@rebasepro/server-core 0.0.1-canary.eae7889 → 0.1.0

package/dist/index.umd.js

@@ -1011,13 +1011,14 @@
       }, { buffer: 3, lYpoI2: 11 }] }, {}, [1])(1);
     });
   })(object_hash);
-  const snakeCaseRegex = /[A-Z]{2,}(?=[A-Z][a-z]+[0-9]*|\b)|[A-Z]?[a-z]+[0-9]*|[A-Z]|[0-9]+/g;
+  const tokenizeRegex = /[A-Z]{2,}(?=[A-Z][a-z]|\b)|[A-Z]?[a-z]+|[0-9]+(?:[a-z](?![a-z]))?|[A-Z]/g;
+  const snakeCaseRegex = tokenizeRegex;
   const toSnakeCase = (str) => {
     const regExpMatchArray = str.match(snakeCaseRegex);
     if (!regExpMatchArray) return "";
     return regExpMatchArray.map((x) => x.toLowerCase()).join("_");
   };
-  function isObject$b(item) {
+  function isObject$a(item) {
     return !!item && typeof item === "object" && !Array.isArray(item);
   }
   function isPlainObject$3(obj) {
@@ -1028,13 +1029,13 @@
     return proto === Object.prototype;
   }
   function mergeDeep(target, source, ignoreUndefined = false) {
-    if (!isObject$b(target)) {
+    if (!isObject$a(target)) {
       return target;
     }
     const output = {
       ...target
     };
-    if (!isObject$b(source)) {
+    if (!isObject$a(source)) {
       return output;
     }
     for (const key in source) {
@@ -1075,7 +1076,7 @@
           } else {
             output[key] = sourceValue;
           }
-        } else if (isObject$b(sourceValue)) {
+        } else if (isObject$a(sourceValue)) {
           output[key] = sourceValue;
         } else {
           output[key] = sourceValue;
@@ -1712,8 +1713,8 @@
       return jsonLogic;
     });
   })(logic);
-  var getOwnPropertyNames = Object.getOwnPropertyNames, getOwnPropertySymbols = Object.getOwnPropertySymbols;
-  var hasOwnProperty$d = Object.prototype.hasOwnProperty;
+  const { getOwnPropertyNames, getOwnPropertySymbols } = Object;
+  const { hasOwnProperty: hasOwnProperty$d } = Object.prototype;
   function combineComparators(comparatorA, comparatorB) {
     return function isEqual(a2, b, state) {
       return comparatorA(a2, b, state) && comparatorB(a2, b, state);
@@ -1724,38 +1725,45 @@
       if (!a2 || !b || typeof a2 !== "object" || typeof b !== "object") {
         return areItemsEqual(a2, b, state);
       }
-      var cache2 = state.cache;
-      var cachedA = cache2.get(a2);
-      var cachedB = cache2.get(b);
+      const { cache } = state;
+      const cachedA = cache.get(a2);
+      const cachedB = cache.get(b);
       if (cachedA && cachedB) {
         return cachedA === b && cachedB === a2;
       }
-      cache2.set(a2, b);
-      cache2.set(b, a2);
-      var result = areItemsEqual(a2, b, state);
-      cache2.delete(a2);
-      cache2.delete(b);
+      cache.set(a2, b);
+      cache.set(b, a2);
+      const result = areItemsEqual(a2, b, state);
+      cache.delete(a2);
+      cache.delete(b);
       return result;
     };
   }
-  function getShortTag(value) {
-    return value != null ? value[Symbol.toStringTag] : void 0;
-  }
   function getStrictProperties(object) {
     return getOwnPropertyNames(object).concat(getOwnPropertySymbols(object));
   }
-  var hasOwn$1 = Object.hasOwn || function(object, property) {
-    return hasOwnProperty$d.call(object, property);
-  };
-  function sameValueZeroEqual(a2, b) {
-    return a2 === b || !a2 && !b && a2 !== a2 && b !== b;
+  const hasOwn$1 = (
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+    Object.hasOwn || ((object, property) => hasOwnProperty$d.call(object, property))
+  );
+  const PREACT_VNODE = "__v";
+  const PREACT_OWNER = "__o";
+  const REACT_OWNER = "_owner";
+  const { getOwnPropertyDescriptor, keys: keys$5 } = Object;
+  const sameValueEqual = (
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+    Object.is || function sameValueEqual2(a2, b) {
+      return a2 === b ? a2 !== 0 || 1 / a2 === 1 / b : a2 !== a2 && b !== b;
+    }
+  );
+  function strictEqual(a2, b) {
+    return a2 === b;
+  }
+  function areArrayBuffersEqual(a2, b) {
+    return a2.byteLength === b.byteLength && areTypedArraysEqual(new Uint8Array(a2), new Uint8Array(b));
   }
-  var PREACT_VNODE = "__v";
-  var PREACT_OWNER = "__o";
-  var REACT_OWNER = "_owner";
-  var getOwnPropertyDescriptor = Object.getOwnPropertyDescriptor, keys$5 = Object.keys;
   function areArraysEqual(a2, b, state) {
-    var index2 = a2.length;
+    let index2 = a2.length;
     if (b.length !== index2) {
       return false;
     }
@@ -1766,35 +1774,35 @@
     }
     return true;
   }
+  function areDataViewsEqual(a2, b) {
+    return a2.byteLength === b.byteLength && areTypedArraysEqual(new Uint8Array(a2.buffer, a2.byteOffset, a2.byteLength), new Uint8Array(b.buffer, b.byteOffset, b.byteLength));
+  }
   function areDatesEqual(a2, b) {
-    return sameValueZeroEqual(a2.getTime(), b.getTime());
+    return sameValueEqual(a2.getTime(), b.getTime());
   }
   function areErrorsEqual(a2, b) {
     return a2.name === b.name && a2.message === b.message && a2.cause === b.cause && a2.stack === b.stack;
   }
-  function areFunctionsEqual(a2, b) {
-    return a2 === b;
-  }
   function areMapsEqual(a2, b, state) {
-    var size = a2.size;
+    const size = a2.size;
     if (size !== b.size) {
       return false;
     }
     if (!size) {
       return true;
     }
-    var matchedIndices = new Array(size);
-    var aIterable = a2.entries();
-    var aResult;
-    var bResult;
-    var index2 = 0;
+    const matchedIndices = new Array(size);
+    const aIterable = a2.entries();
+    let aResult;
+    let bResult;
+    let index2 = 0;
     while (aResult = aIterable.next()) {
       if (aResult.done) {
         break;
       }
-      var bIterable = b.entries();
-      var hasMatch = false;
-      var matchIndex = 0;
+      const bIterable = b.entries();
+      let hasMatch = false;
+      let matchIndex = 0;
       while (bResult = bIterable.next()) {
         if (bResult.done) {
           break;
@@ -1803,8 +1811,8 @@
           matchIndex++;
           continue;
         }
-        var aEntry = aResult.value;
-        var bEntry = bResult.value;
+        const aEntry = aResult.value;
+        const bEntry = bResult.value;
         if (state.equals(aEntry[0], bEntry[0], index2, matchIndex, a2, b, state) && state.equals(aEntry[1], bEntry[1], aEntry[0], bEntry[0], a2, b, state)) {
           hasMatch = matchedIndices[matchIndex] = true;
           break;
@@ -1818,10 +1826,9 @@
     }
     return true;
   }
-  var areNumbersEqual = sameValueZeroEqual;
   function areObjectsEqual(a2, b, state) {
-    var properties = keys$5(a2);
-    var index2 = properties.length;
+    const properties = keys$5(a2);
+    let index2 = properties.length;
     if (keys$5(b).length !== index2) {
       return false;
     }
@@ -1833,14 +1840,14 @@
     return true;
   }
   function areObjectsEqualStrict(a2, b, state) {
-    var properties = getStrictProperties(a2);
-    var index2 = properties.length;
+    const properties = getStrictProperties(a2);
+    let index2 = properties.length;
     if (getStrictProperties(b).length !== index2) {
       return false;
     }
-    var property;
-    var descriptorA;
-    var descriptorB;
+    let property;
+    let descriptorA;
+    let descriptorB;
     while (index2-- > 0) {
       property = properties[index2];
       if (!isPropertyEqual(a2, b, state, property)) {
@@ -1855,30 +1862,30 @@
     return true;
   }
   function arePrimitiveWrappersEqual(a2, b) {
-    return sameValueZeroEqual(a2.valueOf(), b.valueOf());
+    return sameValueEqual(a2.valueOf(), b.valueOf());
   }
   function areRegExpsEqual(a2, b) {
     return a2.source === b.source && a2.flags === b.flags;
   }
   function areSetsEqual(a2, b, state) {
-    var size = a2.size;
+    const size = a2.size;
     if (size !== b.size) {
       return false;
     }
     if (!size) {
       return true;
     }
-    var matchedIndices = new Array(size);
-    var aIterable = a2.values();
-    var aResult;
-    var bResult;
+    const matchedIndices = new Array(size);
+    const aIterable = a2.values();
+    let aResult;
+    let bResult;
     while (aResult = aIterable.next()) {
       if (aResult.done) {
         break;
       }
-      var bIterable = b.values();
-      var hasMatch = false;
-      var matchIndex = 0;
+      const bIterable = b.values();
+      let hasMatch = false;
+      let matchIndex = 0;
       while (bResult = bIterable.next()) {
         if (bResult.done) {
           break;
@@ -1896,8 +1903,8 @@
     return true;
   }
   function areTypedArraysEqual(a2, b) {
-    var index2 = a2.length;
-    if (b.length !== index2) {
+    let index2 = a2.byteLength;
+    if (b.byteLength !== index2 || a2.byteOffset !== b.byteOffset) {
       return false;
     }
     while (index2-- > 0) {
@@ -1916,23 +1923,10 @@
     }
     return hasOwn$1(b, property) && state.equals(a2[property], b[property], property, property, a2, b, state);
   }
-  var ARGUMENTS_TAG = "[object Arguments]";
-  var BOOLEAN_TAG = "[object Boolean]";
-  var DATE_TAG = "[object Date]";
-  var ERROR_TAG = "[object Error]";
-  var MAP_TAG = "[object Map]";
-  var NUMBER_TAG = "[object Number]";
-  var OBJECT_TAG = "[object Object]";
-  var REG_EXP_TAG = "[object RegExp]";
-  var SET_TAG = "[object Set]";
-  var STRING_TAG = "[object String]";
-  var URL_TAG = "[object URL]";
-  var isArray$7 = Array.isArray;
-  var isTypedArray$2 = typeof ArrayBuffer === "function" && ArrayBuffer.isView ? ArrayBuffer.isView : null;
-  var assign$1 = Object.assign;
-  var getTag$4 = Object.prototype.toString.call.bind(Object.prototype.toString);
-  function createEqualityComparator(_a2) {
-    var areArraysEqual2 = _a2.areArraysEqual, areDatesEqual2 = _a2.areDatesEqual, areErrorsEqual2 = _a2.areErrorsEqual, areFunctionsEqual2 = _a2.areFunctionsEqual, areMapsEqual2 = _a2.areMapsEqual, areNumbersEqual2 = _a2.areNumbersEqual, areObjectsEqual2 = _a2.areObjectsEqual, arePrimitiveWrappersEqual2 = _a2.arePrimitiveWrappersEqual, areRegExpsEqual2 = _a2.areRegExpsEqual, areSetsEqual2 = _a2.areSetsEqual, areTypedArraysEqual2 = _a2.areTypedArraysEqual, areUrlsEqual2 = _a2.areUrlsEqual, unknownTagComparators = _a2.unknownTagComparators;
+  const toString$2 = Object.prototype.toString;
+  function createEqualityComparator(config) {
+    const supportedComparatorMap = createSupportedComparatorMap(config);
+    const { areArraysEqual: areArraysEqual2, areDatesEqual: areDatesEqual2, areFunctionsEqual, areMapsEqual: areMapsEqual2, areNumbersEqual, areObjectsEqual: areObjectsEqual2, areRegExpsEqual: areRegExpsEqual2, areSetsEqual: areSetsEqual2, getUnsupportedCustomComparator } = config;
     return function comparator2(a2, b, state) {
       if (a2 === b) {
         return true;
@@ -1940,32 +1934,29 @@
       if (a2 == null || b == null) {
         return false;
       }
-      var type = typeof a2;
+      const type = typeof a2;
       if (type !== typeof b) {
         return false;
       }
       if (type !== "object") {
-        if (type === "number") {
-          return areNumbersEqual2(a2, b, state);
+        if (type === "number" || type === "bigint") {
+          return areNumbersEqual(a2, b, state);
         }
         if (type === "function") {
-          return areFunctionsEqual2(a2, b, state);
+          return areFunctionsEqual(a2, b, state);
         }
         return false;
       }
-      var constructor = a2.constructor;
+      const constructor = a2.constructor;
       if (constructor !== b.constructor) {
         return false;
       }
       if (constructor === Object) {
         return areObjectsEqual2(a2, b, state);
       }
-      if (isArray$7(a2)) {
+      if (constructor === Array) {
         return areArraysEqual2(a2, b, state);
       }
-      if (isTypedArray$2 != null && isTypedArray$2(a2)) {
-        return areTypedArraysEqual2(a2, b, state);
-      }
       if (constructor === Date) {
         return areDatesEqual2(a2, b, state);
       }
@@ -1978,79 +1969,55 @@
       if (constructor === Set) {
         return areSetsEqual2(a2, b, state);
       }
-      var tag2 = getTag$4(a2);
-      if (tag2 === DATE_TAG) {
-        return areDatesEqual2(a2, b, state);
-      }
-      if (tag2 === REG_EXP_TAG) {
-        return areRegExpsEqual2(a2, b, state);
-      }
-      if (tag2 === MAP_TAG) {
-        return areMapsEqual2(a2, b, state);
-      }
-      if (tag2 === SET_TAG) {
-        return areSetsEqual2(a2, b, state);
-      }
-      if (tag2 === OBJECT_TAG) {
-        return typeof a2.then !== "function" && typeof b.then !== "function" && areObjectsEqual2(a2, b, state);
-      }
-      if (tag2 === URL_TAG) {
-        return areUrlsEqual2(a2, b, state);
-      }
-      if (tag2 === ERROR_TAG) {
-        return areErrorsEqual2(a2, b, state);
+      if (constructor === Promise) {
+        return false;
       }
-      if (tag2 === ARGUMENTS_TAG) {
-        return areObjectsEqual2(a2, b, state);
+      if (Array.isArray(a2)) {
+        return areArraysEqual2(a2, b, state);
       }
-      if (tag2 === BOOLEAN_TAG || tag2 === NUMBER_TAG || tag2 === STRING_TAG) {
-        return arePrimitiveWrappersEqual2(a2, b, state);
+      const tag = toString$2.call(a2);
+      const supportedComparator = supportedComparatorMap[tag];
+      if (supportedComparator) {
+        return supportedComparator(a2, b, state);
       }
-      if (unknownTagComparators) {
-        var unknownTagComparator = unknownTagComparators[tag2];
-        if (!unknownTagComparator) {
-          var shortTag = getShortTag(a2);
-          if (shortTag) {
-            unknownTagComparator = unknownTagComparators[shortTag];
-          }
-        }
-        if (unknownTagComparator) {
-          return unknownTagComparator(a2, b, state);
-        }
+      const unsupportedCustomComparator = getUnsupportedCustomComparator && getUnsupportedCustomComparator(a2, b, state, tag);
+      if (unsupportedCustomComparator) {
+        return unsupportedCustomComparator(a2, b, state);
       }
       return false;
     };
   }
-  function createEqualityComparatorConfig(_a2) {
-    var circular = _a2.circular, createCustomConfig = _a2.createCustomConfig, strict = _a2.strict;
-    var config = {
+  function createEqualityComparatorConfig({ circular, createCustomConfig, strict }) {
+    let config = {
+      areArrayBuffersEqual,
       areArraysEqual: strict ? areObjectsEqualStrict : areArraysEqual,
+      areDataViewsEqual,
       areDatesEqual,
       areErrorsEqual,
-      areFunctionsEqual,
+      areFunctionsEqual: strictEqual,
       areMapsEqual: strict ? combineComparators(areMapsEqual, areObjectsEqualStrict) : areMapsEqual,
-      areNumbersEqual,
+      areNumbersEqual: sameValueEqual,
       areObjectsEqual: strict ? areObjectsEqualStrict : areObjectsEqual,
       arePrimitiveWrappersEqual,
       areRegExpsEqual,
       areSetsEqual: strict ? combineComparators(areSetsEqual, areObjectsEqualStrict) : areSetsEqual,
-      areTypedArraysEqual: strict ? areObjectsEqualStrict : areTypedArraysEqual,
+      areTypedArraysEqual: strict ? combineComparators(areTypedArraysEqual, areObjectsEqualStrict) : areTypedArraysEqual,
       areUrlsEqual,
-      unknownTagComparators: void 0
+      getUnsupportedCustomComparator: void 0
     };
     if (createCustomConfig) {
-      config = assign$1({}, config, createCustomConfig(config));
+      config = Object.assign({}, config, createCustomConfig(config));
     }
     if (circular) {
-      var areArraysEqual$1 = createIsCircular(config.areArraysEqual);
-      var areMapsEqual$1 = createIsCircular(config.areMapsEqual);
-      var areObjectsEqual$1 = createIsCircular(config.areObjectsEqual);
-      var areSetsEqual$1 = createIsCircular(config.areSetsEqual);
-      config = assign$1({}, config, {
-        areArraysEqual: areArraysEqual$1,
-        areMapsEqual: areMapsEqual$1,
-        areObjectsEqual: areObjectsEqual$1,
-        areSetsEqual: areSetsEqual$1
+      const areArraysEqual2 = createIsCircular(config.areArraysEqual);
+      const areMapsEqual2 = createIsCircular(config.areMapsEqual);
+      const areObjectsEqual2 = createIsCircular(config.areObjectsEqual);
+      const areSetsEqual2 = createIsCircular(config.areSetsEqual);
+      config = Object.assign({}, config, {
+        areArraysEqual: areArraysEqual2,
+        areMapsEqual: areMapsEqual2,
+        areObjectsEqual: areObjectsEqual2,
+        areSetsEqual: areSetsEqual2
       });
     }
     return config;
@@ -2060,13 +2027,12 @@
       return compare2(a2, b, state);
     };
   }
-  function createIsEqual(_a2) {
-    var circular = _a2.circular, comparator2 = _a2.comparator, createState = _a2.createState, equals = _a2.equals, strict = _a2.strict;
+  function createIsEqual({ circular, comparator: comparator2, createState, equals, strict }) {
     if (createState) {
       return function isEqual(a2, b) {
-        var _a3 = createState(), _b2 = _a3.cache, cache2 = _b2 === void 0 ? circular ? /* @__PURE__ */ new WeakMap() : void 0 : _b2, meta = _a3.meta;
+        const { cache = circular ? /* @__PURE__ */ new WeakMap() : void 0, meta } = createState();
         return comparator2(a2, b, {
-          cache: cache2,
+          cache,
           equals,
           meta,
           strict
@@ -2083,7 +2049,7 @@
         });
       };
     }
-    var state = {
+    const state = {
       cache: void 0,
       equals,
       meta: void 0,
@@ -2093,7 +2059,50 @@
       return comparator2(a2, b, state);
     };
   }
-  var deepEqual = createCustomEqual();
+  function createSupportedComparatorMap({ areArrayBuffersEqual: areArrayBuffersEqual2, areArraysEqual: areArraysEqual2, areDataViewsEqual: areDataViewsEqual2, areDatesEqual: areDatesEqual2, areErrorsEqual: areErrorsEqual2, areFunctionsEqual, areMapsEqual: areMapsEqual2, areNumbersEqual, areObjectsEqual: areObjectsEqual2, arePrimitiveWrappersEqual: arePrimitiveWrappersEqual2, areRegExpsEqual: areRegExpsEqual2, areSetsEqual: areSetsEqual2, areTypedArraysEqual: areTypedArraysEqual2, areUrlsEqual: areUrlsEqual2 }) {
+    return {
+      "[object Arguments]": areObjectsEqual2,
+      "[object Array]": areArraysEqual2,
+      "[object ArrayBuffer]": areArrayBuffersEqual2,
+      "[object AsyncGeneratorFunction]": areFunctionsEqual,
+      "[object BigInt]": areNumbersEqual,
+      "[object BigInt64Array]": areTypedArraysEqual2,
+      "[object BigUint64Array]": areTypedArraysEqual2,
+      "[object Boolean]": arePrimitiveWrappersEqual2,
+      "[object DataView]": areDataViewsEqual2,
+      "[object Date]": areDatesEqual2,
+      // If an error tag, it should be tested explicitly. Like RegExp, the properties are not
+      // enumerable, and therefore will give false positives if tested like a standard object.
+      "[object Error]": areErrorsEqual2,
+      "[object Float16Array]": areTypedArraysEqual2,
+      "[object Float32Array]": areTypedArraysEqual2,
+      "[object Float64Array]": areTypedArraysEqual2,
+      "[object Function]": areFunctionsEqual,
+      "[object GeneratorFunction]": areFunctionsEqual,
+      "[object Int8Array]": areTypedArraysEqual2,
+      "[object Int16Array]": areTypedArraysEqual2,
+      "[object Int32Array]": areTypedArraysEqual2,
+      "[object Map]": areMapsEqual2,
+      "[object Number]": arePrimitiveWrappersEqual2,
+      "[object Object]": (a2, b, state) => (
+        // The exception for value comparison is custom `Promise`-like class instances. These should
+        // be treated the same as standard `Promise` objects, which means strict equality, and if
+        // it reaches this point then that strict equality comparison has already failed.
+        typeof a2.then !== "function" && typeof b.then !== "function" && areObjectsEqual2(a2, b, state)
+      ),
+      // For RegExp, the properties are not enumerable, and therefore will give false positives if
+      // tested like a standard object.
