millas 0.2.12-beta-2 → 0.2.13

package/package.json

@@ -1,11 +1,12 @@
 {
   "name": "millas",
-  "version": "0.2.12-beta-2",
+  "version": "0.2.13",
   "description": "A modern batteries-included backend framework for Node.js — built on Express, inspired by Laravel, Django, and FastAPI",
   "main": "src/index.js",
   "exports": {
     ".": "./src/index.js",
     "./core/*": "./src/core/*.js",
+    "./middleware/*": "./src/middleware/*.js",
     "./facades/*": "./src/facades/*.js"
   },
   "bin": {
@@ -47,7 +48,7 @@
     "nodemailer": "^6.9.0",
     "nunjucks": "^3.2.4",
     "ora": "5.4.1",
-    "sqlite3": "^5.1.7"
+    "sqlite": "^5.1.1"
   },
   "peerDependencies": {
     "express": "^4.18.0"

package/src/admin/Admin.js

@@ -8,6 +8,8 @@ const { FormGenerator }              = require('./FormGenerator');
 const { ViewContext }                 = require('./ViewContext');
 const AdminAuth   = require('./AdminAuth');
 const { AdminResource, AdminField, AdminFilter, AdminInline } = require('./resources/AdminResource');
+const LookupParser = require('../orm/query/LookupParser');
+const Facade       = require('../facades/Facade');
 
 /**
  * Admin
@@ -148,6 +150,17 @@ class Admin {
     });
 
     // ── Custom filters ───────────────────────────────────────────
+
+    // Resolve a fkResource table name to the registered admin slug (or null)
+    const resolveFkSlug = (tableName) => {
+      if (!tableName) return null;
+      if (this._resources.has(tableName)) return tableName;
+      for (const R of this._resources.values()) {
+        if (R.model && R.model.table === tableName) return R.slug;
+      }
+      return null;
+    };
+
     env.addFilter('adminCell', (value, field) => {
       if (value === null || value === undefined) return '<span class="cell-muted">—</span>';
       switch (field.type) {
@@ -189,6 +202,14 @@ class Admin {
           return `<span style="display:inline-flex;align-items:center;gap:6px"><span style="width:16px;height:16px;border-radius:3px;background:${value};border:1px solid var(--border);flex-shrink:0"></span><span class="cell-mono">${value}</span></span>`;
         case 'richtext':
           return `<div style="max-width:300px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap;color:var(--text-soft)">${String(value).replace(/<[^>]+>/g, '').slice(0, 80)}</div>`;
+        case 'fk': {
+          const fkSlug = resolveFkSlug(field.fkResource);
+          const prefix = this._config.prefix || '/admin';
+          if (fkSlug) {
+            return `<span class="fk-cell">${value}<a class="fk-arrow-btn" href="${prefix}/${fkSlug}/${value}" title="View record #${value}"><svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><path d="M5 12h14M13 6l6 6-6 6"/></svg></a></span>`;
+          }
+          return String(value);
+        }
         default: {
           const str = String(value);
           return str.length > 60
@@ -243,6 +264,14 @@ class Admin {
           const c2 = (field.colors && field.colors[String(value)]) || colorMap2[String(value)] || 'gray';
           return `<span class="badge badge-${c2}">${value}</span>`;
         }
+        case 'fk': {
+          const fkSlug = resolveFkSlug(field.fkResource);
+          const prefix = this._config.prefix || '/admin';
+          if (fkSlug) {
+            return `<span class="fk-cell fk-cell-detail">${value}<a class="fk-arrow-btn" href="${prefix}/${fkSlug}/${value}" title="View record #${value}"><svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><path d="M5 12h14M13 6l6 6-6 6"/></svg></a></span>`;
+          }
+          return String(value);
+        }
         default: {
           const str = String(value);
           return str;
@@ -279,6 +308,26 @@ class Admin {
   // ─── Base render context ──────────────────────────────────────────────────
 
