : "created_at";
-  const sortDir = req.query.order === "asc" ? "ASC" : "DESC";
-  assertSafeIdentifier(sortField);
-  const quotedSortField = quoteIdentifier(sortField);
-  const locale = req.query.locale ? String(req.query.locale) : void 0;
-  const fallbacks = req.query.fallback ? String(req.query.fallback).split(",") : [];
-  const ownCollectionOnly = isUser && ct.kind === "collection";
-  const whereClause = ownCollectionOnly ? "WHERE e.created_by = $3" : "";
-  const countWhereClause = ownCollectionOnly ? "WHERE created_by = $1" : "";
-  const listValues = ownCollectionOnly ? [limit, offset, req.user?.id ?? null] : [limit, offset];
-  const countValues = ownCollectionOnly ? [req.user?.id ?? null] : [];
-  const [{ rows }, { rows: countRows }] = await Promise.all([
-    pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url
-       FROM ${quotedTableName} e
-       LEFT JOIN plank_users u ON u.id = e.created_by
-       ${whereClause}
-       ORDER BY e.${quotedSortField} ${sortDir}
-       LIMIT $1 OFFSET $2`, listValues),
-    pool_default.query(`SELECT COUNT(*) as count FROM ${quotedTableName} ${countWhereClause}`, countValues)
-  ]);
-  const provider = await getProvider();
-  function entryMatchesLocale(row, locale2) {
-    if (!locale2)
-      return true;
-    const localized = row.localized && typeof row.localized === "object" ? row.localized : {};
-    const locales = Object.keys(localized).filter((k) => !k.startsWith("_"));
-    const meta = localized._meta || {};
-    const enabled = meta.enabled ?? locales.length > 0;
-    const primary = meta.primary;
-    if (enabled) {
-      return Boolean(localized[locale2]) || primary === locale2;
-    }
-    return primary === locale2;
-  }
-  const filtered = rows.filter((r) => entryMatchesLocale(r, locale));
-  const data = await Promise.all(filtered.map(async (row) => {
-    const mmIds = await loadManyToManyIds(row.id, ct.tableName, ct.fields);
-    const resolved = resolveLocalizedRow(row, ct, locale, fallbacks);
-    const key = resolved._author_avatar_url;
-    if (key && !key.startsWith("http")) {
-      resolved._author_avatar_url = await provider.getUrl(key);
-    }
-    return { ...resolved, ...mmIds };
-  }));
-  let total = parseInt(countRows[0].count);
-  if (locale) {
-    try {
-      const { rows: allRows } = await pool_default.query(`SELECT localized FROM ${quotedTableName}`);
-      const matching = allRows.filter((r) => entryMatchesLocale(r, locale));
-      total = matching.length;
-    } catch (err) {
-    }
-  }
-  res.json({ data, total, page, limit });
-};
-async function loadManyToManyIds(entryId, tableName, fields) {
-  const mmFields = fields.filter((f) => f.type === "relation" && (f.relationType ?? "many-to-one") === "many-to-many");
-  if (mmFields.length === 0)
-    return {};
-  const result = {};
-  await Promise.all(mmFields.map(async (f) => {
-    const jt = junctionTableName2(tableName, f.name);
-    const { rows } = await pool_default.query(`SELECT target_id FROM ${quoteIdentifier(jt)} WHERE source_id = $1`, [entryId]);
-    result[f.name] = rows.map((r) => r.target_id);
-  }));
-  return result;
-}
-var getEntry = async (req, res) => {
-  const ct = await findContentTypeBySlug(req.params.slug);
-  if (!ct) {
-    res.status(404).json({ error: "Content type not found" });
-    return;
-  }
-  assertSafeIdentifier(ct.tableName);
-  const quotedTableName = quoteIdentifier(ct.tableName);
-  const isUser = await isUserRole(req.user?.roleId);
-  const { rows } = await pool_default.query(`SELECT * FROM ${quotedTableName} WHERE id = $1`, [req.params.id]);
-  if (!rows[0]) {
-    res.status(404).json({ error: "Entry not found" });
-    return;
-  }
-  if (isUser && ct.kind === "collection" && rows[0].created_by !== req.user?.id) {
-    res.status(403).json({ error: "Forbidden" });
-    return;
-  }
-  const locale = req.query.locale ? String(req.query.locale) : void 0;
-  const fallbacks = req.query.fallback ? String(req.query.fallback).split(",") : [];
-  const mmIds = await loadManyToManyIds(req.params.id, ct.tableName, ct.fields);
-  const provider = await getProvider();
-  const resolved = resolveLocalizedRow(rows[0], ct, locale, fallbacks);
-  const key = resolved._author_avatar_url;
-  if (key && !key.startsWith("http"))
-    resolved._author_avatar_url = await provider.getUrl(key);
-  res.json({ ...resolved, ...mmIds });
-};
-var createEntry = async (req, res) => {
-  const ct = await findContentTypeBySlug(req.params.slug);
-  if (!ct) {
-    res.status(404).json({ error: "Content type not found" });
-    return;
-  }
-  validate(ct, req.body);
-  assertSafeIdentifier(ct.tableName);
-  const quotedTableName = quoteIdentifier(ct.tableName);
-  const isUser = await isUserRole(req.user?.roleId);
-  if (isUser && ct.kind === "single") {
-    res.status(403).json({ error: "Single types are read-only for User role" });
-    return;
-  }
-  const mmFields = ct.fields.filter((f) => f.type === "relation" && (f.relationType ?? "many-to-one") === "many-to-many" && req.body[f.name] !== void 0);
-  const fields = ct.fields.filter((f) => req.body[f.name] !== void 0 && !isVirtualRelation(f));
-  fields.forEach((f) => assertSafeIdentifier(f.name));
-  if (ct.kind === "single") {
-    const { rows: existing } = await pool_default.query(`SELECT id FROM ${quotedTableName} LIMIT 1`);
-    if (existing[0]) {
-      const setClauses = fields.map((f, i) => f.type === "media-gallery" || f.type === "array" ? `${quoteIdentifier(f.name)} = $${i + 1}::jsonb` : `${quoteIdentifier(f.name)} = $${i + 1}`).join(", ");
-      const extraClauses = [];
-      const extraValues2 = [];
-      if (req.body.localized !== void 0) {
-        extraClauses.push(`localized = $${fields.length + 1}::jsonb`);
-        extraValues2.push(JSON.stringify(req.body.localized));
-      }
-      const allClauses = [setClauses, ...extraClauses].filter(Boolean).join(", ");
-      const values2 = [
-        ...fields.map((f) => {
-          const v = req.body[f.name];
-          return f.type === "media-gallery" || f.type === "array" ? JSON.stringify(v) : v;
-        }),
-        ...extraValues2,
-        existing[0].id
-      ];
-      const updateSql = fields.length + extraValues2.length > 0 ? `UPDATE ${quotedTableName} SET ${allClauses}, updated_at = NOW() WHERE id = $${fields.length + extraValues2.length + 1} RETURNING *` : `UPDATE ${quotedTableName} SET updated_at = NOW() WHERE id = $1 RETURNING *`;
-      const updateValues = fields.length + extraValues2.length > 0 ? values2 : [existing[0].id];
-      const { rows: rows2 } = await pool_default.query(updateSql, updateValues);
-      await Promise.all(mmFields.map((f) => {
-        const ids = Array.isArray(req.body[f.name]) ? req.body[f.name] : [];
-        return syncManyToMany(existing[0].id, ct.tableName, f, ids);
-      }));
-      res.json(rows2[0]);
-      return;
-    }
-  }
-  const id = createId();
-  const userId = req.user?.id ?? null;
-  const extraCols = [];
-  const extraPlaceholders = [];
-  const extraValues = [];
-  if (req.body.localized !== void 0) {
-    extraCols.push("localized");
-    extraPlaceholders.push(`$${3 + fields.length}::jsonb`);
-    extraValues.push(JSON.stringify(req.body.localized));
-  }
-  const cols = ["id", "created_by", ...fields.map((f) => f.name), ...extraCols].map((col) => quoteIdentifier(col)).join(", ");
-  const placeholders = [
