@sonicjs-cms/core 2.19.0 → 3.0.0-beta.11

package/dist/{chunk-7A4CB7T3.cjs → chunk-YJEBDJDV.cjs}

@@ -1,12 +1,370 @@
 'use strict';
 
-var chunkE4YFJBM2_cjs = require('./chunk-E4YFJBM2.cjs');
-var chunkRLMUFFUD_cjs = require('./chunk-RLMUFFUD.cjs');
+var chunk2CB4KY7I_cjs = require('./chunk-2CB4KY7I.cjs');
+var chunkQJNKSFDJ_cjs = require('./chunk-QJNKSFDJ.cjs');
+var chunkORF4CT74_cjs = require('./chunk-ORF4CT74.cjs');
+var chunkK623Q6WD_cjs = require('./chunk-K623Q6WD.cjs');
+var chunkJ6JTWD2A_cjs = require('./chunk-J6JTWD2A.cjs');
 var chunkRCQ2HIQD_cjs = require('./chunk-RCQ2HIQD.cjs');
+var zod = require('zod');
 var jwt = require('hono/jwt');
 var cookie = require('hono/cookie');
 
+// src/services/document-type-registry.ts
+function rowToDocumentType(row) {
+  return {
+    id: row.id,
+    name: row.name,
+    displayName: row.display_name,
+    description: row.description,
+    schema: JSON.parse(row.schema),
+    queryableFields: JSON.parse(row.queryable_fields),
+    settings: JSON.parse(row.settings),
+    pluginId: row.plugin_id,
+    source: row.source,
+    schemaVersion: row.schema_version,
+    isSystem: row.is_system === 1,
+    isActive: row.is_active === 1,
+    isAuth: row.is_auth === 1,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at
+  };
+}
+var DocumentTypeRegistry = class {
+  constructor(db) {
+    this.db = db;
+  }
+  cache = /* @__PURE__ */ new Map();
+  // Register or update a document type. Idempotent: bumps schema_version only when schema changes.
+  async register(def) {
+    const now = Math.floor(Date.now() / 1e3);
+    const existing = await this.findById(def.id);
+    const schemaJson = JSON.stringify({ queryableFields: def.queryableFields ?? [], settings: def.settings ?? {} });
+    const queryableJson = JSON.stringify(def.queryableFields ?? []);
+    const settingsJson = JSON.stringify(def.settings ?? {});
+    if (existing) {
+      const schemaChanged = schemaJson !== JSON.stringify(existing.schema);
+      const newVersion = schemaChanged ? existing.schemaVersion + 1 : existing.schemaVersion;
+      await this.db.prepare(
+        `UPDATE document_types SET
+             display_name = ?,
+             description = ?,
+             schema = ?,
+             queryable_fields = ?,
+             settings = ?,
+             plugin_id = ?,
+             schema_version = ?,
+             is_active = 1,
+             is_auth = ?,
+             updated_at = ?
