@questpie/admin 3.5.2 → 3.5.4

package/dist/server/modules/admin/collections/verification.d.mts

@@ -1,57 +1,58 @@
 import * as questpie_shared67 from "questpie/shared";
-import * as questpie428 from "questpie";
+import * as questpie430 from "questpie";
 import * as questpie_src_server_modules_core_fields_email_js9 from "questpie/src/server/modules/core/fields/email.js";
 import * as questpie_src_server_modules_core_fields_json_js9 from "questpie/src/server/modules/core/fields/json.js";
-import * as drizzle_orm_pg_core141 from "drizzle-orm/pg-core";
-import * as drizzle_orm79 from "drizzle-orm";
+import * as drizzle_orm_pg_core144 from "drizzle-orm/pg-core";
+import * as drizzle_orm80 from "drizzle-orm";
+import * as questpie_src_server_collection_builder_types_js17 from "questpie/src/server/collection/builder/types.js";
 
 //#region src/server/modules/admin/collections/verification.d.ts
-declare const _default: questpie428.CollectionBuilder<questpie_shared67.Override<questpie428.EmptyCollectionState<"verification", undefined, {
-  readonly text: typeof questpie428.text;
-  readonly textarea: typeof questpie428.textarea;
+declare const _default: questpie430.CollectionBuilder<questpie_shared67.Override<questpie430.EmptyCollectionState<"verification", undefined, {
+  readonly text: typeof questpie430.text;
+  readonly textarea: typeof questpie430.textarea;
   readonly email: typeof questpie_src_server_modules_core_fields_email_js9.email;
-  readonly url: typeof questpie428.url;
-  readonly number: typeof questpie428.number;
-  readonly boolean: typeof questpie428.boolean;
-  readonly date: typeof questpie428.date;
-  readonly datetime: typeof questpie428.datetime;
-  readonly time: typeof questpie428.time;
-  readonly select: typeof questpie428.select;
-  readonly upload: typeof questpie428.upload;
-  readonly relation: typeof questpie428.relation;
-  readonly object: typeof questpie428.object;
+  readonly url: typeof questpie430.url;
+  readonly number: typeof questpie430.number;
+  readonly boolean: typeof questpie430.boolean;
+  readonly date: typeof questpie430.date;
+  readonly datetime: typeof questpie430.datetime;
+  readonly time: typeof questpie430.time;
+  readonly select: typeof questpie430.select;
+  readonly upload: typeof questpie430.upload;
+  readonly relation: typeof questpie430.relation;
+  readonly object: typeof questpie430.object;
   readonly json: typeof questpie_src_server_modules_core_fields_json_js9.json;
-  readonly from: typeof questpie428.from;
+  readonly from: typeof questpie430.from;
 }>, {
   name: "verification";
   fields: Record<string, any> & {
-    readonly identifier: drizzle_orm79.NotNull<drizzle_orm_pg_core141.PgVarcharBuilder<[string, ...string[]]>>;
-    readonly value: drizzle_orm79.NotNull<drizzle_orm_pg_core141.PgVarcharBuilder<[string, ...string[]]>>;
-    readonly expiresAt: drizzle_orm79.NotNull<drizzle_orm_pg_core141.PgTimestampBuilder>;
+    readonly identifier: drizzle_orm80.NotNull<drizzle_orm_pg_core144.PgVarcharBuilder<[string, ...string[]]>>;
+    readonly value: drizzle_orm80.NotNull<drizzle_orm_pg_core144.PgVarcharBuilder<[string, ...string[]]>>;
+    readonly expiresAt: drizzle_orm80.NotNull<drizzle_orm_pg_core144.PgTimestampBuilder>;
   };
   virtuals: undefined;
-  relations: Record<string, questpie428.RelationConfig>;
+  relations: Record<string, questpie430.RelationConfig>;
   indexes: Record<string, any>;
   title: "identifier";
-  options: questpie428.CollectionOptions & {
+  options: questpie430.CollectionOptions & {
     timestamps: true;
   };
-  hooks: Record<string, any>;
-  access: Record<string, any>;
+  hooks: questpie_src_server_collection_builder_types_js17.CollectionHooksStorage;
+  access: questpie_src_server_collection_builder_types_js17.CollectionAccessStorage;
   searchable: undefined;
   fieldDefinitions: {
-    readonly identifier: questpie428.FieldWithMethods<Omit<questpie428.TextFieldState, "notNull" | "column"> & {
+    readonly identifier: questpie430.FieldWithMethods<Omit<questpie430.TextFieldState, "notNull" | "column"> & {
       notNull: true;
-      column: drizzle_orm79.NotNull<drizzle_orm_pg_core141.PgVarcharBuilder<[string, ...string[]]>>;
-    }, questpie428.TextFieldMethods>;
-    readonly value: questpie428.FieldWithMethods<Omit<questpie428.TextFieldState, "notNull" | "column"> & {
+      column: drizzle_orm80.NotNull<drizzle_orm_pg_core144.PgVarcharBuilder<[string, ...string[]]>>;
+    }, questpie430.TextFieldMethods>;
+    readonly value: questpie430.FieldWithMethods<Omit<questpie430.TextFieldState, "notNull" | "column"> & {
       notNull: true;
-      column: drizzle_orm79.NotNull<drizzle_orm_pg_core141.PgVarcharBuilder<[string, ...string[]]>>;
-    }, questpie428.TextFieldMethods>;
-    readonly expiresAt: questpie428.FieldWithMethods<Omit<questpie428.DatetimeFieldState, "notNull" | "column"> & {
+      column: drizzle_orm80.NotNull<drizzle_orm_pg_core144.PgVarcharBuilder<[string, ...string[]]>>;
+    }, questpie430.TextFieldMethods>;
+    readonly expiresAt: questpie430.FieldWithMethods<Omit<questpie430.DatetimeFieldState, "notNull" | "column"> & {
       notNull: true;
-      column: drizzle_orm79.NotNull<drizzle_orm_pg_core141.PgTimestampBuilder>;
-    }, questpie428.DatetimeFieldMethods>;
+      column: drizzle_orm80.NotNull<drizzle_orm_pg_core144.PgTimestampBuilder>;
+    }, questpie430.DatetimeFieldMethods>;
   };
   upload: undefined;
   output: {};

