npm - @wecode-team/cms-supabase-api - Versions diffs - 0.1.33 → 0.1.35 - Mend

@wecode-team/cms-supabase-api 0.1.33 → 0.1.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +77 -1
package/USAGE_EXAMPLE.md +70 -3
package/dist/handlers/upload.d.ts +25 -0
package/dist/index.d.ts +4 -1
package/dist/index.esm.js +841 -182
package/dist/index.esm.js.map +1 -1
package/dist/index.js +846 -181
package/dist/index.js.map +1 -1
package/dist/services/oss-upload.service.d.ts +13 -0
package/dist/types/index.d.ts +1 -0
package/dist/types/upload.d.ts +47 -0
package/dist/utils/route-helpers.d.ts +1 -0
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -1029,11 +1029,11 @@ function _defineProperty(e, r, t) {
   }) : e[r] = t, e;
 }
-function ownKeys$2(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
-function _objectSpread$2(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys$2(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys$2(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
-function _createForOfIteratorHelper$1(r, e) { var t = "undefined" != typeof Symbol && r[Symbol.iterator] || r["@@iterator"]; if (!t) { if (Array.isArray(r) || (t = _unsupportedIterableToArray$2(r)) || e && r && "number" == typeof r.length) { t && (r = t); var _n = 0, F = function F() {}; return { s: F, n: function n() { return _n >= r.length ? { done: !0 } : { done: !1, value: r[_n++] }; }, e: function e(r) { throw r; }, f: F }; } throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); } var o, a = !0, u = !1; return { s: function s() { t = t.call(r); }, n: function n() { var r = t.next(); return a = r.done, r; }, e: function e(r) { u = !0, o = r; }, f: function f() { try { a || null == t["return"] || t["return"](); } finally { if (u) throw o; } } }; }
-function _unsupportedIterableToArray$2(r, a) { if (r) { if ("string" == typeof r) return _arrayLikeToArray$2(r, a); var t = {}.toString.call(r).slice(8, -1); return "Object" === t && r.constructor && (t = r.constructor.name), "Map" === t || "Set" === t ? Array.from(r) : "Arguments" === t || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(t) ? _arrayLikeToArray$2(r, a) : void 0; } }
-function _arrayLikeToArray$2(r, a) { (null == a || a > r.length) && (a = r.length); for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e]; return n; }
+function ownKeys$3(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
+function _objectSpread$3(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys$3(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys$3(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
+function _createForOfIteratorHelper$3(r, e) { var t = "undefined" != typeof Symbol && r[Symbol.iterator] || r["@@iterator"]; if (!t) { if (Array.isArray(r) || (t = _unsupportedIterableToArray$4(r)) || e && r && "number" == typeof r.length) { t && (r = t); var _n = 0, F = function F() {}; return { s: F, n: function n() { return _n >= r.length ? { done: !0 } : { done: !1, value: r[_n++] }; }, e: function e(r) { throw r; }, f: F }; } throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); } var o, a = !0, u = !1; return { s: function s() { t = t.call(r); }, n: function n() { var r = t.next(); return a = r.done, r; }, e: function e(r) { u = !0, o = r; }, f: function f() { try { a || null == t["return"] || t["return"](); } finally { if (u) throw o; } } }; }
+function _unsupportedIterableToArray$4(r, a) { if (r) { if ("string" == typeof r) return _arrayLikeToArray$4(r, a); var t = {}.toString.call(r).slice(8, -1); return "Object" === t && r.constructor && (t = r.constructor.name), "Map" === t || "Set" === t ? Array.from(r) : "Arguments" === t || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(t) ? _arrayLikeToArray$4(r, a) : void 0; } }
+function _arrayLikeToArray$4(r, a) { (null == a || a > r.length) && (a = r.length); for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e]; return n; }
 // 字段类型映射到PostgreSQL类型
 var fieldTypeMapping = {
   string: "text",
@@ -1123,7 +1123,7 @@ var DynamicTableService = /*#__PURE__*/function () {
     value: function applySupabaseFilters(query, filters) {
       if (!filters || filters.length === 0) return query;
       var q = query;
-      var _iterator = _createForOfIteratorHelper$1(filters),
+      var _iterator = _createForOfIteratorHelper$3(filters),
         _step;
       try {
         for (_iterator.s(); !(_step = _iterator.n()).done;) {
@@ -2085,7 +2085,7 @@ var DynamicTableService = /*#__PURE__*/function () {
               throw error;
             case 2:
               return _context14.abrupt("return", (data || []).map(function (item) {
-                return _objectSpread$2({
+                return _objectSpread$3({
                   id: item.id,
                   label: item[displayField] || "ID: ".concat(item.id)
                 }, item);
@@ -2198,8 +2198,8 @@ function getDynamicTableService() {
   return defaultService$1;
 }
-function ownKeys$1(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
-function _objectSpread$1(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys$1(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys$1(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
+function ownKeys$2(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
+function _objectSpread$2(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys$2(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys$2(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
 var AuthService = /*#__PURE__*/function () {
   function AuthService() {
     _classCallCheck(this, AuthService);
@@ -2376,7 +2376,7 @@ var AuthService = /*#__PURE__*/function () {
         return _regeneratorRuntime.wrap(function (_context4) {
           while (1) switch (_context4.prev = _context4.next) {
             case 0:
-              finalUserData = _objectSpread$1({
+              finalUserData = _objectSpread$2({
                 tableName: this.defaultTableName
               }, userData);
               _context4.prev = 1;
@@ -2434,7 +2434,7 @@ var AuthService = /*#__PURE__*/function () {
             case 0:
               updateData = _args5.length > 1 && _args5[1] !== undefined ? _args5[1] : {};
               // 设置默认值
-              finalUpdateData = _objectSpread$1({
+              finalUpdateData = _objectSpread$2({
                 tableName: this.defaultTableName
               }, updateData);
               _context5.prev = 1;
@@ -2706,10 +2706,652 @@ function getAuthService() {
   return defaultService;
 }
+function _objectWithoutPropertiesLoose(r, e) {
+  if (null == r) return {};
+  var t = {};
+  for (var n in r) if ({}.hasOwnProperty.call(r, n)) {
+    if (-1 !== e.indexOf(n)) continue;
+    t[n] = r[n];
+  }
+  return t;
+}
+function _objectWithoutProperties(e, t) {
+  if (null == e) return {};
+  var o,
+    r,
+    i = _objectWithoutPropertiesLoose(e, t);
+  if (Object.getOwnPropertySymbols) {
+    var n = Object.getOwnPropertySymbols(e);
+    for (r = 0; r < n.length; r++) o = n[r], -1 === t.indexOf(o) && {}.propertyIsEnumerable.call(e, o) && (i[o] = e[o]);
