@archlast/server 0.1.7 → 0.1.9

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2025 Archlast Team
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2025 Archlast Team
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -22,10 +22,10 @@ by the CLI (`archlast start`).
 import { defineSchema, defineTable, v } from "@archlast/server/schema/definition";
 
 export default defineSchema({
-  tasks: defineTable({
-    id: v.id(),
-    text: v.string(),
-  }),
+    tasks: defineTable({
+        id: v.id(),
+        text: v.string(),
+    }),
 });
 ```
 
@@ -36,16 +36,17 @@ import { query, mutation } from "@archlast/server/functions/definition";
 import { z } from "zod";
 
 export const list = query({
-  handler: async (ctx) => ctx.db.table("tasks").findMany(),
+    handler: async (ctx) => ctx.db.table("tasks").findMany(),
 });
 
 export const create = mutation({
-  args: { text: z.string() },
-  handler: async (ctx, args) => ctx.db.table("tasks").insert({ text: args.text }),
+    args: { text: z.string() },
+    handler: async (ctx, args) => ctx.db.table("tasks").insert({ text: args.text }),
 });
 ```
 
 Other function types:
+
 - `action` for long running tasks
 - `http` for explicit HTTP routes
 - `webhook` for signed incoming events
@@ -58,14 +59,15 @@ optional, and attach permissions.
 
 ```ts
 export const publicPing = query({
-  auth: "public",
-  handler: async () => "pong",
+    auth: "public",
+    handler: async () => "pong",
 });
 ```
 
 ## Runtime exports
 
 Common entry points:
+
 - `@archlast/server/schema/definition` and `@archlast/server/schema/validators`
 - `@archlast/server/functions/definition` and `@archlast/server/functions/types`
 - `@archlast/server/http` and `@archlast/server/webhook`
@@ -76,6 +78,7 @@ Common entry points:
 ## Docker templates
 
 Templates live under `templates/` in this package:
+
 - `docker-compose.yml`, `docker-compose.dev.yml`, `docker-compose.prod.yml`
 - `.env.example`
 - `archlast.config.js`
@@ -85,6 +88,7 @@ The CLI uses these templates to generate a local Docker setup.
 ## Environment configuration
 
 Key variables used by the server runtime:
+
 - `PORT` (default: 4000)
 - `ARCHLAST_DB_ROOT` (default: `./data`)
 - `ARCHLAST_ALLOWED_ORIGINS` (CSV)
@@ -97,4 +101,4 @@ Key variables used by the server runtime:
 
 ## Publishing (maintainers)
 
-See `docs/npm-publishing.md` for release and publish steps.
+See `docs/npm-publishing.md` for release and publish steps.

package/dist/admin/auth.d.ts

@@ -29,11 +29,23 @@ export declare function isSetupRequired(db: IDatabaseClient): Promise<boolean>;
 /**
  * Setup: Create the first admin user
  */
-export declare function setupFirstAdmin(db: IDatabaseClient, username: string, password: string, userAgent: string | null, ipAddress: string | null): Promise<SetupResult | AuthError>;
+export declare function setupFirstAdmin(
+    db: IDatabaseClient,
+    username: string,
+    password: string,
+    userAgent: string | null,
+    ipAddress: string | null
+): Promise<SetupResult | AuthError>;
 /**
  * Login: Authenticate admin user
  */
-export declare function loginAdmin(db: IDatabaseClient, username: string, password: string, userAgent: string | null, ipAddress: string | null): Promise<LoginResult | AuthError>;
+export declare function loginAdmin(
+    db: IDatabaseClient,
+    username: string,
+    password: string,
+    userAgent: string | null,
+    ipAddress: string | null
+): Promise<LoginResult | AuthError>;
 /**
  * Logout: Invalidate session
  */
@@ -41,7 +53,10 @@ export declare function logoutAdmin(db: IDatabaseClient, token: string): Promise
 /**
  * Verify session and get admin user
  */
-export declare function verifyAdminSession(db: IDatabaseClient, token: string): Promise<{
+export declare function verifyAdminSession(
+    db: IDatabaseClient,
+    token: string
+): Promise<{
     user: Omit<AdminUser, "password_hash">;
     session: AdminSession;
 } | null>;
@@ -56,7 +71,11 @@ export declare function extractAdminSessionTokens(req: Request): string[];
  * 2. ast_ session tokens (login sessions) - not obfuscated (for browser)
  * 3. ak_ API keys (legacy, user-created) - not obfuscated
  */
-export declare function requireAdminAuth(db: IDatabaseClient, req: Request, requestPath?: string): Promise<{
+export declare function requireAdminAuth(
+    db: IDatabaseClient,
+    req: Request,
+    requestPath?: string
+): Promise<{
     user: Omit<AdminUser, "password_hash">;
     session: AdminSession;
 } | null>;
@@ -76,4 +95,4 @@ export declare function getUserAgent(req: Request): string | null;
  * Get IP address from request
  */
 export declare function getIpAddress(req: Request): string | null;
-//# sourceMappingURL=auth.d.ts.map
+//# sourceMappingURL=auth.d.ts.map

