opacacms 0.2.1 → 0.3.1

package/dist/{chunk-2es275xs.js → chunk-941zxavt.js}

@@ -1,23 +1,29 @@
 import {
   createAuth,
   sanitizeConfig
-} from "./chunk-b3kr8w41.js";
+} from "./chunk-m24yqkeq.js";
+import {
+  sanitizeGraphQLName
+} from "./chunk-5b8r0v8c.js";
+import {
+  requestContext
+} from "./chunk-q5sb5dcr.js";
 import {
   toSnakeCase
 } from "./chunk-qxt9vge8.js";
+import {
+  OpacaLogger,
+  logger
+} from "./chunk-jq1drsen.js";
 import {
   exports_system_schema,
   getSystemCollections,
   init_system_schema
-} from "./chunk-v9z61v3g.js";
-import {
-  OpacaLogger,
-  logger
-} from "./chunk-t0zg026p.js";
+} from "./chunk-6qs0g65f.js";
 import {
   __require,
   __toCommonJS
-} from "./chunk-8sqjbsgt.js";
+} from "./chunk-6bywt602.js";
 
 // src/server/admin.ts
 function createAdminHandlers(config, settings, getAuth) {
@@ -30,7 +36,7 @@ function createAdminHandlers(config, settings, getAuth) {
     const { getSystemCollections: getSystemCollections2 } = (init_system_schema(), __toCommonJS(exports_system_schema));
     const systemCollections = getSystemCollections2();
     for (const systemCol of systemCollections) {
-      const isAsset = systemCol.slug === "_opaca_assets";
+      const isAsset = systemCol.slug === "_assets";
       const isAuth = ["_users", "_sessions", "_accounts", "_verifications", "_api_keys"].includes(systemCol.slug);
       if (isAsset && config.storages || isAuth && supportsAuth) {
         if (!collections.find((col) => col.slug === systemCol.slug)) {
@@ -64,7 +70,8 @@ function createAdminHandlers(config, settings, getAuth) {
         userCount = Number(rows[0]?.count || rows[0]?.["count(*)"] || 0);
       }
       return c.json({
-        initialized: userCount > 0
+        initialized: userCount > 0,
+        api: sanitizeConfig(config, settings).api
       });
     } catch (e) {
       console.error("[OpacaCMS] Failed to check setup status:", e);
@@ -119,10 +126,111 @@ function createAdminHandlers(config, settings, getAuth) {
   };
 }
 
+// src/server/handlers.ts
+init_system_schema();
+
+// src/utils/webhooks-engine.ts
+async function verifyWebhookSignature(req, secretOrFn, headerName = "x-opaca-signature") {
+  if (typeof secretOrFn === "function") {
+    return secretOrFn(req);
+  }
+  const signature = req.headers.get(headerName);
+  if (!signature || !secretOrFn)
+    return false;
+  try {
+    const body = await req.clone().text();
+    const encoder = new TextEncoder;
+    const key = await crypto.subtle.importKey("raw", encoder.encode(secretOrFn).buffer, { name: "HMAC", hash: "SHA-256" }, false, ["verify"]);
+    const sigArray = hexToUint8Array(signature);
+    return await crypto.subtle.verify("HMAC", key, sigArray.buffer, encoder.encode(body).buffer);
+  } catch (err) {
+    logger.error("[Webhooks] Signature verification failed:", err);
+    return false;
+  }
+}
+async function dispatchWebhook(args) {
+  const { url, data, event, collection, headers, retries = 3, timeoutMs = 30000, transform } = args;
+  let payload = data;
+  if (transform) {
+    try {
+      payload = await transform(data);
+    } catch (err) {
+      logger.error(`[Webhooks] Transformation failed for ${collection} [${event}]`, err);
+    }
+  }
+  const fullPayload = {
+    event,
+    collection,
+    data: payload,
+    timestamp: new Date().toISOString()
+  };
+  let lastError = null;
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  const attempt = async (retryCount) => {
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Opaca-Event": event,
+          "X-Opaca-Collection": collection,
+          ...headers
+        },
+        body: JSON.stringify(fullPayload),
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+      }
+      logger.info(`[Webhooks] Sent to ${url} [${collection}:${event}]`);
+      return;
+    } catch (err) {
+      lastError = err;
+      logger.warn(`[Webhooks] Attempt ${retryCount + 1}/${retries} failed for ${url} [${collection}:${event}]: ${err.message}`);
+      if (retryCount < retries) {
+        const delay = 2 ** retryCount * 1000;
+        logger.warn(`[Webhooks] Delivery failed to ${url}. Retrying in ${delay}ms... (Attempt ${retryCount + 1}/${retries})`);
+        await new Promise((resolve) => setTimeout(resolve, delay));
+        return attempt(retryCount + 1);
+      }
+    }
+  };
+  try {
+    await attempt(0);
+  } catch {} finally {
+    clearTimeout(timeout);
+    if (lastError) {
+      const msg = lastError.message || String(lastError);
+      logger.error(`[Webhooks] Final delivery failure to ${url} after ${retries} attempts. Last error: ${msg}`);
+    }
+  }
+}
+function hexToUint8Array(hex) {
+  const matches = hex.match(/.{1,2}/g);
+  if (!matches)
+    return new Uint8Array;
+  return new Uint8Array(matches.map((byte) => parseInt(byte, 16)));
+}
+
 // src/validator.ts
 import { z } from "zod";
 function generateSchemaForCollection(collection, isUpdate = false, forDocs = false) {
-  const shape = mapFieldsToShape(collection.fields, isUpdate, forDocs);
+  let shape;
+  if (collection.schema && collection.schema._def.type === "object") {
+    const originalShape = collection.schema.shape;
+    shape = { ...originalShape };
+    if (isUpdate) {
+      for (const key in shape) {
+        const field = shape[key];
+        if (field) {
+          shape[key] = field.optional().nullable();
+        }
+      }
+    }
+  } else {
+    shape = mapFieldsToShape(collection.fields, isUpdate, forDocs);
+  }
   if (collection.versions) {
     shape._status = z.enum(["draft", "published"]).optional().nullable();
   }
@@ -135,7 +243,38 @@ function generateSchemaForCollection(collection, isUpdate = false, forDocs = fal
     shape[createdField] = dateSchema.optional().nullable();
     shape[updatedField] = dateSchema.optional().nullable();
   }
-  return z.object(shape);
+  let baseSchema = z.object(shape);
+  if (!isUpdate) {
+    baseSchema = baseSchema.superRefine((data, ctx) => {
+      const checkFields = (fields, currentData, path = []) => {
+        if (!fields)
+          return;
+        fields.forEach((field) => {
+          if (field.requiredCondition && typeof field.requiredCondition === "function") {
+            const isRequired = field.requiredCondition(data);
+            const value = currentData?.[field.name];
+            if (isRequired && (value === undefined || value === null || value === "")) {
+              ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                message: `${field.label || field.name} is required`,
+                path: [...path, field.name]
+              });
+            }
+          }
+          if (field.fields && Array.isArray(field.fields)) {
+            checkFields(field.fields, currentData?.[field.name], [...path, field.name]);
+          }
+          if (field.tabs && Array.isArray(field.tabs)) {
+            field.tabs.forEach((tab) => {
+              checkFields(tab.fields, currentData, path);
+            });
+          }
+        });
+      };
+      checkFields(collection.fields, data);
+    });
+  }
+  return baseSchema;
 }
 function mapFieldsToShape(fields, isUpdate = false, forDocs = false) {
   const shape = {};
@@ -201,17 +340,8 @@ function mapFieldsToShape(fields, isUpdate = false, forDocs = false) {
             });
