kernelcms 0.1.0

package/dist/chunk-O5TO5JFA.js

@@ -0,0 +1,1181 @@
+// ../core/src/config.ts
+function withAuthFields(collection) {
+  const fields = [...collection.fields];
+  if (!fields.some((f) => f.name === "email")) {
+    fields.unshift({ name: "email", type: "email", required: true, unique: true, index: true });
+  }
+  if (!fields.some((f) => f.name === "hash")) {
+    fields.push({ name: "hash", type: "text", admin: { hidden: true } });
+  }
+  return { ...collection, fields };
+}
+var IDENT_RE = /^[a-z][a-z0-9_]*$/;
+function defineConfig(config) {
+  return config;
+}
+function assert(condition, message) {
+  if (!condition) throw new Error(`KernelCMS config error: ${message}`);
+}
+function validateCollection(collection) {
+  assert(IDENT_RE.test(collection.slug), `collection slug "${collection.slug}" must be snake_case starting with a letter`);
+  const seen = /* @__PURE__ */ new Set();
+  for (const field of collection.fields) {
+    assert(IDENT_RE.test(field.name), `field "${field.name}" in "${collection.slug}" must be snake_case`);
+    assert(!seen.has(field.name), `duplicate field "${field.name}" in collection "${collection.slug}"`);
+    seen.add(field.name);
+  }
+}
+function validateGlobal(global) {
+  assert(IDENT_RE.test(global.slug), `global slug "${global.slug}" must be snake_case starting with a letter`);
+}
+function sanitizeConfig(config) {
+  assert(config.db, "a database adapter is required (config.db)");
+  assert(Array.isArray(config.collections), "config.collections must be an array");
+  const collections = config.collections.map((c) => c.auth ? withAuthFields(c) : c);
+  const globals = config.globals ?? [];
+  const collectionsBySlug = {};
+  for (const collection of collections) {
+    validateCollection(collection);
+    assert(!collectionsBySlug[collection.slug], `duplicate collection slug "${collection.slug}"`);
+    collectionsBySlug[collection.slug] = collection;
+  }
+  const globalsBySlug = {};
+  for (const global of globals) {
+    validateGlobal(global);
+    assert(!globalsBySlug[global.slug], `duplicate global slug "${global.slug}"`);
+    assert(!collectionsBySlug[global.slug], `global "${global.slug}" collides with a collection slug`);
+    globalsBySlug[global.slug] = global;
+  }
+  let localization = false;
+  if (config.localization) {
+    const { locales, defaultLocale, fallback } = config.localization;
+    assert(locales.length > 0, "localization.locales must not be empty");
+    assert(locales.includes(defaultLocale), `localization.defaultLocale "${defaultLocale}" must be in locales`);
+    localization = { locales, defaultLocale, fallback: fallback ?? true };
+  }
+  const secret = config.secret ?? process.env.KERNEL_SECRET ?? devSecret();
+  const adminUser = config.admin?.user ?? collections.find((c) => c.auth)?.slug ?? "users";
+  return {
+    serverURL: config.serverURL ?? "http://localhost:3000",
+    db: config.db,
+    collections,
+    globals,
+    localization,
+    routes: { api: config.routes?.api ?? "/api" },
+    admin: { user: adminUser },
+    secret,
+    collectionsBySlug,
+    globalsBySlug
+  };
+}
+var warned = false;
+function devSecret() {
+  if (!warned) {
+    warned = true;
+    console.warn(
+      "[KernelCMS] No `secret` or KERNEL_SECRET set \u2014 using an insecure development secret. Set KERNEL_SECRET in production."
+    );
+  }
+  return "kernel-dev-insecure-secret-do-not-use-in-production";
+}
+function defaultLocaleOf(config) {
+  return config.localization ? config.localization.defaultLocale : "en";
+}
+
+// ../core/src/fields.ts
+var EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+var SLUG_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
+function humanize(name) {
+  return name.replace(/[_-]+/g, " ").replace(/([a-z0-9])([A-Z])/g, "$1 $2").replace(/^\w/, (c) => c.toUpperCase()).trim();
+}
+function fieldLabel(field) {
+  return field.label ?? humanize(field.name);
+}
+function optionValue(opt) {
+  return typeof opt === "string" ? opt : opt.value;
+}
+function optionLabel(opt) {
+  return typeof opt === "string" ? humanize(opt) : opt.label;
+}
+function storageTypeForField(field) {
+  if (field.localized) return "json";
+  switch (field.type) {
+    case "number":
+      return field.integer ? "integer" : "real";
+    case "boolean":
+    case "checkbox":
+      return "boolean";
+    case "date":
+      return "timestamp";
+    case "json":
+    case "richText":
+    case "point":
+    case "array":
+    case "group":
+      return "json";
+    case "select":
+    case "radio":
+      return field.hasMany ? "json" : "text";
+    case "relationship":
+    case "upload":
+      return field.hasMany ? "json" : "text";
+    default:
+      return "text";
+  }
+}
+function columnForField(field) {
+  const column = {
+    name: field.name,
+    type: storageTypeForField(field),
+    required: Boolean(field.required),
+    unique: Boolean(field.unique),
+    indexed: Boolean(field.index ?? field.unique),
+    localized: Boolean(field.localized)
+  };
+  if ((field.type === "relationship" || field.type === "upload") && !field.hasMany) {
+    column.relationTo = field.relationTo;
+  }
+  return column;
+}
+function defaultForField(field) {
+  const dv = field.defaultValue;
+  if (dv === void 0) return void 0;
+  if (typeof dv === "function") return dv();
+  return dv;
+}
+function applyDefaults(fields, data) {
+  const out = { ...data };
+  for (const field of fields) {
+    if (out[field.name] === void 0) {
+      const dv = defaultForField(field);
+      if (dv !== void 0) out[field.name] = dv;
+    }
+  }
+  return out;
+}
+function isEmpty(value) {
+  return value === void 0 || value === null || value === "" || Array.isArray(value) && value.length === 0;
