@sonicjs-cms/core 2.18.1 → 3.0.0-beta.2

package/dist/{chunk-DSUJ5YQH.cjs → chunk-AAWNRBRB.cjs}

@@ -1,11 +1,367 @@
 'use strict';
 
-var chunkT3Q5V33G_cjs = require('./chunk-T3Q5V33G.cjs');
-var chunkC54YUA23_cjs = require('./chunk-C54YUA23.cjs');
+var chunk2CB4KY7I_cjs = require('./chunk-2CB4KY7I.cjs');
+var chunkQAYFOER6_cjs = require('./chunk-QAYFOER6.cjs');
+var chunkDSA4UX5B_cjs = require('./chunk-DSA4UX5B.cjs');
+var chunkJ6JTWD2A_cjs = require('./chunk-J6JTWD2A.cjs');
 var chunkRCQ2HIQD_cjs = require('./chunk-RCQ2HIQD.cjs');
+var zod = require('zod');
 var jwt = require('hono/jwt');
 var cookie = require('hono/cookie');
 
+// src/services/document-type-registry.ts
+function rowToDocumentType(row) {
+  return {
+    id: row.id,
+    name: row.name,
+    displayName: row.display_name,
+    description: row.description,
+    schema: JSON.parse(row.schema),
+    queryableFields: JSON.parse(row.queryable_fields),
+    settings: JSON.parse(row.settings),
+    pluginId: row.plugin_id,
+    source: row.source,
+    schemaVersion: row.schema_version,
+    isSystem: row.is_system === 1,
+    isActive: row.is_active === 1,
+    isAuth: row.is_auth === 1,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at
+  };
+}
+var DocumentTypeRegistry = class {
+  constructor(db) {
+    this.db = db;
+  }
+  cache = /* @__PURE__ */ new Map();
+  // Register or update a document type. Idempotent: bumps schema_version only when schema changes.
+  async register(def) {
+    const now = Math.floor(Date.now() / 1e3);
+    const existing = await this.findById(def.id);
+    const schemaJson = JSON.stringify({ queryableFields: def.queryableFields ?? [], settings: def.settings ?? {} });
+    const queryableJson = JSON.stringify(def.queryableFields ?? []);
+    const settingsJson = JSON.stringify(def.settings ?? {});
+    if (existing) {
+      const schemaChanged = schemaJson !== JSON.stringify(existing.schema);
+      const newVersion = schemaChanged ? existing.schemaVersion + 1 : existing.schemaVersion;
+      await this.db.prepare(
+        `UPDATE document_types SET
+             display_name = ?,
+             description = ?,
+             schema = ?,
+             queryable_fields = ?,
+             settings = ?,
+             plugin_id = ?,
+             schema_version = ?,
+             is_active = 1,
+             is_auth = ?,
+             updated_at = ?