           }
         });
-      } else if (typeof field.validate === "object" && field.validate !== null && "safeParse" in field.validate) {
-        schema = schema.superRefine((val, ctx) => {
-          if (val === undefined || val === null)
-            return;
-          const result = field.validate.safeParse(val);
-          if (!result.success) {
-            for (const issue of result.error.issues) {
-              ctx.addIssue(issue);
-            }
-          }
-        });
+      } else if (field.validate instanceof z.ZodType) {
+        schema = z.intersection(schema, field.validate);
       }
     }
     shape[fieldName] = schema;
@@ -222,24 +352,43 @@ function mapFieldToZod(field, forDocs = false) {
   switch (field.type) {
     case "text":
     case "slug":
-    case "richtext":
     case "textarea":
       return z.string();
-    case "relationship": {
-      const isHasMany = "hasMany" in field && field.hasMany;
-      const base = forDocs ? z.union([z.string(), z.number(), z.null()]) : z.union([z.string(), z.number(), z.undefined(), z.null()]);
-      const schema = isHasMany ? z.array(base.optional().nullable()) : base;
-      if (isHasMany) {
-        return z.preprocess((val) => {
-          if (val === undefined || val === null || val === "")
-            return [];
-          if (Array.isArray(val))
-            return val;
-          return [val];
-        }, schema);
-      }
-      return schema;
+    case "richtext":
+      return z.any();
+    case "relationship":
+      return field.hasMany ? z.array(z.string()) : z.string();
+    case "select":
+    case "radio": {
+      const choices = field.options?.choices || [];
+      const values = choices.map((c) => typeof c === "string" ? c : c.value);
+      if (values.length > 0) {
+        return z.enum(values);
+      }
+      return z.string();
     }
+    case "date":
+      return forDocs ? z.string() : z.union([z.string(), z.date()]);
+    case "boolean":
+      return z.preprocess((val) => {
+        if (val === "true" || val === 1)
+          return true;
+        if (val === "false" || val === 0)
+          return false;
+        return val;
+      }, z.boolean());
+    case "number":
+      return z.preprocess((val) => {
+        if (val === "" || val === undefined || val === null)
+          return;
+        if (typeof val === "string") {
+          const num = Number(val);
+          return Number.isNaN(num) ? undefined : num;
+        }
+        return val;
+      }, z.number());
+    case "json":
+      return z.any();
     case "file":
       return z.object({
         id: z.string(),
@@ -252,64 +401,14 @@ function mapFieldToZod(field, forDocs = false) {
         focal_x: z.number().optional().nullable(),
         focal_y: z.number().optional().nullable()
       });
-    case "number":
-      return z.preprocess((val) => {
-        if (val === "" || val === undefined || val === null)
-          return;
-        if (typeof val === "string") {
-          const num = Number(val);
-          return Number.isNaN(num) ? undefined : num;
-        }
-        return val;
-      }, z.number().optional().nullable());
-    case "boolean":
-      return z.preprocess((val) => {
-        if (typeof val === "string")
-          return val === "true";
-        return val;
-      }, z.boolean());
-    case "date": {
-      if (forDocs)
-        return z.string().describe("ISO 8601 Date");
-      return z.preprocess((val) => {
-        if (val === "" || val === undefined || val === null)
-          return;
-        return val;
-      }, z.union([
-        z.string().regex(/^\d{4}-\d{2}-\d{2}/, "Invalid date format"),
-        z.date(),
-        z.undefined(),
-        z.null()
-      ]));
-    }
-    case "select":
-    case "radio": {
-      const choices = field.options?.choices;
-      if (choices && Array.isArray(choices)) {
-        const values = choices.map((c) => typeof c === "string" ? c : c.value);
-        if (values.length > 0) {
-          return z.enum(values);
-        }
-      }
-      return z.string();
-    }
-    case "json":
-      return z.any();
     case "array":
-      return z.preprocess((val) => {
-        if (val === undefined || val === null || val === "")
-          return [];
-        if (Array.isArray(val))
-          return val;
-        return [val];
-      }, z.array(z.any()));
+      return z.array(z.any());
     default:
       return z.any();
   }
 }
 
 // src/server/handlers.ts
-init_system_schema();
 var hydrateDoc = async (doc, fields, c, config) => {
   if (!doc)
     return doc;
@@ -484,7 +583,7 @@ var populateDoc = async (db, fields, doc, populate, config) => {
   }
   return doc;
 };
-function createHandlers(config, collection, getAuth) {
+function createHandlers(collection, config) {
   const { db } = config;
   const checkAccess = async (c, action, data) => {
     const access = collection.access?.[action];
@@ -517,7 +616,8 @@ function createHandlers(config, collection, getAuth) {
       user,
       session,
       apiKey,
-      data
+      data,
+      operation: action
     });
   };
   const getFieldAccessPermissions = async (c, operation, fields, data) => {
@@ -562,24 +662,18 @@ function createHandlers(config, collection, getAuth) {
   const saveVersion = async (doc, status) => {
     if (!collection.versions)
       return;
-    const versionsTable = `${toSnakeCase(collection.slug)}_versions`;
-    const versionDoc = {
-      id: crypto.randomUUID(),
-      _parent_id: doc.id,
-      _version_data: JSON.stringify(doc),
-      _status: status || doc._status || "published",
-      created_at: new Date().toISOString()
-    };
     try {
-      await db.unsafe(`INSERT INTO ${versionsTable} (id, _parent_id, _version_data, _status, created_at) VALUES(?, ?, ?, ?, ?)`, [
-        versionDoc.id,
-        versionDoc._parent_id,
-        versionDoc._version_data,
-        versionDoc._status,
-        versionDoc.created_at
-      ]);
+      await db.db.insertInto("_doc_versions").values({
+        id: crypto.randomUUID(),
+        collection: collection.slug,
+        entity_id: doc.id,
+        data: JSON.stringify(doc),
+        status: status || doc._status || "published",
+        created_at: new Date().toISOString(),
+        updated_at: new Date().toISOString()
+      }).execute();
     } catch (err) {
-      console.error(`[OpacaCMS] Failed to save version for ${collection.slug}: `, err);
+      logger.error(`[OpacaCMS] Failed to save version for ${collection.slug}: `, err);
     }
   };
   return {
@@ -597,8 +691,19 @@ function createHandlers(config, collection, getAuth) {
       const populate = parsePopulate(queries.populate);
       const filter = {};
       for (const [key, value] of Object.entries(queries)) {
-        if (["page", "limit", "sort", "populate", "locale", "draft"].includes(key))
+        if ([
+          "page",
+          "limit",
+          "sort",
+          "populate",
+          "locale",
+          "draft",
+          "after",
+          "before",
+          "cursorColumn"
+        ].includes(key)) {
           continue;
+        }
         const match = key.match(/^([^[]+)\[([^\]]+)\]$/);
         if (match) {
           const field = match[1];
@@ -610,7 +715,17 @@ function createHandlers(config, collection, getAuth) {