-    "$1",
-    "$2",
-    ...fields.map((f, i) => f.type === "media-gallery" || f.type === "array" ? `$${i + 3}::jsonb` : `$${i + 3}`),
-    ...extraPlaceholders
-  ].join(", ");
-  const values = [
-    id,
-    userId,
-    ...fields.map((f) => {
-      const v = req.body[f.name];
-      return f.type === "media-gallery" || f.type === "array" ? JSON.stringify(v) : v;
-    }),
-    ...extraValues
-  ];
-  const { rows } = await pool_default.query(`INSERT INTO ${quotedTableName} (${cols}) VALUES (${placeholders}) RETURNING *`, values);
-  await Promise.all(mmFields.map((f) => {
-    const ids = Array.isArray(req.body[f.name]) ? req.body[f.name] : [];
-    return syncManyToMany(id, ct.tableName, f, ids);
-  }));
-  res.status(201).json(rows[0]);
-  triggerWebhooks("entry.created", { content_type: req.params.slug, entry_id: rows[0].id });
-};
-var getSingleEntry = async (req, res) => {
-  const ct = await findContentTypeBySlug(req.params.slug);
-  if (!ct) {
-    res.status(404).json({ error: "Content type not found" });
-    return;
-  }
-  if (ct.kind !== "single") {
-    res.status(400).json({ error: "Content type is not a Single Type" });
-    return;
-  }
-  assertSafeIdentifier(ct.tableName);
-  const quotedTableName = quoteIdentifier(ct.tableName);
-  const { rows } = await pool_default.query(`SELECT * FROM ${quotedTableName} LIMIT 1`);
-  if (!rows[0]) {
-    res.status(404).json({ error: "No entry found" });
-    return;
-  }
-  const locale = req.query.locale ? String(req.query.locale) : void 0;
-  const fallbacks = req.query.fallback ? String(req.query.fallback).split(",") : [];
-  const mmIds = await loadManyToManyIds(rows[0].id, ct.tableName, ct.fields);
-  const provider = await getProvider();
-  const resolved = resolveLocalizedRow(rows[0], ct, locale, fallbacks);
-  const key = resolved._author_avatar_url;
-  if (key && !key.startsWith("http"))
-    resolved._author_avatar_url = await provider.getUrl(key);
-  res.json({ ...resolved, ...mmIds });
-};
-var updateEntry = async (req, res) => {
-  const ct = await findContentTypeBySlug(req.params.slug);
-  if (!ct) {
-    res.status(404).json({ error: "Content type not found" });
-    return;
-  }
-  validate(ct, req.body);
-  assertSafeIdentifier(ct.tableName);
-  const quotedTableName = quoteIdentifier(ct.tableName);
-  const isUser = await isUserRole(req.user?.roleId);
-  if (isUser && ct.kind === "single") {
-    res.status(403).json({ error: "Single types are read-only for User role" });
-    return;
-  }
-  if (isUser && ct.kind === "collection") {
-    const { rows: authorRows } = await pool_default.query(`SELECT created_by FROM ${quotedTableName} WHERE id = $1`, [req.params.id]);
-    if (!authorRows[0]) {
-      res.status(404).json({ error: "Entry not found" });
-      return;
-    }
-    if (authorRows[0].created_by !== req.user?.id) {
-      res.status(403).json({ error: "Forbidden" });
-      return;
-    }
-  }
-  const mmFields = ct.fields.filter((f) => f.type === "relation" && (f.relationType ?? "many-to-one") === "many-to-many" && req.body[f.name] !== void 0);
-  const fields = ct.fields.filter((f) => req.body[f.name] !== void 0 && !isVirtualRelation(f));
-  fields.forEach((f) => assertSafeIdentifier(f.name));
-  const setClauses = fields.map((f, i) => f.type === "media-gallery" || f.type === "array" ? `${quoteIdentifier(f.name)} = $${i + 1}::jsonb` : `${quoteIdentifier(f.name)} = $${i + 1}`).join(", ");
-  const extraClauses = [];
-  const extraValues = [];
-  if (req.body.localized !== void 0) {
-    extraClauses.push(`localized = $${fields.length + 1}::jsonb`);
-    extraValues.push(JSON.stringify(req.body.localized));
-  }
-  const allClauses = [setClauses, ...extraClauses].filter(Boolean).join(", ");
-  const values = [
-    ...fields.map((f) => {
-      const v = req.body[f.name];
-      return f.type === "media-gallery" || f.type === "array" ? JSON.stringify(v) : v;
-    }),
-    ...extraValues,
-    req.params.id
-  ];
-  const updateSql = fields.length + extraValues.length > 0 ? `UPDATE ${quotedTableName} SET ${allClauses}, updated_at = NOW() WHERE id = $${fields.length + extraValues.length + 1} RETURNING *` : `UPDATE ${quotedTableName} SET updated_at = NOW() WHERE id = $1 RETURNING *`;
-  const updateValues = fields.length + extraValues.length > 0 ? values : [req.params.id];
-  const { rows } = await pool_default.query(updateSql, updateValues);
-  if (!rows[0]) {
-    res.status(404).json({ error: "Entry not found" });
-    return;
-  }
-  await Promise.all(mmFields.map((f) => {
-    const ids = Array.isArray(req.body[f.name]) ? req.body[f.name] : [];
-    return syncManyToMany(req.params.id, ct.tableName, f, ids);
-  }));
-  res.json(rows[0]);
-  triggerWebhooks("entry.updated", { content_type: req.params.slug, entry_id: req.params.id });
-};
-var SNAPSHOT_EXCLUDED = [
-  "'id'",
-  "'status'",
-  "'published_data'",
-  "'published_at'",
-  "'scheduled_for'",
-  "'created_at'",
-  "'updated_at'"
-];
-function buildSnapshotExpr(tableName) {
-  const strip = SNAPSHOT_EXCLUDED.reduce((expr, col) => `${expr} - ${col}`, `to_jsonb(t.*)`);
-  return `(SELECT ${strip} FROM ${quoteIdentifier(tableName)} t WHERE t.id = $1)`;
-}
-var patchEntryStatus = async (req, res) => {
-  const { status, scheduled_for } = req.body;
-  if (status !== "draft" && status !== "published" && status !== "scheduled") {
-    res.status(400).json({ error: "status must be draft, published, or scheduled" });
-    return;
-  }
-  if (status === "scheduled") {
-    if (!scheduled_for || typeof scheduled_for !== "string" || isNaN(Date.parse(scheduled_for))) {
-      res.status(400).json({ error: "scheduled_for must be a valid ISO date string" });
-      return;
-    }
-    if (new Date(scheduled_for) <= /* @__PURE__ */ new Date()) {
-      res.status(400).json({ error: "scheduled_for must be in the future" });
-      return;
-    }
-  }
-  const ct = await findContentTypeBySlug(req.params.slug);
-  if (!ct) {
-    res.status(404).json({ error: "Content type not found" });
-    return;
-  }
-  assertSafeIdentifier(ct.tableName);
-  const quotedTableName = quoteIdentifier(ct.tableName);
-  const isUser = await isUserRole(req.user?.roleId);
-  if (isUser && ct.kind === "single") {
-    res.status(403).json({ error: "Single types are read-only for User role" });
-    return;
-  }
-  if (isUser && ct.kind === "collection") {
-    const { rows: authorRows } = await pool_default.query(`SELECT created_by FROM ${quotedTableName} WHERE id = $1`, [req.params.id]);
-    if (!authorRows[0]) {
-      res.status(404).json({ error: "Entry not found" });
-      return;
-    }
-    if (authorRows[0].created_by !== req.user?.id) {
-      res.status(403).json({ error: "Forbidden" });
-      return;
-    }
-  }
-  let sql;
-  let values;
-  if (status === "published") {
-    sql = `
-      UPDATE ${quotedTableName} SET
-        status = 'published',
-        published_data = ${buildSnapshotExpr(ct.tableName)},
-        published_at = NOW(),
-        scheduled_for = NULL,
-        updated_at = NOW()
-      WHERE id = $1
-      RETURNING *
-    `;
-    values = [req.params.id];
-  } else if (status === "scheduled") {
-    sql = `
-      UPDATE ${quotedTableName} SET
-        status = 'scheduled',
-        scheduled_for = $2,
-        updated_at = NOW()
-      WHERE id = $1
-      RETURNING *
-    `;
-    values = [req.params.id, scheduled_for];
