kernelcms 0.1.0 → 0.2.0

package/dist/bin.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   serve
-} from "./chunk-Z2RKB4LF.js";
+} from "./chunk-TBZIZTVM.js";
 import {
   generateTypes,
   initKernel
@@ -93,10 +93,12 @@ async function run(argv) {
       const server = await serve(kernel, {
         port,
         apiKey: process.env.KERNEL_API_KEY,
-        cors: true
+        cors: true,
+        admin: true
       });
       console.log(`
   KernelCMS dev server`);
+      console.log(`  \u279C  Admin:  ${server.url}/admin`);
       console.log(`  \u279C  API:    ${server.url}${kernel.config.routes.api}`);
       console.log(`  \u279C  Health: ${server.url}${kernel.config.routes.api}/health`);
       console.log(`  \u279C  Collections: ${kernel.config.collections.map((c) => c.slug).join(", ") || "(none)"}`);

package/dist/chunk-TBZIZTVM.js

@@ -0,0 +1,725 @@
+import {
+  BadRequestError,
+  ForbiddenError,
+  NotFoundError,
+  UnauthorizedError,
+  describeConfig,
+  isKernelError
+} from "./chunk-O5TO5JFA.js";
+
+// ../server/src/index.ts
+import { createServer } from "http";
+
+// ../server/src/admin-ui.ts
+var CSS = `
+:root {
+  --bg: #ffffff; --fg: #111827; --muted: #6b7280; --line: #e5e7eb;
+  --line-2: #f3f4f6; --accent: #111827; --accent-fg: #ffffff;
+  --danger: #b91c1c; --radius: 12px; --shadow: 0 1px 2px rgba(16,24,40,.04), 0 4px 16px rgba(16,24,40,.06);
+}
+* { box-sizing: border-box; }
+html, body { margin: 0; height: 100%; }
+body {
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+  color: var(--fg); background: var(--bg); -webkit-font-smoothing: antialiased; font-size: 14px; line-height: 1.5;
+}
+#app { min-height: 100%; }
+.muted { color: var(--muted); }
+.err { color: var(--danger); font-size: 13px; min-height: 18px; }
+.help { display: block; color: var(--muted); font-size: 12px; margin-top: 4px; }
+.spacer { flex: 1; }
+
+/* buttons + inputs */
+.btn {
+  appearance: none; border: 1px solid var(--accent); background: var(--accent); color: var(--accent-fg);
+  font: inherit; font-weight: 550; padding: 9px 16px; border-radius: 9px; cursor: pointer; transition: opacity .15s ease;
+}
+.btn:hover { opacity: .88; }
+.btn:disabled { opacity: .5; cursor: default; }
+.btn.ghost { background: transparent; color: var(--fg); border-color: var(--line); }
+.btn.danger { background: transparent; color: var(--danger); border-color: var(--line); }
+input, textarea, select {
+  font: inherit; color: var(--fg); width: 100%; padding: 9px 11px; border: 1px solid var(--line);
+  border-radius: 9px; background: #fff; outline: none; transition: border-color .15s ease, box-shadow .15s ease;
+}
+input:focus, textarea:focus, select:focus { border-color: #9ca3af; box-shadow: 0 0 0 3px rgba(17,24,39,.06); }
+textarea { resize: vertical; }
+textarea.mono { font-family: ui-monospace, SFMono-Regular, Menlo, monospace; font-size: 13px; }
+input[type=checkbox] { width: auto; }
+.fld { display: block; margin-bottom: 16px; }
+.fld .lbl { display: block; font-weight: 550; margin-bottom: 6px; font-size: 13px; }
+.opts { display: flex; flex-wrap: wrap; gap: 8px 18px; }
+.opt { display: inline-flex; align-items: center; gap: 6px; font-weight: 400; }
+
+/* auth screen */
+.auth-wrap { min-height: 100vh; display: grid; place-items: center; padding: 24px; background: #fafafa; }
+.card { width: 100%; max-width: 380px; background: #fff; border: 1px solid var(--line); border-radius: var(--radius); padding: 32px; box-shadow: var(--shadow); }
+.brand { font-weight: 650; letter-spacing: -.01em; }
+.card h1 { font-size: 20px; margin: 18px 0 4px; letter-spacing: -.02em; }
+.card .sub { color: var(--muted); margin: 0 0 22px; }
+.form .btn { width: 100%; margin-top: 6px; }
+
+/* app shell */
+.shell { display: flex; flex-direction: column; min-height: 100vh; }
+.top { display: flex; align-items: center; gap: 14px; padding: 14px 22px; border-bottom: 1px solid var(--line); }
+.top .who { color: var(--muted); font-size: 13px; }
+.body { display: flex; flex: 1; align-items: stretch; }
+.side { width: 232px; border-right: 1px solid var(--line); padding: 18px 12px; background: #fcfcfc; }
+.nav-h { font-size: 11px; text-transform: uppercase; letter-spacing: .06em; color: var(--muted); padding: 14px 10px 6px; }
+.nav-i { display: block; padding: 8px 10px; border-radius: 8px; color: var(--fg); text-decoration: none; cursor: pointer; }
+.nav-i:hover { background: var(--line-2); }
+.nav-i.active { background: #eef2f7; font-weight: 550; }
+.main { flex: 1; padding: 26px 32px; max-width: 920px; }
+.page-h { display: flex; align-items: center; gap: 12px; margin-bottom: 20px; }
+.page-h h2 { font-size: 18px; margin: 0; letter-spacing: -.01em; }
+.back { color: var(--muted); cursor: pointer; text-decoration: none; }
+.back:hover { color: var(--fg); }
+
+/* table */
+.tablewrap { border: 1px solid var(--line); border-radius: var(--radius); overflow: hidden; }
+.tbl { width: 100%; border-collapse: collapse; }
+.tbl th { text-align: left; font-size: 12px; color: var(--muted); font-weight: 550; padding: 11px 16px; background: #fcfcfc; border-bottom: 1px solid var(--line); }
+.tbl td { padding: 12px 16px; border-bottom: 1px solid var(--line-2); }
+.tbl tbody tr:last-child td { border-bottom: none; }
+.tbl tbody tr.row { cursor: pointer; }
+.tbl tbody tr.row:hover { background: #fafafa; }
+.tbl td:last-child { color: var(--muted); text-align: right; width: 1px; }
+
+.editor { max-width: 640px; }
+.actions { display: flex; gap: 10px; margin-top: 8px; }
+`;
+var APP = `
+var K = window.__KERNEL__; var API = K.api; var ADMIN = K.admin;
+var TOKEN_KEY = "kernelcms.token";
+var state = { schema: null, status: null, user: null, activeNav: null };
+
+function getToken() { return localStorage.getItem(TOKEN_KEY); }