package/dist/server/modules/admin/dto/admin-config.dto.mjs

@@ -12,9 +12,18 @@ import { z } from "zod";
 * They mirror the server augmentation types but are pure data
 * (no functions, no callbacks, no non-serializable fields).
 */
+function containsFunction(value, seen = /* @__PURE__ */ new WeakSet()) {
+	if (typeof value === "function") return true;
+	if (!value || typeof value !== "object") return false;
+	if (seen.has(value)) return false;
+	seen.add(value);
+	if (Array.isArray(value)) return value.some((item) => containsFunction(item, seen));
+	return Object.values(value).some((item) => containsFunction(item, seen));
+}
+const serializableUnknownSchema = z.unknown().refine((value) => !containsFunction(value), { message: "Functions cannot be serialized in admin config DTOs" });
 const componentReferenceSchema = z.object({
 	type: z.string(),
-	props: z.record(z.string(), z.any()).optional()
+	props: z.record(z.string(), serializableUnknownSchema).optional()
 });
 const sidebarItemSchema = z.discriminatedUnion("type", [
 	z.object({
@@ -99,8 +108,8 @@ const dashboardConfigSchema = z.object({
 	rowHeight: z.union([z.number(), z.string()]).optional(),
 	gap: z.number().optional(),
 	realtime: z.boolean().optional(),
-	actions: z.array(z.any()).optional(),
-	items: z.array(z.record(z.string(), z.any())).optional()
+	actions: z.array(serializableUnknownSchema).optional(),
+	items: z.array(z.record(z.string(), serializableUnknownSchema)).optional()
 });
 const brandLogoSchema = z.union([
 	z.string(),
@@ -120,6 +129,27 @@ const brandingConfigSchema = z.object({
 	tagline: i18nTextSchema.optional(),
 	favicon: z.string().optional()
 });
+const blockAdminSchema = z.object({
+	label: serializableUnknownSchema.optional(),
+	description: serializableUnknownSchema.optional(),
+	icon: componentReferenceSchema.optional(),
+	category: z.object({
+		label: serializableUnknownSchema,
+		icon: componentReferenceSchema.optional(),
+		order: z.number().optional()
+	}).optional(),
+	order: z.number().optional(),
+	hidden: z.boolean().optional()
+});
+const blockSchema = z.object({
+	name: z.string(),
+	admin: blockAdminSchema.optional(),
+	allowChildren: z.boolean().optional(),
+	maxChildren: z.number().optional(),
+	hasPrefetch: z.boolean(),
+	fields: z.record(z.string(), serializableUnknownSchema),
+	form: z.object({ fields: z.array(serializableUnknownSchema) }).optional()
+});
 /**
 * Zod schema for the complete AdminConfigDTO.
 * Can be used as the outputSchema for the getAdminConfig route.
@@ -129,7 +159,7 @@ const adminConfigDTOSchema = z.object({
 	sidebar: sidebarConfigSchema.optional(),
 	shell: adminShellConfigSchema.optional(),
 	branding: brandingConfigSchema.optional(),
-	blocks: z.record(z.string(), z.record(z.string(), z.any())).optional(),
+	blocks: z.record(z.string(), blockSchema).optional(),
 	collections: z.record(z.string(), collectionMetaSchema).optional(),
 	globals: z.record(z.string(), collectionMetaSchema).optional(),
 	uploads: uploadsConfigSchema.optional()

