@rebasepro/server-core 0.0.1-canary.eae7889 → 0.1.0

package/dist/index.es.js

@@ -7,7 +7,7 @@ import { Hono } from "hono";
 import require$$0$2 from "buffer";
 import require$$0$3 from "stream";
 import require$$5, { promisify } from "util";
-import require$$0$4, { randomBytes, createHash, timingSafeEqual as timingSafeEqual$1, scrypt, createPrivateKey as createPrivateKey$1 } from "crypto";
+import require$$0$4, { randomBytes, createHash, timingSafeEqual as timingSafeEqual$1, scrypt } from "crypto";
 import { bodyLimit } from "hono/body-limit";
 import { csrf } from "hono/csrf";
 import require$$0$a from "child_process";
@@ -1020,13 +1020,14 @@ var object_hash = { exports: {} };
     }, { buffer: 3, lYpoI2: 11 }] }, {}, [1])(1);
   });
 })(object_hash);
-const snakeCaseRegex = /[A-Z]{2,}(?=[A-Z][a-z]+[0-9]*|\b)|[A-Z]?[a-z]+[0-9]*|[A-Z]|[0-9]+/g;
+const tokenizeRegex = /[A-Z]{2,}(?=[A-Z][a-z]|\b)|[A-Z]?[a-z]+|[0-9]+(?:[a-z](?![a-z]))?|[A-Z]/g;
+const snakeCaseRegex = tokenizeRegex;
 const toSnakeCase = (str) => {
   const regExpMatchArray = str.match(snakeCaseRegex);
   if (!regExpMatchArray) return "";
   return regExpMatchArray.map((x) => x.toLowerCase()).join("_");
 };
-function isObject$b(item) {
+function isObject$a(item) {
   return !!item && typeof item === "object" && !Array.isArray(item);
 }
 function isPlainObject$3(obj) {
@@ -1037,13 +1038,13 @@ function isPlainObject$3(obj) {
   return proto === Object.prototype;
 }
 function mergeDeep(target, source, ignoreUndefined = false) {
-  if (!isObject$b(target)) {
+  if (!isObject$a(target)) {
     return target;
   }
   const output = {
     ...target
   };
-  if (!isObject$b(source)) {
+  if (!isObject$a(source)) {
     return output;
   }
   for (const key in source) {
@@ -1084,7 +1085,7 @@ function mergeDeep(target, source, ignoreUndefined = false) {
         } else {
           output[key] = sourceValue;
         }
-      } else if (isObject$b(sourceValue)) {
+      } else if (isObject$a(sourceValue)) {
         output[key] = sourceValue;
       } else {
         output[key] = sourceValue;
@@ -1721,8 +1722,8 @@ var logic = { exports: {} };
     return jsonLogic;
   });
 })(logic);
-var getOwnPropertyNames = Object.getOwnPropertyNames, getOwnPropertySymbols = Object.getOwnPropertySymbols;
-var hasOwnProperty$d = Object.prototype.hasOwnProperty;
+const { getOwnPropertyNames, getOwnPropertySymbols } = Object;
+const { hasOwnProperty: hasOwnProperty$d } = Object.prototype;
 function combineComparators(comparatorA, comparatorB) {
   return function isEqual(a2, b, state) {
     return comparatorA(a2, b, state) && comparatorB(a2, b, state);
@@ -1733,38 +1734,45 @@ function createIsCircular(areItemsEqual) {
     if (!a2 || !b || typeof a2 !== "object" || typeof b !== "object") {
       return areItemsEqual(a2, b, state);
     }
-    var cache2 = state.cache;
-    var cachedA = cache2.get(a2);
-    var cachedB = cache2.get(b);
+    const { cache } = state;
+    const cachedA = cache.get(a2);
+    const cachedB = cache.get(b);
     if (cachedA && cachedB) {
       return cachedA === b && cachedB === a2;
     }
-    cache2.set(a2, b);
-    cache2.set(b, a2);
-    var result = areItemsEqual(a2, b, state);
-    cache2.delete(a2);
-    cache2.delete(b);
+    cache.set(a2, b);
+    cache.set(b, a2);
+    const result = areItemsEqual(a2, b, state);
+    cache.delete(a2);
+    cache.delete(b);
     return result;
   };
 }
-function getShortTag(value) {
-  return value != null ? value[Symbol.toStringTag] : void 0;
-}
 function getStrictProperties(object) {
   return getOwnPropertyNames(object).concat(getOwnPropertySymbols(object));
 }
-var hasOwn$1 = Object.hasOwn || function(object, property) {
-  return hasOwnProperty$d.call(object, property);
-};
-function sameValueZeroEqual(a2, b) {
-  return a2 === b || !a2 && !b && a2 !== a2 && b !== b;
+const hasOwn$1 = (
+  // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+  Object.hasOwn || ((object, property) => hasOwnProperty$d.call(object, property))
+);
+const PREACT_VNODE = "__v";
+const PREACT_OWNER = "__o";
+const REACT_OWNER = "_owner";
+const { getOwnPropertyDescriptor, keys: keys$5 } = Object;
+const sameValueEqual = (
+  // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+  Object.is || function sameValueEqual2(a2, b) {
+    return a2 === b ? a2 !== 0 || 1 / a2 === 1 / b : a2 !== a2 && b !== b;
+  }
+);
+function strictEqual(a2, b) {
+  return a2 === b;
+}
+function areArrayBuffersEqual(a2, b) {
+  return a2.byteLength === b.byteLength && areTypedArraysEqual(new Uint8Array(a2), new Uint8Array(b));
 }
-var PREACT_VNODE = "__v";
-var PREACT_OWNER = "__o";
-var REACT_OWNER = "_owner";
-var getOwnPropertyDescriptor = Object.getOwnPropertyDescriptor, keys$5 = Object.keys;
 function areArraysEqual(a2, b, state) {
-  var index = a2.length;
+  let index = a2.length;
   if (b.length !== index) {
     return false;
   }
@@ -1775,35 +1783,35 @@ function areArraysEqual(a2, b, state) {
   }
   return true;
 }
+function areDataViewsEqual(a2, b) {
+  return a2.byteLength === b.byteLength && areTypedArraysEqual(new Uint8Array(a2.buffer, a2.byteOffset, a2.byteLength), new Uint8Array(b.buffer, b.byteOffset, b.byteLength));
+}
 function areDatesEqual(a2, b) {
-  return sameValueZeroEqual(a2.getTime(), b.getTime());
+  return sameValueEqual(a2.getTime(), b.getTime());
 }
 function areErrorsEqual(a2, b) {
   return a2.name === b.name && a2.message === b.message && a2.cause === b.cause && a2.stack === b.stack;
 }
-function areFunctionsEqual(a2, b) {
-  return a2 === b;
-}
 function areMapsEqual(a2, b, state) {
-  var size = a2.size;
+  const size = a2.size;
   if (size !== b.size) {
     return false;
   }
   if (!size) {
     return true;
   }
-  var matchedIndices = new Array(size);
-  var aIterable = a2.entries();
-  var aResult;
-  var bResult;
-  var index = 0;
+  const matchedIndices = new Array(size);
+  const aIterable = a2.entries();
+  let aResult;
+  let bResult;
+  let index = 0;
   while (aResult = aIterable.next()) {
     if (aResult.done) {
       break;
     }
-    var bIterable = b.entries();
-    var hasMatch = false;
-    var matchIndex = 0;
+    const bIterable = b.entries();
+    let hasMatch = false;
+    let matchIndex = 0;
     while (bResult = bIterable.next()) {
       if (bResult.done) {
         break;
@@ -1812,8 +1820,8 @@ function areMapsEqual(a2, b, state) {
         matchIndex++;
         continue;
       }
-      var aEntry = aResult.value;
-      var bEntry = bResult.value;
+      const aEntry = aResult.value;
+      const bEntry = bResult.value;
       if (state.equals(aEntry[0], bEntry[0], index, matchIndex, a2, b, state) && state.equals(aEntry[1], bEntry[1], aEntry[0], bEntry[0], a2, b, state)) {
         hasMatch = matchedIndices[matchIndex] = true;
         break;
@@ -1827,10 +1835,9 @@ function areMapsEqual(a2, b, state) {
   }
   return true;
 }
-var areNumbersEqual = sameValueZeroEqual;
 function areObjectsEqual(a2, b, state) {
-  var properties = keys$5(a2);
-  var index = properties.length;
+  const properties = keys$5(a2);
+  let index = properties.length;
   if (keys$5(b).length !== index) {
     return false;
   }
@@ -1842,14 +1849,14 @@ function areObjectsEqual(a2, b, state) {
   return true;
 }
 function areObjectsEqualStrict(a2, b, state) {
-  var properties = getStrictProperties(a2);
-  var index = properties.length;
+  const properties = getStrictProperties(a2);
+  let index = properties.length;
   if (getStrictProperties(b).length !== index) {
     return false;
   }
-  var property;
-  var descriptorA;
-  var descriptorB;
+  let property;
+  let descriptorA;
+  let descriptorB;
   while (index-- > 0) {
     property = properties[index];
     if (!isPropertyEqual(a2, b, state, property)) {
@@ -1864,30 +1871,30 @@ function areObjectsEqualStrict(a2, b, state) {
   return true;
 }
 function arePrimitiveWrappersEqual(a2, b) {
-  return sameValueZeroEqual(a2.valueOf(), b.valueOf());
+  return sameValueEqual(a2.valueOf(), b.valueOf());
 }
 function areRegExpsEqual(a2, b) {
   return a2.source === b.source && a2.flags === b.flags;
 }
 function areSetsEqual(a2, b, state) {
-  var size = a2.size;
+  const size = a2.size;
   if (size !== b.size) {
     return false;
   }
   if (!size) {
     return true;
   }
-  var matchedIndices = new Array(size);
-  var aIterable = a2.values();
-  var aResult;
-  var bResult;
+  const matchedIndices = new Array(size);
+  const aIterable = a2.values();
+  let aResult;
+  let bResult;
   while (aResult = aIterable.next()) {
     if (aResult.done) {
       break;
     }
-    var bIterable = b.values();
-    var hasMatch = false;
-    var matchIndex = 0;
+    const bIterable = b.values();
+    let hasMatch = false;
+    let matchIndex = 0;
     while (bResult = bIterable.next()) {
       if (bResult.done) {
         break;
@@ -1905,8 +1912,8 @@ function areSetsEqual(a2, b, state) {
   return true;
 }
 function areTypedArraysEqual(a2, b) {
-  var index = a2.length;
-  if (b.length !== index) {
+  let index = a2.byteLength;
+  if (b.byteLength !== index || a2.byteOffset !== b.byteOffset) {
     return false;
   }
   while (index-- > 0) {
@@ -1925,23 +1932,10 @@ function isPropertyEqual(a2, b, state, property) {
   }
   return hasOwn$1(b, property) && state.equals(a2[property], b[property], property, property, a2, b, state);
 }
-var ARGUMENTS_TAG = "[object Arguments]";
-var BOOLEAN_TAG = "[object Boolean]";
-var DATE_TAG = "[object Date]";
-var ERROR_TAG = "[object Error]";
-var MAP_TAG = "[object Map]";
-var NUMBER_TAG = "[object Number]";
-var OBJECT_TAG = "[object Object]";
-var REG_EXP_TAG = "[object RegExp]";
-var SET_TAG = "[object Set]";
-var STRING_TAG = "[object String]";
-var URL_TAG = "[object URL]";
-var isArray$7 = Array.isArray;
-var isTypedArray$2 = typeof ArrayBuffer === "function" && ArrayBuffer.isView ? ArrayBuffer.isView : null;
-var assign$1 = Object.assign;
-var getTag$4 = Object.prototype.toString.call.bind(Object.prototype.toString);
-function createEqualityComparator(_a2) {
-  var areArraysEqual2 = _a2.areArraysEqual, areDatesEqual2 = _a2.areDatesEqual, areErrorsEqual2 = _a2.areErrorsEqual, areFunctionsEqual2 = _a2.areFunctionsEqual, areMapsEqual2 = _a2.areMapsEqual, areNumbersEqual2 = _a2.areNumbersEqual, areObjectsEqual2 = _a2.areObjectsEqual, arePrimitiveWrappersEqual2 = _a2.arePrimitiveWrappersEqual, areRegExpsEqual2 = _a2.areRegExpsEqual, areSetsEqual2 = _a2.areSetsEqual, areTypedArraysEqual2 = _a2.areTypedArraysEqual, areUrlsEqual2 = _a2.areUrlsEqual, unknownTagComparators = _a2.unknownTagComparators;
+const toString$2 = Object.prototype.toString;
+function createEqualityComparator(config) {
+  const supportedComparatorMap = createSupportedComparatorMap(config);
+  const { areArraysEqual: areArraysEqual2, areDatesEqual: areDatesEqual2, areFunctionsEqual, areMapsEqual: areMapsEqual2, areNumbersEqual, areObjectsEqual: areObjectsEqual2, areRegExpsEqual: areRegExpsEqual2, areSetsEqual: areSetsEqual2, getUnsupportedCustomComparator } = config;
   return function comparator2(a2, b, state) {
     if (a2 === b) {
       return true;
@@ -1949,32 +1943,29 @@ function createEqualityComparator(_a2) {
     if (a2 == null || b == null) {
       return false;
     }
-    var type = typeof a2;
+    const type = typeof a2;
     if (type !== typeof b) {
       return false;
     }
     if (type !== "object") {
-      if (type === "number") {
-        return areNumbersEqual2(a2, b, state);
+      if (type === "number" || type === "bigint") {
+        return areNumbersEqual(a2, b, state);
       }
       if (type === "function") {
-        return areFunctionsEqual2(a2, b, state);
+        return areFunctionsEqual(a2, b, state);
       }
       return false;
     }
-    var constructor = a2.constructor;
+    const constructor = a2.constructor;
     if (constructor !== b.constructor) {
       return false;
     }
     if (constructor === Object) {
       return areObjectsEqual2(a2, b, state);
     }
-    if (isArray$7(a2)) {
+    if (constructor === Array) {
       return areArraysEqual2(a2, b, state);
     }
-    if (isTypedArray$2 != null && isTypedArray$2(a2)) {
-      return areTypedArraysEqual2(a2, b, state);
-    }
     if (constructor === Date) {
       return areDatesEqual2(a2, b, state);
     }
@@ -1987,79 +1978,55 @@ function createEqualityComparator(_a2) {
     if (constructor === Set) {
       return areSetsEqual2(a2, b, state);
     }
-    var tag2 = getTag$4(a2);
-    if (tag2 === DATE_TAG) {
-      return areDatesEqual2(a2, b, state);
-    }
-    if (tag2 === REG_EXP_TAG) {
-      return areRegExpsEqual2(a2, b, state);
-    }
-    if (tag2 === MAP_TAG) {
-      return areMapsEqual2(a2, b, state);
-    }
-    if (tag2 === SET_TAG) {
-      return areSetsEqual2(a2, b, state);
-    }
-    if (tag2 === OBJECT_TAG) {
-      return typeof a2.then !== "function" && typeof b.then !== "function" && areObjectsEqual2(a2, b, state);
-    }
-    if (tag2 === URL_TAG) {
-      return areUrlsEqual2(a2, b, state);
-    }
-    if (tag2 === ERROR_TAG) {
-      return areErrorsEqual2(a2, b, state);
+    if (constructor === Promise) {
+      return false;
     }
-    if (tag2 === ARGUMENTS_TAG) {
-      return areObjectsEqual2(a2, b, state);
+    if (Array.isArray(a2)) {
+      return areArraysEqual2(a2, b, state);
     }
-    if (tag2 === BOOLEAN_TAG || tag2 === NUMBER_TAG || tag2 === STRING_TAG) {
-      return arePrimitiveWrappersEqual2(a2, b, state);
+    const tag = toString$2.call(a2);
+    const supportedComparator = supportedComparatorMap[tag];
+    if (supportedComparator) {
+      return supportedComparator(a2, b, state);
     }
-    if (unknownTagComparators) {
-      var unknownTagComparator = unknownTagComparators[tag2];
-      if (!unknownTagComparator) {
-        var shortTag = getShortTag(a2);
-        if (shortTag) {
-          unknownTagComparator = unknownTagComparators[shortTag];
-        }
-      }
-      if (unknownTagComparator) {
-        return unknownTagComparator(a2, b, state);
-      }
+    const unsupportedCustomComparator = getUnsupportedCustomComparator && getUnsupportedCustomComparator(a2, b, state, tag);
+    if (unsupportedCustomComparator) {
+      return unsupportedCustomComparator(a2, b, state);
     }
     return false;
   };
 }
-function createEqualityComparatorConfig(_a2) {
-  var circular = _a2.circular, createCustomConfig = _a2.createCustomConfig, strict = _a2.strict;
-  var config = {
+function createEqualityComparatorConfig({ circular, createCustomConfig, strict }) {
+  let config = {
+    areArrayBuffersEqual,
     areArraysEqual: strict ? areObjectsEqualStrict : areArraysEqual,
+    areDataViewsEqual,
     areDatesEqual,
     areErrorsEqual,
-    areFunctionsEqual,
+    areFunctionsEqual: strictEqual,
     areMapsEqual: strict ? combineComparators(areMapsEqual, areObjectsEqualStrict) : areMapsEqual,
-    areNumbersEqual,
+    areNumbersEqual: sameValueEqual,
     areObjectsEqual: strict ? areObjectsEqualStrict : areObjectsEqual,
     arePrimitiveWrappersEqual,
     areRegExpsEqual,
     areSetsEqual: strict ? combineComparators(areSetsEqual, areObjectsEqualStrict) : areSetsEqual,
-    areTypedArraysEqual: strict ? areObjectsEqualStrict : areTypedArraysEqual,
+    areTypedArraysEqual: strict ? combineComparators(areTypedArraysEqual, areObjectsEqualStrict) : areTypedArraysEqual,
     areUrlsEqual,
-    unknownTagComparators: void 0
+    getUnsupportedCustomComparator: void 0
   };
   if (createCustomConfig) {
-    config = assign$1({}, config, createCustomConfig(config));
+    config = Object.assign({}, config, createCustomConfig(config));
   }
   if (circular) {
-    var areArraysEqual$1 = createIsCircular(config.areArraysEqual);
-    var areMapsEqual$1 = createIsCircular(config.areMapsEqual);
-    var areObjectsEqual$1 = createIsCircular(config.areObjectsEqual);
-    var areSetsEqual$1 = createIsCircular(config.areSetsEqual);
-    config = assign$1({}, config, {
-      areArraysEqual: areArraysEqual$1,
-      areMapsEqual: areMapsEqual$1,
-      areObjectsEqual: areObjectsEqual$1,
-      areSetsEqual: areSetsEqual$1
+    const areArraysEqual2 = createIsCircular(config.areArraysEqual);
+    const areMapsEqual2 = createIsCircular(config.areMapsEqual);
+    const areObjectsEqual2 = createIsCircular(config.areObjectsEqual);
+    const areSetsEqual2 = createIsCircular(config.areSetsEqual);
+    config = Object.assign({}, config, {
+      areArraysEqual: areArraysEqual2,
+      areMapsEqual: areMapsEqual2,
+      areObjectsEqual: areObjectsEqual2,
+      areSetsEqual: areSetsEqual2
     });
   }
   return config;
@@ -2069,13 +2036,12 @@ function createInternalEqualityComparator(compare2) {
     return compare2(a2, b, state);
   };
 }
-function createIsEqual(_a2) {
-  var circular = _a2.circular, comparator2 = _a2.comparator, createState = _a2.createState, equals = _a2.equals, strict = _a2.strict;
+function createIsEqual({ circular, comparator: comparator2, createState, equals, strict }) {
   if (createState) {
     return function isEqual(a2, b) {
-      var _a3 = createState(), _b2 = _a3.cache, cache2 = _b2 === void 0 ? circular ? /* @__PURE__ */ new WeakMap() : void 0 : _b2, meta = _a3.meta;
+      const { cache = circular ? /* @__PURE__ */ new WeakMap() : void 0, meta } = createState();
       return comparator2(a2, b, {
-        cache: cache2,
+        cache,
         equals,
         meta,
         strict
@@ -2092,7 +2058,7 @@ function createIsEqual(_a2) {
       });
     };
   }
-  var state = {
+  const state = {
     cache: void 0,
     equals,
     meta: void 0,
@@ -2102,7 +2068,50 @@ function createIsEqual(_a2) {
     return comparator2(a2, b, state);
   };
 }
-var deepEqual = createCustomEqual();
+function createSupportedComparatorMap({ areArrayBuffersEqual: areArrayBuffersEqual2, areArraysEqual: areArraysEqual2, areDataViewsEqual: areDataViewsEqual2, areDatesEqual: areDatesEqual2, areErrorsEqual: areErrorsEqual2, areFunctionsEqual, areMapsEqual: areMapsEqual2, areNumbersEqual, areObjectsEqual: areObjectsEqual2, arePrimitiveWrappersEqual: arePrimitiveWrappersEqual2, areRegExpsEqual: areRegExpsEqual2, areSetsEqual: areSetsEqual2, areTypedArraysEqual: areTypedArraysEqual2, areUrlsEqual: areUrlsEqual2 }) {
+  return {
+    "[object Arguments]": areObjectsEqual2,
+    "[object Array]": areArraysEqual2,
+    "[object ArrayBuffer]": areArrayBuffersEqual2,
+    "[object AsyncGeneratorFunction]": areFunctionsEqual,
+    "[object BigInt]": areNumbersEqual,
+    "[object BigInt64Array]": areTypedArraysEqual2,
+    "[object BigUint64Array]": areTypedArraysEqual2,
+    "[object Boolean]": arePrimitiveWrappersEqual2,
+    "[object DataView]": areDataViewsEqual2,
+    "[object Date]": areDatesEqual2,
+    // If an error tag, it should be tested explicitly. Like RegExp, the properties are not
+    // enumerable, and therefore will give false positives if tested like a standard object.
+    "[object Error]": areErrorsEqual2,
+    "[object Float16Array]": areTypedArraysEqual2,
+    "[object Float32Array]": areTypedArraysEqual2,
+    "[object Float64Array]": areTypedArraysEqual2,
+    "[object Function]": areFunctionsEqual,
+    "[object GeneratorFunction]": areFunctionsEqual,
+    "[object Int8Array]": areTypedArraysEqual2,
+    "[object Int16Array]": areTypedArraysEqual2,
+    "[object Int32Array]": areTypedArraysEqual2,
+    "[object Map]": areMapsEqual2,
+    "[object Number]": arePrimitiveWrappersEqual2,
+    "[object Object]": (a2, b, state) => (
+      // The exception for value comparison is custom `Promise`-like class instances. These should
+      // be treated the same as standard `Promise` objects, which means strict equality, and if
+      // it reaches this point then that strict equality comparison has already failed.
+      typeof a2.then !== "function" && typeof b.then !== "function" && areObjectsEqual2(a2, b, state)
+    ),
+    // For RegExp, the properties are not enumerable, and therefore will give false positives if
+    // tested like a standard object.