+function setToken(t) { if (t) localStorage.setItem(TOKEN_KEY, t); else localStorage.removeItem(TOKEN_KEY); }
+
+function el(tag, attrs, kids) {
+  var n = document.createElement(tag);
+  if (attrs) for (var k in attrs) {
+    var v = attrs[k];
+    if (v == null) continue;
+    if (k === "class") n.className = v;
+    else if (k === "text") n.textContent = v;
+    else if (k.slice(0, 2) === "on") n.addEventListener(k.slice(2).toLowerCase(), v);
+    else if (k === "value") n.value = v;
+    else if (k === "checked") n.checked = !!v;
+    else n.setAttribute(k, v);
+  }
+  if (kids != null) {
+    var arr = Array.isArray(kids) ? kids : [kids];
+    for (var i = 0; i < arr.length; i++) {
+      var c = arr[i];
+      if (c == null) continue;
+      n.appendChild(typeof c === "string" ? document.createTextNode(c) : c);
+    }
+  }
+  return n;
+}
+function mount(node) { var a = document.getElementById("app"); a.textContent = ""; a.appendChild(node); }
+function field(label, input, help) {
+  return el("label", { class: "fld" }, [el("span", { class: "lbl", text: label }), input, help ? el("span", { class: "help", text: help }) : null]);
+}
+
+function api(method, path, body) {
+  var headers = { "Content-Type": "application/json" };
+  var t = getToken(); if (t) headers["Authorization"] = "Bearer " + t;
+  return fetch(API + path, { method: method, headers: headers, body: body === undefined ? undefined : JSON.stringify(body) })
+    .then(function (res) {
+      return res.text().then(function (txt) {
+        var data = txt ? JSON.parse(txt) : null;
+        if (!res.ok) {
+          if (res.status === 401) { setToken(null); go("/login"); }
+          var m = data && data.error ? data.error.message : "HTTP " + res.status;
+          throw new Error(m);
+        }
+        return data;
+      });
+    });
+}
+
+function go(path) { history.pushState({}, "", path); render(); }
+window.addEventListener("popstate", render);
+
+function render() {
+  api("GET", "/_admin/status").then(function (status) {
+    state.status = status;
+    var path = location.pathname;
+    if (!getToken()) {
+      if (path !== "/login") history.replaceState({}, "", "/login");
+      return authScreen();
+    }
+    if (path === "/login") history.replaceState({}, "", ADMIN);
+    if (status.authCollection) {
+      return api("GET", "/" + status.authCollection + "/me")
+        .then(function (r) { state.user = r.user; appScreen(); })
+        .catch(function () { setToken(null); authScreen(); });
+    }
+    return appScreen();
+  }).catch(function (ex) {
+    mount(el("div", { class: "auth-wrap" }, el("div", { class: "card" }, el("p", { class: "err", text: ex.message }))));
+  });
+}
+
+function authScreen() {
+  var isSetup = state.status.needsSetup;
+  var err = el("div", { class: "err" });
+  var email = el("input", { type: "email", placeholder: "you@example.com", autocomplete: "username" });
+  var pw = el("input", { type: "password", placeholder: "Password", autocomplete: isSetup ? "new-password" : "current-password" });
+  var confirm = isSetup ? el("input", { type: "password", placeholder: "Confirm password", autocomplete: "new-password" }) : null;
+  var btn = el("button", { class: "btn", text: isSetup ? "Create account" : "Sign in" });
+  function submit() {
+    err.textContent = "";
+    var e = email.value.trim(), p = pw.value;
+    if (!e || !p) { err.textContent = "Email and password are required."; return; }
+    if (isSetup && p !== confirm.value) { err.textContent = "Passwords do not match."; return; }
+    if (isSetup && p.length < 8) { err.textContent = "Password must be at least 8 characters."; return; }
+    btn.disabled = true; btn.textContent = "Please wait\\u2026";
+    var path = isSetup ? "/_admin/setup" : "/" + state.status.authCollection + "/login";
+    api("POST", path, { email: e, password: p }).then(function (res) {
+      setToken(res.token); state.user = res.user; go(ADMIN);
+    }).catch(function (ex) {
+      err.textContent = ex.message; btn.disabled = false; btn.textContent = isSetup ? "Create account" : "Sign in";
+    });
+  }
+  btn.addEventListener("click", submit);
+  [email, pw, confirm].forEach(function (i) { if (i) i.addEventListener("keydown", function (ev) { if (ev.key === "Enter") submit(); }); });
+  var card = el("div", { class: "card" }, [
+    el("div", { class: "brand", text: "KernelCMS" }),
+    el("h1", { text: isSetup ? "Create admin account" : "Sign in" }),
+    el("p", { class: "sub", text: isSetup ? "Set up the first administrator to get started." : "Welcome back." }),
+    el("div", { class: "form" }, [
+      field("Email", email), field("Password", pw), confirm ? field("Confirm password", confirm) : null, err, btn,
+    ]),
+  ]);
+  mount(el("div", { class: "auth-wrap" }, card));
+}
+
+function appScreen() {
+  api("GET", "/_config").then(function (schema) {
+    state.schema = schema;
+    var cols = schema.collections.filter(function (c) { return !c.hidden; });
+    var nav = el("nav", { class: "nav" });
+    nav.appendChild(el("div", { class: "nav-h", text: "Collections" }));
+    cols.forEach(function (c) {
+      nav.appendChild(el("a", { class: "nav-i", "data-key": "c:" + c.slug, onClick: function () { selectCollection(c.slug); } }, c.labels.plural));
+    });
+    if (schema.globals.length) {
+      nav.appendChild(el("div", { class: "nav-h", text: "Globals" }));
+      schema.globals.forEach(function (g) {
+        nav.appendChild(el("a", { class: "nav-i", "data-key": "g:" + g.slug, onClick: function () { selectGlobal(g.slug); } }, g.label));
+      });
+    }
+    var top = el("header", { class: "top" }, [
+      el("div", { class: "brand", text: "KernelCMS" }),
+      el("div", { class: "spacer" }),
+      el("span", { class: "who", text: state.user ? state.user.email : "" }),
