@rebasepro/server-core 0.0.1-canary.eae7889 → 0.1.0

package/src/auth/admin-routes.ts

@@ -4,6 +4,7 @@ import type { AuthRepository } from "./interfaces";
 import { requireAuth, requireAdmin, createRequireAuth } from "./middleware";
 import { hashPassword, validatePasswordStrength } from "./password";
 import { AuthModuleConfig } from "./routes";
+import type { BackendHooks, AdminUser, AdminRole, BackendHookContext } from "@rebasepro/types";
 
 interface AdminRouteOptions extends AuthModuleConfig {
     serviceKey?: string;
@@ -12,6 +13,10 @@ interface AdminRouteOptions extends AuthModuleConfig {
      * Invoked after the first admin user is promoted via POST /admin/bootstrap.
      */
     setBootstrapCompleted?: () => Promise<void>;
+    /**
+     * Backend-level hooks for intercepting admin data.
+     */
+    hooks?: BackendHooks;
 }
 import { HonoEnv } from "../api/types";
 import { randomBytes, createHash } from "crypto";
@@ -63,7 +68,50 @@ function hashToken(token: string): string {
 export function createAdminRoutes(config: AdminRouteOptions): Hono<HonoEnv> {
     const router = new Hono<HonoEnv>();
     const authRepo = config.authRepo;
-    const { emailService, emailConfig } = config;
+    const { emailService, emailConfig, hooks } = config;
+
+    /** Build a BackendHookContext from Hono's context object */
+    function buildHookContext(c: { get: (key: string) => unknown }, method: BackendHookContext["method"]): BackendHookContext {
+        const user = c.get("user") as { userId: string; roles?: string[] } | undefined;
+        return {
+            requestUser: user ? { userId: user.userId, roles: user.roles ?? [] } : undefined,
+            method
+        };
+    }
+
+    /** Apply users.afterRead hook to an AdminUser, returning null to filter out */
+    async function applyUserAfterRead(user: AdminUser, ctx: BackendHookContext): Promise<AdminUser | null> {
+        if (!hooks?.users?.afterRead) return user;
+        return hooks.users.afterRead(user, ctx);
+    }
+
+    /** Apply users.afterRead hook to an array and filter nulls */
+    async function applyUserAfterReadBatch(users: AdminUser[], ctx: BackendHookContext): Promise<AdminUser[]> {
+        if (!hooks?.users?.afterRead) return users;
+        const results = await Promise.all(users.map(u => applyUserAfterRead(u, ctx)));
+        return results.filter((u): u is AdminUser => u !== null);
+    }
+
+    /** Apply roles.afterRead hook to an array and filter nulls */
+    async function applyRoleAfterReadBatch(roles: AdminRole[], ctx: BackendHookContext): Promise<AdminRole[]> {
+        if (!hooks?.roles?.afterRead) return roles;
+        const results = await Promise.all(roles.map(r => hooks!.roles!.afterRead!(r, ctx)));
+        return results.filter((r): r is AdminRole => r !== null);
+    }
+
+    /** Convert a DB user record + role IDs into the AdminUser API shape */
+    function toAdminUser(u: { id: string; email: string; displayName?: string | null; photoUrl?: string | null; createdAt?: Date | string; updatedAt?: Date | string }, roles: string[]): AdminUser {
+        return {
+            uid: u.id,
+            email: u.email,
+            displayName: u.displayName ?? null,
+            photoURL: u.photoUrl ?? null,
+            provider: "custom",
+            roles,
+            createdAt: u.createdAt instanceof Date ? u.createdAt.toISOString() : (u.createdAt ?? new Date().toISOString()),
+            updatedAt: u.updatedAt instanceof Date ? u.updatedAt.toISOString() : (u.updatedAt ?? new Date().toISOString())
+        };
+    }
 
     // Attach Rebase error handler to ensure exceptions are correctly formatted
     // instead of caught by Hono's default error handler from the sub-router.
@@ -142,6 +190,7 @@ export function createAdminRoutes(config: AdminRouteOptions): Hono<HonoEnv> {
         const search = c.req.query("search");
         const orderBy = c.req.query("orderBy");
         const orderDir = c.req.query("orderDir") as "asc" | "desc" | undefined;
+        const hookCtx = buildHookContext(c, "GET");
 
