agent-cms 0.1.0

package/dist/index.mjs

@@ -0,0 +1,1170 @@
+import { $ as listRecords, A as scheduleUnpublish, B as getAsset, C as SearchInput, D as clearSchedule, E as UpdateModelInput, G as updateAssetMetadata, H as listAssets, J as publishRecord, M as deleteLocale, N as listLocales, O as runScheduledTransitions, Q as getRecord, R as createAsset, S as SearchAssetsInput, T as UpdateFieldInput, U as replaceAsset, W as searchAssets, X as bulkCreateRecords, Y as unpublishRecord, Z as createRecord, _ as PatchBlocksInput, _t as updateModel, a as exportSchema, at as getVersion, b as ReorderInput, bt as VectorizeContext, c as CreateAssetInput, ct as HooksContext, d as CreateLocaleInput, dt as listFields, et as patchBlocksForField, f as CreateModelInput, ft as updateField, g as ImportSchemaInput, gt as listModels, ht as getModel, i as validateEditorToken, j as createLocale, k as schedulePublish, l as CreateEditorTokenInput, lt as createField, m as CreateUploadUrlInput, mt as deleteModel, n as listEditorTokens, nt as removeRecord, o as importSchema, ot as listVersions, p as CreateRecordInput, pt as createModel, r as revokeEditorToken, rt as reorderRecords, s as BulkCreateRecordsInput, st as restoreVersion, t as createEditorToken, tt as patchRecord, u as CreateFieldInput, ut as deleteField, v as PatchRecordInput, vt as reindexAll, w as UpdateAssetMetadataInput, x as ScheduleRecordInput, y as ReindexSearchInput, yt as search, z as deleteAsset } from "./token-service-BDjccMmz.mjs";
+import { J as ValidationError, X as isCmsError, Y as errorToResponse, q as UnauthorizedError } from "./structured-text-service-B4xSlUg_.mjs";
+import { D1Client } from "@effect/sql-d1";
+import { Cause, Effect, Layer, Logger, Option, ParseResult, Schema } from "effect";
+import { HttpApp, HttpRouter, HttpServerError, HttpServerRequest, HttpServerResponse } from "@effect/platform";
+import { SqlClient } from "@effect/sql";
+//#region src/migrations.ts
+/**
+* Embedded schema migrations — runs automatically on first request.
+* The project is still pre-deployment, so the full schema lives in a single genesis migration.
+*/
+const MIGRATIONS = [{
+	version: 1,
+	statements: [
+		`CREATE TABLE IF NOT EXISTS "assets" (
+        "id" text PRIMARY KEY,
+        "filename" text NOT NULL,
+        "mime_type" text NOT NULL,
+        "size" integer NOT NULL,
+        "width" integer,
+        "height" integer,
+        "alt" text,
+        "title" text,
+        "r2_key" text NOT NULL,
+        "blurhash" text,
+        "colors" text,
+        "focal_point" text,
+        "tags" text DEFAULT '[]',
+        "custom_data" text DEFAULT '{}',
+        "created_at" text NOT NULL,
+        "updated_at" text NOT NULL,
+        "created_by" text,
+        "updated_by" text
+      )`,
+		`CREATE TABLE IF NOT EXISTS "models" (
+        "id" text PRIMARY KEY,
+        "name" text NOT NULL,
+        "api_key" text NOT NULL UNIQUE,
+        "is_block" integer DEFAULT false NOT NULL,
+        "singleton" integer DEFAULT false NOT NULL,
+        "sortable" integer DEFAULT false NOT NULL,
+        "tree" integer DEFAULT false NOT NULL,
+        "has_draft" integer DEFAULT true NOT NULL,
+        "all_locales_required" integer DEFAULT 0 NOT NULL,
+        "ordering" text,
+        "created_at" text NOT NULL,
+        "updated_at" text NOT NULL
+      )`,
+		`CREATE TABLE IF NOT EXISTS "fieldsets" (
+        "id" text PRIMARY KEY,
+        "model_id" text NOT NULL,
+        "title" text NOT NULL,
+        "position" integer DEFAULT 0 NOT NULL,
+        CONSTRAINT "fk_fieldsets_model_id_models_id_fk" FOREIGN KEY ("model_id") REFERENCES "models"("id") ON DELETE CASCADE
+      )`,
+		`CREATE TABLE IF NOT EXISTS "fields" (
+        "id" text PRIMARY KEY,
+        "model_id" text NOT NULL,
+        "label" text NOT NULL,
+        "api_key" text NOT NULL,
+        "field_type" text NOT NULL,
+        "position" integer DEFAULT 0 NOT NULL,
+        "localized" integer DEFAULT false NOT NULL,
+        "validators" text DEFAULT '{}',
+        "default_value" text,
+        "appearance" text,
+        "hint" text,
+        "fieldset_id" text,
+        "created_at" text NOT NULL,
+        "updated_at" text NOT NULL,
+        CONSTRAINT "fk_fields_model_id_models_id_fk" FOREIGN KEY ("model_id") REFERENCES "models"("id") ON DELETE CASCADE,
+        CONSTRAINT "fk_fields_fieldset_id_fieldsets_id_fk" FOREIGN KEY ("fieldset_id") REFERENCES "fieldsets"("id") ON DELETE SET NULL
+      )`,
+		`CREATE TABLE IF NOT EXISTS "locales" (
+        "id" text PRIMARY KEY,
+        "code" text NOT NULL UNIQUE,
+        "position" integer DEFAULT 0 NOT NULL,
+        "fallback_locale_id" text,
+        CONSTRAINT "fk_locales_fallback_locale_id_locales_id_fk" FOREIGN KEY ("fallback_locale_id") REFERENCES "locales"("id") ON DELETE SET NULL
+      )`,
+		`CREATE TABLE IF NOT EXISTS "site_settings" (
+        "id" text PRIMARY KEY DEFAULT 'default',
+        "site_name" text,
+        "title_suffix" text,
+        "no_index" integer DEFAULT 0 NOT NULL,
+        "favicon_id" text,
+        "facebook_page_url" text,
+        "twitter_account" text,
+        "fallback_seo_title" text,
+        "fallback_seo_description" text,
+        "fallback_seo_image_id" text,
+        "fallback_seo_twitter_card" text DEFAULT 'summary',
+        "updated_at" text NOT NULL DEFAULT (datetime('now')),
+        CONSTRAINT "fk_site_settings_favicon" FOREIGN KEY ("favicon_id") REFERENCES "assets"("id") ON DELETE SET NULL,
+        CONSTRAINT "fk_site_settings_seo_image" FOREIGN KEY ("fallback_seo_image_id") REFERENCES "assets"("id") ON DELETE SET NULL
+      )`,
+		`CREATE TABLE IF NOT EXISTS "record_versions" (
+        "id" text PRIMARY KEY,
+        "model_api_key" text NOT NULL,
+        "record_id" text NOT NULL,
+        "version_number" integer NOT NULL,
+        "snapshot" text NOT NULL,
+        "action" text NOT NULL DEFAULT 'publish',
+        "actor_type" text,
+        "actor_label" text,
+        "actor_token_id" text,
+        "created_at" text NOT NULL
+      )`,
+		`CREATE INDEX IF NOT EXISTS "idx_record_versions_lookup"
+        ON "record_versions" ("model_api_key", "record_id", "version_number" DESC)`,
+		`CREATE TABLE IF NOT EXISTS "editor_tokens" (
+        "id" TEXT PRIMARY KEY,
+        "name" TEXT NOT NULL,
+        "token_prefix" TEXT NOT NULL,
+        "secret_hash" TEXT NOT NULL,
+        "created_at" TEXT NOT NULL DEFAULT (datetime('now')),
+        "last_used_at" TEXT,
+        "expires_at" TEXT
+      )`,
+		`CREATE UNIQUE INDEX IF NOT EXISTS "idx_editor_tokens_secret_hash" ON "editor_tokens" ("secret_hash")`
+	]
+}, {
+	version: 2,
+	statements: [
+		`ALTER TABLE "assets" ADD COLUMN "basename" text`,
+		`ALTER TABLE "assets" ADD COLUMN "format" text`,
+		`UPDATE "assets"
+       SET "basename" = CASE
+         WHEN instr("filename", '.') > 0 THEN substr("filename", 1, length("filename") - length(substr("filename", instr("filename", '.') + 1)) - 1)
+         ELSE "filename"
+       END`,
+		`UPDATE "assets"
+       SET "format" = lower(CASE
+         WHEN instr("filename", '.') > 0 THEN substr("filename", instr("filename", '.') + 1)
+         WHEN instr("mime_type", '/') > 0 THEN substr("mime_type", instr("mime_type", '/') + 1)
+         ELSE 'bin'
+       END)`,
+		`CREATE INDEX IF NOT EXISTS "idx_assets_basename" ON "assets" ("basename")`,
+		`CREATE INDEX IF NOT EXISTS "idx_assets_format" ON "assets" ("format")`
+	]
+}];
+/**
+* Ensure all CMS system tables exist.