+      el("button", { class: "btn ghost", text: "Sign out", onClick: function () { setToken(null); state.user = null; go("/login"); } }),
+    ]);
+    var main = el("main", { class: "main" });
+    state._main = main; state._nav = nav;
+    mount(el("div", { class: "shell" }, [top, el("div", { class: "body" }, [el("aside", { class: "side" }, nav), main])]));
+    if (cols[0]) selectCollection(cols[0].slug);
+    else if (schema.globals[0]) selectGlobal(schema.globals[0].slug);
+    else main.appendChild(el("p", { class: "muted", text: "No collections configured." }));
+  }).catch(function (ex) {
+    mount(el("div", { class: "auth-wrap" }, el("div", { class: "card" }, el("p", { class: "err", text: ex.message }))));
+  });
+}
+
+function setActive(key) {
+  state.activeNav = key;
+  var items = state._nav.querySelectorAll(".nav-i");
+  for (var i = 0; i < items.length; i++) items[i].classList.toggle("active", items[i].getAttribute("data-key") === key);
+}
+
+function collBySlug(slug) { return state.schema.collections.filter(function (c) { return c.slug === slug; })[0]; }
+
+function selectCollection(slug) {
+  setActive("c:" + slug);
+  var coll = collBySlug(slug);
+  var main = state._main; main.textContent = "";
+  main.appendChild(el("div", { class: "page-h" }, [
+    el("h2", { text: coll.labels.plural }),
+    el("div", { class: "spacer" }),
+    el("button", { class: "btn", text: "New " + coll.labels.singular, onClick: function () { openEditor(coll, null); } }),
+  ]));
+  var wrap = el("div", { class: "tablewrap" }, el("p", { class: "muted", text: "Loading\\u2026" }));
+  main.appendChild(wrap);
+  api("GET", "/" + slug + "?limit=100").then(function (res) {
+    wrap.textContent = "";
+    if (!res.docs.length) { wrap.appendChild(el("p", { class: "muted", text: "No records yet." })); return; }
+    var title = coll.useAsTitle;
+    var head = el("tr", null, [el("th", { text: title }), el("th", { text: "Updated" }), el("th", { text: "" })]);
+    var tb = el("tbody");
+    res.docs.forEach(function (doc) {
+      var t = doc[title]; if (t == null || t === "") t = "(untitled)";
+      tb.appendChild(el("tr", { class: "row", onClick: function () { openEditor(coll, doc.id); } }, [
+        el("td", { text: String(t) }),
+        el("td", { text: doc.updatedAt ? new Date(doc.updatedAt).toLocaleString() : "" }),
+        el("td", { text: "\\u203A" }),
+      ]));
+    });
+    wrap.appendChild(el("table", { class: "tbl" }, [el("thead", null, head), tb]));
+  }).catch(function (ex) { wrap.textContent = ""; wrap.appendChild(el("p", { class: "err", text: ex.message })); });
+}
+
+function inputForField(f, value) {
+  var t = f.type;
+  if (t === "textarea" || t === "richText" || t === "code") { var ta = el("textarea", { rows: "6" }); ta.value = value != null ? String(value) : ""; return ta; }
+  if (t === "json") { var tj = el("textarea", { rows: "6", class: "mono" }); tj.value = value != null ? JSON.stringify(value, null, 2) : ""; return tj; }
+  if (t === "boolean" || t === "checkbox") { return el("input", { type: "checkbox", checked: !!value }); }
+  if (t === "number") { var nn = el("input", { type: "number" }); if (value != null) nn.value = String(value); return nn; }
+  if (t === "date") { var dd = el("input", { type: "datetime-local" }); if (value) dd.value = toLocalInput(value); return dd; }
+  if (t === "select" || t === "radio") {
+    if (f.hasMany) {
+      var box = el("div", { class: "opts" });
+      (f.options || []).forEach(function (o) {
+        var cb = el("input", { type: "checkbox", value: o.value });
+        if (Array.isArray(value) && value.indexOf(o.value) >= 0) cb.checked = true;
+        box.appendChild(el("label", { class: "opt" }, [cb, document.createTextNode(o.label)]));
+      });
+      box.setAttribute("data-multi", "1");
+      return box;
+    }
+    var s = el("select");
+    s.appendChild(el("option", { value: "", text: "\\u2014" }));
+    (f.options || []).forEach(function (o) {
+      var op = el("option", { value: o.value, text: o.label });
+      if (value === o.value) op.selected = true;
+      s.appendChild(op);
+    });
+    return s;
+  }
+  if (t === "password") { return el("input", { type: "password", placeholder: "\\u2022\\u2022\\u2022\\u2022\\u2022\\u2022\\u2022\\u2022" }); }
+  var inp = el("input", { type: t === "email" ? "email" : "text" });
+  if (value != null && typeof value !== "object") inp.value = String(value);
+  return inp;
+}
+
+function readField(f, input) {
+  var t = f.type;
+  if (t === "boolean" || t === "checkbox") return input.checked;
+  if (t === "number") return input.value === "" ? undefined : Number(input.value);
+  if (t === "json") { if (input.value.trim() === "") return undefined; return JSON.parse(input.value); }
+  if (t === "date") return input.value ? new Date(input.value).toISOString() : undefined;
+  if ((t === "select" || t === "radio") && f.hasMany) {
+    var vals = []; var cbs = input.querySelectorAll("input[type=checkbox]");
+    for (var i = 0; i < cbs.length; i++) if (cbs[i].checked) vals.push(cbs[i].value);
+    return vals;
+  }
+  if (t === "password") return input.value === "" ? undefined : input.value;
+  var v = input.value; return v === "" ? undefined : v;
+}
+
+function openEditor(coll, id) {
+  var isNew = !id;
+  var main = state._main; main.textContent = "";
+  main.appendChild(el("div", { class: "page-h" }, [
+    el("a", { class: "back", text: "\\u2039 " + coll.labels.plural, onClick: function () { selectCollection(coll.slug); } }),
+    el("h2", { text: isNew ? "New " + coll.labels.singular : "Edit " + coll.labels.singular }),
+  ]));
+  var wrap = el("div", { class: "editor" }); main.appendChild(wrap);
+  function build(doc) {
+    wrap.textContent = "";