+           WHERE id = ?`
+      ).bind(
+        def.displayName,
+        def.description ?? null,
+        schemaJson,
+        queryableJson,
+        settingsJson,
+        def.pluginId ?? null,
+        newVersion,
+        def.isAuth ? 1 : 0,
+        now,
+        def.id
+      ).run();
+      await chunkORF4CT74_cjs.ensureScalarSchema(this.db, def.id, def.queryableFields ?? []);
+      const updated = await this.findById(def.id);
+      this.cache.set(def.id, updated);
+      return updated;
+    }
+    await this.db.prepare(
+      `INSERT INTO document_types (id, name, display_name, description, schema, queryable_fields, settings, plugin_id, source, schema_version, is_system, is_active, is_auth, created_at, updated_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, 1, 0, 1, ?, ?, ?)`
+    ).bind(
+      def.id,
+      def.name ?? def.id,
+      def.displayName,
+      def.description ?? null,
+      schemaJson,
+      queryableJson,
+      settingsJson,
+      def.pluginId ?? null,
+      def.source ?? "code",
+      def.isAuth ? 1 : 0,
+      now,
+      now
+    ).run();
+    await chunkORF4CT74_cjs.ensureScalarSchema(this.db, def.id, def.queryableFields ?? []);
+    const created = await this.findById(def.id);
+    this.cache.set(def.id, created);
+    return created;
+  }
+  async findById(id) {
+    if (this.cache.has(id)) return this.cache.get(id);
+    const row = await this.db.prepare("SELECT * FROM document_types WHERE id = ?").bind(id).first();
+    if (!row) return null;
+    const dt = rowToDocumentType(row);
+    this.cache.set(id, dt);
+    return dt;
+  }
+  async findAll(activeOnly = true) {
+    const sql = activeOnly ? "SELECT * FROM document_types WHERE is_active = 1 ORDER BY name" : "SELECT * FROM document_types ORDER BY name";
+    const result = await this.db.prepare(sql).all();
+    return (result.results ?? []).map(rowToDocumentType);
+  }
+  async deactivate(id) {
+    const now = Math.floor(Date.now() / 1e3);
+    await this.db.prepare("UPDATE document_types SET is_active = 0, updated_at = ? WHERE id = ?").bind(now, id).run();
+    this.cache.delete(id);
+  }
+  clearCache() {
+    this.cache.clear();
+  }
+};
+
+// src/services/document-types-seed.ts
+var anyObject = zod.z.record(zod.z.string(), zod.z.unknown());
+async function bootstrapDocumentTypes(db) {
+  const registry = new DocumentTypeRegistry(db);
+  await registry.register({
+    id: "site_settings",
+    name: "site_settings",
+    displayName: "Site Settings",
+    description: "Global site configuration (internal; managed via admin settings UI)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      internal: true,
+      maxVersionsPerRoot: 1,
+      baseGrants: { admin: ["read", "create", "update", "delete", "manage"] }
+    },
+    queryableFields: []
+  });
+  await registry.register({
+    id: "blog_post",
+    name: "blog_post",
+    displayName: "Blog Post",
+    description: "Blog post (document-backed; edited via the content collection UI)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      baseGrants: { public: ["read"], admin: ["read", "create", "update", "delete", "publish", "manage"], editor: ["read", "create", "update", "publish"], viewer: ["read"] },
+      maxVersionsPerRoot: 50
+    },
+    queryableFields: [
+      { name: "difficulty", kind: "scalar", type: "text", column: "q_blog_difficulty" },
+      { name: "author", kind: "scalar", type: "text", column: "q_blog_author" }
+    ]
+  });
+  await registry.register({
+    id: "plugin",
+    name: "plugin",
+    displayName: "Plugin",
+    description: "System plugin record (managed by the plugin bootstrap service)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      baseGrants: { admin: ["read", "create", "update", "delete", "publish", "manage"] },
+      maxVersionsPerRoot: 1,
+      internal: true
+    },
+    queryableFields: [
+      { name: "status", kind: "scalar", type: "text", column: "q_plugin_status" },
+      { name: "category", kind: "scalar", type: "text", column: "q_plugin_category" },
+      { name: "isCore", kind: "scalar", type: "integer", column: "q_plugin_is_core" }
+    ]
+  });
+  await registry.register({
+    id: "tenant",
+    name: "tenant",
+    displayName: "Tenant",
+    description: "Tenant record (managed by the multi-tenant plugin; slug = tenant id)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      baseGrants: { admin: ["read", "create", "update", "delete", "manage"] },
+      maxVersionsPerRoot: 1,
+      internal: true
+    },
+    queryableFields: [
+      { name: "status", kind: "scalar", type: "text", column: "q_tenant_status" },
+      { name: "domain", kind: "scalar", type: "text", column: "q_tenant_domain" }
+    ]
+  });
+  await registry.register({
+    id: "user_profile",
+    name: "user_profile",
+    displayName: "User Profile",
+    description: "Per-user profile record (auth-owned; one document per user, slug = userId)",
+    source: "system",
+    isAuth: true,
+    schema: anyObject,
+    settings: {
+      // Hidden from the content admin surfaces; a single mutable record (no version history).