         // If pagination params are provided, use the paginated path
         if (limitParam !== undefined || search) {
@@ -157,21 +206,15 @@ export function createAdminRoutes(config: AdminRouteOptions): Hono<HonoEnv> {
                 roleId: c.req.query("role") || undefined
             });
 
-            const usersWithRoles = await Promise.all(
+            let usersWithRoles: AdminUser[] = await Promise.all(
                 result.users.map(async (u) => {
                     const roles = await authRepo.getUserRoleIds(u.id);
-                    return {
-                        uid: u.id,
-                        email: u.email,
-                        displayName: u.displayName,
-                        photoURL: u.photoUrl,
-                        roles,
-                        createdAt: u.createdAt,
-                        updatedAt: u.updatedAt
-                    };
+                    return toAdminUser(u, roles);
                 })
             );
 
+            usersWithRoles = await applyUserAfterReadBatch(usersWithRoles, hookCtx);
+
             return c.json({
                 users: usersWithRoles,
                 total: result.total,
@@ -182,20 +225,15 @@ export function createAdminRoutes(config: AdminRouteOptions): Hono<HonoEnv> {
 
         // Legacy: return all users (no pagination)
         const users = await authRepo.listUsers();
-        const usersWithRoles = await Promise.all(
+        let usersWithRoles: AdminUser[] = await Promise.all(
             users.map(async (u) => {
                 const roles = await authRepo.getUserRoleIds(u.id);
-                return {
-                    uid: u.id,
-                    email: u.email,
-                    displayName: u.displayName,
-                    photoURL: u.photoUrl,
-                    roles,
-                    createdAt: u.createdAt,
-                    updatedAt: u.updatedAt
-                };
+                return toAdminUser(u, roles);
             })
         );
+
+        usersWithRoles = await applyUserAfterReadBatch(usersWithRoles, hookCtx);
+
         return c.json({ users: usersWithRoles });
     });
 
@@ -207,27 +245,34 @@ export function createAdminRoutes(config: AdminRouteOptions): Hono<HonoEnv> {
             throw ApiError.notFound("User not found");
         }
 
-        return c.json({
-            user: {
-                uid: result.user.id,
-                email: result.user.email,
-                displayName: result.user.displayName,
-                photoURL: result.user.photoUrl,
-                roles: result.roles.map(r => r.id),
-                createdAt: result.user.createdAt,
-                updatedAt: result.user.updatedAt
-            }
-        });
+        const hookCtx = buildHookContext(c, "GET");
+        let adminUser: AdminUser | null = toAdminUser(result.user, result.roles.map(r => r.id));
+
+        adminUser = await applyUserAfterRead(adminUser, hookCtx);
+        if (!adminUser) {
+            throw ApiError.notFound("User not found");
+        }
+
+        return c.json({ user: adminUser });
     });
 
     router.post("/users", requireAdmin, async (c) => {
         const body = await c.req.json();
-        const { email, displayName, password, roles } = body;
+        let { email, displayName, password, roles } = body;
 
         if (!email) {
             throw ApiError.badRequest("Email is required", "INVALID_INPUT");
         }
 
+        // Apply beforeSave hook
+        const hookCtx = buildHookContext(c, "POST");
+        if (hooks?.users?.beforeSave) {
+            const hooked = await hooks.users.beforeSave({ email, displayName, roles }, hookCtx);
+            email = hooked.email ?? email;
+            displayName = hooked.displayName ?? displayName;
+            roles = hooked.roles ?? roles;
+        }
+
         const existing = await authRepo.getUserByEmail(email);
         if (existing) {
             throw ApiError.conflict("Email already exists", "EMAIL_EXISTS");
@@ -299,13 +344,17 @@ displayName: user.displayName }, appName);
         }
         // If admin provided a password explicitly, don't return it or send email
 
+        const createdAdminUser: AdminUser = toAdminUser(user, userRoles);
+
+        // Fire afterSave hook (fire-and-forget for side-effects)
+        if (hooks?.users?.afterSave) {
+            Promise.resolve(hooks.users.afterSave(createdAdminUser, hookCtx)).catch(err => {
+                console.error("[BackendHooks] users.afterSave error:", err instanceof Error ? err.message : err);
+            });
+        }
+
         return c.json({
-            user: {
-                uid: user.id,
-                email: user.email,
-                displayName: user.displayName,
-                roles: userRoles
-            },
+            user: createdAdminUser,
             invitationSent,
             ...(temporaryPassword ? { temporaryPassword } : {})
         }, 201);
@@ -381,13 +430,22 @@ displayName: existing.displayName }, appName);
     router.put("/users/:userId", requireAdmin, async (c) => {
         const userId = c.req.param("userId");
         const body = await c.req.json();
-        const { email, displayName, password, roles } = body;
+        let { email, displayName, password, roles } = body;
 
         const existing = await authRepo.getUserById(userId);
         if (!existing) {
             throw ApiError.notFound("User not found");
         }
 
