npm - @sonicjs-cms/core - Versions diffs - 2.18.1 → 3.0.0-beta.2 - Mend

@sonicjs-cms/core 2.18.1 → 3.0.0-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (225) hide show

package/README.md +4 -3
package/dist/admin-documents-form.template-KN7JF66Q.cjs +19 -0
package/dist/{admin-layout-catalyst.template-UMTIN66R.js.map → admin-documents-form.template-KN7JF66Q.cjs.map} +1 -1
package/dist/admin-documents-form.template-NLSI6Z42.js +6 -0
package/dist/{admin-layout-catalyst.template-HFD37TY5.cjs.map → admin-documents-form.template-NLSI6Z42.js.map} +1 -1
package/dist/admin-layout-catalyst.template-WHJGSWWD.js +7 -0
package/dist/admin-layout-catalyst.template-WHJGSWWD.js.map +1 -0
package/dist/admin-layout-catalyst.template-ZK5HD545.cjs +17 -0
package/dist/admin-layout-catalyst.template-ZK5HD545.cjs.map +1 -0
package/dist/app-Bo0X1OWX.d.ts +1268 -0
package/dist/app-Do66yCcV.d.cts +1268 -0
package/dist/cache-DDARE4QE.js +4 -0
package/dist/cache-DDARE4QE.js.map +1 -0
package/dist/cache-LVYS4BPL.cjs +33 -0
package/dist/cache-LVYS4BPL.cjs.map +1 -0
package/dist/chunk-2CB4KY7I.cjs +771 -0
package/dist/chunk-2CB4KY7I.cjs.map +1 -0
package/dist/{chunk-55RDMDOP.js → chunk-3TB6AT6X.js} +148 -55
package/dist/chunk-3TB6AT6X.js.map +1 -0
package/dist/{chunk-ON5ZMSU4.js → chunk-6JQOUUOB.js} +3 -3
package/dist/chunk-6JQOUUOB.js.map +1 -0
package/dist/chunk-6OUHGKFD.js +387 -0
package/dist/chunk-6OUHGKFD.js.map +1 -0
package/dist/{chunk-DSUJ5YQH.cjs → chunk-AAWNRBRB.cjs} +537 -92
package/dist/chunk-AAWNRBRB.cjs.map +1 -0
package/dist/chunk-AI663NBO.js +821 -0
package/dist/chunk-AI663NBO.js.map +1 -0
package/dist/chunk-BDDABDAB.cjs +1149 -0
package/dist/chunk-BDDABDAB.cjs.map +1 -0
package/dist/chunk-BLMTL57B.js +767 -0
package/dist/chunk-BLMTL57B.js.map +1 -0
package/dist/chunk-DNQCEKUK.cjs +327 -0
package/dist/chunk-DNQCEKUK.cjs.map +1 -0
package/dist/chunk-DSA4UX5B.cjs +276 -0
package/dist/chunk-DSA4UX5B.cjs.map +1 -0
package/dist/chunk-EF2NQUIQ.js +323 -0
package/dist/chunk-EF2NQUIQ.js.map +1 -0
package/dist/chunk-GCDZZNIN.js +192 -0
package/dist/chunk-GCDZZNIN.js.map +1 -0
package/dist/{chunk-ABB34XUS.cjs → chunk-H2AXVCLS.cjs} +667 -19
package/dist/chunk-H2AXVCLS.cjs.map +1 -0
package/dist/{chunk-XWIA3HVX.js → chunk-HDWE5FRJ.js} +6 -1249
package/dist/chunk-HDWE5FRJ.js.map +1 -0
package/dist/chunk-HIKBY7MS.cjs +70 -0
package/dist/chunk-HIKBY7MS.cjs.map +1 -0
package/dist/chunk-IESEVHXL.js +66 -0
package/dist/chunk-IESEVHXL.js.map +1 -0
package/dist/chunk-IVPRUGTY.js +242 -0
package/dist/chunk-IVPRUGTY.js.map +1 -0
package/dist/{chunk-SQ6FNXU2.cjs → chunk-IXUHXTHW.cjs} +2 -151
package/dist/chunk-IXUHXTHW.cjs.map +1 -0
package/dist/chunk-J6JTWD2A.cjs +100 -0
package/dist/chunk-J6JTWD2A.cjs.map +1 -0
package/dist/chunk-JEQ7FLOD.cjs +199 -0
package/dist/chunk-JEQ7FLOD.cjs.map +1 -0
package/dist/chunk-K25XHMM3.js +566 -0
package/dist/chunk-K25XHMM3.js.map +1 -0
package/dist/chunk-LRZIAW7U.cjs +158 -0
package/dist/chunk-LRZIAW7U.cjs.map +1 -0
package/dist/{chunk-OHYBNCVL.cjs → chunk-MVIZJOO5.cjs} +10 -1256
package/dist/chunk-MVIZJOO5.cjs.map +1 -0
package/dist/{chunk-UYJ6TJHX.cjs → chunk-NAVPFIG5.cjs} +148 -55
package/dist/chunk-NAVPFIG5.cjs.map +1 -0
package/dist/chunk-NLJVSER2.js +273 -0
package/dist/chunk-NLJVSER2.js.map +1 -0
package/dist/chunk-NMPEMSU4.js +154 -0
package/dist/chunk-NMPEMSU4.js.map +1 -0
package/dist/chunk-NUKJ54GA.cjs +245 -0
package/dist/chunk-NUKJ54GA.cjs.map +1 -0
package/dist/{chunk-T3Q5V33G.cjs → chunk-QAYFOER6.cjs} +621 -829
package/dist/chunk-QAYFOER6.cjs.map +1 -0
package/dist/{chunk-MGFRZO24.js → chunk-QZGABF2M.js} +3 -149
package/dist/chunk-QZGABF2M.js.map +1 -0
package/dist/chunk-RNZFGN4R.js +88 -0
package/dist/chunk-RNZFGN4R.js.map +1 -0
package/dist/chunk-RZ6H7OZK.js +1134 -0
package/dist/chunk-RZ6H7OZK.js.map +1 -0
package/dist/{chunk-XXDFQERJ.js → chunk-VD2EA3WT.js} +7192 -9806
package/dist/chunk-VD2EA3WT.js.map +1 -0
package/dist/{chunk-SXXTQETM.cjs → chunk-VXE42MYF.cjs} +8722 -11323
package/dist/chunk-VXE42MYF.cjs.map +1 -0
package/dist/{chunk-4ZSNJDLS.cjs → chunk-WULONYGB.cjs} +9 -9
package/dist/chunk-WULONYGB.cjs.map +1 -0
