@plank-cms/plank 0.13.0 → 0.14.2

package/dist/{server-LQ6BBDAE.js → server-CKAS7YSX.js}

@@ -67,7 +67,7 @@ async function ensureMigrationsTable(client) {
 }
 async function appliedMigrations(client) {
   const { rows } = await client.query("SELECT filename FROM plank_migrations ORDER BY filename");
-  return new Set(rows.map((r) => r.filename));
+  return new Set(rows.map((r2) => r2.filename));
 }
 async function seedDefaultRoles(client) {
   const { rows } = await client.query("SELECT COUNT(*) as count FROM plank_roles");
@@ -83,7 +83,7 @@ async function migrate() {
   try {
     await client.query("BEGIN");
     await ensureMigrationsTable(client);
-    const files = (await readdir(MIGRATIONS_DIR)).filter((f) => f.endsWith(".sql")).sort();
+    const files = (await readdir(MIGRATIONS_DIR)).filter((f2) => f2.endsWith(".sql")).sort();
     const applied = await appliedMigrations(client);
     for (const file of files) {
       if (applied.has(file))
@@ -270,7 +270,7 @@ function relationSignature(field) {
 async function createTable(contentType) {
   assertSafeIdentifier(contentType.tableName);
   const quotedTableName = quoteIdentifier(contentType.tableName);
-  const columnFields = contentType.fields.filter((f) => !isVirtualRelation(f));
+  const columnFields = contentType.fields.filter((f2) => !isVirtualRelation(f2));
   const columns = columnFields.map(buildColumnDef).filter(Boolean);
   const sql = [
     `CREATE TABLE IF NOT EXISTS ${quotedTableName} (`,
@@ -300,8 +300,8 @@ async function createTable(contentType) {
 async function syncTable(next, prev) {
   assertSafeIdentifier(next.tableName);
   const quotedTableName = quoteIdentifier(next.tableName);
-  const prevFields = new Map(prev.fields.map((f) => [f.name, f]));
-  const nextFields = new Map(next.fields.map((f) => [f.name, f]));
+  const prevFields = new Map(prev.fields.map((f2) => [f2.name, f2]));
+  const nextFields = new Map(next.fields.map((f2) => [f2.name, f2]));
   const statements = [];
   const junctionOps = [];
   for (const [name, field] of nextFields) {
@@ -390,7 +390,7 @@ async function syncAllTables() {
     assertSafeIdentifier(ct.tableName);
     const quotedTableName = quoteIdentifier(ct.tableName);
     const { rows } = await pool_default.query(`SELECT column_name FROM information_schema.columns WHERE table_name = $1 AND table_schema = 'public'`, [ct.tableName]);
-    const existingColumns = new Set(rows.map((r) => r.column_name));
+    const existingColumns = new Set(rows.map((r2) => r2.column_name));
     if (!existingColumns.has("localized")) {
       try {
         await pool_default.query(`ALTER TABLE ${quotedTableName} ADD COLUMN IF NOT EXISTS localized JSONB`);
@@ -435,9 +435,9 @@ function validateNavigationItems(value, fieldName, errors, path = fieldName, dep
   if (value.length > MAX_NAVIGATION_ITEMS_PER_LEVEL) {
     errors.push(`Field "${path}" cannot have more than ${MAX_NAVIGATION_ITEMS_PER_LEVEL} items per level`);
   }
-  for (let i = 0; i < value.length; i++) {
-    const item = value[i];
-    const itemPath = `${path}[${i}]`;
+  for (let i2 = 0; i2 < value.length; i2++) {
+    const item = value[i2];
+    const itemPath = `${path}[${i2}]`;
     if (typeof item !== "object" || item === null) {
       errors.push(`Field "${itemPath}" must be an object`);
       continue;
@@ -495,7 +495,7 @@ function validate(contentType, payload) {
         }
         break;
       case "media-gallery":
-        if (!Array.isArray(value) || value.some((v) => typeof v !== "string" || !v.trim())) {
+        if (!Array.isArray(value) || value.some((v3) => typeof v3 !== "string" || !v3.trim())) {
           errors.push(`Field "${field.name}" must be an array of media IDs`);
         } else if (field.required && value.length === 0) {
           errors.push(`Field "${field.name}" is required`);
@@ -506,7 +506,7 @@ function validate(contentType, payload) {
         if (rt === "one-to-many")
           break;
         if (rt === "many-to-many") {
-          if (!Array.isArray(value) || value.some((v) => typeof v !== "string" || !v.trim())) {
+          if (!Array.isArray(value) || value.some((v3) => typeof v3 !== "string" || !v3.trim())) {
             errors.push(`Field "${field.name}" must be an array of IDs`);
           } else if (field.required && value.length === 0) {
             errors.push(`Field "${field.name}" is required`);
@@ -524,17 +524,17 @@ function validate(contentType, payload) {
         } else if (field.required && value.length === 0) {
           errors.push(`Field "${field.name}" is required`);
         } else if (field.arrayFields && field.arrayFields.length > 0) {
-          for (let i = 0; i < value.length; i++) {
-            const item = value[i];
+          for (let i2 = 0; i2 < value.length; i2++) {
+            const item = value[i2];
             if (typeof item !== "object" || item === null) {
-              errors.push(`Field "${field.name}[${i}]" must be an object`);
+              errors.push(`Field "${field.name}[${i2}]" must be an object`);
               continue;
             }
             for (const subField of field.arrayFields) {
               const subValue = item[subField.name];
               const subEmpty = subValue === void 0 || subValue === null || subValue === "";
               if (subField.required && subEmpty) {
-                errors.push(`Field "${field.name}[${i}].${subField.name}" is required`);
+                errors.push(`Field "${field.name}[${i2}].${subField.name}" is required`);
               }
             }
           }
@@ -557,7 +557,7 @@ function validate(contentType, payload) {
 import express from "express";
 import cors from "cors";
 import helmet from "helmet";
-import { join as join3, dirname as dirname2 } from "path";
+import { join as join4, dirname as dirname2 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 
 // ../core/dist/routes/auth.js
@@ -566,23 +566,1453 @@ import { Router } from "express";
 // ../core/dist/controllers/auth.js
 import bcrypt from "bcryptjs";
 import jwt from "jsonwebtoken";
+
+// ../../node_modules/.pnpm/@otplib+core@13.4.0/node_modules/@otplib/core/dist/index.js
+var i = class extends Error {
+  constructor(e, t2) {
+    super(e, t2), this.name = "OTPError";
+  }
+};
+var x = class extends i {
+  constructor(e) {
+    super(e), this.name = "SecretError";
+  }
+};
+var h = class extends x {
+  constructor(e, t2) {
+    super(`Secret must be at least ${e} bytes (${e * 8} bits), got ${t2} bytes`), this.name = "SecretTooShortError";
+  }
+};
+var P = class extends x {
+  constructor(e, t2) {
+    super(`Secret must not exceed ${e} bytes, got ${t2} bytes`), this.name = "SecretTooLongError";
+  }
+};
+var m = class extends i {
+  constructor(e) {
+    super(e), this.name = "CounterError";
+  }
+};
+var O = class extends m {
+  constructor() {
+    super("Counter must be non-negative"), this.name = "CounterNegativeError";
+  }
+};
+var T = class extends m {
+  constructor() {
+    super("Counter exceeds maximum safe integer value"), this.name = "CounterOverflowError";
+  }
+};
+var b = class extends m {
+  constructor() {
+    super("Counter must be a finite integer"), this.name = "CounterNotIntegerError";
+  }
+};
+var A = class extends i {
+  constructor(e) {
+    super(e), this.name = "TimeError";
+  }
+};
+var C = class extends A {
+  constructor() {
+    super("Time must be non-negative"), this.name = "TimeNegativeError";
+  }
+};
+var S = class extends A {
+  constructor() {
+    super("Time must be a finite number"), this.name = "TimeNotFiniteError";
+  }
+};
+var B = class extends i {
+  constructor(e) {
+    super(e), this.name = "PeriodError";
+  }
+};
+var w = class extends B {
+  constructor(e) {
+    super(`Period must be at least ${e} second(s)`), this.name = "PeriodTooSmallError";
+  }
+};
+var _ = class extends B {
+  constructor(e) {
+    super(`Period must not exceed ${e} seconds`), this.name = "PeriodTooLargeError";
+  }
+};
+var R = class extends i {
+  constructor(e) {
+    super(e), this.name = "TokenError";
+  }
+};
+var I = class extends R {
+  constructor(e, t2) {
+    super(`Token must be ${e} digits, got ${t2}`), this.name = "TokenLengthError";
+  }
+};
+var M = class extends R {
+  constructor() {
+    super("Token must contain only digits"), this.name = "TokenFormatError";
+  }
+};
+var N = class extends i {
+  constructor(e, t2) {
+    super(e, t2), this.name = "CryptoError";
+  }
+};
+var c = class extends N {
+  constructor(e, t2) {
+    super(`HMAC computation failed: ${e}`, t2), this.name = "HMACError";
+  }
+};
+var v = class extends N {
+  constructor(e, t2) {
+    super(`Random byte generation failed: ${e}`, t2), this.name = "RandomBytesError";
+  }
+};
+var g = class extends i {
+  constructor(e) {
+    super(e), this.name = "CounterToleranceError";
+  }
+};
+var U = class extends g {
+  constructor(e, t2) {
+    super(`Counter tolerance validation failed: total checks (${t2}) exceeds MAX_WINDOW (${e})`), this.name = "CounterToleranceTooLargeError";
+  }
+};
+var X = class extends g {
+  constructor() {
+    super("Counter tolerance cannot contain negative values"), this.name = "CounterToleranceNegativeError";
+  }
+};
+var E = class extends i {
+  constructor(e) {
+    super(e), this.name = "EpochToleranceError";
+  }
+};
+var k = class extends E {
+  constructor() {
+    super("Epoch tolerance cannot contain negative values"), this.name = "EpochToleranceNegativeError";
+  }
+};
+var q = class extends E {
+  constructor(e, t2) {
+    super(`Epoch tolerance must not exceed ${e} seconds, got ${t2}. Large tolerances can cause performance issues.`), this.name = "EpochToleranceTooLargeError";
+  }
+};
+var G = class extends i {
+  constructor(e) {
+    super(e), this.name = "PluginError";
+  }
+};
+var Y = class extends G {
+  constructor() {
+    super("Crypto plugin is required."), this.name = "CryptoPluginMissingError";
+  }
+};
+var L = class extends G {
+  constructor() {
+    super("Base32 plugin is required."), this.name = "Base32PluginMissingError";
+  }
+};
+var a = class extends i {
+  constructor(e) {
+    super(e), this.name = "ConfigurationError";
+  }
+};
+var W = class extends a {
+  constructor() {
+    super("Secret is required. Use generateSecret() to create one, or provide via { secret: 'YOUR_BASE32_SECRET' }"), this.name = "SecretMissingError";
+  }
+};
+var f = class extends i {
+  constructor(e) {
+    super(e), this.name = "AfterTimeStepError";
+  }
+};
+var J = class extends f {
+  constructor() {
+    super("afterTimeStep must be >= 0"), this.name = "AfterTimeStepNegativeError";
+  }
+};
+var Q = class extends f {
+  constructor() {
+    super("Invalid afterTimeStep: non-integer value"), this.name = "AfterTimeStepNotIntegerError";
+  }
+};
+var Z = class extends f {
+  constructor() {
+    super("Invalid afterTimeStep: cannot be greater than current time step plus window"), this.name = "AfterTimeStepRangeExceededError";
+  }
+};
+var yr = new TextEncoder();
+var xr = new TextDecoder();
+var or = 16;
+var sr = 64;
+var ir = 20;
+var ar = 1;
+var ur = 3600;
+var cr = 30;
+var pr = Number.MAX_SAFE_INTEGER;
+var lr = 99;
+var er = /* @__PURE__ */ Symbol("otplib.guardrails.override");
+function y(r2, e, t2) {
+  if (typeof e != "number" || !Number.isSafeInteger(e)) throw new a(`Guardrail '${r2}' must be a safe integer`);
+  if (e < t2) throw new a(`Guardrail '${r2}' must be >= ${t2}`);
+}
+var d = Object.freeze({ MIN_SECRET_BYTES: or, MAX_SECRET_BYTES: sr, MIN_PERIOD: ar, MAX_PERIOD: ur, MAX_COUNTER: pr, MAX_WINDOW: lr, [er]: false });
+function hr(r2) {
+  if (!r2) return d;
+  r2.MIN_SECRET_BYTES !== void 0 && y("MIN_SECRET_BYTES", r2.MIN_SECRET_BYTES, 1), r2.MAX_SECRET_BYTES !== void 0 && y("MAX_SECRET_BYTES", r2.MAX_SECRET_BYTES, 1), r2.MIN_PERIOD !== void 0 && y("MIN_PERIOD", r2.MIN_PERIOD, 1), r2.MAX_PERIOD !== void 0 && y("MAX_PERIOD", r2.MAX_PERIOD, 1), r2.MAX_COUNTER !== void 0 && y("MAX_COUNTER", r2.MAX_COUNTER, 0), r2.MAX_WINDOW !== void 0 && y("MAX_WINDOW", r2.MAX_WINDOW, 1);
+  let e = { ...d, ...r2 };
+  if (e.MIN_SECRET_BYTES > e.MAX_SECRET_BYTES) throw new a("Guardrail 'MIN_SECRET_BYTES' must be <= 'MAX_SECRET_BYTES'");
+  if (e.MIN_PERIOD > e.MAX_PERIOD) throw new a("Guardrail 'MIN_PERIOD' must be <= 'MAX_PERIOD'");
+  return Object.freeze({ ...e, [er]: true });
+}
+function Or(r2, e = d) {
+  if (r2.length < e.MIN_SECRET_BYTES) throw new h(e.MIN_SECRET_BYTES, r2.length);
+  if (r2.length > e.MAX_SECRET_BYTES) throw new P(e.MAX_SECRET_BYTES, r2.length);
+}
+function br(r2, e = d) {
+  if (typeof r2 == "number") {
+    if (!Number.isFinite(r2) || !Number.isInteger(r2)) throw new b();
+    if (!Number.isSafeInteger(r2)) throw new T();
+  }
+  let t2 = typeof r2 == "bigint" ? r2 : BigInt(r2);
+  if (t2 < 0n) throw new O();
+  if (t2 > BigInt(e.MAX_COUNTER)) throw new T();
+}
+function Ar(r2) {
+  if (!Number.isFinite(r2)) throw new S();
+  if (r2 < 0) throw new C();
+}
+function Cr(r2, e = d) {
+  if (!Number.isInteger(r2) || r2 < e.MIN_PERIOD) throw new w(e.MIN_PERIOD);
+  if (r2 > e.MAX_PERIOD) throw new _(e.MAX_PERIOD);
+}
+function Sr(r2, e) {
+  if (r2.length !== e) throw new I(e, r2.length);
+  if (!/^\d+$/.test(r2)) throw new M();
+}
+function Br(r2, e = d) {
+  let [t2, o] = Er(r2);
+  if (!Number.isSafeInteger(t2) || !Number.isSafeInteger(o)) throw new g("Counter tolerance values must be safe integers");
+  if (t2 < 0 || o < 0) throw new X();
+  let n = t2 + o + 1;