+    var inputs = {};
+    coll.fields.forEach(function (f) {
+      if (f.name === "id") return;
+      var input = inputForField(f, doc ? doc[f.name] : undefined);
+      inputs[f.name] = { f: f, input: input };
+      wrap.appendChild(field(f.label + (f.required ? " *" : ""), input, f.admin && f.admin.description));
+    });
+    var err = el("div", { class: "err" });
+    var save = el("button", { class: "btn", text: isNew ? "Create" : "Save changes" });
+    var del = isNew ? null : el("button", { class: "btn danger", text: "Delete" });
+    save.addEventListener("click", function () {
+      err.textContent = ""; var payload = {};
+      try { for (var k in inputs) { var val = readField(inputs[k].f, inputs[k].input); if (val !== undefined) payload[k] = val; } }
+      catch (ex) { err.textContent = "Invalid JSON: " + ex.message; return; }
+      save.disabled = true; save.textContent = "Saving\\u2026";
+      var p = isNew ? api("POST", "/" + coll.slug, payload) : api("PATCH", "/" + coll.slug + "/" + id, payload);
+      p.then(function () { selectCollection(coll.slug); })
+       .catch(function (ex) { err.textContent = ex.message; save.disabled = false; save.textContent = isNew ? "Create" : "Save changes"; });
+    });
+    if (del) del.addEventListener("click", function () {
+      if (!window.confirm("Delete this record? This cannot be undone.")) return;
+      api("DELETE", "/" + coll.slug + "/" + id).then(function () { selectCollection(coll.slug); })
+        .catch(function (ex) { err.textContent = ex.message; });
+    });
+    wrap.appendChild(err);
+    wrap.appendChild(el("div", { class: "actions" }, [save, del]));
+  }
+  if (isNew) build(null);
+  else {
+    wrap.appendChild(el("p", { class: "muted", text: "Loading\\u2026" }));
+    api("GET", "/" + coll.slug + "/" + id).then(build)
+      .catch(function (ex) { wrap.textContent = ""; wrap.appendChild(el("p", { class: "err", text: ex.message })); });
+  }
+}
+
+function selectGlobal(slug) {
+  setActive("g:" + slug);
+  var g = state.schema.globals.filter(function (x) { return x.slug === slug; })[0];
+  var main = state._main; main.textContent = "";
+  main.appendChild(el("div", { class: "page-h" }, el("h2", { text: g.label })));
+  var wrap = el("div", { class: "editor" }, el("p", { class: "muted", text: "Loading\\u2026" }));
+  main.appendChild(wrap);
+  api("GET", "/globals/" + slug).then(function (doc) {
+    wrap.textContent = ""; var inputs = {};
+    g.fields.forEach(function (f) {
+      var input = inputForField(f, doc ? doc[f.name] : undefined);
+      inputs[f.name] = { f: f, input: input };
+      wrap.appendChild(field(f.label, input, f.admin && f.admin.description));
+    });
+    var err = el("div", { class: "err" });
+    var save = el("button", { class: "btn", text: "Save changes" });
+    save.addEventListener("click", function () {
+      err.textContent = ""; var payload = {};
+      try { for (var k in inputs) { var val = readField(inputs[k].f, inputs[k].input); if (val !== undefined) payload[k] = val; } }
+      catch (ex) { err.textContent = "Invalid JSON: " + ex.message; return; }
+      save.disabled = true; save.textContent = "Saving\\u2026";
+      api("POST", "/globals/" + slug, payload).then(function () {
+        save.disabled = false; save.textContent = "Saved \\u2713"; setTimeout(function () { save.textContent = "Save changes"; }, 1400);
+      }).catch(function (ex) { err.textContent = ex.message; save.disabled = false; save.textContent = "Save changes"; });
+    });
+    wrap.appendChild(err);
+    wrap.appendChild(el("div", { class: "actions" }, save));
+  }).catch(function (ex) { wrap.textContent = ""; wrap.appendChild(el("p", { class: "err", text: ex.message })); });
+}
+
+function toLocalInput(v) {
+  try {
+    var d = new Date(v); function p(n) { return ("0" + n).slice(-2); }
+    return d.getFullYear() + "-" + p(d.getMonth() + 1) + "-" + p(d.getDate()) + "T" + p(d.getHours()) + ":" + p(d.getMinutes());
+  } catch (e) { return ""; }
+}
+
+render();
+`;
+function renderAdminPage(opts) {
+  const cfg = JSON.stringify({ api: opts.apiBase, admin: opts.adminBase });
+  return '<!doctype html>\n<html lang="en">\n<head>\n<meta charset="utf-8" />\n<meta name="viewport" content="width=device-width, initial-scale=1" />\n<meta name="robots" content="noindex" />\n<title>KernelCMS Admin</title>\n<style>' + CSS + '</style>\n</head>\n<body>\n<div id="app"></div>\n<script>window.__KERNEL__ = ' + cfg + ';</script>\n<script type="module">' + APP + "</script>\n</body>\n</html>\n";
+}
+
+// ../server/src/index.ts
+function authCollectionSlug(kernel) {
+  const configured = kernel.config.admin?.user;
+  if (configured && kernel.config.collectionsBySlug[configured]?.auth) return configured;
+  const found = kernel.config.collections.find((c) => c.auth);
+  return found ? found.slug : null;
+}
+function adminBaseOf(options) {
+  if (!options.admin) return null;
+  if (options.admin === true) return "/admin";
+  return options.admin.path ?? "/admin";
+}
+function html(body, status = 200) {
+  return new Response(body, { status, headers: { "content-type": "text/html; charset=utf-8" } });
+}
+function createRequestHandler(kernel, options = {}) {
+  const apiBase = kernel.config.routes.api;
+  const adminBase = adminBaseOf(options);
+  return async function handle(request) {
+    if (request.method === "OPTIONS") return withCors(new Response(null, { status: 204 }), options, request);
+    if (adminBase && request.method === "GET") {
+      const { pathname } = new URL(request.url);
+      if (pathname === "/") return withCors(new Response(null, { status: 302, headers: { location: adminBase } }), options, request);
+      if (pathname === "/login" || pathname === adminBase || pathname.startsWith(adminBase + "/")) {