+      internal: true,
+      maxVersionsPerRoot: 1,
+      pii: true,
+      baseGrants: { admin: ["read", "create", "update", "delete", "manage"] }
+    },
+    queryableFields: []
+  });
+  await registry.register({
+    id: "media_asset",
+    name: "media_asset",
+    displayName: "Media Asset",
+    description: "Uploaded media file metadata (managed via the media library; backs an R2 object)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      internal: true,
+      maxVersionsPerRoot: 5,
+      baseGrants: {
+        admin: ["read", "create", "update", "delete", "manage"],
+        editor: ["read", "create", "update"],
+        author: ["read", "create"],
+        viewer: ["read"]
+      }
+    },
+    queryableFields: [
+      { name: "mimeType", kind: "scalar", type: "text", column: "q_media_mime" },
+      { name: "folder", kind: "scalar", type: "text", column: "q_media_folder" },
+      { name: "size", kind: "scalar", type: "integer", column: "q_media_size" },
+      { name: "tags", kind: "facet", type: "text" }
+    ]
+  });
+  await registry.register({
+    id: "plugin_activity",
+    name: "plugin_activity",
+    displayName: "Plugin Activity",
+    description: "Plugin lifecycle event log (installed/activated/deactivated/settings_updated/error)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      internal: true,
+      maxVersionsPerRoot: 1,
+      baseGrants: { admin: ["read", "create", "manage"] }
+    },
+    queryableFields: [
+      { name: "pluginId", kind: "scalar", type: "text", column: "q_plugin_activity_plugin_id" },
+      { name: "action", kind: "scalar", type: "text", column: "q_plugin_activity_action" }
+    ]
+  });
+  await registry.register({
+    id: "security_event",
+    name: "security_event",
+    displayName: "Security Event",
+    description: "Security audit event (login attempts, lockouts, suspicious activity)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      internal: true,
+      maxVersionsPerRoot: 1,
+      baseGrants: { admin: ["read", "create", "manage"] }
+    },
+    queryableFields: [
+      { name: "eventType", kind: "scalar", type: "text", column: "q_sa_event_type" },
+      { name: "severity", kind: "scalar", type: "text", column: "q_sa_severity" },
+      { name: "userId", kind: "scalar", type: "text", column: "q_sa_user_id" },
+      { name: "email", kind: "scalar", type: "text", column: "q_sa_email" },
+      { name: "ipAddress", kind: "scalar", type: "text", column: "q_sa_ip_address" },
+      { name: "blocked", kind: "scalar", type: "integer", column: "q_sa_blocked" }
+    ]
+  });
+  await registry.register({
+    id: "analytics_event",
+    name: "analytics_event",
+    displayName: "Analytics Event",
+    description: "Tracked analytics event (page view, user action, custom event)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      internal: true,
+      maxVersionsPerRoot: 1,
+      baseGrants: { admin: ["read", "create", "manage"] }
+    },
+    queryableFields: [
+      { name: "event", kind: "scalar", type: "text", column: "q_evt_event" },
+      { name: "category", kind: "scalar", type: "text", column: "q_evt_category" },
+      { name: "userId", kind: "scalar", type: "text", column: "q_evt_user_id" },
+      { name: "sessionId", kind: "scalar", type: "text", column: "q_evt_session_id" },
+      { name: "path", kind: "scalar", type: "text", column: "q_evt_path" }
+    ]
+  });
+  await registry.register({
+    id: "media_asset",
+    name: "media_asset",
+    displayName: "Media Asset",
+    description: "Media file metadata (R2 object key + intrinsic properties; URL derived at read time)",
+    source: "system",
+    schema: anyObject,
+    settings: {
+      baseGrants: { public: ["read"], admin: ["read", "create", "update", "delete", "publish", "manage"], editor: ["read", "create", "update"] },