+           WHERE id = ?`
+      ).bind(
+        def.displayName,
+        def.description ?? null,
+        schemaJson,
+        queryableJson,
+        settingsJson,
+        def.pluginId ?? null,
+        newVersion,
+        def.isAuth ? 1 : 0,
+        now,
+        def.id
+      ).run();
+      await chunkDSA4UX5B_cjs.ensureScalarSchema(this.db, def.id, def.queryableFields ?? []);
+      const updated = await this.findById(def.id);
+      this.cache.set(def.id, updated);
+      return updated;
+    }
+    await this.db.prepare(
+      `INSERT INTO document_types (id, name, display_name, description, schema, queryable_fields, settings, plugin_id, source, schema_version, is_system, is_active, is_auth, created_at, updated_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, 1, 0, 1, ?, ?, ?)`
+    ).bind(
+      def.id,
+      def.name ?? def.id,
+      def.displayName,
+      def.description ?? null,
+      schemaJson,
+      queryableJson,
+      settingsJson,
+      def.pluginId ?? null,
+      def.source ?? "code",
+      def.isAuth ? 1 : 0,
+      now,
+      now
+    ).run();
+    await chunkDSA4UX5B_cjs.ensureScalarSchema(this.db, def.id, def.queryableFields ?? []);
+    const created = await this.findById(def.id);
+    this.cache.set(def.id, created);
+    return created;
+  }
+  async findById(id) {
+    if (this.cache.has(id)) return this.cache.get(id);
+    const row = await this.db.prepare("SELECT * FROM document_types WHERE id = ?").bind(id).first();
+    if (!row) return null;
+    const dt = rowToDocumentType(row);
+    this.cache.set(id, dt);
+    return dt;
+  }
+  async findAll(activeOnly = true) {
+    const sql = activeOnly ? "SELECT * FROM document_types WHERE is_active = 1 ORDER BY name" : "SELECT * FROM document_types ORDER BY name";
+    const result = await this.db.prepare(sql).all();
+    return (result.results ?? []).map(rowToDocumentType);
+  }
+  async deactivate(id) {
+    const now = Math.floor(Date.now() / 1e3);
+    await this.db.prepare("UPDATE document_types SET is_active = 0, updated_at = ? WHERE id = ?").bind(now, id).run();
+    this.cache.delete(id);
+  }
+  clearCache() {
+    this.cache.clear();
+  }
+};
+
+// src/services/document-types-seed.ts
+var anyObject = zod.z.record(zod.z.string(), zod.z.unknown());
+async function bootstrapDocumentTypes(db) {
+  const registry = new DocumentTypeRegistry(db);
+  await registry.register({
+    id: "site_settings",
+    name: "site_settings",
+    displayName: "Site Settings",
+    description: "Global site configuration (internal; managed via admin settings UI)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      internal: true,
+      maxVersionsPerRoot: 1,
+      baseGrants: { admin: ["read", "create", "update", "delete", "manage"] }
+    },
+    queryableFields: []
+  });
+  await registry.register({
+    id: "blog_post",
+    name: "blog_post",
+    displayName: "Blog Post",
+    description: "Blog post (document-backed; edited via the content collection UI)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      baseGrants: { public: ["read"], admin: ["read", "create", "update", "delete", "publish", "manage"], editor: ["read", "create", "update", "publish"], viewer: ["read"] },
+      maxVersionsPerRoot: 50
+    },
+    queryableFields: [
+      { name: "difficulty", kind: "scalar", type: "text", column: "q_blog_difficulty" },
+      { name: "author", kind: "scalar", type: "text", column: "q_blog_author" }
+    ]
+  });
+  await registry.register({
+    id: "plugin",
+    name: "plugin",
+    displayName: "Plugin",
+    description: "System plugin record (managed by the plugin bootstrap service)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      baseGrants: { admin: ["read", "create", "update", "delete", "publish", "manage"] },
+      maxVersionsPerRoot: 1,
+      internal: true
+    },
+    queryableFields: [
+      { name: "status", kind: "scalar", type: "text", column: "q_plugin_status" },
+      { name: "category", kind: "scalar", type: "text", column: "q_plugin_category" },
+      { name: "isCore", kind: "scalar", type: "integer", column: "q_plugin_is_core" }
+    ]
+  });
+  await registry.register({
+    id: "tenant",
+    name: "tenant",
+    displayName: "Tenant",
+    description: "Tenant record (managed by the multi-tenant plugin; slug = tenant id)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      baseGrants: { admin: ["read", "create", "update", "delete", "manage"] },
+      maxVersionsPerRoot: 1,
+      internal: true
+    },
+    queryableFields: [
+      { name: "status", kind: "scalar", type: "text", column: "q_tenant_status" },
+      { name: "domain", kind: "scalar", type: "text", column: "q_tenant_domain" }
+    ]
+  });
+  await registry.register({
+    id: "user_profile",
+    name: "user_profile",
+    displayName: "User Profile",
+    description: "Per-user profile record (auth-owned; one document per user, slug = userId)",
+    source: "system",
+    isAuth: true,
+    schema: anyObject,
+    settings: {
+      // Hidden from the content admin surfaces; a single mutable record (no version history).
