opacacms 0.3.18 → 0.3.19

package/dist/runtimes/cloudflare-workers.js

@@ -1,26 +1,3081 @@
-import {
-  createAPIRouter
-} from "../chunk-2abqb0h6.js";
-import"../chunk-b1g8jmth.js";
-import"../chunk-2vbfc4q8.js";
-import"../chunk-hthm9srb.js";
-import"../chunk-q5sb5dcr.js";
-import"../chunk-5xpf5jxd.js";
-import"../chunk-jq1drsen.js";
-import"../chunk-h8v093av.js";
-import"../chunk-8sqjbsgt.js";
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+function __accessProp(key) {
+  return this[key];
+}
+var __toCommonJS = (from) => {
+  var entry = (__moduleCache ??= new WeakMap).get(from), desc;
+  if (entry)
+    return entry;
+  entry = __defProp({}, "__esModule", { value: true });
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (var key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(entry, key))
+        __defProp(entry, key, {
+          get: __accessProp.bind(from, key),
+          enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+        });
+  }
+  __moduleCache.set(from, entry);
+  return entry;
+};
+var __moduleCache;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined")
+    return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/db/system-schema.ts
+var exports_system_schema = {};
+__export(exports_system_schema, {
+  getSystemCollections: () => getSystemCollections
+});
+var getSystemCollections = () => [
+  {
+    slug: "_assets",
+    label: "Assets",
+    apiPath: "assets",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "key", type: "text", required: true },
+      { name: "filename", type: "text", required: true },
+      { name: "originalFilename", type: "text", required: true },
+      { name: "mimeType", type: "text", required: true },
+      { name: "filesize", type: "number", required: true },
+      { name: "bucket", type: "text", required: true },
+      { name: "folder", type: "text" },
+      { name: "altText", type: "text" },
+      { name: "caption", type: "text" },
+      { name: "uploadedBy", type: "text" }
+    ],
+    timestamps: true
+  },
+  {
+    slug: "_users",
+    apiPath: "users",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "name", type: "text", required: true },
+      { name: "email", type: "text", required: true, unique: true },
+      { name: "emailVerified", type: "boolean", required: true, defaultValue: false },
+      { name: "image", type: "text" },
+      { name: "role", type: "text" },
+      { name: "banned", type: "boolean" },
+      { name: "banReason", type: "text" },
+      { name: "banExpires", type: "date" }
+    ],
+    timestamps: true
+  },
+  {
+    slug: "_sessions",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "expiresAt", type: "date", required: true },
+      { name: "token", type: "text", required: true, unique: true },
+      { name: "ipAddress", type: "text" },
+      { name: "userAgent", type: "text" },
+      {
+        name: "userId",
+        type: "text",
+        required: true,
+        references: { table: "_users", column: "id", onDelete: "cascade" }
+      },
+      { name: "impersonatedBy", type: "text" }
+    ],
+    timestamps: true,
+    hidden: true
+  },
+  {
+    slug: "_accounts",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "accountId", type: "text", required: true },
+      { name: "providerId", type: "text", required: true },
+      {
+        name: "userId",
+        type: "text",
+        required: true,
+        references: { table: "_users", column: "id", onDelete: "cascade" }
+      },
+      { name: "accessToken", type: "text" },
+      { name: "refreshToken", type: "text" },
+      { name: "idToken", type: "text" },
+      { name: "accessTokenExpiresAt", type: "date" },
+      { name: "refreshTokenExpiresAt", type: "date" },
+      { name: "scope", type: "text" },
+      { name: "password", type: "text" }
+    ],
+    timestamps: true,
+    hidden: true
+  },
+  {
+    slug: "_verifications",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "identifier", type: "text", required: true },
+      { name: "value", type: "text", required: true },
+      { name: "expiresAt", type: "date", required: true }
+    ],
+    timestamps: true,
+    hidden: true
+  },
+  {
+    slug: "_api_keys",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "configId", type: "text", required: true },
+      { name: "name", type: "text" },
+      { name: "start", type: "text" },
+      { name: "prefix", type: "text" },
+      { name: "key", type: "text", required: true },
+      { name: "referenceId", type: "text", required: true },
+      { name: "refillInterval", type: "number" },
+      { name: "refillAmount", type: "number" },
+      { name: "lastRefillAt", type: "date" },
+      { name: "enabled", type: "boolean", required: true },
+      { name: "rateLimitEnabled", type: "boolean", required: true },
+      { name: "rateLimitTimeWindow", type: "number" },
+      { name: "rateLimitMax", type: "number" },
+      { name: "requestCount", type: "number", required: true },
+      { name: "remaining", type: "number" },
+      { name: "lastRequest", type: "date" },
+      { name: "expiresAt", type: "date" },
+      { name: "permissions", type: "text" },
+      { name: "metadata", type: "text" }
+    ],
+    timestamps: { createdAt: "createdAt", updatedAt: "updatedAt" },
+    hidden: true
+  },
+  {
+    slug: "_plugin_settings",
+    label: "Plugin Settings",
+    apiPath: "plugin-settings",
+    fields: [
+      { name: "pluginName", type: "text", required: true, unique: true },
+      { name: "config", type: "json", required: true }
+    ],
+    timestamps: true,
+    hidden: false,
+    admin: {
+      hidden: true,
+      disableAdmin: true
+    }
+  },
+  {
+    slug: "_audit_logs",
+    label: "Audit Logs",
+    apiPath: "audit-logs",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "operation", type: "text", required: true },
+      { name: "collection", type: "text", required: true },
+      { name: "entity_id", type: "text", required: true },
+      { name: "user_id", type: "text" },
+      { name: "previous_data", type: "json" },
+      { name: "new_data", type: "json" },
+      { name: "timestamp", type: "date" }
+    ],
+    timestamps: true,
+    admin: {
+      hidden: true,
+      disableAdmin: true
+    }
+  },
+  {
+    slug: "_doc_versions",
+    label: "Document Versions",
+    apiPath: "doc-versions",
+    fields: [
+      { name: "id", type: "text", required: true },
+      { name: "collection", type: "text", required: true },
+      { name: "entity_id", type: "text", required: true },
+      { name: "data", type: "json", required: true },
+      { name: "status", type: "text" },
+      { name: "autosave", type: "boolean", defaultValue: false },
+      { name: "version_name", type: "text" },
+      { name: "created_by", type: "text" }
+    ],
+    timestamps: true,
+    admin: {
+      hidden: true,
+      disableAdmin: true
+    }
+  }
+];
+
+// src/schema/compiler.ts
+var exports_compiler = {};
+__export(exports_compiler, {
+  zodToOpacaFields: () => zodToOpacaFields
+});
+function zodToOpacaFields(schema, currentPath = "") {
+  if (!schema || !schema._def) {
+    return [];
+  }
+  let innerSchema = schema;
+  let meta = {};
+  while (innerSchema && innerSchema._def && ["optional", "nullable", "default"].includes(innerSchema._def.type)) {
+    const currentMeta = typeof innerSchema.meta === "function" ? innerSchema.meta() : innerSchema._def.meta;
+    if (currentMeta?.opaca) {
+      meta = { ...currentMeta.opaca, ...meta };
+    }
+    innerSchema = innerSchema._def.innerType;
+  }
+  if (innerSchema && innerSchema._def) {
+    const finalMeta = typeof innerSchema.meta === "function" ? innerSchema.meta() : innerSchema._def.meta;
+    if (finalMeta?.opaca) {
+      meta = { ...finalMeta.opaca, ...meta };
+    }
+  }
+  const def = schema._def;
+  const defaultValue = def.type === "default" && typeof def.defaultValue === "function" ? def.defaultValue() : def.defaultValue;
+  const baseConfig = {
+    name: currentPath,
+    label: meta.admin?.label || currentPath,
+    required: !schema.isOptional(),
+    unique: meta.unique || false,
+    localized: meta.localized || false,
+    virtual: meta.virtual || meta.isVirtual || false,
+    requiredCondition: meta.requiredCondition || meta.required,
+    condition: meta.condition || meta.admin?.condition,
+    defaultValue,
+    admin: {
+      ...meta.admin,
+      condition: meta.condition || meta.admin?.condition,
+      requiredCondition: meta.requiredCondition || meta.required
+    },
+    ...meta.admin,
+    ...meta
+  };
+  const OPACA_TYPES = [
+    "text",
+    "slug",
+    "textarea",
+    "number",
+    "richtext",
+    "relationship",
+    "select",
+    "radio",
+    "date",
+    "boolean",
+    "json",
+    "file",
+    "blocks",
+    "group",
+    "row",
+    "collapsible",
+    "tabs",
+    "join",
+    "array",
+    "virtual",
+    "ui"
+  ];
+  const type = innerSchema._def.type;
+  if (type === "string") {
+    const component = meta.admin?.component;
+    return [
+      {
+        ...baseConfig,
+        type: component && OPACA_TYPES.includes(component) ? component : "text"
+      }
+    ];
+  }
+  if (type === "number") {
+    return [{ ...baseConfig, type: "number" }];
+  }
+  if (type === "boolean") {
+    return [{ ...baseConfig, type: "boolean" }];
+  }
+  if (type === "date") {
+    return [{ ...baseConfig, type: "date" }];
+  }
+  if (type === "enum") {
+    const component = meta.admin?.component;
+    const choices = innerSchema._def.values || Object.values(innerSchema.enum || {});
+    return [
+      {
+        ...baseConfig,
+        type: component && OPACA_TYPES.includes(component) ? component : "select",
+        options: {
+          choices
+        }
+      }
+    ];
+  }
+  if (type === "object") {
+    const shape = innerSchema.shape;
+    const nestedFields = Object.entries(shape).flatMap(([key, val]) => zodToOpacaFields(val, key));
+    if (currentPath === "") {
+      return nestedFields;
+    }
+    const component = meta.admin?.component || "group";
+    if (component === "tabs" && meta.admin?.tabsConfig) {
+      return [
+        {
+          ...baseConfig,
+          type: "tabs",
+          tabs: meta.admin.tabsConfig.map((t) => ({
+            label: t.label,
+            fields: nestedFields.filter((f) => t.fields.includes(f.name))
+          }))
+        }
+      ];
+    }
+    return [
+      {
+        ...baseConfig,
+        type: component,
+        fields: nestedFields
+      }
+    ];
+  }
+  if (type === "array") {
+    const elementSchema = innerSchema._def.element;
+    const component = meta.admin?.component || "array";
+    const isDiscUnion = elementSchema && elementSchema._def.type === "union" && elementSchema._def.discriminator;
+    if (component === "blocks" || isDiscUnion) {
+      let blocks = [];
+      if (isDiscUnion) {
+        const options = elementSchema._def.options;
+        blocks = options.map((obj) => {
+          const discriminator = elementSchema._def.discriminator;
+          const shape = obj.shape;
+          const discriminatorField = shape?.[discriminator];
+          const slug = discriminatorField?._def.values?.[0] || "block";
+          return {
+            slug,
+            fields: zodToOpacaFields(obj)
+          };
+        });
+      }
+      return [
+        {
+          ...baseConfig,
+          type: "blocks",
+          blocks
+        }
+      ];
+    }
+    return [
+      {
+        ...baseConfig,
+        type: "array",
+        fields: elementSchema ? zodToOpacaFields(elementSchema, "") : []
+      }
+    ];
+  }
+  if (meta.admin?.component) {
+    return [
+      {
+        ...baseConfig,
+        type: meta.admin.component
+      }
+    ];
+  }
+  return [
+    {
+      ...baseConfig,
+      type: "json"
+    }
+  ];
+}
 
 // src/runtimes/cloudflare-workers.ts
+import { Hono as Hono5 } from "hono";
+
+// src/server/router.ts
+import { Hono as Hono4 } from "hono";
+
+// src/server/openapi.ts
+import { z as z2 } from "zod";
+import { zodToJsonSchema } from "zod-to-json-schema";
+
+// src/validator.ts
+import { z } from "zod";
+function generateSchemaForCollection(collection, isUpdate = false, forDocs = false) {
+  let shape;
+  if (collection.schema && collection.schema._def.type === "object") {
+    const originalShape = collection.schema.shape;
+    shape = { ...originalShape };
+    if (isUpdate) {
+      for (const key in shape) {
+        const field = shape[key];
+        if (field) {
+          shape[key] = field.optional().nullable();
+        }
+      }
+    }
+  } else {
+    shape = mapFieldsToShape(collection.fields, isUpdate, forDocs);
+  }
+  if (collection.versions) {
+    shape._status = z.enum(["draft", "published"]).optional().nullable();
+  }
+  const ts = collection.timestamps;
+  if (ts !== false && ts !== undefined) {
+    const config = typeof ts === "object" ? ts : {};
+    const createdField = config.createdAt || "createdAt";
+    const updatedField = config.updatedAt || "updatedAt";
+    const dateSchema = forDocs ? z.string() : z.union([z.string(), z.date()]);
+    shape[createdField] = dateSchema.optional().nullable();