package/dist/server/modules/admin/factories.mjs

@@ -1,4 +1,4 @@
-import { createActionCallbackProxy } from "../../proxy-factories.mjs";
+import { createActionCallbackProxy, createActionFieldBuilderProxy } from "../../proxy-factories.mjs";
 import { CollectionBuilder } from "questpie";
 
 //#region src/server/modules/admin/factories.ts
@@ -26,37 +26,6 @@ const _componentProxy = new Proxy({}, { get: (_, prop) => (...args) => ({
 	props: typeof args[0] === "string" ? { name: args[0] } : args[0] ?? {}
 }) });
 const _fieldRefProxy = new Proxy({}, { get: (_, prop) => String(prop) });
-/**
-* Field builder proxy for actions context.
-* Supports `f.text().required().label({...})` chaining.
-* Each method call returns a new proxy with accumulated properties.
-*/
-function _createFieldBuilderProxy() {
-	return new Proxy({}, { get: (_, prop) => {
-		if (typeof prop !== "string") return void 0;
-		return (...args) => {
-			const def = { type: prop };
-			if (Array.isArray(args[0])) def.options = args[0];
-			else if (args[0] && typeof args[0] === "object") Object.assign(def, args[0]);
-			else if (args[0] !== void 0) def.value = args[0];
-			return _chainable(def);
-		};
-	} });
-}
-function _chainable(def) {
-	return new Proxy(def, { get: (target, prop) => {
-		if (typeof prop !== "string") return Reflect.get(target, prop);
-		if (prop in target) return target[prop];
-		if (prop === "set") return (key, value) => _chainable({
-			...target,
-			[key]: value
-		});
-		return (...args) => _chainable({
-			...target,
-			[prop]: args.length === 0 ? true : args[0]
-		});
-	} });
-}
 const _actionBuilderProxy = createActionCallbackProxy();
 const _simpleActionProxy = createActionCallbackProxy();
 const _collExt = {
@@ -81,7 +50,8 @@ const _collExt = {
 						collectionTable: "collection-table"
 					}),
 					f: _fieldRefProxy,
-					a: _simpleActionProxy
+					a: _simpleActionProxy,
+					c: _componentProxy
 				}) : configOrFn
 			};
 		}
@@ -112,7 +82,7 @@ const _collExt = {
 			if (typeof configOrFn === "function") return configOrFn({
 				a: _actionBuilderProxy,
 				c: _componentProxy,
-				f: _createFieldBuilderProxy()
+				f: createActionFieldBuilderProxy()
 			});
 			return configOrFn;
 		}