package/dist/chunk-XW56B23A.cjs +408 -0
package/dist/chunk-XW56B23A.cjs.map +1 -0
package/dist/chunk-YA3TJ65D.cjs +575 -0
package/dist/chunk-YA3TJ65D.cjs.map +1 -0
package/dist/{chunk-TFNTM3OA.js → chunk-YHSQVQXX.js} +645 -15
package/dist/chunk-YHSQVQXX.js.map +1 -0
package/dist/chunk-YP7GW2G5.cjs +866 -0
package/dist/chunk-YP7GW2G5.cjs.map +1 -0
package/dist/{chunk-QFWHAFEO.js → chunk-ZEZ245PW.js} +148 -858
package/dist/chunk-ZEZ245PW.js.map +1 -0
package/dist/{chunk-EW5NOBVU.js → chunk-ZGGXCFR6.js} +611 -817
package/dist/chunk-ZGGXCFR6.js.map +1 -0
package/dist/{collection-config-B4PG-AaF.d.cts → collection-config-JgHOpFCG.d.cts} +30 -2
package/dist/{collection-config-B4PG-AaF.d.ts → collection-config-JgHOpFCG.d.ts} +30 -2
package/dist/config-HFXANXCC.js +6 -0
package/dist/config-HFXANXCC.js.map +1 -0
package/dist/config-ON6FNMYX.cjs +19 -0
package/dist/config-ON6FNMYX.cjs.map +1 -0
package/dist/define-plugin-BzNHc1ZI.d.ts +1321 -0
package/dist/define-plugin-IWDKYaVm.d.cts +1321 -0
package/dist/document-projection-TDWRJX3Z.cjs +13 -0
package/dist/document-projection-TDWRJX3Z.cjs.map +1 -0
package/dist/document-projection-YYMC6I4U.js +4 -0
package/dist/document-projection-YYMC6I4U.js.map +1 -0
package/dist/index.cjs +13735 -4329
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +329 -492
package/dist/index.d.ts +329 -492
package/dist/index.js +13386 -3999
package/dist/index.js.map +1 -1
package/dist/middleware.cjs +36 -32
package/dist/middleware.d.cts +69 -7
package/dist/middleware.d.ts +69 -7
package/dist/middleware.js +7 -3
package/dist/migrations-NJJWQUKK.cjs +13 -0
package/dist/{migrations-IYNTWDC6.cjs.map → migrations-NJJWQUKK.cjs.map} +1 -1
package/dist/migrations-WCAVBD7C.js +4 -0
package/dist/{migrations-R337UD46.js.map → migrations-WCAVBD7C.js.map} +1 -1
package/dist/{plugin-bootstrap-DfVerYV4.d.cts → plugin-bootstrap-B8ThJU21.d.cts} +4315 -1661
package/dist/{plugin-bootstrap-P_ciLp_C.d.ts → plugin-bootstrap-qu8hJgUt.d.ts} +4315 -1661
package/dist/plugins.cjs +171 -12
package/dist/plugins.d.cts +36 -2
package/dist/plugins.d.ts +36 -2
package/dist/plugins.js +5 -2
package/dist/rbac-O73MFKDA.js +5 -0
package/dist/rbac-O73MFKDA.js.map +1 -0
package/dist/rbac-VONLJJKB.cjs +14 -0
package/dist/rbac-VONLJJKB.cjs.map +1 -0
package/dist/routes.cjs +41 -45
package/dist/routes.d.cts +56 -146
package/dist/routes.d.ts +56 -146
package/dist/routes.js +17 -9
package/dist/services.cjs +39 -72
package/dist/services.d.cts +79 -54
package/dist/services.d.ts +79 -54
package/dist/services.js +6 -3
package/dist/templates.cjs +17 -29
package/dist/templates.d.cts +1 -66
package/dist/templates.d.ts +1 -66
package/dist/templates.js +3 -3
package/dist/types-Dea1eNxU.d.cts +286 -0
package/dist/types-Dea1eNxU.d.ts +286 -0
package/dist/types.d.cts +1 -1
package/dist/types.d.ts +1 -1
package/dist/utils.cjs +18 -17
package/dist/utils.d.cts +1 -1
package/dist/utils.d.ts +1 -1
package/dist/utils.js +2 -1
package/migrations/0001_core.sql +184 -0
package/migrations/0002_documents.sql +163 -0
package/package.json +12 -7
package/dist/admin-layout-catalyst.template-HFD37TY5.cjs +0 -17
package/dist/admin-layout-catalyst.template-UMTIN66R.js +0 -7
package/dist/app-C9esKLmh.d.cts +0 -112
package/dist/app-C9esKLmh.d.ts +0 -112
package/dist/chunk-4R3NOOL3.js +0 -2217
package/dist/chunk-4R3NOOL3.js.map +0 -1
package/dist/chunk-4ZSNJDLS.cjs.map +0 -1
package/dist/chunk-55RDMDOP.js.map +0 -1
package/dist/chunk-635JAMSE.cjs +0 -653
package/dist/chunk-635JAMSE.cjs.map +0 -1
package/dist/chunk-ABB34XUS.cjs.map +0 -1
package/dist/chunk-C54YUA23.cjs +0 -2219
package/dist/chunk-C54YUA23.cjs.map +0 -1
package/dist/chunk-DSUJ5YQH.cjs.map +0 -1
package/dist/chunk-EW5NOBVU.js.map +0 -1
package/dist/chunk-EXNEW5US.js +0 -648
package/dist/chunk-EXNEW5US.js.map +0 -1
package/dist/chunk-I2H5NGJQ.js +0 -692
package/dist/chunk-I2H5NGJQ.js.map +0 -1
package/dist/chunk-MGFRZO24.js.map +0 -1
package/dist/chunk-OHYBNCVL.cjs.map +0 -1
package/dist/chunk-ON5ZMSU4.js.map +0 -1
package/dist/chunk-QFWHAFEO.js.map +0 -1
package/dist/chunk-SQ6FNXU2.cjs.map +0 -1
package/dist/chunk-SXXTQETM.cjs.map +0 -1