+  }
+  return i;
+}
+function _assertThisInitialized(e) {
+  if (void 0 === e) throw new ReferenceError("this hasn't been initialised - super() hasn't been called");
+  return e;
+}
+function _possibleConstructorReturn(t, e) {
+  if (e && ("object" == _typeof$1(e) || "function" == typeof e)) return e;
+  if (void 0 !== e) throw new TypeError("Derived constructors may only return object or undefined");
+  return _assertThisInitialized(t);
+}
+function _getPrototypeOf(t) {
+  return _getPrototypeOf = Object.setPrototypeOf ? Object.getPrototypeOf.bind() : function (t) {
+    return t.__proto__ || Object.getPrototypeOf(t);
+  }, _getPrototypeOf(t);
+}
+function _setPrototypeOf(t, e) {
+  return _setPrototypeOf = Object.setPrototypeOf ? Object.setPrototypeOf.bind() : function (t, e) {
+    return t.__proto__ = e, t;
+  }, _setPrototypeOf(t, e);
+}
+function _inherits(t, e) {
+  if ("function" != typeof e && null !== e) throw new TypeError("Super expression must either be null or a function");
+  t.prototype = Object.create(e && e.prototype, {
+    constructor: {
+      value: t,
+      writable: !0,
+      configurable: !0
+    }
+  }), Object.defineProperty(t, "prototype", {
+    writable: !1
+  }), e && _setPrototypeOf(t, e);
+}
+function _isNativeFunction(t) {
+  try {
+    return -1 !== Function.toString.call(t).indexOf("[native code]");
+  } catch (n) {
+    return "function" == typeof t;
+  }
+}
+function _isNativeReflectConstruct$1() {
+  try {
+    var t = !Boolean.prototype.valueOf.call(Reflect.construct(Boolean, [], function () {}));
+  } catch (t) {}
+  return (_isNativeReflectConstruct$1 = function _isNativeReflectConstruct() {
+    return !!t;
+  })();
+}
+function _construct(t, e, r) {
+  if (_isNativeReflectConstruct$1()) return Reflect.construct.apply(null, arguments);
+  var o = [null];
+  o.push.apply(o, e);
+  var p = new (t.bind.apply(t, o))();
+  return r && _setPrototypeOf(p, r.prototype), p;
+}
+function _wrapNativeSuper(t) {
+  var r = "function" == typeof Map ? new Map() : void 0;
+  return _wrapNativeSuper = function _wrapNativeSuper(t) {
+    if (null === t || !_isNativeFunction(t)) return t;
+    if ("function" != typeof t) throw new TypeError("Super expression must either be null or a function");
+    if (void 0 !== r) {
+      if (r.has(t)) return r.get(t);
+      r.set(t, Wrapper);
+    }
+    function Wrapper() {
+      return _construct(t, arguments, _getPrototypeOf(this).constructor);
+    }
+    return Wrapper.prototype = Object.create(t.prototype, {
+      constructor: {
+        value: Wrapper,
+        enumerable: !1,
+        writable: !0,
+        configurable: !0
+      }
+    }), _setPrototypeOf(Wrapper, t);
+  }, _wrapNativeSuper(t);
+}
+var _excluded$1 = ["accessKeyId", "accessKeySecret"];
+function ownKeys$1(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
+function _objectSpread$1(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys$1(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys$1(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
+function _createForOfIteratorHelper$2(r, e) { var t = "undefined" != typeof Symbol && r[Symbol.iterator] || r["@@iterator"]; if (!t) { if (Array.isArray(r) || (t = _unsupportedIterableToArray$3(r)) || e && r && "number" == typeof r.length) { t && (r = t); var _n = 0, F = function F() {}; return { s: F, n: function n() { return _n >= r.length ? { done: !0 } : { done: !1, value: r[_n++] }; }, e: function e(r) { throw r; }, f: F }; } throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); } var o, a = !0, u = !1; return { s: function s() { t = t.call(r); }, n: function n() { var r = t.next(); return a = r.done, r; }, e: function e(r) { u = !0, o = r; }, f: function f() { try { a || null == t["return"] || t["return"](); } finally { if (u) throw o; } } }; }
+function _unsupportedIterableToArray$3(r, a) { if (r) { if ("string" == typeof r) return _arrayLikeToArray$3(r, a); var t = {}.toString.call(r).slice(8, -1); return "Object" === t && r.constructor && (t = r.constructor.name), "Map" === t || "Set" === t ? Array.from(r) : "Arguments" === t || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(t) ? _arrayLikeToArray$3(r, a) : void 0; } }
+function _arrayLikeToArray$3(r, a) { (null == a || a > r.length) && (a = r.length); for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e]; return n; }
+function _callSuper(t, o, e) { return o = _getPrototypeOf(o), _possibleConstructorReturn(t, _isNativeReflectConstruct() ? Reflect.construct(o, e || [], _getPrototypeOf(t).constructor) : o.apply(t, e)); }
+function _isNativeReflectConstruct() { try { var t = !Boolean.prototype.valueOf.call(Reflect.construct(Boolean, [], function () {})); } catch (t) {} return (_isNativeReflectConstruct = function _isNativeReflectConstruct() { return !!t; })(); }
+var DEFAULT_MAX_SIZE = 2 * 1024 * 1024;
+var DEFAULT_SIGNED_URL_EXPIRES_IN = 60 * 60;
+var OssUploadError = /*#__PURE__*/function (_Error) {
+  function OssUploadError(message) {
+    var _this;
+    var status = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : 400;
+    _classCallCheck(this, OssUploadError);
+    _this = _callSuper(this, OssUploadError, [message]);
+    _this.name = "OssUploadError";
+    _this.status = status;
+    return _this;
+  }
+  _inherits(OssUploadError, _Error);
+  return _createClass(OssUploadError);
+}(/*#__PURE__*/_wrapNativeSuper(Error));
+function requiredValue(value, name) {
+  var trimmed = String(value || "").trim();
+  if (!trimmed) {
+    throw new OssUploadError("Missing required OSS config: ".concat(name), 500);
+  }
+  return trimmed;
+}
+function normalizeHost(value) {
+  return value.replace(/^https?:\/\//, "").replace(/\/+$/, "");
+}
+function buildBucketBaseUrl(bucket, endpoint) {
+  return "https://".concat(bucket, ".").concat(endpoint);
+}
+function normalizePublicBaseUrl(value, bucket, endpoint) {
+  var raw = String(value || "").trim();
+  if (!raw) {
+    return buildBucketBaseUrl(bucket, endpoint);
+  }
+  var withProtocol = /^https?:\/\//i.test(raw) ? raw : "https://".concat(raw);
+  try {
+    var url = new URL(withProtocol);
+    if (url.host === endpoint) {
+      url.host = "".concat(bucket, ".").concat(endpoint);
+    }
+    return url.toString().replace(/\/+$/, "");
+  } catch (_unused) {
+    return withProtocol.replace(/\/+$/, "");
+  }
+}
+function sanitizePathSegment(value) {
+  return String(value || "").trim().replace(/[^a-zA-Z0-9/_-]+/g, "-").replace(/\/{2,}/g, "/").replace(/^\/+|\/+$/g, "");
+}
+function extFromName() {
+  var name = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : "";
+  var match = String(name).match(/(\.[a-zA-Z0-9]+)$/);
+  return match ? match[1].toLowerCase() : "";
+}
+function encodeObjectKey(objectKey) {
+  return objectKey.split("/").map(function (segment) {
+    return encodeURIComponent(segment);
+  }).join("/");
+}
+function buildObjectKey(config, directory, originalName) {
+  var safeDirectory = sanitizePathSegment(directory || "uploads");