+    shape[updatedField] = dateSchema.optional().nullable();
+  }
+  let baseSchema = z.object(shape);
+  if (!isUpdate) {
+    baseSchema = baseSchema.superRefine((data, ctx) => {
+      const checkFields = (fields, currentData, path = []) => {
+        if (!fields)
+          return;
+        fields.forEach((field) => {
+          if (field.requiredCondition && typeof field.requiredCondition === "function") {
+            const isRequired = field.requiredCondition(data);
+            const value = currentData?.[field.name];
+            if (isRequired && (value === undefined || value === null || value === "")) {
+              ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                message: `${field.label || field.name} is required`,
+                path: [...path, field.name]
+              });
+            }
+          }
+          if (field.fields && Array.isArray(field.fields)) {
+            checkFields(field.fields, currentData?.[field.name], [...path, field.name]);
+          }
+          if (field.tabs && Array.isArray(field.tabs)) {
+            field.tabs.forEach((tab) => {
+              checkFields(tab.fields, currentData, path);
+            });
+          }
+        });
+      };
+      checkFields(collection.fields, data);
+    });
+  }
+  return baseSchema;
+}
+function mapFieldsToShape(fields, isUpdate = false, forDocs = false) {
+  const shape = {};
+  for (const field of fields) {
+    if (field.type === "virtual" || field.type === "ui")
+      continue;
+    if (!field.name) {
+      if (field.type === "tabs" && field.tabs) {
+        for (const tab of field.tabs) {
+          Object.assign(shape, mapFieldsToShape(tab.fields, isUpdate, forDocs));
+        }
+      } else if (field.type === "group" && field.fields) {
+        Object.assign(shape, mapFieldsToShape(field.fields, isUpdate, forDocs));
+      } else if (field.type === "row" && field.fields) {
+        Object.assign(shape, mapFieldsToShape(field.fields, isUpdate, forDocs));
+      } else if (field.type === "collapsible" && field.fields) {
+        Object.assign(shape, mapFieldsToShape(field.fields, isUpdate, forDocs));
+      }
+      continue;
+    }
+    const fieldName = field.name;
+    let schema;
+    if (field.type === "group" && field.fields) {
+      schema = z.object(mapFieldsToShape(field.fields, isUpdate, forDocs));
+    } else if (field.type === "blocks" && field.blocks) {
+      const blockSchemas = field.blocks.map((block) => z.object({
+        blockType: z.literal(block.slug),
+        ...mapFieldsToShape(block.fields, isUpdate, forDocs)
+      }));
+      schema = z.array(z.union(blockSchemas));
+    } else if (field.type === "row" || field.type === "collapsible") {
+      if (field.fields) {
+        schema = z.object(mapFieldsToShape(field.fields, isUpdate, forDocs));
+      } else {
+        schema = z.any();
+      }
+    } else {
+      schema = mapFieldToZod(field, forDocs);
+    }
+    if (field.localized) {
+      schema = z.union([z.record(z.string(), schema), schema]);
+    }
+    if (field.required && !isUpdate) {
+      if (field.type === "slug" && field.from) {
+        schema = schema.optional().nullable();
+      }
+    } else {
+      schema = schema.optional().nullable();
+    }
+    if (field.defaultValue !== undefined && !isUpdate) {
+      schema = schema.default(field.defaultValue);
+    }
+    if (field.validate) {
+      if (typeof field.validate === "function") {
+        schema = schema.superRefine((val, ctx) => {
+          if (val === undefined || val === null)
+            return;
+          const result = field.validate(val);
+          if (result !== true) {
+            ctx.addIssue({
+              code: z.ZodIssueCode.custom,
+              message: typeof result === "string" ? result : "Invalid field"
+            });
+          }
+        });
+      } else if (field.validate instanceof z.ZodType) {
+        schema = z.intersection(schema, field.validate);
+      }
+    }
+    shape[fieldName] = schema;
+  }
+  return shape;
+}
+function mapFieldToZod(field, forDocs = false) {
+  switch (field.type) {
+    case "text":
+    case "slug":
+    case "textarea":
+      return z.string();
+    case "richtext":
+      return z.any();
+    case "relationship":
+      return field.hasMany ? z.array(z.string()) : z.string();
+    case "select":
+    case "radio": {
+      const choices = field.options?.choices || [];
+      const values = choices.map((c) => typeof c === "string" ? c : c.value);
+      if (values.length > 0) {
+        return z.enum(values);
+      }
+      return z.string();
+    }
+    case "date":
+      return forDocs ? z.string() : z.union([z.string(), z.date()]);
+    case "boolean":
+      return z.preprocess((val) => {
+        if (val === "true" || val === 1)
+          return true;
+        if (val === "false" || val === 0)
+          return false;
+        return val;
+      }, z.boolean());
+    case "number":
+      return z.preprocess((val) => {
+        if (val === "" || val === undefined || val === null)
+          return;
+        if (typeof val === "string") {
+          const num = Number(val);
+          return Number.isNaN(num) ? undefined : num;
+        }
+        return val;
+      }, z.number());
+    case "json":
+      return z.any();
+    case "file":
+      return z.object({
+        id: z.string(),
+        url: z.string(),
+        filename: z.string(),
+        mime_type: z.string(),
+        filesize: z.number(),
+        width: z.number().optional().nullable(),
+        height: z.number().optional().nullable(),
+        focal_x: z.number().optional().nullable(),
+        focal_y: z.number().optional().nullable()
+      });
+    case "array":
+      return z.array(z.any());
+    default:
+      return z.any();
+  }
+}
+
+// src/server/openapi.ts
+function generateOpenAPISchema(config) {
+  const openapi = {
+    openapi: "3.1.0",
+    info: {
+      title: config.appName || "OpacaCMS API",
+      version: "1.0.0",
+      description: "Automatically generated OpenAPI schema for OpacaCMS Collections and Globals."
+    },
+    paths: {},
+    components: {
+      schemas: {},
+      securitySchemes: {
+        bearerAuth: {
+          type: "http",
+          scheme: "bearer"
+        }
+      }
+    }
+  };
+  for (const collection of config.collections || []) {
+    const isHidden = collection.hidden === true;
+    if (isHidden)
+      continue;
+    const pathBase = `/api/${collection.apiPath || collection.slug}`;
+    const tag = collection.label || collection.slug;
+    const zodSchema = generateSchemaForCollection(collection, false, true);
+    const schemaName = collection.slug.charAt(0).toUpperCase() + collection.slug.slice(1);
+    const jsonSchema = typeof z2.toJSONSchema === "function" ? z2.toJSONSchema(zodSchema, { target: "openapi-3.0" }) : zodToJsonSchema(zodSchema, { target: "openApi3" });
+    openapi.components.schemas[schemaName] = jsonSchema;
+    const ref = `#/components/schemas/${schemaName}`;
+    openapi.paths[pathBase] = {
+      get: {
+        tags: [tag],
+        summary: `Find ${tag}`,
+        parameters: [
+          { name: "limit", in: "query", schema: { type: "integer" } },
+          { name: "page", in: "query", schema: { type: "integer" } }
+        ],
+        responses: {
+          "200": {
+            description: "Successful response",
+            content: {
+              "application/json": {
+                schema: {
+                  type: "object",
+                  properties: {
+                    docs: { type: "array", items: { $ref: ref } },
+                    totalDocs: { type: "integer" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      post: {
+        tags: [tag],
+        summary: `Create ${tag}`,
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": { schema: { $ref: ref } }
+          }
+        },
+        responses: {
+          "201": {
+            description: "Created successfully",
+            content: { "application/json": { schema: { $ref: ref } } }
+          }
+        }
+      }
+    };
+    openapi.paths[`${pathBase}/{id}`] = {
+      get: {
+        tags: [tag],
+        summary: `Find ${tag} by ID`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        responses: {
+          "200": {
+            description: "Successful response",
+            content: { "application/json": { schema: { $ref: ref } } }
+          },
+          "404": { description: "Not found" }
+        }
+      },
+      patch: {
+        tags: [tag],
+        summary: `Update ${tag}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        requestBody: {
+          content: { "application/json": { schema: { $ref: ref } } }
+        },
+        responses: {
+          "200": {
+            description: "Updated successfully",
+            content: { "application/json": { schema: { $ref: ref } } }
+          }
+        }
+      },
+      delete: {
+        tags: [tag],
+        summary: `Delete ${tag}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        responses: {
+          "200": { description: "Deleted successfully" }
+        }
+      }
+    };
+  }
+  for (const global of config.globals || []) {
+    const pathBase = `/api/globals/${global.slug}`;
+    const tag = global.label || global.slug;
+    const zodSchema = generateSchemaForCollection(global, false, true);
+    const schemaName = global.slug.charAt(0).toUpperCase() + global.slug.slice(1);
+    const jsonSchema = typeof z2.toJSONSchema === "function" ? z2.toJSONSchema(zodSchema, { target: "openapi-3.0" }) : zodToJsonSchema(zodSchema, { target: "openApi3" });
+    openapi.components.schemas[schemaName] = jsonSchema;
+    const ref = `#/components/schemas/${schemaName}`;
+    openapi.paths[pathBase] = {
+      get: {
+        tags: [tag],
+        summary: `Find ${tag}`,
+        responses: {
+          "200": {
+            description: "Successful response",
+            content: { "application/json": { schema: { $ref: ref } } }
+          }
+        }
+      },
+      post: {
+        tags: [tag],
+        summary: `Update ${tag}`,
+        requestBody: {
+          content: { "application/json": { schema: { $ref: ref } } }
+        },
+        responses: {
+          "200": {
+            description: "Updated successfully",
+            content: { "application/json": { schema: { $ref: ref } } }
+          }
+        }
+      }
+    };
+  }
+  return openapi;
+}
+
+// src/server/routers/admin.ts
 import { Hono } from "hono";
+
+// src/config-utils.ts
+function sanitizeConfig(config, settings = {}) {
+  const collections = [...config.collections];
+  const supportsAuth = ["sqlite", "postgres", "d1", "bun-sqlite", "better-sqlite3"].includes(config.db.name);
+  const systemCollections = getSystemCollections();
+  for (const systemCol of systemCollections) {
+    const isAsset = systemCol.slug === "_assets";
+    const isAuth = ["_users", "_sessions", "_accounts", "_verifications", "_api_keys"].includes(systemCol.slug);
+    if (isAsset && config.storages || isAuth && supportsAuth) {
+      if (!collections.find((col) => col.slug === systemCol.slug)) {
+        collections.push({
+          ...systemCol,
+          admin: true
+        });
+      }
+    }
+  }
+  const serializeFn = (fn) => {
+    if (typeof fn !== "function")
+      return fn;
+    return `__opaca_fn__:${fn.toString()}`;
+  };
+  const sanitizeField = (f) => ({
+    name: f.name,
+    type: f.type,
+    label: f.label,
+    required: f.required,
+    unique: f.unique,
+    defaultValue: f.defaultValue,
+    localized: f.localized,
+    condition: serializeFn(f.condition),
+    requiredCondition: serializeFn(f.requiredCondition),
+    admin: f.admin ? {
+      description: f.admin.description,
+      hidden: f.admin.hidden,
+      readOnly: f.admin.readOnly,
+      components: f.admin.components,
+      condition: serializeFn(f.admin.condition),
+      requiredCondition: serializeFn(f.admin.requiredCondition)
+    } : undefined,
+    options: f.options,
+    fields: f.fields ? f.fields.map(sanitizeField) : undefined,
+    relationTo: f.relationTo,
+    displayField: f.displayField,
+    collection: f.collection,
+    on: f.on,
+    blocks: f.blocks ? f.blocks.map((b) => ({
+      slug: b.slug,
+      label: b.label,
+      fields: b.fields.map(sanitizeField)
+    })) : undefined,
+    tabs: f.tabs ? f.tabs.map((t) => ({
+      label: t.label,
+      fields: t.fields.map(sanitizeField)
+    })) : undefined
+  });
+  return {
+    appName: config.appName,
+    serverURL: config.serverURL,
+    collections: collections.map((col) => ({
+      slug: col.slug,
+      apiPath: col.apiPath,
+      label: col.label,
+      icon: col.icon,
+      admin: col.admin,
+      hidden: col.hidden,
+      fields: col.fields.map(sanitizeField),
+      timestamps: col.timestamps,
+      auth: col.auth,
+      versions: col.versions
+    })),
+    globals: config.globals?.map((g) => ({
+      slug: g.slug,
+      label: g.label,
+      icon: g.icon,
+      fields: g.fields.map(sanitizeField)
+    })),
+    storages: config.storages ? Object.keys(config.storages).reduce((acc, key) => {