+}
+async function validateFields(fields, data, ctx, prefix = "") {
+  const errors = [];
+  for (const field of fields) {
+    const path = prefix ? `${prefix}.${field.name}` : field.name;
+    const value = data?.[field.name];
+    const label = fieldLabel(field);
+    if (isEmpty(value)) {
+      if (field.required) errors.push({ path, message: `${label} is required.` });
+      continue;
+    }
+    const typeError = validateFieldType(field, value, label);
+    if (typeError) {
+      errors.push({ path, message: typeError });
+      continue;
+    }
+    if (field.type === "array" && Array.isArray(value)) {
+      if (field.minRows !== void 0 && value.length < field.minRows) {
+        errors.push({ path, message: `${label} requires at least ${field.minRows} row(s).` });
+      }
+      if (field.maxRows !== void 0 && value.length > field.maxRows) {
+        errors.push({ path, message: `${label} allows at most ${field.maxRows} row(s).` });
+      }
+      for (let i = 0; i < value.length; i++) {
+        const row = value[i];
+        if (row && typeof row === "object") {
+          errors.push(...await validateFields(field.fields, row, ctx, `${path}.${i}`));
+        } else {
+          errors.push({ path: `${path}.${i}`, message: "Each row must be an object." });
+        }
+      }
+    } else if (field.type === "group" && value && typeof value === "object") {
+      errors.push(...await validateFields(field.fields, value, ctx, path));
+    }
+    if (field.validate) {
+      const result = await field.validate({
+        value,
+        data,
+        siblingData: data,
+        req: ctx.req,
+        operation: ctx.operation
+      });
+      if (result !== true) errors.push({ path, message: result });
+    }
+  }
+  return errors;
+}
+function validateFieldType(field, value, label) {
+  switch (field.type) {
+    case "text":
+    case "textarea":
+    case "code":
+    case "email":
+    case "slug": {
+      if (typeof value !== "string") return `${label} must be text.`;
+      if (field.minLength !== void 0 && value.length < field.minLength)
+        return `${label} must be at least ${field.minLength} characters.`;
+      if (field.maxLength !== void 0 && value.length > field.maxLength)
+        return `${label} must be at most ${field.maxLength} characters.`;
+      if (field.type === "email" && !EMAIL_RE.test(value)) return `${label} must be a valid email address.`;
+      if (field.type === "slug" && !SLUG_RE.test(value)) return `${label} must be a lowercase, hyphenated slug.`;
+      if (field.pattern && !new RegExp(field.pattern).test(value)) return `${label} has an invalid format.`;
+      return null;
+    }
+    case "number": {
+      if (typeof value !== "number" || Number.isNaN(value)) return `${label} must be a number.`;
+      if (field.integer && !Number.isInteger(value)) return `${label} must be an integer.`;
+      if (field.min !== void 0 && value < field.min) return `${label} must be at least ${field.min}.`;
+      if (field.max !== void 0 && value > field.max) return `${label} must be at most ${field.max}.`;
+      return null;
+    }
+    case "boolean":
+    case "checkbox":
+      return typeof value === "boolean" ? null : `${label} must be true or false.`;
+    case "date":
+      return Number.isNaN(Date.parse(String(value))) ? `${label} must be a valid date.` : null;
+    case "select":
+    case "radio": {
+      const allowed = field.options.map(optionValue);
+      if (field.hasMany) {
+        if (!Array.isArray(value)) return `${label} must be a list.`;
+        for (const v of value) if (!allowed.includes(String(v))) return `${label} contains an invalid option.`;
+        return null;
+      }
+      return allowed.includes(String(value)) ? null : `${label} must be one of: ${allowed.join(", ")}.`;
+    }
+    case "relationship":
+    case "upload": {
+      if (field.hasMany) return Array.isArray(value) ? null : `${label} must be a list of references.`;
+      return typeof value === "string" || typeof value === "number" ? null : `${label} must be a reference id.`;
+    }
+    case "array":
+      return Array.isArray(value) ? null : `${label} must be a list.`;
+    case "group":
+      return value && typeof value === "object" && !Array.isArray(value) ? null : `${label} must be an object.`;
+    case "point":
+      return Array.isArray(value) && value.length === 2 ? null : `${label} must be a [lng, lat] pair.`;
+    case "json":
+    case "richText":
+      return null;
+    default:
+      return null;
+  }
+}
+function normalizeWrite(field, value) {
+  if (value === void 0) return null;
+  if (field.type === "date") {
+    if (value instanceof Date) return value.toISOString();
+    if (typeof value === "number") return new Date(value).toISOString();
+  }
+  return value;
+}
+function serializeDoc(fields, data, opts) {
+  const row = {};
+  for (const field of fields) {
+    const has = Object.prototype.hasOwnProperty.call(data, field.name);
+    if (field.localized) {
+      const existing = opts.existingRow?.[field.name];
+      const map = existing && typeof existing === "object" && !Array.isArray(existing) ? { ...existing } : {};
+      if (has) map[opts.locale] = normalizeWrite(field, data[field.name]);
+      row[field.name] = map;
+    } else if (has) {
+      row[field.name] = normalizeWrite(field, data[field.name]);
+    } else if (opts.existingRow && Object.prototype.hasOwnProperty.call(opts.existingRow, field.name)) {
+      row[field.name] = opts.existingRow[field.name];
+    }
+  }
+  return row;
+}
+function resolveLocale(raw, locale, fallback) {
+  if (raw && typeof raw === "object" && !Array.isArray(raw)) {