+  var safePrefix = sanitizePathSegment(config.prefix || "cms-assets");
+  var extension = extFromName(originalName) || ".bin";
+  var stamp = new Date().toISOString().replace(/[-:.TZ]/g, "").slice(0, 14);
+  var random = Math.random().toString(16).slice(2, 10).padEnd(8, "0");
+  return "".concat(safePrefix, "/").concat(safeDirectory, "/").concat(stamp, "-").concat(random).concat(extension);
+}
+function extractXmlField(errorText, fieldName) {
+  var match = String(errorText || "").match(new RegExp("<".concat(fieldName, ">([^<]+)</").concat(fieldName, ">"), "i"));
+  return match ? match[1].trim() : "";
+}
+function extractRecommendedEndpoint(errorText) {
+  return normalizeHost(extractXmlField(errorText, "Endpoint"));
+}
+function resolvePublicBaseUrl(publicBaseUrl, bucket, endpoint, nextEndpoint) {
+  var defaultBaseUrl = buildBucketBaseUrl(bucket, endpoint);
+  if (publicBaseUrl === defaultBaseUrl) {
+    return buildBucketBaseUrl(bucket, nextEndpoint);
+  }
+  return publicBaseUrl;
+}
+function arrayBufferToBase64(value) {
+  var bytes = new Uint8Array(value);
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  var binary = "";
+  var _iterator = _createForOfIteratorHelper$2(bytes),
+    _step;
+  try {
+    for (_iterator.s(); !(_step = _iterator.n()).done;) {
+      var _byte = _step.value;
+      binary += String.fromCharCode(_byte);
+    }
+  } catch (err) {
+    _iterator.e(err);
+  } finally {
+    _iterator.f();
+  }
+  return btoa(binary);
+}
+function signBase64(_x, _x2) {
+  return _signBase.apply(this, arguments);
+}
+function _signBase() {
+  _signBase = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee2(secret, stringToSign) {
+    var _globalThis$crypto;
+    var encoder, key, signature;
+    return _regeneratorRuntime.wrap(function (_context2) {
+      while (1) switch (_context2.prev = _context2.next) {
+        case 0:
+          if ((_globalThis$crypto = globalThis.crypto) !== null && _globalThis$crypto !== void 0 && _globalThis$crypto.subtle) {
+            _context2.next = 1;
+            break;
+          }
+          throw new OssUploadError("Web Crypto is unavailable in the current runtime", 500);
+        case 1:
+          encoder = new TextEncoder();
+          _context2.next = 2;
+          return globalThis.crypto.subtle.importKey("raw", encoder.encode(secret), {
+            name: "HMAC",
+            hash: "SHA-1"
+          }, false, ["sign"]);
+        case 2:
+          key = _context2.sent;
+          _context2.next = 3;
+          return globalThis.crypto.subtle.sign("HMAC", key, encoder.encode(stringToSign));
+        case 3:
+          signature = _context2.sent;
+          return _context2.abrupt("return", arrayBufferToBase64(signature));
+        case 4:
+        case "end":
+          return _context2.stop();
+      }
+    }, _callee2);
+  }));
+  return _signBase.apply(this, arguments);
+}
+function createPermissionDeniedMessage(bucket, objectKey, errorText) {
+  var action = extractXmlField(errorText, "AuthAction");
+  var principalType = extractXmlField(errorText, "AuthPrincipalType");
+  var principalName = extractXmlField(errorText, "AuthPrincipalDisplayName");
+  var policyType = extractXmlField(errorText, "PolicyType");
+  var denyType = extractXmlField(errorText, "NoPermissionType");
+  var parts = ["OSS permission denied for bucket \"".concat(bucket, "\""), action ? "missing ".concat(action) : "missing required OSS permission", "resource ".concat(bucket, "/").concat(objectKey)];
+  if (principalType || principalName) {
+    parts.push("principal ".concat([principalType, principalName].filter(Boolean).join(":")));
+  }
+  if (policyType || denyType) {
+    parts.push("policy ".concat([policyType, denyType].filter(Boolean).join("/")));
+  }
+  parts.push("Grant oss:PutObject to the configured RAM user for this bucket or prefix.");
+  return parts.join("; ");
+}
+function createEndpointMismatchMessage(bucket, endpoint, suggestedEndpoint) {
+  return ["OSS endpoint mismatch for bucket \"".concat(bucket, "\""), "configured OSS_ENDPOINT=".concat(endpoint), "OSS says use ".concat(suggestedEndpoint), "Update OSS_ENDPOINT and OSS_PUBLIC_BASE_URL to the bucket's actual region."].join("; ");
+}
+function createAuthorization(_x3, _x4, _x5, _x6, _x7) {
+  return _createAuthorization.apply(this, arguments);
+}
+function _createAuthorization() {
+  _createAuthorization = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee3(config, method, objectKey, contentType, date) {
+    var stringToSign, signature;
+    return _regeneratorRuntime.wrap(function (_context3) {
+      while (1) switch (_context3.prev = _context3.next) {
+        case 0:
+          stringToSign = [method, "", contentType, date, "/".concat(config.bucket, "/").concat(objectKey)].join("\n");
+          _context3.next = 1;
+          return signBase64(config.accessKeySecret, stringToSign);
+        case 1:
+          signature = _context3.sent;
+          return _context3.abrupt("return", "OSS ".concat(config.accessKeyId, ":").concat(signature));
+        case 2:
+        case "end":
+          return _context3.stop();
+      }
+    }, _callee3);
+  }));
+  return _createAuthorization.apply(this, arguments);
+}
+function createSignedGetUrl(_x8, _x9, _x0) {
+  return _createSignedGetUrl.apply(this, arguments);
+}
+function _createSignedGetUrl() {
+  _createSignedGetUrl = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee4(config, objectKey, expiresIn) {
+    var expires, stringToSign, signature, encodedObjectKey, url;
+    return _regeneratorRuntime.wrap(function (_context4) {
+      while (1) switch (_context4.prev = _context4.next) {
+        case 0:
+          expires = Math.max(1, Math.floor(Date.now() / 1000) + expiresIn);
+          stringToSign = ["GET", "", "", String(expires), "/".concat(config.bucket, "/").concat(objectKey)].join("\n");
+          _context4.next = 1;
+          return signBase64(config.accessKeySecret, stringToSign);
+        case 1:
+          signature = _context4.sent;
+          encodedObjectKey = encodeObjectKey(objectKey);
+          url = new URL("".concat(buildBucketBaseUrl(config.bucket, config.endpoint), "/").concat(encodedObjectKey));
+          url.searchParams.set("OSSAccessKeyId", config.accessKeyId);
+          url.searchParams.set("Expires", String(expires));
+          url.searchParams.set("Signature", signature);
+          return _context4.abrupt("return", url.toString());
+        case 2:
+        case "end":
+          return _context4.stop();
+      }
+    }, _callee4);
+  }));
+  return _createSignedGetUrl.apply(this, arguments);
+}
+function putObjectToOss(_x1, _x10, _x11, _x12, _x13) {
+  return _putObjectToOss.apply(this, arguments);
+}
+function _putObjectToOss() {
+  _putObjectToOss = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee5(config, endpoint, objectKey, contentType, buffer) {
+    var date, authorization, bodyBytes, body;
+    return _regeneratorRuntime.wrap(function (_context5) {
+      while (1) switch (_context5.prev = _context5.next) {