           filter[key] = value;
         }
       }
-      const results = await db.find(collection.slug, filter, { page, limit, sort });
+      const after = queries.after;
+      const before = queries.before;
+      const cursorColumn = queries.cursorColumn;
+      const results = await db.find(collection.slug, filter, {
+        page,
+        limit,
+        sort,
+        after,
+        before,
+        cursorColumn
+      });
       if (Object.keys(populate).length > 0) {
         results.docs = await Promise.all(results.docs.map((doc) => populateDoc(db, collection.fields, doc, populate, config)));
       }
@@ -676,13 +791,20 @@ function createHandlers(config, collection, getAuth) {
         await collection.hooks.afterCreate(doc);
       }
       if (collection.webhooks) {
-        const afterCreateWebhooks = collection.webhooks.filter((w) => w.events.includes("afterCreate"));
+        const afterCreateWebhooks = collection.webhooks.filter((w) => w.type === "outgoing" && w.events.includes("after:create"));
         for (const webhook of afterCreateWebhooks) {
-          const hookPromise = fetch(webhook.url, {
-            method: "POST",
-            headers: { "Content-Type": "application/json", ...webhook.headers },
-            body: JSON.stringify(doc)
-          }).catch((e) => logger.error(`Webhook afterCreate failed for ${collection.slug}: `, e));
+          if (webhook.type !== "outgoing")
+            continue;
+          const hookPromise = dispatchWebhook({
+            url: webhook.url,
+            data: doc,
+            event: "after:create",
+            collection: collection.slug,
+            headers: webhook.headers,
+            retries: webhook.retries,
+            timeoutMs: webhook.timeoutMs,
+            transform: webhook.transform
+          });
           if (c.executionCtx?.waitUntil) {
             c.executionCtx.waitUntil(hookPromise);
           }
@@ -736,13 +858,20 @@ function createHandlers(config, collection, getAuth) {
         await collection.hooks.afterUpdate(doc);
       }
       if (collection.webhooks) {
-        const afterUpdateWebhooks = collection.webhooks.filter((w) => w.events.includes("afterUpdate"));
+        const afterUpdateWebhooks = collection.webhooks.filter((w) => w.type === "outgoing" && w.events.includes("after:update"));
         for (const webhook of afterUpdateWebhooks) {
-          const hookPromise = fetch(webhook.url, {
-            method: "POST",
-            headers: { "Content-Type": "application/json", ...webhook.headers },
-            body: JSON.stringify(doc)
-          }).catch((e) => logger.error(`Webhook afterUpdate failed for ${collection.slug}: `, e));
+          if (webhook.type !== "outgoing")
+            continue;
+          const hookPromise = dispatchWebhook({
+            url: webhook.url,
+            data: doc,
+            event: "after:update",
+            collection: collection.slug,
+            headers: webhook.headers,
+            retries: webhook.retries,
+            timeoutMs: webhook.timeoutMs,
+            transform: webhook.transform
+          });
           if (c.executionCtx?.waitUntil) {
             c.executionCtx.waitUntil(hookPromise);
           }
@@ -761,7 +890,7 @@ function createHandlers(config, collection, getAuth) {
       const id = c.req.param("id");
       let docToPass = { id };
       try {
-        if (collection.webhooks && collection.webhooks.some((w) => w.events.includes("afterDelete"))) {
+        if (collection.webhooks && collection.webhooks.some((w) => w.type === "outgoing" && w.events.includes("after:delete"))) {
           docToPass = await db.findOne(collection.slug, { id });
         }
       } catch (e) {}
@@ -773,13 +902,20 @@ function createHandlers(config, collection, getAuth) {
         await collection.hooks.afterDelete(id);
       }
       if (collection.webhooks) {
-        const afterDeleteWebhooks = collection.webhooks.filter((w) => w.events.includes("afterDelete"));
+        const afterDeleteWebhooks = collection.webhooks.filter((w) => w.type === "outgoing" && w.events.includes("after:delete"));
         for (const webhook of afterDeleteWebhooks) {
-          const hookPromise = fetch(webhook.url, {
-            method: "POST",
-            headers: { "Content-Type": "application/json", ...webhook.headers },
-            body: JSON.stringify(docToPass || { id })
-          }).catch((e) => logger.error(`Webhook afterDelete failed for ${collection.slug}: `, e));
+          if (webhook.type !== "outgoing")
+            continue;
+          const hookPromise = dispatchWebhook({
+            url: webhook.url,
+            data: docToPass || { id },
+            event: "after:delete",
+            collection: collection.slug,
+            headers: webhook.headers,
+            retries: webhook.retries,
+            timeoutMs: webhook.timeoutMs,
+            transform: webhook.transform
+          });
           if (c.executionCtx?.waitUntil) {
             c.executionCtx.waitUntil(hookPromise);
           }
@@ -792,11 +928,12 @@ function createHandlers(config, collection, getAuth) {
         return c.json({ message: "Forbidden" }, 403);
       }
       const parentId = c.req.query("parentId");
-      const versionsTable = `${toSnakeCase(collection.slug)}_versions`;
-      const query = parentId ? `SELECT * FROM ${versionsTable} WHERE _parent_id = ? ORDER BY created_at DESC` : `SELECT * FROM ${versionsTable} ORDER BY created_at DESC`;
-      const params = parentId ? [parentId] : [];
       try {
-        const rows = await db.unsafe(query, params);
+        let qb = db.db.selectFrom("_doc_versions").selectAll().where("collection", "=", collection.slug);
+        if (parentId) {
+          qb = qb.where("entity_id", "=", parentId);
+        }
+        const rows = await qb.orderBy("created_at", "desc").execute();
         return c.json({ docs: rows });
       } catch (err) {
         return c.json({ message: "Failed to fetch versions", error: err.message }, 500);
@@ -807,17 +944,15 @@ function createHandlers(config, collection, getAuth) {
         return c.json({ message: "Forbidden" }, 403);
       }
       const versionId = c.req.param("versionId");
-      const versionsTable = `${toSnakeCase(collection.slug)}_versions`;
       try {
-        const versionRows = await db.unsafe(`SELECT * FROM ${versionsTable} WHERE id = ? `, [versionId]);
-        if (versionRows.length === 0)
+        const version = await db.db.selectFrom("_doc_versions").selectAll().where("id", "=", versionId).executeTakeFirst();
+        if (!version)
           return c.json({ message: "Version not found" }, 404);
-        const version = versionRows[0];
-        const data = JSON.parse(version._version_data);
-        const id = version._parent_id;
+        const data = JSON.parse(version.data);
+        const id = version.entity_id;
         delete data.id;
-        delete data.created_at;
-        delete data.updated_at;
+        delete data.createdAt;
+        delete data.updatedAt;
         const doc = await db.update(collection.slug, { id }, data);
         await saveVersion(doc, "published");
         return c.json(doc);
@@ -827,6 +962,55 @@ function createHandlers(config, collection, getAuth) {
     }
   };