+      internal: true,
+      maxVersionsPerRoot: 1,
+      pii: true,
+      baseGrants: { admin: ["read", "create", "update", "delete", "manage"] }
+    },
+    queryableFields: []
+  });
+  await registry.register({
+    id: "media_asset",
+    name: "media_asset",
+    displayName: "Media Asset",
+    description: "Uploaded media file metadata (managed via the media library; backs an R2 object)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      internal: true,
+      maxVersionsPerRoot: 5,
+      baseGrants: {
+        admin: ["read", "create", "update", "delete", "manage"],
+        editor: ["read", "create", "update"],
+        author: ["read", "create"],
+        viewer: ["read"]
+      }
+    },
+    queryableFields: [
+      { name: "mimeType", kind: "scalar", type: "text", column: "q_media_mime" },
+      { name: "folder", kind: "scalar", type: "text", column: "q_media_folder" },
+      { name: "size", kind: "scalar", type: "integer", column: "q_media_size" },
+      { name: "tags", kind: "facet", type: "text" }
+    ]
+  });
+  await registry.register({
+    id: "plugin_activity",
+    name: "plugin_activity",
+    displayName: "Plugin Activity",
+    description: "Plugin lifecycle event log (installed/activated/deactivated/settings_updated/error)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      internal: true,
+      maxVersionsPerRoot: 1,
+      baseGrants: { admin: ["read", "create", "manage"] }
+    },
+    queryableFields: [
+      { name: "pluginId", kind: "scalar", type: "text", column: "q_plugin_activity_plugin_id" },
+      { name: "action", kind: "scalar", type: "text", column: "q_plugin_activity_action" }
+    ]
+  });
+  await registry.register({
+    id: "security_event",
+    name: "security_event",
+    displayName: "Security Event",
+    description: "Security audit event (login attempts, lockouts, suspicious activity)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      internal: true,
+      maxVersionsPerRoot: 1,
+      baseGrants: { admin: ["read", "create", "manage"] }
+    },
+    queryableFields: [
+      { name: "eventType", kind: "scalar", type: "text", column: "q_sa_event_type" },
+      { name: "severity", kind: "scalar", type: "text", column: "q_sa_severity" },
+      { name: "userId", kind: "scalar", type: "text", column: "q_sa_user_id" },
+      { name: "email", kind: "scalar", type: "text", column: "q_sa_email" },
+      { name: "ipAddress", kind: "scalar", type: "text", column: "q_sa_ip_address" },
+      { name: "blocked", kind: "scalar", type: "integer", column: "q_sa_blocked" }
+    ]
+  });
+  await registry.register({
+    id: "analytics_event",
+    name: "analytics_event",
+    displayName: "Analytics Event",
+    description: "Tracked analytics event (page view, user action, custom event)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      internal: true,
+      maxVersionsPerRoot: 1,
+      baseGrants: { admin: ["read", "create", "manage"] }
+    },
+    queryableFields: [
+      { name: "event", kind: "scalar", type: "text", column: "q_evt_event" },
+      { name: "category", kind: "scalar", type: "text", column: "q_evt_category" },
+      { name: "userId", kind: "scalar", type: "text", column: "q_evt_user_id" },
+      { name: "sessionId", kind: "scalar", type: "text", column: "q_evt_session_id" },
+      { name: "path", kind: "scalar", type: "text", column: "q_evt_path" }
+    ]
+  });
+  await registry.register({
+    id: "media_asset",
+    name: "media_asset",
+    displayName: "Media Asset",