+* Uses a _cms_migrations tracking table. Idempotent — safe to call on every request.
+* Fast path: single SELECT after first run.
+*/
+function ensureSchema() {
+	return Effect.gen(function* () {
+		const sql = yield* SqlClient.SqlClient;
+		yield* sql.unsafe(`CREATE TABLE IF NOT EXISTS "_cms_migrations" ("version" integer PRIMARY KEY, "applied_at" text NOT NULL DEFAULT (datetime('now')))`);
+		const applied = yield* sql.unsafe("SELECT version FROM _cms_migrations");
+		const appliedSet = new Set(applied.map((r) => r.version));
+		for (const migration of MIGRATIONS) {
+			if (appliedSet.has(migration.version)) continue;
+			for (const stmt of migration.statements) yield* sql.unsafe(stmt);
+			yield* sql.unsafe("INSERT INTO _cms_migrations (version) VALUES (?)", [migration.version]);
+		}
+	});
+}
+//#endregion
+//#region src/attribution.ts
+const ACTOR_TYPE_HEADER = "X-Cms-Actor-Type";
+const ACTOR_LABEL_HEADER = "X-Cms-Actor-Label";
+const ACTOR_TOKEN_ID_HEADER = "X-Cms-Actor-Token-Id";
+function actorHeaders(actor) {
+	if (!actor) return {};
+	const headers = {
+		[ACTOR_TYPE_HEADER]: actor.type,
+		[ACTOR_LABEL_HEADER]: actor.label
+	};
+	if (actor.tokenId) headers[ACTOR_TOKEN_ID_HEADER] = actor.tokenId;
+	return headers;
+}
+function actorFromHeaders(headers) {
+	const type = headers.get(ACTOR_TYPE_HEADER);
+	const label = headers.get(ACTOR_LABEL_HEADER);
+	if (type !== "admin" && type !== "editor" || !label) return null;
+	return {
+		type,
+		label,
+		tokenId: headers.get(ACTOR_TOKEN_ID_HEADER)
+	};
+}
+//#endregion
+//#region src/http/router.ts
+function describeUnknown(error) {
+	if (error instanceof Error) return `${error.name}: ${error.message}`;
+	if (typeof error === "string") return error;
+	try {
+		return JSON.stringify(error);
+	} catch {
+		return String(error);
+	}
+}
+function getRequestIdFromHeaders(headers) {
+	return headers.get("x-request-id") ?? headers.get("cf-ray") ?? crypto.randomUUID();
+}
+/** Helper: run a CMS Effect and return an HTTP response */
+function handle(effect, status = 200) {
+	return effect.pipe(Effect.flatMap((result) => HttpServerResponse.json(result, { status })), Effect.tapErrorCause((cause) => Effect.logError("REST effect failed", Cause.pretty(cause))), Effect.catchAll((error) => {
+		if (isCmsError(error)) {
+			const mapped = errorToResponse(error);
+			return HttpServerResponse.json(mapped.body, { status: mapped.status });
+		}
+		return Effect.logError("Unhandled REST error").pipe(Effect.annotateLogs({ error: describeUnknown(error) }), Effect.zipRight(HttpServerResponse.json({ error: "Internal server error" }, { status: 500 })));
+	}), Effect.catchAllDefect((defect) => {
+		return Effect.logError("REST defect").pipe(Effect.annotateLogs({ defect: describeUnknown(defect) }), Effect.zipRight(HttpServerResponse.json({ error: "Internal server error" }, { status: 500 })));
+	}));
+}
+/** Extract a required path parameter, defaulting to empty string if missing */
+function param(params, name) {
+	return params[name] ?? "";
+}
+/** Get query param */
+function queryParam(name) {
+	return Effect.gen(function* () {
+		const req = yield* HttpServerRequest.HttpServerRequest;
+		return new URL(req.url, "http://localhost").searchParams.get(name) ?? "";
+	});
+}
+function decodeUnknownInput(schema, input, message = "Invalid input") {
+	return Schema.decodeUnknown(schema)(input).pipe(Effect.mapError((e) => new ValidationError({ message: `${message}: ${e.message}` })));
+}
+function readJsonBody(message = "Invalid JSON body") {
+	return Effect.gen(function* () {
+		return yield* (yield* HttpServerRequest.HttpServerRequest).json.pipe(Effect.mapError((e) => new ValidationError({ message: `${message}: ${describeUnknown(e)}` })));
+	});
+}
+function currentActor() {
+	return Effect.gen(function* () {
+		const req = yield* HttpServerRequest.HttpServerRequest;
+		return actorFromHeaders(new Headers(req.headers));
+	});
+}
+const modelsRouter = HttpRouter.empty.pipe(HttpRouter.get("/", handle(listModels())), HttpRouter.post("/", Effect.gen(function* () {
+	return yield* handle(createModel(yield* decodeUnknownInput(CreateModelInput, yield* readJsonBody())), 201);
+})), HttpRouter.get("/:id", Effect.gen(function* () {
+	return yield* handle(getModel(param(yield* HttpRouter.params, "id")));
+})), HttpRouter.patch("/:id", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const input = yield* decodeUnknownInput(UpdateModelInput, yield* readJsonBody());
+	return yield* handle(updateModel(param(params, "id"), input));
+})), HttpRouter.del("/:id", Effect.gen(function* () {
+	return yield* handle(deleteModel(param(yield* HttpRouter.params, "id")));
+})));
+const fieldsRouter = HttpRouter.empty.pipe(HttpRouter.get("/models/:modelId/fields", Effect.gen(function* () {
+	return yield* handle(listFields(param(yield* HttpRouter.params, "modelId")));
+})), HttpRouter.post("/models/:modelId/fields", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const input = yield* decodeUnknownInput(CreateFieldInput, yield* readJsonBody());
+	return yield* handle(createField(param(params, "modelId"), input), 201);
+})), HttpRouter.patch("/models/:modelId/fields/:fieldId", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const input = yield* decodeUnknownInput(UpdateFieldInput, yield* readJsonBody());
+	return yield* handle(updateField(param(params, "fieldId"), input));
+})), HttpRouter.del("/models/:modelId/fields/:fieldId", Effect.gen(function* () {
+	return yield* handle(deleteField(param(yield* HttpRouter.params, "fieldId")));
+})));
+const recordsRouter = HttpRouter.empty.pipe(HttpRouter.post("/records/bulk", Effect.gen(function* () {
+	return yield* handle(bulkCreateRecords(yield* decodeUnknownInput(BulkCreateRecordsInput, yield* readJsonBody()), yield* currentActor()), 201);
+})), HttpRouter.post("/records", Effect.gen(function* () {
+	return yield* handle(createRecord(yield* decodeUnknownInput(CreateRecordInput, yield* readJsonBody()), yield* currentActor()), 201);