+    "[object RegExp]": areRegExpsEqual2,
+    "[object Set]": areSetsEqual2,
+    "[object String]": arePrimitiveWrappersEqual2,
+    "[object URL]": areUrlsEqual2,
+    "[object Uint8Array]": areTypedArraysEqual2,
+    "[object Uint8ClampedArray]": areTypedArraysEqual2,
+    "[object Uint16Array]": areTypedArraysEqual2,
+    "[object Uint32Array]": areTypedArraysEqual2
+  };
+}
+const deepEqual = createCustomEqual();
 createCustomEqual({ strict: true });
 createCustomEqual({ circular: true });
 createCustomEqual({
@@ -2110,37 +2119,26 @@ createCustomEqual({
   strict: true
 });
 createCustomEqual({
-  createInternalComparator: function() {
-    return sameValueZeroEqual;
-  }
+  createInternalComparator: () => sameValueEqual
 });
 createCustomEqual({
   strict: true,
-  createInternalComparator: function() {
-    return sameValueZeroEqual;
-  }
+  createInternalComparator: () => sameValueEqual
 });
 createCustomEqual({
   circular: true,
-  createInternalComparator: function() {
-    return sameValueZeroEqual;
-  }
+  createInternalComparator: () => sameValueEqual
 });
 createCustomEqual({
   circular: true,
-  createInternalComparator: function() {
-    return sameValueZeroEqual;
-  },
+  createInternalComparator: () => sameValueEqual,
   strict: true
 });
-function createCustomEqual(options2) {
-  if (options2 === void 0) {
-    options2 = {};
-  }
-  var _a2 = options2.circular, circular = _a2 === void 0 ? false : _a2, createCustomInternalComparator = options2.createInternalComparator, createState = options2.createState, _b2 = options2.strict, strict = _b2 === void 0 ? false : _b2;
-  var config = createEqualityComparatorConfig(options2);
-  var comparator2 = createEqualityComparator(config);
-  var equals = createCustomInternalComparator ? createCustomInternalComparator(comparator2) : createInternalEqualityComparator(comparator2);
+function createCustomEqual(options2 = {}) {
+  const { circular = false, createInternalComparator: createCustomInternalComparator, createState, strict = false } = options2;
+  const config = createEqualityComparatorConfig(options2);
+  const comparator2 = createEqualityComparator(config);
+  const equals = createCustomInternalComparator ? createCustomInternalComparator(comparator2) : createInternalEqualityComparator(comparator2);
   return createIsEqual({ circular, comparator: comparator2, createState, equals, strict });
 }
 function listCacheClear$1() {
@@ -2254,7 +2252,7 @@ var hasOwnProperty$c = objectProto$j.hasOwnProperty;
 var nativeObjectToString$1 = objectProto$j.toString;
 var symToStringTag$1 = Symbol$3 ? Symbol$3.toStringTag : void 0;
 function getRawTag$1(value) {
-  var isOwn = hasOwnProperty$c.call(value, symToStringTag$1), tag2 = value[symToStringTag$1];
+  var isOwn = hasOwnProperty$c.call(value, symToStringTag$1), tag = value[symToStringTag$1];
   try {
     value[symToStringTag$1] = void 0;
     var unmasked = true;
@@ -2263,7 +2261,7 @@ function getRawTag$1(value) {
   var result = nativeObjectToString$1.call(value);
   if (unmasked) {
     if (isOwn) {
-      value[symToStringTag$1] = tag2;
+      value[symToStringTag$1] = tag;
     } else {
       delete value[symToStringTag$1];
     }
@@ -2287,19 +2285,19 @@ function baseGetTag$4(value) {
   return symToStringTag && symToStringTag in Object(value) ? getRawTag(value) : objectToString$7(value);
 }
 var _baseGetTag = baseGetTag$4;
-function isObject$a(value) {
+function isObject$9(value) {
   var type = typeof value;
   return value != null && (type == "object" || type == "function");
 }
-var isObject_1 = isObject$a;
-var baseGetTag$3 = _baseGetTag, isObject$9 = isObject_1;
+var isObject_1 = isObject$9;
+var baseGetTag$3 = _baseGetTag, isObject$8 = isObject_1;
 var asyncTag = "[object AsyncFunction]", funcTag$3 = "[object Function]", genTag$2 = "[object GeneratorFunction]", proxyTag = "[object Proxy]";
 function isFunction$3(value) {
-  if (!isObject$9(value)) {
+  if (!isObject$8(value)) {
     return false;
   }
-  var tag2 = baseGetTag$3(value);
-  return tag2 == funcTag$3 || tag2 == genTag$2 || tag2 == asyncTag || tag2 == proxyTag;
+  var tag = baseGetTag$3(value);
+  return tag == funcTag$3 || tag == genTag$2 || tag == asyncTag || tag == proxyTag;
 }
 var isFunction_1 = isFunction$3;
 var root$6 = _root;
@@ -2330,7 +2328,7 @@ function toSource$2(func) {
   return "";
 }
 var _toSource = toSource$2;
-var isFunction$2 = isFunction_1, isMasked = _isMasked, isObject$8 = isObject_1, toSource$1 = _toSource;
+var isFunction$2 = isFunction_1, isMasked = _isMasked, isObject$7 = isObject_1, toSource$1 = _toSource;
 var reRegExpChar = /[\\^$.*+?()[\]{}|]/g;
 var reIsHostCtor = /^\[object .+?Constructor\]$/;
 var funcProto$1 = Function.prototype, objectProto$h = Object.prototype;
@@ -2340,7 +2338,7 @@ var reIsNative = RegExp(
   "^" + funcToString$1.call(hasOwnProperty$b).replace(reRegExpChar, "\\$&").replace(/hasOwnProperty|(function).*?(?=\\\()| for .+?(?=\\\])/g, "$1.*?") + "$"
 );
 function baseIsNative$1(value) {
-  if (!isObject$8(value) || isMasked(value)) {
+  if (!isObject$7(value) || isMasked(value)) {
     return false;
   }
   var pattern = isFunction$2(value) ? reIsNative : reIsHostCtor;
@@ -2582,24 +2580,24 @@ function baseTimes$2(n, iteratee) {
   return result;
 }
 var _baseTimes = baseTimes$2;
-function isObjectLike$e(value) {
+function isObjectLike$d(value) {
   return value != null && typeof value == "object";
 }
-var isObjectLike_1 = isObjectLike$e;
-var baseGetTag$2 = _baseGetTag, isObjectLike$d = isObjectLike_1;
+var isObjectLike_1 = isObjectLike$d;
+var baseGetTag$2 = _baseGetTag, isObjectLike$c = isObjectLike_1;
 var argsTag$3 = "[object Arguments]";
 function baseIsArguments$1(value) {
-  return isObjectLike$d(value) && baseGetTag$2(value) == argsTag$3;
+  return isObjectLike$c(value) && baseGetTag$2(value) == argsTag$3;
 }
 var _baseIsArguments = baseIsArguments$1;
-var baseIsArguments = _baseIsArguments, isObjectLike$c = isObjectLike_1;
+var baseIsArguments = _baseIsArguments, isObjectLike$b = isObjectLike_1;
 var objectProto$d = Object.prototype;
 var hasOwnProperty$7 = objectProto$d.hasOwnProperty;
 var propertyIsEnumerable$2 = objectProto$d.propertyIsEnumerable;
 var isArguments$2 = baseIsArguments(/* @__PURE__ */ function() {
   return arguments;
 }()) ? baseIsArguments : function(value) {
-  return isObjectLike$c(value) && hasOwnProperty$7.call(value, "callee") && !propertyIsEnumerable$2.call(value, "callee");
+  return isObjectLike$b(value) && hasOwnProperty$7.call(value, "callee") && !propertyIsEnumerable$2.call(value, "callee");
 };
 var isArguments_1 = isArguments$2;
 var isArray$6 = Array.isArray;
@@ -2634,14 +2632,14 @@ function isLength$3(value) {
   return typeof value == "number" && value > -1 && value % 1 == 0 && value <= MAX_SAFE_INTEGER$3;
 }
 var isLength_1 = isLength$3;
-var baseGetTag$1 = _baseGetTag, isLength$2 = isLength_1, isObjectLike$b = isObjectLike_1;
+var baseGetTag$1 = _baseGetTag, isLength$2 = isLength_1, isObjectLike$a = isObjectLike_1;
 var argsTag$2 = "[object Arguments]", arrayTag$1 = "[object Array]", boolTag$3 = "[object Boolean]", dateTag$2 = "[object Date]", errorTag$1 = "[object Error]", funcTag$2 = "[object Function]", mapTag$4 = "[object Map]", numberTag$3 = "[object Number]", objectTag$3 = "[object Object]", regexpTag$2 = "[object RegExp]", setTag$4 = "[object Set]", stringTag$4 = "[object String]", weakMapTag$2 = "[object WeakMap]";
 var arrayBufferTag$2 = "[object ArrayBuffer]", dataViewTag$3 = "[object DataView]", float32Tag$2 = "[object Float32Array]", float64Tag$2 = "[object Float64Array]", int8Tag$2 = "[object Int8Array]", int16Tag$2 = "[object Int16Array]", int32Tag$2 = "[object Int32Array]", uint8Tag$2 = "[object Uint8Array]", uint8ClampedTag$2 = "[object Uint8ClampedArray]", uint16Tag$2 = "[object Uint16Array]", uint32Tag$2 = "[object Uint32Array]";
 var typedArrayTags = {};
 typedArrayTags[float32Tag$2] = typedArrayTags[float64Tag$2] = typedArrayTags[int8Tag$2] = typedArrayTags[int16Tag$2] = typedArrayTags[int32Tag$2] = typedArrayTags[uint8Tag$2] = typedArrayTags[uint8ClampedTag$2] = typedArrayTags[uint16Tag$2] = typedArrayTags[uint32Tag$2] = true;
 typedArrayTags[argsTag$2] = typedArrayTags[arrayTag$1] = typedArrayTags[arrayBufferTag$2] = typedArrayTags[boolTag$3] = typedArrayTags[dataViewTag$3] = typedArrayTags[dateTag$2] = typedArrayTags[errorTag$1] = typedArrayTags[funcTag$2] = typedArrayTags[mapTag$4] = typedArrayTags[numberTag$3] = typedArrayTags[objectTag$3] = typedArrayTags[regexpTag$2] = typedArrayTags[setTag$4] = typedArrayTags[stringTag$4] = typedArrayTags[weakMapTag$2] = false;
 function baseIsTypedArray$1(value) {
-  return isObjectLike$b(value) && isLength$2(value.length) && !!typedArrayTags[baseGetTag$1(value)];
+  return isObjectLike$a(value) && isLength$2(value.length) && !!typedArrayTags[baseGetTag$1(value)];
 }
 var _baseIsTypedArray = baseIsTypedArray$1;
 function baseUnary$3(func) {
@@ -2748,11 +2746,11 @@ function nativeKeysIn$1(object) {
   return result;
 }
 var _nativeKeysIn = nativeKeysIn$1;
-var isObject$7 = isObject_1, isPrototype$2 = _isPrototype, nativeKeysIn = _nativeKeysIn;
+var isObject$6 = isObject_1, isPrototype$2 = _isPrototype, nativeKeysIn = _nativeKeysIn;
 var objectProto$9 = Object.prototype;
 var hasOwnProperty$4 = objectProto$9.hasOwnProperty;
 function baseKeysIn$1(object) {
-  if (!isObject$7(object)) {
+  if (!isObject$6(object)) {
     return nativeKeysIn(object);
   }
   var isProto = isPrototype$2(object), result = [];
@@ -2966,9 +2964,9 @@ var _cloneTypedArray = cloneTypedArray$1;
 var cloneArrayBuffer = _cloneArrayBuffer, cloneDataView = _cloneDataView, cloneRegExp = _cloneRegExp, cloneSymbol = _cloneSymbol, cloneTypedArray = _cloneTypedArray;
 var boolTag$2 = "[object Boolean]", dateTag$1 = "[object Date]", mapTag$2 = "[object Map]", numberTag$2 = "[object Number]", regexpTag$1 = "[object RegExp]", setTag$2 = "[object Set]", stringTag$3 = "[object String]", symbolTag$4 = "[object Symbol]";
 var arrayBufferTag$1 = "[object ArrayBuffer]", dataViewTag$1 = "[object DataView]", float32Tag$1 = "[object Float32Array]", float64Tag$1 = "[object Float64Array]", int8Tag$1 = "[object Int8Array]", int16Tag$1 = "[object Int16Array]", int32Tag$1 = "[object Int32Array]", uint8Tag$1 = "[object Uint8Array]", uint8ClampedTag$1 = "[object Uint8ClampedArray]", uint16Tag$1 = "[object Uint16Array]", uint32Tag$1 = "[object Uint32Array]";
-function initCloneByTag$1(object, tag2, isDeep) {
+function initCloneByTag$1(object, tag, isDeep) {
   var Ctor = object.constructor;
-  switch (tag2) {
+  switch (tag) {
     case arrayBufferTag$1:
       return cloneArrayBuffer(object);
     case boolTag$2:
@@ -3000,13 +2998,13 @@ function initCloneByTag$1(object, tag2, isDeep) {
   }
 }
 var _initCloneByTag = initCloneByTag$1;
-var isObject$6 = isObject_1;
+var isObject$5 = isObject_1;
 var objectCreate = Object.create;
 var baseCreate$1 = /* @__PURE__ */ function() {
   function object() {
   }
   return function(proto) {
-    if (!isObject$6(proto)) {
+    if (!isObject$5(proto)) {
       return {};
     }
     if (objectCreate) {
@@ -3024,27 +3022,27 @@ function initCloneObject$1(object) {
   return typeof object.constructor == "function" && !isPrototype$1(object) ? baseCreate(getPrototype$1(object)) : {};
 }
 var _initCloneObject = initCloneObject$1;
-var getTag$2 = _getTag, isObjectLike$a = isObjectLike_1;
+var getTag$2 = _getTag, isObjectLike$9 = isObjectLike_1;
 var mapTag$1 = "[object Map]";
 function baseIsMap$1(value) {
-  return isObjectLike$a(value) && getTag$2(value) == mapTag$1;
+  return isObjectLike$9(value) && getTag$2(value) == mapTag$1;
 }
 var _baseIsMap = baseIsMap$1;
 var baseIsMap = _baseIsMap, baseUnary$1 = _baseUnary, nodeUtil$1 = _nodeUtilExports;
 var nodeIsMap = nodeUtil$1 && nodeUtil$1.isMap;
 var isMap$1 = nodeIsMap ? baseUnary$1(nodeIsMap) : baseIsMap;
 var isMap_1 = isMap$1;
-var getTag$1 = _getTag, isObjectLike$9 = isObjectLike_1;
+var getTag$1 = _getTag, isObjectLike$8 = isObjectLike_1;
 var setTag$1 = "[object Set]";
 function baseIsSet$1(value) {
-  return isObjectLike$9(value) && getTag$1(value) == setTag$1;
+  return isObjectLike$8(value) && getTag$1(value) == setTag$1;
 }
 var _baseIsSet = baseIsSet$1;
 var baseIsSet = _baseIsSet, baseUnary = _baseUnary, nodeUtil = _nodeUtilExports;
 var nodeIsSet = nodeUtil && nodeUtil.isSet;
 var isSet$1 = nodeIsSet ? baseUnary(nodeIsSet) : baseIsSet;
 var isSet_1 = isSet$1;
-var Stack = _Stack, arrayEach = _arrayEach, assignValue = _assignValue, baseAssign = _baseAssign, baseAssignIn = _baseAssignIn, cloneBuffer = _cloneBufferExports, copyArray = _copyArray, copySymbols = _copySymbols, copySymbolsIn = _copySymbolsIn, getAllKeys = _getAllKeys, getAllKeysIn = _getAllKeysIn, getTag = _getTag, initCloneArray = _initCloneArray, initCloneByTag = _initCloneByTag, initCloneObject = _initCloneObject, isArray$3 = isArray_1, isBuffer = isBufferExports, isMap = isMap_1, isObject$5 = isObject_1, isSet = isSet_1, keys$1 = keys_1, keysIn = keysIn_1;
+var Stack = _Stack, arrayEach = _arrayEach, assignValue = _assignValue, baseAssign = _baseAssign, baseAssignIn = _baseAssignIn, cloneBuffer = _cloneBufferExports, copyArray = _copyArray, copySymbols = _copySymbols, copySymbolsIn = _copySymbolsIn, getAllKeys = _getAllKeys, getAllKeysIn = _getAllKeysIn, getTag = _getTag, initCloneArray = _initCloneArray, initCloneByTag = _initCloneByTag, initCloneObject = _initCloneObject, isArray$3 = isArray_1, isBuffer = isBufferExports, isMap = isMap_1, isObject$4 = isObject_1, isSet = isSet_1, keys$1 = keys_1, keysIn = keysIn_1;
 var CLONE_DEEP_FLAG$1 = 1, CLONE_FLAT_FLAG = 2, CLONE_SYMBOLS_FLAG$1 = 4;
 var argsTag$1 = "[object Arguments]", arrayTag = "[object Array]", boolTag$1 = "[object Boolean]", dateTag = "[object Date]", errorTag = "[object Error]", funcTag$1 = "[object Function]", genTag$1 = "[object GeneratorFunction]", mapTag = "[object Map]", numberTag$1 = "[object Number]", objectTag$1 = "[object Object]", regexpTag = "[object RegExp]", setTag = "[object Set]", stringTag$2 = "[object String]", symbolTag$3 = "[object Symbol]", weakMapTag = "[object WeakMap]";
 var arrayBufferTag = "[object ArrayBuffer]", dataViewTag = "[object DataView]", float32Tag = "[object Float32Array]", float64Tag = "[object Float64Array]", int8Tag = "[object Int8Array]", int16Tag = "[object Int16Array]", int32Tag = "[object Int32Array]", uint8Tag = "[object Uint8Array]", uint8ClampedTag = "[object Uint8ClampedArray]", uint16Tag = "[object Uint16Array]", uint32Tag = "[object Uint32Array]";
@@ -3059,7 +3057,7 @@ function baseClone$1(value, bitmask, customizer, key, object, stack) {
   if (result !== void 0) {
     return result;
   }
-  if (!isObject$5(value)) {
+  if (!isObject$4(value)) {
     return value;
   }
   var isArr = isArray$3(value);
@@ -3069,20 +3067,20 @@ function baseClone$1(value, bitmask, customizer, key, object, stack) {
       return copyArray(value, result);
     }
   } else {
-    var tag2 = getTag(value), isFunc = tag2 == funcTag$1 || tag2 == genTag$1;
+    var tag = getTag(value), isFunc = tag == funcTag$1 || tag == genTag$1;
     if (isBuffer(value)) {
       return cloneBuffer(value, isDeep);
     }
-    if (tag2 == objectTag$1 || tag2 == argsTag$1 || isFunc && !object) {
+    if (tag == objectTag$1 || tag == argsTag$1 || isFunc && !object) {
       result = isFlat || isFunc ? {} : initCloneObject(value);
       if (!isDeep) {
         return isFlat ? copySymbolsIn(value, baseAssignIn(result, value)) : copySymbols(value, baseAssign(result, value));
       }
     } else {
-      if (!cloneableTags[tag2]) {
+      if (!cloneableTags[tag]) {
         return object ? value : {};
       }
-      result = initCloneByTag(value, tag2, isDeep);
+      result = initCloneByTag(value, tag, isDeep);
     }
   }
   stack || (stack = new Stack());
@@ -3390,7 +3388,10 @@ class CollectionRegistry {
       if (!relation) {
         throw new Error(`Relation '${relationKey}' not found in collection '${currentCollection.slug}'`);
       }
-      currentCollection = relation.target();
+      const target = relation.target();
+      const targetRelationKey = relation.relationName || target.slug;
+      const targetSlug = relation.overrides?.slug ?? targetRelationKey;
+      currentCollection = this.get(targetSlug) || this.normalizeCollection(target);
       if (i + 1 < pathSegments.length) ;
     }
     return currentCollection;
@@ -3439,7 +3440,7 @@ class CollectionRegistry {
         if (!subcollection) {
           throw new Error(`Subcollection '${subcollectionSlug}' not found in ${currentCollection.slug}`);
         }
-        currentCollection = subcollection;
+        currentCollection = this.get(subcollection.slug) || this.normalizeCollection(subcollection);
         collections.push(currentCollection);
       }
     }
@@ -3474,16 +3475,15 @@ async function loadCollectionsFromDirectory(directory) {
         const filePath = path$3.join(directory, file);
         try {
           const fileUrl = pathToFileURL(filePath).href;
-          const dynamicImport = new Function("url", "return import(url)");
-          const module = await dynamicImport(fileUrl);
+          const module = await import(fileUrl);
           if (module && module.default) {
             collections.push(module.default);
           } else {
             console.warn(`[loadCollectionsFromDirectory] File ${file} does not have a default export. Skipping.`);
           }
         } catch (err) {
-          const message2 = err instanceof Error ? err.message : String(err);
-          console.error(`[loadCollectionsFromDirectory] Failed to load collection from ${file}: ${message2}`);
+          const message = err instanceof Error ? err.message : String(err);
+          console.error(`[loadCollectionsFromDirectory] Failed to load collection from ${file}: ${message}`);
         }
       }
     }
@@ -3566,34 +3566,34 @@ class ApiError extends Error {
   statusCode;
   code;
   details;
-  constructor(statusCode, code2, message2, details) {
-    super(message2);
+  constructor(statusCode, code2, message, details) {
+    super(message);
     this.name = "ApiError";
     this.statusCode = statusCode;
     this.code = code2;
     this.details = details;
   }
   // ── Factory methods ──────────────────────────────────────────────
-  static badRequest(message2, code2 = "BAD_REQUEST", details) {
-    return new ApiError(400, code2, message2, details);
+  static badRequest(message, code2 = "BAD_REQUEST", details) {
+    return new ApiError(400, code2, message, details);
   }
-  static unauthorized(message2, code2 = "UNAUTHORIZED") {
-    return new ApiError(401, code2, message2);
+  static unauthorized(message, code2 = "UNAUTHORIZED") {
+    return new ApiError(401, code2, message);
   }
-  static forbidden(message2, code2 = "FORBIDDEN") {
-    return new ApiError(403, code2, message2);
+  static forbidden(message, code2 = "FORBIDDEN") {
+    return new ApiError(403, code2, message);
   }
-  static notFound(message2, code2 = "NOT_FOUND") {
-    return new ApiError(404, code2, message2);
+  static notFound(message, code2 = "NOT_FOUND") {
+    return new ApiError(404, code2, message);
   }
-  static conflict(message2, code2 = "CONFLICT") {
-    return new ApiError(409, code2, message2);
+  static conflict(message, code2 = "CONFLICT") {
+    return new ApiError(409, code2, message);
   }
-  static internal(message2, code2 = "INTERNAL_ERROR") {
-    return new ApiError(500, code2, message2);
+  static internal(message, code2 = "INTERNAL_ERROR") {
+    return new ApiError(500, code2, message);
   }
-  static serviceUnavailable(message2, code2 = "SERVICE_UNAVAILABLE") {
-    return new ApiError(503, code2, message2);
+  static serviceUnavailable(message, code2 = "SERVICE_UNAVAILABLE") {
+    return new ApiError(503, code2, message);
   }
 }
 const errorHandler = (err, c) => {
@@ -3633,7 +3633,8 @@ const errorHandler = (err, c) => {
   console.error(`❌ [API] ${c.req.method} ${c.req.path} → ${statusCode} ${code2}: ${logMessage}`);
   const causePg = error2.cause && typeof error2.cause === "object" ? error2.cause : void 0;
   const pgErrorCode = causePg?.code || error2.code;
-  if (pgErrorCode !== "42703" && pgErrorCode !== "42P01") {
+  const suppressStack = pgErrorCode === "42703" || pgErrorCode === "42P01" || statusCode < 500 && code2 === "BAD_REQUEST";
+  if (!suppressStack) {
     console.error(error2.stack || error2);
   }
   let clientMessage = "An unexpected error occurred";
@@ -3721,8 +3722,8 @@ function parseQueryOptions(query) {
       }
       Object.assign(options2.where, parsedWhere);
     } catch (e) {
-      const message2 = e instanceof Error ? e.message : "malformed JSON";
-      const err = new Error(`Invalid 'where' filter: ${message2}`);
+      const message = e instanceof Error ? e.message : "malformed JSON";
+      const err = new Error(`Invalid 'where' filter: ${message}`);
       err.code = "BAD_REQUEST";
       err.statusCode = 400;
       throw err;
@@ -3806,11 +3807,24 @@ class RestApiGenerator {
   collections;
   router;
   driver;
-  constructor(collections, driver) {
+  dataHooks;
+  constructor(collections, driver, dataHooks) {
     this.collections = collections;
     this.driver = driver;
+    this.dataHooks = dataHooks;
     this.router = new Hono();
   }
+  /** Build a BackendHookContext from a Hono context */
+  buildHookContext(c, method) {
+    const user = c.get("user");
+    return {
+      requestUser: user ? {
+        userId: user.userId,
+        roles: user.roles ?? []
+      } : void 0,
+      method
+    };
+  }
   /**
    * Generate REST routes using existing DataDriver
    */
@@ -3822,16 +3836,10 @@ class RestApiGenerator {
     return this.router;
   }
   /**
-   * Get the EntityFetchService from a driver if it exposes one (for include support)
+   * Get the typed RestFetchService from a driver if it exposes one (for include support).