+        case 0:
+          date = new Date().toUTCString();
+          _context5.next = 1;
+          return createAuthorization(config, "PUT", objectKey, contentType, date);
+        case 1:
+          authorization = _context5.sent;
+          bodyBytes = Uint8Array.from(buffer);
+          body = new Blob([bodyBytes], {
+            type: contentType
+          });
+          return _context5.abrupt("return", fetch("".concat(buildBucketBaseUrl(config.bucket, endpoint), "/").concat(encodeObjectKey(objectKey)), {
+            method: "PUT",
+            headers: {
+              Authorization: authorization,
+              Date: date,
+              "Content-Type": contentType
+            },
+            body: body
+          }));
+        case 2:
+        case "end":
+          return _context5.stop();
+      }
+    }, _callee5);
+  }));
+  return _putObjectToOss.apply(this, arguments);
+}
+function normalizeConfig(config) {
+  var bucket = requiredValue(config.bucket, "bucket");
+  var endpoint = normalizeHost(requiredValue(config.endpoint, "endpoint"));
+  return {
+    provider: "aliyun-oss",
+    bucket: bucket,
+    endpoint: endpoint,
+    accessKeyId: requiredValue(config.accessKeyId, "accessKeyId"),
+    accessKeySecret: requiredValue(config.accessKeySecret, "accessKeySecret"),
+    publicBaseUrl: normalizePublicBaseUrl(config.publicBaseUrl, bucket, endpoint),
+    prefix: sanitizePathSegment(config.prefix || "cms-assets"),
+    maxSize: Number(config.maxSize || DEFAULT_MAX_SIZE),
+    returnMode: config.returnMode || "both",
+    signedUrlExpiresIn: Number(config.signedUrlExpiresIn || DEFAULT_SIGNED_URL_EXPIRES_IN)
+  };
+}
+var OssUploadService = /*#__PURE__*/function () {
+  function OssUploadService(config) {
+    _classCallCheck(this, OssUploadService);
+    this.config = normalizeConfig(config);
+  }
+  return _createClass(OssUploadService, [{
+    key: "getConfig",
+    value: function getConfig() {
+      var _this$config = this.config;
+        _this$config.accessKeyId;
+        _this$config.accessKeySecret;
+        var safeConfig = _objectWithoutProperties(_this$config, _excluded$1);
+      return safeConfig;
+    }
+  }, {
+    key: "upload",
+    value: function () {
+      var _upload = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee(input) {
+        var contentType, buffer, objectKey, activeEndpoint, publicBaseUrl, response, lastErrorText, errorText, suggestedEndpoint, finalErrorText, finalSuggestedEndpoint, encodedObjectKey, publicUrl, signedUrl, _t;
+        return _regeneratorRuntime.wrap(function (_context) {
+          while (1) switch (_context.prev = _context.next) {
+            case 0:
+              contentType = String(input.contentType || "application/octet-stream").trim() || "application/octet-stream";
+              buffer = new Uint8Array(input.buffer);
+              if (buffer.byteLength) {
+                _context.next = 1;
+                break;
+              }
+              throw new OssUploadError("Uploaded file is empty");
+            case 1:
+              if (!(buffer.byteLength > this.config.maxSize)) {
+                _context.next = 2;
+                break;
+              }
+              throw new OssUploadError("File exceeds max size of ".concat(this.config.maxSize, " bytes"));
+            case 2:
+              objectKey = buildObjectKey(this.config, input.directory, input.originalName);
+              activeEndpoint = this.config.endpoint;
+              publicBaseUrl = this.config.publicBaseUrl;
+              _context.next = 3;
+              return putObjectToOss(this.config, activeEndpoint, objectKey, contentType, buffer);
+            case 3:
+              response = _context.sent;
+              lastErrorText = "";
+              if (response.ok) {
+                _context.next = 10;
+                break;
+              }
+              _context.next = 4;
+              return response.text();
+            case 4:
+              errorText = _context.sent;
+              lastErrorText = errorText;
+              suggestedEndpoint = extractRecommendedEndpoint(errorText);
+              if (!(response.status === 403 && suggestedEndpoint && suggestedEndpoint !== activeEndpoint)) {
+                _context.next = 7;
+                break;
+              }
+              activeEndpoint = suggestedEndpoint;
+              publicBaseUrl = resolvePublicBaseUrl(publicBaseUrl, this.config.bucket, this.config.endpoint, suggestedEndpoint);
+              _context.next = 5;
+              return putObjectToOss(this.config, activeEndpoint, objectKey, contentType, buffer);
+            case 5:
+              response = _context.sent;
+              if (response.ok) {
+                _context.next = 7;
+                break;
+              }
+              _context.next = 6;
+              return response.text();
+            case 6:
+              lastErrorText = _context.sent;
+            case 7:
+              if (response.ok) {
+                _context.next = 10;
+                break;
+              }
+              finalErrorText = lastErrorText;
+              finalSuggestedEndpoint = extractRecommendedEndpoint(finalErrorText);
+              if (!(response.status === 403 && finalSuggestedEndpoint && finalSuggestedEndpoint !== this.config.endpoint)) {
+                _context.next = 8;
+                break;
+              }
+              throw new OssUploadError(createEndpointMismatchMessage(this.config.bucket, this.config.endpoint, finalSuggestedEndpoint), 400);
+            case 8:
+              if (!(response.status === 403 && /<Code>AccessDenied<\/Code>/i.test(finalErrorText))) {
+                _context.next = 9;
+                break;
+              }
+              throw new OssUploadError(createPermissionDeniedMessage(this.config.bucket, objectKey, finalErrorText), 403);
+            case 9:
+              throw new OssUploadError("OSS upload failed: ".concat(response.status, " ").concat(finalErrorText), 502);
+            case 10:
+              encodedObjectKey = encodeObjectKey(objectKey);
+              publicUrl = "".concat(publicBaseUrl, "/").concat(encodedObjectKey);
+              if (!(this.config.returnMode === "public-url")) {
+                _context.next = 11;
+                break;
+              }
+              _t = undefined;
+              _context.next = 13;
+              break;
+            case 11:
+              _context.next = 12;
+              return createSignedGetUrl(_objectSpread$1(_objectSpread$1({}, this.config), {}, {
+                endpoint: activeEndpoint
+              }), objectKey, this.config.signedUrlExpiresIn);
+            case 12:
+              _t = _context.sent;
+            case 13:
+              signedUrl = _t;
+              return _context.abrupt("return", {
+                objectKey: objectKey,
+                url: this.config.returnMode === "signed-url" ? signedUrl || publicUrl : publicUrl,