package/dist/chunk-T3Q5V33G.cjs.map +0 -1
package/dist/chunk-TFNTM3OA.js.map +0 -1
package/dist/chunk-UYJ6TJHX.cjs.map +0 -1
package/dist/chunk-WAEQXGCX.cjs +0 -1898
package/dist/chunk-WAEQXGCX.cjs.map +0 -1
package/dist/chunk-XWIA3HVX.js.map +0 -1
package/dist/chunk-XXDFQERJ.js.map +0 -1
package/dist/migrations-IYNTWDC6.cjs +0 -13
package/dist/migrations-R337UD46.js +0 -4
package/dist/plugin-manager-BoM3Q7o7.d.cts +0 -328
package/dist/plugin-manager-Efx9RyDX.d.ts +0 -328
package/migrations/001_initial_schema.sql +0 -170
package/migrations/002_faq_plugin.sql +0 -86
package/migrations/003_stage5_enhancements.sql +0 -121
package/migrations/004_stage6_user_management.sql +0 -183
package/migrations/005_stage7_workflow_automation.sql +0 -294
package/migrations/006_plugin_system.sql +0 -155
package/migrations/007_demo_login_plugin.sql +0 -23
package/migrations/008_fix_slug_validation.sql +0 -22
package/migrations/009_system_logging.sql +0 -57
package/migrations/011_config_managed_collections.sql +0 -15
package/migrations/012_testimonials_plugin.sql +0 -80
package/migrations/013_code_examples_plugin.sql +0 -177
package/migrations/014_fix_plugin_registry.sql +0 -88
package/migrations/015_add_remaining_plugins.sql +0 -89
package/migrations/016_remove_duplicate_cache_plugin.sql +0 -17
package/migrations/017_auth_configurable_fields.sql +0 -49
package/migrations/018_settings_table.sql +0 -23
package/migrations/019_remove_blog_posts_collection.sql +0 -15
package/migrations/020_add_email_plugin.sql +0 -22
package/migrations/021_add_magic_link_auth_plugin.sql +0 -42
package/migrations/022_add_tinymce_plugin.sql +0 -25
package/migrations/023_add_easy_mdx_plugin.sql +0 -25
package/migrations/024_add_quill_editor_plugin.sql +0 -25
package/migrations/025_add_easymde_plugin.sql +0 -25
package/migrations/026_add_otp_login.sql +0 -42
package/migrations/027_fix_slug_field_type.sql +0 -18
package/migrations/028_fix_slug_field_type_in_schemas.sql +0 -30
package/migrations/029_add_forms_system.sql +0 -184
package/migrations/030_add_turnstile_to_forms.sql +0 -14
package/migrations/031_ai_search_plugin.sql +0 -45
package/migrations/032_user_profiles.sql +0 -37
package/migrations/033_form_content_integration.sql +0 -19
package/migrations/034_security_audit_plugin.sql +0 -27
package/migrations/035_user_profiles_data_column.sql +0 -16
package/migrations/036_analytics_events.sql +0 -22

package/dist/chunk-I2H5NGJQ.js DELETED Viewed

@@ -1,692 +0,0 @@
-import { syncCollections, syncAllFormCollections, PluginBootstrapService } from './chunk-EW5NOBVU.js';
-import { MigrationService } from './chunk-4R3NOOL3.js';
-import { metricsTracker } from './chunk-FICTAGD4.js';
-import { sign, verify } from 'hono/jwt';
-import { setCookie, getCookie } from 'hono/cookie';
-// src/middleware/bootstrap.ts
-var bootstrapComplete = false;
-function verifySecurityConfig(env) {
-  const warnings = [];
-  if (!env.JWT_SECRET) {
-    warnings.push(
-      "JWT_SECRET is not set \u2014 using hardcoded fallback. Set via `wrangler secret put JWT_SECRET`"
-    );
-  } else if (env.JWT_SECRET.includes("change-in-production")) {
-    warnings.push(
-      "JWT_SECRET contains the default value \u2014 tokens are forgeable. Generate a strong random secret"
-    );
-  }
-  if (!env.CORS_ORIGINS) {
-    warnings.push(
-      "CORS_ORIGINS is not set \u2014 all cross-origin API requests will be rejected"
-    );
-  }
-  if (!env.ENVIRONMENT) {
-    warnings.push(
-      'ENVIRONMENT is not set \u2014 HSTS header will not be applied. Set to "production" or "development"'
-    );
-  }
-  if (warnings.length === 0) {
-    return;
-  }
-  const isProduction = env.ENVIRONMENT === "production";
-  for (const warning of warnings) {
-    console.warn(`[SonicJS Security] ${warning}`);
-  }
-  if (isProduction) {
-    const hasCritical = !env.JWT_SECRET || env.JWT_SECRET.includes("change-in-production");
-    if (hasCritical) {
-      throw new Error(
-        "[SonicJS Security] CRITICAL: Production deployment is missing a secure JWT_SECRET. Set it via `wrangler secret put JWT_SECRET` before deploying."
