opacacms 0.1.7 → 0.1.8

package/dist/runtimes/cloudflare-workers.js

@@ -1,22 +1,1923 @@
-import {
-  createAPIRouter
-} from "../chunk-yr32cp7h.js";
-import"../chunk-62ev8gnc.js";
-import"../chunk-cvdd4eqh.js";
-import"../chunk-ybbbqj63.js";
-import"../chunk-8sqjbsgt.js";
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+function __accessProp(key) {
+  return this[key];
+}
+var __toCommonJS = (from) => {
+  var entry = (__moduleCache ??= new WeakMap).get(from), desc;
+  if (entry)
+    return entry;
+  entry = __defProp({}, "__esModule", { value: true });
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (var key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(entry, key))
+        __defProp(entry, key, {
+          get: __accessProp.bind(from, key),
+          enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+        });
+  }
+  __moduleCache.set(from, entry);
+  return entry;
+};
+var __moduleCache;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+
+// src/db/system-schema.ts
+var exports_system_schema = {};
+__export(exports_system_schema, {
+  getSystemCollections: () => getSystemCollections
+});
+var getSystemCollections = () => [
+  {
+    slug: "_opaca_assets",
+    label: "Assets",
+    apiPath: "assets",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "key", type: "text", required: true },
+      { name: "filename", type: "text", required: true },
+      { name: "originalFilename", type: "text", required: true },
+      { name: "mimeType", type: "text", required: true },
+      { name: "filesize", type: "number", required: true },
+      { name: "bucket", type: "text", required: true },
+      { name: "folder", type: "text" },
+      { name: "altText", type: "text" },
+      { name: "caption", type: "text" },
+      { name: "uploadedBy", type: "text" }
+    ],
+    timestamps: true
+  },
+  {
+    slug: "_users",
+    apiPath: "users",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "name", type: "text", required: true },
+      { name: "email", type: "text", required: true, unique: true },
+      { name: "emailVerified", type: "boolean", required: true, defaultValue: false },
+      { name: "image", type: "text" },
+      { name: "role", type: "text" },
+      { name: "banned", type: "boolean" },
+      { name: "banReason", type: "text" },
+      { name: "banExpires", type: "date" }
+    ],
+    timestamps: true
+  },
+  {
+    slug: "_sessions",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "expiresAt", type: "date", required: true },
+      { name: "token", type: "text", required: true, unique: true },
+      { name: "ipAddress", type: "text" },
+      { name: "userAgent", type: "text" },
+      {
+        name: "userId",
+        type: "text",
+        required: true,
+        references: { table: "_users", column: "id", onDelete: "cascade" }
+      },
+      { name: "impersonatedBy", type: "text" }
+    ],
+    timestamps: true,
+    hidden: true
+  },
+  {
+    slug: "_accounts",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "accountId", type: "text", required: true },
+      { name: "providerId", type: "text", required: true },
+      {
+        name: "userId",
+        type: "text",
+        required: true,
+        references: { table: "_users", column: "id", onDelete: "cascade" }
+      },
+      { name: "accessToken", type: "text" },
+      { name: "refreshToken", type: "text" },
+      { name: "idToken", type: "text" },
+      { name: "accessTokenExpiresAt", type: "date" },
+      { name: "refreshTokenExpiresAt", type: "date" },
+      { name: "scope", type: "text" },
+      { name: "password", type: "text" }
+    ],
+    timestamps: true,
+    hidden: true
+  },
+  {
+    slug: "_verifications",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "identifier", type: "text", required: true },
+      { name: "value", type: "text", required: true },
+      { name: "expiresAt", type: "date", required: true }
+    ],
+    timestamps: true,
+    hidden: true
+  },
+  {
+    slug: "_api_keys",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "configId", type: "text", required: true },
+      { name: "name", type: "text" },
+      { name: "start", type: "text" },
+      { name: "prefix", type: "text" },
+      { name: "key", type: "text", required: true },
+      { name: "referenceId", type: "text", required: true },
+      { name: "refillInterval", type: "number" },
+      { name: "refillAmount", type: "number" },
+      { name: "lastRefillAt", type: "date" },
+      { name: "enabled", type: "boolean", required: true },
+      { name: "rateLimitEnabled", type: "boolean", required: true },
+      { name: "rateLimitTimeWindow", type: "number" },
+      { name: "rateLimitMax", type: "number" },
+      { name: "requestCount", type: "number", required: true },
+      { name: "remaining", type: "number" },
+      { name: "lastRequest", type: "date" },
+      { name: "expiresAt", type: "date" },
+      { name: "permissions", type: "text" },
+      { name: "metadata", type: "text" }
+    ],
+    timestamps: { createdAt: "createdAt", updatedAt: "updatedAt" },
+    hidden: true
+  }
+];
+
+// src/utils/logger.ts
+var RESET = "\x1B[0m", BLUE = "\x1B[34m", GREEN = "\x1B[32m", YELLOW = "\x1B[33m", RED = "\x1B[31m", GRAY = "\x1B[90m", PREFIX, logger;
+var init_logger = __esm(() => {
+  PREFIX = `${BLUE}[OpacaCMS]${RESET}`;
+  logger = {
+    info: (message, ...args) => {
+      console.log(`${PREFIX} ${message}`, ...args);
+    },
+    success: (message, ...args) => {
+      console.log(`${PREFIX} ${GREEN}${message}${RESET}`, ...args);
+    },
+    debug: (message, ...args) => {
+      console.log(`${PREFIX} ${GRAY}${message}${RESET}`, ...args);
+    },
+    warn: (message, ...args) => {
+      console.warn(`${PREFIX} ${YELLOW}Warning: ${message}${RESET}`, ...args);
+    },
+    error: (message, ...args) => {
+      console.error(`${PREFIX} ${RED}Error: ${message}${RESET}`, ...args);
+    },
+    format: (color, msg) => {
+      switch (color) {
+        case "green":
+          return `${GREEN}${msg}${RESET}`;
+        case "red":
+          return `${RED}${msg}${RESET}`;
+        case "yellow":
+          return `${YELLOW}${msg}${RESET}`;
+        case "gray":
+          return `${GRAY}${msg}${RESET}`;
+        default:
+          return msg;
+      }
+    }
+  };
+});
+
+// src/db/kysely/field-mapper.ts
+var exports_field_mapper = {};
+__export(exports_field_mapper, {
+  toSnakeCase: () => toSnakeCase,
+  mapFieldToSQLiteType: () => mapFieldToSQLiteType,
+  mapFieldToPostgresType: () => mapFieldToPostgresType,
+  getRelationalFields: () => getRelationalFields,
+  flattenFields: () => flattenFields
+});
+function toSnakeCase(str) {
+  return str.replace(/([A-Z])/g, "_$1").toLowerCase().replace(/^_/, "");
+}
+function mapFieldToPostgresType(field) {
+  switch (field.type) {
+    case "text":
+    case "richtext":
+    case "select":
+    case "radio":
+    case "relationship":
+      return "text";
+    case "number":
+      return "double precision";
+    case "boolean":
+      return "boolean";
+    case "date":
+      return "timestamp with time zone";
+    case "json":
+    case "file":
+      return "jsonb";
+    default:
+      return "text";
+  }
+}
+function mapFieldToSQLiteType(field) {
+  switch (field.type) {
+    case "text":
+    case "richtext":
+    case "select":
+    case "radio":
+    case "relationship":
+    case "date":
+    case "json":
+    case "file":
+      return "text";
+    case "number":
+      return "numeric";
+    case "boolean":
+      return "integer";
+    default:
+      return "text";
+  }
+}
+function flattenFields(fields, prefix = "") {
+  const result = [];
+  for (const field of fields) {
+    if (field.type === "join" || field.type === "virtual")
+      continue;
+    const currentName = field.name ? `${prefix}${field.name}` : undefined;
+    if (field.type === "group") {
+      if (field.fields && Array.isArray(field.fields)) {
+        const nextPrefix = currentName ? `${currentName}__` : "";
+        result.push(...flattenFields(field.fields, nextPrefix));
+      }
+      continue;
+    }
+    if (field.type === "blocks") {
+      continue;
+    }
+    if (field.type === "relationship" && "hasMany" in field && field.hasMany) {
+      continue;
+    }
+    if (currentName) {
+      result.push({ ...field, name: currentName });
+    }
+    if (field.type === "row" || field.type === "collapsible") {
+      if (field.fields && Array.isArray(field.fields)) {
+        result.push(...flattenFields(field.fields, prefix));
+      }
+    }
+    if (field.type === "tabs" && field.tabs && Array.isArray(field.tabs)) {
+      for (const tab of field.tabs) {