    */
   getFetchService(driver) {
-    if ("entityService" in driver && typeof driver.entityService === "object" && driver.entityService) {
-      const es = driver.entityService;
-      if (typeof es.getFetchService === "function") {
-        return es.getFetchService();
-      }
-    }
-    return null;
+    return driver.restFetchService;
   }
   /**
    * Create REST routes for a collection using existing Rebase patterns
@@ -3839,15 +3847,26 @@ class RestApiGenerator {
   createCollectionRoutes(collection) {
     const basePath = `/${collection.slug}`;
     const resolvedCollection = collection;
+    this.router.get(`${basePath}/count`, async (c) => {
+      const queryDict = c.req.query();
+      const queryOptions = parseQueryOptions(queryDict);
+      const searchString = queryDict.searchString;
+      const driver = c.get("driver") || this.driver;
+      const total = await this.countRawEntities(driver, resolvedCollection, queryOptions, searchString);
+      return c.json({
+        count: total
+      });
+    });
     this.router.get(basePath, async (c) => {
       const queryDict = c.req.query();
       const queryOptions = parseQueryOptions(queryDict);
       const searchString = queryDict.searchString;
       const driver = c.get("driver") || this.driver;
       const fetchService = this.getFetchService(driver);
+      const hookCtx = this.buildHookContext(c, "GET");
       if (fetchService) {
         const collectionPath = collection.slug;
-        const entities2 = await fetchService.fetchCollectionForRest(collectionPath, {
+        let entities2 = await fetchService.fetchCollectionForRest(collectionPath, {
           filter: queryOptions.where,
           limit: queryOptions.limit,
           offset: queryOptions.offset,
@@ -3855,6 +3874,7 @@ class RestApiGenerator {
           order: queryOptions.orderBy?.[0]?.direction === "desc" ? "desc" : "asc",
           searchString
         }, queryOptions.include);
+        entities2 = await this.applyAfterReadBatch(collection.slug, entities2, hookCtx);
         const total2 = await this.countRawEntities(driver, resolvedCollection, queryOptions, searchString);
         return c.json({
           data: entities2,
@@ -3866,7 +3886,8 @@ class RestApiGenerator {
           }
         });
       }
-      const entities = await this.fetchRawCollection(driver, resolvedCollection, queryOptions, searchString);
+      let entities = await this.fetchRawCollection(driver, resolvedCollection, queryOptions, searchString);
+      entities = await this.applyAfterReadBatch(collection.slug, entities, hookCtx);
       const total = await this.countRawEntities(driver, resolvedCollection, queryOptions, searchString);
       return c.json({
         data: entities,
@@ -3884,15 +3905,24 @@ class RestApiGenerator {
       const queryOptions = parseQueryOptions(queryDict);
       const driver = c.get("driver") || this.driver;
       const fetchService = this.getFetchService(driver);
+      const hookCtx = this.buildHookContext(c, "GET");
       if (fetchService) {
         const collectionPath = collection.slug;
-        const entity2 = await fetchService.fetchEntityForRest(collectionPath, String(id), queryOptions.include);
+        let entity2 = await fetchService.fetchEntityForRest(collectionPath, String(id), queryOptions.include);
+        if (!entity2) {
+          throw ApiError.notFound("Entity not found");
+        }
+        entity2 = await this.applyAfterRead(collection.slug, entity2, hookCtx);
         if (!entity2) {
           throw ApiError.notFound("Entity not found");
         }
         return c.json(entity2);
       }
-      const entity = await this.fetchRawEntity(driver, resolvedCollection, String(id));
+      let entity = await this.fetchRawEntity(driver, resolvedCollection, String(id));
+      if (!entity) {
+        throw ApiError.notFound("Entity not found");
+      }
+      entity = await this.applyAfterRead(collection.slug, entity, hookCtx);
       if (!entity) {
         throw ApiError.notFound("Entity not found");
       }
@@ -3902,14 +3932,24 @@ class RestApiGenerator {
       try {
         const driver = c.get("driver") || this.driver;
         const path2 = collection.slug;
-        const body = await c.req.json().catch(() => ({}));
+        const hookCtx = this.buildHookContext(c, "POST");
+        let body = await c.req.json().catch(() => ({}));
+        if (this.dataHooks?.beforeSave) {
+          body = await this.dataHooks.beforeSave(path2, body, void 0, hookCtx);
+        }
         const entity = await driver.saveEntity({
           path: path2,
           values: body,
           collection: resolvedCollection,
           status: "new"
         });
-        return c.json(this.formatResponse(entity), 201);
+        const response = this.formatResponse(entity);
+        if (this.dataHooks?.afterSave) {
+          Promise.resolve(this.dataHooks.afterSave(path2, response, hookCtx)).catch((err) => {
+            console.error("[BackendHooks] data.afterSave error:", err instanceof Error ? err.message : err);
+          });
+        }
+        return c.json(response, 201);
       } catch (error2) {
         const err = error2;
         err.code = err.code || "BAD_REQUEST";
@@ -3920,6 +3960,7 @@ class RestApiGenerator {
       try {
         const id = c.req.param("id");
         const driver = c.get("driver") || this.driver;
+        const hookCtx = this.buildHookContext(c, "PUT");
         const existingEntity = await driver.fetchEntity({
           path: collection.slug,
           entityId: String(id),
@@ -3928,7 +3969,10 @@ class RestApiGenerator {
         if (!existingEntity) {
           throw ApiError.notFound("Entity not found");
         }
-        const body = await c.req.json().catch(() => ({}));
+        let body = await c.req.json().catch(() => ({}));
+        if (this.dataHooks?.beforeSave) {
+          body = await this.dataHooks.beforeSave(collection.slug, body, String(id), hookCtx);
+        }
         const entity = await driver.saveEntity({
           path: collection.slug,
           entityId: String(id),
@@ -3936,7 +3980,13 @@ class RestApiGenerator {
           collection: resolvedCollection,
           status: "existing"
         });
-        return c.json(this.formatResponse(entity));
+        const response = this.formatResponse(entity);
+        if (this.dataHooks?.afterSave) {
+          Promise.resolve(this.dataHooks.afterSave(collection.slug, response, hookCtx)).catch((err) => {
+            console.error("[BackendHooks] data.afterSave error:", err instanceof Error ? err.message : err);
+          });
+        }
+        return c.json(response);
       } catch (error2) {
         const err = error2;
         err.code = err.code || "BAD_REQUEST";
@@ -3946,6 +3996,7 @@ class RestApiGenerator {
     this.router.delete(`${basePath}/:id`, async (c) => {
       const id = c.req.param("id");
       const driver = c.get("driver") || this.driver;
+      const hookCtx = this.buildHookContext(c, "DELETE");
       const existingEntity = await driver.fetchEntity({
         path: collection.slug,
         entityId: String(id),
@@ -3954,10 +4005,18 @@ class RestApiGenerator {
       if (!existingEntity) {
         throw ApiError.notFound("Entity not found");
       }
+      if (this.dataHooks?.beforeDelete) {
+        await this.dataHooks.beforeDelete(collection.slug, String(id), hookCtx);
+      }
       await driver.deleteEntity({
         entity: existingEntity,
         collection: resolvedCollection
       });
+      if (this.dataHooks?.afterDelete) {
+        Promise.resolve(this.dataHooks.afterDelete(collection.slug, String(id), hookCtx)).catch((err) => {
+          console.error("[BackendHooks] data.afterDelete error:", err instanceof Error ? err.message : err);
+        });
+      }
       return new Response(null, {
         status: 204
       });
@@ -4006,7 +4065,18 @@ class RestApiGenerator {
       const parsed = parseSubPath(rawPath);
       if (!parsed) return next();
       const driver = c.get("driver") || this.driver;
-      if (parsed.entityId) {
+      if (parsed.entityId === "count") {
+        const queryDict = c.req.query();
+        const queryOptions = parseQueryOptions(queryDict);
+        const total = driver.countEntities ? await driver.countEntities({
+          path: parsed.collectionPath,
+          filter: queryOptions.where,
+          searchString: queryDict.searchString
+        }) : 0;
+        return c.json({
+          count: total
+        });
+      } else if (parsed.entityId) {
         const entity = await driver.fetchEntity({
           path: parsed.collectionPath,
           entityId: parsed.entityId
@@ -4164,6 +4234,22 @@ class RestApiGenerator {
     });
     return entity ? this.flattenEntity(entity) : null;
   }
+  /**
+   * Apply data.afterRead hook to a single entity.
+   * Returns the transformed entity, or null to filter it out.
+   */
+  async applyAfterRead(slug, entity, ctx) {
+    if (!this.dataHooks?.afterRead) return entity;
+    return this.dataHooks.afterRead(slug, entity, ctx);
+  }
+  /**
+   * Apply data.afterRead hook to an array of entities, filtering out nulls.
+   */
+  async applyAfterReadBatch(slug, entities, ctx) {
+    if (!this.dataHooks?.afterRead) return entities;
+    const results = await Promise.all(entities.map((e) => this.applyAfterRead(slug, e, ctx)));
+    return results.filter((e) => e !== null);
+  }
 }
 var jws$5 = {};
 var safeBuffer = { exports: {} };
@@ -4745,11 +4831,11 @@ var Stream$1 = require$$0$3;
 var toString2 = tostring;
 var util$4 = require$$5;
 var JWS_REGEX = /^[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?\.([a-zA-Z0-9\-_]+)?$/;
-function isObject$4(thing) {
+function isObject$3(thing) {
   return Object.prototype.toString.call(thing) === "[object Object]";
 }
 function safeJsonParse(thing) {
-  if (isObject$4(thing))
+  if (isObject$3(thing))
     return thing;
   try {
     return JSON.parse(thing);
@@ -4875,7 +4961,7 @@ jws$5.createVerify = function createVerify(opts) {
   return new VerifyStream(opts);
 };
 var jws$4 = jws$5;
-var decode$3 = function(jwt2, options2) {
+var decode$2 = function(jwt2, options2) {
   options2 = options2 || {};
   var decoded = jws$4.decode(jwt2, options2);
   if (!decoded) {
@@ -4900,21 +4986,21 @@ var decode$3 = function(jwt2, options2) {
   }
   return payload;
 };
-var JsonWebTokenError$3 = function(message2, error2) {
-  Error.call(this, message2);
+var JsonWebTokenError$3 = function(message, error2) {
+  Error.call(this, message);
   if (Error.captureStackTrace) {
     Error.captureStackTrace(this, this.constructor);
   }
   this.name = "JsonWebTokenError";
-  this.message = message2;
+  this.message = message;
   if (error2) this.inner = error2;
 };
 JsonWebTokenError$3.prototype = Object.create(Error.prototype);
 JsonWebTokenError$3.prototype.constructor = JsonWebTokenError$3;
 var JsonWebTokenError_1 = JsonWebTokenError$3;
 var JsonWebTokenError$2 = JsonWebTokenError_1;
-var NotBeforeError$1 = function(message2, date) {
-  JsonWebTokenError$2.call(this, message2);
+var NotBeforeError$1 = function(message, date) {
+  JsonWebTokenError$2.call(this, message);
   this.name = "NotBeforeError";
   this.date = date;
 };
@@ -4922,8 +5008,8 @@ NotBeforeError$1.prototype = Object.create(JsonWebTokenError$2.prototype);
 NotBeforeError$1.prototype.constructor = NotBeforeError$1;
 var NotBeforeError_1 = NotBeforeError$1;
 var JsonWebTokenError$1 = JsonWebTokenError_1;
-var TokenExpiredError$1 = function(message2, expiredAt) {
-  JsonWebTokenError$1.call(this, message2);
+var TokenExpiredError$1 = function(message, expiredAt) {
+  JsonWebTokenError$1.call(this, message);
   this.name = "TokenExpiredError";
   this.expiredAt = expiredAt;
 };
@@ -5788,7 +5874,7 @@ function requireRange() {
     parseRange(range2) {
       const memoOpts = (this.options.includePrerelease && FLAG_INCLUDE_PRERELEASE) | (this.options.loose && FLAG_LOOSE);
       const memoKey = memoOpts + ":" + range2;
-      const cached = cache2.get(memoKey);
+      const cached = cache.get(memoKey);
       if (cached) {
         return cached;
       }
@@ -5822,7 +5908,7 @@ function requireRange() {
         rangeMap.delete("");
       }
       const result = [...rangeMap.values()];
-      cache2.set(memoKey, result);
+      cache.set(memoKey, result);
       return result;
     }
     intersects(range2, options2) {
@@ -5861,7 +5947,7 @@ function requireRange() {
   }
   range = Range2;
   const LRU = lrucache;
-  const cache2 = new LRU();
+  const cache = new LRU();
   const parseOptions2 = parseOptions_1;
   const Comparator2 = requireComparator();
   const debug2 = debug_1;
@@ -6738,7 +6824,7 @@ var psSupported = semver.satisfies(process.version, "^6.12.0 || >=8.0.0");
 const JsonWebTokenError = JsonWebTokenError_1;
 const NotBeforeError = NotBeforeError_1;
 const TokenExpiredError = TokenExpiredError_1;
-const decode$2 = decode$3;
+const decode$1 = decode$2;
 const timespan$1 = timespan$2;
 const validateAsymmetricKey$1 = validateAsymmetricKey$2;
 const PS_SUPPORTED$1 = psSupported;
@@ -6792,7 +6878,7 @@ var verify2 = function(jwtString, secretOrPublicKey, options2, callback) {
   }
   let decodedToken;
   try {
-    decodedToken = decode$2(jwtString, { complete: true });
+    decodedToken = decode$1(jwtString, { complete: true });
   } catch (err) {
     return done(err);
   }
@@ -7052,27 +7138,27 @@ function isArrayLike(value) {
   return value != null && isLength(value.length) && !isFunction(value);
 }
 function isArrayLikeObject(value) {
-  return isObjectLike$8(value) && isArrayLike(value);
+  return isObjectLike$7(value) && isArrayLike(value);
 }
 function isFunction(value) {
-  var tag2 = isObject$3(value) ? objectToString$6.call(value) : "";
-  return tag2 == funcTag || tag2 == genTag;
+  var tag = isObject$2(value) ? objectToString$6.call(value) : "";
+  return tag == funcTag || tag == genTag;
 }
 function isLength(value) {
   return typeof value == "number" && value > -1 && value % 1 == 0 && value <= MAX_SAFE_INTEGER;
 }
-function isObject$3(value) {
+function isObject$2(value) {
   var type = typeof value;
   return !!value && (type == "object" || type == "function");
 }
-function isObjectLike$8(value) {
+function isObjectLike$7(value) {
   return !!value && typeof value == "object";
 }
 function isString$2(value) {
-  return typeof value == "string" || !isArray$2(value) && isObjectLike$8(value) && objectToString$6.call(value) == stringTag$1;
+  return typeof value == "string" || !isArray$2(value) && isObjectLike$7(value) && objectToString$6.call(value) == stringTag$1;
 }
 function isSymbol$2(value) {
-  return typeof value == "symbol" || isObjectLike$8(value) && objectToString$6.call(value) == symbolTag$2;
+  return typeof value == "symbol" || isObjectLike$7(value) && objectToString$6.call(value) == symbolTag$2;
 }
 function toFinite$2(value) {
   if (!value) {
@@ -7096,9 +7182,9 @@ function toNumber$2(value) {
   if (isSymbol$2(value)) {
     return NAN$2;
   }
-  if (isObject$3(value)) {
+  if (isObject$2(value)) {
     var other = typeof value.valueOf == "function" ? value.valueOf() : value;
-    value = isObject$3(other) ? other + "" : other;
+    value = isObject$2(other) ? other + "" : other;
   }
   if (typeof value != "string") {
     return value === 0 ? value : +value;
@@ -7118,9 +7204,9 @@ var boolTag = "[object Boolean]";
 var objectProto$5 = Object.prototype;
 var objectToString$5 = objectProto$5.toString;
 function isBoolean$1(value) {
-  return value === true || value === false || isObjectLike$7(value) && objectToString$5.call(value) == boolTag;
+  return value === true || value === false || isObjectLike$6(value) && objectToString$5.call(value) == boolTag;
 }
-function isObjectLike$7(value) {
+function isObjectLike$6(value) {
   return !!value && typeof value == "object";
 }
 var lodash_isboolean = isBoolean$1;
@@ -7136,15 +7222,15 @@ var objectToString$4 = objectProto$4.toString;
 function isInteger$1(value) {
   return typeof value == "number" && value == toInteger$1(value);
 }
-function isObject$2(value) {
+function isObject$1(value) {
   var type = typeof value;
   return !!value && (type == "object" || type == "function");
 }
-function isObjectLike$6(value) {
+function isObjectLike$5(value) {
   return !!value && typeof value == "object";
 }
 function isSymbol$1(value) {
-  return typeof value == "symbol" || isObjectLike$6(value) && objectToString$4.call(value) == symbolTag$1;
+  return typeof value == "symbol" || isObjectLike$5(value) && objectToString$4.call(value) == symbolTag$1;
 }
 function toFinite$1(value) {
   if (!value) {
@@ -7168,9 +7254,9 @@ function toNumber$1(value) {
   if (isSymbol$1(value)) {
     return NAN$1;
   }
-  if (isObject$2(value)) {
+  if (isObject$1(value)) {
     var other = typeof value.valueOf == "function" ? value.valueOf() : value;
-    value = isObject$2(other) ? other + "" : other;
+    value = isObject$1(other) ? other + "" : other;
   }
   if (typeof value != "string") {
     return value === 0 ? value : +value;
@@ -7183,11 +7269,11 @@ var lodash_isinteger = isInteger$1;
 var numberTag = "[object Number]";
 var objectProto$3 = Object.prototype;
 var objectToString$3 = objectProto$3.toString;
-function isObjectLike$5(value) {
+function isObjectLike$4(value) {
   return !!value && typeof value == "object";
 }
 function isNumber$1(value) {
-  return typeof value == "number" || isObjectLike$5(value) && objectToString$3.call(value) == numberTag;
+  return typeof value == "number" || isObjectLike$4(value) && objectToString$3.call(value) == numberTag;
 }
 var lodash_isnumber = isNumber$1;
 var objectTag = "[object Object]";
@@ -7212,11 +7298,11 @@ var hasOwnProperty$1 = objectProto$2.hasOwnProperty;
 var objectCtorString = funcToString.call(Object);
 var objectToString$2 = objectProto$2.toString;
 var getPrototype = overArg(Object.getPrototypeOf, Object);
-function isObjectLike$4(value) {
+function isObjectLike$3(value) {
   return !!value && typeof value == "object";
 }
 function isPlainObject$2(value) {
-  if (!isObjectLike$4(value) || objectToString$2.call(value) != objectTag || isHostObject(value)) {
+  if (!isObjectLike$3(value) || objectToString$2.call(value) != objectTag || isHostObject(value)) {
     return false;
   }
   var proto = getPrototype(value);
@@ -7231,11 +7317,11 @@ var stringTag = "[object String]";
 var objectProto$1 = Object.prototype;
 var objectToString$1 = objectProto$1.toString;
 var isArray$1 = Array.isArray;
-function isObjectLike$3(value) {
+function isObjectLike$2(value) {
   return !!value && typeof value == "object";
 }
 function isString$1(value) {
-  return typeof value == "string" || !isArray$1(value) && isObjectLike$3(value) && objectToString$1.call(value) == stringTag;
+  return typeof value == "string" || !isArray$1(value) && isObjectLike$2(value) && objectToString$1.call(value) == stringTag;
 }
 var lodash_isstring = isString$1;
 var FUNC_ERROR_TEXT = "Expected a function";
@@ -7267,15 +7353,15 @@ function before(n, func) {
 function once$1(func) {
   return before(2, func);
 }
-function isObject$1(value) {
+function isObject(value) {
   var type = typeof value;
   return !!value && (type == "object" || type == "function");
 }
-function isObjectLike$2(value) {
+function isObjectLike$1(value) {
   return !!value && typeof value == "object";
 }
 function isSymbol(value) {
-  return typeof value == "symbol" || isObjectLike$2(value) && objectToString.call(value) == symbolTag;
+  return typeof value == "symbol" || isObjectLike$1(value) && objectToString.call(value) == symbolTag;
 }
 function toFinite(value) {
   if (!value) {
@@ -7299,9 +7385,9 @@ function toNumber(value) {
   if (isSymbol(value)) {
     return NAN;
   }
-  if (isObject$1(value)) {
+  if (isObject(value)) {
     var other = typeof value.valueOf == "function" ? value.valueOf() : value;
-    value = isObject$1(other) ? other + "" : other;
+    value = isObject(other) ? other + "" : other;
   }
   if (typeof value != "string") {
     return value === 0 ? value : +value;
@@ -7392,7 +7478,7 @@ const options_for_objects = [
   "subject",
   "jwtid"
 ];
-var sign$4 = function(payload, secretOrPrivateKey, options2, callback) {
+var sign$3 = function(payload, secretOrPrivateKey, options2, callback) {
   if (typeof options2 === "function") {
     callback = options2;
     options2 = {};
@@ -7531,9 +7617,9 @@ var sign$4 = function(payload, secretOrPrivateKey, options2, callback) {
   }
 };
 var jsonwebtoken = {
-  decode: decode$3,
+  decode: decode$2,
   verify: verify2,
-  sign: sign$4,
+  sign: sign$3,
   JsonWebTokenError: JsonWebTokenError_1,
   NotBeforeError: NotBeforeError_1,
   TokenExpiredError: TokenExpiredError_1
@@ -7984,7 +8070,7 @@ function formatData(data) {
 }
 function createLogger(defaultFields = {}) {
   const minLevel = getMinLevel();
-  function emit(level, message2, data) {
+  function emit(level, message, data) {
     if (LOG_PRIORITY[level] < LOG_PRIORITY[minLevel]) return;
     const merged = {
       ...defaultFields,
@@ -7993,7 +8079,7 @@ function createLogger(defaultFields = {}) {
     if (isProduction$1()) {
       const entry = {
         severity: GCP_SEVERITY[level],
-        message: message2,
+        message,
         timestamp: (/* @__PURE__ */ new Date()).toISOString(),
         ...merged
       };
@@ -8006,7 +8092,7 @@ function createLogger(defaultFields = {}) {
     } else {
       const prefix = level === "error" ? "❌" : level === "warn" ? "⚠️" : level === "info" ? "ℹ️" : "🐛";
       const extra = Object.keys(merged).length > 0 ? ` ${JSON.stringify(merged)}` : "";
-      const out = `${prefix} [${level.toUpperCase()}] ${message2}${extra}`;