   _ctx(req, extra = {}) {
+    // Resolve the auth user model from the container so we can tag its
+    // resource as 'auth' in the sidebar — automatic, no dev config needed.
+    let authUserModel = null;
+    try {
+      const container = Facade._container;
+      if (container) {
+        const auth = container.make('auth');
+        authUserModel = auth?._UserModel || null;
+      }
+    } catch { /* container not booted yet or auth not registered */ }
+
+    // A resource is in the 'auth' category if:
+    //   1. Its model is the configured auth_user model, OR
+    //   2. The developer explicitly set static authCategory = 'auth'
+    const isAuthResource = (r) => {
+      if (r.authCategory === 'auth') return true;
+      if (authUserModel && r.model && r.model === authUserModel) return true;
+      return false;
+    };
+
     return {
       csrfToken:      AdminAuth.enabled ? AdminAuth.csrfToken(req) : 'disabled',
       adminPrefix:    this._config.prefix,
@@ -294,6 +343,7 @@ class Admin {
           icon:     r.icon,
           canView:  r.hasPermission(req.adminUser || null, 'view'),
           index:    idx + 1,
+          category: isAuthResource(r) ? 'auth' : 'app',
         })),
       flash:          extra._flash || {},
       activePage:     extra.activePage || null,
@@ -406,7 +456,7 @@ class Admin {
         activityTotals,
       }));
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -449,7 +499,7 @@ class Admin {
           baseCtx: this._ctxWithFlash(req, res, {}),
         }), R);
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -465,7 +515,7 @@ class Admin {
           baseCtx:     this._ctxWithFlash(req, res, {}),
         }), R);
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -502,7 +552,7 @@ class Admin {
             baseCtx:     this._ctxWithFlash(req, res, {}),
           }), R);
       }
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -524,7 +574,7 @@ class Admin {
           baseCtx:     this._ctxWithFlash(req, res, {}),
         }), R);
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -563,7 +613,7 @@ class Admin {
             baseCtx:     this._ctxWithFlash(req, res, {}),
           }), R);
       }
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -579,7 +629,7 @@ class Admin {
       this._flash(req, 'success', `${R._getLabelSingular()} deleted`);
       this._redirectWithFlash(res, `${this._config.prefix}/${R.slug}`, req._flashType, req._flashMessage);
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -618,7 +668,7 @@ class Admin {
           baseCtx: this._ctxWithFlash(req, res, {}),
         }), R);
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -642,7 +692,7 @@ class Admin {
       this._flash(req, 'success', `Deleted ${ids.length} record${ids.length > 1 ? 's' : ''}.`);
       this._redirectWithFlash(res, `${this._config.prefix}/${R.slug}`, req._flashType, req._flashMessage);
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -673,7 +723,7 @@ class Admin {
       this._flash(req, 'success', `Action "${action.label}" applied to ${ids.length} record${ids.length > 1 ? 's' : ''}.`);
       this._redirectWithFlash(res, `${this._config.prefix}/${R.slug}`, req._flashType, req._flashMessage);
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -704,7 +754,7 @@ class Admin {
       this._flash(req, 'success', rowAction.successMessage || `Action "${rowAction.label}" completed.`);
       this._redirectWithFlash(res, redirect, req._flashType, req._flashMessage);
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -772,17 +822,49 @@ class Admin {
       }
       labelCol = labelCol || pk;
 