+        if (tab.fields && Array.isArray(tab.fields)) {
+          result.push(...flattenFields(tab.fields, prefix));
+        }
+      }
+    }
+  }
+  return result;
+}
+function getRelationalFields(fields, prefix = "") {
+  const result = [];
+  for (const field of fields) {
+    const currentName = field.name ? `${prefix}${field.name}` : undefined;
+    if (field.type === "relationship" && "hasMany" in field && field.hasMany || field.type === "blocks") {
+      if (currentName) {
+        result.push({ ...field, name: currentName });
+      }
+      continue;
+    }
+    if (field.type === "group" || field.type === "row" || field.type === "collapsible") {
+      if (field.fields && Array.isArray(field.fields)) {
+        const nextPrefix = field.type === "group" && field.name ? `${currentName}__` : prefix;
+        result.push(...getRelationalFields(field.fields, nextPrefix));
+      }
+      continue;
+    }
+    if (field.type === "tabs" && field.tabs && Array.isArray(field.tabs)) {
+      for (const tab of field.tabs) {
+        if (tab.fields && Array.isArray(tab.fields)) {
+          result.push(...getRelationalFields(tab.fields, prefix));
+        }
+      }
+    }
+  }
+  return result;
+}
 
 // src/runtimes/cloudflare-workers.ts
+import { Hono as Hono4 } from "hono";
+
+// src/server/router.ts
+import { Hono as Hono3 } from "hono";
+
+// src/server/admin-router.ts
 import { Hono } from "hono";
+
+// src/config-utils.ts
+function sanitizeConfig(config) {
+  const collections = [...config.collections];
+  const supportsAuth = config.db.name === "sqlite" || config.db.name === "postgres" || config.db.name === "d1";
+  const systemCollections = getSystemCollections();
+  for (const systemCol of systemCollections) {
+    const isAsset = systemCol.slug === "_opaca_assets";
+    const isAuth = ["_users", "_sessions", "_accounts", "_verifications", "_api_keys"].includes(systemCol.slug);
+    if (isAsset && config.storages || isAuth && supportsAuth) {
+      if (!collections.find((col) => col.slug === systemCol.slug)) {
+        collections.push({
+          ...systemCol,
+          admin: true
+        });
+      }
+    }
+  }
+  const sanitizeField = (f) => ({
+    name: f.name,
+    type: f.type,
+    label: f.label,
+    required: f.required,
+    unique: f.unique,
+    defaultValue: f.defaultValue,
+    localized: f.localized,
+    admin: f.admin ? {
+      description: f.admin.description,
+      hidden: f.admin.hidden,
+      readOnly: f.admin.readOnly,
+      components: f.admin.components
+    } : undefined,
+    options: f.options,
+    fields: f.fields ? f.fields.map(sanitizeField) : undefined,
+    relationTo: f.relationTo,
+    displayField: f.displayField,
+    collection: f.collection,
+    on: f.on,
+    blocks: f.blocks ? f.blocks.map((b) => ({
+      slug: b.slug,
+      label: b.label,
+      fields: b.fields.map(sanitizeField)
+    })) : undefined,
+    tabs: f.tabs ? f.tabs.map((t) => ({
+      label: t.label,
+      fields: t.fields.map(sanitizeField)
+    })) : undefined
+  });
+  return {
+    appName: config.appName,
+    serverURL: config.serverURL,
+    collections: collections.map((col) => ({
+      slug: col.slug,
+      apiPath: col.apiPath,
+      label: col.label,
+      icon: col.icon,
+      admin: col.admin,
+      hidden: col.hidden,
+      fields: col.fields.map(sanitizeField),
+      timestamps: col.timestamps,
+      auth: col.auth,
+      versions: col.versions
+    })),
+    globals: config.globals?.map((g) => ({
+      slug: g.slug,
+      label: g.label,
+      icon: g.icon,
+      fields: g.fields.map(sanitizeField)
+    })),
+    storages: config.storages ? Object.keys(config.storages).reduce((acc, key) => {
+      acc[key] = {};
+      return acc;
+    }, {}) : {},
+    i18n: config.i18n
+  };
+}
+
+// src/server/admin.ts
+function createAdminHandlers(config, getAuth) {
+  const getMetadata = (c) => {
+    return c.json(sanitizeConfig(config));
+  };
+  const getCollections = (c) => {
+    const collections = [...config.collections];
+    const supportsAuth = config.db.name === "sqlite" || config.db.name === "postgres" || config.db.name === "d1";
+    const { getSystemCollections: getSystemCollections2 } = __toCommonJS(exports_system_schema);
+    const systemCollections = getSystemCollections2();
+    for (const systemCol of systemCollections) {
+      const isAsset = systemCol.slug === "_opaca_assets";
+      const isAuth = ["_users", "_sessions", "_accounts", "_verifications", "_api_keys"].includes(systemCol.slug);
+      if (isAsset && config.storages || isAuth && supportsAuth) {
+        if (!collections.find((col) => col.slug === systemCol.slug)) {
+          collections.push({
+            ...systemCol,
+            admin: true
+          });
+        }
+      }
+    }
+    const filteredCollections = collections.filter((c2) => !c2.hidden);
+    return c.json({
+      collections: filteredCollections,
+      globals: config.globals
+    });
+  };
+  const getConfig = async (c) => {
+    return c.json({
+      serverURL: config.serverURL,
+      admin: config.admin
+    });
+  };
+  const getSetupStatus = async (c) => {
+    try {
+      let userCount = 0;
+      try {
+        userCount = await config.db.count("_users");
+      } catch (_e) {
+        const result = await config.db.unsafe("SELECT COUNT(*) as count FROM _users");
+        const rows = result?.results || result || [];
+        userCount = Number(rows[0]?.count || rows[0]?.["count(*)"] || 0);
+      }
+      return c.json({
+        initialized: userCount > 0
+      });
+    } catch (e) {
+      console.error("[OpacaCMS] Failed to check setup status:", e);
+      return c.json({
+        initialized: false
+      });
+    }
+  };
+  const createApiKey = async (c) => {
+    const auth = getAuth();
+    if (!auth) {
+      return c.json({ message: "Auth not initialized" }, 503);
+    }
+    const user = c.get("user");
+    if (!user) {
+      return c.json({ message: "Unauthorized" }, 401);
+    }
+    try {
+      const { name, expiresIn, permissions } = await c.req.json();
+      if (!name || typeof name !== "string") {
+        return c.json({ message: "Invalid or missing 'name'" }, 400);
+      }
+      const res = await auth.api.createApiKey({
+        body: {
+          name,
+          expiresIn: expiresIn ? Number(expiresIn) : undefined,
+          permissions,
+          userId: user.id
+        }
+      });
+      return c.json(res);
+    } catch (err) {
+      console.error("[OpacaCMS] Failed to create API key:", err);
+      const message = err?.message || (typeof err === "string" ? err : JSON.stringify(err));
+      return c.json({ message, detail: err }, 400);
+    }
+  };
+  return {
+    getMetadata,
+    getCollections,
+    getConfig,
+    getSetupStatus,
+    createApiKey
+  };
+}
+
+// src/server/middlewares/admin.ts
+var adminMiddleware = async (c, next) => {
+  const user = c.get("user");
+  const isPublicAdmin = c.req.path.endsWith("/__admin/metadata") || c.req.path.endsWith("/__admin/setup");
+  if (!user && !isPublicAdmin) {
+    return c.json({ message: "Unauthorized" }, 401);
+  }
+  if (isPublicAdmin) {
+    await next();
+    return;
+  }
+  if (user.role === "admin" || user.role?.includes("admin")) {
+    await next();
+    return;
+  }
+  return c.json({ message: "Forbidden" }, 403);
+};
+
+// src/server/admin-router.ts
+function createAdminRouter(config, state) {
+  const adminRouter = new Hono;
+  const adminHandlers = createAdminHandlers(config, () => state.auth);
+  adminRouter.get("/collections", adminMiddleware, adminHandlers.getCollections);
+  adminRouter.get("/metadata", adminHandlers.getMetadata);
+  adminRouter.get("/config", adminMiddleware, adminHandlers.getConfig);
+  adminRouter.get("/setup", adminHandlers.getSetupStatus);
+  adminRouter.post("/api-key/create", adminMiddleware, adminHandlers.createApiKey);
+  return adminRouter;
+}
+// src/server/handlers.ts
+init_logger();
+
+// src/validator.ts
+import { z } from "zod";
+function generateSchemaForCollection(collection, isUpdate = false) {
+  const shape = mapFieldsToShape(collection.fields, isUpdate);
+  if (collection.versions) {
+    shape._status = z.enum(["draft", "published"]).optional().nullable();
+  }
+  const ts = collection.timestamps;
+  if (ts !== false && ts !== undefined) {
+    const config = typeof ts === "object" ? ts : {};
+    const createdField = config.createdAt || "createdAt";
+    const updatedField = config.updatedAt || "updatedAt";
+    shape[createdField] = z.union([z.string(), z.date()]).optional().nullable();
+    shape[updatedField] = z.union([z.string(), z.date()]).optional().nullable();
+  }
+  return z.object(shape);
+}
