nextly 0.0.1 → 0.0.2-alpha.0

package/dist/index.mjs

@@ -0,0 +1,1336 @@
+import {
+  applyDesiredSchema,
+  buildDesiredSchemaFromRegistry,
+  buildDesiredSchemaFromRegistryAsync
+} from "./chunk-XGI4EMS3.mjs";
+import {
+  RESERVED_SINGLE_SLUGS,
+  array,
+  assertValidSingleConfig,
+  checkbox,
+  chips,
+  code,
+  component,
+  date,
+  defineCollection,
+  defineComponent,
+  defineSingle,
+  email,
+  group,
+  json,
+  number,
+  option,
+  password,
+  radio,
+  relationship,
+  repeater,
+  richText,
+  select,
+  text,
+  textarea,
+  upload,
+  validateSingleConfig
+} from "./chunk-WD34YQ6T.mjs";
+import {
+  ALLOWED_USER_FIELD_TYPES,
+  RESERVED_USER_FIELD_NAMES,
+  assertValidUserConfig,
+  defineConfig,
+  validateUserConfig
+} from "./chunk-GDBJ5JCU.mjs";
+import {
+  ApiKeyTokenTypeSchema,
+  CreateApiKeySchema,
+  ExpiresInSchema,
+  UpdateApiKeySchema
+} from "./chunk-YZZCTONM.mjs";
+import {
+  InMemoryRateLimitStore,
+  createRateLimitHeaders,
+  createRateLimiter
+} from "./chunk-ERCNLX3V.mjs";
+import {
+  getTrustedClientIp,
+  parseTrustedProxyIpsEnv
+} from "./chunk-APKKRD2G.mjs";
+import "./chunk-VWF3JO32.mjs";
+import {
+  createRegister,
+  getCachedNextly,
+  getNextly,
+  nextly,
+  shutdownNextly
+} from "./chunk-P7NH2OSC.mjs";
+import "./chunk-2OALJTK6.mjs";
+import "./chunk-VJ66NCL4.mjs";
+import "./chunk-R6JJQHFC.mjs";
+import "./chunk-X23WKS3Z.mjs";
+import {
+  ExternalUrlError,
+  clearServices,
+  createPluginContext,
+  definePlugin,
+  getService,
+  isServicesRegistered,
+  registerServices,
+  safeFetch,
+  shutdownServices,
+  validateExternalUrl
+} from "./chunk-X7TXCYYN.mjs";
+import "./chunk-YZNBLFIW.mjs";
+import {
+  MAX_COMPONENT_NESTING_DEPTH,
+  RESERVED_COMPONENT_SLUGS,
+  RESERVED_SLUGS,
+  SQL_RESERVED_KEYWORDS,
+  assertValidCollectionConfig,
+  assertValidComponentConfig,
+  validateCollectionConfig,
+  validateComponentConfig
+} from "./chunk-FQULBZ53.mjs";
+import {
+  AssignPermissionToRoleSchema,
+  AssignRoleToUserSchema,
+  CheckUserPermissionSchema,
+  CollectionFileManager,
+  CollectionService,
+  CollectionsHandler,
+  CreateLocalUserSchema,
+  CreatePermissionSchema,
+  CreateRoleInheritanceSchema,
+  CreateRoleSchema,
+  CreateUserWithPasswordSchema,
+  DeletePermissionSchema,
+  DeleteRoleInheritanceSchema,
+  DeleteRoleSchema,
+  DeleteUserAccountSchema,
+  DeleteUserResponseSchema,
+  DeleteUserSchema,
+  DynamicCollectionService,
+  GetPermissionByIdSchema,
+  GetRoleByIdSchema,
+  GetRolePermissionsSchema,
+  GetUserByIdSchema,
+  GetUserPermissionsSchema,
+  GetUserRolesSchema,
+  HookRegistry,
+  IdSchema,
+  ListUsersSchema,
+  MediaService2 as MediaService,
+  MinimalUserSchema,
+  PAGINATION_DEFAULTS,
+  PermissionActionSchema,
+  PermissionCheckResponseSchema,
+  PermissionListResponseSchema,
+  PermissionResourceSchema,
+  PermissionSchema,
+  RemovePermissionFromRoleSchema,
+  RemoveRoleFromUserSchema,
+  RoleInheritanceSchema,
+  RoleListResponseSchema,
+  RolePermissionListResponseSchema,
+  RolePermissionSchema,
+  RoleSchema,
+  SYSTEM_CONTEXT,
+  SYSTEM_RESOURCES,
+  ServiceContainer,
+  ServiceDispatcher,
+  UnlinkAccountResponseSchema,
+  UnlinkAccountSchema,
+  UpdatePasswordSchema,
+  UpdatePermissionSchema,
+  UpdateRoleSchema,
+  UpdateUserSchema,
+  UserAccountSchema,
+  UserIdSchema,
+  UserListResponseSchema,
+  UserResponseSchema,
+  UserRoleListResponseSchema,
+  UserRoleSchema,
+  UserService,
+  buildPaginatedResponse,
+  calculateOffset,
+  clampLimit,
+  consoleLogger,
+  getHookRegistry,
+  isSystemResource,
+  isValidResource,
+  resetHookRegistry
+} from "./chunk-NSEFNNU4.mjs";
+import "./chunk-3FA7FKAV.mjs";
+import "./chunk-AGJ6F2T3.mjs";
+import "./chunk-KIMNCZGV.mjs";
+import "./chunk-AK6Z23OX.mjs";
+import "./chunk-INV7QKLG.mjs";
+import "./chunk-GZ6DCQKC.mjs";
+import "./chunk-SBACDPNX.mjs";
+import "./chunk-RJLLGGPG.mjs";
+import "./chunk-V4EQTOA4.mjs";