package/dist/server/modules/admin/index.d.mts

@@ -1,10 +1,10 @@
+import { FilterOperator, FilterRule, SortConfig, ViewConfiguration } from "../../../shared/types/saved-views.types.mjs";
 import { ExecuteActionRequest, ExecuteActionResponse, actionFunctions, executeAction, executeActionFn, getActionsConfig, getActionsConfigFn } from "./routes/execute-action.mjs";
 import { PreviewTokenPayload, createPreviewFunctions, createPreviewTokenVerifier, verifyPreviewTokenDirect } from "./routes/preview.mjs";
 import { batchReactive, fieldOptions, reactiveFunctions } from "./routes/reactive.mjs";
 import { createFirstAdmin, isSetupRequired, setupFunctions } from "./routes/setup.mjs";
 import { fetchWidgetData, widgetDataFunctions } from "./routes/widget-data.mjs";
 import { AdminCollections, AdminComponents, AdminRoutes, AdminViews } from "./.generated/module.mjs";
-import { FilterOperator, FilterRule, SortConfig, ViewConfiguration } from "../../../shared/types/saved-views.types.mjs";
 import { savedViewsCollection } from "../admin-preferences/collections/saved-views.mjs";
 import "./index.mjs";
 import * as zod0 from "zod";
@@ -927,8 +927,8 @@ declare const adminModule: {
                 $Infer: {
                   body: {
                     permissions: {
-                      readonly user?: ("delete" | "create" | "update" | "list" | "set-role" | "ban" | "impersonate" | "impersonate-admins" | "set-password" | "get")[] | undefined;
-                      readonly session?: ("delete" | "list" | "revoke")[] | undefined;
+                      readonly user?: ("create" | "update" | "list" | "set-role" | "ban" | "impersonate" | "impersonate-admins" | "delete" | "set-password" | "get")[] | undefined;
+                      readonly session?: ("list" | "delete" | "revoke")[] | undefined;
                     };
                   } & {
                     userId?: string | undefined;

package/dist/server/modules/admin/routes/admin-config.d.mts

@@ -1,4 +1,5 @@
-import * as questpie454 from "questpie";
+import "./route-helpers.mjs";
+import * as questpie456 from "questpie";
 
 //#region src/server/modules/admin/routes/admin-config.d.ts
 
@@ -7,7 +8,8 @@ import * as questpie454 from "questpie";
  * Registered via module routes and exposed through the fetch handler.
  */
 declare const adminConfigFunctions: {
-  readonly getAdminConfig: questpie454.JsonRouteDefinition<Record<string, never> | undefined, any, questpie454.JsonRouteParams>;
+  readonly getAdminConfig: questpie456.JsonRouteDefinition<Record<string, never> | undefined, any, questpie456.JsonRouteParams>;
+  readonly getPublicAdminConfig: questpie456.JsonRouteDefinition<Record<string, never> | undefined, any, questpie456.JsonRouteParams>;
 };
 //#endregion
 export { adminConfigFunctions };

package/dist/server/modules/admin/routes/admin-config.mjs

@@ -3,7 +3,7 @@ import { introspectBlocks } from "../block/introspection.mjs";
 import { adminConfigDTOSchema } from "../dto/admin-config.dto.mjs";
 import { getAccessContext, getAdminConfig as getAdminConfig$1, getApp, getAppState, getCollectionState, getGlobalState } from "./route-helpers.mjs";
 import { z } from "zod";
-import { executeAccessRule, route } from "questpie";
+import { executeAccessRule, route, shouldAutoAppendUnlistedSidebar } from "questpie";
 