+function mapFieldsToShape(fields, isUpdate = false) {
+  const shape = {};
+  for (const field of fields) {
+    if (!field.name) {
+      if (field.type === "tabs" && field.tabs) {
+        for (const tab of field.tabs) {
+          Object.assign(shape, mapFieldsToShape(tab.fields, isUpdate));
+        }
+      } else if (field.type === "group" && field.fields) {
+        Object.assign(shape, mapFieldsToShape(field.fields, isUpdate));
+      } else if (field.type === "row" && field.fields) {
+        Object.assign(shape, mapFieldsToShape(field.fields, isUpdate));
+      } else if (field.type === "collapsible" && field.fields) {
+        Object.assign(shape, mapFieldsToShape(field.fields, isUpdate));
+      }
+      continue;
+    }
+    const fieldName = field.name;
+    let schema;
+    if (field.type === "group" && field.fields) {
+      schema = z.object(mapFieldsToShape(field.fields, isUpdate));
+    } else if (field.type === "blocks" && field.blocks) {
+      const blockSchemas = field.blocks.map((block) => z.object({
+        blockType: z.literal(block.slug),
+        ...mapFieldsToShape(block.fields, isUpdate)
+      }));
+      schema = z.array(z.union(blockSchemas));
+    } else if (field.type === "row" || field.type === "collapsible") {
+      if (field.fields) {
+        schema = z.object(mapFieldsToShape(field.fields, isUpdate));
+      } else {
+        schema = z.any();
+      }
+    } else {
+      schema = mapFieldToZod(field);
+    }
+    if (field.localized) {
+      schema = z.union([z.record(z.string(), schema), schema]);
+    }
+    if (field.required && !isUpdate) {
+      if (field.type === "slug" && field.from) {
+        schema = schema.optional().nullable();
+      }
+    } else {
+      schema = schema.optional().nullable();
+    }
+    if (field.defaultValue !== undefined && !isUpdate) {
+      schema = schema.default(field.defaultValue);
+    }
+    if (field.validate) {
+      schema = schema.superRefine((val, ctx) => {
+        if (val === undefined || val === null)
+          return;
+        const result = field.validate(val);
+        if (result !== true) {
+          ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            message: typeof result === "string" ? result : "Invalid field"
+          });
+        }
+      });
+    }
+    shape[fieldName] = schema;
+  }
+  return shape;
+}
+function mapFieldToZod(field) {
+  switch (field.type) {
+    case "text":
+    case "slug":
+    case "richtext":
+    case "textarea":
+      return z.string();
+    case "relationship": {
+      const isHasMany = "hasMany" in field && field.hasMany;
+      const base = z.union([z.string(), z.number(), z.undefined(), z.null()]);
+      const schema = isHasMany ? z.array(base.optional().nullable()) : base;
+      if (isHasMany) {
+        return z.preprocess((val) => {
+          if (val === undefined || val === null || val === "")
+            return [];
+          if (Array.isArray(val))
+            return val;
+          return [val];
+        }, schema);
+      }
+      return schema;
+    }
+    case "number":
+      return z.preprocess((val) => {
+        if (val === "" || val === undefined || val === null)
+          return;
+        if (typeof val === "string") {
+          const num = Number(val);
+          return Number.isNaN(num) ? undefined : num;
+        }
+        return val;
+      }, z.union([z.number(), z.undefined(), z.null()]));
+    case "boolean":
+      return z.preprocess((val) => {
+        if (typeof val === "string")
+          return val === "true";
+        return val;
+      }, z.boolean());
+    case "date":
+      return z.preprocess((val) => {
+        if (val === "" || val === undefined || val === null)
+          return;
+        return val;
+      }, z.union([
+        z.string().regex(/^\d{4}-\d{2}-\d{2}/, "Invalid date format"),
+        z.date(),
+        z.undefined(),
+        z.null()
+      ]));
+    case "select":
+      return z.string();
+    case "array":
+      return z.preprocess((val) => {
+        if (val === undefined || val === null || val === "")
+          return [];
+        if (Array.isArray(val))
+          return val;
+        return [val];
+      }, z.array(z.any()));
+    default:
+      return z.any();
+  }
+}
+
+// src/server/handlers.ts
+var hydrateDoc = async (doc, fields, c, config) => {
+  if (!doc)
+    return doc;
+  const user = c.get("user");
+  const session = c.get("session");
+  const apiKey = c.get("apiKey");
+  const hydratePromises = fields.map(async (field) => {
+    if (field.type === "virtual" && typeof field.resolve === "function") {
+      try {
+        doc[field.name] = await field.resolve({
+          data: doc,
+          req: c,
+          user,
+          session,
+          apiKey
+        });
+      } catch (err) {
+        console.error(`[OpacaCMS] Failed to resolve virtual field ${field.name} `, err);
+        doc[field.name] = null;
+      }
+    }
+    if (field.fields && Array.isArray(field.fields)) {
+      await hydrateDoc(doc, field.fields, c, config);
+    }
+    if (field.tabs && Array.isArray(field.tabs)) {
+      for (const tab of field.tabs) {
+        if (tab.fields && Array.isArray(tab.fields)) {
+          await hydrateDoc(doc, tab.fields, c, config);
+        }
+      }
+    }
+    if (field.type === "group" && field.fields && doc[field.name]) {
+      await hydrateDoc(doc[field.name], field.fields, c, config);
+    }
+    if (field.type === "array" && field.fields && Array.isArray(doc[field.name])) {
+      await Promise.all(doc[field.name].map((item) => hydrateDoc(item, field.fields, c, config)));
+    }
+    if (field.type === "blocks" && field.blocks && Array.isArray(doc[field.name])) {
+      await Promise.all(doc[field.name].map((item) => {
+        const block = field.blocks.find((b) => b.slug === item.block_type);
+        if (block && block.fields) {
+          return hydrateDoc(item, block.fields, c, config);
+        }
+        return Promise.resolve();
+      }));
+    }
+    if (field.localized && doc[field.name] && typeof doc[field.name] === "object") {
+      const i18nConfig = config.i18n;
+      const requestedLocale = c.req.header("x-opaca-locale") || c.req.query("locale");
+      const targetLocale = requestedLocale || i18nConfig?.defaultLocale || "en";
+      if (targetLocale !== "all") {
+        const localizedValue = doc[field.name][targetLocale] ?? doc[field.name][i18nConfig?.defaultLocale || "en"] ?? "";
+        doc[field.name] = localizedValue;
+      }
+    }
+  });
+  await Promise.all(hydratePromises);
+  return doc;
+};
+var populateDoc = async (db, fields, doc, populateKeys) => {
+  if (!doc)
+    return doc;
+  const populatePromises = fields.filter((f) => {
+    const field = f;
+    return field.type === "relationship" && field.relationTo && populateKeys.includes(field.name) && doc[field.name];
+  }).map(async (f) => {
+    const field = f;
+    try {
+      const relatedDoc = await db.findOne(field.relationTo, { id: doc[field.name] });
+      if (relatedDoc) {
+        doc[field.name] = relatedDoc;
+      }
+    } catch (err) {
+      console.error(`[OpacaCMS] Failed to populate relationship ${field.name} `, err);
+    }
+  });
+  await Promise.all(populatePromises);
+  return doc;
+};
+function createHandlers(config, collection, getAuth) {
+  const { db } = config;
+  const checkAccess = async (c, action, data) => {
+    const access = collection.access?.[action];
+    const apiKey = c.get("apiKey");
+    if (collection.access?.requireApiKey && !apiKey) {
+      const user2 = c.get("user");
+      if (user2?.role === "admin" || Array.isArray(user2?.role) && user2.role.includes("admin")) {} else {
+        return false;
+      }
+    }
+    if (apiKey) {
+      if (apiKey.permissions) {
+        const collectionPermissions = apiKey.permissions[collection.slug];
+        if (collectionPermissions) {
+          if (!collectionPermissions.includes(action)) {
+            return false;
+          }
+          return true;
+        }
+      }
+    }
+    if (access === undefined)
+      return true;
+    if (typeof access === "boolean")
+      return access;
+    const user = c.get("user");
+    const session = c.get("session");
+    return await access({
+      req: c,
+      user,
+      session,
+      apiKey,
+      data
+    });
+  };
+  const getFieldAccessPermissions = async (c, operation, fields, data) => {
+    const permissions = {};
+    const user = c.get("user");
+    const session = c.get("session");
+    const apiKey = c.get("apiKey");
+    const accessArgs = {
+      req: c,
+      user,
+      session,
+      apiKey,
+      data,
+      operation
+    };
+    for (const field of fields) {
