@saacms/core 0.1.5 → 0.1.6

package/dist/index-dy25fetw.js

@@ -0,0 +1,3037 @@
+import {
+  resolveHooksFor,
+  runHooks
+} from "./index-zgbq60fy.js";
+import {
+  collectionToOpenApiPaths,
+  filterOpenApiForUser,
+  slugToTableName
+} from "./index-a3pnt8yz.js";
+import {
+  withMediaFields
+} from "./index-8g8ymd37.js";
+
+// src/runtime/index.ts
+import { Hono } from "hono";
+
+// src/runtime/auth-middleware.ts
+var LOG_PREFIX = "[saacms/auth]";
+function mountAuthMiddleware(app, config) {
+  const adapter = config.auth;
+  if (adapter == null) {
+    return;
+  }
+  app.use("*", async (c, next) => {
+    try {
+      const user = await adapter.getSession(c.req.raw);
+      if (user != null) {
+        c.set("user", user);
+      }
+    } catch (err) {
+      console.warn(`${LOG_PREFIX} adapter "${adapter.name}" threw:`, err);
+    }
+    await next();
+  });
+}
+
+// src/runtime/create-route.ts
+import { Cause, Effect, Either, Exit, Schema } from "effect";
+import { ArrayFormatter, TreeFormatter } from "effect/ParseResult";
+
+// src/storage/index.ts
+class RowStorageError extends Error {
+  code;
+  cause;
+  name = "RowStorageError";
+  constructor(code, message, cause) {
+    super(message);
+    this.code = code;
+    this.cause = cause;
+  }
+}
+
+class UniqueConstraintError extends Error {
+  table;
+  name = "UniqueConstraintError";
+  constructor(table, cause) {
+    super(`Unique constraint violated on table "${table}"`);
+    this.table = table;
+    if (cause != null)
+      this.cause = cause;
+  }
+}
+
+// src/runtime/services.ts
+var CONTEXT_KEY = "saacmsServices";
+var EMPTY_SERVICES = Object.freeze({});
+function collectServices(config) {
+  const merged = {};
+  for (const plugin of config.plugins ?? []) {
+    const services = plugin.services;
+    if (services == null) {
+      continue;
+    }
+    Object.assign(merged, services);
+  }
+  return Object.freeze(merged);
+}
+function getServices(c) {
+  const raw = c.get(CONTEXT_KEY);
+  return raw != null && typeof raw === "object" ? raw : EMPTY_SERVICES;
+}
+
+// src/observability/audit.ts
+var NO_OP_SINK = Object.freeze({ emit() {} });
+function recordAuditEvent(c, event) {
+  const sink = getServices(c).auditSink ?? NO_OP_SINK;
+  let result;
+  try {
+    result = sink.emit(event);
+  } catch (err) {
+    console.warn("[saacms/audit] sink threw synchronously (best-effort, not propagated):", err);
+    return;
+  }
+  if (result instanceof Promise) {
+    result.catch((err) => {
+      console.warn("[saacms/audit] sink rejected async (best-effort, not propagated):", err);
+    });
+  }
+}
+
+// src/runtime/cache.ts
+var inIsolateStore = new Map;
+var inIsolateTagIndex = new Map;
+function unindexKey(key, tags) {
+  for (const tag of tags) {
+    const keys = inIsolateTagIndex.get(tag);
+    if (keys == null)
+      continue;
+    keys.delete(key);
+    if (keys.size === 0)
+      inIsolateTagIndex.delete(tag);
+  }
+}
+var clock = () => Date.now();
+var inIsolateCache = {
+  async get(key) {
+    const cell = inIsolateStore.get(key);
+    if (cell == null)
+      return null;
+    if (cell.expiresAtMs != null && clock() >= cell.expiresAtMs) {
+      inIsolateStore.delete(key);
+      return null;
+    }
+    return cell.entry;
+  },
+  async put(key, value, opts) {
+    const tags = opts?.tags ?? [];
+    const ttl = opts?.expirationTtl;
+    const expiresAtMs = ttl != null && ttl > 0 ? clock() + ttl * 1000 : null;
+    const prev = inIsolateStore.get(key);
+    if (prev != null)
+      unindexKey(key, prev.entry.tags);
+    inIsolateStore.set(key, {
+      entry: { value, tags, storedAt: new Date(clock()).toISOString() },
+      expiresAtMs
+    });
+    for (const tag of tags) {
+      let keys = inIsolateTagIndex.get(tag);
+      if (keys == null) {
+        keys = new Set;
+        inIsolateTagIndex.set(tag, keys);
+      }
+      keys.add(key);
+    }
+  },
+  async purgeByTag(tag) {
+    const keys = inIsolateTagIndex.get(tag);
+    if (keys == null)
+      return { purgedKeys: 0 };
+    let purgedKeys = 0;
+    for (const key of [...keys]) {
+      const cell = inIsolateStore.get(key);
+      if (cell == null)
+        continue;
+      unindexKey(key, cell.entry.tags);
+      inIsolateStore.delete(key);
+      purgedKeys++;
+    }
+    inIsolateTagIndex.delete(tag);
+    return { purgedKeys };
+  }
+};
+function hasGetPut(x) {
+  return x != null && typeof x === "object" && typeof x.get === "function" && typeof x.put === "function";
+}
+function hasPurgeByTag(x) {
+  return typeof x.purgeByTag === "function";
+}
+var warnedNoPurge = false;
+function withNoopPurge(base) {
+  return {
+    get: (key) => base.get(key),
+    put: (key, value, opts) => base.put(key, value, opts),
+    async purgeByTag(_tag) {
+      if (!warnedNoPurge) {
+        warnedNoPurge = true;
+        console.warn("[saacms/cache] service has no purgeByTag; tag invalidation is a no-op");
+      }
+      return { purgedKeys: 0 };
+    }
+  };
+}
+function resolveCache(c) {
+  const candidate = getServices(c).cache;
+  if (!hasGetPut(candidate))
+    return inIsolateCache;
+  return hasPurgeByTag(candidate) ? candidate : withNoopPurge(candidate);
+}
+
+// src/runtime/boolean-columns.ts
+import { SchemaAST as AST } from "effect";
+function isNullKeyword(ast) {
+  return AST.isLiteral(ast) && ast.literal === null;
+}
+function resolveInner(signature) {
+  let t = signature.type;
+  if (AST.isUnion(t)) {
+    const nonNullish = t.types.filter((m) => !AST.isUndefinedKeyword(m) && !isNullKeyword(m));
+    if (nonNullish.length === 1) {
+      t = nonNullish[0];
+    }
+  }
+  while (AST.isRefinement(t)) {
+    t = t.from;
+  }
+  return t;
+}
+function booleanColumnNames(schema) {
+  const out = new Set;
+  const root = schema.ast;
+  if (!AST.isTypeLiteral(root))
+    return out;
+  for (const ps of root.propertySignatures) {
+    const name = String(ps.name);
+    if (name === "id" || name === "createdAt" || name === "updatedAt")
+      continue;
+    if (AST.isBooleanKeyword(resolveInner(ps)))
+      out.add(name);
+  }
+  return out;
+}
+function encodeBooleanColumns(schema, record) {
+  const cols = booleanColumnNames(schema);
+  if (cols.size === 0)
+    return record;
+  const out = { ...record };
+  for (const key of cols) {
+    if (!(key in out))
+      continue;
+    const v = out[key];
+    if (typeof v !== "boolean")
+      continue;
+    out[key] = v ? 1 : 0;
+  }
+  return out;
+}
+function decodeBooleanColumns(schema, record) {
+  const cols = booleanColumnNames(schema);
+  if (cols.size === 0)
+    return record;
+  const out = { ...record };
+  for (const key of cols) {
+    if (!(key in out))
+      continue;
+    const v = out[key];
+    if (typeof v === "number") {
+      if (v === 1)
+        out[key] = true;
+      else if (v === 0)
+        out[key] = false;
+    } else if (typeof v === "bigint") {
+      if (v === 1n)
+        out[key] = true;
+      else if (v === 0n)
+        out[key] = false;
+    }
+  }
+  return out;
+}
+
+// src/runtime/json-columns.ts
+import { SchemaAST as AST2 } from "effect";
+function isNullKeyword2(ast) {
+  return AST2.isLiteral(ast) && ast.literal === null;
+}
+function resolveInner2(signature) {
+  let t = signature.type;
+  if (AST2.isUnion(t)) {
+    const nonNullish = t.types.filter((m) => !AST2.isUndefinedKeyword(m) && !isNullKeyword2(m));
+    if (nonNullish.length === 1) {
+      t = nonNullish[0];
+    }
+  }
+  while (AST2.isRefinement(t)) {
+    t = t.from;
+  }
+  return t;
+}
+function isJsonColumnType(inner) {
+  return AST2.isTupleType(inner) || AST2.isTypeLiteral(inner) || AST2.isUnknownKeyword(inner) || AST2.isAnyKeyword(inner) || AST2.isObjectKeyword(inner);
+}
+function jsonColumnNames(schema) {
+  const out = new Set;
+  const root = schema.ast;
+  if (!AST2.isTypeLiteral(root))
+    return out;
+  for (const ps of root.propertySignatures) {
+    const name = String(ps.name);
+    if (name === "id" || name === "createdAt" || name === "updatedAt")
+      continue;
+    if (isJsonColumnType(resolveInner2(ps)))
+      out.add(name);
+  }
+  return out;
+}
+function encodeJsonColumns(schema, record) {
+  const cols = jsonColumnNames(schema);
+  if (cols.size === 0)
+    return record;
+  const out = { ...record };
+  for (const key of cols) {
+    if (!(key in out))
+      continue;
+    const v = out[key];
+    if (v === null || v === undefined || typeof v === "string")
+      continue;
+    out[key] = JSON.stringify(v);
+  }
+  return out;
+}
+function decodeJsonColumns(schema, record) {
+  const cols = jsonColumnNames(schema);
+  if (cols.size === 0)
+    return record;
+  const out = { ...record };
+  for (const key of cols) {
+    if (!(key in out))
+      continue;
+    const v = out[key];
+    if (typeof v !== "string")
+      continue;
+    try {
+      out[key] = JSON.parse(v);
+    } catch {}
+  }
+  return out;
+}
+
+// src/runtime/problem-details.ts
+var PROBLEM_TYPE_BASE = "https://saacms.dev/errors";
+function problemDetails(c, options) {
+  const body = {
+    type: `${PROBLEM_TYPE_BASE}/${options.code}`,
+    title: options.title,
+    status: options.status
+  };
+  if (options.detail !== undefined)
+    body.detail = options.detail;
+  if (options.instance !== undefined)
+    body.instance = options.instance;
+  if (options.extensions !== undefined) {
+    for (const [k, v] of Object.entries(options.extensions)) {
+      if (k in body)
+        continue;
+      body[k] = v;
+    }
+  }
+  return c.newResponse(JSON.stringify(body), options.status, {
+    "Content-Type": "application/problem+json"
+  });
+}
+
+// src/runtime/create-route.ts
+var CREATE_PATH = "/api/saacms/v1/:collection";
+var PATH_PREFIX = "/api/saacms/v1/";
+function mountCreateRoute(app, config) {
+  const collections = config.collections ?? [];
+  app.post(CREATE_PATH, async (c) => {
+    const slug = c.req.param("collection") ?? "";
+    const collection = collections.find((coll) => coll.slug === slug);
+    if (collection == null) {
+      return problemDetails(c, {
+        code: "collection-not-found",
+        title: "Collection not found",
+        status: 404,
+        detail: slug
+      });
+    }
+    const user = readUser(c);
+    const rows = config.storage?.rows;
+    if (rows == null) {
+      return problemDetails(c, {
+        code: "storage-unavailable",
+        title: "Row storage adapter not configured",
+        status: 503,
+        detail: "config.storage.rows is required to serve this endpoint"
+      });
+    }
+    if (!isJsonContentType(c.req.header("content-type"))) {
+      return problemDetails(c, {
+        code: "unsupported-media-type",
+        title: "Unsupported media type",
+        status: 415,
+        detail: "Content-Type must be application/json"
+      });
+    }
+    let parsedBody;
+    try {
+      parsedBody = await c.req.json();
+    } catch {
+      return problemDetails(c, {
+        code: "malformed-body",
+        title: "Malformed request body",
+        status: 400,
+        detail: "Request body is not valid JSON"
+      });
+    }
+    const decode = Schema.decodeUnknownEither(collection.schema);
+    const decoded = decode(parsedBody);
+    if (Either.isLeft(decoded)) {
+      const error = decoded.left;
+      return problemDetails(c, {
+        code: "invalid-body",
+        title: "Request body failed schema validation",
+        status: 422,
+        detail: TreeFormatter.formatErrorSync(error),
+        extensions: { issues: ArrayFormatter.formatErrorSync(error) }
+      });
+    }
+    const validatedBody = decoded.right;
+    let finalBody = validatedBody;
+    const beforeHooks = resolveHooksFor("beforeChange", {
+      collection,
+      plugins: config.plugins
+    });
+    if (beforeHooks.length > 0) {
+      const ctx = {
+        op: "create",
+        user,
+        data: validatedBody
+      };
+      const exit = await Effect.runPromiseExit(runHooks("beforeChange", ctx, beforeHooks));
+      if (Exit.isFailure(exit)) {
+        return problemDetails(c, {
+          code: "hook-rejected",
+          title: "Operation rejected by a lifecycle hook",
+          status: 422,
+          detail: hookRejectionDetail(exit.cause)
+        });
+      }
+      if (isHookObject(exit.value))
+        finalBody = exit.value;
+    }
+    const createPredicate = collection.access?.create;
+    if (createPredicate != null) {
+      const result = await createPredicate({ user, record: finalBody });
+      if (!allows(result, finalBody)) {
+        recordAuditEvent(c, {
+          op: "create",
+          collection: slug,
+          user,
+          decision: "denied",
+          reason: "access.create predicate denied",
+          at: new Date().toISOString()
+        });
+        return problemDetails(c, {
+          code: "forbidden",
+          title: "Forbidden",
+          status: 403,
+          detail: slug
+        });
+      }
+      recordAuditEvent(c, {
+        op: "create",
+        collection: slug,
+        user,
+        decision: "granted",
+        at: new Date().toISOString()
+      });
+    }
+    let newId;
+    try {
+      const storageBody = encodeJsonColumns(collection.schema, encodeBooleanColumns(collection.schema, finalBody));
+      const result = await rows.insert(slugToTableName(collection.slug), storageBody);
+      newId = result.id;
+    } catch (err) {
+      if (err instanceof UniqueConstraintError) {
+        return problemDetails(c, {
+          code: "unique-constraint-violated",
+          title: "Unique constraint violated",
+          status: 409,
+          detail: "A record with the same value(s) for the unique fields already exists."