+      "[object RegExp]": areRegExpsEqual2,
+      "[object Set]": areSetsEqual2,
+      "[object String]": arePrimitiveWrappersEqual2,
+      "[object URL]": areUrlsEqual2,
+      "[object Uint8Array]": areTypedArraysEqual2,
+      "[object Uint8ClampedArray]": areTypedArraysEqual2,
+      "[object Uint16Array]": areTypedArraysEqual2,
+      "[object Uint32Array]": areTypedArraysEqual2
+    };
+  }
+  const deepEqual = createCustomEqual();
   createCustomEqual({ strict: true });
   createCustomEqual({ circular: true });
   createCustomEqual({
@@ -2101,37 +2110,26 @@
     strict: true
   });
   createCustomEqual({
-    createInternalComparator: function() {
-      return sameValueZeroEqual;
-    }
+    createInternalComparator: () => sameValueEqual
   });
   createCustomEqual({
     strict: true,
-    createInternalComparator: function() {
-      return sameValueZeroEqual;
-    }
+    createInternalComparator: () => sameValueEqual
   });
   createCustomEqual({
     circular: true,
-    createInternalComparator: function() {
-      return sameValueZeroEqual;
-    }
+    createInternalComparator: () => sameValueEqual
   });
   createCustomEqual({
     circular: true,
-    createInternalComparator: function() {
-      return sameValueZeroEqual;
-    },
+    createInternalComparator: () => sameValueEqual,
     strict: true
   });
-  function createCustomEqual(options2) {
-    if (options2 === void 0) {
-      options2 = {};
-    }
-    var _a2 = options2.circular, circular = _a2 === void 0 ? false : _a2, createCustomInternalComparator = options2.createInternalComparator, createState = options2.createState, _b2 = options2.strict, strict = _b2 === void 0 ? false : _b2;
-    var config = createEqualityComparatorConfig(options2);
-    var comparator2 = createEqualityComparator(config);
-    var equals = createCustomInternalComparator ? createCustomInternalComparator(comparator2) : createInternalEqualityComparator(comparator2);
+  function createCustomEqual(options2 = {}) {
+    const { circular = false, createInternalComparator: createCustomInternalComparator, createState, strict = false } = options2;
+    const config = createEqualityComparatorConfig(options2);
+    const comparator2 = createEqualityComparator(config);
+    const equals = createCustomInternalComparator ? createCustomInternalComparator(comparator2) : createInternalEqualityComparator(comparator2);
     return createIsEqual({ circular, comparator: comparator2, createState, equals, strict });
   }
   function listCacheClear$1() {
@@ -2245,7 +2243,7 @@
   var nativeObjectToString$1 = objectProto$j.toString;
   var symToStringTag$1 = Symbol$3 ? Symbol$3.toStringTag : void 0;
   function getRawTag$1(value) {
-    var isOwn = hasOwnProperty$c.call(value, symToStringTag$1), tag2 = value[symToStringTag$1];
+    var isOwn = hasOwnProperty$c.call(value, symToStringTag$1), tag = value[symToStringTag$1];
     try {
       value[symToStringTag$1] = void 0;
       var unmasked = true;
@@ -2254,7 +2252,7 @@
     var result = nativeObjectToString$1.call(value);
     if (unmasked) {
       if (isOwn) {
-        value[symToStringTag$1] = tag2;
+        value[symToStringTag$1] = tag;
       } else {
         delete value[symToStringTag$1];
       }
@@ -2278,19 +2276,19 @@
     return symToStringTag && symToStringTag in Object(value) ? getRawTag(value) : objectToString$7(value);
   }
   var _baseGetTag = baseGetTag$4;
-  function isObject$a(value) {
+  function isObject$9(value) {
     var type = typeof value;
     return value != null && (type == "object" || type == "function");
   }
-  var isObject_1 = isObject$a;
-  var baseGetTag$3 = _baseGetTag, isObject$9 = isObject_1;
+  var isObject_1 = isObject$9;
+  var baseGetTag$3 = _baseGetTag, isObject$8 = isObject_1;
   var asyncTag = "[object AsyncFunction]", funcTag$3 = "[object Function]", genTag$2 = "[object GeneratorFunction]", proxyTag = "[object Proxy]";
   function isFunction$3(value) {
-    if (!isObject$9(value)) {
+    if (!isObject$8(value)) {
       return false;
     }
-    var tag2 = baseGetTag$3(value);
-    return tag2 == funcTag$3 || tag2 == genTag$2 || tag2 == asyncTag || tag2 == proxyTag;
+    var tag = baseGetTag$3(value);
+    return tag == funcTag$3 || tag == genTag$2 || tag == asyncTag || tag == proxyTag;
   }
   var isFunction_1 = isFunction$3;
   var root$6 = _root;
@@ -2321,7 +2319,7 @@
     return "";
   }
   var _toSource = toSource$2;
-  var isFunction$2 = isFunction_1, isMasked = _isMasked, isObject$8 = isObject_1, toSource$1 = _toSource;
+  var isFunction$2 = isFunction_1, isMasked = _isMasked, isObject$7 = isObject_1, toSource$1 = _toSource;
   var reRegExpChar = /[\\^$.*+?()[\]{}|]/g;
   var reIsHostCtor = /^\[object .+?Constructor\]$/;
   var funcProto$1 = Function.prototype, objectProto$h = Object.prototype;
@@ -2331,7 +2329,7 @@
     "^" + funcToString$1.call(hasOwnProperty$b).replace(reRegExpChar, "\\$&").replace(/hasOwnProperty|(function).*?(?=\\\()| for .+?(?=\\\])/g, "$1.*?") + "$"
   );
   function baseIsNative$1(value) {
-    if (!isObject$8(value) || isMasked(value)) {
+    if (!isObject$7(value) || isMasked(value)) {
       return false;
     }
     var pattern = isFunction$2(value) ? reIsNative : reIsHostCtor;
@@ -2573,24 +2571,24 @@
     return result;
   }
   var _baseTimes = baseTimes$2;
-  function isObjectLike$e(value) {
+  function isObjectLike$d(value) {
     return value != null && typeof value == "object";
   }
-  var isObjectLike_1 = isObjectLike$e;
-  var baseGetTag$2 = _baseGetTag, isObjectLike$d = isObjectLike_1;
+  var isObjectLike_1 = isObjectLike$d;
+  var baseGetTag$2 = _baseGetTag, isObjectLike$c = isObjectLike_1;
   var argsTag$3 = "[object Arguments]";
   function baseIsArguments$1(value) {
-    return isObjectLike$d(value) && baseGetTag$2(value) == argsTag$3;
+    return isObjectLike$c(value) && baseGetTag$2(value) == argsTag$3;
   }
   var _baseIsArguments = baseIsArguments$1;
-  var baseIsArguments = _baseIsArguments, isObjectLike$c = isObjectLike_1;
+  var baseIsArguments = _baseIsArguments, isObjectLike$b = isObjectLike_1;
   var objectProto$d = Object.prototype;
   var hasOwnProperty$7 = objectProto$d.hasOwnProperty;
   var propertyIsEnumerable$2 = objectProto$d.propertyIsEnumerable;
   var isArguments$2 = baseIsArguments(/* @__PURE__ */ function() {
     return arguments;
   }()) ? baseIsArguments : function(value) {
-    return isObjectLike$c(value) && hasOwnProperty$7.call(value, "callee") && !propertyIsEnumerable$2.call(value, "callee");
+    return isObjectLike$b(value) && hasOwnProperty$7.call(value, "callee") && !propertyIsEnumerable$2.call(value, "callee");
   };
   var isArguments_1 = isArguments$2;
   var isArray$6 = Array.isArray;
@@ -2625,14 +2623,14 @@
     return typeof value == "number" && value > -1 && value % 1 == 0 && value <= MAX_SAFE_INTEGER$3;
   }
   var isLength_1 = isLength$3;
-  var baseGetTag$1 = _baseGetTag, isLength$2 = isLength_1, isObjectLike$b = isObjectLike_1;
+  var baseGetTag$1 = _baseGetTag, isLength$2 = isLength_1, isObjectLike$a = isObjectLike_1;
   var argsTag$2 = "[object Arguments]", arrayTag$1 = "[object Array]", boolTag$3 = "[object Boolean]", dateTag$2 = "[object Date]", errorTag$1 = "[object Error]", funcTag$2 = "[object Function]", mapTag$4 = "[object Map]", numberTag$3 = "[object Number]", objectTag$3 = "[object Object]", regexpTag$2 = "[object RegExp]", setTag$4 = "[object Set]", stringTag$4 = "[object String]", weakMapTag$2 = "[object WeakMap]";
   var arrayBufferTag$2 = "[object ArrayBuffer]", dataViewTag$3 = "[object DataView]", float32Tag$2 = "[object Float32Array]", float64Tag$2 = "[object Float64Array]", int8Tag$2 = "[object Int8Array]", int16Tag$2 = "[object Int16Array]", int32Tag$2 = "[object Int32Array]", uint8Tag$2 = "[object Uint8Array]", uint8ClampedTag$2 = "[object Uint8ClampedArray]", uint16Tag$2 = "[object Uint16Array]", uint32Tag$2 = "[object Uint32Array]";
   var typedArrayTags = {};
   typedArrayTags[float32Tag$2] = typedArrayTags[float64Tag$2] = typedArrayTags[int8Tag$2] = typedArrayTags[int16Tag$2] = typedArrayTags[int32Tag$2] = typedArrayTags[uint8Tag$2] = typedArrayTags[uint8ClampedTag$2] = typedArrayTags[uint16Tag$2] = typedArrayTags[uint32Tag$2] = true;
   typedArrayTags[argsTag$2] = typedArrayTags[arrayTag$1] = typedArrayTags[arrayBufferTag$2] = typedArrayTags[boolTag$3] = typedArrayTags[dataViewTag$3] = typedArrayTags[dateTag$2] = typedArrayTags[errorTag$1] = typedArrayTags[funcTag$2] = typedArrayTags[mapTag$4] = typedArrayTags[numberTag$3] = typedArrayTags[objectTag$3] = typedArrayTags[regexpTag$2] = typedArrayTags[setTag$4] = typedArrayTags[stringTag$4] = typedArrayTags[weakMapTag$2] = false;
   function baseIsTypedArray$1(value) {
-    return isObjectLike$b(value) && isLength$2(value.length) && !!typedArrayTags[baseGetTag$1(value)];
+    return isObjectLike$a(value) && isLength$2(value.length) && !!typedArrayTags[baseGetTag$1(value)];
   }
   var _baseIsTypedArray = baseIsTypedArray$1;
   function baseUnary$3(func) {
@@ -2739,11 +2737,11 @@
     return result;
   }
   var _nativeKeysIn = nativeKeysIn$1;
-  var isObject$7 = isObject_1, isPrototype$2 = _isPrototype, nativeKeysIn = _nativeKeysIn;
+  var isObject$6 = isObject_1, isPrototype$2 = _isPrototype, nativeKeysIn = _nativeKeysIn;
   var objectProto$9 = Object.prototype;
   var hasOwnProperty$4 = objectProto$9.hasOwnProperty;
   function baseKeysIn$1(object) {
-    if (!isObject$7(object)) {
+    if (!isObject$6(object)) {
       return nativeKeysIn(object);
     }
     var isProto = isPrototype$2(object), result = [];
@@ -2957,9 +2955,9 @@
   var cloneArrayBuffer = _cloneArrayBuffer, cloneDataView = _cloneDataView, cloneRegExp = _cloneRegExp, cloneSymbol = _cloneSymbol, cloneTypedArray = _cloneTypedArray;
   var boolTag$2 = "[object Boolean]", dateTag$1 = "[object Date]", mapTag$2 = "[object Map]", numberTag$2 = "[object Number]", regexpTag$1 = "[object RegExp]", setTag$2 = "[object Set]", stringTag$3 = "[object String]", symbolTag$4 = "[object Symbol]";
   var arrayBufferTag$1 = "[object ArrayBuffer]", dataViewTag$1 = "[object DataView]", float32Tag$1 = "[object Float32Array]", float64Tag$1 = "[object Float64Array]", int8Tag$1 = "[object Int8Array]", int16Tag$1 = "[object Int16Array]", int32Tag$1 = "[object Int32Array]", uint8Tag$1 = "[object Uint8Array]", uint8ClampedTag$1 = "[object Uint8ClampedArray]", uint16Tag$1 = "[object Uint16Array]", uint32Tag$1 = "[object Uint32Array]";
-  function initCloneByTag$1(object, tag2, isDeep) {
+  function initCloneByTag$1(object, tag, isDeep) {
     var Ctor = object.constructor;
-    switch (tag2) {
+    switch (tag) {
       case arrayBufferTag$1:
         return cloneArrayBuffer(object);
       case boolTag$2:
@@ -2991,13 +2989,13 @@
     }
   }
   var _initCloneByTag = initCloneByTag$1;
-  var isObject$6 = isObject_1;
+  var isObject$5 = isObject_1;
   var objectCreate = Object.create;
   var baseCreate$1 = /* @__PURE__ */ function() {
     function object() {
     }
     return function(proto) {
-      if (!isObject$6(proto)) {
+      if (!isObject$5(proto)) {
         return {};
       }
       if (objectCreate) {
@@ -3015,27 +3013,27 @@
     return typeof object.constructor == "function" && !isPrototype$1(object) ? baseCreate(getPrototype$1(object)) : {};
   }
   var _initCloneObject = initCloneObject$1;
-  var getTag$2 = _getTag, isObjectLike$a = isObjectLike_1;
+  var getTag$2 = _getTag, isObjectLike$9 = isObjectLike_1;
   var mapTag$1 = "[object Map]";
   function baseIsMap$1(value) {
-    return isObjectLike$a(value) && getTag$2(value) == mapTag$1;
+    return isObjectLike$9(value) && getTag$2(value) == mapTag$1;
   }
   var _baseIsMap = baseIsMap$1;
   var baseIsMap = _baseIsMap, baseUnary$1 = _baseUnary, nodeUtil$1 = _nodeUtilExports;
   var nodeIsMap = nodeUtil$1 && nodeUtil$1.isMap;
   var isMap$1 = nodeIsMap ? baseUnary$1(nodeIsMap) : baseIsMap;
   var isMap_1 = isMap$1;
-  var getTag$1 = _getTag, isObjectLike$9 = isObjectLike_1;
+  var getTag$1 = _getTag, isObjectLike$8 = isObjectLike_1;
   var setTag$1 = "[object Set]";
   function baseIsSet$1(value) {
-    return isObjectLike$9(value) && getTag$1(value) == setTag$1;
+    return isObjectLike$8(value) && getTag$1(value) == setTag$1;
   }
   var _baseIsSet = baseIsSet$1;
   var baseIsSet = _baseIsSet, baseUnary = _baseUnary, nodeUtil = _nodeUtilExports;
   var nodeIsSet = nodeUtil && nodeUtil.isSet;
   var isSet$1 = nodeIsSet ? baseUnary(nodeIsSet) : baseIsSet;
   var isSet_1 = isSet$1;
-  var Stack = _Stack, arrayEach = _arrayEach, assignValue = _assignValue, baseAssign = _baseAssign, baseAssignIn = _baseAssignIn, cloneBuffer = _cloneBufferExports, copyArray = _copyArray, copySymbols = _copySymbols, copySymbolsIn = _copySymbolsIn, getAllKeys = _getAllKeys, getAllKeysIn = _getAllKeysIn, getTag = _getTag, initCloneArray = _initCloneArray, initCloneByTag = _initCloneByTag, initCloneObject = _initCloneObject, isArray$3 = isArray_1, isBuffer = isBufferExports, isMap = isMap_1, isObject$5 = isObject_1, isSet = isSet_1, keys$1 = keys_1, keysIn = keysIn_1;
+  var Stack = _Stack, arrayEach = _arrayEach, assignValue = _assignValue, baseAssign = _baseAssign, baseAssignIn = _baseAssignIn, cloneBuffer = _cloneBufferExports, copyArray = _copyArray, copySymbols = _copySymbols, copySymbolsIn = _copySymbolsIn, getAllKeys = _getAllKeys, getAllKeysIn = _getAllKeysIn, getTag = _getTag, initCloneArray = _initCloneArray, initCloneByTag = _initCloneByTag, initCloneObject = _initCloneObject, isArray$3 = isArray_1, isBuffer = isBufferExports, isMap = isMap_1, isObject$4 = isObject_1, isSet = isSet_1, keys$1 = keys_1, keysIn = keysIn_1;
   var CLONE_DEEP_FLAG$1 = 1, CLONE_FLAT_FLAG = 2, CLONE_SYMBOLS_FLAG$1 = 4;
   var argsTag$1 = "[object Arguments]", arrayTag = "[object Array]", boolTag$1 = "[object Boolean]", dateTag = "[object Date]", errorTag = "[object Error]", funcTag$1 = "[object Function]", genTag$1 = "[object GeneratorFunction]", mapTag = "[object Map]", numberTag$1 = "[object Number]", objectTag$1 = "[object Object]", regexpTag = "[object RegExp]", setTag = "[object Set]", stringTag$2 = "[object String]", symbolTag$3 = "[object Symbol]", weakMapTag = "[object WeakMap]";
   var arrayBufferTag = "[object ArrayBuffer]", dataViewTag = "[object DataView]", float32Tag = "[object Float32Array]", float64Tag = "[object Float64Array]", int8Tag = "[object Int8Array]", int16Tag = "[object Int16Array]", int32Tag = "[object Int32Array]", uint8Tag = "[object Uint8Array]", uint8ClampedTag = "[object Uint8ClampedArray]", uint16Tag = "[object Uint16Array]", uint32Tag = "[object Uint32Array]";
@@ -3050,7 +3048,7 @@
     if (result !== void 0) {
       return result;
     }
-    if (!isObject$5(value)) {
+    if (!isObject$4(value)) {
       return value;
     }
     var isArr = isArray$3(value);
@@ -3060,20 +3058,20 @@
         return copyArray(value, result);
       }
     } else {
-      var tag2 = getTag(value), isFunc = tag2 == funcTag$1 || tag2 == genTag$1;
+      var tag = getTag(value), isFunc = tag == funcTag$1 || tag == genTag$1;
       if (isBuffer(value)) {
         return cloneBuffer(value, isDeep);
       }
-      if (tag2 == objectTag$1 || tag2 == argsTag$1 || isFunc && !object) {
+      if (tag == objectTag$1 || tag == argsTag$1 || isFunc && !object) {
         result = isFlat || isFunc ? {} : initCloneObject(value);
         if (!isDeep) {
           return isFlat ? copySymbolsIn(value, baseAssignIn(result, value)) : copySymbols(value, baseAssign(result, value));
         }
       } else {
-        if (!cloneableTags[tag2]) {
+        if (!cloneableTags[tag]) {
           return object ? value : {};
         }
-        result = initCloneByTag(value, tag2, isDeep);
+        result = initCloneByTag(value, tag, isDeep);
       }
     }
     stack || (stack = new Stack());
@@ -3381,7 +3379,10 @@
         if (!relation) {
           throw new Error(`Relation '${relationKey}' not found in collection '${currentCollection.slug}'`);
         }
-        currentCollection = relation.target();
+        const target = relation.target();
+        const targetRelationKey = relation.relationName || target.slug;
+        const targetSlug = relation.overrides?.slug ?? targetRelationKey;
+        currentCollection = this.get(targetSlug) || this.normalizeCollection(target);
         if (i2 + 1 < pathSegments.length) ;
       }
       return currentCollection;
@@ -3430,7 +3431,7 @@
           if (!subcollection) {
             throw new Error(`Subcollection '${subcollectionSlug}' not found in ${currentCollection.slug}`);
           }
-          currentCollection = subcollection;
+          currentCollection = this.get(subcollection.slug) || this.normalizeCollection(subcollection);
           collections.push(currentCollection);
         }
       }
@@ -3465,16 +3466,15 @@
           const filePath = path__namespace.join(directory, file);
           try {
             const fileUrl = require$$0$2.pathToFileURL(filePath).href;
-            const dynamicImport = new Function("url", "return import(url)");
-            const module2 = await dynamicImport(fileUrl);
+            const module2 = await import(fileUrl);
             if (module2 && module2.default) {
               collections.push(module2.default);
             } else {
               console.warn(`[loadCollectionsFromDirectory] File ${file} does not have a default export. Skipping.`);
             }
           } catch (err) {
-            const message2 = err instanceof Error ? err.message : String(err);
-            console.error(`[loadCollectionsFromDirectory] Failed to load collection from ${file}: ${message2}`);
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`[loadCollectionsFromDirectory] Failed to load collection from ${file}: ${message}`);
           }
         }
       }
@@ -3557,34 +3557,34 @@
     statusCode;
     code;
     details;
-    constructor(statusCode, code2, message2, details) {
-      super(message2);
+    constructor(statusCode, code2, message, details) {
+      super(message);
       this.name = "ApiError";
       this.statusCode = statusCode;
       this.code = code2;
       this.details = details;
     }
     // ── Factory methods ──────────────────────────────────────────────
-    static badRequest(message2, code2 = "BAD_REQUEST", details) {
-      return new ApiError(400, code2, message2, details);
+    static badRequest(message, code2 = "BAD_REQUEST", details) {
+      return new ApiError(400, code2, message, details);
     }
-    static unauthorized(message2, code2 = "UNAUTHORIZED") {
-      return new ApiError(401, code2, message2);
+    static unauthorized(message, code2 = "UNAUTHORIZED") {
+      return new ApiError(401, code2, message);
     }
-    static forbidden(message2, code2 = "FORBIDDEN") {
-      return new ApiError(403, code2, message2);
+    static forbidden(message, code2 = "FORBIDDEN") {
+      return new ApiError(403, code2, message);
     }
-    static notFound(message2, code2 = "NOT_FOUND") {
-      return new ApiError(404, code2, message2);
+    static notFound(message, code2 = "NOT_FOUND") {
+      return new ApiError(404, code2, message);
     }
-    static conflict(message2, code2 = "CONFLICT") {
-      return new ApiError(409, code2, message2);
+    static conflict(message, code2 = "CONFLICT") {
+      return new ApiError(409, code2, message);
     }
-    static internal(message2, code2 = "INTERNAL_ERROR") {
-      return new ApiError(500, code2, message2);
+    static internal(message, code2 = "INTERNAL_ERROR") {
+      return new ApiError(500, code2, message);
     }
-    static serviceUnavailable(message2, code2 = "SERVICE_UNAVAILABLE") {
-      return new ApiError(503, code2, message2);
+    static serviceUnavailable(message, code2 = "SERVICE_UNAVAILABLE") {
+      return new ApiError(503, code2, message);
     }
   }
   const errorHandler = (err, c) => {
@@ -3624,7 +3624,8 @@
     console.error(`❌ [API] ${c.req.method} ${c.req.path} → ${statusCode} ${code2}: ${logMessage}`);
     const causePg = error2.cause && typeof error2.cause === "object" ? error2.cause : void 0;
     const pgErrorCode = causePg?.code || error2.code;
-    if (pgErrorCode !== "42703" && pgErrorCode !== "42P01") {
+    const suppressStack = pgErrorCode === "42703" || pgErrorCode === "42P01" || statusCode < 500 && code2 === "BAD_REQUEST";
+    if (!suppressStack) {
       console.error(error2.stack || error2);
     }
     let clientMessage = "An unexpected error occurred";
@@ -3712,8 +3713,8 @@
         }
         Object.assign(options2.where, parsedWhere);
       } catch (e) {
-        const message2 = e instanceof Error ? e.message : "malformed JSON";
-        const err = new Error(`Invalid 'where' filter: ${message2}`);
+        const message = e instanceof Error ? e.message : "malformed JSON";
+        const err = new Error(`Invalid 'where' filter: ${message}`);
         err.code = "BAD_REQUEST";
         err.statusCode = 400;
         throw err;
@@ -3797,11 +3798,24 @@
     collections;
     router;
     driver;
-    constructor(collections, driver) {
+    dataHooks;
+    constructor(collections, driver, dataHooks) {
       this.collections = collections;
       this.driver = driver;
+      this.dataHooks = dataHooks;
       this.router = new hono.Hono();
     }
+    /** Build a BackendHookContext from a Hono context */
+    buildHookContext(c, method) {
+      const user = c.get("user");
+      return {
+        requestUser: user ? {
+          userId: user.userId,
+          roles: user.roles ?? []
+        } : void 0,
+        method
+      };
+    }
     /**
      * Generate REST routes using existing DataDriver
      */
@@ -3813,16 +3827,10 @@
       return this.router;
     }
     /**
-     * Get the EntityFetchService from a driver if it exposes one (for include support)
+     * Get the typed RestFetchService from a driver if it exposes one (for include support).