+import "./chunk-I4JMR3UR.mjs";
+import "./chunk-XZKLBMN6.mjs";
+import "./chunk-IZWPRDC3.mjs";
+import "./chunk-DNNG377Z.mjs";
+import "./chunk-5HMZ644B.mjs";
+import {
+  BulkOperationResponseSchema,
+  BulkOperationSchema,
+  DateRangeSchema,
+  EmailSchema,
+  ErrorResponseSchema,
+  FileUploadSchema,
+  ImageUploadSchema,
+  PaginatedResponseSchema,
+  PaginationSchema,
+  PasswordSchema,
+  PhoneSchema,
+  SearchSchema,
+  SortOrderSchema,
+  SortSchema,
+  SuccessResponseSchema,
+  UrlSchema,
+  ValidationErrorSchema
+} from "./chunk-W5KKPZT5.mjs";
+import "./chunk-56WO4WX7.mjs";
+import "./chunk-2W3DVD7S.mjs";
+import {
+  dynamicComponentsMysql,
+  dynamicComponentsPg,
+  dynamicComponentsSqlite,
+  getDialectTables,
+  schema_exports,
+  withDbErrors
+} from "./chunk-TS7GHTG2.mjs";
+import "./chunk-H26B4FYG.mjs";
+import {
+  checkAdapterHealth,
+  createAdapter,
+  createAdapterFromEnv,
+  validateDatabaseEnv
+} from "./chunk-DP3G27G5.mjs";
+import "./chunk-DV6WVX2Q.mjs";
+import {
+  env
+} from "./chunk-UJ2IMJ4W.mjs";
+import "./chunk-EGXBZCGC.mjs";
+import "./chunk-G2AA4QLC.mjs";
+import "./chunk-4MJLT6PZ.mjs";
+import "./chunk-IUDOC7N7.mjs";
+import {
+  healthCheck
+} from "./chunk-LAZXX4HR.mjs";
+import {
+  Container,
+  container
+} from "./chunk-D5HQBNUB.mjs";
+import {
+  DbError,
+  NextlyError,
+  isDbError,
+  toDbError
+} from "./chunk-NRUWQ5Z7.mjs";
+import "./chunk-VTJADRO3.mjs";
+import {
+  ALL_FIELD_TYPES,
+  DATA_FIELD_TYPES,
+  VIRTUAL_FIELD_TYPES,
+  hasNestedFields,
+  isCheckboxField,
+  isChipsField,
+  isCodeField,
+  isComponentField,
+  isDataField,
+  isDateField,
+  isEmailField,
+  isGroupField,
+  isJSONField,
+  isNumberField,
+  isPasswordField,
+  isRadioField,
+  isRelationalField,
+  isRelationshipField,
+  isRepeaterField,
+  isRichTextField,
+  isSelectField,
+  isTextField,
+  isTextareaField,
+  isUploadField
+} from "./chunk-5APFUGAD.mjs";
+import "./chunk-7P6ASYW6.mjs";
+
+// src/schemas/dynamic-collections.ts
+import {
+  pgTable,
+  uuid,
+  varchar,
+  text as text2,
+  jsonb,
+  timestamp
+} from "drizzle-orm/pg-core";
+var dynamicCollections = pgTable("dynamic_collections", {
+  id: uuid("id").primaryKey().defaultRandom(),
+  name: varchar("name", { length: 255 }).unique().notNull(),
+  label: varchar("label", { length: 255 }).notNull(),
+  tableName: varchar("table_name", { length: 255 }).unique().notNull(),
+  description: text2("description"),
+  icon: varchar("icon", { length: 50 }),
+  schemaDefinition: jsonb("schema_definition").$type().notNull(),
+  createdBy: uuid("created_by"),
+  createdAt: timestamp("created_at").defaultNow().notNull(),
+  updatedAt: timestamp("updated_at").defaultNow().notNull()
+});
+
+// src/schemas/dynamic-components/types.ts
+var COMPONENT_SOURCE_TYPES = [
+  "code",
+  "ui"
+];
+var COMPONENT_MIGRATION_STATUSES = ["synced", "pending", "generated", "applied", "failed"];
+
+// src/schemas/migrations/postgres.ts
+import { sql } from "drizzle-orm";
+import {
+  pgTable as pgTable2,
+  uuid as uuid2,
+  text as text3,
+  char,
+  integer,
+  timestamp as timestamp2,
+  jsonb as jsonb2,
+  index,
+  check
+} from "drizzle-orm/pg-core";
+var nextlyMigrationsPg = pgTable2(
+  "nextly_migrations",
+  {
+    /** UUID v4, generated server-side. */
+    id: uuid2("id").primaryKey().defaultRandom(),
+    /**
+     * Migration filename (without directory). Unique.
+     *
+     * @example "20260429_154500_123_add_excerpt.sql"
+     */
+    filename: text3("filename").notNull().unique(),
+    /**
+     * SHA-256 of the .sql file content as written. 64 hex chars.
+     * Used by `nextly migrate` to detect tampering on subsequent runs
+     * and by `nextly migrate:check` (via the paired snapshot file).
+     */
+    sha256: char("sha256", { length: 64 }).notNull(),
+    /**
+     * When the migration was applied to this database. Timezone-aware
+     * for cross-region operator clarity.