+      // Resolve fkWhere — look up the field on the SOURCE resource (the one
+      // that owns the FK field), not the target resource being queried.
+      // e.g. TenantOwnershipResource.tenant_id has .where({ role: 'tenant' })
+      //      but we're currently querying UserResource — wrong place to look.
+      const fieldName  = (req.query.field || '').trim();
+      const fromSlug   = (req.query.from  || '').trim();
+      let fkWhere = null;
+      if (fieldName && fromSlug) {
+        const sourceResource = this._resources.get(fromSlug)
+          || [...this._resources.values()].find(r => r.model?.table === fromSlug);
+        if (sourceResource) {
+          const fieldDef = (sourceResource.fields() || []).find(f => f._name === fieldName);
+          if (fieldDef && fieldDef._fkWhere) fkWhere = fieldDef._fkWhere;
+        }
+      }
+
+      // Helper: apply fkWhere constraints to a knex query builder.
+      // Plain object keys are run through LookupParser so __ syntax works:
+      //   { role: 'tenant' }            → WHERE role = 'tenant'
+      //   { age__gte: 18 }              → WHERE age >= 18
+      //   { role__in: ['a','b'] }       → WHERE role IN ('a','b')
+      //   { name__icontains: 'alice' }  → WHERE name ILIKE '%alice%'
+      const applyScope = (q) => {
+        if (!fkWhere) return q;
+        if (typeof fkWhere === 'function') return fkWhere(q) || q;
+        // Plain object — run each key through LookupParser for __ support
+        for (const [key, value] of Object.entries(fkWhere)) {
+          LookupParser.apply(q, key, value, R.model);
+        }
+        return q;
+      };
+
       // Call _db() separately for each query — knex builders are mutable,
       // reusing the same instance across count + select corrupts both queries.
-      let countQ = R.model._db().count(`${pk} as total`);
+      let countQ = applyScope(R.model._db().count(`${pk} as total`));
       if (search) countQ = countQ.where(labelCol, 'like', `%${search}%`);
       const [{ total }] = await countQ;
 
-      let rowQ = R.model._db()
+      let rowQ = applyScope(R.model._db()
         .select([`${pk} as id`, `${labelCol} as label`])
         .orderBy(labelCol, 'asc')
         .limit(perPage)
-        .offset(offset);
+        .offset(offset));
       if (search) rowQ = rowQ.where(labelCol, 'like', `%${search}%`);
       const rows = await rowQ;
 
@@ -834,7 +916,7 @@ class Admin {
       AdminAuth.setFlash(res, 'success', `${inline.label} added.`);
       res.redirect(`${this._config.prefix}/${R.slug}/${req.params.id}`);
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -860,7 +942,7 @@ class Admin {
       AdminAuth.setFlash(res, 'success', 'Record deleted.');
       res.redirect(`${this._config.prefix}/${R.slug}/${req.params.id}`);
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -907,7 +989,7 @@ class Admin {
           baseCtx: this._ctxWithFlash(req, res, { activePage: 'search' }),
         }));
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -963,7 +1045,7 @@ class Admin {
       res.setHeader('Content-Disposition', `attachment; filename="${filename}.csv"`);
       res.send([header, ...csvRows].join('\r\n'));
     } catch (err) {
-      this._error(res, err);
+      this._error(req, res, err);
     }
   }
 
@@ -1084,7 +1166,7 @@ class Admin {
       finalCtx = hookCtx.templateCtx || ctx;
     } catch (err) {
       // before_render errors abort the render — surface as a 500
-      return this._error(res, err);
+      return this._error(req, res, err);
     }
 
     // ── Render ──────────────────────────────────────────────────────────
@@ -1121,25 +1203,27 @@ class Admin {
     return R;
   }
 