+        });
+      }
+      throw err;
+    }
+    const afterHooks = resolveHooksFor("afterChange", {
+      collection,
+      plugins: config.plugins
+    });
+    if (afterHooks.length > 0) {
+      const ctx = {
+        op: "create",
+        user,
+        record: { ...finalBody, id: newId }
+      };
+      const exit = await Effect.runPromiseExit(runHooks("afterChange", ctx, afterHooks));
+      if (Exit.isFailure(exit)) {
+        console.warn("[saacms/hooks] afterChange (create) failOnError hook failed");
+      }
+    }
+    const collectionTag = `saacms:collection:${collection.slug}`;
+    try {
+      await resolveCache(c).purgeByTag(collectionTag);
+    } catch (err) {
+      console.warn(`[saacms/cache] purge failed for tag ${collectionTag}:`, err);
+    }
+    const href = `${PATH_PREFIX}${collection.slug}/${newId}`;
+    const envelope = {
+      data: { ...finalBody, id: newId },
+      _links: {
+        self: { href },
+        collection: { href: `${PATH_PREFIX}${collection.slug}` }
+      }
+    };
+    return c.json(envelope, 201, {
+      "Content-Type": "application/json",
+      "Cache-Control": "no-store",
+      Location: href
+    });
+  });
+}
+function readUser(c) {
+  const raw = c.get("user");
+  return raw != null && typeof raw === "object" ? raw : null;
+}
+function isJsonContentType(header) {
+  if (header == null)
+    return false;
+  const semi = header.indexOf(";");
+  const mediaType = (semi === -1 ? header : header.slice(0, semi)).trim().toLowerCase();
+  return mediaType === "application/json";
+}
+function allows(result, record) {
+  if (typeof result === "boolean")
+    return result;
+  const where = result.where;
+  for (const [key, value] of Object.entries(where)) {
+    if (record[key] !== value)
+      return false;
+  }
+  return true;
+}
+function isHookObject(value) {
+  return typeof value === "object" && value !== null;
+}
+function hookRejectionDetail(cause) {
+  const err = Cause.squash(cause);
+  if (err instanceof Error)
+    return err.message;
+  if (typeof err === "string")
+    return err;
+  try {
+    return JSON.stringify(err);
+  } catch {
+    return String(err);
+  }
+}
+
+// src/runtime/delete-route.ts
+import { Cause as Cause2, Effect as Effect2, Exit as Exit2 } from "effect";
+var DELETE_PATH = "/api/saacms/v1/:collection/:id";
+function mountDeleteRoute(app, config) {
+  const collections = config.collections ?? [];
+  app.delete(DELETE_PATH, async (c) => {
+    const slug = c.req.param("collection") ?? "";
+    const recordId = c.req.param("id") ?? "";
+    const collection = collections.find((coll) => coll.slug === slug);
+    if (collection == null) {
+      return problemDetails(c, {
+        code: "collection-not-found",
+        title: "Collection not found",
+        status: 404,
+        detail: slug
+      });
+    }
+    const rows = config.storage?.rows;
+    if (rows == null) {
+      return problemDetails(c, {
+        code: "storage-unavailable",
+        title: "Row storage not configured",
+        status: 503,
+        detail: "config.storage.rows is required to serve this endpoint"
+      });
+    }
+    const user = readUser2(c);
+    const ifMatch = c.req.header("if-match");
+    const table = slugToTableName(collection.slug);
+    const rawRecord = await rows.getById(table, recordId);
+    const record = rawRecord == null ? null : decodeBooleanColumns(collection.schema, decodeJsonColumns(collection.schema, rawRecord));
+    if (record == null) {
+      if (ifMatch != null) {
+        return problemDetails(c, {
+          code: "precondition-failed",
+          title: "Precondition failed",
+          status: 412,
+          detail: `${slug}/${recordId}`
+        });
+      }
+      return new Response(null, {
+        status: 204,
+        headers: { "Cache-Control": "no-store" }
+      });
+    }
+    if (ifMatch != null) {
+      const etag = computeWeakEtag(slug, recordId, record);
+      if (etag == null || ifMatch !== etag) {
+        return problemDetails(c, {
+          code: "precondition-failed",
+          title: "Precondition failed",
+          status: 412,
+          detail: `${slug}/${recordId}`
+        });
+      }
+    }
+    const deletePredicate = collection.access?.delete;
+    if (deletePredicate != null) {
+      const result = await deletePredicate({ user, record });
+      if (!allows2(result, record)) {
+        recordAuditEvent(c, {
+          op: "delete",
+          collection: slug,
+          user,
+          decision: "denied",
+          reason: "access.delete predicate denied",
+          recordId,
+          at: new Date().toISOString()
+        });
+        return problemDetails(c, {
+          code: "forbidden",
+          title: "Forbidden",
+          status: 403,
+          detail: `${slug}/${recordId}`
+        });
+      }
+      recordAuditEvent(c, {
+        op: "delete",
+        collection: slug,
+        user,
+        decision: "granted",
+        recordId,
+        at: new Date().toISOString()
+      });
+    }
+    const beforeHooks = resolveHooksFor("beforeDelete", {
+      collection,
+      plugins: config.plugins
+    });
+    if (beforeHooks.length > 0) {
+      const ctx = {
+        op: "delete",
+        user,
+        record
+      };
+      const exit = await Effect2.runPromiseExit(runHooks("beforeDelete", ctx, beforeHooks));
+      if (Exit2.isFailure(exit)) {
+        return problemDetails(c, {
+          code: "hook-rejected",
+          title: "Operation rejected by a lifecycle hook",
+          status: 409,
+          detail: hookRejectionDetail2(exit.cause)
+        });
+      }
+    }
+    await rows.delete(table, recordId);
+    const afterHooks = resolveHooksFor("afterDelete", {
+      collection,
+      plugins: config.plugins
+    });
+    if (afterHooks.length > 0) {
+      const ctx = {
+        op: "delete",
+        user,
+        record
+      };
+      const exit = await Effect2.runPromiseExit(runHooks("afterDelete", ctx, afterHooks));
+      if (Exit2.isFailure(exit)) {
+        console.warn("[saacms/hooks] afterDelete (delete) failOnError hook failed");
+      }
+    }
+    const cache = resolveCache(c);
+    for (const tag of [
+      `saacms:record:${slug}:${recordId}`,
+      `saacms:collection:${slug}`
+    ]) {
+      try {
+        await cache.purgeByTag(tag);
+      } catch (err) {
+        console.warn(`[saacms/cache] purge failed for tag ${tag}:`, err);
+      }
+    }
+    return new Response(null, {
+      status: 204,
+      headers: { "Cache-Control": "no-store" }
+    });
+  });
+}
+function readUser2(c) {
+  const raw = c.get("user");
+  return raw != null && typeof raw === "object" ? raw : null;
+}
+function allows2(result, record) {
+  if (typeof result === "boolean")
+    return result;
+  for (const [key, value] of Object.entries(result.where)) {
+    if (record[key] !== value)
+      return false;
+  }
+  return true;
+}
+function hookRejectionDetail2(cause) {
+  const err = Cause2.squash(cause);
+  if (err instanceof Error)
+    return err.message;
+  if (typeof err === "string")
+    return err;
+  try {
+    return JSON.stringify(err);
+  } catch {
+    return String(err);
+  }
+}
+function computeWeakEtag(slug, recordId, record) {
+  const updatedAt = record["updatedAt"];
+  if (typeof updatedAt !== "string" || updatedAt.length === 0)
+    return null;
+  return `W/"${slug}:${recordId}:${updatedAt}"`;
+}
+
+// src/runtime/drafts-route.ts
+import { Effect as Effect3, Exit as Exit3 } from "effect";
+var DRAFTS_TABLE = "saacms_drafts";
+var BASE_HREF = "/api/saacms/v1/drafts";
+var PATH = `${BASE_HREF}/:pageId`;
+function mountDraftsRoute(app, config) {
+  app.get(PATH, async (c) => {
+    const rows = config.storage?.rows;
+    if (rows == null)
+      return storageUnavailable(c);
+    const pageId = c.req.param("pageId") ?? "";
+    const user = readUser3(c);
+    if (user == null)
+      return notFound(c, pageId);
+    const record = await rows.getById(DRAFTS_TABLE, pageId);
+    if (record == null)
+      return notFound(c, pageId);
+    const etag = computeWeakEtag2(pageId, record.updatedAt);
+    if (etag != null) {
+      const ifNoneMatch = c.req.header("if-none-match");
+      if (ifNoneMatch != null && ifNoneMatch === etag) {
+        return new Response(null, {
+          status: 304,
+          headers: { ETag: etag, "Cache-Control": "no-store" }
+        });
+      }
+    }
+    const envelope = {
+      data: toView(pageId, record),
+      _links: { self: { href: `${BASE_HREF}/${pageId}` } }
+    };
+    const headers = {
+      "Content-Type": "application/json",
+      "Cache-Control": "no-store"
+    };
+    if (etag != null)
+      headers["ETag"] = etag;
+    return c.newResponse(JSON.stringify(envelope), 200, headers);
+  });
+  app.put(PATH, async (c) => {
+    const rows = config.storage?.rows;
+    if (rows == null)
+      return storageUnavailable(c);
+    const user = readUser3(c);
+    if (user == null)
+      return forbidden(c);
+    if (!isJsonContentType2(c.req.header("content-type"))) {
+      return problemDetails(c, {
+        code: "unsupported-media-type",
+        title: "Unsupported media type",
+        status: 415,
+        detail: "Content-Type must be application/json"
+      });
+    }
+    let parsedBody;
+    try {
+      parsedBody = await c.req.json();
+    } catch {
+      return invalidBody(c, [
+        { path: [], message: "Request body is not valid JSON" }
+      ]);
+    }
+    const issues = validateTree(parsedBody);
+    if (issues.length > 0)
+      return invalidBody(c, issues);
+    const tree = parsedBody;
+    const pageId = c.req.param("pageId") ?? "";
+    const existing = await rows.getById(DRAFTS_TABLE, pageId);
+    const ifMatch = c.req.header("if-match");
+    if (ifMatch != null) {
+      if (existing == null)
+        return preconditionFailed(c, pageId);
+      const currentEtag = computeWeakEtag2(pageId, existing.updatedAt);
+      if (currentEtag == null || currentEtag !== ifMatch) {
+        return preconditionFailed(c, pageId);
+      }
+    }
+    const now = new Date().toISOString();
+    const serialized = JSON.stringify(tree);
+    const created = existing == null;
+    if (created) {
+      await rows.insert(DRAFTS_TABLE, {
+        id: pageId,
+        tree: serialized,
+        createdBy: user.id ?? null,
+        createdAt: now,
+        updatedAt: now
+      });
+    } else {
+      await rows.update(DRAFTS_TABLE, pageId, {
+        tree: serialized,
+        updatedAt: now
+      });
+    }
+    const stored = await rows.getById(DRAFTS_TABLE, pageId);
+    if (stored == null)
+      return notFound(c, pageId);
+    await runAfterHook("afterChange", created ? "create" : "update", user, stored, config);
+    const etag = computeWeakEtag2(pageId, stored.updatedAt);
+    const href = `${BASE_HREF}/${pageId}`;
+    const envelope = {
+      data: toView(pageId, stored),
+      _links: { self: { href } }
+    };
+    const headers = {
+      "Content-Type": "application/json",
+      "Cache-Control": "no-store"
+    };
+    if (etag != null)
+      headers["ETag"] = etag;
+    if (created)
+      headers["Location"] = href;
+    return c.newResponse(JSON.stringify(envelope), created ? 201 : 200, headers);
+  });
+  app.delete(PATH, async (c) => {
+    const rows = config.storage?.rows;
+    if (rows == null)
+      return storageUnavailable(c);
+    const user = readUser3(c);
+    if (user == null)
+      return forbidden(c);
+    const pageId = c.req.param("pageId") ?? "";
+    const ifMatch = c.req.header("if-match");
+    const record = await rows.getById(DRAFTS_TABLE, pageId);
+    if (record == null) {
+      if (ifMatch != null)
+        return preconditionFailed(c, pageId);
+      return new Response(null, {
+        status: 204,
+        headers: { "Cache-Control": "no-store" }
+      });
+    }
+    if (ifMatch != null) {
+      const etag = computeWeakEtag2(pageId, record.updatedAt);
+      if (etag == null || ifMatch !== etag) {
+        return preconditionFailed(c, pageId);
+      }
+    }
+    await rows.delete(DRAFTS_TABLE, pageId);
+    await runAfterHook("afterDelete", "delete", user, record, config);