+      acc[key] = {};
+      return acc;
+    }, {}) : {},
+    i18n: config.i18n,
+    plugins: config.plugins?.map((p) => ({
+      name: p.name,
+      label: p.label,
+      description: p.description,
+      version: p.version,
+      author: p.author,
+      homepage: p.homepage,
+      icon: p.icon,
+      adminAssets: p.adminAssets ? p.adminAssets() : undefined,
+      adminUI: p.adminUI,
+      settings: settings[p.name] || {},
+      configSchema: p.configSchema ? (Array.isArray(p.configSchema) ? p.configSchema : __toCommonJS(exports_compiler).zodToOpacaFields(p.configSchema)).map(sanitizeField) : undefined
+    })),
+    api: config.api ? {
+      rest: config.api.rest,
+      graphql: config.api.graphql
+    } : undefined
+  };
+}
+
+// src/server/admin.ts
+function createAdminHandlers(config, settings, getAuth) {
+  const getMetadata = (c) => {
+    return c.json(sanitizeConfig(config, settings));
+  };
+  const getCollections = (c) => {
+    const collections = [...config.collections];
+    const supportsAuth = config.db.name === "sqlite" || config.db.name === "postgres" || config.db.name === "d1";
+    const { getSystemCollections: getSystemCollections2 } = __toCommonJS(exports_system_schema);
+    const systemCollections = getSystemCollections2();
+    for (const systemCol of systemCollections) {
+      const isAsset = systemCol.slug === "_assets";
+      const isAuth = ["_users", "_sessions", "_accounts", "_verifications", "_api_keys"].includes(systemCol.slug);
+      if (isAsset && config.storages || isAuth && supportsAuth) {
+        if (!collections.find((col) => col.slug === systemCol.slug)) {
+          collections.push({
+            ...systemCol,
+            admin: true
+          });
+        }
+      }
+    }
+    const filteredCollections = collections.filter((c2) => !c2.hidden);
+    return c.json({
+      collections: filteredCollections,
+      globals: config.globals
+    });
+  };
+  const getConfig = async (c) => {
+    return c.json({
+      serverURL: config.serverURL,
+      admin: config.admin
+    });
+  };
+  const getSetupStatus = async (c) => {
+    try {
+      let userCount = 0;
+      try {
+        userCount = await config.db.count("_users");
+      } catch (_e) {
+        const result = await config.db.unsafe("SELECT COUNT(*) as count FROM _users");
+        const rows = result?.results || result || [];
+        userCount = Number(rows[0]?.count || rows[0]?.["count(*)"] || 0);
+      }
+      return c.json({
+        initialized: userCount > 0,
+        api: sanitizeConfig(config, settings).api
+      });
+    } catch (e) {
+      console.error("[OpacaCMS] Failed to check setup status:", e);
+      return c.json({
+        initialized: false
+      });
+    }
+  };
+  const createApiKey = async (c) => {
+    const auth = getAuth();
+    if (!auth) {
+      return c.json({ message: "Auth not initialized" }, 503);
+    }
+    const user = c.get("user");
+    if (!user) {
+      return c.json({ message: "Unauthorized" }, 401);
+    }
+    try {
+      const { name, expiresIn, permissions } = await c.req.json();
+      if (!name || typeof name !== "string") {
+        return c.json({ message: "Invalid or missing 'name'" }, 400);
+      }
+      const res = await auth.api.createApiKey({
+        body: {
+          name,
+          expiresIn: expiresIn ? Number(expiresIn) : undefined,
+          permissions,
+          userId: user.id
+        }
+      });
+      return c.json(res);
+    } catch (err) {
+      console.error("[OpacaCMS] Failed to create API key:", err);
+      const message = err?.message || (typeof err === "string" ? err : JSON.stringify(err));
+      return c.json({ message, detail: err }, 400);
+    }
+  };
+  const getPluginSettings = async (c) => {
+    const name = c.req.param("name");
+    if (!name)
+      return c.json({ error: "Plugin name is required" }, 400);
+    const pluginSettings = settings[name] || {};
+    return c.json(pluginSettings);
+  };
+  return {
+    getMetadata,
+    getCollections,
+    getConfig,
+    getSetupStatus,
+    createApiKey,
+    getPluginSettings
+  };
+}
+
+// src/server/middlewares/admin.ts
+var adminMiddleware = async (c, next) => {
+  const user = c.get("user");
+  const config = c.get("config");
+  const isDevelopment = true;
+  const path = c.req.path;
+  const isMetadata = path.endsWith("/__admin/metadata");
+  const isSetup = path.endsWith("/__admin/setup");
+  const secretHeader = c.req.header("X-Opaca-Secret");
+  const isSecretValid = config?.secret && secretHeader && secretHeader === config.secret;
+  if (isSetup) {
+    await next();
+    return;
+  }
+  if (isMetadata) {
+    if (isDevelopment || isSecretValid) {
+      await next();
+      return;
+    }
+  }
+  if (user) {
+    const isAdmin = user.role === "admin" || user.role?.includes("admin");
+    if (isAdmin) {
+      await next();
+      return;
+    }
+    return c.json({ message: "Forbidden" }, 403);
+  }
+  return c.json({ message: "Unauthorized" }, 401);
+};
+
+// src/server/routers/admin.ts
+function createAdminRouter(config, settings, state) {
+  const adminRouter = new Hono;
+  const adminHandlers = createAdminHandlers(config, settings, () => state.auth);
+  adminRouter.get("/collections", adminMiddleware, adminHandlers.getCollections);
+  adminRouter.get("/metadata", adminMiddleware, adminHandlers.getMetadata);
+  adminRouter.get("/config", adminMiddleware, adminHandlers.getConfig);
+  adminRouter.get("/setup", adminHandlers.getSetupStatus);
+  adminRouter.get("/plugin-settings/:name", adminMiddleware, adminHandlers.getPluginSettings);
+  adminRouter.post("/api-key/create", adminMiddleware, adminHandlers.createApiKey);
+  return adminRouter;
+}
+
+// src/server/routers/auth.ts
+import { Hono as Hono2 } from "hono";
+function createAuthRouter(config, state) {
+  const authRouter = new Hono2;
+  authRouter.all("/*", async (c) => {
+    if (!state.auth) {
+      return c.json({ message: "Auth not initialized" }, 503);
+    }
+    return await state.auth.handler(c.req.raw);
+  });
+  return authRouter;
+}
+
+// src/server/routers/collections.ts
+import { Hono as Hono3 } from "hono";
+
+// src/server/assets.ts
+function createAssetsHandlers(config) {
+  return {
+    async upload(c) {
+      const user = c.get("user");
+      if (!user)
+        return c.json({ error: "Unauthorized" }, 401);
+      const bucket = c.req.query("bucket") || "default";
+      if (!config.storages)
+        return c.json({ error: "Storage not configured" }, 500);
+      const storageAdapter = config.storages[bucket];
+      if (!storageAdapter) {
+        return c.json({ error: `Bucket '${bucket}' not found` }, 404);
+      }
+      try {
+        try {
+          if (config.db.name === "sqlite" || config.db.name === "d1") {
+            const tableInfo = await config.db.unsafe(`PRAGMA table_info(_assets)`);
+            const columns = tableInfo.map((c2) => c2.name);
+            if (!columns.includes("folder"))
+              await config.db.unsafe(`ALTER TABLE _assets ADD COLUMN folder TEXT`);
+            if (!columns.includes("alt_text"))
+              await config.db.unsafe(`ALTER TABLE _assets ADD COLUMN alt_text TEXT`);
+            if (!columns.includes("caption"))
+              await config.db.unsafe(`ALTER TABLE _assets ADD COLUMN caption TEXT`);
+          } else if (config.db.name === "postgres") {
+            const checkCols = await config.db.unsafe(`
+              SELECT column_name FROM information_schema.columns 
+              WHERE table_name = '_assets' AND column_name IN ('folder', 'alt_text', 'caption')
+             `);
+            const existing = checkCols.map((c2) => c2.column_name);
+            if (!existing.includes("folder"))
+              await config.db.unsafe(`ALTER TABLE _assets ADD COLUMN folder TEXT`);
+            if (!existing.includes("alt_text"))
+              await config.db.unsafe(`ALTER TABLE _assets ADD COLUMN "alt_text" TEXT`);
+            if (!existing.includes("caption"))
+              await config.db.unsafe(`ALTER TABLE _assets ADD COLUMN caption TEXT`);
+          }
+        } catch (e) {
+          console.error("Auto-patch columns failed", e);
+        }
+        const folder = c.req.query("folder") || null;
+        const keyPrefix = folder ? `${folder}/` : "";
+        const now = new Date().toISOString();
+        const formData = await c.req.parseBody({ all: true });
+        const fileRaw = formData["file"];
+        const file = Array.isArray(fileRaw) ? fileRaw[0] : fileRaw;
+        if (!file || typeof file !== "object" && typeof file !== "string") {
+          return c.json({ error: "No file provided" }, 400);
+        }
+        const fileName = file.name || "unnamed";
+        const fileType = file.type || "application/octet-stream";
+        const fileSize = file.size || 0;
+        const fileRecord = {
+          filename: fileName,
+          original_filename: fileName,
+          mime_type: fileType,
+          filesize: fileSize,
+          stream: typeof file.stream === "function" ? file.stream() : new Response(file).body
+        };
+        const uploadedFileData = await storageAdapter.upload(fileRecord, {
+          generateUniqueName: true,
+          keyPrefix
+        });
+        const storedKey = keyPrefix + uploadedFileData.filename;
+        try {
+          const assetId = (globalThis.crypto?.randomUUID?.() || Math.random().toString(36).slice(2)).replace(/-/g, "");
+          await config.db.create("_assets", {
+            id: assetId,
+            key: storedKey,
+            filename: fileName,
+            originalFilename: fileName,
+            mimeType: uploadedFileData.mime_type,
+            filesize: uploadedFileData.filesize,
+            bucket,
+            folder,
+            altText: null,
+            caption: null,
+            uploadedBy: user.id || null
+          });
+          return c.json({
+            assetId,
+            ...uploadedFileData,
+            key: storedKey
+          }, 201);
+        } catch (dbError) {
+          console.error(`[OpacaCMS] Registry insert failed, rolling back physical file upload: ${storedKey}`);
+          storageAdapter.delete(storedKey).catch((cleanupError) => {
+            console.error(`[OpacaCMS] CRITICAL: Failed to clean up orphaned file ${storedKey}!`, cleanupError);
+          });
+          throw dbError;
+        }
+      } catch (error) {
+        return c.json({ error: error.message }, 400);
+      }
+    },
+    async list(c) {
+      const user = c.get("user");
+      if (!user || user.role !== "admin" && !user.role?.includes("admin")) {
+        return c.json({ error: "Unauthorized" }, 401);
+      }
+      const bucket = c.req.query("bucket") || "all";
+      const page = parseInt(c.req.query("page") || "1", 10);
+      const limit = parseInt(c.req.query("limit") || "20", 10);
+      const offset = (page - 1) * limit;
+      const folder = c.req.query("folder") || null;
+      try {
+        let query = {};
+        if (bucket !== "all")
+          query.bucket = bucket;
+        if (folder !== null && folder !== "") {
+          query.folder = folder;
+        } else {
+          if (bucket !== "all") {
+            query = {
+              and: [{ bucket }, { or: [{ folder: null }, { folder: "" }] }]
+            };
+          } else {
+            query = { or: [{ folder: null }, { folder: "" }] };
+          }
+        }
+        const result = await config.db.find("_assets", query, {
+          page,
+          limit,
+          sort: "created_at:desc"
+        });
+        const rows = result.docs;
+        const total = result.totalDocs;
+        let folderRows = [];
+        if (config.db.name === "postgres") {
+          if (folder === null || folder === "") {
+            folderRows = await config.db.unsafe("SELECT DISTINCT split_part(folder, '/', 1) as subfolder, bucket FROM _assets WHERE folder IS NOT NULL AND folder != '' AND (bucket = $1 OR $1 = 'all')", [bucket]);
+          } else {
+            folderRows = await config.db.unsafe("SELECT DISTINCT split_part(substring(folder from length($1) + 2), '/', 1) as subfolder, bucket FROM _assets WHERE folder LIKE $2 AND (bucket = $3 OR $3 = 'all')", [folder, `${folder}/%`, bucket]);
+          }
+        } else {
+          if (folder === null || folder === "") {
+            folderRows = await config.db.unsafe(`
+              SELECT DISTINCT 
+                CASE 
+                  WHEN INSTR(folder, '/') > 0 THEN SUBSTR(folder, 1, INSTR(folder, '/') - 1)
+                  ELSE folder 
+                END as subfolder,
+                bucket
+              FROM _assets WHERE folder IS NOT NULL AND folder != '' AND (bucket = ? OR ? = 'all')
+            `, [bucket, bucket]);
+          } else {
+            const skipLen = folder.length + 2;
+            folderRows = await config.db.unsafe(`
+              SELECT DISTINCT 
+                CASE 
+                  WHEN INSTR(SUBSTR(folder, ?), '/') > 0 THEN SUBSTR(SUBSTR(folder, ?), 1, INSTR(SUBSTR(folder, ?), '/') - 1)
+                  ELSE SUBSTR(folder, ?)