 //#region src/server/modules/admin/routes/admin-config.ts
 /**
@@ -200,16 +200,28 @@ function buildAutoSidebar(collectionsMeta, globalsMeta) {
 * Removes items referencing inaccessible collections/globals.
 * Removes empty sections after filtering.
 */
-function filterSidebarConfig(config, accessibleCollections, accessibleGlobals) {
-	return { sections: config.sections.map((s) => ({
-		...s,
-		items: (s.items ?? []).filter((item) => {
-			const rec = item;
-			if (item.type === "collection") return accessibleCollections.has(rec.collection);
-			if (item.type === "global") return accessibleGlobals.has(rec.global);
-			return true;
-		})
-	})).filter((s) => (s.items?.length ?? 0) > 0 || (s.sections?.length ?? 0) > 0) };
+function filterSidebarConfig(config, accessibleCollections, accessibleGlobals, hiddenCollections, hiddenGlobals) {
+	function filterSection(s) {
+		return {
+			...s,
+			items: (s.items ?? []).filter((item) => {
+				const rec = item;
+				if (item.type === "collection") {
+					const collection$1 = rec.collection;
+					if (hiddenCollections.has(collection$1)) return false;
+					return accessibleCollections.has(collection$1);
+				}
+				if (item.type === "global") {
+					const global = rec.global;
+					if (hiddenGlobals.has(global)) return false;
+					return accessibleGlobals.has(global);
+				}
+				return true;
+			}),
+			sections: (s.sections ?? []).map(filterSection).filter((sub) => (sub.items?.length ?? 0) > 0 || (sub.sections?.length ?? 0) > 0)
+		};
+	}
+	return { sections: config.sections.map(filterSection).filter((s) => (s.items?.length ?? 0) > 0 || (s.sections?.length ?? 0) > 0) };
 }
 /**
 * Collect all collection and global names referenced in a sidebar config.
@@ -502,6 +514,11 @@ async function processDashboardItems(items, accessibleCollections, accessCtx) {
 }
 const getAdminConfigSchema = z.object({}).optional();
 const getAdminConfigOutputSchema = adminConfigDTOSchema;
+function buildPublicAdminConfig(adminCfg) {
+	const response = {};
+	if (adminCfg.branding) response.branding = adminCfg.branding;
+	return stripUndefinedDeep(response);
+}
 /**
 * Get admin configuration including dashboard, sidebar, blocks,
 * and collection/global metadata.
@@ -523,7 +540,7 @@ const getAdminConfigOutputSchema = adminConfigDTOSchema;
 * const config = await client.routes.getAdminConfig({});
 * ```
 */
-const getAdminConfig = route().post().schema(getAdminConfigSchema).outputSchema(getAdminConfigOutputSchema).handler(async (ctx) => {
+const getAdminConfig = route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(getAdminConfigSchema).outputSchema(getAdminConfigOutputSchema).handler(async (ctx) => {
 	const app = getApp(ctx);
 	const appState = getAppState(app);
 	const adminCfg = getAdminConfig$1(app);
@@ -557,27 +574,42 @@ const getAdminConfig = route().post().schema(getAdminConfigSchema).outputSchema(
 		let sidebarConfig;
 		if (isLegacySidebarConfig(adminCfg.sidebar)) sidebarConfig = adminCfg.sidebar;
 		else sidebarConfig = mergeSidebarContributions(normalizeSidebarContributions(adminCfg.sidebar));
-		const filteredSidebar = filterSidebarConfig(sidebarConfig, accessibleCollections, accessibleGlobals);
-		const referenced = collectSidebarReferences(sidebarConfig);
-		const unlistedSidebar = buildAutoSidebar(Object.fromEntries(Object.entries(filteredCollectionsMeta).filter(([name, meta]) => !referenced.collections.has(name) && !meta.hidden)), Object.fromEntries(Object.entries(filteredGlobalsMeta).filter(([name, meta]) => !referenced.globals.has(name) && !meta.hidden)));
-		const mergedSections = [...filteredSidebar.sections];
-		for (const unlistedSection of unlistedSidebar.sections) {
-			const existing = mergedSections.find((s) => s.id === unlistedSection.id);
-			if (existing) existing.items = [...existing.items ?? [], ...unlistedSection.items ?? []];
-			else mergedSections.push(unlistedSection);
-		}
-		response.sidebar = { sections: mergedSections };
+		const hiddenCollections = new Set(Object.entries(allCollectionsMeta).filter(([, meta]) => meta.hidden).map(([name]) => name));
+		const hiddenGlobals = new Set(Object.entries(allGlobalsMeta).filter(([, meta]) => meta.hidden).map(([name]) => name));
+		const filteredSidebar = filterSidebarConfig(sidebarConfig, accessibleCollections, accessibleGlobals, hiddenCollections, hiddenGlobals);