-  _error(res, err) {
-    const status = err.status || 500;
-    res.status(status).send(`
-      <html><body style="font-family:'DM Sans',system-ui,sans-serif;padding:48px;background:#f4f5f7;color:#111827">
-        <div style="max-width:640px;margin:0 auto">
-          <div style="display:flex;align-items:center;gap:10px;margin-bottom:24px">
-            <div style="width:36px;height:36px;background:#fef2f2;border-radius:8px;display:flex;align-items:center;justify-content:center">
-              <svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="#dc2626" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"/><line x1="12" y1="8" x2="12" y2="12"/><line x1="12" y1="16" x2="12.01" y2="16"/></svg>
-            </div>
-            <h2 style="font-size:17px;font-weight:600;color:#dc2626">Admin Error ${status}</h2>
-          </div>
-          <pre style="background:#fff;border:1px solid #e3e6ec;padding:20px;border-radius:8px;color:#374151;font-size:12.5px;overflow-x:auto;line-height:1.6">${err.stack || err.message}</pre>
-          <a href="javascript:history.back()" style="display:inline-flex;align-items:center;gap:6px;margin-top:16px;color:#2563eb;font-size:13px;text-decoration:none">
-            <svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="19" y1="12" x2="5" y2="12"/><polyline points="12 19 5 12 12 5"/></svg>
-            Go back
-          </a>
-        </div>
-      </body></html>
-    `);
+  _error(req, res, err) {
+    const status  = err.status || 500;
+    const is404   = status === 404;
+    const title   = is404 ? 'Not found' : `Error ${status}`;
+    const message = err.message || 'An unexpected error occurred.';
+    const stack   = process.env.NODE_ENV !== 'production' && !is404 ? (err.stack || '') : '';
+
+    try {
+      const ctx = this._ctxWithFlash(req, res, {
+        pageTitle:   title,
+        errorStatus: status,
+        errorTitle:  title,
+        errorMsg:    message,
+        errorStack:  stack,
+      });
+      res.status(status);
+      return this._render(req, res, 'pages/error.njk', ctx);
+    } catch (_renderErr) {
+      // Fallback if template itself fails
+      res.status(status).send(`<pre>${message}</pre>`);
+    }
   }
 
   // ─── Flash (cookie-based) ─────────────────────────────────────────────────

package/src/admin/ViewContext.js

@@ -136,7 +136,13 @@ class ViewContext {
         dateHierarchy:      Resource.dateHierarchy || null,
         prepopulatedFields: Resource.prepopulatedFields || {},
       },
-      rows,
+      rows: rows.map(row => ({
+        ...row,
+        _rowActions: (Resource.rowActions || []).map(ra => ({
+          ...ra,
+          href: typeof ra.href === 'function' ? ra.href(row) : ra.href,
+        })),
+      })),
       listFields,
       filters:      Resource.filters().map(f => f.toJSON()),
       activeFilters,
@@ -246,7 +252,10 @@ class ViewContext {
         canEdit:    perms.canEdit,
         canDelete:  perms.canDelete,
         canCreate:  perms.canCreate,
-        rowActions: Resource.rowActions || [],
+        rowActions: (Resource.rowActions || []).map(ra => ({
+          ...ra,
+          href: typeof ra.href === 'function' ? ra.href(record) : ra.href,
+        })),
       },
       record,
       detailFields,
@@ -306,4 +315,4 @@ class ViewContext {
   }
 }
 
-module.exports = { ViewContext };
+module.exports = { ViewContext };

package/src/admin/resources/AdminResource.js

@@ -641,6 +641,15 @@ class AdminField {
    *  e.g. AdminField.text('slug').prepopulate('title')
    */
   prepopulate(src)   { this._prepopulate = src;    return this; }
+  /**
+   * Scope the FK dropdown to records matching these constraints.
+   * Accepts a plain object (col = val pairs) or a function for advanced queries.
+   *
+   *   AdminField.fk('tenant_id',  'users').where({ role: 'tenant' })
+   *   AdminField.fk('landlord_id','users').where({ role: 'landlord', is_active: true })
+   *   AdminField.fk('user_id',    'users').where(q => q.whereIn('role', ['admin', 'moderator']))
+   */
+  where(constraints) { this._fkWhere = constraints; return this; }
 