+     */
+    appliedAt: timestamp2("applied_at", { withTimezone: true }).notNull().defaultNow(),
+    /**
+     * Who/what ran the migration. Resolved by the CLI from
+     * `NEXTLY_APPLIED_BY` → `GITHUB_ACTOR` → `USER` → hostname.
+     */
+    appliedBy: text3("applied_by"),
+    /** Wall-clock duration of the apply, in milliseconds. */
+    durationMs: integer("duration_ms"),
+    /**
+     * Apply outcome. Only `'applied'` or `'failed'`; rows are inserted
+     * only after the attempt completes. CHECK constraint enforces this.
+     */
+    status: text3("status").notNull().$type(),
+    /**
+     * Structured error info on failure. Shape:
+     * `{ sqlState?: string; statement?: string; message: string }`.
+     * NULL on success.
+     */
+    errorJson: jsonb2("error_json"),
+    /**
+     * Reserved for v2 corrective-rollback feature. Always NULL in v1.
+     * Column exists so future ALTER TABLE ADDs from F15 don't conflict.
+     */
+    rollbackSql: text3("rollback_sql")
+  },
+  (table) => [
+    /** Most-recent-first queries on the operator dashboard. */
+    index("nextly_migrations_applied_at_idx").on(table.appliedAt),
+    /** Enforce the two-state lifecycle at the DB level. */
+    check(
+      "nextly_migrations_status_check",
+      sql`${table.status} IN ('applied', 'failed')`
+    )
+  ]
+);
+
+// src/schemas/migrations/mysql.ts
+import { sql as sql2 } from "drizzle-orm";
+import {
+  mysqlTable,
+  varchar as varchar2,
+  char as char2,
+  int,
+  datetime,
+  text as text4,
+  json as json2,
+  index as index2,
+  check as check2
+} from "drizzle-orm/mysql-core";
+var nextlyMigrationsMysql = mysqlTable(
+  "nextly_migrations",
+  {
+    /** UUID v4, generated client-side for cross-dialect parity. */
+    id: varchar2("id", { length: 36 }).primaryKey().$defaultFn(() => crypto.randomUUID()),
+    /**
+     * Migration filename (without directory). Unique.
+     *
+     * @example "20260429_154500_123_add_excerpt.sql"
+     */
+    filename: varchar2("filename", { length: 512 }).notNull().unique(),
+    /** SHA-256 of the .sql file content. 64 hex chars. */
+    sha256: char2("sha256", { length: 64 }).notNull(),
+    /**
+     * When the migration was applied. Stored as DATETIME (UTC by app
+     * convention; MySQL has no native timestamptz).
+     */
+    appliedAt: datetime("applied_at").notNull().$defaultFn(() => /* @__PURE__ */ new Date()),
+    /** Resolved CLI actor (NEXTLY_APPLIED_BY / GITHUB_ACTOR / USER / host). */
+    appliedBy: varchar2("applied_by", { length: 255 }),
+    /** Wall-clock apply duration in milliseconds. */
+    durationMs: int("duration_ms"),
+    /**
+     * Apply outcome. CHECK constraint enforces two-state lifecycle
+     * on MySQL 8.0.16+.
+     */
+    status: varchar2("status", { length: 20 }).notNull().$type(),
+    /**
+     * Structured error JSON on failure. Shape:
+     * `{ sqlState?: string; statement?: string; message: string }`.
+     */
+    errorJson: json2("error_json"),
+    /** Reserved for v2 corrective-rollback feature. Always NULL in v1. */
+    rollbackSql: text4("rollback_sql")
+  },
+  (table) => [
+    index2("nextly_migrations_applied_at_idx").on(table.appliedAt),
+    check2(
+      "nextly_migrations_status_check",
+      sql2`${table.status} IN ('applied', 'failed')`
+    )
+  ]
+);
+
+// src/schemas/migrations/sqlite.ts
+import { sql as sql3 } from "drizzle-orm";
+import {
+  sqliteTable,
+  text as text5,
+  integer as integer2,
+  index as index3,
+  check as check3
+} from "drizzle-orm/sqlite-core";
+var nextlyMigrationsSqlite = sqliteTable(
+  "nextly_migrations",
+  {
+    /** UUID v4, generated client-side. */
+    id: text5("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    /**
+     * Migration filename (without directory). Unique.
+     *
+     * @example "20260429_154500_123_add_excerpt.sql"
+     */
+    filename: text5("filename").notNull().unique(),
+    /** SHA-256 of the .sql file content. 64 hex chars. */
+    sha256: text5("sha256").notNull(),
+    /**
+     * When the migration was applied. Stored as INTEGER (ms-since-epoch)
+     * for sub-second precision and easy ordering.
+     */
+    appliedAt: integer2("applied_at", { mode: "timestamp_ms" }).notNull().$defaultFn(() => /* @__PURE__ */ new Date()),
+    /** Resolved CLI actor. */
+    appliedBy: text5("applied_by"),
+    /** Wall-clock apply duration in milliseconds. */
+    durationMs: integer2("duration_ms"),
+    /**
+     * Apply outcome. CHECK constraint enforces two-state lifecycle.
+     */
+    status: text5("status").notNull().$type(),
+    /**
+     * Structured error JSON on failure (stored as TEXT; JSON.parse
+     * on read). Shape:
+     * `{ sqlState?: string; statement?: string; message: string }`.