+  if (n > e.MAX_WINDOW) throw new U(e.MAX_WINDOW, n);
+}
+function wr(r2, e = cr, t2 = d) {
+  let [o, n] = Array.isArray(r2) ? r2 : [r2, r2];
+  if (!Number.isSafeInteger(o) || !Number.isSafeInteger(n)) throw new E("Epoch tolerance values must be safe integers");
+  if (o < 0 || n < 0) throw new k();
+  let s = (t2.MAX_WINDOW - 1) * e, u = o + n;
+  if (u > s) throw new q(s, u);
+}
+function _r(r2) {
+  let e = typeof r2 == "bigint" ? r2 : BigInt(r2), t2 = new ArrayBuffer(8);
+  return new DataView(t2).setBigUint64(0, e, false), new Uint8Array(t2);
+}
+function Rr(r2) {
+  let e = r2[r2.length - 1] & 15;
+  return (r2[e] & 127) << 24 | r2[e + 1] << 16 | r2[e + 2] << 8 | r2[e + 3];
+}
+function Ir(r2, e) {
+  let t2 = 10 ** e;
+  return (r2 % t2).toString().padStart(e, "0");
+}
+function gr(r2, e) {
+  return r2.length === e.length;
+}
+function tr(r2, e) {
+  let t2 = rr(r2), o = rr(e);
+  if (!gr(t2, o)) return false;
+  let n = 0;
+  for (let s = 0; s < t2.length; s++) n |= t2[s] ^ o[s];
+  return n === 0;
+}
+function rr(r2) {
+  return typeof r2 == "string" ? yr.encode(r2) : r2;
+}
+function vr(r2, e) {
+  return typeof r2 == "string" ? (nr(e), e.decode(r2)) : r2;
+}
+function Dr(r2) {
+  let { crypto: e, base32: t2, length: o = ir } = r2;
+  dr(e), nr(t2);
+  let n = e.randomBytes(o);
+  return t2.encode(n, { padding: false });
+}
+function Er(r2 = 0) {
+  return Array.isArray(r2) ? r2 : [0, r2];
+}
+function Ur(r2 = 0) {
+  return Array.isArray(r2) ? r2 : [r2, r2];
+}
+function dr(r2) {
+  if (!r2) throw new Y();
+}
+function nr(r2) {
+  if (!r2) throw new L();
+}
+function Xr(r2) {
+  if (!r2) throw new W();
+}
+var K = class {
+  constructor(e) {
+    this.crypto = e;
+  }
+  get plugin() {
+    return this.crypto;
+  }
+  async hmac(e, t2, o) {
+    try {
+      let n = this.crypto.hmac(e, t2, o);
+      return n instanceof Promise ? await n : n;
+    } catch (n) {
+      let s = n instanceof Error ? n.message : String(n);
+      throw new c(s, { cause: n });
+    }
+  }
+  hmacSync(e, t2, o) {
+    try {
+      let n = this.crypto.hmac(e, t2, o);
+      if (n instanceof Promise) throw new c("Crypto plugin does not support synchronous HMAC operations");
+      return n;
+    } catch (n) {
+      if (n instanceof c) throw n;
+      let s = n instanceof Error ? n.message : String(n);
+      throw new c(s, { cause: n });
+    }
+  }
+  randomBytes(e) {
+    try {
+      return this.crypto.randomBytes(e);
+    } catch (t2) {
+      let o = t2 instanceof Error ? t2.message : String(t2);
+      throw new v(o, { cause: t2 });
+    }
+  }
+};
+function Wr(r2) {
+  return new K(r2);
+}
+
+// ../../node_modules/.pnpm/@otplib+uri@13.4.0/node_modules/@otplib/uri/dist/index.js
+function m2(r2) {
+  let { type: e, label: s, params: t2 } = r2, i2 = s.split(":").map((c3) => encodeURIComponent(c3)).join(":"), o = `otpauth://${e}/${i2}?`, n = [];
+  return t2.secret && n.push(`secret=${encodeURIComponent(t2.secret)}`), t2.issuer && n.push(`issuer=${encodeURIComponent(t2.issuer)}`), t2.algorithm && t2.algorithm !== "sha1" && n.push(`algorithm=${t2.algorithm.toUpperCase()}`), t2.digits && t2.digits !== 6 && n.push(`digits=${t2.digits}`), e === "hotp" && t2.counter !== void 0 && n.push(`counter=${t2.counter}`), e === "totp" && t2.period !== void 0 && t2.period !== 30 && n.push(`period=${t2.period}`), o += n.join("&"), o;
+}
+function x2(r2) {
+  let { issuer: e, label: s, secret: t2, algorithm: i2 = "sha1", digits: o = 6, period: n = 30 } = r2, c3 = e ? `${e}:${s}` : s;
+  return m2({ type: "totp", label: c3, params: { secret: t2, issuer: e, algorithm: i2, digits: o, period: n } });
+}
+function U2(r2) {
+  let { issuer: e, label: s, secret: t2, counter: i2 = 0, algorithm: o = "sha1", digits: n = 6 } = r2, c3 = e ? `${e}:${s}` : s;
+  return m2({ type: "hotp", label: c3, params: { secret: t2, issuer: e, algorithm: o, digits: n, counter: i2 } });
+}
+
+// ../../node_modules/.pnpm/@otplib+hotp@13.4.0/node_modules/@otplib/hotp/dist/index.js
+function v2(u) {
+  let { secret: t2, counter: e, algorithm: r2 = "sha1", digits: i2 = 6, crypto: n, base32: o, guardrails: a2, hooks: s } = u;
+  Xr(t2), dr(n);
+  let c3 = vr(t2, o);
+  Or(c3, a2), br(e, a2);
+  let p = Wr(n), l2 = _r(e);
+  return { ctx: p, algorithm: r2, digits: i2, secretBytes: c3, counterBytes: l2, hooks: s };
+}
+function F(u) {
+  let { ctx: t2, algorithm: e, digits: r2, secretBytes: i2, counterBytes: n, hooks: o } = v2(u), a2 = t2.hmacSync(e, i2, n), s = o?.truncateDigest ? o.truncateDigest(a2) : Rr(a2);
+  return o?.encodeToken ? o.encodeToken(s, r2) : Ir(s, r2);
+}
+function G2(u) {
+  let { secret: t2, counter: e, token: r2, algorithm: i2 = "sha1", digits: n = 6, crypto: o, base32: a2, counterTolerance: s = 0, guardrails: c3 = hr(), hooks: p } = u;
+  Xr(t2), dr(o);
+  let l2 = vr(t2, a2);
+  Or(l2, c3), br(e, c3), p?.validateToken ? p.validateToken(r2, n) : Sr(r2, n), Br(s, c3);
+  let V = typeof e == "bigint" ? Number(e) : e, [f2, d4] = Er(s), R3 = f2 + d4 + 1;
+  return { token: r2, counterNum: V, past: f2, future: d4, totalChecks: R3, crypto: o, getGenerateOptions: (B2) => ({ secret: l2, counter: B2, algorithm: i2, digits: n, crypto: o, guardrails: c3, hooks: p }) };
+}
+function Y2(u) {
+  let { token: t2, counterNum: e, past: r2, totalChecks: i2, crypto: n, getGenerateOptions: o } = G2(u), a2 = Math.max(0, r2 - e);
+  for (let s = a2; s < i2; s++) {
+    let c3 = s - r2, p = e + c3, l2 = F(o(p));
+    if (n.constantTimeEqual(l2, t2)) return { valid: true, delta: c3 | 0 };
+  }
+  return { valid: false };
+}
+
+// ../../node_modules/.pnpm/@otplib+totp@13.4.0/node_modules/@otplib/totp/dist/index.js
+function k2(r2) {
+  let { secret: e, epoch: n = Math.floor(Date.now() / 1e3), t0: o = 0, period: i2 = 30, algorithm: s = "sha1", digits: l2 = 6, crypto: a2, base32: u, guardrails: c3 = hr(), hooks: t2 } = r2;
+  Xr(e), dr(a2);
+  let p = vr(e, u);
+  Or(p, c3), Ar(n), Cr(i2, c3);
+  let f2 = Math.floor((n - o) / i2);
+  return { secret: p, counter: f2, algorithm: s, digits: l2, crypto: a2, guardrails: c3, hooks: t2 };
+}
+function Z2(r2) {
+  let e = k2(r2);
+  return F(e);
+}
+function _2(r2, e) {
+  if (r2 !== void 0) {
+    if (r2 < 0) throw new J();
+    if (!Number.isSafeInteger(r2)) throw new Q();
+    if (r2 > e) throw new Z();
+  }
+}
+function w2(r2, e) {
+  return e !== void 0 && r2 <= e;
+}
+function R2(r2) {
+  let { secret: e, token: n, epoch: o = Math.floor(Date.now() / 1e3), t0: i2 = 0, period: s = 30, algorithm: l2 = "sha1", digits: a2 = 6, crypto: u, base32: c3, epochTolerance: t2 = 0, afterTimeStep: p, guardrails: f2 = hr(), hooks: T3 } = r2;
+  Xr(e), dr(u);
+  let m3 = vr(e, c3);
+  Or(m3, f2), Ar(o), Cr(s, f2), T3?.validateToken ? T3.validateToken(n, a2) : Sr(n, a2), wr(t2, s, f2);
+  let M2 = Math.floor((o - i2) / s), [I3, q2] = Ur(t2), A3 = Math.max(0, Math.floor((o - I3 - i2) / s)), S2 = Math.floor((o + q2 - i2) / s);
+  return _2(p, S2), { token: n, crypto: u, minCounter: A3, maxCounter: S2, currentCounter: M2, t0: i2, period: s, afterTimeStep: p, getGenerateOptions: (D) => ({ secret: m3, epoch: D * s + i2, t0: i2, period: s, algorithm: l2, digits: a2, crypto: u, guardrails: f2, hooks: T3 }) };
+}
+function ie(r2) {
+  let { token: e, crypto: n, minCounter: o, maxCounter: i2, currentCounter: s, t0: l2, period: a2, afterTimeStep: u, getGenerateOptions: c3 } = R2(r2);
+  for (let t2 = o; t2 <= i2; t2++) {
+    if (w2(t2, u)) continue;
+    let p = Z2(c3(t2));
+    if (n.constantTimeEqual(p, e)) return { valid: true, delta: t2 - s, epoch: t2 * a2 + l2, timeStep: t2 };
+  }
+  return { valid: false };
+}
+
+// ../../node_modules/.pnpm/@scure+base@2.2.0/node_modules/@scure/base/index.js
+function isBytes(a2) {
+  return a2 instanceof Uint8Array || ArrayBuffer.isView(a2) && a2.constructor.name === "Uint8Array" && "BYTES_PER_ELEMENT" in a2 && a2.BYTES_PER_ELEMENT === 1;
+}
+function isArrayOf(isString, arr) {
+  if (!Array.isArray(arr))
+    return false;
+  if (arr.length === 0)
+    return true;
+  if (isString) {
+    return arr.every((item) => typeof item === "string");
+  } else {
+    return arr.every((item) => Number.isSafeInteger(item));
+  }
+}
+function astr(label, input) {
+  if (typeof input !== "string")
+    throw new TypeError(`${label}: string expected`);
+  return true;
+}
+function anumber(n) {
+  if (typeof n !== "number")
+    throw new TypeError(`number expected, got ${typeof n}`);
+  if (!Number.isSafeInteger(n))
+    throw new RangeError(`invalid integer: ${n}`);
+}
+function aArr(input) {
+  if (!Array.isArray(input))
+    throw new TypeError("array expected");
+}
+function astrArr(label, input) {
+  if (!isArrayOf(true, input))
+    throw new TypeError(`${label}: array of strings expected`);
+}
+function anumArr(label, input) {
+  if (!isArrayOf(false, input))
+    throw new TypeError(`${label}: array of numbers expected`);
+}
+// @__NO_SIDE_EFFECTS__
+function chain(...args) {
+  const id = (a2) => a2;
+  const wrap = (a2, b3) => (c3) => a2(b3(c3));
+  const encode = args.map((x4) => x4.encode).reduceRight(wrap, id);
+  const decode = args.map((x4) => x4.decode).reduce(wrap, id);
+  return { encode, decode };
+}
+// @__NO_SIDE_EFFECTS__
+function alphabet(letters) {
+  const lettersA = typeof letters === "string" ? letters.split("") : letters;
+  const len = lettersA.length;
+  astrArr("alphabet", lettersA);
+  const indexes = new Map(lettersA.map((l2, i2) => [l2, i2]));
+  return {
+    encode: (digits) => {
+      aArr(digits);
+      return digits.map((i2) => {
+        if (!Number.isSafeInteger(i2) || i2 < 0 || i2 >= len)
+          throw new Error(`alphabet.encode: digit index outside alphabet "${i2}". Allowed: ${letters}`);
+        return lettersA[i2];
+      });
+    },
+    decode: (input) => {
+      aArr(input);
+      return input.map((letter) => {
+        astr("alphabet.decode", letter);
+        const i2 = indexes.get(letter);
+        if (i2 === void 0)
+          throw new Error(`Unknown letter: "${letter}". Allowed: ${letters}`);
+        return i2;
+      });
+    }
+  };
+}
+// @__NO_SIDE_EFFECTS__
+function join2(separator = "") {
+  astr("join", separator);
+  return {
+    encode: (from) => {
+      astrArr("join.decode", from);
+      return from.join(separator);
+    },
+    decode: (to) => {
+      astr("join.decode", to);
+      return to.split(separator);
+    }
+  };
+}
+// @__NO_SIDE_EFFECTS__
+function padding(bits, chr = "=") {
+  anumber(bits);
+  astr("padding", chr);
+  return {
+    encode(data) {
+      astrArr("padding.encode", data);
+      while (data.length * bits % 8)
+        data.push(chr);
+      return data;
+    },
+    decode(input) {
+      astrArr("padding.decode", input);
+      let end = input.length;
+      if (end * bits % 8)
+        throw new Error("padding: invalid, string should have whole number of bytes");
+      for (; end > 0 && input[end - 1] === chr; end--) {
+        const last = end - 1;
+        const byte = last * bits;
+        if (byte % 8 === 0)
+          throw new Error("padding: invalid, string has too much padding");
+      }
+      return input.slice(0, end);
+    }
+  };
+}
+var gcd = (a2, b3) => b3 === 0 ? a2 : gcd(b3, a2 % b3);
+var radix2carry = /* @__NO_SIDE_EFFECTS__ */ (from, to) => from + (to - gcd(from, to));
+var powers = /* @__PURE__ */ (() => {
+  let res = [];
+  for (let i2 = 0; i2 < 40; i2++)
+    res.push(2 ** i2);
+  return res;
+})();
+function convertRadix2(data, from, to, padding2) {
+  aArr(data);
+  if (from <= 0 || from > 32)
+    throw new RangeError(`convertRadix2: wrong from=${from}`);
+  if (to <= 0 || to > 32)
+    throw new RangeError(`convertRadix2: wrong to=${to}`);
+  if (/* @__PURE__ */ radix2carry(from, to) > 32) {
+    throw new Error(`convertRadix2: carry overflow from=${from} to=${to} carryBits=${/* @__PURE__ */ radix2carry(from, to)}`);
+  }
+  let carry = 0;
+  let pos = 0;
+  const max = powers[from];
+  const mask = powers[to] - 1;
+  const res = [];
+  for (const n of data) {
+    anumber(n);
+    if (n >= max)
+      throw new Error(`convertRadix2: invalid data word=${n} from=${from}`);
+    carry = carry << from | n;
+    if (pos + from > 32)
+      throw new Error(`convertRadix2: carry overflow pos=${pos} from=${from}`);
+    pos += from;
+    for (; pos >= to; pos -= to)
+      res.push((carry >> pos - to & mask) >>> 0);
+    const pow = powers[pos];
+    if (pow === void 0)
+      throw new Error("invalid carry");
+    carry &= pow - 1;
+  }
+  carry = carry << to - pos & mask;
+  if (!padding2 && pos >= from)
+    throw new Error("Excess padding");
+  if (!padding2 && carry > 0)
+    throw new Error(`Non-zero padding: ${carry}`);
+  if (padding2 && pos > 0)
+    res.push(carry >>> 0);
+  return res;
+}
+// @__NO_SIDE_EFFECTS__
+function radix2(bits, revPadding = false) {
+  anumber(bits);
+  if (bits <= 0 || bits > 32)
+    throw new RangeError("radix2: bits should be in (0..32]");
+  if (/* @__PURE__ */ radix2carry(8, bits) > 32 || /* @__PURE__ */ radix2carry(bits, 8) > 32)
+    throw new RangeError("radix2: carry overflow");
+  return {
+    encode: (bytes) => {
+      if (!isBytes(bytes))
+        throw new TypeError("radix2.encode input should be Uint8Array");
+      return convertRadix2(Array.from(bytes), 8, bits, !revPadding);
+    },
+    decode: (digits) => {
+      anumArr("radix2.decode", digits);
+      return Uint8Array.from(convertRadix2(digits, bits, 8, revPadding));
+    }
+  };
+}