      */
     getFetchService(driver) {
-      if ("entityService" in driver && typeof driver.entityService === "object" && driver.entityService) {
-        const es = driver.entityService;
-        if (typeof es.getFetchService === "function") {
-          return es.getFetchService();
-        }
-      }
-      return null;
+      return driver.restFetchService;
     }
     /**
      * Create REST routes for a collection using existing Rebase patterns
@@ -3830,15 +3838,26 @@
     createCollectionRoutes(collection) {
       const basePath = `/${collection.slug}`;
       const resolvedCollection = collection;
+      this.router.get(`${basePath}/count`, async (c) => {
+        const queryDict = c.req.query();
+        const queryOptions = parseQueryOptions(queryDict);
+        const searchString = queryDict.searchString;
+        const driver = c.get("driver") || this.driver;
+        const total = await this.countRawEntities(driver, resolvedCollection, queryOptions, searchString);
+        return c.json({
+          count: total
+        });
+      });
       this.router.get(basePath, async (c) => {
         const queryDict = c.req.query();
         const queryOptions = parseQueryOptions(queryDict);
         const searchString = queryDict.searchString;
         const driver = c.get("driver") || this.driver;
         const fetchService = this.getFetchService(driver);
+        const hookCtx = this.buildHookContext(c, "GET");
         if (fetchService) {
           const collectionPath = collection.slug;
-          const entities2 = await fetchService.fetchCollectionForRest(collectionPath, {
+          let entities2 = await fetchService.fetchCollectionForRest(collectionPath, {
             filter: queryOptions.where,
             limit: queryOptions.limit,
             offset: queryOptions.offset,
@@ -3846,6 +3865,7 @@
             order: queryOptions.orderBy?.[0]?.direction === "desc" ? "desc" : "asc",
             searchString
           }, queryOptions.include);
+          entities2 = await this.applyAfterReadBatch(collection.slug, entities2, hookCtx);
           const total2 = await this.countRawEntities(driver, resolvedCollection, queryOptions, searchString);
           return c.json({
             data: entities2,
@@ -3857,7 +3877,8 @@
             }
           });
         }
-        const entities = await this.fetchRawCollection(driver, resolvedCollection, queryOptions, searchString);
+        let entities = await this.fetchRawCollection(driver, resolvedCollection, queryOptions, searchString);
+        entities = await this.applyAfterReadBatch(collection.slug, entities, hookCtx);
         const total = await this.countRawEntities(driver, resolvedCollection, queryOptions, searchString);
         return c.json({
           data: entities,
@@ -3875,15 +3896,24 @@
         const queryOptions = parseQueryOptions(queryDict);
         const driver = c.get("driver") || this.driver;
         const fetchService = this.getFetchService(driver);
+        const hookCtx = this.buildHookContext(c, "GET");
         if (fetchService) {
           const collectionPath = collection.slug;
-          const entity2 = await fetchService.fetchEntityForRest(collectionPath, String(id), queryOptions.include);
+          let entity2 = await fetchService.fetchEntityForRest(collectionPath, String(id), queryOptions.include);
+          if (!entity2) {
+            throw ApiError.notFound("Entity not found");
+          }
+          entity2 = await this.applyAfterRead(collection.slug, entity2, hookCtx);
           if (!entity2) {
             throw ApiError.notFound("Entity not found");
           }
           return c.json(entity2);
         }
-        const entity = await this.fetchRawEntity(driver, resolvedCollection, String(id));
+        let entity = await this.fetchRawEntity(driver, resolvedCollection, String(id));
+        if (!entity) {
+          throw ApiError.notFound("Entity not found");
+        }
+        entity = await this.applyAfterRead(collection.slug, entity, hookCtx);
         if (!entity) {
           throw ApiError.notFound("Entity not found");
         }
@@ -3893,14 +3923,24 @@
         try {
           const driver = c.get("driver") || this.driver;
           const path2 = collection.slug;
-          const body = await c.req.json().catch(() => ({}));
+          const hookCtx = this.buildHookContext(c, "POST");
+          let body = await c.req.json().catch(() => ({}));
+          if (this.dataHooks?.beforeSave) {
+            body = await this.dataHooks.beforeSave(path2, body, void 0, hookCtx);
+          }
           const entity = await driver.saveEntity({
             path: path2,
             values: body,
             collection: resolvedCollection,
             status: "new"
           });
-          return c.json(this.formatResponse(entity), 201);
+          const response = this.formatResponse(entity);
+          if (this.dataHooks?.afterSave) {
+            Promise.resolve(this.dataHooks.afterSave(path2, response, hookCtx)).catch((err) => {
+              console.error("[BackendHooks] data.afterSave error:", err instanceof Error ? err.message : err);
+            });
+          }
+          return c.json(response, 201);
         } catch (error2) {
           const err = error2;
           err.code = err.code || "BAD_REQUEST";
@@ -3911,6 +3951,7 @@
         try {
           const id = c.req.param("id");
           const driver = c.get("driver") || this.driver;
+          const hookCtx = this.buildHookContext(c, "PUT");
           const existingEntity = await driver.fetchEntity({
             path: collection.slug,
             entityId: String(id),
@@ -3919,7 +3960,10 @@
           if (!existingEntity) {
             throw ApiError.notFound("Entity not found");
           }
-          const body = await c.req.json().catch(() => ({}));
+          let body = await c.req.json().catch(() => ({}));
+          if (this.dataHooks?.beforeSave) {
+            body = await this.dataHooks.beforeSave(collection.slug, body, String(id), hookCtx);
+          }
           const entity = await driver.saveEntity({
             path: collection.slug,
             entityId: String(id),
@@ -3927,7 +3971,13 @@
             collection: resolvedCollection,
             status: "existing"
           });
-          return c.json(this.formatResponse(entity));
+          const response = this.formatResponse(entity);
+          if (this.dataHooks?.afterSave) {
+            Promise.resolve(this.dataHooks.afterSave(collection.slug, response, hookCtx)).catch((err) => {
+              console.error("[BackendHooks] data.afterSave error:", err instanceof Error ? err.message : err);
+            });
+          }
+          return c.json(response);
         } catch (error2) {
           const err = error2;
           err.code = err.code || "BAD_REQUEST";
@@ -3937,6 +3987,7 @@
       this.router.delete(`${basePath}/:id`, async (c) => {
         const id = c.req.param("id");
         const driver = c.get("driver") || this.driver;
+        const hookCtx = this.buildHookContext(c, "DELETE");
         const existingEntity = await driver.fetchEntity({
           path: collection.slug,
           entityId: String(id),
@@ -3945,10 +3996,18 @@
         if (!existingEntity) {
           throw ApiError.notFound("Entity not found");
         }
+        if (this.dataHooks?.beforeDelete) {
+          await this.dataHooks.beforeDelete(collection.slug, String(id), hookCtx);
+        }
         await driver.deleteEntity({
           entity: existingEntity,
           collection: resolvedCollection
         });
+        if (this.dataHooks?.afterDelete) {
+          Promise.resolve(this.dataHooks.afterDelete(collection.slug, String(id), hookCtx)).catch((err) => {
+            console.error("[BackendHooks] data.afterDelete error:", err instanceof Error ? err.message : err);
+          });
+        }
         return new Response(null, {
           status: 204
         });
@@ -3997,7 +4056,18 @@
         const parsed = parseSubPath(rawPath);
         if (!parsed) return next();
         const driver = c.get("driver") || this.driver;
-        if (parsed.entityId) {
+        if (parsed.entityId === "count") {
+          const queryDict = c.req.query();
+          const queryOptions = parseQueryOptions(queryDict);
+          const total = driver.countEntities ? await driver.countEntities({
+            path: parsed.collectionPath,
+            filter: queryOptions.where,
+            searchString: queryDict.searchString
+          }) : 0;
+          return c.json({
+            count: total
+          });
+        } else if (parsed.entityId) {
           const entity = await driver.fetchEntity({
             path: parsed.collectionPath,
             entityId: parsed.entityId
@@ -4155,6 +4225,22 @@
       });
       return entity ? this.flattenEntity(entity) : null;
     }
+    /**
+     * Apply data.afterRead hook to a single entity.
+     * Returns the transformed entity, or null to filter it out.
+     */
+    async applyAfterRead(slug, entity, ctx) {
+      if (!this.dataHooks?.afterRead) return entity;
+      return this.dataHooks.afterRead(slug, entity, ctx);
+    }
+    /**
+     * Apply data.afterRead hook to an array of entities, filtering out nulls.
+     */
+    async applyAfterReadBatch(slug, entities, ctx) {
+      if (!this.dataHooks?.afterRead) return entities;
+      const results = await Promise.all(entities.map((e) => this.applyAfterRead(slug, e, ctx)));
+      return results.filter((e) => e !== null);
+    }
   }
   var jws$5 = {};
   var safeBuffer = { exports: {} };
@@ -4736,11 +4822,11 @@
   var toString = tostring;
   var util$4 = require$$5;
   var JWS_REGEX = /^[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?\.([a-zA-Z0-9\-_]+)?$/;
-  function isObject$4(thing) {
+  function isObject$3(thing) {
     return Object.prototype.toString.call(thing) === "[object Object]";
   }
   function safeJsonParse(thing) {
-    if (isObject$4(thing))
+    if (isObject$3(thing))
       return thing;
     try {
       return JSON.parse(thing);
@@ -4866,7 +4952,7 @@
     return new VerifyStream(opts);
   };
   var jws$4 = jws$5;
-  var decode$3 = function(jwt2, options2) {
+  var decode$2 = function(jwt2, options2) {
     options2 = options2 || {};
     var decoded = jws$4.decode(jwt2, options2);
     if (!decoded) {
@@ -4891,21 +4977,21 @@
     }
     return payload;
   };
-  var JsonWebTokenError$3 = function(message2, error2) {
-    Error.call(this, message2);
+  var JsonWebTokenError$3 = function(message, error2) {
+    Error.call(this, message);
     if (Error.captureStackTrace) {
       Error.captureStackTrace(this, this.constructor);
     }
     this.name = "JsonWebTokenError";
-    this.message = message2;
+    this.message = message;
     if (error2) this.inner = error2;
   };
   JsonWebTokenError$3.prototype = Object.create(Error.prototype);
   JsonWebTokenError$3.prototype.constructor = JsonWebTokenError$3;
   var JsonWebTokenError_1 = JsonWebTokenError$3;
   var JsonWebTokenError$2 = JsonWebTokenError_1;
-  var NotBeforeError$1 = function(message2, date) {
-    JsonWebTokenError$2.call(this, message2);
+  var NotBeforeError$1 = function(message, date) {
+    JsonWebTokenError$2.call(this, message);
     this.name = "NotBeforeError";
     this.date = date;
   };
@@ -4913,8 +4999,8 @@
   NotBeforeError$1.prototype.constructor = NotBeforeError$1;
   var NotBeforeError_1 = NotBeforeError$1;
   var JsonWebTokenError$1 = JsonWebTokenError_1;
-  var TokenExpiredError$1 = function(message2, expiredAt) {
-    JsonWebTokenError$1.call(this, message2);
+  var TokenExpiredError$1 = function(message, expiredAt) {
+    JsonWebTokenError$1.call(this, message);
     this.name = "TokenExpiredError";
     this.expiredAt = expiredAt;
   };
@@ -5779,7 +5865,7 @@
       parseRange(range2) {
         const memoOpts = (this.options.includePrerelease && FLAG_INCLUDE_PRERELEASE) | (this.options.loose && FLAG_LOOSE);
         const memoKey = memoOpts + ":" + range2;
-        const cached = cache2.get(memoKey);
+        const cached = cache.get(memoKey);
         if (cached) {
           return cached;
         }
@@ -5813,7 +5899,7 @@
           rangeMap.delete("");
         }
         const result = [...rangeMap.values()];
-        cache2.set(memoKey, result);
+        cache.set(memoKey, result);
         return result;
       }
       intersects(range2, options2) {
@@ -5852,7 +5938,7 @@
     }
     range = Range2;
     const LRU = lrucache;
-    const cache2 = new LRU();
+    const cache = new LRU();
     const parseOptions2 = parseOptions_1;
     const Comparator2 = requireComparator();
     const debug2 = debug_1;
@@ -6729,7 +6815,7 @@
   const JsonWebTokenError = JsonWebTokenError_1;
   const NotBeforeError = NotBeforeError_1;
   const TokenExpiredError = TokenExpiredError_1;
-  const decode$2 = decode$3;
+  const decode$1 = decode$2;
   const timespan$1 = timespan$2;
   const validateAsymmetricKey$1 = validateAsymmetricKey$2;
   const PS_SUPPORTED$1 = psSupported;
@@ -6783,7 +6869,7 @@
     }
     let decodedToken;
     try {
-      decodedToken = decode$2(jwtString, { complete: true });
+      decodedToken = decode$1(jwtString, { complete: true });
     } catch (err) {
       return done(err);
     }
@@ -7043,27 +7129,27 @@
     return value != null && isLength(value.length) && !isFunction(value);
   }
   function isArrayLikeObject(value) {
-    return isObjectLike$8(value) && isArrayLike(value);
+    return isObjectLike$7(value) && isArrayLike(value);
   }
   function isFunction(value) {
-    var tag2 = isObject$3(value) ? objectToString$6.call(value) : "";
-    return tag2 == funcTag || tag2 == genTag;
+    var tag = isObject$2(value) ? objectToString$6.call(value) : "";
+    return tag == funcTag || tag == genTag;
   }
   function isLength(value) {
     return typeof value == "number" && value > -1 && value % 1 == 0 && value <= MAX_SAFE_INTEGER;
   }
-  function isObject$3(value) {
+  function isObject$2(value) {
     var type = typeof value;
     return !!value && (type == "object" || type == "function");
   }
-  function isObjectLike$8(value) {
+  function isObjectLike$7(value) {
     return !!value && typeof value == "object";
   }
   function isString$2(value) {
-    return typeof value == "string" || !isArray$2(value) && isObjectLike$8(value) && objectToString$6.call(value) == stringTag$1;
+    return typeof value == "string" || !isArray$2(value) && isObjectLike$7(value) && objectToString$6.call(value) == stringTag$1;
   }
   function isSymbol$2(value) {
-    return typeof value == "symbol" || isObjectLike$8(value) && objectToString$6.call(value) == symbolTag$2;
+    return typeof value == "symbol" || isObjectLike$7(value) && objectToString$6.call(value) == symbolTag$2;
   }
   function toFinite$2(value) {
     if (!value) {
@@ -7087,9 +7173,9 @@
     if (isSymbol$2(value)) {
       return NAN$2;
     }
-    if (isObject$3(value)) {
+    if (isObject$2(value)) {
       var other = typeof value.valueOf == "function" ? value.valueOf() : value;
-      value = isObject$3(other) ? other + "" : other;
+      value = isObject$2(other) ? other + "" : other;
     }
     if (typeof value != "string") {
       return value === 0 ? value : +value;
@@ -7109,9 +7195,9 @@
   var objectProto$5 = Object.prototype;
   var objectToString$5 = objectProto$5.toString;
   function isBoolean$1(value) {
-    return value === true || value === false || isObjectLike$7(value) && objectToString$5.call(value) == boolTag;
+    return value === true || value === false || isObjectLike$6(value) && objectToString$5.call(value) == boolTag;
   }
-  function isObjectLike$7(value) {
+  function isObjectLike$6(value) {
     return !!value && typeof value == "object";
   }
   var lodash_isboolean = isBoolean$1;
@@ -7127,15 +7213,15 @@
   function isInteger$1(value) {
     return typeof value == "number" && value == toInteger$1(value);
   }
-  function isObject$2(value) {
+  function isObject$1(value) {
     var type = typeof value;
     return !!value && (type == "object" || type == "function");
   }
-  function isObjectLike$6(value) {
+  function isObjectLike$5(value) {
     return !!value && typeof value == "object";
   }
   function isSymbol$1(value) {
-    return typeof value == "symbol" || isObjectLike$6(value) && objectToString$4.call(value) == symbolTag$1;
+    return typeof value == "symbol" || isObjectLike$5(value) && objectToString$4.call(value) == symbolTag$1;
   }
   function toFinite$1(value) {
     if (!value) {
@@ -7159,9 +7245,9 @@
     if (isSymbol$1(value)) {
       return NAN$1;
     }
-    if (isObject$2(value)) {
+    if (isObject$1(value)) {
       var other = typeof value.valueOf == "function" ? value.valueOf() : value;
-      value = isObject$2(other) ? other + "" : other;
+      value = isObject$1(other) ? other + "" : other;
     }
     if (typeof value != "string") {
       return value === 0 ? value : +value;
@@ -7174,11 +7260,11 @@
   var numberTag = "[object Number]";
   var objectProto$3 = Object.prototype;
   var objectToString$3 = objectProto$3.toString;
-  function isObjectLike$5(value) {
+  function isObjectLike$4(value) {
     return !!value && typeof value == "object";
   }
   function isNumber$1(value) {
-    return typeof value == "number" || isObjectLike$5(value) && objectToString$3.call(value) == numberTag;
+    return typeof value == "number" || isObjectLike$4(value) && objectToString$3.call(value) == numberTag;
   }
   var lodash_isnumber = isNumber$1;
   var objectTag = "[object Object]";
@@ -7203,11 +7289,11 @@
   var objectCtorString = funcToString.call(Object);
   var objectToString$2 = objectProto$2.toString;
   var getPrototype = overArg(Object.getPrototypeOf, Object);
-  function isObjectLike$4(value) {
+  function isObjectLike$3(value) {
     return !!value && typeof value == "object";
   }
   function isPlainObject$2(value) {
-    if (!isObjectLike$4(value) || objectToString$2.call(value) != objectTag || isHostObject(value)) {
+    if (!isObjectLike$3(value) || objectToString$2.call(value) != objectTag || isHostObject(value)) {
       return false;
     }
     var proto = getPrototype(value);
@@ -7222,11 +7308,11 @@
   var objectProto$1 = Object.prototype;
   var objectToString$1 = objectProto$1.toString;
   var isArray$1 = Array.isArray;
-  function isObjectLike$3(value) {
+  function isObjectLike$2(value) {
     return !!value && typeof value == "object";
   }
   function isString$1(value) {
-    return typeof value == "string" || !isArray$1(value) && isObjectLike$3(value) && objectToString$1.call(value) == stringTag;
+    return typeof value == "string" || !isArray$1(value) && isObjectLike$2(value) && objectToString$1.call(value) == stringTag;
   }
   var lodash_isstring = isString$1;
   var FUNC_ERROR_TEXT = "Expected a function";
@@ -7258,15 +7344,15 @@
   function once$1(func) {
     return before(2, func);
   }
-  function isObject$1(value) {
+  function isObject(value) {
     var type = typeof value;
     return !!value && (type == "object" || type == "function");
   }
-  function isObjectLike$2(value) {
+  function isObjectLike$1(value) {
     return !!value && typeof value == "object";
   }
   function isSymbol(value) {
-    return typeof value == "symbol" || isObjectLike$2(value) && objectToString.call(value) == symbolTag;
+    return typeof value == "symbol" || isObjectLike$1(value) && objectToString.call(value) == symbolTag;
   }
   function toFinite(value) {
     if (!value) {
@@ -7290,9 +7376,9 @@
     if (isSymbol(value)) {
       return NAN;
     }
-    if (isObject$1(value)) {
+    if (isObject(value)) {
       var other = typeof value.valueOf == "function" ? value.valueOf() : value;
-      value = isObject$1(other) ? other + "" : other;
+      value = isObject(other) ? other + "" : other;
     }
     if (typeof value != "string") {
       return value === 0 ? value : +value;
@@ -7383,7 +7469,7 @@
     "subject",
     "jwtid"
   ];
-  var sign$4 = function(payload, secretOrPrivateKey, options2, callback) {
+  var sign$3 = function(payload, secretOrPrivateKey, options2, callback) {
     if (typeof options2 === "function") {
       callback = options2;
       options2 = {};
@@ -7522,9 +7608,9 @@
     }
   };
   var jsonwebtoken = {
-    decode: decode$3,
+    decode: decode$2,
     verify,
-    sign: sign$4,
+    sign: sign$3,
     JsonWebTokenError: JsonWebTokenError_1,
     NotBeforeError: NotBeforeError_1,
     TokenExpiredError: TokenExpiredError_1
@@ -7975,7 +8061,7 @@
   }
   function createLogger(defaultFields = {}) {
     const minLevel = getMinLevel();
-    function emit(level, message2, data) {
+    function emit(level, message, data) {
       if (LOG_PRIORITY[level] < LOG_PRIORITY[minLevel]) return;
       const merged = {
         ...defaultFields,
@@ -7984,7 +8070,7 @@
       if (isProduction$1()) {
         const entry = {
           severity: GCP_SEVERITY[level],
-          message: message2,
+          message,
           timestamp: (/* @__PURE__ */ new Date()).toISOString(),
           ...merged
         };
@@ -7997,7 +8083,7 @@
       } else {
         const prefix = level === "error" ? "❌" : level === "warn" ? "⚠️" : level === "info" ? "ℹ️" : "🐛";
         const extra = Object.keys(merged).length > 0 ? ` ${JSON.stringify(merged)}` : "";
-        const out = `${prefix} [${level.toUpperCase()}] ${message2}${extra}`;
+        const out = `${prefix} [${level.toUpperCase()}] ${message}${extra}`;
         if (level === "error") {
           console.error(out);
         } else if (level === "warn") {
@@ -8358,9 +8444,9 @@
         }
         return Function.prototype[Symbol.hasInstance].call(GaxiosError, instance);
       }
-      constructor(message2, config, response, error2) {
+      constructor(message, config, response, error2) {
         var _b2;
-        super(message2);
+        super(message);
         this.config = config;
         this.response = response;
         this.error = error2;
@@ -14256,8 +14342,8 @@ Content-Type: ${partContentType}\r
   const GOOGLE_TOKEN_URL = "https://www.googleapis.com/oauth2/v4/token";
   const GOOGLE_REVOKE_TOKEN_URL = "https://accounts.google.com/o/oauth2/revoke?token=";
   class ErrorWithCode extends Error {
-    constructor(message2, code2) {
-      super(message2);
+    constructor(message, code2) {
+      super(message);
       this.code = code2;
     }
   }
@@ -15113,13 +15199,13 @@ Content-Type: ${partContentType}\r
         if (!(error2 instanceof Error))
           throw error2;
         let status = 0;
-        let message2 = "";
+        let message = "";
         if (error2 instanceof gaxios_1$2.GaxiosError) {
           status = (_c2 = (_b2 = (_a2 = error2 === null || error2 === void 0 ? void 0 : error2.response) === null || _a2 === void 0 ? void 0 : _a2.data) === null || _b2 === void 0 ? void 0 : _b2.error) === null || _c2 === void 0 ? void 0 : _c2.status;
-          message2 = (_f = (_e = (_d = error2 === null || error2 === void 0 ? void 0 : error2.response) === null || _d === void 0 ? void 0 : _d.data) === null || _e === void 0 ? void 0 : _e.error) === null || _f === void 0 ? void 0 : _f.message;
+          message = (_f = (_e = (_d = error2 === null || error2 === void 0 ? void 0 : error2.response) === null || _d === void 0 ? void 0 : _d.data) === null || _e === void 0 ? void 0 : _e.error) === null || _f === void 0 ? void 0 : _f.message;
         }
-        if (status && message2) {
-          error2.message = `${status}: unable to impersonate: ${message2}`;
+        if (status && message) {
+          error2.message = `${status}: unable to impersonate: ${message}`;
           throw error2;
         } else {
           error2.message = `unable to impersonate: ${error2}`;
@@ -15281,14 +15367,14 @@ Content-Type: ${partContentType}\r
     const errorCode = resp.error;
     const errorDescription = resp.error_description;
     const errorUri = resp.error_uri;
-    let message2 = `Error code ${errorCode}`;
+    let message = `Error code ${errorCode}`;
     if (typeof errorDescription !== "undefined") {
-      message2 += `: ${errorDescription}`;
+      message += `: ${errorDescription}`;
     }
     if (typeof errorUri !== "undefined") {
-      message2 += ` - ${errorUri}`;
+      message += ` - ${errorUri}`;
     }
-    const newError = new Error(message2);
+    const newError = new Error(message);
     if (err) {
       const keys2 = Object.keys(err);
       if (err.stack) {
@@ -16016,14 +16102,14 @@ Content-Type: ${partContentType}\r
     }
   }
   awsrequestsigner.AwsRequestSigner = AwsRequestSigner;
-  async function sign$3(crypto2, key, msg) {
+  async function sign$2(crypto2, key, msg) {
     return await crypto2.signWithHmacSha256(key, msg);
   }
   async function getSigningKey(crypto2, key, dateStamp, region, serviceName) {
-    const kDate = await sign$3(crypto2, `AWS4${key}`, dateStamp);
-    const kRegion = await sign$3(crypto2, kDate, region);
-    const kService = await sign$3(crypto2, kRegion, serviceName);
-    const kSigning = await sign$3(crypto2, kService, "aws4_request");
+    const kDate = await sign$2(crypto2, `AWS4${key}`, dateStamp);
+    const kRegion = await sign$2(crypto2, kDate, region);
+    const kService = await sign$2(crypto2, kRegion, serviceName);
+    const kSigning = await sign$2(crypto2, kService, "aws4_request");
     return kSigning;
   }
   async function generateAuthenticationHeaderMap(options2) {
@@ -16069,7 +16155,7 @@ ${amzDate}
 ${credentialScope}
 ` + await options2.crypto.sha256DigestHex(canonicalRequest);
     const signingKey = await getSigningKey(options2.crypto, options2.securityCredentials.secretAccessKey, dateStamp, options2.region, serviceName);
-    const signature = await sign$3(options2.crypto, signingKey, stringToSign);
+    const signature = await sign$2(options2.crypto, signingKey, stringToSign);
     const authorizationHeader = `${AWS_ALGORITHM} Credential=${options2.securityCredentials.accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${(0, crypto_1.fromArrayBufferToHex)(signature)}`;
     return {
       // Do not return x-amz-date if date is available.