+    return new Response(null, {
+      status: 204,
+      headers: { "Cache-Control": "no-store" }
+    });
+  });
+}
+function readUser3(c) {
+  const raw = c.get("user");
+  return raw != null && typeof raw === "object" ? raw : null;
+}
+function toView(pageId, row) {
+  let tree = row.tree;
+  if (typeof row.tree === "string") {
+    try {
+      tree = JSON.parse(row.tree);
+    } catch {
+      tree = row.tree;
+    }
+  }
+  return {
+    pageId,
+    tree,
+    createdBy: row.createdBy ?? null,
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt
+  };
+}
+function storageUnavailable(c) {
+  return problemDetails(c, {
+    code: "storage-unavailable",
+    title: "Row storage not configured",
+    status: 503,
+    detail: "config.storage.rows is required to serve this endpoint"
+  });
+}
+function forbidden(c) {
+  return problemDetails(c, {
+    code: "forbidden",
+    title: "Forbidden",
+    status: 403,
+    detail: "A logged-in editor is required to modify Drafts"
+  });
+}
+function notFound(c, pageId) {
+  return problemDetails(c, {
+    code: "draft-not-found",
+    title: "Draft not found",
+    status: 404,
+    detail: `${DRAFTS_TABLE}/${pageId}`
+  });
+}
+function preconditionFailed(c, pageId) {
+  return problemDetails(c, {
+    code: "precondition-failed",
+    title: "Precondition failed",
+    status: 412,
+    detail: `${DRAFTS_TABLE}/${pageId}`
+  });
+}
+function invalidBody(c, issues) {
+  return problemDetails(c, {
+    code: "invalid-body",
+    title: "Request body failed validation",
+    status: 422,
+    detail: issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; "),
+    extensions: { issues }
+  });
+}
+function validateTree(body) {
+  if (typeof body !== "object" || body === null || Array.isArray(body)) {
+    return [{ path: [], message: "Draft tree must be a JSON object" }];
+  }
+  const obj = body;
+  if (!Array.isArray(obj["nodes"])) {
+    return [{ path: ["nodes"], message: "nodes is required and must be an array" }];
+  }
+  return [];
+}
+function computeWeakEtag2(pageId, updatedAt) {
+  if (typeof updatedAt !== "string" || updatedAt.length === 0)
+    return null;
+  return `W/"${DRAFTS_TABLE}:${pageId}:${updatedAt}"`;
+}
+async function runAfterHook(moment, op, user, record, config) {
+  const hooks = resolveHooksFor(moment, { plugins: config.plugins });
+  if (hooks.length === 0)
+    return;
+  const ctx = {
+    op,
+    user,
+    record
+  };
+  const exit = await Effect3.runPromiseExit(runHooks(moment, ctx, hooks));
+  if (Exit3.isFailure(exit)) {
+    console.warn(`[saacms/hooks] ${moment} (${op}) failOnError hook failed`);
+  }
+}
+function isJsonContentType2(header) {
+  if (header == null)
+    return false;
+  const semi = header.indexOf(";");
+  const mediaType = (semi === -1 ? header : header.slice(0, semi)).trim().toLowerCase();
+  return mediaType === "application/json";
+}
+// package.json
+var package_default = {
+  name: "@saacms/core",
+  version: "0.1.6",
+  type: "module",
+  exports: {
+    ".": "./src/index.ts",
+    "./schema": "./src/schema/index.ts",
+    "./access": "./src/access/index.ts",
+    "./hooks": "./src/hooks/index.ts",
+    "./runtime": "./src/runtime/index.ts",
+    "./signals": "./src/signals/index.ts",
+    "./types": "./src/types/index.ts",
+    "./codegen": "./src/codegen/index.ts"
+  },
+  files: [
+    "dist",
+    "README.md"
+  ],
+  scripts: {
+    build: "tsc --build",
+    typecheck: "tsc --build --noEmit",
+    prepack: "cp package.json package.json.pack-bak && bun run ../../scripts/prepack-pkg.ts",
+    postpack: "mv package.json.pack-bak package.json"
+  },
+  publishConfig: {
+    access: "public"
+  },
+  dependencies: {
+    "@preact/signals-core": "^1.8.0",
+    "drizzle-orm": "^0.36.0",
+    effect: "^3.10.0",
+    hono: "^4.6.0"
+  },
+  devDependencies: {
+    "@types/bun": "latest",
+    typescript: "^5.7.0"
+  }
+};
+
+// src/runtime/health-route.ts
+var HEALTH_PATH = "/api/saacms/v1/health";
+var VERSION = package_default.version;
+var BOOT_MS = Date.now();
+function mountHealthRoute(app, _config) {
+  app.get(HEALTH_PATH, (c) => c.json({
+    status: "ok",
+    version: VERSION,
+    ts: new Date().toISOString(),
+    uptimeMs: Date.now() - BOOT_MS
+  }, 200, { "Cache-Control": "no-store" }));
+}
+
+// src/runtime/list-route.ts
+import { Cause as Cause3, Effect as Effect4, Exit as Exit4 } from "effect";
+var LIST_PATH = "/api/saacms/v1/:collection";
+var PATH_PREFIX2 = "/api/saacms/v1/";
+var DEFAULT_LIMIT = 50;
+var MAX_LIMIT = 1000;
+function parseListQuery(params) {
+  const rawLimit = params.get("limit");
+  let limit = DEFAULT_LIMIT;
+  if (rawLimit != null) {
+    const parsed = Number.parseInt(rawLimit, 10);
+    if (Number.isFinite(parsed) && parsed > 0) {
+      limit = Math.min(parsed, MAX_LIMIT);
+    }
+  }
+  const cursor = params.get("cursor");
+  const orderBy = params.getAll("sort").map((raw) => {
+    if (raw.startsWith("-")) {
+      return { col: raw.slice(1), dir: "desc" };
+    }
+    return { col: raw, dir: "asc" };
+  });
+  const FILTER_OP_SET = new Set(["eq", "ne", "gt", "gte", "lt", "lte"]);
+  const filterWhere = {};
+  for (const [key, value] of params.entries()) {
+    const m = /^filter\[(.+)\]$/.exec(key);
+    if (m == null || m[1] == null)
+      continue;
+    const inner = m[1];
+    const dotIdx = inner.lastIndexOf(".");
+    if (dotIdx > 0) {
+      const col = inner.slice(0, dotIdx);
+      const op = inner.slice(dotIdx + 1);
+      if (FILTER_OP_SET.has(op)) {
+        filterWhere[col] = { op, value };
+        continue;
+      }
+    }
+    filterWhere[inner] = value;
+  }
+  return { limit, cursor, orderBy, filterWhere };
+}
+function readUser4(c) {
+  const raw = c.get("user");
+  return raw != null && typeof raw === "object" ? raw : null;
+}
+function buildSelfHref(slug, params) {
+  const qs = params.toString();
+  return qs.length > 0 ? `${PATH_PREFIX2}${slug}?${qs}` : `${PATH_PREFIX2}${slug}`;
+}
+function buildNextHref(slug, params, nextCursor) {
+  const cloned = new URLSearchParams(params);
+  cloned.set("cursor", nextCursor);
+  return `${PATH_PREFIX2}${slug}?${cloned.toString()}`;
+}
+function sortedSearchParamsString(params) {
+  const entries = [...params.entries()].sort((a, b) => {
+    if (a[0] !== b[0])
+      return a[0] < b[0] ? -1 : 1;
+    if (a[1] !== b[1])
+      return a[1] < b[1] ? -1 : 1;
+    return 0;
+  });
+  return entries.map(([k, v]) => `${k}=${v}`).join("&");
+}
+function mountListRoute(app, config) {
+  const collections = config.collections ?? [];
+  app.get(LIST_PATH, async (c) => {
+    const slug = c.req.param("collection");
+    const collection = slug != null ? collections.find((coll) => coll.slug === slug) : undefined;
+    if (collection == null) {
+      return problemDetails(c, {
+        code: "collection-not-found",
+        title: "Collection not found",
+        status: 404,
+        detail: slug ?? ""
+      });
+    }
+    const user = readUser4(c);
+    const readPredicate = collection.access?.read;
+    let scopedWhere = null;
+    if (readPredicate != null) {
+      const result = await readPredicate({ user });
+      if (result === false) {
+        recordAuditEvent(c, {
+          op: "list",
+          collection: slug ?? "",
+          user,
+          decision: "denied",
+          reason: "collection-level read predicate denied",
+          at: new Date().toISOString()
+        });
+        return problemDetails(c, {
+          code: "collection-not-found",
+          title: "Collection not found",
+          status: 404,
+          detail: slug ?? ""
+        });
+      }
+      if (result !== true && typeof result === "object") {
+        scopedWhere = result.where;
+      }
+      recordAuditEvent(c, {
+        op: "list",
+        collection: slug ?? "",
+        user,
+        decision: "granted",
+        at: new Date().toISOString()
+      });
+    }
+    const rows = config.storage?.rows;
+    if (rows == null) {
+      return problemDetails(c, {
+        code: "storage-unavailable",
+        title: "Row storage adapter not configured",
+        status: 503
+      });
+    }
+    const url = new URL(c.req.url);
+    const parsed = parseListQuery(url.searchParams);
+    const where = {
+      ...scopedWhere ?? {},
+      ...parsed.filterWhere
+    };
+    const hasWhere = Object.keys(where).length > 0;
+    const beforeHooks = resolveHooksFor("beforeRead", {
+      collection,
+      plugins: config.plugins
+    });
+    if (beforeHooks.length > 0) {
+      const ctx = { op: "read", user };
+      const exit = await Effect4.runPromiseExit(runHooks("beforeRead", ctx, beforeHooks));
+      if (Exit4.isFailure(exit)) {
+        return problemDetails(c, {
+          code: "hook-rejected",
+          title: "Read rejected by a lifecycle hook",
+          status: 403,
+          detail: hookRejectionDetail3(exit.cause)
+        });
+      }
+    }
+    const cacheKey = `saacms:collection:${collection.slug}:list:${sortedSearchParamsString(url.searchParams)}`;
+    const cache = resolveCache(c);
+    const hit = await cache.get(cacheKey);
+    let listResult;
+    if (hit != null) {
+      listResult = hit.value;
+    } else {
+      listResult = await rows.list(slugToTableName(collection.slug), {
+        limit: parsed.limit,
+        ...parsed.cursor != null ? { cursor: parsed.cursor } : {},
+        ...hasWhere ? { where } : {},
+        ...parsed.orderBy.length > 0 ? { orderBy: parsed.orderBy } : {}
+      });
+      await cache.put(cacheKey, listResult, {
+        tags: [`saacms:collection:${collection.slug}`],
+        expirationTtl: 15
+      });
+    }
+    const decodedRows = listResult.rows.map((r) => decodeBooleanColumns(collection.schema, decodeJsonColumns(collection.schema, r)));
+    let outgoing = decodedRows;
+    const afterHooks = resolveHooksFor("afterRead", {
+      collection,
+      plugins: config.plugins
+    });
+    if (afterHooks.length > 0) {
+      const ctx = {
+        op: "read",
+        user,
+        record: decodedRows
+      };
+      const exit = await Effect4.runPromiseExit(runAfterRead(ctx, afterHooks));
+      if (Exit4.isFailure(exit)) {
+        console.warn("[saacms/hooks] afterRead failOnError hook failed");
+      } else if (Array.isArray(exit.value)) {
+        outgoing = exit.value;
+      }
+    }
+    const selfHref = buildSelfHref(collection.slug, url.searchParams);
+    const nextHref = listResult.nextCursor != null ? buildNextHref(collection.slug, url.searchParams, listResult.nextCursor) : null;
+    const body = {
+      data: outgoing,
+      _links: {
+        self: { href: selfHref },
+        next: nextHref != null ? { href: nextHref } : null
+      },
+      _meta: {
+        limit: parsed.limit,
+        cursor: parsed.cursor
+      }
+    };
+    return c.newResponse(JSON.stringify(body), 200, {
+      "Content-Type": "application/json",
+      "Cache-Control": "private, max-age=15",
+      Vary: "Authorization"
+    });
+  });
+}
+function runAfterRead(ctx, hooks) {
+  return hooks.reduce((acc, hook) => Effect4.flatMap(acc, (prev) => {
+    const ran = hook.fn(ctx);
+    const guarded = hook.options?.failOnError === true ? ran : Effect4.catchAll(ran, (err) => Effect4.sync(() => {
+      console.warn("[saacms/hooks] afterRead hook failed:", err);
+      return prev;
+    }));
+    return Effect4.map(guarded, (out) => isHookObject2(out) ? out : prev);
+  }), Effect4.succeed(ctx.record));
+}
+function isHookObject2(value) {
+  return typeof value === "object" && value !== null;
+}
+function hookRejectionDetail3(cause) {
+  const err = Cause3.squash(cause);
+  if (err instanceof Error)
+    return err.message;
+  if (typeof err === "string")
+    return err;
+  try {
+    return JSON.stringify(err);
+  } catch {
+    return String(err);
+  }
+}
+
+// src/runtime/openapi-route.ts
+var OPENAPI_PATH = "/api/saacms/v1/openapi.json";
+var SECURITY_SCHEMES = {
+  cookieAuth: {
+    type: "apiKey",
+    in: "cookie",
+    name: "better-auth.session_token",
+    description: "Better Auth session cookie set by the host adapter's sign-in flow. Per ADR 0008."