+var base32 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ chain(/* @__PURE__ */ radix2(5), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"), /* @__PURE__ */ padding(5), /* @__PURE__ */ join2("")));
+
+// ../../node_modules/.pnpm/@otplib+plugin-base32-scure@13.4.0/node_modules/@otplib/plugin-base32-scure/dist/index.js
+var r = class {
+  name = "scure";
+  encode(o, e = {}) {
+    let { padding: t2 = false } = e, n = base32.encode(o);
+    return t2 ? n : n.replace(/=+$/, "");
+  }
+  decode(o) {
+    try {
+      let e = o.toUpperCase(), t2 = e.padEnd(Math.ceil(e.length / 8) * 8, "=");
+      return base32.decode(t2);
+    } catch (e) {
+      throw e instanceof Error ? new Error(`Invalid Base32 string: ${e.message}`) : new Error("Invalid Base32 string");
+    }
+  }
+};
+var d2 = Object.freeze(new r());
+
+// ../../node_modules/.pnpm/@noble+hashes@2.2.0/node_modules/@noble/hashes/utils.js
+function isBytes2(a2) {
+  return a2 instanceof Uint8Array || ArrayBuffer.isView(a2) && a2.constructor.name === "Uint8Array" && "BYTES_PER_ELEMENT" in a2 && a2.BYTES_PER_ELEMENT === 1;
+}
+function anumber2(n, title = "") {
+  if (typeof n !== "number") {
+    const prefix = title && `"${title}" `;
+    throw new TypeError(`${prefix}expected number, got ${typeof n}`);
+  }
+  if (!Number.isSafeInteger(n) || n < 0) {
+    const prefix = title && `"${title}" `;
+    throw new RangeError(`${prefix}expected integer >= 0, got ${n}`);
+  }
+}
+function abytes(value, length, title = "") {
+  const bytes = isBytes2(value);
+  const len = value?.length;
+  const needsLen = length !== void 0;
+  if (!bytes || needsLen && len !== length) {
+    const prefix = title && `"${title}" `;
+    const ofLen = needsLen ? ` of length ${length}` : "";
+    const got = bytes ? `length=${len}` : `type=${typeof value}`;
+    const message = prefix + "expected Uint8Array" + ofLen + ", got " + got;
+    if (!bytes)
+      throw new TypeError(message);
+    throw new RangeError(message);
+  }
+  return value;
+}
+function ahash(h3) {
+  if (typeof h3 !== "function" || typeof h3.create !== "function")
+    throw new TypeError("Hash must wrapped by utils.createHasher");
+  anumber2(h3.outputLen);
+  anumber2(h3.blockLen);
+  if (h3.outputLen < 1)
+    throw new Error('"outputLen" must be >= 1');
+  if (h3.blockLen < 1)
+    throw new Error('"blockLen" must be >= 1');
+}
+function aexists(instance, checkFinished = true) {
+  if (instance.destroyed)
+    throw new Error("Hash instance has been destroyed");
+  if (checkFinished && instance.finished)
+    throw new Error("Hash#digest() has already been called");
+}
+function aoutput(out, instance) {
+  abytes(out, void 0, "digestInto() output");
+  const min = instance.outputLen;
+  if (out.length < min) {
+    throw new RangeError('"digestInto() output" expected to be of length >=' + min);
+  }
+}
+function clean(...arrays) {
+  for (let i2 = 0; i2 < arrays.length; i2++) {
+    arrays[i2].fill(0);
+  }
+}
+function createView(arr) {
+  return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+function rotr(word, shift) {
+  return word << 32 - shift | word >>> shift;
+}
+function rotl(word, shift) {
+  return word << shift | word >>> 32 - shift >>> 0;
+}
+function createHasher(hashCons, info = {}) {
+  const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
+  const tmp = hashCons(void 0);
+  hashC.outputLen = tmp.outputLen;
+  hashC.blockLen = tmp.blockLen;
+  hashC.canXOF = tmp.canXOF;
+  hashC.create = (opts) => hashCons(opts);
+  Object.assign(hashC, info);
+  return Object.freeze(hashC);
+}
+function randomBytes(bytesLength = 32) {
+  anumber2(bytesLength, "bytesLength");
+  const cr2 = typeof globalThis === "object" ? globalThis.crypto : null;
+  if (typeof cr2?.getRandomValues !== "function")
+    throw new Error("crypto.getRandomValues must be defined");
+  if (bytesLength > 65536)
+    throw new RangeError(`"bytesLength" expected <= 65536, got ${bytesLength}`);
+  return cr2.getRandomValues(new Uint8Array(bytesLength));
+}
+var oidNist = (suffix) => ({
+  // Current NIST hashAlgs suffixes used here fit in one DER subidentifier octet.
+  // Larger suffix values would need base-128 OID encoding and a different length byte.
+  oid: Uint8Array.from([6, 9, 96, 134, 72, 1, 101, 3, 4, 2, suffix])
+});
+
+// ../../node_modules/.pnpm/@noble+hashes@2.2.0/node_modules/@noble/hashes/hmac.js
+var _HMAC = class {
+  oHash;
+  iHash;
+  blockLen;
+  outputLen;
+  canXOF = false;
+  finished = false;
+  destroyed = false;
+  constructor(hash, key) {
+    ahash(hash);
+    abytes(key, void 0, "key");
+    this.iHash = hash.create();
+    if (typeof this.iHash.update !== "function")
+      throw new Error("Expected instance of class which extends utils.Hash");
+    this.blockLen = this.iHash.blockLen;
+    this.outputLen = this.iHash.outputLen;
+    const blockLen = this.blockLen;
+    const pad = new Uint8Array(blockLen);
+    pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
+    for (let i2 = 0; i2 < pad.length; i2++)
+      pad[i2] ^= 54;
+    this.iHash.update(pad);
+    this.oHash = hash.create();
+    for (let i2 = 0; i2 < pad.length; i2++)
+      pad[i2] ^= 54 ^ 92;
+    this.oHash.update(pad);
+    clean(pad);
+  }
+  update(buf) {
+    aexists(this);
+    this.iHash.update(buf);
+    return this;
+  }
+  digestInto(out) {
+    aexists(this);
+    aoutput(out, this);
+    this.finished = true;
+    const buf = out.subarray(0, this.outputLen);
+    this.iHash.digestInto(buf);
+    this.oHash.update(buf);
+    this.oHash.digestInto(buf);
+    this.destroy();
+  }
+  digest() {
+    const out = new Uint8Array(this.oHash.outputLen);
+    this.digestInto(out);
+    return out;
+  }
+  _cloneInto(to) {
+    to ||= Object.create(Object.getPrototypeOf(this), {});
+    const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
+    to = to;
+    to.finished = finished;
+    to.destroyed = destroyed;
+    to.blockLen = blockLen;
+    to.outputLen = outputLen;
+    to.oHash = oHash._cloneInto(to.oHash);
+    to.iHash = iHash._cloneInto(to.iHash);
+    return to;
+  }
+  clone() {
+    return this._cloneInto();
+  }
+  destroy() {
+    this.destroyed = true;
+    this.oHash.destroy();
+    this.iHash.destroy();
+  }
+};
+var hmac = /* @__PURE__ */ (() => {
+  const hmac_ = ((hash, key, message) => new _HMAC(hash, key).update(message).digest());
+  hmac_.create = (hash, key) => new _HMAC(hash, key);
+  return hmac_;
+})();
+
+// ../../node_modules/.pnpm/@noble+hashes@2.2.0/node_modules/@noble/hashes/_md.js
+function Chi(a2, b3, c3) {
+  return a2 & b3 ^ ~a2 & c3;
+}
+function Maj(a2, b3, c3) {
+  return a2 & b3 ^ a2 & c3 ^ b3 & c3;
+}
+var HashMD = class {
+  blockLen;
+  outputLen;
+  canXOF = false;
+  padOffset;
+  isLE;
+  // For partial updates less than block size
+  buffer;
+  view;
+  finished = false;
+  length = 0;
+  pos = 0;
+  destroyed = false;
+  constructor(blockLen, outputLen, padOffset, isLE) {
+    this.blockLen = blockLen;
+    this.outputLen = outputLen;
+    this.padOffset = padOffset;
+    this.isLE = isLE;
+    this.buffer = new Uint8Array(blockLen);
+    this.view = createView(this.buffer);
+  }
+  update(data) {
+    aexists(this);
+    abytes(data);
+    const { view, buffer, blockLen } = this;
+    const len = data.length;
+    for (let pos = 0; pos < len; ) {
+      const take = Math.min(blockLen - this.pos, len - pos);
+      if (take === blockLen) {
+        const dataView = createView(data);
+        for (; blockLen <= len - pos; pos += blockLen)
+          this.process(dataView, pos);
+        continue;
+      }
+      buffer.set(data.subarray(pos, pos + take), this.pos);
+      this.pos += take;
+      pos += take;
+      if (this.pos === blockLen) {
+        this.process(view, 0);
+        this.pos = 0;
+      }
+    }
+    this.length += data.length;
+    this.roundClean();
+    return this;
+  }
+  digestInto(out) {
+    aexists(this);
+    aoutput(out, this);
+    this.finished = true;
+    const { buffer, view, blockLen, isLE } = this;
+    let { pos } = this;
+    buffer[pos++] = 128;
+    clean(this.buffer.subarray(pos));
+    if (this.padOffset > blockLen - pos) {
+      this.process(view, 0);
+      pos = 0;
+    }
+    for (let i2 = pos; i2 < blockLen; i2++)
+      buffer[i2] = 0;
+    view.setBigUint64(blockLen - 8, BigInt(this.length * 8), isLE);
+    this.process(view, 0);
+    const oview = createView(out);
+    const len = this.outputLen;
+    if (len % 4)
+      throw new Error("_sha2: outputLen must be aligned to 32bit");
+    const outLen = len / 4;
+    const state = this.get();
+    if (outLen > state.length)
+      throw new Error("_sha2: outputLen bigger than state");
+    for (let i2 = 0; i2 < outLen; i2++)
+      oview.setUint32(4 * i2, state[i2], isLE);
+  }
+  digest() {
+    const { buffer, outputLen } = this;
+    this.digestInto(buffer);
+    const res = buffer.slice(0, outputLen);
+    this.destroy();
+    return res;
+  }
+  _cloneInto(to) {
+    to ||= new this.constructor();
+    to.set(...this.get());
+    const { blockLen, buffer, length, finished, destroyed, pos } = this;
+    to.destroyed = destroyed;
+    to.finished = finished;
+    to.length = length;
+    to.pos = pos;
+    if (length % blockLen)
+      to.buffer.set(buffer);
+    return to;
+  }
+  clone() {
+    return this._cloneInto();
+  }
+};
+var SHA256_IV = /* @__PURE__ */ Uint32Array.from([
+  1779033703,
+  3144134277,
+  1013904242,
+  2773480762,
+  1359893119,
+  2600822924,
+  528734635,
+  1541459225
+]);
+var SHA512_IV = /* @__PURE__ */ Uint32Array.from([
+  1779033703,
+  4089235720,
+  3144134277,
+  2227873595,
+  1013904242,
+  4271175723,
+  2773480762,
+  1595750129,
+  1359893119,
+  2917565137,
+  2600822924,
+  725511199,
+  528734635,
+  4215389547,
+  1541459225,
+  327033209
+]);
+
+// ../../node_modules/.pnpm/@noble+hashes@2.2.0/node_modules/@noble/hashes/legacy.js
+var SHA1_IV = /* @__PURE__ */ Uint32Array.from([
+  1732584193,
+  4023233417,
+  2562383102,
+  271733878,
+  3285377520
+]);
+var SHA1_W = /* @__PURE__ */ new Uint32Array(80);
+var _SHA1 = class extends HashMD {
+  A = SHA1_IV[0] | 0;
+  B = SHA1_IV[1] | 0;
+  C = SHA1_IV[2] | 0;
+  D = SHA1_IV[3] | 0;
+  E = SHA1_IV[4] | 0;
+  constructor() {
+    super(64, 20, 8, false);
+  }
+  get() {
+    const { A: A3, B: B2, C: C2, D, E: E2 } = this;
+    return [A3, B2, C2, D, E2];
+  }
+  set(A3, B2, C2, D, E2) {
+    this.A = A3 | 0;
+    this.B = B2 | 0;
+    this.C = C2 | 0;
+    this.D = D | 0;
+    this.E = E2 | 0;
+  }
+  process(view, offset) {
+    for (let i2 = 0; i2 < 16; i2++, offset += 4)
+      SHA1_W[i2] = view.getUint32(offset, false);
+    for (let i2 = 16; i2 < 80; i2++)
+      SHA1_W[i2] = rotl(SHA1_W[i2 - 3] ^ SHA1_W[i2 - 8] ^ SHA1_W[i2 - 14] ^ SHA1_W[i2 - 16], 1);
+    let { A: A3, B: B2, C: C2, D, E: E2 } = this;
+    for (let i2 = 0; i2 < 80; i2++) {
+      let F2, K2;
+      if (i2 < 20) {
+        F2 = Chi(B2, C2, D);
+        K2 = 1518500249;
+      } else if (i2 < 40) {
+        F2 = B2 ^ C2 ^ D;
+        K2 = 1859775393;
+      } else if (i2 < 60) {
+        F2 = Maj(B2, C2, D);
+        K2 = 2400959708;
+      } else {
+        F2 = B2 ^ C2 ^ D;
+        K2 = 3395469782;
+      }
+      const T3 = rotl(A3, 5) + F2 + E2 + K2 + SHA1_W[i2] | 0;
+      E2 = D;
+      D = C2;
+      C2 = rotl(B2, 30);
+      B2 = A3;
+      A3 = T3;
+    }
+    A3 = A3 + this.A | 0;
+    B2 = B2 + this.B | 0;
+    C2 = C2 + this.C | 0;
+    D = D + this.D | 0;
+    E2 = E2 + this.E | 0;
+    this.set(A3, B2, C2, D, E2);
+  }
+  roundClean() {
+    clean(SHA1_W);
+  }
+  destroy() {
+    this.destroyed = true;
+    this.set(0, 0, 0, 0, 0);
+    clean(this.buffer);
+  }
+};
+var sha1 = /* @__PURE__ */ createHasher(() => new _SHA1());
+
+// ../../node_modules/.pnpm/@noble+hashes@2.2.0/node_modules/@noble/hashes/_u64.js
+var U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
+var _32n = /* @__PURE__ */ BigInt(32);
+function fromBig(n, le = false) {
+  if (le)
+    return { h: Number(n & U32_MASK64), l: Number(n >> _32n & U32_MASK64) };
+  return { h: Number(n >> _32n & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
+}
+function split(lst, le = false) {
+  const len = lst.length;
+  let Ah = new Uint32Array(len);
+  let Al = new Uint32Array(len);
+  for (let i2 = 0; i2 < len; i2++) {
+    const { h: h3, l: l2 } = fromBig(lst[i2], le);
+    [Ah[i2], Al[i2]] = [h3, l2];
+  }
+  return [Ah, Al];
+}
+var shrSH = (h3, _l, s) => h3 >>> s;
+var shrSL = (h3, l2, s) => h3 << 32 - s | l2 >>> s;
+var rotrSH = (h3, l2, s) => h3 >>> s | l2 << 32 - s;
+var rotrSL = (h3, l2, s) => h3 << 32 - s | l2 >>> s;
+var rotrBH = (h3, l2, s) => h3 << 64 - s | l2 >>> s - 32;
+var rotrBL = (h3, l2, s) => h3 >>> s - 32 | l2 << 64 - s;
+function add(Ah, Al, Bh, Bl) {
+  const l2 = (Al >>> 0) + (Bl >>> 0);
+  return { h: Ah + Bh + (l2 / 2 ** 32 | 0) | 0, l: l2 | 0 };
+}
+var add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
+var add3H = (low, Ah, Bh, Ch) => Ah + Bh + Ch + (low / 2 ** 32 | 0) | 0;
+var add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
+var add4H = (low, Ah, Bh, Ch, Dh) => Ah + Bh + Ch + Dh + (low / 2 ** 32 | 0) | 0;
+var add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
+var add5H = (low, Ah, Bh, Ch, Dh, Eh) => Ah + Bh + Ch + Dh + Eh + (low / 2 ** 32 | 0) | 0;
+
+// ../../node_modules/.pnpm/@noble+hashes@2.2.0/node_modules/@noble/hashes/sha2.js
+var SHA256_K = /* @__PURE__ */ Uint32Array.from([
+  1116352408,
+  1899447441,