-  } else {
-    sql = `
-      UPDATE ${quotedTableName} SET
-        status = 'draft',
-        published_data = NULL,
-        published_at = NULL,
-        scheduled_for = NULL,
-        updated_at = NOW()
-      WHERE id = $1
-      RETURNING *
-    `;
-    values = [req.params.id];
-  }
-  const { rows } = await pool_default.query(sql, values);
-  if (!rows[0]) {
-    res.status(404).json({ error: "Entry not found" });
-    return;
-  }
-  res.json(rows[0]);
-  const webhookEvent = status === "published" ? "entry.published" : status === "draft" ? "entry.unpublished" : null;
-  if (webhookEvent)
-    triggerWebhooks(webhookEvent, { content_type: req.params.slug, entry_id: req.params.id });
-};
-var deleteEntry = async (req, res) => {
-  const ct = await findContentTypeBySlug(req.params.slug);
-  if (!ct) {
-    res.status(404).json({ error: "Content type not found" });
-    return;
-  }
-  assertSafeIdentifier(ct.tableName);
-  const quotedTableName = quoteIdentifier(ct.tableName);
-  const isUser = await isUserRole(req.user?.roleId);
-  if (isUser && ct.kind === "single") {
-    res.status(403).json({ error: "Single types are read-only for User role" });
-    return;
-  }
-  if (isUser && ct.kind === "collection") {
-    const { rows: authorRows } = await pool_default.query(`SELECT created_by FROM ${quotedTableName} WHERE id = $1`, [req.params.id]);
-    if (!authorRows[0]) {
-      res.status(404).json({ error: "Entry not found" });
-      return;
-    }
-    if (authorRows[0].created_by !== req.user?.id) {
-      res.status(403).json({ error: "Forbidden" });
-      return;
-    }
-  }
-  const { rowCount } = await pool_default.query(`DELETE FROM ${quotedTableName} WHERE id = $1`, [
-    req.params.id
-  ]);
-  if (!rowCount) {
-    res.status(404).json({ error: "Entry not found" });
-    return;
-  }
-  res.status(204).end();
-  triggerWebhooks("entry.deleted", { content_type: req.params.slug, entry_id: req.params.id });
-};
-
-// ../core/dist/controllers/users.js
-import bcrypt2 from "bcryptjs";
-import { z as z4, flattenError as flattenError4 } from "zod";
-var CreateUserSchema = z4.object({
-  email: z4.email(),
-  password: z4.string().min(8),
-  roleId: z4.string().min(1)
-});
-var UpdateUserSchema = z4.object({
-  email: z4.email().optional(),
-  roleId: z4.string().min(1).optional(),
-  firstName: z4.string().max(100).nullable().optional(),
-  lastName: z4.string().max(100).nullable().optional()
-});
-var ChangePasswordSchema = z4.object({
-  currentPassword: z4.string().min(1),
-  newPassword: z4.string().min(8)
-});
-var UpdateMeSchema = z4.object({
-  firstName: z4.string().max(100).optional(),
-  lastName: z4.string().max(100).optional(),
-  jobTitle: z4.string().max(100).optional(),
-  organization: z4.string().max(150).optional(),
-  country: z4.string().max(100).optional()
-});
-async function resolveAvatarUrl(row) {
-  if (!row.avatar_url || row.avatar_url.startsWith("http"))
-    return row;
-  const provider = await getProvider();
-  return { ...row, avatar_url: await provider.getUrl(row.avatar_url) };
-}
-async function roleNameById(roleId) {
-  const { rows } = await pool_default.query("SELECT name FROM plank_roles WHERE id = $1", [roleId]);
-  return rows[0]?.name ?? null;
-}
-async function listUsers(_req, res) {
-  const { rows } = await pool_default.query(`SELECT u.id, u.email, u.role_id, r.name as role_name, u.first_name, u.last_name, u.created_at
-     FROM plank_users u
-     JOIN plank_roles r ON r.id = u.role_id
-     ORDER BY u.created_at DESC`);
-  res.json(rows);
-}
-async function getMe(req, res) {
-  const { rows } = await pool_default.query(`SELECT u.id, u.email, u.role_id, u.first_name, u.last_name, u.avatar_url,
-            u.job_title, u.organization, u.country, u.created_at,
-            r.permissions
-     FROM plank_users u
-     JOIN plank_roles r ON r.id = u.role_id
-     WHERE u.id = $1`, [req.user.id]);
-  if (!rows[0]) {
-    res.status(404).json({ error: "User not found" });
-    return;
-  }
-  const resolved = await resolveAvatarUrl(rows[0]);
-  res.json({ ...resolved, permissions: rows[0].permissions });
-}
-async function updateMe(req, res) {
-  const parsed = UpdateMeSchema.safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ errors: flattenError4(parsed.error, (i) => i.message) });
-    return;
-  }
-  const { firstName, lastName, jobTitle, organization, country } = parsed.data;
-  const { rows } = await pool_default.query(`UPDATE plank_users
-     SET first_name   = COALESCE($1, first_name),
-         last_name    = COALESCE($2, last_name),
-         job_title    = COALESCE($3, job_title),
-         organization = COALESCE($4, organization),
-         country      = COALESCE($5, country)
-     WHERE id = $6
-     RETURNING id, email, role_id, first_name, last_name, avatar_url,
-               job_title, organization, country, created_at`, [firstName ?? null, lastName ?? null, jobTitle ?? null, organization ?? null, country ?? null, req.user.id]);
-  if (!rows[0]) {
-    res.status(404).json({ error: "User not found" });
-    return;
-  }
-  res.json(await resolveAvatarUrl(rows[0]));
-}
-async function uploadAvatar(req, res) {
-  if (!req.file) {
-    res.status(400).json({ error: "No file provided" });
-    return;
-  }
-  const provider = await getProvider();
-  const { key } = await provider.upload(req.file, { prefix: "avatars" });
-  const { rows } = await pool_default.query(`UPDATE plank_users SET avatar_url = $1 WHERE id = $2
-     RETURNING id, email, role_id, first_name, last_name, avatar_url, created_at`, [key, req.user.id]);
-  const avatarUrl = await provider.getUrl(key);
-  res.json({ avatarUrl, user: await resolveAvatarUrl(rows[0]) });
-}
-async function presignAvatar(req, res) {
-  const { filename, mimeType } = req.body;
-  if (!filename || !mimeType) {
-    res.status(400).json({ error: "filename and mimeType are required" });
-    return;
-  }
-  const provider = await getProvider();
-  if (!provider.presign) {
-    res.json({ mode: "direct" });
-    return;
-  }
-  const { key, uploadUrl } = await provider.presign(filename, mimeType, { prefix: "avatars" });
-  res.json({ mode: "presigned", key, uploadUrl });
-}
-async function confirmAvatar(req, res) {
-  const { key } = req.body;
-  if (!key) {
-    res.status(400).json({ error: "key is required" });
-    return;
-  }
-  const provider = await getProvider();
-  const { rows } = await pool_default.query(`UPDATE plank_users SET avatar_url = $1 WHERE id = $2
-     RETURNING id, email, role_id, first_name, last_name, avatar_url, created_at`, [key, req.user.id]);
-  const avatarUrl = await provider.getUrl(key);
-  res.json({ avatarUrl, user: await resolveAvatarUrl(rows[0]) });
-}
-async function deleteAvatar(req, res) {
-  const { rows } = await pool_default.query("SELECT avatar_url FROM plank_users WHERE id = $1", [req.user.id]);
-  const current = rows[0]?.avatar_url;
-  if (current && !current.startsWith("http")) {
-    const provider = await getProvider();
-    await provider.delete(current).catch(() => {
-    });
-  }
-  await pool_default.query("UPDATE plank_users SET avatar_url = NULL WHERE id = $1", [req.user.id]);
-  res.status(204).end();
-}
-async function changePassword(req, res) {
-  const parsed = ChangePasswordSchema.safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ errors: flattenError4(parsed.error, (i) => i.message) });