+  },
+  bearerAuth: {
+    type: "http",
+    scheme: "bearer",
+    bearerFormat: "JWT",
+    description: "JWT bearer token (`Authorization: Bearer ...`) for non-browser clients. Per ADR 0008."
+  }
+};
+function mountOpenApiRoute(app, config) {
+  const collections = config.collections ?? [];
+  app.get(OPENAPI_PATH, async (c) => {
+    const raw = c.get("user");
+    const user = raw != null && typeof raw === "object" ? raw : null;
+    const headers = {
+      "Cache-Control": "private, max-age=60",
+      Vary: "Authorization"
+    };
+    const role = user?.role ?? "anon";
+    const cacheKey = `saacms:openapi:role:${role}`;
+    const cache = resolveCache(c);
+    const cached = await cache.get(cacheKey);
+    if (cached != null) {
+      return c.json(cached.value, 200, headers);
+    }
+    const assembled = assembleSpec(collections);
+    const filtered = await filterOpenApiForUser({
+      spec: assembled,
+      collections,
+      user
+    });
+    const doc = {
+      openapi: "3.1.0",
+      info: {
+        title: config.title ?? "saacms",
+        version: config.version ?? "0.0.0",
+        ...config.description != null ? { description: config.description } : {}
+      },
+      servers: [{ url: "/api/saacms/v1" }],
+      paths: filtered.paths,
+      components: {
+        schemas: filtered.components.schemas,
+        securitySchemes: SECURITY_SCHEMES
+      }
+    };
+    await cache.put(cacheKey, doc, {
+      tags: ["saacms:openapi", `saacms:openapi:role:${role}`],
+      expirationTtl: 60
+    });
+    return c.json(doc, 200, headers);
+  });
+}
+function assembleSpec(collections) {
+  const specs = collections.map((c) => collectionToOpenApiPaths(c));
+  return mergeOpenApiSpecs(specs);
+}
+function mergeOpenApiSpecs(specs) {
+  const paths = {};
+  const schemas = {};
+  for (const spec of specs) {
+    for (const [p, item] of Object.entries(spec.paths)) {
+      if (p in paths) {
+        throw new Error(`mergeOpenApiSpecs: duplicate path "${p}" — two Collections share a slug`);
+      }
+      paths[p] = item;
+    }
+    for (const [name, schema] of Object.entries(spec.components.schemas)) {
+      if (name === "ProblemDetails") {
+        schemas[name] = schema;
+        continue;
+      }
+      if (name in schemas) {
+        throw new Error(`mergeOpenApiSpecs: duplicate components.schemas key "${name}" — two Collections share a PascalCase identity`);
+      }
+      schemas[name] = schema;
+    }
+  }
+  return { paths, components: { schemas } };
+}
+
+// src/runtime/pattern-route.ts
+import { Effect as Effect5, Exit as Exit5 } from "effect";
+var PATTERN_TABLE = "saacms_patterns";
+var BASE_HREF2 = "/api/saacms/v1/patterns";
+var LIST_CACHE_KEY = "saacms:patterns:list";
+var LIST_CACHE_TAG = "saacms:patterns";
+var LIST_TTL = 30;
+var RECORD_TTL = 30;
+var NAME_MAX = 120;
+var DEFAULT_LIMIT2 = 50;
+var MAX_LIMIT2 = 200;
+var CACHE_CONTROL_READ = "private, max-age=30";
+var VARY = "Authorization";
+function mountPatternRoute(app, config) {
+  app.get(BASE_HREF2, async (c) => {
+    const rows = config.storage?.rows;
+    if (rows == null)
+      return storageUnavailable2(c);
+    const url = new URL(c.req.url);
+    const limit = parseLimit(url.searchParams.get("limit"));
+    const cache = resolveCache(c);
+    const hit = await cache.get(LIST_CACHE_KEY);
+    let data;
+    if (hit != null) {
+      data = hit.value;
+    } else {
+      const result = await rows.list(PATTERN_TABLE, { limit });
+      data = result.rows;
+      await cache.put(LIST_CACHE_KEY, data, {
+        tags: [LIST_CACHE_TAG],
+        expirationTtl: LIST_TTL
+      });
+    }
+    const body = {
+      data,
+      _links: { self: { href: BASE_HREF2 } },
+      _meta: { count: data.length }
+    };
+    return c.newResponse(JSON.stringify(body), 200, {
+      "Content-Type": "application/json",
+      "Cache-Control": CACHE_CONTROL_READ,
+      Vary: VARY
+    });
+  });
+  app.post(BASE_HREF2, async (c) => {
+    const rows = config.storage?.rows;
+    if (rows == null)
+      return storageUnavailable2(c);
+    const user = readUser5(c);
+    if (user == null)
+      return forbidden2(c);
+    if (!isJsonContentType3(c.req.header("content-type"))) {
+      return problemDetails(c, {
+        code: "unsupported-media-type",
+        title: "Unsupported media type",
+        status: 415,
+        detail: "Content-Type must be application/json"
+      });
+    }
+    let parsedBody;
+    try {
+      parsedBody = await c.req.json();
+    } catch {
+      return problemDetails(c, {
+        code: "malformed-body",
+        title: "Malformed request body",
+        status: 400,
+        detail: "Request body is not valid JSON"
+      });
+    }
+    const issues = validatePatternInput(parsedBody);
+    if (issues.length > 0) {
+      return problemDetails(c, {
+        code: "invalid-body",
+        title: "Request body failed validation",
+        status: 422,
+        detail: issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; "),
+        extensions: { issues }
+      });
+    }
+    const input = parsedBody;
+    const now = new Date().toISOString();
+    const record = {
+      id: `pat_${crypto.randomUUID()}`,
+      name: input.name,
+      tree: input.tree,
+      createdBy: user.id ?? null,
+      createdAt: now,
+      updatedAt: now
+    };
+    await rows.insert(PATTERN_TABLE, record);
+    await runAfterHook2("afterChange", "create", user, record, config);
+    await purgeTags(c, [LIST_CACHE_TAG]);
+    const href = `${BASE_HREF2}/${record.id}`;
+    const envelope = {
+      data: record,
+      _links: { self: { href }, collection: { href: BASE_HREF2 } }
+    };
+    return c.newResponse(JSON.stringify(envelope), 201, {
+      "Content-Type": "application/json",
+      "Cache-Control": "no-store",
+      Location: href
+    });
+  });
+  app.get(`${BASE_HREF2}/:id`, async (c) => {
+    const rows = config.storage?.rows;
+    if (rows == null)
+      return storageUnavailable2(c);
+    const recordId = c.req.param("id") ?? "";
+    const cacheKey = recordCacheKey(recordId);
+    const cache = resolveCache(c);
+    const hit = await cache.get(cacheKey);
+    const record = hit != null ? hit.value : await rows.getById(PATTERN_TABLE, recordId);
+    if (record == null) {
+      return problemDetails(c, {
+        code: "record-not-found",
+        title: "Record not found",
+        status: 404,
+        detail: `${PATTERN_TABLE}/${recordId}`
+      });
+    }
+    if (hit == null) {
+      await cache.put(cacheKey, record, {
+        tags: [cacheKey, LIST_CACHE_TAG],
+        expirationTtl: RECORD_TTL
+      });
+    }
+    const etag = computeWeakEtag3(recordId, record);
+    if (etag != null) {
+      const ifNoneMatch = c.req.header("if-none-match");
+      if (ifNoneMatch != null && ifNoneMatch === etag) {
+        return new Response(null, {
+          status: 304,
+          headers: {
+            ETag: etag,
+            "Cache-Control": CACHE_CONTROL_READ,
+            Vary: VARY
+          }
+        });
+      }
+    }
+    const envelope = {
+      data: record,
+      _links: {
+        self: { href: `${BASE_HREF2}/${recordId}` },
+        collection: { href: BASE_HREF2 }
+      }
+    };
+    const headers = {
+      "Content-Type": "application/json",
+      "Cache-Control": CACHE_CONTROL_READ,
+      Vary: VARY
+    };
+    if (etag != null)
+      headers["ETag"] = etag;
+    return c.newResponse(JSON.stringify(envelope), 200, headers);
+  });
+  app.delete(`${BASE_HREF2}/:id`, async (c) => {
+    const rows = config.storage?.rows;
+    if (rows == null)
+      return storageUnavailable2(c);
+    const user = readUser5(c);
+    if (user == null)
+      return forbidden2(c);
+    const recordId = c.req.param("id") ?? "";
+    const ifMatch = c.req.header("if-match");
+    const record = await rows.getById(PATTERN_TABLE, recordId);
+    if (record == null) {
+      if (ifMatch != null) {
+        return problemDetails(c, {
+          code: "precondition-failed",
+          title: "Precondition failed",
+          status: 412,
+          detail: `${PATTERN_TABLE}/${recordId}`
+        });
+      }
+      return new Response(null, {
+        status: 204,
+        headers: { "Cache-Control": "no-store" }
+      });
+    }
+    if (ifMatch != null) {
+      const etag = computeWeakEtag3(recordId, record);
+      if (etag == null || ifMatch !== etag) {
+        return problemDetails(c, {
+          code: "precondition-failed",
+          title: "Precondition failed",
+          status: 412,
+          detail: `${PATTERN_TABLE}/${recordId}`
+        });
+      }
+    }
+    await rows.delete(PATTERN_TABLE, recordId);
+    await runAfterHook2("afterDelete", "delete", user, record, config);
+    await purgeTags(c, [recordCacheKey(recordId), LIST_CACHE_TAG]);
+    return new Response(null, {
+      status: 204,
+      headers: { "Cache-Control": "no-store" }
+    });
+  });
+}
+function readUser5(c) {
+  const raw = c.get("user");
+  return raw != null && typeof raw === "object" ? raw : null;
+}
+function storageUnavailable2(c) {
+  return problemDetails(c, {
+    code: "storage-unavailable",
+    title: "Row storage not configured",
+    status: 503,
+    detail: "config.storage.rows is required to serve this endpoint"
+  });
+}
+function forbidden2(c) {
+  return problemDetails(c, {
+    code: "forbidden",
+    title: "Forbidden",
+    status: 403,
+    detail: "A logged-in editor is required to modify Patterns"
+  });
+}
+function recordCacheKey(recordId) {
+  return `saacms:record:${PATTERN_TABLE}:${recordId}`;
+}
+function parseLimit(raw) {
+  if (raw == null)
+    return DEFAULT_LIMIT2;
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed) || parsed <= 0)
+    return DEFAULT_LIMIT2;
+  return Math.min(parsed, MAX_LIMIT2);
+}
+function isJsonContentType3(header) {
+  if (header == null)
+    return false;
+  const semi = header.indexOf(";");
+  const mediaType = (semi === -1 ? header : header.slice(0, semi)).trim().toLowerCase();
+  return mediaType === "application/json";
+}
+function validatePatternInput(body) {
+  if (typeof body !== "object" || body === null || Array.isArray(body)) {
+    return [{ path: [], message: "Request body must be a JSON object" }];
+  }
+  const obj = body;
+  const issues = [];
+  const name = obj["name"];
+  if (typeof name !== "string" || name.length === 0) {
+    issues.push({
+      path: ["name"],
+      message: "name is required and must be a non-empty string"
+    });
+  } else if (name.length > NAME_MAX) {
+    issues.push({
+      path: ["name"],
+      message: `name must be at most ${NAME_MAX} characters`
+    });
+  }
+  if (!("tree" in obj)) {
+    issues.push({ path: ["tree"], message: "tree is required" });
+  }
+  return issues;
+}
+function computeWeakEtag3(recordId, record) {
+  const updatedAt = record.updatedAt;
+  if (typeof updatedAt !== "string" || updatedAt.length === 0)
+    return null;
+  return `W/"${PATTERN_TABLE}:${recordId}:${updatedAt}"`;
+}
+async function runAfterHook2(moment, op, user, record, config) {
+  const hooks = resolveHooksFor(moment, { plugins: config.plugins });
+  if (hooks.length === 0)
+    return;
+  const ctx = {
+    op,
+    user,
+    record
+  };
+  const exit = await Effect5.runPromiseExit(runHooks(moment, ctx, hooks));
+  if (Exit5.isFailure(exit)) {
+    console.warn(`[saacms/hooks] ${moment} (${op}) failOnError hook failed`);
+  }
+}
+async function purgeTags(c, tags) {
+  const cache = resolveCache(c);
+  for (const tag of tags) {
+    try {
+      await cache.purgeByTag(tag);
+    } catch (err) {
+      console.warn(`[saacms/cache] purge failed for tag ${tag}:`, err);
+    }
+  }
+}
+
+// src/runtime/scheme-route.ts
+import { Effect as Effect6, Exit as Exit6 } from "effect";