+        return withCors(html(renderAdminPage({ apiBase, adminBase })), options, request);
+      }
+    }
+    try {
+      const response = await route(kernel, options, request, apiBase);
+      return withCors(response, options, request);
+    } catch (err) {
+      return withCors(errorResponse(err), options, request);
+    }
+  };
+}
+async function route(kernel, options, request, apiBase) {
+  const url = new URL(request.url);
+  if (!url.pathname.startsWith(apiBase)) {
+    return json({ error: { code: "NOT_FOUND", message: `No route for ${url.pathname}` } }, 404);
+  }
+  const segments = url.pathname.slice(apiBase.length).split("/").filter(Boolean);
+  const { user, overrideAccess } = await resolveAuth(kernel, options, request);
+  const locale = url.searchParams.get("locale") ?? void 0;
+  const depth = toNum(url.searchParams.get("depth"));
+  const base = { req: { user, ...locale ? { locale } : {} }, overrideAccess, ...depth !== void 0 ? { depth } : {} };
+  const method = request.method;
+  if (segments.length === 0) {
+    return json({
+      name: "KernelCMS",
+      collections: kernel.config.collections.map((c) => c.slug),
+      globals: kernel.config.globals.map((g) => g.slug)
+    });
+  }
+  if (segments.length === 1 && segments[0] === "health") {
+    const health = await kernel.db.health();
+    return json({ status: "ok", db: health }, health.status === "ok" ? 200 : 503);
+  }
+  if (segments.length === 1 && segments[0] === "_config") {
+    return json(describeConfig(kernel.config));
+  }
+  if (segments[0] === "_admin") {
+    const slug = authCollectionSlug(kernel);
+    if (segments[1] === "status" && segments.length === 2 && method === "GET") {
+      const needsSetup = slug ? await kernel.count({ collection: slug, overrideAccess: true }) === 0 : false;
+      return json({ needsSetup, authCollection: slug });
+    }
+    if (segments[1] === "setup" && segments.length === 2 && method === "POST") {
+      if (!slug) throw new BadRequestError("No auth collection is configured.");
+      const existing = await kernel.count({ collection: slug, overrideAccess: true });
+      if (existing > 0) throw new ForbiddenError("Setup has already been completed.");
+      const body = await readBody(request);
+      const email = String(body.email ?? "");
+      const password = String(body.password ?? "");
+      const collection2 = kernel.config.collectionsBySlug[slug];
+      const data = { email, password };
+      if (collection2?.fields.some((f) => f.name === "roles")) data.roles = ["admin"];
+      await kernel.create({ collection: slug, data, overrideAccess: true });
+      return json(await kernel.login({ collection: slug, email, password }), 201);
+    }
+    return json({ error: { code: "NOT_FOUND", message: `No route for ${url.pathname}` } }, 404);
+  }
+  if (segments[0] === "globals" && segments.length === 2) {
+    const slug = segments[1];
+    if (method === "GET") return json(await kernel.findGlobal({ slug, ...base }));
+    if (method === "POST" || method === "PATCH") {
+      const data = await readBody(request);
+      return json(await kernel.updateGlobal({ slug, data, ...base }));
+    }
+    return methodNotAllowed();
+  }
+  const collection = segments[0];
+  if (segments.length === 2 && (segments[1] === "login" || segments[1] === "me")) {
+    const authColl = kernel.config.collectionsBySlug[collection];
+    if (authColl?.auth) {
+      if (segments[1] === "login" && method === "POST") {
+        const body = await readBody(request);
+        return json(
+          await kernel.login({
+            collection,
+            email: String(body.email ?? ""),
+            password: String(body.password ?? "")
+          })
+        );
+      }
+      if (segments[1] === "me" && method === "GET") {
+        if (!user) throw new UnauthorizedError();
+        return json({ user });
+      }
+    }
+  }
+  if (segments.length === 1) {
+    if (method === "GET") {
+      const result = await kernel.find({
+        collection,
+        where: parseWhere(url.searchParams),
+        sort: url.searchParams.get("sort") ?? void 0,
+        limit: toNum(url.searchParams.get("limit")),
+        page: toNum(url.searchParams.get("page")),
+        ...base
+      });
+      return json(result);
+    }
+    if (method === "POST") {
+      const data = await readBody(request);
+      return json(await kernel.create({ collection, data, ...base }), 201);
+    }
+    return methodNotAllowed();
+  }
+  if (segments.length === 2) {
+    const id = segments[1];
+    if (method === "GET") {
+      const doc = await kernel.findByID({ collection, id, ...base });
+      if (!doc) throw new NotFoundError();
+      return json(doc);
+    }
+    if (method === "PATCH" || method === "PUT") {
+      const data = await readBody(request);
+      const doc = await kernel.update({ collection, id, data, ...base });
+      if (!doc) throw new NotFoundError();
+      return json(doc);
+    }
+    if (method === "DELETE") {
+      const doc = await kernel.delete({ collection, id, ...base });
+      if (!doc) throw new NotFoundError();
+      return json(doc);
+    }
+    return methodNotAllowed();
+  }
+  return json({ error: { code: "NOT_FOUND", message: `No route for ${url.pathname}` } }, 404);
+}
+async function resolveAuth(kernel, options, request) {
+  const auth = request.headers.get("authorization");
+  if (options.apiKey && auth === `Bearer ${options.apiKey}`) {
+    return { user: { id: "system", roles: ["admin"], collection: "system" }, overrideAccess: true };
+  }
+  if (options.getUser) {
+    const user = await options.getUser(request);
+    if (user) return { user, overrideAccess: false };
+  }
+  if (auth?.startsWith("Bearer ")) {