+     */
+    errorJson: text5("error_json"),
+    /** Reserved for v2 corrective-rollback feature. Always NULL in v1. */
+    rollbackSql: text5("rollback_sql")
+  },
+  (table) => [
+    index3("nextly_migrations_applied_at_idx").on(table.appliedAt),
+    check3(
+      "nextly_migrations_status_check",
+      sql3`${table.status} IN ('applied', 'failed')`
+    )
+  ]
+);
+
+// src/schemas/security-config.ts
+import { z } from "zod";
+var SecurityHeadersConfigSchema = z.object({
+  /**
+   * Default is a restrictive policy that still lets
+   * a self-hosted admin SPA run. See `SecurityHeadersConfig.contentSecurityPolicy`
+   * in `middleware/security-headers.ts` for the full default + override docs.
+   */
+  contentSecurityPolicy: z.union([z.string(), z.literal(false)]).optional(),
+  /** @default "nosniff" */
+  xContentTypeOptions: z.union([z.string(), z.literal(false)]).optional(),
+  /** @default "DENY" */
+  xFrameOptions: z.union([z.string(), z.literal(false)]).optional(),
+  /** @default "max-age=31536000; includeSubDomains" (production only) */
+  strictTransportSecurity: z.union([z.string(), z.literal(false)]).optional(),
+  /** @default "strict-origin-when-cross-origin" */
+  referrerPolicy: z.union([z.string(), z.literal(false)]).optional(),
+  /** @default "camera=(), microphone=(), geolocation=()" */
+  permissionsPolicy: z.union([z.string(), z.literal(false)]).optional()
+});
+var CorsConfigSchema = z.object({
+  /**
+   * Allowed origins. Empty array = same-origin only.
+   * Use `['*']` for wide-open access (development only).
+   * @default []
+   */
+  origin: z.array(z.string()).optional(),
+  /**
+   * Allowed HTTP methods.
+   * @default ["GET", "POST", "PATCH", "DELETE", "OPTIONS"]
+   */
+  methods: z.array(z.string()).optional(),
+  /**
+   * Headers the client is allowed to send.
+   * @default ["Content-Type", "Authorization"]
+   */
+  allowedHeaders: z.array(z.string()).optional(),
+  /**
+   * Headers exposed to the client in the response.
+   * @default ["X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset"]
+   */
+  exposedHeaders: z.array(z.string()).optional(),
+  /**
+   * Whether to include credentials (cookies, Authorization header).
+   * Ignored when origin is `['*']` (CORS spec prohibits credentials with wildcard).
+   * @default true
+   */
+  credentials: z.boolean().optional(),
+  /**
+   * Preflight cache duration in seconds.
+   * @default 86400 (24 hours)
+   */
+  maxAge: z.number().int().nonnegative().optional()
+});
+var UploadSecurityConfigSchema = z.object({
+  /**
+   * Additional MIME types to allow beyond the defaults. Merged with the
+   * default allowlist. Use with caution.
+   */
+  additionalMimeTypes: z.array(z.string()).optional(),
+  /**
+   * Override the default MIME allowlist entirely. Blocked types
+   * (HTML, JS) are still rejected regardless of this setting.
+   */
+  allowedMimeTypes: z.array(z.string()).optional(),
+  /**
+   * Serve SVG files with a restrictive CSP (`script-src 'none'`).
+   * @default true
+   */
+  svgCsp: z.boolean().optional()
+});
+var SanitizationConfigSchema = z.object({
+  /**
+   * Master toggle for the sanitization hook.
+   * @default true
+   */
+  enabled: z.boolean().optional(),
+  /**
+   * Strip HTML tags from plain-text fields (text, textarea, email).
+   * @default true
+   */
+  stripHtmlFromText: z.boolean().optional(),
+  /**
+   * Validate CSS values in rich text (bgColor, textColor, inline styles).
+   * @default true
+   */
+  validateCssValues: z.boolean().optional(),
+  /**
+   * Block dangerous URL protocols (javascript:, data:, vbscript:) in rich text.
+   * @default true
+   */
+  validateUrlProtocols: z.boolean().optional()
+});
+var SecurityLimitsConfigSchema = z.object({
+  /** Max `application/json` body size. @default "1mb" */
+  json: z.union([z.string(), z.number().int().positive()]).optional(),
+  /** Max total `multipart/form-data` body size. @default "50mb" */
+  multipart: z.union([z.string(), z.number().int().positive()]).optional(),
+  /** Per-file size cap inside multipart uploads. @default "10mb" */
+  fileSize: z.union([z.string(), z.number().int().positive()]).optional(),
+  /** Max files per multipart request. @default 10 */
+  fileCount: z.number().int().positive().optional(),
+  /** Max non-file form fields per request. @default 50 */
+  fieldCount: z.number().int().positive().optional(),
+  /** Max size of a single non-file form field. @default "100kb" */
+  fieldSize: z.union([z.string(), z.number().int().positive()]).optional()
+});
+var AuthRateLimitConfigSchema = z.object({
+  /** Max auth-write requests per IP per window. Set to `0` to disable. @default 30 */
+  requestsPerHour: z.number().int().nonnegative().optional(),
+  /** Sliding window duration in ms. @default 3_600_000 (1 hour) */
+  windowMs: z.number().int().positive().optional()
+});
+var SecurityConfigSchema = z.object({
+  headers: SecurityHeadersConfigSchema.optional(),
+  cors: CorsConfigSchema.optional(),
+  uploads: UploadSecurityConfigSchema.optional(),
+  sanitization: SanitizationConfigSchema.optional(),
+  limits: SecurityLimitsConfigSchema.optional(),
+  authRateLimit: AuthRateLimitConfigSchema.optional(),
+  /**
+   * When the application sits behind a reverse proxy (Vercel, Cloudflare,
+   * Nginx, ALB, etc.), set this to `true` so client-IP resolution honors
+   * `X-Forwarded-For`. Pair with the `TRUSTED_PROXY_IPS` env var (a
+   * comma-separated CIDR list of your proxy fleet) so the framework
+   * can identify which hops in the chain are proxies vs the real client.