+var SCHEME_TABLE = "saacms_schemes";
+var BASE_HREF3 = "/api/saacms/v1/schemes";
+var LIST_CACHE_KEY2 = "saacms:schemes:list";
+var LIST_CACHE_TAG2 = "saacms:schemes";
+var LIST_TTL2 = 30;
+var RECORD_TTL2 = 30;
+var NAME_MAX2 = 120;
+var DEFAULT_LIMIT3 = 50;
+var MAX_LIMIT3 = 200;
+var CACHE_CONTROL_READ2 = "private, max-age=30";
+var VARY2 = "Authorization";
+function mountSchemeRoute(app, config) {
+  app.get(BASE_HREF3, async (c) => {
+    const rows = config.storage?.rows;
+    if (rows == null)
+      return storageUnavailable3(c);
+    const url = new URL(c.req.url);
+    const limit = parseLimit2(url.searchParams.get("limit"));
+    const cache = resolveCache(c);
+    const hit = await cache.get(LIST_CACHE_KEY2);
+    let data;
+    if (hit != null) {
+      data = hit.value;
+    } else {
+      const result = await rows.list(SCHEME_TABLE, { limit });
+      data = result.rows;
+      await cache.put(LIST_CACHE_KEY2, data, {
+        tags: [LIST_CACHE_TAG2],
+        expirationTtl: LIST_TTL2
+      });
+    }
+    const body = {
+      data,
+      _links: { self: { href: BASE_HREF3 } },
+      _meta: { count: data.length }
+    };
+    return c.newResponse(JSON.stringify(body), 200, {
+      "Content-Type": "application/json",
+      "Cache-Control": CACHE_CONTROL_READ2,
+      Vary: VARY2
+    });
+  });
+  app.post(BASE_HREF3, async (c) => {
+    const rows = config.storage?.rows;
+    if (rows == null)
+      return storageUnavailable3(c);
+    const user = readUser6(c);
+    if (user == null)
+      return forbidden3(c);
+    if (!isJsonContentType4(c.req.header("content-type"))) {
+      return problemDetails(c, {
+        code: "unsupported-media-type",
+        title: "Unsupported media type",
+        status: 415,
+        detail: "Content-Type must be application/json"
+      });
+    }
+    let parsedBody;
+    try {
+      parsedBody = await c.req.json();
+    } catch {
+      return problemDetails(c, {
+        code: "malformed-body",
+        title: "Malformed request body",
+        status: 400,
+        detail: "Request body is not valid JSON"
+      });
+    }
+    const issues = validateSchemeInput(parsedBody, config);
+    if (issues.length > 0) {
+      return problemDetails(c, {
+        code: "invalid-body",
+        title: "Request body failed validation",
+        status: 422,
+        detail: issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; "),
+        extensions: { issues }
+      });
+    }
+    const input = parsedBody;
+    const now = new Date().toISOString();
+    const record = {
+      id: `sch_${crypto.randomUUID()}`,
+      name: input.name,
+      tokens: input.tokens,
+      ...input.darkTokens != null ? { darkTokens: input.darkTokens } : {},
+      createdBy: user.id ?? null,
+      createdAt: now,
+      updatedAt: now
+    };
+    await rows.insert(SCHEME_TABLE, record);
+    await runAfterHook3("afterChange", "create", user, record, config);
+    await purgeTags2(c, [LIST_CACHE_TAG2]);
+    const href = `${BASE_HREF3}/${record.id}`;
+    const envelope = {
+      data: record,
+      _links: { self: { href }, collection: { href: BASE_HREF3 } }
+    };
+    return c.newResponse(JSON.stringify(envelope), 201, {
+      "Content-Type": "application/json",
+      "Cache-Control": "no-store",
+      Location: href
+    });
+  });
+  app.get(`${BASE_HREF3}/:id`, async (c) => {
+    const rows = config.storage?.rows;
+    if (rows == null)
+      return storageUnavailable3(c);
+    const recordId = c.req.param("id") ?? "";
+    const cacheKey = recordCacheKey2(recordId);
+    const cache = resolveCache(c);
+    const hit = await cache.get(cacheKey);
+    const record = hit != null ? hit.value : await rows.getById(SCHEME_TABLE, recordId);
+    if (record == null) {
+      return problemDetails(c, {
+        code: "record-not-found",
+        title: "Record not found",
+        status: 404,
+        detail: `${SCHEME_TABLE}/${recordId}`
+      });
+    }
+    if (hit == null) {
+      await cache.put(cacheKey, record, {
+        tags: [cacheKey, LIST_CACHE_TAG2],
+        expirationTtl: RECORD_TTL2
+      });
+    }
+    const etag = computeWeakEtag4(recordId, record);
+    if (etag != null) {
+      const ifNoneMatch = c.req.header("if-none-match");
+      if (ifNoneMatch != null && ifNoneMatch === etag) {
+        return new Response(null, {
+          status: 304,
+          headers: {
+            ETag: etag,
+            "Cache-Control": CACHE_CONTROL_READ2,
+            Vary: VARY2
+          }
+        });
+      }
+    }
+    const envelope = {
+      data: record,
+      _links: {
+        self: { href: `${BASE_HREF3}/${recordId}` },
+        collection: { href: BASE_HREF3 }
+      }
+    };
+    const headers = {
+      "Content-Type": "application/json",
+      "Cache-Control": CACHE_CONTROL_READ2,
+      Vary: VARY2
+    };
+    if (etag != null)
+      headers["ETag"] = etag;
+    return c.newResponse(JSON.stringify(envelope), 200, headers);
+  });
+  app.delete(`${BASE_HREF3}/:id`, async (c) => {
+    const rows = config.storage?.rows;
+    if (rows == null)
+      return storageUnavailable3(c);
+    const user = readUser6(c);
+    if (user == null)
+      return forbidden3(c);
+    const recordId = c.req.param("id") ?? "";
+    const ifMatch = c.req.header("if-match");
+    const record = await rows.getById(SCHEME_TABLE, recordId);
+    if (record == null) {
+      if (ifMatch != null) {
+        return problemDetails(c, {
+          code: "precondition-failed",
+          title: "Precondition failed",
+          status: 412,
+          detail: `${SCHEME_TABLE}/${recordId}`
+        });
+      }
+      return new Response(null, {
+        status: 204,
+        headers: { "Cache-Control": "no-store" }
+      });
+    }
+    if (ifMatch != null) {
+      const etag = computeWeakEtag4(recordId, record);
+      if (etag == null || ifMatch !== etag) {
+        return problemDetails(c, {
+          code: "precondition-failed",
+          title: "Precondition failed",
+          status: 412,
+          detail: `${SCHEME_TABLE}/${recordId}`
+        });
+      }
+    }
+    await rows.delete(SCHEME_TABLE, recordId);
+    await runAfterHook3("afterDelete", "delete", user, record, config);
+    await purgeTags2(c, [recordCacheKey2(recordId), LIST_CACHE_TAG2]);
+    return new Response(null, {
+      status: 204,
+      headers: { "Cache-Control": "no-store" }
+    });
+  });
+}
+function readUser6(c) {
+  const raw = c.get("user");
+  return raw != null && typeof raw === "object" ? raw : null;
+}
+function storageUnavailable3(c) {
+  return problemDetails(c, {
+    code: "storage-unavailable",
+    title: "Row storage not configured",
+    status: 503,
+    detail: "config.storage.rows is required to serve this endpoint"
+  });
+}
+function forbidden3(c) {
+  return problemDetails(c, {
+    code: "forbidden",
+    title: "Forbidden",
+    status: 403,
+    detail: "A logged-in editor is required to modify Schemes"
+  });
+}
+function recordCacheKey2(recordId) {
+  return `saacms:record:${SCHEME_TABLE}:${recordId}`;
+}
+function parseLimit2(raw) {
+  if (raw == null)
+    return DEFAULT_LIMIT3;
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed) || parsed <= 0)
+    return DEFAULT_LIMIT3;
+  return Math.min(parsed, MAX_LIMIT3);
+}
+function isJsonContentType4(header) {
+  if (header == null)
+    return false;
+  const semi = header.indexOf(";");
+  const mediaType = (semi === -1 ? header : header.slice(0, semi)).trim().toLowerCase();
+  return mediaType === "application/json";
+}
+function validateSchemeInput(body, config) {
+  if (typeof body !== "object" || body === null || Array.isArray(body)) {
+    return [{ path: [], message: "Request body must be a JSON object" }];
+  }
+  const obj = body;
+  const issues = [];
+  const name = obj["name"];
+  if (typeof name !== "string" || name.length === 0) {
+    issues.push({
+      path: ["name"],
+      message: "name is required and must be a non-empty string"
+    });
+  } else if (name.length > NAME_MAX2) {
+    issues.push({
+      path: ["name"],
+      message: `name must be at most ${NAME_MAX2} characters`
+    });
+  }
+  const tokens = obj["tokens"];
+  if (tokens == null || typeof tokens !== "object" || Array.isArray(tokens)) {
+    issues.push({
+      path: ["tokens"],
+      message: "tokens is required and must be a JSON object"
+    });
+  } else if (config.theme != null) {
+    const knownNames = new Set(config.theme.tokens.map((t) => t.name));
+    for (const key of Object.keys(tokens)) {
+      if (!knownNames.has(key)) {
+        issues.push({
+          path: ["tokens", key],
+          message: `unknown token "${key}" — not declared in the active Theme contract`
+        });
+      }
+    }
+  }
+  const darkTokens = obj["darkTokens"];
+  if (darkTokens != null) {
+    if (typeof darkTokens !== "object" || Array.isArray(darkTokens)) {
+      issues.push({
+        path: ["darkTokens"],
+        message: "darkTokens must be a JSON object when present"
+      });
+    } else if (config.theme != null) {
+      const darkCapable = new Set(config.theme.tokens.filter((t) => t.dark === true).map((t) => t.name));
+      for (const key of Object.keys(darkTokens)) {
+        if (!darkCapable.has(key)) {
+          issues.push({
+            path: ["darkTokens", key],
+            message: `unknown dark token "${key}" — not declared as a dark-capable token in the active Theme contract`
+          });
+        }
+      }
+    }
+  }
+  return issues;
+}
+function computeWeakEtag4(recordId, record) {
+  const updatedAt = record.updatedAt;
+  if (typeof updatedAt !== "string" || updatedAt.length === 0)
+    return null;
+  return `W/"${SCHEME_TABLE}:${recordId}:${updatedAt}"`;
+}
+async function runAfterHook3(moment, op, user, record, config) {
+  const hooks = resolveHooksFor(moment, { plugins: config.plugins });
+  if (hooks.length === 0)
+    return;
+  const ctx = {
+    op,
+    user,
+    record
+  };
+  const exit = await Effect6.runPromiseExit(runHooks(moment, ctx, hooks));
+  if (Exit6.isFailure(exit)) {
+    console.warn(`[saacms/hooks] ${moment} (${op}) failOnError hook failed`);
+  }
+}
+async function purgeTags2(c, tags) {
+  const cache = resolveCache(c);
+  for (const tag of tags) {
+    try {
+      await cache.purgeByTag(tag);
+    } catch (err) {
+      console.warn(`[saacms/cache] purge failed for tag ${tag}:`, err);
+    }
+  }
+}
+
+// src/runtime/put-route.ts
+import { Either as Either2, Schema as Schema2 } from "effect";
+import { ArrayFormatter as ArrayFormatter2, TreeFormatter as TreeFormatter2 } from "effect/ParseResult";
+var PUT_PATH = "/api/saacms/v1/:collection/:id";
+var CACHE_CONTROL = "no-store";
+function mountPutRoute(app, config) {
+  const collections = config.collections ?? [];
+  app.put(PUT_PATH, async (c) => {
+    const slug = c.req.param("collection") ?? "";
+    const recordId = c.req.param("id") ?? "";
+    const collection = collections.find((coll) => coll.slug === slug);
+    if (collection == null) {
+      return problemDetails(c, {
+        code: "collection-not-found",
+        title: "Collection not found",
+        status: 404,
+        detail: slug
+      });
+    }
+    const user = readUser7(c);
+    const rows = config.storage?.rows;
+    if (rows == null) {
+      return problemDetails(c, {
+        code: "storage-unavailable",
+        title: "Row storage not configured",
+        status: 503,
+        detail: "config.storage.rows is required to serve this endpoint"
+      });
+    }
+    if (!isJsonContentType5(c.req.header("content-type"))) {
+      return problemDetails(c, {
+        code: "unsupported-media-type",
+        title: "Unsupported Media Type",
+        status: 415,