+		if (shouldAutoAppendUnlistedSidebar(adminCfg, sidebarConfig)) {
+			const referenced = collectSidebarReferences(sidebarConfig);
+			const unlistedSidebar = buildAutoSidebar(Object.fromEntries(Object.entries(filteredCollectionsMeta).filter(([name, meta]) => !referenced.collections.has(name) && !meta.hidden)), Object.fromEntries(Object.entries(filteredGlobalsMeta).filter(([name, meta]) => !referenced.globals.has(name) && !meta.hidden)));
+			const mergedSections = [...filteredSidebar.sections];
+			for (const unlistedSection of unlistedSidebar.sections) {
+				const existing = mergedSections.find((s) => s.id === unlistedSection.id);
+				if (existing) existing.items = [...existing.items ?? [], ...unlistedSection.items ?? []];
+				else mergedSections.push(unlistedSection);
+			}
+			response.sidebar = { sections: mergedSections };
+		} else response.sidebar = filteredSidebar;
 	} else response.sidebar = buildAutoSidebar(filteredCollectionsMeta, filteredGlobalsMeta);
-	if (appState.blocks && Object.keys(appState.blocks).length > 0) response.blocks = introspectBlocks(appState.blocks);
+	if (accessCtx.session && appState.blocks && Object.keys(appState.blocks).length > 0) response.blocks = introspectBlocks(appState.blocks);
 	response.collections = filteredCollectionsMeta;
 	response.globals = filteredGlobalsMeta;
 	return stripUndefinedDeep(response);
 });
 /**
+* Get public admin bootstrap configuration for unauthenticated auth pages.
+*
+* This intentionally exposes only branding. Full admin config, sidebar,
+* dashboard, blocks, upload collections, and resource metadata stay behind
+* getAdminConfig's admin-session guard.
+*/
+const getPublicAdminConfig = route().post().access(true).schema(getAdminConfigSchema).outputSchema(getAdminConfigOutputSchema).handler(async (ctx) => buildPublicAdminConfig(getAdminConfig$1(getApp(ctx))));
+/**
 * Admin config route handlers.
 * Registered via module routes and exposed through the fetch handler.
 */
-const adminConfigFunctions = { getAdminConfig };
+const adminConfigFunctions = {
+	getAdminConfig,
+	getPublicAdminConfig
+};
 
 //#endregion
 export { adminConfigFunctions };

package/dist/server/modules/admin/routes/execute-action.d.mts

@@ -1,7 +1,7 @@
 import { ServerActionDefinition, ServerActionResult } from "../../../augmentation/actions.mjs";
 import "../../../augmentation.mjs";
 import { App } from "./route-helpers.mjs";
-import * as questpie69 from "questpie";
+import * as questpie64 from "questpie";
 
 //#region src/server/modules/admin/routes/execute-action.d.ts
 
@@ -56,37 +56,37 @@ declare function executeAction(app: App, request: ExecuteActionRequest, session?
  * });
  * ```
  */
-declare const executeActionFn: questpie69.JsonRouteDefinition<{
+declare const executeActionFn: questpie64.JsonRouteDefinition<{
   collection: string;
   actionId: string;
   itemId?: string | undefined;
   itemIds?: string[] | undefined;
   data?: Record<string, unknown> | undefined;
   locale?: string | undefined;
-}, any, questpie69.JsonRouteParams>;
+}, any, questpie64.JsonRouteParams>;
 /**
  * Get actions configuration for a collection.
  * Returns action definitions without handlers for client rendering.
  */
-declare const getActionsConfigFn: questpie69.JsonRouteDefinition<{
+declare const getActionsConfigFn: questpie64.JsonRouteDefinition<{
   collection: string;
-}, any, questpie69.JsonRouteParams>;
+}, any, questpie64.JsonRouteParams>;
 /**
  * QUESTPIE functions for action execution.
  * These are registered on the `adminModule`.
  */
 declare const actionFunctions: {
-  executeAction: questpie69.JsonRouteDefinition<{
+  executeAction: questpie64.JsonRouteDefinition<{
     collection: string;
     actionId: string;
     itemId?: string | undefined;
     itemIds?: string[] | undefined;
     data?: Record<string, unknown> | undefined;
     locale?: string | undefined;
-  }, any, questpie69.JsonRouteParams>;
-  getActionsConfig: questpie69.JsonRouteDefinition<{
+  }, any, questpie64.JsonRouteParams>;
+  getActionsConfig: questpie64.JsonRouteDefinition<{
     collection: string;
-  }, any, questpie69.JsonRouteParams>;
+  }, any, questpie64.JsonRouteParams>;
 };
 //#endregion
 export { ExecuteActionRequest, ExecuteActionResponse, actionFunctions, executeAction, executeActionFn, getActionsConfig, getActionsConfigFn };