@@ -16400,8 +16486,8 @@ ${credentialScope}
   }
   executableResponse.ExecutableResponse = ExecutableResponse;
   class ExecutableResponseError extends Error {
-    constructor(message2) {
-      super(message2);
+    constructor(message) {
+      super(message);
       Object.setPrototypeOf(this, new.target.prototype);
     }
   }
@@ -16564,8 +16650,8 @@ ${credentialScope}
     const executable_response_1 = executableResponse;
     const pluggable_auth_handler_1 = requirePluggableAuthHandler();
     class ExecutableError extends Error {
-      constructor(message2, code2) {
-        super(`The executable failed with exit code: ${code2} and error message: ${message2}.`);
+      constructor(message, code2) {
+        super(`The executable failed with exit code: ${code2} and error message: ${message}.`);
         this.code = code2;
         Object.setPrototypeOf(this, new.target.prototype);
       }
@@ -18213,104 +18299,104 @@ ${credentialScope}
     return error2;
   };
   const errorMap = (issue, _ctx) => {
-    let message2;
+    let message;
     switch (issue.code) {
       case ZodIssueCode.invalid_type:
         if (issue.received === ZodParsedType.undefined) {
-          message2 = "Required";
+          message = "Required";
         } else {
-          message2 = `Expected ${issue.expected}, received ${issue.received}`;
+          message = `Expected ${issue.expected}, received ${issue.received}`;
         }
         break;
       case ZodIssueCode.invalid_literal:
-        message2 = `Invalid literal value, expected ${JSON.stringify(issue.expected, util$1.jsonStringifyReplacer)}`;
+        message = `Invalid literal value, expected ${JSON.stringify(issue.expected, util$1.jsonStringifyReplacer)}`;
         break;
       case ZodIssueCode.unrecognized_keys:
-        message2 = `Unrecognized key(s) in object: ${util$1.joinValues(issue.keys, ", ")}`;
+        message = `Unrecognized key(s) in object: ${util$1.joinValues(issue.keys, ", ")}`;
         break;
       case ZodIssueCode.invalid_union:
-        message2 = `Invalid input`;
+        message = `Invalid input`;
         break;
       case ZodIssueCode.invalid_union_discriminator:
-        message2 = `Invalid discriminator value. Expected ${util$1.joinValues(issue.options)}`;
+        message = `Invalid discriminator value. Expected ${util$1.joinValues(issue.options)}`;
         break;
       case ZodIssueCode.invalid_enum_value:
-        message2 = `Invalid enum value. Expected ${util$1.joinValues(issue.options)}, received '${issue.received}'`;
+        message = `Invalid enum value. Expected ${util$1.joinValues(issue.options)}, received '${issue.received}'`;
         break;
       case ZodIssueCode.invalid_arguments:
-        message2 = `Invalid function arguments`;
+        message = `Invalid function arguments`;
         break;
       case ZodIssueCode.invalid_return_type:
-        message2 = `Invalid function return type`;
+        message = `Invalid function return type`;
         break;
       case ZodIssueCode.invalid_date:
-        message2 = `Invalid date`;
+        message = `Invalid date`;
         break;
       case ZodIssueCode.invalid_string:
         if (typeof issue.validation === "object") {
           if ("includes" in issue.validation) {
-            message2 = `Invalid input: must include "${issue.validation.includes}"`;
+            message = `Invalid input: must include "${issue.validation.includes}"`;
             if (typeof issue.validation.position === "number") {
-              message2 = `${message2} at one or more positions greater than or equal to ${issue.validation.position}`;
+              message = `${message} at one or more positions greater than or equal to ${issue.validation.position}`;
             }
           } else if ("startsWith" in issue.validation) {
-            message2 = `Invalid input: must start with "${issue.validation.startsWith}"`;
+            message = `Invalid input: must start with "${issue.validation.startsWith}"`;
           } else if ("endsWith" in issue.validation) {
-            message2 = `Invalid input: must end with "${issue.validation.endsWith}"`;
+            message = `Invalid input: must end with "${issue.validation.endsWith}"`;
           } else {
             util$1.assertNever(issue.validation);
           }
         } else if (issue.validation !== "regex") {
-          message2 = `Invalid ${issue.validation}`;
+          message = `Invalid ${issue.validation}`;
         } else {
-          message2 = "Invalid";
+          message = "Invalid";
         }
         break;
       case ZodIssueCode.too_small:
         if (issue.type === "array")
-          message2 = `Array must contain ${issue.exact ? "exactly" : issue.inclusive ? `at least` : `more than`} ${issue.minimum} element(s)`;
+          message = `Array must contain ${issue.exact ? "exactly" : issue.inclusive ? `at least` : `more than`} ${issue.minimum} element(s)`;
         else if (issue.type === "string")
-          message2 = `String must contain ${issue.exact ? "exactly" : issue.inclusive ? `at least` : `over`} ${issue.minimum} character(s)`;
+          message = `String must contain ${issue.exact ? "exactly" : issue.inclusive ? `at least` : `over`} ${issue.minimum} character(s)`;
         else if (issue.type === "number")
-          message2 = `Number must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${issue.minimum}`;
+          message = `Number must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${issue.minimum}`;
         else if (issue.type === "bigint")
-          message2 = `Number must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${issue.minimum}`;
+          message = `Number must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${issue.minimum}`;
         else if (issue.type === "date")
-          message2 = `Date must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${new Date(Number(issue.minimum))}`;
+          message = `Date must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${new Date(Number(issue.minimum))}`;
         else
-          message2 = "Invalid input";
+          message = "Invalid input";
         break;
       case ZodIssueCode.too_big:
         if (issue.type === "array")
-          message2 = `Array must contain ${issue.exact ? `exactly` : issue.inclusive ? `at most` : `less than`} ${issue.maximum} element(s)`;
+          message = `Array must contain ${issue.exact ? `exactly` : issue.inclusive ? `at most` : `less than`} ${issue.maximum} element(s)`;
         else if (issue.type === "string")
-          message2 = `String must contain ${issue.exact ? `exactly` : issue.inclusive ? `at most` : `under`} ${issue.maximum} character(s)`;
+          message = `String must contain ${issue.exact ? `exactly` : issue.inclusive ? `at most` : `under`} ${issue.maximum} character(s)`;
         else if (issue.type === "number")
-          message2 = `Number must be ${issue.exact ? `exactly` : issue.inclusive ? `less than or equal to` : `less than`} ${issue.maximum}`;
+          message = `Number must be ${issue.exact ? `exactly` : issue.inclusive ? `less than or equal to` : `less than`} ${issue.maximum}`;
         else if (issue.type === "bigint")
-          message2 = `BigInt must be ${issue.exact ? `exactly` : issue.inclusive ? `less than or equal to` : `less than`} ${issue.maximum}`;
+          message = `BigInt must be ${issue.exact ? `exactly` : issue.inclusive ? `less than or equal to` : `less than`} ${issue.maximum}`;
         else if (issue.type === "date")
-          message2 = `Date must be ${issue.exact ? `exactly` : issue.inclusive ? `smaller than or equal to` : `smaller than`} ${new Date(Number(issue.maximum))}`;
+          message = `Date must be ${issue.exact ? `exactly` : issue.inclusive ? `smaller than or equal to` : `smaller than`} ${new Date(Number(issue.maximum))}`;
         else
-          message2 = "Invalid input";
+          message = "Invalid input";
         break;
       case ZodIssueCode.custom:
-        message2 = `Invalid input`;
+        message = `Invalid input`;
         break;
       case ZodIssueCode.invalid_intersection_types:
-        message2 = `Intersection results could not be merged`;
+        message = `Intersection results could not be merged`;
         break;
       case ZodIssueCode.not_multiple_of:
-        message2 = `Number must be a multiple of ${issue.multipleOf}`;
+        message = `Number must be a multiple of ${issue.multipleOf}`;
         break;
       case ZodIssueCode.not_finite:
-        message2 = "Number must be finite";
+        message = "Number must be finite";
         break;
       default:
-        message2 = _ctx.defaultError;
+        message = _ctx.defaultError;
         util$1.assertNever(issue);
     }
-    return { message: message2 };
+    return { message };
   };
   let overrideErrorMap = errorMap;
   function getErrorMap() {
@@ -18425,8 +18511,8 @@ ${credentialScope}
   const isAsync = (x) => typeof Promise !== "undefined" && x instanceof Promise;
   var errorUtil;
   (function(errorUtil2) {
-    errorUtil2.errToObj = (message2) => typeof message2 === "string" ? { message: message2 } : message2 || {};
-    errorUtil2.toString = (message2) => typeof message2 === "string" ? message2 : message2?.message;
+    errorUtil2.errToObj = (message) => typeof message === "string" ? { message } : message || {};
+    errorUtil2.toString = (message) => typeof message === "string" ? message : message?.message;
   })(errorUtil || (errorUtil = {}));
   class ParseInputLazyPath {
     constructor(parent, value, path2, key) {
@@ -18476,16 +18562,16 @@ ${credentialScope}
     if (errorMap2)
       return { errorMap: errorMap2, description: description2 };
     const customMap = (iss, ctx) => {
-      const { message: message2 } = params;
+      const { message } = params;
       if (iss.code === "invalid_enum_value") {
-        return { message: message2 ?? ctx.defaultError };
+        return { message: message ?? ctx.defaultError };
       }
       if (typeof ctx.data === "undefined") {
-        return { message: message2 ?? required_error ?? ctx.defaultError };
+        return { message: message ?? required_error ?? ctx.defaultError };
       }
       if (iss.code !== "invalid_type")
         return { message: ctx.defaultError };
-      return { message: message2 ?? invalid_type_error ?? ctx.defaultError };
+      return { message: message ?? invalid_type_error ?? ctx.defaultError };
     };
     return { errorMap: customMap, description: description2 };
   }
@@ -18611,14 +18697,14 @@ ${credentialScope}
       const result = await (isAsync(maybeAsyncResult) ? maybeAsyncResult : Promise.resolve(maybeAsyncResult));
       return handleResult(ctx, result);
     }
-    refine(check, message2) {
+    refine(check, message) {
       const getIssueProperties = (val) => {
-        if (typeof message2 === "string" || typeof message2 === "undefined") {
-          return { message: message2 };
-        } else if (typeof message2 === "function") {
-          return message2(val);
+        if (typeof message === "string" || typeof message === "undefined") {
+          return { message };
+        } else if (typeof message === "function") {
+          return message(val);
         } else {
-          return message2;
+          return message;
         }
       };
       return this._refinement((val, ctx) => {
@@ -19154,11 +19240,11 @@ ${credentialScope}
       }
       return { status: status.value, value: input.data };
     }
-    _regex(regex2, validation, message2) {
+    _regex(regex2, validation, message) {
       return this.refinement((data) => regex2.test(data), {
         validation,
         code: ZodIssueCode.invalid_string,
-        ...errorUtil.errToObj(message2)
+        ...errorUtil.errToObj(message)
       });
     }
     _addCheck(check) {
@@ -19167,37 +19253,37 @@ ${credentialScope}
         checks: [...this._def.checks, check]
       });
     }
-    email(message2) {
-      return this._addCheck({ kind: "email", ...errorUtil.errToObj(message2) });
+    email(message) {
+      return this._addCheck({ kind: "email", ...errorUtil.errToObj(message) });
     }
-    url(message2) {
-      return this._addCheck({ kind: "url", ...errorUtil.errToObj(message2) });
+    url(message) {
+      return this._addCheck({ kind: "url", ...errorUtil.errToObj(message) });
     }
-    emoji(message2) {
-      return this._addCheck({ kind: "emoji", ...errorUtil.errToObj(message2) });
+    emoji(message) {
+      return this._addCheck({ kind: "emoji", ...errorUtil.errToObj(message) });
     }
-    uuid(message2) {
-      return this._addCheck({ kind: "uuid", ...errorUtil.errToObj(message2) });
+    uuid(message) {
+      return this._addCheck({ kind: "uuid", ...errorUtil.errToObj(message) });
     }
-    nanoid(message2) {
-      return this._addCheck({ kind: "nanoid", ...errorUtil.errToObj(message2) });
+    nanoid(message) {
+      return this._addCheck({ kind: "nanoid", ...errorUtil.errToObj(message) });
     }
-    cuid(message2) {
-      return this._addCheck({ kind: "cuid", ...errorUtil.errToObj(message2) });
+    cuid(message) {
+      return this._addCheck({ kind: "cuid", ...errorUtil.errToObj(message) });
     }
-    cuid2(message2) {
-      return this._addCheck({ kind: "cuid2", ...errorUtil.errToObj(message2) });
+    cuid2(message) {
+      return this._addCheck({ kind: "cuid2", ...errorUtil.errToObj(message) });
     }
-    ulid(message2) {
-      return this._addCheck({ kind: "ulid", ...errorUtil.errToObj(message2) });
+    ulid(message) {
+      return this._addCheck({ kind: "ulid", ...errorUtil.errToObj(message) });
     }
-    base64(message2) {
-      return this._addCheck({ kind: "base64", ...errorUtil.errToObj(message2) });
+    base64(message) {
+      return this._addCheck({ kind: "base64", ...errorUtil.errToObj(message) });
     }
-    base64url(message2) {
+    base64url(message) {
       return this._addCheck({
         kind: "base64url",
-        ...errorUtil.errToObj(message2)
+        ...errorUtil.errToObj(message)
       });
     }
     jwt(options2) {
@@ -19227,8 +19313,8 @@ ${credentialScope}
         ...errorUtil.errToObj(options2?.message)
       });
     }
-    date(message2) {
-      return this._addCheck({ kind: "date", message: message2 });
+    date(message) {
+      return this._addCheck({ kind: "date", message });
     }
     time(options2) {
       if (typeof options2 === "string") {
@@ -19244,14 +19330,14 @@ ${credentialScope}
         ...errorUtil.errToObj(options2?.message)
       });
     }
-    duration(message2) {
-      return this._addCheck({ kind: "duration", ...errorUtil.errToObj(message2) });
+    duration(message) {
+      return this._addCheck({ kind: "duration", ...errorUtil.errToObj(message) });
     }
-    regex(regex2, message2) {
+    regex(regex2, message) {
       return this._addCheck({
         kind: "regex",
         regex: regex2,
-        ...errorUtil.errToObj(message2)
+        ...errorUtil.errToObj(message)
       });
     }
     includes(value, options2) {
@@ -19262,46 +19348,46 @@ ${credentialScope}
         ...errorUtil.errToObj(options2?.message)
       });
     }
-    startsWith(value, message2) {
+    startsWith(value, message) {
       return this._addCheck({
         kind: "startsWith",
         value,
-        ...errorUtil.errToObj(message2)
+        ...errorUtil.errToObj(message)
       });
     }
-    endsWith(value, message2) {
+    endsWith(value, message) {
       return this._addCheck({
         kind: "endsWith",
         value,
-        ...errorUtil.errToObj(message2)
+        ...errorUtil.errToObj(message)
       });
     }
-    min(minLength, message2) {
+    min(minLength, message) {
       return this._addCheck({
         kind: "min",
         value: minLength,
-        ...errorUtil.errToObj(message2)
+        ...errorUtil.errToObj(message)
       });
     }
-    max(maxLength, message2) {
+    max(maxLength, message) {
       return this._addCheck({
         kind: "max",
         value: maxLength,
-        ...errorUtil.errToObj(message2)
+        ...errorUtil.errToObj(message)
       });
     }
-    length(len2, message2) {
+    length(len2, message) {
       return this._addCheck({
         kind: "length",
         value: len2,
-        ...errorUtil.errToObj(message2)
+        ...errorUtil.errToObj(message)
       });
     }
     /**
      * Equivalent to `.min(1)`
      */
-    nonempty(message2) {
-      return this.min(1, errorUtil.errToObj(message2));
+    nonempty(message) {
+      return this.min(1, errorUtil.errToObj(message));
     }
     trim() {
       return new ZodString({
@@ -19494,19 +19580,19 @@ ${credentialScope}
       }
       return { status: status.value, value: input.data };
     }
-    gte(value, message2) {
-      return this.setLimit("min", value, true, errorUtil.toString(message2));
+    gte(value, message) {
+      return this.setLimit("min", value, true, errorUtil.toString(message));
     }
-    gt(value, message2) {
-      return this.setLimit("min", value, false, errorUtil.toString(message2));
+    gt(value, message) {
+      return this.setLimit("min", value, false, errorUtil.toString(message));
     }
-    lte(value, message2) {
-      return this.setLimit("max", value, true, errorUtil.toString(message2));
+    lte(value, message) {
+      return this.setLimit("max", value, true, errorUtil.toString(message));
     }
-    lt(value, message2) {
-      return this.setLimit("max", value, false, errorUtil.toString(message2));
+    lt(value, message) {
+      return this.setLimit("max", value, false, errorUtil.toString(message));
     }
-    setLimit(kind, value, inclusive, message2) {
+    setLimit(kind, value, inclusive, message) {
       return new ZodNumber({
         ...this._def,
         checks: [
@@ -19515,7 +19601,7 @@ ${credentialScope}
             kind,
             value,
             inclusive,
-            message: errorUtil.toString(message2)
+            message: errorUtil.toString(message)
           }
         ]
       });
@@ -19526,68 +19612,68 @@ ${credentialScope}
         checks: [...this._def.checks, check]
       });
     }
-    int(message2) {
+    int(message) {
       return this._addCheck({
         kind: "int",
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
-    positive(message2) {
+    positive(message) {
       return this._addCheck({
         kind: "min",
         value: 0,
         inclusive: false,
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
-    negative(message2) {
+    negative(message) {
       return this._addCheck({
         kind: "max",
         value: 0,
         inclusive: false,
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
-    nonpositive(message2) {
+    nonpositive(message) {
       return this._addCheck({
         kind: "max",
         value: 0,
         inclusive: true,
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
-    nonnegative(message2) {
+    nonnegative(message) {
       return this._addCheck({
         kind: "min",
         value: 0,
         inclusive: true,
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
-    multipleOf(value, message2) {
+    multipleOf(value, message) {
       return this._addCheck({
         kind: "multipleOf",
         value,
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
-    finite(message2) {
+    finite(message) {
       return this._addCheck({
         kind: "finite",
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
-    safe(message2) {
+    safe(message) {
       return this._addCheck({
         kind: "min",
         inclusive: true,
         value: Number.MIN_SAFE_INTEGER,
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       })._addCheck({
         kind: "max",
         inclusive: true,
         value: Number.MAX_SAFE_INTEGER,
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
     get minValue() {
@@ -19710,19 +19796,19 @@ ${credentialScope}
       });
       return INVALID;
     }
-    gte(value, message2) {
-      return this.setLimit("min", value, true, errorUtil.toString(message2));
+    gte(value, message) {
+      return this.setLimit("min", value, true, errorUtil.toString(message));
     }
-    gt(value, message2) {
-      return this.setLimit("min", value, false, errorUtil.toString(message2));
+    gt(value, message) {
+      return this.setLimit("min", value, false, errorUtil.toString(message));
     }
-    lte(value, message2) {
-      return this.setLimit("max", value, true, errorUtil.toString(message2));
+    lte(value, message) {
+      return this.setLimit("max", value, true, errorUtil.toString(message));
     }
-    lt(value, message2) {
-      return this.setLimit("max", value, false, errorUtil.toString(message2));
+    lt(value, message) {
+      return this.setLimit("max", value, false, errorUtil.toString(message));
     }
-    setLimit(kind, value, inclusive, message2) {
+    setLimit(kind, value, inclusive, message) {
       return new ZodBigInt({
         ...this._def,
         checks: [
@@ -19731,7 +19817,7 @@ ${credentialScope}
             kind,
             value,
             inclusive,
-            message: errorUtil.toString(message2)
+            message: errorUtil.toString(message)
           }
         ]
       });
@@ -19742,43 +19828,43 @@ ${credentialScope}
         checks: [...this._def.checks, check]
       });
     }
-    positive(message2) {
+    positive(message) {
       return this._addCheck({
         kind: "min",