+      maxVersionsPerRoot: 5
+    },
+    queryableFields: [
+      { name: "mimeType", kind: "scalar", type: "text", column: "q_media_mime" },
+      { name: "folder", kind: "scalar", type: "text", column: "q_media_folder" },
+      { name: "size", kind: "scalar", type: "integer", column: "q_media_size" },
+      { name: "tags", kind: "facet", type: "text" }
+    ]
+  });
+  for (const [id, displayName, description] of [
+    ["rbac_role", "RBAC Role", "Role record with embedded grants (auth-owned)"],
+    ["rbac_verb", "RBAC Verb", "Permission verb (auth-owned)"],
+    ["rbac_user_roles", "RBAC User Roles", "Per-user role assignments (auth-owned; slug = userId)"]
+  ]) {
+    await registry.register({
+      id,
+      name: id,
+      displayName,
+      description,
+      source: "system",
+      isAuth: true,
+      schema: anyObject,
+      settings: {
+        internal: true,
+        maxVersionsPerRoot: 1,
+        baseGrants: { admin: ["read", "create", "update", "delete", "manage"] }
+      },
+      queryableFields: []
+    });
+  }
+}
+async function autoRegisterCollectionDocumentTypes(db) {
+  const registry = new DocumentTypeRegistry(db);
+  const collections = chunkQJNKSFDJ_cjs.getCollectionRegistry().listActive();
+  const registered = [];
+  for (const collection of collections) {
+    if (collection.internal) continue;
+    if (collection.name === "blog_post") continue;
+    try {
+      await registry.register({
+        id: collection.name,
+        name: collection.name,
+        displayName: collection.displayName,
+        description: collection.description,
+        source: "system",
+        schema: anyObject,
+        settings: {
+          baseGrants: {
+            public: ["read"],
+            admin: ["read", "create", "update", "delete", "publish", "manage"],
+            editor: ["read", "create", "update", "publish"],
+            viewer: ["read"]
+          },
+          maxVersionsPerRoot: 50,
+          ...collection.versioning ? { versioning: true } : {}
+        },
+        queryableFields: []
+      });
+      registered.push(collection.name);
+    } catch (error) {
+      console.error(`[document-types-seed] Failed to register collection "${collection.name}":`, error);
+    }
+  }
+  return registered;
+}
+
 // src/middleware/bootstrap.ts
+chunkK623Q6WD_cjs.init_admin_layout_catalyst_template();
 var bootstrapComplete = false;
 function verifySecurityConfig(env) {
   const warnings = [];
@@ -47,6 +405,9 @@ function verifySecurityConfig(env) {
 }
 function bootstrapMiddleware(config = {}) {
   return async (c, next) => {
+    if (chunkJ6JTWD2A_cjs.hasHookSystem()) {
+      c.set("hookSystem", chunkJ6JTWD2A_cjs.getHookSystem());
+    }
     if (bootstrapComplete) {
       return next();
     }
@@ -54,26 +415,58 @@ function bootstrapMiddleware(config = {}) {
     if (path.startsWith("/images/") || path.startsWith("/assets/") || path === "/health" || path.endsWith(".js") || path.endsWith(".css") || path.endsWith(".png") || path.endsWith(".jpg") || path.endsWith(".ico")) {
       return next();
     }
+    const host = c.req.header("host") || "";
+    const isLocalhost = host.includes("localhost") || host.includes("127.0.0.1");
+    const gitBranch = c.env.GIT_BRANCH;
+    chunkK623Q6WD_cjs.setBranchLabel(isLocalhost && gitBranch ? gitBranch : void 0);
     try {
       console.log("[Bootstrap] Starting system initialization...");
-      console.log("[Bootstrap] Running database migrations...");
-      const migrationService = new chunkRLMUFFUD_cjs.MigrationService(c.env.DB);
-      await migrationService.runPendingMigrations();
-      console.log("[Bootstrap] Syncing collection configurations...");
+      console.log("[Bootstrap] Checking schema compatibility...");