+})), HttpRouter.get("/records", Effect.gen(function* () {
+	return yield* handle(listRecords(yield* queryParam("modelApiKey")));
+})), HttpRouter.get("/records/:id/versions", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	return yield* handle(listVersions(yield* queryParam("modelApiKey"), param(params, "id")));
+})), HttpRouter.get("/records/:id/versions/:versionId", Effect.gen(function* () {
+	return yield* handle(getVersion(param(yield* HttpRouter.params, "versionId")));
+})), HttpRouter.post("/records/:id/versions/:versionId/restore", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const modelApiKey = yield* queryParam("modelApiKey");
+	const actor = yield* currentActor();
+	return yield* handle(restoreVersion(modelApiKey, param(params, "id"), param(params, "versionId"), actor));
+})), HttpRouter.get("/records/:id", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	return yield* handle(getRecord(yield* queryParam("modelApiKey"), param(params, "id")));
+})), HttpRouter.patch("/records/:id", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const input = yield* decodeUnknownInput(PatchRecordInput, yield* readJsonBody());
+	const actor = yield* currentActor();
+	return yield* handle(patchRecord(param(params, "id"), input, actor));
+})), HttpRouter.patch("/records/:id/blocks", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const body = yield* readJsonBody();
+	return yield* handle(patchBlocksForField(yield* decodeUnknownInput(PatchBlocksInput, typeof body === "object" && body !== null ? {
+		...body,
+		recordId: param(params, "id")
+	} : { recordId: param(params, "id") }), yield* currentActor()));
+})), HttpRouter.del("/records/:id", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	return yield* handle(removeRecord(yield* queryParam("modelApiKey"), param(params, "id")));
+})), HttpRouter.post("/records/:id/publish", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const modelApiKey = yield* queryParam("modelApiKey");
+	const actor = yield* currentActor();
+	return yield* handle(publishRecord(modelApiKey, param(params, "id"), actor));
+})), HttpRouter.post("/records/:id/unpublish", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const modelApiKey = yield* queryParam("modelApiKey");
+	const actor = yield* currentActor();
+	return yield* handle(unpublishRecord(modelApiKey, param(params, "id"), actor));
+})), HttpRouter.post("/records/:id/schedule-publish", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const input = yield* decodeUnknownInput(ScheduleRecordInput, yield* readJsonBody());
+	const actor = yield* currentActor();
+	return yield* handle(schedulePublish(input.modelApiKey, param(params, "id"), input.at, actor));
+})), HttpRouter.post("/records/:id/schedule-unpublish", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const input = yield* decodeUnknownInput(ScheduleRecordInput, yield* readJsonBody());
+	const actor = yield* currentActor();
+	return yield* handle(scheduleUnpublish(input.modelApiKey, param(params, "id"), input.at, actor));
+})), HttpRouter.post("/records/:id/clear-schedule", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const body = yield* readJsonBody();
+	const input = yield* decodeUnknownInput(Schema.Struct({ modelApiKey: Schema.NonEmptyString }), body);
+	const actor = yield* currentActor();
+	return yield* handle(clearSchedule(input.modelApiKey, param(params, "id"), actor));
+})), HttpRouter.post("/reorder", Effect.gen(function* () {
+	const rawBody = yield* readJsonBody();
+	return yield* handle(Effect.gen(function* () {
+		const { modelApiKey, recordIds } = yield* decodeUnknownInput(ReorderInput, rawBody);
+		return yield* reorderRecords(modelApiKey, recordIds, yield* currentActor());
+	}));
+})));
+const assetsRouter = HttpRouter.empty.pipe(HttpRouter.get("/", Effect.gen(function* () {
+	const req = yield* HttpServerRequest.HttpServerRequest;
+	const url = new URL(req.url, "http://localhost");
+	const q = url.searchParams.get("q");
+	const limit = url.searchParams.get("limit");
+	const offset = url.searchParams.get("offset");
+	if (q !== null || limit !== null || offset !== null) {
+		const parsed = yield* decodeUnknownInput(SearchAssetsInput, {
+			query: q ?? void 0,
+			limit: limit !== null ? Number(limit) : void 0,
+			offset: offset !== null ? Number(offset) : void 0
+		}, "Invalid asset search input");
+		return yield* handle(searchAssets({
+			query: parsed.query,
+			limit: Math.min(parsed.limit, 100),
+			offset: parsed.offset
+		}));
+	}
+	return yield* handle(listAssets());
+})), HttpRouter.post("/", Effect.gen(function* () {
+	return yield* handle(createAsset(yield* decodeUnknownInput(CreateAssetInput, yield* readJsonBody()), yield* currentActor()), 201);
+})), HttpRouter.get("/:id", Effect.gen(function* () {
+	return yield* handle(getAsset(param(yield* HttpRouter.params, "id")));
+})), HttpRouter.put("/:id", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const input = yield* decodeUnknownInput(CreateAssetInput, yield* readJsonBody());
+	const actor = yield* currentActor();
+	return yield* handle(replaceAsset(param(params, "id"), input, actor));
+})), HttpRouter.patch("/:id", Effect.gen(function* () {
+	const params = yield* HttpRouter.params;
+	const input = yield* decodeUnknownInput(UpdateAssetMetadataInput, yield* readJsonBody());
+	const actor = yield* currentActor();
+	return yield* handle(updateAssetMetadata(param(params, "id"), input, actor));
+})), HttpRouter.del("/:id", Effect.gen(function* () {
+	return yield* handle(deleteAsset(param(yield* HttpRouter.params, "id")));
+})));
+const localesRouter = HttpRouter.empty.pipe(HttpRouter.get("/", handle(listLocales())), HttpRouter.post("/", Effect.gen(function* () {
+	return yield* handle(createLocale(yield* decodeUnknownInput(CreateLocaleInput, yield* readJsonBody())), 201);
+})), HttpRouter.del("/:id", Effect.gen(function* () {
+	return yield* handle(deleteLocale(param(yield* HttpRouter.params, "id")));
+})));