+      if (field.name) {
+        if (!field.access) {
+          permissions[field.name] = { hidden: false, readOnly: false, disabled: false };
+        } else {
+          const hidden = typeof field.access.hidden === "function" ? await field.access.hidden(accessArgs) : !!field.access.hidden;
+          const readOnly = typeof field.access.readOnly === "function" ? await field.access.readOnly(accessArgs) : !!field.access.readOnly;
+          const disabled = typeof field.access.disabled === "function" ? await field.access.disabled(accessArgs) : !!field.access.disabled;
+          permissions[field.name] = { hidden, readOnly, disabled };
+        }
+      }
+      if (field.fields && Array.isArray(field.fields)) {
+        const nestedPermissions = await getFieldAccessPermissions(c, operation, field.fields, data);
+        Object.assign(permissions, nestedPermissions);
+      }
+      if (field.tabs && Array.isArray(field.tabs)) {
+        for (const tab of field.tabs) {
+          if (tab.fields && Array.isArray(tab.fields)) {
+            const nestedPermissions = await getFieldAccessPermissions(c, operation, tab.fields, data);
+            Object.assign(permissions, nestedPermissions);
+          }
+        }
+      }
+    }
+    return permissions;
+  };
+  const saveVersion = async (doc, status) => {
+    if (!collection.versions)
+      return;
+    const versionsTable = `${collection.slug}_versions`.toLowerCase();
+    const versionDoc = {
+      id: crypto.randomUUID(),
+      _parent_id: doc.id,
+      _version_data: JSON.stringify(doc),
+      _status: status || doc._status || "published",
+      created_at: new Date().toISOString()
+    };
+    try {
+      await db.unsafe(`INSERT INTO ${versionsTable} (id, _parent_id, _version_data, _status, created_at) VALUES(?, ?, ?, ?, ?)`, [
+        versionDoc.id,
+        versionDoc._parent_id,
+        versionDoc._version_data,
+        versionDoc._status,
+        versionDoc.created_at
+      ]);
+    } catch (err) {
+      console.error(`[OpacaCMS] Failed to save version for ${collection.slug}: `, err);
+    }
+  };
+  return {
+    async find(c) {
+      if (!await checkAccess(c, "read")) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      const queries = c.req.query();
+      const maxLimit = config.api?.maxLimit ?? 100;
+      const page = queries.page ? parseInt(queries.page, 10) : 1;
+      let limit = queries.limit ? parseInt(queries.limit, 10) : 10;
+      if (limit > maxLimit)
+        limit = maxLimit;
+      const sort = queries.sort;
+      const populate = queries.populate ? queries.populate.split(",") : [];
+      const filter = {};
+      for (const [key, value] of Object.entries(queries)) {
+        if (["page", "limit", "sort", "populate", "locale", "draft"].includes(key))
+          continue;
+        const match = key.match(/^([^[]+)\[([^\]]+)\]$/);
+        if (match) {
+          const field = match[1];
+          const op = match[2];
+          if (!filter[field])
+            filter[field] = {};
+          filter[field][op] = value;
+        } else {
+          filter[key] = value;
+        }
+      }
+      const results = await db.find(collection.slug, filter, { page, limit, sort });
+      if (populate.length > 0) {
+        results.docs = await Promise.all(results.docs.map((doc) => populateDoc(db, collection.fields, doc, populate)));
+      }
+      results.docs = await Promise.all(results.docs.map((doc) => hydrateDoc(doc, collection.fields, c, config)));
+      return c.json(results);
+    },
+    async findOne(c) {
+      if (!await checkAccess(c, "read")) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      const queries = c.req.query();
+      const populate = queries.populate ? queries.populate.split(",") : [];
+      const id = c.req.param("id");
+      let doc = await db.findOne(collection.slug, { id });
+      if (!doc)
+        return c.json({ message: "Not found" }, 404);
+      if (populate.length > 0) {
+        doc = await populateDoc(db, collection.fields, doc, populate);
+      }
+      doc = await hydrateDoc(doc, collection.fields, c, config);
+      const permissions = await getFieldAccessPermissions(c, "read", collection.fields, doc);
+      const cleanDoc = { ...doc };
+      for (const [field, perm] of Object.entries(permissions)) {
+        if (perm.hidden) {
+          delete cleanDoc[field];
+        }
+      }
+      return c.json(cleanDoc);
+    },
+    async create(c) {
+      const body = await c.req.json();
+      if (!await checkAccess(c, "create", body)) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      for (const field of collection.fields) {
+        if (field.type === "slug" && !body[field.name]) {
+          const fromValue = body[field.from];
+          if (fromValue && typeof fromValue === "string") {
+            const formatted = field.format ? field.format(fromValue) : fromValue.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+            body[field.name] = formatted;
+          }
+        }
+      }
+      const schema = generateSchemaForCollection(collection);
+      const validation = schema.safeParse(body);
+      if (!validation.success) {
+        return c.json({ message: "Validation Error", errors: validation.error.format() }, 400);
+      }
+      let data = validation.data;
+      const locale = c.req.header("x-opaca-locale");
+      if (locale && locale !== "all") {
+        for (const field of collection.fields) {
+          if (field.name && field.localized && data[field.name] !== undefined) {
+            data[field.name] = { [locale]: data[field.name] };
+          }
+        }
+      }
+      if (collection.hooks?.beforeCreate) {
+        data = await collection.hooks.beforeCreate(data);
+      }
+      const doc = await db.create(collection.slug, data);
+      if (collection.hooks?.afterCreate) {
+        await collection.hooks.afterCreate(doc);
+      }
+      if (collection.webhooks) {
+        const afterCreateWebhooks = collection.webhooks.filter((w) => w.events.includes("afterCreate"));
+        for (const webhook of afterCreateWebhooks) {
+          const hookPromise = fetch(webhook.url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json", ...webhook.headers },
+            body: JSON.stringify(doc)
+          }).catch((e) => logger.error(`Webhook afterCreate failed for ${collection.slug}: `, e));
+          if (c.executionCtx?.waitUntil) {
+            c.executionCtx.waitUntil(hookPromise);
+          }
+        }
+      }
+      if (collection.versions) {
+        await saveVersion(doc, body._status);
+      }
+      const hydratedDoc = await hydrateDoc(doc, collection.fields, c, config);
+      return c.json(hydratedDoc, 201);
+    },
+    async update(c) {
+      const id = c.req.param("id");
+      const body = await c.req.json();
+      if (!await checkAccess(c, "update", body)) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      for (const field of collection.fields) {
+        if (field.type === "slug" && !body[field.name]) {
+          const fromValue = body[field.from];
+          if (fromValue && typeof fromValue === "string") {
+            const formatted = field.format ? field.format(fromValue) : fromValue.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+            body[field.name] = formatted;
+          }
+        }
+      }
+      const schema = generateSchemaForCollection(collection, true);
+      const validation = schema.safeParse(body);
+      if (!validation.success) {
+        return c.json({ message: "Validation Error", errors: validation.error.format() }, 400);
+      }
+      let data = validation.data;
+      const locale = c.req.header("x-opaca-locale");
+      if (locale && locale !== "all") {
+        let existing = null;
+        for (const field of collection.fields) {
+          if (field.name && field.localized && data[field.name] !== undefined) {
+            if (!existing) {
+              existing = await db.findOne(collection.slug, { id });
+            }
+            const currentObj = existing?.[field.name] || {};
+            data[field.name] = { ...currentObj, [locale]: data[field.name] };
+          }
+        }
+      }
+      if (collection.hooks?.beforeUpdate) {
+        data = await collection.hooks.beforeUpdate(data);
+      }
+      const doc = await db.update(collection.slug, { id }, data);
+      if (collection.hooks?.afterUpdate) {
+        await collection.hooks.afterUpdate(doc);
+      }
+      if (collection.webhooks) {
+        const afterUpdateWebhooks = collection.webhooks.filter((w) => w.events.includes("afterUpdate"));
+        for (const webhook of afterUpdateWebhooks) {