+  3049323471,
+  3921009573,
+  961987163,
+  1508970993,
+  2453635748,
+  2870763221,
+  3624381080,
+  310598401,
+  607225278,
+  1426881987,
+  1925078388,
+  2162078206,
+  2614888103,
+  3248222580,
+  3835390401,
+  4022224774,
+  264347078,
+  604807628,
+  770255983,
+  1249150122,
+  1555081692,
+  1996064986,
+  2554220882,
+  2821834349,
+  2952996808,
+  3210313671,
+  3336571891,
+  3584528711,
+  113926993,
+  338241895,
+  666307205,
+  773529912,
+  1294757372,
+  1396182291,
+  1695183700,
+  1986661051,
+  2177026350,
+  2456956037,
+  2730485921,
+  2820302411,
+  3259730800,
+  3345764771,
+  3516065817,
+  3600352804,
+  4094571909,
+  275423344,
+  430227734,
+  506948616,
+  659060556,
+  883997877,
+  958139571,
+  1322822218,
+  1537002063,
+  1747873779,
+  1955562222,
+  2024104815,
+  2227730452,
+  2361852424,
+  2428436474,
+  2756734187,
+  3204031479,
+  3329325298
+]);
+var SHA256_W = /* @__PURE__ */ new Uint32Array(64);
+var SHA2_32B = class extends HashMD {
+  constructor(outputLen) {
+    super(64, outputLen, 8, false);
+  }
+  get() {
+    const { A: A3, B: B2, C: C2, D, E: E2, F: F2, G: G3, H } = this;
+    return [A3, B2, C2, D, E2, F2, G3, H];
+  }
+  // prettier-ignore
+  set(A3, B2, C2, D, E2, F2, G3, H) {
+    this.A = A3 | 0;
+    this.B = B2 | 0;
+    this.C = C2 | 0;
+    this.D = D | 0;
+    this.E = E2 | 0;
+    this.F = F2 | 0;
+    this.G = G3 | 0;
+    this.H = H | 0;
+  }
+  process(view, offset) {
+    for (let i2 = 0; i2 < 16; i2++, offset += 4)
+      SHA256_W[i2] = view.getUint32(offset, false);
+    for (let i2 = 16; i2 < 64; i2++) {
+      const W15 = SHA256_W[i2 - 15];
+      const W2 = SHA256_W[i2 - 2];
+      const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ W15 >>> 3;
+      const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ W2 >>> 10;
+      SHA256_W[i2] = s1 + SHA256_W[i2 - 7] + s0 + SHA256_W[i2 - 16] | 0;
+    }
+    let { A: A3, B: B2, C: C2, D, E: E2, F: F2, G: G3, H } = this;
+    for (let i2 = 0; i2 < 64; i2++) {
+      const sigma1 = rotr(E2, 6) ^ rotr(E2, 11) ^ rotr(E2, 25);
+      const T1 = H + sigma1 + Chi(E2, F2, G3) + SHA256_K[i2] + SHA256_W[i2] | 0;
+      const sigma0 = rotr(A3, 2) ^ rotr(A3, 13) ^ rotr(A3, 22);
+      const T22 = sigma0 + Maj(A3, B2, C2) | 0;
+      H = G3;
+      G3 = F2;
+      F2 = E2;
+      E2 = D + T1 | 0;
+      D = C2;
+      C2 = B2;
+      B2 = A3;
+      A3 = T1 + T22 | 0;
+    }
+    A3 = A3 + this.A | 0;
+    B2 = B2 + this.B | 0;
+    C2 = C2 + this.C | 0;
+    D = D + this.D | 0;
+    E2 = E2 + this.E | 0;
+    F2 = F2 + this.F | 0;
+    G3 = G3 + this.G | 0;
+    H = H + this.H | 0;
+    this.set(A3, B2, C2, D, E2, F2, G3, H);
+  }
+  roundClean() {
+    clean(SHA256_W);
+  }
+  destroy() {
+    this.destroyed = true;
+    this.set(0, 0, 0, 0, 0, 0, 0, 0);
+    clean(this.buffer);
+  }
+};
+var _SHA256 = class extends SHA2_32B {
+  // We cannot use array here since array allows indexing by variable
+  // which means optimizer/compiler cannot use registers.
+  A = SHA256_IV[0] | 0;
+  B = SHA256_IV[1] | 0;
+  C = SHA256_IV[2] | 0;
+  D = SHA256_IV[3] | 0;
+  E = SHA256_IV[4] | 0;
+  F = SHA256_IV[5] | 0;
+  G = SHA256_IV[6] | 0;
+  H = SHA256_IV[7] | 0;
+  constructor() {
+    super(32);
+  }
+};
+var K512 = /* @__PURE__ */ (() => split([
+  "0x428a2f98d728ae22",
+  "0x7137449123ef65cd",
+  "0xb5c0fbcfec4d3b2f",
+  "0xe9b5dba58189dbbc",
+  "0x3956c25bf348b538",
+  "0x59f111f1b605d019",
+  "0x923f82a4af194f9b",
+  "0xab1c5ed5da6d8118",
+  "0xd807aa98a3030242",
+  "0x12835b0145706fbe",
+  "0x243185be4ee4b28c",
+  "0x550c7dc3d5ffb4e2",
+  "0x72be5d74f27b896f",
+  "0x80deb1fe3b1696b1",
+  "0x9bdc06a725c71235",
+  "0xc19bf174cf692694",
+  "0xe49b69c19ef14ad2",
+  "0xefbe4786384f25e3",
+  "0x0fc19dc68b8cd5b5",
+  "0x240ca1cc77ac9c65",
+  "0x2de92c6f592b0275",
+  "0x4a7484aa6ea6e483",
+  "0x5cb0a9dcbd41fbd4",
+  "0x76f988da831153b5",
+  "0x983e5152ee66dfab",
+  "0xa831c66d2db43210",
+  "0xb00327c898fb213f",
+  "0xbf597fc7beef0ee4",
+  "0xc6e00bf33da88fc2",
+  "0xd5a79147930aa725",
+  "0x06ca6351e003826f",
+  "0x142929670a0e6e70",
+  "0x27b70a8546d22ffc",
+  "0x2e1b21385c26c926",
+  "0x4d2c6dfc5ac42aed",
+  "0x53380d139d95b3df",
+  "0x650a73548baf63de",
+  "0x766a0abb3c77b2a8",
+  "0x81c2c92e47edaee6",
+  "0x92722c851482353b",
+  "0xa2bfe8a14cf10364",
+  "0xa81a664bbc423001",
+  "0xc24b8b70d0f89791",
+  "0xc76c51a30654be30",
+  "0xd192e819d6ef5218",
+  "0xd69906245565a910",
+  "0xf40e35855771202a",
+  "0x106aa07032bbd1b8",
+  "0x19a4c116b8d2d0c8",
+  "0x1e376c085141ab53",
+  "0x2748774cdf8eeb99",
+  "0x34b0bcb5e19b48a8",
+  "0x391c0cb3c5c95a63",
+  "0x4ed8aa4ae3418acb",
+  "0x5b9cca4f7763e373",
+  "0x682e6ff3d6b2b8a3",
+  "0x748f82ee5defb2fc",
+  "0x78a5636f43172f60",
+  "0x84c87814a1f0ab72",
+  "0x8cc702081a6439ec",
+  "0x90befffa23631e28",
+  "0xa4506cebde82bde9",
+  "0xbef9a3f7b2c67915",
+  "0xc67178f2e372532b",
+  "0xca273eceea26619c",
+  "0xd186b8c721c0c207",
+  "0xeada7dd6cde0eb1e",
+  "0xf57d4f7fee6ed178",
+  "0x06f067aa72176fba",
+  "0x0a637dc5a2c898a6",
+  "0x113f9804bef90dae",
+  "0x1b710b35131c471b",
+  "0x28db77f523047d84",
+  "0x32caab7b40c72493",
+  "0x3c9ebe0a15c9bebc",
+  "0x431d67c49c100d4c",
+  "0x4cc5d4becb3e42b6",
+  "0x597f299cfc657e2a",
+  "0x5fcb6fab3ad6faec",
+  "0x6c44198c4a475817"
+].map((n) => BigInt(n))))();
+var SHA512_Kh = /* @__PURE__ */ (() => K512[0])();
+var SHA512_Kl = /* @__PURE__ */ (() => K512[1])();
+var SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
+var SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
+var SHA2_64B = class extends HashMD {
+  constructor(outputLen) {
+    super(128, outputLen, 16, false);
+  }
+  // prettier-ignore
+  get() {
+    const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
+    return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];
+  }
+  // prettier-ignore
+  set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {
+    this.Ah = Ah | 0;
+    this.Al = Al | 0;
+    this.Bh = Bh | 0;
+    this.Bl = Bl | 0;
+    this.Ch = Ch | 0;
+    this.Cl = Cl | 0;
+    this.Dh = Dh | 0;
+    this.Dl = Dl | 0;
+    this.Eh = Eh | 0;
+    this.El = El | 0;
+    this.Fh = Fh | 0;
+    this.Fl = Fl | 0;
+    this.Gh = Gh | 0;
+    this.Gl = Gl | 0;
+    this.Hh = Hh | 0;
+    this.Hl = Hl | 0;
+  }
+  process(view, offset) {
+    for (let i2 = 0; i2 < 16; i2++, offset += 4) {
+      SHA512_W_H[i2] = view.getUint32(offset);
+      SHA512_W_L[i2] = view.getUint32(offset += 4);
+    }
+    for (let i2 = 16; i2 < 80; i2++) {
+      const W15h = SHA512_W_H[i2 - 15] | 0;
+      const W15l = SHA512_W_L[i2 - 15] | 0;
+      const s0h = rotrSH(W15h, W15l, 1) ^ rotrSH(W15h, W15l, 8) ^ shrSH(W15h, W15l, 7);
+      const s0l = rotrSL(W15h, W15l, 1) ^ rotrSL(W15h, W15l, 8) ^ shrSL(W15h, W15l, 7);
+      const W2h = SHA512_W_H[i2 - 2] | 0;
+      const W2l = SHA512_W_L[i2 - 2] | 0;
+      const s1h = rotrSH(W2h, W2l, 19) ^ rotrBH(W2h, W2l, 61) ^ shrSH(W2h, W2l, 6);
+      const s1l = rotrSL(W2h, W2l, 19) ^ rotrBL(W2h, W2l, 61) ^ shrSL(W2h, W2l, 6);
+      const SUMl = add4L(s0l, s1l, SHA512_W_L[i2 - 7], SHA512_W_L[i2 - 16]);
+      const SUMh = add4H(SUMl, s0h, s1h, SHA512_W_H[i2 - 7], SHA512_W_H[i2 - 16]);
+      SHA512_W_H[i2] = SUMh | 0;
+      SHA512_W_L[i2] = SUMl | 0;
+    }
+    let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
+    for (let i2 = 0; i2 < 80; i2++) {
+      const sigma1h = rotrSH(Eh, El, 14) ^ rotrSH(Eh, El, 18) ^ rotrBH(Eh, El, 41);
+      const sigma1l = rotrSL(Eh, El, 14) ^ rotrSL(Eh, El, 18) ^ rotrBL(Eh, El, 41);
+      const CHIh = Eh & Fh ^ ~Eh & Gh;
+      const CHIl = El & Fl ^ ~El & Gl;
+      const T1ll = add5L(Hl, sigma1l, CHIl, SHA512_Kl[i2], SHA512_W_L[i2]);
+      const T1h = add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i2], SHA512_W_H[i2]);
+      const T1l = T1ll | 0;
+      const sigma0h = rotrSH(Ah, Al, 28) ^ rotrBH(Ah, Al, 34) ^ rotrBH(Ah, Al, 39);
+      const sigma0l = rotrSL(Ah, Al, 28) ^ rotrBL(Ah, Al, 34) ^ rotrBL(Ah, Al, 39);
+      const MAJh = Ah & Bh ^ Ah & Ch ^ Bh & Ch;
+      const MAJl = Al & Bl ^ Al & Cl ^ Bl & Cl;
+      Hh = Gh | 0;
+      Hl = Gl | 0;
+      Gh = Fh | 0;
+      Gl = Fl | 0;
+      Fh = Eh | 0;
+      Fl = El | 0;
+      ({ h: Eh, l: El } = add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));
+      Dh = Ch | 0;
+      Dl = Cl | 0;
+      Ch = Bh | 0;
+      Cl = Bl | 0;
+      Bh = Ah | 0;
+      Bl = Al | 0;
+      const All = add3L(T1l, sigma0l, MAJl);
+      Ah = add3H(All, T1h, sigma0h, MAJh);
+      Al = All | 0;
+    }
+    ({ h: Ah, l: Al } = add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));
+    ({ h: Bh, l: Bl } = add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));
+    ({ h: Ch, l: Cl } = add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));
+    ({ h: Dh, l: Dl } = add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));
+    ({ h: Eh, l: El } = add(this.Eh | 0, this.El | 0, Eh | 0, El | 0));
+    ({ h: Fh, l: Fl } = add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));
+    ({ h: Gh, l: Gl } = add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));
+    ({ h: Hh, l: Hl } = add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));
+    this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);
+  }
+  roundClean() {
+    clean(SHA512_W_H, SHA512_W_L);
+  }
+  destroy() {
+    this.destroyed = true;
+    clean(this.buffer);
+    this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+  }
+};
+var _SHA512 = class extends SHA2_64B {
+  Ah = SHA512_IV[0] | 0;
+  Al = SHA512_IV[1] | 0;
+  Bh = SHA512_IV[2] | 0;
+  Bl = SHA512_IV[3] | 0;
+  Ch = SHA512_IV[4] | 0;
+  Cl = SHA512_IV[5] | 0;
+  Dh = SHA512_IV[6] | 0;
+  Dl = SHA512_IV[7] | 0;
+  Eh = SHA512_IV[8] | 0;
+  El = SHA512_IV[9] | 0;
+  Fh = SHA512_IV[10] | 0;
+  Fl = SHA512_IV[11] | 0;
+  Gh = SHA512_IV[12] | 0;
+  Gl = SHA512_IV[13] | 0;
+  Hh = SHA512_IV[14] | 0;
+  Hl = SHA512_IV[15] | 0;
+  constructor() {
+    super(64);
+  }
+};
+var sha256 = /* @__PURE__ */ createHasher(
+  () => new _SHA256(),
+  /* @__PURE__ */ oidNist(1)
+);
+var sha512 = /* @__PURE__ */ createHasher(
+  () => new _SHA512(),
+  /* @__PURE__ */ oidNist(3)
+);
+
+// ../../node_modules/.pnpm/@otplib+plugin-crypto-noble@13.4.0/node_modules/@otplib/plugin-crypto-noble/dist/index.js
+var t = class {
+  name = "noble";
+  hmac(r2, n, a2) {
+    return hmac(r2 === "sha1" ? sha1 : r2 === "sha256" ? sha256 : sha512, n, a2);
+  }
+  randomBytes(r2) {
+    return randomBytes(r2);
+  }
+  constantTimeEqual(r2, n) {
+    return tr(r2, n);
+  }
+};
+var A2 = Object.freeze(new t());
+
+// ../../node_modules/.pnpm/otplib@13.4.0/node_modules/otplib/dist/index.js
+function c2(t2) {
+  return { secret: t2.secret, strategy: t2.strategy ?? "totp", crypto: t2.crypto ?? A2, base32: t2.base32 ?? d2, algorithm: t2.algorithm ?? "sha1", digits: t2.digits ?? 6, period: t2.period ?? 30, epoch: t2.epoch ?? Math.floor(Date.now() / 1e3), t0: t2.t0 ?? 0, counter: t2.counter, guardrails: t2.guardrails ?? hr(), hooks: t2.hooks };
+}
+function O3(t2) {
+  return { ...c2(t2), token: t2.token, epochTolerance: t2.epochTolerance ?? 0, counterTolerance: t2.counterTolerance ?? 0, afterTimeStep: t2.afterTimeStep };
+}
+function l(t2, e, r2) {
+  if (t2 === "totp") return r2.totp();
+  if (t2 === "hotp") {
+    if (e === void 0) throw new a("Counter is required for HOTP strategy. Example: { strategy: 'hotp', counter: 0 }");
+    return r2.hotp(e);
+  }
+  throw new a(`Unknown OTP strategy: ${t2}. Valid strategies are 'totp' or 'hotp'.`);
+}
+function I2(t2) {
+  let { crypto: e = A2, base32: r2 = d2, length: a2 = 20 } = t2 || {};
+  return Dr({ crypto: e, base32: r2, length: a2 });
+}
+function T2(t2) {
+  let { strategy: e = "totp", issuer: r2, label: a2, secret: o, algorithm: i2 = "sha1", digits: s = 6, period: n = 30, counter: p } = t2;
+  return l(e, p, { totp: () => x2({ issuer: r2, label: a2, secret: o, algorithm: i2, digits: s, period: n }), hotp: (y2) => U2({ issuer: r2, label: a2, secret: o, algorithm: i2, digits: s, counter: y2 }) });
+}
+function d3(t2) {
+  let e = O3(t2), { secret: r2, token: a2, crypto: o, base32: i2, algorithm: s, digits: n, hooks: p } = e, y2 = { secret: r2, token: a2, crypto: o, base32: i2, algorithm: s, digits: n, hooks: p };
+  return l(e.strategy, e.counter, { totp: () => ie({ ...y2, period: e.period, epoch: e.epoch, t0: e.t0, epochTolerance: e.epochTolerance, afterTimeStep: e.afterTimeStep, guardrails: e.guardrails }), hotp: (f2) => Y2({ ...y2, counter: f2, counterTolerance: e.counterTolerance, guardrails: e.guardrails }) });
+}
+
+// ../core/dist/controllers/auth.js
 import { z, flattenError } from "zod";
 
 // ../core/dist/media/index.js
 import multer from "multer";
 
 // ../core/dist/lib/encrypt.js
-import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+import { createCipheriv, createDecipheriv, randomBytes as randomBytes2 } from "crypto";
 var ALGORITHM = "aes-256-gcm";
 var KEY_LENGTH = 32;
 var IV_LENGTH = 12;
 var TAG_LENGTH = 16;
 function getKey() {
   const raw = process.env.PLANK_ENCRYPTION_KEY;
-  if (!raw)
+  if (!raw) {
+    if (process.env.NODE_ENV === "production") {
+      throw new Error("PLANK_ENCRYPTION_KEY is required in production");
+    }
     return null;
+  }
   const buf = Buffer.from(raw, "hex");
   if (buf.length !== KEY_LENGTH) {
+    if (process.env.NODE_ENV === "production") {
+      throw new Error("PLANK_ENCRYPTION_KEY must be 64 hex chars (32 bytes) in production");