+                END as subfolder,
+                bucket
+              FROM _assets WHERE folder LIKE ? AND (bucket = ? OR ? = 'all')
+            `, [skipLen, skipLen, skipLen, skipLen, `${folder}/%`, bucket, bucket]);
+          }
+        }
+        const folderMap = {};
+        for (const row of folderRows) {
+          if (!row.subfolder)
+            continue;
+          if (!folderMap[row.subfolder])
+            folderMap[row.subfolder] = [];
+          if (!folderMap[row.subfolder]?.includes(row.bucket)) {
+            folderMap[row.subfolder]?.push(row.bucket);
+          }
+        }
+        const folders = Object.entries(folderMap).map(([name, buckets]) => ({
+          name,
+          buckets
+        }));
+        return c.json({
+          docs: rows,
+          folders,
+          totalDocs: total,
+          limit,
+          page,
+          totalPages: Math.ceil(total / limit)
+        });
+      } catch (e) {
+        return c.json({ error: e.message }, 500);
+      }
+    },
+    async presign(c) {
+      const user = c.get("user");
+      if (!user)
+        return c.json({ error: "Unauthorized" }, 401);
+      const { filename, bucket = "default", operation = "write" } = await c.req.json();
+      if (!config.storages || !config.storages[bucket]) {
+        return c.json({ error: "Bucket not found" }, 404);
+      }
+      const adapter = config.storages[bucket];
+      if (!adapter.generatePresignedUrl) {
+        return c.json({ error: "Adapter does not support presigned URLs" }, 400);
+      }
+      try {
+        const url = await adapter.generatePresignedUrl(filename, operation, 3600);
+        return c.json({ uploadUrl: url, filename });
+      } catch (e) {
+        return c.json({ error: e.message }, 500);
+      }
+    },
+    async serve(c) {
+      const id = c.req.param("id");
+      try {
+        const asset = await config.db.findOne("_assets", { id });
+        if (!asset) {
+          return c.json({ error: "Asset not found" }, 404);
+        }
+        const bucket = asset.bucket || "default";
+        if (!config.storages || !config.storages[bucket]) {
+          return c.json({ error: "Storage bucket not configured" }, 500);
+        }
+        const adapter = config.storages[bucket];
+        if (!adapter.download) {
+          return c.json({ error: "Storage adapter does not support direct downloads" }, 400);
+        }
+        const stream = await adapter.download(asset.key || asset.filename);
+        c.header("Content-Type", asset.mimeType || "application/octet-stream");
+        c.header("Content-Length", asset.filesize.toString());
+        c.header("Cache-Control", "public, max-age=86400");
+        return c.body(stream);
+      } catch (e) {
+        console.error(`[OpacaCMS] Failed to serve asset ${id}:`, e);
+        return c.json({ error: e.message }, 500);
+      }
+    }
+  };
+}
+// src/utils/logger.ts
+var RESET = "\x1B[0m";
+var BOLD = "\x1B[1m";
+var BLUE = "\x1B[34m";
+var GREEN = "\x1B[32m";
+var YELLOW = "\x1B[33m";
+var RED = "\x1B[31m";
+var GRAY = "\x1B[90m";
+var PREFIX = `${BLUE}${BOLD}[OpacaCMS]${RESET}`;
+var LOG_LEVELS = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3
+};
+
+class OpacaLogger {
+  config;
+  constructor(config = {}) {
+    this.config = config;
+  }
+  shouldLog(level) {
+    if (this.config.disabled)
+      return false;
+    const configLevel = this.config.level || "info";
+    return LOG_LEVELS[level] >= LOG_LEVELS[configLevel];
+  }
+  info(message, ...args) {
+    if (!this.shouldLog("info"))
+      return;
+    console.log(`${PREFIX} ${message}`, ...args);
+  }
+  success(message, ...args) {
+    if (!this.shouldLog("info"))
+      return;
+    console.log(`${PREFIX} ${GREEN}${message}${RESET}`, ...args);
+  }
+  debug(message, ...args) {
+    if (!this.shouldLog("debug"))
+      return;
+    console.log(`${PREFIX} ${GRAY}${message}${RESET}`, ...args);
+  }
+  warn(message, ...args) {
+    if (!this.shouldLog("warn"))
+      return;
+    console.warn(`${PREFIX} ${YELLOW}Warning: ${message}${RESET}`, ...args);
+  }
+  error(message, ...args) {
+    if (!this.shouldLog("error"))
+      return;
+    console.error(`${PREFIX} ${RED}Error: ${message}${RESET}`, ...args);
+  }
+  log(message, ...args) {
+    if (this.config.disabled)
+      return;
+    console.log(message, ...args);
+  }
+  bold(msg) {
+    if (this.config.disableColors)
+      return msg;
+    return `${BOLD}${msg}${RESET}`;
+  }
+  format(color, msg) {
+    if (this.config.disableColors)
+      return msg;
+    switch (color) {
+      case "green":
+        return `${GREEN}${msg}${RESET}`;
+      case "red":
+        return `${RED}${msg}${RESET}`;
+      case "yellow":
+        return `${YELLOW}${msg}${RESET}`;
+      case "gray":
+        return `${GRAY}${msg}${RESET}`;
+      default:
+        return msg;
+    }
+  }
+}
+var logger = new OpacaLogger;
+
+// src/utils/webhooks-engine.ts
+async function verifyWebhookSignature(req, secretOrFn, headerName = "x-opaca-signature") {
+  if (typeof secretOrFn === "function") {
+    return secretOrFn(req);
+  }
+  const signature = req.headers.get(headerName);
+  if (!signature || !secretOrFn)
+    return false;
+  try {
+    const body = await req.clone().text();
+    const encoder = new TextEncoder;
+    const key = await crypto.subtle.importKey("raw", encoder.encode(secretOrFn).buffer, { name: "HMAC", hash: "SHA-256" }, false, ["verify"]);
+    const sigArray = hexToUint8Array(signature);
+    return await crypto.subtle.verify("HMAC", key, sigArray.buffer, encoder.encode(body).buffer);
+  } catch (err) {
+    logger.error("[Webhooks] Signature verification failed:", err);
+    return false;
+  }
+}
+async function dispatchWebhook(args) {
+  const { url, data, event, collection, headers, retries = 3, timeoutMs = 30000, transform } = args;
+  let payload = data;
+  if (transform) {
+    try {
+      payload = await transform(data);
+    } catch (err) {
+      logger.error(`[Webhooks] Transformation failed for ${collection} [${event}]`, err);
+    }
+  }
+  const fullPayload = {
+    event,
+    collection,
+    data: payload,
+    timestamp: new Date().toISOString()
+  };
+  let lastError = null;
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  const attempt = async (retryCount) => {
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Opaca-Event": event,
+          "X-Opaca-Collection": collection,
+          ...headers
+        },
+        body: JSON.stringify(fullPayload),
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+      }
+      logger.info(`[Webhooks] Sent to ${url} [${collection}:${event}]`);
+      return;
+    } catch (err) {
+      lastError = err;
+      logger.warn(`[Webhooks] Attempt ${retryCount + 1}/${retries} failed for ${url} [${collection}:${event}]: ${err.message}`);
+      if (retryCount < retries) {
+        const delay = 2 ** retryCount * 1000;
+        logger.warn(`[Webhooks] Delivery failed to ${url}. Retrying in ${delay}ms... (Attempt ${retryCount + 1}/${retries})`);
+        await new Promise((resolve) => setTimeout(resolve, delay));
+        return attempt(retryCount + 1);
+      }
+    }
+  };
+  try {
+    await attempt(0);
+  } catch {} finally {
+    clearTimeout(timeout);
+    if (lastError) {
+      const msg = lastError.message || String(lastError);
+      logger.error(`[Webhooks] Final delivery failure to ${url} after ${retries} attempts. Last error: ${msg}`);
+    }
+  }
+}
+function hexToUint8Array(hex) {
+  const matches = hex.match(/.{1,2}/g);
+  if (!matches)
+    return new Uint8Array;
+  return new Uint8Array(matches.map((byte) => parseInt(byte, 16)));
+}
+
+// src/server/handlers.ts
+var hydrateDoc = async (doc, fields, c, config) => {
+  if (!doc)
+    return doc;
+  const user = c.get("user");
+  const session = c.get("session");
+  const apiKey = c.get("apiKey");
+  const hydratePromises = fields.map(async (field) => {
+    if (field.type === "virtual" && typeof field.resolve === "function") {
+      try {
+        doc[field.name] = await field.resolve({
+          data: doc,
+          req: c,
+          user,
+          session,
+          apiKey
+        });
+      } catch (err) {
+        console.error(`[OpacaCMS] Failed to resolve virtual field ${field.name} `, err);
+        doc[field.name] = null;
+      }
+    }
+    if (field.fields && Array.isArray(field.fields)) {
+      await hydrateDoc(doc, field.fields, c, config);
+    }
+    if (field.tabs && Array.isArray(field.tabs)) {
+      for (const tab of field.tabs) {
+        if (tab.fields && Array.isArray(tab.fields)) {
+          await hydrateDoc(doc, tab.fields, c, config);
+        }
+      }
+    }
+    if (field.type === "group" && field.fields && doc[field.name]) {
+      await hydrateDoc(doc[field.name], field.fields, c, config);
+    }
+    if (field.type === "array" && field.fields && Array.isArray(doc[field.name])) {
+      await Promise.all(doc[field.name].map((item) => hydrateDoc(item, field.fields, c, config)));
+    }
+    if (field.type === "blocks" && field.blocks && Array.isArray(doc[field.name])) {
+      await Promise.all(doc[field.name].map((item) => {
+        const block = field.blocks.find((b) => b.slug === item.block_type);
+        if (block && block.fields) {
+          return hydrateDoc(item, block.fields, c, config);
+        }
+        return Promise.resolve();
+      }));
+    }
+    if (field.localized && doc[field.name] && typeof doc[field.name] === "object") {
+      const i18nConfig = config.i18n;
+      const requestedLocale = c.req.header("x-opaca-locale") || c.req.query("locale");
+      const targetLocale = requestedLocale || i18nConfig?.defaultLocale || "en";
+      if (targetLocale !== "all") {
+        const localizedValue = doc[field.name][targetLocale] ?? doc[field.name][i18nConfig?.defaultLocale || "en"] ?? "";
+        doc[field.name] = localizedValue;
+      }
+    }
+  });
+  await Promise.all(hydratePromises);
+  return doc;
+};
+function parsePopulate(populate) {
+  if (!populate)
+    return {};
+  if (typeof populate === "object" && !Array.isArray(populate)) {
+    return populate;
+  }
+  if (typeof populate === "string" && (populate.startsWith("{") || populate.startsWith("["))) {
+    try {
+      const parsed = JSON.parse(populate);
+      if (Array.isArray(parsed)) {
+        const result2 = {};
+        for (const item of parsed) {
+          if (typeof item === "string") {
+            Object.assign(result2, parsePopulate(item));
+          }
+        }
+        return result2;
+      }
+      return parsed;
+    } catch {}
+  }
+  const result = {};
+  const keys = typeof populate === "string" ? populate.split(",") : [];
+  for (const key of keys) {
+    const parts = key.trim().split(".");
+    let current = result;
+    for (let i = 0;i < parts.length; i++) {
+      const part = parts[i];
+      if (!part)
+        continue;
+      if (i === parts.length - 1) {
+        current[part] = current[part] || true;
+      } else {
+        if (typeof current[part] !== "object") {
+          current[part] = { populate: {} };
+        } else if (!current[part].populate) {
+          current[part].populate = { ...current[part].populate };
+        }
+        current = current[part].populate;
+      }
+    }
+  }
+  return result;
+}
+var populateDoc = async (db, fields, doc, populate, config) => {
+  if (!doc || !populate || Object.keys(populate).length === 0)
+    return doc;
+  const populatePromises = fields.map(async (field) => {
+    const pValue = populate[field.name];
+    if (field.type === "relationship" && field.relationTo && pValue) {
+      const relationTo = field.relationTo;
+      const nestedPopulate = typeof pValue === "object" ? pValue.populate : undefined;
+      const fetchAndPopulate = async (id) => {
+        if (!id)
+          return id;
+        try {
+          const systemCollections = getSystemCollections();
+          const allCollections = [...config.collections, ...systemCollections];
+          const relatedCollection = allCollections.find((c) => c.slug === relationTo || c.apiPath === relationTo);
+          const targetSlug = relatedCollection ? relatedCollection.slug : relationTo;
+          let relatedDoc = await db.findOne(targetSlug, { id });
+          if (relatedDoc && nestedPopulate && relatedCollection) {
+            relatedDoc = await populateDoc(db, relatedCollection.fields, relatedDoc, nestedPopulate, config);
+          }
+          return relatedDoc || id;
+        } catch (err) {
+          console.error(`[OpacaCMS] Failed to populate relationship ${field.name}`, err);
+          return id;
+        }
+      };
+      if (field.hasMany && Array.isArray(doc[field.name])) {
+        doc[field.name] = await Promise.all(doc[field.name].map(fetchAndPopulate));
+      } else if (doc[field.name]) {
+        doc[field.name] = await fetchAndPopulate(doc[field.name]);
+      }
+    }
+    if (field.type === "group" && field.fields && doc[field.name]) {