 }
+function createIncomingWebhookHandler(webhookConfig, collection, config) {
+  const { db } = config;
+  if (!webhookConfig) {
+    throw new Error(`Collection ${collection.slug} does not have webhooksIncoming configured.`);
+  }
+  return async (c) => {
+    if (webhookConfig.verifySignature) {
+      const isValid = await verifyWebhookSignature(c.req.raw, webhookConfig.verifySignature);
+      if (!isValid) {
+        logger.warn(`[Webhooks] Invalid signature for incoming webhook on ${collection.slug}`);
+        return c.json({ message: "Invalid signature" }, 401);
+      }
+    }
+    try {
+      const payload = await c.req.json();
+      let data = payload;
+      if (webhookConfig.mapPayload) {
+        data = await webhookConfig.mapPayload(payload);
+      }
+      let doc = null;
+      let operation = "create";
+      const uniqueFields = collection.fields.filter((f) => f.name && f.unique && data[f.name] !== undefined);
+      if (data.id) {
+        doc = await db.findOne(collection.slug, { id: data.id });
+      } else if (uniqueFields.length > 0) {
+        const query = {};
+        for (const f of uniqueFields) {
+          const fieldName = f.name;
+          query[fieldName] = data[fieldName];
+        }
+        doc = await db.findOne(collection.slug, query);
+      }
+      if (doc) {
+        operation = "update";
+        doc = await db.update(collection.slug, { id: doc.id }, data);
+      } else {
+        doc = await db.create(collection.slug, data);
+      }
+      if (webhookConfig.onSuccess) {
+        await webhookConfig.onSuccess({ data: doc, payload, operation });
+      }
+      logger.info(`[Webhooks] Incoming webhook processed for ${collection.slug} (${operation})`);
+      return c.json({ success: true, operation, id: doc.id });
+    } catch (err) {
+      logger.error(`[Webhooks] Failed to process incoming webhook for ${collection.slug}:`, err.message);
+      return c.json({ message: "Internal Server Error", error: err.message }, 500);
+    }
+  };
+}
 function createGlobalHandlers(config, globalConfig, getAuth) {
   const { db } = config;
   const checkAccess = async (c, action, data) => {
@@ -843,7 +1027,8 @@ function createGlobalHandlers(config, globalConfig, getAuth) {
       user,
       session,
       apiKey,
-      data
+      data,
+      operation: action
     });
   };
   return {
@@ -885,6 +1070,155 @@ function createGlobalHandlers(config, globalConfig, getAuth) {
 // src/server/router.ts
 import { Hono as Hono4 } from "hono";
 
+// src/server/openapi.ts
+import { z as z2 } from "zod";
+import { zodToJsonSchema } from "zod-to-json-schema";
+function generateOpenAPISchema(config) {
+  const openapi = {
+    openapi: "3.1.0",
+    info: {
+      title: config.appName || "OpacaCMS API",
+      version: "1.0.0",
+      description: "Automatically generated OpenAPI schema for OpacaCMS Collections and Globals."
+    },
+    paths: {},
+    components: {
+      schemas: {},
+      securitySchemes: {
+        bearerAuth: {
+          type: "http",
+          scheme: "bearer"
+        }
+      }
+    }
+  };
+  for (const collection of config.collections || []) {
+    const isHidden = collection.hidden === true;
+    if (isHidden)
+      continue;
+    const pathBase = `/api/${collection.apiPath || collection.slug}`;
+    const tag = collection.label || collection.slug;
+    const zodSchema = generateSchemaForCollection(collection, false, true);
+    const schemaName = collection.slug.charAt(0).toUpperCase() + collection.slug.slice(1);
+    const jsonSchema = typeof z2.toJSONSchema === "function" ? z2.toJSONSchema(zodSchema, { target: "openapi-3.0" }) : zodToJsonSchema(zodSchema, { target: "openApi3" });
+    openapi.components.schemas[schemaName] = jsonSchema;
+    const ref = `#/components/schemas/${schemaName}`;
+    openapi.paths[pathBase] = {
+      get: {
+        tags: [tag],
+        summary: `Find ${tag}`,
+        parameters: [
+          { name: "limit", in: "query", schema: { type: "integer" } },
+          { name: "page", in: "query", schema: { type: "integer" } }
+        ],
+        responses: {
+          "200": {
+            description: "Successful response",
+            content: {
+              "application/json": {
+                schema: {
+                  type: "object",
+                  properties: {
+                    docs: { type: "array", items: { $ref: ref } },
+                    totalDocs: { type: "integer" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      post: {
+        tags: [tag],
+        summary: `Create ${tag}`,
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": { schema: { $ref: ref } }
+          }
+        },
+        responses: {
+          "201": {
+            description: "Created successfully",
+            content: { "application/json": { schema: { $ref: ref } } }
+          }
+        }
+      }
+    };
+    openapi.paths[`${pathBase}/{id}`] = {
+      get: {
+        tags: [tag],
+        summary: `Find ${tag} by ID`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        responses: {
+          "200": {
+            description: "Successful response",
+            content: { "application/json": { schema: { $ref: ref } } }
+          },
+          "404": { description: "Not found" }
+        }
+      },
+      patch: {
+        tags: [tag],
+        summary: `Update ${tag}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        requestBody: {
+          content: { "application/json": { schema: { $ref: ref } } }
+        },
+        responses: {
+          "200": {
+            description: "Updated successfully",
+            content: { "application/json": { schema: { $ref: ref } } }
+          }
+        }
+      },
+      delete: {
+        tags: [tag],
+        summary: `Delete ${tag}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        responses: {
+          "200": { description: "Deleted successfully" }
+        }
+      }
+    };
+  }
+  for (const global of config.globals || []) {
+    const pathBase = `/api/globals/${global.slug}`;
+    const tag = global.label || global.slug;
+    const zodSchema = generateSchemaForCollection(global, false, true);
+    const schemaName = global.slug.charAt(0).toUpperCase() + global.slug.slice(1);
+    const jsonSchema = typeof z2.toJSONSchema === "function" ? z2.toJSONSchema(zodSchema, { target: "openapi-3.0" }) : zodToJsonSchema(zodSchema, { target: "openApi3" });
+    openapi.components.schemas[schemaName] = jsonSchema;
+    const ref = `#/components/schemas/${schemaName}`;
+    openapi.paths[pathBase] = {
+      get: {
+        tags: [tag],
+        summary: `Find ${tag}`,
+        responses: {
+          "200": {
+            description: "Successful response",
+            content: { "application/json": { schema: { $ref: ref } } }
+          }
+        }
+      },
+      post: {
+        tags: [tag],
+        summary: `Update ${tag}`,
+        requestBody: {
+          content: { "application/json": { schema: { $ref: ref } } }
+        },
+        responses: {
+          "200": {
+            description: "Updated successfully",
+            content: { "application/json": { schema: { $ref: ref } } }
+          }
+        }
+      }
+    };
+  }
+  return openapi;
+}
+