+    }
     console.warn("[plank] PLANK_ENCRYPTION_KEY must be 64 hex chars (32 bytes). Falling back to plaintext storage.");
     return null;
   }
@@ -592,7 +2022,7 @@ function encrypt(plaintext) {
   const key = getKey();
   if (!key)
     return plaintext;
-  const iv = randomBytes(IV_LENGTH);
+  const iv = randomBytes2(IV_LENGTH);
   const cipher = createCipheriv(ALGORITHM, key, iv);
   const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
   const tag = cipher.getAuthTag();
@@ -624,7 +2054,7 @@ function isSensitive(namespace, key) {
 }
 async function getSettings(namespace) {
   const { rows } = await pool_default.query("SELECT key, value FROM plank_settings WHERE namespace = $1", [namespace]);
-  return Object.fromEntries(rows.map((r) => [r.key, isSensitive(namespace, r.key) ? decrypt(r.value) : r.value]));
+  return Object.fromEntries(rows.map((r2) => [r2.key, isSensitive(namespace, r2.key) ? decrypt(r2.value) : r2.value]));
 }
 async function getSetting(namespace, key) {
   const { rows } = await pool_default.query("SELECT value FROM plank_settings WHERE namespace = $1 AND key = $2", [namespace, key]);
@@ -639,7 +2069,7 @@ async function setSettings(namespace, values) {
     key,
     value: isSensitive(namespace, key) ? encrypt(value) : value
   }));
-  const placeholders = entries.map((_, i) => `($1, $${i * 2 + 2}, $${i * 2 + 3})`).join(", ");
+  const placeholders = entries.map((_3, i2) => `($1, $${i2 * 2 + 2}, $${i2 * 2 + 3})`).join(", ");
   const params = [namespace];
   for (const { key, value } of entries) {
     params.push(key, value);
@@ -651,8 +2081,8 @@ async function setSettings(namespace, values) {
 
 // ../core/dist/media/providers/local.js
 import { writeFile, mkdir } from "fs/promises";
-import { join as join2, extname } from "path";
-import { randomBytes as randomBytes2 } from "crypto";
+import { join as join3, extname } from "path";
+import { randomBytes as randomBytes3 } from "crypto";
 async function uploadsDir() {
   const fromSettings = await getSetting("media", "local.uploads_dir");
   return fromSettings ?? process.env.PLANK_UPLOADS_DIR ?? "public/uploads";
@@ -664,27 +2094,27 @@ async function publicUrl() {
 var localProvider = {
   async upload(file, options) {
     const base_dir = await uploadsDir();
-    const subdir = options?.prefix ? join2(base_dir, options.prefix) : base_dir;
+    const subdir = options?.prefix ? join3(base_dir, options.prefix) : base_dir;
     await mkdir(subdir, { recursive: true });
     const ext = extname(file.originalname);
-    const filename = `${randomBytes2(16).toString("hex")}${ext}`;
+    const filename = `${randomBytes3(16).toString("hex")}${ext}`;
     const key = options?.prefix ? `${options.prefix}/${filename}` : filename;
-    await writeFile(join2(base_dir, key), file.buffer);
+    await writeFile(join3(base_dir, key), file.buffer);
     const base = await publicUrl();
     return { url: `${base}/uploads/${key}`, key };
   },
   async uploadRaw(buffer, exactKey, mimeType) {
     const base_dir = await uploadsDir();
-    const dir = join2(base_dir, exactKey.split("/").slice(0, -1).join("/"));
+    const dir = join3(base_dir, exactKey.split("/").slice(0, -1).join("/"));
     await mkdir(dir, { recursive: true });
-    await writeFile(join2(base_dir, exactKey), buffer);
+    await writeFile(join3(base_dir, exactKey), buffer);
     const base = await publicUrl();
     return { url: `${base}/uploads/${exactKey}`, key: exactKey };
   },
   async delete(key) {
     const { unlink } = await import("fs/promises");
     const dir = await uploadsDir();
-    await unlink(join2(dir, key));
+    await unlink(join3(dir, key));
   },
   async getUrl(key) {
     const base = await publicUrl();
@@ -696,7 +2126,7 @@ var localProvider = {
 import { S3Client, PutObjectCommand, DeleteObjectCommand } from "@aws-sdk/client-s3";
 import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 import { extname as extname2 } from "path";
-import { randomBytes as randomBytes3 } from "crypto";
+import { randomBytes as randomBytes4 } from "crypto";
 async function getConfig() {
   const [accessKeyId, secretAccessKey, region, bucket, pathPrefix, publicUrl2] = await Promise.all([
     getSetting("media", "s3.access_key_id"),
@@ -719,7 +2149,7 @@ function buildClient(cfg) {
 }
 function buildKey(cfg, filename, prefix) {
   const ext = extname2(filename);
-  const name = `${randomBytes3(16).toString("hex")}${ext}`;
+  const name = `${randomBytes4(16).toString("hex")}${ext}`;
   const parts = [cfg.pathPrefix?.replace(/\/$/, ""), prefix, name].filter(Boolean);
   return parts.join("/");
 }
@@ -773,7 +2203,7 @@ var s3Provider = {
 import { S3Client as S3Client2, PutObjectCommand as PutObjectCommand2, DeleteObjectCommand as DeleteObjectCommand2 } from "@aws-sdk/client-s3";
 import { getSignedUrl as getSignedUrl2 } from "@aws-sdk/s3-request-presigner";
 import { extname as extname3 } from "path";
-import { randomBytes as randomBytes4 } from "crypto";
+import { randomBytes as randomBytes5 } from "crypto";
 async function getConfig2() {
   const [accessKeyId, secretAccessKey, accountId, bucket, pathPrefix, publicUrl2] = await Promise.all([
     getSetting("media", "r2.access_key_id"),
@@ -799,7 +2229,7 @@ function buildClient2(cfg) {
 }
 function buildKey2(cfg, filename, prefix) {
   const ext = extname3(filename);
-  const name = `${randomBytes4(16).toString("hex")}${ext}`;
+  const name = `${randomBytes5(16).toString("hex")}${ext}`;
   const parts = [cfg.pathPrefix?.replace(/\/$/, ""), prefix, name].filter(Boolean);
   return parts.join("/");
 }
@@ -873,57 +2303,78 @@ var LoginSchema = z.object({
   email: z.email(),
   password: z.string().min(1)
 });
+var Login2FASchema = z.object({
+  challengeToken: z.string().min(1),
+  code: z.string().trim().length(6)
+});
 var RegisterSchema = z.object({
   email: z.email(),
   password: z.string().min(8)
 });
-var loginAttempts = /* @__PURE__ */ new Map();
-var RATE_LIMIT_MAX = 10;
 var RATE_LIMIT_WINDOW_MS = 15 * 60 * 1e3;
-function checkRateLimit(ip) {
-  const now = Date.now();
-  const entry = loginAttempts.get(ip);
-  if (!entry || now > entry.resetAt) {
-    loginAttempts.set(ip, { count: 1, resetAt: now + RATE_LIMIT_WINDOW_MS });
-    return true;
-  }
-  if (entry.count >= RATE_LIMIT_MAX)
-    return false;
-  entry.count++;
-  return true;
+var LOGIN_RATE_LIMIT_MAX = 10;
+var LOGIN_2FA_RATE_LIMIT_MAX = 5;
+var ACCESS_TOKEN_COOKIE = "plank_session";
+var ACCESS_TOKEN_EXPIRES_SECONDS = 60 * 15;
+function isProduction() {
+  return process.env.NODE_ENV === "production";
 }
-function clearRateLimit(ip) {
-  loginAttempts.delete(ip);
+function setSessionCookie(res, token) {
+  res.cookie(ACCESS_TOKEN_COOKIE, token, {
+    httpOnly: true,
+    secure: isProduction(),
+    sameSite: "lax",
+    path: "/",
+    maxAge: ACCESS_TOKEN_EXPIRES_SECONDS * 1e3
+  });
 }
-async function login(req, res) {
-  const ip = req.ip ?? "unknown";
-  if (!checkRateLimit(ip)) {
-    res.status(429).json({ error: "Too many login attempts. Try again in 15 minutes." });
-    return;
-  }
-  const parsed = LoginSchema.safeParse(req.body);
-  if (!parsed.success) {
-    res.status(400).json({ errors: flattenError(parsed.error, (i) => i.message) });
-    return;
-  }
-  const { email, password } = parsed.data;
-  const { rows } = await pool_default.query(`SELECT id, email, password, role_id, first_name, last_name, avatar_url, job_title, organization, country
-     FROM plank_users
-     WHERE email = $1`, [email]);
-  const user = rows[0];
-  if (!user || !await bcrypt.compare(password, user.password)) {
-    res.status(401).json({ error: "Invalid credentials" });
-    return;
-  }
+function clearSessionCookie(res) {
+  res.clearCookie(ACCESS_TOKEN_COOKIE, {
+    httpOnly: true,
+    secure: isProduction(),
+    sameSite: "lax",
+    path: "/"
+  });
+}
+async function consumeRateLimit(scope, rateKey, max) {
+  const resetAt = new Date(Date.now() + RATE_LIMIT_WINDOW_MS);
+  const { rows } = await pool_default.query(`INSERT INTO plank_auth_rate_limits (id, scope, rate_key, count, reset_at)
+     VALUES ($1, $2, $3, 1, $4)
+     ON CONFLICT (scope, rate_key)
+     DO UPDATE
+       SET count = CASE
+                     WHEN plank_auth_rate_limits.reset_at <= NOW() THEN 1
+                     ELSE plank_auth_rate_limits.count + 1
+                   END,
+           reset_at = CASE
+                        WHEN plank_auth_rate_limits.reset_at <= NOW() THEN $4
+                        ELSE plank_auth_rate_limits.reset_at
+                      END,
+           updated_at = NOW()
+     RETURNING count, reset_at`, [createId(), scope, rateKey, resetAt]);
+  return (rows[0]?.count ?? max + 1) <= max;
+}
+async function clearRateLimit(scope, rateKey) {
+  await pool_default.query("DELETE FROM plank_auth_rate_limits WHERE scope = $1 AND rate_key = $2", [
+    scope,
+    rateKey
+  ]);
+}
+function buildAccessToken(payload) {
+  return jwt.sign(payload, process.env.PLANK_JWT_SECRET, { expiresIn: "15m" });
+}
+function buildChallengeToken(payload) {
+  return jwt.sign(payload, process.env.PLANK_JWT_SECRET, { expiresIn: "5m" });
+}
+async function buildAuthPayload(user) {
   const { rows: roleRows } = await pool_default.query("SELECT id, name, permissions FROM plank_roles WHERE id = $1", [user.role_id]);
-  clearRateLimit(ip);
   let avatarUrl = user.avatar_url;
   if (avatarUrl && !avatarUrl.startsWith("http")) {
     const provider = await getProvider();
     avatarUrl = await provider.getUrl(avatarUrl);
   }
-  const token = jwt.sign({ sub: user.id, roleId: user.role_id }, process.env.PLANK_JWT_SECRET, { expiresIn: "7d" });
-  res.json({
+  const token = buildAccessToken({ sub: user.id, roleId: user.role_id, sv: user.session_version });
+  return {
     token,
     user: {
       id: user.id,
@@ -935,10 +2386,118 @@ async function login(req, res) {
       avatarUrl,
       jobTitle: user.job_title,
       organization: user.organization,
-      country: user.country
+      country: user.country,
+      twoFactorEnabled: user.two_factor_enabled
     }
+  };
+}
+async function login(req, res) {
+  const ip = req.ip ?? "unknown";
+  const parsed = LoginSchema.safeParse(req.body);
+  if (!parsed.success) {
+    res.status(400).json({ errors: flattenError(parsed.error, (i2) => i2.message) });
+    return;
+  }
+  const { email, password } = parsed.data;
+  const rateKey = `${ip}:${email.toLowerCase()}`;
+  if (!await consumeRateLimit("login", rateKey, LOGIN_RATE_LIMIT_MAX)) {
+    res.status(429).json({ error: "Too many login attempts. Try again in 15 minutes." });
+    return;
+  }
+  const { rows } = await pool_default.query(`SELECT id, email, password, role_id, first_name, last_name, avatar_url, job_title, organization, country, two_factor_enabled, two_factor_secret, session_version
+     FROM plank_users
+     WHERE email = $1`, [email]);
+  const user = rows[0];
+  if (!user || !await bcrypt.compare(password, user.password)) {
+    res.status(401).json({ error: "Invalid credentials" });
+    return;
+  }
+  await clearRateLimit("login", rateKey);
+  if (user.two_factor_enabled && user.two_factor_secret) {
+    const challengeToken = buildChallengeToken({
+      sub: user.id,
+      roleId: user.role_id,
+      sv: user.session_version,
+      twoFactor: true,
+      jti: createId()
+    });
+    res.json({ requiresTwoFactor: true, challengeToken });
+    return;
+  }
+  const auth = await buildAuthPayload(user);
+  setSessionCookie(res, auth.token);
+  res.json({
+    requiresTwoFactor: false,
+    user: auth.user
+  });
+}
+async function loginWithTwoFactor(req, res) {
+  const ip = req.ip ?? "unknown";
+  const parsed = Login2FASchema.safeParse(req.body);
+  if (!parsed.success) {
+    res.status(400).json({ errors: flattenError(parsed.error, (i2) => i2.message) });
+    return;
+  }
+  let payload;
+  try {
+    payload = jwt.verify(parsed.data.challengeToken, process.env.PLANK_JWT_SECRET);
+  } catch {
+    res.status(401).json({ error: "Invalid or expired 2FA challenge" });
+    return;
+  }
+  if (!payload.twoFactor) {
+    res.status(400).json({ error: "Invalid 2FA challenge token" });
+    return;
+  }
+  const rateKey = `${ip}:${payload.sub}:${payload.jti ?? "nojti"}`;
+  if (!await consumeRateLimit("login-2fa", rateKey, LOGIN_2FA_RATE_LIMIT_MAX)) {
+    res.status(429).json({ error: "Too many 2FA attempts. Try again in 15 minutes." });
+    return;
+  }
+  const { rows } = await pool_default.query(`SELECT id, email, role_id, first_name, last_name, avatar_url, job_title, organization, country, two_factor_enabled, two_factor_secret, password, session_version
+     FROM plank_users WHERE id = $1`, [payload.sub]);
+  const user = rows[0];
+  if (!user || !user.two_factor_enabled || !user.two_factor_secret) {
+    res.status(401).json({ error: "2FA is not enabled for this account" });
+    return;
+  }
+  if (user.session_version !== payload.sv) {
+    res.status(401).json({ error: "2FA challenge expired. Start login again." });
+    return;
+  }
+  const result = d3({
+    token: parsed.data.code,
+    secret: decrypt(user.two_factor_secret)
+  });
+  if (!result.valid) {
+    res.status(401).json({ error: "Invalid verification code" });
+    return;
+  }
+  await clearRateLimit("login-2fa", rateKey);
+  const auth = await buildAuthPayload(user);
+  setSessionCookie(res, auth.token);
+  res.json({
+    requiresTwoFactor: false,
