nextly 0.0.1 → 0.0.2-alpha.1

package/dist/index.d.ts

@@ -0,0 +1,4175 @@
+import { DrizzleAdapter } from '@nextlyhq/adapter-drizzle';
+export { DrizzleAdapter } from '@nextlyhq/adapter-drizzle';
+import { bc as BaseService, bd as Logger, k as CodeFieldValue, o as CollectionConfig, bt as UserConfig, bC as UserExtSchemaService, bF as EmailService, bW as ListUsersResponse, bX as GetUserResponse, bY as MinimalUser, bZ as UserMutationResponse, b_ as GetAccountsResponse, b$ as UnlinkAccountResult, bJ as AuthService, bb as CollectionsHandler, c0 as RoleService, c1 as PermissionService, c2 as RolePermissionService, c3 as MediaService, c4 as MediaFolderService, c5 as MigrationRecordStatus, bL as HookType, $ as HookHandler, bs as HookRegistry, c6 as CollectionSlug, c7 as FindArgs, c8 as ListResult, c9 as DataFromCollectionSlug, ca as FindByIDArgs, cb as CreateArgs, cc as MutationResult, cd as UpdateArgs, ce as DeleteArgs, cf as DeleteResult, cg as CountArgs, ch as CountResult, ci as BulkDeleteArgs, cj as BulkOperationResult, ck as DuplicateArgs, cl as SingleSlug, cm as FindSingleArgs, cn as DataFromSingleSlug, co as UpdateSingleArgs, cp as FindSinglesArgs, cq as SingleListResult, cr as LoginArgs, cs as UserContext, ct as AuthResult, cu as RegisterArgs, cv as ChangePasswordArgs, cw as ForgotPasswordArgs, cx as ResetPasswordArgs, cy as VerifyEmailArgs, cz as FindUsersArgs, cA as User, cB as FindUserByIDArgs, cC as CreateUserArgs, cD as UpdateUserArgs, cE as DeleteUserArgs, cF as UploadMediaArgs, cG as MediaFile, cH as FindMediaArgs, cI as FindMediaByIDArgs, cJ as UpdateMediaArgs, cK as DeleteMediaArgs, cL as BulkDeleteMediaArgs, cM as ListFoldersArgs, cN as MediaFolder, cO as CreateFolderArgs, cP as FindFormsArgs, cQ as FindFormBySlugArgs, cR as SubmitFormArgs, cS as SubmitFormResult, cT as FormSubmissionsArgs, cU as FindEmailProvidersArgs, cV as EmailProviderRecord, cW as FindEmailProviderByIDArgs, cX as CreateEmailProviderArgs, cY as UpdateEmailProviderArgs, cZ as DeleteEmailProviderArgs, c_ as SetDefaultProviderArgs, c$ as TestEmailProviderArgs, d0 as FindEmailTemplatesArgs, d1 as EmailTemplateRecord, d2 as FindEmailTemplateByIDArgs, d3 as FindEmailTemplateBySlugArgs, d4 as CreateEmailTemplateArgs, d5 as UpdateEmailTemplateArgs, d6 as DeleteEmailTemplateArgs, d7 as PreviewEmailTemplateArgs, d8 as GetEmailLayoutArgs, d9 as UpdateEmailLayoutArgs, da as FindUserFieldsArgs, db as UserFieldDefinitionRecord, dc as FindUserFieldByIDArgs, dd as CreateUserFieldArgs, de as UpdateUserFieldArgs, df as DeleteUserFieldArgs, dg as ReorderUserFieldsArgs, dh as SendEmailArgs, di as SendEmailResult, dj as SendTemplateEmailArgs, dk as FindRolesArgs, dl as Role, dm as FindRoleByIDArgs, dn as CreateRoleArgs, dp as UpdateRoleArgs, dq as DeleteRoleArgs, dr as GetRolePermissionsArgs, ds as Permission, dt as SetRolePermissionsArgs, du as FindPermissionsArgs, dv as FindPermissionByIDArgs, dw as CreatePermissionArgs, dx as DeletePermissionArgs, dy as CheckAccessArgs, P as FieldConfig, dz as IndexConfig, aQ as SingleConfig, t as ComponentConfig } from './_dts-chunks/collections-handler.d-DjgO74Wt.d.ts';
+export { A as ALL_FIELD_TYPES, dA as AccessControlContext, dB as AccessControlFunction, a as AccessFunction, dC as ApiKeyMeta, dD as ApiKeyResult, dE as ApiKeyTokenType, B as BaseFieldConfig, dF as BuildPaginatedResponseOptions, dG as BulkOperationResult, dH as COMPONENT_MIGRATION_STATUSES, dI as COMPONENT_SOURCE_TYPES, C as CellComponentProps, dJ as CheckApiKeyArgs, dK as CheckApiKeyResult, b as CheckboxFieldAdminOptions, c as CheckboxFieldConfig, d as CheckboxFieldValue, e as ChipsFieldAdminOptions, f as ChipsFieldConfig, g as ChipsFieldValue, h as CodeEditorOptions, i as CodeFieldAdminOptions, j as CodeFieldConfig, l as CodeLanguage, m as CollectionAccessControl, n as CollectionAdminOptions, dL as CollectionArtifacts, dM as CollectionFileManager, p as CollectionHooks, q as CollectionLabels, r as CollectionPagination, dN as CollectionSchemaDefinition, s as ComponentAdminOptions, u as ComponentFieldConfig, v as ComponentLabel, bN as ComponentMigrationStatus, bM as ComponentSource, dO as CreateApiKeyArgs, dP as CreateFolderInput, dQ as CreateUserServiceInput, w as CustomEndpoint, D as DATA_FIELD_TYPES, x as DataFieldConfig, y as DataFieldType, z as DateFieldAdminOptions, E as DateFieldConfig, F as DateFieldValue, G as DatePickerAppearance, H as DatePickerOptions, dR as DirectAPIConfig, dS as DirectAPIRequestContext, dT as DrizzleDB, dU as DynamicCollection, dV as DynamicCollectionService, dW as DynamicComponentInsert, dX as DynamicComponentRecord, dY as DynamicFieldType, bu as EmailConfig, I as EmailFieldAdminOptions, J as EmailFieldConfig, K as EmailFieldValue, dZ as EmailProviderAdapter, d_ as EmailTemplateFn, d$ as ExpiresIn, L as FieldAccess, M as FieldAdminOptions, N as FieldComponentProps, e0 as FieldCondition, bm as FieldDefinition, Q as FieldHooks, R as FieldType, S as FieldValidation, T as FilterComponentProps, U as FilterOptionsArgs, V as FilterOptionsFunction, e1 as FindApiKeyByIDArgs, e2 as FolderContents, e3 as FormsConfig, e4 as GeneratedTypes, W as GroupFieldAdminOptions, X as GroupFieldConfig, Y as GroupFieldConfig_FieldConfig, Z as GroupFieldValue, _ as HookContext, a0 as HttpMethod, a1 as JSONEditorOptions, a2 as JSONFieldAdminOptions, a3 as JSONFieldConfig, a4 as JSONFieldValue, a5 as JSONSchemaDefinition, a6 as JSONSchemaProperty, a7 as JSONSchemaType, a8 as JoinFieldAdminOptions, a9 as JoinFieldConfig, aa as JoinFieldWhere, e5 as ListApiKeysArgs, e6 as ListMediaOptions, e7 as ListUsersQueryOptions, e8 as LoginResult, bw as MediaService, e9 as MediaType, ea as MigrationRecord, eb as MigrationRecordInsert, ec as MinimalUser, ed as NewDynamicCollection, ab as NumberFieldAdminOptions, ac as NumberFieldConfig, ad as NumberFieldValue, ae as NumberFilterOperator, ee as PAGINATION_DEFAULTS, ef as PaginatedResponse, bq as PaginatedResult, eg as PaginationMeta, eh as PaginationOptions, af as PasswordFieldAdminOptions, ag as PasswordFieldConfig, ah as PasswordFieldValue, ei as PasswordHasher, ej as PopulateOptions, ek as QueryOperator, br as QueryOptions, ai as RadioFieldAdminOptions, aj as RadioFieldConfig, ak as RadioFieldValue, al as RadioLayout, am as RelationshipAppearance, an as RelationshipFieldAdminOptions, ao as RelationshipFieldConfig, ap as RelationshipFieldValue, aq as RelationshipFilterOptions, ar as RelationshipFilterOptionsArgs, as as RelationshipFilterOptionsFunction, at as RelationshipFilterQuery, au as RelationshipPolymorphicValue, av as RelationshipSingleValue, aw as RelationshipSortOptions, ax as RepeaterFieldAdminOptions, ay as RepeaterFieldConfig, az as RepeaterFieldLabels, aA as RepeaterFieldValue, aB as RepeaterRowLabelProps, aC as RepeaterRowValue, bp as RequestContext, el as ResendConfig, em as RevokeApiKeyArgs, aE as RichTextFeature, aF as RichTextFieldAdminOptions, aG as RichTextFieldConfig, aH as RichTextFieldValue, aI as RichTextNode, aJ as RichTextValue, en as SYSTEM_CONTEXT, aK as SelectFieldAdminOptions, aL as SelectFieldConfig, aM as SelectFieldValue, aN as SelectOption, eo as SendLayerConfig, ep as ServiceDeps, aO as SingleAccessControl, aP as SingleAdminOptions, aR as SingleHooks, aS as SingleLabel, eq as SmtpConfig, er as SortOptions, aT as StringFilterOperator, aU as TextFieldAdminOptions, aV as TextFieldConfig, aW as TextFieldValue, aX as TextareaFieldAdminOptions, aY as TextareaFieldConfig, aZ as TextareaFieldValue, es as UpdateApiKeyArgs, et as UpdateFolderInput, eu as UpdateMediaInput, ev as UpdateUserServiceInput, a_ as UploadFieldAdminOptions, a$ as UploadFieldConfig, b0 as UploadFieldValue, ew as UploadFileData, b1 as UploadFilterOptions, b2 as UploadFilterOptionsArgs, b3 as UploadFilterOptionsFunction, b4 as UploadFilterQuery, ex as UploadMediaInput, b5 as UploadPolymorphicValue, b6 as UploadSingleValue, ey as UserAdminOptions, ez as UserFieldConfig, bR as UserFieldType, bv as UserService, b7 as VIRTUAL_FIELD_TYPES, b8 as VirtualFieldConfig, b9 as VirtualFieldType, eA as WhereFilter, eB as buildPaginatedResponse, eC as calculateOffset, eD as clampLimit, eE as consoleLogger, ba as defineCollection, eF as dynamicCollections, eG as getHookRegistry, eH as nextly, eI as resetHookRegistry } from './_dts-chunks/collections-handler.d-DjgO74Wt.d.ts';
+import { NextlyError } from './errors/index.d.ts';
+import { z } from 'zod';
+export { A as AdapterConfig, a as AdapterType, D as DbError, b as DbErrorKind, c as DynamicComponentInsertMysql, d as DynamicComponentInsertPg, e as DynamicComponentInsertSqlite, f as DynamicComponentMysql, g as DynamicComponentPg, h as DynamicComponentSqlite, H as HealthCheckResult, i as checkAdapterHealth, j as createAdapter, k as createAdapterFromEnv, l as dynamicComponentsMysql, m as dynamicComponentsPg, n as dynamicComponentsSqlite, o as env, p as getDialectTables, q as healthCheck, r as isDbError, s as schema, t as toDbError, v as validateDatabaseEnv, w as withDbErrors } from './_dts-chunks/index.d-axCAzZ7m.d.ts';
+import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
+import * as drizzle_orm_mysql_core from 'drizzle-orm/mysql-core';
+import * as drizzle_orm_sqlite_core from 'drizzle-orm/sqlite-core';
+import { d as NextlyServiceConfig, S as SanitizedNextlyConfig, e as ServiceMap } from './_dts-chunks/config.d-DNwsDnjs.d.ts';
+export { A as AdminBrandingColors, f as AdminBrandingConfig, g as AdminConfig, h as AdminPlacement, i as AuthRateLimitConfigInput, j as AuthRateLimitConfigSchema, C as Collection, k as CollectionDocument, l as CollectionService, m as CorsConfig, n as CorsConfigInput, o as CorsConfigSchema, p as CreateCollectionInput, D as DatabaseConfig, I as InMemoryRateLimitStore, L as ListCollectionsOptions, N as NextlyUserConfig, P as PluginAdminAppearance, q as PluginAdminConfig, r as PluginContext, t as PluginDefinition, u as PluginHookRegistry, v as PluginOverride, w as RateLimitConfig, R as RateLimitRecord, x as RateLimitResult, a as RateLimitStore, b as RateLimitingConfig, y as SanitizationConfigInput, z as SanitizationConfigSchema, c as SanitizedRateLimitingConfig, B as SecurityConfig, E as SecurityConfigInput, F as SecurityConfigSchema, G as SecurityHeadersConfig, H as SecurityHeadersConfigInput, J as SecurityHeadersConfigSchema, K as SecurityLimitsConfigInput, M as SecurityLimitsConfigSchema, T as TypeScriptConfig, U as UpdateCollectionInput, O as UploadSecurityConfigInput, Q as UploadSecurityConfigSchema, V as clearServices, W as createPluginContext, X as createRateLimitHeaders, Y as createRateLimiter, Z as definePlugin, _ as getService, $ as isServicesRegistered, a0 as registerServices, a1 as shutdownServices } from './_dts-chunks/config.d-DNwsDnjs.d.ts';
+export { DatabaseCapabilities, SelectOptions, TransactionContext, WhereClause } from '@nextlyhq/adapter-drizzle/types';
+export { I as StorageProvider } from './_dts-chunks/image-processor.d-OO1PmMrv.d.ts';
+export { a as array, c as checkbox, b as chips, d as code, e as component, f as date, g as defineComponent, h as defineConfig, i as defineSingle, j as email, k as group, l as hasNestedFields, m as isCheckboxField, n as isChipsField, o as isCodeField, p as isComponentField, q as isDataField, r as isDateField, s as isEmailField, t as isGroupField, u as isJSONField, v as isNumberField, w as isPasswordField, x as isRadioField, y as isRelationalField, z as isRelationshipField, A as isRepeaterField, B as isRichTextField, C as isSelectField, D as isTextField, E as isTextareaField, F as isUploadField, G as json, H as number, I as option, J as password, K as radio, L as relationship, M as repeater, N as richText, O as select, P as text, Q as textarea, R as upload } from './_dts-chunks/define-component.d-BUgTHmt3.d.ts';
+import 'react';
+import './_dts-chunks/media.d-DjDOZo4B.d.ts';
+import 'drizzle-orm';
+import './_dts-chunks/storage.d-BUhQ2we_.d.ts';
+
+/**
+ * PermissionCheckerService handles authorization checking logic.
+ *
+ * Responsibilities:
+ * - Get all permissions for a role (direct + inherited)
+ * - Check if a user has specific permissions (future)
+ * - Batch permission checking (future)
+ *
+ * This service depends on RoleInheritanceService for traversing role hierarchies.
+ *
+ * @example
+ * ```typescript
+ * const service = new PermissionCheckerService(adapter, logger);
+ * const permissions = await service.getAllPermissionsForRole(roleId);
+ * ```
+ */
+declare class PermissionCheckerService extends BaseService {
+    private roleInheritanceService;
+    constructor(adapter: DrizzleAdapter, logger: Logger);
+    /**
+     * Get all permissions for a given role (direct + inherited).
+     *
+     * @param roleId - Role ID to get permissions for
+     * @returns Array of permission IDs (deduplicated)
+     */
+    getAllPermissionsForRole(roleId: string): Promise<string[]>;
+}
+
+/**
+ * RoleInheritanceService handles role hierarchy management.
+ *
+ * Responsibilities:
+ * - Add parent-child role relationships
+ * - Remove role inheritance relationships
+ * - List ancestor roles (parents, grandparents, etc.)
+ * - List descendant roles (children, grandchildren, etc.)
+ * - Prevent circular inheritance (cycle detection)
+ *
+ * Role hierarchy enables permission inheritance:
+ * - Child roles inherit permissions from parent roles
+ * - Multi-level inheritance is supported (child → parent → grandparent)
+ * - Cycles are forbidden to maintain consistency
+ *
+ * @example
+ * ```typescript
+ * const service = new RoleInheritanceService(adapter, logger);
+ * await service.addRoleInheritance(childRoleId, parentRoleId);
+ * const ancestors = await service.listAncestorRoles(roleId);
+ * ```
+ */
+declare class RoleInheritanceService extends BaseService {
+    constructor(adapter: DrizzleAdapter, logger: Logger);
+    /**
+     * Add a parent-child role inheritance relationship.
+     *
+     * The child role will inherit all permissions from the parent role.
+     * Multi-level inheritance is supported.
+     *
+     * @param childRoleId - Child role ID (inherits from parent)
+     * @param parentRoleId - Parent role ID (provides permissions)
+     * @throws Error if self-inheritance or cycle would be created
+     */
+    addRoleInheritance(childRoleId: string, parentRoleId: string): Promise<void>;
+    /**
+     * Remove a parent-child role inheritance relationship.
+     *
+     * @param childRoleId - Child role ID
+     * @param parentRoleId - Parent role ID
+     */
+    removeRoleInheritance(childRoleId: string, parentRoleId: string): Promise<void>;
+    /**
+     * List all ancestor roles (parents, grandparents, etc.) for a given role.
+     *
+     * Uses breadth-first traversal to find all roles in the hierarchy above this role.
+     * Note: The starting roleId is NOT included in the results - only its ancestors.
+     *
+     * Safety limit: Stops after visiting MAX_ROLE_HIERARCHY_DEPTH roles to prevent infinite loops.
+     *
+     * @param roleId - Role ID to find ancestors for
+     * @returns Array of ancestor role IDs (excluding the starting roleId)
+     */
+    listAncestorRoles(roleId: string): Promise<string[]>;
+    /**
+     * List all descendant roles (children, grandchildren, etc.) for a given role.
+     *
+     * Uses breadth-first traversal to find all roles in the hierarchy below this role.
+     * Note: The starting roleId is NOT included in the results - only its descendants.
+     *
+     * Safety limit: Stops after visiting MAX_ROLE_HIERARCHY_DEPTH roles to prevent infinite loops.
+     *
+     * @param roleId - Role ID to find descendants for
+     * @returns Array of descendant role IDs (excluding the starting roleId)
+     */
+    listDescendantRoles(roleId: string): Promise<string[]>;
+    private willCreateCycle;
+}
+
+declare class UserRoleService extends BaseService {
+    constructor(adapter: DrizzleAdapter, logger: Logger);
+    /**
+     * Assign a role to a user.
+     *
+     * @param userId - User ID to assign role to
+     * @param roleId - Role ID to assign
+     * @param opts - Optional expiration date
+     * @returns Success/failure status
+     */
+    assignRoleToUser(userId: string, roleId: string, opts?: {
+        expiresAt?: Date | string;
+    }): Promise<{
+        success: boolean;
+        statusCode: number;
+        message: string;
+    }>;
+    /**
+     * Remove a role assignment from a user.
+     *
+     * @param userId - User ID to remove role from
+     * @param roleId - Role ID to remove
+     * @returns Success/failure status
+     */
+    unassignRoleFromUser(userId: string, roleId: string): Promise<{
+        success: boolean;
+        statusCode: number;
+        message: string;
+    }>;
+    /**
+     * List all role IDs assigned to a user.
+     *
+     * @param userId - User ID to list roles for
+     * @returns Array of role IDs
+     */
+    listUserRoles(userId: string): Promise<string[]>;
+    /**
+     * List all role names assigned to a user.
+     *
+     * @param userId - User ID to list role names for
+     * @returns Array of role names
+     */
+    listUserRoleNames(userId: string): Promise<string[]>;
+    /**
+     * Invalidate API key permission caches for all active read-only and full-access
+     * keys owned by a user.
+     *
+     * Called after `assignRoleToUser()` and `unassignRoleFromUser()` because those
+     * token types resolve permissions from the creator's current role set. When the
+     * role set changes, the cached permission slugs must be evicted so the next
+     * request re-resolves them from the updated roles.
+     *
+     * Role-based keys are NOT invalidated here — their cache is keyed to the assigned
+     * role, not to the creator, and is invalidated via RolePermissionService instead.