+   *
+   * When `false` (default), proxy headers are ignored entirely. Use
+   * this when the application is exposed directly to clients with no
+   * trusted intermediary, or during local development.
+   *
+   * Audit: closes C4 (XFF blindly trusted across rate-limit / auth flows).
+   *
+   * @default false
+   */
+  trustProxy: z.boolean().optional()
+});
+
+// src/index.ts
+import { DrizzleAdapter } from "@nextlyhq/adapter-drizzle";
+
+// src/hooks.ts
+function registerHook(hookType, collection, handler) {
+  const registry = getHookRegistry();
+  registry.register(hookType, collection, handler);
+}
+function unregisterHook(hookType, collection, handler) {
+  const registry = getHookRegistry();
+  registry.unregister(hookType, collection, handler);
+}
+function clearAllHooks() {
+  const registry = getHookRegistry();
+  registry.clear();
+}
+function hasHooks(hookType, collection) {
+  const registry = getHookRegistry();
+  return registry.hasHooks(hookType, collection);
+}
+function getHookCount(hookType, collection) {
+  const registry = getHookRegistry();
+  return registry.getHookCount(hookType, collection);
+}
+
+// src/hooks/register-collection-hooks.ts
+var HOOK_TYPE_MAPPINGS = {
+  beforeOperation: ["beforeOperation"],
+  beforeValidate: ["beforeCreate", "beforeUpdate"],
+  // Validate runs before create/update
+  beforeChange: ["beforeCreate", "beforeUpdate"],
+  afterChange: ["afterCreate", "afterUpdate"],
+  beforeRead: ["beforeRead"],
+  afterRead: ["afterRead"],
+  beforeDelete: ["beforeDelete"],
+  afterDelete: ["afterDelete"]
+};
+function registerCollectionHooks(collections, registry = getHookRegistry()) {
+  const result = {
+    collections: [],
+    totalHooks: 0,
+    details: []
+  };
+  for (const collection of collections) {
+    if (!collection.hooks) {
+      continue;
+    }
+    const collectionDetails = {
+      collection: collection.slug,
+      hooks: []
+    };
+    let collectionHookCount = 0;
+    for (const [hookKey, handlers] of Object.entries(collection.hooks)) {
+      if (!handlers || !Array.isArray(handlers) || handlers.length === 0) {
+        continue;
+      }
+      const hookTypes = HOOK_TYPE_MAPPINGS[hookKey];
+      if (!hookTypes) {
+        continue;
+      }
+      for (const hookType of hookTypes) {
+        for (const handler of handlers) {
+          registry.register(hookType, collection.slug, handler);
+          collectionHookCount++;
+        }
+      }
+      collectionDetails.hooks.push({
+        type: hookKey,
+        count: handlers.length
+      });
+    }
+    if (collectionHookCount > 0) {
+      result.collections.push(collection.slug);
+      result.totalHooks += collectionHookCount;
+      result.details.push(collectionDetails);
+    }
+  }
+  return result;
+}
+function clearCollectionHooks(collectionSlug, registry = getHookRegistry()) {
+  registry.clearCollection(collectionSlug);
+}
+function reregisterCollectionHooks(collections, registry = getHookRegistry()) {
+  for (const collection of collections) {
+    registry.clearCollection(collection.slug);
+  }
+  return registerCollectionHooks(collections, registry);
+}
+
+// src/validation/types.ts
+var VALIDATION_ERROR_CODES = [
+  "required",
+  "type_error",
+  "invalid_type",
+  "min_length",
+  "max_length",
+  "too_short",
+  "too_long",
+  "pattern",
+  "min_value",
+  "max_value",
+  "too_small",
+  "too_big",
+  "not_integer",
+  "not_finite",
+  "invalid_email",
+  "invalid_url",
+  "invalid_uuid",
+  "invalid_date",
+  "invalid_format",
+  "invalid_option",
+  "invalid_reference",
+  "invalid_enum",
+  "unique",
+  "duplicate",
+  "min_items",
+  "max_items",
+  "invalid_array",
+  "invalid_object",
+  "unknown_key",
+  "invalid_file_type",
+  "file_too_large",
+  "custom"
+];
+function isValidationErrorCode(code2) {
+  return VALIDATION_ERROR_CODES.includes(code2);
+}
+function isValidationError(obj) {
+  if (typeof obj !== "object" || obj === null) {
+    return false;
+  }
+  const error = obj;
+  return typeof error.path === "string" && typeof error.message === "string" && typeof error.code === "string" && isValidationErrorCode(error.code);
+}
+function isValidationResult(obj) {
+  if (typeof obj !== "object" || obj === null) {
+    return false;
+  }
+  const result = obj;
+  return typeof result.valid === "boolean" && Array.isArray(result.errors) && result.errors.every(isValidationError);
+}
+function createValidationError(path, code2, message, value) {
+  const error = {
+    path,
+    code: code2,
+    message
+  };
+  if (value !== void 0) {
+    error.value = value;
+  }
+  return error;
+}
+function validResult() {
+  return {
+    valid: true,
+    errors: []
+  };
+}
+function invalidResult(errors) {
+  return {
+    valid: false,
+    errors
+  };
+}
+function createValidationErrorResponse(errors, message = "Validation failed") {