+    user: auth.user
   });
 }
+async function logout(req, res) {
+  const cookieHeader = req.headers.cookie ?? "";
+  const raw = cookieHeader.split(";").map((c3) => c3.trim()).find((c3) => c3.startsWith(`${ACCESS_TOKEN_COOKIE}=`))?.slice(`${ACCESS_TOKEN_COOKIE}=`.length);
+  if (raw) {
+    try {
+      const payload = jwt.verify(decodeURIComponent(raw), process.env.PLANK_JWT_SECRET);
+      if (payload.sub) {
+        await pool_default.query("UPDATE plank_users SET session_version = session_version + 1 WHERE id = $1", [payload.sub]);
+      }
+    } catch {
+    }
+  }
+  clearSessionCookie(res);
+  const ip = req.ip ?? "unknown";
+  await pool_default.query("DELETE FROM plank_auth_rate_limits WHERE rate_key LIKE $1", [`${ip}:%`]);
+  res.status(204).end();
+}
 async function setup(_req, res) {
   const { rows } = await pool_default.query("SELECT COUNT(*) as count FROM plank_users");
   res.json({ needsSetup: parseInt(rows[0].count) === 0 });
@@ -951,7 +2510,7 @@ async function register(req, res) {
   }
   const parsed = RegisterSchema.safeParse(req.body);
   if (!parsed.success) {
-    res.status(400).json({ errors: flattenError(parsed.error, (i) => i.message) });
+    res.status(400).json({ errors: flattenError(parsed.error, (i2) => i2.message) });
     return;
   }
   const { email, password } = parsed.data;
@@ -966,6 +2525,8 @@ async function register(req, res) {
 var router = Router();
 router.get("/setup", setup);
 router.post("/login", login);
+router.post("/login/2fa", loginWithTwoFactor);
+router.post("/logout", logout);
 router.post("/register", register);
 var auth_default = router;
 
@@ -974,15 +2535,37 @@ import { Router as Router2 } from "express";
 
 // ../core/dist/middlewares/authenticate.js
 import jwt2 from "jsonwebtoken";
-function authenticate(req, res, next) {
+function cookieValue(raw, key) {
+  if (!raw)
+    return null;
+  const parts = raw.split(";");
+  for (const part of parts) {
+    const [k3, ...rest] = part.trim().split("=");
+    if (k3 === key)
+      return decodeURIComponent(rest.join("="));
+  }
+  return null;
+}
+async function authenticate(req, res, next) {
   const header = req.headers.authorization;
-  if (!header?.startsWith("Bearer ")) {
+  const bearer = header?.startsWith("Bearer ") ? header.slice(7) : null;
+  const cookieToken = cookieValue(req.headers.cookie, "plank_session");
+  const token = bearer ?? cookieToken;
+  if (!token) {
     res.status(401).json({ error: "Unauthorized" });
     return;
   }
-  const token = header.slice(7);
   try {
     const payload = jwt2.verify(token, process.env.PLANK_JWT_SECRET);
+    if (typeof payload.sv !== "number") {
+      res.status(401).json({ error: "Invalid session token" });
+      return;
+    }
+    const { rows } = await pool_default.query("SELECT session_version FROM plank_users WHERE id = $1", [payload.sub]);
+    if (!rows[0] || rows[0].session_version !== payload.sv) {
+      res.status(401).json({ error: "Session has been revoked" });
+      return;
+    }
     req.user = { id: payload.sub, roleId: payload.roleId };
     next();
   } catch {
@@ -1161,22 +2744,22 @@ async function syncInverseFields(savedCT, prevCT) {
     if (relatedCTCache.has(tableName))
       return relatedCTCache.get(tableName) ?? null;
     const all = await findAllContentTypes();
-    const ct = all.find((c) => c.tableName === tableName) ?? null;
+    const ct = all.find((c3) => c3.tableName === tableName) ?? null;
     relatedCTCache.set(tableName, ct);
     return ct;
   }
-  const prevRelFields = new Map((prevCT?.fields ?? []).filter((f) => f.type === "relation" && f.relationType !== "one-to-many").map((f) => [f.name, f]));
-  const nextRelFields = savedCT.fields.filter((f) => f.type === "relation" && f.relationType !== "one-to-many");
+  const prevRelFields = new Map((prevCT?.fields ?? []).filter((f2) => f2.type === "relation" && f2.relationType !== "one-to-many").map((f2) => [f2.name, f2]));
+  const nextRelFields = savedCT.fields.filter((f2) => f2.type === "relation" && f2.relationType !== "one-to-many");
   for (const [fieldName, prevField] of prevRelFields) {
     if (!prevField.relatedTable)
       continue;
-    const nextField = savedCT.fields.find((f) => f.name === fieldName);
+    const nextField = savedCT.fields.find((f2) => f2.name === fieldName);
     const targetChanged = nextField?.relatedTable !== prevField.relatedTable;
     if (!nextField || targetChanged) {
       const relatedCT = await getRelatedCT(prevField.relatedTable);
       if (!relatedCT)
         continue;
-      const updated = relatedCT.fields.filter((f) => !(f.type === "relation" && f.relationType === inverseRelationType(prevField.relationType ?? "many-to-one") && f.relatedTable === savedCT.tableName && f.relatedField === fieldName));
+      const updated = relatedCT.fields.filter((f2) => !(f2.type === "relation" && f2.relationType === inverseRelationType(prevField.relationType ?? "many-to-one") && f2.relatedTable === savedCT.tableName && f2.relatedField === fieldName));
       if (updated.length !== relatedCT.fields.length) {
         await updateContentType(relatedCT.slug, { ...relatedCT, fields: updated });
       }
@@ -1189,9 +2772,9 @@ async function syncInverseFields(savedCT, prevCT) {
     if (!relatedCT)
       continue;
     const invType = inverseRelationType(field.relationType ?? "many-to-one");
-    const existingInvIdx = relatedCT.fields.findIndex((f) => f.type === "relation" && f.relationType === invType && f.relatedTable === savedCT.tableName && f.relatedField === field.name);
+    const existingInvIdx = relatedCT.fields.findIndex((f2) => f2.type === "relation" && f2.relationType === invType && f2.relatedTable === savedCT.tableName && f2.relatedField === field.name);
     const invField = {
-      name: existingInvIdx >= 0 ? relatedCT.fields[existingInvIdx].name : inverseFieldName(savedCT.tableName, field.name, relatedCT.fields.map((f) => f.name)),
+      name: existingInvIdx >= 0 ? relatedCT.fields[existingInvIdx].name : inverseFieldName(savedCT.tableName, field.name, relatedCT.fields.map((f2) => f2.name)),
       type: "relation",
       relationType: invType,
       relatedTable: savedCT.tableName,
@@ -1200,7 +2783,7 @@ async function syncInverseFields(savedCT, prevCT) {
     };
     let updatedFields;
     if (existingInvIdx >= 0) {
-      updatedFields = relatedCT.fields.map((f, i) => i === existingInvIdx ? invField : f);
+      updatedFields = relatedCT.fields.map((f2, i2) => i2 === existingInvIdx ? invField : f2);
     } else {
       updatedFields = [...relatedCT.fields, invField];
     }
@@ -1210,7 +2793,7 @@ async function syncInverseFields(savedCT, prevCT) {
 async function removeRelationDependencies(deletedTable) {
   const all = await findAllContentTypes();
   for (const ct of all) {
-    const toRemove = ct.fields.filter((f) => f.type === "relation" && f.relatedTable === deletedTable.tableName);
+    const toRemove = ct.fields.filter((f2) => f2.type === "relation" && f2.relatedTable === deletedTable.tableName);
     if (toRemove.length === 0)
       continue;
     for (const field of toRemove) {
@@ -1226,7 +2809,7 @@ async function removeRelationDependencies(deletedTable) {
         await pool_default.query(`DROP TABLE IF EXISTS ${quoteIdentifier(jt)}`);
       }
     }
-    const filtered = ct.fields.filter((f) => !(f.type === "relation" && f.relatedTable === deletedTable.tableName));
+    const filtered = ct.fields.filter((f2) => !(f2.type === "relation" && f2.relatedTable === deletedTable.tableName));
     await updateContentType(ct.slug, { ...ct, fields: filtered });
   }
 }
@@ -1245,7 +2828,7 @@ var getContentType = async (req, res) => {
 var createContentType = async (req, res) => {
   const parsed = CreateContentTypeSchema.safeParse(req.body);
   if (!parsed.success) {
-    res.status(400).json({ errors: flattenError2(parsed.error, (i) => i.message) });
+    res.status(400).json({ errors: flattenError2(parsed.error, (i2) => i2.message) });
     return;
   }
   const reservedErrors = findReservedIdentifierErrors(parsed.data);
@@ -1270,7 +2853,7 @@ var updateContentType2 = async (req, res) => {
   }
   const parsed = ContentTypeSchema.safeParse(req.body);
   if (!parsed.success) {
-    res.status(400).json({ errors: flattenError2(parsed.error, (i) => i.message) });
+    res.status(400).json({ errors: flattenError2(parsed.error, (i2) => i2.message) });
     return;
   }
   const reservedErrors = findReservedIdentifierErrors(parsed.data);
@@ -1322,7 +2905,7 @@ async function listWebhooks(_req, res) {
 async function createWebhook(req, res) {
   const parsed = CreateWebhookSchema.safeParse(req.body);
   if (!parsed.success) {
-    res.status(400).json({ errors: flattenError3(parsed.error, (i) => i.message) });
+    res.status(400).json({ errors: flattenError3(parsed.error, (i2) => i2.message) });
     return;
   }
   const { name, url, events } = parsed.data;
@@ -1365,22 +2948,22 @@ function resolveLocalizedRow(row, ct, locale, fallbacks = []) {
   const localized = row.localized && typeof row.localized === "object" ? row.localized : {};
   const resolved = { ...row };
   const localizableTypes = /* @__PURE__ */ new Set(["string", "text", "richtext", "uid"]);
-  for (const f of ct.fields) {
-    if (!localizableTypes.has(f.type))
+  for (const f2 of ct.fields) {
+    if (!localizableTypes.has(f2.type))
       continue;
     let val = void 0;
-    if (locale && localized[locale] && localized[locale][f.name] !== void 0) {
-      val = localized[locale][f.name];
+    if (locale && localized[locale] && localized[locale][f2.name] !== void 0) {
+      val = localized[locale][f2.name];
     } else {
       for (const fb of fallbacks) {
-        if (localized[fb] && localized[fb][f.name] !== void 0) {
-          val = localized[fb][f.name];
+        if (localized[fb] && localized[fb][f2.name] !== void 0) {
+          val = localized[fb][f2.name];
           break;
         }
       }
     }
     if (val !== void 0)
-      resolved[f.name] = val;
+      resolved[f2.name] = val;
   }
   return resolved;
 }
@@ -1428,7 +3011,7 @@ async function syncManyToMany(entryId, tableName, field, targetIds) {
   await pool_default.query(`DELETE FROM ${quoteIdentifier(jt)} WHERE source_id = $1`, [entryId]);
   if (targetIds.length === 0)
     return;
-  const placeholders = targetIds.map((_, i) => `($1, $${i + 2})`).join(", ");
+  const placeholders = targetIds.map((_3, i2) => `($1, $${i2 + 2})`).join(", ");
   await pool_default.query(`INSERT INTO ${quoteIdentifier(jt)} (source_id, target_id) VALUES ${placeholders} ON CONFLICT DO NOTHING`, [entryId, ...targetIds]);
 }
 async function isUserRole(roleId) {
@@ -1449,7 +3032,7 @@ var listEntries = async (req, res) => {
   const page = Math.max(1, parseInt(String(req.query.page ?? 1)));
   const limit = Math.min(100, Math.max(1, parseInt(String(req.query.limit ?? 20))));
   const offset = (page - 1) * limit;
-  const allowedSort = ["created_at", "updated_at", "published_at", ...ct.fields.map((f) => f.name)];
+  const allowedSort = ["created_at", "updated_at", "published_at", ...ct.fields.map((f2) => f2.name)];
   const sortField = allowedSort.includes(String(req.query.sort ?? "")) ? String(req.query.sort) : "created_at";
   const sortDir = req.query.order === "asc" ? "ASC" : "DESC";
   assertSafeIdentifier(sortField);
@@ -1475,7 +3058,7 @@ var listEntries = async (req, res) => {
     if (!locale2)
       return true;
     const localized = row.localized && typeof row.localized === "object" ? row.localized : {};
-    const locales = Object.keys(localized).filter((k) => !k.startsWith("_"));
+    const locales = Object.keys(localized).filter((k3) => !k3.startsWith("_"));
     const meta = localized._meta || {};
     const enabled = meta.enabled ?? locales.length > 0;
     const primary = meta.primary;
@@ -1484,7 +3067,7 @@ var listEntries = async (req, res) => {
     }
     return primary === locale2;
   }
-  const filtered = rows.filter((r) => entryMatchesLocale(r, locale));
+  const filtered = rows.filter((r2) => entryMatchesLocale(r2, locale));
   const data = await Promise.all(filtered.map(async (row) => {
     const mmIds = await loadManyToManyIds(row.id, ct.tableName, ct.fields);
     const resolved = resolveLocalizedRow(row, ct, locale, fallbacks);
@@ -1498,7 +3081,7 @@ var listEntries = async (req, res) => {
   if (locale) {
     try {
       const { rows: allRows } = await pool_default.query(`SELECT localized FROM ${quotedTableName}`);
-      const matching = allRows.filter((r) => entryMatchesLocale(r, locale));
+      const matching = allRows.filter((r2) => entryMatchesLocale(r2, locale));
       total = matching.length;
     } catch (err) {
     }
@@ -1506,14 +3089,14 @@ var listEntries = async (req, res) => {
   res.json({ data, total, page, limit });
 };
 async function loadManyToManyIds(entryId, tableName, fields) {
-  const mmFields = fields.filter((f) => f.type === "relation" && (f.relationType ?? "many-to-one") === "many-to-many");
+  const mmFields = fields.filter((f2) => f2.type === "relation" && (f2.relationType ?? "many-to-one") === "many-to-many");
   if (mmFields.length === 0)
     return {};
   const result = {};
-  await Promise.all(mmFields.map(async (f) => {
-    const jt = junctionTableName2(tableName, f.name);
+  await Promise.all(mmFields.map(async (f2) => {
+    const jt = junctionTableName2(tableName, f2.name);
     const { rows } = await pool_default.query(`SELECT target_id FROM ${quoteIdentifier(jt)} WHERE source_id = $1`, [entryId]);