   // ─── Serialise ─────────────────────────────────────────────────────────────
 
@@ -665,6 +674,7 @@ class AdminField {
       max:         this._max,
       isLink:      this._isLink      || false,
       fkResource:  this._fkResource  || null,
+      fkWhere:     this._fkWhere     || null,
       m2mResource: this._m2mResource || null,
       prepopulate: this._prepopulate || null,
     };

package/src/admin/static/admin.css

@@ -333,18 +333,18 @@
        ════════════════════════════════════════ */
     .stats-grid {
       display: grid;
-      grid-template-columns: repeat(auto-fill, minmax(190px, 1fr));
-      gap: 14px;
-      margin-bottom: 22px;
+      grid-template-columns: repeat(auto-fill, minmax(140px, 1fr));
+      gap: 10px;
+      margin-bottom: 18px;
     }
     .stat-card {
       background: var(--surface);
       border: 1px solid var(--border);
-      border-radius: var(--radius-lg);
-      padding: 18px 20px;
+      border-radius: var(--radius);
+      padding: 10px 12px;
       display: flex;
       flex-direction: column;
-      gap: 6px;
+      gap: 4px;
       transition: box-shadow .15s, border-color .15s;
       text-decoration: none;
       box-shadow: var(--shadow-sm);
@@ -354,28 +354,28 @@
       border-color: var(--primary-dim);
     }
     .stat-icon-wrap {
-      width: 36px; height: 36px;
-      border-radius: 9px;
+      width: 28px; height: 28px;
+      border-radius: 7px;
       background: linear-gradient(135deg, #fff4e6 0%, #ffe4c4 100%);
       display: flex; align-items: center; justify-content: center;
       color: var(--primary);
-      margin-bottom: 4px;
+      margin-bottom: 2px;
     }
     .stat-label {
-      font-size: 11.5px;
+      font-size: 10.5px;
       color: var(--text-muted);
       font-weight: 500;
       text-transform: uppercase;
-      letter-spacing: 0.4px;
+      letter-spacing: 0.3px;
     }
     .stat-value {
-      font-size: 26px;
+      font-size: 20px;
       font-weight: 700;
       color: var(--text);
       line-height: 1;
-      letter-spacing: -0.5px;
+      letter-spacing: -0.3px;
     }
-    .stat-sub { font-size: 12px; color: var(--text-muted); }
+    .stat-sub { font-size: 11px; color: var(--text-muted); }
 
     /* ════════════════════════════════════════
        TABLE
@@ -1338,4 +1338,85 @@
 }
 .toggle-input:disabled ~ .toggle-label {
   opacity: .5;
+}
+
+/* ─────────────────────────────────────────────────────────────────
+   Thin themed scrollbars
+   ───────────────────────────────────────────────────────────────── */
+
+/* Webkit (Chrome, Edge, Safari) */
+::-webkit-scrollbar {
+  width:  5px;
+  height: 5px;
+}
+::-webkit-scrollbar-track {
+  background: transparent;
+}
+::-webkit-scrollbar-thumb {
+  background: var(--primary-dim);
+  border-radius: 99px;
+}
+::-webkit-scrollbar-thumb:hover {
+  background: var(--primary);
+}
+::-webkit-scrollbar-corner {
+  background: transparent;
+}
+
+/* Firefox */
+* {
+  scrollbar-width: thin;
+  scrollbar-color: var(--primary-dim) transparent;
+}
+*:hover {
+  scrollbar-color: var(--primary) transparent;
+}
+
+
+/* ─────────────────────────────────────────────────────────────────
+   FK cells — floating arrow button appears on cell hover
+   ───────────────────────────────────────────────────────────────── */
+
+/* The td needs position:relative — applied via the wrapper span signal */
+td:has(.fk-cell) {
+  position: relative;
+}
+
+.fk-cell {
+  display: block;
+  /* leave room so text never sits under the arrow */
+  padding-right: 24px;
+}
+
+.fk-arrow-btn {
+  position: absolute;
+  right: 8px;
+  top: 50%;
+  transform: translateY(-50%) translateX(4px);
+  opacity: 0;
+  transition: opacity .12s ease, transform .12s ease;
+  color: var(--primary);
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  width: 22px;
+  height: 22px;
+  border-radius: var(--radius-sm);
+  text-decoration: none;
+  background: var(--primary-soft);
+  border: 1px solid var(--primary-dim);
+  pointer-events: none;
+}
+
+/* Show on td hover */
+td:hover .fk-arrow-btn {
+  opacity: 1;
+  transform: translateY(-50%) translateX(0);
+  pointer-events: auto;
+}
+
+/* Detail page variant */
+.fk-cell-detail .fk-arrow-btn {
+  width: 24px;
+  height: 24px;
 }