+    description: "Media file metadata (R2 object key + intrinsic properties; URL derived at read time)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      baseGrants: { public: ["read"], admin: ["read", "create", "update", "delete", "publish", "manage"], editor: ["read", "create", "update"] },
+      maxVersionsPerRoot: 5
+    },
+    queryableFields: [
+      { name: "mimeType", kind: "scalar", type: "text", column: "q_media_mime" },
+      { name: "folder", kind: "scalar", type: "text", column: "q_media_folder" },
+      { name: "size", kind: "scalar", type: "integer", column: "q_media_size" },
+      { name: "tags", kind: "facet", type: "text" }
+    ]
+  });
+  for (const [id, displayName, description] of [
+    ["rbac_role", "RBAC Role", "Role record with embedded grants (auth-owned)"],
+    ["rbac_verb", "RBAC Verb", "Permission verb (auth-owned)"],
+    ["rbac_user_roles", "RBAC User Roles", "Per-user role assignments (auth-owned; slug = userId)"]
+  ]) {
+    await registry.register({
+      id,
+      name: id,
+      displayName,
+      description,
+      source: "system",
+      isAuth: true,
+      schema: anyObject,
+      settings: {
+        internal: true,
+        maxVersionsPerRoot: 1,
+        baseGrants: { admin: ["read", "create", "update", "delete", "manage"] }
+      },
+      queryableFields: []
+    });
+  }
+}
+async function autoRegisterCollectionDocumentTypes(db) {
+  const registry = new DocumentTypeRegistry(db);
+  const collections = chunkQAYFOER6_cjs.getCollectionRegistry().listActive();
+  const registered = [];
+  for (const collection of collections) {
+    if (collection.internal) continue;
+    if (collection.name === "blog_post") continue;
+    try {
+      await registry.register({
+        id: collection.name,
+        name: collection.name,
+        displayName: collection.displayName,
+        description: collection.description,
+        source: "system",
+        schema: anyObject,
+        settings: {
+          baseGrants: {
+            public: ["read"],
+            admin: ["read", "create", "update", "delete", "publish", "manage"],
+            editor: ["read", "create", "update", "publish"],
+            viewer: ["read"]
+          },
+          maxVersionsPerRoot: 50,
+          ...collection.versioning ? { versioning: true } : {}
+        },
+        queryableFields: []
+      });
+      registered.push(collection.name);
+    } catch (error) {
+      console.error(`[document-types-seed] Failed to register collection "${collection.name}":`, error);
+    }
+  }
+  return registered;
+}
+
 // src/middleware/bootstrap.ts
 var bootstrapComplete = false;
 function verifySecurityConfig(env) {
@@ -47,6 +403,9 @@ function verifySecurityConfig(env) {
 }
 function bootstrapMiddleware(config = {}) {
   return async (c, next) => {
+    if (chunkJ6JTWD2A_cjs.hasHookSystem()) {
+      c.set("hookSystem", chunkJ6JTWD2A_cjs.getHookSystem());
+    }
     if (bootstrapComplete) {
       return next();
     }
@@ -56,24 +415,52 @@ function bootstrapMiddleware(config = {}) {
     }
     try {
       console.log("[Bootstrap] Starting system initialization...");
-      console.log("[Bootstrap] Running database migrations...");
-      const migrationService = new chunkC54YUA23_cjs.MigrationService(c.env.DB);
-      await migrationService.runPendingMigrations();
-      console.log("[Bootstrap] Syncing collection configurations...");
+      console.log("[Bootstrap] Checking schema compatibility...");
+      const migrationService = new chunkDSA4UX5B_cjs.MigrationService(c.env.DB);