+      const migrationService = new chunkORF4CT74_cjs.MigrationService(c.env.DB);
+      await migrationService.ensureSchemaCompatibility();
       try {
-        await chunkE4YFJBM2_cjs.syncCollections(c.env.DB);
+        const kv = c.env.CACHE_KV;
+        if (kv) {
+          const { setGlobalKVNamespace } = await import('./cache-LVYS4BPL.cjs');
+          setGlobalKVNamespace(kv);
+        }
       } catch (error) {
-        console.error("[Bootstrap] Error syncing collections:", error);
+        console.error("[Bootstrap] Error wiring CACHE_KV namespace:", error);
       }
-      console.log("[Bootstrap] Syncing form collections...");
+      console.log("[Bootstrap] Populating collection registry...");
       try {
-        await chunkE4YFJBM2_cjs.syncAllFormCollections(c.env.DB);
+        const configs = await chunkQJNKSFDJ_cjs.loadCollectionConfigs();
+        chunkQJNKSFDJ_cjs.getCollectionRegistry().register(configs);
+        console.log(`[Bootstrap] Registry populated with ${configs.length} collection(s)`);
       } catch (error) {
-        console.error("[Bootstrap] Error syncing form collections:", error);
+        console.error("[Bootstrap] Error populating collection registry:", error);
+      }
+      console.log("[Bootstrap] Registering document types...");
+      try {
+        await bootstrapDocumentTypes(c.env.DB);
+      } catch (error) {
+        console.error("[Bootstrap] Error registering document types:", error);
+      }
+      try {
+        await repairMissingCredentialAccounts(c.env.DB);
+      } catch (error) {
+        console.error("[Bootstrap] Error repairing credential accounts:", error);
+      }
+      try {
+        const { RbacService: RbacService2 } = await import('./rbac-VONLJJKB.cjs');
+        await new RbacService2(c.env.DB, c.env.CACHE_KV).ensureSystemRbacSeed();
+      } catch (error) {
+        console.error("[Bootstrap] Error seeding RBAC documents:", error);
+      }
+      try {
+        const auto = await autoRegisterCollectionDocumentTypes(c.env.DB);
+        if (auto.length) console.log(`[Bootstrap] Document-backed collections registered: ${auto.join(", ")}`);
+      } catch (error) {
+        console.error("[Bootstrap] Error auto-registering collection document types:", error);
       }
       if (!config.plugins?.disableAll) {
         console.log("[Bootstrap] Bootstrapping core plugins...");
-        const bootstrapService = new chunkE4YFJBM2_cjs.PluginBootstrapService(c.env.DB);
+        const bootstrapService = new chunkQJNKSFDJ_cjs.PluginBootstrapService(c.env.DB);
         const needsBootstrap = await bootstrapService.isBootstrapNeeded();
         if (needsBootstrap) {
           await bootstrapService.bootstrapCorePlugins();
@@ -83,6 +476,52 @@ function bootstrapMiddleware(config = {}) {
       }
       bootstrapComplete = true;
       console.log("[Bootstrap] System initialization completed");
+      try {
+        const registry = chunkQJNKSFDJ_cjs.getCollectionRegistry();
+        const collections = registry.listActive();
+        const countResult = await c.env.DB.prepare(
+          `SELECT type_id, COUNT(*) AS cnt FROM documents
+           WHERE is_current_draft = 1 AND deleted_at IS NULL GROUP BY type_id`
+        ).all();
+        const countMap = {};
+        let docTotal = 0;
+        for (const row of countResult.results ?? []) {
+          countMap[row.type_id] = row.cnt;
+          docTotal += row.cnt;
+        }
+        const fieldTypeHistogram = {};
+        for (const col of collections) {
+          const props = col.schema?.properties ?? {};
+          for (const field of Object.values(props)) {
+            const ft = field?.type ?? "unknown";
+            fieldTypeHistogram[ft] = (fieldTypeHistogram[ft] ?? 0) + 1;
+          }
+        }
+        const activePlugins = (config.plugins?.register ?? []).map((p) => p.name ?? "unknown");