-    return;
-  }
-  const { rows } = await pool_default.query("SELECT password FROM plank_users WHERE id = $1", [req.user.id]);
-  if (!rows[0]) {
-    res.status(404).json({ error: "User not found" });
-    return;
-  }
-  const valid = await bcrypt2.compare(parsed.data.currentPassword, rows[0].password);
-  if (!valid) {
-    res.status(400).json({ error: "Current password is incorrect" });
-    return;
-  }
-  const hashed = await bcrypt2.hash(parsed.data.newPassword, 12);
-  await pool_default.query("UPDATE plank_users SET password = $1 WHERE id = $2", [hashed, req.user.id]);
-  res.status(204).end();
-}
-async function createUser(req, res) {
-  const parsed = CreateUserSchema.safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ errors: flattenError4(parsed.error, (i) => i.message) });
-    return;
-  }
-  const { email, password, roleId } = parsed.data;
-  const requesterRoleName = await roleNameById(req.user.roleId);
-  const targetRoleName = await roleNameById(roleId);
-  if (targetRoleName === "Super Admin" && requesterRoleName !== "Super Admin") {
-    res.status(403).json({ error: "Only Super Admin can assign Super Admin role" });
-    return;
-  }
-  const hashed = await bcrypt2.hash(password, 12);
-  const id = createId();
-  await pool_default.query("INSERT INTO plank_users (id, email, password, role_id) VALUES ($1, $2, $3, $4)", [id, email, hashed, roleId]);
-  res.status(201).json({ id, email, roleId });
-}
-async function updateUser(req, res) {
-  const parsed = UpdateUserSchema.safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ errors: flattenError4(parsed.error, (i) => i.message) });
-    return;
-  }
-  const { email, roleId, firstName, lastName } = parsed.data;
-  const requesterRoleName = await roleNameById(req.user.roleId);
-  const { rows: targetRows } = await pool_default.query("SELECT role_id FROM plank_users WHERE id = $1", [req.params.id]);
-  if (!targetRows[0]) {
-    res.status(404).json({ error: "User not found" });
-    return;
-  }
-  const targetCurrentRoleName = await roleNameById(targetRows[0].role_id);
-  if (targetCurrentRoleName === "Super Admin" && requesterRoleName !== "Super Admin") {
-    res.status(403).json({ error: "Only Super Admin can edit Super Admin users" });
-    return;
-  }
-  if (roleId) {
-    const nextRoleName = await roleNameById(roleId);
-    if (nextRoleName === "Super Admin" && requesterRoleName !== "Super Admin") {
-      res.status(403).json({ error: "Only Super Admin can assign Super Admin role" });
-      return;
-    }
-  }
-  const { rows } = await pool_default.query(`UPDATE plank_users
-     SET email      = COALESCE($1, email),
-         role_id    = COALESCE($2, role_id),
-         first_name = COALESCE($3, first_name),
-         last_name  = COALESCE($4, last_name)
-     WHERE id = $5
-     RETURNING id, email, role_id, first_name, last_name, created_at`, [email ?? null, roleId ?? null, firstName ?? null, lastName ?? null, req.params.id]);
-  if (!rows[0]) {
-    res.status(404).json({ error: "User not found" });
-    return;
-  }
-  res.json(rows[0]);
-}
-async function deleteUser(req, res) {
-  if (req.params.id === req.user.id) {
-    res.status(403).json({ error: "You cannot delete your own account" });
-    return;
-  }
-  const { rows } = await pool_default.query("SELECT role_id FROM plank_users WHERE id = $1", [req.params.id]);
-  if (!rows[0]) {
-    res.status(404).json({ error: "User not found" });
-    return;
-  }
-  const { rows: roleRows } = await pool_default.query("SELECT name FROM plank_roles WHERE id = $1", [rows[0].role_id]);
-  if (roleRows[0]?.name === "Super Admin") {
-    res.status(403).json({ error: "Super Admin users cannot be deleted" });
-    return;
-  }
-  await pool_default.query("DELETE FROM plank_users WHERE id = $1", [req.params.id]);
-  res.status(204).end();
-}
-
-// ../core/dist/controllers/userPrefs.js
-import { z as z5 } from "zod";
-var SetPrefSchema = z5.object({ value: z5.unknown() });
-async function getUserPref(req, res) {
-  const { rows } = await pool_default.query("SELECT value FROM plank_user_prefs WHERE user_id = $1 AND key = $2", [req.user.id, req.params.key]);
-  res.json({ value: rows[0] ? JSON.parse(rows[0].value) : null });
-}
-async function setUserPref(req, res) {
-  const parsed = SetPrefSchema.safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ error: "Invalid body" });
-    return;
-  }
-  await pool_default.query(`INSERT INTO plank_user_prefs (user_id, key, value, updated_at)
-     VALUES ($1, $2, $3, NOW())
-     ON CONFLICT (user_id, key) DO UPDATE SET value = EXCLUDED.value, updated_at = NOW()`, [req.user.id, req.params.key, JSON.stringify(parsed.data.value)]);
-  res.status(204).end();
-}
-
-// ../core/dist/controllers/roles.js
-import { z as z6 } from "zod";
-async function listRoles(_req, res) {
-  const { rows } = await pool_default.query("SELECT id, name, permissions FROM plank_roles ORDER BY name ASC");
-  res.json(rows);
-}
-async function updateRole(req, res) {
-  const { rows: target } = await pool_default.query("SELECT name FROM plank_roles WHERE id = $1", [req.params.id]);
-  if (!target[0]) {
-    res.status(404).json({ error: "Role not found" });
-    return;
-  }
-  if (target[0].name === "Super Admin") {
-    res.status(403).json({ error: "Super Admin permissions cannot be modified" });
-    return;
-  }
-  const parsed = z6.object({ permissions: z6.array(z6.string()) }).safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ error: "Invalid permissions" });
-    return;
-  }
-  const { rows } = await pool_default.query("UPDATE plank_roles SET permissions = $1 WHERE id = $2 RETURNING id, name, permissions", [JSON.stringify(parsed.data.permissions), req.params.id]);
-  res.json(rows[0]);
-}
-async function resetRoles(_req, res) {
-  for (const [name, permissions] of Object.entries(DEFAULT_ROLE_PERMISSIONS)) {
-    if (name === "Super Admin")
-      continue;
-    await pool_default.query("UPDATE plank_roles SET permissions = $1 WHERE name = $2", [JSON.stringify(permissions), name]);
-  }
-  const { rows } = await pool_default.query("SELECT id, name, permissions FROM plank_roles ORDER BY name ASC");
-  res.json(rows);
-}
-
-// ../core/dist/controllers/apiTokens.js
-import { randomBytes as randomBytes5, createHash } from "crypto";
-import { z as z7, flattenError as flattenError5 } from "zod";
-var CreateTokenSchema = z7.object({
-  name: z7.string().min(1),
-  accessType: z7.enum(["read-only", "full-access"])
-});
-function hashToken(token) {
-  return createHash("sha256").update(token).digest("hex");
-}
-async function listApiTokens(_req, res) {
-  const { rows } = await pool_default.query("SELECT id, name, access_type, created_at FROM plank_api_tokens ORDER BY created_at DESC");
-  res.json(rows);
-}
-async function createApiToken(req, res) {
-  const parsed = CreateTokenSchema.safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ errors: flattenError5(parsed.error, (i) => i.message) });
-    return;
-  }
-  const { name, accessType } = parsed.data;
-  const id = createId();
-  const token = `plank_${randomBytes5(32).toString("hex")}`;
-  const hashed = hashToken(token);
-  await pool_default.query("INSERT INTO plank_api_tokens (id, name, token, access_type, created_by) VALUES ($1, $2, $3, $4, $5)", [id, name, hashed, accessType, req.user.id]);
-  res.status(201).json({ id, name, accessType, token });