+    const map = raw;
+    if (locale in map) return map[locale];
+    if (fallback && fallback in map) return map[fallback];
+    return null;
+  }
+  return raw ?? null;
+}
+function deserializeDoc(fields, row, opts) {
+  const doc = {};
+  for (const field of fields) {
+    const raw = row[field.name];
+    doc[field.name] = field.localized ? resolveLocale(raw, opts.locale, opts.fallbackLocale) : raw === void 0 ? null : raw;
+  }
+  return doc;
+}
+function relationshipFields(fields) {
+  const out = [];
+  for (const field of fields) {
+    if (field.type === "relationship" || field.type === "upload") {
+      out.push({ name: field.name, relationTo: field.relationTo, hasMany: Boolean(field.hasMany) });
+    }
+  }
+  return out;
+}
+
+// ../core/src/schema.ts
+function tableForCollection(slug) {
+  return slug;
+}
+function tableForGlobal(slug) {
+  return `__global_${slug}`;
+}
+var GLOBAL_ROW_ID = "singleton";
+function compileSchema(config) {
+  const tables = [];
+  for (const collection of config.collections) {
+    tables.push({
+      table: tableForCollection(collection.slug),
+      slug: collection.slug,
+      columns: collection.fields.map(columnForField),
+      timestamps: collection.timestamps ?? true,
+      singleton: false
+    });
+  }
+  for (const global of config.globals) {
+    tables.push({
+      table: tableForGlobal(global.slug),
+      slug: global.slug,
+      columns: global.fields.map(columnForField),
+      timestamps: true,
+      singleton: true
+    });
+  }
+  return { tables };
+}
+
+// ../core/src/errors.ts
+var KernelError = class extends Error {
+  code;
+  status;
+  details;
+  constructor(message, code, status, details) {
+    super(message);
+    this.name = "KernelError";
+    this.code = code;
+    this.status = status;
+    this.details = details;
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+  toJSON() {
+    return {
+      error: {
+        code: this.code,
+        message: this.message,
+        ...this.details === void 0 ? {} : { details: this.details }
+      }
+    };
+  }
+};
+var ValidationError = class extends KernelError {
+  errors;
+  constructor(errors) {
+    super(
+      `Validation failed: ${errors.map((e) => e.path).join(", ")}`,
+      "VALIDATION",
+      400,
+      errors
+    );
+    this.name = "ValidationError";
+    this.errors = errors;
+  }
+};
+var NotFoundError = class extends KernelError {
+  constructor(message = "The requested resource was not found.") {
+    super(message, "NOT_FOUND", 404);
+    this.name = "NotFoundError";
+  }
+};
+var ForbiddenError = class extends KernelError {
+  constructor(message = "You are not allowed to perform this action.") {
+    super(message, "FORBIDDEN", 403);
+    this.name = "ForbiddenError";
+  }
+};
+var UnauthorizedError = class extends KernelError {
+  constructor(message = "Authentication is required.") {
+    super(message, "UNAUTHORIZED", 401);
+    this.name = "UnauthorizedError";
+  }
+};
+var BadRequestError = class extends KernelError {
+  constructor(message = "The request was malformed.", details) {
+    super(message, "BAD_REQUEST", 400, details);
+    this.name = "BadRequestError";
+  }
+};
+var ConflictError = class extends KernelError {
+  constructor(message = "The resource already exists.", details) {
+    super(message, "CONFLICT", 409, details);
+    this.name = "ConflictError";
+  }
+};
+var TooManyRequestsError = class extends KernelError {
+  /** Seconds the client should wait before retrying, surfaced as Retry-After. */
+  retryAfter;
+  constructor(message = "Too many requests. Please try again later.", retryAfter) {
+    super(message, "TOO_MANY_REQUESTS", 429, retryAfter === void 0 ? void 0 : { retryAfter });
+    this.name = "TooManyRequestsError";
+    this.retryAfter = retryAfter;
+  }
+};
+function isKernelError(err) {
+  return err instanceof KernelError;
+}
+
+// ../core/src/auth.ts
+import { createHmac, randomBytes, scrypt as scryptCb, timingSafeEqual } from "crypto";
+import { promisify } from "util";
+var SCRYPT_KEYLEN = 64;
+var scrypt = promisify(scryptCb);
+async function hashPassword(password) {
+  const salt = randomBytes(16);
+  const derived = await scrypt(password, salt, SCRYPT_KEYLEN);
+  return `scrypt$${salt.toString("hex")}$${derived.toString("hex")}`;
+}
+async function verifyPassword(password, stored) {
+  const parts = stored.split("$");
+  if (parts.length !== 3 || parts[0] !== "scrypt") return false;
+  const salt = Buffer.from(parts[1], "hex");
+  const expected = Buffer.from(parts[2], "hex");
+  const derived = await scrypt(password, salt, expected.length);
+  return expected.length === derived.length && timingSafeEqual(expected, derived);
+}
+function nowSeconds() {
+  return Math.floor(Date.now() / 1e3);
+}
+function signToken(payload, secret, expiresInSec = 3600) {
+  const now = nowSeconds();
+  const header = Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })).toString("base64url");
+  const body = Buffer.from(JSON.stringify({ ...payload, iat: now, exp: now + expiresInSec })).toString("base64url");
+  const sig = createHmac("sha256", secret).update(`${header}.${body}`).digest("base64url");
+  return `${header}.${body}.${sig}`;
+}
+function verifyToken(token, secret) {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  const [header, body, sig] = parts;
+  const expected = createHmac("sha256", secret).update(`${header}.${body}`).digest("base64url");
+  const a = Buffer.from(sig);
+  const b = Buffer.from(expected);
+  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
+  try {
+    const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
+    if (typeof payload.exp === "number" && payload.exp < nowSeconds()) return null;