         value: BigInt(0),
         inclusive: false,
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
-    negative(message2) {
+    negative(message) {
       return this._addCheck({
         kind: "max",
         value: BigInt(0),
         inclusive: false,
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
-    nonpositive(message2) {
+    nonpositive(message) {
       return this._addCheck({
         kind: "max",
         value: BigInt(0),
         inclusive: true,
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
-    nonnegative(message2) {
+    nonnegative(message) {
       return this._addCheck({
         kind: "min",
         value: BigInt(0),
         inclusive: true,
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
-    multipleOf(value, message2) {
+    multipleOf(value, message) {
       return this._addCheck({
         kind: "multipleOf",
         value,
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
     get minValue() {
@@ -19901,18 +19987,18 @@ ${credentialScope}
         checks: [...this._def.checks, check]
       });
     }
-    min(minDate, message2) {
+    min(minDate, message) {
       return this._addCheck({
         kind: "min",
         value: minDate.getTime(),
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
-    max(maxDate, message2) {
+    max(maxDate, message) {
       return this._addCheck({
         kind: "max",
         value: maxDate.getTime(),
-        message: errorUtil.toString(message2)
+        message: errorUtil.toString(message)
       });
     }
     get minDate() {
@@ -20144,26 +20230,26 @@ ${credentialScope}
     get element() {
       return this._def.type;
     }
-    min(minLength, message2) {
+    min(minLength, message) {
       return new ZodArray({
         ...this._def,
-        minLength: { value: minLength, message: errorUtil.toString(message2) }
+        minLength: { value: minLength, message: errorUtil.toString(message) }
       });
     }
-    max(maxLength, message2) {
+    max(maxLength, message) {
       return new ZodArray({
         ...this._def,
-        maxLength: { value: maxLength, message: errorUtil.toString(message2) }
+        maxLength: { value: maxLength, message: errorUtil.toString(message) }
       });
     }
-    length(len2, message2) {
+    length(len2, message) {
       return new ZodArray({
         ...this._def,
-        exactLength: { value: len2, message: errorUtil.toString(message2) }
+        exactLength: { value: len2, message: errorUtil.toString(message) }
       });
     }
-    nonempty(message2) {
-      return this.min(1, message2);
+    nonempty(message) {
+      return this.min(1, message);
     }
   }
   ZodArray.create = (schema, params) => {
@@ -20306,17 +20392,17 @@ ${credentialScope}
     get shape() {
       return this._def.shape();
     }
-    strict(message2) {
+    strict(message) {
       errorUtil.errToObj;
       return new ZodObject({
         ...this._def,
         unknownKeys: "strict",
-        ...message2 !== void 0 ? {
+        ...message !== void 0 ? {
           errorMap: (issue, ctx) => {
             const defaultError = this._def.errorMap?.(issue, ctx).message ?? ctx.defaultError;
             if (issue.code === "unrecognized_keys")
               return {
-                message: errorUtil.errToObj(message2).message ?? defaultError
+                message: errorUtil.errToObj(message).message ?? defaultError
               };
             return {
               message: defaultError
@@ -20912,23 +20998,23 @@ ${credentialScope}
         return finalizeSet(elements);
       }
     }
-    min(minSize, message2) {
+    min(minSize, message) {
       return new ZodSet({
         ...this._def,
-        minSize: { value: minSize, message: errorUtil.toString(message2) }
+        minSize: { value: minSize, message: errorUtil.toString(message) }
       });
     }
-    max(maxSize, message2) {
+    max(maxSize, message) {
       return new ZodSet({
         ...this._def,
-        maxSize: { value: maxSize, message: errorUtil.toString(message2) }
+        maxSize: { value: maxSize, message: errorUtil.toString(message) }
       });
     }
-    size(size, message2) {
-      return this.min(size, message2).max(size, message2);
+    size(size, message) {
+      return this.min(size, message).max(size, message);
     }
-    nonempty(message2) {
-      return this.min(1, message2);
+    nonempty(message) {
+      return this.min(1, message);
     }
   }
   ZodSet.create = (valueType, params) => {
@@ -21538,32 +21624,125 @@ ${credentialScope}
   ZodPromise.create;
   ZodOptional.create;
   ZodNullable.create;
-  function createGoogleProvider(clientId) {
-    const googleClient = new src$4.OAuth2Client(clientId);
+  function createGoogleProvider(config) {
+    const clientId = typeof config === "string" ? config : config.clientId;
+    const clientSecret = typeof config === "string" ? void 0 : config.clientSecret;
+    const googleClient = new src$4.OAuth2Client(clientId, clientSecret);
     return {
       id: "google",
       schema: objectType({
-        idToken: stringType().min(1, "ID token is required")
+        idToken: stringType().min(1).optional(),
+        accessToken: stringType().min(1).optional(),
+        code: stringType().min(1).optional(),
+        redirectUri: stringType().min(1).optional()
+      }).refine((data) => data.idToken || data.accessToken || data.code && data.redirectUri, {
+        message: "One of idToken, accessToken, or code+redirectUri is required"
       }),
       verify: async (payload) => {
         try {
-          const ticket = await googleClient.verifyIdToken({
-            idToken: payload.idToken,
-            audience: clientId
-          });
-          const content = ticket.getPayload();
-          if (!content) {
-            return null;
+          if (payload.idToken) {
+            const ticket = await googleClient.verifyIdToken({
+              idToken: payload.idToken,
+              audience: clientId
+            });
+            const content = ticket.getPayload();
+            if (!content) {
+              throw new Error("Google ID token payload was empty");
+            }
+            return {
+              providerId: content.sub,
+              email: content.email || "",
+              displayName: content.name || null,
+              photoUrl: content.picture || null
+            };
           }
-          return {
-            providerId: content.sub,
-            email: content.email || "",
-            displayName: content.name || null,
-            photoUrl: content.picture || null
-          };
+          if (payload.accessToken) {
+            const res = await fetch("https://www.googleapis.com/oauth2/v3/userinfo", {
+              headers: {
+                Authorization: `Bearer ${payload.accessToken}`
+              }
+            });
+            if (!res.ok) {
+              throw new Error(`Google userinfo request failed with status ${res.status}`);
+            }
+            const info = await res.json();
+            if (!info.sub || !info.email) {
+              throw new Error("Google userinfo response missing sub or email");
+            }
+            return {
+              providerId: info.sub,
+              email: info.email,
+              displayName: info.name || null,
+              photoUrl: info.picture || null
+            };
+          }
+          if (payload.code && payload.redirectUri) {
+            if (!clientSecret) {
+              throw new Error("Google authorization code flow requires clientSecret. Configure GOOGLE_CLIENT_SECRET in your environment.");
+            }
+            const tokenResponse = await fetch("https://oauth2.googleapis.com/token", {
+              method: "POST",
+              headers: {
+                "Content-Type": "application/x-www-form-urlencoded"
+              },
+              body: new URLSearchParams({
+                code: payload.code,
+                client_id: clientId,
+                client_secret: clientSecret,
+                redirect_uri: payload.redirectUri,
+                grant_type: "authorization_code"
+              })
+            });
+            if (!tokenResponse.ok) {
+              const errorBody = await tokenResponse.text();
+              throw new Error(`Google token exchange failed (${tokenResponse.status}): ${errorBody}`);
+            }
+            const tokenData = await tokenResponse.json();
+            if (tokenData.error) {
+              throw new Error(`Google token exchange error: ${tokenData.error} – ${tokenData.error_description || "no details"}`);
+            }
+            if (tokenData.id_token) {
+              const ticket = await googleClient.verifyIdToken({
+                idToken: tokenData.id_token,
+                audience: clientId
+              });
+              const content = ticket.getPayload();
+              if (!content) {
+                throw new Error("Google ID token payload was empty after code exchange");
+              }
+              return {
+                providerId: content.sub,
+                email: content.email || "",
+                displayName: content.name || null,
+                photoUrl: content.picture || null
+              };
+            }
+            if (tokenData.access_token) {
+              const userInfoRes = await fetch("https://www.googleapis.com/oauth2/v3/userinfo", {
+                headers: {
+                  Authorization: `Bearer ${tokenData.access_token}`
+                }
+              });
+              if (!userInfoRes.ok) {
+                throw new Error(`Google userinfo request failed after code exchange (${userInfoRes.status})`);
+              }
+              const info = await userInfoRes.json();
+              if (!info.sub || !info.email) {
+                return null;
+              }
+              return {
+                providerId: info.sub,
+                email: info.email,
+                displayName: info.name || null,
+                photoUrl: info.picture || null
+              };
+            }
+            throw new Error("Google token exchange returned neither id_token nor access_token");
+          }
+          throw new Error("No valid Google credential provided (expected idToken, accessToken, or code+redirectUri)");
         } catch (error2) {
-          console.error("Failed to verify Google ID token:", error2);
-          return null;
+          console.error("Google OAuth verification failed:", error2);
+          throw error2;
         }
       }
     };
@@ -21755,1002 +21934,16 @@ ${credentialScope}
       }
     };
   }
-  const encoder = new TextEncoder();
-  const decoder = new TextDecoder();
-  function concat(...buffers) {
-    const size = buffers.reduce((acc, { length }) => acc + length, 0);
-    const buf = new Uint8Array(size);
-    let i2 = 0;
-    for (const buffer of buffers) {
-      buf.set(buffer, i2);
-      i2 += buffer.length;
-    }
-    return buf;
-  }
-  function encode$4(string) {
-    const bytes = new Uint8Array(string.length);
-    for (let i2 = 0; i2 < string.length; i2++) {
-      const code2 = string.charCodeAt(i2);
-      if (code2 > 127) {
-        throw new TypeError("non-ASCII string encountered in encode()");
-      }
-      bytes[i2] = code2;
-    }
-    return bytes;
-  }
-  function encodeBase64(input) {
-    if (Uint8Array.prototype.toBase64) {
-      return input.toBase64();
-    }
-    const CHUNK_SIZE = 32768;
-    const arr = [];
-    for (let i2 = 0; i2 < input.length; i2 += CHUNK_SIZE) {
-      arr.push(String.fromCharCode.apply(null, input.subarray(i2, i2 + CHUNK_SIZE)));
-    }
-    return btoa(arr.join(""));
-  }
-  function decodeBase64(encoded) {
-    if (Uint8Array.fromBase64) {
-      return Uint8Array.fromBase64(encoded);
-    }
-    const binary = atob(encoded);
-    const bytes = new Uint8Array(binary.length);
-    for (let i2 = 0; i2 < binary.length; i2++) {
-      bytes[i2] = binary.charCodeAt(i2);
-    }
-    return bytes;
-  }
-  function decode$1(input) {
-    if (Uint8Array.fromBase64) {
-      return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), {
-        alphabet: "base64url"
-      });
-    }
-    let encoded = input;
-    if (encoded instanceof Uint8Array) {
-      encoded = decoder.decode(encoded);
-    }
-    encoded = encoded.replace(/-/g, "+").replace(/_/g, "/");
-    try {
-      return decodeBase64(encoded);
-    } catch {
-      throw new TypeError("The input to be decoded is not correctly encoded.");
-    }
-  }
-  function encode$3(input) {
-    let unencoded = input;
-    if (typeof unencoded === "string") {
-      unencoded = encoder.encode(unencoded);
-    }
-    if (Uint8Array.prototype.toBase64) {
-      return unencoded.toBase64({ alphabet: "base64url", omitPadding: true });
-    }
-    return encodeBase64(unencoded).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-  }
-  const unusable = (name2, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name2}`);
-  const isAlgorithm = (algorithm, name2) => algorithm.name === name2;
-  function getHashLength(hash) {
-    return parseInt(hash.name.slice(4), 10);
-  }
-  function checkHashLength(algorithm, expected) {
-    const actual = getHashLength(algorithm.hash);
-    if (actual !== expected)
-      throw unusable(`SHA-${expected}`, "algorithm.hash");
-  }
-  function getNamedCurve(alg) {
-    switch (alg) {
-      case "ES256":
-        return "P-256";
-      case "ES384":
-        return "P-384";
-      case "ES512":
-        return "P-521";
-      default:
-        throw new Error("unreachable");
-    }
-  }
-  function checkUsage(key, usage) {
-    if (!key.usages.includes(usage)) {
-      throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
-    }
-  }
-  function checkSigCryptoKey(key, alg, usage) {
-    switch (alg) {
-      case "HS256":
-      case "HS384":
-      case "HS512": {
-        if (!isAlgorithm(key.algorithm, "HMAC"))
-          throw unusable("HMAC");
-        checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
-        break;
-      }
-      case "RS256":
-      case "RS384":
-      case "RS512": {
-        if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
-          throw unusable("RSASSA-PKCS1-v1_5");
-        checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
-        break;
-      }
-      case "PS256":
-      case "PS384":
-      case "PS512": {
-        if (!isAlgorithm(key.algorithm, "RSA-PSS"))
-          throw unusable("RSA-PSS");
-        checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
-        break;
-      }
-      case "Ed25519":
-      case "EdDSA": {
-        if (!isAlgorithm(key.algorithm, "Ed25519"))
-          throw unusable("Ed25519");
-        break;
-      }
-      case "ML-DSA-44":
-      case "ML-DSA-65":
-      case "ML-DSA-87": {
-        if (!isAlgorithm(key.algorithm, alg))
-          throw unusable(alg);
-        break;
-      }
-      case "ES256":
-      case "ES384":
-      case "ES512": {
-        if (!isAlgorithm(key.algorithm, "ECDSA"))
-          throw unusable("ECDSA");
-        const expected = getNamedCurve(alg);
-        const actual = key.algorithm.namedCurve;
-        if (actual !== expected)
-          throw unusable(expected, "algorithm.namedCurve");
-        break;
-      }
-      default:
-        throw new TypeError("CryptoKey does not support this operation");
-    }
-    checkUsage(key, usage);
-  }
-  function message(msg, actual, ...types2) {
-    types2 = types2.filter(Boolean);
-    if (types2.length > 2) {
-      const last = types2.pop();
-      msg += `one of type ${types2.join(", ")}, or ${last}.`;
-    } else if (types2.length === 2) {
-      msg += `one of type ${types2[0]} or ${types2[1]}.`;
-    } else {
-      msg += `of type ${types2[0]}.`;
-    }
-    if (actual == null) {
-      msg += ` Received ${actual}`;
-    } else if (typeof actual === "function" && actual.name) {
-      msg += ` Received function ${actual.name}`;
-    } else if (typeof actual === "object" && actual != null) {
-      if (actual.constructor?.name) {
-        msg += ` Received an instance of ${actual.constructor.name}`;
-      }
-    }
-    return msg;
-  }
-  const invalidKeyInput = (actual, ...types2) => message("Key must be ", actual, ...types2);
-  const withAlg = (alg, actual, ...types2) => message(`Key for the ${alg} algorithm must be `, actual, ...types2);
-  class JOSEError extends Error {
-    static code = "ERR_JOSE_GENERIC";
-    code = "ERR_JOSE_GENERIC";
-    constructor(message2, options2) {
-      super(message2, options2);
-      this.name = this.constructor.name;
-      Error.captureStackTrace?.(this, this.constructor);
-    }
-  }
-  class JOSENotSupported extends JOSEError {
-    static code = "ERR_JOSE_NOT_SUPPORTED";
-    code = "ERR_JOSE_NOT_SUPPORTED";
-  }
-  class JWSInvalid extends JOSEError {
-    static code = "ERR_JWS_INVALID";
-    code = "ERR_JWS_INVALID";
-  }
-  class JWTInvalid extends JOSEError {
-    static code = "ERR_JWT_INVALID";
-    code = "ERR_JWT_INVALID";
-  }
-  const isCryptoKey = (key) => {
-    if (key?.[Symbol.toStringTag] === "CryptoKey")
-      return true;
-    try {
-      return key instanceof CryptoKey;
-    } catch {
-      return false;
-    }
-  };
-  const isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject";
-  const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
-  function assertNotSet(value, name2) {
-    if (value) {
-      throw new TypeError(`${name2} can only be called once`);
-    }
-  }
-  const isObjectLike$1 = (value) => typeof value === "object" && value !== null;
-  function isObject(input) {
-    if (!isObjectLike$1(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-      return false;
-    }
-    if (Object.getPrototypeOf(input) === null) {
-      return true;
-    }
-    let proto = input;
-    while (Object.getPrototypeOf(proto) !== null) {
-      proto = Object.getPrototypeOf(proto);
-    }
-    return Object.getPrototypeOf(input) === proto;
-  }
-  function isDisjoint(...headers) {
-    const sources = headers.filter(Boolean);
-    if (sources.length === 0 || sources.length === 1) {
-      return true;
-    }
-    let acc;
-    for (const header of sources) {
-      const parameters = Object.keys(header);
-      if (!acc || acc.size === 0) {
-        acc = new Set(parameters);
-        continue;
-      }
-      for (const parameter of parameters) {
-        if (acc.has(parameter)) {
-          return false;
-        }
-        acc.add(parameter);
-      }
-    }
-    return true;
-  }
-  const isJWK = (key) => isObject(key) && typeof key.kty === "string";
-  const isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
-  const isPublicJWK = (key) => key.kty !== "oct" && key.d === void 0 && key.priv === void 0;
-  const isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
-  function checkKeyLength(alg, key) {
-    if (alg.startsWith("RS") || alg.startsWith("PS")) {
-      const { modulusLength } = key.algorithm;
-      if (typeof modulusLength !== "number" || modulusLength < 2048) {
-        throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
-      }
-    }
-  }
-  function subtleAlgorithm(alg, algorithm) {
-    const hash = `SHA-${alg.slice(-3)}`;
-    switch (alg) {
-      case "HS256":
-      case "HS384":
-      case "HS512":
-        return { hash, name: "HMAC" };
-      case "PS256":
-      case "PS384":
-      case "PS512":
-        return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
-      case "RS256":
-      case "RS384":
-      case "RS512":
-        return { hash, name: "RSASSA-PKCS1-v1_5" };
-      case "ES256":
-      case "ES384":
-      case "ES512":
-        return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
-      case "Ed25519":
-      case "EdDSA":
-        return { name: "Ed25519" };
-      case "ML-DSA-44":
-      case "ML-DSA-65":
-      case "ML-DSA-87":
-        return { name: alg };
-      default:
-        throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-    }
-  }
-  async function getSigKey(alg, key, usage) {
-    if (key instanceof Uint8Array) {
-      if (!alg.startsWith("HS")) {
-        throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-      }
-      return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
-    }
-    checkSigCryptoKey(key, alg, usage);
-    return key;
-  }
-  async function sign$2(alg, key, data) {
-    const cryptoKey = await getSigKey(alg, key, "sign");
-    checkKeyLength(alg, cryptoKey);
-    const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);
-    return new Uint8Array(signature);
-  }
-  const unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
-  function subtleMapping(jwk) {
-    let algorithm;
-    let keyUsages;
-    switch (jwk.kty) {
-      case "AKP": {
-        switch (jwk.alg) {
-          case "ML-DSA-44":
-          case "ML-DSA-65":
-          case "ML-DSA-87":
-            algorithm = { name: jwk.alg };
-            keyUsages = jwk.priv ? ["sign"] : ["verify"];
-            break;
-          default:
-            throw new JOSENotSupported(unsupportedAlg);
-        }
-        break;
-      }
-      case "RSA": {
-        switch (jwk.alg) {
-          case "PS256":
-          case "PS384":
-          case "PS512":
-            algorithm = { name: "RSA-PSS", hash: `SHA-${jwk.alg.slice(-3)}` };
-            keyUsages = jwk.d ? ["sign"] : ["verify"];
-            break;
-          case "RS256":