+const schemaRouter = HttpRouter.empty.pipe(HttpRouter.get("/", handle(exportSchema())), HttpRouter.post("/", Effect.gen(function* () {
+	return yield* handle(importSchema(yield* decodeUnknownInput(ImportSchemaInput, yield* readJsonBody())), 201);
+})));
+const searchRouter = HttpRouter.empty.pipe(HttpRouter.post("/", Effect.gen(function* () {
+	return yield* handle(search(yield* decodeUnknownInput(SearchInput, yield* readJsonBody(), "Invalid search input")));
+})), HttpRouter.post("/reindex", Effect.gen(function* () {
+	const modelApiKey = (yield* decodeUnknownInput(ReindexSearchInput, yield* readJsonBody())).modelApiKey;
+	return yield* handle(reindexAll(modelApiKey));
+})));
+const tokensRouter = HttpRouter.empty.pipe(HttpRouter.get("/", handle(listEditorTokens())), HttpRouter.post("/", Effect.gen(function* () {
+	return yield* handle(createEditorToken(yield* decodeUnknownInput(CreateEditorTokenInput, yield* readJsonBody())), 201);
+})), HttpRouter.del("/:id", Effect.gen(function* () {
+	return yield* handle(revokeEditorToken(param(yield* HttpRouter.params, "id")));
+})));
+const setupRouter = HttpRouter.empty.pipe(HttpRouter.post("/setup", handle(ensureSchema().pipe(Effect.as({ ok: true })))));
+const healthRouter = HttpRouter.empty.pipe(HttpRouter.get("/health", HttpServerResponse.json({ status: "ok" })));
+const appRouter = HttpRouter.empty.pipe(HttpRouter.concat(healthRouter), HttpRouter.concat(modelsRouter.pipe(HttpRouter.prefixAll("/api/models"))), HttpRouter.concat(fieldsRouter.pipe(HttpRouter.prefixAll("/api"))), HttpRouter.concat(recordsRouter.pipe(HttpRouter.prefixAll("/api"))), HttpRouter.concat(assetsRouter.pipe(HttpRouter.prefixAll("/api/assets"))), HttpRouter.concat(localesRouter.pipe(HttpRouter.prefixAll("/api/locales"))), HttpRouter.concat(schemaRouter.pipe(HttpRouter.prefixAll("/api/schema"))), HttpRouter.concat(searchRouter.pipe(HttpRouter.prefixAll("/api/search"))), HttpRouter.concat(tokensRouter.pipe(HttpRouter.prefixAll("/api/tokens"))), HttpRouter.concat(setupRouter.pipe(HttpRouter.prefixAll("/api"))));
+function createWebHandler(sqlLayer, options) {
+	const vectorizeLayer = Layer.succeed(VectorizeContext, options?.ai && options.vectorize ? Option.some({
+		ai: options.ai,
+		vectorize: options.vectorize
+	}) : Option.none());
+	const hooksLayer = Layer.succeed(HooksContext, options?.hooks ? Option.some(options.hooks) : Option.none());
+	const fullLayer = Layer.mergeAll(sqlLayer, vectorizeLayer, hooksLayer, Logger.json);
+	const runLoggedEffect = (effect) => {
+		Effect.runFork(effect.pipe(Effect.provide(fullLayer), Effect.orDie));
+	};
+	const logInfo = (message, fields) => {
+		runLoggedEffect(Effect.logInfo(message).pipe(Effect.annotateLogs(fields)));
+	};
+	const logError = (message, fields) => {
+		runLoggedEffect(Effect.logError(message).pipe(Effect.annotateLogs(fields)));
+	};
+	const restApp = Effect.flatten(HttpRouter.toHttpApp(appRouter)).pipe(Effect.catchAll((error) => {
+		if (isCmsError(error)) {
+			const mapped = errorToResponse(error);
+			return HttpServerResponse.json(mapped.body, { status: mapped.status });
+		}
+		if (error instanceof HttpServerError.RouteNotFound) return HttpServerResponse.json({ error: "Not found" }, { status: 404 });
+		return Effect.logError("REST handler error").pipe(Effect.annotateLogs({ error: describeUnknown(error) }), Effect.zipRight(HttpServerResponse.json({ error: "Internal server error" }, { status: 500 })));
+	}), Effect.provide(fullLayer));
+	const restHandler = HttpApp.toWebHandler(restApp);
+	let graphqlInstance = null;
+	let mcpHandler = null;
+	let graphqlModulePromise = null;
+	let mcpEditorHandler = null;
+	function invalidateGraphqlSchemaCache() {
+		if (graphqlInstance) graphqlInstance.invalidateSchema();
+	}
+	async function getGraphqlInstance() {
+		if (!graphqlInstance) {
+			if (!graphqlModulePromise) graphqlModulePromise = import("./handler-ClOW1ldA.mjs");
+			graphqlInstance = (await graphqlModulePromise).createGraphQLHandler(sqlLayer, {
+				assetBaseUrl: options?.assetBaseUrl,
+				isProduction: options?.isProduction
+			});
+		}
+		return graphqlInstance;
+	}
+	async function runScheduledTransitions$1(now = /* @__PURE__ */ new Date()) {
+		const result = await Effect.runPromise(runScheduledTransitions(now).pipe(Effect.withSpan("schedule.run_transitions"), Effect.annotateLogs({ now: now.toISOString() }), Effect.provide(fullLayer)));
+		if (result.published.length > 0 || result.unpublished.length > 0) invalidateGraphqlSchemaCache();
+		return result;
+	}
+	function isSchemaMutationRequest(url, method) {
+		if (![
+			"POST",
+			"PATCH",
+			"DELETE"
+		].includes(method)) return false;
+		return url.pathname.startsWith("/api/models") || url.pathname.startsWith("/api/locales") || url.pathname.startsWith("/api/schema") || url.pathname === "/api/setup";
+	}
+	/** Add CORS headers to a response */
+	function withCors(response, request) {
+		const origin = request.headers.get("Origin") ?? "*";
+		const headers = new Headers(response.headers);
+		headers.set("Access-Control-Allow-Origin", origin);
+		headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS");
+		headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Include-Drafts, X-Exclude-Invalid, X-Filename, X-Requested-With, Accept, User-Agent");
+		headers.set("Access-Control-Max-Age", "600");
+		return new Response(response.body, {
+			status: response.status,
+			statusText: response.statusText,
+			headers
+		});
+	}
+	/**
+	* Extract Bearer token from Authorization header.
+	* Accepts: "Bearer <token>" or raw "<token>"
+	*/
+	function getBearerToken(request) {
+		const header = request.headers.get("Authorization");
+		if (!header) return null;
+		if (header.startsWith("Bearer ")) return header.slice(7);
+		return header;
+	}
+	/**
+	* Check if a request is authorized for write access.
+	* If no writeKey is configured, all requests are allowed (local dev).
+	* When adminOnly is true, only writeKey is accepted (not editor tokens).