+                signedUrl: this.config.returnMode === "both" || this.config.returnMode === "signed-url" ? signedUrl : undefined
+              });
+            case 14:
+            case "end":
+              return _context.stop();
+          }
+        }, _callee, this);
+      }));
+      function upload(_x14) {
+        return _upload.apply(this, arguments);
+      }
+      return upload;
+    }()
+  }]);
+}();
+var ossUploadService = null;
+function initializeOssUpload(config) {
+  ossUploadService = new OssUploadService(config);
+  return ossUploadService;
+}
+function getOssUploadService() {
+  if (!ossUploadService) {
+    throw new OssUploadError("OSS upload is not initialized. Call initializeOssUpload(config) before registering upload routes.", 500);
+  }
+  return ossUploadService;
+}
+var ADMIN_REGISTRY_TABLE = "_cms_admin_registry";
+var ensured = false;
+function normalizeSessionId(sessionId) {
+  // 统一将连字符转换为下划线，确保 UUID 格式一致性
+  // 例如：1047aab4-eecb-4538-ad8d-b5847e762f30 和 1047aab4_eecb_4538_ad8d_b5847e762f30 被视为相同
+  return (sessionId || "").trim().replace(/-/g, "_");
+}
+/**
+ * 从前端传来的 auth tableName 中提取 session_id
+ * 约定：auth tableName 形如 `${sessionId}_cms_users`；无前缀则为 `cms_users`
+ */
+function extractSessionIdFromAuthTableName(tableName) {
+  var name = (tableName || "").trim();
+  if (!name) return "";
+  if (name === "cms_users") return "";
+  if (name.endsWith("_cms_users")) return name.slice(0, -"_cms_users".length);
+  // 兼容：如果传入的不是 cms_users，也允许把最后一个 "_cms_users" 前缀当作 session
+  var idx = name.lastIndexOf("_cms_users");
+  if (idx > 0) return name.slice(0, idx);
+  return "";
+}
+function ensureAdminRegistryTable(_x) {
+  return _ensureAdminRegistryTable.apply(this, arguments);
+}
+function _ensureAdminRegistryTable() {
+  _ensureAdminRegistryTable = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee(supabase) {
+    var _yield$supabase$from$, error;
+    return _regeneratorRuntime.wrap(function (_context) {
+      while (1) switch (_context.prev = _context.next) {
+        case 0:
+          if (!ensured) {
+            _context.next = 1;
+            break;
+          }
+          return _context.abrupt("return", true);
+        case 1:
+          _context.prev = 1;
+          _context.next = 2;
+          return supabase.from(ADMIN_REGISTRY_TABLE).select("session_id").limit(1);
+        case 2:
+          _yield$supabase$from$ = _context.sent;
+          error = _yield$supabase$from$.error;
+          if (error) {
+            _context.next = 3;
+            break;
+          }
+          ensured = true;
+          return _context.abrupt("return", true);
+        case 3:
+          _context.next = 5;
+          break;
+        case 4:
+          _context.prev = 4;
+          _context["catch"](1);
+        case 5:
+          return _context.abrupt("return", false);
+        case 6:
+        case "end":
+          return _context.stop();
+      }
+    }, _callee, null, [[1, 4]]);
+  }));
+  return _ensureAdminRegistryTable.apply(this, arguments);
+}
+function getSessionAdminRow(_x2, _x3) {
+  return _getSessionAdminRow.apply(this, arguments);
+}
+function _getSessionAdminRow() {
+  _getSessionAdminRow = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee2(supabase, sessionId) {
+    var sid, _yield$supabase$from$2, data, error;
+    return _regeneratorRuntime.wrap(function (_context2) {
+      while (1) switch (_context2.prev = _context2.next) {
+        case 0:
+          sid = normalizeSessionId(sessionId);
+          _context2.next = 1;
+          return supabase.from(ADMIN_REGISTRY_TABLE).select("session_id,user_id,email").eq("session_id", sid).maybeSingle();
+        case 1:
+          _yield$supabase$from$2 = _context2.sent;
+          data = _yield$supabase$from$2.data;
+          error = _yield$supabase$from$2.error;
+          if (!(error || !data)) {
+            _context2.next = 2;
+            break;
+          }
+          return _context2.abrupt("return", null);
+        case 2:
+          return _context2.abrupt("return", data);
+        case 3:
+        case "end":
+          return _context2.stop();
+      }
+    }, _callee2);
+  }));
+  return _getSessionAdminRow.apply(this, arguments);
+}
+function isUserSessionAdmin(_x4, _x5, _x6) {
+  return _isUserSessionAdmin.apply(this, arguments);
+}
+function _isUserSessionAdmin() {
+  _isUserSessionAdmin = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee3(supabase, sessionId, userId) {
+    var row;
+    return _regeneratorRuntime.wrap(function (_context3) {
+      while (1) switch (_context3.prev = _context3.next) {
+        case 0:
+          _context3.next = 1;
+          return getSessionAdminRow(supabase, sessionId);
+        case 1:
+          row = _context3.sent;
+          if (row) {
+            _context3.next = 2;
+            break;
+          }
+          return _context3.abrupt("return", false);
+        case 2:
+          return _context3.abrupt("return", row.user_id === userId);
+        case 3:
+        case "end":
+          return _context3.stop();
+      }
+    }, _callee3);
+  }));
+  return _isUserSessionAdmin.apply(this, arguments);
+}
+function _createForOfIteratorHelper$1(r, e) { var t = "undefined" != typeof Symbol && r[Symbol.iterator] || r["@@iterator"]; if (!t) { if (Array.isArray(r) || (t = _unsupportedIterableToArray$2(r)) || e && r && "number" == typeof r.length) { t && (r = t); var _n = 0, F = function F() {}; return { s: F, n: function n() { return _n >= r.length ? { done: !0 } : { done: !1, value: r[_n++] }; }, e: function e(r) { throw r; }, f: F }; } throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); } var o, a = !0, u = !1; return { s: function s() { t = t.call(r); }, n: function n() { var r = t.next(); return a = r.done, r; }, e: function e(r) { u = !0, o = r; }, f: function f() { try { a || null == t["return"] || t["return"](); } finally { if (u) throw o; } } }; }
+function _unsupportedIterableToArray$2(r, a) { if (r) { if ("string" == typeof r) return _arrayLikeToArray$2(r, a); var t = {}.toString.call(r).slice(8, -1); return "Object" === t && r.constructor && (t = r.constructor.name), "Map" === t || "Set" === t ? Array.from(r) : "Arguments" === t || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(t) ? _arrayLikeToArray$2(r, a) : void 0; } }
+function _arrayLikeToArray$2(r, a) { (null == a || a > r.length) && (a = r.length); for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e]; return n; }
+var RESERVED_STATUS_FIELD = "status";
+var PUBLISH_STATUS_VALUES = new Set(["draft", "published"]);
 // 初始化Supabase连接和CMS系统
 function initializeSystem() {
   return _initializeSystem.apply(this, arguments);
-} // GET - 获取所有模型
+}
 function _initializeSystem() {
   _initializeSystem = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee() {
     var _t;
@@ -2740,13 +3382,72 @@ function _initializeSystem() {
   }));
   return _initializeSystem.apply(this, arguments);
 }
+function validateReservedFields(jsonSchema) {
+  if (!(jsonSchema !== null && jsonSchema !== void 0 && jsonSchema.fields) || !Array.isArray(jsonSchema.fields)) {