package/dist/server/modules/admin/routes/execute-action.mjs

@@ -1,7 +1,7 @@
 import { getApp, getCollection, getCollectionCrud, getCollectionCruds, getGlobalCruds, getSession } from "./route-helpers.mjs";
 import { translateAdminMessage } from "./i18n-helpers.mjs";
 import { z } from "zod";
-import { route } from "questpie";
+import { extractAppServices, route, runWithContext } from "questpie";
 
 //#region src/server/modules/admin/routes/execute-action.ts
 /**
@@ -137,12 +137,18 @@ async function executeAction(app, request, session) {
 			success: false,
 			result: {
 				type: "error",
-				toast: { message: validationError }
+				toast: { message: validationError.message },
+				errors: validationError.errors
 			}
 		};
 	}
 	try {
 		const appRec = app;
+		const services = extractAppServices(app, {
+			db: appRec.db,
+			session,
+			locale
+		});
 		const context = {
 			data: data || {},
 			itemId,
@@ -153,9 +159,16 @@ async function executeAction(app, request, session) {
 			db: appRec.db,
 			session,
 			locale,
-			t
+			t,
+			workflows: services.workflows
 		};
-		const result = await customAction.handler(context);
+		const result = await runWithContext({
+			app,
+			db: appRec.db,
+			session,
+			locale,
+			accessMode: "user"
+		}, () => customAction.handler(context));
 		return {
 			success: result.type === "success" || result.type === "redirect",
 			result
@@ -182,7 +195,8 @@ async function executeBuiltinAction(app, params) {
 	const crudContext = {
 		db: appRec.db,
 		session: params.session,
-		locale: params.locale
+		locale: params.locale,
+		accessMode: "user"
 	};
 	try {
 		switch (actionId) {
@@ -420,8 +434,20 @@ function isFieldRequired(field$1) {
 * Returns error message if validation fails, null if valid.
 */
 function validateActionFormData(fields, data, t) {
-	for (const [fieldName, fieldConfig] of Object.entries(fields)) if (isFieldRequired(fieldConfig) && !data[fieldName]) return t("action.fieldRequired", { field: fieldName });
-	return null;
+	const errors = {};
+	for (const [fieldName, fieldConfig] of Object.entries(fields)) {
+		if (isFieldDefinition(fieldConfig)) {
+			const result = fieldConfig.toZodSchema().safeParse(data[fieldName]);
+			if (!result.success) errors[fieldName] = result.error.issues[0]?.message || t("action.fieldRequired", { field: fieldName });
+			continue;
+		}
+		if (isFieldRequired(fieldConfig) && (data[fieldName] === void 0 || data[fieldName] === null)) errors[fieldName] = t("action.fieldRequired", { field: fieldName });
+	}
+	const firstError = Object.values(errors)[0];
+	return firstError ? {
+		message: firstError,
+		errors
+	} : null;
 }
 const executeActionRequestSchema = z.object({
 	collection: z.string(),
@@ -454,7 +480,7 @@ const getActionsConfigResponseSchema = z.object({
 * });
 * ```
 */
-const executeActionFn = route().post().schema(executeActionRequestSchema).outputSchema(executeActionResponseSchema).handler(async (ctx) => {
+const executeActionFn = route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(executeActionRequestSchema).outputSchema(executeActionResponseSchema).handler(async (ctx) => {
 	const app = getApp(ctx);
 	const session = getSession(ctx);
 	return executeAction(app, ctx.input, session);
@@ -463,7 +489,7 @@ const executeActionFn = route().post().schema(executeActionRequestSchema).output
 * Get actions configuration for a collection.
 * Returns action definitions without handlers for client rendering.
 */
-const getActionsConfigFn = route().post().schema(getActionsConfigRequestSchema).outputSchema(getActionsConfigResponseSchema).handler((ctx) => {
+const getActionsConfigFn = route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(getActionsConfigRequestSchema).outputSchema(getActionsConfigResponseSchema).handler((ctx) => {
 	return getActionsConfig(getApp(ctx), ctx.input.collection);
 });
 /**

package/dist/server/modules/admin/routes/locales.mjs

@@ -39,7 +39,7 @@ const getContentLocalesOutputSchema = z.object({
 * // }
 * ```
 */
-const getContentLocales = route().post().schema(getContentLocalesSchema).outputSchema(getContentLocalesOutputSchema).handler(async (ctx) => {
+const getContentLocales = route().post().access(true).schema(getContentLocalesSchema).outputSchema(getContentLocalesOutputSchema).handler(async (ctx) => {
 	const localeConfig = getApp(ctx).config.locale;
 	if (!localeConfig) return {
 		locales: [{

package/dist/server/modules/admin/routes/preview.d.mts

@@ -1,4 +1,4 @@
-import * as questpie141 from "questpie";
+import * as questpie72 from "questpie";
 