+	*/
+	async function checkWriteAuth(request, adminOnly = false) {
+		if (!options?.writeKey) return null;
+		const token = getBearerToken(request);
+		if (token === options.writeKey) return null;
+		if (adminOnly) return new UnauthorizedError({ message: "Unauthorized. This endpoint requires admin (writeKey) access." });
+		if (token && token.startsWith("etk_")) try {
+			await Effect.runPromise(validateEditorToken(token).pipe(Effect.provide(fullLayer)));
+			return null;
+		} catch {
+			return new UnauthorizedError({ message: "Unauthorized. Invalid or expired editor token." });
+		}
+		return new UnauthorizedError({ message: "Unauthorized. Provide a valid write API key or editor token via Authorization: Bearer <key>" });
+	}
+	async function getRequestActor(request) {
+		if (!options?.writeKey) return {
+			type: "admin",
+			label: "admin"
+		};
+		const token = getBearerToken(request);
+		if (token === options.writeKey) return {
+			type: "admin",
+			label: "admin"
+		};
+		if (token && token.startsWith("etk_")) try {
+			const editorToken = await Effect.runPromise(validateEditorToken(token).pipe(Effect.provide(fullLayer)));
+			return {
+				type: "editor",
+				label: editorToken.name,
+				tokenId: editorToken.id
+			};
+		} catch {
+			return null;
+		}
+		return null;
+	}
+	async function getCredentialType(request) {
+		return (await getRequestActor(request))?.type ?? null;
+	}
+	const fetchHandler = async (request) => {
+		const requestId = getRequestIdFromHeaders(request.headers);
+		const headers = new Headers(request.headers);
+		headers.set("x-request-id", requestId);
+		let instrumentedRequest = new Request(request, { headers });
+		const startedAt = Date.now();
+		const finish = (response) => {
+			const corsResponse = withCors(response, instrumentedRequest);
+			const responseHeaders = new Headers(corsResponse.headers);
+			responseHeaders.set("x-request-id", requestId);
+			const wrapped = new Response(corsResponse.body, {
+				status: corsResponse.status,
+				statusText: corsResponse.statusText,
+				headers: responseHeaders
+			});
+			const durationMs = Date.now() - startedAt;
+			if (wrapped.status >= 500 || instrumentedRequest.url.includes("/api/assets/")) {
+				const logFields = {
+					requestId,
+					method: instrumentedRequest.method,
+					path: new URL(instrumentedRequest.url).pathname,
+					status: wrapped.status,
+					durationMs
+				};
+				if (wrapped.status >= 500) logError("worker request completed", logFields);
+				else logInfo("worker request completed", logFields);
+			}
+			return wrapped;
+		};
+		try {
+			if (instrumentedRequest.method === "OPTIONS") return finish(new Response(null, { status: 204 }));
+			const url = new URL(instrumentedRequest.url);
+			if (url.pathname.startsWith("/assets/") && options?.r2Bucket) {
+				const assetId = url.pathname.replace("/assets/", "").split("/")[0];
+				if (assetId) {
+					const r2Key = await Effect.runPromise(Effect.gen(function* () {
+						return (yield* (yield* SqlClient.SqlClient).unsafe("SELECT r2_key FROM assets WHERE id = ?", [assetId]))[0]?.r2_key ?? null;
+					}).pipe(Effect.provide(fullLayer), Effect.orDie));
+					if (r2Key) {
+						const object = await options.r2Bucket.get(r2Key);
+						if (object) {
+							const headers = new Headers();
+							headers.set("Content-Type", object.httpMetadata?.contentType || "application/octet-stream");
+							headers.set("Cache-Control", "public, max-age=31536000, immutable");
+							return finish(new Response(object.body, { headers }));
+						}
+					}
+				}
+				return finish(new Response("Not found", { status: 404 }));
+			}
+			if (url.pathname === "/health") return finish(new Response(JSON.stringify({ status: "ok" }), { headers: { "Content-Type": "application/json" } }));
+			if (url.pathname === "/graphql") {
+				const credentialType = await getCredentialType(instrumentedRequest);
+				const h = new Headers(instrumentedRequest.headers);
+				if (credentialType) h.set("X-Credential-Type", credentialType);
+				else h.delete("X-Credential-Type");
+				instrumentedRequest = new Request(instrumentedRequest, { headers: h });
+			} else if (url.pathname === "/mcp") {
+				if ((await getRequestActor(instrumentedRequest))?.type === "editor") return finish(new Response(JSON.stringify({ error: "Unauthorized. Editor tokens must use /mcp/editor." }), {
+					status: 401,
+					headers: { "Content-Type": "application/json" }
+				}));
+				const denied = await checkWriteAuth(instrumentedRequest, true);
+				if (denied) {
+					const mapped = errorToResponse(denied);
+					return finish(new Response(JSON.stringify(mapped.body), {
+						status: mapped.status,
+						headers: { "Content-Type": "application/json" }
+					}));
+				}
+			} else if (url.pathname === "/mcp/editor") {
+				const denied = await checkWriteAuth(instrumentedRequest, false);
+				if (denied) {
+					const mapped = errorToResponse(denied);
+					return finish(new Response(JSON.stringify(mapped.body), {
+						status: mapped.status,
+						headers: { "Content-Type": "application/json" }
+					}));
+				}
+			} else if (url.pathname.startsWith("/api/")) {
+				const adminOnly = isSchemaMutationRequest(url, instrumentedRequest.method) || url.pathname.startsWith("/api/tokens");
+				const denied = await checkWriteAuth(instrumentedRequest, adminOnly);
+				if (denied) {
+					const mapped = errorToResponse(denied);
+					return finish(new Response(JSON.stringify(mapped.body), {
+						status: mapped.status,
+						headers: { "Content-Type": "application/json" }
+					}));
+				}
+				const actor = await getRequestActor(instrumentedRequest);
+				const h = new Headers(instrumentedRequest.headers);
+				for (const [key, value] of Object.entries(actorHeaders(actor))) h.set(key, value);
+				instrumentedRequest = new Request(instrumentedRequest, { headers: h });
+			}
+			if (url.pathname === "/mcp") {
+				const { createMcpHttpHandler } = await import("./http-transport-DbFCI6Cs.mjs");
+				const actor = await getRequestActor(instrumentedRequest);
+				return finish(await (actor?.type === "admin" ? mcpHandler ??= createMcpHttpHandler(fullLayer, {
+					mode: "admin",
+					path: "/mcp",
+					r2Bucket: options?.r2Bucket,
+					assetBaseUrl: options?.assetBaseUrl,
+					actor
+				}) : createMcpHttpHandler(fullLayer, {
+					mode: "admin",
+					path: "/mcp",
+					r2Bucket: options?.r2Bucket,
+					assetBaseUrl: options?.assetBaseUrl,
+					actor
+				}))(instrumentedRequest));
+			}
+			if (url.pathname === "/mcp/editor") {
+				const { createMcpHttpHandler } = await import("./http-transport-DbFCI6Cs.mjs");
+				const actor = await getRequestActor(instrumentedRequest);
+				return finish(await (actor?.type === "editor" ? createMcpHttpHandler(fullLayer, {
+					mode: "editor",
+					path: "/mcp/editor",
+					r2Bucket: options?.r2Bucket,
+					assetBaseUrl: options?.assetBaseUrl,
+					actor
+				}) : mcpEditorHandler ??= createMcpHttpHandler(fullLayer, {
+					mode: "editor",
+					path: "/mcp/editor",
+					r2Bucket: options?.r2Bucket,