-      );
-    }
-  }
-}
-function bootstrapMiddleware(config = {}) {
-  return async (c, next) => {
-    if (bootstrapComplete) {
-      return next();
-    }
-    const path = c.req.path;
-    if (path.startsWith("/images/") || path.startsWith("/assets/") || path === "/health" || path.endsWith(".js") || path.endsWith(".css") || path.endsWith(".png") || path.endsWith(".jpg") || path.endsWith(".ico")) {
-      return next();
-    }
-    try {
-      console.log("[Bootstrap] Starting system initialization...");
-      console.log("[Bootstrap] Running database migrations...");
-      const migrationService = new MigrationService(c.env.DB);
-      await migrationService.runPendingMigrations();
-      console.log("[Bootstrap] Syncing collection configurations...");
-      try {
-        await syncCollections(c.env.DB);
-      } catch (error) {
-        console.error("[Bootstrap] Error syncing collections:", error);
-      }
-      console.log("[Bootstrap] Syncing form collections...");
-      try {
-        await syncAllFormCollections(c.env.DB);
-      } catch (error) {
-        console.error("[Bootstrap] Error syncing form collections:", error);
-      }
-      if (!config.plugins?.disableAll) {
-        console.log("[Bootstrap] Bootstrapping core plugins...");
-        const bootstrapService = new PluginBootstrapService(c.env.DB);
-        const needsBootstrap = await bootstrapService.isBootstrapNeeded();
-        if (needsBootstrap) {
-          await bootstrapService.bootstrapCorePlugins();
-        }
-      } else {
-        console.log("[Bootstrap] Plugin bootstrap skipped (disableAll is true)");
-      }
-      bootstrapComplete = true;
-      console.log("[Bootstrap] System initialization completed");
-    } catch (error) {
-      console.error("[Bootstrap] Error during system initialization:", error);
-    }
-    verifySecurityConfig(c.env);
-    return next();
-  };
-}
-var JWT_SECRET_FALLBACK = "your-super-secret-jwt-key-change-in-production";
-var DEFAULT_JWT_EXPIRES_IN_SECONDS = 60 * 60 * 24 * 30;
-function parseDuration(input) {
-  if (input === void 0 || input === null || input === "") return null;
-  if (typeof input === "number" && Number.isFinite(input) && input > 0) {
-    return Math.floor(input);
-  }
-  const raw = String(input).trim();
-  if (/^\d+$/.test(raw)) {
-    const n = parseInt(raw, 10);
-    return n > 0 ? n : null;
-  }
-  const match = raw.match(/^(\d+)\s*(s|sec|secs|seconds|m|min|mins|minutes|h|hr|hrs|hours|d|day|days)$/i);
-  if (!match) return null;
-  const value = parseInt(match[1], 10);
-  const unit = match[2].toLowerCase();
-  if (unit.startsWith("s")) return value;
-  if (unit.startsWith("m")) return value * 60;
-  if (unit.startsWith("h")) return value * 60 * 60;
-  if (unit.startsWith("d")) return value * 60 * 60 * 24;
-  return null;
-}
-function getJwtExpirySeconds(env) {
-  const configured = parseDuration(env?.JWT_EXPIRES_IN);
-  return configured ?? DEFAULT_JWT_EXPIRES_IN_SECONDS;
-}
-async function getJwtExpirySecondsFromDb(db, env) {
-  const envParsed = parseDuration(env?.JWT_EXPIRES_IN);
-  if (envParsed) return envParsed;
-  if (db) {
-    try {
-      const row = await db.prepare("SELECT value FROM settings WHERE category = 'security' AND key = 'jwtExpiresIn'").first();
-      if (row?.value) {
-        let stored = row.value;
-        try {
-          stored = JSON.parse(row.value);
-        } catch {
-        }
-        const parsed = parseDuration(stored);
-        if (parsed) return parsed;
-      }
-    } catch (err) {
-      console.warn("Failed to read jwtExpiresIn from settings, falling back to default:", err);
-    }
-  }
-  return DEFAULT_JWT_EXPIRES_IN_SECONDS;
-}
-async function getJwtRefreshGraceSecondsFromDb(db, env) {
-  const DEFAULT_GRACE = 60 * 60 * 24 * 7;
-  const envParsed = parseDuration(env?.JWT_REFRESH_GRACE_SECONDS);
-  if (envParsed) return envParsed;
-  if (db) {
-    try {
-      const row = await db.prepare("SELECT value FROM settings WHERE category = 'security' AND key = 'jwtRefreshGraceSeconds'").first();
-      if (row?.value) {
-        let stored = row.value;
-        try {
-          stored = JSON.parse(row.value);
-        } catch {
-        }
-        const parsed = parseDuration(stored);
-        if (parsed) return parsed;
-      }
-    } catch (err) {
-      console.warn("Failed to read jwtRefreshGraceSeconds from settings:", err);
-    }
-  }