package/dist/admin/auth.js

@@ -43,7 +43,10 @@ async function setupFirstAdmin(db, username, password, userAgent, ipAddress) {
         // Validate username
         const normalizedUsername = (0, schema_js_1.normalizeUsername)(username);
         if (!(0, schema_js_1.isValidUsername)(normalizedUsername)) {
-            return { success: false, error: "Invalid username. Must be 3-32 characters, alphanumeric and underscore only." };
+            return {
+                success: false,
+                error: "Invalid username. Must be 3-32 characters, alphanumeric and underscore only.",
+            };
         }
         // Validate password
         if (!password || password.length < 8) {
@@ -52,10 +55,21 @@ async function setupFirstAdmin(db, username, password, userAgent, ipAddress) {
         // Hash password
         const passwordHash = await (0, crypto_js_1.hashPassword)(password);
         // Create first admin user (always super admin)
-        const user = await (0, schema_js_1.createFirstAdminUser)(db, normalizedUsername, passwordHash);
+        const user = await (0, schema_js_1.createFirstAdminUser)(
+            db,
+            normalizedUsername,
+            passwordHash
+        );
         // Create session
         const token = `ast_${(0, cuid2_1.createId)()}`; // Admin Session Token
-        const session = await (0, schema_js_1.createAdminSession)(db, user._id, token, exports.ADMIN_SESSION_TTL_MS, userAgent, ipAddress);
+        const session = await (0, schema_js_1.createAdminSession)(
+            db,
+            user._id,
+            token,
+            exports.ADMIN_SESSION_TTL_MS,
+            userAgent,
+            ipAddress
+        );
         return {
             success: true,
             token: session.token,
@@ -70,8 +84,7 @@ async function setupFirstAdmin(db, username, password, userAgent, ipAddress) {
                 updated_at: user.updated_at,
             },
         };
-    }
-    catch (err) {
+    } catch (err) {
         logger_js_1.logger.log({
             timestamp: Date.now(),
             level: "error",
@@ -100,7 +113,14 @@ async function loginAdmin(db, username, password, userAgent, ipAddress) {
         }
         // Create session
         const token = `ast_${(0, cuid2_1.createId)()}`;
-        const session = await (0, schema_js_1.createAdminSession)(db, user._id, token, exports.ADMIN_SESSION_TTL_MS, userAgent, ipAddress);
+        const session = await (0, schema_js_1.createAdminSession)(
+            db,
+            user._id,
+            token,
+            exports.ADMIN_SESSION_TTL_MS,
+            userAgent,
+            ipAddress
+        );
         return {
             success: true,
             token: session.token,
@@ -115,8 +135,7 @@ async function loginAdmin(db, username, password, userAgent, ipAddress) {
                 updated_at: user.updated_at,
             },
         };
-    }
-    catch (err) {
+    } catch (err) {
         logger_js_1.logger.log({
             timestamp: Date.now(),
             level: "error",
@@ -167,8 +186,7 @@ async function verifyAdminSession(db, token) {
             },
             session,
         };
-    }
-    catch (err) {
+    } catch (err) {
         logger_js_1.logger.log({
             timestamp: Date.now(),
             level: "error",
@@ -185,7 +203,8 @@ async function verifyAdminSession(db, token) {
 // ============================================================================
 // TOKEN OBFUSCATION