+        detail: "Content-Type must be application/json"
+      });
+    }
+    let parsedBody;
+    try {
+      parsedBody = await c.req.json();
+    } catch {
+      return problemDetails(c, {
+        code: "malformed-body",
+        title: "Malformed JSON body",
+        status: 400,
+        detail: "Request body is not valid JSON"
+      });
+    }
+    if (!isPlainObject(parsedBody)) {
+      return problemDetails(c, {
+        code: "malformed-body",
+        title: "Body must be a JSON object",
+        status: 400,
+        detail: "PUT body MUST be a JSON object representing the full record"
+      });
+    }
+    const schema = collection.schema;
+    const decoded = Schema2.decodeUnknownEither(schema)(parsedBody);
+    if (Either2.isLeft(decoded)) {
+      const error = decoded.left;
+      return problemDetails(c, {
+        code: "invalid-body",
+        title: "Request body failed schema validation",
+        status: 422,
+        detail: TreeFormatter2.formatErrorSync(error),
+        extensions: { issues: ArrayFormatter2.formatErrorSync(error) }
+      });
+    }
+    const validatedBody = decoded.right;
+    const table = slugToTableName(collection.slug);
+    const rawExisting = await rows.getById(table, recordId);
+    const existing = rawExisting == null ? null : decodeBooleanColumns(schema, decodeJsonColumns(schema, rawExisting));
+    if (existing == null) {
+      return problemDetails(c, {
+        code: "record-not-found",
+        title: "Record not found",
+        status: 404,
+        detail: `${slug}/${recordId}`
+      });
+    }
+    const ifMatch = c.req.header("if-match");
+    if (ifMatch != null) {
+      const currentEtag = computeWeakEtag5(slug, recordId, existing);
+      if (currentEtag == null || currentEtag !== ifMatch) {
+        return problemDetails(c, {
+          code: "precondition-failed",
+          title: "Precondition Failed",
+          status: 412,
+          detail: currentEtag == null ? "Record has no updatedAt; If-Match cannot be satisfied" : "If-Match header does not match current resource etag"
+        });
+      }
+    }
+    const updatePredicate = collection.access?.update;
+    if (updatePredicate != null) {
+      const ctx = {
+        user,
+        record: existing,
+        input: validatedBody
+      };
+      const result = await updatePredicate(ctx);
+      if (!allows3(result, existing)) {
+        recordAuditEvent(c, {
+          op: "put",
+          collection: slug,
+          user,
+          decision: "denied",
+          reason: "access.update predicate denied",
+          recordId,
+          at: new Date().toISOString()
+        });
+        return problemDetails(c, {
+          code: "forbidden",
+          title: "Forbidden",
+          status: 403,
+          detail: `${slug}/${recordId}`
+        });
+      }
+      recordAuditEvent(c, {
+        op: "put",
+        collection: slug,
+        user,
+        decision: "granted",
+        recordId,
+        at: new Date().toISOString()
+      });
+    }
+    try {
+      await rows.update(table, recordId, encodeJsonColumns(schema, encodeBooleanColumns(schema, validatedBody)));
+    } catch (err) {
+      if (err instanceof UniqueConstraintError) {
+        return problemDetails(c, {
+          code: "unique-constraint-violated",
+          title: "Unique constraint violated",
+          status: 409,
+          detail: "A record with the same value(s) for the unique fields already exists."
+        });
+      }
+      throw err;
+    }
+    const rawUpdated = await rows.getById(table, recordId);
+    const updated = rawUpdated == null ? null : decodeBooleanColumns(schema, decodeJsonColumns(schema, rawUpdated));
+    if (updated == null) {
+      return problemDetails(c, {
+        code: "record-not-found",
+        title: "Record vanished after update",
+        status: 404,
+        detail: `${slug}/${recordId}`
+      });
+    }
+    const envelope = {
+      data: updated,
+      _links: {
+        self: { href: `/api/saacms/v1/${slug}/${recordId}` },
+        collection: { href: `/api/saacms/v1/${slug}` }
+      }
+    };
+    const headers = {
+      "Content-Type": "application/json",
+      "Cache-Control": CACHE_CONTROL
+    };
+    const newEtag = computeWeakEtag5(slug, recordId, updated);
+    if (newEtag != null)
+      headers["ETag"] = newEtag;
+    return c.newResponse(JSON.stringify(envelope), 200, headers);
+  });
+}
+function readUser7(c) {
+  const raw = c.get("user");
+  return raw != null && typeof raw === "object" ? raw : null;
+}
+function allows3(result, record) {
+  if (typeof result === "boolean")
+    return result;
+  for (const [key, value] of Object.entries(result.where)) {
+    if (record[key] !== value)
+      return false;
+  }
+  return true;
+}
+function isPlainObject(v) {
+  return v != null && typeof v === "object" && !Array.isArray(v);
+}
+function isJsonContentType5(header) {
+  if (header == null)
+    return false;
+  const semi = header.indexOf(";");
+  const mediaType = (semi === -1 ? header : header.slice(0, semi)).trim().toLowerCase();
+  return mediaType === "application/json";
+}
+function computeWeakEtag5(slug, recordId, record) {
+  const updatedAt = record["updatedAt"];
+  if (typeof updatedAt !== "string" || updatedAt.length === 0)
+    return null;
+  return `W/"${slug}:${recordId}:${updatedAt}"`;
+}
+
+// src/runtime/read-route.ts
+import { Cause as Cause4, Effect as Effect7, Exit as Exit7 } from "effect";
+var READ_PATH = "/api/saacms/v1/:collection/:id";
+var CACHE_CONTROL2 = "private, max-age=30";
+var VARY3 = "Authorization";
+function mountReadRoute(app, config) {
+  const collections = config.collections ?? [];
+  app.get(READ_PATH, async (c) => {
+    const slug = c.req.param("collection") ?? "";
+    const recordId = c.req.param("id") ?? "";
+    const collection = collections.find((coll) => coll.slug === slug);
+    if (collection == null) {
+      return problemDetails(c, {
+        code: "collection-not-found",
+        title: "Collection not found",
+        status: 404,
+        detail: slug
+      });
+    }
+    const user = readUser8(c);
+    const rows = config.storage?.rows;
+    if (rows == null) {
+      return problemDetails(c, {
+        code: "storage-unavailable",
+        title: "Row storage not configured",
+        status: 503,
+        detail: "config.storage.rows is required to serve this endpoint"
+      });
+    }
+    const beforeHooks = resolveHooksFor("beforeRead", {
+      collection,
+      plugins: config.plugins
+    });
+    if (beforeHooks.length > 0) {
+      const ctx = { op: "read", user };
+      const exit = await Effect7.runPromiseExit(runHooks("beforeRead", ctx, beforeHooks));
+      if (Exit7.isFailure(exit)) {
+        return problemDetails(c, {
+          code: "hook-rejected",
+          title: "Read rejected by a lifecycle hook",
+          status: 403,
+          detail: hookRejectionDetail4(exit.cause)
+        });
+      }
+    }
+    const readPredicate = collection.access?.read;
+    if (readPredicate != null) {
+      const collectionLevelResult = await readPredicate({ user });
+      if (collectionLevelResult === false) {
+        recordAuditEvent(c, {
+          op: "read",
+          collection: slug,
+          user,
+          decision: "denied",
+          reason: "collection-level read predicate denied",
+          at: new Date().toISOString()
+        });
+        return problemDetails(c, {
+          code: "collection-not-found",
+          title: "Collection not found",
+          status: 404,
+          detail: slug
+        });
+      }
+    }
+    const cacheKey = `saacms:record:${slug}:${recordId}`;
+    const cache = resolveCache(c);
+    const hit = await cache.get(cacheKey);
+    const rawRecord = hit != null ? hit.value : await rows.getById(slugToTableName(collection.slug), recordId);
+    if (rawRecord == null) {
+      return problemDetails(c, {
+        code: "record-not-found",
+        title: "Record not found",
+        status: 404,
+        detail: `${slug}/${recordId}`
+      });
+    }
+    if (hit == null) {
+      await cache.put(cacheKey, rawRecord, {
+        tags: [cacheKey, `saacms:collection:${slug}`],
+        expirationTtl: 30
+      });
+    }
+    const record = decodeBooleanColumns(collection.schema, decodeJsonColumns(collection.schema, rawRecord));
+    if (readPredicate != null) {
+      const result = await readPredicate({ user, record });
+      if (!allows4(result, record)) {
+        recordAuditEvent(c, {
+          op: "read",
+          collection: slug,
+          user,
+          decision: "denied",
+          reason: "per-record read predicate denied",
+          recordId,
+          at: new Date().toISOString()
+        });
+        return problemDetails(c, {
+          code: "forbidden",
+          title: "Forbidden",
+          status: 403,
+          detail: `${slug}/${recordId}`
+        });
+      }
+      recordAuditEvent(c, {
+        op: "read",
+        collection: slug,
+        user,
+        decision: "granted",
+        recordId,
+        at: new Date().toISOString()
+      });
+    }
+    const etag = computeWeakEtag6(slug, recordId, record);
+    if (etag != null) {
+      const ifNoneMatch = c.req.header("if-none-match");
+      if (ifNoneMatch != null && ifNoneMatch === etag) {
+        return new Response(null, {
+          status: 304,
+          headers: {
+            ETag: etag,
+            "Cache-Control": CACHE_CONTROL2,
+            Vary: VARY3
+          }
+        });
+      }
+    }
+    let outgoing = record;
+    const afterHooks = resolveHooksFor("afterRead", {
+      collection,
+      plugins: config.plugins
+    });
+    if (afterHooks.length > 0) {
+      const ctx = { op: "read", user, record };
+      const exit = await Effect7.runPromiseExit(runAfterRead2(ctx, afterHooks));
+      if (Exit7.isFailure(exit)) {
+        console.warn("[saacms/hooks] afterRead failOnError hook failed");
+      } else if (isHookObject3(exit.value)) {
+        outgoing = exit.value;
+      }
+    }
+    const envelope = {
+      data: outgoing,
+      _links: {
+        self: { href: `/api/saacms/v1/${slug}/${recordId}` },
+        collection: { href: `/api/saacms/v1/${slug}` }
+      }
+    };
+    const headers = {
+      "Cache-Control": CACHE_CONTROL2,
+      Vary: VARY3
+    };
+    if (etag != null)
+      headers["ETag"] = etag;
+    return c.json(envelope, 200, headers);
+  });
+}
+function readUser8(c) {
+  const raw = c.get("user");
+  return raw != null && typeof raw === "object" ? raw : null;
+}
+function allows4(result, record) {
+  if (typeof result === "boolean")
+    return result;
+  for (const [key, value] of Object.entries(result.where)) {
+    if (record[key] !== value)
+      return false;
+  }
+  return true;
+}
+function computeWeakEtag6(slug, recordId, record) {
+  const updatedAt = record["updatedAt"];
+  if (typeof updatedAt !== "string" || updatedAt.length === 0)
+    return null;
+  return `W/"${slug}:${recordId}:${updatedAt}"`;
+}
+function runAfterRead2(ctx, hooks) {
+  return hooks.reduce((acc, hook) => Effect7.flatMap(acc, (prev) => {
+    const ran = hook.fn(ctx);
+    const guarded = hook.options?.failOnError === true ? ran : Effect7.catchAll(ran, (err) => Effect7.sync(() => {
+      console.warn("[saacms/hooks] afterRead hook failed:", err);
+      return prev;
+    }));
+    return Effect7.map(guarded, (out) => isHookObject3(out) ? out : prev);
+  }), Effect7.succeed(ctx.record));
+}
+function isHookObject3(value) {
+  return typeof value === "object" && value !== null;
+}
+function hookRejectionDetail4(cause) {
+  const err = Cause4.squash(cause);
+  if (err instanceof Error)
+    return err.message;
+  if (typeof err === "string")
+    return err;