+      if (typeof pValue === "object" && pValue.populate) {
+        await populateDoc(db, field.fields, doc[field.name], pValue.populate, config);
+      }
+    }
+    if (field.type === "array" && field.fields && Array.isArray(doc[field.name])) {
+      if (typeof pValue === "object" && pValue.populate) {
+        await Promise.all(doc[field.name].map((item) => populateDoc(db, field.fields, item, pValue.populate, config)));
+      }
+    }
+    if (field.type === "blocks" && field.blocks && Array.isArray(doc[field.name])) {
+      if (typeof pValue === "object" && pValue.populate) {
+        await Promise.all(doc[field.name].map((item) => {
+          const block = field.blocks.find((b) => b.slug === item.block_type);
+          if (block && block.fields) {
+            return populateDoc(db, block.fields, item, pValue.populate, config);
+          }
+          return Promise.resolve();
+        }));
+      }
+    }
+  });
+  await Promise.all(populatePromises);
+  const pKeys = Object.keys(populate);
+  const hasSelection = pKeys.some((k) => {
+    const field = fields.find((f) => f.name === k);
+    return field && !["relationship", "group", "array", "blocks"].includes(field.type);
+  });
+  if (hasSelection) {
+    const filtered = {};
+    for (const key of pKeys) {
+      if (populate[key]) {
+        filtered[key] = doc[key];
+      }
+    }
+    return filtered;
+  }
+  return doc;
+};
+function createHandlers(collection, config) {
+  const { db } = config;
+  const checkAccess = async (c, action, data) => {
+    const access = collection.access?.[action];
+    const apiKey = c.get("apiKey");
+    if (collection.access?.requireApiKey && !apiKey) {
+      const user2 = c.get("user");
+      if (user2?.role === "admin" || Array.isArray(user2?.role) && user2.role.includes("admin")) {} else {
+        return false;
+      }
+    }
+    if (apiKey) {
+      if (apiKey.permissions) {
+        const collectionPermissions = apiKey.permissions[collection.slug];
+        if (collectionPermissions) {
+          if (!collectionPermissions.includes(action)) {
+            return false;
+          }
+          return true;
+        }
+      }
+    }
+    if (access === undefined)
+      return true;
+    if (typeof access === "boolean")
+      return access;
+    const user = c.get("user");
+    const session = c.get("session");
+    return await access({
+      req: c,
+      user,
+      session,
+      apiKey,
+      data,
+      operation: action
+    });
+  };
+  const getFieldAccessPermissions = async (c, operation, fields, data) => {
+    const permissions = {};
+    const user = c.get("user");
+    const session = c.get("session");
+    const apiKey = c.get("apiKey");
+    const accessArgs = {
+      req: c,
+      user,
+      session,
+      apiKey,
+      data,
+      operation
+    };
+    for (const field of fields) {
+      if (field.name) {
+        if (!field.access) {
+          permissions[field.name] = { hidden: false, readOnly: false, disabled: false };
+        } else {
+          const hidden = typeof field.access.hidden === "function" ? await field.access.hidden(accessArgs) : !!field.access.hidden;
+          const readOnly = typeof field.access.readOnly === "function" ? await field.access.readOnly(accessArgs) : !!field.access.readOnly;
+          const disabled = typeof field.access.disabled === "function" ? await field.access.disabled(accessArgs) : !!field.access.disabled;
+          permissions[field.name] = { hidden, readOnly, disabled };
+        }
+      }
+      if (field.fields && Array.isArray(field.fields)) {
+        const nestedPermissions = await getFieldAccessPermissions(c, operation, field.fields, data);
+        Object.assign(permissions, nestedPermissions);
+      }
+      if (field.tabs && Array.isArray(field.tabs)) {
+        for (const tab of field.tabs) {
+          if (tab.fields && Array.isArray(tab.fields)) {
+            const nestedPermissions = await getFieldAccessPermissions(c, operation, tab.fields, data);
+            Object.assign(permissions, nestedPermissions);
+          }
+        }
+      }
+    }
+    return permissions;
+  };
+  const saveVersion = async (doc, status) => {
+    if (!collection.versions)
+      return;
+    try {
+      await db.db.insertInto("_doc_versions").values({
+        id: crypto.randomUUID(),
+        collection: collection.slug,
+        entity_id: doc.id,
+        data: JSON.stringify(doc),
+        status: status || doc._status || "published",
+        created_at: new Date().toISOString(),
+        updated_at: new Date().toISOString()
+      }).execute();
+    } catch (err) {
+      logger.error(`[OpacaCMS] Failed to save version for ${collection.slug}: `, err);
+    }
+  };
+  return {
+    async find(c) {
+      if (!await checkAccess(c, "read")) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      const queries = c.req.query();
+      const maxLimit = config.api?.maxLimit ?? 100;
+      const page = queries.page ? parseInt(queries.page, 10) : 1;
+      let limit = queries.limit ? parseInt(queries.limit, 10) : 10;
+      if (limit > maxLimit)
+        limit = maxLimit;
+      const sort = queries.sort;
+      const populate = parsePopulate(queries.populate);
+      const filter = {};
+      for (const [key, value] of Object.entries(queries)) {
+        if ([
+          "page",
+          "limit",
+          "sort",
+          "populate",
+          "locale",
+          "draft",
+          "after",
+          "before",
+          "cursorColumn"
+        ].includes(key)) {
+          continue;
+        }
+        const match = key.match(/^([^[]+)\[([^\]]+)\]$/);
+        if (match) {
+          const field = match[1];
+          const op = match[2];
+          if (!filter[field])
+            filter[field] = {};
+          filter[field][op] = value;
+        } else {
+          filter[key] = value;
+        }
+      }
+      const after = queries.after;
+      const before = queries.before;
+      const cursorColumn = queries.cursorColumn;
+      const results = await db.find(collection.slug, filter, {
+        page,
+        limit,
+        sort,
+        after,
+        before,
+        cursorColumn
+      });
+      if (Object.keys(populate).length > 0) {
+        results.docs = await Promise.all(results.docs.map((doc) => populateDoc(db, collection.fields, doc, populate, config)));
+      }
+      results.docs = await Promise.all(results.docs.map((doc) => hydrateDoc(doc, collection.fields, c, config)));
+      return c.json(results);
+    },
+    async findOne(c) {
+      if (!await checkAccess(c, "read")) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      const queries = c.req.query();
+      const populate = parsePopulate(queries.populate);
+      const id = c.req.param("id");
+      let doc = await db.findOne(collection.slug, { id });
+      if (!doc)
+        return c.json({ message: "Not found" }, 404);
+      if (Object.keys(populate).length > 0) {
+        doc = await populateDoc(db, collection.fields, doc, populate, config);
+      }
+      doc = await hydrateDoc(doc, collection.fields, c, config);
+      const permissions = await getFieldAccessPermissions(c, "read", collection.fields, doc);
+      const cleanDoc = { ...doc };
+      for (const [field, perm] of Object.entries(permissions)) {
+        if (perm.hidden) {
+          delete cleanDoc[field];
+        }
+      }
+      return c.json(cleanDoc);
+    },
+    async create(c) {
+      const body = await c.req.json();
+      if (!await checkAccess(c, "create", body)) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      for (const field of collection.fields) {
+        if (field.type === "slug" && !body[field.name]) {
+          const fromValue = body[field.from];
+          if (fromValue && typeof fromValue === "string") {
+            const formatted = field.format ? field.format(fromValue) : fromValue.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+            body[field.name] = formatted;
+          }
+        }
+      }
+      const schema = generateSchemaForCollection(collection);
+      const validation = schema.safeParse(body);
+      if (!validation.success) {
+        return c.json({ message: "Validation Error", errors: validation.error.format() }, 400);
+      }
+      let data = validation.data;
+      const locale = c.req.header("x-opaca-locale");
+      if (locale && locale !== "all") {
+        for (const field of collection.fields) {
+          if (field.name && field.localized && data[field.name] !== undefined) {
+            data[field.name] = { [locale]: data[field.name] };
+          }
+        }
+      }
+      if (collection.hooks?.beforeCreate) {
+        data = await collection.hooks.beforeCreate(data);
+      }
+      const doc = await db.create(collection.slug, data);
+      if (collection.hooks?.afterCreate) {
+        await collection.hooks.afterCreate(doc);
+      }
+      if (collection.webhooks) {
+        const afterCreateWebhooks = collection.webhooks.filter((w) => w.type === "outgoing" && w.events.includes("after:create"));
+        for (const webhook of afterCreateWebhooks) {
+          if (webhook.type !== "outgoing")
+            continue;
+          const hookPromise = dispatchWebhook({
+            url: webhook.url,
+            data: doc,
+            event: "after:create",
+            collection: collection.slug,
+            headers: webhook.headers,
+            retries: webhook.retries,
+            timeoutMs: webhook.timeoutMs,
+            transform: webhook.transform
+          });
+          if (c.executionCtx?.waitUntil) {
+            c.executionCtx.waitUntil(hookPromise);
+          }
+        }
+      }
+      if (collection.versions) {
+        await saveVersion(doc, body._status);
+      }
+      const hydratedDoc = await hydrateDoc(doc, collection.fields, c, config);
+      return c.json(hydratedDoc, 201);
+    },
+    async update(c) {
+      const id = c.req.param("id");
+      const body = await c.req.json();
+      if (!await checkAccess(c, "update", body)) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      for (const field of collection.fields) {
+        if (field.type === "slug" && !body[field.name]) {
+          const fromValue = body[field.from];
+          if (fromValue && typeof fromValue === "string") {
+            const formatted = field.format ? field.format(fromValue) : fromValue.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+            body[field.name] = formatted;
+          }
+        }
+      }
+      const schema = generateSchemaForCollection(collection, true);
+      const validation = schema.safeParse(body);
+      if (!validation.success) {
+        return c.json({ message: "Validation Error", errors: validation.error.format() }, 400);
+      }
+      let data = validation.data;
+      const locale = c.req.header("x-opaca-locale");
+      if (locale && locale !== "all") {
+        let existing = null;
+        for (const field of collection.fields) {
+          if (field.name && field.localized && data[field.name] !== undefined) {
+            if (!existing) {
+              existing = await db.findOne(collection.slug, { id });
+            }
+            const currentObj = existing?.[field.name] || {};
+            data[field.name] = { ...currentObj, [locale]: data[field.name] };
+          }
+        }
+      }
+      if (collection.hooks?.beforeUpdate) {
+        data = await collection.hooks.beforeUpdate(data);
+      }
+      const doc = await db.update(collection.slug, { id }, data);
+      if (collection.hooks?.afterUpdate) {
+        await collection.hooks.afterUpdate(doc);
+      }
+      if (collection.webhooks) {
+        const afterUpdateWebhooks = collection.webhooks.filter((w) => w.type === "outgoing" && w.events.includes("after:update"));
+        for (const webhook of afterUpdateWebhooks) {
+          if (webhook.type !== "outgoing")
+            continue;
+          const hookPromise = dispatchWebhook({
+            url: webhook.url,
+            data: doc,
+            event: "after:update",
+            collection: collection.slug,
+            headers: webhook.headers,
+            retries: webhook.retries,
+            timeoutMs: webhook.timeoutMs,
+            transform: webhook.transform
+          });
+          if (c.executionCtx?.waitUntil) {
+            c.executionCtx.waitUntil(hookPromise);
+          }
+        }
+      }
+      if (collection.versions) {
+        await saveVersion(doc, body._status);
+      }
+      const hydratedDoc = await hydrateDoc(doc, collection.fields, c, config);
+      return c.json(hydratedDoc);
+    },
+    async delete(c) {
+      if (!await checkAccess(c, "delete")) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      const id = c.req.param("id");
+      let docToPass = { id };
+      try {
+        if (collection.webhooks && collection.webhooks.some((w) => w.type === "outgoing" && w.events.includes("after:delete"))) {
+          docToPass = await db.findOne(collection.slug, { id });
+        }