+        let installationId = "unknown";
+        try {
+          const kv = c.env.KV;
+          if (kv) {
+            installationId = await kv.get("_sonicjs_installation_id") ?? "";
+            if (!installationId) {
+              installationId = crypto.randomUUID();
+              await kv.put("_sonicjs_installation_id", installationId);
+            }
+          }
+        } catch {
+        }
+        const telemetry = chunkQJNKSFDJ_cjs.getTelemetryService();
+        await telemetry.trackProjectSnapshot({
+          installation_id: installationId,
+          collection_names: collections.map((c2) => c2.name),
+          collection_counts: countMap,
+          active_plugins: activePlugins,
+          field_type_histogram: fieldTypeHistogram,
+          doc_total: docTotal,
+          sonicjs_version: c.env.SONICJS_VERSION ?? "unknown"
+        });
+      } catch {
+      }
     } catch (error) {
       console.error("[Bootstrap] Error during system initialization:", error);
     }
@@ -90,6 +529,27 @@ function bootstrapMiddleware(config = {}) {
     return next();
   };
 }
+async function repairMissingCredentialAccounts(db) {
+  const { results } = await db.prepare(`
+    SELECT u.id, u.password_hash
+    FROM auth_user u
+    WHERE u.password_hash IS NOT NULL AND u.password_hash != ''
+    AND NOT EXISTS (
+      SELECT 1 FROM auth_account a
+      WHERE a.user_id = u.id AND a.provider_id = 'credential'
+    )
+  `).all();
+  if (!results.length) return;
+  console.log(`[Bootstrap] Repairing ${results.length} user(s) missing credential auth_account rows`);
+  const nowSec = Math.floor(Date.now() / 1e3);
+  for (const user of results) {
+    await db.prepare(`
+      INSERT OR IGNORE INTO auth_account (id, user_id, account_id, provider_id, password, created_at, updated_at)
+      VALUES (?, ?, ?, 'credential', ?, ?, ?)
+    `).bind(`cred-${user.id}`, user.id, user.id, user.password_hash, nowSec, nowSec).run();
+  }
+  console.log(`[Bootstrap] Credential account repair complete (${results.length} repaired)`);
+}
 var JWT_SECRET_FALLBACK = "your-super-secret-jwt-key-change-in-production";
 var DEFAULT_JWT_EXPIRES_IN_SECONDS = 60 * 60 * 24 * 30;
 function parseDuration(input) {
@@ -121,14 +581,10 @@ async function getJwtExpirySecondsFromDb(db, env) {
   if (envParsed) return envParsed;
   if (db) {
     try {
-      const row = await db.prepare("SELECT value FROM settings WHERE category = 'security' AND key = 'jwtExpiresIn'").first();
-      if (row?.value) {
-        let stored = row.value;
-        try {
-          stored = JSON.parse(row.value);
-        } catch {
-        }
-        const parsed = parseDuration(stored);
+      const row = await db.prepare("SELECT data FROM documents WHERE type_id = 'site_settings' AND slug = 'security' AND tenant_id = 'default' AND is_current_draft = 1 AND deleted_at IS NULL").first();
+      if (row?.data) {
+        const data = JSON.parse(row.data);
+        const parsed = parseDuration(data.jwtExpiresIn);
         if (parsed) return parsed;
       }
     } catch (err) {
@@ -143,14 +599,10 @@ async function getJwtRefreshGraceSecondsFromDb(db, env) {
   if (envParsed) return envParsed;
   if (db) {
     try {
-      const row = await db.prepare("SELECT value FROM settings WHERE category = 'security' AND key = 'jwtRefreshGraceSeconds'").first();
-      if (row?.value) {
-        let stored = row.value;
-        try {
-          stored = JSON.parse(row.value);
-        } catch {
-        }
-        const parsed = parseDuration(stored);
+      const row = await db.prepare("SELECT data FROM documents WHERE type_id = 'site_settings' AND slug = 'security' AND tenant_id = 'default' AND is_current_draft = 1 AND deleted_at IS NULL").first();
+      if (row?.data) {