+      await migrationService.ensureSchemaCompatibility();
       try {
-        await chunkT3Q5V33G_cjs.syncCollections(c.env.DB);
+        const kv = c.env.CACHE_KV;
+        if (kv) {
+          const { setGlobalKVNamespace } = await import('./cache-LVYS4BPL.cjs');
+          setGlobalKVNamespace(kv);
+        }
       } catch (error) {
-        console.error("[Bootstrap] Error syncing collections:", error);
+        console.error("[Bootstrap] Error wiring CACHE_KV namespace:", error);
       }
-      console.log("[Bootstrap] Syncing form collections...");
+      console.log("[Bootstrap] Populating collection registry...");
       try {
-        await chunkT3Q5V33G_cjs.syncAllFormCollections(c.env.DB);
+        const configs = await chunkQAYFOER6_cjs.loadCollectionConfigs();
+        chunkQAYFOER6_cjs.getCollectionRegistry().register(configs);
+        console.log(`[Bootstrap] Registry populated with ${configs.length} collection(s)`);
       } catch (error) {
-        console.error("[Bootstrap] Error syncing form collections:", error);
+        console.error("[Bootstrap] Error populating collection registry:", error);
+      }
+      console.log("[Bootstrap] Registering document types...");
+      try {
+        await bootstrapDocumentTypes(c.env.DB);
+      } catch (error) {
+        console.error("[Bootstrap] Error registering document types:", error);
+      }
+      try {
+        await repairMissingCredentialAccounts(c.env.DB);
+      } catch (error) {
+        console.error("[Bootstrap] Error repairing credential accounts:", error);
+      }
+      try {
+        const { RbacService: RbacService2 } = await import('./rbac-VONLJJKB.cjs');
+        await new RbacService2(c.env.DB, c.env.CACHE_KV).ensureSystemRbacSeed();
+      } catch (error) {
+        console.error("[Bootstrap] Error seeding RBAC documents:", error);
+      }
+      try {
+        const auto = await autoRegisterCollectionDocumentTypes(c.env.DB);
+        if (auto.length) console.log(`[Bootstrap] Document-backed collections registered: ${auto.join(", ")}`);
+      } catch (error) {
+        console.error("[Bootstrap] Error auto-registering collection document types:", error);
       }
       if (!config.plugins?.disableAll) {
         console.log("[Bootstrap] Bootstrapping core plugins...");
-        const bootstrapService = new chunkT3Q5V33G_cjs.PluginBootstrapService(c.env.DB);
+        const bootstrapService = new chunkQAYFOER6_cjs.PluginBootstrapService(c.env.DB);
         const needsBootstrap = await bootstrapService.isBootstrapNeeded();
         if (needsBootstrap) {
           await bootstrapService.bootstrapCorePlugins();
@@ -90,6 +477,27 @@ function bootstrapMiddleware(config = {}) {
     return next();
   };
 }
+async function repairMissingCredentialAccounts(db) {
+  const { results } = await db.prepare(`
+    SELECT u.id, u.password_hash
+    FROM auth_user u
+    WHERE u.password_hash IS NOT NULL AND u.password_hash != ''
+    AND NOT EXISTS (
+      SELECT 1 FROM auth_account a
+      WHERE a.user_id = u.id AND a.provider_id = 'credential'
+    )
+  `).all();
+  if (!results.length) return;
+  console.log(`[Bootstrap] Repairing ${results.length} user(s) missing credential auth_account rows`);
+  const nowSec = Math.floor(Date.now() / 1e3);
+  for (const user of results) {
+    await db.prepare(`
+      INSERT OR IGNORE INTO auth_account (id, user_id, account_id, provider_id, password, created_at, updated_at)
+      VALUES (?, ?, ?, 'credential', ?, ?, ?)