+    const user = await kernel.authenticate(auth.slice("Bearer ".length));
+    if (user) return { user, overrideAccess: false };
+  }
+  return { user: null, overrideAccess: false };
+}
+async function readBody(request) {
+  let parsed;
+  try {
+    parsed = await request.json();
+  } catch {
+    throw new BadRequestError("Request body must be valid JSON.");
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new BadRequestError("Request body must be a JSON object.");
+  }
+  return parsed;
+}
+function coerce(value) {
+  if (value === "true") return true;
+  if (value === "false") return false;
+  if (value === "null") return null;
+  if (value !== "" && /^-?\d+(\.\d+)?$/.test(value)) return Number(value);
+  return value;
+}
+function setDeep(root, path, value) {
+  let node = root;
+  for (let i = 0; i < path.length - 1; i++) {
+    const key = path[i];
+    if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
+    node = node[key];
+  }
+  node[path[path.length - 1]] = value;
+}
+function parseWhere(params) {
+  const raw = params.get("where");
+  if (raw) {
+    try {
+      return JSON.parse(raw);
+    } catch {
+      throw new BadRequestError("`where` must be valid JSON.");
+    }
+  }
+  const root = {};
+  let found = false;
+  for (const [key, value] of params) {
+    if (!key.startsWith("where[")) continue;
+    found = true;
+    const path = key.slice("where".length).split(/[[\]]+/).filter(Boolean);
+    setDeep(root, path, coerce(value));
+  }
+  return found ? root : void 0;
+}
+function json(data, status = 200) {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: { "content-type": "application/json; charset=utf-8" }
+  });
+}
+function methodNotAllowed() {
+  return json({ error: { code: "BAD_REQUEST", message: "Method not allowed." } }, 405);
+}
+function errorResponse(err) {
+  if (isKernelError(err)) {
+    const response = json(err.toJSON(), err.status);
+    const retryAfter = err.retryAfter;
+    if (typeof retryAfter === "number") response.headers.set("retry-after", String(retryAfter));
+    return response;
+  }
+  console.error("[kernel] unhandled error:", err);
+  return json({ error: { code: "INTERNAL", message: "Internal server error." } }, 500);
+}
+function withCors(response, options, request) {
+  if (!options.cors) return response;
+  const origin = request.headers.get("origin");
+  let allow = null;
+  let credentials = false;
+  if (Array.isArray(options.cors)) {
+    if (origin && options.cors.includes(origin)) {
+      allow = origin;
+      credentials = true;
+    }
+  } else {
+    allow = origin ?? "*";
+  }
+  if (!allow) return response;
+  response.headers.set("access-control-allow-origin", allow);
+  if (credentials) response.headers.set("access-control-allow-credentials", "true");
+  response.headers.set("access-control-allow-headers", "Content-Type, Authorization");
+  response.headers.set("access-control-allow-methods", "GET, POST, PATCH, PUT, DELETE, OPTIONS");
+  response.headers.set("vary", "Origin");
+  return response;
+}
+function toNum(value) {
+  if (value === null) return void 0;
+  const n = Number(value);
+  return Number.isNaN(n) ? void 0 : n;
+}
+function toNodeListener(handler) {
+  return (req, res) => {
+    const chunks = [];
+    req.on("data", (chunk) => chunks.push(chunk));
+    req.on("error", () => {
+      res.statusCode = 400;
+      res.end();
+    });
+    req.on("end", () => {
+      void (async () => {
+        const headers = new Headers();
+        for (const [key, value] of Object.entries(req.headers)) {
+          if (typeof value === "string") headers.set(key, value);
+          else if (Array.isArray(value)) headers.set(key, value.join(", "));
+        }
+        const url = `http://${req.headers.host ?? "localhost"}${req.url ?? "/"}`;
+        const method = req.method ?? "GET";
+        const hasBody = method !== "GET" && method !== "HEAD" && chunks.length > 0;
+        const request = new Request(url, {
+          method,
+          headers,
+          body: hasBody ? Buffer.concat(chunks) : void 0
+        });
+        try {
+          const response = await handler(request);
+          res.statusCode = response.status;
+          response.headers.forEach((value, key) => res.setHeader(key, value));
+          const body = Buffer.from(await response.arrayBuffer());
+          res.end(body);
+        } catch (err) {
+          console.error("[kernel] listener error:", err);
+          res.statusCode = 500;
+          res.setHeader("content-type", "application/json");
+          res.end(JSON.stringify({ error: { code: "INTERNAL", message: "Internal server error." } }));
+        }
+      })();
+    });
+  };
+}
+async function serve(kernel, options = {}) {
+  const handler = createRequestHandler(kernel, options);
+  const server = createServer(toNodeListener(handler));
+  const requested = options.port ?? 3e3;
+  await new Promise((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(requested, () => resolve());
+  });
+  const address = server.address();
+  const port = typeof address === "object" && address ? address.port : requested;
+  return {
+    url: `http://localhost:${port}`,
+    port,
+    close: () => new Promise((resolve) => server.close(() => resolve()))
+  };
+}
+
+export {
+  authCollectionSlug,
+  createRequestHandler,
+  parseWhere,
+  toNodeListener,
+  serve
+};

package/dist/server.d.ts

@@ -9,7 +9,16 @@ interface HandlerOptions {
     getUser?: (request: Request) => Promise<AuthUser | null> | AuthUser | null;
     /** CORS: true reflects the request origin; an array allow-lists origins. */
     cors?: boolean | string[];
+    /**
+     * Serve the built-in admin UI. `true` mounts it at `/admin` (and `/login`);
+     * pass `{ path }` to change the base. Disabled when omitted.