+      } catch (e) {}
+      if (collection.hooks?.beforeDelete) {
+        await collection.hooks.beforeDelete(id);
+      }
+      await db.delete(collection.slug, { id });
+      if (collection.hooks?.afterDelete) {
+        await collection.hooks.afterDelete(id);
+      }
+      if (collection.webhooks) {
+        const afterDeleteWebhooks = collection.webhooks.filter((w) => w.type === "outgoing" && w.events.includes("after:delete"));
+        for (const webhook of afterDeleteWebhooks) {
+          if (webhook.type !== "outgoing")
+            continue;
+          const hookPromise = dispatchWebhook({
+            url: webhook.url,
+            data: docToPass || { id },
+            event: "after:delete",
+            collection: collection.slug,
+            headers: webhook.headers,
+            retries: webhook.retries,
+            timeoutMs: webhook.timeoutMs,
+            transform: webhook.transform
+          });
+          if (c.executionCtx?.waitUntil) {
+            c.executionCtx.waitUntil(hookPromise);
+          }
+        }
+      }
+      return c.json({ message: "Deleted" });
+    },
+    async findVersions(c) {
+      if (!await checkAccess(c, "read")) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      const parentId = c.req.query("parentId");
+      try {
+        let qb = db.db.selectFrom("_doc_versions").selectAll().where("collection", "=", collection.slug);
+        if (parentId) {
+          qb = qb.where("entity_id", "=", parentId);
+        }
+        const rows = await qb.orderBy("created_at", "desc").execute();
+        return c.json({ docs: rows });
+      } catch (err) {
+        return c.json({ message: "Failed to fetch versions", error: err.message }, 500);
+      }
+    },
+    async restoreVersion(c) {
+      if (!await checkAccess(c, "update")) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      const versionId = c.req.param("versionId");
+      try {
+        const version = await db.db.selectFrom("_doc_versions").selectAll().where("id", "=", versionId).executeTakeFirst();
+        if (!version)
+          return c.json({ message: "Version not found" }, 404);
+        const data = JSON.parse(version.data);
+        const id = version.entity_id;
+        delete data.id;
+        delete data.createdAt;
+        delete data.updatedAt;
+        const doc = await db.update(collection.slug, { id }, data);
+        await saveVersion(doc, "published");
+        return c.json(doc);
+      } catch (err) {
+        return c.json({ message: "Failed to restore version", error: err.message }, 500);
+      }
+    }
+  };
+}
+function createIncomingWebhookHandler(webhookConfig, collection, config) {
+  const { db } = config;
+  if (!webhookConfig) {
+    throw new Error(`Collection ${collection.slug} does not have webhooksIncoming configured.`);
+  }
+  return async (c) => {
+    if (webhookConfig.verifySignature) {
+      const isValid = await verifyWebhookSignature(c.req.raw, webhookConfig.verifySignature);
+      if (!isValid) {
+        logger.warn(`[Webhooks] Invalid signature for incoming webhook on ${collection.slug}`);
+        return c.json({ message: "Invalid signature" }, 401);
+      }
+    }
+    try {
+      const payload = await c.req.json();
+      let data = payload;
+      if (webhookConfig.mapPayload) {
+        data = await webhookConfig.mapPayload(payload);
+      }
+      let doc = null;
+      let operation = "create";
+      const uniqueFields = collection.fields.filter((f) => f.name && f.unique && data[f.name] !== undefined);
+      if (data.id) {
+        doc = await db.findOne(collection.slug, { id: data.id });
+      } else if (uniqueFields.length > 0) {
+        const query = {};
+        for (const f of uniqueFields) {
+          const fieldName = f.name;
+          query[fieldName] = data[fieldName];
+        }
+        doc = await db.findOne(collection.slug, query);
+      }
+      if (doc) {
+        operation = "update";
+        doc = await db.update(collection.slug, { id: doc.id }, data);
+      } else {
+        doc = await db.create(collection.slug, data);
+      }
+      if (webhookConfig.onSuccess) {
+        await webhookConfig.onSuccess({ data: doc, payload, operation });
+      }
+      logger.info(`[Webhooks] Incoming webhook processed for ${collection.slug} (${operation})`);
+      return c.json({ success: true, operation, id: doc.id });
+    } catch (err) {
+      logger.error(`[Webhooks] Failed to process incoming webhook for ${collection.slug}:`, err.message);
+      return c.json({ message: "Internal Server Error", error: err.message }, 500);
+    }
+  };
+}
+function createGlobalHandlers(config, globalConfig, getAuth) {
+  const { db } = config;
+  const checkAccess = async (c, action, data) => {
+    const access = globalConfig.access?.[action];
+    if (access === undefined)
+      return true;
+    if (typeof access === "boolean")
+      return access;
+    const user = c.get("user");
+    const session = c.get("session");
+    const apiKey = c.get("apiKey");
+    return await access({
+      req: c,
+      user,
+      session,
+      apiKey,
+      data,
+      operation: action
+    });
+  };
+  return {
+    async find(c) {
+      if (!await checkAccess(c, "read")) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      if (!db.findGlobal) {
+        return c.json({ message: "Globals are not supported by this database adapter" }, 501);
+      }
+      const doc = await db.findGlobal(globalConfig.slug);
+      const hydratedDoc = await hydrateDoc(doc || {}, globalConfig.fields, c, config);
+      return c.json(hydratedDoc);
+    },
+    async update(c) {
+      const body = await c.req.json();
+      if (!await checkAccess(c, "update", body)) {
+        return c.json({ message: "Forbidden" }, 403);
+      }
+      if (!db.updateGlobal) {
+        return c.json({ message: "Globals are not supported by this database adapter" }, 501);
+      }
+      const schema = generateSchemaForCollection(globalConfig, true);
+      const validation = schema.safeParse(body);
+      if (!validation.success) {
+        logger.error(`Validation Error on Global ${globalConfig.slug}: `, validation.error.format());
+        return c.json({
+          message: "Validation Error",
+          errors: validation.error.format()
+        }, 400);
+      }
+      const doc = await db.updateGlobal(globalConfig.slug, validation.data);
+      const hydratedDoc = await hydrateDoc(doc, globalConfig.fields, c, config);
+      return c.json(hydratedDoc);
+    }
+  };
+}
+
+// src/server/routers/collections.ts
+function mountCollectionRoutes(router, config, state) {
+  const combinedCollections = [...config.collections];
+  for (const systemCol of getSystemCollections()) {
+    if (!combinedCollections.find((c) => c.slug === systemCol.slug)) {
+      combinedCollections.push(systemCol);
+    }
+  }
+  const exposedCollections = combinedCollections.filter((c) => !c.hidden);
+  for (const collection of exposedCollections) {
+    const handlers = createHandlers(collection, config);
+    const path = `/${collection.apiPath || collection.slug}`;
+    router.get(path, handlers.find);
+    router.get(`${path}/versions`, handlers.findVersions);
+    router.get(`${path}/:id`, handlers.findOne);
+    router.post(path, handlers.create);
+    router.patch(`${path}/:id`, handlers.update);
+    router.post(`${path}/versions/:versionId/restore`, handlers.restoreVersion);
+    router.delete(`${path}/:id`, handlers.delete);
+  }
+}
+function mountIncomingWebhookRoutes(router, config) {
+  for (const collection of config.collections) {
+    if (collection.webhooks) {
+      for (const webhook of collection.webhooks) {
+        if (webhook.type === "incoming") {
+          const handler = createIncomingWebhookHandler(webhook, collection, config);
+          router.post(webhook.path, handler);
+        }
+      }
+    }
+  }
+}
+function mountGlobalRoutes(router, config, state) {
+  if (config.globals) {
+    for (const globalConfig of config.globals) {
+      const handlers = createGlobalHandlers(config, globalConfig, () => state.auth);
+      const path = `/globals/${globalConfig.slug}`;
+      router.get(path, handlers.find);
+      router.post(path, handlers.update);
+      router.patch(path, handlers.update);
+    }
+  }
+}
+function createSystemRouter(config) {
+  const systemRouter = new Hono3;
+  systemRouter.get("/plugins/assets", adminMiddleware, (c) => {
+    const response = {
+      scripts: [],
+      styles: []
+    };
+    if (config.plugins && Array.isArray(config.plugins)) {
+      for (const plugin of config.plugins) {
+        if (plugin.adminAssets) {
+          try {
+            const assets = plugin.adminAssets();
+            if (assets.scripts)
+              response.scripts.push(...assets.scripts);
+            if (assets.styles)
+              response.styles.push(...assets.styles);
+          } catch (e) {
+            console.error(`[Plugin] ${plugin.name} failed to expose adminAssets: `, e);
+          }
+        }
+      }
+    }
+    return c.json(response);
+  });
+  if (config.storages) {
+    const assetsHandlers = createAssetsHandlers(config);
+    systemRouter.post("/assets/upload", adminMiddleware, assetsHandlers.upload);
+    systemRouter.get("/assets", adminMiddleware, assetsHandlers.list);
+    systemRouter.post("/assets/presign-upload", adminMiddleware, assetsHandlers.presign);
+  }
+  return systemRouter;
+}
+function createAssetsServingRouter(config) {
+  const assetsServingRouter = new Hono3;
+  if (config.storages) {
+    const assetsHandlers = createAssetsHandlers(config);
+    const assetCol = getSystemCollections().find((c) => c.slug === "_assets");
+    const assetPath = `/${assetCol?.apiPath || assetCol?.slug || "_assets"}`;
+    assetsServingRouter.get(`${assetPath}/:id/view`, assetsHandlers.serve);
+  }
+  return assetsServingRouter;
+}
+
+// src/server/middlewares/auth.ts
+function createAuthMiddleware(getAuth) {
+  return async (c, next) => {
+    const auth = getAuth();
+    if (!auth) {
+      c.set("user", null);
+      c.set("session", null);
+      c.set("apiKey", null);
+      await next();
+      return;
+    }
+    try {
+      const session = await auth.api.getSession({ headers: c.req.raw.headers });
+      if (session) {
+        c.set("user", session.user);
+        c.set("session", session.session);
+        c.set("apiKey", null);
+        await next();
+        return;
+      }
+    } catch (err) {
+      logger.debug("Session verification failed or threw:", err);
+    }
+    const authHeader = c.req.header("Authorization");
+    if (authHeader && authHeader.startsWith("Bearer ")) {
+      const token = authHeader.split(" ")[1];
+      if (token) {
+        try {
+          const result = await auth.api.verifyApiKey({
+            headers: c.req.raw.headers,
+            body: { key: token }
+          });
+          if (result && result.valid && result.key) {
+            c.set("apiKey", {
+              id: result.key.id,
+              name: result.key.name,
+              permissions: result.key.permissions,
+              referenceId: result.key.referenceId
+            });
+            try {
+              const ownerResult = await auth.options.database?.findOne?.("_users", {
+                id: result.key.referenceId
+              });
+              c.set("user", ownerResult);
+            } catch (e) {
+              logger.warn("Failed to fetch API key owner from database:", e);
+              c.set("user", null);
+            }
+            c.set("session", null);
+            await next();
+            return;
+          }
+        } catch (err) {
+          logger.warn("API Key verification failed:", err);
+        }
+      }
+    }
+    c.set("user", null);
+    c.set("session", null);
+    c.set("apiKey", null);
+    await next();
+  };
+}
+
+// src/server/middlewares/context.ts
+function createContextMiddleware(config) {
+  const logger2 = new OpacaLogger(config.logger);
+  return async (c, next) => {
+    c.set("config", config);
+    c.set("db", config.db);
+    c.set("logger", logger2);
+    await next();
+  };
+}
+
+// src/server/middlewares/cors.ts
+import { cors } from "hono/cors";
+function createCorsMiddleware(config) {
+  const trustedOrigins = config.trustedOrigins || [];
+  return cors({
+    origin: async (origin, _c) => {
+      const allowed = typeof trustedOrigins === "function" ? await trustedOrigins(_c.req.raw) : trustedOrigins;
+      if (Array.isArray(allowed) && allowed.includes(origin)) {
+        return origin;
+      }
+      return;
+    },
+    allowMethods: ["POST", "GET", "PUT", "PATCH", "DELETE", "OPTIONS"],
+    exposeHeaders: ["Content-Length"],
+    credentials: true
+  });
+}
+
+// src/auth/index.ts
+import { apiKey } from "@better-auth/api-key";
+import { betterAuth } from "better-auth";
+import { admin, openAPI } from "better-auth/plugins";
+
+// src/auth/premissions.ts
+import { createAccessControl } from "better-auth/plugins/access";