+     *
+     * @param userId - The user whose read-only and full-access API key caches to evict
+     */
+    private invalidateApiKeyCachesForUser;
+}
+
+/**
+ * Code Field Validators
+ *
+ * Reusable validation functions for code fields with language-specific syntax checking.
+ * These validators can be used in field configurations to ensure code content is valid.
+ *
+ * @module collections/fields/validators/code-validators
+ * @since 1.0.0
+ */
+
+/**
+ * Validation result type for code validators.
+ * Returns `true` if valid, or an error message string if invalid.
+ */
+type CodeValidationResult = string | true;
+/**
+ * Validator function signature.
+ */
+type CodeValidator = (value: CodeFieldValue) => CodeValidationResult;
+/**
+ * Validates JSON syntax.
+ *
+ * Ensures the code field contains valid, parseable JSON.
+ * Provides detailed error messages including line/column information.
+ *
+ * @example
+ * ```typescript
+ * const configField: CodeFieldConfig = {
+ *   name: 'config',
+ *   type: 'code',
+ *   admin: { language: 'json' },
+ *   validate: validateJSON,
+ * };
+ * ```
+ *
+ * @param value - The JSON string to validate
+ * @returns `true` if valid, error message if invalid
+ */
+declare function validateJSON(value: CodeFieldValue): CodeValidationResult;
+/**
+ * Validates basic XML/HTML syntax.
+ *
+ * Performs basic validation checking for:
+ * - Properly closed tags
+ * - Balanced brackets
+ * - Valid tag names
+ *
+ * Note: This is a basic validator. For comprehensive validation,
+ * consider using a proper XML parser library.
+ *
+ * @example
+ * ```typescript
+ * const xmlField: CodeFieldConfig = {
+ *   name: 'xmlContent',
+ *   type: 'code',
+ *   admin: { language: 'xml' },
+ *   validate: validateXML,
+ * };
+ * ```
+ *
+ * @param value - The XML/HTML string to validate
+ * @returns `true` if valid, error message if invalid
+ */
+declare function validateXML(value: CodeFieldValue): CodeValidationResult;
+/**
+ * Validates JavaScript/TypeScript syntax.
+ *
+ * Uses the Function constructor for basic syntax validation.
+ * Note: This only checks if the code is parseable JavaScript,
+ * not if it's valid TypeScript or follows best practices.
+ *
+ * @example
+ * ```typescript
+ * const scriptField: CodeFieldConfig = {
+ *   name: 'customScript',
+ *   type: 'code',
+ *   admin: { language: 'javascript' },
+ *   validate: validateJavaScript,
+ * };
+ * ```
+ *
+ * @param value - The JavaScript code to validate
+ * @returns `true` if valid, error message if invalid
+ */
+declare function validateJavaScript(value: CodeFieldValue): CodeValidationResult;
+/**
+ * Options for SQL validation.
+ */
+interface SQLValidatorOptions {
+    /**
+     * Forbidden SQL commands (case-insensitive).
+     * Common dangerous commands to block.
+     *
+     * @default ['DROP TABLE', 'DROP DATABASE', 'TRUNCATE', 'DELETE FROM', 'ALTER TABLE']
+     */
+    forbiddenCommands?: string[];
+    /**
+     * Allow empty values.
+     * @default true
+     */
+    allowEmpty?: boolean;
+}
+/**
+ * Creates a basic SQL validator with configurable forbidden commands.
+ *
+ * This is a safety validator, not a comprehensive syntax checker.
+ * It blocks potentially dangerous SQL commands.
+ *
+ * @example
+ * ```typescript
+ * const queryField: CodeFieldConfig = {
+ *   name: 'customQuery',
+ *   type: 'code',
+ *   admin: { language: 'sql' },
+ *   validate: createSQLValidator({
+ *     forbiddenCommands: ['DROP', 'DELETE', 'TRUNCATE', 'ALTER'],
+ *   }),
+ * };
+ * ```
+ *
+ * @param options - Validation options
+ * @returns Validator function
+ */
+declare function createSQLValidator(options?: SQLValidatorOptions): CodeValidator;
+/**
+ * Validates basic CSS syntax.
+ *
+ * Performs simple validation checking for:
+ * - Balanced braces
+ * - Basic selector syntax
+ * - Property-value pairs
+ *
+ * @example
+ * ```typescript
+ * const stylesField: CodeFieldConfig = {
+ *   name: 'customStyles',
+ *   type: 'code',
+ *   admin: { language: 'css' },
+ *   validate: validateCSS,
+ * };
+ * ```
+ *
+ * @param value - The CSS code to validate
+ * @returns `true` if valid, error message if invalid
+ */
+declare function validateCSS(value: CodeFieldValue): CodeValidationResult;
+/**
+ * Collection of all available code validators.
+ */
+declare const codeValidators: {
+    readonly json: typeof validateJSON;
+    readonly xml: typeof validateXML;
+    readonly html: typeof validateXML;
+    readonly javascript: typeof validateJavaScript;
+    readonly typescript: typeof validateJavaScript;
+    readonly css: typeof validateCSS;
+    readonly sql: typeof createSQLValidator;
+};
+
+/**
+ * Shared SQL Reserved Keyword & Slug Constants
+ *
+ * Pure-data module — no imports — so it can be the cycle-breaker between
+ * collections/config/validate-config.ts and shared/base-validator.ts.
+ *
+ * Originally these constants lived in validate-config.ts and base-validator.ts
+ * imported them back, creating a circular dependency. tsup's bundling masked
+ * the issue (its evaluation order happened to initialise the constants before
+ * base-validator's top-level Set construction). Turbopack's strict ESM
+ * evaluation surfaced it as a TDZ ReferenceError when source-mode dev started
+ * walking the source files directly.
+ *
+ * Solution: extract the constants here. Both validate-config and base-validator
+ * import from this leaf module, which has no further imports → no cycle.
+ *
+ * @module shared/sql-reserved
+ */
+/**
+ * Reserved collection slugs that cannot be used.
+ * These are used by the system or have special meaning.
+ */
+declare const RESERVED_SLUGS: readonly ["api", "graphql", "rest", "admin", "dashboard", "auth", "login", "logout", "register", "signup", "signin", "signout", "forgot-password", "reset-password", "verify", "verify-email", "static", "public", "assets", "_next", "health", "status", "metrics", "users", "roles", "permissions", "sessions", "tokens", "media", "uploads", "files"];
+/**
+ * SQL reserved keywords that should not be used as identifiers.
+ *
+ * Curated list of the most problematic keywords across PostgreSQL, MySQL,
+ * and SQLite. Using these as table or column names can cause issues even
+ * with quoting.
+ *
+ * @see https://sqlite.org/lang_keywords.html
+ * @see https://www.postgresql.org/docs/current/sql-keywords-appendix.html
+ * @see https://dev.mysql.com/doc/refman/8.0/en/keywords.html
+ */
+declare const SQL_RESERVED_KEYWORDS: readonly ["select", "insert", "update", "delete", "from", "where", "set", "values", "create", "drop", "alter", "table", "index", "view", "trigger", "database", "join", "inner", "outer", "left", "right", "cross", "full", "on", "using", "order", "group", "by", "having", "limit", "offset", "distinct", "as", "case", "when", "then", "else", "end", "and", "or", "not", "in", "is", "null", "like", "between", "exists", "primary", "foreign", "key", "references", "unique", "check", "constraint", "default", "begin", "commit", "rollback", "transaction", "count", "sum", "avg", "min", "max", "all", "any", "union", "except", "intersect", "column", "row", "rows", "for", "to", "into", "with", "user", "password", "role", "session", "grant", "revoke", "match", "natural"];
+
+/**
+ * Collection Configuration Validator
+ *
+ * Validates a {@link CollectionConfig} using shared base-validator helpers
+ * for slug/field-name/relationship/select/component rules, plus the
+ * collection-specific access control (create/read/update/delete) and
+ * index validation that Singles/Components don't have.
+ *
+ * Duplicated validation logic was moved to `src/shared/base-validator.ts`
+ * This file now orchestrates those helpers and keeps
+ * only Collection-specific rules.
+ *
+ * @module collections/config/validate-config
+ * @since 1.0.0
+ *
+ * @example
+ * ```typescript
+ * import { validateCollectionConfig } from '@nextly/core';
+ *
+ * const result = validateCollectionConfig(config, ['users', 'posts']);
+ * if (!result.valid) {
+ *   console.error('Validation errors:', result.errors);
+ * }
+ * ```
+ */
+
+/**
+ * Error codes for validation failures.
+ * Used for programmatic error handling.
+ */
+type ValidationErrorCode$1 = "SLUG_REQUIRED" | "SLUG_INVALID_TYPE" | "SLUG_TOO_SHORT" | "SLUG_TOO_LONG" | "SLUG_INVALID_FORMAT" | "SLUG_RESERVED" | "SLUG_SQL_KEYWORD" | "FIELDS_REQUIRED" | "FIELDS_INVALID_TYPE" | "FIELDS_EMPTY" | "FIELD_NAME_REQUIRED" | "FIELD_NAME_INVALID_FORMAT" | "FIELD_NAME_SQL_KEYWORD" | "FIELD_NAME_DUPLICATE" | "FIELD_TYPE_REQUIRED" | "FIELD_TYPE_INVALID" | "SELECT_OPTIONS_REQUIRED" | "SELECT_OPTIONS_EMPTY" | "RADIO_OPTIONS_REQUIRED" | "RADIO_OPTIONS_EMPTY" | "RELATIONSHIP_TARGET_REQUIRED" | "RELATIONSHIP_TARGET_INVALID" | "RELATIONSHIP_TARGET_UNKNOWN" | "ARRAY_FIELDS_REQUIRED" | "GROUP_FIELDS_REQUIRED" | "BLOCKS_REQUIRED" | "BLOCKS_EMPTY" | "BLOCK_SLUG_REQUIRED" | "BLOCK_FIELDS_REQUIRED" | "COMPONENT_REF_REQUIRED" | "COMPONENT_REF_CONFLICT" | "COMPONENT_REF_INVALID" | "COMPONENT_REF_EMPTY" | "ACCESS_INVALID_TYPE" | "ACCESS_FUNCTION_INVALID" | "INDEX_INVALID_TYPE" | "INDEX_FIELDS_REQUIRED" | "INDEX_FIELDS_EMPTY" | "INDEX_FIELD_UNKNOWN" | "INDEX_NAME_INVALID";
+/**
+ * A single validation error with path and context.
+ */
+interface ValidationError$1 {
+    /**
+     * Dot-notation path to the invalid property.
+     * @example 'slug', 'fields.0.name', 'fields.metadata.items.title'
+     */
+    path: string;
+    /** Human-readable error message. */
+    message: string;
+    /** Machine-readable error code for programmatic handling. */
+    code: ValidationErrorCode$1;
+}
+/**
+ * Result of collection config validation.
+ */
+interface ValidationResult$1 {
+    /** Whether the configuration is valid. */
+    valid: boolean;
+    /** Array of validation errors (empty if valid). */
+    errors: ValidationError$1[];
+}
+/**
+ * Validates a complete collection configuration.
+ *
+ * Performs comprehensive validation including slug format/reserved names,
+ * SQL keyword blocking, recursive field validation, select options,
+ * relationship targets (optionally cross-checked against known collection
+ * slugs), duplicate detection, access function types, and index
+ * configuration validation.
+ *
+ * @param config - The collection configuration to validate
+ * @param allCollectionSlugs - Optional array of all collection slugs for relationship validation
+ * @returns Validation result with any errors found
+ *
+ * @example
+ * ```typescript
+ * import { validateCollectionConfig } from '@nextly/core';
+ *
+ * const result = validateCollectionConfig(config, ['users', 'posts', 'categories']);
+ *
+ * if (!result.valid) {
+ *   result.errors.forEach(err => {
+ *     console.error(`[${err.code}] ${err.path}: ${err.message}`);
+ *   });
+ * }
+ * ```
+ */
+declare function validateCollectionConfig(config: CollectionConfig, allCollectionSlugs?: string[]): ValidationResult$1;
+/**
+ * Throws an error if the configuration is invalid.
+ *
+ * Convenience wrapper around {@link validateCollectionConfig}.
+ */
+declare function assertValidCollectionConfig(config: CollectionConfig, allCollectionSlugs?: string[]): void;
+
+/**
+ * TypeScript Type Generator Service
+ *
+ * Generates TypeScript interfaces from collection and single definitions. Provides strong typing for
+ * collections, singles, entries, and input types.
+ *
+ * Generates:
+ * - Collection interfaces with all fields typed
+ * - Single interfaces with all fields typed
+ * - Config interface mapping slugs to types (collections and singles)
+ * - Create/Update input types for collections
+ * - Update input types for singles
+ * - Module augmentation for type-safe collection and single access
+ *
+ * @module services/schema/type-generator
+ * @since 1.0.0
+ */
+
+/**
+ * Result of generating TypeScript types for a single collection.
+ */
+interface GeneratedTypeInterface {
+    /** Collection slug */
+    collectionSlug: string;
+    /** Generated TypeScript interface code */
+    code: string;
+    /** Interface name (e.g., "Post", "User") */
+    interfaceName: string;
+}
+/**
+ * Result of generating TypeScript types for a single Single.
+ */
+interface GeneratedSingleTypeInterface {
+    /** Single slug */
+    singleSlug: string;
+    /** Generated TypeScript interface code */
+    code: string;
+    /** Interface name (e.g., "SiteSettings", "Header") */
+    interfaceName: string;
+}
+/**
+ * Result of generating the complete payload-types.ts file.
+ */
+interface GeneratedTypesFile {
+    /** Generated TypeScript code for the types file */
+    code: string;
+    /** Suggested filename (default: "payload-types.ts") */
+    filename: string;
+}
+/**
+ * Options for TypeScript type generation.
+ */
+interface TypeGeneratorOptions {
+    /**
+     * Whether to include JSDoc comments in generated code.
+     * @default true
+     */
+    includeComments?: boolean;
+    /**
+     * Whether to generate Create and Update input types.
+     * @default true
+     */
+    generateInputTypes?: boolean;
+    /**
+     * Whether to generate Config interface mapping.
+     * @default true
+     */
+    generateConfig?: boolean;
+    /**
+     * Whether to generate module augmentation.
+     * @default true
+     */
+    generateModuleAugmentation?: boolean;
+    /**
+     * Custom filename for generated types.
+     * @default "payload-types.ts"
+     */
+    filename?: string;
+    /**
+     * Module to augment for GeneratedTypes.
+     * @default "nextly"
+     */
+    moduleToAugment?: string;
+}
+
+/**
+ * UsersService - Facade for user operations
+ *
+ * This service acts as a facade, delegating to specialized services:
+ * - UserQueryService: List, get, find operations
+ * - UserMutationService: Create, update, delete operations
+ * - UserAccountService: Profile, password, OAuth account operations
+ *
+ * For new code, consider using the specialized services directly for better
+ * separation of concerns.
+ *
+ * PR 4 (unified-error-system): facade methods now mirror the underlying
+ * services — they return the value directly and throw NextlyError on
+ * failure rather than returning `{ success, statusCode, message, data }`
+ * envelopes. Callers should use try/catch with NextlyError.is*() guards.
+ *
+ * @example
+ * ```typescript
+ * const usersService = new UsersService(adapter, logger);
+ * const users = await usersService.listUsers();
+ *
+ * // Using specialized services directly (recommended for new code)
+ * import { UserQueryService, UserMutationService } from './users/index';
+ * const queryService = new UserQueryService(adapter, logger);
+ * const users = await queryService.listUsers();
+ * ```
+ */
+
+declare class UsersService extends BaseService {
+    private queryService;
+    private mutationService;
+    private accountService;
+    /**
+     * Creates a new UsersService instance.
+     *
+     * @param adapter - Database adapter for multi-database support
+     * @param logger - Logger instance
+     * @param userConfig - Optional user extension configuration (custom fields)
+     * @param userExtSchemaService - Optional schema service for runtime user_ext table
+     * @param emailService - Optional email service for welcome emails
+     */
+    constructor(adapter: DrizzleAdapter, logger: Logger, userConfig?: UserConfig, userExtSchemaService?: UserExtSchemaService, emailService?: EmailService);
+    /**
+     * List users with pagination, filtering, and sorting.
+     *
+     * PR 4: returns the data envelope directly (no `success` wrapper).
+     * Throws NextlyError on failure.
+     */
+    listUsers(options?: {
+        page?: number;
+        limit?: number;
+        search?: string;
+        emailVerified?: boolean;
+        hasPassword?: boolean;
+        createdAtFrom?: Date;
+        createdAtTo?: Date;
+        sortBy?: "createdAt" | "name" | "email" | (string & {});
+        sortOrder?: "asc" | "desc";
+    }): Promise<ListUsersResponse>;
+    /**
+     * Get a user by ID.
+     *
+     * PR 4: returns the user directly. Throws NextlyError(NOT_FOUND) if missing.
+     */
+    getUserById(userId: number | string): Promise<GetUserResponse>;
+    /**
+     * Find a user by email
+     */
+    findByEmail(email: string): Promise<MinimalUser | null>;
+    /**
+     * Create a new local user.
+     *
+     * PR 4: returns the created user directly. Throws NextlyError on failure
+     * (e.g. DUPLICATE on email collision).
+     */
+    createLocalUser(userData: {
+        email: string;
+        name: string;
+        image?: string | null;
+        password?: string | null;
+        roles?: string[];
+        isActive?: boolean;
+        sendWelcomeEmail?: boolean;
+        [key: string]: unknown;
+    }): Promise<UserMutationResponse>;
+    /**
+     * Update an existing user.
+     *
+     * PR 4: returns the updated user directly. Throws NextlyError(NOT_FOUND)
+     * or NextlyError(DUPLICATE) on failure.
+     */
+    updateUser(userId: number | string, changes: {
+        email?: string;
+        name?: string;
+        password?: string | null;
+        image?: string;
+        emailVerified?: Date | null;
+        roles?: string[];
+        isActive?: boolean;
+        sendWelcomeEmail?: boolean;
+        [key: string]: unknown;
+    }): Promise<UserMutationResponse>;
+    /**
+     * Delete a user.
+     *
+     * PR 4: returns void. Throws NextlyError(NOT_FOUND) when the user does
+     * not exist, or NextlyError on DB errors.
+     */
+    deleteUser(userId: number | string): Promise<void>;
+    /**
+     * Get current user profile.
+     *
+     * PR 4: returns the user directly. Throws NextlyError(NOT_FOUND) if missing.
+     */
+    getCurrentUser(userId: number | string): Promise<GetUserResponse>;
+    /**
+     * Update current user profile.
+     *
+     * PR 4: returns the updated user directly. Throws NextlyError on failure.
+     */
+    updateCurrentUser(userId: number | string, changes: {
+        name?: string;
+        image?: string;
+    }): Promise<GetUserResponse>;
+    /**
+     * Update a user's password hash.
+     *
+     * PR 4: returns void. Throws NextlyError(NOT_FOUND) when the user does
+     * not exist, or NextlyError on DB errors.
+     */
+    updatePasswordHash(userId: number | string, passwordHash: string): Promise<void>;
+    /**
+     * Check if a user has a password set
+     */
+    hasPassword(userId: number | string): Promise<boolean>;
+    /**
+     * Get a user's password hash by ID
+     */
+    getUserPasswordHashById(userId: number | string): Promise<string | null>;
+    /**
+     * Get all OAuth accounts linked to a user.
+     *
+     * PR 4: returns the array directly. Throws NextlyError on failure.
+     */
+    getAccounts(userId: number | string): Promise<GetAccountsResponse>;
+    /**
+     * Delete a specific OAuth account
+     */
+    deleteUserAccount(userId: number | string, provider: string, providerAccountId: string): Promise<number>;
+    /**
+     * Unlink an OAuth account from a user.
+     *
+     * Note: this method intentionally returns a discriminated union rather
+     * than throwing — callers branch on `.ok` (see UserAccountService for
+     * rationale). It does NOT follow the throw-based pattern.
+     */
+    unlinkAccountForUser(userId: number | string, provider: string, providerAccountId: string): Promise<UnlinkAccountResult>;
+}
+
+/**
+ * Service container providing dependency injection for Nextly services.
+ *
+ * Centralizes service instantiation with consistent db and tables injection.
+ * Services are lazily instantiated to avoid unnecessary overhead.