+          const hookPromise = fetch(webhook.url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json", ...webhook.headers },
+            body: JSON.stringify(doc)
+          }).catch((e) => logger.error(`Webhook afterUpdate failed for ${collection.slug}: `, e));
+          if (c.executionCtx?.waitUntil) {
+            c.executionCtx.waitUntil(hookPromise);
+          }
+        }
+      }
+      if (collection.versions) {
+        await saveVersion(doc, body._status);
+      }
+      const hydratedDoc = await hydrateDoc(doc, collection.fields, c, config);
+      return c.json(hydratedDoc);
+    },
+    async delete(c) {
+      if (!await checkAccess(c, "delete")) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      const id = c.req.param("id");
+      let docToPass = { id };
+      try {
+        if (collection.webhooks && collection.webhooks.some((w) => w.events.includes("afterDelete"))) {
+          docToPass = await db.findOne(collection.slug, { id });
+        }
+      } catch (e) {}
+      if (collection.hooks?.beforeDelete) {
+        await collection.hooks.beforeDelete(id);
+      }
+      await db.delete(collection.slug, { id });
+      if (collection.hooks?.afterDelete) {
+        await collection.hooks.afterDelete(id);
+      }
+      if (collection.webhooks) {
+        const afterDeleteWebhooks = collection.webhooks.filter((w) => w.events.includes("afterDelete"));
+        for (const webhook of afterDeleteWebhooks) {
+          const hookPromise = fetch(webhook.url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json", ...webhook.headers },
+            body: JSON.stringify(docToPass || { id })
+          }).catch((e) => logger.error(`Webhook afterDelete failed for ${collection.slug}: `, e));
+          if (c.executionCtx?.waitUntil) {
+            c.executionCtx.waitUntil(hookPromise);
+          }
+        }
+      }
+      return c.json({ message: "Deleted" });
+    },
+    async findVersions(c) {
+      if (!await checkAccess(c, "read")) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      const parentId = c.req.query("parentId");
+      const versionsTable = `${collection.slug} _versions`.toLowerCase();
+      const query = parentId ? `SELECT * FROM ${versionsTable} WHERE _parent_id = ? ORDER BY created_at DESC` : `SELECT * FROM ${versionsTable} ORDER BY created_at DESC`;
+      const params = parentId ? [parentId] : [];
+      try {
+        const rows = await db.unsafe(query, params);
+        return c.json({ docs: rows });
+      } catch (err) {
+        return c.json({ message: "Failed to fetch versions", error: err.message }, 500);
+      }
+    },
+    async restoreVersion(c) {
+      if (!await checkAccess(c, "update")) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      const versionId = c.req.param("versionId");
+      const versionsTable = `${collection.slug} _versions`.toLowerCase();
+      try {
+        const versionRows = await db.unsafe(`SELECT * FROM ${versionsTable} WHERE id = ? `, [versionId]);
+        if (versionRows.length === 0)
+          return c.json({ message: "Version not found" }, 404);
+        const version = versionRows[0];
+        const data = JSON.parse(version._version_data);
+        const id = version._parent_id;
+        delete data.id;
+        delete data.created_at;
+        delete data.updated_at;
+        const doc = await db.update(collection.slug, { id }, data);
+        await saveVersion(doc, "published");
+        return c.json(doc);
+      } catch (err) {
+        return c.json({ message: "Failed to restore version", error: err.message }, 500);
+      }
+    }
+  };
+}
+function createGlobalHandlers(config, globalConfig, getAuth) {
+  const { db } = config;
+  const checkAccess = async (c, action, data) => {
+    const access = globalConfig.access?.[action];
+    if (access === undefined)
+      return true;
+    if (typeof access === "boolean")
+      return access;
+    const user = c.get("user");
+    const session = c.get("session");
+    const apiKey = c.get("apiKey");
+    return await access({
+      req: c,
+      user,
+      session,
+      apiKey,
+      data
+    });
+  };
+  return {
+    async find(c) {
+      if (!await checkAccess(c, "read")) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      if (!db.findGlobal) {
+        return c.json({ message: "Globals are not supported by this database adapter" }, 501);
+      }
+      const doc = await db.findGlobal(globalConfig.slug);
+      const hydratedDoc = await hydrateDoc(doc || {}, globalConfig.fields, c, config);
+      return c.json(hydratedDoc);
+    },
+    async update(c) {
+      const body = await c.req.json();
+      if (!await checkAccess(c, "update", body)) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      if (!db.updateGlobal) {
+        return c.json({ message: "Globals are not supported by this database adapter" }, 501);
+      }
+      const schema = generateSchemaForCollection(globalConfig, true);
+      const validation = schema.safeParse(body);
+      if (!validation.success) {
+        logger.error(`Validation Error on Global ${globalConfig.slug}: `, validation.error.format());
+        return c.json({
+          message: "Validation Error",
+          errors: validation.error.format()
+        }, 400);
+      }
+      const doc = await db.updateGlobal(globalConfig.slug, validation.data);
+      const hydratedDoc = await hydrateDoc(doc, globalConfig.fields, c, config);
+      return c.json(hydratedDoc);
+    }
+  };
+}
+
+// src/server/collection-router.ts
+function mountCollectionRoutes(router, config, state) {
+  const combinedCollections = [...config.collections];
+  for (const systemCol of getSystemCollections()) {
+    if (!combinedCollections.find((c) => c.slug === systemCol.slug)) {
+      combinedCollections.push(systemCol);
+    }
+  }
+  const exposedCollections = combinedCollections.filter((c) => !c.hidden);
+  for (const collection of exposedCollections) {
+    const handlers = createHandlers(config, collection, () => state.auth);
+    const path = `/${collection.apiPath || collection.slug}`;
+    router.get(path, handlers.find);
+    router.get(`${path}/versions`, handlers.findVersions);
+    router.get(`${path}/:id`, handlers.findOne);
+    router.post(path, handlers.create);
+    router.patch(`${path}/:id`, handlers.update);
+    router.post(`${path}/versions/:versionId/restore`, handlers.restoreVersion);
+    router.delete(`${path}/:id`, handlers.delete);
+  }
+}
+function mountGlobalRoutes(router, config, state) {
+  if (config.globals) {
+    for (const globalConfig of config.globals) {
+      const handlers = createGlobalHandlers(config, globalConfig, () => state.auth);
+      const path = `/globals/${globalConfig.slug}`;
+      router.get(path, handlers.find);
+      router.post(path, handlers.update);
+      router.patch(path, handlers.update);
+    }
+  }
+}
+
+// src/server/setup-middlewares.ts
+init_logger();
+
+// src/server/middlewares/auth.ts
+init_logger();
+function createAuthMiddleware(getAuth) {
+  return async (c, next) => {
+    const auth = getAuth();
+    if (!auth) {
+      c.set("user", null);
+      c.set("session", null);
+      c.set("apiKey", null);
+      await next();
+      return;
+    }
+    const session = await auth.api.getSession({ headers: c.req.raw.headers });
+    if (session) {
+      c.set("user", session.user);
+      c.set("session", session.session);
+      c.set("apiKey", null);
+      await next();
+      return;
+    }
+    const authHeader = c.req.header("Authorization");
+    if (authHeader && authHeader.startsWith("Bearer ")) {
+      const token = authHeader.split(" ")[1];
+      if (token) {
+        try {
+          const result = await auth.api.verifyApiKey({
+            headers: c.req.raw.headers,
+            body: { key: token }
+          });
+          if (result && result.valid && result.key) {
+            c.set("apiKey", {
+              id: result.key.id,
+              name: result.key.name,
+              permissions: result.key.permissions,
+              referenceId: result.key.referenceId
+            });
+            try {
+              const ownerResult = await auth.options.database?.findOne?.("_users", {
+                id: result.key.referenceId
+              });
+              c.set("user", ownerResult || null);
+            } catch (e) {
+              logger.warn("Failed to fetch API key owner from database:", e);
+              c.set("user", null);
+            }
+            c.set("session", null);
+            await next();
+            return;
+          }
+        } catch (err) {
+          logger.warn("API Key verification failed:", err);
+        }
+      }
+    }
+    c.set("user", null);