+function createPermissions(config) {
+  const resources = {
+    user: ["create", "read", "update", "delete", "ban", "impersonate"],
+    session: ["read", "revoke", "delete"]
+  };
+  for (const collection of config.collections) {
+    resources[collection.slug] = ["create", "read", "update", "delete"];
+  }
+  const ac = createAccessControl(resources);
+  const adminRole = ac.newRole({
+    user: ["create", "read", "update", "delete", "ban", "impersonate"],
+    session: ["read", "revoke", "delete"]
+  });
+  for (const collection of config.collections) {
+    adminRole[collection.slug] = ["create", "read", "update", "delete"];
+  }
+  const userRole = ac.newRole({});
+  const roles = {
+    admin: adminRole,
+    user: userRole
+  };
+  if (config.access?.roles) {
+    for (const [roleName, permissions] of Object.entries(config.access.roles)) {
+      roles[roleName] = ac.newRole(permissions);
+    }
+  }
+  return {
+    ac,
+    roles
+  };
+}
+
+// src/auth/index.ts
+async function createAuth(config) {
+  const env = typeof process !== "undefined" ? process.env : {};
+  const baseURL = String(config.serverURL || env.BETTER_AUTH_URL || "").replace(/\/$/, "");
+  if (!baseURL) {
+    throw new Error("[OpacaAuth] baseURL could not be determined. Please provide 'serverURL' in your config or 'BETTER_AUTH_URL' in your environment.");
+  }
+  const authURL = `${baseURL}/api/auth`;
+  const secret = env.OPACA_SECRET || env.BETTER_AUTH_SECRET || config.secret;
+  if (!secret) {
+    throw new Error("[OpacaAuth] No secret found for authentication. Please provide 'OPACA_SECRET' or 'BETTER_AUTH_SECRET'.");
+  }
+  if (typeof process !== "undefined" && !env.BETTER_AUTH_URL) {
+    process.env.BETTER_AUTH_URL = authURL;
+  }
+  const databaseConfig = {
+    db: config.db.db,
+    type: config.db.name === "postgres" ? "pg" : "sqlite"
+  };
+  const isSecure = baseURL.startsWith("https");
+  const userAuth = config.auth || {};
+  const { ac, roles } = createPermissions(config);
+  const trustedOrigins = config.trustedOrigins;
+  const plugins = [
+    admin({
+      ac,
+      roles
+    }),
+    openAPI({
+      disableDefaultReference: true,
+      path: "/open-api"
+    }),
+    ...userAuth.features?.apiKeys?.enabled ? [
+      apiKey({
+        defaultPrefix: "opaca_",
+        schema: {
+          apikey: {
+            modelName: "_api_keys"
+          }
+        }
+      })
+    ] : []
+  ];
+  const socialProviders = {};
+  if (userAuth.socialProviders?.github) {
+    socialProviders.github = userAuth.socialProviders.github;
+  }
+  if (userAuth.socialProviders?.google) {
+    socialProviders.google = userAuth.socialProviders.google;
+  }
+  return betterAuth({
+    database: databaseConfig,
+    baseURL,
+    basePath: "/api/auth",
+    secret,
+    trustedOrigins,
+    emailAndPassword: {
+      enabled: userAuth.strategies?.emailPassword !== false
+    },
+    socialProviders,
+    user: {
+      modelName: "_users"
+    },
+    session: {
+      modelName: "_sessions",
+      expiresIn: (userAuth.session?.expiresInDays || 30) * 86400,
+      updateAge: userAuth.session?.updateAgeSeconds || 86400
+    },
+    account: {
+      modelName: "_accounts"
+    },
+    verification: {
+      modelName: "_verifications"
+    },
+    advanced: {
+      useSecureCookies: isSecure,
+      defaultCookieAttributes: {
+        sameSite: isSecure ? "none" : "lax",
+        secure: isSecure
+      }
+    },
+    databaseHooks: {
+      user: {
+        create: {
+          before: async (user) => {
+            try {
+              let userCount = 0;
+              try {
+                userCount = await config.db.count("_users");
+              } catch (e) {
+                const result = await config.db.unsafe("SELECT COUNT(*) as count FROM _users");
+                const rows = result?.results || result || [];
+                userCount = Number(rows[0]?.count || rows[0]?.["count(*)"] || 0);
+              }
+              if (userCount === 0) {
+                return {
+                  data: {
+                    ...user,
+                    role: "admin"
+                  }
+                };
+              }
+            } catch (e) {
+              console.error("[OpacaAuth] Failed to check user count in hook:", e);
+            }
+          }
+        }
+      }
+    },
+    plugins,
+    logger: {
+      disabled: config.logger?.disabled,
+      disableColors: config.logger?.disableColors,
+      level: config.logger?.level,
+      log: (level, message, ...args) => {
+        const rebrand = (msg) => {
+          if (typeof msg !== "string")
+            return String(msg);
+          return msg.replace(/\[better-auth\]\s*/g, "").replace(/BETTER_AUTH_SECRET/g, "OPACA_SECRET").replace(/`npx auth secret`/g, "`openssl rand -base64 32`").replace(/npx auth secret/g, "openssl rand -base64 32").replace(/^Warning:\s*/i, "");
+        };
+        const branded = rebrand(message);
+        if (level === "error" && (branded.toLowerCase().includes("invalid api key") || branded.toLowerCase().includes("failed to validate api key"))) {
+          return;
+        }
+        const brandedArgs = args.map((a) => typeof a === "string" ? rebrand(a) : a);
+        const authLogger = new OpacaLogger(config.logger);
+        switch (level) {
+          case "debug":
+            authLogger.debug(branded, ...brandedArgs);
+            break;
+          case "info":
+            authLogger.info(branded, ...brandedArgs);
+            break;
+          case "warn":
+            authLogger.warn(branded, ...brandedArgs);
+            break;
+          case "error":
+            authLogger.error(branded, ...brandedArgs);
+            break;
+          default:
+            authLogger.info(branded, ...brandedArgs);
+        }
+      }
+    }
+  });
+}
+
+// src/db/kysely/field-mapper.ts
+function toSnakeCase(str) {
+  const res = str.replace(/([A-Z])/g, "_$1").toLowerCase();
+  if (res.startsWith("_") && !str.startsWith("_")) {
+    return res.slice(1);
+  }
+  return res;
+}
+// src/auth/migrations.ts
+async function runAuthMigrations(db) {
+  const rawDb = db.raw;
+  if (!rawDb) {
+    logger.error("Database not connected yet. Skipping auth migrations.");
+    return;
+  }
+  const isPostgres = db.name === "postgres";
+  const authCollections = getSystemCollections().filter((c) => ["_users", "_sessions", "_accounts", "_verifications", "_api_keys"].includes(c.slug));
+  try {
+    for (const collection of authCollections) {
+      const columnDefs = [];
+      columnDefs.push(`"id" TEXT PRIMARY KEY`);
+      for (const field of collection.fields) {
+        if (field.name === "id")
+          continue;
+        let type = "TEXT";
+        if (field.type === "number")
+          type = "INTEGER";
+        if (field.type === "boolean")
+          type = isPostgres ? "BOOLEAN" : "INTEGER";
+        if (field.type === "date")
+          type = isPostgres ? "TIMESTAMPTZ" : "TEXT";
+        let definition = `"${toSnakeCase(field.name)}" ${type}`;
+        if (field.required)
+          definition += " NOT NULL";
+        if (field.unique)
+          definition += " UNIQUE";
+        if (field.defaultValue !== undefined) {
+          const val = typeof field.defaultValue === "string" ? `'${field.defaultValue}'` : field.defaultValue;
+          definition += ` DEFAULT ${val}`;
+        }
+        if (field.references) {
+          definition += ` REFERENCES "${field.references.table}"("${toSnakeCase(field.references.column)}")`;
+          if (field.references.onDelete) {
+            definition += ` ON DELETE ${field.references.onDelete.toUpperCase()}`;
+          }
+        }
+        columnDefs.push(definition);
+      }
+      const ts = collection.timestamps;
+      if (ts !== false && ts !== undefined) {
+        const config = typeof ts === "object" ? ts : {};
+        const createdField = toSnakeCase(config.createdAt || "createdAt");
+        const updatedField = toSnakeCase(config.updatedAt || "updatedAt");
+        const fieldNames = new Set(collection.fields.map((f) => toSnakeCase(f.name)));
+        if (!fieldNames.has(createdField)) {
+          columnDefs.push(`"${createdField}" ${isPostgres ? "TIMESTAMPTZ" : "TEXT"} DEFAULT CURRENT_TIMESTAMP`);
+        }
+        if (!fieldNames.has(updatedField)) {
+          columnDefs.push(`"${updatedField}" ${isPostgres ? "TIMESTAMPTZ" : "TEXT"} DEFAULT CURRENT_TIMESTAMP`);
+        }
+      }
+      logger.info(`  -> Verifying table: ${logger.format("green", `"${collection.slug}"`)}`);
+      await db.unsafe(`CREATE TABLE IF NOT EXISTS "${collection.slug}" (${columnDefs.join(", ")})`);
+    }
+    logger.success("Auth tables verified/created successfully.");
+  } catch (error) {
+    logger.error("Failed to create auth tables:", error);
+  }
+}
+// src/server/middlewares/database-init.ts
+function createDatabaseInitMiddleware(config, state) {
+  return async (_c, next) => {
+    if (!state.migrated) {
+      const isDev = typeof process !== "undefined" && true;
+      if (isDev) {
+        logger.info(`Connecting to database: ${logger.format("yellow", config.db.name)}...`);
+      } else {
+        logger.debug(`Connecting to database: ${config.db.name}...`);
+      }
+      await config.db.connect();
+      if (isDev) {
+        logger.debug("Synchronizing database schema...");
+      }
+      const allCollections = [...config.collections];
+      for (const systemCol of getSystemCollections()) {
+        if (!allCollections.find((c) => c.slug === systemCol.slug)) {
+          allCollections.push(systemCol);
+        }
+      }
+      await config.db.migrate(allCollections, config.globals);
+      if (isDev) {
+        logger.success("Database schema synchronized.");
+      }
+      const shouldMigrate = config.runMigrationsOnStartup || isDev;
+      if (shouldMigrate) {
+        if (config.runMigrationsOnStartup && config.db.runMigrations) {
+          try {
+            logger.info("Running file-based migrations on startup...");
+            await config.db.runMigrations();
+          } catch (e) {
+            if (e.code === "ENOENT" && e.path && e.path.includes("migrations")) {
+              logger.debug("No 'migrations' folder found. Skipping file-based migrations.");
+            } else {
+              logger.error("Error running migrations on startup:");
+              console.error(e);
+            }
+          }
+        }
+        await runAuthMigrations(config.db);
+      } else {
+        logger.debug("Automatic schema migrations skipped (Production).");
+      }
+      if (!state.auth) {
+        state.auth = await createAuth(config);
+      }
+      state.migrated = true;
+    }
+    await next();
+  };
+}
+
+// src/server/middlewares/rate-limit.ts
+function createRateLimitMiddleware(config) {
+  const rateLimitConfig = config.api?.rateLimit;
+  if (rateLimitConfig?.enabled === false) {
+    return async (_c, next) => await next();
+  }
+  const windowMs = rateLimitConfig?.windowMs || 60000;
+  const limit = rateLimitConfig?.limit || 100;
+  return async (c, next) => {
+    let provider = rateLimitConfig?.provider?.(c);
+    if (!provider && !rateLimitConfig?.store && c.env) {
+      const rateLimitKey = Object.keys(c.env).find((key) => c.env[key]?.limit && typeof c.env[key].limit === "function");
+      if (rateLimitKey) {
+        provider = c.env[rateLimitKey];
+      }
+    }
+    if (provider) {
+      try {
+        const { rateLimiter } = await import("hono-rate-limiter");
+        const limiter = rateLimiter({
+          binding: () => provider,
+          keyGenerator: rateLimitConfig?.keyGenerator || ((c2) => c2.req.header("cf-connecting-ip") || c2.req.header("x-forwarded-for") || "anonymous")
+        });
+        return limiter(c, next);
+      } catch (e) {
+        logger.error("Failed to load 'hono-rate-limiter'. Please install it to use rate limiting features.", e);
+        return await next();
+      }
+    }
+    let resolvedStore = rateLimitConfig?.store;
+    if (!resolvedStore && c.env) {
+      const kvBindingKey = Object.keys(c.env).find((key) => key.startsWith("OPACA_") && c.env[key]?.put && c.env[key]?.get);
+      if (kvBindingKey) {
+        try {
+          const { WorkersKVStore } = await import("@hono-rate-limiter/cloudflare");
+          resolvedStore = new WorkersKVStore({ namespace: c.env[kvBindingKey] });
+        } catch (e) {
+          logger.error("Failed to load @hono-rate-limiter/cloudflare dynamic import. Make sure you are in a Cloudflare environment.", e);
+        }
+      }
+    }
+    try {
+      const { rateLimiter } = await import("hono-rate-limiter");
+      const limiter = rateLimiter({
+        windowMs,
+        limit,
+        standardHeaders: "draft-6",
+        store: resolvedStore,
+        keyGenerator: rateLimitConfig?.keyGenerator || ((c2) => c2.req.header("cf-connecting-ip") || c2.req.header("x-forwarded-for") || "anonymous"),
+        message: "Too many requests from this IP, please try again after a minute."