+    return "json_schema 必须包含 fields 数组";
+  }
+  var _iterator = _createForOfIteratorHelper$1(jsonSchema.fields),
+    _step;
+  try {
+    for (_iterator.s(); !(_step = _iterator.n()).done;) {
+      var field = _step.value;
+      if ((field === null || field === void 0 ? void 0 : field.name) !== RESERVED_STATUS_FIELD) {
+        continue;
+      }
+      if (field.type !== "string") {
+        return '字段 "status" 是保留字段，类型必须为 string。若这是业务状态，请改名为 category_status、order_status 等更具体的字段名。';
+      }
+      var configuredValues = new Set();
+      if (field.defaultValue !== undefined && field.defaultValue !== null) {
+        configuredValues.add(String(field.defaultValue));
+      }
+      if (Array.isArray(field["enum"])) {
+        var _iterator2 = _createForOfIteratorHelper$1(field["enum"]),
+          _step2;
+        try {
+          for (_iterator2.s(); !(_step2 = _iterator2.n()).done;) {
+            var enumValue = _step2.value;
+            configuredValues.add(String(enumValue));
+          }
+        } catch (err) {
+          _iterator2.e(err);
+        } finally {
+          _iterator2.f();
+        }
+      }
+      if (configuredValues.size === 0) {
+        return '字段 "status" 是保留发布状态字段。请显式将其配置为 draft/published；如果你需要业务状态，请改名为 category_status、order_status、user_status 等。';
+      }
+      var _iterator3 = _createForOfIteratorHelper$1(configuredValues),
+        _step3;
+      try {
+        for (_iterator3.s(); !(_step3 = _iterator3.n()).done;) {
+          var value = _step3.value;
+          if (!PUBLISH_STATUS_VALUES.has(value)) {
+            return "\u5B57\u6BB5 \"status\" \u4EC5\u5141\u8BB8\u8868\u793A\u53D1\u5E03\u72B6\u6001\uFF0C\u652F\u6301\u7684\u503C\u53EA\u6709 draft/published\u3002\u68C0\u6D4B\u5230\u975E\u6CD5\u503C \"".concat(value, "\"\u3002\u5982\u679C\u8FD9\u662F\u4E1A\u52A1\u72B6\u6001\uFF0C\u8BF7\u6539\u540D\u4E3A category_status\u3001order_status\u3001user_status \u7B49\u3002");
+          }
+        }
+      } catch (err) {
+        _iterator3.e(err);
+      } finally {
+        _iterator3.f();
+      }
+    }
+  } catch (err) {
+    _iterator.e(err);
+  } finally {
+    _iterator.f();
+  }
+  return null;
+}
+// GET - 获取所有模型
 function getModels(_x) {
   return _getModels.apply(this, arguments);
 }
 // POST - 创建新模型
 function _getModels() {
   _getModels = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee2(c) {
-    var cmsModelService, page, limit, name, models, total, offset, paginatedModels, response, _response, _t2;
+    var cmsModelService, page, limit, name, sessionId, models, tablePrefix, total, offset, paginatedModels, response, _response, _t2;
     return _regeneratorRuntime.wrap(function (_context2) {
       while (1) switch (_context2.prev = _context2.next) {
         case 0:
@@ -2757,11 +3458,19 @@ function _getModels() {
           cmsModelService = getCmsModelService();
           page = parseInt(c.req.query("page") || "1");
           limit = parseInt(c.req.query("limit") || "10");
-          name = c.req.query("name"); // 获取所有模型
+          name = c.req.query("name"); // 获取当前请求的 session_id
+          sessionId = normalizeSessionId(c.req.header("X-Session-Id") || c.req.header("x-session-id")); // 获取所有模型
           _context2.next = 2;
           return cmsModelService.findAll();
         case 2:
           models = _context2.sent;
+          // 根据 session_id 过滤模型（只返回属于当前 session 的表）
+          if (sessionId) {
+            tablePrefix = sessionId + "_";
+            models = models.filter(function (model) {
+              return model.table_name.startsWith(tablePrefix);
+            });
+          }
           // 如果有名称过滤
           if (name) {
             models = models.filter(function (model) {
@@ -2809,7 +3518,7 @@ function createModel(_x2) {
 // PUT - 更新模型
 function _createModel() {
   _createModel = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee3(c) {
-    var cmsModelService, dynamicTableService, body, name, table_name, json_schema, _response2, _response3, existingModel, _response4, allModels, nameExists, _response5, tableExists, _response6, tableCreated, _response7, newModel, response, _response8, _t3;
+    var cmsModelService, dynamicTableService, body, name, table_name, json_schema, _response2, schemaValidationError, _response3, existingModel, _response4, allModels, nameExists, _response5, tableExists, _response6, tableCreated, _response7, newModel, response, _response8, _t3;
     return _regeneratorRuntime.wrap(function (_context3) {
       while (1) switch (_context3.prev = _context3.next) {
         case 0:
@@ -2834,13 +3543,15 @@ function _createModel() {
           };
           return _context3.abrupt("return", c.json(_response2, 200));
         case 3:
-          if (!(!json_schema.fields || !Array.isArray(json_schema.fields))) {
+          // 验证 JSON 模式格式和保留字段规则
+          schemaValidationError = validateReservedFields(json_schema);
+          if (!schemaValidationError) {
             _context3.next = 4;
             break;
           }
           _response3 = {
             success: false,
-            message: "json_schema 必须包含 fields 数组"
+            message: schemaValidationError
           };
           return _context3.abrupt("return", c.json(_response3, 200));
         case 4:
@@ -2941,7 +3652,7 @@ function updateModel(_x3) {
 // DELETE - 删除模型
 function _updateModel() {
   _updateModel = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee4(c) {
-    var cmsModelService, body, id, name, json_schema, _response9, model, _response0, updateData, updatedModel, response, _response1, _t4;
+    var cmsModelService, body, id, name, json_schema, _response9, model, _response0, schemaValidationError, _response1, updateData, updatedModel, response, _response10, _t4;
     return _regeneratorRuntime.wrap(function (_context4) {
       while (1) switch (_context4.prev = _context4.next) {
         case 0:
@@ -2979,13 +3690,28 @@ function _updateModel() {
           };
           return _context4.abrupt("return", c.json(_response0, 200));
         case 5:
+          if (!json_schema) {
+            _context4.next = 6;
+            break;
+          }
+          schemaValidationError = validateReservedFields(json_schema);
+          if (!schemaValidationError) {
+            _context4.next = 6;
+            break;
+          }
+          _response1 = {
+            success: false,
+            message: schemaValidationError
+          };
+          return _context4.abrupt("return", c.json(_response1, 200));
+        case 6:
           // 更新模型信息（不允许修改表名）
           updateData = {};
           if (name) updateData.name = name;
           if (json_schema) updateData.json_schema = json_schema;
-          _context4.next = 6;
+          _context4.next = 7;
           return cmsModelService.update(id, updateData);
-        case 6:
+        case 7:
           updatedModel = _context4.sent;
           response = {
             success: true,
@@ -2993,21 +3719,21 @@ function _updateModel() {