+ */
+declare class ServiceContainer {
+    private readonly adapter;
+    private _users?;
+    private _auth?;
+    private _collections?;
+    private _roles?;
+    private _permissions?;
+    private _rolePermissions?;
+    private _userRoles?;
+    private _roleInheritance?;
+    private _permissionChecker?;
+    private _media?;
+    private _mediaFolders?;
+    private readonly tables;
+    private readonly db;
+    constructor(adapter: DrizzleAdapter);
+    private getLogger;
+    /**
+     * Check if adapter is configured
+     */
+    get hasAdapter(): boolean;
+    /**
+     * Get Users service instance (lazy-loaded)
+     * Injects UserExtSchemaService, UserConfig, and EmailService from DI container if available.
+     */
+    get users(): UsersService;
+    /**
+     * Get Auth service instance (lazy-loaded)
+     * Injects EmailService from DI container if available.
+     */
+    get auth(): AuthService;
+    /**
+     * Get Collections handler instance (lazy-loaded)
+     *
+     * IMPORTANT: This getter first checks the DI container for a registered
+     * CollectionsHandler. This ensures that dynamic schemas registered via
+     * getCollectionsHandler() are available to the ServiceDispatcher.
+     *
+     * @throws Error if adapter was not provided and DI container has no handler
+     */
+    get collections(): CollectionsHandler;
+    /**
+     * Get Role service instance (lazy-loaded)
+     * Handles role CRUD operations
+     */
+    get roles(): RoleService;
+    /**
+     * Get Permission service instance (lazy-loaded)
+     * Handles permission CRUD operations
+     */
+    get permissions(): PermissionService;
+    /**
+     * Get RolePermission service instance (lazy-loaded)
+     * Handles role-permission assignments
+     */
+    get rolePermissions(): RolePermissionService;
+    /**
+     * Get UserRole service instance (lazy-loaded)
+     * Handles user-role assignments
+     */
+    get userRoles(): UserRoleService;
+    /**
+     * Get RoleInheritance service instance (lazy-loaded)
+     * Handles role hierarchy management
+     */
+    get roleInheritance(): RoleInheritanceService;
+    /**
+     * Get PermissionChecker service instance (lazy-loaded)
+     * Handles authorization checking logic
+     */
+    get permissionChecker(): PermissionCheckerService;
+    /**
+     * Get Media service instance (lazy-loaded)
+     * Handles media file uploads, processing, and storage
+     */
+    get media(): MediaService;
+    /**
+     * Get MediaFolder service instance (lazy-loaded)
+     * Handles folder organization for media files
+     */
+    get mediaFolders(): MediaFolderService;
+    /**
+     * Get tables for current dialect (public accessor)
+     */
+    get dialectTables(): unknown;
+    /**
+     * Execute a function within a database transaction with fresh service instances.
+     * Creates new service instances with transaction context for use within the transaction.
+     *
+     * @param fn Function to execute within transaction, receives fresh service container with tx context
+     * @returns Promise resolving to the function's return value
+     */
+    withTransaction<T>(fn: (txServices: ServiceContainer) => Promise<T>): Promise<T>;
+}
+
+/**
+ * Public types for the service dispatcher.
+ *
+ * The dispatcher routes API requests to the appropriate service method,
+ * normalizes responses, and maps error messages to HTTP status codes.
+ * Consumers (route handlers) import `ServiceDispatcher` plus these
+ * types to build and interpret dispatch requests.
+ */
+
+type ServiceType = "users" | "rbac" | "auth" | "posts" | "collections" | "singles" | "forms" | "components" | "userFields" | "emailProviders" | "emailTemplates" | "apiKeys" | "generalSettings" | "imageSizes" | "dashboard" | "email" | "schema";
+type OperationType = "single" | "list" | "create" | "update" | "delete" | "count";
+interface DispatchRequest {
+    service: ServiceType;
+    operation: OperationType;
+    method: string;
+    params?: Record<string, unknown>;
+    body?: unknown;
+    userId?: string;
+    /** Optional request object for accessing headers. */
+    request?: Request;
+}
+interface DispatchResult {
+    success: boolean;
+    data?: unknown;
+    /**
+     * Carries the original NextlyError (not a stringified message) so the
+     * route wrapper can rebuild the response with correct statusCode, code,
+     * publicData, and headers (Retry-After for rate limits, etc.). See spec
+     * §6.4.
+     */
+    error?: NextlyError;
+    status: number;
+    message?: string;
+    meta?: unknown;
+}
+
+/**
+ * Service dispatcher — thin router that delegates every incoming
+ * request to a domain-specific handler.
+ *
+ * The legacy monolithic dispatcher held ~3,000 lines of per-method
+ * logic. That logic now lives in `./handlers/*`. This class keeps only:
+ *
+ * - Lazy initialization of the underlying `ServiceContainer` (it resolves
+ *   the adapter from DI or falls back to env-based adapter creation).
+ * - Request validation (service + operation + method presence/shape).
+ * - Service-name → handler dispatch (the `executeServiceMethod` switch).
+ * - Response normalization (`ServiceResult` → `DispatchResult`).
+ * - Error-status mapping (heuristic text match on error messages).
+ *
+ * Route handlers (e.g. `auth-handler.ts`, `route-parser.ts`) import
+ * `ServiceDispatcher` from `@nextly/services` / `src/services/dispatcher.ts`,
+ * which re-exports this class.
+ */
+
+/**
+ * ServiceDispatcher routes API requests to the appropriate service
+ * method. It provides a unified dispatch interface for all service
+ * operations, handling parameter validation, type coercion, and error
+ * handling.
+ *
+ * @example
+ * ```typescript
+ * const dispatcher = new ServiceDispatcher();
+ * const result = await dispatcher.dispatch({
+ *   service: 'users',
+ *   operation: 'single',
+ *   method: 'getUserById',
+ *   params: { userId: '123' }
+ * });
+ * ```
+ */
+declare class ServiceDispatcher {
+    private container;
+    private availableServices;
+    constructor();
+    /** Returns the underlying service container. */
+    getContainer(): ServiceContainer;
+    /** Checks if a service is available. */
+    isServiceAvailable(service: ServiceType): boolean;
+    /** Validates a dispatch request. */
+    validateRequest(request: DispatchRequest): {
+        valid: boolean;
+        error?: string;
+    };
+    /**
+     * Ensure the service container is fully initialized with an adapter.
+     * Resolves from DI first and falls back to environment-based adapter
+     * creation when DI hasn't been initialized (e.g. certain test paths).
+     */
+    private ensureInitialized;
+    /**
+     * Dispatches a request to the appropriate service method.
+     *
+     * @param request - Service, method, params, and body to execute.
+     * @returns Standardized dispatch result with success, data, and error.
+     */
+    dispatch(request: DispatchRequest): Promise<DispatchResult>;
+    private executeServiceMethod;
+    /** Registers a new service type. */
+    addService(service: ServiceType): void;
+    /** Unregisters a service type. */
+    removeService(service: ServiceType): void;
+    /** Returns list of available service types. */
+    getAvailableServices(): ServiceType[];
+    /** Executes a function within a database transaction. */
+    withTransaction<T>(fn: (dispatcher: ServiceDispatcher) => Promise<T>): Promise<T>;
+}
+
+declare const UserIdSchema: z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>;
+declare const MinimalUserSchema: z.ZodObject<{
+    id: z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>;
+    email: z.ZodString;
+    emailVerified: z.ZodOptional<z.ZodUnion<readonly [z.ZodDate, z.ZodString, z.ZodNull]>>;
+    name: z.ZodNullable<z.ZodString>;
+    image: z.ZodNullable<z.ZodString>;
+    isActive: z.ZodOptional<z.ZodBoolean>;
+    createdAt: z.ZodOptional<z.ZodUnion<readonly [z.ZodDate, z.ZodString]>>;
+    updatedAt: z.ZodOptional<z.ZodUnion<readonly [z.ZodDate, z.ZodString]>>;
+    roles: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        name: z.ZodString;
+    }, z.core.$strip>>>;
+}, z.core.$loose>;
+declare const UserAccountSchema: z.ZodObject<{
+    id: z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>;
+    userId: z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>;
+    provider: z.ZodString;
+    providerAccountId: z.ZodString;
+    type: z.ZodString;
+}, z.core.$strip>;
+declare const CreateLocalUserSchema: z.ZodObject<{
+    email: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    name: z.ZodString;
+    image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    password: z.ZodOptional<z.ZodString>;
+    roles: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    isActive: z.ZodOptional<z.ZodBoolean>;
+    sendWelcomeEmail: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>;
+declare const CreateUserWithPasswordSchema: z.ZodObject<{
+    email: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    name: z.ZodString;
+    password: z.ZodString;
+}, z.core.$strip>;
+declare const UpdateUserSchema: z.ZodObject<{
+    email: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
+    name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    password: z.ZodOptional<z.ZodString>;
+    image: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodTransform<string | null, string>>>;
+    emailVerified: z.ZodOptional<z.ZodUnion<readonly [z.ZodDate, z.ZodString, z.ZodNull]>>;
+    roles: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    isActive: z.ZodOptional<z.ZodBoolean>;
+    sendWelcomeEmail: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>;
+declare const UpdatePasswordSchema: z.ZodObject<{
+    userId: z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>;
+    password: z.ZodString;
+}, z.core.$strip>;
+declare const GetUserByIdSchema: z.ZodObject<{
+    userId: z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>;
+}, z.core.$strip>;
+declare const DeleteUserSchema: z.ZodObject<{
+    userId: z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>;
+}, z.core.$strip>;
+declare const ListUsersSchema: z.ZodObject<{
+    page: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    limit: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    search: z.ZodOptional<z.ZodString>;
+    emailVerified: z.ZodOptional<z.ZodBoolean>;
+    hasPassword: z.ZodOptional<z.ZodBoolean>;
+    createdAtFrom: z.ZodOptional<z.ZodDate>;
+    createdAtTo: z.ZodOptional<z.ZodDate>;
+    sortBy: z.ZodDefault<z.ZodOptional<z.ZodEnum<{
+        email: "email";
+        name: "name";
+        createdAt: "createdAt";
+    }>>>;
+    sortOrder: z.ZodDefault<z.ZodOptional<z.ZodEnum<{
+        asc: "asc";
+        desc: "desc";
+    }>>>;
+}, z.core.$strip>;
+declare const DeleteUserAccountSchema: z.ZodObject<{
+    userId: z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>;
+    provider: z.ZodString;
+    providerAccountId: z.ZodString;
+}, z.core.$strip>;
+declare const UnlinkAccountSchema: z.ZodObject<{
+    userId: z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>;
+    provider: z.ZodString;
+    providerAccountId: z.ZodString;
+}, z.core.$strip>;
+declare const UserListResponseSchema: z.ZodArray<z.ZodObject<{
+    id: z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>;
+    email: z.ZodString;
+    emailVerified: z.ZodOptional<z.ZodUnion<readonly [z.ZodDate, z.ZodString, z.ZodNull]>>;
+    name: z.ZodNullable<z.ZodString>;
+    image: z.ZodNullable<z.ZodString>;
+    isActive: z.ZodOptional<z.ZodBoolean>;
+    createdAt: z.ZodOptional<z.ZodUnion<readonly [z.ZodDate, z.ZodString]>>;
+    updatedAt: z.ZodOptional<z.ZodUnion<readonly [z.ZodDate, z.ZodString]>>;
+    roles: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        name: z.ZodString;
+    }, z.core.$strip>>>;
+}, z.core.$loose>>;
+declare const UserResponseSchema: z.ZodObject<{
+    id: z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>;
+    email: z.ZodString;
+    emailVerified: z.ZodOptional<z.ZodUnion<readonly [z.ZodDate, z.ZodString, z.ZodNull]>>;
+    name: z.ZodNullable<z.ZodString>;
+    image: z.ZodNullable<z.ZodString>;
+    isActive: z.ZodOptional<z.ZodBoolean>;
+    createdAt: z.ZodOptional<z.ZodUnion<readonly [z.ZodDate, z.ZodString]>>;
+    updatedAt: z.ZodOptional<z.ZodUnion<readonly [z.ZodDate, z.ZodString]>>;
+    roles: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        name: z.ZodString;
+    }, z.core.$strip>>>;
+}, z.core.$loose>;
+declare const DeleteUserResponseSchema: z.ZodObject<{
+    deleted: z.ZodBoolean;
+}, z.core.$strip>;
+declare const UnlinkAccountResponseSchema: z.ZodUnion<readonly [z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+}, z.core.$strip>, z.ZodObject<{
+    ok: z.ZodLiteral<false>;
+    status: z.ZodNumber;
+    error: z.ZodString;
+}, z.core.$strip>]>;
+type UserAccount = z.infer<typeof UserAccountSchema>;
+type CreateLocalUser = z.infer<typeof CreateLocalUserSchema>;
+type CreateUserWithPassword = z.infer<typeof CreateUserWithPasswordSchema>;
+type UpdateUser = z.infer<typeof UpdateUserSchema>;
+type UpdatePassword = z.infer<typeof UpdatePasswordSchema>;
+type GetUserById = z.infer<typeof GetUserByIdSchema>;
+type DeleteUser = z.infer<typeof DeleteUserSchema>;
+type ListUsers = z.infer<typeof ListUsersSchema>;
+type DeleteUserAccount = z.infer<typeof DeleteUserAccountSchema>;
+type UnlinkAccount = z.infer<typeof UnlinkAccountSchema>;
+type UserListResponse = z.infer<typeof UserListResponseSchema>;
+type UserResponse = z.infer<typeof UserResponseSchema>;
+type DeleteUserResponse = z.infer<typeof DeleteUserResponseSchema>;
+type UnlinkAccountResponse = z.infer<typeof UnlinkAccountResponseSchema>;
+
+declare const IdSchema: z.ZodString;
+/**
+ * System resources that are always available regardless of dynamic collections.
+ * These represent core Nextly entities that exist in every installation.
+ */
+declare const SYSTEM_RESOURCES: readonly ["users", "roles", "permissions", "media", "settings", "email-providers", "email-templates", "api-keys"];
+type SystemResource = (typeof SYSTEM_RESOURCES)[number];
+/**
+ * Check if a resource is a built-in system resource.
+ */
+declare function isSystemResource(resource: string): resource is SystemResource;
+/**
+ * Check if a resource is valid (either a system resource or a known collection slug).
+ * The caller provides known collection slugs from the database.
+ */
+declare function isValidResource(resource: string, knownCollectionSlugs: string[]): boolean;
+declare const RoleSchema: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    slug: z.ZodString;
+    description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    level: z.ZodDefault<z.ZodNumber>;
+    isSystem: z.ZodDefault<z.ZodBoolean>;
+    createdAt: z.ZodOptional<z.ZodDate>;
+    updatedAt: z.ZodOptional<z.ZodDate>;
+}, z.core.$strip>;
+declare const CreateRoleSchema: z.ZodObject<{
+    name: z.ZodString;
+    slug: z.ZodString;
+    description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    level: z.ZodDefault<z.ZodNumber>;
+    isSystem: z.ZodDefault<z.ZodBoolean>;
+    child: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString>>>;
+}, z.core.$strip>;
+declare const UpdateRoleSchema: z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    slug: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    level: z.ZodOptional<z.ZodNumber>;
+    isSystem: z.ZodOptional<z.ZodBoolean>;
+    child: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+declare const GetRoleByIdSchema: z.ZodObject<{
+    roleId: z.ZodString;
+}, z.core.$strip>;
+declare const DeleteRoleSchema: z.ZodObject<{
+    roleId: z.ZodString;
+}, z.core.$strip>;
+declare const PermissionActionSchema: z.ZodEnum<{
+    update: "update";
+    delete: "delete";
+    create: "create";
+    read: "read";
+    manage: "manage";
+}>;
+declare const PermissionResourceSchema: z.ZodString;
+declare const PermissionSchema: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    slug: z.ZodString;
+    action: z.ZodEnum<{
+        update: "update";
+        delete: "delete";
+        create: "create";
+        read: "read";
+        manage: "manage";
+    }>;
+    resource: z.ZodString;
+    description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    createdAt: z.ZodOptional<z.ZodDate>;
+    updatedAt: z.ZodOptional<z.ZodDate>;
+}, z.core.$strip>;
+declare const CreatePermissionSchema: z.ZodObject<{
+    name: z.ZodString;
+    slug: z.ZodString;
+    action: z.ZodEnum<{
+        update: "update";
+        delete: "delete";
+        create: "create";
+        read: "read";
+        manage: "manage";
+    }>;
+    resource: z.ZodString;
+    description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+}, z.core.$strip>;
+declare const UpdatePermissionSchema: z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    slug: z.ZodOptional<z.ZodString>;
+    action: z.ZodOptional<z.ZodEnum<{
+        update: "update";
+        delete: "delete";
+        create: "create";
+        read: "read";
+        manage: "manage";
+    }>>;
+    resource: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+}, z.core.$strip>;
+declare const GetPermissionByIdSchema: z.ZodObject<{
+    permissionId: z.ZodString;
+}, z.core.$strip>;
+declare const DeletePermissionSchema: z.ZodObject<{
+    permissionId: z.ZodString;
+}, z.core.$strip>;
+declare const RolePermissionSchema: z.ZodObject<{
+    id: z.ZodString;
+    roleId: z.ZodString;
+    permissionId: z.ZodString;
+    createdAt: z.ZodOptional<z.ZodDate>;
+}, z.core.$strip>;
+declare const AssignPermissionToRoleSchema: z.ZodObject<{
+    roleId: z.ZodString;
+    permissionId: z.ZodString;
+}, z.core.$strip>;
+declare const RemovePermissionFromRoleSchema: z.ZodObject<{
+    roleId: z.ZodString;
+    permissionId: z.ZodString;
+}, z.core.$strip>;
+declare const UserRoleSchema: z.ZodObject<{
+    id: z.ZodString;
+    userId: z.ZodString;
+    roleId: z.ZodString;
+    createdAt: z.ZodOptional<z.ZodDate>;
+    expiresAt: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+}, z.core.$strip>;
+declare const AssignRoleToUserSchema: z.ZodObject<{
+    userId: z.ZodString;
+    roleId: z.ZodString;
+    expiresAt: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+}, z.core.$strip>;
+declare const RemoveRoleFromUserSchema: z.ZodObject<{
+    userId: z.ZodString;
+    roleId: z.ZodString;
+}, z.core.$strip>;
+declare const RoleInheritanceSchema: z.ZodObject<{
+    id: z.ZodString;
+    parentRoleId: z.ZodString;
+    childRoleId: z.ZodString;
+}, z.core.$strip>;
+declare const CreateRoleInheritanceSchema: z.ZodObject<{
+    parentRoleId: z.ZodString;
+    childRoleId: z.ZodString;
+}, z.core.$strip>;
+declare const DeleteRoleInheritanceSchema: z.ZodObject<{
+    parentRoleId: z.ZodString;
+    childRoleId: z.ZodString;
+}, z.core.$strip>;
+declare const GetUserRolesSchema: z.ZodObject<{
+    userId: z.ZodString;
+}, z.core.$strip>;
+declare const GetRolePermissionsSchema: z.ZodObject<{
+    roleId: z.ZodString;
+}, z.core.$strip>;
+declare const GetUserPermissionsSchema: z.ZodObject<{
+    userId: z.ZodString;
+}, z.core.$strip>;
+declare const CheckUserPermissionSchema: z.ZodObject<{
+    userId: z.ZodString;
+    action: z.ZodEnum<{
+        update: "update";
+        delete: "delete";
+        create: "create";
+        read: "read";
+        manage: "manage";
+    }>;
+    resource: z.ZodString;
+}, z.core.$strip>;
+declare const RoleListResponseSchema: z.ZodArray<z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    slug: z.ZodString;
+    description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    level: z.ZodDefault<z.ZodNumber>;
+    isSystem: z.ZodDefault<z.ZodBoolean>;
+    createdAt: z.ZodOptional<z.ZodDate>;
+    updatedAt: z.ZodOptional<z.ZodDate>;
+}, z.core.$strip>>;
+declare const PermissionListResponseSchema: z.ZodArray<z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    slug: z.ZodString;
+    action: z.ZodEnum<{
+        update: "update";
+        delete: "delete";
+        create: "create";
+        read: "read";
+        manage: "manage";
+    }>;
+    resource: z.ZodString;
+    description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    createdAt: z.ZodOptional<z.ZodDate>;
+    updatedAt: z.ZodOptional<z.ZodDate>;
+}, z.core.$strip>>;
+declare const UserRoleListResponseSchema: z.ZodArray<z.ZodObject<{
+    id: z.ZodString;
+    userId: z.ZodString;
+    roleId: z.ZodString;
+    createdAt: z.ZodOptional<z.ZodDate>;
+    expiresAt: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+}, z.core.$strip>>;
+declare const RolePermissionListResponseSchema: z.ZodArray<z.ZodObject<{
+    id: z.ZodString;
+    roleId: z.ZodString;
+    permissionId: z.ZodString;
+    createdAt: z.ZodOptional<z.ZodDate>;
+}, z.core.$strip>>;
+declare const PermissionCheckResponseSchema: z.ZodObject<{
+    hasPermission: z.ZodBoolean;
+    reason: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+type CreateRole = z.infer<typeof CreateRoleSchema>;
+type UpdateRole = z.infer<typeof UpdateRoleSchema>;
+type GetRoleById = z.infer<typeof GetRoleByIdSchema>;
+type DeleteRole = z.infer<typeof DeleteRoleSchema>;
+type PermissionAction = z.infer<typeof PermissionActionSchema>;
+type PermissionResource = z.infer<typeof PermissionResourceSchema>;
+type CreatePermission = z.infer<typeof CreatePermissionSchema>;
+type UpdatePermission = z.infer<typeof UpdatePermissionSchema>;
+type GetPermissionById = z.infer<typeof GetPermissionByIdSchema>;
+type DeletePermission = z.infer<typeof DeletePermissionSchema>;
+type RolePermission = z.infer<typeof RolePermissionSchema>;
+type AssignPermissionToRole = z.infer<typeof AssignPermissionToRoleSchema>;
+type RemovePermissionFromRole = z.infer<typeof RemovePermissionFromRoleSchema>;
+type UserRole = z.infer<typeof UserRoleSchema>;
+type AssignRoleToUser = z.infer<typeof AssignRoleToUserSchema>;
+type RemoveRoleFromUser = z.infer<typeof RemoveRoleFromUserSchema>;
+type RoleInheritance = z.infer<typeof RoleInheritanceSchema>;
+type CreateRoleInheritance = z.infer<typeof CreateRoleInheritanceSchema>;
+type DeleteRoleInheritance = z.infer<typeof DeleteRoleInheritanceSchema>;
+type GetUserRoles = z.infer<typeof GetUserRolesSchema>;
+type GetRolePermissions = z.infer<typeof GetRolePermissionsSchema>;
+type GetUserPermissions = z.infer<typeof GetUserPermissionsSchema>;
+type CheckUserPermission = z.infer<typeof CheckUserPermissionSchema>;
+type RoleListResponse = z.infer<typeof RoleListResponseSchema>;
+type PermissionListResponse = z.infer<typeof PermissionListResponseSchema>;
+type UserRoleListResponse = z.infer<typeof UserRoleListResponseSchema>;
+type RolePermissionListResponse = z.infer<typeof RolePermissionListResponseSchema>;
+type PermissionCheckResponse = z.infer<typeof PermissionCheckResponseSchema>;
+
+declare const PaginationSchema: z.ZodObject<{
+    page: z.ZodDefault<z.ZodNumber>;
+    limit: z.ZodDefault<z.ZodNumber>;
+    offset: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>;
+declare const PaginatedResponseSchema: <T extends z.ZodTypeAny>(dataSchema: T) => z.ZodObject<{
+    data: z.ZodArray<T>;
+    pagination: z.ZodObject<Record<string, z.ZodTypeAny>>;
+}>;
+declare const SortOrderSchema: z.ZodDefault<z.ZodEnum<{
+    asc: "asc";
+    desc: "desc";
+}>>;
+declare const SortSchema: z.ZodObject<{
+    field: z.ZodString;
+    order: z.ZodDefault<z.ZodEnum<{
+        asc: "asc";
+        desc: "desc";
+    }>>;
+}, z.core.$strip>;
+declare const DateRangeSchema: z.ZodObject<{
+    from: z.ZodOptional<z.ZodDate>;
+    to: z.ZodOptional<z.ZodDate>;
+}, z.core.$strip>;
+declare const SearchSchema: z.ZodObject<{
+    query: z.ZodString;
+    fields: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+declare const SuccessResponseSchema: z.ZodObject<{
+    success: z.ZodLiteral<true>;
+    message: z.ZodOptional<z.ZodString>;
+    data: z.ZodOptional<z.ZodAny>;
+}, z.core.$strip>;
+declare const ErrorResponseSchema: z.ZodObject<{
+    success: z.ZodLiteral<false>;
+    error: z.ZodString;
+    code: z.ZodOptional<z.ZodString>;
+    details: z.ZodOptional<z.ZodAny>;
+}, z.core.$strip>;
+/**
+ * @deprecated Use `ValidationError` and `ValidationErrorResponse` from `nextly/validation` instead.