+					assetBaseUrl: options?.assetBaseUrl,
+					actor
+				}))(instrumentedRequest));
+			}
+			if (url.pathname === "/graphql") {
+				const traceEnabled = instrumentedRequest.headers.get("X-Bench-Trace") === "1" || instrumentedRequest.headers.get("X-Debug-Sql") === "true";
+				let graphqlImportMs = 0;
+				let graphqlInitMs = 0;
+				let graphqlImportCache = "hit";
+				let graphqlInitCache = "hit";
+				if (!graphqlInstance) {
+					graphqlInitCache = "miss";
+					if (!graphqlModulePromise) {
+						graphqlImportCache = "miss";
+						const importStartedAt = performance.now();
+						graphqlModulePromise = import("./handler-ClOW1ldA.mjs").then((module) => {
+							graphqlImportMs = Number((performance.now() - importStartedAt).toFixed(3));
+							return module;
+						});
+					}
+					const module = await graphqlModulePromise;
+					const initStartedAt = performance.now();
+					graphqlInstance = module.createGraphQLHandler(sqlLayer, {
+						assetBaseUrl: options?.assetBaseUrl,
+						isProduction: options?.isProduction
+					});
+					graphqlInitMs = Number((performance.now() - initStartedAt).toFixed(3));
+				}
+				const response = await graphqlInstance.handle(instrumentedRequest);
+				if (!traceEnabled) return finish(response);
+				const headers = new Headers(response.headers);
+				headers.set("X-Cms-Graphql-Import-Ms", graphqlImportMs.toFixed(3));
+				headers.set("X-Cms-Graphql-Import-Cache", graphqlImportCache);
+				headers.set("X-Cms-Graphql-Init-Ms", graphqlInitMs.toFixed(3));
+				headers.set("X-Cms-Graphql-Init-Cache", graphqlInitCache);
+				return finish(new Response(response.body, {
+					status: response.status,
+					statusText: response.statusText,
+					headers
+				}));
+			}
+			if (url.pathname === "/api/assets/upload-url" && instrumentedRequest.method === "POST") {
+				if (!options?.r2Credentials) return finish(new Response(JSON.stringify({ error: "Presigned uploads not configured" }), {
+					status: 501,
+					headers: { "Content-Type": "application/json" }
+				}));
+				const body = await instrumentedRequest.json();
+				const parsed = Schema.decodeUnknownSync(CreateUploadUrlInput)(body);
+				const { S3Client, PutObjectCommand } = await import("@aws-sdk/client-s3");
+				const { getSignedUrl } = await import("@aws-sdk/s3-request-presigner");
+				const creds = options.r2Credentials;
+				const assetId = crypto.randomUUID();
+				const r2Key = `uploads/${assetId}/${parsed.filename}`;
+				const uploadUrl = await getSignedUrl(new S3Client({
+					region: "auto",
+					endpoint: `https://${creds.accountId}.r2.cloudflarestorage.com`,
+					credentials: {
+						accessKeyId: creds.accessKeyId,
+						secretAccessKey: creds.secretAccessKey
+					}
+				}), new PutObjectCommand({
+					Bucket: creds.bucketName,
+					Key: r2Key,
+					ContentType: parsed.mimeType
+				}), { expiresIn: 3600 });
+				return finish(new Response(JSON.stringify({
+					uploadUrl,
+					r2Key,
+					assetId
+				}), {
+					status: 200,
+					headers: { "Content-Type": "application/json" }
+				}));
+			}
+			if (url.pathname.match(/^\/api\/assets\/[^/]+\/file$/) && instrumentedRequest.method === "PUT") {
+				if (!options?.r2Bucket) return finish(new Response(JSON.stringify({ error: "R2 bucket not configured" }), {
+					status: 501,
+					headers: { "Content-Type": "application/json" }
+				}));
+				const assetId = url.pathname.split("/")[3];
+				const contentType = instrumentedRequest.headers.get("Content-Type") ?? "application/octet-stream";
+				const r2Key = `uploads/${assetId}/${instrumentedRequest.headers.get("X-Filename") ?? "upload"}`;
+				const body = await instrumentedRequest.arrayBuffer();
+				await options.r2Bucket.put(r2Key, body, { httpMetadata: { contentType } });
+				return finish(new Response(JSON.stringify({
+					r2Key,
+					assetId
+				}), {
+					status: 200,
+					headers: { "Content-Type": "application/json" }
+				}));
+			}
+			const response = await restHandler(instrumentedRequest);
+			if (response.status < 400 && isSchemaMutationRequest(url, instrumentedRequest.method)) invalidateGraphqlSchemaCache();
+			return finish(response);
+		} catch (error) {
+			logError("worker request crashed", {
+				requestId,
+				method: instrumentedRequest.method,
+				path: new URL(instrumentedRequest.url).pathname,
+				error: describeUnknown(error)
+			});
+			return finish(new Response(JSON.stringify({ error: "Internal server error" }), {
+				status: 500,
+				headers: { "Content-Type": "application/json" }
+			}));
+		}
+	};
+	return {
+		fetch: fetchHandler,
+		async execute(query, variables, context) {
+			return (await getGraphqlInstance()).execute(query, variables, context);
+		},
+		runScheduledTransitions: runScheduledTransitions$1
+	};
+}
+//#endregion
+//#region src/config-schema.ts
+const RuntimeObject = Schema.Unknown.pipe(Schema.filter((value) => typeof value === "object" && value !== null, { message: () => "Expected runtime binding object" }));
+const OptionalNonEmptyString = Schema.optional(Schema.NonEmptyTrimmedString);
+const AssetBaseUrl = Schema.String.pipe(Schema.filter((value) => {
+	try {
+		new URL(value);
+		return true;
+	} catch {
+		return false;
+	}
+}, { message: () => "assetBaseUrl must be a valid URL" }));
+const RawCmsBindingsSchema = Schema.Struct({
+	db: RuntimeObject,
+	assets: Schema.optional(RuntimeObject),
+	environment: Schema.optional(Schema.Literal("production", "development")),
+	assetBaseUrl: Schema.optional(AssetBaseUrl),
+	writeKey: OptionalNonEmptyString,
+	ai: Schema.optional(RuntimeObject),
+	vectorize: Schema.optional(RuntimeObject),
+	r2AccessKeyId: OptionalNonEmptyString,
+	r2SecretAccessKey: OptionalNonEmptyString,
+	r2BucketName: OptionalNonEmptyString,
+	cfAccountId: OptionalNonEmptyString
+}).pipe(Schema.filter((bindings) => {
+	return bindings.ai !== void 0 === (bindings.vectorize !== void 0);
+}, { message: () => "ai and vectorize bindings must be configured together" }), Schema.filter((bindings) => {
+	const r2Fields = [
+		bindings.r2AccessKeyId,
+		bindings.r2SecretAccessKey,
+		bindings.r2BucketName,
+		bindings.cfAccountId
+	];
+	const presentCount = r2Fields.filter((value) => value !== void 0).length;
+	return presentCount === 0 || presentCount === r2Fields.length;
+}, { message: () => "R2 credentials must include r2AccessKeyId, r2SecretAccessKey, r2BucketName, and cfAccountId together" }));
+function formatConfigParseError(error) {
+	return ParseResult.ArrayFormatter.formatErrorSync(error).map((issue) => issue.path.length > 0 ? `${issue.path.join(".")}: ${issue.message}` : issue.message).join("; ");
+}
+function decodeCmsBindings(input) {
+	const decoded = Schema.decodeUnknownEither(RawCmsBindingsSchema)(input);
+	if (decoded._tag === "Left") throw new Error(`Invalid CMS bindings: ${formatConfigParseError(decoded.left)}`);
+	const bindings = decoded.right;
+	return {
+		db: bindings.db,
+		assets: bindings.assets,
+		environment: bindings.environment,
+		assetBaseUrl: bindings.assetBaseUrl,
+		writeKey: bindings.writeKey,
+		ai: bindings.ai,
+		vectorize: bindings.vectorize,