+        const data = JSON.parse(row.data);
+        const parsed = parseDuration(data.jwtRefreshGraceSeconds?.toString());
         if (parsed) return parsed;
       }
     } catch (err) {
@@ -376,52 +828,15 @@ var AuthManager = class _AuthManager {
 };
 var requireAuth = () => {
   return async (c, next) => {
-    try {
-      let token = c.req.header("Authorization")?.replace("Bearer ", "");
-      if (!token) {
-        token = cookie.getCookie(c, "auth_token");
-      }
-      if (!token) {
-        const acceptHeader = c.req.header("Accept") || "";
-        if (acceptHeader.includes("text/html")) {
-          return c.redirect("/auth/login?error=Please login to access the admin area");
-        }
-        return c.json({ error: "Authentication required" }, 401);
-      }
-      const kv = c.env?.KV;
-      let payload = null;
-      if (kv) {
-        const cacheKey = `auth:${token.substring(0, 20)}`;
-        const cached = await kv.get(cacheKey, "json");
-        if (cached) {
-          payload = cached;
-        }
-      }
-      if (!payload) {
-        const jwtSecret = c.env?.JWT_SECRET;
-        payload = await AuthManager.verifyToken(token, jwtSecret);
-        if (payload && kv) {
-          const cacheKey = `auth:${token.substring(0, 20)}`;
-          await kv.put(cacheKey, JSON.stringify(payload), { expirationTtl: 300 });
-        }
-      }
-      if (!payload) {
-        const acceptHeader = c.req.header("Accept") || "";
-        if (acceptHeader.includes("text/html")) {
-          return c.redirect("/auth/login?error=Your session has expired, please login again");
-        }
-        return c.json({ error: "Invalid or expired token" }, 401);
-      }
-      c.set("user", payload);
-      return await next();
-    } catch (error) {
-      console.error("Auth middleware error:", error);
+    const user = c.get("user");
+    if (!user) {
       const acceptHeader = c.req.header("Accept") || "";
       if (acceptHeader.includes("text/html")) {
-        return c.redirect("/auth/login?error=Authentication failed, please login again");
+        return c.redirect("/auth/login?error=Please login to access the admin area");
       }
-      return c.json({ error: "Authentication failed" }, 401);
+      return c.json({ error: "Authentication required" }, 401);
     }
+    return await next();
   };
 };
 var requireRole = (requiredRole) => {
@@ -445,25 +860,36 @@ var requireRole = (requiredRole) => {
     return await next();
   };
 };
-var optionalAuth = () => {
+var requireRbac = (resource, verb) => {
   return async (c, next) => {
-    try {
-      let token = c.req.header("Authorization")?.replace("Bearer ", "");
-      if (!token) {
-        token = cookie.getCookie(c, "auth_token");
+    const user = c.get("user");
+    if (!user) {
+      const acceptHeader = c.req.header("Accept") || "";
+      if (acceptHeader.includes("text/html")) {
+        return c.redirect("/auth/login?error=Please login to access the admin area");
       }
-      if (token) {
-        const jwtSecret = c.env?.JWT_SECRET;
-        const payload = await AuthManager.verifyToken(token, jwtSecret);
-        if (payload) {
-          c.set("user", payload);
-        }
+      return c.json({ error: "Authentication required" }, 401);
+    }
+    const cachedPerms = c.get("rbacPerms");
+    let allowed;
+    if (cachedPerms !== void 0) {
+      allowed = cachedPerms.includes(`${resource}:${verb}`);
+    } else {
+      allowed = await new chunk2CB4KY7I_cjs.RbacService(c.env.DB).can(user.userId, resource, verb);
+    }
+    if (!allowed) {
+      const acceptHeader = c.req.header("Accept") || "";
+      if (acceptHeader.includes("text/html")) {
+        return c.redirect("/auth/login?error=You do not have permission to access this area");
       }
-      return await next();