+    `).bind(`cred-${user.id}`, user.id, user.id, user.password_hash, nowSec, nowSec).run();
+  }
+  console.log(`[Bootstrap] Credential account repair complete (${results.length} repaired)`);
+}
 var JWT_SECRET_FALLBACK = "your-super-secret-jwt-key-change-in-production";
 var DEFAULT_JWT_EXPIRES_IN_SECONDS = 60 * 60 * 24 * 30;
 function parseDuration(input) {
@@ -121,14 +529,10 @@ async function getJwtExpirySecondsFromDb(db, env) {
   if (envParsed) return envParsed;
   if (db) {
     try {
-      const row = await db.prepare("SELECT value FROM settings WHERE category = 'security' AND key = 'jwtExpiresIn'").first();
-      if (row?.value) {
-        let stored = row.value;
-        try {
-          stored = JSON.parse(row.value);
-        } catch {
-        }
-        const parsed = parseDuration(stored);
+      const row = await db.prepare("SELECT data FROM documents WHERE type_id = 'site_settings' AND slug = 'security' AND tenant_id = 'default' AND is_current_draft = 1 AND deleted_at IS NULL").first();
+      if (row?.data) {
+        const data = JSON.parse(row.data);
+        const parsed = parseDuration(data.jwtExpiresIn);
         if (parsed) return parsed;
       }
     } catch (err) {
@@ -143,14 +547,10 @@ async function getJwtRefreshGraceSecondsFromDb(db, env) {
   if (envParsed) return envParsed;
   if (db) {
     try {
-      const row = await db.prepare("SELECT value FROM settings WHERE category = 'security' AND key = 'jwtRefreshGraceSeconds'").first();
-      if (row?.value) {
-        let stored = row.value;
-        try {
-          stored = JSON.parse(row.value);
-        } catch {
-        }
-        const parsed = parseDuration(stored);
+      const row = await db.prepare("SELECT data FROM documents WHERE type_id = 'site_settings' AND slug = 'security' AND tenant_id = 'default' AND is_current_draft = 1 AND deleted_at IS NULL").first();
+      if (row?.data) {
+        const data = JSON.parse(row.data);
+        const parsed = parseDuration(data.jwtRefreshGraceSeconds?.toString());
         if (parsed) return parsed;
       }
     } catch (err) {
@@ -200,7 +600,7 @@ async function verifyHs256Signature(token, secret) {
     return false;
   }
 }
-var AuthManager = class {
+var AuthManager = class _AuthManager {
   static async generateToken(userId, email, role, secret, expiresInSeconds) {
     const ttl = expiresInSeconds && expiresInSeconds > 0 ? Math.floor(expiresInSeconds) : DEFAULT_JWT_EXPIRES_IN_SECONDS;
     const now = Math.floor(Date.now() / 1e3);
@@ -216,6 +616,13 @@ var AuthManager = class {
   /**
    * Verify a token's signature and expiration.
    *
+   * IMPORTANT: pass the `JWT_SECRET` binding (e.g. `c.env.JWT_SECRET`) as the
+   * `secret` argument. If omitted, this falls back to a development-only
+   * placeholder secret — tokens signed with the real `JWT_SECRET` will then
+   * silently fail verification. From inside a Hono handler prefer
+   * `AuthManager.verifyAuthRequest(c)`, which handles header/cookie extraction
+   * and pulls the secret from `c.env` for you.
+   *
    * If `graceSeconds` > 0, tokens whose `exp` is within the grace window
    * (i.e. expired by no more than `graceSeconds`) are still returned. This
    * supports a sliding-session refresh endpoint that accepts recently-expired
@@ -251,6 +658,26 @@ var AuthManager = class {
       return null;
     }
   }
+  /**
+   * Verify the JWT on an incoming Hono request using the `JWT_SECRET`
+   * binding from `c.env`. Reads the token from the `Authorization: Bearer …`
+   * header first, then falls back to the `auth_token` cookie. Returns the
+   * decoded payload, or null when the token is missing, malformed, expired,
+   * or signed with a different secret.
+   *
+   * Use this from custom Hono routes mounted alongside SonicJS — it
+   * resolves the secret the same way `requireAuth()` does, without forcing
+   * the caller to plumb it through manually.