+		r2Credentials: bindings.r2AccessKeyId ? {
+			accessKeyId: bindings.r2AccessKeyId,
+			secretAccessKey: bindings.r2SecretAccessKey,
+			bucketName: bindings.r2BucketName,
+			accountId: bindings.cfAccountId
+		} : void 0
+	};
+}
+//#endregion
+//#region src/admin-client.ts
+function trimTrailingSlash$1(input) {
+	return input.replace(/\/$/, "");
+}
+async function readJsonOrError(response) {
+	if ((response.headers.get("content-type") ?? "").includes("application/json")) return response.json();
+	return { error: await response.text() };
+}
+function createCmsAdminClient(config) {
+	const endpoint = trimTrailingSlash$1(config.endpoint);
+	const fetchFn = config.fetch ?? globalThis.fetch;
+	async function request(path, init) {
+		const headers = new Headers(init?.headers);
+		headers.set("Authorization", `Bearer ${config.writeKey}`);
+		if (init?.body && !headers.has("Content-Type")) headers.set("Content-Type", "application/json");
+		const response = await fetchFn(`${endpoint}${path}`, {
+			...init,
+			headers
+		});
+		if (!response.ok) {
+			const errorPayload = await readJsonOrError(response);
+			const message = typeof errorPayload === "object" && errorPayload !== null && "error" in errorPayload ? String(errorPayload.error) : `Request failed with status ${response.status}`;
+			throw new Error(message);
+		}
+		return response;
+	}
+	return {
+		async createEditorToken(input) {
+			return (await request("/api/tokens", {
+				method: "POST",
+				body: JSON.stringify(input)
+			})).json();
+		},
+		async listEditorTokens() {
+			return (await request("/api/tokens")).json();
+		},
+		async revokeEditorToken(id) {
+			return (await request(`/api/tokens/${id}`, { method: "DELETE" })).json();
+		}
+	};
+}
+//#endregion
+//#region src/editor-mcp-proxy.ts
+function trimTrailingSlash(input) {
+	return input.replace(/\/$/, "");
+}
+function ensureLeadingSlash(input) {
+	return input.startsWith("/") ? input : `/${input}`;
+}
+function base64UrlEncodeBytes(bytes) {
+	return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function base64UrlEncodeText(input) {
+	return base64UrlEncodeBytes(new TextEncoder().encode(input));
+}
+function base64UrlDecodeText(input) {
+	const normalized = input.replace(/-/g, "+").replace(/_/g, "/");
+	const padded = normalized + "=".repeat((4 - normalized.length % 4) % 4);
+	const decoded = atob(padded);
+	const bytes = Uint8Array.from(decoded, (char) => char.charCodeAt(0));
+	return new TextDecoder().decode(bytes);
+}
+async function importHmacKey(secret) {
+	return crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign", "verify"]);
+}
+async function signJwt(secret, claims) {
+	const key = await importHmacKey(secret);
+	const message = `${base64UrlEncodeText(JSON.stringify({
+		alg: "HS256",
+		typ: "JWT"
+	}))}.${base64UrlEncodeText(JSON.stringify(claims))}`;
+	const signature = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(message));
+	return `${message}.${base64UrlEncodeBytes(new Uint8Array(signature))}`;
+}
+async function verifyJwt(secret, token) {
+	const [header, payload, signature] = token.split(".");
+	if (!header || !payload || !signature) return null;
+	const key = await importHmacKey(secret);
+	const message = `${header}.${payload}`;
+	const signatureBytes = Uint8Array.from(atob(signature.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - signature.length % 4) % 4)), (char) => char.charCodeAt(0));
+	if (!await crypto.subtle.verify("HMAC", key, signatureBytes, new TextEncoder().encode(message))) return null;
+	const claims = JSON.parse(base64UrlDecodeText(payload));
+	if (claims.exp <= Math.floor(Date.now() / 1e3)) return null;
+	return claims;
+}
+async function sha256Base64Url(input) {
+	const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(input));
+	return base64UrlEncodeBytes(new Uint8Array(digest));
+}
+function jsonResponse(body, status = 200) {
+	return new Response(JSON.stringify(body), {
+		status,
+		headers: { "Content-Type": "application/json" }
+	});
+}
+function redirectResponse(url) {
+	return new Response(null, {
+		status: 302,
+		headers: { Location: url.toString() }
+	});
+}
+function unauthorizedForMcp(resourceMetadataUrl) {
+	return new Response(JSON.stringify({ error: "Unauthorized" }), {
+		status: 401,
+		headers: {
+			"Content-Type": "application/json",
+			"WWW-Authenticate": `Bearer resource_metadata="${resourceMetadataUrl}"`
+		}
+	});
+}
+function cloneHeadersWithoutAuthorization(headers) {
+	const cloned = new Headers(headers);
+	cloned.delete("authorization");
+	return cloned;
+}
+function parseBearerToken(request) {
+	const header = request.headers.get("authorization");
+	if (!header) return null;
+	return header.startsWith("Bearer ") ? header.slice(7) : header;
+}
+function appendPathToUrl(base, path) {
+	return `${trimTrailingSlash(base)}${ensureLeadingSlash(path)}`;
+}
+function getPathname(request) {
+	return new URL(request.url).pathname;
+}
+function createEditorMcpProxy(config) {
+	const appBaseUrl = trimTrailingSlash(config.appBaseUrl);
+	const cmsBaseUrl = trimTrailingSlash(config.cmsBaseUrl);
+	const mountPath = ensureLeadingSlash(config.mountPath ?? "/editor-access");
+	const fetchFn = config.fetch ?? globalThis.fetch;
+	const oauthTokenTtlSeconds = config.oauthTokenTtlSeconds ?? 3600;
+	const cmsTokenTtlSeconds = config.cmsTokenTtlSeconds ?? 3600;
+	const issuer = appendPathToUrl(appBaseUrl, mountPath);
+	const paths = {
+		mountPath,
+		issuer,
+		mcpPath: `${mountPath}/mcp`,
+		authorizationPath: `${mountPath}/authorize`,
+		tokenPath: `${mountPath}/token`,
+		registrationPath: `${mountPath}/register`,
+		oauthAuthorizationServerMetadataPath: `/.well-known/oauth-authorization-server${mountPath}`,
+		protectedResourceMetadataPath: `/.well-known/oauth-protected-resource${mountPath}/mcp`
+	};
+	const resourceUrl = appendPathToUrl(appBaseUrl, paths.mcpPath);
+	const protectedResourceMetadataUrl = appendPathToUrl(appBaseUrl, paths.protectedResourceMetadataPath);
+	const cmsAdmin = createCmsAdminClient({
+		endpoint: cmsBaseUrl,
+		writeKey: config.cmsWriteKey,
+		fetch: fetchFn
+	});
+	async function handleAuthorize(request) {
+		const editor = await config.getEditor(request);
+		if (!editor) {
+			const loginUrl = new URL(config.getLoginUrl(request), appBaseUrl);
+			loginUrl.searchParams.set("returnTo", request.url);
+			return redirectResponse(loginUrl);
+		}
+		const url = new URL(request.url);
+		const responseType = url.searchParams.get("response_type");
+		const clientId = url.searchParams.get("client_id");
+		const redirectUri = url.searchParams.get("redirect_uri");
+		const codeChallenge = url.searchParams.get("code_challenge");
+		const codeChallengeMethod = url.searchParams.get("code_challenge_method");
+		const state = url.searchParams.get("state");
+		const resource = url.searchParams.get("resource") ?? resourceUrl;
+		const scope = url.searchParams.get("scope") ?? "editor:mcp";
+		if (responseType !== "code" || !clientId || !redirectUri || !codeChallenge || codeChallengeMethod !== "S256") return jsonResponse({ error: "Invalid authorization request" }, 400);