-    result[f.name] = rows.map((r) => r.target_id);
+    result[f2.name] = rows.map((r2) => r2.target_id);
   }));
   return result;
 }
@@ -1559,13 +3142,13 @@ var createEntry = async (req, res) => {
     res.status(403).json({ error: "Single types are read-only for User role" });
     return;
   }
-  const mmFields = ct.fields.filter((f) => f.type === "relation" && (f.relationType ?? "many-to-one") === "many-to-many" && req.body[f.name] !== void 0);
-  const fields = ct.fields.filter((f) => req.body[f.name] !== void 0 && !isVirtualRelation(f));
-  fields.forEach((f) => assertSafeIdentifier(f.name));
+  const mmFields = ct.fields.filter((f2) => f2.type === "relation" && (f2.relationType ?? "many-to-one") === "many-to-many" && req.body[f2.name] !== void 0);
+  const fields = ct.fields.filter((f2) => req.body[f2.name] !== void 0 && !isVirtualRelation(f2));
+  fields.forEach((f2) => assertSafeIdentifier(f2.name));
   if (ct.kind === "single") {
     const { rows: existing } = await pool_default.query(`SELECT id FROM ${quotedTableName} LIMIT 1`);
     if (existing[0]) {
-      const setClauses = fields.map((f, i) => f.type === "media-gallery" || f.type === "array" || f.type === "navigation" ? `${quoteIdentifier(f.name)} = $${i + 1}::jsonb` : `${quoteIdentifier(f.name)} = $${i + 1}`).join(", ");
+      const setClauses = fields.map((f2, i2) => f2.type === "media-gallery" || f2.type === "array" || f2.type === "navigation" ? `${quoteIdentifier(f2.name)} = $${i2 + 1}::jsonb` : `${quoteIdentifier(f2.name)} = $${i2 + 1}`).join(", ");
       const extraClauses = [];
       const extraValues2 = [];
       if (req.body.localized !== void 0) {
@@ -1574,10 +3157,10 @@ var createEntry = async (req, res) => {
       }
       const allClauses = [setClauses, ...extraClauses].filter(Boolean).join(", ");
       const values2 = [
-        ...fields.map((f) => {
-          const v = req.body[f.name];
-          const normalized = f.type === "navigation" ? normalizeNavigationItems(v) : v;
-          return f.type === "media-gallery" || f.type === "array" || f.type === "navigation" ? JSON.stringify(normalized) : v;
+        ...fields.map((f2) => {
+          const v3 = req.body[f2.name];
+          const normalized = f2.type === "navigation" ? normalizeNavigationItems(v3) : v3;
+          return f2.type === "media-gallery" || f2.type === "array" || f2.type === "navigation" ? JSON.stringify(normalized) : v3;
         }),
         ...extraValues2,
         existing[0].id
@@ -1585,9 +3168,9 @@ var createEntry = async (req, res) => {
       const updateSql = fields.length + extraValues2.length > 0 ? `UPDATE ${quotedTableName} SET ${allClauses}, updated_at = NOW() WHERE id = $${fields.length + extraValues2.length + 1} RETURNING *` : `UPDATE ${quotedTableName} SET updated_at = NOW() WHERE id = $1 RETURNING *`;
       const updateValues = fields.length + extraValues2.length > 0 ? values2 : [existing[0].id];
       const { rows: rows2 } = await pool_default.query(updateSql, updateValues);
-      await Promise.all(mmFields.map((f) => {
-        const ids = Array.isArray(req.body[f.name]) ? req.body[f.name] : [];
-        return syncManyToMany(existing[0].id, ct.tableName, f, ids);
+      await Promise.all(mmFields.map((f2) => {
+        const ids = Array.isArray(req.body[f2.name]) ? req.body[f2.name] : [];
+        return syncManyToMany(existing[0].id, ct.tableName, f2, ids);
       }));
       res.json(normalizeNavigationFields(rows2[0], ct.fields));
       return;
@@ -1603,27 +3186,27 @@ var createEntry = async (req, res) => {
     extraPlaceholders.push(`$${3 + fields.length}::jsonb`);
     extraValues.push(JSON.stringify(req.body.localized));
   }
-  const cols = ["id", "created_by", ...fields.map((f) => f.name), ...extraCols].map((col) => quoteIdentifier(col)).join(", ");
+  const cols = ["id", "created_by", ...fields.map((f2) => f2.name), ...extraCols].map((col) => quoteIdentifier(col)).join(", ");
   const placeholders = [
     "$1",
     "$2",
-    ...fields.map((f, i) => f.type === "media-gallery" || f.type === "array" || f.type === "navigation" ? `$${i + 3}::jsonb` : `$${i + 3}`),
+    ...fields.map((f2, i2) => f2.type === "media-gallery" || f2.type === "array" || f2.type === "navigation" ? `$${i2 + 3}::jsonb` : `$${i2 + 3}`),
     ...extraPlaceholders
   ].join(", ");
   const values = [
     id,
     userId,
-    ...fields.map((f) => {
-      const v = req.body[f.name];
-      const normalized = f.type === "navigation" ? normalizeNavigationItems(v) : v;
-      return f.type === "media-gallery" || f.type === "array" || f.type === "navigation" ? JSON.stringify(normalized) : v;
+    ...fields.map((f2) => {
+      const v3 = req.body[f2.name];
+      const normalized = f2.type === "navigation" ? normalizeNavigationItems(v3) : v3;
+      return f2.type === "media-gallery" || f2.type === "array" || f2.type === "navigation" ? JSON.stringify(normalized) : v3;
     }),
     ...extraValues
   ];
   const { rows } = await pool_default.query(`INSERT INTO ${quotedTableName} (${cols}) VALUES (${placeholders}) RETURNING *`, values);
-  await Promise.all(mmFields.map((f) => {
-    const ids = Array.isArray(req.body[f.name]) ? req.body[f.name] : [];
-    return syncManyToMany(id, ct.tableName, f, ids);
+  await Promise.all(mmFields.map((f2) => {
+    const ids = Array.isArray(req.body[f2.name]) ? req.body[f2.name] : [];
+    return syncManyToMany(id, ct.tableName, f2, ids);
   }));
   res.status(201).json(normalizeNavigationFields(rows[0], ct.fields));
   triggerWebhooks("entry.created", { content_type: req.params.slug, entry_id: rows[0].id });
@@ -1680,10 +3263,10 @@ var updateEntry = async (req, res) => {
       return;
     }
   }
-  const mmFields = ct.fields.filter((f) => f.type === "relation" && (f.relationType ?? "many-to-one") === "many-to-many" && req.body[f.name] !== void 0);
-  const fields = ct.fields.filter((f) => req.body[f.name] !== void 0 && !isVirtualRelation(f));
-  fields.forEach((f) => assertSafeIdentifier(f.name));
-  const setClauses = fields.map((f, i) => f.type === "media-gallery" || f.type === "array" || f.type === "navigation" ? `${quoteIdentifier(f.name)} = $${i + 1}::jsonb` : `${quoteIdentifier(f.name)} = $${i + 1}`).join(", ");
+  const mmFields = ct.fields.filter((f2) => f2.type === "relation" && (f2.relationType ?? "many-to-one") === "many-to-many" && req.body[f2.name] !== void 0);
+  const fields = ct.fields.filter((f2) => req.body[f2.name] !== void 0 && !isVirtualRelation(f2));
+  fields.forEach((f2) => assertSafeIdentifier(f2.name));
+  const setClauses = fields.map((f2, i2) => f2.type === "media-gallery" || f2.type === "array" || f2.type === "navigation" ? `${quoteIdentifier(f2.name)} = $${i2 + 1}::jsonb` : `${quoteIdentifier(f2.name)} = $${i2 + 1}`).join(", ");
   const extraClauses = [];
   const extraValues = [];
   if (req.body.localized !== void 0) {
@@ -1692,10 +3275,10 @@ var updateEntry = async (req, res) => {
   }
   const allClauses = [setClauses, ...extraClauses].filter(Boolean).join(", ");
   const values = [
-    ...fields.map((f) => {
-      const v = req.body[f.name];
-      const normalized = f.type === "navigation" ? normalizeNavigationItems(v) : v;
-      return f.type === "media-gallery" || f.type === "array" || f.type === "navigation" ? JSON.stringify(normalized) : v;
+    ...fields.map((f2) => {
+      const v3 = req.body[f2.name];
+      const normalized = f2.type === "navigation" ? normalizeNavigationItems(v3) : v3;
+      return f2.type === "media-gallery" || f2.type === "array" || f2.type === "navigation" ? JSON.stringify(normalized) : v3;
     }),
     ...extraValues,
     req.params.id
@@ -1707,9 +3290,9 @@ var updateEntry = async (req, res) => {
     res.status(404).json({ error: "Entry not found" });
     return;
   }
-  await Promise.all(mmFields.map((f) => {
-    const ids = Array.isArray(req.body[f.name]) ? req.body[f.name] : [];
-    return syncManyToMany(req.params.id, ct.tableName, f, ids);
+  await Promise.all(mmFields.map((f2) => {
+    const ids = Array.isArray(req.body[f2.name]) ? req.body[f2.name] : [];
+    return syncManyToMany(req.params.id, ct.tableName, f2, ids);
   }));
   res.json(normalizeNavigationFields(rows[0], ct.fields));
   triggerWebhooks("entry.updated", { content_type: req.params.slug, entry_id: req.params.id });
@@ -1873,6 +3456,13 @@ var UpdateMeSchema = z4.object({
   organization: z4.string().max(150).optional(),
   country: z4.string().max(100).optional()
 });
+var TwoFactorCodeSchema = z4.object({
+  code: z4.string().trim().length(6)
+});
+var DisableTwoFactorSchema = z4.object({
+  password: z4.string().min(1),
+  code: z4.string().trim().length(6)
+});
 async function resolveAvatarUrl(row) {
   if (!row.avatar_url || row.avatar_url.startsWith("http"))
     return row;
@@ -1892,7 +3482,7 @@ async function listUsers(_req, res) {
 }
 async function getMe(req, res) {
   const { rows } = await pool_default.query(`SELECT u.id, u.email, u.role_id, u.first_name, u.last_name, u.avatar_url,
-            u.job_title, u.organization, u.country, u.created_at,
+            u.job_title, u.organization, u.country, u.two_factor_enabled, u.created_at,
             r.permissions
      FROM plank_users u
      JOIN plank_roles r ON r.id = u.role_id
@@ -1902,12 +3492,100 @@ async function getMe(req, res) {
     return;
   }
   const resolved = await resolveAvatarUrl(rows[0]);
-  res.json({ ...resolved, permissions: rows[0].permissions });
+  res.json({ ...resolved, permissions: rows[0].permissions, two_factor_enabled: rows[0].two_factor_enabled });
+}
+async function getTwoFactorStatus(req, res) {
+  const { rows } = await pool_default.query("SELECT two_factor_enabled FROM plank_users WHERE id = $1", [req.user.id]);
+  if (!rows[0]) {
+    res.status(404).json({ error: "User not found" });
+    return;
+  }
+  res.json({ enabled: rows[0].two_factor_enabled });
+}
+async function startTwoFactorSetup(req, res) {
+  const { rows } = await pool_default.query("SELECT email, two_factor_enabled FROM plank_users WHERE id = $1", [req.user.id]);
+  if (!rows[0]) {
+    res.status(404).json({ error: "User not found" });
+    return;
+  }
+  if (rows[0].two_factor_enabled) {
+    res.status(400).json({ error: "2FA is already enabled" });
+    return;
+  }
+  const secret = I2();
+  await pool_default.query("UPDATE plank_users SET two_factor_temp_secret = $1 WHERE id = $2", [
+    encrypt(secret),
+    req.user.id
+  ]);
+  const otpauthUri = T2({ issuer: "Plank CMS", label: rows[0].email, secret });
+  res.json({ otpauthUri, secret });
+}
+async function verifyTwoFactorSetup(req, res) {
+  const parsed = TwoFactorCodeSchema.safeParse(req.body);
+  if (!parsed.success) {
+    res.status(400).json({ errors: flattenError4(parsed.error, (i2) => i2.message) });
+    return;
+  }
+  const { rows } = await pool_default.query("SELECT two_factor_temp_secret FROM plank_users WHERE id = $1", [req.user.id]);
+  const tempSecret = rows[0]?.two_factor_temp_secret;
+  if (!tempSecret) {
+    res.status(400).json({ error: "No pending 2FA setup found" });
+    return;
+  }
+  const result = d3({ token: parsed.data.code, secret: decrypt(tempSecret) });
+  if (!result.valid) {
+    res.status(401).json({ error: "Invalid verification code" });
+    return;
+  }
+  await pool_default.query(`UPDATE plank_users
+     SET two_factor_enabled = TRUE,
+         two_factor_secret = two_factor_temp_secret,
+         two_factor_temp_secret = NULL,
+         session_version = session_version + 1
+     WHERE id = $1`, [req.user.id]);
+  res.status(204).end();
+}
+async function disableTwoFactor(req, res) {
+  const parsed = DisableTwoFactorSchema.safeParse(req.body);
+  if (!parsed.success) {
+    res.status(400).json({ errors: flattenError4(parsed.error, (i2) => i2.message) });
+    return;
+  }
+  const { rows } = await pool_default.query("SELECT two_factor_enabled, two_factor_secret, password FROM plank_users WHERE id = $1", [req.user.id]);
+  const user = rows[0];
+  if (!user) {
+    res.status(404).json({ error: "User not found" });
+    return;
+  }
+  if (!user.two_factor_enabled || !user.two_factor_secret) {
+    res.status(400).json({ error: "2FA is not enabled" });
+    return;
+  }
+  const passwordOk = await bcrypt2.compare(parsed.data.password, user.password);
+  if (!passwordOk) {
+    res.status(401).json({ error: "Current password is incorrect" });
+    return;
+  }
+  const result = d3({
+    token: parsed.data.code,
+    secret: decrypt(user.two_factor_secret)
+  });
+  if (!result.valid) {
+    res.status(401).json({ error: "Invalid verification code" });
+    return;
+  }
+  await pool_default.query(`UPDATE plank_users
+     SET two_factor_enabled = FALSE,
+         two_factor_secret = NULL,
+         two_factor_temp_secret = NULL,
+         session_version = session_version + 1
+     WHERE id = $1`, [req.user.id]);
+  res.status(204).end();
 }
 async function updateMe(req, res) {
   const parsed = UpdateMeSchema.safeParse(req.body);
   if (!parsed.success) {
-    res.status(400).json({ errors: flattenError4(parsed.error, (i) => i.message) });
+    res.status(400).json({ errors: flattenError4(parsed.error, (i2) => i2.message) });
     return;
   }
   const { firstName, lastName, jobTitle, organization, country } = parsed.data;
@@ -1978,7 +3656,7 @@ async function deleteAvatar(req, res) {
 async function changePassword(req, res) {
   const parsed = ChangePasswordSchema.safeParse(req.body);