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+// ../core/src/access.ts
+async function evalAccess(fn, args) {
+  if (!fn) return Boolean(args.req.user);
+  return fn(args);
+}
+function isAllowed(result) {
+  return result !== false;
+}
+function asWhere(result) {
+  return result === true || result === false ? void 0 : result;
+}
+
+// ../core/src/query.ts
+function parseSort(sort) {
+  if (!sort) return [];
+  const tokens = (Array.isArray(sort) ? sort : [sort]).flatMap((s) => s.split(",")).map((s) => s.trim()).filter(Boolean);
+  return tokens.map(
+    (token) => token.startsWith("-") ? { field: token.slice(1), direction: "desc" } : { field: token, direction: "asc" }
+  );
+}
+function mergeWhere(a, b) {
+  if (a && b) return { and: [a, b] };
+  return a ?? b;
+}
+function toArray(v) {
+  return Array.isArray(v) ? v : [v];
+}
+function looseEq(a, b) {
+  if (a === b) return true;
+  if (a === null || a === void 0 || b === null || b === void 0) return false;
+  if (typeof a === "number" || typeof b === "number") return Number(a) === Number(b);
+  return String(a) === String(b);
+}
+function compare(a, b) {
+  const an = Number(a);
+  const bn = Number(b);
+  if (!Number.isNaN(an) && !Number.isNaN(bn)) return an < bn ? -1 : an > bn ? 1 : 0;
+  return String(a).localeCompare(String(b));
+}
+function matchesCondition(value, cond) {
+  for (const [op, operand] of Object.entries(cond)) {
+    switch (op) {
+      case "equals":
+        if (!looseEq(value, operand)) return false;
+        break;
+      case "not_equals":
+        if (looseEq(value, operand)) return false;
+        break;
+      case "in":
+        if (!toArray(operand).some((o) => looseEq(value, o))) return false;
+        break;
+      case "not_in":
+        if (toArray(operand).some((o) => looseEq(value, o))) return false;
+        break;
+      case "greater_than":
+        if (!(compare(value, operand) > 0)) return false;
+        break;
+      case "greater_than_equal":
+        if (!(compare(value, operand) >= 0)) return false;
+        break;
+      case "less_than":
+        if (!(compare(value, operand) < 0)) return false;
+        break;
+      case "less_than_equal":
+        if (!(compare(value, operand) <= 0)) return false;
+        break;
+      case "like":
+      case "contains":
+        if (!String(value ?? "").toLowerCase().includes(String(operand).toLowerCase())) return false;
+        break;
+      case "exists": {
+        const exists = value !== null && value !== void 0;
+        if (Boolean(operand) !== exists) return false;
+        break;
+      }
+      default:
+        return false;
+    }
+  }
+  return true;
+}
+function matchesWhere(row, where) {
+  if (!where) return true;
+  if (where.and && !where.and.every((w) => matchesWhere(row, w))) return false;
+  if (where.or && where.or.length > 0 && !where.or.some((w) => matchesWhere(row, w))) return false;
+  for (const [key, cond] of Object.entries(where)) {
+    if (key === "and" || key === "or" || cond === void 0) continue;
+    if (!matchesCondition(row[key], cond)) return false;
+  }
+  return true;
+}
+
+// ../core/src/operations.ts
+import { randomUUID } from "crypto";
+var MAX_LIMIT = 1e3;
+var DEFAULT_LIMIT = 25;
+var LOGIN_MAX_FAILURES = 10;
+var LOGIN_WINDOW_MS = 15 * 60 * 1e3;
+function createOperations(ctx) {
+  const { config, db } = ctx;
+  const loginFailures = /* @__PURE__ */ new Map();
+  function loginKey(slug, email) {
+    return `${slug}:${email.trim().toLowerCase()}`;
+  }
+  function assertLoginAllowed(key) {
+    const rec = loginFailures.get(key);
+    if (!rec) return;
+    const elapsed = Date.now() - rec.windowStart;
+    if (elapsed > LOGIN_WINDOW_MS) {
+      loginFailures.delete(key);
+      return;
+    }
+    if (rec.count >= LOGIN_MAX_FAILURES) {
+      const retryAfter = Math.ceil((LOGIN_WINDOW_MS - elapsed) / 1e3);
+      throw new TooManyRequestsError("Too many failed login attempts. Please try again later.", retryAfter);
+    }
+  }
+  function recordLoginFailure(key) {
+    const now = Date.now();
+    const rec = loginFailures.get(key);
+    if (!rec || now - rec.windowStart > LOGIN_WINDOW_MS) {
+      loginFailures.set(key, { count: 1, windowStart: now });
+    } else {
+      rec.count += 1;
+    }
+  }
+  async function applyFieldAccess(fields, data, operation, req, id) {
+    for (const field of fields) {
+      if (!Object.prototype.hasOwnProperty.call(data, field.name)) continue;
+      const rule = field.access?.[operation];
+      if (rule) {
+        const decision = await evalAccess(rule, { req, id, data });
+        if (!isAllowed(decision)) {
+          delete data[field.name];
+          continue;
+        }
+      }
+      const value = data[field.name];
+      if (field.type === "group" && value && typeof value === "object" && !Array.isArray(value)) {
+        await applyFieldAccess(field.fields, value, operation, req, id);
+      } else if (field.type === "array" && Array.isArray(value)) {
+        for (const row of value) {
+          if (row && typeof row === "object") {
+            await applyFieldAccess(field.fields, row, operation, req, id);
+          }
+        }
+      }
+    }
+  }
+  function buildReq(partial) {
+    const defaultLocale = config.localization ? config.localization.defaultLocale : "en";
+    const fallback = config.localization ? config.localization.fallback ? config.localization.defaultLocale : false : false;
+    return {
+      user: partial?.user ?? null,
+      locale: partial?.locale ?? defaultLocale,
+      fallbackLocale: partial?.fallbackLocale ?? fallback,
+      context: partial?.context ?? {}
+    };
+  }
+  function collectionOrThrow(slug) {