-  return DEFAULT_GRACE;
-}
-function decodeJwtPayload(token) {
-  try {
-    const parts = token.split(".");
-    if (parts.length !== 3) return null;
-    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
-    const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
-    const json = atob(padded);
-    const obj = JSON.parse(json);
-    if (!obj || typeof obj.exp !== "number") return null;
-    return obj;
-  } catch {
-    return null;
-  }
-}
-function base64UrlToBytes(b64url) {
-  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
-  const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
-  const bin = atob(padded);
-  const bytes = new Uint8Array(bin.length);
-  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
-  return bytes;
-}
-async function verifyHs256Signature(token, secret) {
-  try {
-    const parts = token.split(".");
-    if (parts.length !== 3) return false;
-    const encoder = new TextEncoder();
-    const key = await crypto.subtle.importKey(
-      "raw",
-      encoder.encode(secret),
-      { name: "HMAC", hash: "SHA-256" },
-      false,
-      ["verify"]
-    );
-    const signature = base64UrlToBytes(parts[2]);
-    const message = encoder.encode(`${parts[0]}.${parts[1]}`);
-    return await crypto.subtle.verify("HMAC", key, signature, message);
-  } catch {
-    return false;
-  }
-}
-var AuthManager = class {
-  static async generateToken(userId, email, role, secret, expiresInSeconds) {
-    const ttl = expiresInSeconds && expiresInSeconds > 0 ? Math.floor(expiresInSeconds) : DEFAULT_JWT_EXPIRES_IN_SECONDS;
-    const now = Math.floor(Date.now() / 1e3);
-    const payload = {
-      userId,
-      email,
-      role,
-      exp: now + ttl,
-      iat: now
-    };
-    return await sign(payload, secret || JWT_SECRET_FALLBACK, "HS256");
-  }
-  /**
-   * Verify a token's signature and expiration.
-   *
-   * If `graceSeconds` > 0, tokens whose `exp` is within the grace window
-   * (i.e. expired by no more than `graceSeconds`) are still returned. This
-   * supports a sliding-session refresh endpoint that accepts recently-expired
-   * tokens. Signature failures always return null.
-   */
-  static async verifyToken(token, secret, graceSeconds = 0) {
-    const effectiveSecret = secret || JWT_SECRET_FALLBACK;
-    try {
-      let payload = null;
-      try {
-        payload = await verify(token, effectiveSecret, "HS256");
-      } catch (verifyError) {
-        const name = verifyError?.name || "";
-        const message = String(verifyError?.message || "");
-        const isExpired = name === "JwtTokenExpired" || message.includes("expired");
-        if (!isExpired || graceSeconds <= 0) {
-          throw verifyError;
-        }
-        const signatureValid = await verifyHs256Signature(token, effectiveSecret);
-        if (!signatureValid) return null;
-        const decoded = decodeJwtPayload(token);
-        if (!decoded) return null;
-        payload = decoded;
-      }
-      if (!payload) return null;
-      const now = Math.floor(Date.now() / 1e3);
-      if (payload.exp < now - Math.max(0, Math.floor(graceSeconds))) {
-        return null;
-      }
-      return payload;
-    } catch (error) {
-      console.error("Token verification failed:", error);
-      return null;
-    }
-  }
-  static async hashPassword(password) {
-    const iterations = 1e5;
-    const salt = new Uint8Array(16);
-    crypto.getRandomValues(salt);
-    const encoder = new TextEncoder();
-    const keyMaterial = await crypto.subtle.importKey(
-      "raw",
-      encoder.encode(password),
-      "PBKDF2",
-      false,
-      ["deriveBits"]
-    );
-    const hashBuffer = await crypto.subtle.deriveBits(
-      {
-        name: "PBKDF2",
-        salt,
-        iterations,
-        hash: "SHA-256"
-      },
-      keyMaterial,
-      256
-    );
-    const saltHex = Array.from(salt).map((b) => b.toString(16).padStart(2, "0")).join("");
-    const hashHex = Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
-    return `pbkdf2:${iterations}:${saltHex}:${hashHex}`;
-  }
-  static async hashPasswordLegacy(password) {
-    const encoder = new TextEncoder();
-    const data = encoder.encode(password + "salt-change-in-production");
-    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-    const hashArray = Array.from(new Uint8Array(hashBuffer));
-    return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
-  }