-    } catch (error) {
-      console.error("Optional auth error:", error);
-      return await next();
+      return c.json({ error: "Insufficient permissions" }, 403);
     }
+    return await next();
+  };
+};
+var optionalAuth = () => {
+  return async (_c, next) => {
+    return await next();
   };
 };
 
@@ -531,11 +957,17 @@ var DEFAULT_EXEMPT_PATHS = [
   "/auth/login",
   "/auth/register",
   "/auth/seed-admin",
+  "/test-seed-defaults",
+  "/test-cleanup",
   "/auth/accept-invitation",
   "/auth/reset-password",
   "/auth/request-password-reset",
   "/auth/otp",
   "/auth/magic-link",
+  "/auth/sign-out",
+  "/auth/sign-in",
+  "/auth/sign-up",
+  "/auth/get-session",
   "/auth/verify",
   "/api/stripe/webhook",
   "/api/events"
@@ -699,6 +1131,45 @@ var securityHeadersMiddleware = () => {
   };
 };
 
+// src/middleware/plugin-middleware.ts
+async function isPluginActive(db, pluginId) {
+  try {
+    const docResult = await db.prepare(
+      `SELECT json_extract(data, '$.status') as status FROM documents
+         WHERE slug = ? AND type_id = 'plugin' AND tenant_id = 'default'
+           AND is_current_draft = 1 AND deleted_at IS NULL`
+    ).bind(pluginId).first();
+    return docResult?.status === "active";
+  } catch (error) {
+    console.error(`[isPluginActive] Error checking plugin status for ${pluginId}:`, error);
+    return false;
+  }
+}
+async function requireActivePlugin(db, pluginId) {
+  const isActive = await isPluginActive(db, pluginId);
+  if (!isActive) {
+    throw new Error(`Plugin '${pluginId}' is required but is not active`);
+  }
+}
+async function requireActivePlugins(db, pluginIds) {
+  for (const pluginId of pluginIds) {
+    await requireActivePlugin(db, pluginId);
+  }
+}
+async function getActivePlugins(db) {
+  try {
+    const { results } = await db.prepare(
+      `SELECT slug as id, json_extract(data, '$.status') as status, data FROM documents
+         WHERE type_id = 'plugin' AND tenant_id = 'default'
+           AND q_plugin_status = 'active' AND is_current_draft = 1 AND deleted_at IS NULL`
+    ).all();
+    return results || [];
+  } catch (error) {
+    console.error("[getActivePlugins] Error fetching active plugins:", error);
+    return [];
+  }
+}
+
 // src/middleware/index.ts
 var loggingMiddleware = () => async (_c, next) => await next();
 var detailedLoggingMiddleware = () => async (_c, next) => await next();
@@ -711,13 +1182,11 @@ var requirePermission = () => async (_c, next) => await next();
 var requireAnyPermission = () => async (_c, next) => await next();
 var logActivity = () => {
 };
-var requireActivePlugin = () => async (_c, next) => await next();
-var requireActivePlugins = () => async (_c, next) => await next();
-var getActivePlugins = () => [];
-var isPluginActive = () => false;
 
 exports.AuthManager = AuthManager;
+exports.DocumentTypeRegistry = DocumentTypeRegistry;
 exports.PermissionManager = PermissionManager;
+exports.bootstrapDocumentTypes = bootstrapDocumentTypes;
 exports.bootstrapMiddleware = bootstrapMiddleware;
 exports.cacheHeaders = cacheHeaders;
 exports.compressionMiddleware = compressionMiddleware;
@@ -740,10 +1209,11 @@ exports.requireActivePlugins = requireActivePlugins;
 exports.requireAnyPermission = requireAnyPermission;
 exports.requireAuth = requireAuth;
 exports.requirePermission = requirePermission;
+exports.requireRbac = requireRbac;
 exports.requireRole = requireRole;
 exports.securityHeadersMiddleware = securityHeadersMiddleware;
 exports.securityLoggingMiddleware = securityLoggingMiddleware;
 exports.validateCsrfToken = validateCsrfToken;
 exports.verifySecurityConfig = verifySecurityConfig;
-//# sourceMappingURL=chunk-7A4CB7T3.cjs.map
-//# sourceMappingURL=chunk-7A4CB7T3.cjs.map
+//# sourceMappingURL=chunk-YJEBDJDV.cjs.map
+//# sourceMappingURL=chunk-YJEBDJDV.cjs.map