+    c.set("session", null);
+    c.set("apiKey", null);
+    await next();
+  };
+}
+
+// src/server/middlewares/context.ts
+function createContextMiddleware(config) {
+  return async (c, next) => {
+    c.set("config", config);
+    c.set("db", config.db);
+    await next();
+  };
+}
+
+// src/server/middlewares/cors.ts
+import { cors } from "hono/cors";
+function createCorsMiddleware(config) {
+  const trustedOrigins = config.trustedOrigins || [];
+  return cors({
+    origin: async (origin, _c) => {
+      const allowed = typeof trustedOrigins === "function" ? await trustedOrigins(_c.req.raw) : trustedOrigins;
+      if (Array.isArray(allowed) && allowed.includes(origin)) {
+        return origin;
+      }
+      return;
+    },
+    allowMethods: ["POST", "GET", "PUT", "PATCH", "DELETE", "OPTIONS"],
+    exposeHeaders: ["Content-Length"],
+    credentials: true
+  });
+}
+
+// src/auth/index.ts
+import { apiKey } from "@better-auth/api-key";
+import { betterAuth } from "better-auth";
+import { admin } from "better-auth/plugins";
+import { CamelCasePlugin } from "kysely";
+
+// src/auth/premissions.ts
+import { createAccessControl } from "better-auth/plugins/access";
+function createPermissions(config) {
+  const resources = {
+    user: ["create", "read", "update", "delete", "ban", "impersonate"],
+    session: ["read", "revoke", "delete"]
+  };
+  for (const collection of config.collections) {
+    resources[collection.slug] = ["create", "read", "update", "delete"];
+  }
+  const ac = createAccessControl(resources);
+  const adminRole = ac.newRole({
+    user: ["create", "read", "update", "delete", "ban", "impersonate"],
+    session: ["read", "revoke", "delete"]
+  });
+  for (const collection of config.collections) {
+    adminRole[collection.slug] = ["create", "read", "update", "delete"];
+  }
+  const userRole = ac.newRole({});
+  const roles = {
+    admin: adminRole,
+    user: userRole
+  };
+  if (config.access?.roles) {
+    for (const [roleName, permissions] of Object.entries(config.access.roles)) {
+      roles[roleName] = ac.newRole(permissions);
+    }
+  }
+  return {
+    ac,
+    roles
+  };
+}
+
+// src/auth/index.ts
+async function createAuth(config) {
+  const userAuth = config.auth || {};
+  const trustedOrigins = config.trustedOrigins;
+  const { ac, roles } = createPermissions(config);
+  const rawDb = config.db.raw;
+  const env = typeof process !== "undefined" ? process.env : {};
+  const baseURL = String(config.serverURL || env.BETTER_AUTH_URL || "").replace(/\/$/, "");
+  if (!baseURL) {
+    throw new Error("[OpacaAuth] baseURL could not be determined. Please provide 'serverURL' in your config or 'BETTER_AUTH_URL' in your environment.");
+  }
+  const authURL = `${baseURL}/api/auth`;
+  const secret = env.OPACA_SECRET || env.BETTER_AUTH_SECRET || config.secret;
+  if (!secret) {
+    throw new Error("[OpacaAuth] No secret found for authentication. Please provide 'OPACA_SECRET' or 'BETTER_AUTH_SECRET'.");
+  }
+  if (typeof process !== "undefined" && !env.BETTER_AUTH_URL) {
+    process.env.BETTER_AUTH_URL = authURL;
+  }
+  let databaseConfig;
+  if (config.db.name === "postgres" && rawDb) {
+    const { PostgresJSDialect } = await import("kysely-postgres-js");
+    const { Kysely } = await import("kysely");
+    const kysely = new Kysely({
+      dialect: new PostgresJSDialect({ postgres: rawDb }),
+      plugins: [new CamelCasePlugin]
+    });
+    databaseConfig = {
+      db: kysely,
+      type: "pg"
+    };
+  } else if (config.db.name === "d1" && rawDb) {
+    const { D1Dialect } = await import("kysely-d1");
+    const { Kysely } = await import("kysely");
+    const kysely = new Kysely({
+      dialect: new D1Dialect({ database: rawDb }),
+      plugins: [new CamelCasePlugin]
+    });
+    databaseConfig = {
+      db: kysely,
+      type: "sqlite"
+    };
+  } else {
+    databaseConfig = {
+      db: rawDb,
+      type: "sqlite"
+    };
+  }
+  const isSecure = baseURL.startsWith("https");
+  const plugins = [
+    admin({
+      ac,
+      roles
+    }),
+    ...userAuth.features?.apiKeys?.enabled ? [
+      apiKey({
+        defaultPrefix: "opaca_",
+        schema: {
+          apikey: {
+            modelName: "_api_keys"
+          }
+        }
+      })
+    ] : []
+  ];
+  const socialProviders = {};
+  if (userAuth.socialProviders?.github) {
+    socialProviders.github = userAuth.socialProviders.github;
+  }
+  if (userAuth.socialProviders?.google) {
+    socialProviders.google = userAuth.socialProviders.google;
+  }
+  return betterAuth({
+    database: databaseConfig,
+    baseURL,
+    basePath: "/api/auth",
+    secret,
+    trustedOrigins,
+    emailAndPassword: {
+      enabled: userAuth.strategies?.emailPassword !== false
+    },
+    socialProviders,
+    user: {
+      modelName: "_users"
+    },
+    session: {
+      modelName: "_sessions",
+      expiresIn: (userAuth.session?.expiresInDays || 30) * 86400,
+      updateAge: userAuth.session?.updateAgeSeconds || 86400
+    },
+    account: {
+      modelName: "_accounts"
+    },
+    verification: {
+      modelName: "_verifications"
+    },
+    advanced: {
+      useSecureCookies: isSecure,
+      defaultCookieAttributes: {
+        sameSite: isSecure ? "none" : "lax",
+        secure: isSecure
+      }
+    },
+    databaseHooks: {
+      user: {
+        create: {
+          before: async (user) => {
+            try {
+              let userCount = 0;
+              try {
+                userCount = await config.db.count("_users");
+              } catch (e) {
+                const result = await config.db.unsafe("SELECT COUNT(*) as count FROM _users");
+                const rows = result?.results || result || [];
+                userCount = Number(rows[0]?.count || rows[0]?.["count(*)"] || 0);
+              }
+              if (userCount === 0) {
+                return {
+                  data: {
+                    ...user,
+                    role: "admin"
+                  }
+                };
+              }
+            } catch (e) {
+              console.error("[OpacaAuth] Failed to check user count in hook:", e);
+            }
+          }
+        }
+      }
+    },
+    plugins
+  });
+}
+
+// src/auth/migrations.ts
+init_logger();
+async function runAuthMigrations(db) {
+  const rawDb = db.raw;
+  if (!rawDb) {
+    logger.error("Database not connected yet. Skipping auth migrations.");
+    return;
+  }
+  const isPostgres = db.name === "postgres";
+  const authCollections = getSystemCollections().filter((c) => ["_users", "_sessions", "_accounts", "_verifications", "_api_keys"].includes(c.slug));
+  try {
+    for (const collection of authCollections) {
+      const columnDefs = [];
+      columnDefs.push(`"id" TEXT PRIMARY KEY`);
+      for (const field of collection.fields) {
+        if (field.name === "id")
+          continue;
+        let type = "TEXT";
+        if (field.type === "number")
+          type = "INTEGER";
+        if (field.type === "boolean")
+          type = isPostgres ? "BOOLEAN" : "INTEGER";
+        if (field.type === "date")
+          type = isPostgres ? "TIMESTAMPTZ" : "TEXT";
+        let definition = `"${toSnakeCase(field.name)}" ${type}`;
+        if (field.required)
+          definition += " NOT NULL";
+        if (field.unique)
+          definition += " UNIQUE";
+        if (field.defaultValue !== undefined) {
+          const val = typeof field.defaultValue === "string" ? `'${field.defaultValue}'` : field.defaultValue;
+          definition += ` DEFAULT ${val}`;
+        }
+        if (field.references) {
+          definition += ` REFERENCES "${field.references.table}"("${toSnakeCase(field.references.column)}")`;
+          if (field.references.onDelete) {
+            definition += ` ON DELETE ${field.references.onDelete.toUpperCase()}`;
+          }
+        }
+        columnDefs.push(definition);
+      }
+      const ts = collection.timestamps;
+      if (ts !== false && ts !== undefined) {
+        const config = typeof ts === "object" ? ts : {};
+        const createdField = toSnakeCase(config.createdAt || "createdAt");
+        const updatedField = toSnakeCase(config.updatedAt || "updatedAt");
+        const fieldNames = new Set(collection.fields.map((f) => toSnakeCase(f.name)));
+        if (!fieldNames.has(createdField)) {
+          columnDefs.push(`"${createdField}" ${isPostgres ? "TIMESTAMPTZ" : "TEXT"} DEFAULT CURRENT_TIMESTAMP`);
+        }
+        if (!fieldNames.has(updatedField)) {
+          columnDefs.push(`"${updatedField}" ${isPostgres ? "TIMESTAMPTZ" : "TEXT"} DEFAULT CURRENT_TIMESTAMP`);
+        }
+      }
+      logger.info(`  -> Verifying table: ${logger.format("green", `"${collection.slug}"`)}`);