+    const collection = config.collectionsBySlug[slug];
+    if (!collection) throw new BadRequestError(`Unknown collection "${slug}".`);
+    return collection;
+  }
+  function globalOrThrow(slug) {
+    const global = config.globalsBySlug[slug];
+    if (!global) throw new BadRequestError(`Unknown global "${slug}".`);
+    return global;
+  }
+  function rowToDoc(collection, row, req) {
+    const body = deserializeDoc(collection.fields, row, {
+      locale: req.locale,
+      fallbackLocale: req.fallbackLocale
+    });
+    const doc = { id: String(row.id), ...body };
+    if (row.createdAt !== void 0) doc.createdAt = row.createdAt;
+    if (row.updatedAt !== void 0) doc.updatedAt = row.updatedAt;
+    if (collection.auth) delete doc.hash;
+    return doc;
+  }
+  function authTtl(collection) {
+    const auth = collection.auth;
+    return typeof auth === "object" && auth.tokenExpiration ? auth.tokenExpiration : 3600;
+  }
+  async function prepareAuthInput(collection, data, operation) {
+    if (!collection.auth) return data;
+    const next = { ...data };
+    delete next.hash;
+    const password = next.password;
+    delete next.password;
+    if (typeof password === "string" && password.length > 0) {
+      if (password.length < 8) {
+        throw new ValidationError([{ path: "password", message: "Password must be at least 8 characters." }]);
+      }
+      next.hash = await hashPassword(password);
+    } else if (operation === "create") {
+      throw new ValidationError([{ path: "password", message: "Password is required." }]);
+    }
+    return next;
+  }
+  async function runHooks(hooks, args, key) {
+    let current = args[key];
+    if (!hooks) return current;
+    for (const hook of hooks) {
+      current = await hook({ ...args, [key]: current });
+    }
+    return current;
+  }
+  async function populate(collection, doc, depth, req) {
+    if (depth <= 0) return doc;
+    for (const rel of relationshipFields(collection.fields)) {
+      if (!config.collectionsBySlug[rel.relationTo]) continue;
+      const value = doc[rel.name];
+      if (rel.hasMany && Array.isArray(value)) {
+        const out = [];
+        for (const id of value) {
+          const related = await safeFindByID(rel.relationTo, String(id), depth - 1, req);
+          out.push(related ?? id);
+        }
+        doc[rel.name] = out;
+      } else if (!rel.hasMany && value != null) {
+        const related = await safeFindByID(rel.relationTo, String(value), depth - 1, req);
+        doc[rel.name] = related ?? value;
+      }
+    }
+    return doc;
+  }
+  async function safeFindByID(slug, id, depth, req) {
+    try {
+      return await findByID({ collection: slug, id, depth, req });
+    } catch (err) {
+      if (isKernelError(err)) return null;
+      throw err;
+    }
+  }
+  async function create(opts) {
+    const collection = collectionOrThrow(opts.collection);
+    const req = buildReq(opts.req);
+    const override = opts.overrideAccess ?? false;
+    if (!override) {
+      const access = await evalAccess(collection.access?.create, { req, data: opts.data });
+      if (!isAllowed(access)) throw new ForbiddenError();
+    }
+    const incoming = { ...opts.data };
+    if (!override) await applyFieldAccess(collection.fields, incoming, "create", req);
+    let data = applyDefaults(collection.fields, incoming);
+    data = await prepareAuthInput(collection, data, "create");
+    data = await runHooks(collection.hooks?.beforeChange, { req, operation: "create", data }, "data");
+    const errors = await validateFields(collection.fields, data, { req, operation: "create" });
+    if (errors.length) throw new ValidationError(errors);
+    const row = serializeDoc(collection.fields, data, { locale: req.locale });
+    row.id = randomUUID();
+    const created = await db.create({ collection: collection.slug, data: row });
+    let doc = rowToDoc(collection, created, req);
+    doc = await runHooks(collection.hooks?.afterChange, { req, operation: "create", doc }, "doc");
+    doc = await runHooks(collection.hooks?.afterRead, { req, operation: "read", doc }, "doc");
+    doc = await populate(collection, doc, opts.depth ?? 0, req);
+    return doc;
+  }
+  async function find(opts) {
+    const collection = collectionOrThrow(opts.collection);
+    const req = buildReq(opts.req);
+    const override = opts.overrideAccess ?? false;
+    let where = opts.where;
+    if (!override) {
+      const access = await evalAccess(collection.access?.read, { req });
+      if (!isAllowed(access)) throw new ForbiddenError();
+      where = mergeWhere(where, asWhere(access));
+    }
+    const timestamps = collection.timestamps ?? true;
+    const sort = parseSort(opts.sort);
+    if (sort.length === 0) {
+      sort.push(timestamps ? { field: "createdAt", direction: "desc" } : { field: "id", direction: "asc" });
+    }
+    const limit = Math.min(Math.max(opts.limit ?? DEFAULT_LIMIT, 1), MAX_LIMIT);
+    const page = Math.max(opts.page ?? 1, 1);
+    const result = await db.find({ collection: collection.slug, where, sort, limit, page });
+    const docs = [];
+    for (const row of result.docs) {
+      let doc = rowToDoc(collection, row, req);
+      doc = await runHooks(collection.hooks?.afterRead, { req, operation: "read", doc }, "doc");
+      doc = await populate(collection, doc, opts.depth ?? 0, req);
+      docs.push(doc);
+    }
+    return { ...result, docs };
+  }
+  async function findByID(opts) {
+    const collection = collectionOrThrow(opts.collection);
+    const req = buildReq(opts.req);
+    const override = opts.overrideAccess ?? false;
+    const row = await db.findByID({ collection: collection.slug, id: opts.id });