+        // Apply beforeSave hook
+        const hookCtx = buildHookContext(c, "PUT");
+        if (hooks?.users?.beforeSave) {
+            const hooked = await hooks.users.beforeSave({ email, displayName, roles }, hookCtx);
+            email = hooked.email ?? email;
+            displayName = hooked.displayName ?? displayName;
+            roles = hooked.roles ?? roles;
+        }
+
         const updates: Record<string, unknown> = {};
         if (email !== undefined) updates.email = email.toLowerCase();
         if (displayName !== undefined) updates.displayName = displayName;
@@ -410,14 +468,16 @@ displayName: existing.displayName }, appName);
 
         const result = await authRepo.getUserWithRoles(userId);
 
-        return c.json({
-            user: {
-                uid: result!.user.id,
-                email: result!.user.email,
-                displayName: result!.user.displayName,
-                roles: result!.roles.map(r => r.id)
-            }
-        });
+        const updatedAdminUser: AdminUser = toAdminUser(result!.user, result!.roles.map(r => r.id));
+
+        // Fire afterSave hook (fire-and-forget)
+        if (hooks?.users?.afterSave) {
+            Promise.resolve(hooks.users.afterSave(updatedAdminUser, hookCtx)).catch(err => {
+                console.error("[BackendHooks] users.afterSave error:", err instanceof Error ? err.message : err);
+            });
+        }
+
+        return c.json({ user: updatedAdminUser });
     });
 
     router.delete("/users/:userId", requireAdmin, async (c) => {
@@ -434,23 +494,39 @@ displayName: existing.displayName }, appName);
             throw ApiError.notFound("User not found");
         }
 
+        // Apply beforeDelete hook (throw to abort)
+        const hookCtx = buildHookContext(c, "DELETE");
+        if (hooks?.users?.beforeDelete) {
+            await hooks.users.beforeDelete(userId, hookCtx);
+        }
+
         await authRepo.deleteUser(userId);
 
+        // Fire afterDelete hook (fire-and-forget)
+        if (hooks?.users?.afterDelete) {
+            Promise.resolve(hooks.users.afterDelete(userId, hookCtx)).catch(err => {
+                console.error("[BackendHooks] users.afterDelete error:", err instanceof Error ? err.message : err);
+            });
+        }
+
         return c.json({ success: true });
     });
 
     router.get("/roles", requireAdmin, async (c) => {
         const roles = await authRepo.listRoles();
+        const hookCtx = buildHookContext(c, "GET");
 
-        return c.json({
-            roles: roles.map(r => ({
-                id: r.id,
-                name: r.name,
-                isAdmin: r.isAdmin,
-                defaultPermissions: r.defaultPermissions,
-                config: r.config
-            }))
-        });
+        let adminRoles: AdminRole[] = roles.map(r => ({
+            id: r.id,
+            name: r.name,
+            isAdmin: r.isAdmin,
+            defaultPermissions: r.defaultPermissions,
+            config: r.config
+        }));
+
+        adminRoles = await applyRoleAfterReadBatch(adminRoles, hookCtx);
+
+        return c.json({ roles: adminRoles });
     });
 
     router.get("/roles/:roleId", requireAdmin, async (c) => {

package/src/auth/apple-oauth.ts

@@ -1,8 +1,6 @@
 import type { OAuthProvider, OAuthProviderProfile } from "./interfaces";
 import { z } from "zod";
-import { createPrivateKey } from "crypto";
-import { SignJWT } from "jose";
-
+import jwt from "jsonwebtoken";
 /**
  * Creates an Apple Sign In OAuth Provider integration.
  *
@@ -31,22 +29,14 @@ export function createAppleProvider(config: {
      * Apple requires this instead of a static client_secret.
      */
     async function generateClientSecret(): Promise<string> {
-        const key = createPrivateKey({
-            key: config.privateKey,
-            format: "pem"
+        return jwt.sign({}, config.privateKey, {
+            algorithm: "ES256",
+            keyid: config.keyId,
+            issuer: config.teamId,
+            expiresIn: "180d",
+            audience: "https://appleid.apple.com",
+            subject: config.clientId
         });
-
-        const now = Math.floor(Date.now() / 1000);
-
-        return new SignJWT({})
-            .setProtectedHeader({ alg: "ES256",
-kid: config.keyId })
-            .setIssuer(config.teamId)
-            .setIssuedAt(now)
-            .setExpirationTime(now + 86400 * 180) // 6 months max
-            .setAudience("https://appleid.apple.com")
-            .setSubject(config.clientId)
-            .sign(key);
     }
 