+      });
+      return limiter(c, next);
+    } catch (e) {
+      logger.error("Failed to load 'hono-rate-limiter'. Please install it to use rate limiting features.", e);
+      return await next();
+    }
+  };
+}
+
+// src/utils/context.ts
+var {AsyncLocalStorage} = (() => ({}));
+var GLOBAL_CONTEXT_KEY = Symbol.for("opacacms.requestContext");
+if (!globalThis[GLOBAL_CONTEXT_KEY]) {
+  globalThis[GLOBAL_CONTEXT_KEY] = new AsyncLocalStorage;
+}
+var requestContext = globalThis[GLOBAL_CONTEXT_KEY];
+
+// src/server/setup-middlewares.ts
+function setupMiddlewares(router, config, state) {
+  router.use("*", async (c, next) => {
+    await next();
+    c.res.headers.set("X-Powered-By", "OpacaCMS");
+  });
+  router.use("*", createContextMiddleware(config));
+  router.use("*", createRateLimitMiddleware(config));
+  router.use("*", createCorsMiddleware(config));
+  router.use("*", createDatabaseInitMiddleware(config, state));
+  router.onError((err, c) => {
+    const ctxLogger = c.get("logger");
+    ctxLogger.error(`API Error: ${err.message}`, err);
+    return c.json({ message: "Internal Server Error", error: err.message }, 500);
+  });
+}
+function setupAuthMiddlewares(router, config, state) {
+  router.use("*", createAuthMiddleware(() => state.auth));
+  router.use("*", async (c, next) => {
+    const user = c.get("user");
+    await requestContext.run({ userId: user?.id }, async () => {
+      await next();
+    });
+  });
+}
+
+// src/server/graphql.ts
+import {
+  GraphQLBoolean,
+  GraphQLFloat,
+  GraphQLInt,
+  GraphQLList,
+  GraphQLNonNull,
+  GraphQLObjectType,
+  GraphQLScalarType,
+  GraphQLSchema,
+  GraphQLString
+} from "graphql";
+
+// src/utils/string.ts
+function sanitizeGraphQLName(name) {
+  return name.replace(/[^_a-zA-Z0-9]/g, "_");
+}
+
+// src/server/graphql.ts
+var GraphQLJSON = new GraphQLScalarType({
+  name: "JSON",
+  description: "The `JSON` scalar type represents JSON values as specified by ECMA-404",
+  serialize: (value) => value,
+  parseValue: (value) => value,
+  parseLiteral: (ast) => {
+    switch (ast.kind) {
+      case "StringValue":
+        return JSON.parse(ast.value);
+      case "ObjectValue":
+        throw new Error("Not implemented");
+      default:
+        return null;
+    }
+  }
+});
+function getGraphQLType(field) {
+  switch (field.type) {
+    case "text":
+    case "slug":
+    case "textarea":
+    case "richtext":
+    case "select":
+    case "radio":
+    case "date":
+    case "file":
+    case "relationship":
+      return GraphQLString;
+    case "number":
+      return GraphQLFloat;
+    case "boolean":
+      return GraphQLBoolean;
+    case "json":
+    case "blocks":
+    case "array":
+    case "group":
+    case "row":
+    case "collapsible":
+    case "tabs":
+      return GraphQLJSON;
+    default:
+      return GraphQLString;
+  }
+}
+function buildCollectionType(collection, nameOverride) {
+  const fields = {
+    id: { type: GraphQLString }
+  };
+  if (collection.timestamps !== false) {
+    fields.createdAt = { type: GraphQLString };
+    fields.updatedAt = { type: GraphQLString };
+  }
+  for (const field of collection.fields) {
+    if (field.name) {
+      fields[sanitizeGraphQLName(field.name)] = { type: getGraphQLType(field) };
+    }
+  }
+  return new GraphQLObjectType({
+    name: nameOverride || sanitizeGraphQLName(collection.slug),
+    fields
+  });
+}
+function buildCollectionPaginatedType(collectionType, collectionSlug) {
+  return new GraphQLObjectType({
+    name: `Paginated${sanitizeGraphQLName(collectionSlug)}`,
+    fields: {
+      docs: { type: new GraphQLList(collectionType) },
+      totalDocs: { type: GraphQLInt },
+      limit: { type: GraphQLInt },
+      totalPages: { type: GraphQLInt },
+      page: { type: GraphQLInt },
+      pagingCounter: { type: GraphQLInt },
+      hasPrevPage: { type: GraphQLBoolean },
+      hasNextPage: { type: GraphQLBoolean },
+      prevPage: { type: GraphQLInt },
+      nextPage: { type: GraphQLInt },
+      nextCursor: { type: GraphQLString },
+      prevCursor: { type: GraphQLString }
+    }
+  });
+}
+function generateGraphQLSchema(config, state) {
+  const queryFields = {};
+  const mutationFields = {};
+  for (const collection of config.collections) {
+    if (collection.hidden)
+      continue;
+    const handlers = createHandlers(collection, config);
+    const collectionType = buildCollectionType(collection);
+    const paginatedType = buildCollectionPaginatedType(collectionType, collection.slug);
+    const sanitizedSlug = sanitizeGraphQLName(collection.slug);
+    const capitalizedSlug = sanitizedSlug.charAt(0).toUpperCase() + sanitizedSlug.slice(1);
+    queryFields[`find${capitalizedSlug}`] = {
+      type: paginatedType,
+      args: {
+        limit: { type: GraphQLInt },
+        page: { type: GraphQLInt },
+        sort: { type: GraphQLString }
+      },
+      resolve: async (_, args, c) => {
+        const req = {
+          query: (key) => {
+            if (!key)
+              return args;
+            return args[key] !== undefined ? String(args[key]) : undefined;
+          },
+          queries: () => ({})
+        };
+        const ctx = { ...c, req: { ...c.req, ...req } };
+        ctx.req.query = req.query;
+        let result;
+        ctx.json = (data, status) => {
+          if (status && status >= 400)
+            throw new Error(data?.message || "Error");
+          result = data;
+          return data;
+        };
+        await handlers.find(ctx);
+        return result;
+      }
+    };
+    queryFields[`get${capitalizedSlug}`] = {
+      type: collectionType,
+      args: {
+        id: { type: new GraphQLNonNull(GraphQLString) }
+      },
+      resolve: async (_, args, c) => {
+        const req = {
+          param: (key) => {
+            if (key === "id")
+              return args.id;
+            if (!key)
+              return { id: args.id };
+            return args.id;
+          }
+        };
+        const ctx = { ...c, req: { ...c.req, ...req } };
+        ctx.req.param = req.param;
+        let result;
+        ctx.json = (data, status) => {
+          if (status && status >= 400)
+            throw new Error(data?.message || "Error");
+          result = data;
+          return data;
+        };
+        await handlers.findOne(ctx);
+        return result?.doc || result;
+      }
+    };
+    mutationFields[`create${capitalizedSlug}`] = {
+      type: collectionType,
+      args: {
+        data: { type: new GraphQLNonNull(GraphQLJSON) }
+      },
+      resolve: async (_, args, c) => {
+        const req = {
+          json: async () => args.data
+        };
+        const ctx = { ...c, req: { ...c.req, ...req } };
+        let result;
+        ctx.json = (data, status) => {
+          if (status && status >= 400)
+            throw new Error(data?.message || "Error");
+          result = data;
+          return data;
+        };
+        await handlers.create(ctx);
+        return result?.doc || result;
+      }
+    };
+    mutationFields[`update${capitalizedSlug}`] = {
+      type: collectionType,
+      args: {
+        id: { type: new GraphQLNonNull(GraphQLString) },
+        data: { type: new GraphQLNonNull(GraphQLJSON) }
+      },
+      resolve: async (_, args, c) => {
+        const req = {
+          param: (key) => {
+            if (key === "id")
+              return args.id;
+            if (!key)
+              return { id: args.id };
+            return args.id;
+          },
+          json: async () => args.data
+        };
+        const ctx = { ...c, req: { ...c.req, ...req } };
+        ctx.req.param = req.param;
+        let result;
+        ctx.json = (data, status) => {
+          if (status && status >= 400)
+            throw new Error(data?.message || "Error");
+          result = data;
+          return data;
+        };
+        await handlers.update(ctx);
+        return result?.doc || result;
+      }
+    };
+    mutationFields[`delete${capitalizedSlug}`] = {
+      type: GraphQLBoolean,
+      args: {
+        id: { type: new GraphQLNonNull(GraphQLString) }
+      },
+      resolve: async (_, args, c) => {
+        const req = {
+          param: (key) => {
+            if (key === "id")
+              return args.id;
+            if (!key)
+              return { id: args.id };
+            return args.id;
+          }
+        };
+        const ctx = { ...c, req: { ...c.req, ...req } };
+        ctx.req.param = req.param;
+        let result;
+        ctx.json = (data, status) => {
+          if (status && status >= 400)
+            throw new Error(data?.message || "Error");
+          result = data;
+          return data;
+        };
+        await handlers.delete(ctx);
+        return result;
+      }
+    };
+  }
+  if (config.globals) {
+    for (const globalConfig of config.globals) {
+      const handlers = createGlobalHandlers(config, globalConfig, () => state.auth);
+      const sanitizedGlobalSlug = sanitizeGraphQLName(globalConfig.slug);
+      const capitalizedGlobalSlug = sanitizedGlobalSlug.charAt(0).toUpperCase() + sanitizedGlobalSlug.slice(1);
+      const globalType = buildCollectionType(globalConfig, `Global_${sanitizedGlobalSlug}`);
+      queryFields[`get${capitalizedGlobalSlug}`] = {
+        type: globalType,
+        resolve: async (_, __, c) => {
+          const req = {};
+          const ctx = { ...c, req: { ...c.req, ...req } };
+          let result;
+          ctx.json = (data) => {
+            result = data;
+            return data;
+          };
+          await handlers.find(ctx);
+          return result;
+        }
+      };
+      mutationFields[`update${capitalizedGlobalSlug}`] = {
+        type: globalType,
+        args: {
+          data: { type: new GraphQLNonNull(GraphQLJSON) }
+        },
+        resolve: async (_, args, c) => {
+          const req = {
+            json: async () => args.data
+          };
+          const ctx = { ...c, req: { ...c.req, ...req } };
+          let result;
+          ctx.json = (data) => {
+            result = data;
+            return data;
+          };
+          await handlers.update(ctx);
+          return result;
+        }
+      };
+    }
+  }
+  if (Object.keys(queryFields).length === 0) {
+    queryFields._empty = { type: GraphQLString, resolve: () => "Empty" };
+  }
+  const queryType = new GraphQLObjectType({
+    name: "Query",
+    fields: queryFields
+  });
+  const schemaConfig = { query: queryType };
+  if (Object.keys(mutationFields).length > 0) {
+    schemaConfig.mutation = new GraphQLObjectType({
+      name: "Mutation",
+      fields: mutationFields
+    });
+  }
+  return new GraphQLSchema(schemaConfig);
+}
+
+// src/server/routers/plugins.ts
+function mountPluginRoutes(config, settings, logger2, router, env = {}) {
+  if (config.plugins && Array.isArray(config.plugins)) {
+    for (const plugin of config.plugins) {
+      const pluginSettings = settings[plugin.name] || {};
+      const pluginContext = { config, logger: logger2, settings: pluginSettings, env };
+      if (plugin.onRequest) {
+        router.use("*", async (c, next) => {
+          const result = await plugin.onRequest(c);
+          if (result === false) {
+            return c.json({ error: "Blocked by plugin: " + plugin.name }, 403);
+          }
+          await next();
+        });
+      }
+      if (plugin.onRouterInit) {
+        try {
+          plugin.onRouterInit(router, pluginContext);
+        } catch (e) {
+          logger2.error(`[Plugin] ${plugin.name} failed during onRouterInit: `, e);
+        }
+      }
+    }
+  }
+}
+function firePluginInitComplete(config, settings, logger2, env = {}) {
+  if (config.plugins && Array.isArray(config.plugins)) {
+    for (const plugin of config.plugins) {
+      if (plugin.onInitComplete) {
+        const pluginSettings = settings[plugin.name] || {};
+        plugin.onInitComplete({ config, logger: logger2, settings: pluginSettings, env });
+      }
+    }
+  }
+}
+
+// src/server/router.ts
+function createAPIRouter(config, settings = {}, env = {}) {
+  const state = { auth: undefined, migrated: false };
+  const app = new Hono4;
+  const router = new Hono4;
+  setupMiddlewares(router, config, state);
+  setupAuthMiddlewares(router, config, state);
+  router.get("/", (c) => {
+    return c.json({ status: "ok", version: "1.0.0", appName: config.appName });
+  });
+  router.route("/auth", createAuthRouter(config, state));
+  router.route("/__admin", createAdminRouter(config, settings, state));
+  router.route("/__system", createSystemRouter(config));
+  router.route("/", createAssetsServingRouter(config));
+  mountPluginRoutes(config, settings, logger, router, env);
+  const isRestEnabled = config.api?.rest?.enabled !== false;
+  const isGraphQLEnabled = config.api?.graphql?.enabled === true;
+  if (isRestEnabled) {
+    mountCollectionRoutes(router, config, state);
+    mountGlobalRoutes(router, config, state);
+  }
+  mountIncomingWebhookRoutes(router, config);
+  if (isGraphQLEnabled) {
+    const graphqlPath = config.api?.graphql?.path || "/graphql";
+    const schema = generateGraphQLSchema(config, state);
+    router.all(graphqlPath, async (c, next) => {
+      try {
+        const { graphqlServer } = await import("@hono/graphql-server");
+        return graphqlServer({
+          schema,
+          graphiql: config.api?.graphql?.graphiql ?? false
+        })(c, next);
+      } catch (e) {
+        logger.error("Failed to load @hono/graphql-server. Please install 'graphql' and '@hono/graphql-server' to use GraphQL features.", e);
+        return c.json({ error: "GraphQL is enabled but dependencies are missing." }, 500);
+      }
+    });
+  }
+  if (config.api?.openAPI?.enabled) {
+    router.get("/open-api.json", (c) => {
+      const schema = generateOpenAPISchema(config);
+      return c.json(schema);
+    });
+    const referencePath = config.api.openAPI.path || "/reference";
+    const safeRefPath = referencePath.startsWith("/") ? referencePath : `/${referencePath}`;
+    router.get(safeRefPath, async (c, next) => {
+      const { Scalar } = await import("@scalar/hono-api-reference");
+      return Scalar({
+        pageTitle: `${config.appName || "OpacaCMS"} API Documentation`,
+        theme: config.api?.openAPI?.theme || "default",
+        layout: config.api?.openAPI?.layout === "classic" ? "classic" : "modern",
+        hideModels: config.api?.openAPI?.hideModels,
+        hideDownloadButton: config.api?.openAPI?.hideDownloadButton,
+        customCss: config.api?.openAPI?.customCss,
+        ...{
+          sources: [
+            { url: "/api/open-api.json", title: "CMS Collections" },
+            { url: "/api/auth/open-api/generate-schema", title: "Auth APIs" }
+          ]
+        }
+      })(c, next);
+    });
+  }
+  firePluginInitComplete(config, settings, logger, env);
+  app.route("/api", router);
+  app.get("/", (c) => c.redirect("/api"));
+  app.notFound((c) => {
+    console.error(`[OpacaRouter] 404 Not Found: ${c.req.method} ${c.req.url}`);
+    return c.json({ message: "Not Found", path: c.req.path }, 404);
+  });
+  return app;
+}
+
+// src/runtimes/cloudflare-workers.ts
 var cachedApp;
 function createCloudflareWorkersHandler(configOrFactory, options) {
-  const app = new Hono;
+  const app = new Hono5;
   app.use("/api/*", async (c, next) => {
     if (cachedApp)
       return cachedApp.fetch(c.req.raw, c.env, c.executionCtx);
     const config = typeof configOrFactory === "function" ? await configOrFactory(c.env, c.req.raw) : configOrFactory;
     const apiRouter = createAPIRouter(config, {}, c.env);
-    const innerApp = new Hono;
+    const innerApp = new Hono5;
     innerApp.route("/", apiRouter);
     cachedApp = innerApp;
     return cachedApp.fetch(c.req.raw, c.env, c.executionCtx);