+   */
+  static async verifyAuthRequest(c) {
+    let token = c.req.header("Authorization")?.replace("Bearer ", "");
+    if (!token) {
+      token = cookie.getCookie(c, "auth_token");
+    }
+    if (!token) return null;
+    const secret = c.env?.JWT_SECRET;
+    return await _AuthManager.verifyToken(token, secret);
+  }
   static async hashPassword(password) {
     const iterations = 1e5;
     const salt = new Uint8Array(16);
@@ -349,52 +776,15 @@ var AuthManager = class {
 };
 var requireAuth = () => {
   return async (c, next) => {
-    try {
-      let token = c.req.header("Authorization")?.replace("Bearer ", "");
-      if (!token) {
-        token = cookie.getCookie(c, "auth_token");
-      }
-      if (!token) {
-        const acceptHeader = c.req.header("Accept") || "";
-        if (acceptHeader.includes("text/html")) {
-          return c.redirect("/auth/login?error=Please login to access the admin area");
-        }
-        return c.json({ error: "Authentication required" }, 401);
-      }
-      const kv = c.env?.KV;
-      let payload = null;
-      if (kv) {
-        const cacheKey = `auth:${token.substring(0, 20)}`;
-        const cached = await kv.get(cacheKey, "json");
-        if (cached) {
-          payload = cached;
-        }
-      }
-      if (!payload) {
-        const jwtSecret = c.env?.JWT_SECRET;
-        payload = await AuthManager.verifyToken(token, jwtSecret);
-        if (payload && kv) {
-          const cacheKey = `auth:${token.substring(0, 20)}`;
-          await kv.put(cacheKey, JSON.stringify(payload), { expirationTtl: 300 });
-        }
-      }
-      if (!payload) {
-        const acceptHeader = c.req.header("Accept") || "";
-        if (acceptHeader.includes("text/html")) {
-          return c.redirect("/auth/login?error=Your session has expired, please login again");
-        }
-        return c.json({ error: "Invalid or expired token" }, 401);
-      }
-      c.set("user", payload);
-      return await next();
-    } catch (error) {
-      console.error("Auth middleware error:", error);
+    const user = c.get("user");
+    if (!user) {
       const acceptHeader = c.req.header("Accept") || "";
       if (acceptHeader.includes("text/html")) {
-        return c.redirect("/auth/login?error=Authentication failed, please login again");
+        return c.redirect("/auth/login?error=Please login to access the admin area");
       }
-      return c.json({ error: "Authentication failed" }, 401);
+      return c.json({ error: "Authentication required" }, 401);
     }
+    return await next();
   };
 };
 var requireRole = (requiredRole) => {
@@ -418,25 +808,36 @@ var requireRole = (requiredRole) => {
     return await next();
   };
 };
-var optionalAuth = () => {
+var requireRbac = (resource, verb) => {
   return async (c, next) => {
-    try {
-      let token = c.req.header("Authorization")?.replace("Bearer ", "");
-      if (!token) {
-        token = cookie.getCookie(c, "auth_token");
+    const user = c.get("user");
+    if (!user) {
+      const acceptHeader = c.req.header("Accept") || "";
+      if (acceptHeader.includes("text/html")) {
+        return c.redirect("/auth/login?error=Please login to access the admin area");
       }
-      if (token) {
-        const jwtSecret = c.env?.JWT_SECRET;
-        const payload = await AuthManager.verifyToken(token, jwtSecret);
-        if (payload) {
-          c.set("user", payload);
-        }
+      return c.json({ error: "Authentication required" }, 401);
+    }
+    const cachedPerms = c.get("rbacPerms");
+    let allowed;
+    if (cachedPerms !== void 0) {
+      allowed = cachedPerms.includes(`${resource}:${verb}`);
+    } else {
+      allowed = await new chunk2CB4KY7I_cjs.RbacService(c.env.DB).can(user.userId, resource, verb);
+    }
+    if (!allowed) {
+      const acceptHeader = c.req.header("Accept") || "";
+      if (acceptHeader.includes("text/html")) {