 // src/server/routers/admin.ts
 import { Hono } from "hono";
 
@@ -966,26 +1300,26 @@ function createAssetsHandlers(config) {
       try {
         try {
           if (config.db.name === "sqlite" || config.db.name === "d1") {
-            const tableInfo = await config.db.unsafe(`PRAGMA table_info(_opaca_assets)`);
+            const tableInfo = await config.db.unsafe(`PRAGMA table_info(_assets)`);
             const columns = tableInfo.map((c2) => c2.name);
             if (!columns.includes("folder"))
-              await config.db.unsafe(`ALTER TABLE _opaca_assets ADD COLUMN folder TEXT`);
+              await config.db.unsafe(`ALTER TABLE _assets ADD COLUMN folder TEXT`);
             if (!columns.includes("alt_text"))
-              await config.db.unsafe(`ALTER TABLE _opaca_assets ADD COLUMN alt_text TEXT`);
+              await config.db.unsafe(`ALTER TABLE _assets ADD COLUMN alt_text TEXT`);
             if (!columns.includes("caption"))
-              await config.db.unsafe(`ALTER TABLE _opaca_assets ADD COLUMN caption TEXT`);
+              await config.db.unsafe(`ALTER TABLE _assets ADD COLUMN caption TEXT`);
           } else if (config.db.name === "postgres") {
             const checkCols = await config.db.unsafe(`
               SELECT column_name FROM information_schema.columns 
-              WHERE table_name = '_opaca_assets' AND column_name IN ('folder', 'alt_text', 'caption')
+              WHERE table_name = '_assets' AND column_name IN ('folder', 'alt_text', 'caption')
              `);
             const existing = checkCols.map((c2) => c2.column_name);
             if (!existing.includes("folder"))
-              await config.db.unsafe(`ALTER TABLE _opaca_assets ADD COLUMN folder TEXT`);
+              await config.db.unsafe(`ALTER TABLE _assets ADD COLUMN folder TEXT`);
             if (!existing.includes("alt_text"))
-              await config.db.unsafe(`ALTER TABLE _opaca_assets ADD COLUMN "alt_text" TEXT`);
+              await config.db.unsafe(`ALTER TABLE _assets ADD COLUMN "alt_text" TEXT`);
             if (!existing.includes("caption"))
-              await config.db.unsafe(`ALTER TABLE _opaca_assets ADD COLUMN caption TEXT`);
+              await config.db.unsafe(`ALTER TABLE _assets ADD COLUMN caption TEXT`);
           }
         } catch (e) {
           console.error("Auto-patch columns failed", e);
@@ -1016,7 +1350,7 @@ function createAssetsHandlers(config) {
         const storedKey = keyPrefix + uploadedFileData.filename;
         try {
           const assetId = (globalThis.crypto?.randomUUID?.() || Math.random().toString(36).slice(2)).replace(/-/g, "");
-          await config.db.create("_opaca_assets", {
+          await config.db.create("_assets", {
             id: assetId,
             key: storedKey,
             filename: fileName,
@@ -1070,7 +1404,7 @@ function createAssetsHandlers(config) {
             query = { or: [{ folder: null }, { folder: "" }] };
           }
         }
-        const result = await config.db.find("_opaca_assets", query, {
+        const result = await config.db.find("_assets", query, {
           page,
           limit,
           sort: "created_at:desc"
@@ -1080,9 +1414,9 @@ function createAssetsHandlers(config) {
         let folderRows = [];
         if (config.db.name === "postgres") {
           if (folder === null || folder === "") {
-            folderRows = await config.db.unsafe("SELECT DISTINCT split_part(folder, '/', 1) as subfolder, bucket FROM _opaca_assets WHERE folder IS NOT NULL AND folder != '' AND (bucket = $1 OR $1 = 'all')", [bucket]);
+            folderRows = await config.db.unsafe("SELECT DISTINCT split_part(folder, '/', 1) as subfolder, bucket FROM _assets WHERE folder IS NOT NULL AND folder != '' AND (bucket = $1 OR $1 = 'all')", [bucket]);
           } else {
-            folderRows = await config.db.unsafe("SELECT DISTINCT split_part(substring(folder from length($1) + 2), '/', 1) as subfolder, bucket FROM _opaca_assets WHERE folder LIKE $2 AND (bucket = $3 OR $3 = 'all')", [folder, `${folder}/%`, bucket]);
+            folderRows = await config.db.unsafe("SELECT DISTINCT split_part(substring(folder from length($1) + 2), '/', 1) as subfolder, bucket FROM _assets WHERE folder LIKE $2 AND (bucket = $3 OR $3 = 'all')", [folder, `${folder}/%`, bucket]);
           }
         } else {
           if (folder === null || folder === "") {
@@ -1093,7 +1427,7 @@ function createAssetsHandlers(config) {
                   ELSE folder 
                 END as subfolder,
                 bucket
-              FROM _opaca_assets WHERE folder IS NOT NULL AND folder != '' AND (bucket = ? OR ? = 'all')
+              FROM _assets WHERE folder IS NOT NULL AND folder != '' AND (bucket = ? OR ? = 'all')
             `, [bucket, bucket]);
           } else {
             const skipLen = folder.length + 2;
@@ -1104,7 +1438,7 @@ function createAssetsHandlers(config) {
                   ELSE SUBSTR(folder, ?)
                 END as subfolder,
                 bucket
-              FROM _opaca_assets WHERE folder LIKE ? AND (bucket = ? OR ? = 'all')
+              FROM _assets WHERE folder LIKE ? AND (bucket = ? OR ? = 'all')
             `, [skipLen, skipLen, skipLen, skipLen, `${folder}/%`, bucket, bucket]);
           }
         }
@@ -1156,7 +1490,7 @@ function createAssetsHandlers(config) {
     async serve(c) {
       const id = c.req.param("id");
       try {
-        const asset = await config.db.findOne("_opaca_assets", { id });
+        const asset = await config.db.findOne("_assets", { id });
         if (!asset) {
           return c.json({ error: "Asset not found" }, 404);
         }
@@ -1191,7 +1525,7 @@ function mountCollectionRoutes(router, config, state) {
   }
   const exposedCollections = combinedCollections.filter((c) => !c.hidden);
   for (const collection of exposedCollections) {
-    const handlers = createHandlers(config, collection, () => state.auth);
+    const handlers = createHandlers(collection, config);
     const path = `/${collection.apiPath || collection.slug}`;
     router.get(path, handlers.find);
     router.get(`${path}/versions`, handlers.findVersions);
@@ -1202,6 +1536,18 @@ function mountCollectionRoutes(router, config, state) {
     router.delete(`${path}/:id`, handlers.delete);
   }
 }
+function mountIncomingWebhookRoutes(router, config) {
+  for (const collection of config.collections) {
+    if (collection.webhooks) {
+      for (const webhook of collection.webhooks) {
+        if (webhook.type === "incoming") {
+          const handler = createIncomingWebhookHandler(webhook, collection, config);
+          router.post(webhook.path, handler);
+        }
+      }
+    }
+  }
+}
 function mountGlobalRoutes(router, config, state) {
   if (config.globals) {
     for (const globalConfig of config.globals) {
@@ -1249,8 +1595,8 @@ function createAssetsServingRouter(config) {
   const assetsServingRouter = new Hono3;
   if (config.storages) {
     const assetsHandlers = createAssetsHandlers(config);
-    const assetCol = getSystemCollections().find((c) => c.slug === "_opaca_assets");
-    const assetPath = `/${assetCol?.apiPath || assetCol?.slug || "_opaca_assets"}`;
+    const assetCol = getSystemCollections().find((c) => c.slug === "_assets");