+      const out = `${prefix} [${level.toUpperCase()}] ${message}${extra}`;
       if (level === "error") {
         console.error(out);
       } else if (level === "warn") {
@@ -8367,9 +8453,9 @@ util$3.pkg = require$$0$1;
       }
       return Function.prototype[Symbol.hasInstance].call(GaxiosError, instance);
     }
-    constructor(message2, config, response, error2) {
+    constructor(message, config, response, error2) {
       var _b2;
-      super(message2);
+      super(message);
       this.config = config;
       this.response = response;
       this.error = error2;
@@ -14265,8 +14351,8 @@ const readFile$2 = fs$3.readFile ? (0, util_1$5.promisify)(fs$3.readFile) : asyn
 const GOOGLE_TOKEN_URL = "https://www.googleapis.com/oauth2/v4/token";
 const GOOGLE_REVOKE_TOKEN_URL = "https://accounts.google.com/o/oauth2/revoke?token=";
 class ErrorWithCode extends Error {
-  constructor(message2, code2) {
-    super(message2);
+  constructor(message, code2) {
+    super(message);
     this.code = code2;
   }
 }
@@ -15122,13 +15208,13 @@ class Impersonated extends oauth2client_1.OAuth2Client {
       if (!(error2 instanceof Error))
         throw error2;
       let status = 0;
-      let message2 = "";
+      let message = "";
       if (error2 instanceof gaxios_1$2.GaxiosError) {
         status = (_c2 = (_b2 = (_a2 = error2 === null || error2 === void 0 ? void 0 : error2.response) === null || _a2 === void 0 ? void 0 : _a2.data) === null || _b2 === void 0 ? void 0 : _b2.error) === null || _c2 === void 0 ? void 0 : _c2.status;
-        message2 = (_f = (_e = (_d = error2 === null || error2 === void 0 ? void 0 : error2.response) === null || _d === void 0 ? void 0 : _d.data) === null || _e === void 0 ? void 0 : _e.error) === null || _f === void 0 ? void 0 : _f.message;
+        message = (_f = (_e = (_d = error2 === null || error2 === void 0 ? void 0 : error2.response) === null || _d === void 0 ? void 0 : _d.data) === null || _e === void 0 ? void 0 : _e.error) === null || _f === void 0 ? void 0 : _f.message;
       }
-      if (status && message2) {
-        error2.message = `${status}: unable to impersonate: ${message2}`;
+      if (status && message) {
+        error2.message = `${status}: unable to impersonate: ${message}`;
         throw error2;
       } else {
         error2.message = `unable to impersonate: ${error2}`;
@@ -15290,14 +15376,14 @@ function getErrorFromOAuthErrorResponse(resp, err) {
   const errorCode = resp.error;
   const errorDescription = resp.error_description;
   const errorUri = resp.error_uri;
-  let message2 = `Error code ${errorCode}`;
+  let message = `Error code ${errorCode}`;
   if (typeof errorDescription !== "undefined") {
-    message2 += `: ${errorDescription}`;
+    message += `: ${errorDescription}`;
   }
   if (typeof errorUri !== "undefined") {
-    message2 += ` - ${errorUri}`;
+    message += ` - ${errorUri}`;
   }
-  const newError = new Error(message2);
+  const newError = new Error(message);
   if (err) {
     const keys2 = Object.keys(err);
     if (err.stack) {
@@ -16025,14 +16111,14 @@ class AwsRequestSigner {
   }
 }
 awsrequestsigner.AwsRequestSigner = AwsRequestSigner;
-async function sign$3(crypto2, key, msg) {
+async function sign$2(crypto2, key, msg) {
   return await crypto2.signWithHmacSha256(key, msg);
 }
 async function getSigningKey(crypto2, key, dateStamp, region, serviceName) {
-  const kDate = await sign$3(crypto2, `AWS4${key}`, dateStamp);
-  const kRegion = await sign$3(crypto2, kDate, region);
-  const kService = await sign$3(crypto2, kRegion, serviceName);
-  const kSigning = await sign$3(crypto2, kService, "aws4_request");
+  const kDate = await sign$2(crypto2, `AWS4${key}`, dateStamp);
+  const kRegion = await sign$2(crypto2, kDate, region);
+  const kService = await sign$2(crypto2, kRegion, serviceName);
+  const kSigning = await sign$2(crypto2, kService, "aws4_request");
   return kSigning;
 }
 async function generateAuthenticationHeaderMap(options2) {
@@ -16078,7 +16164,7 @@ ${amzDate}
 ${credentialScope}
 ` + await options2.crypto.sha256DigestHex(canonicalRequest);
   const signingKey = await getSigningKey(options2.crypto, options2.securityCredentials.secretAccessKey, dateStamp, options2.region, serviceName);
-  const signature = await sign$3(options2.crypto, signingKey, stringToSign);
+  const signature = await sign$2(options2.crypto, signingKey, stringToSign);
   const authorizationHeader = `${AWS_ALGORITHM} Credential=${options2.securityCredentials.accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${(0, crypto_1.fromArrayBufferToHex)(signature)}`;
   return {
     // Do not return x-amz-date if date is available.
@@ -16409,8 +16495,8 @@ class ExecutableResponse {
 }
 executableResponse.ExecutableResponse = ExecutableResponse;
 class ExecutableResponseError extends Error {
-  constructor(message2) {
-    super(message2);
+  constructor(message) {
+    super(message);
     Object.setPrototypeOf(this, new.target.prototype);
   }
 }
@@ -16573,8 +16659,8 @@ function requirePluggableAuthClient() {
   const executable_response_1 = executableResponse;
   const pluggable_auth_handler_1 = requirePluggableAuthHandler();
   class ExecutableError extends Error {
-    constructor(message2, code2) {
-      super(`The executable failed with exit code: ${code2} and error message: ${message2}.`);
+    constructor(message, code2) {
+      super(`The executable failed with exit code: ${code2} and error message: ${message}.`);
       this.code = code2;
       Object.setPrototypeOf(this, new.target.prototype);
     }
@@ -18222,104 +18308,104 @@ ZodError.create = (issues) => {
   return error2;
 };
 const errorMap = (issue, _ctx) => {
-  let message2;
+  let message;
   switch (issue.code) {
     case ZodIssueCode.invalid_type:
       if (issue.received === ZodParsedType.undefined) {
-        message2 = "Required";
+        message = "Required";
       } else {
-        message2 = `Expected ${issue.expected}, received ${issue.received}`;
+        message = `Expected ${issue.expected}, received ${issue.received}`;
       }
       break;
     case ZodIssueCode.invalid_literal:
-      message2 = `Invalid literal value, expected ${JSON.stringify(issue.expected, util$1.jsonStringifyReplacer)}`;
+      message = `Invalid literal value, expected ${JSON.stringify(issue.expected, util$1.jsonStringifyReplacer)}`;
       break;
     case ZodIssueCode.unrecognized_keys:
-      message2 = `Unrecognized key(s) in object: ${util$1.joinValues(issue.keys, ", ")}`;
+      message = `Unrecognized key(s) in object: ${util$1.joinValues(issue.keys, ", ")}`;
       break;
     case ZodIssueCode.invalid_union:
-      message2 = `Invalid input`;
+      message = `Invalid input`;
       break;
     case ZodIssueCode.invalid_union_discriminator:
-      message2 = `Invalid discriminator value. Expected ${util$1.joinValues(issue.options)}`;
+      message = `Invalid discriminator value. Expected ${util$1.joinValues(issue.options)}`;
       break;
     case ZodIssueCode.invalid_enum_value:
-      message2 = `Invalid enum value. Expected ${util$1.joinValues(issue.options)}, received '${issue.received}'`;
+      message = `Invalid enum value. Expected ${util$1.joinValues(issue.options)}, received '${issue.received}'`;
       break;
     case ZodIssueCode.invalid_arguments:
-      message2 = `Invalid function arguments`;
+      message = `Invalid function arguments`;
       break;
     case ZodIssueCode.invalid_return_type:
-      message2 = `Invalid function return type`;
+      message = `Invalid function return type`;
       break;
     case ZodIssueCode.invalid_date:
-      message2 = `Invalid date`;
+      message = `Invalid date`;
       break;
     case ZodIssueCode.invalid_string:
       if (typeof issue.validation === "object") {
         if ("includes" in issue.validation) {
-          message2 = `Invalid input: must include "${issue.validation.includes}"`;
+          message = `Invalid input: must include "${issue.validation.includes}"`;
           if (typeof issue.validation.position === "number") {
-            message2 = `${message2} at one or more positions greater than or equal to ${issue.validation.position}`;
+            message = `${message} at one or more positions greater than or equal to ${issue.validation.position}`;
           }
         } else if ("startsWith" in issue.validation) {
-          message2 = `Invalid input: must start with "${issue.validation.startsWith}"`;
+          message = `Invalid input: must start with "${issue.validation.startsWith}"`;
         } else if ("endsWith" in issue.validation) {
-          message2 = `Invalid input: must end with "${issue.validation.endsWith}"`;
+          message = `Invalid input: must end with "${issue.validation.endsWith}"`;
         } else {
           util$1.assertNever(issue.validation);
         }
       } else if (issue.validation !== "regex") {
-        message2 = `Invalid ${issue.validation}`;
+        message = `Invalid ${issue.validation}`;
       } else {
-        message2 = "Invalid";
+        message = "Invalid";
       }
       break;
     case ZodIssueCode.too_small:
       if (issue.type === "array")
-        message2 = `Array must contain ${issue.exact ? "exactly" : issue.inclusive ? `at least` : `more than`} ${issue.minimum} element(s)`;
+        message = `Array must contain ${issue.exact ? "exactly" : issue.inclusive ? `at least` : `more than`} ${issue.minimum} element(s)`;
       else if (issue.type === "string")
-        message2 = `String must contain ${issue.exact ? "exactly" : issue.inclusive ? `at least` : `over`} ${issue.minimum} character(s)`;
+        message = `String must contain ${issue.exact ? "exactly" : issue.inclusive ? `at least` : `over`} ${issue.minimum} character(s)`;
       else if (issue.type === "number")
-        message2 = `Number must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${issue.minimum}`;
+        message = `Number must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${issue.minimum}`;
       else if (issue.type === "bigint")
-        message2 = `Number must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${issue.minimum}`;
+        message = `Number must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${issue.minimum}`;
       else if (issue.type === "date")
-        message2 = `Date must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${new Date(Number(issue.minimum))}`;
+        message = `Date must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${new Date(Number(issue.minimum))}`;
       else
-        message2 = "Invalid input";
+        message = "Invalid input";
       break;
     case ZodIssueCode.too_big:
       if (issue.type === "array")
-        message2 = `Array must contain ${issue.exact ? `exactly` : issue.inclusive ? `at most` : `less than`} ${issue.maximum} element(s)`;
+        message = `Array must contain ${issue.exact ? `exactly` : issue.inclusive ? `at most` : `less than`} ${issue.maximum} element(s)`;
       else if (issue.type === "string")
-        message2 = `String must contain ${issue.exact ? `exactly` : issue.inclusive ? `at most` : `under`} ${issue.maximum} character(s)`;
+        message = `String must contain ${issue.exact ? `exactly` : issue.inclusive ? `at most` : `under`} ${issue.maximum} character(s)`;
       else if (issue.type === "number")
-        message2 = `Number must be ${issue.exact ? `exactly` : issue.inclusive ? `less than or equal to` : `less than`} ${issue.maximum}`;
+        message = `Number must be ${issue.exact ? `exactly` : issue.inclusive ? `less than or equal to` : `less than`} ${issue.maximum}`;
       else if (issue.type === "bigint")
-        message2 = `BigInt must be ${issue.exact ? `exactly` : issue.inclusive ? `less than or equal to` : `less than`} ${issue.maximum}`;
+        message = `BigInt must be ${issue.exact ? `exactly` : issue.inclusive ? `less than or equal to` : `less than`} ${issue.maximum}`;
       else if (issue.type === "date")
-        message2 = `Date must be ${issue.exact ? `exactly` : issue.inclusive ? `smaller than or equal to` : `smaller than`} ${new Date(Number(issue.maximum))}`;
+        message = `Date must be ${issue.exact ? `exactly` : issue.inclusive ? `smaller than or equal to` : `smaller than`} ${new Date(Number(issue.maximum))}`;
       else
-        message2 = "Invalid input";
+        message = "Invalid input";
       break;
     case ZodIssueCode.custom:
-      message2 = `Invalid input`;
+      message = `Invalid input`;
       break;
     case ZodIssueCode.invalid_intersection_types:
-      message2 = `Intersection results could not be merged`;
+      message = `Intersection results could not be merged`;
       break;
     case ZodIssueCode.not_multiple_of:
-      message2 = `Number must be a multiple of ${issue.multipleOf}`;
+      message = `Number must be a multiple of ${issue.multipleOf}`;
       break;
     case ZodIssueCode.not_finite:
-      message2 = "Number must be finite";
+      message = "Number must be finite";
       break;
     default:
-      message2 = _ctx.defaultError;
+      message = _ctx.defaultError;
       util$1.assertNever(issue);
   }
-  return { message: message2 };
+  return { message };
 };
 let overrideErrorMap = errorMap;
 function getErrorMap() {
@@ -18434,8 +18520,8 @@ const isValid = (x) => x.status === "valid";
 const isAsync = (x) => typeof Promise !== "undefined" && x instanceof Promise;
 var errorUtil;
 (function(errorUtil2) {
-  errorUtil2.errToObj = (message2) => typeof message2 === "string" ? { message: message2 } : message2 || {};
-  errorUtil2.toString = (message2) => typeof message2 === "string" ? message2 : message2?.message;
+  errorUtil2.errToObj = (message) => typeof message === "string" ? { message } : message || {};
+  errorUtil2.toString = (message) => typeof message === "string" ? message : message?.message;
 })(errorUtil || (errorUtil = {}));
 class ParseInputLazyPath {
   constructor(parent, value, path2, key) {
@@ -18485,16 +18571,16 @@ function processCreateParams(params) {
   if (errorMap2)
     return { errorMap: errorMap2, description: description2 };
   const customMap = (iss, ctx) => {
-    const { message: message2 } = params;
+    const { message } = params;
     if (iss.code === "invalid_enum_value") {
-      return { message: message2 ?? ctx.defaultError };
+      return { message: message ?? ctx.defaultError };
     }
     if (typeof ctx.data === "undefined") {
-      return { message: message2 ?? required_error ?? ctx.defaultError };
+      return { message: message ?? required_error ?? ctx.defaultError };
     }
     if (iss.code !== "invalid_type")
       return { message: ctx.defaultError };
-    return { message: message2 ?? invalid_type_error ?? ctx.defaultError };
+    return { message: message ?? invalid_type_error ?? ctx.defaultError };
   };
   return { errorMap: customMap, description: description2 };
 }
@@ -18620,14 +18706,14 @@ class ZodType {
     const result = await (isAsync(maybeAsyncResult) ? maybeAsyncResult : Promise.resolve(maybeAsyncResult));
     return handleResult(ctx, result);
   }
-  refine(check, message2) {
+  refine(check, message) {
     const getIssueProperties = (val) => {
-      if (typeof message2 === "string" || typeof message2 === "undefined") {
-        return { message: message2 };
-      } else if (typeof message2 === "function") {
-        return message2(val);
+      if (typeof message === "string" || typeof message === "undefined") {
+        return { message };
+      } else if (typeof message === "function") {
+        return message(val);
       } else {
-        return message2;
+        return message;
       }
     };
     return this._refinement((val, ctx) => {
@@ -19163,11 +19249,11 @@ class ZodString extends ZodType {
     }
     return { status: status.value, value: input.data };
   }
-  _regex(regex2, validation, message2) {
+  _regex(regex2, validation, message) {
     return this.refinement((data) => regex2.test(data), {
       validation,
       code: ZodIssueCode.invalid_string,
-      ...errorUtil.errToObj(message2)
+      ...errorUtil.errToObj(message)
     });
   }
   _addCheck(check) {
@@ -19176,37 +19262,37 @@ class ZodString extends ZodType {
       checks: [...this._def.checks, check]
     });
   }
-  email(message2) {
-    return this._addCheck({ kind: "email", ...errorUtil.errToObj(message2) });
+  email(message) {
+    return this._addCheck({ kind: "email", ...errorUtil.errToObj(message) });
   }
-  url(message2) {
-    return this._addCheck({ kind: "url", ...errorUtil.errToObj(message2) });
+  url(message) {
+    return this._addCheck({ kind: "url", ...errorUtil.errToObj(message) });
   }
-  emoji(message2) {
-    return this._addCheck({ kind: "emoji", ...errorUtil.errToObj(message2) });
+  emoji(message) {
+    return this._addCheck({ kind: "emoji", ...errorUtil.errToObj(message) });
   }
-  uuid(message2) {
-    return this._addCheck({ kind: "uuid", ...errorUtil.errToObj(message2) });
+  uuid(message) {
+    return this._addCheck({ kind: "uuid", ...errorUtil.errToObj(message) });
   }
-  nanoid(message2) {
-    return this._addCheck({ kind: "nanoid", ...errorUtil.errToObj(message2) });
+  nanoid(message) {
+    return this._addCheck({ kind: "nanoid", ...errorUtil.errToObj(message) });
   }
-  cuid(message2) {
-    return this._addCheck({ kind: "cuid", ...errorUtil.errToObj(message2) });
+  cuid(message) {
+    return this._addCheck({ kind: "cuid", ...errorUtil.errToObj(message) });
   }
-  cuid2(message2) {
-    return this._addCheck({ kind: "cuid2", ...errorUtil.errToObj(message2) });
+  cuid2(message) {
+    return this._addCheck({ kind: "cuid2", ...errorUtil.errToObj(message) });
   }
-  ulid(message2) {
-    return this._addCheck({ kind: "ulid", ...errorUtil.errToObj(message2) });
+  ulid(message) {
+    return this._addCheck({ kind: "ulid", ...errorUtil.errToObj(message) });
   }
-  base64(message2) {
-    return this._addCheck({ kind: "base64", ...errorUtil.errToObj(message2) });
+  base64(message) {
+    return this._addCheck({ kind: "base64", ...errorUtil.errToObj(message) });
   }
-  base64url(message2) {
+  base64url(message) {
     return this._addCheck({
       kind: "base64url",
-      ...errorUtil.errToObj(message2)
+      ...errorUtil.errToObj(message)
     });
   }
   jwt(options2) {
@@ -19236,8 +19322,8 @@ class ZodString extends ZodType {
       ...errorUtil.errToObj(options2?.message)
     });
   }
-  date(message2) {
-    return this._addCheck({ kind: "date", message: message2 });
+  date(message) {
+    return this._addCheck({ kind: "date", message });
   }
   time(options2) {
     if (typeof options2 === "string") {
@@ -19253,14 +19339,14 @@ class ZodString extends ZodType {
       ...errorUtil.errToObj(options2?.message)
     });
   }
-  duration(message2) {
-    return this._addCheck({ kind: "duration", ...errorUtil.errToObj(message2) });
+  duration(message) {
+    return this._addCheck({ kind: "duration", ...errorUtil.errToObj(message) });
   }
-  regex(regex2, message2) {
+  regex(regex2, message) {
     return this._addCheck({
       kind: "regex",
       regex: regex2,
-      ...errorUtil.errToObj(message2)
+      ...errorUtil.errToObj(message)
     });
   }
   includes(value, options2) {
@@ -19271,46 +19357,46 @@ class ZodString extends ZodType {
       ...errorUtil.errToObj(options2?.message)
     });
   }
-  startsWith(value, message2) {
+  startsWith(value, message) {
     return this._addCheck({
       kind: "startsWith",
       value,
-      ...errorUtil.errToObj(message2)
+      ...errorUtil.errToObj(message)
     });
   }
-  endsWith(value, message2) {
+  endsWith(value, message) {
     return this._addCheck({
       kind: "endsWith",
       value,
-      ...errorUtil.errToObj(message2)
+      ...errorUtil.errToObj(message)
     });
   }
-  min(minLength, message2) {
+  min(minLength, message) {
     return this._addCheck({
       kind: "min",
       value: minLength,
-      ...errorUtil.errToObj(message2)
+      ...errorUtil.errToObj(message)
     });
   }
-  max(maxLength, message2) {
+  max(maxLength, message) {
     return this._addCheck({
       kind: "max",
       value: maxLength,
-      ...errorUtil.errToObj(message2)
+      ...errorUtil.errToObj(message)
     });
   }
-  length(len, message2) {
+  length(len, message) {
     return this._addCheck({
       kind: "length",
       value: len,
-      ...errorUtil.errToObj(message2)
+      ...errorUtil.errToObj(message)
     });
   }
   /**
    * Equivalent to `.min(1)`
    */
-  nonempty(message2) {
-    return this.min(1, errorUtil.errToObj(message2));
+  nonempty(message) {
+    return this.min(1, errorUtil.errToObj(message));
   }
   trim() {
     return new ZodString({
@@ -19503,19 +19589,19 @@ class ZodNumber extends ZodType {
     }
     return { status: status.value, value: input.data };
   }
-  gte(value, message2) {
-    return this.setLimit("min", value, true, errorUtil.toString(message2));
+  gte(value, message) {
+    return this.setLimit("min", value, true, errorUtil.toString(message));
   }
-  gt(value, message2) {
-    return this.setLimit("min", value, false, errorUtil.toString(message2));
+  gt(value, message) {
+    return this.setLimit("min", value, false, errorUtil.toString(message));
   }
-  lte(value, message2) {
-    return this.setLimit("max", value, true, errorUtil.toString(message2));
+  lte(value, message) {
+    return this.setLimit("max", value, true, errorUtil.toString(message));
   }
-  lt(value, message2) {
-    return this.setLimit("max", value, false, errorUtil.toString(message2));
+  lt(value, message) {
+    return this.setLimit("max", value, false, errorUtil.toString(message));