 //#region src/server/modules/admin/routes/preview.d.ts
 
@@ -25,13 +25,13 @@ interface PreviewTokenPayload {
  * @returns Object with preview functions
  */
 declare function createPreviewFunctions(secret?: PreviewSecretSource): {
-  mintPreviewToken: questpie141.JsonRouteDefinition<{
+  mintPreviewToken: questpie72.JsonRouteDefinition<{
     path: string;
     ttlMs?: number | undefined;
-  }, any, questpie141.JsonRouteParams>;
-  verifyPreviewToken: questpie141.JsonRouteDefinition<{
+  }, any, questpie72.JsonRouteParams>;
+  verifyPreviewToken: questpie72.JsonRouteDefinition<{
     token: string;
-  }, any, questpie141.JsonRouteParams>;
+  }, any, questpie72.JsonRouteParams>;
 };
 /**
  * Verify a preview token without RPC.
@@ -68,18 +68,18 @@ declare function createPreviewTokenVerifier(secret: string): (token: string) =>
  * Used by the `adminModule` to register preview RPC functions.
  */
 declare const previewFunctions: {
-  getPreviewUrl: questpie141.JsonRouteDefinition<{
+  getPreviewUrl: questpie72.JsonRouteDefinition<{
     collection: string;
     record: Record<string, unknown>;
     locale?: string | undefined;
-  }, any, questpie141.JsonRouteParams>;
-  mintPreviewToken: questpie141.JsonRouteDefinition<{
+  }, any, questpie72.JsonRouteParams>;
+  mintPreviewToken: questpie72.JsonRouteDefinition<{
     path: string;
     ttlMs?: number | undefined;
-  }, any, questpie141.JsonRouteParams>;
-  verifyPreviewToken: questpie141.JsonRouteDefinition<{
+  }, any, questpie72.JsonRouteParams>;
+  verifyPreviewToken: questpie72.JsonRouteDefinition<{
     token: string;
-  }, any, questpie141.JsonRouteParams>;
+  }, any, questpie72.JsonRouteParams>;
 };
 //#endregion
 export { PreviewTokenPayload, createPreviewFunctions, createPreviewTokenVerifier, previewFunctions, verifyPreviewTokenDirect };

package/dist/server/modules/admin/routes/preview.mjs

@@ -1,4 +1,5 @@
-import { getApp, getCollectionState, getLocale, getSession } from "./route-helpers.mjs";
+import { hasAdminRole } from "../auth-helpers.mjs";
+import { getApp, getCollectionState, getLocale } from "./route-helpers.mjs";
 import { translateAdminMessage } from "./i18n-helpers.mjs";
 import { z } from "zod";
 import { ApiError, route } from "questpie";
@@ -103,11 +104,11 @@ const DEFAULT_TTL_MS = 3600 * 1e3;
 */
 function createPreviewFunctions(secret = defaultPreviewSecret) {
 	return {
-		mintPreviewToken: route().post().schema(mintPreviewTokenSchema).outputSchema(mintPreviewTokenOutputSchema).handler(async (ctx) => {
+		mintPreviewToken: route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(mintPreviewTokenSchema).outputSchema(mintPreviewTokenOutputSchema).handler(async (ctx) => {
 			const { input } = ctx;
 			const locale = getLocale(ctx);
 			const t = (key, params) => translateAdminMessage(locale, key, params);
-			if (!getSession(ctx)) throw ApiError.unauthorized(t("preview.adminSessionRequired"));
+			if (!hasAdminRole(ctx)) throw ApiError.unauthorized(t("preview.adminSessionRequired"));
 			const { path, ttlMs = DEFAULT_TTL_MS } = input;
 			const expiresAt = Date.now() + ttlMs;
 			const payload = {
@@ -210,11 +211,11 @@ const getPreviewUrlOutputSchema = z.object({
 * // Returns: "/about?preview=true"
 * ```
 */
-const getPreviewUrl = route().post().schema(getPreviewUrlSchema).outputSchema(getPreviewUrlOutputSchema).handler(async (ctx) => {
+const getPreviewUrl = route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(getPreviewUrlSchema).outputSchema(getPreviewUrlOutputSchema).handler(async (ctx) => {
 	const { input } = ctx;
 	const messageLocale = getLocale(ctx) ?? input.locale;
 	const t = (key, params) => translateAdminMessage(messageLocale, key, params);
-	if (!getSession(ctx)) return {
+	if (!hasAdminRole(ctx)) return {
 		url: null,
 		error: t("preview.adminSessionRequired")
 	};