+      await db.unsafe(`CREATE TABLE IF NOT EXISTS "${collection.slug}" (${columnDefs.join(", ")})`);
+    }
+    logger.success("Auth tables verified/created successfully.");
+  } catch (error) {
+    logger.error("Failed to create auth tables:", error);
+  }
+}
+
+// src/server/middlewares/database-init.ts
+init_logger();
+function createDatabaseInitMiddleware(config, state) {
+  const supportsAuth = config.db.name === "sqlite" || config.db.name === "postgres" || config.db.name === "d1";
+  return async (_c, next) => {
+    if (!state.migrated) {
+      const isDev = typeof process !== "undefined" && true;
+      if (isDev) {
+        logger.info(`Connecting to database: ${logger.format("yellow", config.db.name)}...`);
+      } else {
+        logger.debug(`Connecting to database: ${config.db.name}...`);
+      }
+      await config.db.connect();
+      if (isDev) {
+        logger.debug("Synchronizing database schema...");
+      }
+      const allCollections = [...config.collections];
+      for (const systemCol of getSystemCollections()) {
+        if (!allCollections.find((c) => c.slug === systemCol.slug)) {
+          allCollections.push(systemCol);
+        }
+      }
+      await config.db.migrate(allCollections, config.globals);
+      if (isDev) {
+        logger.success("Database schema synchronized.");
+      }
+      const shouldMigrate = config.runMigrationsOnStartup || isDev;
+      if (shouldMigrate) {
+        if (config.runMigrationsOnStartup && config.db.runMigrations) {
+          logger.info("Running file-based migrations on startup...");
+          await config.db.runMigrations();
+        }
+        await runAuthMigrations(config.db);
+      } else {
+        logger.debug("Automatic schema migrations skipped (Production).");
+      }
+      if (supportsAuth && !state.auth) {
+        state.auth = await createAuth(config);
+      }
+      state.migrated = true;
+    }
+    await next();
+  };
+}
+
+// src/server/middlewares/rate-limit.ts
+import { rateLimiter } from "hono-rate-limiter";
+function createRateLimitMiddleware(config) {
+  const rateLimitConfig = config.api?.rateLimit;
+  if (rateLimitConfig?.enabled === false) {
+    return async (_c, next) => await next();
+  }
+  const windowMs = rateLimitConfig?.windowMs || 60000;
+  const limit = rateLimitConfig?.limit || 100;
+  return async (c, next) => {
+    let provider = rateLimitConfig?.provider?.(c);
+    if (!provider && !rateLimitConfig?.store && c.env) {
+      const rateLimitKey = Object.keys(c.env).find((key) => c.env[key]?.limit && typeof c.env[key].limit === "function");
+      if (rateLimitKey) {
+        provider = c.env[rateLimitKey];
+      }
+    }
+    if (provider) {
+      const limiter2 = rateLimiter({
+        binding: () => provider,
+        keyGenerator: rateLimitConfig?.keyGenerator || ((c2) => c2.req.header("cf-connecting-ip") || c2.req.header("x-forwarded-for") || "anonymous")
+      });
+      return limiter2(c, next);
+    }
+    let resolvedStore = rateLimitConfig?.store;
+    if (!resolvedStore && c.env) {
+      const kvBindingKey = Object.keys(c.env).find((key) => key.startsWith("OPACA_") && c.env[key]?.put && c.env[key]?.get);
+      if (kvBindingKey) {
+        try {
+          const { WorkersKVStore } = await import("@hono-rate-limiter/cloudflare");
+          resolvedStore = new WorkersKVStore({ namespace: c.env[kvBindingKey] });
+        } catch (_) {}
+      }
+    }
+    const limiter = rateLimiter({
+      windowMs,
+      limit,
+      standardHeaders: "draft-6",
+      store: resolvedStore,
+      keyGenerator: rateLimitConfig?.keyGenerator || ((c2) => c2.req.header("cf-connecting-ip") || c2.req.header("x-forwarded-for") || "anonymous"),
+      message: "Too many requests from this IP, please try again after a minute."
+    });
+    return limiter(c, next);
+  };
+}
+
+// src/server/setup-middlewares.ts
+function setupMiddlewares(router, config, state) {
+  router.use("*", async (c, next) => {
+    await next();
+    c.res.headers.set("X-Powered-By", "OpacaCMS");
+  });
+  router.use("*", createContextMiddleware(config));
+  router.use("*", createRateLimitMiddleware(config));
+  router.use("*", createCorsMiddleware(config));
+  router.use("*", createDatabaseInitMiddleware(config, state));
+  router.onError((err, c) => {
+    logger.error(`API Error: ${err.message}`, err);
+    return c.json({ message: "Internal Server Error", error: err.message }, 500);
+  });
+}
+function setupAuthMiddlewares(router, config, state) {
+  const supportsAuth = config.db.name === "sqlite" || config.db.name === "postgres" || config.db.name === "d1";
+  if (supportsAuth) {
+    router.use("*", createAuthMiddleware(() => state.auth));
+    router.on(["POST", "GET"], ["/auth/*"], async (c) => {
+      if (!state.auth) {
+        return c.json({ message: "Auth not initialized" }, 503);
+      }
+      return await state.auth.handler(c.req.raw);
+    });
+  }
+}
+
+// src/server/system-router.ts
+import { Hono as Hono2 } from "hono";
+
+// src/server/assets.ts
+function createAssetsHandlers(config) {
+  return {
+    async upload(c) {
+      const user = c.get("user");
+      if (!user)
+        return c.json({ error: "Unauthorized" }, 401);
+      const bucket = c.req.query("bucket") || "default";
+      if (!config.storages)
+        return c.json({ error: "Storage not configured" }, 500);
+      const storageAdapter = config.storages[bucket];
+      if (!storageAdapter) {
+        return c.json({ error: `Bucket '${bucket}' not found` }, 404);
+      }
+      try {
+        try {
+          if (config.db.name === "sqlite" || config.db.name === "d1") {
+            const tableInfo = await config.db.unsafe(`PRAGMA table_info(_opaca_assets)`);
+            const columns = tableInfo.map((c2) => c2.name);
+            if (!columns.includes("folder"))
+              await config.db.unsafe(`ALTER TABLE _opaca_assets ADD COLUMN folder TEXT`);
+            if (!columns.includes("alt_text"))
+              await config.db.unsafe(`ALTER TABLE _opaca_assets ADD COLUMN alt_text TEXT`);
+            if (!columns.includes("caption"))
+              await config.db.unsafe(`ALTER TABLE _opaca_assets ADD COLUMN caption TEXT`);
+          } else if (config.db.name === "postgres") {
+            const checkCols = await config.db.unsafe(`
+              SELECT column_name FROM information_schema.columns 
+              WHERE table_name = '_opaca_assets' AND column_name IN ('folder', 'alt_text', 'caption')
+             `);
+            const existing = checkCols.map((c2) => c2.column_name);
+            if (!existing.includes("folder"))
+              await config.db.unsafe(`ALTER TABLE _opaca_assets ADD COLUMN folder TEXT`);
+            if (!existing.includes("alt_text"))
+              await config.db.unsafe(`ALTER TABLE _opaca_assets ADD COLUMN "alt_text" TEXT`);
+            if (!existing.includes("caption"))
+              await config.db.unsafe(`ALTER TABLE _opaca_assets ADD COLUMN caption TEXT`);
+          }
+        } catch (e) {
+          console.error("Auto-patch columns failed", e);
+        }
+        const folder = c.req.query("folder") || null;
+        const keyPrefix = folder ? `${folder}/` : "";
+        const now = new Date().toISOString();
+        const formData = await c.req.parseBody({ all: true });
+        const fileRaw = formData["file"];
+        const file = Array.isArray(fileRaw) ? fileRaw[0] : fileRaw;
+        if (!file || typeof file !== "object" && typeof file !== "string") {
+          return c.json({ error: "No file provided" }, 400);
+        }
+        const fileName = file.name || "unnamed";
+        const fileType = file.type || "application/octet-stream";
+        const fileSize = file.size || 0;
+        const fileRecord = {
+          filename: fileName,
+          original_filename: fileName,
+          mime_type: fileType,
+          filesize: fileSize,
+          stream: typeof file.stream === "function" ? file.stream() : new Response(file).body
+        };
+        const uploadedFileData = await storageAdapter.upload(fileRecord, {
+          generateUniqueName: true,
+          keyPrefix
+        });
+        const storedKey = keyPrefix + uploadedFileData.filename;
+        try {
+          const assetId = (globalThis.crypto?.randomUUID?.() || Math.random().toString(36).slice(2)).replace(/-/g, "");
+          await config.db.create("_opaca_assets", {
+            id: assetId,
+            key: storedKey,
+            filename: fileName,
+            originalFilename: fileName,
+            mimeType: uploadedFileData.mime_type,
+            filesize: uploadedFileData.filesize,
+            bucket,