+    const assetPath = `/${assetCol?.apiPath || assetCol?.slug || "_assets"}`;
     assetsServingRouter.get(`${assetPath}/:id/view`, assetsHandlers.serve);
   }
   return assetsServingRouter;
@@ -1267,13 +1613,17 @@ function createAuthMiddleware(getAuth) {
       await next();
       return;
     }
-    const session = await auth.api.getSession({ headers: c.req.raw.headers });
-    if (session) {
-      c.set("user", session.user);
-      c.set("session", session.session);
-      c.set("apiKey", null);
-      await next();
-      return;
+    try {
+      const session = await auth.api.getSession({ headers: c.req.raw.headers });
+      if (session) {
+        c.set("user", session.user);
+        c.set("session", session.session);
+        c.set("apiKey", null);
+        await next();
+        return;
+      }
+    } catch (err) {
+      logger.debug("Session verification failed or threw:", err);
     }
     const authHeader = c.req.header("Authorization");
     if (authHeader && authHeader.startsWith("Bearer ")) {
@@ -1453,7 +1803,6 @@ function createDatabaseInitMiddleware(config, state) {
 }
 
 // src/server/middlewares/rate-limit.ts
-import { rateLimiter } from "hono-rate-limiter";
 function createRateLimitMiddleware(config) {
   const rateLimitConfig = config.api?.rateLimit;
   if (rateLimitConfig?.enabled === false) {
@@ -1470,11 +1819,17 @@ function createRateLimitMiddleware(config) {
       }
     }
     if (provider) {
-      const limiter2 = rateLimiter({
-        binding: () => provider,
-        keyGenerator: rateLimitConfig?.keyGenerator || ((c2) => c2.req.header("cf-connecting-ip") || c2.req.header("x-forwarded-for") || "anonymous")
-      });
-      return limiter2(c, next);
+      try {
+        const { rateLimiter } = await import("hono-rate-limiter");
+        const limiter = rateLimiter({
+          binding: () => provider,
+          keyGenerator: rateLimitConfig?.keyGenerator || ((c2) => c2.req.header("cf-connecting-ip") || c2.req.header("x-forwarded-for") || "anonymous")
+        });
+        return limiter(c, next);
+      } catch (e) {
+        logger.error("Failed to load 'hono-rate-limiter'. Please install it to use rate limiting features.", e);
+        return await next();
+      }
     }
     let resolvedStore = rateLimitConfig?.store;
     if (!resolvedStore && c.env) {
@@ -1488,15 +1843,21 @@ function createRateLimitMiddleware(config) {
         }
       }
     }
-    const limiter = rateLimiter({
-      windowMs,
-      limit,
-      standardHeaders: "draft-6",
-      store: resolvedStore,
-      keyGenerator: rateLimitConfig?.keyGenerator || ((c2) => c2.req.header("cf-connecting-ip") || c2.req.header("x-forwarded-for") || "anonymous"),
-      message: "Too many requests from this IP, please try again after a minute."
-    });
-    return limiter(c, next);
+    try {
+      const { rateLimiter } = await import("hono-rate-limiter");
+      const limiter = rateLimiter({
+        windowMs,
+        limit,
+        standardHeaders: "draft-6",
+        store: resolvedStore,
+        keyGenerator: rateLimitConfig?.keyGenerator || ((c2) => c2.req.header("cf-connecting-ip") || c2.req.header("x-forwarded-for") || "anonymous"),
+        message: "Too many requests from this IP, please try again after a minute."
+      });
+      return limiter(c, next);
+    } catch (e) {
+      logger.error("Failed to load 'hono-rate-limiter'. Please install it to use rate limiting features.", e);
+      return await next();
+    }
   };
 }
 
@@ -1518,163 +1879,319 @@ function setupMiddlewares(router, config, state) {
 }
 function setupAuthMiddlewares(router, config, state) {
   router.use("*", createAuthMiddleware(() => state.auth));
+  router.use("*", async (c, next) => {
+    const user = c.get("user");
+    await requestContext.run({ userId: user?.id }, async () => {
+      await next();
+    });
+  });
 }
 
-// src/server/openapi.ts
-import { z as z2 } from "zod";
-import { zodToJsonSchema } from "zod-to-json-schema";
-function generateOpenAPISchema(config) {
-  const openapi = {
-    openapi: "3.1.0",
-    info: {
-      title: config.appName || "OpacaCMS API",
-      version: "1.0.0",
-      description: "Automatically generated OpenAPI schema for OpacaCMS Collections and Globals."
-    },
-    paths: {},
-    components: {
-      schemas: {},
-      securitySchemes: {
-        bearerAuth: {
-          type: "http",
-          scheme: "bearer"
-        }
-      }
+// src/server/graphql.ts
+import {
+  GraphQLBoolean,
+  GraphQLFloat,
+  GraphQLInt,
+  GraphQLList,
+  GraphQLNonNull,
+  GraphQLObjectType,
+  GraphQLScalarType,
+  GraphQLSchema,
+  GraphQLString
+} from "graphql";
+var GraphQLJSON = new GraphQLScalarType({
+  name: "JSON",
+  description: "The `JSON` scalar type represents JSON values as specified by ECMA-404",
+  serialize: (value) => value,
+  parseValue: (value) => value,
+  parseLiteral: (ast) => {
+    switch (ast.kind) {
+      case "StringValue":
+        return JSON.parse(ast.value);
+      case "ObjectValue":
+        throw new Error("Not implemented");
+      default:
+        return null;
     }
+  }
+});
+function getGraphQLType(field) {
+  switch (field.type) {
+    case "text":
+    case "slug":
+    case "textarea":
+    case "richtext":
+    case "select":
+    case "radio":
+    case "date":
+    case "file":
+    case "relationship":
+      return GraphQLString;
+    case "number":
+      return GraphQLFloat;
+    case "boolean":
+      return GraphQLBoolean;
+    case "json":
+    case "blocks":
+    case "array":
+    case "group":
+    case "row":
+    case "collapsible":
+    case "tabs":
+      return GraphQLJSON;
+    default:
+      return GraphQLString;
+  }
+}
+function buildCollectionType(collection, nameOverride) {
+  const fields = {
+    id: { type: GraphQLString }
   };
-  for (const collection of config.collections || []) {
-    const isHidden = collection.hidden === true;
-    if (isHidden)
+  if (collection.timestamps !== false) {
+    fields.createdAt = { type: GraphQLString };
+    fields.updatedAt = { type: GraphQLString };
+  }
+  for (const field of collection.fields) {
+    if (field.name) {
+      fields[sanitizeGraphQLName(field.name)] = { type: getGraphQLType(field) };
+    }
+  }
+  return new GraphQLObjectType({
+    name: nameOverride || sanitizeGraphQLName(collection.slug),
+    fields
+  });
+}
+function buildCollectionPaginatedType(collectionType, collectionSlug) {
+  return new GraphQLObjectType({
+    name: `Paginated${sanitizeGraphQLName(collectionSlug)}`,
+    fields: {
+      docs: { type: new GraphQLList(collectionType) },
+      totalDocs: { type: GraphQLInt },
+      limit: { type: GraphQLInt },
+      totalPages: { type: GraphQLInt },
+      page: { type: GraphQLInt },
+      pagingCounter: { type: GraphQLInt },
+      hasPrevPage: { type: GraphQLBoolean },
+      hasNextPage: { type: GraphQLBoolean },
+      prevPage: { type: GraphQLInt },
+      nextPage: { type: GraphQLInt },
+      nextCursor: { type: GraphQLString },
+      prevCursor: { type: GraphQLString }
+    }
+  });
+}
+function generateGraphQLSchema(config, state) {
+  const queryFields = {};
+  const mutationFields = {};
+  for (const collection of config.collections) {
+    if (collection.hidden)