+  return {
+    error: {
+      code: "VALIDATION_ERROR",
+      message,
+      details: errors
+    }
+  };
+}
+
+// src/validation/error-formatter.ts
+function getStringProp(obj, key) {
+  if (typeof obj === "object" && obj !== null && key in obj) {
+    const value = obj[key];
+    return typeof value === "string" ? value : void 0;
+  }
+  return void 0;
+}
+function mapZodCodeToValidationCode(issue) {
+  const code2 = issue.code;
+  switch (code2) {
+    // Type mismatch
+    case "invalid_type":
+      return "invalid_type";
+    // Size constraints - map based on the origin (type of value)
+    case "too_small": {
+      const origin = getStringProp(issue, "origin");
+      switch (origin) {
+        case "string":
+          return "min_length";
+        case "number":
+        case "bigint":
+          return "min_value";
+        case "repeater":
+        case "set":
+          return "min_items";
+        case "date":
+          return "invalid_date";
+        default:
+          return "too_small";
+      }
+    }
+    case "too_big": {
+      const origin = getStringProp(issue, "origin");
+      switch (origin) {
+        case "string":
+          return "max_length";
+        case "number":
+        case "bigint":
+          return "max_value";
+        case "repeater":
+        case "set":
+          return "max_items";
+        case "date":
+          return "invalid_date";
+        default:
+          return "too_big";
+      }
+    }
+    // String format validation - map based on the format type
+    case "invalid_format": {
+      const format = getStringProp(issue, "format");
+      switch (format) {
+        case "email":
+          return "invalid_email";
+        case "url":
+          return "invalid_url";
+        case "uuid":
+          return "invalid_uuid";
+        case "regex":
+          return "pattern";
+        case "datetime":
+        case "date":
+        case "time":
+          return "invalid_date";
+        default:
+          return "invalid_format";
+      }
+    }
+    // Invalid value (merged from literal and enum in v4)
+    case "invalid_value":
+      return "invalid_option";
+    // Union validation
+    case "invalid_union":
+      return "type_error";
+    // Object validation
+    case "unrecognized_keys":
+      return "unknown_key";
+    // Number validation
+    case "not_multiple_of":
+      return "custom";
+    // Record/Map key validation
+    case "invalid_key":
+      return "custom";
+    // Map/Set element validation
+    case "invalid_element":
+      return "custom";
+    // Custom validation
+    case "custom":
+      return "custom";
+    // Fallback for any unknown codes
+    default:
+      return "custom";
+  }
+}
+function formatZodError(error) {
+  return {
+    valid: false,
+    errors: error.issues.map(
+      (issue) => ({
+        path: issue.path.join("."),
+        message: issue.message,
+        code: mapZodCodeToValidationCode(issue)
+        // Note: value is intentionally omitted for security reasons
+        // Zod v4 has 'input' on issues but we don't expose it
+      })
+    )
+  };
+}
+function mergeValidationResults(...results) {
+  const errors = results.flatMap((r) => r.errors);
+  return {
+    valid: errors.length === 0,
+    errors
+  };
+}
+function toApiResponse(result) {
+  return {
+    error: {
+      code: "VALIDATION_ERROR",
+      message: `Validation failed with ${result.errors.length} error(s)`,
+      details: result.errors
+    }
+  };
+}
+
+// src/plugins/admin-placement.ts
+var AdminPlacement = {
+  /** Plugin items appear in the Collections sidebar section */
+  COLLECTIONS: "collections",
+  /** Plugin items appear in the Singles sidebar section */
+  SINGLES: "singles",
+  /** Plugin items appear in the Users inner sidebar (alongside Users, User Fields, Roles) */
+  USERS: "users",
+  /** Plugin items appear in the Settings inner sidebar (alongside General, API Keys, etc.) */
+  SETTINGS: "settings",
+  /** Plugin items appear in the dedicated Plugins sidebar section (default) */
+  PLUGINS: "plugins",
+  /** Plugin gets its own top-level icon in the sidebar (requires appearance.icon) */
+  STANDALONE: "standalone"
+};
+
+// src/collections/fields/validators/code-validators.ts
+function validateJSON(value) {
+  if (!value || value.trim() === "") return true;
+  try {
+    JSON.parse(value);
+    return true;
+  } catch (error) {
+    if (error instanceof SyntaxError) {
+      const match = error.message.match(/position (\d+)/);
+      if (match) {
+        const position = parseInt(match[1]);
+        const lines = value.substring(0, position).split("\n");
+        const line = lines.length;
+        const column = lines[lines.length - 1].length + 1;
+        return `Invalid JSON at line ${line}, column ${column}: ${error.message}`;