-}
-async function deleteApiToken(req, res) {
-  const { rowCount } = await pool_default.query("DELETE FROM plank_api_tokens WHERE id = $1", [req.params.id]);
-  if (!rowCount) {
-    res.status(404).json({ error: "API token not found" });
-    return;
-  }
-  res.status(204).end();
-}
-
-// ../core/dist/controllers/media.js
-import { randomBytes as randomBytes6 } from "crypto";
-var MEDIA_PREFIX = "media";
-async function listMedia(req, res) {
-  const page = Math.max(1, parseInt(req.query.page) || 1);
-  const limit = Math.min(100, Math.max(1, parseInt(req.query.limit) || 24));
-  const offset = (page - 1) * limit;
-  const folderId = req.query.folder_id || null;
-  const { rows } = await pool_default.query(`SELECT *, COUNT(*) OVER() AS total
-     FROM plank_media
-     WHERE folder_id IS NOT DISTINCT FROM $3
-     ORDER BY created_at DESC
-     LIMIT $1 OFFSET $2`, [limit, offset, folderId]);
-  const provider = await getProvider();
-  const items = await Promise.all(rows.map(async (r) => ({
-    id: r.id,
-    filename: r.filename,
-    url: await provider.getUrl(r.provider_key),
-    mime_type: r.mime_type,
-    size: r.size,
-    alt: r.alt,
-    width: r.width,
-    height: r.height,
-    folder_id: r.folder_id,
-    uploaded_by: r.uploaded_by,
-    created_at: r.created_at
-  })));
-  const total = rows[0] ? parseInt(rows[0].total) : 0;
-  res.json({ items, total, page, limit, pages: Math.ceil(total / limit) });
-}
-async function uploadMedia(req, res) {
-  const files = req.files ?? [];
-  if (files.length === 0) {
-    res.status(400).json({ error: "No file provided" });
-    return;
-  }
-  const folderId = req.body.folder_id || null;
-  const isBundle = req.body.bundle === "true";
-  const provider = await getProvider();
-  if (folderId) {
-    const { rows } = await pool_default.query("SELECT id FROM plank_folders WHERE id = $1", [folderId]);
-    if (!rows[0]) {
-      res.status(404).json({ error: "Folder not found" });
-      return;
-    }
-  }
-  if (isBundle) {
-    const m3u8File = files.find((f) => f.originalname.endsWith(".m3u8"));
-    if (!m3u8File) {
-      res.status(400).json({ error: "No .m3u8 file found in bundle" });
-      return;
-    }
-    const bundleId = randomBytes6(8).toString("hex");
-    const prefix = [MEDIA_PREFIX, folderId, bundleId].filter(Boolean).join("/");
-    const rootDir = m3u8File.originalname.includes("/") ? m3u8File.originalname.split("/")[0] : null;
-    const stripRoot = (path) => rootDir && path.startsWith(`${rootDir}/`) ? path.slice(rootDir.length + 1) : path;
-    await Promise.all(files.map((file2) => {
-      const relativePath = stripRoot(file2.originalname);
-      const exactKey = `${prefix}/${relativePath}`;
-      return provider.uploadRaw(file2.buffer, exactKey, file2.mimetype);
-    }));
-    const m3u8RelPath = stripRoot(m3u8File.originalname);
-    const m3u8Key = `${prefix}/${m3u8RelPath}`;
-    const m3u8Url = await provider.getUrl(m3u8Key);
-    const id2 = createId();
-    const filename = m3u8File.originalname.split("/").pop() ?? m3u8File.originalname;
-    await pool_default.query(`INSERT INTO plank_media (id, filename, url, provider_key, mime_type, size, folder_id, uploaded_by)
-       VALUES ($1, $2, $3, $4, $5, $6, $7, $8)`, [id2, filename, m3u8Url, m3u8Key, m3u8File.mimetype, m3u8File.size, folderId, req.user.id]);
-    res.status(201).json({ id: id2, url: m3u8Url, filename });
-    return;
-  }
-  const file = files[0];
-  const { url, key } = await provider.upload(file, { prefix: folderId ? `${MEDIA_PREFIX}/${folderId}` : MEDIA_PREFIX });
-  const id = createId();
-  const width = req.body.width ? parseInt(req.body.width) : null;
-  const height = req.body.height ? parseInt(req.body.height) : null;
-  await pool_default.query(`INSERT INTO plank_media (id, filename, url, provider_key, mime_type, size, alt, width, height, folder_id, uploaded_by)
-     VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)`, [id, file.originalname, url, key, file.mimetype, file.size, null, width, height, folderId, req.user.id]);
-  const resolvedUrl = await provider.getUrl(key);
-  res.status(201).json({ id, url: resolvedUrl, filename: file.originalname, alt: null, width, height });
-}
-async function deleteMedia(req, res) {
-  const { id } = req.params;
-  const { rows } = await pool_default.query("SELECT * FROM plank_media WHERE id = $1", [id]);
-  if (!rows[0]) {
-    res.status(404).json({ error: "Media not found" });
-    return;
-  }
-  const provider = await getProvider();
-  await provider.delete(rows[0].provider_key);
-  await pool_default.query("DELETE FROM plank_media WHERE id = $1", [id]);
-  res.status(204).end();
-}
-async function presignMedia(req, res) {
-  const { filename, mimeType, folderId } = req.body;
-  if (!filename || !mimeType) {
-    res.status(400).json({ error: "filename and mimeType are required" });
-    return;
-  }
-  const provider = await getProvider();
-  if (!provider.presign) {
-    res.json({ mode: "direct" });
-    return;
-  }
-  if (folderId) {
-    const { rows } = await pool_default.query("SELECT id FROM plank_folders WHERE id = $1", [folderId]);
-    if (!rows[0]) {
-      res.status(404).json({ error: "Folder not found" });
-      return;
-    }
-  }
-  const prefix = folderId ? `${MEDIA_PREFIX}/${folderId}` : MEDIA_PREFIX;
-  const result = await provider.presign(filename, mimeType, { prefix });
-  res.json({ mode: "presigned", ...result });
-}
-async function confirmMedia(req, res) {
-  const { key, filename, mimeType, size, folderId, width, height } = req.body;
-  if (!key || !filename || !mimeType) {
-    res.status(400).json({ error: "key, filename and mimeType are required" });
-    return;
-  }
-  const provider = await getProvider();
-  const url = await provider.getUrl(key);
-  const id = createId();
-  await pool_default.query(`INSERT INTO plank_media (id, filename, url, provider_key, mime_type, size, alt, width, height, folder_id, uploaded_by)
-     VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)`, [id, filename, url, key, mimeType, size ?? null, null, width ?? null, height ?? null, folderId ?? null, req.user.id]);
-  res.status(201).json({ id, url, filename, alt: null, width: width ?? null, height: height ?? null });
-}
-async function updateMedia(req, res) {
-  const { id } = req.params;
-  const { filename, alt } = req.body;
-  const { rows } = await pool_default.query(`UPDATE plank_media
-     SET filename = COALESCE($1, filename),
-         alt      = $2
-     WHERE id = $3
-     RETURNING *`, [filename ?? null, alt ?? null, id]);
-  if (!rows[0]) {
-    res.status(404).json({ error: "Media not found" });
-    return;
-  }
-  const provider = await getProvider();
-  const url = await provider.getUrl(rows[0].provider_key);
-  res.json({ ...rows[0], url });
-}
-async function getMediaUrl(req, res) {
-  const { id } = req.params;
-  const { rows } = await pool_default.query("SELECT * FROM plank_media WHERE id = $1", [id]);
-  if (!rows[0]) {
-    res.status(404).json({ error: "Media not found" });
-    return;
-  }
-  const provider = await getProvider();
-  const url = await provider.getUrl(rows[0].provider_key);
-  res.json({ id, url });
-}
-
-// ../core/dist/controllers/folders.js
-async function listFolders(req, res) {
-  const parentId = req.query.parent_id || null;
-  const { rows } = await pool_default.query(`SELECT f.*,