+ * This schema will be removed in a future version.
+ *
+ * Migration:
+ * ```typescript
+ * // Old
+ * import { ValidationErrorSchema } from 'nextly/schemas/validation';
+ *
+ * // New
+ * import { ValidationError, ValidationErrorResponse } from 'nextly/validation';
+ * ```
+ */
+declare const ValidationErrorSchema: z.ZodObject<{
+    success: z.ZodLiteral<false>;
+    error: z.ZodLiteral<"Validation failed">;
+    details: z.ZodArray<z.ZodObject<{
+        field: z.ZodString;
+        message: z.ZodString;
+        code: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+declare const BulkOperationSchema: z.ZodObject<{
+    ids: z.ZodArray<z.ZodString>;
+    operation: z.ZodEnum<{
+        update: "update";
+        delete: "delete";
+        activate: "activate";
+        deactivate: "deactivate";
+    }>;
+}, z.core.$strip>;
+declare const BulkOperationResponseSchema: z.ZodObject<{
+    success: z.ZodBoolean;
+    processed: z.ZodNumber;
+    failed: z.ZodNumber;
+    errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        error: z.ZodString;
+    }, z.core.$strip>>>;
+}, z.core.$strip>;
+declare const FileUploadSchema: z.ZodObject<{
+    filename: z.ZodString;
+    mimetype: z.ZodString;
+    size: z.ZodNumber;
+    buffer: z.ZodOptional<z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>>;
+}, z.core.$strip>;
+declare const ImageUploadSchema: z.ZodObject<{
+    filename: z.ZodString;
+    buffer: z.ZodOptional<z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>>;
+    mimetype: z.ZodString;
+    size: z.ZodNumber;
+}, z.core.$strip>;
+declare const EmailSchema: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+declare const PasswordSchema: z.ZodString;
+declare const UrlSchema: z.ZodString;
+declare const PhoneSchema: z.ZodString;
+type Pagination = z.infer<typeof PaginationSchema>;
+type SortOrder = z.infer<typeof SortOrderSchema>;
+type Sort = z.infer<typeof SortSchema>;
+type DateRange = z.infer<typeof DateRangeSchema>;
+type Search = z.infer<typeof SearchSchema>;
+type SuccessResponse = z.infer<typeof SuccessResponseSchema>;
+type ErrorResponse = z.infer<typeof ErrorResponseSchema>;
+/**
+ * @deprecated Use `ValidationError` from `nextly/validation` instead.
+ * Renamed to `LegacyValidationError` to avoid conflicts.
+ */
+type LegacyValidationError = z.infer<typeof ValidationErrorSchema>;
+type BulkOperation = z.infer<typeof BulkOperationSchema>;
+type BulkOperationResponse = z.infer<typeof BulkOperationResponseSchema>;
+type FileUpload = z.infer<typeof FileUploadSchema>;
+type ImageUpload = z.infer<typeof ImageUploadSchema>;
+
+/**
+ * PostgreSQL `nextly_migrations` table.
+ *
+ * Per the F11 spec (§7), columns capture everything an operator needs
+ * to debug a production deploy: structured `errorJson`, `appliedBy`
+ * actor, `durationMs` for ops visibility, and a reserved `rollbackSql`
+ * column for the future v2 corrective-rollback feature.
+ *
+ * `status` is constrained to `'applied' | 'failed'` only — the spec
+ * deliberately drops `'pending'` because rows are inserted ONLY after
+ * the apply attempt completes (no transient pending state on disk).
+ */
+declare const nextlyMigrationsPg: drizzle_orm_pg_core.PgTableWithColumns<{
+    name: "nextly_migrations";
+    schema: undefined;
+    columns: {
+        id: drizzle_orm_pg_core.PgColumn<{
+            name: "id";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "PgUUID";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        filename: drizzle_orm_pg_core.PgColumn<{
+            name: "filename";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        sha256: drizzle_orm_pg_core.PgColumn<{
+            name: "sha256";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "PgChar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 64;
+        }>;
+        appliedAt: drizzle_orm_pg_core.PgColumn<{
+            name: "applied_at";
+            tableName: "nextly_migrations";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        appliedBy: drizzle_orm_pg_core.PgColumn<{
+            name: "applied_by";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        durationMs: drizzle_orm_pg_core.PgColumn<{
+            name: "duration_ms";
+            tableName: "nextly_migrations";
+            dataType: "number";
+            columnType: "PgInteger";
+            data: number;
+            driverParam: string | number;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        status: drizzle_orm_pg_core.PgColumn<{
+            name: "status";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "PgText";
+            data: MigrationRecordStatus;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            $type: MigrationRecordStatus;
+        }>;
+        errorJson: drizzle_orm_pg_core.PgColumn<{
+            name: "error_json";
+            tableName: "nextly_migrations";
+            dataType: "json";
+            columnType: "PgJsonb";
+            data: unknown;
+            driverParam: unknown;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        rollbackSql: drizzle_orm_pg_core.PgColumn<{
+            name: "rollback_sql";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "pg";
+}>;
+/** Full row type for SELECT queries. */
+type NextlyMigrationPg = typeof nextlyMigrationsPg.$inferSelect;
+/** Insert shape for INSERT queries. `id` and `appliedAt` have defaults. */
+type NextlyMigrationInsertPg = typeof nextlyMigrationsPg.$inferInsert;
+
+/**
+ * MySQL `nextly_migrations` table.
+ *
+ * Mirrors the PG schema with dialect-appropriate types:
+ * - `uuid` → `varchar(36)` with client-side `crypto.randomUUID()`.
+ * - `timestamptz` → `datetime` (MySQL stores in DB session timezone;
+ *   the app layer is responsible for UTC normalization).
+ * - `jsonb` → `json` (MySQL 5.7+ native JSON column).
+ *
+ * MySQL 8.0.16+ supports CHECK constraints (per F17 minimum 8.0+).
+ */
+declare const nextlyMigrationsMysql: drizzle_orm_mysql_core.MySqlTableWithColumns<{
+    name: "nextly_migrations";
+    schema: undefined;
+    columns: {
+        id: drizzle_orm_mysql_core.MySqlColumn<{
+            name: "id";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "MySqlVarChar";
+            data: string;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: true;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        filename: drizzle_orm_mysql_core.MySqlColumn<{
+            name: "filename";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "MySqlVarChar";
+            data: string;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        sha256: drizzle_orm_mysql_core.MySqlColumn<{
+            name: "sha256";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "MySqlChar";
+            data: string;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 64;
+        }>;
+        appliedAt: drizzle_orm_mysql_core.MySqlColumn<{
+            name: "applied_at";
+            tableName: "nextly_migrations";
+            dataType: "date";
+            columnType: "MySqlDateTime";
+            data: Date;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: true;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        appliedBy: drizzle_orm_mysql_core.MySqlColumn<{
+            name: "applied_by";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "MySqlVarChar";
+            data: string;
+            driverParam: string | number;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        durationMs: drizzle_orm_mysql_core.MySqlColumn<{
+            name: "duration_ms";
+            tableName: "nextly_migrations";
+            dataType: "number";
+            columnType: "MySqlInt";
+            data: number;
+            driverParam: string | number;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        status: drizzle_orm_mysql_core.MySqlColumn<{
+            name: "status";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "MySqlVarChar";
+            data: MigrationRecordStatus;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            $type: MigrationRecordStatus;
+        }>;
+        errorJson: drizzle_orm_mysql_core.MySqlColumn<{
+            name: "error_json";
+            tableName: "nextly_migrations";
+            dataType: "json";
+            columnType: "MySqlJson";
+            data: unknown;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        rollbackSql: drizzle_orm_mysql_core.MySqlColumn<{
+            name: "rollback_sql";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "MySqlText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "mysql";
+}>;
+type NextlyMigrationMysql = typeof nextlyMigrationsMysql.$inferSelect;
+type NextlyMigrationInsertMysql = typeof nextlyMigrationsMysql.$inferInsert;
+
+/**
+ * SQLite `nextly_migrations` table.
+ *
+ * Mirrors the PG schema with dialect-appropriate types:
+ * - `uuid` → `text` with client-side `crypto.randomUUID()`.
+ * - `timestamptz` → `integer` (Unix epoch ms; SQLite has no native
+ *   timestamp; we store ms-since-epoch for sub-second precision).
+ * - `jsonb` → `text` (JSON-encoded; readers JSON.parse on access).
+ *
+ * SQLite supports CHECK constraints on every supported version
+ * (3.38+ per F17), so the two-state lifecycle is enforced at the DB.
+ */
+declare const nextlyMigrationsSqlite: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
+    name: "nextly_migrations";
+    schema: undefined;
+    columns: {
+        id: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "id";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: true;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        filename: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "filename";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        sha256: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "sha256";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        appliedAt: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "applied_at";
+            tableName: "nextly_migrations";
+            dataType: "date";
+            columnType: "SQLiteTimestamp";
+            data: Date;
+            driverParam: number;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: true;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        appliedBy: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "applied_by";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        durationMs: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "duration_ms";
+            tableName: "nextly_migrations";
+            dataType: "number";
+            columnType: "SQLiteInteger";
+            data: number;
+            driverParam: number;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        status: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "status";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: MigrationRecordStatus;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+            $type: MigrationRecordStatus;
+        }>;
+        errorJson: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "error_json";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        rollbackSql: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "rollback_sql";
+            tableName: "nextly_migrations";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+    };
+    dialect: "sqlite";
+}>;
+type NextlyMigrationSqlite = typeof nextlyMigrationsSqlite.$inferSelect;
+type NextlyMigrationInsertSqlite = typeof nextlyMigrationsSqlite.$inferInsert;
+
+/**
+ * The three token types that determine how permissions are resolved at request time.
+ * - "read-only"   — resolves to the creator's read-* permissions only
+ * - "full-access" — resolves to the creator's full permission set
+ * - "role-based"  — resolves to the permissions of the selected role
+ */
+declare const ApiKeyTokenTypeSchema: z.ZodEnum<{
+    "role-based": "role-based";
+    "read-only": "read-only";
+    "full-access": "full-access";
+}>;
+/**
+ * Token duration options. "unlimited" means the key never expires.
+ */
+declare const ExpiresInSchema: z.ZodEnum<{
+    "7d": "7d";
+    "30d": "30d";
+    "90d": "90d";
+    unlimited: "unlimited";
+}>;
+/**
+ * Validates the request body for POST /api/api-keys.
+ *
+ * Refinement rules:
+ * - `roleId` is required when `tokenType === "role-based"`
+ * - `roleId` must be absent (undefined) when `tokenType` is not "role-based"
+ */
+declare const CreateApiKeySchema: z.ZodObject<{
+    name: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    tokenType: z.ZodEnum<{
+        "role-based": "role-based";
+        "read-only": "read-only";
+        "full-access": "full-access";
+    }>;
+    roleId: z.ZodOptional<z.ZodString>;
+    expiresIn: z.ZodEnum<{
+        "7d": "7d";
+        "30d": "30d";
+        "90d": "90d";
+        unlimited: "unlimited";
+    }>;
+}, z.core.$strip>;
+/**
+ * Validates the request body for PATCH /api/api-keys/:id.
+ *
+ * Only name and description may be updated. Token type, role, and duration
+ * are immutable — revoke and recreate to change them.
+ */
+declare const UpdateApiKeySchema: z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+}, z.core.$strip>;
+type ApiKeyTokenTypeEnum = z.infer<typeof ApiKeyTokenTypeSchema>;
+type ExpiresInEnum = z.infer<typeof ExpiresInSchema>;
+type CreateApiKey = z.infer<typeof CreateApiKeySchema>;
+type UpdateApiKey = z.infer<typeof UpdateApiKeySchema>;
+
+/**
+ * Database Lifecycle Hooks - Public API for NPM Package Consumers
+ *
+ * This module provides a clean, user-friendly API for registering and
+ * managing database lifecycle hooks in Next.js 16 applications.
+ *
+ * **Usage in Next.js App:**
+ * ```typescript
+ * // app/db/hooks.ts
+ * import { registerHook } from 'nextly';
+ * import bcrypt from 'bcryptjs';
+ *
+ * // Hash password before creating user
+ * registerHook('beforeCreate', 'users', async (context) => {
+ *   if (context.data?.password) {
+ *     const hashed = await bcrypt.hash(context.data.password, 10);
+ *     return { ...context.data, password: hashed };
+ *   }
+ *   return context.data;
+ * });
+ *
+ * // Send welcome email after user creation
+ * registerHook('afterCreate', 'users', async (context) => {
+ *   await sendWelcomeEmail(context.data.email);
+ * });
+ * ```
+ *
+ * @module hooks
+ * @since 1.0.0
+ */
+
+/**
+ * Register a database lifecycle hook
+ *
+ * Hooks allow you to run custom logic before/after database operations.
+ * They are executed in the order they are registered (FIFO).
+ *
+ * **Hook Types:**
+ * - `beforeCreate` - Run before creating a record (can modify data)
+ * - `afterCreate` - Run after creating a record (for side effects)
+ * - `beforeUpdate` - Run before updating a record (can modify data)
+ * - `afterUpdate` - Run after updating a record (for side effects)
+ * - `beforeDelete` - Run before deleting a record (can prevent deletion)
+ * - `afterDelete` - Run after deleting a record (for cleanup)
+ * - `beforeRead` - Run before reading records (can modify query)
+ * - `afterRead` - Run after reading records (can transform data)
+ *
+ * @param hookType - Type of hook (e.g., 'beforeCreate', 'afterUpdate')
+ * @param collection - Collection name or '*' for global hooks
+ * @param handler - Hook function to execute
+ *
+ * @example
+ * ```typescript
+ * // Auto-generate slug from title
+ * registerHook('beforeCreate', 'posts', (context) => {
+ *   return {
+ *     ...context.data,
+ *     slug: slugify(context.data.title)
+ *   };
+ * });
+ *
+ * // Send notification after post creation
+ * registerHook('afterCreate', 'posts', async (context) => {
+ *   await notifySubscribers(context.data);
+ * });
+ *
+ * // Global hook for all collections
+ * registerHook('afterCreate', '*', async (context) => {
+ *   console.log(`Created ${context.collection}:`, context.data.id);
+ * });
+ * ```
+ */
+declare function registerHook<T = any>(hookType: HookType, collection: string, handler: HookHandler<T>): void;
+/**
+ * Unregister a specific database lifecycle hook
+ *
+ * Removes the exact handler function from the registry.
+ * Useful for cleanup or dynamically enabling/disabling hooks.
+ *
+ * @param hookType - Type of hook
+ * @param collection - Collection name or '*'
+ * @param handler - The exact handler function to remove
+ *
+ * @example
+ * ```typescript
+ * const myHook = async (context) => {
+ *   // Hook logic
+ * };
+ *
+ * registerHook('beforeCreate', 'posts', myHook);
+ *
+ * // Later, remove the hook
+ * unregisterHook('beforeCreate', 'posts', myHook);
+ * ```
+ */
+declare function unregisterHook(hookType: HookType, collection: string, handler: HookHandler): void;
+/**
+ * Clear all registered hooks
+ *
+ * Removes all hooks for all collections.
+ * Primarily used for testing cleanup.
+ *
+ * @example
+ * ```typescript
+ * // In test cleanup
+ * afterEach(() => {
+ *   clearAllHooks();
+ * });
+ * ```
+ */
+declare function clearAllHooks(): void;
+/**
+ * Check if hooks are registered for a collection/hook type
+ *
+ * Returns true if any hooks (global or collection-specific) are registered.