-          case "RS384":
-          case "RS512":
-            algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${jwk.alg.slice(-3)}` };
-            keyUsages = jwk.d ? ["sign"] : ["verify"];
-            break;
-          case "RSA-OAEP":
-          case "RSA-OAEP-256":
-          case "RSA-OAEP-384":
-          case "RSA-OAEP-512":
-            algorithm = {
-              name: "RSA-OAEP",
-              hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
-            };
-            keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
-            break;
-          default:
-            throw new JOSENotSupported(unsupportedAlg);
-        }
-        break;
-      }
-      case "EC": {
-        switch (jwk.alg) {
-          case "ES256":
-          case "ES384":
-          case "ES512":
-            algorithm = {
-              name: "ECDSA",
-              namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
-            };
-            keyUsages = jwk.d ? ["sign"] : ["verify"];
-            break;
-          case "ECDH-ES":
-          case "ECDH-ES+A128KW":
-          case "ECDH-ES+A192KW":
-          case "ECDH-ES+A256KW":
-            algorithm = { name: "ECDH", namedCurve: jwk.crv };
-            keyUsages = jwk.d ? ["deriveBits"] : [];
-            break;
-          default:
-            throw new JOSENotSupported(unsupportedAlg);
-        }
-        break;
-      }
-      case "OKP": {
-        switch (jwk.alg) {
-          case "Ed25519":
-          case "EdDSA":
-            algorithm = { name: "Ed25519" };
-            keyUsages = jwk.d ? ["sign"] : ["verify"];
-            break;
-          case "ECDH-ES":
-          case "ECDH-ES+A128KW":
-          case "ECDH-ES+A192KW":
-          case "ECDH-ES+A256KW":
-            algorithm = { name: jwk.crv };
-            keyUsages = jwk.d ? ["deriveBits"] : [];
-            break;
-          default:
-            throw new JOSENotSupported(unsupportedAlg);
-        }
-        break;
-      }
-      default:
-        throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
-    }
-    return { algorithm, keyUsages };
-  }
-  async function jwkToKey(jwk) {
-    if (!jwk.alg) {
-      throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-    }
-    const { algorithm, keyUsages } = subtleMapping(jwk);
-    const keyData = { ...jwk };
-    if (keyData.kty !== "AKP") {
-      delete keyData.alg;
-    }
-    delete keyData.use;
-    return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
-  }
-  const unusableForAlg = "given KeyObject instance cannot be used for this algorithm";
-  let cache;
-  const handleJWK = async (key, jwk, alg, freeze = false) => {
-    cache ||= /* @__PURE__ */ new WeakMap();
-    let cached = cache.get(key);
-    if (cached?.[alg]) {
-      return cached[alg];
-    }
-    const cryptoKey = await jwkToKey({ ...jwk, alg });
-    if (freeze)
-      Object.freeze(key);
-    if (!cached) {
-      cache.set(key, { [alg]: cryptoKey });
-    } else {
-      cached[alg] = cryptoKey;
-    }
-    return cryptoKey;
-  };
-  const handleKeyObject = (keyObject, alg) => {
-    cache ||= /* @__PURE__ */ new WeakMap();
-    let cached = cache.get(keyObject);
-    if (cached?.[alg]) {
-      return cached[alg];
-    }
-    const isPublic = keyObject.type === "public";
-    const extractable = isPublic ? true : false;
-    let cryptoKey;
-    if (keyObject.asymmetricKeyType === "x25519") {
-      switch (alg) {
-        case "ECDH-ES":
-        case "ECDH-ES+A128KW":
-        case "ECDH-ES+A192KW":
-        case "ECDH-ES+A256KW":
-          break;
-        default:
-          throw new TypeError(unusableForAlg);
-      }
-      cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
-    }
-    if (keyObject.asymmetricKeyType === "ed25519") {
-      if (alg !== "EdDSA" && alg !== "Ed25519") {
-        throw new TypeError(unusableForAlg);
-      }
-      cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
-        isPublic ? "verify" : "sign"
-      ]);
-    }
-    switch (keyObject.asymmetricKeyType) {
-      case "ml-dsa-44":
-      case "ml-dsa-65":
-      case "ml-dsa-87": {
-        if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-          throw new TypeError(unusableForAlg);
-        }
-        cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
-          isPublic ? "verify" : "sign"
-        ]);
-      }
-    }
-    if (keyObject.asymmetricKeyType === "rsa") {
-      let hash;
-      switch (alg) {
-        case "RSA-OAEP":
-          hash = "SHA-1";
-          break;
-        case "RS256":
-        case "PS256":
-        case "RSA-OAEP-256":
-          hash = "SHA-256";
-          break;
-        case "RS384":
-        case "PS384":
-        case "RSA-OAEP-384":
-          hash = "SHA-384";
-          break;
-        case "RS512":
-        case "PS512":
-        case "RSA-OAEP-512":
-          hash = "SHA-512";
-          break;
-        default:
-          throw new TypeError(unusableForAlg);
-      }
-      if (alg.startsWith("RSA-OAEP")) {
-        return keyObject.toCryptoKey({
-          name: "RSA-OAEP",
-          hash
-        }, extractable, isPublic ? ["encrypt"] : ["decrypt"]);
-      }
-      cryptoKey = keyObject.toCryptoKey({
-        name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
-        hash
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (keyObject.asymmetricKeyType === "ec") {
-      const nist = /* @__PURE__ */ new Map([
-        ["prime256v1", "P-256"],
-        ["secp384r1", "P-384"],
-        ["secp521r1", "P-521"]
-      ]);
-      const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
-      if (!namedCurve) {
-        throw new TypeError(unusableForAlg);
-      }
-      const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
-      if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
-        cryptoKey = keyObject.toCryptoKey({
-          name: "ECDSA",
-          namedCurve
-        }, extractable, [isPublic ? "verify" : "sign"]);
-      }
-      if (alg.startsWith("ECDH-ES")) {
-        cryptoKey = keyObject.toCryptoKey({
-          name: "ECDH",
-          namedCurve
-        }, extractable, isPublic ? [] : ["deriveBits"]);
-      }
-    }
-    if (!cryptoKey) {
-      throw new TypeError(unusableForAlg);
-    }
-    if (!cached) {
-      cache.set(keyObject, { [alg]: cryptoKey });
-    } else {
-      cached[alg] = cryptoKey;
-    }
-    return cryptoKey;
-  };
-  async function normalizeKey$1(key, alg) {
-    if (key instanceof Uint8Array) {
-      return key;
-    }
-    if (isCryptoKey(key)) {
-      return key;
-    }
-    if (isKeyObject(key)) {
-      if (key.type === "secret") {
-        return key.export();
-      }
-      if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
-        try {
-          return handleKeyObject(key, alg);
-        } catch (err) {
-          if (err instanceof TypeError) {
-            throw err;
-          }
-        }
-      }
-      let jwk = key.export({ format: "jwk" });
-      return handleJWK(key, jwk, alg);
-    }
-    if (isJWK(key)) {
-      if (key.k) {
-        return decode$1(key.k);
-      }
-      return handleJWK(key, key, alg, true);
-    }
-    throw new Error("unreachable");
-  }
-  function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-    if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) {
-      throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-    }
-    if (!protectedHeader || protectedHeader.crit === void 0) {
-      return /* @__PURE__ */ new Set();
-    }
-    if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-      throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-    }
-    let recognized;
-    if (recognizedOption !== void 0) {
-      recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-    } else {
-      recognized = recognizedDefault;
-    }
-    for (const parameter of protectedHeader.crit) {
-      if (!recognized.has(parameter)) {
-        throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
-      }
-      if (joseHeader[parameter] === void 0) {
-        throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-      }
-      if (recognized.get(parameter) && protectedHeader[parameter] === void 0) {
-        throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-      }
-    }
-    return new Set(protectedHeader.crit);
-  }
-  const tag = (key) => key?.[Symbol.toStringTag];
-  const jwkMatchesOp = (alg, key, usage) => {
-    if (key.use !== void 0) {
-      let expected;
-      switch (usage) {
-        case "sign":
-        case "verify":
-          expected = "sig";
-          break;
-        case "encrypt":
-        case "decrypt":
-          expected = "enc";
-          break;
-      }
-      if (key.use !== expected) {
-        throw new TypeError(`Invalid key for this operation, its "use" must be "${expected}" when present`);
-      }
-    }
-    if (key.alg !== void 0 && key.alg !== alg) {
-      throw new TypeError(`Invalid key for this operation, its "alg" must be "${alg}" when present`);
-    }
-    if (Array.isArray(key.key_ops)) {
-      let expectedKeyOp;
-      switch (true) {
-        case usage === "sign":
-        case alg === "dir":
-        case alg.includes("CBC-HS"):
-          expectedKeyOp = usage;
-          break;
-        case alg.startsWith("PBES2"):
-          expectedKeyOp = "deriveBits";
-          break;
-        case /^A\d{3}(?:GCM)?(?:KW)?$/.test(alg):
-          if (!alg.includes("GCM") && alg.endsWith("KW")) {
-            expectedKeyOp = "unwrapKey";
-          } else {
-            expectedKeyOp = usage;
-          }
-          break;
-        case usage === "encrypt":
-          expectedKeyOp = "wrapKey";
-          break;
-        case usage === "decrypt":
-          expectedKeyOp = alg.startsWith("RSA") ? "unwrapKey" : "deriveBits";
-          break;
-      }
-      if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {
-        throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${expectedKeyOp}" when present`);
-      }
-    }
-    return true;
-  };
-  const symmetricTypeCheck = (alg, key, usage) => {
-    if (key instanceof Uint8Array)
-      return;
-    if (isJWK(key)) {
-      if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage))
-        return;
-      throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
-    }
-    if (!isKeyLike(key)) {
-      throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
-    }
-    if (key.type !== "secret") {
-      throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
-    }
-  };
-  const asymmetricTypeCheck = (alg, key, usage) => {
-    if (isJWK(key)) {
-      switch (usage) {
-        case "decrypt":
-        case "sign":
-          if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))
-            return;
-          throw new TypeError(`JSON Web Key for this operation must be a private JWK`);
-        case "encrypt":
-        case "verify":
-          if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage))
-            return;
-          throw new TypeError(`JSON Web Key for this operation must be a public JWK`);
-      }
-    }
-    if (!isKeyLike(key)) {
-      throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key"));
-    }
-    if (key.type === "secret") {
-      throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
-    }
-    if (key.type === "public") {
-      switch (usage) {
-        case "sign":
-          throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
-        case "decrypt":
-          throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
-      }
-    }
-    if (key.type === "private") {
-      switch (usage) {
-        case "verify":
-          throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
-        case "encrypt":
-          throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
-      }
-    }
-  };
-  function checkKeyType(alg, key, usage) {
-    switch (alg.substring(0, 2)) {
-      case "A1":
-      case "A2":
-      case "di":
-      case "HS":
-      case "PB":
-        symmetricTypeCheck(alg, key, usage);
-        break;
-      default:
-        asymmetricTypeCheck(alg, key, usage);
-    }
-  }
-  const epoch = (date) => Math.floor(date.getTime() / 1e3);
-  const minute = 60;
-  const hour = minute * 60;
-  const day = hour * 24;
-  const week = day * 7;
-  const year = day * 365.25;
-  const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
-  function secs(str) {
-    const matched = REGEX.exec(str);
-    if (!matched || matched[4] && matched[1]) {
-      throw new TypeError("Invalid time period format");
-    }
-    const value = parseFloat(matched[2]);
-    const unit = matched[3].toLowerCase();
-    let numericDate;
-    switch (unit) {
-      case "sec":
-      case "secs":
-      case "second":
-      case "seconds":
-      case "s":
-        numericDate = Math.round(value);
-        break;
-      case "minute":
-      case "minutes":
-      case "min":
-      case "mins":
-      case "m":
-        numericDate = Math.round(value * minute);
-        break;
-      case "hour":
-      case "hours":
-      case "hr":
-      case "hrs":
-      case "h":
-        numericDate = Math.round(value * hour);
-        break;
-      case "day":
-      case "days":
-      case "d":
-        numericDate = Math.round(value * day);
-        break;
-      case "week":
-      case "weeks":
-      case "w":
-        numericDate = Math.round(value * week);
-        break;
-      default:
-        numericDate = Math.round(value * year);
-        break;
-    }
-    if (matched[1] === "-" || matched[4] === "ago") {
-      return -numericDate;
-    }
-    return numericDate;
-  }
-  function validateInput(label, input) {
-    if (!Number.isFinite(input)) {
-      throw new TypeError(`Invalid ${label} input`);
-    }
-    return input;
-  }
-  class JWTClaimsBuilder {
-    #payload;
-    constructor(payload) {
-      if (!isObject(payload)) {
-        throw new TypeError("JWT Claims Set MUST be an object");
-      }
-      this.#payload = structuredClone(payload);
-    }
-    data() {
-      return encoder.encode(JSON.stringify(this.#payload));
-    }
-    get iss() {
-      return this.#payload.iss;
-    }
-    set iss(value) {
-      this.#payload.iss = value;
-    }
-    get sub() {
-      return this.#payload.sub;
-    }
-    set sub(value) {
-      this.#payload.sub = value;
-    }
-    get aud() {
-      return this.#payload.aud;
-    }
-    set aud(value) {
-      this.#payload.aud = value;
-    }
-    set jti(value) {
-      this.#payload.jti = value;
-    }
-    set nbf(value) {
-      if (typeof value === "number") {
-        this.#payload.nbf = validateInput("setNotBefore", value);
-      } else if (value instanceof Date) {
-        this.#payload.nbf = validateInput("setNotBefore", epoch(value));
-      } else {
-        this.#payload.nbf = epoch(/* @__PURE__ */ new Date()) + secs(value);
-      }
-    }
-    set exp(value) {
-      if (typeof value === "number") {
-        this.#payload.exp = validateInput("setExpirationTime", value);
-      } else if (value instanceof Date) {
-        this.#payload.exp = validateInput("setExpirationTime", epoch(value));
-      } else {
-        this.#payload.exp = epoch(/* @__PURE__ */ new Date()) + secs(value);
-      }
-    }
-    set iat(value) {
-      if (value === void 0) {
-        this.#payload.iat = epoch(/* @__PURE__ */ new Date());
-      } else if (value instanceof Date) {
-        this.#payload.iat = validateInput("setIssuedAt", epoch(value));
-      } else if (typeof value === "string") {
-        this.#payload.iat = validateInput("setIssuedAt", epoch(/* @__PURE__ */ new Date()) + secs(value));
-      } else {
-        this.#payload.iat = validateInput("setIssuedAt", value);
-      }
-    }
-  }
-  class FlattenedSign {
-    #payload;
-    #protectedHeader;
-    #unprotectedHeader;
-    constructor(payload) {
-      if (!(payload instanceof Uint8Array)) {
-        throw new TypeError("payload must be an instance of Uint8Array");
-      }
-      this.#payload = payload;
-    }
-    setProtectedHeader(protectedHeader) {
-      assertNotSet(this.#protectedHeader, "setProtectedHeader");
-      this.#protectedHeader = protectedHeader;
-      return this;
-    }
-    setUnprotectedHeader(unprotectedHeader) {
-      assertNotSet(this.#unprotectedHeader, "setUnprotectedHeader");
-      this.#unprotectedHeader = unprotectedHeader;
-      return this;
-    }
-    async sign(key, options2) {
-      if (!this.#protectedHeader && !this.#unprotectedHeader) {
-        throw new JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
-      }
-      if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {
-        throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
-      }
-      const joseHeader = {
-        ...this.#protectedHeader,
-        ...this.#unprotectedHeader
-      };
-      const extensions2 = validateCrit(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options2?.crit, this.#protectedHeader, joseHeader);
-      let b64 = true;
-      if (extensions2.has("b64")) {
-        b64 = this.#protectedHeader.b64;
-        if (typeof b64 !== "boolean") {
-          throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
-        }
-      }
-      const { alg } = joseHeader;
-      if (typeof alg !== "string" || !alg) {
-        throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
-      }
-      checkKeyType(alg, key, "sign");
-      let payloadS;
-      let payloadB;
-      if (b64) {
-        payloadS = encode$3(this.#payload);
-        payloadB = encode$4(payloadS);
-      } else {
-        payloadB = this.#payload;
-        payloadS = "";
-      }
-      let protectedHeaderString;
-      let protectedHeaderBytes;
-      if (this.#protectedHeader) {
-        protectedHeaderString = encode$3(JSON.stringify(this.#protectedHeader));
-        protectedHeaderBytes = encode$4(protectedHeaderString);
-      } else {
-        protectedHeaderString = "";
-        protectedHeaderBytes = new Uint8Array();
-      }
-      const data = concat(protectedHeaderBytes, encode$4("."), payloadB);
-      const k = await normalizeKey$1(key, alg);
-      const signature = await sign$2(alg, k, data);
-      const jws2 = {
-        signature: encode$3(signature),
-        payload: payloadS
-      };
-      if (this.#unprotectedHeader) {
-        jws2.header = this.#unprotectedHeader;
-      }
-      if (this.#protectedHeader) {
-        jws2.protected = protectedHeaderString;
-      }
-      return jws2;
-    }
-  }
-  class CompactSign {
-    #flattened;
-    constructor(payload) {
-      this.#flattened = new FlattenedSign(payload);
-    }
-    setProtectedHeader(protectedHeader) {
-      this.#flattened.setProtectedHeader(protectedHeader);
-      return this;
-    }
-    async sign(key, options2) {
-      const jws2 = await this.#flattened.sign(key, options2);
-      if (jws2.payload === void 0) {
-        throw new TypeError("use the flattened module for creating JWS with b64: false");
-      }
-      return `${jws2.protected}.${jws2.payload}.${jws2.signature}`;
-    }
-  }
-  class SignJWT {
-    #protectedHeader;
-    #jwt;
-    constructor(payload = {}) {
-      this.#jwt = new JWTClaimsBuilder(payload);
-    }
-    setIssuer(issuer) {
-      this.#jwt.iss = issuer;
-      return this;
-    }
-    setSubject(subject) {
-      this.#jwt.sub = subject;
-      return this;
-    }
-    setAudience(audience) {
-      this.#jwt.aud = audience;
-      return this;
-    }
-    setJti(jwtId) {
-      this.#jwt.jti = jwtId;
-      return this;
-    }
-    setNotBefore(input) {
-      this.#jwt.nbf = input;
-      return this;
-    }
-    setExpirationTime(input) {
-      this.#jwt.exp = input;
-      return this;
-    }
-    setIssuedAt(input) {
-      this.#jwt.iat = input;
-      return this;
-    }
-    setProtectedHeader(protectedHeader) {
-      this.#protectedHeader = protectedHeader;
-      return this;
-    }
-    async sign(key, options2) {
-      const sig = new CompactSign(this.#jwt.data());
-      sig.setProtectedHeader(this.#protectedHeader);
-      if (Array.isArray(this.#protectedHeader?.crit) && this.#protectedHeader.crit.includes("b64") && this.#protectedHeader.b64 === false) {
-        throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
-      }
-      return sig.sign(key, options2);
-    }
-  }
   function createAppleProvider(config) {
     async function generateClientSecret() {
-      const key = require$$0$5.createPrivateKey({
-        key: config.privateKey,
-        format: "pem"
+      return jwt.sign({}, config.privateKey, {
+        algorithm: "ES256",
+        keyid: config.keyId,
+        issuer: config.teamId,
+        expiresIn: "180d",
+        audience: "https://appleid.apple.com",
+        subject: config.clientId
       });
-      const now = Math.floor(Date.now() / 1e3);
-      return new SignJWT({}).setProtectedHeader({
-        alg: "ES256",
-        kid: config.keyId
-      }).setIssuer(config.teamId).setIssuedAt(now).setExpirationTime(now + 86400 * 180).setAudience("https://appleid.apple.com").setSubject(config.clientId).sign(key);
     }
     return {
       id: "apple",
@@ -23558,7 +22751,7 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       windowMs = 15 * 60 * 1e3,
       limit = 100,
       keyGenerator = defaultKeyGenerator,
-      message: message2 = "Too many requests, please try again later."
+      message = "Too many requests, please try again later."