-      (
-        (SELECT COUNT(*) FROM plank_folders sub WHERE sub.parent_id = f.id) +
-        (SELECT COUNT(*) FROM plank_media m WHERE m.folder_id = f.id)
-      )::int AS item_count
-     FROM plank_folders f
-     WHERE f.parent_id IS NOT DISTINCT FROM $1
-     ORDER BY f.name ASC`, [parentId]);
-  res.json({ folders: rows });
-}
-async function createFolder(req, res) {
-  const { name, parent_id } = req.body;
-  if (!name?.trim()) {
-    res.status(400).json({ error: "name is required" });
-    return;
-  }
-  if (parent_id) {
-    const { rows: rows2 } = await pool_default.query("SELECT id FROM plank_folders WHERE id = $1", [parent_id]);
-    if (!rows2[0]) {
-      res.status(404).json({ error: "Parent folder not found" });
-      return;
-    }
-  }
-  const id = createId();
-  const { rows } = await pool_default.query(`INSERT INTO plank_folders (id, name, parent_id) VALUES ($1, $2, $3) RETURNING *`, [id, name.trim(), parent_id ?? null]);
-  res.status(201).json(rows[0]);
-}
-async function renameFolder(req, res) {
-  const { id } = req.params;
-  const { name } = req.body;
-  if (!name?.trim()) {
-    res.status(400).json({ error: "name is required" });
-    return;
-  }
-  const { rows } = await pool_default.query(`UPDATE plank_folders SET name = $1 WHERE id = $2 RETURNING *`, [name.trim(), id]);
-  if (!rows[0]) {
-    res.status(404).json({ error: "Folder not found" });
-    return;
-  }
-  res.json(rows[0]);
-}
-async function deleteFolder(req, res) {
-  const { id } = req.params;
-  const { rows: folderRows } = await pool_default.query("SELECT id FROM plank_folders WHERE id = $1", [id]);
-  if (!folderRows[0]) {
-    res.status(404).json({ error: "Folder not found" });
-    return;
-  }
-  const { rows: subfolders } = await pool_default.query("SELECT id FROM plank_folders WHERE parent_id = $1 LIMIT 1", [id]);
-  const { rows: mediaItems } = await pool_default.query("SELECT id FROM plank_media WHERE folder_id = $1 LIMIT 1", [id]);
-  if (subfolders.length > 0 || mediaItems.length > 0) {
-    res.status(409).json({ error: "Folder is not empty. Move or delete its contents first." });
-    return;
-  }
-  await pool_default.query("DELETE FROM plank_folders WHERE id = $1", [id]);
-  res.status(204).end();
-}
-
-// ../core/dist/controllers/settings.js
-var SENSITIVE_FIELDS2 = {
-  media: /* @__PURE__ */ new Set(["s3.secret_access_key", "r2.secret_access_key"])
-};
-var MASKED = "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
-function maskSettings(namespace, settings) {
-  const sensitive = SENSITIVE_FIELDS2[namespace];
-  if (!sensitive)
-    return settings;
-  return Object.fromEntries(Object.entries(settings).map(([k, v]) => [k, sensitive.has(k) && v ? MASKED : v]));
-}
-async function getNamespaceSettings(req, res) {
-  const { namespace } = req.params;
-  const settings = await getSettings(namespace);
-  res.json(maskSettings(namespace, settings));
-}
-async function updateNamespaceSettings(req, res) {
-  const { namespace } = req.params;
-  const incoming = req.body;
-  if (typeof incoming !== "object" || Array.isArray(incoming)) {
-    res.status(400).json({ error: "Body must be a flat key-value object" });
-    return;
-  }
-  const sensitive = SENSITIVE_FIELDS2[namespace];
-  const toSave = {};
-  for (const [key, value] of Object.entries(incoming)) {
-    if (sensitive?.has(key) && (!value || value === MASKED))
-      continue;
-    toSave[key] = value;
-  }
-  await setSettings(namespace, toSave);
-  const updated = await getSettings(namespace);
-  res.json(maskSettings(namespace, updated));
-}
-
-// ../core/dist/routes/admin.js
-var router2 = Router2();
-router2.use(authenticate);
-router2.get("/content-types", authorize("content-types:read"), listContentTypes);
-router2.post("/content-types", authorize("content-types:write"), createContentType);
-router2.get("/content-types/:slug", authorize("content-types:read"), getContentType);
-router2.put("/content-types/:slug", authorize("content-types:write"), updateContentType2);
-router2.put("/content-types/:slug/default", authorize("content-types:write"), setDefaultContentType2);
-router2.delete("/content-types/:slug", authorize("content-types:delete"), deleteContentType2);
-router2.get("/content-types/:slug/entries", authorize("entries:read"), listEntries);
-router2.get("/content-types/:slug/single", authorize("entries:read"), getSingleEntry);
-router2.post("/content-types/:slug/entries", authorize("entries:write"), createEntry);
-router2.get("/entries/:slug/:id", authorize("entries:read"), getEntry);
-router2.put("/entries/:slug/:id", authorize("entries:write"), updateEntry);
-router2.patch("/entries/:slug/:id/status", authorize("entries:write"), patchEntryStatus);
-router2.delete("/entries/:slug/:id", authorize("entries:delete"), deleteEntry);
-router2.get("/users/me", getMe);
-router2.patch("/users/me", updateMe);
-router2.patch("/users/me/password", changePassword);
-router2.post("/users/me/avatar", upload.single("file"), uploadAvatar);
-router2.post("/users/me/avatar/presign", presignAvatar);
-router2.post("/users/me/avatar/confirm", confirmAvatar);
-router2.delete("/users/me/avatar", deleteAvatar);
-router2.get("/users/me/prefs/:key", getUserPref);
-router2.put("/users/me/prefs/:key", setUserPref);
-router2.get("/roles", authorize("settings:users:read"), listRoles);
-router2.put("/roles/:id", authorize("settings:roles:write"), updateRole);
-router2.post("/roles/reset", authorize("settings:roles:write"), resetRoles);
-router2.get("/users", authorize("settings:users:read"), listUsers);
-router2.post("/users", authorize("settings:users:write"), createUser);
-router2.put("/users/:id", authorize("settings:users:write"), updateUser);
-router2.delete("/users/:id", authorize("settings:users:delete"), deleteUser);
-router2.get("/api-tokens", authorize("settings:api-tokens:read"), listApiTokens);
-router2.post("/api-tokens", authorize("settings:api-tokens:write"), createApiToken);
-router2.delete("/api-tokens/:id", authorize("settings:api-tokens:delete"), deleteApiToken);
-router2.get("/folders", authorize("media:read"), listFolders);
-router2.post("/folders", authorize("media:write"), createFolder);
-router2.patch("/folders/:id", authorize("media:write"), renameFolder);
-router2.delete("/folders/:id", authorize("media:delete"), deleteFolder);
-router2.get("/media", authorize("media:read"), listMedia);
-router2.post("/media/presign", authorize("media:write"), presignMedia);
-router2.post("/media/confirm", authorize("media:write"), confirmMedia);
-router2.post("/media", authorize("media:write"), upload.array("files", 500), uploadMedia);
-router2.get("/media/:id/url", authorize("media:read"), getMediaUrl);
-router2.patch("/media/:id", authorize("media:write"), updateMedia);
-router2.delete("/media/:id", authorize("media:delete"), deleteMedia);
-router2.get("/settings/:namespace", authorize("settings:overview:read"), getNamespaceSettings);
-router2.put("/settings/:namespace", authorize("settings:overview:write"), updateNamespaceSettings);
-router2.get("/webhooks", authorize("settings:webhooks:read"), listWebhooks);
-router2.post("/webhooks", authorize("settings:webhooks:write"), createWebhook);
-router2.delete("/webhooks/:id", authorize("settings:webhooks:delete"), deleteWebhook);
-var admin_default = router2;
-
-// ../core/dist/routes/public.js
-import { Router as Router3 } from "express";