+  try {
+    return JSON.stringify(err);
+  } catch {
+    return String(err);
+  }
+}
+
+// src/runtime/upload-route.ts
+import { Either as Either3, Schema as Schema3 } from "effect";
+import { ArrayFormatter as ArrayFormatter3, TreeFormatter as TreeFormatter3 } from "effect/ParseResult";
+var ACTION_SUFFIX = ":upload";
+var UPLOAD_PATH = "/api/saacms/v1/:collectionAction{[^/]+:upload}";
+var PATH_PREFIX3 = "/api/saacms/v1/";
+var FILE_FIELD = "file";
+var ANON_UPLOADER = "anonymous";
+function mountUploadRoute(app, config) {
+  const collections = config.collections ?? [];
+  app.post(UPLOAD_PATH, async (c) => {
+    const raw = c.req.param("collectionAction") ?? "";
+    const slug = raw.endsWith(ACTION_SUFFIX) ? raw.slice(0, -ACTION_SUFFIX.length) : raw;
+    const collection = collections.find((coll) => coll.slug === slug);
+    if (collection == null) {
+      return problemDetails(c, {
+        code: "collection-not-found",
+        title: "Collection not found",
+        status: 404,
+        detail: slug
+      });
+    }
+    if (collection.kind !== "media") {
+      return problemDetails(c, {
+        code: "not-a-media-collection",
+        title: "Action not valid for this Collection",
+        status: 409,
+        detail: `:upload is only valid on a kind:"media" Collection; ` + `"${slug}" is kind:"${collection.kind ?? "data"}". ` + `Declare the Collection with kind:"media" (ADR 0009) to accept uploads.`
+      });
+    }
+    const user = readUser9(c);
+    const media = config.storage?.media;
+    const rows = config.storage?.rows;
+    if (media == null || rows == null) {
+      const missing = media == null && rows == null ? "config.storage.media and config.storage.rows" : media == null ? "config.storage.media" : "config.storage.rows";
+      return problemDetails(c, {
+        code: "media-storage-misconfigured",
+        title: "Media storage not configured",
+        status: 503,
+        detail: `${missing} must be wired to serve bucket-mode media uploads. ` + `Wire an @saacms/storage-r2 r2Adapter as config.storage.media ` + `(ADR 0024) and a row adapter as config.storage.rows (ADR 0020). ` + `Repo-mode media (commit-on-publish) is a later wave — use the ` + `Publish flow for repo-mode Collections, not this endpoint.`
+      });
+    }
+    if (!isMultipartContentType(c.req.header("content-type"))) {
+      return problemDetails(c, {
+        code: "unsupported-media-type",
+        title: "Unsupported media type",
+        status: 415,
+        detail: `Content-Type must be multipart/form-data; the "${FILE_FIELD}" part carries the binary`
+      });
+    }
+    let form;
+    try {
+      form = await c.req.formData();
+    } catch {
+      return problemDetails(c, {
+        code: "malformed-body",
+        title: "Malformed request body",
+        status: 400,
+        detail: "Request body is not valid multipart/form-data"
+      });
+    }
+    const filePart = form.get(FILE_FIELD);
+    if (!isFilePart(filePart)) {
+      return problemDetails(c, {
+        code: "invalid-body",
+        title: "Request body failed schema validation",
+        status: 422,
+        detail: `Missing required multipart file part "${FILE_FIELD}"`,
+        extensions: {
+          issues: [
+            {
+              _tag: "Missing",
+              path: [FILE_FIELD],
+              message: `multipart/form-data must include a file part named "${FILE_FIELD}"`
+            }
+          ]
+        }
+      });
+    }
+    const bytes = toFreshBytes(new Uint8Array(await filePart.arrayBuffer()));
+    const size = bytes.byteLength;
+    const mime = filePart.type !== "" ? filePart.type : "application/octet-stream";
+    const supplied = readDimensions(form);
+    const parsed = supplied ?? sniffImageDimensions(bytes);
+    const width = parsed?.width ?? 0;
+    const height = parsed?.height ?? 0;
+    const key = await contentHashKey(bytes, mime);
+    const originalKey = key;
+    const originalUrl = await media.signedUrl(key);
+    const uploadedBy = user != null ? String(user.id) : ANON_UPLOADER;
+    const authorFields = readAuthorFields(form);
+    const candidate = {
+      ...authorFields,
+      mime,
+      size,
+      width,
+      height,
+      uploadedBy,
+      originalKey,
+      originalUrl
+    };
+    let mediaSchema;
+    try {
+      mediaSchema = withMediaFields(collection).schema;
+    } catch (err) {
+      return problemDetails(c, {
+        code: "media-storage-misconfigured",
+        title: "Media Collection schema is invalid",
+        status: 503,
+        detail: err instanceof Error ? err.message : String(err)
+      });
+    }
+    const decoded = Schema3.decodeUnknownEither(mediaSchema)(candidate);
+    if (Either3.isLeft(decoded)) {
+      const error = decoded.left;
+      return problemDetails(c, {
+        code: "invalid-body",
+        title: "Request body failed schema validation",
+        status: 422,
+        detail: TreeFormatter3.formatErrorSync(error),
+        extensions: { issues: ArrayFormatter3.formatErrorSync(error) }
+      });
+    }
+    const validated = decoded.right;
+    const createPredicate = collection.access?.create;
+    if (createPredicate != null) {
+      const result = await createPredicate({ user, record: validated });
+      if (!allows5(result, validated)) {
+        return problemDetails(c, {
+          code: "forbidden",
+          title: "Forbidden",
+          status: 403,
+          detail: slug
+        });
+      }
+    }
+    try {
+      await media.put(key, bytes, { contentType: mime });
+    } catch (err) {
+      return problemDetails(c, {
+        code: "storage-write-failed",
+        title: "Media object write failed",
+        status: 500,
+        detail: err instanceof Error ? err.message : String(err)
+      });
+    }
+    let newId;
+    try {
+      ({ id: newId } = await rows.insert(collection.slug, validated));
+    } catch (err) {
+      return problemDetails(c, {
+        code: "storage-write-failed",
+        title: "Media record write failed",
+        status: 500,
+        detail: err instanceof Error ? err.message : String(err)
+      });
+    }
+    const href = `${PATH_PREFIX3}${collection.slug}/${newId}`;
+    const envelope = {
+      data: { ...validated, id: newId },
+      _links: {
+        self: { href },
+        collection: { href: `${PATH_PREFIX3}${collection.slug}` }
+      }
+    };
+    return c.json(envelope, 201, {
+      "Content-Type": "application/json",
+      "Cache-Control": "no-store",
+      Location: href
+    });
+  });
+}
+function readUser9(c) {
+  const raw = c.get("user");
+  return raw != null && typeof raw === "object" ? raw : null;
+}
+function toFreshBytes(src) {
+  const out = new Uint8Array(src.byteLength);
+  out.set(src);
+  return out;
+}
+function isMultipartContentType(header) {
+  if (header == null)
+    return false;
+  const semi = header.indexOf(";");
+  const mediaType = (semi === -1 ? header : header.slice(0, semi)).trim().toLowerCase();
+  return mediaType === "multipart/form-data";
+}
+function isFilePart(v) {
+  return v != null && typeof v !== "string" && typeof v.arrayBuffer === "function";
+}
+function readDimensions(form) {
+  const w = form.get("width");
+  const h = form.get("height");
+  if (typeof w !== "string" && typeof h !== "string")
+    return;
+  const width = typeof w === "string" ? Number(w) : NaN;
+  const height = typeof h === "string" ? Number(h) : NaN;
+  if (Number.isFinite(width) || Number.isFinite(height)) {
+    return {
+      width: Number.isFinite(width) ? width : 0,
+      height: Number.isFinite(height) ? height : 0
+    };
+  }
+  return;
+}
+var RESERVED_FORM_KEYS = new Set([
+  FILE_FIELD,
+  "width",
+  "height",
+  "mime",
+  "size",
+  "uploadedBy",
+  "originalKey",
+  "originalUrl"
+]);
+function readAuthorFields(form) {
+  const out = {};
+  for (const [k, v] of form.entries()) {
+    if (RESERVED_FORM_KEYS.has(k))
+      continue;
+    if (typeof v === "string")
+      out[k] = v;
+  }
+  return out;
+}
+function allows5(result, record) {
+  if (typeof result === "boolean")
+    return result;
+  for (const [key, value] of Object.entries(result.where)) {
+    if (record[key] !== value)
+      return false;
+  }
+  return true;
+}
+async function contentHashKey(bytes, mime) {
+  const digest = await crypto.subtle.digest("SHA-256", bytes);
+  const hex = Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return `${hex}${extensionForMime(mime)}`;
+}
+function extensionForMime(mime) {
+  switch (mime) {
+    case "image/png":
+      return ".png";
+    case "image/jpeg":
+      return ".jpg";
+    case "image/gif":
+      return ".gif";
+    case "image/webp":
+      return ".webp";
+    case "image/avif":
+      return ".avif";
+    case "image/svg+xml":
+      return ".svg";
+    default:
+      return "";
+  }
+}
+function sniffImageDimensions(bytes) {
+  return parsePng(bytes) ?? parseJpeg(bytes);
+}
+var PNG_SIG = [137, 80, 78, 71, 13, 10, 26, 10];
+function parsePng(b) {
+  if (b.length < 24)
+    return;
+  for (let i = 0;i < PNG_SIG.length; i++) {
+    if (b[i] !== PNG_SIG[i])
+      return;
+  }
+  if (b[12] !== 73 || b[13] !== 72 || b[14] !== 68 || b[15] !== 82) {
+    return;
+  }
+  const view = new DataView(b.buffer, b.byteOffset, b.byteLength);
+  const width = view.getUint32(16, false);
+  const height = view.getUint32(20, false);
+  if (width === 0 || height === 0)
+    return;
+  return { width, height };
+}
+function parseJpeg(b) {
+  if (b.length < 4 || b[0] !== 255 || b[1] !== 216)
+    return;
+  const view = new DataView(b.buffer, b.byteOffset, b.byteLength);
+  let off = 2;
+  while (off + 1 < b.length) {
+    if (b[off] !== 255) {
+      off++;
+      continue;
+    }
+    const marker = b[off + 1] ?? 0;
+    off += 2;
+    if (marker === 255 || marker === 216 || marker === 217)
+      continue;
+    if (marker >= 208 && marker <= 215)
+      continue;
+    if (off + 1 >= b.length)
+      return;
+    const segLen = view.getUint16(off, false);
+    const isSof = marker >= 192 && marker <= 207 && marker !== 196 && marker !== 200 && marker !== 204;
+    if (isSof) {
+      if (off + 5 >= b.length)
+        return;
+      const height = view.getUint16(off + 3, false);
+      const width = view.getUint16(off + 5, false);
+      if (width === 0 || height === 0)
+        return;
+      return { width, height };
+    }
+    off += segLen;
+  }
+  return;
+}
+
+// src/runtime/update-route.ts
+import { Cause as Cause5, Effect as Effect8, Either as Either4, Exit as Exit8, ParseResult, Schema as Schema4 } from "effect";
+var UPDATE_PATH = "/api/saacms/v1/:collection/:id";
+var CACHE_CONTROL3 = "no-store";
+var MERGE_STYLE = "shallow-rfc7396";
+var ALLOWED_CONTENT_TYPES = new Set([
+  "application/json",
+  "application/merge-patch+json"
+]);
+function mountUpdateRoute(app, config) {
+  const collections = config.collections ?? [];
+  app.patch(UPDATE_PATH, async (c) => {
+    const slug = c.req.param("collection") ?? "";
+    const recordId = c.req.param("id") ?? "";
+    const collection = collections.find((coll) => coll.slug === slug);
+    if (collection == null) {
+      return problemDetails(c, {
+        code: "collection-not-found",
+        title: "Collection not found",
+        status: 404,
+        detail: slug
+      });
+    }
+    const user = readUser10(c);
+    const rows = config.storage?.rows;
+    if (rows == null) {
+      return problemDetails(c, {
+        code: "storage-unavailable",
+        title: "Row storage not configured",
+        status: 503,
+        detail: "config.storage.rows is required to serve this endpoint"
+      });
+    }
+    const mediaType = (c.req.header("content-type") ?? "").split(";", 1)[0].trim().toLowerCase();