   if (!parsed.success) {
-    res.status(400).json({ errors: flattenError4(parsed.error, (i) => i.message) });
+    res.status(400).json({ errors: flattenError4(parsed.error, (i2) => i2.message) });
     return;
   }
   const { rows } = await pool_default.query("SELECT password FROM plank_users WHERE id = $1", [req.user.id]);
@@ -1992,13 +3670,13 @@ async function changePassword(req, res) {
     return;
   }
   const hashed = await bcrypt2.hash(parsed.data.newPassword, 12);
-  await pool_default.query("UPDATE plank_users SET password = $1 WHERE id = $2", [hashed, req.user.id]);
+  await pool_default.query("UPDATE plank_users SET password = $1, session_version = session_version + 1 WHERE id = $2", [hashed, req.user.id]);
   res.status(204).end();
 }
 async function createUser(req, res) {
   const parsed = CreateUserSchema.safeParse(req.body);
   if (!parsed.success) {
-    res.status(400).json({ errors: flattenError4(parsed.error, (i) => i.message) });
+    res.status(400).json({ errors: flattenError4(parsed.error, (i2) => i2.message) });
     return;
   }
   const { email, password, roleId } = parsed.data;
@@ -2016,7 +3694,7 @@ async function createUser(req, res) {
 async function updateUser(req, res) {
   const parsed = UpdateUserSchema.safeParse(req.body);
   if (!parsed.success) {
-    res.status(400).json({ errors: flattenError4(parsed.error, (i) => i.message) });
+    res.status(400).json({ errors: flattenError4(parsed.error, (i2) => i2.message) });
     return;
   }
   const { email, roleId, firstName, lastName } = parsed.data;
@@ -2124,7 +3802,7 @@ async function resetRoles(_req, res) {
 }
 
 // ../core/dist/controllers/apiTokens.js
-import { randomBytes as randomBytes5, createHash } from "crypto";
+import { randomBytes as randomBytes6, createHash } from "crypto";
 import { z as z7, flattenError as flattenError5 } from "zod";
 var CreateTokenSchema = z7.object({
   name: z7.string().min(1),
@@ -2140,12 +3818,12 @@ async function listApiTokens(_req, res) {
 async function createApiToken(req, res) {
   const parsed = CreateTokenSchema.safeParse(req.body);
   if (!parsed.success) {
-    res.status(400).json({ errors: flattenError5(parsed.error, (i) => i.message) });
+    res.status(400).json({ errors: flattenError5(parsed.error, (i2) => i2.message) });
     return;
   }
   const { name, accessType } = parsed.data;
   const id = createId();
-  const token = `plank_${randomBytes5(32).toString("hex")}`;
+  const token = `plank_${randomBytes6(32).toString("hex")}`;
   const hashed = hashToken(token);
   await pool_default.query("INSERT INTO plank_api_tokens (id, name, token, access_type, created_by) VALUES ($1, $2, $3, $4, $5)", [id, name, hashed, accessType, req.user.id]);
   res.status(201).json({ id, name, accessType, token });
@@ -2160,7 +3838,7 @@ async function deleteApiToken(req, res) {
 }
 
 // ../core/dist/controllers/media.js
-import { randomBytes as randomBytes6 } from "crypto";
+import { randomBytes as randomBytes7 } from "crypto";
 var MEDIA_PREFIX = "media";
 async function listMedia(req, res) {
   const page = Math.max(1, parseInt(req.query.page) || 1);
@@ -2173,18 +3851,18 @@ async function listMedia(req, res) {
      ORDER BY created_at DESC
      LIMIT $1 OFFSET $2`, [limit, offset, folderId]);
   const provider = await getProvider();
-  const items = await Promise.all(rows.map(async (r) => ({
-    id: r.id,
-    filename: r.filename,
-    url: await provider.getUrl(r.provider_key),
-    mime_type: r.mime_type,
-    size: r.size,
-    alt: r.alt,
-    width: r.width,
-    height: r.height,
-    folder_id: r.folder_id,
-    uploaded_by: r.uploaded_by,
-    created_at: r.created_at
+  const items = await Promise.all(rows.map(async (r2) => ({
+    id: r2.id,
+    filename: r2.filename,
+    url: await provider.getUrl(r2.provider_key),
+    mime_type: r2.mime_type,
+    size: r2.size,
+    alt: r2.alt,
+    width: r2.width,
+    height: r2.height,
+    folder_id: r2.folder_id,
+    uploaded_by: r2.uploaded_by,
+    created_at: r2.created_at
   })));
   const total = rows[0] ? parseInt(rows[0].total) : 0;
   res.json({ items, total, page, limit, pages: Math.ceil(total / limit) });
@@ -2206,12 +3884,12 @@ async function uploadMedia(req, res) {
     }
   }
   if (isBundle) {
-    const m3u8File = files.find((f) => f.originalname.endsWith(".m3u8"));
+    const m3u8File = files.find((f2) => f2.originalname.endsWith(".m3u8"));
     if (!m3u8File) {
       res.status(400).json({ error: "No .m3u8 file found in bundle" });
       return;
     }
-    const bundleId = randomBytes6(8).toString("hex");
+    const bundleId = randomBytes7(8).toString("hex");
     const prefix = [MEDIA_PREFIX, folderId, bundleId].filter(Boolean).join("/");
     const rootDir = m3u8File.originalname.includes("/") ? m3u8File.originalname.split("/")[0] : null;
     const stripRoot = (path) => rootDir && path.startsWith(`${rootDir}/`) ? path.slice(rootDir.length + 1) : path;
@@ -2385,7 +4063,7 @@ function maskSettings(namespace, settings) {
   const sensitive = SENSITIVE_FIELDS2[namespace];
   if (!sensitive)
     return settings;
-  return Object.fromEntries(Object.entries(settings).map(([k, v]) => [k, sensitive.has(k) && v ? MASKED : v]));
+  return Object.fromEntries(Object.entries(settings).map(([k3, v3]) => [k3, sensitive.has(k3) && v3 ? MASKED : v3]));
 }
 async function getNamespaceSettings(req, res) {
   const { namespace } = req.params;
@@ -2436,6 +4114,10 @@ router2.post("/users/me/avatar/confirm", confirmAvatar);
 router2.delete("/users/me/avatar", deleteAvatar);
 router2.get("/users/me/prefs/:key", getUserPref);
 router2.put("/users/me/prefs/:key", setUserPref);
+router2.get("/users/me/2fa", getTwoFactorStatus);
+router2.post("/users/me/2fa/setup", startTwoFactorSetup);
+router2.post("/users/me/2fa/verify", verifyTwoFactorSetup);
+router2.post("/users/me/2fa/disable", disableTwoFactor);
 router2.get("/roles", authorize("settings:users:read"), listRoles);
 router2.put("/roles/:id", authorize("settings:roles:write"), updateRole);
 router2.post("/roles/reset", authorize("settings:roles:write"), resetRoles);
@@ -2519,8 +4201,8 @@ function normalizeNavigationItems2(value) {
   });
 }
 async function resolveMediaFields(entries, ct) {
-  const singleFields = ct.fields.filter((f) => f.type === "media").map((f) => f.name);
-  const galleryFields = ct.fields.filter((f) => f.type === "media-gallery").map((f) => f.name);
+  const singleFields = ct.fields.filter((f2) => f2.type === "media").map((f2) => f2.name);
+  const galleryFields = ct.fields.filter((f2) => f2.type === "media-gallery").map((f2) => f2.name);
   if (singleFields.length === 0 && galleryFields.length === 0)
     return;
   const idSet = /* @__PURE__ */ new Set();
@@ -2545,8 +4227,8 @@ async function resolveMediaFields(entries, ct) {
   const { rows } = await pool_default.query("SELECT id, provider_key FROM plank_media WHERE id = ANY($1)", [[...idSet]]);
   const provider = await getProvider();
   const urlMap = /* @__PURE__ */ new Map();
-  await Promise.all(rows.map(async (r) => {
-    urlMap.set(r.id, await provider.getUrl(r.provider_key));
+  await Promise.all(rows.map(async (r2) => {
+    urlMap.set(r2.id, await provider.getUrl(r2.provider_key));
   }));
   for (const entry of entries) {
     for (const name of singleFields) {
@@ -2572,11 +4254,11 @@ var SYSTEM_FIELDS = /* @__PURE__ */ new Set([
   "updated_at"
 ]);
 function stripSystemFields(row) {
-  return Object.fromEntries(Object.entries(row).filter(([k]) => !SYSTEM_FIELDS.has(k)));
+  return Object.fromEntries(Object.entries(row).filter(([k3]) => !SYSTEM_FIELDS.has(k3)));
 }
 async function resolveRelationFields(entries, ct) {
-  const scalarFields = ct.fields.filter((f) => f.type === "relation" && (f.relationType === "many-to-one" || f.relationType === "one-to-one" || !f.relationType) && f.relatedTable);
-  const mmFields = ct.fields.filter((f) => f.type === "relation" && (f.relationType ?? "many-to-one") === "many-to-many" && f.relatedTable);
+  const scalarFields = ct.fields.filter((f2) => f2.type === "relation" && (f2.relationType === "many-to-one" || f2.relationType === "one-to-one" || !f2.relationType) && f2.relatedTable);
+  const mmFields = ct.fields.filter((f2) => f2.type === "relation" && (f2.relationType ?? "many-to-one") === "many-to-many" && f2.relatedTable);
   const entryIds = entries.map((e) => e.id);
   await Promise.all([
     ...scalarFields.map(async (field) => {
@@ -2587,7 +4269,7 @@ async function resolveRelationFields(entries, ct) {
       const { rows } = await pool_default.query(`SELECT * FROM ${field.relatedTable} WHERE id = ANY($1)`, [
         ids
       ]);
-      const map = new Map(rows.map((r) => [r.id, stripSystemFields(r)]));
+      const map = new Map(rows.map((r2) => [r2.id, stripSystemFields(r2)]));
       for (const entry of entries) {
         const id = entry[field.name];
         entry[field.name] = id ? map.get(id) ?? null : null;
@@ -2598,7 +4280,7 @@ async function resolveRelationFields(entries, ct) {
         return;
       const jt = `_rel_${ct.tableName}_${field.name}`;
       const { rows: jRows } = await pool_default.query(`SELECT source_id, target_id FROM ${jt} WHERE source_id = ANY($1)`, [entryIds]);
-      const allTargetIds = [...new Set(jRows.map((r) => r.target_id))];
+      const allTargetIds = [...new Set(jRows.map((r2) => r2.target_id))];
       const relatedMap = /* @__PURE__ */ new Map();
       if (allTargetIds.length > 0) {
         assertSafeIdentifier(field.relatedTable);
@@ -2639,22 +4321,22 @@ function serializeEntry(row, ct, statusParam, locale, fallbacks = []) {
   if (locale) {
     const localizedContainer = source && typeof source === "object" && source.localized && typeof source.localized === "object" ? source.localized : row.localized && typeof row.localized === "object" ? row.localized : {};
     const localizableTypes = /* @__PURE__ */ new Set(["string", "text", "richtext", "uid"]);
-    for (const f of ct.fields) {
-      if (!localizableTypes.has(f.type))
+    for (const f2 of ct.fields) {
+      if (!localizableTypes.has(f2.type))
         continue;
       let val = void 0;
-      if (localizedContainer[locale] && localizedContainer[locale][f.name] !== void 0) {
-        val = localizedContainer[locale][f.name];
+      if (localizedContainer[locale] && localizedContainer[locale][f2.name] !== void 0) {
+        val = localizedContainer[locale][f2.name];
       } else {
         for (const fb of fallbacks) {
-          if (localizedContainer[fb] && localizedContainer[fb][f.name] !== void 0) {
-            val = localizedContainer[fb][f.name];
+          if (localizedContainer[fb] && localizedContainer[fb][f2.name] !== void 0) {
+            val = localizedContainer[fb][f2.name];
             break;
           }
         }
       }
       if (val !== void 0)
-        effective[f.name] = val;
+        effective[f2.name] = val;
     }
   }
   const out = { id: row.id };
@@ -2712,7 +4394,7 @@ var listPublicEntries = async (req, res) => {
   const offset = (page - 1) * limit;
   const locale = req.query.locale ? String(req.query.locale) : void 0;
   const fallbacks = req.query.fallback ? String(req.query.fallback).split(",") : [];
-  const knownFields = new Set(ct.fields.map((f) => f.name));
+  const knownFields = new Set(ct.fields.map((f2) => f2.name));
   const systemSortFields = /* @__PURE__ */ new Set(["created_at", "updated_at", "published_at"]);
   const filterClauses = [];
   const filterValues = [];
@@ -2800,7 +4482,7 @@ function errorHandler(err, _req, res, _next) {
     return;
   }
   if (err instanceof ZodError) {
-    res.status(400).json({ errors: flattenError6(err, (i) => i.message) });
+    res.status(400).json({ errors: flattenError6(err, (i2) => i2.message) });
     return;
   }
   console.error("[plank] Unhandled error:", err);
@@ -2808,6 +4490,17 @@ function errorHandler(err, _req, res, _next) {
 }
 
 // ../core/dist/app.js
+function assertSecurityEnv() {
+  if (process.env.NODE_ENV !== "production")
+    return;
+  if (!process.env.PLANK_JWT_SECRET || process.env.PLANK_JWT_SECRET.length < 32) {
+    throw new Error("PLANK_JWT_SECRET is required in production and should be at least 32 characters.");
+  }
+  if (!process.env.PLANK_ENCRYPTION_KEY || process.env.PLANK_ENCRYPTION_KEY.length !== 64) {
+    throw new Error("PLANK_ENCRYPTION_KEY is required in production and must be 64 hex characters.");
+  }
+}
+assertSecurityEnv();
 var app = express();
 app.use(helmet({
   contentSecurityPolicy: {
@@ -2826,9 +4519,9 @@ app.use("/cms/auth", cmsCorOptions, auth_default);
 app.use("/cms/admin", cmsCorOptions, admin_default);
 app.use("/api", cors(), public_default);
 app.get("/", (_req, res) => res.redirect("/admin"));
-var adminDist = process.env.PLANK_ADMIN_DIST ?? join3(dirname2(fileURLToPath2(import.meta.url)), "../public/admin");
+var adminDist = process.env.PLANK_ADMIN_DIST ?? join4(dirname2(fileURLToPath2(import.meta.url)), "../public/admin");
 app.use("/admin", express.static(adminDist));
-app.get("/admin/*path", (_req, res) => res.sendFile(join3(adminDist, "index.html")));
+app.get("/admin/*path", (_req, res) => res.sendFile(join4(adminDist, "index.html")));
 app.use(errorHandler);
 var app_default = app;
 
@@ -2847,3 +4540,8 @@ async function start() {
 export {
   start
 };
+/*! Bundled license information:
+
+@scure/base/index.js:
+  (*! scure-base - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
+*/