     return {

package/src/auth/google-oauth.ts

@@ -10,38 +10,208 @@ export interface GoogleUserInfo {
     emailVerified: boolean;
 }
 
+export interface GoogleProviderConfig {
+    clientId: string;
+    /**
+     * The OAuth 2.0 client secret from Google Cloud Console.
+     *
+     * Required for the **authorization code flow** (Path 3), where the
+     * frontend sends an authorization `code` and the backend exchanges it
+     * server-side for tokens. This is the most secure flow because tokens
+     * never touch the browser.
+     *
+     * When omitted, only ID-token and access-token verification are available
+     * (Paths 1 & 2), which rely on the frontend obtaining tokens directly.
+     */
+    clientSecret?: string;
+}
+
 /**
- * Creates a Google OAuth Provider integration
+ * Creates a Google OAuth Provider integration.
+ *
+ * Supports three verification paths:
+ *
+ * **Path 1 – ID Token** (One Tap / Sign In With Google button):
+ *   Frontend sends `idToken`. Backend verifies cryptographically using
+ *   Google's public keys. No secret required.
+ *
+ * **Path 2 – Access Token** (popup via `initTokenClient`):
+ *   Frontend sends `accessToken`. Backend validates by calling Google's
+ *   userinfo endpoint. No secret required.
+ *
+ * **Path 3 – Authorization Code** (most secure, requires `clientSecret`):
+ *   Frontend sends `code` + `redirectUri`. Backend exchanges the code
+ *   server-side for an ID token using `clientId` + `clientSecret`, then
+ *   verifies the ID token. Tokens never touch the browser.
  */
-export function createGoogleProvider(clientId: string): OAuthProvider<{ idToken: string }> {
-    const googleClient = new OAuth2Client(clientId);
+export function createGoogleProvider(config: GoogleProviderConfig | string): OAuthProvider<{
+    idToken?: string;
+    accessToken?: string;
+    code?: string;
+    redirectUri?: string;
+}> {
+    const clientId = typeof config === "string" ? config : config.clientId;
+    const clientSecret = typeof config === "string" ? undefined : config.clientSecret;
+    const googleClient = new OAuth2Client(clientId, clientSecret);
 