-  static async verifyPassword(password, storedHash) {
-    if (storedHash.startsWith("pbkdf2:")) {
-      const parts = storedHash.split(":");
-      if (parts.length !== 4) return false;
-      const iterationsStr = parts[1];
-      const saltHex = parts[2];
-      const expectedHashHex = parts[3];
-      const iterations = parseInt(iterationsStr, 10);
-      const saltBytes = saltHex.match(/.{2}/g);
-      if (!saltBytes) return false;
-      const salt = new Uint8Array(saltBytes.map((byte) => parseInt(byte, 16)));
-      const encoder = new TextEncoder();
-      const keyMaterial = await crypto.subtle.importKey(
-        "raw",
-        encoder.encode(password),
-        "PBKDF2",
-        false,
-        ["deriveBits"]
-      );
-      const hashBuffer = await crypto.subtle.deriveBits(
-        {
-          name: "PBKDF2",
-          salt,
-          iterations,
-          hash: "SHA-256"
-        },
-        keyMaterial,
-        256
-      );
-      const actualHashHex = Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
-      if (actualHashHex.length !== expectedHashHex.length) return false;
-      let result2 = 0;
-      for (let i = 0; i < actualHashHex.length; i++) {
-        result2 |= actualHashHex.charCodeAt(i) ^ expectedHashHex.charCodeAt(i);
-      }
-      return result2 === 0;
-    }
-    const legacyHash = await this.hashPasswordLegacy(password);
-    if (legacyHash.length !== storedHash.length) return false;
-    let result = 0;
-    for (let i = 0; i < legacyHash.length; i++) {
-      result |= legacyHash.charCodeAt(i) ^ storedHash.charCodeAt(i);
-    }
-    return result === 0;
-  }
-  static isLegacyHash(storedHash) {
-    return !storedHash.startsWith("pbkdf2:");
-  }
-  /**
-   * Set authentication cookie - useful for plugins implementing alternative auth methods
-   * @param c - Hono context
-   * @param token - JWT token to set in cookie
-   * @param options - Optional cookie configuration
-   */
-  static setAuthCookie(c, token, options) {
-    setCookie(c, "auth_token", token, {
-      httpOnly: options?.httpOnly ?? true,
-      secure: options?.secure ?? true,
-      sameSite: options?.sameSite ?? "Strict",
-      maxAge: options?.maxAge ?? getJwtExpirySeconds(c?.env)
-    });
-  }
-};
-var requireAuth = () => {
-  return async (c, next) => {
-    try {
-      let token = c.req.header("Authorization")?.replace("Bearer ", "");
-      if (!token) {
-        token = getCookie(c, "auth_token");
-      }
-      if (!token) {
-        const acceptHeader = c.req.header("Accept") || "";
-        if (acceptHeader.includes("text/html")) {
-          return c.redirect("/auth/login?error=Please login to access the admin area");
-        }
-        return c.json({ error: "Authentication required" }, 401);
-      }
-      const kv = c.env?.KV;
-      let payload = null;
-      if (kv) {
-        const cacheKey = `auth:${token.substring(0, 20)}`;
-        const cached = await kv.get(cacheKey, "json");
-        if (cached) {
-          payload = cached;
-        }
-      }
-      if (!payload) {
-        const jwtSecret = c.env?.JWT_SECRET;
-        payload = await AuthManager.verifyToken(token, jwtSecret);
-        if (payload && kv) {
-          const cacheKey = `auth:${token.substring(0, 20)}`;
-          await kv.put(cacheKey, JSON.stringify(payload), { expirationTtl: 300 });
-        }
-      }
-      if (!payload) {
-        const acceptHeader = c.req.header("Accept") || "";
-        if (acceptHeader.includes("text/html")) {
-          return c.redirect("/auth/login?error=Your session has expired, please login again");
-        }
-        return c.json({ error: "Invalid or expired token" }, 401);
-      }
-      c.set("user", payload);
-      return await next();
-    } catch (error) {
-      console.error("Auth middleware error:", error);
-      const acceptHeader = c.req.header("Accept") || "";
-      if (acceptHeader.includes("text/html")) {
-        return c.redirect("/auth/login?error=Authentication failed, please login again");
-      }
-      return c.json({ error: "Authentication failed" }, 401);
-    }
-  };
-};
-var requireRole = (requiredRole) => {
-  return async (c, next) => {
-    const user = c.get("user");
-    if (!user) {
-      const acceptHeader = c.req.header("Accept") || "";
-      if (acceptHeader.includes("text/html")) {
-        return c.redirect("/auth/login?error=Please login to access the admin area");