+		const cmsToken = await cmsAdmin.createEditorToken({
+			name: editor.name,
+			expiresIn: cmsTokenTtlSeconds
+		});
+		const code = await signJwt(config.oauthSecret, {
+			sub: editor.id,
+			name: editor.name,
+			client_id: clientId,
+			redirect_uri: redirectUri,
+			code_challenge: codeChallenge,
+			code_challenge_method: "S256",
+			resource,
+			scope,
+			cms_token: cmsToken.token,
+			exp: Math.floor(Date.now() / 1e3) + 120
+		});
+		const redirectUrl = new URL(redirectUri);
+		redirectUrl.searchParams.set("code", code);
+		if (state) redirectUrl.searchParams.set("state", state);
+		return redirectResponse(redirectUrl);
+	}
+	async function handleToken(request) {
+		const body = await request.formData();
+		const grantType = body.get("grant_type");
+		const code = body.get("code");
+		const clientId = body.get("client_id");
+		const redirectUri = body.get("redirect_uri");
+		const codeVerifier = body.get("code_verifier");
+		if (grantType !== "authorization_code" || typeof code !== "string" || typeof clientId !== "string" || typeof redirectUri !== "string" || typeof codeVerifier !== "string") return jsonResponse({ error: "invalid_request" }, 400);
+		const claims = await verifyJwt(config.oauthSecret, code);
+		if (!claims || claims.client_id !== clientId || claims.redirect_uri !== redirectUri || await sha256Base64Url(codeVerifier) !== claims.code_challenge) return jsonResponse({ error: "invalid_grant" }, 400);
+		return jsonResponse({
+			access_token: await signJwt(config.oauthSecret, {
+				sub: claims.sub,
+				name: claims.name,
+				resource: claims.resource,
+				scope: claims.scope,
+				cms_token: claims.cms_token,
+				exp: Math.floor(Date.now() / 1e3) + oauthTokenTtlSeconds
+			}),
+			token_type: "Bearer",
+			expires_in: oauthTokenTtlSeconds,
+			scope: claims.scope
+		});
+	}
+	async function handleRegister(request) {
+		const metadata = await request.json();
+		const clientId = metadata.client_id || `editor-mcp-${crypto.randomUUID()}`;
+		return jsonResponse({
+			...metadata,
+			client_id: clientId,
+			client_id_issued_at: Math.floor(Date.now() / 1e3),
+			token_endpoint_auth_method: "none",
+			grant_types: ["authorization_code"],
+			response_types: ["code"]
+		});
+	}
+	async function handleMcp(request) {
+		const accessToken = parseBearerToken(request);
+		if (!accessToken) return unauthorizedForMcp(protectedResourceMetadataUrl);
+		const claims = await verifyJwt(config.oauthSecret, accessToken);
+		if (!claims || claims.resource !== resourceUrl) return unauthorizedForMcp(protectedResourceMetadataUrl);
+		const upstreamUrl = new URL(cmsBaseUrl + "/mcp/editor");
+		const upstreamRequest = new Request(upstreamUrl, {
+			method: request.method,
+			headers: cloneHeadersWithoutAuthorization(request.headers),
+			body: request.body,
+			duplex: "half",
+			redirect: "manual"
+		});
+		upstreamRequest.headers.set("Authorization", `Bearer ${claims.cms_token}`);
+		return fetchFn(upstreamRequest);
+	}
+	async function handle(request) {
+		const pathname = getPathname(request);
+		if (pathname === paths.oauthAuthorizationServerMetadataPath) return jsonResponse({
+			issuer,
+			authorization_endpoint: appendPathToUrl(appBaseUrl, paths.authorizationPath),
+			token_endpoint: appendPathToUrl(appBaseUrl, paths.tokenPath),
+			registration_endpoint: appendPathToUrl(appBaseUrl, paths.registrationPath),
+			response_types_supported: ["code"],
+			grant_types_supported: ["authorization_code"],
+			token_endpoint_auth_methods_supported: ["none"],
+			code_challenge_methods_supported: ["S256"],
+			scopes_supported: ["editor:mcp"]
+		});
+		if (pathname === paths.protectedResourceMetadataPath) return jsonResponse({
+			resource: resourceUrl,
+			authorization_servers: [issuer],
+			bearer_methods_supported: ["header"],
+			scopes_supported: ["editor:mcp"],
+			resource_name: config.resourceName ?? "agent-cms editor MCP proxy"
+		});
+		if (pathname === paths.authorizationPath) return handleAuthorize(request);
+		if (pathname === paths.tokenPath && request.method === "POST") return handleToken(request);
+		if (pathname === paths.registrationPath && request.method === "POST") return handleRegister(request);
+		if (pathname === paths.mcpPath) return handleMcp(request);
+		return new Response("Not found", { status: 404 });
+	}
+	return {
+		paths,
+		fetch: handle
+	};
+}
+//#endregion
+//#region src/index.ts
+const objectIds = /* @__PURE__ */ new WeakMap();
+let nextObjectId = 1;
+const handlerCache = /* @__PURE__ */ new Map();
+function getObjectId(value) {
+	if (!value) return 0;
+	const existing = objectIds.get(value);
+	if (existing) return existing;
+	const id = nextObjectId++;
+	objectIds.set(value, id);
+	return id;
+}
+function cacheKey(bindings, hooks) {
+	return [
+		getObjectId(bindings.db),
+		getObjectId(bindings.assets),
+		getObjectId(bindings.ai),
+		getObjectId(bindings.vectorize),
+		getObjectId(hooks),
+		bindings.environment ?? "",
+		bindings.assetBaseUrl ?? "",
+		bindings.writeKey ?? "",
+		bindings.r2Credentials?.accessKeyId ?? "",
+		bindings.r2Credentials?.bucketName ?? "",
+		bindings.r2Credentials?.accountId ?? ""
+	].join("|");
+}
+/**
+* Create the agent-cms fetch handler.
+*
+* Usage in your Worker's src/index.ts:
+* ```typescript
+* import { createCMSHandler } from "agent-cms";
+*
+* export default {
+*   fetch: (request, env) => getHandler(env).fetch(request),
+*   scheduled: (_controller, env) => getHandler(env).runScheduledTransitions(),
+* };
+*
+* let cachedHandler: ReturnType<typeof createCMSHandler> | null = null;
+*
+* function getHandler(env: Env) {
+*   if (!cachedHandler) {
+*     cachedHandler = createCMSHandler({
+*       bindings: {
+*         db: env.DB,
+*         assets: env.ASSETS,
+*         environment: env.ENVIRONMENT,
+*         assetBaseUrl: env.ASSET_BASE_URL,
+*         writeKey: env.CMS_WRITE_KEY,
+*         ai: env.AI,
+*         vectorize: env.VECTORIZE,
+*       },
+*     });
+*   }
+*   return cachedHandler;
+* }
+* ```
+*/
+function createCMSHandler(config) {
+	const decodedBindings = decodeCmsBindings(config.bindings);
+	const key = cacheKey(decodedBindings, config.hooks);
+	const cached = handlerCache.get(key);
+	if (cached) return cached;
+	const handler = createCMSHandlerUncached(decodedBindings, config.hooks);
+	handlerCache.set(key, handler);
+	return handler;
+}
+function createCMSHandlerUncached(bindings, hooks) {
+	const webHandler = createWebHandler(D1Client.layer({ db: bindings.db }).pipe(Layer.orDie), {
+		assetBaseUrl: bindings.assetBaseUrl,
+		isProduction: bindings.environment === "production",
+		writeKey: bindings.writeKey,
+		r2Bucket: bindings.assets,
+		ai: bindings.ai,
+		vectorize: bindings.vectorize,
+		hooks,
+		r2Credentials: bindings.r2Credentials
+	});
+	return {
+		fetch: (request) => webHandler.fetch(request),
+		execute: webHandler.execute,
+		runScheduledTransitions: (now) => webHandler.runScheduledTransitions(now)
+	};
+}
+//#endregion
+export { createCMSHandler, createCmsAdminClient, createEditorMcpProxy };
+
+//# sourceMappingURL=index.mjs.map