+            folder,
+            altText: null,
+            caption: null,
+            uploadedBy: user.id || null
+          });
+          return c.json({
+            assetId,
+            ...uploadedFileData,
+            key: storedKey
+          }, 201);
+        } catch (dbError) {
+          console.error(`[OpacaCMS] Registry insert failed, rolling back physical file upload: ${storedKey}`);
+          storageAdapter.delete(storedKey).catch((cleanupError) => {
+            console.error(`[OpacaCMS] CRITICAL: Failed to clean up orphaned file ${storedKey}!`, cleanupError);
+          });
+          throw dbError;
+        }
+      } catch (error) {
+        return c.json({ error: error.message }, 400);
+      }
+    },
+    async list(c) {
+      const user = c.get("user");
+      if (!user || user.role !== "admin" && !user.role?.includes("admin")) {
+        return c.json({ error: "Unauthorized" }, 401);
+      }
+      const bucket = c.req.query("bucket") || "all";
+      const page = parseInt(c.req.query("page") || "1", 10);
+      const limit = parseInt(c.req.query("limit") || "20", 10);
+      const offset = (page - 1) * limit;
+      const folder = c.req.query("folder") || null;
+      try {
+        let query = {};
+        if (bucket !== "all")
+          query.bucket = bucket;
+        if (folder !== null && folder !== "") {
+          query.folder = folder;
+        } else {
+          if (bucket !== "all") {
+            query = {
+              and: [{ bucket }, { or: [{ folder: null }, { folder: "" }] }]
+            };
+          } else {
+            query = { or: [{ folder: null }, { folder: "" }] };
+          }
+        }
+        const result = await config.db.find("_opaca_assets", query, {
+          page,
+          limit,
+          sort: "created_at:desc"
+        });
+        const rows = result.docs;
+        const total = result.totalDocs;
+        let folderRows = [];
+        const bucketFilter = bucket !== "all" ? `AND bucket = ?` : "";
+        const bucketParam = bucket !== "all" ? [bucket] : [];
+        if (config.db.name === "postgres") {
+          const pgBucketFilter = bucketFilter.replace("?", "$1");
+          if (folder === null || folder === "") {
+            folderRows = await config.db.unsafe(`SELECT DISTINCT split_part(folder, '/', 1) as subfolder, bucket FROM _opaca_assets WHERE folder IS NOT NULL AND folder != '' ${pgBucketFilter}`, bucketParam);
+          } else {
+            folderRows = await config.db.unsafe(`SELECT DISTINCT split_part(substring(folder from length($1) + 2), '/', 1) as subfolder, bucket FROM _opaca_assets WHERE folder LIKE $2 ${bucket !== "all" ? "AND bucket = $3" : ""}`, [folder, `${folder}/%`, ...bucketParam]);
+          }
+        } else {
+          if (folder === null || folder === "") {
+            folderRows = await config.db.unsafe(`
+              SELECT DISTINCT 
+                CASE 
+                  WHEN INSTR(folder, '/') > 0 THEN SUBSTR(folder, 1, INSTR(folder, '/') - 1)
+                  ELSE folder 
+                END as subfolder,
+                bucket
+              FROM _opaca_assets WHERE folder IS NOT NULL AND folder != '' ${bucketFilter}
+            `, bucketParam);
+          } else {
+            const skipLen = folder.length + 2;
+            folderRows = await config.db.unsafe(`
+              SELECT DISTINCT 
+                CASE 
+                  WHEN INSTR(SUBSTR(folder, ?), '/') > 0 THEN SUBSTR(SUBSTR(folder, ?), 1, INSTR(SUBSTR(folder, ?), '/') - 1)
+                  ELSE SUBSTR(folder, ?)
+                END as subfolder,
+                bucket
+              FROM _opaca_assets WHERE folder LIKE ? ${bucketFilter}
+            `, [skipLen, skipLen, skipLen, skipLen, `${folder}/%`, ...bucketParam]);
+          }
+        }
+        const folderMap = {};
+        for (const row of folderRows) {
+          if (!row.subfolder)
+            continue;
+          if (!folderMap[row.subfolder])
+            folderMap[row.subfolder] = [];
+          if (!folderMap[row.subfolder]?.includes(row.bucket)) {
+            folderMap[row.subfolder]?.push(row.bucket);
+          }
+        }
+        const folders = Object.entries(folderMap).map(([name, buckets]) => ({
+          name,
+          buckets
+        }));
+        return c.json({
+          docs: rows,
+          folders,
+          totalDocs: total,
+          limit,
+          page,
+          totalPages: Math.ceil(total / limit)
+        });
+      } catch (e) {
+        return c.json({ error: e.message }, 500);
+      }
+    },
+    async presign(c) {
+      const user = c.get("user");
+      if (!user)
+        return c.json({ error: "Unauthorized" }, 401);
+      const { filename, bucket = "default", operation = "write" } = await c.req.json();
+      if (!config.storages || !config.storages[bucket]) {
+        return c.json({ error: "Bucket not found" }, 404);
+      }
+      const adapter = config.storages[bucket];
+      if (!adapter.generatePresignedUrl) {
+        return c.json({ error: "Adapter does not support presigned URLs" }, 400);
+      }
+      try {
+        const url = await adapter.generatePresignedUrl(filename, operation, 3600);
+        return c.json({ uploadUrl: url, filename });
+      } catch (e) {
+        return c.json({ error: e.message }, 500);
+      }
+    },
+    async serve(c) {
+      const id = c.req.param("id");
+      try {
+        const asset = await config.db.findOne("_opaca_assets", { id });
+        if (!asset) {
+          return c.json({ error: "Asset not found" }, 404);
+        }
+        const bucket = asset.bucket || "default";
+        if (!config.storages || !config.storages[bucket]) {
+          return c.json({ error: "Storage bucket not configured" }, 500);
+        }
+        const adapter = config.storages[bucket];
+        if (!adapter.download) {
+          return c.json({ error: "Storage adapter does not support direct downloads" }, 400);
+        }
+        const stream = await adapter.download(asset.key || asset.filename);
+        c.header("Content-Type", asset.mimeType || "application/octet-stream");
+        c.header("Content-Length", asset.filesize.toString());
+        c.header("Cache-Control", "public, max-age=86400");
+        return c.body(stream);
+      } catch (e) {
+        console.error(`[OpacaCMS] Failed to serve asset ${id}:`, e);
+        return c.json({ error: e.message }, 500);
+      }
+    }
+  };
+}
+
+// src/server/system-router.ts
+function createSystemRouter(config) {
+  const systemRouter = new Hono2;
+  if (config.storages) {
+    const assetsHandlers = createAssetsHandlers(config);
+    systemRouter.post("/assets/upload", adminMiddleware, assetsHandlers.upload);
+    systemRouter.get("/assets", adminMiddleware, assetsHandlers.list);
+    systemRouter.post("/assets/presign-upload", adminMiddleware, assetsHandlers.presign);
+  }
+  return systemRouter;
+}
+function createAssetsServingRouter(config) {
+  const assetsServingRouter = new Hono2;
+  if (config.storages) {
+    const assetsHandlers = createAssetsHandlers(config);
+    const assetCol = getSystemCollections().find((c) => c.slug === "_opaca_assets");
+    const assetPath = `/${assetCol?.apiPath || assetCol?.slug || "_opaca_assets"}`;
+    assetsServingRouter.get(`${assetPath}/:id/view`, assetsHandlers.serve);
+  }
+  return assetsServingRouter;
+}
+
+// src/server/router.ts
+function createAPIRouter(config) {
+  const state = { auth: undefined, migrated: false };
+  const router = new Hono3().basePath("/api");
+  setupMiddlewares(router, config, state);
+  setupAuthMiddlewares(router, config, state);
+  router.get("/", (c) => {
+    return c.json({ status: "ok", version: "1.0.0", appName: config.appName });
+  });
+  router.route("/__admin", createAdminRouter(config, state));
+  router.route("/__system", createSystemRouter(config));
+  router.route("/", createAssetsServingRouter(config));
+  mountCollectionRoutes(router, config, state);
+  mountGlobalRoutes(router, config, state);
+  return router;
+}
+
+// src/runtimes/cloudflare-workers.ts
 var cachedApp;
 function createCloudflareWorkersHandler(configOrFactory) {
-  const app = new Hono;
+  const app = new Hono4;
   app.use("/api/*", async (c, next) => {
     if (cachedApp)
       return cachedApp.fetch(c.req.raw, c.env, c.executionCtx);
     const config = typeof configOrFactory === "function" ? await configOrFactory(c.env, c.req.raw) : configOrFactory;
     const apiRouter = createAPIRouter(config);
-    const innerApp = new Hono;
+    const innerApp = new Hono4;
     innerApp.route("/", apiRouter);
     cachedApp = innerApp;
     return cachedApp.fetch(c.req.raw, c.env, c.executionCtx);