+ * Useful for conditional logic or debugging.
+ *
+ * @param hookType - Type of hook to check
+ * @param collection - Collection name
+ * @returns True if hooks are registered
+ *
+ * @example
+ * ```typescript
+ * if (hasHooks('beforeCreate', 'users')) {
+ *   console.log('User creation hooks are active');
+ * }
+ * ```
+ */
+declare function hasHooks(hookType: HookType, collection: string): boolean;
+/**
+ * Get count of registered hooks
+ *
+ * Returns the number of hooks registered for a specific type/collection.
+ * Useful for debugging and monitoring.
+ *
+ * @param hookType - Type of hook
+ * @param collection - Collection name or '*'
+ * @returns Number of registered hooks
+ *
+ * @example
+ * ```typescript
+ * const count = getHookCount('beforeCreate', 'posts');
+ * console.log(`${count} beforeCreate hooks for posts`);
+ * ```
+ */
+declare function getHookCount(hookType: HookType, collection: string): number;
+
+/**
+ * Register Collection Hooks
+ *
+ * Utility to register hooks defined in code-first collection configurations
+ * with the global HookRegistry. This bridges the gap between the declarative
+ * hook definitions in `defineCollection()` and the runtime hook execution system.
+ *
+ * @module hooks/register-collection-hooks
+ * @since 1.0.0
+ *
+ * @example
+ * ```typescript
+ * import { registerCollectionHooks } from 'nextly/hooks';
+ * import { loadConfig } from 'nextly/cli/utils/config-loader';
+ *
+ * // During app initialization
+ * const { config } = await loadConfig();
+ * const result = registerCollectionHooks(config.collections);
+ *
+ * console.log(`Registered ${result.totalHooks} hooks for ${result.collections.length} collections`);
+ * ```
+ */
+
+/**
+ * Result of registering collection hooks
+ */
+interface RegisterCollectionHooksResult {
+    /**
+     * Collection slugs that had hooks registered
+     */
+    collections: string[];
+    /**
+     * Total number of hooks registered
+     */
+    totalHooks: number;
+    /**
+     * Breakdown of hooks registered per collection
+     */
+    details: {
+        collection: string;
+        hooks: {
+            type: string;
+            count: number;
+        }[];
+    }[];
+}
+/**
+ * Register hooks from collection configurations with the global HookRegistry.
+ *
+ * This function takes an array of collection configurations (from `defineCollection()`)
+ * and registers all their hooks with the global hook registry. This enables the hooks
+ * to be executed during CRUD operations.
+ *
+ * **When to call:**
+ * Call this function during application initialization, after loading the config
+ * but before handling any requests.
+ *
+ * **Hook Mapping:**
+ * Collection hooks use semantic names that map to specific registry hooks:
+ * - `beforeChange` → `beforeCreate` and `beforeUpdate`
+ * - `afterChange` → `afterCreate` and `afterUpdate`
+ * - `beforeValidate` → `beforeCreate` and `beforeUpdate` (runs first)
+ * - Other hooks map directly (beforeRead, afterRead, beforeDelete, afterDelete)
+ *
+ * @param collections - Array of collection configurations from `defineCollection()`
+ * @param registry - Optional HookRegistry instance (defaults to global registry)
+ * @returns Result object with registration statistics
+ *
+ * @example
+ * ```typescript
+ * import { registerCollectionHooks } from 'nextly/hooks';
+ * import postsCollection from './collections/posts';
+ * import usersCollection from './collections/users';
+ *
+ * const result = registerCollectionHooks([postsCollection, usersCollection]);
+ *
+ * console.log(`Registered hooks for: ${result.collections.join(', ')}`);
+ * // Output: "Registered hooks for: posts, users"
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // With loaded config
+ * import { registerCollectionHooks } from 'nextly/hooks';
+ * import { loadConfig } from 'nextly/cli/utils/config-loader';
+ *
+ * async function initializeApp() {
+ *   const { config } = await loadConfig();
+ *
+ *   // Register hooks from all collections in config
+ *   const hookResult = registerCollectionHooks(config.collections);
+ *
+ *   console.log(`Initialized ${hookResult.totalHooks} hooks`);
+ * }
+ * ```
+ */
+declare function registerCollectionHooks(collections: CollectionConfig[], registry?: HookRegistry): RegisterCollectionHooksResult;
+/**
+ * Clear all hooks for a specific collection.
+ *
+ * Useful when re-registering hooks after a config change (e.g., in watch mode).
+ *
+ * @param collectionSlug - The collection slug to clear hooks for
+ * @param registry - Optional HookRegistry instance (defaults to global registry)
+ */
+declare function clearCollectionHooks(collectionSlug: string, registry?: HookRegistry): void;
+/**
+ * Re-register hooks for collections.
+ *
+ * Clears existing hooks for the given collections and registers new ones.
+ * Useful for hot-reload scenarios in development mode.
+ *
+ * @param collections - Array of collection configurations
+ * @param registry - Optional HookRegistry instance (defaults to global registry)
+ * @returns Result object with registration statistics
+ */
+declare function reregisterCollectionHooks(collections: CollectionConfig[], registry?: HookRegistry): RegisterCollectionHooksResult;
+
+/**
+ * Nextly Initialization — Service Config Builder
+ *
+ * Merges caller-provided configuration with the loaded `nextly.config.ts`
+ * into a final `NextlyServiceConfig` passed to the DI container.
+ *
+ * Extracted from `init.ts` so initialization orchestration can stay
+ * focused on cache/lifecycle concerns.
+ *
+ * @module init/build-service-config
+ */
+
+/**
+ * Configuration options for getNextly().
+ *
+ * Extends NextlyServiceConfig with a REQUIRED `config` property carrying the
+ * loaded `nextly.config.ts`. It mirrors Payload's `getPayload({ config })`
+ * contract: passing config on every call eliminates a class of "I forgot the
+ * wrapper" bugs where a stray import bypassed the project-local wrapper and silently
+ * bootstrapped an empty collections registry.
+ *
+ * Internal handlers that just need the cached singleton (post-init) should
+ * call `getCachedNextly()` instead.
+ */
+interface GetNextlyOptions extends Partial<NextlyServiceConfig> {
+    /**
+     * Pre-loaded Nextly configuration from nextly.config.ts. Required.
+     *
+     * The recommended import is via the `@nextly-config` TypeScript path
+     * alias auto-generated by `create-nextly-app`:
+     *
+     * @example
+     * ```typescript
+     * import { getNextly } from 'nextly';
+     * import config from '@nextly-config';
+     *
+     * const nextly = await getNextly({ config });
+     * ```
+     */
+    config: SanitizedNextlyConfig;
+}
+
+/**
+ * Nextly Instance Type Definition
+ *
+ * Defines the public `Nextly` interface exposed by `getNextly()`.
+ * Extracted from `init.ts` to keep the initialization orchestration file
+ * focused on lifecycle/cache concerns.
+ *
+ * The interface is re-exported from `../init.ts` so all existing imports
+ * like `import type { Nextly } from "nextly"` continue to work.
+ *
+ * @module init/nextly-instance
+ */
+
+/**
+ * Nextly instance - provides access to all services and APIs.
+ *
+ * This is the main interface for interacting with Nextly. It provides
+ * direct access to all core services and the database adapter.
+ *
+ * The instance is cached as a singleton, so multiple calls to `getNextly()`
+ * will return the same instance.
+ *
+ * **Direct API Methods:**
+ * - `find()`, `findByID()`, `create()`, `update()`, `delete()`
+ * - `count()`, `bulkDelete()`, `duplicate()`
+ * - `findSingle()`, `updateSingle()`
+ *
+ * **Service Accessors:**
+ * - `collections`, `users`, `media`, `storage`, `adapter`
+ */
+interface Nextly {
+    /**
+     * Find multiple documents in a collection.
+     *
+     * @example
+     * ```typescript
+     * const posts = await nextly.find({
+     *   collection: 'posts',
+     *   where: { status: { equals: 'published' } },
+     *   limit: 10,
+     *   sort: '-createdAt',
+     * });
+     * ```
+     */
+    find: <TSlug extends CollectionSlug>(args: FindArgs<TSlug>) => Promise<ListResult<DataFromCollectionSlug<TSlug>>>;
+    /**
+     * Find a single document by ID.
+     *
+     * @example
+     * ```typescript
+     * const post = await nextly.findByID({
+     *   collection: 'posts',
+     *   id: 'post-123',
+     * });
+     * ```
+     */
+    findByID: <TSlug extends CollectionSlug>(args: FindByIDArgs<TSlug>) => Promise<DataFromCollectionSlug<TSlug> | null>;
+    /**
+     * Create a new document.
+     *
+     * @example
+     * ```typescript
+     * const post = await nextly.create({
+     *   collection: 'posts',
+     *   data: { title: 'Hello', content: 'World' },
+     * });
+     * ```
+     */
+    create: <TSlug extends CollectionSlug>(args: CreateArgs<TSlug>) => Promise<MutationResult<DataFromCollectionSlug<TSlug>>>;
+    /**
+     * Update a document by ID.
+     *
+     * @example
+     * ```typescript
+     * const updated = await nextly.update({
+     *   collection: 'posts',
+     *   id: 'post-123',
+     *   data: { status: 'published' },
+     * });
+     * ```
+     */
+    update: <TSlug extends CollectionSlug>(args: UpdateArgs<TSlug>) => Promise<MutationResult<DataFromCollectionSlug<TSlug>>>;
+    /**
+     * Delete a document by ID or by where clause.
+     *
+    * the by-id path returns `{ message, item: { id } }`;
+     * the by-where path keeps the legacy `DeleteResult` because it can
+     * affect multiple rows.
+     *
+     * @example
+     * ```typescript
+     * const result = await nextly.delete({
+     *   collection: 'posts',
+     *   id: 'post-123',
+     * });
+     * ```
+     */
+    delete: <TSlug extends CollectionSlug = CollectionSlug>(args: DeleteArgs<TSlug>) => Promise<MutationResult<{
+        id: string;
+    }> | DeleteResult>;
+    /**
+     * Count documents matching a query.
+     *
+     * @example
+     * ```typescript
+     * //returns { total } (was { totalDocs }).
+     * const { total } = await nextly.count({
+     *   collection: 'posts',
+     *   where: { status: { equals: 'published' } },
+     * });
+     * ```
+     */
+    count: (args: CountArgs) => Promise<CountResult>;
+    /**
+     * Bulk delete multiple documents by IDs.
+     *
+     * @example
+     * ```typescript
+     * const result = await nextly.bulkDelete({
+     *   collection: 'posts',
+     *   ids: ['post-1', 'post-2'],
+     * });
+     * ```
+     */
+    bulkDelete: (args: BulkDeleteArgs) => Promise<BulkOperationResult>;
+    /**
+     * Duplicate a document.
+     *
+     * @example
+     * ```typescript
+     * const copy = await nextly.duplicate({
+     *   collection: 'posts',
+     *   id: 'post-123',
+     * });
+     * ```
+     */
+    duplicate: <TSlug extends CollectionSlug>(args: DuplicateArgs<TSlug>) => Promise<MutationResult<DataFromCollectionSlug<TSlug>>>;
+    /**
+     * Get a Single document.
+     *
+     * @example
+     * ```typescript
+     * const settings = await nextly.findSingle({
+     *   slug: 'site-settings',
+     * });
+     * ```
+     */
+    findSingle: <TSlug extends SingleSlug>(args: FindSingleArgs<TSlug>) => Promise<DataFromSingleSlug<TSlug>>;
+    /**
+     * Update a Single document.
+     *
+     * @example
+     * ```typescript
+     * const updated = await nextly.updateSingle({
+     *   slug: 'site-settings',
+     *   data: { siteName: 'My Site' },
+     * });
+     * ```
+     */
+    updateSingle: <TSlug extends SingleSlug>(args: UpdateSingleArgs<TSlug>) => Promise<DataFromSingleSlug<TSlug>>;
+    /**
+     * List all registered Single type definitions.
+     */
+    findSingles: (args?: FindSinglesArgs) => Promise<SingleListResult>;
+    /**
+     * Verify user credentials and return user info.
+     *
+     * Since Direct API operates server-side without sessions, this simply
+     * verifies credentials and returns the user object (no JWT token).
+     *
+     * @example
+     * ```typescript
+     * const result = await nextly.login({
+     *   email: 'user@example.com',
+     *   password: 'password123',
+     * });
+     * console.log('Logged in as:', result.user.email);
+     * ```
+     */
+    login: (args: LoginArgs) => Promise<{
+        user: Record<string, unknown>;
+    }>;
+    /**
+     * Logout operation (no-op for Direct API).
+     *
+     * Since Direct API operates server-side without sessions,
+     * logout is a no-op. Session management should be handled
+     * at the application level.
+     */
+    logout: () => Promise<void>;
+    /**
+     * Get the current user's profile.
+     *
+     * Requires `user.id` to be provided since Direct API
+     * doesn't have implicit session state.
+     *
+     * @example
+     * ```typescript
+     * const profile = await nextly.me({
+     *   user: { id: session.user.id },
+     * });
+     * ```
+     */
+    me: (args: {
+        user: UserContext;
+    }) => Promise<AuthResult>;
+    /**
+     * Update the current user's profile (name and image only).
+     *
+     * @example
+     * ```typescript
+     * const updated = await nextly.updateMe({
+     *   user: { id: session.user.id },
+     *   data: { name: 'New Name' },
+     * });
+     * ```
+     */
+    updateMe: (args: {
+        user: UserContext;
+        data: {
+            name?: string;
+            image?: string;
+        };
+    }) => Promise<AuthResult>;
+    /**
+     * Register a new user.
+     *
+     * @example
+     * ```typescript
+     * const result = await nextly.register({
+     *   email: 'newuser@example.com',
+     *   password: 'securePassword123!',
+     *   name: 'New User',
+     * });
+     * ```
+     */
+    register: (args: RegisterArgs) => Promise<{
+        user: Record<string, unknown>;
+    }>;
+    /**
+     * Change the current user's password.
+     *
+     * Requires `user.id` and current password for verification.
+     *
+     * @example
+     * ```typescript
+     * await nextly.changePassword({
+     *   user: { id: session.user.id },
+     *   currentPassword: 'oldPassword123',
+     *   newPassword: 'newSecurePassword456!',
+     * });
+     * ```
+     */
+    changePassword: (args: ChangePasswordArgs & {
+        user: UserContext;
+    }) => Promise<{
+        success: true;
+    }>;
+    /**
+     * Initiate password reset by generating a reset token.
+     *
+     * Returns the raw token which should be sent to the user via email.
+     *
+     * @example
+     * ```typescript
+     * const result = await nextly.forgotPassword({
+     *   email: 'user@example.com',
+     * });
+     * if (result.token) {
+     *   await sendResetEmail(args.email, result.token);
+     * }
+     * ```
+     */
+    forgotPassword: (args: ForgotPasswordArgs) => Promise<{
+        success: true;
+        token?: string;
+    }>;
+    /**
+     * Reset password using a reset token.
+     *
+     * @example
+     * ```typescript
+     * const result = await nextly.resetPassword({
+     *   token: 'reset-token-from-email',
+     *   password: 'newSecurePassword456!',
+     * });
+     * ```
+     */
+    resetPassword: (args: ResetPasswordArgs) => Promise<{
+        success: true;
+        email?: string;
+    }>;
+    /**
+     * Verify user email using a verification token.
+     *
+     * @example
+     * ```typescript
+     * const result = await nextly.verifyEmail({
+     *   token: 'verification-token-from-email',
+     * });
+     * ```
+     */
+    verifyEmail: (args: VerifyEmailArgs) => Promise<{
+        success: true;
+        email?: string;
+    }>;
+    /**
+     * Collection service - manage collections and their entries.
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly(config);
+     *
+     * // Find documents
+     * const posts = await nextly.collections.find('posts', {
+     *   where: { status: 'published' }
+     * }, context);
+     *
+     * // Create document
+     * const newPost = await nextly.collections.create('posts', {
+     *   data: { title: 'Hello World' }
+     * }, context);
+     * ```
+     */
+    collections: ServiceMap["collectionService"];
+    /**
+     * Users API namespace - CRUD operations for users.
+     *
+     * Provides direct database operations for user management without HTTP overhead.
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly(config);
+     *
+     * // Find users
+     * const users = await nextly.users.find({
+     *   where: { role: { equals: 'admin' } },
+     *   limit: 10,
+     * });
+     *
+     * // Get user by ID
+     * const user = await nextly.users.findByID({ id: 'user-123' });
+     *
+     * // Create user
+     * const newUser = await nextly.users.create({
+     *   email: 'user@example.com',
+     *   password: 'secure123',
+     *   data: { name: 'John Doe' },
+     * });
+     *
+     * // Update user
+     * await nextly.users.update({
+     *   id: 'user-123',
+     *   data: { name: 'Jane Doe' },
+     * });
+     *
+     * // Delete user
+     * await nextly.users.delete({ id: 'user-123' });
+     * ```
+     */
+    users: {
+        find: (args?: FindUsersArgs) => Promise<ListResult<User>>;
+        findByID: (args: FindUserByIDArgs) => Promise<User | null>;
+        create: (args: CreateUserArgs) => Promise<MutationResult<User>>;
+        update: (args: UpdateUserArgs) => Promise<MutationResult<User>>;
+        delete: (args: DeleteUserArgs) => Promise<MutationResult<{
+            id: string;
+        }>>;
+    };
+    /**
+     * User service - direct access to UserService for advanced operations.
+     *
+     * For most use cases, prefer the `users` namespace above which provides
+     * a simplified CRUD API. Use this for advanced operations like
+     * authentication, password management, etc.
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly(config);
+     *
+     * // Authenticate user
+     * const user = await nextly.userService.authenticate('user@example.com', 'password');
+     *
+     * // Change password
+     * await nextly.userService.changePassword(userId, oldPass, newPass);
+     * ```
+     */
+    userService: ServiceMap["userService"];
+    /**
+     * Runtime key/value flags accessor.
+     *
+     * Backed by the `nextly_meta` table — a small KV store for runtime
+     * state that doesn't belong in collection schemas. First consumers
+     * are the dashboard `SeedDemoContentCard` flags
+     * (`seed.completedAt`, `seed.skippedAt`).
+     *
+     * Values are JSON round-tripped: callers pass and receive JS values;
+     * the service handles serialisation per-dialect.
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly({ config });
+     *
+     * await nextly.meta.set("seed.completedAt", new Date().toISOString());
+     * const ts = await nextly.meta.get<string>("seed.completedAt");
+     * await nextly.meta.delete("seed.skippedAt");
+     * const all = await nextly.meta.getAll();
+     * ```
+     */
+    meta: ServiceMap["metaService"];
+    /**
+     * Media API namespace - operations for media files and folders.
+     *
+     * Provides direct database operations for media management without HTTP overhead.
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly(config);
+     *
+     * // Upload media
+     * const media = await nextly.media.upload({
+     *   file: { data: buffer, name: 'image.jpg', mimetype: 'image/jpeg', size: buffer.length },
+     *   altText: 'My image',
+     * });
+     *
+     * // List media
+     * const files = await nextly.media.find({ folder: 'uploads', limit: 20 });
+     *
+     * // Get by ID
+     * const file = await nextly.media.findByID({ id: 'media-123' });
+     *
+     * // Update metadata
+     * await nextly.media.update({ id: 'media-123', data: { altText: 'Updated' } });
+     *
+     * // Delete
+     * await nextly.media.delete({ id: 'media-123' });
+     *
+     * // Folders
+     * const folder = await nextly.media.folders.create({ name: 'Photos' });
+     * const folders = await nextly.media.folders.list();
+     * ```
+     */
+    media: {
+        upload: (args: UploadMediaArgs) => Promise<MediaFile>;
+        find: (args?: FindMediaArgs) => Promise<ListResult<MediaFile>>;
+        findByID: (args: FindMediaByIDArgs) => Promise<MediaFile | null>;
+        update: (args: UpdateMediaArgs) => Promise<MutationResult<MediaFile>>;
+        delete: (args: DeleteMediaArgs) => Promise<MutationResult<{
+            id: string;
+        }>>;
+        bulkDelete: (args: BulkDeleteMediaArgs) => Promise<BulkOperationResult>;
+        folders: {
+            list: (args?: ListFoldersArgs) => Promise<MediaFolder[]>;
+            create: (args: CreateFolderArgs) => Promise<MediaFolder>;
+        };
+    };
+    /**
+     * Forms API namespace - operations for forms and form submissions.