     return {
         id: "google",
         schema: z.object({
-            idToken: z.string().min(1, "ID token is required")
-        }),
-        verify: async (payload: { idToken: string }): Promise<OAuthProviderProfile | null> => {
+            idToken: z.string().min(1).optional(),
+            accessToken: z.string().min(1).optional(),
+            code: z.string().min(1).optional(),
+            redirectUri: z.string().min(1).optional()
+        }).refine(
+            (data) => data.idToken || data.accessToken || (data.code && data.redirectUri),
+            { message: "One of idToken, accessToken, or code+redirectUri is required" }
+        ),
+        verify: async (payload: {
+            idToken?: string;
+            accessToken?: string;
+            code?: string;
+            redirectUri?: string;
+        }): Promise<OAuthProviderProfile | null> => {
             try {
-                const ticket = await googleClient.verifyIdToken({
-                    idToken: payload.idToken,
-                    audience: clientId
-                });
-
-                const content = ticket.getPayload();
-                if (!content) {
-                    return null;
+                // Path 1: verify an ID token (One Tap / renderButton)
+                if (payload.idToken) {
+                    const ticket = await googleClient.verifyIdToken({
+                        idToken: payload.idToken,
+                        audience: clientId
+                    });
+
+                    const content = ticket.getPayload();
+                    if (!content) {
+                        throw new Error("Google ID token payload was empty");
+                    }
+
+                    return {
+                        providerId: content.sub,
+                        email: content.email || "",
+                        displayName: content.name || null,
+                        photoUrl: content.picture || null
+                    };
+                }
+
+                // Path 2: verify an access token via Google's userinfo endpoint
+                if (payload.accessToken) {
+                    const res = await fetch(
+                        "https://www.googleapis.com/oauth2/v3/userinfo",
+                        { headers: { Authorization: `Bearer ${payload.accessToken}` } }
+                    );
+                    if (!res.ok) {
+                        throw new Error(`Google userinfo request failed with status ${res.status}`);
+                    }
+                    const info = await res.json() as {
+                        sub: string;
+                        email?: string;
+                        name?: string;
+                        picture?: string;
+                    };
+                    if (!info.sub || !info.email) {
+                        throw new Error("Google userinfo response missing sub or email");
+                    }
+                    return {
+                        providerId: info.sub,
+                        email: info.email,
+                        displayName: info.name || null,
+                        photoUrl: info.picture || null
+                    };
+                }
+
+                // Path 3: authorization code exchange (most secure)
+                // The frontend obtained a one-time authorization code via the
+                // Google OAuth consent screen. We exchange it server-side for
+                // tokens, so the access/id tokens never touch the browser.
+                if (payload.code && payload.redirectUri) {
+                    if (!clientSecret) {
+                        throw new Error(
+                            "Google authorization code flow requires clientSecret. " +
+                            "Configure GOOGLE_CLIENT_SECRET in your environment."
+                        );
+                    }
+
+                    // Exchange the authorization code for tokens
+                    const tokenResponse = await fetch("https://oauth2.googleapis.com/token", {
+                        method: "POST",
+                        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                        body: new URLSearchParams({
+                            code: payload.code,
+                            client_id: clientId,
+                            client_secret: clientSecret,
+                            redirect_uri: payload.redirectUri,
+                            grant_type: "authorization_code"
+                        })
+                    });
+
+                    if (!tokenResponse.ok) {
+                        const errorBody = await tokenResponse.text();
+                        throw new Error(`Google token exchange failed (${tokenResponse.status}): ${errorBody}`);
+                    }
+
+                    const tokenData = await tokenResponse.json() as {
+                        id_token?: string;
+                        access_token?: string;
+                        error?: string;
+                        error_description?: string;
+                    };
+
+                    if (tokenData.error) {
+                        throw new Error(`Google token exchange error: ${tokenData.error} – ${tokenData.error_description || "no details"}`);
+                    }
+
+                    // Prefer verifying the ID token (cryptographic verification)
+                    if (tokenData.id_token) {
+                        const ticket = await googleClient.verifyIdToken({
+                            idToken: tokenData.id_token,
+                            audience: clientId
+                        });
+
+                        const content = ticket.getPayload();
+                        if (!content) {
+                            throw new Error("Google ID token payload was empty after code exchange");
+                        }
+
+                        return {
+                            providerId: content.sub,
+                            email: content.email || "",
+                            displayName: content.name || null,
+                            photoUrl: content.picture || null
+                        };
+                    }
+
+                    // Fallback: use the access token to fetch userinfo
+                    if (tokenData.access_token) {
+                        const userInfoRes = await fetch(
+                            "https://www.googleapis.com/oauth2/v3/userinfo",
+                            { headers: { Authorization: `Bearer ${tokenData.access_token}` } }
+                        );
+                        if (!userInfoRes.ok) {
+                            throw new Error(`Google userinfo request failed after code exchange (${userInfoRes.status})`);
+                        }
+                        const info = await userInfoRes.json() as {
+                            sub: string;
+                            email?: string;
+                            name?: string;
+                            picture?: string;
+                        };
+                        if (!info.sub || !info.email) {
+                            return null;
+                        }
+                        return {
+                            providerId: info.sub,
+                            email: info.email,
+                            displayName: info.name || null,
+                            photoUrl: info.picture || null
+                        };
+                    }
+
+                    throw new Error("Google token exchange returned neither id_token nor access_token");
                 }
 
-                return {
-                    providerId: content.sub,
-                    email: content.email || "",
-                    displayName: content.name || null,
-                    photoUrl: content.picture || null
-                };
+                throw new Error("No valid Google credential provided (expected idToken, accessToken, or code+redirectUri)");
             } catch (error) {
-                console.error("Failed to verify Google ID token:", error);
-                return null;
+                console.error("Google OAuth verification failed:", error);
+                throw error;
             }
         }
     };

package/src/auth/index.ts

@@ -9,6 +9,7 @@ export type { PasswordValidationResult } from "./password";
 