       continue;
-    const pathBase = `/api/${collection.apiPath || collection.slug}`;
-    const tag = collection.label || collection.slug;
-    const zodSchema = generateSchemaForCollection(collection, false, true);
-    const schemaName = collection.slug.charAt(0).toUpperCase() + collection.slug.slice(1);
-    const jsonSchema = typeof z2.toJSONSchema === "function" ? z2.toJSONSchema(zodSchema, { target: "openapi-3.0" }) : zodToJsonSchema(zodSchema, { target: "openApi3" });
-    openapi.components.schemas[schemaName] = jsonSchema;
-    const ref = `#/components/schemas/${schemaName}`;
-    openapi.paths[pathBase] = {
-      get: {
-        tags: [tag],
-        summary: `Find ${tag}`,
-        parameters: [
-          { name: "limit", in: "query", schema: { type: "integer" } },
-          { name: "page", in: "query", schema: { type: "integer" } }
-        ],
-        responses: {
-          "200": {
-            description: "Successful response",
-            content: {
-              "application/json": {
-                schema: {
-                  type: "object",
-                  properties: {
-                    docs: { type: "array", items: { $ref: ref } },
-                    totalDocs: { type: "integer" }
-                  }
-                }
-              }
-            }
-          }
-        }
+    const handlers = createHandlers(collection, config);
+    const collectionType = buildCollectionType(collection);
+    const paginatedType = buildCollectionPaginatedType(collectionType, collection.slug);
+    const sanitizedSlug = sanitizeGraphQLName(collection.slug);
+    const capitalizedSlug = sanitizedSlug.charAt(0).toUpperCase() + sanitizedSlug.slice(1);
+    queryFields[`find${capitalizedSlug}`] = {
+      type: paginatedType,
+      args: {
+        limit: { type: GraphQLInt },
+        page: { type: GraphQLInt },
+        sort: { type: GraphQLString }
       },
-      post: {
-        tags: [tag],
-        summary: `Create ${tag}`,
-        requestBody: {
-          required: true,
-          content: {
-            "application/json": { schema: { $ref: ref } }
-          }
-        },
-        responses: {
-          "201": {
-            description: "Created successfully",
-            content: { "application/json": { schema: { $ref: ref } } }
+      resolve: async (_, args, c) => {
+        const req = {
+          query: (key) => {
+            if (!key)
+              return args;
+            return args[key] !== undefined ? String(args[key]) : undefined;
+          },
+          queries: () => ({})
+        };
+        const ctx = { ...c, req: { ...c.req, ...req } };
+        ctx.req.query = req.query;
+        let result;
+        ctx.json = (data, status) => {
+          if (status && status >= 400)
+            throw new Error(data?.message || "Error");
+          result = data;
+          return data;
+        };
+        await handlers.find(ctx);
+        return result;
+      }
+    };
+    queryFields[`get${capitalizedSlug}`] = {
+      type: collectionType,
+      args: {
+        id: { type: new GraphQLNonNull(GraphQLString) }
+      },
+      resolve: async (_, args, c) => {
+        const req = {
+          param: (key) => {
+            if (key === "id")
+              return args.id;
+            if (!key)
+              return { id: args.id };
+            return args.id;
           }
-        }
+        };
+        const ctx = { ...c, req: { ...c.req, ...req } };
+        ctx.req.param = req.param;
+        let result;
+        ctx.json = (data, status) => {
+          if (status && status >= 400)
+            throw new Error(data?.message || "Error");
+          result = data;
+          return data;
+        };
+        await handlers.findOne(ctx);
+        return result?.doc || result;
       }
     };
-    openapi.paths[`${pathBase}/{id}`] = {
-      get: {
-        tags: [tag],
-        summary: `Find ${tag} by ID`,
-        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
-        responses: {
-          "200": {
-            description: "Successful response",
-            content: { "application/json": { schema: { $ref: ref } } }
+    mutationFields[`create${capitalizedSlug}`] = {
+      type: collectionType,
+      args: {
+        data: { type: new GraphQLNonNull(GraphQLJSON) }
+      },
+      resolve: async (_, args, c) => {
+        const req = {
+          json: async () => args.data
+        };
+        const ctx = { ...c, req: { ...c.req, ...req } };
+        let result;
+        ctx.json = (data, status) => {
+          if (status && status >= 400)
+            throw new Error(data?.message || "Error");
+          result = data;
+          return data;
+        };
+        await handlers.create(ctx);
+        return result?.doc || result;
+      }
+    };
+    mutationFields[`update${capitalizedSlug}`] = {
+      type: collectionType,
+      args: {
+        id: { type: new GraphQLNonNull(GraphQLString) },
+        data: { type: new GraphQLNonNull(GraphQLJSON) }
+      },
+      resolve: async (_, args, c) => {
+        const req = {
+          param: (key) => {
+            if (key === "id")
+              return args.id;
+            if (!key)
+              return { id: args.id };
+            return args.id;
           },
-          "404": { description: "Not found" }
-        }
+          json: async () => args.data
+        };
+        const ctx = { ...c, req: { ...c.req, ...req } };
+        ctx.req.param = req.param;
+        let result;
+        ctx.json = (data, status) => {
+          if (status && status >= 400)
+            throw new Error(data?.message || "Error");
+          result = data;
+          return data;
+        };
+        await handlers.update(ctx);
+        return result?.doc || result;
+      }
+    };
+    mutationFields[`delete${capitalizedSlug}`] = {
+      type: GraphQLBoolean,
+      args: {
+        id: { type: new GraphQLNonNull(GraphQLString) }
       },
-      patch: {
-        tags: [tag],
-        summary: `Update ${tag}`,
-        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
-        requestBody: {
-          content: { "application/json": { schema: { $ref: ref } } }
-        },
-        responses: {
-          "200": {
-            description: "Updated successfully",
-            content: { "application/json": { schema: { $ref: ref } } }
+      resolve: async (_, args, c) => {
+        const req = {
+          param: (key) => {
+            if (key === "id")
+              return args.id;
+            if (!key)
+              return { id: args.id };
+            return args.id;
           }
-        }
-      },
-      delete: {
-        tags: [tag],
-        summary: `Delete ${tag}`,
-        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
-        responses: {
-          "200": { description: "Deleted successfully" }
-        }
+        };
+        const ctx = { ...c, req: { ...c.req, ...req } };
+        ctx.req.param = req.param;
+        let result;
+        ctx.json = (data, status) => {
+          if (status && status >= 400)
+            throw new Error(data?.message || "Error");
+          result = data;
+          return data;
+        };
+        await handlers.delete(ctx);
+        return result;
       }
     };
   }