+      }
+      return `Invalid JSON syntax: ${error.message}`;
+    }
+    return "Invalid JSON: Unable to parse";
+  }
+}
+function validateXML(value) {
+  if (!value || value.trim() === "") return true;
+  const tagStack = [];
+  const selfClosingTags = /* @__PURE__ */ new Set([
+    "br",
+    "hr",
+    "img",
+    "input",
+    "meta",
+    "link",
+    "area",
+    "base",
+    "col",
+    "embed",
+    "param",
+    "source",
+    "track",
+    "wbr"
+  ]);
+  const tagRegex = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*\/?>/g;
+  let match;
+  while ((match = tagRegex.exec(value)) !== null) {
+    const fullTag = match[0];
+    const tagName = match[1].toLowerCase();
+    if (fullTag.endsWith("/>") || selfClosingTags.has(tagName)) {
+      continue;
+    }
+    if (fullTag.startsWith("</")) {
+      if (tagStack.length === 0) {
+        return `Unexpected closing tag: </${tagName}>`;
+      }
+      const lastTag = tagStack.pop();
+      if (lastTag !== tagName) {
+        return `Mismatched tags: expected </${lastTag}>, found </${tagName}>`;
+      }
+    } else {
+      tagStack.push(tagName);
+    }
+  }
+  if (tagStack.length > 0) {
+    return `Unclosed tags: ${tagStack.map((t) => `<${t}>`).join(", ")}`;
+  }
+  return true;
+}
+function validateJavaScript(value) {
+  if (!value || value.trim() === "") return true;
+  try {
+    new Function(value);
+    return true;
+  } catch (error) {
+    if (error instanceof SyntaxError) {
+      return `JavaScript syntax error: ${error.message}`;
+    }
+    return "Invalid JavaScript code";
+  }
+}
+function createSQLValidator(options = {}) {
+  const {
+    forbiddenCommands = [
+      "DROP TABLE",
+      "DROP DATABASE",
+      "TRUNCATE",
+      "DELETE FROM",
+      "ALTER TABLE"
+    ],
+    allowEmpty = true
+  } = options;
+  return (value) => {
+    if (!value || value.trim() === "") {
+      return allowEmpty ? true : "SQL query is required";
+    }
+    const upperValue = value.toUpperCase();
+    for (const command of forbiddenCommands) {
+      if (upperValue.includes(command.toUpperCase())) {
+        return `Forbidden SQL command: ${command}`;
+      }
+    }
+    const keywords = ["SELECT", "INSERT", "UPDATE", "CREATE", "ALTER"];
+    const hasKeyword = keywords.some((keyword) => upperValue.includes(keyword));
+    if (!hasKeyword) {
+      return "SQL query must contain a valid SQL command (SELECT, INSERT, UPDATE, etc.)";
+    }
+    return true;
+  };
+}
+function validateCSS(value) {
+  if (!value || value.trim() === "") return true;
+  let braceCount = 0;
+  for (const char3 of value) {
+    if (char3 === "{") braceCount++;
+    if (char3 === "}") braceCount--;
+    if (braceCount < 0) {
+      return "Unbalanced braces: unexpected closing brace }";
+    }
+  }
+  if (braceCount > 0) {
+    return `Unbalanced braces: ${braceCount} unclosed brace(s)`;
+  }
+  const ruleRegex = /[^}]*\{[^}]*\}/g;
+  const rules = value.match(ruleRegex);
+  if (rules) {
+    for (const rule of rules) {
+      const content = rule.substring(
+        rule.indexOf("{") + 1,
+        rule.lastIndexOf("}")
+      );
+      if (content.trim() && !content.includes(":")) {
+        return "Invalid CSS: missing colon in property-value pair";
+      }
+    }
+  }
+  return true;
+}
+var codeValidators = {
+  json: validateJSON,
+  xml: validateXML,
+  html: validateXML,
+  // HTML uses same validator as XML
+  javascript: validateJavaScript,
+  typescript: validateJavaScript,
+  // TS uses same validator as JS
+  css: validateCSS,
+  sql: createSQLValidator
+};
+
+// src/lib/media-variant.ts
+function getMediaVariant(media, name, options = {}) {
+  if (!media) return void 0;
+  const { fallback, preferThumbnail = true } = options;
+  const sizes = media.sizes ?? null;
+  if (sizes) {
+    const direct = sizes[name];
+    if (direct?.url) return direct.url;
+    if (fallback) {
+      const fb = sizes[fallback];
+      if (fb?.url) return fb.url;
+    }
+  }
+  if (preferThumbnail && media.thumbnailUrl) return media.thumbnailUrl;
+  return media.url;
+}
+function getSmallestMediaVariant(media) {
+  if (!media) return void 0;
+  const sizes = media.sizes ?? null;
+  if (sizes) {
+    const entries = Object.values(sizes).filter(
+      (v) => v?.url && v.width && v.height
+    );
+    if (entries.length > 0) {
+      const smallest = entries.reduce(
+        (acc, cur) => (cur.width ?? 0) * (cur.height ?? 0) < (acc.width ?? 0) * (acc.height ?? 0) ? cur : acc
+      );
+      return smallest.url;
+    }
+  }
+  return media.thumbnailUrl ?? media.url;
+}
+export {
+  ALLOWED_USER_FIELD_TYPES,
+  ALL_FIELD_TYPES,
+  AdminPlacement,
+  ApiKeyTokenTypeSchema,
+  AssignPermissionToRoleSchema,
+  AssignRoleToUserSchema,
+  AuthRateLimitConfigSchema,
+  BulkOperationResponseSchema,
+  BulkOperationSchema,