             data: updatedModel
           };
           return _context4.abrupt("return", c.json(response));
-        case 7:
-          _context4.prev = 7;
+        case 8:
+          _context4.prev = 8;
           _t4 = _context4["catch"](0);
           console.error("更新模型失败:", _t4);
-          _response1 = {
+          _response10 = {
             success: false,
             message: "更新模型失败",
             error: _t4 instanceof Error ? _t4.message : "未知错误"
           };
-          return _context4.abrupt("return", c.json(_response1, 500));
-        case 8:
+          return _context4.abrupt("return", c.json(_response10, 500));
+        case 9:
         case "end":
           return _context4.stop();
       }
-    }, _callee4, null, [[0, 7]]);
+    }, _callee4, null, [[0, 8]]);
   }));
   return _updateModel.apply(this, arguments);
 }
@@ -3016,7 +3742,7 @@ function deleteModel(_x4) {
 }
 function _deleteModel() {
   _deleteModel = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee5(c) {
-    var cmsModelService, dynamicTableService, idStr, _response10, id, model, _response11, tableDropped, _response12, response, _response13, _t5;
+    var cmsModelService, dynamicTableService, idStr, _response11, id, model, _response12, tableDropped, _response13, response, _response14, _t5;
     return _regeneratorRuntime.wrap(function (_context5) {
       while (1) switch (_context5.prev = _context5.next) {
         case 0:
@@ -3031,11 +3757,11 @@ function _deleteModel() {
             _context5.next = 2;
             break;
           }
-          _response10 = {
+          _response11 = {
             success: false,
             message: "缺少模型 ID"
           };
-          return _context5.abrupt("return", c.json(_response10, 200));
+          return _context5.abrupt("return", c.json(_response11, 200));
         case 2:
           id = parseInt(idStr);
           _context5.next = 3;
@@ -3046,11 +3772,11 @@ function _deleteModel() {
             _context5.next = 4;
             break;
           }
-          _response11 = {
+          _response12 = {
             success: false,
             message: "模型不存在"
           };
-          return _context5.abrupt("return", c.json(_response11, 200));
+          return _context5.abrupt("return", c.json(_response12, 200));
         case 4:
           _context5.next = 5;
           return dynamicTableService.dropTable(model.table_name);
@@ -3060,11 +3786,11 @@ function _deleteModel() {
             _context5.next = 6;
             break;
           }
-          _response12 = {
+          _response13 = {
             success: false,
             message: "删除数据表失败"
           };
-          return _context5.abrupt("return", c.json(_response12, 200));
+          return _context5.abrupt("return", c.json(_response13, 200));
         case 6:
           _context5.next = 7;
           return cmsModelService["delete"](id);
@@ -3078,12 +3804,12 @@ function _deleteModel() {
           _context5.prev = 8;
           _t5 = _context5["catch"](0);
           console.error("删除模型失败:", _t5);
-          _response13 = {
+          _response14 = {
             success: false,
             message: "删除模型失败",
             error: _t5 instanceof Error ? _t5.message : "未知错误"
           };
-          return _context5.abrupt("return", c.json(_response13, 500));
+          return _context5.abrupt("return", c.json(_response14, 500));
         case 9:
         case "end":
           return _context5.stop();
@@ -3093,28 +3819,6 @@ function _deleteModel() {
   return _deleteModel.apply(this, arguments);
 }
-function _objectWithoutPropertiesLoose(r, e) {
-  if (null == r) return {};
-  var t = {};
-  for (var n in r) if ({}.hasOwnProperty.call(r, n)) {
-    if (-1 !== e.indexOf(n)) continue;
-    t[n] = r[n];
-  }
-  return t;
-}
-function _objectWithoutProperties(e, t) {
-  if (null == e) return {};
-  var o,
-    r,
-    i = _objectWithoutPropertiesLoose(e, t);
-  if (Object.getOwnPropertySymbols) {
-    var n = Object.getOwnPropertySymbols(e);
-    for (r = 0; r < n.length; r++) o = n[r], -1 === t.indexOf(o) && {}.propertyIsEnumerable.call(e, o) && (i[o] = e[o]);
-  }
-  return i;
-}
 function _arrayWithHoles(r) {
   if (Array.isArray(r)) return r;
 }
@@ -4221,130 +4925,6 @@ var AuthUtils = /*#__PURE__*/function () {
   }]);
 }();
-var ADMIN_REGISTRY_TABLE = "_cms_admin_registry";
-var ensured = false;
-function normalizeSessionId(sessionId) {
-  // 统一将连字符转换为下划线，确保 UUID 格式一致性
-  // 例如：1047aab4-eecb-4538-ad8d-b5847e762f30 和 1047aab4_eecb_4538_ad8d_b5847e762f30 被视为相同
-  return (sessionId || "").trim().replace(/-/g, "_");
-}
-/**
- * 从前端传来的 auth tableName 中提取 session_id
- * 约定：auth tableName 形如 `${sessionId}_cms_users`；无前缀则为 `cms_users`
- */
-function extractSessionIdFromAuthTableName(tableName) {
-  var name = (tableName || "").trim();
-  if (!name) return "";
-  if (name === "cms_users") return "";
-  if (name.endsWith("_cms_users")) return name.slice(0, -"_cms_users".length);
-  // 兼容：如果传入的不是 cms_users，也允许把最后一个 "_cms_users" 前缀当作 session
-  var idx = name.lastIndexOf("_cms_users");
-  if (idx > 0) return name.slice(0, idx);
-  return "";
-}
-function ensureAdminRegistryTable(_x) {
-  return _ensureAdminRegistryTable.apply(this, arguments);
-}
-function _ensureAdminRegistryTable() {
-  _ensureAdminRegistryTable = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee(supabase) {
-    var _yield$supabase$from$, error;
-    return _regeneratorRuntime.wrap(function (_context) {
-      while (1) switch (_context.prev = _context.next) {
-        case 0:
-          if (!ensured) {
-            _context.next = 1;
-            break;
-          }
-          return _context.abrupt("return", true);
-        case 1:
-          _context.prev = 1;
-          _context.next = 2;
-          return supabase.from(ADMIN_REGISTRY_TABLE).select("session_id").limit(1);
-        case 2:
-          _yield$supabase$from$ = _context.sent;
-          error = _yield$supabase$from$.error;
-          if (error) {
-            _context.next = 3;
-            break;
-          }
-          ensured = true;
-          return _context.abrupt("return", true);
-        case 3:
-          _context.next = 5;
-          break;
-        case 4:
-          _context.prev = 4;
-          _context["catch"](1);
-        case 5:
-          return _context.abrupt("return", false);
-        case 6:
-        case "end":
-          return _context.stop();
-      }
-    }, _callee, null, [[1, 4]]);
-  }));
-  return _ensureAdminRegistryTable.apply(this, arguments);
-}
-function getSessionAdminRow(_x2, _x3) {
-  return _getSessionAdminRow.apply(this, arguments);
-}
-function _getSessionAdminRow() {
-  _getSessionAdminRow = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee2(supabase, sessionId) {
-    var sid, _yield$supabase$from$2, data, error;
-    return _regeneratorRuntime.wrap(function (_context2) {
-      while (1) switch (_context2.prev = _context2.next) {
-        case 0:
-          sid = normalizeSessionId(sessionId);
-          _context2.next = 1;