   }
-  setLimit(kind, value, inclusive, message2) {
+  setLimit(kind, value, inclusive, message) {
     return new ZodNumber({
       ...this._def,
       checks: [
@@ -19524,7 +19610,7 @@ class ZodNumber extends ZodType {
           kind,
           value,
           inclusive,
-          message: errorUtil.toString(message2)
+          message: errorUtil.toString(message)
         }
       ]
     });
@@ -19535,68 +19621,68 @@ class ZodNumber extends ZodType {
       checks: [...this._def.checks, check]
     });
   }
-  int(message2) {
+  int(message) {
     return this._addCheck({
       kind: "int",
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
-  positive(message2) {
+  positive(message) {
     return this._addCheck({
       kind: "min",
       value: 0,
       inclusive: false,
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
-  negative(message2) {
+  negative(message) {
     return this._addCheck({
       kind: "max",
       value: 0,
       inclusive: false,
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
-  nonpositive(message2) {
+  nonpositive(message) {
     return this._addCheck({
       kind: "max",
       value: 0,
       inclusive: true,
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
-  nonnegative(message2) {
+  nonnegative(message) {
     return this._addCheck({
       kind: "min",
       value: 0,
       inclusive: true,
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
-  multipleOf(value, message2) {
+  multipleOf(value, message) {
     return this._addCheck({
       kind: "multipleOf",
       value,
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
-  finite(message2) {
+  finite(message) {
     return this._addCheck({
       kind: "finite",
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
-  safe(message2) {
+  safe(message) {
     return this._addCheck({
       kind: "min",
       inclusive: true,
       value: Number.MIN_SAFE_INTEGER,
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     })._addCheck({
       kind: "max",
       inclusive: true,
       value: Number.MAX_SAFE_INTEGER,
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
   get minValue() {
@@ -19719,19 +19805,19 @@ class ZodBigInt extends ZodType {
     });
     return INVALID;
   }
-  gte(value, message2) {
-    return this.setLimit("min", value, true, errorUtil.toString(message2));
+  gte(value, message) {
+    return this.setLimit("min", value, true, errorUtil.toString(message));
   }
-  gt(value, message2) {
-    return this.setLimit("min", value, false, errorUtil.toString(message2));
+  gt(value, message) {
+    return this.setLimit("min", value, false, errorUtil.toString(message));
   }
-  lte(value, message2) {
-    return this.setLimit("max", value, true, errorUtil.toString(message2));
+  lte(value, message) {
+    return this.setLimit("max", value, true, errorUtil.toString(message));
   }
-  lt(value, message2) {
-    return this.setLimit("max", value, false, errorUtil.toString(message2));
+  lt(value, message) {
+    return this.setLimit("max", value, false, errorUtil.toString(message));
   }
-  setLimit(kind, value, inclusive, message2) {
+  setLimit(kind, value, inclusive, message) {
     return new ZodBigInt({
       ...this._def,
       checks: [
@@ -19740,7 +19826,7 @@ class ZodBigInt extends ZodType {
           kind,
           value,
           inclusive,
-          message: errorUtil.toString(message2)
+          message: errorUtil.toString(message)
         }
       ]
     });
@@ -19751,43 +19837,43 @@ class ZodBigInt extends ZodType {
       checks: [...this._def.checks, check]
     });
   }
-  positive(message2) {
+  positive(message) {
     return this._addCheck({
       kind: "min",
       value: BigInt(0),
       inclusive: false,
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
-  negative(message2) {
+  negative(message) {
     return this._addCheck({
       kind: "max",
       value: BigInt(0),
       inclusive: false,
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
-  nonpositive(message2) {
+  nonpositive(message) {
     return this._addCheck({
       kind: "max",
       value: BigInt(0),
       inclusive: true,
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
-  nonnegative(message2) {
+  nonnegative(message) {
     return this._addCheck({
       kind: "min",
       value: BigInt(0),
       inclusive: true,
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
-  multipleOf(value, message2) {
+  multipleOf(value, message) {
     return this._addCheck({
       kind: "multipleOf",
       value,
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
   get minValue() {
@@ -19910,18 +19996,18 @@ class ZodDate extends ZodType {
       checks: [...this._def.checks, check]
     });
   }
-  min(minDate, message2) {
+  min(minDate, message) {
     return this._addCheck({
       kind: "min",
       value: minDate.getTime(),
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
-  max(maxDate, message2) {
+  max(maxDate, message) {
     return this._addCheck({
       kind: "max",
       value: maxDate.getTime(),
-      message: errorUtil.toString(message2)
+      message: errorUtil.toString(message)
     });
   }
   get minDate() {
@@ -20153,26 +20239,26 @@ class ZodArray extends ZodType {
   get element() {
     return this._def.type;
   }
-  min(minLength, message2) {
+  min(minLength, message) {
     return new ZodArray({
       ...this._def,
-      minLength: { value: minLength, message: errorUtil.toString(message2) }
+      minLength: { value: minLength, message: errorUtil.toString(message) }
     });
   }
-  max(maxLength, message2) {
+  max(maxLength, message) {
     return new ZodArray({
       ...this._def,
-      maxLength: { value: maxLength, message: errorUtil.toString(message2) }
+      maxLength: { value: maxLength, message: errorUtil.toString(message) }
     });
   }
-  length(len, message2) {
+  length(len, message) {
     return new ZodArray({
       ...this._def,
-      exactLength: { value: len, message: errorUtil.toString(message2) }
+      exactLength: { value: len, message: errorUtil.toString(message) }
     });
   }
-  nonempty(message2) {
-    return this.min(1, message2);
+  nonempty(message) {
+    return this.min(1, message);
   }
 }
 ZodArray.create = (schema, params) => {
@@ -20315,17 +20401,17 @@ class ZodObject extends ZodType {
   get shape() {
     return this._def.shape();
   }
-  strict(message2) {
+  strict(message) {
     errorUtil.errToObj;
     return new ZodObject({
       ...this._def,
       unknownKeys: "strict",
-      ...message2 !== void 0 ? {
+      ...message !== void 0 ? {
         errorMap: (issue, ctx) => {
           const defaultError = this._def.errorMap?.(issue, ctx).message ?? ctx.defaultError;
           if (issue.code === "unrecognized_keys")
             return {
-              message: errorUtil.errToObj(message2).message ?? defaultError
+              message: errorUtil.errToObj(message).message ?? defaultError
             };
           return {
             message: defaultError
@@ -20921,23 +21007,23 @@ class ZodSet extends ZodType {
       return finalizeSet(elements);
     }
   }
-  min(minSize, message2) {
+  min(minSize, message) {
     return new ZodSet({
       ...this._def,
-      minSize: { value: minSize, message: errorUtil.toString(message2) }
+      minSize: { value: minSize, message: errorUtil.toString(message) }
     });
   }
-  max(maxSize, message2) {
+  max(maxSize, message) {
     return new ZodSet({
       ...this._def,
-      maxSize: { value: maxSize, message: errorUtil.toString(message2) }
+      maxSize: { value: maxSize, message: errorUtil.toString(message) }
     });
   }
-  size(size, message2) {
-    return this.min(size, message2).max(size, message2);
+  size(size, message) {
+    return this.min(size, message).max(size, message);
   }
-  nonempty(message2) {
-    return this.min(1, message2);
+  nonempty(message) {
+    return this.min(1, message);
   }
 }
 ZodSet.create = (valueType, params) => {
@@ -21547,32 +21633,125 @@ ZodEnum.create;
 ZodPromise.create;
 ZodOptional.create;
 ZodNullable.create;
-function createGoogleProvider(clientId) {
-  const googleClient = new src$4.OAuth2Client(clientId);
+function createGoogleProvider(config) {
+  const clientId = typeof config === "string" ? config : config.clientId;
+  const clientSecret = typeof config === "string" ? void 0 : config.clientSecret;
+  const googleClient = new src$4.OAuth2Client(clientId, clientSecret);
   return {
     id: "google",
     schema: objectType({
-      idToken: stringType().min(1, "ID token is required")
+      idToken: stringType().min(1).optional(),
+      accessToken: stringType().min(1).optional(),
+      code: stringType().min(1).optional(),
+      redirectUri: stringType().min(1).optional()
+    }).refine((data) => data.idToken || data.accessToken || data.code && data.redirectUri, {
+      message: "One of idToken, accessToken, or code+redirectUri is required"
     }),
     verify: async (payload) => {
       try {
-        const ticket = await googleClient.verifyIdToken({
-          idToken: payload.idToken,
-          audience: clientId
-        });
-        const content = ticket.getPayload();
-        if (!content) {
-          return null;
+        if (payload.idToken) {
+          const ticket = await googleClient.verifyIdToken({
+            idToken: payload.idToken,
+            audience: clientId
+          });
+          const content = ticket.getPayload();
+          if (!content) {
+            throw new Error("Google ID token payload was empty");
+          }
+          return {
+            providerId: content.sub,
+            email: content.email || "",
+            displayName: content.name || null,
+            photoUrl: content.picture || null
+          };
         }
-        return {
-          providerId: content.sub,
-          email: content.email || "",
-          displayName: content.name || null,
-          photoUrl: content.picture || null
-        };
+        if (payload.accessToken) {
+          const res = await fetch("https://www.googleapis.com/oauth2/v3/userinfo", {
+            headers: {
+              Authorization: `Bearer ${payload.accessToken}`
+            }
+          });
+          if (!res.ok) {
+            throw new Error(`Google userinfo request failed with status ${res.status}`);
+          }
+          const info = await res.json();
+          if (!info.sub || !info.email) {
+            throw new Error("Google userinfo response missing sub or email");
+          }
+          return {
+            providerId: info.sub,
+            email: info.email,
+            displayName: info.name || null,
+            photoUrl: info.picture || null
+          };
+        }
+        if (payload.code && payload.redirectUri) {
+          if (!clientSecret) {
+            throw new Error("Google authorization code flow requires clientSecret. Configure GOOGLE_CLIENT_SECRET in your environment.");
+          }
+          const tokenResponse = await fetch("https://oauth2.googleapis.com/token", {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/x-www-form-urlencoded"
+            },
+            body: new URLSearchParams({
+              code: payload.code,
+              client_id: clientId,
+              client_secret: clientSecret,
+              redirect_uri: payload.redirectUri,
+              grant_type: "authorization_code"
+            })
+          });
+          if (!tokenResponse.ok) {
+            const errorBody = await tokenResponse.text();
+            throw new Error(`Google token exchange failed (${tokenResponse.status}): ${errorBody}`);
+          }
+          const tokenData = await tokenResponse.json();
+          if (tokenData.error) {
+            throw new Error(`Google token exchange error: ${tokenData.error} – ${tokenData.error_description || "no details"}`);
+          }
+          if (tokenData.id_token) {
+            const ticket = await googleClient.verifyIdToken({
+              idToken: tokenData.id_token,
+              audience: clientId
+            });
+            const content = ticket.getPayload();
+            if (!content) {
+              throw new Error("Google ID token payload was empty after code exchange");
+            }
+            return {
+              providerId: content.sub,
+              email: content.email || "",
+              displayName: content.name || null,
+              photoUrl: content.picture || null
+            };
+          }
+          if (tokenData.access_token) {
+            const userInfoRes = await fetch("https://www.googleapis.com/oauth2/v3/userinfo", {
+              headers: {
+                Authorization: `Bearer ${tokenData.access_token}`
+              }
+            });
+            if (!userInfoRes.ok) {
+              throw new Error(`Google userinfo request failed after code exchange (${userInfoRes.status})`);
+            }
+            const info = await userInfoRes.json();
+            if (!info.sub || !info.email) {
+              return null;
+            }
+            return {
+              providerId: info.sub,
+              email: info.email,
+              displayName: info.name || null,
+              photoUrl: info.picture || null
+            };
+          }
+          throw new Error("Google token exchange returned neither id_token nor access_token");
+        }
+        throw new Error("No valid Google credential provided (expected idToken, accessToken, or code+redirectUri)");
       } catch (error2) {
-        console.error("Failed to verify Google ID token:", error2);
-        return null;
+        console.error("Google OAuth verification failed:", error2);
+        throw error2;
       }
     }
   };
@@ -21764,1002 +21943,16 @@ function createMicrosoftProvider(config) {
     }
   };
 }
-const encoder = new TextEncoder();
-const decoder = new TextDecoder();
-function concat(...buffers) {
-  const size = buffers.reduce((acc, { length }) => acc + length, 0);
-  const buf = new Uint8Array(size);
-  let i = 0;
-  for (const buffer of buffers) {
-    buf.set(buffer, i);
-    i += buffer.length;
-  }
-  return buf;
-}
-function encode$4(string) {
-  const bytes = new Uint8Array(string.length);
-  for (let i = 0; i < string.length; i++) {
-    const code2 = string.charCodeAt(i);
-    if (code2 > 127) {
-      throw new TypeError("non-ASCII string encountered in encode()");
-    }
-    bytes[i] = code2;
-  }
-  return bytes;
-}
-function encodeBase64(input) {
-  if (Uint8Array.prototype.toBase64) {
-    return input.toBase64();
-  }
-  const CHUNK_SIZE = 32768;
-  const arr = [];
-  for (let i = 0; i < input.length; i += CHUNK_SIZE) {
-    arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
-  }
-  return btoa(arr.join(""));
-}
-function decodeBase64(encoded) {
-  if (Uint8Array.fromBase64) {
-    return Uint8Array.fromBase64(encoded);
-  }
-  const binary = atob(encoded);
-  const bytes = new Uint8Array(binary.length);
-  for (let i = 0; i < binary.length; i++) {
-    bytes[i] = binary.charCodeAt(i);
-  }
-  return bytes;
-}
-function decode$1(input) {
-  if (Uint8Array.fromBase64) {
-    return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), {
-      alphabet: "base64url"
-    });
-  }
-  let encoded = input;
-  if (encoded instanceof Uint8Array) {
-    encoded = decoder.decode(encoded);
-  }
-  encoded = encoded.replace(/-/g, "+").replace(/_/g, "/");
-  try {
-    return decodeBase64(encoded);
-  } catch {
-    throw new TypeError("The input to be decoded is not correctly encoded.");
-  }
-}
-function encode$3(input) {
-  let unencoded = input;
-  if (typeof unencoded === "string") {
-    unencoded = encoder.encode(unencoded);
-  }
-  if (Uint8Array.prototype.toBase64) {
-    return unencoded.toBase64({ alphabet: "base64url", omitPadding: true });
-  }
-  return encodeBase64(unencoded).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-const unusable = (name2, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name2}`);
-const isAlgorithm = (algorithm, name2) => algorithm.name === name2;
-function getHashLength(hash) {
-  return parseInt(hash.name.slice(4), 10);
-}
-function checkHashLength(algorithm, expected) {
-  const actual = getHashLength(algorithm.hash);
-  if (actual !== expected)
-    throw unusable(`SHA-${expected}`, "algorithm.hash");
-}
-function getNamedCurve(alg) {
-  switch (alg) {
-    case "ES256":
-      return "P-256";
-    case "ES384":
-      return "P-384";
-    case "ES512":
-      return "P-521";
-    default:
-      throw new Error("unreachable");
-  }
-}
-function checkUsage(key, usage) {
-  if (!key.usages.includes(usage)) {
-    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
-  }
-}
-function checkSigCryptoKey(key, alg, usage) {
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512": {
-      if (!isAlgorithm(key.algorithm, "HMAC"))
-        throw unusable("HMAC");
-      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
-      break;
-    }
-    case "RS256":
-    case "RS384":
-    case "RS512": {
-      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw unusable("RSASSA-PKCS1-v1_5");
-      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
-      break;
-    }
-    case "PS256":
-    case "PS384":
-    case "PS512": {
-      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
-        throw unusable("RSA-PSS");
-      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
-      break;
-    }
-    case "Ed25519":
-    case "EdDSA": {
-      if (!isAlgorithm(key.algorithm, "Ed25519"))
-        throw unusable("Ed25519");
-      break;
-    }
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87": {
-      if (!isAlgorithm(key.algorithm, alg))
-        throw unusable(alg);
-      break;
-    }
-    case "ES256":
-    case "ES384":
-    case "ES512": {
-      if (!isAlgorithm(key.algorithm, "ECDSA"))
-        throw unusable("ECDSA");
-      const expected = getNamedCurve(alg);
-      const actual = key.algorithm.namedCurve;
-      if (actual !== expected)
-        throw unusable(expected, "algorithm.namedCurve");
-      break;
-    }
-    default:
-      throw new TypeError("CryptoKey does not support this operation");
-  }
-  checkUsage(key, usage);
-}
-function message(msg, actual, ...types2) {
-  types2 = types2.filter(Boolean);
-  if (types2.length > 2) {
-    const last = types2.pop();
-    msg += `one of type ${types2.join(", ")}, or ${last}.`;
-  } else if (types2.length === 2) {
-    msg += `one of type ${types2[0]} or ${types2[1]}.`;
-  } else {
-    msg += `of type ${types2[0]}.`;
-  }
-  if (actual == null) {
-    msg += ` Received ${actual}`;
-  } else if (typeof actual === "function" && actual.name) {
-    msg += ` Received function ${actual.name}`;
-  } else if (typeof actual === "object" && actual != null) {
-    if (actual.constructor?.name) {
-      msg += ` Received an instance of ${actual.constructor.name}`;
-    }
-  }
-  return msg;
-}
-const invalidKeyInput = (actual, ...types2) => message("Key must be ", actual, ...types2);
-const withAlg = (alg, actual, ...types2) => message(`Key for the ${alg} algorithm must be `, actual, ...types2);
-class JOSEError extends Error {
-  static code = "ERR_JOSE_GENERIC";
-  code = "ERR_JOSE_GENERIC";
-  constructor(message2, options2) {
-    super(message2, options2);
-    this.name = this.constructor.name;
-    Error.captureStackTrace?.(this, this.constructor);
-  }
-}
-class JOSENotSupported extends JOSEError {
-  static code = "ERR_JOSE_NOT_SUPPORTED";
-  code = "ERR_JOSE_NOT_SUPPORTED";
-}
-class JWSInvalid extends JOSEError {
-  static code = "ERR_JWS_INVALID";
-  code = "ERR_JWS_INVALID";
-}
-class JWTInvalid extends JOSEError {
-  static code = "ERR_JWT_INVALID";
-  code = "ERR_JWT_INVALID";
-}
-const isCryptoKey = (key) => {
-  if (key?.[Symbol.toStringTag] === "CryptoKey")
-    return true;
-  try {
-    return key instanceof CryptoKey;
-  } catch {
-    return false;
-  }
-};
-const isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject";
-const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
-function assertNotSet(value, name2) {
-  if (value) {
-    throw new TypeError(`${name2} can only be called once`);
-  }
-}
-const isObjectLike$1 = (value) => typeof value === "object" && value !== null;
-function isObject(input) {
-  if (!isObjectLike$1(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-    return false;
-  }
-  if (Object.getPrototypeOf(input) === null) {
-    return true;
-  }
-  let proto = input;
-  while (Object.getPrototypeOf(proto) !== null) {
-    proto = Object.getPrototypeOf(proto);
-  }
-  return Object.getPrototypeOf(input) === proto;
-}
-function isDisjoint(...headers) {
-  const sources = headers.filter(Boolean);
-  if (sources.length === 0 || sources.length === 1) {
-    return true;
-  }
-  let acc;
-  for (const header of sources) {
-    const parameters = Object.keys(header);
-    if (!acc || acc.size === 0) {
-      acc = new Set(parameters);
-      continue;
-    }
-    for (const parameter of parameters) {
-      if (acc.has(parameter)) {
-        return false;
-      }
-      acc.add(parameter);
-    }
-  }
-  return true;
-}
-const isJWK = (key) => isObject(key) && typeof key.kty === "string";
-const isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
-const isPublicJWK = (key) => key.kty !== "oct" && key.d === void 0 && key.priv === void 0;
-const isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
-function checkKeyLength(alg, key) {
-  if (alg.startsWith("RS") || alg.startsWith("PS")) {
-    const { modulusLength } = key.algorithm;
-    if (typeof modulusLength !== "number" || modulusLength < 2048) {
-      throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