+  COMPONENT_MIGRATION_STATUSES,
+  COMPONENT_SOURCE_TYPES,
+  CheckUserPermissionSchema,
+  CollectionFileManager,
+  CollectionService,
+  CollectionsHandler,
+  Container,
+  CorsConfigSchema,
+  CreateApiKeySchema,
+  CreateLocalUserSchema,
+  CreatePermissionSchema,
+  CreateRoleInheritanceSchema,
+  CreateRoleSchema,
+  CreateUserWithPasswordSchema,
+  DATA_FIELD_TYPES,
+  DateRangeSchema,
+  DbError,
+  DeletePermissionSchema,
+  DeleteRoleInheritanceSchema,
+  DeleteRoleSchema,
+  DeleteUserAccountSchema,
+  DeleteUserResponseSchema,
+  DeleteUserSchema,
+  DrizzleAdapter,
+  DynamicCollectionService,
+  EmailSchema,
+  ErrorResponseSchema,
+  ExpiresInSchema,
+  ExternalUrlError,
+  FileUploadSchema,
+  GetPermissionByIdSchema,
+  GetRoleByIdSchema,
+  GetRolePermissionsSchema,
+  GetUserByIdSchema,
+  GetUserPermissionsSchema,
+  GetUserRolesSchema,
+  HookRegistry,
+  IdSchema,
+  ImageUploadSchema,
+  InMemoryRateLimitStore,
+  ListUsersSchema,
+  MAX_COMPONENT_NESTING_DEPTH,
+  MediaService,
+  MinimalUserSchema,
+  NextlyError,
+  PAGINATION_DEFAULTS,
+  PaginatedResponseSchema,
+  PaginationSchema,
+  PasswordSchema,
+  PermissionActionSchema,
+  PermissionCheckResponseSchema,
+  PermissionListResponseSchema,
+  PermissionResourceSchema,
+  PermissionSchema,
+  PhoneSchema,
+  RESERVED_COMPONENT_SLUGS,
+  RESERVED_SINGLE_SLUGS,
+  RESERVED_SLUGS,
+  RESERVED_USER_FIELD_NAMES,
+  RemovePermissionFromRoleSchema,
+  RemoveRoleFromUserSchema,
+  RoleInheritanceSchema,
+  RoleListResponseSchema,
+  RolePermissionListResponseSchema,
+  RolePermissionSchema,
+  RoleSchema,
+  SQL_RESERVED_KEYWORDS,
+  SYSTEM_CONTEXT,
+  SYSTEM_RESOURCES,
+  SanitizationConfigSchema,
+  SearchSchema,
+  SecurityConfigSchema,
+  SecurityHeadersConfigSchema,
+  SecurityLimitsConfigSchema,
+  ServiceContainer,
+  ServiceDispatcher,
+  SortOrderSchema,
+  SortSchema,
+  SuccessResponseSchema,
+  UnlinkAccountResponseSchema,
+  UnlinkAccountSchema,
+  UpdateApiKeySchema,
+  UpdatePasswordSchema,
+  UpdatePermissionSchema,
+  UpdateRoleSchema,
+  UpdateUserSchema,
+  UploadSecurityConfigSchema,
+  UrlSchema,
+  UserAccountSchema,
+  UserIdSchema,
+  UserListResponseSchema,
+  UserResponseSchema,
+  UserRoleListResponseSchema,
+  UserRoleSchema,
+  UserService,
+  VALIDATION_ERROR_CODES,
+  VIRTUAL_FIELD_TYPES,
+  ValidationErrorSchema,
+  applyDesiredSchema,
+  array,
+  assertValidCollectionConfig,
+  assertValidComponentConfig,
+  assertValidSingleConfig,
+  assertValidUserConfig,
+  buildDesiredSchemaFromRegistry,
+  buildDesiredSchemaFromRegistryAsync,
+  buildPaginatedResponse,
+  calculateOffset,
+  checkAdapterHealth,
+  checkbox,
+  chips,
+  clampLimit,
+  clearAllHooks,
+  clearCollectionHooks,
+  clearServices,
+  code,
+  codeValidators,
+  component,
+  consoleLogger,
+  container,
+  createAdapter,
+  createAdapterFromEnv,
+  createPluginContext,
+  createRateLimitHeaders,
+  createRateLimiter,
+  createRegister,
+  createSQLValidator,
+  createValidationError,
+  createValidationErrorResponse,
+  date,
+  defineCollection,
+  defineComponent,
+  defineConfig,
+  definePlugin,
+  defineSingle,
+  dynamicCollections,
+  dynamicComponentsMysql,
+  dynamicComponentsPg,
+  dynamicComponentsSqlite,
+  email,
+  env,
+  formatZodError,
+  getCachedNextly,
+  getDialectTables,
+  getHookCount,
+  getHookRegistry,
+  getMediaVariant,
+  getNextly,
+  getService,
+  getSmallestMediaVariant,
+  getTrustedClientIp,
+  group,
+  hasHooks,
+  hasNestedFields,
+  healthCheck,
+  invalidResult,
+  isCheckboxField,
+  isChipsField,
+  isCodeField,
+  isComponentField,
+  isDataField,
+  isDateField,
+  isDbError,
+  isEmailField,
+  isGroupField,
+  isJSONField,
+  isNumberField,
+  isPasswordField,
+  isRadioField,
+  isRelationalField,
+  isRelationshipField,
+  isRepeaterField,
+  isRichTextField,
+  isSelectField,
+  isServicesRegistered,
+  isSystemResource,
+  isTextField,
+  isTextareaField,
+  isUploadField,
+  isValidResource,
+  isValidationError,
+  isValidationErrorCode,
+  isValidationResult,
+  json,
+  mergeValidationResults,
+  nextly,
+  nextlyMigrationsMysql,
+  nextlyMigrationsPg,
+  nextlyMigrationsSqlite,
+  number,
+  option,
+  parseTrustedProxyIpsEnv,
+  password,
+  radio,
+  registerCollectionHooks,
+  registerHook,
+  registerServices,
+  relationship,
+  repeater,
+  reregisterCollectionHooks,
+  resetHookRegistry,
+  richText,
+  safeFetch,
+  schema_exports as schema,
+  select,
+  shutdownNextly,
+  shutdownServices,
+  text,
+  textarea,
+  toApiResponse,
+  toDbError,
+  unregisterHook,
+  upload,
+  validResult,
+  validateCSS,
+  validateCollectionConfig,
+  validateComponentConfig,
+  validateDatabaseEnv,
+  validateExternalUrl,
+  validateJSON,
+  validateJavaScript,
+  validateSingleConfig,
+  validateUserConfig,
+  validateXML,
+  withDbErrors
+};