+    if (!row) return null;
+    if (!override) {
+      const access = await evalAccess(collection.access?.read, { req, id: opts.id });
+      if (!isAllowed(access)) throw new ForbiddenError();
+      const scope = asWhere(access);
+      if (scope && !matchesWhere(row, scope)) throw new ForbiddenError();
+    }
+    let doc = rowToDoc(collection, row, req);
+    doc = await runHooks(collection.hooks?.afterRead, { req, operation: "read", doc }, "doc");
+    doc = await populate(collection, doc, opts.depth ?? 0, req);
+    return doc;
+  }
+  async function update(opts) {
+    const collection = collectionOrThrow(opts.collection);
+    const req = buildReq(opts.req);
+    const override = opts.overrideAccess ?? false;
+    const existing = await db.findByID({ collection: collection.slug, id: opts.id });
+    if (!existing) throw new NotFoundError();
+    if (!override) {
+      const access = await evalAccess(collection.access?.update, { req, id: opts.id, data: opts.data });
+      if (!isAllowed(access)) throw new ForbiddenError();
+      const scope = asWhere(access);
+      if (scope && !matchesWhere(existing, scope)) throw new ForbiddenError();
+    }
+    const filtered = { ...opts.data };
+    if (!override) await applyFieldAccess(collection.fields, filtered, "update", req, opts.id);
+    const input = await prepareAuthInput(collection, filtered, "update");
+    const existingDoc = rowToDoc(collection, existing, req);
+    let merged = { ...existingDoc, ...input };
+    merged = await runHooks(
+      collection.hooks?.beforeChange,
+      { req, operation: "update", data: merged, originalDoc: existingDoc },
+      "data"
+    );
+    const errors = await validateFields(collection.fields, merged, { req, operation: "update" });
+    if (errors.length) throw new ValidationError(errors);
+    const row = serializeDoc(collection.fields, input, { locale: req.locale, existingRow: existing });
+    const updated = await db.update({ collection: collection.slug, id: opts.id, data: row });
+    if (!updated) return null;
+    let doc = rowToDoc(collection, updated, req);
+    doc = await runHooks(collection.hooks?.afterChange, { req, operation: "update", doc }, "doc");
+    doc = await runHooks(collection.hooks?.afterRead, { req, operation: "read", doc }, "doc");
+    doc = await populate(collection, doc, opts.depth ?? 0, req);
+    return doc;
+  }
+  async function deleteOne(opts) {
+    const collection = collectionOrThrow(opts.collection);
+    const req = buildReq(opts.req);
+    const override = opts.overrideAccess ?? false;
+    const existing = await db.findByID({ collection: collection.slug, id: opts.id });
+    if (!existing) throw new NotFoundError();
+    if (!override) {
+      const access = await evalAccess(collection.access?.delete, { req, id: opts.id });
+      if (!isAllowed(access)) throw new ForbiddenError();
+      const scope = asWhere(access);
+      if (scope && !matchesWhere(existing, scope)) throw new ForbiddenError();
+    }
+    for (const hook of collection.hooks?.beforeDelete ?? []) await hook({ req, id: opts.id });
+    const removed = await db.delete({ collection: collection.slug, id: opts.id });
+    const doc = removed ? rowToDoc(collection, removed, req) : null;
+    if (doc) for (const hook of collection.hooks?.afterDelete ?? []) await hook({ req, id: opts.id, doc });
+    return doc;
+  }
+  async function count(opts) {
+    const collection = collectionOrThrow(opts.collection);
+    const req = buildReq(opts.req);
+    let where = opts.where;
+    if (!(opts.overrideAccess ?? false)) {
+      const access = await evalAccess(collection.access?.read, { req });
+      if (!isAllowed(access)) throw new ForbiddenError();
+      where = mergeWhere(where, asWhere(access));
+    }
+    return db.count({ collection: collection.slug, where });
+  }
+  async function login(opts) {
+    const collection = collectionOrThrow(opts.collection);
+    if (!collection.auth) throw new BadRequestError(`Collection "${opts.collection}" is not an auth collection.`);
+    const key = loginKey(collection.slug, opts.email);
+    assertLoginAllowed(key);
+    const result = await db.find({
+      collection: collection.slug,
+      where: { email: { equals: opts.email } },
+      sort: [{ field: "id", direction: "asc" }],
+      limit: 1,
+      page: 1
+    });
+    const row = result.docs[0];
+    const passwordOk = !!row && typeof row.hash === "string" && await verifyPassword(opts.password, row.hash);
+    if (!row || !passwordOk) {
+      recordLoginFailure(key);
+      throw new UnauthorizedError("Invalid email or password.");
+    }
+    loginFailures.delete(key);
+    const user = rowToDoc(collection, row, buildReq());
+    user.collection = collection.slug;
+    const ttl = authTtl(collection);
+    const token = signToken({ sub: user.id, collection: collection.slug }, config.secret, ttl);
+    return { user, token, exp: Math.floor(Date.now() / 1e3) + ttl };
+  }
+  async function authenticate(token) {
+    const payload = verifyToken(token, config.secret);
+    if (!payload) return null;
+    const collection = config.collectionsBySlug[payload.collection];
+    if (!collection?.auth) return null;
+    const row = await db.findByID({ collection: collection.slug, id: payload.sub });
+    if (!row) return null;
+    const user = rowToDoc(collection, row, buildReq());
+    user.collection = collection.slug;
+    return user;
+  }
+  function globalDoc(global, row, req) {
+    if (!row) {
+      const defaults = applyDefaults(global.fields, {});
+      return deserializeDoc(global.fields, defaults, {
+        locale: req.locale,
+        fallbackLocale: req.fallbackLocale
+      });
+    }