-  for (const global of config.globals || []) {
-    const pathBase = `/api/globals/${global.slug}`;
-    const tag = global.label || global.slug;
-    const zodSchema = generateSchemaForCollection(global, false, true);
-    const schemaName = global.slug.charAt(0).toUpperCase() + global.slug.slice(1);
-    const jsonSchema = typeof z2.toJSONSchema === "function" ? z2.toJSONSchema(zodSchema, { target: "openapi-3.0" }) : zodToJsonSchema(zodSchema, { target: "openApi3" });
-    openapi.components.schemas[schemaName] = jsonSchema;
-    const ref = `#/components/schemas/${schemaName}`;
-    openapi.paths[pathBase] = {
-      get: {
-        tags: [tag],
-        summary: `Find ${tag}`,
-        responses: {
-          "200": {
-            description: "Successful response",
-            content: { "application/json": { schema: { $ref: ref } } }
-          }
+  if (config.globals) {
+    for (const globalConfig of config.globals) {
+      const handlers = createGlobalHandlers(config, globalConfig, () => state.auth);
+      const sanitizedGlobalSlug = sanitizeGraphQLName(globalConfig.slug);
+      const capitalizedGlobalSlug = sanitizedGlobalSlug.charAt(0).toUpperCase() + sanitizedGlobalSlug.slice(1);
+      const globalType = buildCollectionType(globalConfig, `Global_${sanitizedGlobalSlug}`);
+      queryFields[`get${capitalizedGlobalSlug}`] = {
+        type: globalType,
+        resolve: async (_, __, c) => {
+          const req = {};
+          const ctx = { ...c, req: { ...c.req, ...req } };
+          let result;
+          ctx.json = (data) => {
+            result = data;
+            return data;
+          };
+          await handlers.find(ctx);
+          return result;
         }
-      },
-      post: {
-        tags: [tag],
-        summary: `Update ${tag}`,
-        requestBody: {
-          content: { "application/json": { schema: { $ref: ref } } }
+      };
+      mutationFields[`update${capitalizedGlobalSlug}`] = {
+        type: globalType,
+        args: {
+          data: { type: new GraphQLNonNull(GraphQLJSON) }
         },
-        responses: {
-          "200": {
-            description: "Updated successfully",
-            content: { "application/json": { schema: { $ref: ref } } }
-          }
+        resolve: async (_, args, c) => {
+          const req = {
+            json: async () => args.data
+          };
+          const ctx = { ...c, req: { ...c.req, ...req } };
+          let result;
+          ctx.json = (data) => {
+            result = data;
+            return data;
+          };
+          await handlers.update(ctx);
+          return result;
         }
-      }
-    };
+      };
+    }
   }
-  return openapi;
+  if (Object.keys(queryFields).length === 0) {
+    queryFields._empty = { type: GraphQLString, resolve: () => "Empty" };
+  }
+  const queryType = new GraphQLObjectType({
+    name: "Query",
+    fields: queryFields
+  });
+  const schemaConfig = { query: queryType };
+  if (Object.keys(mutationFields).length > 0) {
+    schemaConfig.mutation = new GraphQLObjectType({
+      name: "Mutation",
+      fields: mutationFields
+    });
+  }
+  return new GraphQLSchema(schemaConfig);
 }
 
 // src/server/routers/plugins.ts
-function mountPluginRoutes(config, settings, logger2, router) {
+function mountPluginRoutes(config, settings, logger2, router, env = {}) {
   if (config.plugins && Array.isArray(config.plugins)) {
     for (const plugin of config.plugins) {
       const pluginSettings = settings[plugin.name] || {};
-      const pluginContext = { config, logger: logger2, settings: pluginSettings };
+      const pluginContext = { config, logger: logger2, settings: pluginSettings, env };
       if (plugin.onRequest) {
         router.use("*", async (c, next) => {
           const result = await plugin.onRequest(c);
@@ -1694,21 +2211,22 @@ function mountPluginRoutes(config, settings, logger2, router) {
     }
   }
 }
-function firePluginInitComplete(config, settings, logger2) {
+function firePluginInitComplete(config, settings, logger2, env = {}) {
   if (config.plugins && Array.isArray(config.plugins)) {
     for (const plugin of config.plugins) {
       if (plugin.onInitComplete) {
         const pluginSettings = settings[plugin.name] || {};
-        plugin.onInitComplete({ config, logger: logger2, settings: pluginSettings });
+        plugin.onInitComplete({ config, logger: logger2, settings: pluginSettings, env });
       }
     }
   }
 }
 
 // src/server/router.ts
-function createAPIRouter(config, settings = {}) {
+function createAPIRouter(config, settings = {}, env = {}) {
   const state = { auth: undefined, migrated: false };
-  const router = new Hono4().basePath("/api");
+  const app = new Hono4;
+  const router = new Hono4;
   setupMiddlewares(router, config, state);
   setupAuthMiddlewares(router, config, state);
   router.get("/", (c) => {
@@ -1718,9 +2236,30 @@ function createAPIRouter(config, settings = {}) {
   router.route("/__admin", createAdminRouter(config, settings, state));
   router.route("/__system", createSystemRouter(config));
   router.route("/", createAssetsServingRouter(config));
-  mountPluginRoutes(config, settings, logger, router);
-  mountCollectionRoutes(router, config, state);
-  mountGlobalRoutes(router, config, state);
+  mountPluginRoutes(config, settings, logger, router, env);
+  const isRestEnabled = config.api?.rest?.enabled !== false;
+  const isGraphQLEnabled = config.api?.graphql?.enabled === true;
+  if (isRestEnabled) {
+    mountCollectionRoutes(router, config, state);
+    mountGlobalRoutes(router, config, state);
+    mountIncomingWebhookRoutes(router, config);
+  }
+  if (isGraphQLEnabled) {
+    const graphqlPath = config.api?.graphql?.path || "/graphql";
+    const schema = generateGraphQLSchema(config, state);
+    router.use(graphqlPath, async (c, next) => {
+      try {
+        const { graphqlServer } = await import("@hono/graphql-server");
+        return graphqlServer({
+          schema,
+          graphiql: config.api?.graphql?.graphiql ?? false
+        })(c, next);
+      } catch (e) {
+        logger.error("Failed to load @hono/graphql-server. Please install 'graphql' and '@hono/graphql-server' to use GraphQL features.", e);
+        return c.json({ error: "GraphQL is enabled but dependencies are missing." }, 500);
+      }
+    });
+  }
   if (config.api?.openAPI?.enabled) {
     router.get("/open-api.json", (c) => {
       const schema = generateOpenAPISchema(config);
@@ -1746,8 +2285,14 @@ function createAPIRouter(config, settings = {}) {
       })(c, next);
     });
   }
-  firePluginInitComplete(config, settings, logger);
-  return router;
+  firePluginInitComplete(config, settings, logger, env);
+  app.route("/api", router);
+  app.get("/", (c) => c.redirect("/api"));
+  app.notFound((c) => {
+    console.error(`[OpacaRouter] 404 Not Found: ${c.req.method} ${c.req.url}`);
+    return c.json({ message: "Not Found", path: c.req.path }, 404);
+  });
+  return app;
 }
 
-export { createAdminHandlers, hydrateDoc, parsePopulate, populateDoc, createHandlers, createGlobalHandlers, createAPIRouter };
+export { createAdminHandlers, hydrateDoc, parsePopulate, populateDoc, createHandlers, createIncomingWebhookHandler, createGlobalHandlers, createAPIRouter };