 // OAuth Providers
 export { createGoogleProvider } from "./google-oauth";
+export type { GoogleProviderConfig } from "./google-oauth";
 export { createLinkedinProvider } from "./linkedin-oauth";
 export { createGitHubProvider } from "./github-oauth";
 export { createMicrosoftProvider } from "./microsoft-oauth";

package/src/auth/rate-limiter.ts

@@ -101,11 +101,15 @@ export function createRateLimiter(options: RateLimiterOptions = {}): MiddlewareH
  * Default key generator: extract client IP from standard headers.
  */
 function defaultKeyGenerator(c: Parameters<MiddlewareHandler<HonoEnv>>[0]): string {
-    return (
-        c.req.header("x-forwarded-for")?.split(",")[0]?.trim() ||
-        c.req.header("x-real-ip") ||
-        "unknown"
-    );
+    const forwardedFor = c.req.header("x-forwarded-for");
+    if (forwardedFor) {
+        const ips = forwardedFor.split(",");
+        // The leftmost IP can be easily spoofed by the client in the initial request.
+        // Reverse proxies append to the right. We take the rightmost IP as the most
+        // reliable indicator of the true client IP (the one closest to our server).
+        return ips[ips.length - 1].trim();
+    }
+    return c.req.header("x-real-ip") || "unknown";
 }
 
 /**

package/src/auth/routes.ts

@@ -233,8 +233,16 @@ export function createAuthRoutes(config: AuthModuleConfig): Hono<HonoEnv> {
             displayName: displayName || undefined
         });
 
-        // Assign configured default role (never auto-assign admin via registration)
-        if (config.defaultRole) {
+        // Auto-bootstrap: if this is the very first user in the system, promote to admin.
+        // This avoids the chicken-and-egg problem where the first user has no permissions
+        // and no way to access the bootstrap endpoint from the UI.
+        const existingUsers = await authRepo.listUsers();
+        const isFirstUser = existingUsers.length === 1 && existingUsers[0].id === user.id;
+
+        if (isFirstUser) {
+            await authRepo.setUserRoles(user.id, ["admin"]);
+        } else if (config.defaultRole) {
+            // Assign configured default role (never auto-assign admin via registration)
             await authRepo.assignDefaultRole(user.id, config.defaultRole);
         }
 
@@ -289,7 +297,13 @@ displayName: user.displayName });
             router.post(`/${provider.id}`, defaultAuthLimiter, async (c) => {
                 const payload = parseBody(provider.schema, await c.req.json());
 
-                const externalUser = await provider.verify(payload);
+                let externalUser;
+                try {
+                    externalUser = await provider.verify(payload);
+                } catch (err: unknown) {
+                    const msg = err instanceof Error ? err.message : String(err);
+                    throw ApiError.unauthorized(`${provider.id} login failed: ${msg}`, "OAUTH_ERROR");
+                }
                 if (!externalUser) {
                     throw ApiError.unauthorized(`Invalid ${provider.id} credentials`, "INVALID_TOKEN");
                 }
@@ -320,8 +334,14 @@ displayName: user.displayName });
 
                         await authRepo.linkUserIdentity(user.id, provider.id, externalUser.providerId, { email: externalUser.email });
 
-                        // Assign configured default role (never auto-assign admin via registration)
-                        if (config.defaultRole) {
+                        // Auto-bootstrap: first user in the system gets admin
+                        const allUsers = await authRepo.listUsers();
+                        const isFirstUser = allUsers.length === 1 && allUsers[0].id === user.id;
+
+                        if (isFirstUser) {
+                            await authRepo.setUserRoles(user.id, ["admin"]);
+                        } else if (config.defaultRole) {
+                            // Assign configured default role (never auto-assign admin via registration)
                             await authRepo.assignDefaultRole(user.id, config.defaultRole);
                         }
 

package/src/collections/loader.ts

@@ -26,9 +26,9 @@ export async function loadCollectionsFromDirectory(directory: string): Promise<E
                 try {
                     const fileUrl = pathToFileURL(filePath).href;
 
-                    // Use new Function to compile dynamic import natively and bypass tsc converting import() to require()
-                    const dynamicImport = new Function("url", "return import(url)");
-                    const module = await dynamicImport(fileUrl);
+                    // Use standard import() so that tsx/loader hooks can
+                    // resolve .ts files and workspace bare-specifiers.
+                    const module = await import(fileUrl);
 
                     // Expect the collection to be the default export
                     if (module && module.default) {