     } = options2;
     const store = /* @__PURE__ */ new Map();
     const cleanupInterval = setInterval(() => {
@@ -23593,7 +22786,7 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         c.header("X-RateLimit-Reset", String(Math.ceil((now + retryAfterMs) / 1e3)));
         return c.json({
           error: {
-            message: message2,
+            message,
             code: "RATE_LIMITED"
           }
         }, 429);
@@ -23605,7 +22798,12 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
     };
   }
   function defaultKeyGenerator(c) {
-    return c.req.header("x-forwarded-for")?.split(",")[0]?.trim() || c.req.header("x-real-ip") || "unknown";
+    const forwardedFor = c.req.header("x-forwarded-for");
+    if (forwardedFor) {
+      const ips = forwardedFor.split(",");
+      return ips[ips.length - 1].trim();
+    }
+    return c.req.header("x-real-ip") || "unknown";
   }
   const defaultAuthLimiter = createRateLimiter({
     windowMs: 15 * 60 * 1e3,
@@ -23752,7 +22950,11 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         passwordHash,
         displayName: displayName || void 0
       });
-      if (config.defaultRole) {
+      const existingUsers = await authRepo.listUsers();
+      const isFirstUser = existingUsers.length === 1 && existingUsers[0].id === user.id;
+      if (isFirstUser) {
+        await authRepo.setUserRoles(user.id, ["admin"]);
+      } else if (config.defaultRole) {
         await authRepo.assignDefaultRole(user.id, config.defaultRole);
       }
       const {
@@ -23793,7 +22995,13 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       for (const provider of config.oauthProviders) {
         router.post(`/${provider.id}`, defaultAuthLimiter, async (c) => {
           const payload = parseBody2(provider.schema, await c.req.json());
-          const externalUser = await provider.verify(payload);
+          let externalUser;
+          try {
+            externalUser = await provider.verify(payload);
+          } catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            throw ApiError.unauthorized(`${provider.id} login failed: ${msg}`, "OAUTH_ERROR");
+          }
           if (!externalUser) {
             throw ApiError.unauthorized(`Invalid ${provider.id} credentials`, "INVALID_TOKEN");
           }
@@ -23817,7 +23025,11 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
               await authRepo.linkUserIdentity(user.id, provider.id, externalUser.providerId, {
                 email: externalUser.email
               });
-              if (config.defaultRole) {
+              const allUsers = await authRepo.listUsers();
+              const isFirstUser = allUsers.length === 1 && allUsers[0].id === user.id;
+              if (isFirstUser) {
+                await authRepo.setUserRoles(user.id, ["admin"]);
+              } else if (config.defaultRole) {
                 await authRepo.assignDefaultRole(user.id, config.defaultRole);
               }
               sendWelcomeEmail({
@@ -24173,8 +23385,45 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
     const authRepo = config.authRepo;
     const {
       emailService,
-      emailConfig
+      emailConfig,
+      hooks
     } = config;
+    function buildHookContext(c, method) {
+      const user = c.get("user");
+      return {
+        requestUser: user ? {
+          userId: user.userId,
+          roles: user.roles ?? []
+        } : void 0,
+        method
+      };
+    }
+    async function applyUserAfterRead(user, ctx) {
+      if (!hooks?.users?.afterRead) return user;
+      return hooks.users.afterRead(user, ctx);
+    }
+    async function applyUserAfterReadBatch(users, ctx) {
+      if (!hooks?.users?.afterRead) return users;
+      const results = await Promise.all(users.map((u) => applyUserAfterRead(u, ctx)));
+      return results.filter((u) => u !== null);
+    }
+    async function applyRoleAfterReadBatch(roles, ctx) {
+      if (!hooks?.roles?.afterRead) return roles;
+      const results = await Promise.all(roles.map((r) => hooks.roles.afterRead(r, ctx)));
+      return results.filter((r) => r !== null);
+    }
+    function toAdminUser(u, roles) {
+      return {
+        uid: u.id,
+        email: u.email,
+        displayName: u.displayName ?? null,
+        photoURL: u.photoUrl ?? null,
+        provider: "custom",
+        roles,
+        createdAt: u.createdAt instanceof Date ? u.createdAt.toISOString() : u.createdAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+        updatedAt: u.updatedAt instanceof Date ? u.updatedAt.toISOString() : u.updatedAt ?? (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
     router.onError(errorHandler);
     router.use("/*", createRequireAuth({
       serviceKey: config.serviceKey
@@ -24225,6 +23474,7 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       const search = c.req.query("search");
       const orderBy = c.req.query("orderBy");
       const orderDir = c.req.query("orderDir");
+      const hookCtx = buildHookContext(c, "GET");
       if (limitParam !== void 0 || search) {
         const limit = limitParam ? parseInt(limitParam, 10) : 25;
         const offset = offsetParam ? parseInt(offsetParam, 10) : 0;
@@ -24236,18 +23486,11 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
           orderDir: orderDir || void 0,
           roleId: c.req.query("role") || void 0
         });
-        const usersWithRoles2 = await Promise.all(result.users.map(async (u) => {
+        let usersWithRoles2 = await Promise.all(result.users.map(async (u) => {
           const roles = await authRepo.getUserRoleIds(u.id);
-          return {
-            uid: u.id,
-            email: u.email,
-            displayName: u.displayName,
-            photoURL: u.photoUrl,
-            roles,
-            createdAt: u.createdAt,
-            updatedAt: u.updatedAt
-          };
+          return toAdminUser(u, roles);
         }));
+        usersWithRoles2 = await applyUserAfterReadBatch(usersWithRoles2, hookCtx);
         return c.json({
           users: usersWithRoles2,
           total: result.total,
@@ -24256,18 +23499,11 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         });
       }
       const users = await authRepo.listUsers();
-      const usersWithRoles = await Promise.all(users.map(async (u) => {
+      let usersWithRoles = await Promise.all(users.map(async (u) => {
         const roles = await authRepo.getUserRoleIds(u.id);
-        return {
-          uid: u.id,
-          email: u.email,
-          displayName: u.displayName,
-          photoURL: u.photoUrl,
-          roles,
-          createdAt: u.createdAt,
-          updatedAt: u.updatedAt
-        };
+        return toAdminUser(u, roles);
       }));
+      usersWithRoles = await applyUserAfterReadBatch(usersWithRoles, hookCtx);
       return c.json({
         users: usersWithRoles
       });
@@ -24278,21 +23514,19 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       if (!result) {
         throw ApiError.notFound("User not found");
       }
+      const hookCtx = buildHookContext(c, "GET");
+      let adminUser = toAdminUser(result.user, result.roles.map((r) => r.id));
+      adminUser = await applyUserAfterRead(adminUser, hookCtx);
+      if (!adminUser) {
+        throw ApiError.notFound("User not found");
+      }
       return c.json({
-        user: {
-          uid: result.user.id,
-          email: result.user.email,
-          displayName: result.user.displayName,
-          photoURL: result.user.photoUrl,
-          roles: result.roles.map((r) => r.id),
-          createdAt: result.user.createdAt,
-          updatedAt: result.user.updatedAt
-        }
+        user: adminUser
       });
     });
     router.post("/users", requireAdmin, async (c) => {
       const body = await c.req.json();
-      const {
+      let {
         email,
         displayName,
         password,
@@ -24301,6 +23535,17 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       if (!email) {
         throw ApiError.badRequest("Email is required", "INVALID_INPUT");
       }
+      const hookCtx = buildHookContext(c, "POST");
+      if (hooks?.users?.beforeSave) {
+        const hooked = await hooks.users.beforeSave({
+          email,
+          displayName,
+          roles
+        }, hookCtx);
+        email = hooked.email ?? email;
+        displayName = hooked.displayName ?? displayName;
+        roles = hooked.roles ?? roles;
+      }
       const existing = await authRepo.getUserByEmail(email);
       if (existing) {
         throw ApiError.conflict("Email already exists", "EMAIL_EXISTS");
@@ -24356,13 +23601,14 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       } else if (!password) {
         temporaryPassword = clearPassword;
       }
+      const createdAdminUser = toAdminUser(user, userRoles);
+      if (hooks?.users?.afterSave) {
+        Promise.resolve(hooks.users.afterSave(createdAdminUser, hookCtx)).catch((err) => {
+          console.error("[BackendHooks] users.afterSave error:", err instanceof Error ? err.message : err);
+        });
+      }
       return c.json({
-        user: {
-          uid: user.id,
-          email: user.email,
-          displayName: user.displayName,
-          roles: userRoles
-        },
+        user: createdAdminUser,
         invitationSent,
         ...temporaryPassword ? {
           temporaryPassword
@@ -24432,7 +23678,7 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
     router.put("/users/:userId", requireAdmin, async (c) => {
       const userId = c.req.param("userId");
       const body = await c.req.json();
-      const {
+      let {
         email,
         displayName,
         password,
@@ -24442,6 +23688,17 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       if (!existing) {
         throw ApiError.notFound("User not found");
       }
+      const hookCtx = buildHookContext(c, "PUT");
+      if (hooks?.users?.beforeSave) {
+        const hooked = await hooks.users.beforeSave({
+          email,
+          displayName,
+          roles
+        }, hookCtx);
+        email = hooked.email ?? email;
+        displayName = hooked.displayName ?? displayName;
+        roles = hooked.roles ?? roles;
+      }
       const updates = {};
       if (email !== void 0) updates.email = email.toLowerCase();
       if (displayName !== void 0) updates.displayName = displayName;
@@ -24459,13 +23716,14 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         await authRepo.setUserRoles(userId, roles);
       }
       const result = await authRepo.getUserWithRoles(userId);
+      const updatedAdminUser = toAdminUser(result.user, result.roles.map((r) => r.id));
+      if (hooks?.users?.afterSave) {
+        Promise.resolve(hooks.users.afterSave(updatedAdminUser, hookCtx)).catch((err) => {
+          console.error("[BackendHooks] users.afterSave error:", err instanceof Error ? err.message : err);
+        });
+      }
       return c.json({
-        user: {
-          uid: result.user.id,
-          email: result.user.email,
-          displayName: result.user.displayName,
-          roles: result.roles.map((r) => r.id)
-        }
+        user: updatedAdminUser
       });
     });
     router.delete("/users/:userId", requireAdmin, async (c) => {
@@ -24479,21 +23737,33 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       if (!existing) {
         throw ApiError.notFound("User not found");
       }
+      const hookCtx = buildHookContext(c, "DELETE");
+      if (hooks?.users?.beforeDelete) {
+        await hooks.users.beforeDelete(userId, hookCtx);
+      }
       await authRepo.deleteUser(userId);
+      if (hooks?.users?.afterDelete) {
+        Promise.resolve(hooks.users.afterDelete(userId, hookCtx)).catch((err) => {
+          console.error("[BackendHooks] users.afterDelete error:", err instanceof Error ? err.message : err);
+        });
+      }
       return c.json({
         success: true
       });
     });
     router.get("/roles", requireAdmin, async (c) => {
       const roles = await authRepo.listRoles();
+      const hookCtx = buildHookContext(c, "GET");
+      let adminRoles = roles.map((r) => ({
+        id: r.id,
+        name: r.name,
+        isAdmin: r.isAdmin,
+        defaultPermissions: r.defaultPermissions,
+        config: r.config
+      }));
+      adminRoles = await applyRoleAfterReadBatch(adminRoles, hookCtx);
       return c.json({
-        roles: roles.map((r) => ({
-          id: r.id,
-          name: r.name,
-          isAdmin: r.isAdmin,
-          defaultPermissions: r.defaultPermissions,
-          config: r.config
-        }))
+        roles: adminRoles
       });
     });
     router.get("/roles/:roleId", requireAdmin, async (c) => {
@@ -24656,10 +23926,10 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
      * Includes a path traversal guard to prevent escaping the base directory.
      */
     getFullPath(storagePath, bucket) {
-      const parts = bucket ? [this.basePath, bucket, storagePath] : [this.basePath, storagePath];
-      const resolved = path__namespace.resolve(path__namespace.join(...parts));
-      if (!resolved.startsWith(this.basePath + path__namespace.sep) && resolved !== this.basePath) {
-        throw new Error("Path traversal detected: resolved storage path is outside the base directory.");
+      const bucketPath = bucket ? path__namespace.join(this.basePath, bucket) : this.basePath;
+      const resolved = path__namespace.resolve(path__namespace.join(bucketPath, storagePath));
+      if (!resolved.startsWith(bucketPath + path__namespace.sep) && resolved !== bucketPath) {
+        throw new Error("Path traversal detected: resolved storage path is outside the bucket directory.");
       }
       return resolved;
     }
@@ -24806,17 +24076,34 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         }
       }
       resolvedPath = normalizeStoragePath(resolvedPath);
+      if (!resolvedPath) {
+        return;
+      }
       const fullPath = this.getFullPath(resolvedPath, resolvedBucket);
       try {
-        await unlink(fullPath);
-        try {
-          await unlink(`${fullPath}.metadata.json`);
-        } catch {
+        await access(fullPath, fs__namespace.constants.F_OK);
+      } catch {
+        return;
+      }
+      try {
+        const stats = await stat(fullPath);
+        if (stats.isDirectory()) {
+          await fs__namespace.promises.rmdir(fullPath);
+        } else {
+          await unlink(fullPath);
+          try {
+            await unlink(`${fullPath}.metadata.json`);
+          } catch {
+          }
         }
       } catch (error2) {
-        if (error2 instanceof Error && error2.code !== "ENOENT") {
-          throw error2;
+        if (error2 instanceof Error) {
+          const code2 = error2.code;
+          if (code2 === "ENOENT" || code2 === "ENOTEMPTY") {
+            return;
+          }
         }
+        throw error2;
       }
     }
     async listObjects(prefix, options2) {
@@ -24923,7 +24210,8 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
      * Get the bucket name - either from parameter or config
      */
     getBucket(bucket) {
-      return bucket ?? this.config.bucket;
+      if (!bucket || bucket === "default") return this.config.bucket;
+      return bucket;
     }
     async putObject({
       file,
@@ -25211,11 +24499,18 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         const fileContent = fs__namespace.readFileSync(absolutePath);
         return c.body(new Uint8Array(fileContent));
       }
-      const downloadConfig = await controller.getSignedUrl(filePath);
-      if (downloadConfig.fileNotFound || !downloadConfig.url) {
+      const {
+        bucket: parsedBucket,
+        resolvedPath: parsedPath
+      } = parseBucketAndPath(filePath);
+      const fileObject = await controller.getObject(parsedPath, parsedBucket);
+      if (!fileObject) {
         throw ApiError.notFound("File not found");
       }
-      return c.redirect(downloadConfig.url);
+      c.header("Content-Type", fileObject.type || "application/octet-stream");
+      c.header("Cache-Control", "public, max-age=3600, immutable");
+      const buf = await fileObject.arrayBuffer();
+      return c.body(new Uint8Array(buf));
     });
     router.get("/metadata/*", readAuthMiddleware, async (c) => {
       const rawPath = extractWildcardPath(c);
@@ -25265,7 +24560,7 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       const maxResults = c.req.query("maxResults");
       const pageToken = c.req.query("pageToken");
       const result = await controller.listObjects(storagePrefix, {
-        bucket,
+        bucket: bucket ?? (controller.getType() === "local" ? "default" : void 0),
         maxResults: maxResults ? parseInt(maxResults, 10) : void 0,
         pageToken
       });
@@ -25274,6 +24569,40 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         data: result
       });
     });
+    router.post("/folder", writeAuthMiddleware, async (c) => {
+      const body = await c.req.json();
+      const folderPath = body.path;
+      if (!folderPath || typeof folderPath !== "string") {
+        throw ApiError.badRequest("Folder path is required");
+      }
+      const {
+        bucket,
+        resolvedPath
+      } = parseBucketAndPath(folderPath);
+      if (!resolvedPath || resolvedPath.trim() === "") {
+        throw ApiError.badRequest("Invalid folder path");
+      }
+      if (controller.getType() === "local") {
+        const localController = controller;
+        const absolutePath = localController.getAbsolutePath(resolvedPath, bucket);
+        fs__namespace.mkdirSync(absolutePath, {
+          recursive: true
+        });
+      } else {
+        const key = resolvedPath.endsWith("/") ? resolvedPath : resolvedPath + "/";
+        const emptyFile = new File([], key, {
+          type: "application/x-directory"
+        });
+        await controller.putObject({
+          file: emptyFile,
+          key
+        });
+      }
+      return c.json({
+        success: true,
+        message: "Folder created"
+      }, 201);
+    });
     return router;
   }
   const DEFAULT_STORAGE_ID = "(default)";
@@ -25397,8 +24726,8 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
     status;
     code;
     details;
-    constructor(status, message2, code2, details) {
-      super(message2);
+    constructor(status, message, code2, details) {
+      super(message);
       this.name = "RebaseApiError";
       this.status = status;
       this.code = code2;
@@ -25728,20 +25057,21 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         refreshToken: session.refreshToken
       };
     }
-    async function signInWithGoogle(idToken) {
+    async function signInWithGoogle(tokenOrPayload) {
       const fetchFn = getFetch();
+      const body = typeof tokenOrPayload === "string" ? {
+        idToken: tokenOrPayload
+      } : tokenOrPayload;
       const res = await fetchFn(authUrl("/google"), {
         method: "POST",
         headers: {
           "Content-Type": "application/json"
         },
-        body: JSON.stringify({
-          idToken
-        })
+        body: JSON.stringify(body)
       });
-      const body = await res.json().catch(() => ({}));
-      if (!res.ok) throwApiError(res.status, body, res.statusText);
-      const session = handleAuthResponse(body, "SIGNED_IN");
+      const responseBody = await res.json().catch(() => ({}));
+      if (!res.ok) throwApiError(res.status, responseBody, res.statusText);
+      const session = handleAuthResponse(responseBody, "SIGNED_IN");
       return {
         user: session.user,
         accessToken: session.accessToken,
@@ -26369,6 +25699,18 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
           method: "DELETE"
         });
       },
+      async count(params) {
+        const countParams = {
+          ...params,
+          limit: void 0,
+          offset: void 0
+        };
+        const qs = buildQueryString(countParams);
+        const raw = await transport.request(basePath + "/count" + qs, {
+          method: "GET"
+        });
+        return raw.count ?? 0;
+      },
       // Fluent builder instantiation
       where(column, operator, value) {
         return new QueryBuilder(client).where(column, operator, value);
@@ -26391,6 +25733,25 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
     };
     return client;
   }
+  function createFunctionsClient(transport) {
+    return {
+      async invoke(name2, payload, options2) {
+        const method = options2?.method ?? "POST";
+        const subPath = options2?.path ? `/${options2.path.replace(/^\//, "")}` : "";
+        const routePath = `/functions/${encodeURIComponent(name2)}${subPath}`;
+        const init = {
+          method
+        };
+        if (payload !== void 0 && method !== "GET") {
+          init.body = JSON.stringify(payload);
+        }
+        if (options2?.headers) {
+          init.headers = options2.headers;
+        }
+        return transport.request(routePath, init);
+      }
+    };
+  }
   function createStorage(transport) {
     const urlsCache = /* @__PURE__ */ new Map();
     async function putObject({
@@ -26524,6 +25885,7 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
     const admin = createAdmin(transport, options2.admin);
     const cron = createCron(transport, options2.cron);
     const storage = createStorage(transport);
+    const functions = createFunctionsClient(transport);
     let ws;
     if (!options2.onUnauthorized) {
       transport.setOnUnauthorized(async () => {
@@ -26562,6 +25924,7 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       auth,
       admin,
       cron,
+      functions,
       storage,
       ws,
       setToken: transport.setToken,
@@ -27375,7 +26738,7 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       });
       return options2;
     };
-    module2.exports._logFunc = (logger2, level, defaults, data, message2, ...args) => {
+    module2.exports._logFunc = (logger2, level, defaults, data, message, ...args) => {
       let entry = {};
       Object.keys(defaults || {}).forEach((key) => {
         if (key !== "level") {
@@ -27387,7 +26750,7 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
           entry[key] = data[key];
         }
       });
-      logger2[level](entry, message2, ...args);
+      logger2[level](entry, message, ...args);
     };
     module2.exports.getLogger = (options2, defaults) => {
       options2 = options2 || {};
@@ -27404,8 +26767,8 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         logger2 = createDefaultLogger(levels);
       }
       levels.forEach((level) => {
-        response[level] = (data, message2, ...args) => {
-          module2.exports._logFunc(logger2, level, defaults, data, message2, ...args);
+        response[level] = (data, message, ...args) => {
+          module2.exports._logFunc(logger2, level, defaults, data, message, ...args);
         };
       });
       return response;
@@ -27588,7 +26951,7 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         }
         levelNames.set(level, levelName);
       });
-      let print2 = (level, entry, message2, ...args) => {
+      let print2 = (level, entry, message, ...args) => {
         let prefix = "";
         if (entry) {
           if (entry.tnx === "server") {
@@ -27603,8 +26966,8 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
             prefix = "[#" + entry.cid + "] " + prefix;
           }
         }
-        message2 = util2.format(message2, ...args);
-        message2.split(/\r?\n/).forEach((line) => {
+        message = util2.format(message, ...args);
+        message.split(/\r?\n/).forEach((line) => {
           console.log("[%s] %s %s", (/* @__PURE__ */ new Date()).toISOString().substr(0, 19).replace(/T/, " "), levelNames.get(level), prefix + line);
         });
       };
@@ -34100,8 +33463,8 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
      * @param {Object} message String, Buffer or a Stream
      * @param {Function} callback Callback to return once sending is completed
      */
-    send(envelope, message2, done) {
-      if (!message2) {
+    send(envelope, message, done) {
+      if (!message) {
         return done(this._formatError("Empty message", "EMESSAGE", false, "API"));
       }
       const isDestroyedMessage = this._isDestroyedMessage("send message");
@@ -34121,17 +33484,17 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         returned = true;
         done(...arguments);
       };
-      if (typeof message2.on === "function") {
-        message2.on("error", (err) => callback(this._formatError(err, "ESTREAM", false, "API")));
+      if (typeof message.on === "function") {
+        message.on("error", (err) => callback(this._formatError(err, "ESTREAM", false, "API")));
       }
       let startTime = Date.now();
       this._setEnvelope(envelope, (err, info) => {
         if (err) {
           let stream3 = new PassThrough();
-          if (typeof message2.pipe === "function") {
-            message2.pipe(stream3);
+          if (typeof message.pipe === "function") {
+            message.pipe(stream3);
           } else {
-            stream3.write(message2);
+            stream3.write(message);
             stream3.end();
           }
           return callback(err);
@@ -34147,10 +33510,10 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
           info.response = str;
           return callback(null, info);
         });
-        if (typeof message2.pipe === "function") {
-          message2.pipe(stream2);
+        if (typeof message.pipe === "function") {
+          message.pipe(stream2);
         } else {
-          stream2.write(message2);
+          stream2.write(message);
           stream2.end();
         }
       });
@@ -34263,12 +33626,12 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       this.emit("error", err);
       this.close();
     }
-    _formatError(message2, type, response, command) {
+    _formatError(message, type, response, command) {
       let err;
-      if (/Error\]$/i.test(Object.prototype.toString.call(message2))) {
-        err = message2;
+      if (/Error\]$/i.test(Object.prototype.toString.call(message))) {
+        err = message;
       } else {
-        err = new Error(message2);
+        err = new Error(message);
       }
       if (type && type !== "Error") {
         err.code = type;
@@ -34911,14 +34274,14 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
      * @param {String} str Message from the server
      */
     _actionMAIL(str, callback) {
-      let message2, curRecipient;
+      let message, curRecipient;
       if (Number(str.charAt(0)) !== 2) {
         if (this._usingSmtpUtf8 && /^550 /.test(str) && /[\x80-\uFFFF]/.test(this._envelope.from)) {
-          message2 = "Internationalized mailbox name not allowed";
+          message = "Internationalized mailbox name not allowed";
         } else {
-          message2 = "Mail command failed";
+          message = "Mail command failed";
         }
-        return callback(this._formatError(message2, "EENVELOPE", str, "MAIL FROM"));
+        return callback(this._formatError(message, "EENVELOPE", str, "MAIL FROM"));
       }
       if (!this._envelope.rcptQueue.length) {
         return callback(this._formatError("Can't send mail - no recipients defined", "EENVELOPE", false, "API"));
@@ -34949,15 +34312,15 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
      * @param {String} str Message from the server
      */
     _actionRCPT(str, callback) {
-      let message2, err, curRecipient = this._recipientQueue.shift();
+      let message, err, curRecipient = this._recipientQueue.shift();
       if (Number(str.charAt(0)) !== 2) {
         if (this._usingSmtpUtf8 && /^553 /.test(str) && /[\x80-\uFFFF]/.test(curRecipient)) {
-          message2 = "Internationalized mailbox name not allowed";
+          message = "Internationalized mailbox name not allowed";
         } else {
-          message2 = "Recipient command failed";
+          message = "Recipient command failed";
         }
         this._envelope.rejected.push(curRecipient);
-        err = this._formatError(message2, "EENVELOPE", str, "RCPT TO");
+        err = this._formatError(message, "EENVELOPE", str, "RCPT TO");
         err.recipient = curRecipient;
         this._envelope.rejectedErrors.push(err);
       } else {
@@ -37673,9 +37036,9 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
           replyTo: options2.replyTo
         });
       } catch (error2) {
-        const message2 = error2 instanceof Error ? error2.message : String(error2);
-        console.error("Failed to send email:", message2);
-        throw new Error(`Failed to send email: ${message2}`);
+        const message = error2 instanceof Error ? error2.message : String(error2);
+        console.error("Failed to send email:", message);
+        throw new Error(`Failed to send email: ${message}`);
       }
     }
     /**
@@ -37689,8 +37052,8 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         await this.transporter.verify();
         return true;
       } catch (error2) {
-        const message2 = error2 instanceof Error ? error2.message : String(error2);
-        console.error("SMTP connection verification failed:", message2);
+        const message = error2 instanceof Error ? error2.message : String(error2);
+        console.error("SMTP connection verification failed:", message);
         return false;
       }
     }
@@ -37889,7 +37252,7 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         const {
           createGoogleProvider: createGoogleProvider2
         } = await Promise.resolve().then(() => index);
-        oauthProviders.push(createGoogleProvider2(config.auth.google.clientId));
+        oauthProviders.push(createGoogleProvider2(config.auth.google));
       }
       if (config.auth.linkedin?.clientId && config.auth.linkedin?.clientSecret) {
         const {
@@ -37970,7 +37333,8 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         authRepo: authConfigResult.authRepository ?? authConfigResult.userService,
         emailService: authConfigResult.emailService,
         emailConfig: config.auth.email,
-        serviceKey
+        serviceKey,
+        hooks: config.hooks
       });
       config.app.route(`${basePath}/admin`, adminRoutes);
     }
@@ -38028,7 +37392,7 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
         });
         dataRouter.route("/", historyRoutes);
       }
-      const restGenerator = new RestApiGenerator(activeCollections, defaultDriver);
+      const restGenerator = new RestApiGenerator(activeCollections, defaultDriver, config.hooks?.data);
       dataRouter.route("/", restGenerator.generateRoutes());
       config.app.route(`${basePath}/data`, dataRouter);
     }
@@ -38089,6 +37453,13 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
     }
     _initRebase(serverClient);
     logger.info("Rebase singleton initialized");
+    if (defaultDriverResult.internals) {
+      const internals = defaultDriverResult.internals;
+      const driver = internals.driver;
+      if (driver && "client" in driver) {
+        driver.client = serverClient;
+      }
+    }
     if (config.functionsDir) {
       const {
         loadFunctionsFromDirectory: loadFunctionsFromDirectory2
@@ -38222,10 +37593,10 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
       shutdown
     };
   }
-  function devAssert(condition, message2) {
+  function devAssert(condition, message) {
     const booleanCondition = Boolean(condition);
     if (!booleanCondition) {
-      throw new Error(message2);
+      throw new Error(message);
     }
   }
   function isPromise(value) {
@@ -38234,11 +37605,11 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
   function isObjectLike(value) {
     return typeof value == "object" && value !== null;
   }
-  function invariant(condition, message2) {
+  function invariant(condition, message) {
     const booleanCondition = Boolean(condition);
     if (!booleanCondition) {
       throw new Error(
-        message2 != null ? message2 : "Unexpected invariant triggered."