-      }
-      return c.json({ error: "Authentication required" }, 401);
-    }
-    const roles = Array.isArray(requiredRole) ? requiredRole : [requiredRole];
-    if (!roles.includes(user.role)) {
-      const acceptHeader = c.req.header("Accept") || "";
-      if (acceptHeader.includes("text/html")) {
-        return c.redirect("/auth/login?error=You do not have permission to access this area");
-      }
-      return c.json({ error: "Insufficient permissions" }, 403);
-    }
-    return await next();
-  };
-};
-var optionalAuth = () => {
-  return async (c, next) => {
-    try {
-      let token = c.req.header("Authorization")?.replace("Bearer ", "");
-      if (!token) {
-        token = getCookie(c, "auth_token");
-      }
-      if (token) {
-        const jwtSecret = c.env?.JWT_SECRET;
-        const payload = await AuthManager.verifyToken(token, jwtSecret);
-        if (payload) {
-          c.set("user", payload);
-        }
-      }
-      return await next();
-    } catch (error) {
-      console.error("Optional auth error:", error);
-      return await next();
-    }
-  };
-};
-// src/middleware/metrics.ts
-var metricsMiddleware = () => {
-  return async (c, next) => {
-    const path = new URL(c.req.url).pathname;
-    if (path !== "/admin/dashboard/api/metrics") {
-      metricsTracker.recordRequest();
-    }
-    await next();
-  };
-};
-var JWT_SECRET_FALLBACK2 = "your-super-secret-jwt-key-change-in-production";
-function arrayBufferToBase64Url(buffer) {
-  const bytes = new Uint8Array(buffer);
-  let binary = "";
-  for (let i = 0; i < bytes.length; i++) {
-    binary += String.fromCharCode(bytes[i]);
-  }
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-async function getHmacKey(secret) {
-  const encoder = new TextEncoder();
-  return crypto.subtle.importKey(
-    "raw",
-    encoder.encode(secret),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign", "verify"]
-  );
-}
-async function generateCsrfToken(secret) {
-  const nonceBytes = new Uint8Array(32);
-  crypto.getRandomValues(nonceBytes);
-  const nonce = arrayBufferToBase64Url(nonceBytes.buffer);
-  const key = await getHmacKey(secret);
-  const encoder = new TextEncoder();
-  const signatureBuffer = await crypto.subtle.sign("HMAC", key, encoder.encode(nonce));
-  const signature = arrayBufferToBase64Url(signatureBuffer);
-  return `${nonce}.${signature}`;
-}
-async function validateCsrfToken(token, secret) {
-  if (!token || typeof token !== "string") return false;
-  const dotIndex = token.indexOf(".");
-  if (dotIndex === -1) return false;
-  const nonce = token.substring(0, dotIndex);
-  const signature = token.substring(dotIndex + 1);
-  if (!nonce || !signature) return false;
-  try {
-    const key = await getHmacKey(secret);
-    const encoder = new TextEncoder();
-    const sigPadded = signature.replace(/-/g, "+").replace(/_/g, "/");
-    const sigBinary = atob(sigPadded);
-    const sigBytes = new Uint8Array(sigBinary.length);
-    for (let i = 0; i < sigBinary.length; i++) {
-      sigBytes[i] = sigBinary.charCodeAt(i);
-    }
-    return await crypto.subtle.verify("HMAC", key, sigBytes.buffer, encoder.encode(nonce));
-  } catch {
-    return false;
-  }
-}
-var DEFAULT_EXEMPT_PATHS = [
-  "/auth/login",
-  "/auth/register",
-  "/auth/seed-admin",
-  "/auth/accept-invitation",
-  "/auth/reset-password",
-  "/auth/request-password-reset",
-  "/auth/otp",
-  "/auth/magic-link",
-  "/auth/verify",
-  "/api/stripe/webhook",
-  "/api/events"
-];
-function isExemptPath(path, extraExemptPaths = []) {
-  if (path.startsWith("/forms/") || path.startsWith("/api/forms/") || path === "/forms" || path === "/api/forms") {
-    return true;
-  }
-  if (path.startsWith("/api/search")) {
-    return true;
-  }
-  const allExempt = [...DEFAULT_EXEMPT_PATHS, ...extraExemptPaths];
-  for (const exempt of allExempt) {
-    if (path === exempt || path.startsWith(exempt + "/")) {
-      return true;
-    }
-  }
-  return false;
-}
-function csrfProtection(options = {}) {
-  return async (c, next) => {
-    const method = c.req.method.toUpperCase();
-    const path = new URL(c.req.url).pathname;
-    const secret = c.env?.JWT_SECRET || JWT_SECRET_FALLBACK2;
-    if (c.env?.ENVIRONMENT === "production" && !c.env?.JWT_SECRET) {
-      console.warn(
-        "[CSRF] WARNING: JWT_SECRET is not set in production. CSRF tokens are signed with the fallback key, which is insecure."