+    if (!ALLOWED_CONTENT_TYPES.has(mediaType)) {
+      return problemDetails(c, {
+        code: "unsupported-media-type",
+        title: "Unsupported Media Type",
+        status: 415,
+        detail: `Expected application/json or application/merge-patch+json; received '${mediaType}'`
+      });
+    }
+    let patch;
+    try {
+      patch = await c.req.json();
+    } catch {
+      return problemDetails(c, {
+        code: "malformed-body",
+        title: "Malformed JSON body",
+        status: 400,
+        detail: "Request body is not valid JSON"
+      });
+    }
+    if (!isPlainObject2(patch)) {
+      return problemDetails(c, {
+        code: "malformed-body",
+        title: "Body must be a JSON object",
+        status: 400,
+        detail: "RFC 7396 merge patches MUST be JSON objects"
+      });
+    }
+    const table = slugToTableName(collection.slug);
+    const schemaForJson = collection.schema;
+    const rawExisting = await rows.getById(table, recordId);
+    const existing = rawExisting == null ? null : decodeBooleanColumns(schemaForJson, decodeJsonColumns(schemaForJson, rawExisting));
+    if (existing == null) {
+      return problemDetails(c, {
+        code: "record-not-found",
+        title: "Record not found",
+        status: 404,
+        detail: `${slug}/${recordId}`
+      });
+    }
+    const ifMatch = c.req.header("if-match");
+    if (ifMatch != null) {
+      const currentEtag = computeWeakEtag7(slug, recordId, existing);
+      if (currentEtag == null || currentEtag !== ifMatch) {
+        return problemDetails(c, {
+          code: "precondition-failed",
+          title: "Precondition Failed",
+          status: 412,
+          detail: currentEtag == null ? "Record has no updatedAt; If-Match cannot be satisfied" : "If-Match header does not match current resource etag"
+        });
+      }
+    }
+    const merged = { ...existing };
+    for (const [k, v] of Object.entries(patch)) {
+      merged[k] = v;
+    }
+    const schema = collection.schema;
+    const decoded = Schema4.decodeUnknownEither(schema)(merged);
+    if (Either4.isLeft(decoded)) {
+      const issues = ParseResult.ArrayFormatter.formatErrorSync(decoded.left);
+      return problemDetails(c, {
+        code: "invalid-body",
+        title: "Merged record fails schema validation",
+        status: 422,
+        detail: `${slug}/${recordId}`,
+        extensions: { issues }
+      });
+    }
+    let storagePatch = patch;
+    const beforeHooks = resolveHooksFor("beforeChange", {
+      collection,
+      plugins: config.plugins
+    });
+    if (beforeHooks.length > 0) {
+      const ctx = {
+        op: "update",
+        user,
+        data: merged,
+        record: existing
+      };
+      const exit = await Effect8.runPromiseExit(runHooks("beforeChange", ctx, beforeHooks));
+      if (Exit8.isFailure(exit)) {
+        return problemDetails(c, {
+          code: "hook-rejected",
+          title: "Operation rejected by a lifecycle hook",
+          status: 422,
+          detail: hookRejectionDetail5(exit.cause)
+        });
+      }
+      if (isHookObject4(exit.value)) {
+        storagePatch = exit.value;
+      }
+    }
+    const updatePredicate = collection.access?.update;
+    if (updatePredicate != null) {
+      const ctx = {
+        user,
+        record: existing,
+        input: patch
+      };
+      const result = await updatePredicate(ctx);
+      if (!allows6(result, existing)) {
+        recordAuditEvent(c, {
+          op: "update",
+          collection: slug,
+          user,
+          decision: "denied",
+          reason: "access.update predicate denied",
+          recordId,
+          at: new Date().toISOString()
+        });
+        return problemDetails(c, {
+          code: "forbidden",
+          title: "Forbidden",
+          status: 403,
+          detail: `${slug}/${recordId}`
+        });
+      }
+      recordAuditEvent(c, {
+        op: "update",
+        collection: slug,
+        user,
+        decision: "granted",
+        recordId,
+        at: new Date().toISOString()
+      });
+    }
+    try {
+      await rows.update(table, recordId, encodeJsonColumns(schemaForJson, encodeBooleanColumns(schemaForJson, storagePatch)));
+    } catch (err) {
+      if (err instanceof UniqueConstraintError) {
+        return problemDetails(c, {
+          code: "unique-constraint-violated",
+          title: "Unique constraint violated",
+          status: 409,
+          detail: "A record with the same value(s) for the unique fields already exists."
+        });
+      }
+      throw err;
+    }
+    const rawUpdated = await rows.getById(table, recordId);
+    const updated = rawUpdated == null ? null : decodeBooleanColumns(schemaForJson, decodeJsonColumns(schemaForJson, rawUpdated));
+    if (updated == null) {
+      return problemDetails(c, {
+        code: "record-not-found",
+        title: "Record vanished after update",
+        status: 404,
+        detail: `${slug}/${recordId}`
+      });
+    }
+    const afterHooks = resolveHooksFor("afterChange", {
+      collection,
+      plugins: config.plugins
+    });
+    if (afterHooks.length > 0) {
+      const ctx = {
+        op: "update",
+        user,
+        record: updated
+      };
+      const exit = await Effect8.runPromiseExit(runHooks("afterChange", ctx, afterHooks));
+      if (Exit8.isFailure(exit)) {
+        console.warn("[saacms/hooks] afterChange (update) failOnError hook failed");
+      }
+    }
+    const cache = resolveCache(c);
+    for (const tag of [
+      `saacms:record:${slug}:${recordId}`,
+      `saacms:collection:${slug}`
+    ]) {
+      try {
+        await cache.purgeByTag(tag);
+      } catch (err) {
+        console.warn(`[saacms/cache] purge failed for tag ${tag}:`, err);
+      }
+    }
+    const envelope = {
+      data: updated,
+      _links: {
+        self: { href: `/api/saacms/v1/${slug}/${recordId}` },
+        collection: { href: `/api/saacms/v1/${slug}` }
+      },
+      _meta: { mergeStyle: MERGE_STYLE }
+    };
+    const headers = {
+      "Content-Type": "application/json",
+      "Cache-Control": CACHE_CONTROL3
+    };
+    const newEtag = computeWeakEtag7(slug, recordId, updated);
+    if (newEtag != null)
+      headers["ETag"] = newEtag;
+    return c.newResponse(JSON.stringify(envelope), 200, headers);
+  });
+}
+function readUser10(c) {
+  const raw = c.get("user");
+  return raw != null && typeof raw === "object" ? raw : null;
+}
+function allows6(result, record) {
+  if (typeof result === "boolean")
+    return result;
+  for (const [key, value] of Object.entries(result.where)) {
+    if (record[key] !== value)
+      return false;
+  }
+  return true;
+}
+function isPlainObject2(v) {
+  return v != null && typeof v === "object" && !Array.isArray(v);
+}
+function isHookObject4(value) {
+  return typeof value === "object" && value !== null;
+}
+function hookRejectionDetail5(cause) {
+  const err = Cause5.squash(cause);
+  if (err instanceof Error)
+    return err.message;
+  if (typeof err === "string")
+    return err;
+  try {
+    return JSON.stringify(err);
+  } catch {
+    return String(err);
+  }
+}
+function computeWeakEtag7(slug, recordId, record) {
+  const updatedAt = record["updatedAt"];
+  if (typeof updatedAt !== "string" || updatedAt.length === 0)
+    return null;
+  return `W/"${slug}:${recordId}:${updatedAt}"`;
+}
+// src/runtime/scale-cost.ts
+var DEFAULT_THRESHOLDS = {
+  serveDynamicReadsPerDay: 5000,
+  serveMinCacheHitRate: 0.5,
+  publishMonthlyMinutesFraction: 0.8
+};
+var DAYS_PER_MONTH = 30;
+function int(n) {
+  return Number.isFinite(n) ? Math.round(n) : 0;
+}
+function oneDp(n) {
+  if (!Number.isFinite(n))
+    return 0;
+  return Math.round(n * 10) / 10;
+}
+function safeDiv(num, den) {
+  if (!Number.isFinite(num) || !Number.isFinite(den) || den <= 0)
+    return 0;
+  const r = num / den;
+  return Number.isFinite(r) ? r : 0;
+}
+function serveAxisFor(coll, windowDays, th) {
+  const readsPerDay = safeDiv(coll.dynamicReads, windowDays);
+  const totalCacheTraffic = coll.cacheHits + coll.cacheMisses;
+  const hitRate = safeDiv(coll.cacheHits, totalCacheTraffic);
+  const projectedPerMonth = readsPerDay * DAYS_PER_MONTH;
+  const crossed = readsPerDay >= th.serveDynamicReadsPerDay && hitRate < th.serveMinCacheHitRate;
+  return {
+    axis: "serve",
+    crossed,
+    subject: coll.slug,
+    metricLines: [
+      `reads/day: ${int(readsPerDay)}`,
+      `cache hit-rate: ${oneDp(hitRate * 100)}%`,
+      `projected row-reads/mo: ${int(projectedPerMonth)}`
+    ],
+    recommendedAction: `wire @saacms/plugin-cache-kv on '${coll.slug}'`
+  };
+}
+function publishAxis(pub, windowDays, th) {
+  const publishesPerMonth = safeDiv(pub.publishes, windowDays) * DAYS_PER_MONTH;
+  const projectedMinutesPerMonth = publishesPerMonth * pub.avgCiMinutes;
+  const allowance = pub.githubFreeMinutesPerMonth;
+  const pctOfAllowance = safeDiv(projectedMinutesPerMonth, allowance) * 100;
+  const crossed = projectedMinutesPerMonth >= th.publishMonthlyMinutesFraction * allowance;
+  return {
+    axis: "publish",
+    crossed,
+    metricLines: [
+      `publishes/30d: ${int(publishesPerMonth)}`,
+      `avg CI minutes/publish: ${oneDp(pub.avgCiMinutes)}`,
+      `projected Actions-minutes/mo: ${int(projectedMinutesPerMonth)}`,
+      `GitHub free allowance/mo: ${int(allowance)} minutes`,
+      `% of free allowance: ${oneDp(pctOfAllowance)}%`
+    ],
+    recommendedAction: "reduce publish frequency or fund incremental publish (v1.x); " + "the Draft-batches-Publish invariant already keeps this O(publishes)"
+  };
+}
+function ownerSummaryFor(serveCrossed, publishCrossed) {
+  if (serveCrossed && publishCrossed) {
+    return "Your site is growing fast and publishing very often — ask your developer about a performance and publishing upgrade.";
+  }
+  if (serveCrossed) {
+    return "Your site is growing fast — ask your developer about a performance upgrade.";
+  }
+  if (publishCrossed) {
+    return "Your site is publishing very often — ask your developer about publish costs.";
+  }
+  return "";
+}
+function computeScaleCostSignal(snapshot, thresholds) {
+  const th = { ...DEFAULT_THRESHOLDS, ...thresholds };
+  const windowDays = snapshot.windowDays;
+  const serveAxes = snapshot.collections.map((c) => serveAxisFor(c, windowDays, th)).filter((a) => a.crossed);
+  const pub = publishAxis(snapshot.publish, windowDays, th);
+  const serveCrossed = serveAxes.length > 0;
+  const publishCrossed = pub.crossed;
+  const anyCrossed = serveCrossed || publishCrossed;
+  const axes = [...serveAxes];
+  if (publishCrossed)
+    axes.push(pub);
+  return {
+    window: { days: windowDays },
+    axes,
+    anyCrossed,
+    ownerSummary: ownerSummaryFor(serveCrossed, publishCrossed)
+  };
+}
+
+// src/runtime/index.ts
+var NOT_IMPLEMENTED = { error: "NOT_IMPLEMENTED" };
+function createSaacmsRuntime(config) {
+  const app = new Hono;
+  mountAuthMiddleware(app, config);
+  const services2 = collectServices(config);
+  app.use("*", async (c, next) => {
+    c.set("saacmsServices", services2);
+    await next();
+  });
+  app.all("/admin/*", (c) => c.json(NOT_IMPLEMENTED, 501));
+  mountHealthRoute(app, config);
+  mountOpenApiRoute(app, config);
+  mountListRoute(app, config);
+  mountUploadRoute(app, config);
+  mountCreateRoute(app, config);
+  mountDraftsRoute(app, config);
+  mountReadRoute(app, config);
+  mountPutRoute(app, config);
+  mountUpdateRoute(app, config);
+  mountDeleteRoute(app, config);
+  mountPatternRoute(app, config);
+  mountSchemeRoute(app, config);
+  return app;
+}
+
+export { RowStorageError, UniqueConstraintError, collectServices, getServices, recordAuditEvent, DEFAULT_THRESHOLDS, computeScaleCostSignal, createSaacmsRuntime };