-
-// ../core/dist/middlewares/apiToken.js
-import { createHash as createHash2 } from "crypto";
-var READ_ONLY_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD", "OPTIONS"]);
-async function apiToken(req, res, next) {
-  const header = req.headers.authorization;
-  if (!header?.startsWith("Bearer ")) {
-    res.status(401).json({ error: "API token required" });
-    return;
-  }
-  const raw = header.slice(7);
-  const hashed = createHash2("sha256").update(raw).digest("hex");
-  const { rows } = await pool_default.query("SELECT id, access_type FROM plank_api_tokens WHERE token = $1", [hashed]);
-  if (!rows[0]) {
-    res.status(401).json({ error: "Invalid API token" });
-    return;
-  }
-  if (rows[0].access_type === "read-only" && !READ_ONLY_METHODS.has(req.method)) {
-    res.status(403).json({ error: "This token only allows read access" });
-    return;
-  }
-  next();
-}
-
-// ../core/dist/controllers/public.js
-async function resolveMediaFields(entries, ct) {
-  const singleFields = ct.fields.filter((f) => f.type === "media").map((f) => f.name);
-  const galleryFields = ct.fields.filter((f) => f.type === "media-gallery").map((f) => f.name);
-  if (singleFields.length === 0 && galleryFields.length === 0)
-    return;
-  const idSet = /* @__PURE__ */ new Set();
-  for (const entry of entries) {
-    for (const name of singleFields) {
-      const val = entry[name];
-      if (typeof val === "string" && val && !val.startsWith("http"))
-        idSet.add(val);
-    }
-    for (const name of galleryFields) {
-      const val = entry[name];
-      if (Array.isArray(val)) {
-        for (const id of val) {
-          if (typeof id === "string" && id && !id.startsWith("http"))
-            idSet.add(id);
-        }
-      }
-    }
-  }
-  if (idSet.size === 0)
-    return;
-  const { rows } = await pool_default.query("SELECT id, provider_key FROM plank_media WHERE id = ANY($1)", [[...idSet]]);
-  const provider = await getProvider();
-  const urlMap = /* @__PURE__ */ new Map();
-  await Promise.all(rows.map(async (r) => {
-    urlMap.set(r.id, await provider.getUrl(r.provider_key));
-  }));
-  for (const entry of entries) {
-    for (const name of singleFields) {
-      const val = entry[name];
-      if (typeof val === "string" && urlMap.has(val))
-        entry[name] = urlMap.get(val);
-    }
-    for (const name of galleryFields) {
-      const val = entry[name];
-      if (Array.isArray(val)) {
-        entry[name] = val.map((id) => typeof id === "string" && urlMap.has(id) ? urlMap.get(id) : id);
-      }
-    }
-  }
-}
-var SYSTEM_FIELDS = /* @__PURE__ */ new Set([
-  "status",
-  "published_data",
-  "published_at",
-  "scheduled_for",
-  "created_by",
-  "created_at",
-  "updated_at"
-]);
-function stripSystemFields(row) {
-  return Object.fromEntries(Object.entries(row).filter(([k]) => !SYSTEM_FIELDS.has(k)));
-}
-async function resolveRelationFields(entries, ct) {
-  const scalarFields = ct.fields.filter((f) => f.type === "relation" && (f.relationType === "many-to-one" || f.relationType === "one-to-one" || !f.relationType) && f.relatedTable);
-  const mmFields = ct.fields.filter((f) => f.type === "relation" && (f.relationType ?? "many-to-one") === "many-to-many" && f.relatedTable);
-  const entryIds = entries.map((e) => e.id);
-  await Promise.all([
-    ...scalarFields.map(async (field) => {
-      const ids = entries.map((e) => e[field.name]).filter(Boolean);
-      if (ids.length === 0)
-        return;
-      assertSafeIdentifier(field.relatedTable);
-      const { rows } = await pool_default.query(`SELECT * FROM ${field.relatedTable} WHERE id = ANY($1)`, [
-        ids
-      ]);
-      const map = new Map(rows.map((r) => [r.id, stripSystemFields(r)]));
-      for (const entry of entries) {
-        const id = entry[field.name];
-        entry[field.name] = id ? map.get(id) ?? null : null;
-      }
-    }),
-    ...mmFields.map(async (field) => {
-      if (entryIds.length === 0)
-        return;
-      const jt = `_rel_${ct.tableName}_${field.name}`;
-      const { rows: jRows } = await pool_default.query(`SELECT source_id, target_id FROM ${jt} WHERE source_id = ANY($1)`, [entryIds]);
-      const allTargetIds = [...new Set(jRows.map((r) => r.target_id))];
-      const relatedMap = /* @__PURE__ */ new Map();
-      if (allTargetIds.length > 0) {
-        assertSafeIdentifier(field.relatedTable);
-        const { rows: relRows } = await pool_default.query(`SELECT * FROM ${field.relatedTable} WHERE id = ANY($1)`, [allTargetIds]);
-        for (const row of relRows)
-          relatedMap.set(row.id, stripSystemFields(row));
-      }
-      const sourceMap = /* @__PURE__ */ new Map();
-      for (const row of jRows) {
-        const obj = relatedMap.get(row.target_id);
-        if (!obj)
-          continue;
-        const list = sourceMap.get(row.source_id);
-        if (list)
-          list.push(obj);
-        else
-          sourceMap.set(row.source_id, [obj]);
-      }
-      for (const entry of entries) {
-        entry[field.name] = sourceMap.get(entry.id) ?? [];
-      }
-    })
-  ]);
-}
-async function resolveAuthorAvatars(entries) {
-  const provider = await getProvider();
-  await Promise.all(entries.map(async (entry) => {
-    const author = entry.author;
-    if (author?.avatar_url && !author.avatar_url.startsWith("http")) {
-      author.avatar_url = await provider.getUrl(author.avatar_url);
-    }
-  }));
-}
-function serializeEntry(row, ct, statusParam, locale, fallbacks = []) {
-  const { published_data, _author_first_name, _author_last_name, _author_avatar_url, _author_job_title, _author_organization, _author_country, ...rest } = row;
-  const source = statusParam === "published" && published_data ? published_data : rest;
-  const effective = { ...source };
-  if (locale) {
-    const localizedContainer = source && typeof source === "object" && source.localized && typeof source.localized === "object" ? source.localized : row.localized && typeof row.localized === "object" ? row.localized : {};
-    const localizableTypes = /* @__PURE__ */ new Set(["string", "text", "richtext", "uid"]);
-    for (const f of ct.fields) {
-      if (!localizableTypes.has(f.type))
-        continue;
-      let val = void 0;
-      if (localizedContainer[locale] && localizedContainer[locale][f.name] !== void 0) {
-        val = localizedContainer[locale][f.name];
-      } else {
-        for (const fb of fallbacks) {
-          if (localizedContainer[fb] && localizedContainer[fb][f.name] !== void 0) {
-            val = localizedContainer[fb][f.name];
-            break;
-          }
-        }
-      }
-      if (val !== void 0)
-        effective[f.name] = val;
-    }
-  }
-  const out = { id: row.id };
-  for (const field of ct.fields) {
-    if (field.name in effective)
-      out[field.name] = effective[field.name];
-  }
-  out.status = row.status;
-  out.published_at = row.published_at ?? null;
-  out.created_at = row.created_at;
-  out.updated_at = row.updated_at;
-  out.author = _author_first_name || _author_last_name ? {
-    first_name: _author_first_name ?? null,
-    last_name: _author_last_name ?? null,
-    avatar_url: _author_avatar_url ?? null,
-    job_title: _author_job_title ?? null,
-    organization: _author_organization ?? null,
-    country: _author_country ?? null
-  } : null;
-  return out;
-}
-var listPublicEntries = async (req, res) => {