+     *
+     * Provides direct database operations for form management without HTTP overhead.
+     * Requires the `@nextlyhq/plugin-form-builder` plugin to be installed.
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly(config);
+     *
+     * // List published forms
+     * const forms = await nextly.forms.find({ status: 'published' });
+     *
+     * // Get form by slug
+     * const form = await nextly.forms.findBySlug({ slug: 'contact-form' });
+     *
+     * // Submit form data
+     * const result = await nextly.forms.submit({
+     *   form: 'contact-form',
+     *   data: { name: 'John', email: 'john@example.com', message: 'Hello!' },
+     * });
+     *
+     * // Get submissions
+     * const submissions = await nextly.forms.submissions({
+     *   form: 'contact-form',
+     *   limit: 20,
+     * });
+     * ```
+     */
+    forms: {
+        find: (args?: FindFormsArgs) => Promise<ListResult<Record<string, unknown>>>;
+        findBySlug: (args: FindFormBySlugArgs) => Promise<Record<string, unknown> | null>;
+        submit: (args: SubmitFormArgs) => Promise<SubmitFormResult>;
+        submissions: (args: FormSubmissionsArgs) => Promise<ListResult<Record<string, unknown>>>;
+    };
+    /**
+     * Media service - direct access to MediaService for advanced operations.
+     *
+     * For most use cases, prefer the `media` namespace above which provides
+     * a simplified CRUD API. Use this for advanced operations like
+     * image processing, storage checks, etc.
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly(config);
+     *
+     * // Check storage type
+     * const storageType = nextly.mediaService.getStorageType();
+     *
+     * // Move media to folder
+     * await nextly.mediaService.moveToFolder('media-id', 'folder-id', context);
+     * ```
+     */
+    mediaService: ServiceMap["mediaService"];
+    /**
+     * Storage manager - manage file storage with collection-specific routing.
+     *
+     * Provides access to storage operations with support for:
+     * - Collection-specific storage backends (S3, Vercel Blob, local)
+     * - Client-side upload URL generation
+     * - Signed download URLs for private files
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly(config);
+     *
+     * // Upload with collection routing
+     * const result = await nextly.storage.upload(buffer, {
+     *   filename: 'photo.jpg',
+     *   mimeType: 'image/jpeg',
+     *   collection: 'media'
+     * });
+     *
+     * // Get client upload URL (bypasses server for large files)
+     * const uploadData = await nextly.storage.getClientUploadUrl(
+     *   'video.mp4',
+     *   'video/mp4',
+     *   'media'
+     * );
+     *
+     * // Get signed URL for private file access
+     * const signedUrl = await nextly.storage.getSignedDownloadUrl(
+     *   'private/doc.pdf',
+     *   'private-docs',
+     *   3600 // expires in 1 hour
+     * );
+     * ```
+     */
+    storage: ServiceMap["mediaStorage"];
+    /**
+     * Database adapter - direct access to the database layer.
+     *
+     * Provides low-level database operations for advanced use cases.
+     * Most applications should use the service APIs instead.
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly(config);
+     *
+     * // Check capabilities
+     * const caps = nextly.adapter.getCapabilities();
+     * console.log('JSONB support:', caps.supportsJsonb);
+     *
+     * // Run raw query (advanced)
+     * const results = await nextly.adapter.select('custom_table', {
+     *   where: { status: 'active' }
+     * });
+     * ```
+     */
+    adapter: DrizzleAdapter;
+    emailProviders: {
+        find: (args?: FindEmailProvidersArgs) => Promise<ListResult<EmailProviderRecord>>;
+        findByID: (args: FindEmailProviderByIDArgs) => Promise<EmailProviderRecord | null>;
+        create: (args: CreateEmailProviderArgs) => Promise<MutationResult<EmailProviderRecord>>;
+        update: (args: UpdateEmailProviderArgs) => Promise<MutationResult<EmailProviderRecord>>;
+        delete: (args: DeleteEmailProviderArgs) => Promise<MutationResult<{
+            id: string;
+        }>>;
+        setDefault: (args: SetDefaultProviderArgs) => Promise<EmailProviderRecord>;
+        test: (args: TestEmailProviderArgs) => Promise<{
+            success: boolean;
+            error?: string;
+        }>;
+    };
+    emailTemplates: {
+        find: (args?: FindEmailTemplatesArgs) => Promise<ListResult<EmailTemplateRecord>>;
+        findByID: (args: FindEmailTemplateByIDArgs) => Promise<EmailTemplateRecord | null>;
+        findBySlug: (args: FindEmailTemplateBySlugArgs) => Promise<EmailTemplateRecord | null>;
+        create: (args: CreateEmailTemplateArgs) => Promise<MutationResult<EmailTemplateRecord>>;
+        update: (args: UpdateEmailTemplateArgs) => Promise<MutationResult<EmailTemplateRecord>>;
+        delete: (args: DeleteEmailTemplateArgs) => Promise<MutationResult<{
+            id: string;
+        }>>;
+        preview: (args: PreviewEmailTemplateArgs) => Promise<{
+            subject: string;
+            html: string;
+        }>;
+        getLayout: (args?: GetEmailLayoutArgs) => Promise<{
+            header: string;
+            footer: string;
+        }>;
+        updateLayout: (args: UpdateEmailLayoutArgs) => Promise<void>;
+    };
+    userFields: {
+        find: (args?: FindUserFieldsArgs) => Promise<ListResult<UserFieldDefinitionRecord>>;
+        findByID: (args: FindUserFieldByIDArgs) => Promise<UserFieldDefinitionRecord | null>;
+        create: (args: CreateUserFieldArgs) => Promise<MutationResult<UserFieldDefinitionRecord>>;
+        update: (args: UpdateUserFieldArgs) => Promise<MutationResult<UserFieldDefinitionRecord>>;
+        delete: (args: DeleteUserFieldArgs) => Promise<MutationResult<{
+            id: string;
+        }>>;
+        reorder: (args: ReorderUserFieldsArgs) => Promise<UserFieldDefinitionRecord[]>;
+    };
+    email: {
+        send: (args: SendEmailArgs) => Promise<SendEmailResult>;
+        sendWithTemplate: (args: SendTemplateEmailArgs) => Promise<SendEmailResult>;
+    };
+    /**
+     * Roles API namespace - CRUD operations for RBAC roles.
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly(config);
+     *
+     * // List roles
+     * const roles = await nextly.roles.find({ limit: 20 });
+     *
+     * // Get role by ID
+     * const role = await nextly.roles.findByID({ id: 'role-123' });
+     *
+     * // Create a role
+     * const editor = await nextly.roles.create({
+     *   data: { name: 'Editor', slug: 'editor', level: 10 },
+     * });
+     *
+     * // Assign permissions to a role
+     * await nextly.roles.setPermissions({
+     *   id: editor.id,
+     *   permissionIds: ['perm-1', 'perm-2'],
+     * });
+     * ```
+     */
+    roles: {
+        find: (args?: FindRolesArgs) => Promise<ListResult<Role>>;
+        findByID: (args: FindRoleByIDArgs) => Promise<Role>;
+        create: (args: CreateRoleArgs) => Promise<MutationResult<Role>>;
+        update: (args: UpdateRoleArgs) => Promise<MutationResult<Role>>;
+        delete: (args: DeleteRoleArgs) => Promise<MutationResult<{
+            id: string;
+        }>>;
+        getPermissions: (args: GetRolePermissionsArgs) => Promise<Permission[]>;
+        setPermissions: (args: SetRolePermissionsArgs) => Promise<Permission[]>;
+    };
+    /**
+     * Permissions API namespace - CRUD operations for RBAC permissions.
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly(config);
+     *
+     * // List all permissions
+     * const perms = await nextly.permissions.find({ resource: 'posts' });
+     *
+     * // Create a permission
+     * const perm = await nextly.permissions.create({
+     *   data: { name: 'Publish Posts', slug: 'publish-posts', action: 'update', resource: 'posts' },
+     * });
+     * ```
+     */
+    permissions: {
+        find: (args?: FindPermissionsArgs) => Promise<ListResult<Permission>>;
+        findByID: (args: FindPermissionByIDArgs) => Promise<Permission | null>;
+        create: (args: CreatePermissionArgs) => Promise<MutationResult<Permission>>;
+        delete: (args: DeletePermissionArgs) => Promise<MutationResult<{
+            id: string;
+        }>>;
+    };
+    /**
+     * Access namespace - programmatic access control evaluation.
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly(config);
+     *
+     * // Check if a user can read posts
+     * const canRead = await nextly.access.check({
+     *   userId: 'user-123',
+     *   resource: 'posts',
+     *   operation: 'read',
+     * });
+     * ```
+     */
+    access: {
+        check: (args: CheckAccessArgs) => Promise<boolean>;
+    };
+    /**
+     * Shutdown the Nextly instance and clean up resources.
+     *
+     * This will:
+     * - Disconnect the database adapter
+     * - Clear the service container
+     * - Reset the cached instance
+     *
+     * After calling this, the next call to `getNextly()` will create
+     * a new instance.
+     *
+     * @example
+     * ```typescript
+     * const nextly = await getNextly(config);
+     *
+     * // When shutting down
+     * await nextly.shutdown();
+     * ```
+     */
+    shutdown: () => Promise<void>;
+}
+
+/**
+ * Nextly Initialization
+ *
+ * This module provides the main entry point for initializing and accessing
+ * Nextly services. `getNextly()` is the primary API, providing a cached
+ * singleton instance.
+ *
+ * The bulky pieces that used to live here have been extracted:
+ *
+ * - The public `Nextly` interface is defined in `./init/nextly-instance.ts`
+ * - `runPostInitTasks()` lives in `./init/post-init-tasks.ts`
+ * - `buildServiceConfig()` and `GetNextlyOptions` live in
+ *   `./init/build-service-config.ts`
+ *
+ * All of those names are re-exported from this module so existing
+ * imports (`import { Nextly } from "nextly"`, etc.) keep working.
+ *
+ * @example
+ * ```typescript
+ * import { getNextly } from 'nextly';
+ *
+ * // In your API route or server component
+ * export async function GET() {
+ *   const nextly = await getNextly({
+ *     storage: myStorageAdapter,
+ *     imageProcessor: myImageProcessor,
+ *   });
+ *
+ *   // Returns ListResult<T> = { items, meta } (Phase 4 canonical shape).
+ *   const posts = await nextly.find({ collection: 'posts' });
+ *   return Response.json(posts);
+ * }
+ * ```
+ */
+
+/**
+ * Get or initialize the Nextly instance.
+ *
+ * Cached: subsequent calls return the same instance. The cache survives
+ * Next.js HMR via `globalThis`.
+ *
+ * happens after validation, so even cached lookups must pass config —
+ * this matches Payload's `getPayload({ config })` contract and keeps
+ * the call site self-documenting. Internal handlers that just need the
+ * cached singleton (post-init) should use `getCachedNextly()` instead.
+ *
+ * @example
+ * ```typescript
+ * // Recommended: use the @nextly-config path alias.
+ * import { getNextly } from 'nextly';
+ * import config from '@nextly-config';
+ *
+ * export async function GET() {
+ *   const nextly = await getNextly({ config });
+ *   // Returns ListResult<T> = { items, meta } (Phase 4 canonical shape).
+ *   const posts = await nextly.find({ collection: 'posts' });
+ *   return Response.json(posts);
+ * }
+ * ```
+ */
+declare function getNextly(options: GetNextlyOptions): Promise<Nextly>;
+/**
+ * Return the already-initialised Nextly instance from the singleton cache.
+ *
+ * Use this inside Nextly's own internal API handlers (anywhere under
+ * `packages/nextly/src/api/*`) where the user-provided config is not in
+ * scope. Throws a clear error if the singleton has not been initialised
+ * yet — the typical fix is to ensure the project ships an
+ * `instrumentation.ts` that calls `createRegister(config)` so init runs
+ * once per worker before the first request.
+ *
+ * Do NOT use this in user code. User code should always call
+ * `getNextly({ config })` directly.
+ */
+declare function getCachedNextly(): Promise<Nextly>;
+/**
+ * Create a Next.js instrumentation `register` function for Nextly.
+ *
+ * This is the recommended way to initialize Nextly via Next.js's
+ * `instrumentation.ts` hook, which runs **once** in each server worker
+ * process before the first request is handled.  Calling `getNextly()`
+ * here warms up the database connection and registers storage/plugins so
+ * that the first page request never pays the cold-start penalty.
+ *
+ * @param config - Pre-loaded Nextly configuration from `nextly.config.ts`.
+ *                 Pass the default export of your config file so storage
+ *                 plugins and collections are registered on startup.
+ * @returns An async `register()` function that satisfies the Next.js
+ *          instrumentation contract.
+ *
+ * @example
+ * ```typescript
+ * // instrumentation.ts  (project root)
+ * import { createRegister } from 'nextly';
+ * import nextlyConfig from './nextly.config';
+ *
+ * export const register = createRegister(nextlyConfig);
+ * ```
+ */
+declare function createRegister(config: SanitizedNextlyConfig): () => Promise<void>;
+/**
+ * Shutdown the Nextly instance and clean up resources.
+ *
+ * This will:
+ * - Disconnect the database adapter
+ * - Clear all service registrations
+ * - Reset the cached Nextly instance
+ *
+ * After calling this, the next call to `getNextly()` will create
+ * a new instance with fresh connections.
+ *
+ * **Use Cases:**
+ * - Application shutdown (SIGTERM/SIGINT handlers)
+ * - Testing (reset between tests)
+ * - Hot reload scenarios
+ *
+ * @example
+ * ```typescript
+ * // Graceful shutdown on process signals
+ * process.on('SIGTERM', async () => {
+ *   await shutdownNextly();
+ *   process.exit(0);
+ * });
+ *
+ * process.on('SIGINT', async () => {
+ *   await shutdownNextly();
+ *   process.exit(0);
+ * });
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // In tests
+ * afterEach(async () => {
+ *   await shutdownNextly();  // Clean up between tests
+ * });
+ *
+ * test('creates a post', async () => {
+ *   const nextly = await getNextly(testConfig);
+ *   const post = await nextly.collections.create('posts', data, context);
+ *   expect(post).toBeDefined();
+ * });
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // Using the instance method
+ * const nextly = await getNextly(config);
+ *
+ * // Later...
+ * await nextly.shutdown();  // Or use shutdownNextly()
+ * ```
+ */
+declare function shutdownNextly(): Promise<void>;
+
+type SchemaApplyErrorCode = "SCHEMA_VERSION_CONFLICT" | "PUSHSCHEMA_FAILED" | "DDL_EXECUTION_FAILED" | "CONFIRMATION_DECLINED" | "CONFIRMATION_REQUIRED_NO_TTY" | "CONNECTION_FAILED" | "UNSUPPORTED_DIALECT_VERSION" | "INTERNAL_ERROR";
+
+interface DesiredSchema {
+    collections: Record<string, DesiredCollection>;
+    singles: Record<string, DesiredSingle>;
+    components: Record<string, DesiredComponent>;
+}
+interface DesiredCollection {
+    slug: string;
+    tableName: string;
+    fields: FieldConfig[];
+    indexes?: IndexConfig[];
+    /**
+     * Whether the collection has Draft/Published status enabled.
+     * When true, the diff input includes a `status` system column so the
+     * pipeline knows to add it on first enable and drop it on disable.
+     */
+    status?: boolean;
+}
+interface DesiredSingle {
+    slug: string;
+    tableName: string;
+    fields: FieldConfig[];
+    indexes?: IndexConfig[];
+    /** Same semantics as DesiredCollection.status. */
+    status?: boolean;
+}
+interface DesiredComponent {
+    slug: string;
+    tableName: string;
+    fields: FieldConfig[];
+    indexes?: IndexConfig[];
+}
+
+interface ApplySummary {
+    added: number;
+    removed: number;
+    renamed: number;
+    changed: number;
+}
+type ApplyResult = {
+    success: true;
+    newSchemaVersions: Record<string, number>;
+    statementsExecuted: number;
+    renamesApplied: number;
+    durationMs: number;
+    summary?: ApplySummary;
+} | {
+    success: false;
+    error: {
+        message: string;
+        code: SchemaApplyErrorCode;
+        details?: unknown;
+    };
+    partiallyApplied?: boolean;
+    durationMs: number;
+};
+type ApplyDesiredSchemaFn = (desired: DesiredSchema, source: "ui" | "code", ctx: {
+    schemaVersions?: Record<string, number>;
+    promptChannel: "browser" | "terminal" | "auto";
+}) => Promise<ApplyResult>;
+
+interface RegistryRecord {
+    slug: string;
+    tableName: string;
+    fields: unknown[];
+    /** Optional — only collections and singles carry this; components ignore it. */
+    status?: boolean;
+}
+interface RegistryReader {
+    getAllCollectionsRecords(): RegistryRecord[] | Promise<RegistryRecord[]>;
+    getAllSinglesRecords(): RegistryRecord[] | Promise<RegistryRecord[]>;
+    getAllComponentsRecords(): RegistryRecord[] | Promise<RegistryRecord[]>;
+}
+interface DesiredSchemaOverrides {
+    collections?: Record<string, DesiredCollection>;
+    singles?: Record<string, DesiredSingle>;
+    components?: Record<string, DesiredComponent>;
+}
+declare function buildDesiredSchemaFromRegistry(registry: RegistryReader, overrides?: DesiredSchemaOverrides): DesiredSchema;
+declare function buildDesiredSchemaFromRegistryAsync(registry: RegistryReader, overrides?: DesiredSchemaOverrides): Promise<DesiredSchema>;
+
+declare const applyDesiredSchema: ApplyDesiredSchemaFn;
+
+/**
+ * Lightweight Dependency Injection Container
+ *
+ * ~50 lines, SWC-compatible (no decorators), zero external dependencies.
+ *
+ * Usage:
+ * ```typescript
+ * import { container } from 'nextly';
+ *
+ * // Register singleton
+ * container.registerSingleton('db', () => createDatabase(config));
+ *
+ * // Register factory (new instance per get)
+ * container.register('requestService', () => new RequestService());
+ *
+ * // Get service
+ * const db = container.get<Database>('db');
+ * ```
+ */
+type Factory<T> = () => T;
+declare class Container {
+    private singletons;
+    private factories;
+    private parent?;
+    constructor(parent?: Container);
+    /**
+     * Register a factory that creates a new instance each time get() is called.
+     */
+    register<T>(name: string, factory: Factory<T>): this;
+    /**
+     * Register a factory that creates a singleton instance (lazily initialized).
+     */
+    registerSingleton<T>(name: string, factory: Factory<T>): this;
+    /**
+     * Get a service by name. Throws if not registered.
+     */
+    get<T>(name: string): T;
+    /**
+     * Check if a service is registered.
+     */
+    has(name: string): boolean;
+    /**
+     * Create a child scope container for request-scoped services.
+     */
+    createScope(): Container;
+    /**
+     * Clear all registrations and singletons (useful for testing).
+     */
+    clear(): void;
+}
+declare const container: Container;
+
+/**
+ * Validation Error Types
+ *
+ * Standardized validation error types for consistent error handling
+ * across the Nextly system. Compatible with Zod error transformation.
+ *
+ * @module validation/types
+ */
+/**
+ * Standard validation error codes.
+ *
+ * These codes provide programmatic error identification and
+ * enable type-safe error handling.
+ *
+ * @example
+ * ```typescript
+ * if (error.code === 'required') {
+ *   // Handle required field error
+ * }
+ * ```
+ */
+type ValidationErrorCode = "required" | "type_error" | "invalid_type" | "min_length" | "max_length" | "too_short" | "too_long" | "pattern" | "min_value" | "max_value" | "too_small" | "too_big" | "not_integer" | "not_finite" | "invalid_email" | "invalid_url" | "invalid_uuid" | "invalid_date" | "invalid_format" | "invalid_option" | "invalid_reference" | "invalid_enum" | "unique" | "duplicate" | "min_items" | "max_items" | "invalid_array" | "invalid_object" | "unknown_key" | "invalid_file_type" | "file_too_large" | "custom";
+/**
+ * All validation error codes as a const array.
+ * Useful for runtime validation and iteration.