-    }
-  }
-}
-function subtleAlgorithm(alg, algorithm) {
-  const hash = `SHA-${alg.slice(-3)}`;
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512":
-      return { hash, name: "HMAC" };
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      return { hash, name: "RSASSA-PKCS1-v1_5" };
-    case "ES256":
-    case "ES384":
-    case "ES512":
-      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
-    case "Ed25519":
-    case "EdDSA":
-      return { name: "Ed25519" };
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-      return { name: alg };
-    default:
-      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-async function getSigKey(alg, key, usage) {
-  if (key instanceof Uint8Array) {
-    if (!alg.startsWith("HS")) {
-      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-    }
-    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
-  }
-  checkSigCryptoKey(key, alg, usage);
-  return key;
-}
-async function sign$2(alg, key, data) {
-  const cryptoKey = await getSigKey(alg, key, "sign");
-  checkKeyLength(alg, cryptoKey);
-  const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);
-  return new Uint8Array(signature);
-}
-const unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
-function subtleMapping(jwk) {
-  let algorithm;
-  let keyUsages;
-  switch (jwk.kty) {
-    case "AKP": {
-      switch (jwk.alg) {
-        case "ML-DSA-44":
-        case "ML-DSA-65":
-        case "ML-DSA-87":
-          algorithm = { name: jwk.alg };
-          keyUsages = jwk.priv ? ["sign"] : ["verify"];
-          break;
-        default:
-          throw new JOSENotSupported(unsupportedAlg);
-      }
-      break;
-    }
-    case "RSA": {
-      switch (jwk.alg) {
-        case "PS256":
-        case "PS384":
-        case "PS512":
-          algorithm = { name: "RSA-PSS", hash: `SHA-${jwk.alg.slice(-3)}` };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
-        case "RS256":
-        case "RS384":
-        case "RS512":
-          algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${jwk.alg.slice(-3)}` };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
-        case "RSA-OAEP":
-        case "RSA-OAEP-256":
-        case "RSA-OAEP-384":
-        case "RSA-OAEP-512":
-          algorithm = {
-            name: "RSA-OAEP",
-            hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
-          };
-          keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
-          break;
-        default:
-          throw new JOSENotSupported(unsupportedAlg);
-      }
-      break;
-    }
-    case "EC": {
-      switch (jwk.alg) {
-        case "ES256":
-        case "ES384":
-        case "ES512":
-          algorithm = {
-            name: "ECDSA",
-            namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
-          };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
-        case "ECDH-ES":
-        case "ECDH-ES+A128KW":
-        case "ECDH-ES+A192KW":
-        case "ECDH-ES+A256KW":
-          algorithm = { name: "ECDH", namedCurve: jwk.crv };
-          keyUsages = jwk.d ? ["deriveBits"] : [];
-          break;
-        default:
-          throw new JOSENotSupported(unsupportedAlg);
-      }
-      break;
-    }
-    case "OKP": {
-      switch (jwk.alg) {
-        case "Ed25519":
-        case "EdDSA":
-          algorithm = { name: "Ed25519" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
-        case "ECDH-ES":
-        case "ECDH-ES+A128KW":
-        case "ECDH-ES+A192KW":
-        case "ECDH-ES+A256KW":
-          algorithm = { name: jwk.crv };
-          keyUsages = jwk.d ? ["deriveBits"] : [];
-          break;
-        default:
-          throw new JOSENotSupported(unsupportedAlg);
-      }
-      break;
-    }
-    default:
-      throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
-  }
-  return { algorithm, keyUsages };
-}
-async function jwkToKey(jwk) {
-  if (!jwk.alg) {
-    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-  }
-  const { algorithm, keyUsages } = subtleMapping(jwk);
-  const keyData = { ...jwk };
-  if (keyData.kty !== "AKP") {
-    delete keyData.alg;
-  }
-  delete keyData.use;
-  return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
-}
-const unusableForAlg = "given KeyObject instance cannot be used for this algorithm";
-let cache;
-const handleJWK = async (key, jwk, alg, freeze = false) => {
-  cache ||= /* @__PURE__ */ new WeakMap();
-  let cached = cache.get(key);
-  if (cached?.[alg]) {
-    return cached[alg];
-  }
-  const cryptoKey = await jwkToKey({ ...jwk, alg });
-  if (freeze)
-    Object.freeze(key);
-  if (!cached) {
-    cache.set(key, { [alg]: cryptoKey });
-  } else {
-    cached[alg] = cryptoKey;
-  }
-  return cryptoKey;
-};
-const handleKeyObject = (keyObject, alg) => {
-  cache ||= /* @__PURE__ */ new WeakMap();
-  let cached = cache.get(keyObject);
-  if (cached?.[alg]) {
-    return cached[alg];
-  }
-  const isPublic = keyObject.type === "public";
-  const extractable = isPublic ? true : false;
-  let cryptoKey;
-  if (keyObject.asymmetricKeyType === "x25519") {
-    switch (alg) {
-      case "ECDH-ES":
-      case "ECDH-ES+A128KW":
-      case "ECDH-ES+A192KW":
-      case "ECDH-ES+A256KW":
-        break;
-      default:
-        throw new TypeError(unusableForAlg);
-    }
-    cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
-  }
-  if (keyObject.asymmetricKeyType === "ed25519") {
-    if (alg !== "EdDSA" && alg !== "Ed25519") {
-      throw new TypeError(unusableForAlg);
-    }
-    cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
-      isPublic ? "verify" : "sign"
-    ]);
-  }
-  switch (keyObject.asymmetricKeyType) {
-    case "ml-dsa-44":
-    case "ml-dsa-65":
-    case "ml-dsa-87": {
-      if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-        throw new TypeError(unusableForAlg);
-      }
-      cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
-        isPublic ? "verify" : "sign"
-      ]);
-    }
-  }
-  if (keyObject.asymmetricKeyType === "rsa") {
-    let hash;
-    switch (alg) {
-      case "RSA-OAEP":
-        hash = "SHA-1";
-        break;
-      case "RS256":
-      case "PS256":
-      case "RSA-OAEP-256":
-        hash = "SHA-256";
-        break;
-      case "RS384":
-      case "PS384":
-      case "RSA-OAEP-384":
-        hash = "SHA-384";
-        break;
-      case "RS512":
-      case "PS512":
-      case "RSA-OAEP-512":
-        hash = "SHA-512";
-        break;
-      default:
-        throw new TypeError(unusableForAlg);
-    }
-    if (alg.startsWith("RSA-OAEP")) {
-      return keyObject.toCryptoKey({
-        name: "RSA-OAEP",
-        hash
-      }, extractable, isPublic ? ["encrypt"] : ["decrypt"]);
-    }
-    cryptoKey = keyObject.toCryptoKey({
-      name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
-      hash
-    }, extractable, [isPublic ? "verify" : "sign"]);
-  }
-  if (keyObject.asymmetricKeyType === "ec") {
-    const nist = /* @__PURE__ */ new Map([
-      ["prime256v1", "P-256"],
-      ["secp384r1", "P-384"],
-      ["secp521r1", "P-521"]
-    ]);
-    const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
-    if (!namedCurve) {
-      throw new TypeError(unusableForAlg);
-    }
-    const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
-    if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (alg.startsWith("ECDH-ES")) {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDH",
-        namedCurve
-      }, extractable, isPublic ? [] : ["deriveBits"]);
-    }
-  }
-  if (!cryptoKey) {
-    throw new TypeError(unusableForAlg);
-  }
-  if (!cached) {
-    cache.set(keyObject, { [alg]: cryptoKey });
-  } else {
-    cached[alg] = cryptoKey;
-  }
-  return cryptoKey;
-};
-async function normalizeKey$1(key, alg) {
-  if (key instanceof Uint8Array) {
-    return key;
-  }
-  if (isCryptoKey(key)) {
-    return key;
-  }
-  if (isKeyObject(key)) {
-    if (key.type === "secret") {
-      return key.export();
-    }
-    if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
-      try {
-        return handleKeyObject(key, alg);
-      } catch (err) {
-        if (err instanceof TypeError) {
-          throw err;
-        }
-      }
-    }
-    let jwk = key.export({ format: "jwk" });
-    return handleJWK(key, jwk, alg);
-  }
-  if (isJWK(key)) {
-    if (key.k) {
-      return decode$1(key.k);
-    }
-    return handleJWK(key, key, alg, true);
-  }
-  throw new Error("unreachable");
-}
-function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-  if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-  }
-  if (!protectedHeader || protectedHeader.crit === void 0) {
-    return /* @__PURE__ */ new Set();
-  }
-  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  }
-  let recognized;
-  if (recognizedOption !== void 0) {
-    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-  } else {
-    recognized = recognizedDefault;
-  }
-  for (const parameter of protectedHeader.crit) {
-    if (!recognized.has(parameter)) {
-      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
-    }
-    if (joseHeader[parameter] === void 0) {
-      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-    }
-    if (recognized.get(parameter) && protectedHeader[parameter] === void 0) {
-      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-    }
-  }
-  return new Set(protectedHeader.crit);
-}
-const tag = (key) => key?.[Symbol.toStringTag];
-const jwkMatchesOp = (alg, key, usage) => {
-  if (key.use !== void 0) {
-    let expected;
-    switch (usage) {
-      case "sign":
-      case "verify":
-        expected = "sig";
-        break;
-      case "encrypt":
-      case "decrypt":
-        expected = "enc";
-        break;
-    }
-    if (key.use !== expected) {
-      throw new TypeError(`Invalid key for this operation, its "use" must be "${expected}" when present`);
-    }
-  }
-  if (key.alg !== void 0 && key.alg !== alg) {
-    throw new TypeError(`Invalid key for this operation, its "alg" must be "${alg}" when present`);
-  }
-  if (Array.isArray(key.key_ops)) {
-    let expectedKeyOp;
-    switch (true) {
-      case usage === "sign":
-      case alg === "dir":
-      case alg.includes("CBC-HS"):
-        expectedKeyOp = usage;
-        break;
-      case alg.startsWith("PBES2"):
-        expectedKeyOp = "deriveBits";
-        break;
-      case /^A\d{3}(?:GCM)?(?:KW)?$/.test(alg):
-        if (!alg.includes("GCM") && alg.endsWith("KW")) {
-          expectedKeyOp = "unwrapKey";
-        } else {
-          expectedKeyOp = usage;
-        }
-        break;
-      case usage === "encrypt":
-        expectedKeyOp = "wrapKey";
-        break;
-      case usage === "decrypt":
-        expectedKeyOp = alg.startsWith("RSA") ? "unwrapKey" : "deriveBits";
-        break;
-    }
-    if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {
-      throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${expectedKeyOp}" when present`);
-    }
-  }
-  return true;
-};
-const symmetricTypeCheck = (alg, key, usage) => {
-  if (key instanceof Uint8Array)
-    return;
-  if (isJWK(key)) {
-    if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage))
-      return;
-    throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
-  }
-  if (!isKeyLike(key)) {
-    throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
-  }
-  if (key.type !== "secret") {
-    throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
-  }
-};
-const asymmetricTypeCheck = (alg, key, usage) => {
-  if (isJWK(key)) {
-    switch (usage) {
-      case "decrypt":
-      case "sign":
-        if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))
-          return;
-        throw new TypeError(`JSON Web Key for this operation must be a private JWK`);
-      case "encrypt":
-      case "verify":
-        if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage))
-          return;
-        throw new TypeError(`JSON Web Key for this operation must be a public JWK`);
-    }
-  }
-  if (!isKeyLike(key)) {
-    throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key"));
-  }
-  if (key.type === "secret") {
-    throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
-  }
-  if (key.type === "public") {
-    switch (usage) {
-      case "sign":
-        throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
-      case "decrypt":
-        throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
-    }
-  }
-  if (key.type === "private") {
-    switch (usage) {
-      case "verify":
-        throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
-      case "encrypt":
-        throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
-    }
-  }
-};
-function checkKeyType(alg, key, usage) {
-  switch (alg.substring(0, 2)) {
-    case "A1":
-    case "A2":
-    case "di":
-    case "HS":
-    case "PB":
-      symmetricTypeCheck(alg, key, usage);
-      break;
-    default:
-      asymmetricTypeCheck(alg, key, usage);
-  }
-}
-const epoch = (date) => Math.floor(date.getTime() / 1e3);
-const minute = 60;
-const hour = minute * 60;
-const day = hour * 24;
-const week = day * 7;
-const year = day * 365.25;
-const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
-function secs(str) {
-  const matched = REGEX.exec(str);
-  if (!matched || matched[4] && matched[1]) {
-    throw new TypeError("Invalid time period format");
-  }
-  const value = parseFloat(matched[2]);
-  const unit = matched[3].toLowerCase();
-  let numericDate;
-  switch (unit) {
-    case "sec":
-    case "secs":
-    case "second":
-    case "seconds":
-    case "s":
-      numericDate = Math.round(value);
-      break;
-    case "minute":
-    case "minutes":
-    case "min":
-    case "mins":
-    case "m":
-      numericDate = Math.round(value * minute);
-      break;
-    case "hour":
-    case "hours":
-    case "hr":
-    case "hrs":
-    case "h":
-      numericDate = Math.round(value * hour);
-      break;
-    case "day":
-    case "days":
-    case "d":
-      numericDate = Math.round(value * day);
-      break;
-    case "week":
-    case "weeks":
-    case "w":
-      numericDate = Math.round(value * week);
-      break;
-    default:
-      numericDate = Math.round(value * year);
-      break;
-  }
-  if (matched[1] === "-" || matched[4] === "ago") {
-    return -numericDate;
-  }
-  return numericDate;
-}
-function validateInput(label, input) {
-  if (!Number.isFinite(input)) {
-    throw new TypeError(`Invalid ${label} input`);
-  }
-  return input;
-}
-class JWTClaimsBuilder {
-  #payload;
-  constructor(payload) {
-    if (!isObject(payload)) {
-      throw new TypeError("JWT Claims Set MUST be an object");
-    }
-    this.#payload = structuredClone(payload);
-  }
-  data() {
-    return encoder.encode(JSON.stringify(this.#payload));
-  }
-  get iss() {
-    return this.#payload.iss;
-  }
-  set iss(value) {
-    this.#payload.iss = value;
-  }
-  get sub() {
-    return this.#payload.sub;
-  }
-  set sub(value) {
-    this.#payload.sub = value;
-  }
-  get aud() {
-    return this.#payload.aud;
-  }
-  set aud(value) {
-    this.#payload.aud = value;
-  }
-  set jti(value) {
-    this.#payload.jti = value;
-  }
-  set nbf(value) {
-    if (typeof value === "number") {
-      this.#payload.nbf = validateInput("setNotBefore", value);
-    } else if (value instanceof Date) {
-      this.#payload.nbf = validateInput("setNotBefore", epoch(value));
-    } else {
-      this.#payload.nbf = epoch(/* @__PURE__ */ new Date()) + secs(value);
-    }
-  }
-  set exp(value) {
-    if (typeof value === "number") {
-      this.#payload.exp = validateInput("setExpirationTime", value);
-    } else if (value instanceof Date) {
-      this.#payload.exp = validateInput("setExpirationTime", epoch(value));
-    } else {
-      this.#payload.exp = epoch(/* @__PURE__ */ new Date()) + secs(value);
-    }
-  }
-  set iat(value) {
-    if (value === void 0) {
-      this.#payload.iat = epoch(/* @__PURE__ */ new Date());
-    } else if (value instanceof Date) {
-      this.#payload.iat = validateInput("setIssuedAt", epoch(value));
-    } else if (typeof value === "string") {
-      this.#payload.iat = validateInput("setIssuedAt", epoch(/* @__PURE__ */ new Date()) + secs(value));
-    } else {
-      this.#payload.iat = validateInput("setIssuedAt", value);
-    }
-  }
-}
-class FlattenedSign {
-  #payload;
-  #protectedHeader;
-  #unprotectedHeader;
-  constructor(payload) {
-    if (!(payload instanceof Uint8Array)) {
-      throw new TypeError("payload must be an instance of Uint8Array");
-    }
-    this.#payload = payload;
-  }
-  setProtectedHeader(protectedHeader) {
-    assertNotSet(this.#protectedHeader, "setProtectedHeader");
-    this.#protectedHeader = protectedHeader;
-    return this;
-  }
-  setUnprotectedHeader(unprotectedHeader) {
-    assertNotSet(this.#unprotectedHeader, "setUnprotectedHeader");
-    this.#unprotectedHeader = unprotectedHeader;
-    return this;
-  }
-  async sign(key, options2) {
-    if (!this.#protectedHeader && !this.#unprotectedHeader) {
-      throw new JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
-    }
-    if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {
-      throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
-    }
-    const joseHeader = {
-      ...this.#protectedHeader,
-      ...this.#unprotectedHeader
-    };
-    const extensions2 = validateCrit(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options2?.crit, this.#protectedHeader, joseHeader);
-    let b64 = true;
-    if (extensions2.has("b64")) {
-      b64 = this.#protectedHeader.b64;
-      if (typeof b64 !== "boolean") {
-        throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
-      }
-    }
-    const { alg } = joseHeader;
-    if (typeof alg !== "string" || !alg) {
-      throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
-    }
-    checkKeyType(alg, key, "sign");
-    let payloadS;
-    let payloadB;
-    if (b64) {
-      payloadS = encode$3(this.#payload);
-      payloadB = encode$4(payloadS);
-    } else {
-      payloadB = this.#payload;
-      payloadS = "";
-    }
-    let protectedHeaderString;
-    let protectedHeaderBytes;
-    if (this.#protectedHeader) {
-      protectedHeaderString = encode$3(JSON.stringify(this.#protectedHeader));
-      protectedHeaderBytes = encode$4(protectedHeaderString);
-    } else {
-      protectedHeaderString = "";
-      protectedHeaderBytes = new Uint8Array();
-    }
-    const data = concat(protectedHeaderBytes, encode$4("."), payloadB);
-    const k = await normalizeKey$1(key, alg);
-    const signature = await sign$2(alg, k, data);
-    const jws2 = {
-      signature: encode$3(signature),
-      payload: payloadS
-    };
-    if (this.#unprotectedHeader) {
-      jws2.header = this.#unprotectedHeader;
-    }
-    if (this.#protectedHeader) {
-      jws2.protected = protectedHeaderString;
-    }
-    return jws2;
-  }
-}
-class CompactSign {
-  #flattened;
-  constructor(payload) {
-    this.#flattened = new FlattenedSign(payload);
-  }
-  setProtectedHeader(protectedHeader) {
-    this.#flattened.setProtectedHeader(protectedHeader);
-    return this;
-  }
-  async sign(key, options2) {
-    const jws2 = await this.#flattened.sign(key, options2);
-    if (jws2.payload === void 0) {
-      throw new TypeError("use the flattened module for creating JWS with b64: false");
-    }
-    return `${jws2.protected}.${jws2.payload}.${jws2.signature}`;
-  }
-}
-class SignJWT {
-  #protectedHeader;
-  #jwt;
-  constructor(payload = {}) {
-    this.#jwt = new JWTClaimsBuilder(payload);
-  }
-  setIssuer(issuer) {
-    this.#jwt.iss = issuer;
-    return this;
-  }
-  setSubject(subject) {
-    this.#jwt.sub = subject;
-    return this;
-  }
-  setAudience(audience) {
-    this.#jwt.aud = audience;
-    return this;
-  }
-  setJti(jwtId) {
-    this.#jwt.jti = jwtId;
-    return this;
-  }
-  setNotBefore(input) {
-    this.#jwt.nbf = input;
-    return this;
-  }
-  setExpirationTime(input) {
-    this.#jwt.exp = input;
-    return this;
-  }
-  setIssuedAt(input) {
-    this.#jwt.iat = input;
-    return this;
-  }
-  setProtectedHeader(protectedHeader) {
-    this.#protectedHeader = protectedHeader;
-    return this;
-  }
-  async sign(key, options2) {
-    const sig = new CompactSign(this.#jwt.data());
-    sig.setProtectedHeader(this.#protectedHeader);
-    if (Array.isArray(this.#protectedHeader?.crit) && this.#protectedHeader.crit.includes("b64") && this.#protectedHeader.b64 === false) {
-      throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
-    }
-    return sig.sign(key, options2);
-  }
-}
 function createAppleProvider(config) {
   async function generateClientSecret() {
-    const key = createPrivateKey$1({
-      key: config.privateKey,
-      format: "pem"
+    return jwt.sign({}, config.privateKey, {
+      algorithm: "ES256",
+      keyid: config.keyId,
+      issuer: config.teamId,
+      expiresIn: "180d",
+      audience: "https://appleid.apple.com",
+      subject: config.clientId
     });
-    const now = Math.floor(Date.now() / 1e3);
-    return new SignJWT({}).setProtectedHeader({
-      alg: "ES256",
-      kid: config.keyId
-    }).setIssuer(config.teamId).setIssuedAt(now).setExpirationTime(now + 86400 * 180).setAudience("https://appleid.apple.com").setSubject(config.clientId).sign(key);
   }
   return {
     id: "apple",
@@ -23567,7 +22760,7 @@ function createRateLimiter(options2 = {}) {
     windowMs = 15 * 60 * 1e3,
     limit = 100,
     keyGenerator = defaultKeyGenerator,
-    message: message2 = "Too many requests, please try again later."
+    message = "Too many requests, please try again later."