-  const ct = await findContentTypeBySlug(req.params.slug);
-  if (!ct) {
-    res.status(404).json({ error: "Not found" });
-    return;
-  }
-  assertSafeIdentifier(ct.tableName);
-  if (ct.kind === "single") {
-    const statusParam2 = String(req.query.status ?? "published");
-    const locale2 = req.query.locale ? String(req.query.locale) : void 0;
-    const fallbacks2 = req.query.fallback ? String(req.query.fallback).split(",") : [];
-    const statusClause = statusParam2 === "published" || statusParam2 === "draft" ? `WHERE e.status = $1` : "";
-    const values = statusClause ? [statusParam2] : [];
-    const { rows: rows2 } = await pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url, u.job_title AS _author_job_title, u.organization AS _author_organization, u.country AS _author_country
-       FROM ${ct.tableName} e
-       LEFT JOIN plank_users u ON u.id = e.created_by
-       ${statusClause} LIMIT 1`, values);
-    if (!rows2[0]) {
-      res.status(404).json({ error: "Not found" });
-      return;
-    }
-    const entry = serializeEntry(rows2[0], ct, statusParam2, locale2, fallbacks2);
-    await Promise.all([
-      resolveMediaFields([entry], ct),
-      resolveAuthorAvatars([entry]),
-      resolveRelationFields([entry], ct)
-    ]);
-    res.json(entry);
-    return;
-  }
-  const page = Math.max(1, parseInt(String(req.query.page ?? 1)));
-  const limit = Math.min(100, Math.max(1, parseInt(String(req.query.limit ?? 20))));
-  const offset = (page - 1) * limit;
-  const locale = req.query.locale ? String(req.query.locale) : void 0;
-  const fallbacks = req.query.fallback ? String(req.query.fallback).split(",") : [];
-  const knownFields = new Set(ct.fields.map((f) => f.name));
-  const systemSortFields = /* @__PURE__ */ new Set(["created_at", "updated_at", "published_at"]);
-  const filterClauses = [];
-  const filterValues = [];
-  const statusParam = String(req.query.status ?? "published");
-  if (statusParam === "published" || statusParam === "draft") {
-    filterClauses.push(`e.status = $${filterValues.length + 1}`);
-    filterValues.push(statusParam);
-  }
-  const rawSort = String(req.query.sort ?? "created_at");
-  const sortField = knownFields.has(rawSort) || systemSortFields.has(rawSort) ? rawSort : "created_at";
-  assertSafeIdentifier(sortField);
-  const sortDir = String(req.query.order ?? "desc").toLowerCase() === "asc" ? "ASC" : "DESC";
-  for (const [key, value] of Object.entries(req.query)) {
-    if (key === "page" || key === "limit" || key === "status" || key === "sort" || key === "order")
-      continue;
-    if (knownFields.has(key)) {
-      assertSafeIdentifier(key);
-      filterClauses.push(`e.${key} = $${filterValues.length + 1}`);
-      filterValues.push(value);
-    }
-  }
-  const where = filterClauses.length > 0 ? `WHERE ${filterClauses.join(" AND ")}` : "";
-  const limitParam = filterValues.length + 1;
-  const offsetParam = filterValues.length + 2;
-  const [{ rows }, { rows: countRows }] = await Promise.all([
-    pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url, u.job_title AS _author_job_title, u.organization AS _author_organization, u.country AS _author_country
-       FROM ${ct.tableName} e
-       LEFT JOIN plank_users u ON u.id = e.created_by
-       ${where} ORDER BY e.${sortField} ${sortDir} LIMIT $${limitParam} OFFSET $${offsetParam}`, [...filterValues, limit, offset]),
-    pool_default.query(`SELECT COUNT(*) as count FROM ${ct.tableName} e ${where}`, filterValues)
-  ]);
-  const data = rows.map((row) => serializeEntry(row, ct, statusParam, locale, fallbacks));
-  await Promise.all([
-    resolveMediaFields(data, ct),
-    resolveAuthorAvatars(data),
-    resolveRelationFields(data, ct)
-  ]);
-  res.json({ data, total: parseInt(countRows[0].count), page, limit });
-};
-var getPublicEntry = async (req, res) => {
-  const ct = await findContentTypeBySlug(req.params.slug);
-  if (!ct) {
-    res.status(404).json({ error: "Not found" });
-    return;
-  }
-  assertSafeIdentifier(ct.tableName);
-  const statusParam = String(req.query.status ?? "published");
-  const statusClause = statusParam === "published" || statusParam === "draft" ? ` AND e.status = $2` : "";
-  const values = statusClause ? [req.params.id, statusParam] : [req.params.id];
-  const { rows } = await pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url, u.job_title AS _author_job_title, u.organization AS _author_organization, u.country AS _author_country
-     FROM ${ct.tableName} e
-     LEFT JOIN plank_users u ON u.id = e.created_by
-     WHERE e.id = $1${statusClause}`, values);
-  if (!rows[0]) {
-    res.status(404).json({ error: "Not found" });
-    return;
-  }
-  const locale = req.query.locale ? String(req.query.locale) : void 0;
-  const fallbacks = req.query.fallback ? String(req.query.fallback).split(",") : [];
-  const entry = serializeEntry(rows[0], ct, statusParam, locale, fallbacks);
-  await Promise.all([
-    resolveMediaFields([entry], ct),
-    resolveAuthorAvatars([entry]),
-    resolveRelationFields([entry], ct)
-  ]);
-  res.json(entry);
-};
-
-// ../core/dist/routes/public.js
-var router3 = Router3();
-router3.use(apiToken);
-router3.get("/:slug", listPublicEntries);
-router3.get("/:slug/:id", getPublicEntry);
-var public_default = router3;
-
-// ../core/dist/middlewares/errorHandler.js
-import { ZodError, flattenError as flattenError6 } from "zod";
-function errorHandler(err, _req, res, _next) {
-  if (err instanceof ValidationError) {
-    res.status(400).json({ errors: err.errors });
-    return;
-  }
-  if (err instanceof SchemaError) {
-    res.status(400).json({ error: err.message });
-    return;
-  }
-  if (err instanceof ZodError) {
-    res.status(400).json({ errors: flattenError6(err, (i) => i.message) });
-    return;
-  }
-  console.error("[plank] Unhandled error:", err);
-  res.status(500).json({ error: "Internal server error" });
-}
-
-// ../core/dist/app.js
-var app = express();
-app.use(helmet({
-  contentSecurityPolicy: {
-    directives: {
-      ...helmet.contentSecurityPolicy.getDefaultDirectives(),
-      "img-src": ["'self'", "data:", "https:"],
-      "connect-src": ["'self'", "https:"]
-    }
-  }
-}));
-app.use(express.json());
-var PORT = process.env.PLANK_PORT ?? "5500";
-var adminOrigin = process.env.PLANK_PUBLIC_URL ?? `http://localhost:${PORT}`;
-var cmsCorOptions = cors({ origin: adminOrigin, credentials: true });
-app.use("/cms/auth", cmsCorOptions, auth_default);
-app.use("/cms/admin", cmsCorOptions, admin_default);
-app.use("/api", cors(), public_default);
-app.get("/", (_req, res) => res.redirect("/admin"));
-var adminDist = process.env.PLANK_ADMIN_DIST ?? join3(dirname2(fileURLToPath2(import.meta.url)), "../public/admin");
-app.use("/admin", express.static(adminDist));
-app.get("/admin/*path", (_req, res) => res.sendFile(join3(adminDist, "index.html")));
-app.use(errorHandler);
-var app_default = app;
-
-// ../core/dist/server.js
-async function start() {
-  const PORT2 = process.env.PLANK_PORT ?? 5500;
-  await migrate();
-  await syncAllTables();
-  app_default.listen(PORT2, () => {
-    const base = process.env.PLANK_PUBLIC_URL ?? `http://localhost:${PORT2}`;
-    console.log("  \u25B2 Plank CMS by AM25");
-    console.log(`  Admin  \u2192 ${base}/admin`);
-    console.log(`  API    \u2192 ${base}/api`);
-  });
-}
-export {
-  start
-};