+     */
+    admin?: boolean | {
+        path?: string;
+    };
 }
+/** The auth collection the admin UI logs into: configured admin.user, else the first auth collection. */
+declare function authCollectionSlug(kernel: Kernel): string | null;
 type RequestHandler = (request: Request) => Promise<Response>;
 declare function createRequestHandler(kernel: Kernel, options?: HandlerOptions): RequestHandler;
 declare function parseWhere(params: URLSearchParams): Where | undefined;
@@ -24,4 +33,4 @@ interface RunningServer {
 }
 declare function serve(kernel: Kernel, options?: ServeOptions): Promise<RunningServer>;
 
-export { type HandlerOptions, type RunningServer, type ServeOptions, createRequestHandler, parseWhere, serve, toNodeListener };
+export { type HandlerOptions, type RunningServer, type ServeOptions, authCollectionSlug, createRequestHandler, parseWhere, serve, toNodeListener };

package/dist/server.js

@@ -1,11 +1,13 @@
 import {
+  authCollectionSlug,
   createRequestHandler,
   parseWhere,
   serve,
   toNodeListener
-} from "./chunk-Z2RKB4LF.js";
+} from "./chunk-TBZIZTVM.js";
 import "./chunk-O5TO5JFA.js";
 export {
+  authCollectionSlug,
   createRequestHandler,
   parseWhere,
   serve,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kernelcms",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "The TanStack-native, adapter-based, end-to-end type-safe headless CMS. Config-as-code, self-hosted.",
   "type": "module",
   "license": "MIT",
@@ -59,12 +59,12 @@
     "@types/pg": "^8.11.10",
     "tsup": "^8.3.5",
     "@kernel/core": "0.0.0",
-    "@kernel/server": "0.0.0",
+    "@kernel/db": "0.0.0",
+    "@kernel/cli": "0.0.0",
     "@kernel/db-sqlite": "0.0.0",
     "@kernel/db-postgres": "0.0.0",
-    "@kernel/client": "0.0.0",
-    "@kernel/db": "0.0.0",
-    "@kernel/cli": "0.0.0"
+    "@kernel/server": "0.0.0",
+    "@kernel/client": "0.0.0"
   },
   "scripts": {
     "build": "tsup"

package/dist/chunk-Z2RKB4LF.js

@@ -1,285 +0,0 @@
-import {
-  BadRequestError,
-  NotFoundError,
-  UnauthorizedError,
-  describeConfig,
-  isKernelError
-} from "./chunk-O5TO5JFA.js";
-
-// ../server/src/index.ts
-import { createServer } from "http";
-function createRequestHandler(kernel, options = {}) {
-  const apiBase = kernel.config.routes.api;
-  return async function handle(request) {
-    if (request.method === "OPTIONS") return withCors(new Response(null, { status: 204 }), options, request);
-    try {
-      const response = await route(kernel, options, request, apiBase);
-      return withCors(response, options, request);
-    } catch (err) {
-      return withCors(errorResponse(err), options, request);
-    }
-  };
-}
-async function route(kernel, options, request, apiBase) {
-  const url = new URL(request.url);
-  if (!url.pathname.startsWith(apiBase)) {
-    return json({ error: { code: "NOT_FOUND", message: `No route for ${url.pathname}` } }, 404);
-  }
-  const segments = url.pathname.slice(apiBase.length).split("/").filter(Boolean);
-  const { user, overrideAccess } = await resolveAuth(kernel, options, request);
-  const locale = url.searchParams.get("locale") ?? void 0;
-  const depth = toNum(url.searchParams.get("depth"));
-  const base = { req: { user, ...locale ? { locale } : {} }, overrideAccess, ...depth !== void 0 ? { depth } : {} };
-  const method = request.method;
-  if (segments.length === 0) {
-    return json({
-      name: "KernelCMS",
-      collections: kernel.config.collections.map((c) => c.slug),
-      globals: kernel.config.globals.map((g) => g.slug)
-    });
-  }
-  if (segments.length === 1 && segments[0] === "health") {
-    const health = await kernel.db.health();
-    return json({ status: "ok", db: health }, health.status === "ok" ? 200 : 503);
-  }
-  if (segments.length === 1 && segments[0] === "_config") {
-    return json(describeConfig(kernel.config));
-  }
-  if (segments[0] === "globals" && segments.length === 2) {
-    const slug = segments[1];
-    if (method === "GET") return json(await kernel.findGlobal({ slug, ...base }));
-    if (method === "POST" || method === "PATCH") {
-      const data = await readBody(request);
-      return json(await kernel.updateGlobal({ slug, data, ...base }));
-    }
-    return methodNotAllowed();
-  }
-  const collection = segments[0];
-  if (segments.length === 2 && (segments[1] === "login" || segments[1] === "me")) {
-    const authColl = kernel.config.collectionsBySlug[collection];
-    if (authColl?.auth) {
-      if (segments[1] === "login" && method === "POST") {
-        const body = await readBody(request);
-        return json(
-          await kernel.login({
-            collection,
-            email: String(body.email ?? ""),
-            password: String(body.password ?? "")
-          })
-        );
-      }
-      if (segments[1] === "me" && method === "GET") {
-        if (!user) throw new UnauthorizedError();
-        return json({ user });
-      }
-    }
-  }
-  if (segments.length === 1) {
-    if (method === "GET") {
-      const result = await kernel.find({
-        collection,
-        where: parseWhere(url.searchParams),
-        sort: url.searchParams.get("sort") ?? void 0,
-        limit: toNum(url.searchParams.get("limit")),
-        page: toNum(url.searchParams.get("page")),
-        ...base
-      });
-      return json(result);
-    }
-    if (method === "POST") {
-      const data = await readBody(request);
-      return json(await kernel.create({ collection, data, ...base }), 201);
-    }
-    return methodNotAllowed();
-  }
-  if (segments.length === 2) {
-    const id = segments[1];
-    if (method === "GET") {
-      const doc = await kernel.findByID({ collection, id, ...base });
-      if (!doc) throw new NotFoundError();
-      return json(doc);
-    }
-    if (method === "PATCH" || method === "PUT") {
-      const data = await readBody(request);
-      const doc = await kernel.update({ collection, id, data, ...base });
-      if (!doc) throw new NotFoundError();
-      return json(doc);
-    }
-    if (method === "DELETE") {
-      const doc = await kernel.delete({ collection, id, ...base });