+ */
+declare const VALIDATION_ERROR_CODES: readonly ["required", "type_error", "invalid_type", "min_length", "max_length", "too_short", "too_long", "pattern", "min_value", "max_value", "too_small", "too_big", "not_integer", "not_finite", "invalid_email", "invalid_url", "invalid_uuid", "invalid_date", "invalid_format", "invalid_option", "invalid_reference", "invalid_enum", "unique", "duplicate", "min_items", "max_items", "invalid_array", "invalid_object", "unknown_key", "invalid_file_type", "file_too_large", "custom"];
+/**
+ * Individual validation error.
+ *
+ * Represents a single validation failure with its location,
+ * error code, human-readable message, and optionally the
+ * invalid value.
+ *
+ * @example
+ * ```typescript
+ * const error: ValidationError = {
+ *   path: 'user.email',
+ *   code: 'invalid_email',
+ *   message: 'Invalid email format',
+ *   value: 'not-an-email',
+ * };
+ * ```
+ */
+interface ValidationError {
+    /**
+     * Dot-notation path to the invalid field.
+     * For nested fields: "fields.0.options.1.label"
+     * For root fields: "email"
+     */
+    path: string;
+    /**
+     * Human-readable error message.
+     * Should be suitable for display to end users.
+     */
+    message: string;
+    /**
+     * Typed error code for programmatic handling.
+     */
+    code: ValidationErrorCode;
+    /**
+     * The invalid value that caused the error.
+     * Optional - may be omitted for security reasons.
+     */
+    value?: unknown;
+}
+/**
+ * Result of a validation operation.
+ *
+ * @example
+ * ```typescript
+ * function validateUser(data: unknown): ValidationResult {
+ *   const errors: ValidationError[] = [];
+ *
+ *   if (!data.email) {
+ *     errors.push({
+ *       path: 'email',
+ *       code: 'required',
+ *       message: 'Email is required',
+ *     });
+ *   }
+ *
+ *   return {
+ *     valid: errors.length === 0,
+ *     errors,
+ *   };
+ * }
+ * ```
+ */
+interface ValidationResult {
+    /**
+     * Whether the validation passed (no errors).
+     */
+    valid: boolean;
+    /**
+     * Array of validation errors.
+     * Empty array when valid is true.
+     */
+    errors: ValidationError[];
+}
+/**
+ * Standard API response format for validation errors.
+ *
+ * Used for HTTP 400 responses when input validation fails.
+ *
+ * @example
+ * ```typescript
+ * // API Response
+ * {
+ *   "error": {
+ *     "code": "VALIDATION_ERROR",
+ *     "message": "Validation failed",
+ *     "details": [
+ *       {
+ *         "path": "email",
+ *         "code": "invalid_email",
+ *         "message": "Invalid email format"
+ *       }
+ *     ]
+ *   }
+ * }
+ * ```
+ */
+interface ValidationErrorResponse {
+    error: {
+        /**
+         * Always "VALIDATION_ERROR" for validation errors.
+         */
+        code: "VALIDATION_ERROR";
+        /**
+         * Summary message describing the error.
+         */
+        message: string;
+        /**
+         * Array of individual field validation errors.
+         */
+        details: ValidationError[];
+    };
+}
+/**
+ * Check if a string is a valid ValidationErrorCode.
+ *
+ * @param code - The string to check
+ * @returns True if the code is a valid ValidationErrorCode
+ *
+ * @example
+ * ```typescript
+ * if (isValidationErrorCode('required')) {
+ *   // TypeScript knows this is ValidationErrorCode
+ * }
+ * ```
+ */
+declare function isValidationErrorCode(code: string): code is ValidationErrorCode;
+/**
+ * Check if an object is a ValidationError.
+ *
+ * @param obj - The object to check
+ * @returns True if the object is a ValidationError
+ *
+ * @example
+ * ```typescript
+ * if (isValidationError(err)) {
+ *   console.log(err.path, err.message);
+ * }
+ * ```
+ */
+declare function isValidationError(obj: unknown): obj is ValidationError;
+/**
+ * Check if an object is a ValidationResult.
+ *
+ * @param obj - The object to check
+ * @returns True if the object is a ValidationResult
+ */
+declare function isValidationResult(obj: unknown): obj is ValidationResult;
+/**
+ * Create a validation error.
+ *
+ * @param path - Dot-notation path to the field
+ * @param code - Error code
+ * @param message - Human-readable message
+ * @param value - Optional invalid value
+ * @returns ValidationError object
+ *
+ * @example
+ * ```typescript
+ * const error = createValidationError(
+ *   'user.email',
+ *   'invalid_email',
+ *   'Please enter a valid email address'
+ * );
+ * ```
+ */
+declare function createValidationError(path: string, code: ValidationErrorCode, message: string, value?: unknown): ValidationError;
+/**
+ * Create a successful validation result.
+ *
+ * @returns ValidationResult with valid=true and empty errors
+ */
+declare function validResult(): ValidationResult;
+/**
+ * Create a failed validation result.
+ *
+ * @param errors - Array of validation errors
+ * @returns ValidationResult with valid=false and the errors
+ */
+declare function invalidResult(errors: ValidationError[]): ValidationResult;
+/**
+ * Create a validation error response for API.
+ *
+ * @param errors - Array of validation errors
+ * @param message - Optional summary message
+ * @returns ValidationErrorResponse object
+ *
+ * @example
+ * ```typescript
+ * const response = createValidationErrorResponse(errors);
+ * return NextResponse.json(response, { status: 400 });
+ * ```
+ */
+declare function createValidationErrorResponse(errors: ValidationError[], message?: string): ValidationErrorResponse;
+
+/**
+ * Error Formatter Utilities
+ *
+ * Provides utilities for converting Zod validation errors to our
+ * standardized validation error format and merging validation results.
+ *
+ * @module validation/error-formatter
+ *
+ * @example
+ * ```typescript
+ * import { z } from "zod";
+ * import { formatZodError, mergeValidationResults, toApiResponse } from "nextly/validation";
+ *
+ * const schema = z.object({
+ *   email: z.string().email(),
+ *   age: z.number().min(18),
+ * });
+ *
+ * const result = schema.safeParse({ email: "invalid", age: 15 });
+ * if (!result.success) {
+ *   const validationResult = formatZodError(result.error);
+ *   const apiResponse = toApiResponse(validationResult);
+ *   return NextResponse.json(apiResponse, { status: 400 });
+ * }
+ * ```
+ */
+
+/**
+ * Convert a Zod error to our standardized ValidationResult format.
+ *
+ * This function transforms Zod's native error format into our
+ * consistent validation error structure, enabling unified error
+ * handling across the application.
+ *
+ * @param error - The ZodError to convert
+ * @returns ValidationResult with valid=false and mapped errors
+ *
+ * @example
+ * ```typescript
+ * import { z } from "zod";
+ * import { formatZodError } from "nextly/validation";
+ *
+ * const schema = z.object({
+ *   email: z.string().email(),
+ *   age: z.number().min(18),
+ * });
+ *
+ * const result = schema.safeParse({ email: "bad", age: 10 });
+ * if (!result.success) {
+ *   const validationResult = formatZodError(result.error);
+ *   // {
+ *   //   valid: false,
+ *   //   errors: [
+ *   //     { path: "email", code: "invalid_email", message: "Invalid email" },
+ *   //     { path: "age", code: "min_value", message: "Number must be >= 18" }
+ *   //   ]
+ *   // }
+ * }
+ * ```
+ */
+declare function formatZodError(error: z.ZodError): ValidationResult;
+/**
+ * Merge multiple validation results into a single result.
+ *
+ * This is useful when you need to combine validation from
+ * multiple sources (e.g., Zod schema + custom business rules).
+ *
+ * @param results - The validation results to merge
+ * @returns A single ValidationResult containing all errors
+ *
+ * @example
+ * ```typescript
+ * import { formatZodError, mergeValidationResults, invalidResult } from "nextly/validation";
+ *
+ * // Schema validation
+ * const schemaResult = formatZodError(zodError);
+ *
+ * // Custom business rule validation
+ * const businessResult = invalidResult([
+ *   { path: "email", code: "unique", message: "Email already exists" }
+ * ]);
+ *
+ * // Combine all errors
+ * const finalResult = mergeValidationResults(schemaResult, businessResult);
+ * ```
+ */
+declare function mergeValidationResults(...results: ValidationResult[]): ValidationResult;
+/**
+ * Format a validation result for API response.
+ *
+ * Converts a ValidationResult into the standard API error response
+ * format with a fixed message including the error count.
+ *
+ * @param result - The validation result to format
+ * @returns ValidationErrorResponse suitable for API response
+ *
+ * @example
+ * ```typescript
+ * import { formatZodError, toApiResponse } from "nextly/validation";
+ * import { NextResponse } from "next/server";
+ *
+ * const result = schema.safeParse(data);
+ * if (!result.success) {
+ *   const validationResult = formatZodError(result.error);
+ *   const apiResponse = toApiResponse(validationResult);
+ *   return NextResponse.json(apiResponse, { status: 400 });
+ * }
+ *
+ * // Response:
+ * // {
+ * //   "error": {
+ * //     "code": "VALIDATION_ERROR",
+ * //     "message": "Validation failed with 2 error(s)",
+ * //     "details": [...]
+ * //   }
+ * // }
+ * ```
+ */
+declare function toApiResponse(result: ValidationResult): ValidationErrorResponse;
+
+/**
+ * Single Configuration Validator
+ *
+ * Validates a {@link SingleConfig} using the shared base-validator helpers
+ * for slug/field-name/relationship/component rules, plus Single-specific
+ * access control validation (read/update only, no create/delete).
+ *
+ * Duplicated validation logic was moved to `src/shared/base-validator.ts`
+ *
+ * @module singles/config/validate-single
+ * @since 1.0.0
+ *
+ * @example
+ * ```typescript
+ * import { validateSingleConfig } from 'nextly';
+ *
+ * const result = validateSingleConfig(config);
+ * if (!result.valid) {
+ *   console.error('Validation errors:', result.errors);
+ * }
+ * ```
+ */
+
+/**
+ * Error codes for Single validation failures.
+ * Shares most codes with Collection/Component validators.
+ */
+type SingleValidationErrorCode = "SLUG_REQUIRED" | "SLUG_INVALID_TYPE" | "SLUG_TOO_SHORT" | "SLUG_TOO_LONG" | "SLUG_INVALID_FORMAT" | "SLUG_RESERVED" | "SLUG_SQL_KEYWORD" | "FIELDS_REQUIRED" | "FIELDS_INVALID_TYPE" | "FIELDS_EMPTY" | "FIELD_NAME_REQUIRED" | "FIELD_NAME_INVALID_FORMAT" | "FIELD_NAME_SQL_KEYWORD" | "FIELD_NAME_DUPLICATE" | "FIELD_TYPE_REQUIRED" | "FIELD_TYPE_INVALID" | "SELECT_OPTIONS_REQUIRED" | "SELECT_OPTIONS_EMPTY" | "RADIO_OPTIONS_REQUIRED" | "RADIO_OPTIONS_EMPTY" | "RELATIONSHIP_TARGET_REQUIRED" | "RELATIONSHIP_TARGET_INVALID" | "ARRAY_FIELDS_REQUIRED" | "GROUP_FIELDS_REQUIRED" | "BLOCKS_REQUIRED" | "BLOCKS_EMPTY" | "BLOCK_SLUG_REQUIRED" | "BLOCK_FIELDS_REQUIRED" | "COMPONENT_REF_REQUIRED" | "COMPONENT_REF_CONFLICT" | "COMPONENT_REF_INVALID" | "COMPONENT_REF_EMPTY" | "ACCESS_INVALID_TYPE" | "ACCESS_FUNCTION_INVALID";
+/**
+ * A single validation error with path and context.
+ */
+interface SingleValidationError {
+    /**
+     * Dot-notation path to the invalid property.
+     * @example 'slug', 'fields.0.name', 'fields.seo.items.title'
+     */
+    path: string;
+    /** Human-readable error message. */
+    message: string;
+    /** Machine-readable error code for programmatic handling. */
+    code: SingleValidationErrorCode;
+}
+/**
+ * Result of Single config validation.
+ */
+interface SingleValidationResult {
+    /** Whether the configuration is valid. */
+    valid: boolean;
+    /** Array of validation errors (empty if valid). */
+    errors: SingleValidationError[];
+}
+/**
+ * Reserved Single slugs that cannot be used.
+ *
+ * Extends the base RESERVED_SLUGS with Single-specific reserved names.
+ */
+declare const RESERVED_SINGLE_SLUGS: readonly ["api", "graphql", "rest", "admin", "dashboard", "auth", "login", "logout", "register", "signup", "signin", "signout", "forgot-password", "reset-password", "verify", "verify-email", "static", "public", "assets", "_next", "health", "status", "metrics", "users", "roles", "permissions", "sessions", "tokens", "media", "uploads", "files"];
+/**
+ * Validates a complete Single configuration.
+ *
+ * Performs comprehensive validation including slug format/reserved names,
+ * SQL keyword blocking, recursive field validation, select options,
+ * relationship targets, component references, duplicate detection, and
+ * Single-specific access control (read/update only).
+ *
+ * @example
+ * ```typescript
+ * import { validateSingleConfig } from 'nextly';
+ *
+ * const result = validateSingleConfig(config);
+ * if (!result.valid) {
+ *   result.errors.forEach(err => {
+ *     console.error(`[${err.code}] ${err.path}: ${err.message}`);
+ *   });
+ * }
+ * ```
+ */
+declare function validateSingleConfig(config: SingleConfig): SingleValidationResult;
+/**
+ * Throws an error if the Single configuration is invalid.
+ *
+ * Convenience wrapper around {@link validateSingleConfig}.
+ */
+declare function assertValidSingleConfig(config: SingleConfig): void;
+
+/**
+ * Component Configuration Validator
+ *
+ * Validates a {@link ComponentConfig} using shared base-validator helpers
+ * for slug/field-name/relationship/component rules. Components do not have
+ * domain-specific access rules or index validation; cross-component
+ * checks (circular references, nesting depth) run at `defineConfig()` time
+ * when all component definitions are available.
+ *
+ * Duplicated validation logic was moved to `src/shared/base-validator.ts`
+ * This file now orchestrates those helpers and keeps
+ * only Component-specific error types and reserved slug constants.
+ *
+ * @module components/config/validate-component
+ * @since 1.0.0
+ *
+ * @example
+ * ```typescript
+ * import { validateComponentConfig } from 'nextly';
+ *
+ * const result = validateComponentConfig(config);
+ * if (!result.valid) {
+ *   console.error('Validation errors:', result.errors);
+ * }
+ * ```
+ */
+
+/**
+ * Maximum nesting depth for component-within-component references.
+ *
+ * A depth of 3 means:
+ * - Level 1: Component A used in a Collection/Single
+ * - Level 2: Component B nested inside Component A
+ * - Level 3: Component C nested inside Component B
+ *
+ * Enforced at `defineConfig()` time when all component definitions are available.
+ */
+declare const MAX_COMPONENT_NESTING_DEPTH = 3;
+/**
+ * Error codes for Component validation failures.
+ */
+type ComponentValidationErrorCode = "SLUG_REQUIRED" | "SLUG_INVALID_TYPE" | "SLUG_TOO_SHORT" | "SLUG_TOO_LONG" | "SLUG_INVALID_FORMAT" | "SLUG_RESERVED" | "SLUG_SQL_KEYWORD" | "FIELDS_REQUIRED" | "FIELDS_INVALID_TYPE" | "FIELDS_EMPTY" | "FIELD_NAME_REQUIRED" | "FIELD_NAME_INVALID_FORMAT" | "FIELD_NAME_SQL_KEYWORD" | "FIELD_NAME_DUPLICATE" | "FIELD_TYPE_REQUIRED" | "FIELD_TYPE_INVALID" | "SELECT_OPTIONS_REQUIRED" | "SELECT_OPTIONS_EMPTY" | "RADIO_OPTIONS_REQUIRED" | "RADIO_OPTIONS_EMPTY" | "RELATIONSHIP_TARGET_REQUIRED" | "RELATIONSHIP_TARGET_INVALID" | "ARRAY_FIELDS_REQUIRED" | "GROUP_FIELDS_REQUIRED" | "COMPONENT_REF_REQUIRED" | "COMPONENT_REF_CONFLICT" | "COMPONENT_REF_INVALID" | "COMPONENT_REF_EMPTY";
+/**
+ * A single validation error with path and context.
+ */
+interface ComponentValidationError {
+    /**
+     * Dot-notation path to the invalid property.
+     * @example 'slug', 'fields.0.name', 'fields.seo.component'
+     */
+    path: string;
+    /** Human-readable error message. */
+    message: string;
+    /** Machine-readable error code for programmatic handling. */
+    code: ComponentValidationErrorCode;
+}
+/**
+ * Result of Component config validation.
+ */
+interface ComponentValidationResult {
+    /** Whether the configuration is valid. */
+    valid: boolean;
+    /** Array of validation errors (empty if valid). */
+    errors: ComponentValidationError[];
+}
+/**
+ * Reserved Component slugs that cannot be used.
+ *
+ * Extends the base RESERVED_SLUGS with Component-specific reserved names.
+ */
+declare const RESERVED_COMPONENT_SLUGS: readonly ["api", "graphql", "rest", "admin", "dashboard", "auth", "login", "logout", "register", "signup", "signin", "signout", "forgot-password", "reset-password", "verify", "verify-email", "static", "public", "assets", "_next", "health", "status", "metrics", "users", "roles", "permissions", "sessions", "tokens", "media", "uploads", "files", "components", "component"];
+/**
+ * Validates a complete Component configuration.
+ *
+ * Performs comprehensive validation including slug format/reserved names,
+ * SQL keyword blocking, recursive field validation, select options,
+ * relationship targets, and component references.
+ *
+ * **Note:** Cross-component validation (circular references, nesting
+ * depth, slug conflicts with Collections/Singles) is performed in
+ * `defineConfig()`.
+ *
+ * @example
+ * ```typescript
+ * import { validateComponentConfig } from 'nextly';
+ *
+ * const result = validateComponentConfig(config);
+ * if (!result.valid) {
+ *   result.errors.forEach(err => {
+ *     console.error(`[${err.code}] ${err.path}: ${err.message}`);
+ *   });
+ * }
+ * ```
+ */
+declare function validateComponentConfig(config: ComponentConfig): ComponentValidationResult;
+/**
+ * Throws an error if the Component configuration is invalid.
+ *
+ * Convenience wrapper around {@link validateComponentConfig}.
+ */
+declare function assertValidComponentConfig(config: ComponentConfig): void;
+
+/**
+ * User Configuration Validator
+ *
+ * Validates UserConfig objects including:
+ * - Field type restrictions (only scalar types allowed)
+ * - Field name format and uniqueness
+ * - Reserved field name checking (built-in user columns)
+ * - SQL keyword blocking
+ * - Select/radio option validation
+ * - Admin option validation (listFields references)
+ *
+ * @module users/config/validate-user-config
+ * @since 1.0.0
+ *
+ * @example
+ * ```typescript
+ * import { validateUserConfig } from '@nextly/core';
+ *
+ * const result = validateUserConfig({
+ *   fields: [
+ *     { type: 'text', name: 'company', label: 'Company' },
+ *   ],
+ * });
+ *
+ * if (!result.valid) {
+ *   console.error('Validation errors:', result.errors);
+ * }
+ * ```
+ */
+
+/**
+ * Error codes for user config validation failures.
+ */
+type UserValidationErrorCode = "USER_FIELD_TYPE_NOT_ALLOWED" | "USER_FIELD_TYPE_REQUIRED" | "USER_FIELD_NAME_REQUIRED" | "USER_FIELD_NAME_INVALID_FORMAT" | "USER_FIELD_NAME_SQL_KEYWORD" | "USER_FIELD_NAME_DUPLICATE" | "USER_FIELD_NAME_RESERVED" | "USER_SELECT_OPTIONS_REQUIRED" | "USER_SELECT_OPTIONS_EMPTY" | "USER_RADIO_OPTIONS_REQUIRED" | "USER_RADIO_OPTIONS_EMPTY" | "USER_FIELDS_INVALID_TYPE" | "USER_ADMIN_INVALID_TYPE" | "USER_ADMIN_LIST_FIELD_UNKNOWN" | "USER_ADMIN_GROUP_INVALID_TYPE";
+/**
+ * A single user config validation error with path and context.