+    const body = deserializeDoc(global.fields, row, {
+      locale: req.locale,
+      fallbackLocale: req.fallbackLocale
+    });
+    if (row.updatedAt !== void 0) body.updatedAt = row.updatedAt;
+    return body;
+  }
+  async function findGlobal(opts) {
+    const global = globalOrThrow(opts.slug);
+    const req = buildReq(opts.req);
+    if (!(opts.overrideAccess ?? false)) {
+      const access = await evalAccess(global.access?.read, { req });
+      if (!isAllowed(access)) throw new ForbiddenError();
+    }
+    const table = tableForGlobal(global.slug);
+    const row = await db.findByID({ collection: table, id: GLOBAL_ROW_ID });
+    let doc = globalDoc(global, row, req);
+    doc = await runHooks(global.hooks?.afterRead, { req, operation: "read", doc }, "doc");
+    return doc;
+  }
+  async function updateGlobal(opts) {
+    const global = globalOrThrow(opts.slug);
+    const req = buildReq(opts.req);
+    if (!(opts.overrideAccess ?? false)) {
+      const access = await evalAccess(global.access?.update, { req, data: opts.data });
+      if (!isAllowed(access)) throw new ForbiddenError();
+    }
+    const table = tableForGlobal(global.slug);
+    const existing = await db.findByID({ collection: table, id: GLOBAL_ROW_ID });
+    const existingDoc = globalDoc(global, existing, req);
+    const incoming = { ...opts.data };
+    if (!(opts.overrideAccess ?? false)) await applyFieldAccess(global.fields, incoming, "update", req);
+    let merged = { ...existingDoc, ...incoming };
+    merged = await runHooks(global.hooks?.beforeChange, { req, operation: "update", data: merged }, "data");
+    const errors = await validateFields(global.fields, merged, { req, operation: "update" });
+    if (errors.length) throw new ValidationError(errors);
+    const row = serializeDoc(global.fields, incoming, { locale: req.locale, existingRow: existing });
+    let saved;
+    if (existing) {
+      saved = await db.update({ collection: table, id: GLOBAL_ROW_ID, data: row });
+    } else {
+      row.id = GLOBAL_ROW_ID;
+      saved = await db.create({ collection: table, data: row });
+    }
+    let doc = globalDoc(global, saved, req);
+    doc = await runHooks(global.hooks?.afterChange, { req, operation: "update", doc }, "doc");
+    return doc;
+  }
+  return { create, find, findByID, update, delete: deleteOne, count, login, authenticate, findGlobal, updateGlobal };
+}
+
+// ../core/src/kernel.ts
+var LEVELS = { debug: 10, info: 20, warn: 30, error: 40 };
+function createLogger(level = "info") {
+  const min = LEVELS[level];
+  const emit = (lvl, stream) => (msg, meta) => {
+    if (LEVELS[lvl] < min) return;
+    const line = `[kernel] ${lvl.toUpperCase()} ${msg}`;
+    if (meta === void 0) console[stream](line);
+    else console[stream](line, meta);
+  };
+  return {
+    debug: emit("debug", "log"),
+    info: emit("info", "log"),
+    warn: emit("warn", "warn"),
+    error: emit("error", "error")
+  };
+}
+async function initKernel(config, options = {}) {
+  const sanitized = sanitizeConfig(config);
+  const schema = compileSchema(sanitized);
+  const logger = createLogger(options.logLevel ?? process.env.KERNEL_LOG_LEVEL ?? "info");
+  await sanitized.db.init({ logger });
+  if (options.autoMigrate) await sanitized.db.migrate(schema);
+  const ops = createOperations({ config: sanitized, db: sanitized.db });
+  return {
+    config: sanitized,
+    db: sanitized.db,
+    schema,
+    find: ops.find,
+    findByID: ops.findByID,
+    create: ops.create,
+    update: ops.update,
+    delete: ops.delete,
+    count: ops.count,
+    login: ops.login,
+    authenticate: ops.authenticate,
+    findGlobal: ops.findGlobal,
+    updateGlobal: ops.updateGlobal,
+    async migrate() {
+      await sanitized.db.migrate(schema);
+    },
+    async destroy() {
+      await sanitized.db.destroy();
+    }
+  };
+}
+
+// ../core/src/codegen.ts
+function pascal(slug) {
+  return slug.split(/[^a-zA-Z0-9]+/).filter(Boolean).map((p) => p[0].toUpperCase() + p.slice(1)).join("");
+}
+function tsType(field, indent) {
+  switch (field.type) {
+    case "text":
+    case "textarea":
+    case "email":
+    case "code":
+    case "slug":
+      return "string";
+    case "number":
+      return "number";
+    case "boolean":
+    case "checkbox":
+      return "boolean";
+    case "date":
+      return "string";
+    case "json":
+    case "richText":
+      return "unknown";
+    case "point":
+      return "[number, number]";
+    case "select":
+    case "radio": {
+      const union = field.options.map((o) => JSON.stringify(optionValue(o))).join(" | ") || "string";
+      return field.hasMany ? `Array<${union}>` : union;
+    }
+    case "relationship":
+    case "upload":
+      return field.hasMany ? "string[]" : "string";
+    case "array":
+      return `Array<${renderObject(field.fields, indent)}>`;
+    case "group":
+      return renderObject(field.fields, indent);
+    default:
+      return "unknown";
+  }
+}
+function renderObject(fields, indent) {
+  const inner = `${indent}  `;
+  const lines = fields.map(
+    (f) => `${inner}${f.name}${f.required ? "" : "?"}: ${tsType(f, inner)}${f.required ? "" : " | null"}`
+  );
+  return `{
+${lines.join("\n")}
+${indent}}`;
+}
+function renderInterface(name, fields, timestamps) {
+  const lines = fields.map(
+    (f) => `  ${f.name}${f.required ? "" : "?"}: ${tsType(f, "  ")}${f.required ? "" : " | null"}`
+  );
+  const ts = timestamps ? "  createdAt?: string\n  updatedAt?: string\n" : "";
+  return `export interface ${name} {
+  id: string
+${lines.join("\n")}
+${ts}}`;
+}
+function generateTypes(input) {
+  const header = `/**
+ * This file is auto-generated by KernelCMS. Do not edit by hand.