package/src/admin/views/layouts/base.njk

@@ -8,7 +8,7 @@
   <link rel="preconnect" href="https://fonts.googleapis.com">
   <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
   <link href="https://fonts.googleapis.com/css2?family=DM+Sans:ital,opsz,wght@0,9..40,300;0,9..40,400;0,9..40,500;0,9..40,600;0,9..40,700;1,9..40,400&family=DM+Mono:wght@400;500&display=swap" rel="stylesheet">
-  <link rel="stylesheet" href="{{ adminPrefix }}/static/admin.css?v=15">
+  <link rel="stylesheet" href="{{ adminPrefix }}/static/admin.css?v=21">
   <link rel="stylesheet" href="{{ adminPrefix }}/static/json-editor.css?v=4">
   <link rel="stylesheet" href="{{ adminPrefix }}/static/date-picker.css?v=3">
   <script src="https://code.jquery.com/jquery-3.7.1.min.js" crossorigin="anonymous"></script>
@@ -19,38 +19,7 @@
   {# ══════════════════════════════════════
      SVG ICON DEFINITIONS (hidden sprite)
      ══════════════════════════════════════ #}
-  <svg xmlns="http://www.w3.org/2000/svg" style="display:none">
-    <symbol id="ic-home" viewBox="0 0 24 24"><path d="M3 9.5L12 3l9 6.5V20a1 1 0 01-1 1H5a1 1 0 01-1-1V9.5z"/><path d="M9 21V12h6v9"/></symbol>
-    <symbol id="ic-table" viewBox="0 0 24 24"><rect x="3" y="3" width="18" height="18" rx="2"/><path d="M3 9h18M9 3v18"/></symbol>
-    <symbol id="ic-users" viewBox="0 0 24 24"><path d="M17 21v-2a4 4 0 00-4-4H5a4 4 0 00-4 4v2"/><circle cx="9" cy="7" r="4"/><path d="M23 21v-2a4 4 0 00-3-3.87M16 3.13a4 4 0 010 7.75"/></symbol>
-    <symbol id="ic-file" viewBox="0 0 24 24"><path d="M14 2H6a2 2 0 00-2 2v16a2 2 0 002 2h12a2 2 0 002-2V8z"/><path d="M14 2v6h6M16 13H8M16 17H8M10 9H8"/></symbol>
-    <symbol id="ic-tag" viewBox="0 0 24 24"><path d="M20.59 13.41l-7.17 7.17a2 2 0 01-2.83 0L2 12V2h10l8.59 8.59a2 2 0 010 2.82z"/><circle cx="7" cy="7" r="1.5" fill="currentColor" stroke="none"/></symbol>
-    <symbol id="ic-settings" viewBox="0 0 24 24"><circle cx="12" cy="12" r="3"/><path d="M19.4 15a1.65 1.65 0 00.33 1.82l.06.06a2 2 0 010 2.83 2 2 0 01-2.83 0l-.06-.06a1.65 1.65 0 00-1.82-.33 1.65 1.65 0 00-1 1.51V21a2 2 0 01-4 0v-.09A1.65 1.65 0 009 19.4a1.65 1.65 0 00-1.82.33l-.06.06a2 2 0 01-2.83-2.83l.06-.06A1.65 1.65 0 004.68 15a1.65 1.65 0 00-1.51-1H3a2 2 0 010-4h.09A1.65 1.65 0 004.6 9a1.65 1.65 0 00-.33-1.82l-.06-.06a2 2 0 012.83-2.83l.06.06A1.65 1.65 0 009 4.68a1.65 1.65 0 001-1.51V3a2 2 0 014 0v.09a1.65 1.65 0 001 1.51 1.65 1.65 0 001.82-.33l.06-.06a2 2 0 012.83 2.83l-.06.06A1.65 1.65 0 0019.4 9a1.65 1.65 0 001.51 1H21a2 2 0 010 4h-.09a1.65 1.65 0 00-1.51 1z"/></symbol>
-    <symbol id="ic-plus" viewBox="0 0 24 24"><line x1="12" y1="5" x2="12" y2="19"/><line x1="5" y1="12" x2="19" y2="12"/></symbol>
-    <symbol id="ic-edit" viewBox="0 0 24 24"><path d="M11 4H4a2 2 0 00-2 2v14a2 2 0 002 2h14a2 2 0 002-2v-7"/><path d="M18.5 2.5a2.121 2.121 0 013 3L12 15l-4 1 1-4 9.5-9.5z"/></symbol>
-    <symbol id="ic-trash" viewBox="0 0 24 24"><polyline points="3 6 5 6 21 6"/><path d="M19 6l-1 14a2 2 0 01-2 2H8a2 2 0 01-2-2L5 6M10 11v6M14 11v6"/><path d="M9 6V4a1 1 0 011-1h4a1 1 0 011 1v2"/></symbol>
-    <symbol id="ic-search" viewBox="0 0 24 24"><circle cx="11" cy="11" r="8"/><line x1="21" y1="21" x2="16.65" y2="16.65"/></symbol>