   } = options2;
   const store = /* @__PURE__ */ new Map();
   const cleanupInterval = setInterval(() => {
@@ -23602,7 +22795,7 @@ function createRateLimiter(options2 = {}) {
       c.header("X-RateLimit-Reset", String(Math.ceil((now + retryAfterMs) / 1e3)));
       return c.json({
         error: {
-          message: message2,
+          message,
           code: "RATE_LIMITED"
         }
       }, 429);
@@ -23614,7 +22807,12 @@ function createRateLimiter(options2 = {}) {
   };
 }
 function defaultKeyGenerator(c) {
-  return c.req.header("x-forwarded-for")?.split(",")[0]?.trim() || c.req.header("x-real-ip") || "unknown";
+  const forwardedFor = c.req.header("x-forwarded-for");
+  if (forwardedFor) {
+    const ips = forwardedFor.split(",");
+    return ips[ips.length - 1].trim();
+  }
+  return c.req.header("x-real-ip") || "unknown";
 }
 const defaultAuthLimiter = createRateLimiter({
   windowMs: 15 * 60 * 1e3,
@@ -23761,7 +22959,11 @@ function createAuthRoutes(config) {
       passwordHash,
       displayName: displayName || void 0
     });
-    if (config.defaultRole) {
+    const existingUsers = await authRepo.listUsers();
+    const isFirstUser = existingUsers.length === 1 && existingUsers[0].id === user.id;
+    if (isFirstUser) {
+      await authRepo.setUserRoles(user.id, ["admin"]);
+    } else if (config.defaultRole) {
       await authRepo.assignDefaultRole(user.id, config.defaultRole);
     }
     const {
@@ -23802,7 +23004,13 @@ function createAuthRoutes(config) {
     for (const provider of config.oauthProviders) {
       router.post(`/${provider.id}`, defaultAuthLimiter, async (c) => {
         const payload = parseBody2(provider.schema, await c.req.json());
-        const externalUser = await provider.verify(payload);
+        let externalUser;
+        try {
+          externalUser = await provider.verify(payload);
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          throw ApiError.unauthorized(`${provider.id} login failed: ${msg}`, "OAUTH_ERROR");
+        }
         if (!externalUser) {
           throw ApiError.unauthorized(`Invalid ${provider.id} credentials`, "INVALID_TOKEN");
         }
@@ -23826,7 +23034,11 @@ function createAuthRoutes(config) {
             await authRepo.linkUserIdentity(user.id, provider.id, externalUser.providerId, {
               email: externalUser.email
             });
-            if (config.defaultRole) {
+            const allUsers = await authRepo.listUsers();
+            const isFirstUser = allUsers.length === 1 && allUsers[0].id === user.id;
+            if (isFirstUser) {
+              await authRepo.setUserRoles(user.id, ["admin"]);
+            } else if (config.defaultRole) {
               await authRepo.assignDefaultRole(user.id, config.defaultRole);
             }
             sendWelcomeEmail({
@@ -24182,8 +23394,45 @@ function createAdminRoutes(config) {
   const authRepo = config.authRepo;
   const {
     emailService,
-    emailConfig
+    emailConfig,
+    hooks
   } = config;
+  function buildHookContext(c, method) {
+    const user = c.get("user");
+    return {
+      requestUser: user ? {
+        userId: user.userId,
+        roles: user.roles ?? []
+      } : void 0,
+      method
+    };
+  }
+  async function applyUserAfterRead(user, ctx) {
+    if (!hooks?.users?.afterRead) return user;
+    return hooks.users.afterRead(user, ctx);
+  }
+  async function applyUserAfterReadBatch(users, ctx) {
+    if (!hooks?.users?.afterRead) return users;
+    const results = await Promise.all(users.map((u) => applyUserAfterRead(u, ctx)));
+    return results.filter((u) => u !== null);
+  }
+  async function applyRoleAfterReadBatch(roles, ctx) {
+    if (!hooks?.roles?.afterRead) return roles;
+    const results = await Promise.all(roles.map((r) => hooks.roles.afterRead(r, ctx)));
+    return results.filter((r) => r !== null);
+  }
+  function toAdminUser(u, roles) {
+    return {
+      uid: u.id,
+      email: u.email,
+      displayName: u.displayName ?? null,
+      photoURL: u.photoUrl ?? null,
+      provider: "custom",
+      roles,
+      createdAt: u.createdAt instanceof Date ? u.createdAt.toISOString() : u.createdAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+      updatedAt: u.updatedAt instanceof Date ? u.updatedAt.toISOString() : u.updatedAt ?? (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
   router.onError(errorHandler);
   router.use("/*", createRequireAuth({
     serviceKey: config.serviceKey
@@ -24234,6 +23483,7 @@ function createAdminRoutes(config) {
     const search = c.req.query("search");
     const orderBy = c.req.query("orderBy");
     const orderDir = c.req.query("orderDir");
+    const hookCtx = buildHookContext(c, "GET");
     if (limitParam !== void 0 || search) {
       const limit = limitParam ? parseInt(limitParam, 10) : 25;
       const offset = offsetParam ? parseInt(offsetParam, 10) : 0;
@@ -24245,18 +23495,11 @@ function createAdminRoutes(config) {
         orderDir: orderDir || void 0,
         roleId: c.req.query("role") || void 0
       });
-      const usersWithRoles2 = await Promise.all(result.users.map(async (u) => {
+      let usersWithRoles2 = await Promise.all(result.users.map(async (u) => {
         const roles = await authRepo.getUserRoleIds(u.id);
-        return {
-          uid: u.id,
-          email: u.email,
-          displayName: u.displayName,
-          photoURL: u.photoUrl,
-          roles,
-          createdAt: u.createdAt,
-          updatedAt: u.updatedAt
-        };
+        return toAdminUser(u, roles);
       }));
+      usersWithRoles2 = await applyUserAfterReadBatch(usersWithRoles2, hookCtx);
       return c.json({
         users: usersWithRoles2,
         total: result.total,
@@ -24265,18 +23508,11 @@ function createAdminRoutes(config) {
       });
     }
     const users = await authRepo.listUsers();
-    const usersWithRoles = await Promise.all(users.map(async (u) => {
+    let usersWithRoles = await Promise.all(users.map(async (u) => {
       const roles = await authRepo.getUserRoleIds(u.id);
-      return {
-        uid: u.id,
-        email: u.email,
-        displayName: u.displayName,
-        photoURL: u.photoUrl,
-        roles,
-        createdAt: u.createdAt,
-        updatedAt: u.updatedAt
-      };
+      return toAdminUser(u, roles);
     }));
+    usersWithRoles = await applyUserAfterReadBatch(usersWithRoles, hookCtx);
     return c.json({
       users: usersWithRoles
     });
@@ -24287,21 +23523,19 @@ function createAdminRoutes(config) {
     if (!result) {
       throw ApiError.notFound("User not found");
     }
+    const hookCtx = buildHookContext(c, "GET");
+    let adminUser = toAdminUser(result.user, result.roles.map((r) => r.id));
+    adminUser = await applyUserAfterRead(adminUser, hookCtx);
+    if (!adminUser) {
+      throw ApiError.notFound("User not found");
+    }
     return c.json({
-      user: {
-        uid: result.user.id,
-        email: result.user.email,
-        displayName: result.user.displayName,
-        photoURL: result.user.photoUrl,
-        roles: result.roles.map((r) => r.id),
-        createdAt: result.user.createdAt,
-        updatedAt: result.user.updatedAt
-      }
+      user: adminUser
     });
   });
   router.post("/users", requireAdmin, async (c) => {
     const body = await c.req.json();
-    const {
+    let {
       email,
       displayName,
       password,
@@ -24310,6 +23544,17 @@ function createAdminRoutes(config) {
     if (!email) {
       throw ApiError.badRequest("Email is required", "INVALID_INPUT");
     }
+    const hookCtx = buildHookContext(c, "POST");
+    if (hooks?.users?.beforeSave) {
+      const hooked = await hooks.users.beforeSave({
+        email,
+        displayName,
+        roles
+      }, hookCtx);
+      email = hooked.email ?? email;
+      displayName = hooked.displayName ?? displayName;
+      roles = hooked.roles ?? roles;
+    }
     const existing = await authRepo.getUserByEmail(email);
     if (existing) {
       throw ApiError.conflict("Email already exists", "EMAIL_EXISTS");
@@ -24365,13 +23610,14 @@ function createAdminRoutes(config) {
     } else if (!password) {
       temporaryPassword = clearPassword;
     }
+    const createdAdminUser = toAdminUser(user, userRoles);
+    if (hooks?.users?.afterSave) {
+      Promise.resolve(hooks.users.afterSave(createdAdminUser, hookCtx)).catch((err) => {
+        console.error("[BackendHooks] users.afterSave error:", err instanceof Error ? err.message : err);
+      });
+    }
     return c.json({
-      user: {
-        uid: user.id,
-        email: user.email,
-        displayName: user.displayName,
-        roles: userRoles
-      },
+      user: createdAdminUser,
       invitationSent,
       ...temporaryPassword ? {
         temporaryPassword
@@ -24441,7 +23687,7 @@ function createAdminRoutes(config) {
   router.put("/users/:userId", requireAdmin, async (c) => {
     const userId = c.req.param("userId");
     const body = await c.req.json();
-    const {
+    let {
       email,
       displayName,
       password,
@@ -24451,6 +23697,17 @@ function createAdminRoutes(config) {
     if (!existing) {
       throw ApiError.notFound("User not found");
     }
+    const hookCtx = buildHookContext(c, "PUT");
+    if (hooks?.users?.beforeSave) {
+      const hooked = await hooks.users.beforeSave({
+        email,
+        displayName,
+        roles
+      }, hookCtx);
+      email = hooked.email ?? email;
+      displayName = hooked.displayName ?? displayName;
+      roles = hooked.roles ?? roles;
+    }
     const updates = {};
     if (email !== void 0) updates.email = email.toLowerCase();
     if (displayName !== void 0) updates.displayName = displayName;
@@ -24468,13 +23725,14 @@ function createAdminRoutes(config) {
       await authRepo.setUserRoles(userId, roles);
     }
     const result = await authRepo.getUserWithRoles(userId);
+    const updatedAdminUser = toAdminUser(result.user, result.roles.map((r) => r.id));
+    if (hooks?.users?.afterSave) {
+      Promise.resolve(hooks.users.afterSave(updatedAdminUser, hookCtx)).catch((err) => {
+        console.error("[BackendHooks] users.afterSave error:", err instanceof Error ? err.message : err);
+      });
+    }
     return c.json({
-      user: {
-        uid: result.user.id,
-        email: result.user.email,
-        displayName: result.user.displayName,
-        roles: result.roles.map((r) => r.id)
-      }
+      user: updatedAdminUser
     });
   });
   router.delete("/users/:userId", requireAdmin, async (c) => {
@@ -24488,21 +23746,33 @@ function createAdminRoutes(config) {
     if (!existing) {
       throw ApiError.notFound("User not found");
     }
+    const hookCtx = buildHookContext(c, "DELETE");
+    if (hooks?.users?.beforeDelete) {
+      await hooks.users.beforeDelete(userId, hookCtx);
+    }
     await authRepo.deleteUser(userId);
+    if (hooks?.users?.afterDelete) {
+      Promise.resolve(hooks.users.afterDelete(userId, hookCtx)).catch((err) => {
+        console.error("[BackendHooks] users.afterDelete error:", err instanceof Error ? err.message : err);
+      });
+    }
     return c.json({
       success: true
     });
   });
   router.get("/roles", requireAdmin, async (c) => {
     const roles = await authRepo.listRoles();
+    const hookCtx = buildHookContext(c, "GET");
+    let adminRoles = roles.map((r) => ({
+      id: r.id,
+      name: r.name,
+      isAdmin: r.isAdmin,
+      defaultPermissions: r.defaultPermissions,
+      config: r.config
+    }));
+    adminRoles = await applyRoleAfterReadBatch(adminRoles, hookCtx);
     return c.json({
-      roles: roles.map((r) => ({
-        id: r.id,
-        name: r.name,
-        isAdmin: r.isAdmin,
-        defaultPermissions: r.defaultPermissions,
-        config: r.config
-      }))
+      roles: adminRoles
     });
   });
   router.get("/roles/:roleId", requireAdmin, async (c) => {
@@ -24630,10 +23900,10 @@ class LocalStorageController {
    * Includes a path traversal guard to prevent escaping the base directory.
    */
   getFullPath(storagePath, bucket) {
-    const parts = bucket ? [this.basePath, bucket, storagePath] : [this.basePath, storagePath];
-    const resolved = path$3.resolve(path$3.join(...parts));
-    if (!resolved.startsWith(this.basePath + path$3.sep) && resolved !== this.basePath) {
-      throw new Error("Path traversal detected: resolved storage path is outside the base directory.");
+    const bucketPath = bucket ? path$3.join(this.basePath, bucket) : this.basePath;
+    const resolved = path$3.resolve(path$3.join(bucketPath, storagePath));
+    if (!resolved.startsWith(bucketPath + path$3.sep) && resolved !== bucketPath) {
+      throw new Error("Path traversal detected: resolved storage path is outside the bucket directory.");
     }
     return resolved;
   }
@@ -24780,17 +24050,34 @@ class LocalStorageController {
       }
     }
     resolvedPath = normalizeStoragePath(resolvedPath);
+    if (!resolvedPath) {
+      return;
+    }
     const fullPath = this.getFullPath(resolvedPath, resolvedBucket);
     try {
-      await unlink(fullPath);
-      try {
-        await unlink(`${fullPath}.metadata.json`);
-      } catch {
+      await access(fullPath, fs$4.constants.F_OK);
+    } catch {
+      return;
+    }
+    try {
+      const stats = await stat(fullPath);
+      if (stats.isDirectory()) {
+        await fs$4.promises.rmdir(fullPath);
+      } else {
+        await unlink(fullPath);
+        try {
+          await unlink(`${fullPath}.metadata.json`);
+        } catch {
+        }
       }
     } catch (error2) {
-      if (error2 instanceof Error && error2.code !== "ENOENT") {
-        throw error2;
+      if (error2 instanceof Error) {
+        const code2 = error2.code;
+        if (code2 === "ENOENT" || code2 === "ENOTEMPTY") {
+          return;
+        }
       }
+      throw error2;
     }
   }
   async listObjects(prefix, options2) {
@@ -24897,7 +24184,8 @@ class S3StorageController {
    * Get the bucket name - either from parameter or config
    */
   getBucket(bucket) {
-    return bucket ?? this.config.bucket;
+    if (!bucket || bucket === "default") return this.config.bucket;
+    return bucket;
   }
   async putObject({
     file,
@@ -25185,11 +24473,18 @@ function createStorageRoutes(config) {
       const fileContent = fs$4.readFileSync(absolutePath);
       return c.body(new Uint8Array(fileContent));
     }
-    const downloadConfig = await controller.getSignedUrl(filePath);
-    if (downloadConfig.fileNotFound || !downloadConfig.url) {
+    const {
+      bucket: parsedBucket,
+      resolvedPath: parsedPath
+    } = parseBucketAndPath(filePath);
+    const fileObject = await controller.getObject(parsedPath, parsedBucket);
+    if (!fileObject) {
       throw ApiError.notFound("File not found");
     }
-    return c.redirect(downloadConfig.url);
+    c.header("Content-Type", fileObject.type || "application/octet-stream");
+    c.header("Cache-Control", "public, max-age=3600, immutable");
+    const buf = await fileObject.arrayBuffer();
+    return c.body(new Uint8Array(buf));
   });
   router.get("/metadata/*", readAuthMiddleware, async (c) => {
     const rawPath = extractWildcardPath(c);
@@ -25239,7 +24534,7 @@ function createStorageRoutes(config) {
     const maxResults = c.req.query("maxResults");
     const pageToken = c.req.query("pageToken");
     const result = await controller.listObjects(storagePrefix, {
-      bucket,
+      bucket: bucket ?? (controller.getType() === "local" ? "default" : void 0),
       maxResults: maxResults ? parseInt(maxResults, 10) : void 0,
       pageToken
     });
@@ -25248,6 +24543,40 @@ function createStorageRoutes(config) {
       data: result
     });
   });
+  router.post("/folder", writeAuthMiddleware, async (c) => {
+    const body = await c.req.json();
+    const folderPath = body.path;
+    if (!folderPath || typeof folderPath !== "string") {
+      throw ApiError.badRequest("Folder path is required");
+    }
+    const {
+      bucket,
+      resolvedPath
+    } = parseBucketAndPath(folderPath);
+    if (!resolvedPath || resolvedPath.trim() === "") {
+      throw ApiError.badRequest("Invalid folder path");
+    }
+    if (controller.getType() === "local") {
+      const localController = controller;
+      const absolutePath = localController.getAbsolutePath(resolvedPath, bucket);
+      fs$4.mkdirSync(absolutePath, {
+        recursive: true
+      });
+    } else {
+      const key = resolvedPath.endsWith("/") ? resolvedPath : resolvedPath + "/";
+      const emptyFile = new File([], key, {
+        type: "application/x-directory"
+      });
+      await controller.putObject({
+        file: emptyFile,
+        key
+      });
+    }
+    return c.json({
+      success: true,
+      message: "Folder created"
+    }, 201);
+  });
   return router;
 }
 const DEFAULT_STORAGE_ID = "(default)";
@@ -25371,8 +24700,8 @@ class RebaseApiError extends Error {
   status;
   code;
   details;
-  constructor(status, message2, code2, details) {
-    super(message2);
+  constructor(status, message, code2, details) {
+    super(message);
     this.name = "RebaseApiError";
     this.status = status;
     this.code = code2;
@@ -25702,20 +25031,21 @@ function createAuth(transport, options2) {
       refreshToken: session.refreshToken
     };
   }
-  async function signInWithGoogle(idToken) {
+  async function signInWithGoogle(tokenOrPayload) {
     const fetchFn = getFetch();
+    const body = typeof tokenOrPayload === "string" ? {
+      idToken: tokenOrPayload
+    } : tokenOrPayload;
     const res = await fetchFn(authUrl("/google"), {
       method: "POST",
       headers: {
         "Content-Type": "application/json"
       },
-      body: JSON.stringify({
-        idToken
-      })
+      body: JSON.stringify(body)
     });
-    const body = await res.json().catch(() => ({}));
-    if (!res.ok) throwApiError(res.status, body, res.statusText);
-    const session = handleAuthResponse(body, "SIGNED_IN");
+    const responseBody = await res.json().catch(() => ({}));
+    if (!res.ok) throwApiError(res.status, responseBody, res.statusText);
+    const session = handleAuthResponse(responseBody, "SIGNED_IN");
     return {
       user: session.user,
       accessToken: session.accessToken,
@@ -26343,6 +25673,18 @@ function createCollectionClient(transport, slug, ws) {
         method: "DELETE"
       });
     },
+    async count(params) {
+      const countParams = {
+        ...params,
+        limit: void 0,
+        offset: void 0
+      };
+      const qs = buildQueryString(countParams);
+      const raw = await transport.request(basePath + "/count" + qs, {
+        method: "GET"
+      });
+      return raw.count ?? 0;
+    },
     // Fluent builder instantiation
     where(column, operator, value) {
       return new QueryBuilder(client).where(column, operator, value);
@@ -26365,6 +25707,25 @@ function createCollectionClient(transport, slug, ws) {
   };
   return client;
 }
+function createFunctionsClient(transport) {
+  return {
+    async invoke(name2, payload, options2) {
+      const method = options2?.method ?? "POST";
+      const subPath = options2?.path ? `/${options2.path.replace(/^\//, "")}` : "";
+      const routePath = `/functions/${encodeURIComponent(name2)}${subPath}`;
+      const init = {
+        method
+      };
+      if (payload !== void 0 && method !== "GET") {
+        init.body = JSON.stringify(payload);
+      }
+      if (options2?.headers) {
+        init.headers = options2.headers;
+      }
+      return transport.request(routePath, init);
+    }
+  };
+}
 function createStorage(transport) {
   const urlsCache = /* @__PURE__ */ new Map();
   async function putObject({
@@ -26498,6 +25859,7 @@ function createRebaseClient(options2) {
   const admin = createAdmin(transport, options2.admin);
   const cron = createCron(transport, options2.cron);
   const storage = createStorage(transport);
+  const functions = createFunctionsClient(transport);
   let ws;
   if (!options2.onUnauthorized) {
     transport.setOnUnauthorized(async () => {
@@ -26536,6 +25898,7 @@ function createRebaseClient(options2) {
     auth,
     admin,
     cron,
+    functions,
     storage,
     ws,
     setToken: transport.setToken,
@@ -27349,7 +26712,7 @@ var fetchExports = fetch$1.exports;
     });
     return options2;
   };
-  module.exports._logFunc = (logger2, level, defaults, data, message2, ...args) => {
+  module.exports._logFunc = (logger2, level, defaults, data, message, ...args) => {
     let entry = {};
     Object.keys(defaults || {}).forEach((key) => {
       if (key !== "level") {
@@ -27361,7 +26724,7 @@ var fetchExports = fetch$1.exports;
         entry[key] = data[key];
       }
     });
-    logger2[level](entry, message2, ...args);
+    logger2[level](entry, message, ...args);
   };
   module.exports.getLogger = (options2, defaults) => {
     options2 = options2 || {};
@@ -27378,8 +26741,8 @@ var fetchExports = fetch$1.exports;
       logger2 = createDefaultLogger(levels);
     }
     levels.forEach((level) => {
-      response[level] = (data, message2, ...args) => {
-        module.exports._logFunc(logger2, level, defaults, data, message2, ...args);
+      response[level] = (data, message, ...args) => {
+        module.exports._logFunc(logger2, level, defaults, data, message, ...args);
       };
     });
     return response;
@@ -27562,7 +26925,7 @@ var fetchExports = fetch$1.exports;
       }
       levelNames.set(level, levelName);
     });
-    let print2 = (level, entry, message2, ...args) => {
+    let print2 = (level, entry, message, ...args) => {
       let prefix = "";
       if (entry) {
         if (entry.tnx === "server") {
@@ -27577,8 +26940,8 @@ var fetchExports = fetch$1.exports;
           prefix = "[#" + entry.cid + "] " + prefix;
         }
       }
-      message2 = util2.format(message2, ...args);
-      message2.split(/\r?\n/).forEach((line) => {
+      message = util2.format(message, ...args);
+      message.split(/\r?\n/).forEach((line) => {
         console.log("[%s] %s %s", (/* @__PURE__ */ new Date()).toISOString().substr(0, 19).replace(/T/, " "), levelNames.get(level), prefix + line);
       });
     };
@@ -34074,8 +33437,8 @@ let SMTPConnection$3 = class SMTPConnection extends EventEmitter$4 {
    * @param {Object} message String, Buffer or a Stream
    * @param {Function} callback Callback to return once sending is completed
    */
-  send(envelope, message2, done) {
-    if (!message2) {
+  send(envelope, message, done) {
+    if (!message) {
       return done(this._formatError("Empty message", "EMESSAGE", false, "API"));
     }
     const isDestroyedMessage = this._isDestroyedMessage("send message");
@@ -34095,17 +33458,17 @@ let SMTPConnection$3 = class SMTPConnection extends EventEmitter$4 {
       returned = true;
       done(...arguments);
     };
-    if (typeof message2.on === "function") {
-      message2.on("error", (err) => callback(this._formatError(err, "ESTREAM", false, "API")));
+    if (typeof message.on === "function") {
+      message.on("error", (err) => callback(this._formatError(err, "ESTREAM", false, "API")));
     }
     let startTime = Date.now();
     this._setEnvelope(envelope, (err, info) => {
       if (err) {
         let stream3 = new PassThrough();
-        if (typeof message2.pipe === "function") {
-          message2.pipe(stream3);
+        if (typeof message.pipe === "function") {
+          message.pipe(stream3);
         } else {
-          stream3.write(message2);
+          stream3.write(message);
           stream3.end();
         }
         return callback(err);
@@ -34121,10 +33484,10 @@ let SMTPConnection$3 = class SMTPConnection extends EventEmitter$4 {
         info.response = str;
         return callback(null, info);
       });
-      if (typeof message2.pipe === "function") {
-        message2.pipe(stream2);
+      if (typeof message.pipe === "function") {
+        message.pipe(stream2);
       } else {
-        stream2.write(message2);
+        stream2.write(message);
         stream2.end();
       }
     });
@@ -34237,12 +33600,12 @@ let SMTPConnection$3 = class SMTPConnection extends EventEmitter$4 {
     this.emit("error", err);
     this.close();
   }
-  _formatError(message2, type, response, command) {
+  _formatError(message, type, response, command) {
     let err;
-    if (/Error\]$/i.test(Object.prototype.toString.call(message2))) {
-      err = message2;
+    if (/Error\]$/i.test(Object.prototype.toString.call(message))) {
+      err = message;
     } else {
-      err = new Error(message2);
+      err = new Error(message);
     }
     if (type && type !== "Error") {
       err.code = type;
@@ -34885,14 +34248,14 @@ let SMTPConnection$3 = class SMTPConnection extends EventEmitter$4 {
    * @param {String} str Message from the server
    */
   _actionMAIL(str, callback) {
-    let message2, curRecipient;
+    let message, curRecipient;
     if (Number(str.charAt(0)) !== 2) {
       if (this._usingSmtpUtf8 && /^550 /.test(str) && /[\x80-\uFFFF]/.test(this._envelope.from)) {
-        message2 = "Internationalized mailbox name not allowed";
+        message = "Internationalized mailbox name not allowed";
       } else {
-        message2 = "Mail command failed";
+        message = "Mail command failed";
       }
-      return callback(this._formatError(message2, "EENVELOPE", str, "MAIL FROM"));
+      return callback(this._formatError(message, "EENVELOPE", str, "MAIL FROM"));
     }
     if (!this._envelope.rcptQueue.length) {
       return callback(this._formatError("Can't send mail - no recipients defined", "EENVELOPE", false, "API"));
@@ -34923,15 +34286,15 @@ let SMTPConnection$3 = class SMTPConnection extends EventEmitter$4 {
    * @param {String} str Message from the server
    */
   _actionRCPT(str, callback) {
-    let message2, err, curRecipient = this._recipientQueue.shift();
+    let message, err, curRecipient = this._recipientQueue.shift();
     if (Number(str.charAt(0)) !== 2) {
       if (this._usingSmtpUtf8 && /^553 /.test(str) && /[\x80-\uFFFF]/.test(curRecipient)) {
-        message2 = "Internationalized mailbox name not allowed";
+        message = "Internationalized mailbox name not allowed";
       } else {
-        message2 = "Recipient command failed";
+        message = "Recipient command failed";
       }
       this._envelope.rejected.push(curRecipient);
-      err = this._formatError(message2, "EENVELOPE", str, "RCPT TO");
+      err = this._formatError(message, "EENVELOPE", str, "RCPT TO");
       err.recipient = curRecipient;
       this._envelope.rejectedErrors.push(err);
     } else {
@@ -37647,9 +37010,9 @@ class SMTPEmailService {
         replyTo: options2.replyTo
       });
     } catch (error2) {
-      const message2 = error2 instanceof Error ? error2.message : String(error2);
-      console.error("Failed to send email:", message2);
-      throw new Error(`Failed to send email: ${message2}`);
+      const message = error2 instanceof Error ? error2.message : String(error2);
+      console.error("Failed to send email:", message);
+      throw new Error(`Failed to send email: ${message}`);
     }
   }
   /**
@@ -37663,8 +37026,8 @@ class SMTPEmailService {
       await this.transporter.verify();
       return true;
     } catch (error2) {
-      const message2 = error2 instanceof Error ? error2.message : String(error2);
-      console.error("SMTP connection verification failed:", message2);
+      const message = error2 instanceof Error ? error2.message : String(error2);
+      console.error("SMTP connection verification failed:", message);
       return false;
     }
   }
@@ -37863,7 +37226,7 @@ async function _initializeRebaseBackend(config) {
       const {
         createGoogleProvider: createGoogleProvider2
       } = await import("./index-DXVBFp5V.js");
-      oauthProviders.push(createGoogleProvider2(config.auth.google.clientId));
+      oauthProviders.push(createGoogleProvider2(config.auth.google));
     }
     if (config.auth.linkedin?.clientId && config.auth.linkedin?.clientSecret) {
       const {
@@ -37944,7 +37307,8 @@ async function _initializeRebaseBackend(config) {
       authRepo: authConfigResult.authRepository ?? authConfigResult.userService,
       emailService: authConfigResult.emailService,
       emailConfig: config.auth.email,
-      serviceKey
+      serviceKey,
+      hooks: config.hooks
     });
     config.app.route(`${basePath}/admin`, adminRoutes);
   }
@@ -38002,7 +37366,7 @@ async function _initializeRebaseBackend(config) {
       });
       dataRouter.route("/", historyRoutes);
     }
-    const restGenerator = new RestApiGenerator(activeCollections, defaultDriver);
+    const restGenerator = new RestApiGenerator(activeCollections, defaultDriver, config.hooks?.data);
     dataRouter.route("/", restGenerator.generateRoutes());
     config.app.route(`${basePath}/data`, dataRouter);
   }
@@ -38063,6 +37427,13 @@ async function _initializeRebaseBackend(config) {
   }
   _initRebase(serverClient);
   logger.info("Rebase singleton initialized");
+  if (defaultDriverResult.internals) {
+    const internals = defaultDriverResult.internals;
+    const driver = internals.driver;
+    if (driver && "client" in driver) {
+      driver.client = serverClient;
+    }
+  }
   if (config.functionsDir) {
     const {
       loadFunctionsFromDirectory: loadFunctionsFromDirectory2
@@ -38196,10 +37567,10 @@ async function _initializeRebaseBackend(config) {
     shutdown
   };
 }
-function devAssert(condition, message2) {
+function devAssert(condition, message) {
   const booleanCondition = Boolean(condition);
   if (!booleanCondition) {
-    throw new Error(message2);
+    throw new Error(message);
   }
 }
 function isPromise(value) {
@@ -38208,11 +37579,11 @@ function isPromise(value) {
 function isObjectLike(value) {
   return typeof value == "object" && value !== null;
 }
-function invariant(condition, message2) {
+function invariant(condition, message) {
   const booleanCondition = Boolean(condition);
   if (!booleanCondition) {
     throw new Error(
-      message2 != null ? message2 : "Unexpected invariant triggered."