-      );
-    }
-    if (method === "GET" || method === "HEAD" || method === "OPTIONS") {
-      await ensureCsrfCookie(c, secret);
-      await next();
-      return;
-    }
-    if (isExemptPath(path, options.exemptPaths)) {
-      await next();
-      return;
-    }
-    const authCookie = getCookie(c, "auth_token");
-    if (!authCookie) {
-      await next();
-      return;
-    }
-    const authHeader = c.req.header("Authorization");
-    if (authHeader) {
-      await next();
-      return;
-    }
-    const cookieToken = getCookie(c, "csrf_token");
-    let headerToken = c.req.header("X-CSRF-Token");
-    if (!headerToken) {
-      const contentType = c.req.header("Content-Type") || "";
-      if (contentType.includes("application/x-www-form-urlencoded") || contentType.includes("multipart/form-data")) {
-        try {
-          const body = await c.req.parseBody();
-          headerToken = body["_csrf"];
-        } catch {
-        }
-      }
-    }
-    if (!cookieToken || !headerToken) {
-      return csrfError(c, "CSRF token missing");
-    }
-    if (cookieToken !== headerToken) {
-      return csrfError(c, "CSRF token mismatch");
-    }
-    const isValid = await validateCsrfToken(cookieToken, secret);
-    if (!isValid) {
-      return csrfError(c, "CSRF token invalid");
-    }
-    await next();
-  };
-}
-async function ensureCsrfCookie(c, secret) {
-  const existing = getCookie(c, "csrf_token");
-  if (existing) {
-    const isValid = await validateCsrfToken(existing, secret);
-    if (isValid) {
-      c.set("csrfToken", existing);
-      return;
-    }
-  }
-  const token = await generateCsrfToken(secret);
-  c.set("csrfToken", token);
-  const isDev = c.env?.ENVIRONMENT === "development" || !c.env?.ENVIRONMENT;
-  setCookie(c, "csrf_token", token, {
-    httpOnly: false,
-    // JS must read this cookie
-    secure: !isDev,
-    sameSite: "Strict",
-    path: "/",
-    maxAge: 86400
-    // 24 hours — browser-side expiry
-  });
-}
-function csrfError(c, message) {
-  const accept = c.req.header("Accept") || "";
-  if (accept.includes("text/html")) {
-    return c.html(
-      `<!DOCTYPE html><html><head><title>403 Forbidden</title></head><body><h1>403 Forbidden</h1><p>${message}</p></body></html>`,
-      403
-    );
-  }
-  return c.json({ error: message, status: 403 }, 403);
-}
-// src/middleware/rate-limit.ts
-function rateLimit(options) {
-  const { max, windowMs, keyPrefix } = options;
-  return async (c, next) => {
-    const kv = c.env?.CACHE_KV;
-    if (!kv) {
-      return await next();
-    }
-    const ip = c.req.header("cf-connecting-ip") || c.req.header("x-forwarded-for") || "unknown";
-    const key = `ratelimit:${keyPrefix}:${ip}`;
-    try {
-      const now = Date.now();
-      const stored = await kv.get(key, "json");
-      let entry;
-      if (stored && stored.resetAt > now) {
-        entry = stored;
-      } else {
-        entry = { count: 0, resetAt: now + windowMs };
-      }
-      entry.count++;
-      const ttlSeconds = Math.ceil((entry.resetAt - now) / 1e3);
-      if (entry.count > max) {
-        await kv.put(key, JSON.stringify(entry), { expirationTtl: Math.max(ttlSeconds, 60) });
-        const retryAfter = Math.ceil((entry.resetAt - now) / 1e3);
-        c.header("Retry-After", String(retryAfter));
-        c.header("X-RateLimit-Limit", String(max));
-        c.header("X-RateLimit-Remaining", "0");
-        c.header("X-RateLimit-Reset", String(Math.ceil(entry.resetAt / 1e3)));
-        return c.json({ error: "Too many requests. Please try again later." }, 429);
-      }
-      await kv.put(key, JSON.stringify(entry), { expirationTtl: Math.max(ttlSeconds, 60) });
-      c.header("X-RateLimit-Limit", String(max));
-      c.header("X-RateLimit-Remaining", String(max - entry.count));
-      c.header("X-RateLimit-Reset", String(Math.ceil(entry.resetAt / 1e3)));
-      return await next();
-    } catch (error) {
-      console.error("Rate limiter error (non-fatal):", error);
-      return await next();
-    }
-  };
-}
-// src/middleware/security-headers.ts
-var securityHeadersMiddleware = () => {
-  return async (c, next) => {
-    await next();
-    c.header("X-Content-Type-Options", "nosniff");
-    c.header("X-Frame-Options", "SAMEORIGIN");
-    c.header("Referrer-Policy", "strict-origin-when-cross-origin");
-    c.header("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
-    const environment = c.env?.ENVIRONMENT;
-    if (environment !== "development") {
-      c.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
-    }
-  };
-};
-// src/middleware/index.ts
-var loggingMiddleware = () => async (_c, next) => await next();
-var detailedLoggingMiddleware = () => async (_c, next) => await next();
-var securityLoggingMiddleware = () => async (_c, next) => await next();
-var performanceLoggingMiddleware = () => async (_c, next) => await next();
-var cacheHeaders = () => async (_c, next) => await next();
-var compressionMiddleware = async (_c, next) => await next();
-var PermissionManager = {};
-var requirePermission = () => async (_c, next) => await next();
-var requireAnyPermission = () => async (_c, next) => await next();
-var logActivity = () => {
-};
-var requireActivePlugin = () => async (_c, next) => await next();
-var requireActivePlugins = () => async (_c, next) => await next();
-var getActivePlugins = () => [];
-var isPluginActive = () => false;
-export { AuthManager, PermissionManager, bootstrapMiddleware, cacheHeaders, compressionMiddleware, csrfProtection, detailedLoggingMiddleware, generateCsrfToken, getActivePlugins, getJwtExpirySeconds, getJwtExpirySecondsFromDb, getJwtRefreshGraceSecondsFromDb, isPluginActive, logActivity, loggingMiddleware, metricsMiddleware, optionalAuth, performanceLoggingMiddleware, rateLimit, requireActivePlugin, requireActivePlugins, requireAnyPermission, requireAuth, requirePermission, requireRole, securityHeadersMiddleware, securityLoggingMiddleware, validateCsrfToken, verifySecurityConfig };
-//# sourceMappingURL=chunk-I2H5NGJQ.js.map
-//# sourceMappingURL=chunk-I2H5NGJQ.js.map