+ */
+interface UserValidationError {
+    /** Dot-notation path to the invalid property. */
+    path: string;
+    /** Human-readable error message. */
+    message: string;
+    /** Machine-readable error code for programmatic handling. */
+    code: UserValidationErrorCode;
+}
+/**
+ * Result of user config validation.
+ */
+interface UserValidationResult {
+    /** Whether the configuration is valid. */
+    valid: boolean;
+    /** Array of validation errors (empty if valid). */
+    errors: UserValidationError[];
+}
+/**
+ * Built-in user field names that cannot be used as custom field names.
+ * These correspond to columns in the core `users` table.
+ */
+declare const RESERVED_USER_FIELD_NAMES: readonly ["id", "name", "email", "emailVerified", "passwordHash", "passwordUpdatedAt", "image", "isActive", "createdAt", "updatedAt", "roles", "accounts", "password"];
+/**
+ * Allowed field types for user custom fields.
+ * Limited to scalar types — complex types (relationship, array, group, etc.)
+ * are not supported in user extension fields.
+ */
+declare const ALLOWED_USER_FIELD_TYPES: readonly ["text", "textarea", "number", "email", "select", "radio", "checkbox", "date"];
+/**
+ * Validates a complete user configuration.
+ *
+ * Performs comprehensive validation including:
+ * - Field type restrictions (only scalar types allowed)
+ * - Field name format, uniqueness, and reserved name checking
+ * - SQL keyword blocking for field names
+ * - Select/radio option validation
+ * - Admin listFields reference validation
+ *
+ * @param config - The user configuration to validate
+ * @returns Validation result with any errors found
+ *
+ * @example
+ * ```typescript
+ * import { validateUserConfig } from '@nextly/core';
+ *
+ * const result = validateUserConfig({
+ *   fields: [
+ *     { type: 'text', name: 'company', label: 'Company' },
+ *     { type: 'select', name: 'department', label: 'Department', options: [...] },
+ *   ],
+ *   admin: {
+ *     listFields: ['company', 'department'],
+ *   },
+ * });
+ *
+ * if (!result.valid) {
+ *   result.errors.forEach(err => {
+ *     console.error(`[${err.code}] ${err.path}: ${err.message}`);
+ *   });
+ * }
+ * ```
+ */
+declare function validateUserConfig(config: UserConfig): UserValidationResult;
+/**
+ * Throws an error if the user configuration is invalid.
+ *
+ * Convenience wrapper around `validateUserConfig` that throws a
+ * descriptive error instead of returning a result object.
+ *
+ * @param config - The user configuration to validate
+ * @throws Error if validation fails with all error messages
+ *
+ * @example
+ * ```typescript
+ * import { assertValidUserConfig } from '@nextly/core';
+ *
+ * // Throws if invalid
+ * assertValidUserConfig({
+ *   fields: [
+ *     { type: 'relationship', name: 'manager' }, // throws — type not allowed
+ *   ],
+ * });
+ * ```
+ */
+declare function assertValidUserConfig(config: UserConfig): void;
+
+/**
+ * Trusted client-IP resolution for Web `Request` objects.
+ *
+ * The previous `getClientIp` helpers parsed
+ * `X-Forwarded-For` unconditionally and returned the *leftmost* hop —
+ * which a direct attacker can forge to defeat per-IP rate limits,
+ * brute-force lockouts, and refresh-token IP binding.
+ *
+ * This helper applies the standard "rightmost-untrusted-hop" algorithm:
+ *
+ *   - When `trustProxy` is `false` (default), proxy headers are
+ *     ignored entirely. Returns `null` because Web `Request` does not
+ *     expose the immediate-peer IP.
+ *
+ *   - When `trustProxy` is `true`, walk `X-Forwarded-For` from the
+ *     rightmost hop, skipping any value that matches `trustedProxyIps`
+ *     (CIDR list). Return the first hop that is not in the trust list
+ *     — that is the closest *untrusted* IP in the chain, i.e. the real
+ *     client (or the closest claim of one).
+ *
+ *     If no `X-Forwarded-For` is present, fall back to `cf-connecting-ip`
+ *     (Cloudflare) and `x-real-ip` (Nginx convention).
+ *
+ *     If every hop in the chain is in the trust list, return `null`
+ *     rather than picking a trusted proxy as "the client".
+ *
+ * Implementation note: this module deliberately avoids `node:net` so
+ * downstream packages that bundle for the browser (e.g. `@nextlyhq/admin`)
+ * don't fail at build time. IP-family classification is done with
+ * regex.
+ *
+ * @module utils/get-trusted-client-ip
+ */
+interface TrustedClientIpOptions {
+    /**
+     * When false (default), proxy headers are ignored. When true,
+     * `X-Forwarded-For` / `cf-connecting-ip` / `x-real-ip` are honored
+     * subject to `trustedProxyIps`.
+     */
+    trustProxy: boolean;
+    /**
+     * CIDR list of proxy IPs that the application sits behind. Hops in
+     * the `X-Forwarded-For` chain matching one of these CIDRs are
+     * stripped during resolution; the first non-matching hop (walking
+     * right-to-left) is returned as the client IP.
+     *
+     * IPv4 CIDR (`10.0.0.0/8`) and bare IPv4 addresses (`127.0.0.1`,
+     * treated as `/32`) are fully supported. IPv6 entries are matched
+     * exactly (no prefix masking) — sufficient for the common case
+     * where proxy fleets advertise a small known IPv6 set.
+     */
+    trustedProxyIps?: readonly string[];
+}
+/**
+ * Resolve the client IP for a Web `Request`, applying the trust-proxy
+ * gate described above. Returns `null` when no trusted IP can be
+ * identified — callers should treat that as "unknown" rather than
+ * picking a fallback like `127.0.0.1` (which would collapse all
+ * unknown clients into one rate-limit bucket).
+ */
+declare function getTrustedClientIp(request: Request, options: TrustedClientIpOptions): string | null;
+/**
+ * Parse `TRUSTED_PROXY_IPS` env-var format: comma-separated CIDR list
+ * with optional whitespace. Empty / unset → empty array.
+ */
+declare function parseTrustedProxyIpsEnv(raw: string | undefined): string[];
+
+/**
+ * SSRF-safe external URL validation + fetch.
+ *
+ * Closes the SSRF gap left by the previous webhook URL validator
+ * (protocol-only) and the email-attachment fetcher (no validation).
+ * Either let an attacker who controls a `url` field probe internal
+ * services or exfiltrate cloud-metadata IAM credentials
+ * (`http://169.254.169.254/...`).
+ *
+ * `validateExternalUrl(url, opts)`:
+ *   1. Parse URL; reject non-allowed protocols.
+ *   2. Reject hard-coded cloud-metadata hostnames before DNS.
+ *   3. DNS-resolve the hostname (`all: true`). Reject if ANY returned
+ *      IP is private/loopback/link-local/CGNAT/multicast/cloud-metadata.
+ *      A single bad IP poisons the lookup — attacker-controlled DNS
+ *      could rotate which IP is returned per call.
+ *   4. Return the validated URL + first resolved IP (the caller can use
+ *      it as a hint; full DNS-rebinding defense via dispatcher pinning
+ *      is documented as a follow-up).
+ *
+ * `safeFetch(url, init?, opts?)`:
+ *   Validate → fetch. Convenience wrapper for the common case.
+ *
+ * Implementation note: this module avoids module-level Node imports
+ * so downstream packages that bundle for the browser
+ * (e.g. `@nextlyhq/admin`) don't fail at build time. `node:dns/promises`
+ * is loaded lazily inside the validation function.
+ *
+ * Known gap: full DNS-rebinding defense requires pinning the resolved
+ * IP on the actual fetch dispatcher (undici Agent + custom connect).
+ * Not implemented in v1 — the validation itself closes the primary
+ * attack surface (URL pointing directly at private IP). Tracked for
+ * follow-up.
+ *
+ * @module utils/validate-external-url
+ */
+interface ValidateExternalUrlOptions {
+    /**
+     * When true, allow `localhost` / `127.0.0.1` / `::1` and HTTP
+     * protocol (for tests, dev playgrounds). Default false.
+     */
+    allowLocalhost?: boolean;
+    /**
+     * Allowed URL protocols. Defaults to `["https:"]` — webhooks, email
+     * attachments, and similar should never speak plain HTTP.
+     */
+    allowedProtocols?: readonly string[];
+}
+interface ValidatedUrl {
+    /** The parsed URL (validated). */
+    url: URL;
+    /** The first IP returned by DNS — usable as an IP-pin hint. */
+    pinnedIp: string;
+    /** IP family of `pinnedIp`: 4 or 6. */
+    family: 4 | 6;
+}
+declare class ExternalUrlError extends Error {
+    readonly url: string;
+    constructor(message: string, url: string);
+}
+/** Validate a URL for outbound fetch. Throws `ExternalUrlError` on rejection. */
+declare function validateExternalUrl(rawUrl: string, options?: ValidateExternalUrlOptions): Promise<ValidatedUrl>;
+interface SafeFetchOptions extends ValidateExternalUrlOptions, Omit<RequestInit, never> {
+}
+/**
+ * Validate `rawUrl` then `fetch()` it. Convenience wrapper for the
+ * common case (webhook delivery, email attachment fetch).
+ *
+ * NOTE: this does NOT pin the resolved IP on the actual connection.
+ * If full DNS-rebinding defense is required, the caller should
+ * implement a dispatcher with a custom `connect` that forces the
+ * `pinnedIp` returned by `validateExternalUrl()`.
+ */
+declare function safeFetch(rawUrl: string, options?: SafeFetchOptions): Promise<Response>;
+
+/**
+ * Media variant helpers
+ *
+ * Public-facing utility for picking a sized image variant URL from a Media
+ * record. Consumers (admin UI, public Next.js apps reading the API) call
+ * `getMediaVariant(media, "card")` instead of cracking open the
+ * `media.sizes` JSON themselves.
+ *
+ * Selection rules (in order):
+ *   1. If `media.sizes[name]` exists, return its URL.
+ *   2. If `media.sizes[fallbackName]` exists, return its URL (when caller
+ *      passes one).
+ *   3. If the asset isn't an image OR no sizes are present, fall back to
+ *      `media.url` (the original).
+ *
+ * The shape of `media` here is intentionally narrow so the helper works
+ * for both the full Media row and any subset that callers pass through
+ * the API.
+ */
+interface MediaLike {
+    url: string;
+    thumbnailUrl?: string | null;
+    mimeType?: string | null;
+    sizes?: Record<string, {
+        url: string;
+        width?: number;
+        height?: number;
+        filesize?: number;
+    }> | null;
+}
+interface GetMediaVariantOptions {
+    /**
+     * If the requested `name` isn't present, try this name next. Useful for
+     * progressive fallback: `getMediaVariant(m, "card", { fallback: "thumbnail" })`.
+     */
+    fallback?: string;
+    /**
+     * If true (default), fall through to `media.thumbnailUrl` when neither the
+     * requested variant nor the fallback variant exists. Set false to skip
+     * straight to `media.url`.
+     */
+    preferThumbnail?: boolean;
+}
+/**
+ * Return the URL for a named image-size variant, or fall back to the
+ * thumbnail / original URL.
+ *
+ * Returns `undefined` only when `media` is null/undefined. Otherwise always
+ * returns a string URL.
+ */
+declare function getMediaVariant(media: MediaLike | null | undefined, name: string, options?: GetMediaVariantOptions): string | undefined;
+/**
+ * Convenience: pick the smallest available variant URL. Useful for grid
+ * thumbnails where bandwidth matters more than which exact name is used.
+ *
+ * Walks the variants by `width * height` and returns the smallest. Falls
+ * back to `thumbnailUrl` then `url`.
+ */
+declare function getSmallestMediaVariant(media: MediaLike | null | undefined): string | undefined;
+
+export { ALLOWED_USER_FIELD_TYPES, ApiKeyTokenTypeSchema, AssignPermissionToRoleSchema, AssignRoleToUserSchema, AuthResult, BulkDeleteArgs, BulkDeleteMediaArgs, BulkOperationResponseSchema, BulkOperationSchema, ChangePasswordArgs, CheckAccessArgs, CheckUserPermissionSchema, CodeFieldValue, CollectionConfig, CollectionSlug, CollectionsHandler, ComponentConfig, Container, CountArgs, CountResult, CreateApiKeySchema, CreateArgs, CreateEmailProviderArgs, CreateEmailTemplateArgs, CreateFolderArgs, CreateLocalUserSchema, CreatePermissionArgs, CreatePermissionSchema, CreateRoleArgs, CreateRoleInheritanceSchema, CreateRoleSchema, CreateUserArgs, CreateUserFieldArgs, CreateUserWithPasswordSchema, DataFromCollectionSlug, DataFromSingleSlug, DateRangeSchema, DeleteArgs, DeleteEmailProviderArgs, DeleteEmailTemplateArgs, DeleteMediaArgs, DeletePermissionArgs, DeletePermissionSchema, DeleteResult, DeleteRoleArgs, DeleteRoleInheritanceSchema, DeleteRoleSchema, DeleteUserAccountSchema, DeleteUserArgs, DeleteUserFieldArgs, DeleteUserResponseSchema, DeleteUserSchema, BulkOperationResult as DirectAPIBulkOperationResult, DuplicateArgs, EmailProviderRecord, EmailSchema, EmailTemplateRecord, ErrorResponseSchema, ExpiresInSchema, ExternalUrlError, FieldConfig, FileUploadSchema, FindArgs, FindByIDArgs, FindEmailProviderByIDArgs, FindEmailProvidersArgs, FindEmailTemplateByIDArgs, FindEmailTemplateBySlugArgs, FindEmailTemplatesArgs, FindFormBySlugArgs, FindFormsArgs, FindMediaArgs, FindMediaByIDArgs, FindPermissionByIDArgs, FindPermissionsArgs, FindRoleByIDArgs, FindRolesArgs, FindSingleArgs, FindUserByIDArgs, FindUserFieldByIDArgs, FindUserFieldsArgs, FindUsersArgs, ForgotPasswordArgs, FormSubmissionsArgs, GetEmailLayoutArgs, GetPermissionByIdSchema, GetRoleByIdSchema, GetRolePermissionsArgs, GetRolePermissionsSchema, GetUserByIdSchema, GetUserPermissionsSchema, GetUserRolesSchema, HookHandler, HookRegistry, HookType, IdSchema, ImageUploadSchema, ListFoldersArgs, ListResult, ListUsersSchema, Logger, LoginArgs, MAX_COMPONENT_NESTING_DEPTH, MediaFile, MediaFolder, MigrationRecordStatus, MinimalUserSchema, MutationResult, NextlyServiceConfig as NextlyConfig, NextlyError, NextlyServiceConfig, PaginatedResponseSchema, PaginationSchema, PasswordSchema, Permission, PermissionActionSchema, PermissionCheckResponseSchema, PermissionListResponseSchema, PermissionResourceSchema, PermissionSchema, PhoneSchema, PreviewEmailTemplateArgs, RESERVED_COMPONENT_SLUGS, RESERVED_SINGLE_SLUGS, RESERVED_SLUGS, RESERVED_USER_FIELD_NAMES, RegisterArgs, RemovePermissionFromRoleSchema, RemoveRoleFromUserSchema, ReorderUserFieldsArgs, ResetPasswordArgs, Role, RoleInheritanceSchema, RoleListResponseSchema, RolePermissionListResponseSchema, RolePermissionSchema, RoleSchema, SQL_RESERVED_KEYWORDS, SYSTEM_RESOURCES, SanitizedNextlyConfig, SearchSchema, SendEmailArgs, SendEmailResult, SendTemplateEmailArgs, ServiceContainer, ServiceDispatcher, ServiceMap, SetDefaultProviderArgs, SetRolePermissionsArgs, SingleConfig, SingleSlug, SortOrderSchema, SortSchema, SubmitFormArgs, SubmitFormResult, SuccessResponseSchema, TestEmailProviderArgs, UnlinkAccountResponseSchema, UnlinkAccountSchema, UpdateApiKeySchema, UpdateArgs, UpdateEmailLayoutArgs, UpdateEmailProviderArgs, UpdateEmailTemplateArgs, UpdateMediaArgs, UpdatePasswordSchema, UpdatePermissionSchema, UpdateRoleArgs, UpdateRoleSchema, UpdateSingleArgs, UpdateUserArgs, UpdateUserFieldArgs, UpdateUserSchema, UploadMediaArgs, UrlSchema, User, UserAccountSchema, UserConfig, UserContext, UserFieldDefinitionRecord, UserIdSchema, UserListResponseSchema, UserResponseSchema, UserRoleListResponseSchema, UserRoleSchema, VALIDATION_ERROR_CODES, ValidationErrorSchema, VerifyEmailArgs, applyDesiredSchema, assertValidCollectionConfig, assertValidComponentConfig, assertValidSingleConfig, assertValidUserConfig, buildDesiredSchemaFromRegistry, buildDesiredSchemaFromRegistryAsync, clearAllHooks, clearCollectionHooks, codeValidators, container, createRegister, createSQLValidator, createValidationError, createValidationErrorResponse, formatZodError, getCachedNextly, getHookCount, getMediaVariant, getNextly, getSmallestMediaVariant, getTrustedClientIp, hasHooks, invalidResult, isSystemResource, isValidResource, isValidationError, isValidationErrorCode, isValidationResult, mergeValidationResults, nextlyMigrationsMysql, nextlyMigrationsPg, nextlyMigrationsSqlite, parseTrustedProxyIpsEnv, registerCollectionHooks, registerHook, reregisterCollectionHooks, safeFetch, shutdownNextly, toApiResponse, unregisterHook, validResult, validateCSS, validateCollectionConfig, validateComponentConfig, validateExternalUrl, validateJSON, validateJavaScript, validateSingleConfig, validateUserConfig, validateXML };
+export type { ApiKeyTokenTypeEnum, ApplyResult, AssignPermissionToRole, AssignRoleToUser, BulkOperation, BulkOperationResponse, CheckUserPermission, CodeValidationResult, CodeValidator, ValidationError$1 as CollectionValidationError, ValidationErrorCode$1 as CollectionValidationErrorCode, ValidationResult$1 as CollectionValidationResult, ComponentValidationError, ComponentValidationErrorCode, ComponentValidationResult, CreateApiKey, CreateLocalUser, CreatePermission, CreateRole, CreateRoleInheritance, CreateUserWithPassword, DateRange, DeletePermission, DeleteRole, DeleteRoleInheritance, DeleteUser, DeleteUserAccount, DeleteUserResponse, DesiredCollection, DesiredComponent, DesiredSchema, DesiredSchemaOverrides, DesiredSingle, DispatchRequest, DispatchResult, ErrorResponse, ExpiresInEnum, Factory, FileUpload, GeneratedSingleTypeInterface, GeneratedTypeInterface, GeneratedTypesFile, GetMediaVariantOptions, GetNextlyOptions, GetPermissionById, GetRoleById, GetRolePermissions, GetUserById, GetUserPermissions, GetUserRoles, ImageUpload, LegacyValidationError, ListUsers, MediaLike, Nextly, NextlyMigrationInsertMysql, NextlyMigrationInsertPg, NextlyMigrationInsertSqlite, NextlyMigrationMysql, NextlyMigrationPg, NextlyMigrationSqlite, OperationType, Pagination, PermissionAction, PermissionCheckResponse, PermissionListResponse, PermissionResource, RegisterCollectionHooksResult, RemovePermissionFromRole, RemoveRoleFromUser, RoleInheritance, RoleListResponse, RolePermission, RolePermissionListResponse, SQLValidatorOptions, SafeFetchOptions, SchemaApplyErrorCode, Search, ServiceType, SingleValidationError, SingleValidationErrorCode, SingleValidationResult, Sort, SortOrder, SuccessResponse, SystemResource, TrustedClientIpOptions, TypeGeneratorOptions, UnlinkAccount, UnlinkAccountResponse, UpdateApiKey, UpdatePassword, UpdatePermission, UpdateRole, UpdateUser, UserAccount, UserListResponse, UserResponse, UserRole, UserRoleListResponse, ValidateExternalUrlOptions, ValidatedUrl, ValidationError, ValidationErrorCode, ValidationErrorResponse, ValidationResult };