-    <symbol id="ic-filter" viewBox="0 0 24 24"><polygon points="22 3 2 3 10 12.46 10 19 14 21 14 12.46 22 3"/></symbol>
-    <symbol id="ic-chevron-left" viewBox="0 0 24 24"><polyline points="15 18 9 12 15 6"/></symbol>
-    <symbol id="ic-chevron-right" viewBox="0 0 24 24"><polyline points="9 18 15 12 9 6"/></symbol>
-    <symbol id="ic-chevron-down" viewBox="0 0 24 24"><polyline points="6 9 12 15 18 9"/></symbol>
-    <symbol id="ic-x" viewBox="0 0 24 24"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></symbol>
-    <symbol id="ic-check" viewBox="0 0 24 24"><polyline points="20 6 9 17 4 12"/></symbol>
-    <symbol id="ic-alert-circle" viewBox="0 0 24 24"><circle cx="12" cy="12" r="10"/><line x1="12" y1="8" x2="12" y2="12"/><line x1="12" y1="16" x2="12.01" y2="16"/></symbol>
-    <symbol id="ic-info" viewBox="0 0 24 24"><circle cx="12" cy="12" r="10"/><line x1="12" y1="16" x2="12" y2="12"/><line x1="12" y1="8" x2="12.01" y2="8"/></symbol>
-    <symbol id="ic-eye" viewBox="0 0 24 24"><path d="M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z"/><circle cx="12" cy="12" r="3"/></symbol>
-    <symbol id="ic-download" viewBox="0 0 24 24"><path d="M21 15v4a2 2 0 01-2 2H5a2 2 0 01-2-2v-4"/><polyline points="7 10 12 15 17 10"/><line x1="12" y1="15" x2="12" y2="3"/></symbol>
-    <symbol id="ic-upload" viewBox="0 0 24 24"><path d="M21 15v4a2 2 0 01-2 2H5a2 2 0 01-2-2v-4"/><polyline points="17 8 12 3 7 8"/><line x1="12" y1="3" x2="12" y2="15"/></symbol>
-    <symbol id="ic-refresh" viewBox="0 0 24 24"><polyline points="23 4 23 10 17 10"/><polyline points="1 20 1 14 7 14"/><path d="M3.51 9a9 9 0 0114.85-3.36L23 10M1 14l4.64 4.36A9 9 0 0020.49 15"/></symbol>
-    <symbol id="ic-more-vertical" viewBox="0 0 24 24"><circle cx="12" cy="5" r="1" fill="currentColor" stroke="none"/><circle cx="12" cy="12" r="1" fill="currentColor" stroke="none"/><circle cx="12" cy="19" r="1" fill="currentColor" stroke="none"/></symbol>
-    <symbol id="ic-grid" viewBox="0 0 24 24"><rect x="3" y="3" width="7" height="7"/><rect x="14" y="3" width="7" height="7"/><rect x="14" y="14" width="7" height="7"/><rect x="3" y="14" width="7" height="7"/></symbol>
-    <symbol id="ic-list" viewBox="0 0 24 24"><line x1="8" y1="6" x2="21" y2="6"/><line x1="8" y1="12" x2="21" y2="12"/><line x1="8" y1="18" x2="21" y2="18"/><line x1="3" y1="6" x2="3.01" y2="6"/><line x1="3" y1="12" x2="3.01" y2="12"/><line x1="3" y1="18" x2="3.01" y2="18"/></symbol>
-    <symbol id="ic-save" viewBox="0 0 24 24"><path d="M19 21H5a2 2 0 01-2-2V5a2 2 0 012-2h11l5 5v11a2 2 0 01-2 2z"/><polyline points="17 21 17 13 7 13 7 21"/><polyline points="7 3 7 8 15 8"/></symbol>
-    <symbol id="ic-arrow-left" viewBox="0 0 24 24"><line x1="19" y1="12" x2="5" y2="12"/><polyline points="12 19 5 12 12 5"/></symbol>
-    <symbol id="ic-database" viewBox="0 0 24 24"><ellipse cx="12" cy="5" rx="9" ry="3"/><path d="M21 12c0 1.66-4 3-9 3s-9-1.34-9-3"/><path d="M3 5v14c0 1.66 4 3 9 3s9-1.34 9-3V5"/></symbol>
-    <symbol id="ic-activity" viewBox="0 0 24 24"><polyline points="22 12 18 12 15 21 9 3 6 12 2 12"/></symbol>
-    <symbol id="ic-log-out" viewBox="0 0 24 24"><path d="M9 21H5a2 2 0 01-2-2V5a2 2 0 012-2h4"/><polyline points="16 17 21 12 16 7"/><line x1="21" y1="12" x2="9" y2="12"/></symbol>
-  </svg>
+  {% include "partials/icons.njk" %}
 