+ * Run \`kernel generate:types\` to refresh it.
+ */
+/* eslint-disable */
+`;
+  const collectionTypes = input.collections.map((c) => renderInterface(pascal(c.slug), c.fields, c.timestamps ?? true)).join("\n\n");
+  const globalTypes = input.globals.map((g) => renderInterface(pascal(g.slug), g.fields, true)).join("\n\n");
+  const collectionMap = input.collections.map((c) => `    ${c.slug}: ${pascal(c.slug)}`).join("\n");
+  const globalMap = input.globals.map((g) => `    ${g.slug}: ${pascal(g.slug)}`).join("\n");
+  const registry = `export interface KernelTypes {
+  collections: {
+${collectionMap || "    [slug: string]: { id: string }"}
+  }
+  globals: {
+${globalMap || "    [slug: string]: Record<string, unknown>"}
+  }
+}`;
+  return [header, collectionTypes, globalTypes, registry].filter(Boolean).join("\n\n") + "\n";
+}
+
+// ../core/src/describe.ts
+function describeField(field) {
+  const out = {
+    name: field.name,
+    type: field.type,
+    label: fieldLabel(field),
+    required: Boolean(field.required),
+    unique: Boolean(field.unique),
+    localized: Boolean(field.localized)
+  };
+  if (field.admin) {
+    const { condition, ...rest } = field.admin;
+    void condition;
+    out.admin = rest;
+  }
+  if (field.type === "select" || field.type === "radio") {
+    out.options = field.options.map((o) => ({ label: optionLabel(o), value: optionValue(o) }));
+    out.hasMany = Boolean(field.hasMany);
+  }
+  if (field.type === "relationship" || field.type === "upload") {
+    out.relationTo = field.relationTo;
+    out.hasMany = Boolean(field.hasMany);
+  }
+  if (field.type === "array" || field.type === "group") {
+    out.fields = field.fields.map(describeField);
+  }
+  if (field.type === "number") {
+    if (field.min !== void 0) out.min = field.min;
+    if (field.max !== void 0) out.max = field.max;
+  }
+  if (field.type === "text" || field.type === "textarea" || field.type === "email" || field.type === "code") {
+    if (field.minLength !== void 0) out.minLength = field.minLength;
+    if (field.maxLength !== void 0) out.maxLength = field.maxLength;
+  }
+  return out;
+}
+function describeCollection(collection) {
+  const fields = collection.fields.filter((f) => f.name !== "hash").map(describeField);
+  if (collection.auth) {
+    fields.push({
+      name: "password",
+      type: "password",
+      label: "Password",
+      required: false,
+      unique: false,
+      localized: false,
+      admin: { description: "Leave blank to keep the current password." }
+    });
+  }
+  return {
+    slug: collection.slug,
+    labels: {
+      singular: collection.labels?.singular ?? collection.slug,
+      plural: collection.labels?.plural ?? collection.slug
+    },
+    useAsTitle: collection.admin?.useAsTitle ?? collection.fields[0]?.name ?? "id",
+    defaultColumns: collection.admin?.defaultColumns,
+    group: collection.admin?.group,
+    description: collection.admin?.description,
+    auth: Boolean(collection.auth),
+    hidden: Boolean(collection.admin?.hidden),
+    fields
+  };
+}
+function describeGlobal(global) {
+  return {
+    slug: global.slug,
+    label: global.label ?? global.slug,
+    fields: global.fields.map(describeField)
+  };
+}
+function describeConfig(config) {
+  return {
+    collections: config.collections.map(describeCollection),
+    globals: config.globals.map(describeGlobal),
+    localization: config.localization ? { locales: config.localization.locales, defaultLocale: config.localization.defaultLocale } : null,
+    routes: { api: config.routes.api }
+  };
+}
+
+export {
+  defineConfig,
+  sanitizeConfig,
+  defaultLocaleOf,
+  humanize,
+  fieldLabel,
+  optionValue,
+  optionLabel,
+  storageTypeForField,
+  columnForField,
+  defaultForField,
+  applyDefaults,
+  validateFields,
+  serializeDoc,
+  deserializeDoc,
+  relationshipFields,
+  tableForCollection,
+  tableForGlobal,
+  GLOBAL_ROW_ID,
+  compileSchema,
+  KernelError,
+  ValidationError,
+  NotFoundError,
+  ForbiddenError,
+  UnauthorizedError,
+  BadRequestError,
+  ConflictError,
+  TooManyRequestsError,
+  isKernelError,
+  hashPassword,
+  verifyPassword,
+  signToken,
+  verifyToken,
+  evalAccess,
+  isAllowed,
+  asWhere,
+  parseSort,
+  mergeWhere,
+  matchesWhere,
+  createOperations,
+  createLogger,
+  initKernel,
+  generateTypes,
+  describeConfig
+};