-          return supabase.from(ADMIN_REGISTRY_TABLE).select("session_id,user_id,email").eq("session_id", sid).maybeSingle();
-        case 1:
-          _yield$supabase$from$2 = _context2.sent;
-          data = _yield$supabase$from$2.data;
-          error = _yield$supabase$from$2.error;
-          if (!(error || !data)) {
-            _context2.next = 2;
-            break;
-          }
-          return _context2.abrupt("return", null);
-        case 2:
-          return _context2.abrupt("return", data);
-        case 3:
-        case "end":
-          return _context2.stop();
-      }
-    }, _callee2);
-  }));
-  return _getSessionAdminRow.apply(this, arguments);
-}
-function isUserSessionAdmin(_x4, _x5, _x6) {
-  return _isUserSessionAdmin.apply(this, arguments);
-}
-function _isUserSessionAdmin() {
-  _isUserSessionAdmin = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee3(supabase, sessionId, userId) {
-    var row;
-    return _regeneratorRuntime.wrap(function (_context3) {
-      while (1) switch (_context3.prev = _context3.next) {
-        case 0:
-          _context3.next = 1;
-          return getSessionAdminRow(supabase, sessionId);
-        case 1:
-          row = _context3.sent;
-          if (row) {
-            _context3.next = 2;
-            break;
-          }
-          return _context3.abrupt("return", false);
-        case 2:
-          return _context3.abrupt("return", row.user_id === userId);
-        case 3:
-        case "end":
-          return _context3.stop();
-      }
-    }, _callee3);
-  }));
-  return _isUserSessionAdmin.apply(this, arguments);
-}
 function getRoleFromSupabaseUser$2(user) {
   var _user$app_metadata, _user$user_metadata;
   var appRole = user === null || user === void 0 || (_user$app_metadata = user.app_metadata) === null || _user$app_metadata === void 0 ? void 0 : _user$app_metadata.role;
@@ -4960,6 +5540,81 @@ function requireAuth(handler) {
   }();
 }
+function readTextField(formData, fieldName) {
+  var value = formData.get(fieldName);
+  return typeof value === "string" ? value.trim() : "";
+}
+function isFileLike(value) {
+  return !!value && typeof value !== "string" && typeof value.arrayBuffer === "function";
+}
+function uploadToOss(_x) {
+  return _uploadToOss.apply(this, arguments);
+}
+function _uploadToOss() {
+  _uploadToOss = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee(c) {
+    var formData, file, uploadService, result, status, _t, _t2, _t3, _t4, _t5, _t6;
+    return _regeneratorRuntime.wrap(function (_context) {
+      while (1) switch (_context.prev = _context.next) {
+        case 0:
+          _context.prev = 0;
+          _context.next = 1;
+          return c.req.raw.formData();
+        case 1:
+          formData = _context.sent;
+          file = formData.get("file");
+          if (isFileLike(file)) {
+            _context.next = 2;
+            break;
+          }
+          return _context.abrupt("return", c.json({
+            success: false,
+            message: "Missing file in multipart request"
+          }, 400));
+        case 2:
+          uploadService = getOssUploadService();
+          _t = uploadService;
+          _context.next = 3;
+          return file.arrayBuffer();
+        case 3:
+          _t2 = _context.sent;
+          _t3 = file.type || "application/octet-stream";
+          _t4 = readTextField(formData, "directory");
+          _t5 = file.name || "upload.bin";
+          _context.next = 4;
+          return _t.upload.call(_t, {
+            buffer: _t2,
+            contentType: _t3,
+            directory: _t4,
+            originalName: _t5
+          });
+        case 4:
+          result = _context.sent;
+          return _context.abrupt("return", c.json({
+            success: true,
+            url: result.url,
+            signedUrl: result.signedUrl,
+            objectKey: result.objectKey,
+            fieldName: readTextField(formData, "fieldName"),
+            tableName: readTextField(formData, "tableName")
+          }, 200));
+        case 5:
+          _context.prev = 5;
+          _t6 = _context["catch"](0);
+          status = _t6 instanceof OssUploadError ? _t6.status : 500;
+          return _context.abrupt("return", c.json({
+            success: false,
+            message: "Upload failed",
+            error: _t6 instanceof Error ? _t6.message : "Unknown upload error"
+          }, status));
+        case 6:
+        case "end":
+          return _context.stop();
+      }
+    }, _callee, null, [[0, 5]]);
+  }));
+  return _uploadToOss.apply(this, arguments);
+}
 function getRoleFromSupabaseUser$1(user) {
   var _user$app_metadata, _user$user_metadata;
   var appRole = user === null || user === void 0 || (_user$app_metadata = user.app_metadata) === null || _user$app_metadata === void 0 ? void 0 : _user$app_metadata.role;
@@ -5440,6 +6095,10 @@ function createAuthRoute(app, tableName) {
   });
   return app;
 }
+function createOssUploadRoute(app) {
+  app.post("/upload", requireJwtAuth, requireAdminRole, uploadToOss);
+  return app;
+}
 // 一键创建所有CMS路由
 function createCmsRoutes(app) {
   createModelRoute(app);
@@ -5452,6 +6111,8 @@ exports.AuthService = AuthService;
 exports.CmsModel = getCmsModelService;
 exports.CmsModelService = CmsModelService;
 exports.DynamicTableService = DynamicTableService;
+exports.OssUploadError = OssUploadError;
+exports.OssUploadService = OssUploadService;
 exports.closeDatabase = closeSupabase;
 exports.closeSupabase = closeSupabase;
 exports.createAuthRoute = createAuthRoute;
@@ -5461,6 +6122,7 @@ exports.createDynamicAuthRoute = createDynamicAuthRoute;
 exports.createDynamicDataRoute = createDynamicDataRoute;
 exports.createModel = createModel;
 exports.createModelRoute = createModelRoute;
+exports.createOssUploadRoute = createOssUploadRoute;
 exports.createTableData = createTableData;
 exports.deleteModel = deleteModel;
 exports.deleteTableData = deleteTableData;
@@ -5472,6 +6134,7 @@ exports.getCurrentUser = getCurrentUser;
 exports.getDatabase = getSupabase;
 exports.getDynamicTableService = getDynamicTableService;
 exports.getModels = getModels;
+exports.getOssUploadService = getOssUploadService;
 exports.getRelationOptions = getRelationOptions;
 exports.getSupabase = getSupabase;
 exports.getSupabaseSetupSQL = getSupabaseSetupSQL;
@@ -5480,6 +6143,7 @@ exports.getTableDataWithRelations = getTableDataWithRelations;
 exports.initializeCmsModel = initializeCmsModel;
 exports.initializeCmsSystem = initializeCmsSystem;
 exports.initializeDatabase = initializeSupabase;
+exports.initializeOssUpload = initializeOssUpload;
 exports.initializeSupabase = initializeSupabase;
 exports.login = login;
 exports.requireAuth = requireAuth;
@@ -5489,5 +6153,6 @@ exports.syncDatabase = initializeCmsSystem;
 exports.testConnection = testConnection;
 exports.updateModel = updateModel;
 exports.updateTableData = updateTableData;
+exports.uploadToOss = uploadToOss;
 exports.verifyAuth = verifyAuth;
 //# sourceMappingURL=index.js.map