+        return c.redirect("/auth/login?error=You do not have permission to access this area");
       }
-      return await next();
-    } catch (error) {
-      console.error("Optional auth error:", error);
-      return await next();
+      return c.json({ error: "Insufficient permissions" }, 403);
     }
+    return await next();
+  };
+};
+var optionalAuth = () => {
+  return async (_c, next) => {
+    return await next();
   };
 };
 
@@ -504,11 +905,17 @@ var DEFAULT_EXEMPT_PATHS = [
   "/auth/login",
   "/auth/register",
   "/auth/seed-admin",
+  "/test-seed-defaults",
+  "/test-cleanup",
   "/auth/accept-invitation",
   "/auth/reset-password",
   "/auth/request-password-reset",
   "/auth/otp",
   "/auth/magic-link",
+  "/auth/sign-out",
+  "/auth/sign-in",
+  "/auth/sign-up",
+  "/auth/get-session",
   "/auth/verify",
   "/api/stripe/webhook",
   "/api/events"
@@ -672,6 +1079,45 @@ var securityHeadersMiddleware = () => {
   };
 };
 
+// src/middleware/plugin-middleware.ts
+async function isPluginActive(db, pluginId) {
+  try {
+    const docResult = await db.prepare(
+      `SELECT json_extract(data, '$.status') as status FROM documents
+         WHERE slug = ? AND type_id = 'plugin' AND tenant_id = 'default'
+           AND is_current_draft = 1 AND deleted_at IS NULL`
+    ).bind(pluginId).first();
+    return docResult?.status === "active";
+  } catch (error) {
+    console.error(`[isPluginActive] Error checking plugin status for ${pluginId}:`, error);
+    return false;
+  }
+}
+async function requireActivePlugin(db, pluginId) {
+  const isActive = await isPluginActive(db, pluginId);
+  if (!isActive) {
+    throw new Error(`Plugin '${pluginId}' is required but is not active`);
+  }
+}
+async function requireActivePlugins(db, pluginIds) {
+  for (const pluginId of pluginIds) {
+    await requireActivePlugin(db, pluginId);
+  }
+}
+async function getActivePlugins(db) {
+  try {
+    const { results } = await db.prepare(
+      `SELECT slug as id, json_extract(data, '$.status') as status, data FROM documents
+         WHERE type_id = 'plugin' AND tenant_id = 'default'
+           AND q_plugin_status = 'active' AND is_current_draft = 1 AND deleted_at IS NULL`
+    ).all();
+    return results || [];
+  } catch (error) {
+    console.error("[getActivePlugins] Error fetching active plugins:", error);
+    return [];
+  }
+}
+
 // src/middleware/index.ts
 var loggingMiddleware = () => async (_c, next) => await next();
 var detailedLoggingMiddleware = () => async (_c, next) => await next();
@@ -684,13 +1130,11 @@ var requirePermission = () => async (_c, next) => await next();
 var requireAnyPermission = () => async (_c, next) => await next();
 var logActivity = () => {
 };
-var requireActivePlugin = () => async (_c, next) => await next();
-var requireActivePlugins = () => async (_c, next) => await next();
-var getActivePlugins = () => [];
-var isPluginActive = () => false;
 
 exports.AuthManager = AuthManager;
+exports.DocumentTypeRegistry = DocumentTypeRegistry;
 exports.PermissionManager = PermissionManager;
+exports.bootstrapDocumentTypes = bootstrapDocumentTypes;
 exports.bootstrapMiddleware = bootstrapMiddleware;
 exports.cacheHeaders = cacheHeaders;
 exports.compressionMiddleware = compressionMiddleware;
@@ -713,10 +1157,11 @@ exports.requireActivePlugins = requireActivePlugins;
 exports.requireAnyPermission = requireAnyPermission;
 exports.requireAuth = requireAuth;
 exports.requirePermission = requirePermission;
+exports.requireRbac = requireRbac;
 exports.requireRole = requireRole;
 exports.securityHeadersMiddleware = securityHeadersMiddleware;
 exports.securityLoggingMiddleware = securityLoggingMiddleware;
 exports.validateCsrfToken = validateCsrfToken;
 exports.verifySecurityConfig = verifySecurityConfig;
-//# sourceMappingURL=chunk-DSUJ5YQH.cjs.map
-//# sourceMappingURL=chunk-DSUJ5YQH.cjs.map
+//# sourceMappingURL=chunk-AAWNRBRB.cjs.map
+//# sourceMappingURL=chunk-AAWNRBRB.cjs.map