+        message != null ? message : "Unexpected invariant triggered."
       );
     }
   }
@@ -38357,10 +37728,10 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
     /**
      * @deprecated Please use the `GraphQLErrorOptions` constructor overload instead.
      */
-    constructor(message2, ...rawArgs) {
+    constructor(message, ...rawArgs) {
       var _this$nodes, _nodeLocations$, _ref;
       const { nodes, source, positions, path: path2, originalError, extensions: extensions2 } = toNormalizedOptions(rawArgs);
-      super(message2);
+      super(message);
       this.name = "GraphQLError";
       this.path = path2 !== null && path2 !== void 0 ? path2 : void 0;
       this.originalError = originalError !== null && originalError !== void 0 ? originalError : void 0;
@@ -39378,14 +38749,14 @@ Si tienes alguna pregunta, no dudes en contactarnos respondiendo a este correo.
     return "[" + items.join(", ") + "]";
   }
   function getObjectTag(object) {
-    const tag2 = Object.prototype.toString.call(object).replace(/^\[object /, "").replace(/]$/, "");
-    if (tag2 === "Object" && typeof object.constructor === "function") {
+    const tag = Object.prototype.toString.call(object).replace(/^\[object /, "").replace(/]$/, "");
+    if (tag === "Object" && typeof object.constructor === "function") {
       const name2 = object.constructor.name;
       if (typeof name2 === "string" && name2 !== "") {
         return name2;
       }
     }
-    return tag2;
+    return tag;
   }
   const isProduction = globalThis.process && // eslint-disable-next-line no-undef
   process.env.NODE_ENV === "production";
@@ -40783,22 +40154,22 @@ spurious results.`);
   const MAX_SUGGESTIONS = 5;
   function didYouMean(firstArg, secondArg) {
     const [subMessage, suggestionsArg] = secondArg ? [firstArg, secondArg] : [void 0, firstArg];
-    let message2 = " Did you mean ";
+    let message = " Did you mean ";
     if (subMessage) {
-      message2 += subMessage + " ";
+      message += subMessage + " ";
     }
     const suggestions = suggestionsArg.map((x) => `"${x}"`);
     switch (suggestions.length) {
       case 0:
         return "";
       case 1:
-        return message2 + suggestions[0] + "?";
+        return message + suggestions[0] + "?";
       case 2:
-        return message2 + suggestions[0] + " or " + suggestions[1] + "?";
+        return message + suggestions[0] + " or " + suggestions[1] + "?";
     }
     const selected = suggestions.slice(0, MAX_SUGGESTIONS);
     const lastItem = selected.pop();
-    return message2 + selected.join(", ") + ", or " + lastItem + "?";
+    return message + selected.join(", ") + ", or " + lastItem + "?";
   }
   function identityFunc(x) {
     return x;
@@ -43442,10 +42813,10 @@ spurious results.`);
       this._errors = [];
       this.schema = schema;
     }
-    reportError(message2, nodes) {
+    reportError(message, nodes) {
       const _nodes = Array.isArray(nodes) ? nodes.filter(Boolean) : nodes;
       this._errors.push(
-        new GraphQLError(message2, {
+        new GraphQLError(message, {
           nodes: _nodes
         })
       );
@@ -47828,9 +47199,9 @@ spurious results.`);
       };
     }
     return {
-      errors: messages.map((message2) => {
+      errors: messages.map((message) => {
         return {
-          message: message2
+          message
         };
       })
     };
@@ -48967,7 +48338,9 @@ export default ${safeId}Collection;
      * Setup Hono middleware
      */
     setupMiddleware() {
-      this.router.use("/*", secureHeaders.secureHeaders());
+      this.router.use("/*", secureHeaders.secureHeaders({
+        crossOriginOpenerPolicy: "same-origin-allow-popups"
+      }));
       if (this.config.cors) {
         const origin = this.config.cors.origin;
         this.router.use("/*", cors.cors({
@@ -49054,9 +48427,9 @@ export default ${safeId}Collection;
         if (process.env.NODE_ENV === "production") {
           console.warn("[RebaseApiServer] Schema Editor is disabled in production environments for security.");
         } else {
+          this.router.use(`${basePath}/schema-editor/*`, requireAuth, requireAdmin);
           const schemaEditorRoutes2 = createSchemaEditorRoutes(this.config.collectionsDir);
           this.router.route(`${basePath}/schema-editor`, schemaEditorRoutes2);
-          this.router.use(`${basePath}/schema-editor/*`, requireAuth, requireAdmin);
         }
       }
       this.router.get(`${basePath}/docs`, (c) => {
@@ -49170,8 +48543,8 @@ export default ${safeId}Collection;
   Hint: ensure the function exports a Hono app created with the same hono version as the server.
   The loader checks for .fetch() and .routes — any Hono-compatible app will work.`);
         } catch (err) {
-          const message2 = err instanceof Error ? err.message : String(err);
-          console.error(`[functions] Failed to load ${file}: ${message2}`);
+          const message = err instanceof Error ? err.message : String(err);
+          console.error(`[functions] Failed to load ${file}: ${message}`);
         }
       }
     }
@@ -49243,8 +48616,8 @@ export default ${safeId}Collection;
           });
           console.log(`⏰ Loaded cron job: ${id} (${definition.schedule})`);
         } catch (err) {
-          const message2 = err instanceof Error ? err.message : String(err);
-          console.error(`[cron] Failed to load ${file}: ${message2}`);
+          const message = err instanceof Error ? err.message : String(err);
+          console.error(`[cron] Failed to load ${file}: ${message}`);
         }
       }
     }
@@ -49254,46 +48627,98 @@ export default ${safeId}Collection;
     __proto__: null,
     loadCronJobsFromDirectory
   }, Symbol.toStringTag, { value: "Module" }));
+  function expandCronField(field, min, max) {
+    const results = /* @__PURE__ */ new Set();
+    for (const segment of field.split(",")) {
+      const trimmed = segment.trim();
+      if (trimmed === "*") {
+        for (let i2 = min; i2 <= max; i2++) results.add(i2);
+      } else if (trimmed.includes("/")) {
+        const [rangeStr, stepStr] = trimmed.split("/");
+        const step = parseInt(stepStr, 10);
+        if (isNaN(step) || step <= 0) {
+          throw new Error(`Invalid step value "${stepStr}" in cron field "${field}"`);
+        }
+        let start = min;
+        let end = max;
+        if (rangeStr !== "*") {
+          if (rangeStr.includes("-")) {
+            const [a2, b] = rangeStr.split("-").map(Number);
+            start = a2;
+            end = b;
+          } else {
+            start = parseInt(rangeStr, 10);
+          }
+        }
+        for (let i2 = start; i2 <= end; i2 += step) results.add(i2);
+      } else if (trimmed.includes("-")) {
+        const [a2, b] = trimmed.split("-").map(Number);
+        for (let i2 = a2; i2 <= b; i2++) results.add(i2);
+      } else {
+        const val = parseInt(trimmed, 10);
+        if (isNaN(val)) {
+          throw new Error(`Invalid value "${trimmed}" in cron field "${field}"`);
+        }
+        results.add(val);
+      }
+    }
+    return [...results].sort((a2, b) => a2 - b);
+  }
+  function validateCronExpression(schedule) {
+    if (!schedule || typeof schedule !== "string") {
+      return {
+        valid: false,
+        reason: "Schedule must be a non-empty string"
+      };
+    }
+    const parts = schedule.trim().split(/\s+/);
+    if (parts.length !== 5) {
+      return {
+        valid: false,
+        reason: `Expected 5 fields, got ${parts.length}`
+      };
+    }
+    const fieldRanges = [["minute", 0, 59], ["hour", 0, 23], ["day of month", 1, 31], ["month", 1, 12], ["day of week", 0, 6]];
+    for (let i2 = 0; i2 < 5; i2++) {
+      const [name2, min, max] = fieldRanges[i2];
+      try {
+        const values2 = expandCronField(parts[i2], min, max);
+        if (values2.length === 0) {
+          return {
+            valid: false,
+            reason: `${name2} field "${parts[i2]}" produces no values`
+          };
+        }
+        for (const v of values2) {
+          if (v < min || v > max) {
+            return {
+              valid: false,
+              reason: `${name2} field value ${v} out of range [${min}–${max}]`
+            };
+          }
+        }
+      } catch (err) {
+        return {
+          valid: false,
+          reason: `${name2} field: ${err instanceof Error ? err.message : String(err)}`
+        };
+      }
+    }
+    return {
+      valid: true
+    };
+  }
   function parseCronExpression(expression, after) {
     const parts = expression.trim().split(/\s+/);
     if (parts.length < 5) {
       throw new Error(`Invalid cron expression: "${expression}". Expected 5 fields.`);
     }
     const [minField, hourField, domField, monField, dowField] = parts;
-    const expand = (field, min, max) => {
-      const results = /* @__PURE__ */ new Set();
-      for (const segment of field.split(",")) {
-        if (segment === "*") {
-          for (let i2 = min; i2 <= max; i2++) results.add(i2);
-        } else if (segment.includes("/")) {
-          const [rangeStr, stepStr] = segment.split("/");
-          const step = parseInt(stepStr, 10);
-          let start = min;
-          let end = max;
-          if (rangeStr !== "*") {
-            if (rangeStr.includes("-")) {
-              const [a2, b] = rangeStr.split("-").map(Number);
-              start = a2;
-              end = b;
-            } else {
-              start = parseInt(rangeStr, 10);
-            }
-          }
-          for (let i2 = start; i2 <= end; i2 += step) results.add(i2);
-        } else if (segment.includes("-")) {
-          const [a2, b] = segment.split("-").map(Number);
-          for (let i2 = a2; i2 <= b; i2++) results.add(i2);
-        } else {
-          results.add(parseInt(segment, 10));
-        }
-      }
-      return [...results].sort((a2, b) => a2 - b);
-    };
-    const minutes = expand(minField, 0, 59);
-    const hours = expand(hourField, 0, 23);
-    const doms = expand(domField, 1, 31);
-    const months = expand(monField, 1, 12);
-    const dows = expand(dowField, 0, 6);
+    const minutes = expandCronField(minField, 0, 59);
+    const hours = expandCronField(hourField, 0, 23);
+    const doms = expandCronField(domField, 1, 31);
+    const months = expandCronField(monField, 1, 12);
+    const dows = expandCronField(dowField, 0, 6);
     const candidate = new Date(after);
     candidate.setSeconds(0, 0);
     candidate.setMinutes(candidate.getMinutes() + 1);
@@ -49302,9 +48727,9 @@ export default ${safeId}Collection;
       const month = candidate.getMonth() + 1;
       const dom = candidate.getDate();
       const dow = candidate.getDay();
-      const hour2 = candidate.getHours();
-      const minute2 = candidate.getMinutes();
-      if (months.includes(month) && doms.includes(dom) && dows.includes(dow) && hours.includes(hour2) && minutes.includes(minute2)) {
+      const hour = candidate.getHours();
+      const minute = candidate.getMinutes();
+      if (months.includes(month) && doms.includes(dom) && dows.includes(dow) && hours.includes(hour) && minutes.includes(minute)) {
         return candidate;
       }
       candidate.setMinutes(candidate.getMinutes() + 1);
@@ -49314,6 +48739,7 @@ export default ${safeId}Collection;
     return fallback;
   }
   const MAX_LOGS_PER_JOB = 50;
+  const MIN_SCHEDULE_INTERVAL_MS = 5e3;
   class CronScheduler {
     jobs = /* @__PURE__ */ new Map();
     started = false;
@@ -49335,23 +48761,39 @@ export default ${safeId}Collection;
     }
     /**
      * Register a batch of loaded cron jobs.
+     *
+     * If the scheduler is already started, newly registered jobs are
+     * automatically scheduled (so late-registered jobs don't sit idle).
+     *
+     * Validates the cron schedule on registration — invalid schedules
+     * are rejected with a warning and the job is NOT registered.
      */
     registerJobs(loadedJobs) {
       for (const loaded of loadedJobs) {
+        const validation = validateCronExpression(loaded.definition.schedule);
+        if (!validation.valid) {
+          console.error(`[cron] Rejecting job "${loaded.id}": invalid schedule "${loaded.definition.schedule}" — ${validation.reason}`);
+          continue;
+        }
         const existing = this.jobs.get(loaded.id);
         if (existing) {
           console.warn(`[cron] Duplicate cron job id: "${loaded.id}". Overwriting.`);
           this.stopJob(loaded.id);
         }
+        const enabled = loaded.definition.enabled !== false;
         this.jobs.set(loaded.id, {
           id: loaded.id,
           definition: loaded.definition,
-          enabled: loaded.definition.enabled !== false,
-          state: loaded.definition.enabled !== false ? "idle" : "disabled",
+          enabled,
+          state: enabled ? "idle" : "disabled",
           totalRuns: 0,
           totalFailures: 0,
-          logs: []
+          logs: [],
+          executing: false
         });
+        if (this.started && enabled) {
+          this.scheduleNext(loaded.id);
+        }
       }
     }
     /**
@@ -49385,6 +48827,9 @@ export default ${safeId}Collection;
     }
     /**
      * Stop the scheduler and clear all timers.
+     *
+     * Currently-executing handlers run to completion (they are async),
+     * but no further scheduling occurs after stop.
      */
     stop() {
       this.started = false;
@@ -49443,32 +48888,81 @@ export default ${safeId}Collection;
     }
     /**
      * Manually trigger a job execution immediately.
+     *
+     * Returns `undefined` if the job doesn't exist.
+     * If the job is currently executing, returns the log entry with
+     * a `skipped: true` result rather than running concurrently.
      */
     async triggerJob(id) {
       const job = this.jobs.get(id);
       if (!job) return void 0;
+      if (job.executing) {
+        console.warn(`[cron] Skipping manual trigger of "${id}" — already executing`);
+        const logEntry = {
+          jobId: id,
+          startedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          durationMs: 0,
+          success: true,
+          result: {
+            skipped: true,
+            reason: "already_executing"
+          },
+          logs: ["Skipped: job is already running"],
+          manual: true
+        };
+        job.logs.push(logEntry);
+        if (job.logs.length > MAX_LOGS_PER_JOB) job.logs.shift();
+        return logEntry;
+      }
       return this.executeJob(job, true);
     }
     // ─── Internal ────────────────────────────────────────────────────
+    /**
+     * Schedule the next execution for a job.
+     *
+     * Safety guarantees:
+     * 1. Clears any existing timer first (prevents leaked/duplicate timers)
+     * 2. Enforces a minimum delay to prevent tight loops from jitter
+     * 3. Unref's the timer so it doesn't prevent process exit
+     * 4. Re-checks enabled & started state before executing
+     * 5. Concurrency guard prevents overlapping handler executions
+     */
     scheduleNext(id) {
       const job = this.jobs.get(id);
       if (!job || !job.enabled || !this.started) return;
+      this.stopJob(id);
       try {
         const now = /* @__PURE__ */ new Date();
         const nextRun = parseCronExpression(job.definition.schedule, now);
         job.nextRunAt = nextRun;
-        const delay = Math.max(nextRun.getTime() - now.getTime(), 0);
-        job.timerId = setTimeout(async () => {
+        const rawDelay = nextRun.getTime() - now.getTime();
+        const delay = Math.max(rawDelay, MIN_SCHEDULE_INTERVAL_MS);
+        const timer = setTimeout(async () => {
           if (!job.enabled || !this.started) return;
+          if (job.executing) {
+            console.warn(`[cron] Skipping scheduled run of "${id}" — still executing from previous run`);
+            this.scheduleNext(id);
+            return;
+          }
           await this.executeJob(job, false);
-          this.scheduleNext(id);
+          if (this.started && job.enabled) {
+            this.scheduleNext(id);
+          }
         }, delay);
+        if (timer && typeof timer === "object" && "unref" in timer) {
+          timer.unref();
+        }
+        job.timerId = timer;
       } catch (err) {
         console.error(`[cron] Failed to schedule "${id}":`, err);
         job.state = "error";
         job.lastError = err instanceof Error ? err.message : String(err);
       }
     }
+    /**
+     * Stop a single job's timer and clear its next run state.
+     */
     stopJob(id) {
       const job = this.jobs.get(id);
       if (job?.timerId) {
@@ -49477,9 +48971,19 @@ export default ${safeId}Collection;
         job.nextRunAt = void 0;
       }
     }
+    /**
+     * Execute a job's handler with full isolation and safety.
+     *
+     * - Sets a concurrency flag to prevent overlapping runs
+     * - Wraps handler in a timeout race
+     * - Captures all logs, errors, and results
+     * - Persists to store (non-blocking) if available
+     * - Always restores state even on catastrophic errors
+     */
     async executeJob(job, manual) {
       const startedAt = /* @__PURE__ */ new Date();
       const capturedLogs = [];
+      job.executing = true;
       const ctx = {
         jobId: job.id,
         scheduledAt: startedAt,
@@ -49498,14 +49002,21 @@ export default ${safeId}Collection;
       try {
         const timeout = (job.definition.timeoutSeconds ?? 300) * 1e3;
         const handlerPromise = Promise.resolve(job.definition.handler(ctx));
+        let timeoutHandle;
         const timeoutPromise = new Promise((_, reject) => {
-          setTimeout(() => reject(new Error(`Cron job "${job.id}" timed out after ${timeout}ms`)), timeout);
+          timeoutHandle = setTimeout(() => reject(new Error(`Cron job "${job.id}" timed out after ${timeout}ms`)), timeout);
         });
-        result = await Promise.race([handlerPromise, timeoutPromise]);
+        try {
+          result = await Promise.race([handlerPromise, timeoutPromise]);
+        } finally {
+          clearTimeout(timeoutHandle);
+        }
       } catch (err) {
         success = false;
         error2 = err instanceof Error ? err.message : String(err);
         job.totalFailures++;
+      } finally {
+        job.executing = false;
       }
       const finishedAt = /* @__PURE__ */ new Date();
       const durationMs = finishedAt.getTime() - startedAt.getTime();
@@ -49528,8 +49039,8 @@ export default ${safeId}Collection;
         job.logs.shift();
       }
       if (this.store) {
-        this.store.insertLog(logEntry).catch((err) => {
-          console.error(`[cron] Failed to persist log for "${job.id}":`, err);
+        this.store.insertLog(logEntry).catch((persistErr) => {
+          console.error(`[cron] Failed to persist log for "${job.id}":`, persistErr);
         });
       }
       if (success) {
@@ -49558,7 +49069,8 @@ export default ${safeId}Collection;
   }
   const cronScheduler = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
     __proto__: null,
-    CronScheduler
+    CronScheduler,
+    validateCronExpression
   }, Symbol.toStringTag, { value: "Module" }));
   function createCronRoutes(scheduler) {
     const router = new hono.Hono();
@@ -49960,6 +49472,7 @@ export default ${safeId}Collection;
   exports2.resetConsole = resetConsole;
   exports2.serveSPA = serveSPA;
   exports2.strictAuthLimiter = strictAuthLimiter;
+  exports2.validateCronExpression = validateCronExpression;
   exports2.validatePasswordStrength = validatePasswordStrength;
   exports2.verifyAccessToken = verifyAccessToken;
   exports2.verifyPassword = verifyPassword;