   {# ══════════════════════════════════════
      SIDEBAR
@@ -80,14 +49,34 @@
     <div class="nav-section">
       <div class="nav-label">Resources</div>
       {% for resource in resources %}
+      {% if resource.category != 'auth' %}
       <a href="{{ adminPrefix }}/{{ resource.slug }}" class="nav-item {% if activeResource == resource.slug %}active{% endif %}">
         <span class="nav-icon icon icon-16">
-          <svg viewBox="0 0 24 24"><use href="#ic-table"/></svg>
+          <svg viewBox="0 0 24 24"><use href="#ic-{{ resource.icon or 'table' }}"/></svg>
         </span>
         {{ resource.label }}
       </a>
+      {% endif %}
       {% endfor %}
     </div>
+
+    {% set hasAuth = false %}
+    {% for resource in resources %}{% if resource.category == 'auth' %}{% set hasAuth = true %}{% endif %}{% endfor %}
+    {% if hasAuth %}
+    <div class="nav-section">
+      <div class="nav-label">Auth</div>
+      {% for resource in resources %}
+      {% if resource.category == 'auth' %}
+      <a href="{{ adminPrefix }}/{{ resource.slug }}" class="nav-item {% if activeResource == resource.slug %}active{% endif %}">
+        <span class="nav-icon icon icon-16">
+          <svg viewBox="0 0 24 24"><use href="#ic-{{ resource.icon or 'user' }}"/></svg>
+        </span>
+        {{ resource.label }}
+      </a>
+      {% endif %}
+      {% endfor %}
+    </div>
+    {% endif %}
     {% endif %}
 
     <div class="sidebar-footer">