+      message != null ? message : "Unexpected invariant triggered."
     );
   }
 }
@@ -38331,10 +37702,10 @@ class GraphQLError extends Error {
   /**
    * @deprecated Please use the `GraphQLErrorOptions` constructor overload instead.
    */
-  constructor(message2, ...rawArgs) {
+  constructor(message, ...rawArgs) {
     var _this$nodes, _nodeLocations$, _ref;
     const { nodes, source, positions, path: path2, originalError, extensions: extensions2 } = toNormalizedOptions(rawArgs);
-    super(message2);
+    super(message);
     this.name = "GraphQLError";
     this.path = path2 !== null && path2 !== void 0 ? path2 : void 0;
     this.originalError = originalError !== null && originalError !== void 0 ? originalError : void 0;
@@ -39352,14 +38723,14 @@ function formatArray(array, seenValues) {
   return "[" + items.join(", ") + "]";
 }
 function getObjectTag(object) {
-  const tag2 = Object.prototype.toString.call(object).replace(/^\[object /, "").replace(/]$/, "");
-  if (tag2 === "Object" && typeof object.constructor === "function") {
+  const tag = Object.prototype.toString.call(object).replace(/^\[object /, "").replace(/]$/, "");
+  if (tag === "Object" && typeof object.constructor === "function") {
     const name2 = object.constructor.name;
     if (typeof name2 === "string" && name2 !== "") {
       return name2;
     }
   }
-  return tag2;
+  return tag;
 }
 const isProduction = globalThis.process && // eslint-disable-next-line no-undef
 process.env.NODE_ENV === "production";
@@ -40757,22 +40128,22 @@ function getTokenKindDesc(kind) {
 const MAX_SUGGESTIONS = 5;
 function didYouMean(firstArg, secondArg) {
   const [subMessage, suggestionsArg] = secondArg ? [firstArg, secondArg] : [void 0, firstArg];
-  let message2 = " Did you mean ";
+  let message = " Did you mean ";
   if (subMessage) {
-    message2 += subMessage + " ";
+    message += subMessage + " ";
   }
   const suggestions = suggestionsArg.map((x) => `"${x}"`);
   switch (suggestions.length) {
     case 0:
       return "";
     case 1:
-      return message2 + suggestions[0] + "?";
+      return message + suggestions[0] + "?";
     case 2:
-      return message2 + suggestions[0] + " or " + suggestions[1] + "?";
+      return message + suggestions[0] + " or " + suggestions[1] + "?";
   }
   const selected = suggestions.slice(0, MAX_SUGGESTIONS);
   const lastItem = selected.pop();
-  return message2 + selected.join(", ") + ", or " + lastItem + "?";
+  return message + selected.join(", ") + ", or " + lastItem + "?";
 }
 function identityFunc(x) {
   return x;
@@ -43416,10 +42787,10 @@ class SchemaValidationContext {
     this._errors = [];
     this.schema = schema;
   }
-  reportError(message2, nodes) {
+  reportError(message, nodes) {
     const _nodes = Array.isArray(nodes) ? nodes.filter(Boolean) : nodes;
     this._errors.push(
-      new GraphQLError(message2, {
+      new GraphQLError(message, {
         nodes: _nodes
       })
     );
@@ -47794,9 +47165,9 @@ var errorMessages = (messages, graphqlErrors) => {
     };
   }
   return {
-    errors: messages.map((message2) => {
+    errors: messages.map((message) => {
       return {
-        message: message2
+        message
       };
     })
   };
@@ -48933,7 +48304,9 @@ class RebaseApiServer {
    * Setup Hono middleware
    */
   setupMiddleware() {
-    this.router.use("/*", secureHeaders());
+    this.router.use("/*", secureHeaders({
+      crossOriginOpenerPolicy: "same-origin-allow-popups"
+    }));
     if (this.config.cors) {
       const origin = this.config.cors.origin;
       this.router.use("/*", cors({
@@ -49020,9 +48393,9 @@ class RebaseApiServer {
       if (process.env.NODE_ENV === "production") {
         console.warn("[RebaseApiServer] Schema Editor is disabled in production environments for security.");
       } else {
+        this.router.use(`${basePath}/schema-editor/*`, requireAuth, requireAdmin);
         const schemaEditorRoutes2 = createSchemaEditorRoutes(this.config.collectionsDir);
         this.router.route(`${basePath}/schema-editor`, schemaEditorRoutes2);
-        this.router.use(`${basePath}/schema-editor/*`, requireAuth, requireAdmin);
       }
     }
     this.router.get(`${basePath}/docs`, (c) => {
@@ -49136,8 +48509,8 @@ async function loadFunctionsFromDirectory(directory) {
   Hint: ensure the function exports a Hono app created with the same hono version as the server.
   The loader checks for .fetch() and .routes — any Hono-compatible app will work.`);
       } catch (err) {
-        const message2 = err instanceof Error ? err.message : String(err);
-        console.error(`[functions] Failed to load ${file}: ${message2}`);
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`[functions] Failed to load ${file}: ${message}`);
       }
     }
   }
@@ -49209,8 +48582,8 @@ async function loadCronJobsFromDirectory(directory) {
         });
         console.log(`⏰ Loaded cron job: ${id} (${definition.schedule})`);
       } catch (err) {
-        const message2 = err instanceof Error ? err.message : String(err);
-        console.error(`[cron] Failed to load ${file}: ${message2}`);
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`[cron] Failed to load ${file}: ${message}`);
       }
     }
   }
@@ -49220,46 +48593,98 @@ const cronLoader = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.definePr
   __proto__: null,
   loadCronJobsFromDirectory
 }, Symbol.toStringTag, { value: "Module" }));
+function expandCronField(field, min, max) {
+  const results = /* @__PURE__ */ new Set();
+  for (const segment of field.split(",")) {
+    const trimmed = segment.trim();
+    if (trimmed === "*") {
+      for (let i = min; i <= max; i++) results.add(i);
+    } else if (trimmed.includes("/")) {
+      const [rangeStr, stepStr] = trimmed.split("/");
+      const step = parseInt(stepStr, 10);
+      if (isNaN(step) || step <= 0) {
+        throw new Error(`Invalid step value "${stepStr}" in cron field "${field}"`);
+      }
+      let start = min;
+      let end2 = max;
+      if (rangeStr !== "*") {
+        if (rangeStr.includes("-")) {
+          const [a2, b] = rangeStr.split("-").map(Number);
+          start = a2;
+          end2 = b;
+        } else {
+          start = parseInt(rangeStr, 10);
+        }
+      }
+      for (let i = start; i <= end2; i += step) results.add(i);
+    } else if (trimmed.includes("-")) {
+      const [a2, b] = trimmed.split("-").map(Number);
+      for (let i = a2; i <= b; i++) results.add(i);
+    } else {
+      const val = parseInt(trimmed, 10);
+      if (isNaN(val)) {
+        throw new Error(`Invalid value "${trimmed}" in cron field "${field}"`);
+      }
+      results.add(val);
+    }
+  }
+  return [...results].sort((a2, b) => a2 - b);
+}
+function validateCronExpression(schedule) {
+  if (!schedule || typeof schedule !== "string") {
+    return {
+      valid: false,
+      reason: "Schedule must be a non-empty string"
+    };
+  }
+  const parts = schedule.trim().split(/\s+/);
+  if (parts.length !== 5) {
+    return {
+      valid: false,
+      reason: `Expected 5 fields, got ${parts.length}`
+    };
+  }
+  const fieldRanges = [["minute", 0, 59], ["hour", 0, 23], ["day of month", 1, 31], ["month", 1, 12], ["day of week", 0, 6]];
+  for (let i = 0; i < 5; i++) {
+    const [name2, min, max] = fieldRanges[i];
+    try {
+      const values2 = expandCronField(parts[i], min, max);
+      if (values2.length === 0) {
+        return {
+          valid: false,
+          reason: `${name2} field "${parts[i]}" produces no values`
+        };
+      }
+      for (const v of values2) {
+        if (v < min || v > max) {
+          return {
+            valid: false,
+            reason: `${name2} field value ${v} out of range [${min}–${max}]`
+          };
+        }
+      }
+    } catch (err) {
+      return {
+        valid: false,
+        reason: `${name2} field: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+  }
+  return {
+    valid: true
+  };
+}
 function parseCronExpression(expression, after) {
   const parts = expression.trim().split(/\s+/);
   if (parts.length < 5) {
     throw new Error(`Invalid cron expression: "${expression}". Expected 5 fields.`);
   }
   const [minField, hourField, domField, monField, dowField] = parts;
-  const expand = (field, min, max) => {
-    const results = /* @__PURE__ */ new Set();
-    for (const segment of field.split(",")) {
-      if (segment === "*") {
-        for (let i = min; i <= max; i++) results.add(i);
-      } else if (segment.includes("/")) {
-        const [rangeStr, stepStr] = segment.split("/");
-        const step = parseInt(stepStr, 10);
-        let start = min;
-        let end2 = max;
-        if (rangeStr !== "*") {
-          if (rangeStr.includes("-")) {
-            const [a2, b] = rangeStr.split("-").map(Number);
-            start = a2;
-            end2 = b;
-          } else {
-            start = parseInt(rangeStr, 10);
-          }
-        }
-        for (let i = start; i <= end2; i += step) results.add(i);
-      } else if (segment.includes("-")) {
-        const [a2, b] = segment.split("-").map(Number);
-        for (let i = a2; i <= b; i++) results.add(i);
-      } else {
-        results.add(parseInt(segment, 10));
-      }
-    }
-    return [...results].sort((a2, b) => a2 - b);
-  };
-  const minutes = expand(minField, 0, 59);
-  const hours = expand(hourField, 0, 23);
-  const doms = expand(domField, 1, 31);
-  const months = expand(monField, 1, 12);
-  const dows = expand(dowField, 0, 6);
+  const minutes = expandCronField(minField, 0, 59);
+  const hours = expandCronField(hourField, 0, 23);
+  const doms = expandCronField(domField, 1, 31);
+  const months = expandCronField(monField, 1, 12);
+  const dows = expandCronField(dowField, 0, 6);
   const candidate = new Date(after);
   candidate.setSeconds(0, 0);
   candidate.setMinutes(candidate.getMinutes() + 1);
@@ -49268,9 +48693,9 @@ function parseCronExpression(expression, after) {
     const month = candidate.getMonth() + 1;
     const dom = candidate.getDate();
     const dow = candidate.getDay();
-    const hour2 = candidate.getHours();
-    const minute2 = candidate.getMinutes();
-    if (months.includes(month) && doms.includes(dom) && dows.includes(dow) && hours.includes(hour2) && minutes.includes(minute2)) {
+    const hour = candidate.getHours();
+    const minute = candidate.getMinutes();
+    if (months.includes(month) && doms.includes(dom) && dows.includes(dow) && hours.includes(hour) && minutes.includes(minute)) {
       return candidate;
     }
     candidate.setMinutes(candidate.getMinutes() + 1);
@@ -49280,6 +48705,7 @@ function parseCronExpression(expression, after) {
   return fallback;
 }
 const MAX_LOGS_PER_JOB = 50;
+const MIN_SCHEDULE_INTERVAL_MS = 5e3;
 class CronScheduler {
   jobs = /* @__PURE__ */ new Map();
   started = false;
@@ -49301,23 +48727,39 @@ class CronScheduler {
   }
   /**
    * Register a batch of loaded cron jobs.
+   *
+   * If the scheduler is already started, newly registered jobs are
+   * automatically scheduled (so late-registered jobs don't sit idle).
+   *
+   * Validates the cron schedule on registration — invalid schedules
+   * are rejected with a warning and the job is NOT registered.
    */
   registerJobs(loadedJobs) {
     for (const loaded of loadedJobs) {
+      const validation = validateCronExpression(loaded.definition.schedule);
+      if (!validation.valid) {
+        console.error(`[cron] Rejecting job "${loaded.id}": invalid schedule "${loaded.definition.schedule}" — ${validation.reason}`);
+        continue;
+      }
       const existing = this.jobs.get(loaded.id);
       if (existing) {
         console.warn(`[cron] Duplicate cron job id: "${loaded.id}". Overwriting.`);
         this.stopJob(loaded.id);
       }
+      const enabled = loaded.definition.enabled !== false;
       this.jobs.set(loaded.id, {
         id: loaded.id,
         definition: loaded.definition,
-        enabled: loaded.definition.enabled !== false,
-        state: loaded.definition.enabled !== false ? "idle" : "disabled",
+        enabled,
+        state: enabled ? "idle" : "disabled",
         totalRuns: 0,
         totalFailures: 0,
-        logs: []
+        logs: [],
+        executing: false
       });
+      if (this.started && enabled) {
+        this.scheduleNext(loaded.id);
+      }
     }
   }
   /**
@@ -49351,6 +48793,9 @@ class CronScheduler {
   }
   /**
    * Stop the scheduler and clear all timers.
+   *
+   * Currently-executing handlers run to completion (they are async),
+   * but no further scheduling occurs after stop.
    */
   stop() {
     this.started = false;
@@ -49409,32 +48854,81 @@ class CronScheduler {
   }
   /**
    * Manually trigger a job execution immediately.
+   *
+   * Returns `undefined` if the job doesn't exist.
+   * If the job is currently executing, returns the log entry with
+   * a `skipped: true` result rather than running concurrently.
    */
   async triggerJob(id) {
     const job = this.jobs.get(id);
     if (!job) return void 0;
+    if (job.executing) {
+      console.warn(`[cron] Skipping manual trigger of "${id}" — already executing`);
+      const logEntry = {
+        jobId: id,
+        startedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        durationMs: 0,
+        success: true,
+        result: {
+          skipped: true,
+          reason: "already_executing"
+        },
+        logs: ["Skipped: job is already running"],
+        manual: true
+      };
+      job.logs.push(logEntry);
+      if (job.logs.length > MAX_LOGS_PER_JOB) job.logs.shift();
+      return logEntry;
+    }
     return this.executeJob(job, true);
   }
   // ─── Internal ────────────────────────────────────────────────────
+  /**
+   * Schedule the next execution for a job.
+   *
+   * Safety guarantees:
+   * 1. Clears any existing timer first (prevents leaked/duplicate timers)
+   * 2. Enforces a minimum delay to prevent tight loops from jitter
+   * 3. Unref's the timer so it doesn't prevent process exit
+   * 4. Re-checks enabled & started state before executing
+   * 5. Concurrency guard prevents overlapping handler executions
+   */
   scheduleNext(id) {
     const job = this.jobs.get(id);
     if (!job || !job.enabled || !this.started) return;
+    this.stopJob(id);
     try {
       const now = /* @__PURE__ */ new Date();
       const nextRun = parseCronExpression(job.definition.schedule, now);
       job.nextRunAt = nextRun;
-      const delay = Math.max(nextRun.getTime() - now.getTime(), 0);
-      job.timerId = setTimeout(async () => {
+      const rawDelay = nextRun.getTime() - now.getTime();
+      const delay = Math.max(rawDelay, MIN_SCHEDULE_INTERVAL_MS);
+      const timer = setTimeout(async () => {
         if (!job.enabled || !this.started) return;
+        if (job.executing) {
+          console.warn(`[cron] Skipping scheduled run of "${id}" — still executing from previous run`);
+          this.scheduleNext(id);
+          return;
+        }
         await this.executeJob(job, false);
-        this.scheduleNext(id);
+        if (this.started && job.enabled) {
+          this.scheduleNext(id);
+        }
       }, delay);
+      if (timer && typeof timer === "object" && "unref" in timer) {
+        timer.unref();
+      }
+      job.timerId = timer;
     } catch (err) {
       console.error(`[cron] Failed to schedule "${id}":`, err);
       job.state = "error";
       job.lastError = err instanceof Error ? err.message : String(err);
     }
   }
+  /**
+   * Stop a single job's timer and clear its next run state.
+   */
   stopJob(id) {
     const job = this.jobs.get(id);
     if (job?.timerId) {
@@ -49443,9 +48937,19 @@ class CronScheduler {
       job.nextRunAt = void 0;
     }
   }
+  /**
+   * Execute a job's handler with full isolation and safety.
+   *
+   * - Sets a concurrency flag to prevent overlapping runs
+   * - Wraps handler in a timeout race
+   * - Captures all logs, errors, and results
+   * - Persists to store (non-blocking) if available
+   * - Always restores state even on catastrophic errors
+   */
   async executeJob(job, manual) {
     const startedAt = /* @__PURE__ */ new Date();
     const capturedLogs = [];
+    job.executing = true;
     const ctx = {
       jobId: job.id,
       scheduledAt: startedAt,
@@ -49464,14 +48968,21 @@ class CronScheduler {
     try {
       const timeout = (job.definition.timeoutSeconds ?? 300) * 1e3;
       const handlerPromise = Promise.resolve(job.definition.handler(ctx));
+      let timeoutHandle;
       const timeoutPromise = new Promise((_, reject) => {
-        setTimeout(() => reject(new Error(`Cron job "${job.id}" timed out after ${timeout}ms`)), timeout);
+        timeoutHandle = setTimeout(() => reject(new Error(`Cron job "${job.id}" timed out after ${timeout}ms`)), timeout);
       });
-      result = await Promise.race([handlerPromise, timeoutPromise]);
+      try {
+        result = await Promise.race([handlerPromise, timeoutPromise]);
+      } finally {
+        clearTimeout(timeoutHandle);
+      }
     } catch (err) {
       success = false;
       error2 = err instanceof Error ? err.message : String(err);
       job.totalFailures++;
+    } finally {
+      job.executing = false;
     }
     const finishedAt = /* @__PURE__ */ new Date();
     const durationMs = finishedAt.getTime() - startedAt.getTime();
@@ -49494,8 +49005,8 @@ class CronScheduler {
       job.logs.shift();
     }
     if (this.store) {
-      this.store.insertLog(logEntry).catch((err) => {
-        console.error(`[cron] Failed to persist log for "${job.id}":`, err);
+      this.store.insertLog(logEntry).catch((persistErr) => {
+        console.error(`[cron] Failed to persist log for "${job.id}":`, persistErr);
       });
     }
     if (success) {
@@ -49524,7 +49035,8 @@ class CronScheduler {
 }
 const cronScheduler = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
   __proto__: null,
-  CronScheduler
+  CronScheduler,
+  validateCronExpression
 }, Symbol.toStringTag, { value: "Module" }));
 function createCronRoutes(scheduler) {
   const router = new Hono();
@@ -49927,6 +49439,7 @@ export {
   resetConsole,
   serveSPA,
   strictAuthLimiter,
+  validateCronExpression,
   validatePasswordStrength,
   verifyAccessToken,
   verifyPassword