-      if (!doc) throw new NotFoundError();
-      return json(doc);
-    }
-    return methodNotAllowed();
-  }
-  return json({ error: { code: "NOT_FOUND", message: `No route for ${url.pathname}` } }, 404);
-}
-async function resolveAuth(kernel, options, request) {
-  const auth = request.headers.get("authorization");
-  if (options.apiKey && auth === `Bearer ${options.apiKey}`) {
-    return { user: { id: "system", roles: ["admin"], collection: "system" }, overrideAccess: true };
-  }
-  if (options.getUser) {
-    const user = await options.getUser(request);
-    if (user) return { user, overrideAccess: false };
-  }
-  if (auth?.startsWith("Bearer ")) {
-    const user = await kernel.authenticate(auth.slice("Bearer ".length));
-    if (user) return { user, overrideAccess: false };
-  }
-  return { user: null, overrideAccess: false };
-}
-async function readBody(request) {
-  let parsed;
-  try {
-    parsed = await request.json();
-  } catch {
-    throw new BadRequestError("Request body must be valid JSON.");
-  }
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-    throw new BadRequestError("Request body must be a JSON object.");
-  }
-  return parsed;
-}
-function coerce(value) {
-  if (value === "true") return true;
-  if (value === "false") return false;
-  if (value === "null") return null;
-  if (value !== "" && /^-?\d+(\.\d+)?$/.test(value)) return Number(value);
-  return value;
-}
-function setDeep(root, path, value) {
-  let node = root;
-  for (let i = 0; i < path.length - 1; i++) {
-    const key = path[i];
-    if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
-    node = node[key];
-  }
-  node[path[path.length - 1]] = value;
-}
-function parseWhere(params) {
-  const raw = params.get("where");
-  if (raw) {
-    try {
-      return JSON.parse(raw);
-    } catch {
-      throw new BadRequestError("`where` must be valid JSON.");
-    }
-  }
-  const root = {};
-  let found = false;
-  for (const [key, value] of params) {
-    if (!key.startsWith("where[")) continue;
-    found = true;
-    const path = key.slice("where".length).split(/[[\]]+/).filter(Boolean);
-    setDeep(root, path, coerce(value));
-  }
-  return found ? root : void 0;
-}
-function json(data, status = 200) {
-  return new Response(JSON.stringify(data), {
-    status,
-    headers: { "content-type": "application/json; charset=utf-8" }
-  });
-}
-function methodNotAllowed() {
-  return json({ error: { code: "BAD_REQUEST", message: "Method not allowed." } }, 405);
-}
-function errorResponse(err) {
-  if (isKernelError(err)) {
-    const response = json(err.toJSON(), err.status);
-    const retryAfter = err.retryAfter;
-    if (typeof retryAfter === "number") response.headers.set("retry-after", String(retryAfter));
-    return response;
-  }
-  console.error("[kernel] unhandled error:", err);
-  return json({ error: { code: "INTERNAL", message: "Internal server error." } }, 500);
-}
-function withCors(response, options, request) {
-  if (!options.cors) return response;
-  const origin = request.headers.get("origin");
-  let allow = null;
-  let credentials = false;
-  if (Array.isArray(options.cors)) {
-    if (origin && options.cors.includes(origin)) {
-      allow = origin;
-      credentials = true;
-    }
-  } else {
-    allow = origin ?? "*";
-  }
-  if (!allow) return response;
-  response.headers.set("access-control-allow-origin", allow);
-  if (credentials) response.headers.set("access-control-allow-credentials", "true");
-  response.headers.set("access-control-allow-headers", "Content-Type, Authorization");
-  response.headers.set("access-control-allow-methods", "GET, POST, PATCH, PUT, DELETE, OPTIONS");
-  response.headers.set("vary", "Origin");
-  return response;
-}
-function toNum(value) {
-  if (value === null) return void 0;
-  const n = Number(value);
-  return Number.isNaN(n) ? void 0 : n;
-}
-function toNodeListener(handler) {
-  return (req, res) => {
-    const chunks = [];
-    req.on("data", (chunk) => chunks.push(chunk));
-    req.on("error", () => {
-      res.statusCode = 400;
-      res.end();
-    });
-    req.on("end", () => {
-      void (async () => {
-        const headers = new Headers();
-        for (const [key, value] of Object.entries(req.headers)) {
-          if (typeof value === "string") headers.set(key, value);
-          else if (Array.isArray(value)) headers.set(key, value.join(", "));
-        }
-        const url = `http://${req.headers.host ?? "localhost"}${req.url ?? "/"}`;
-        const method = req.method ?? "GET";
-        const hasBody = method !== "GET" && method !== "HEAD" && chunks.length > 0;
-        const request = new Request(url, {
-          method,
-          headers,
-          body: hasBody ? Buffer.concat(chunks) : void 0
-        });
-        try {
-          const response = await handler(request);
-          res.statusCode = response.status;
-          response.headers.forEach((value, key) => res.setHeader(key, value));
-          const body = Buffer.from(await response.arrayBuffer());
-          res.end(body);
-        } catch (err) {
-          console.error("[kernel] listener error:", err);
-          res.statusCode = 500;
-          res.setHeader("content-type", "application/json");
-          res.end(JSON.stringify({ error: { code: "INTERNAL", message: "Internal server error." } }));
-        }
-      })();
-    });
-  };
-}
-async function serve(kernel, options = {}) {
-  const handler = createRequestHandler(kernel, options);
-  const server = createServer(toNodeListener(handler));
-  const requested = options.port ?? 3e3;
-  await new Promise((resolve, reject) => {
-    server.once("error", reject);
-    server.listen(requested, () => resolve());
-  });
-  const address = server.address();
-  const port = typeof address === "object" && address ? address.port : requested;
-  return {
-    url: `http://localhost:${port}`,
-    port,
-    close: () => new Promise((resolve) => server.close(() => resolve()))
-  };
-}
-
-export {
-  createRequestHandler,
-  parseWhere,
-  toNodeListener,
-  serve
-};