 // ============================================================================
-const TOKEN_OBFUSCATION_SECRET = process.env.ARCHLAST_TOKEN_OBFUSCATION_SECRET || "archlast-default-secret-change-in-production";
+const TOKEN_OBFUSCATION_SECRET =
+    process.env.ARCHLAST_TOKEN_OBFUSCATION_SECRET || "archlast-default-secret-change-in-production";
 const TIMESTAMP_WINDOW_MS = 5 * 60 * 1000; // 5 minutes
 /**
  * Deobfuscate a dynamic token and return the raw token
@@ -219,7 +238,9 @@ function deobfuscateToken(obfuscated, requestPath) {
             .update(message)
             .digest("base64url");
         // Use timing-safe comparison to prevent timing attacks
-        if (!(0, crypto_1.timingSafeEqual)(Buffer.from(signature), Buffer.from(expectedSignature))) {
+        if (
+            !(0, crypto_1.timingSafeEqual)(Buffer.from(signature), Buffer.from(expectedSignature))
+        ) {
             logger_js_1.logger.log({
                 timestamp: Date.now(),
                 level: "warn",
@@ -235,8 +256,7 @@ function deobfuscateToken(obfuscated, requestPath) {
             message: `[Token Obfuscation] ✓ Token deobfuscated successfully`,
         });
         return token;
-    }
-    catch (error) {
+    } catch (error) {
         logger_js_1.logger.log({
             timestamp: Date.now(),
             level: "error",
@@ -256,16 +276,14 @@ function extractAndDeobfuscateTokens(req, requestPath) {
     const xAdminToken = req.headers.get("x-admin-token");
     if (xAdminToken) {
         const deobfuscated = deobfuscateToken(xAdminToken, requestPath);
-        if (deobfuscated)
-            tokens.push(deobfuscated);
+        if (deobfuscated) tokens.push(deobfuscated);
     }
     // 2. Authorization header
     const authHeader = req.headers.get("authorization");
     if (authHeader?.startsWith("Bearer ")) {
         const token = authHeader.slice(7);
         const deobfuscated = deobfuscateToken(token, requestPath);
-        if (deobfuscated)
-            tokens.push(deobfuscated);
+        if (deobfuscated) tokens.push(deobfuscated);
     }
     // 3. Cookie (session tokens are not obfuscated)
     const cookieHeader = req.headers.get("cookie");
@@ -287,8 +305,7 @@ function extractAdminSessionTokens(req) {
     const tokens = [];
     // 1. X-Admin-Token header (highest priority, manual bypass)
     const xAdminToken = req.headers.get("x-admin-token");
-    if (xAdminToken)
-        tokens.push(xAdminToken);
+    if (xAdminToken) tokens.push(xAdminToken);
     // 2. Authorization header
     const authHeader = req.headers.get("authorization");
     if (authHeader?.startsWith("Bearer ")) {
@@ -334,7 +351,7 @@ async function requireAdminAuth(db, req, requestPath) {
         level: "debug",
         kind: "system",
         message: `[Admin Auth] Found ${tokens.length} token(s)`,
-        context: { tokenTypes: tokens.map(t => `${t.slice(0, 4)}...${t.slice(-4)}`) },
+        context: { tokenTypes: tokens.map((t) => `${t.slice(0, 4)}...${t.slice(-4)}`) },
     });
     for (const token of tokens) {
         // 1. Check for sat_ admin tokens (Server Admin Tokens - dashboard-generated)
@@ -357,7 +374,10 @@ async function requireAdminAuth(db, req, requestPath) {
                 });
             }
             if (adminTokenRecord) {
-                const user = await (0, schema_js_1.findAdminUserById)(db, adminTokenRecord.created_by_admin_id);
+                const user = await (0, schema_js_1.findAdminUserById)(
+                    db,
+                    adminTokenRecord.created_by_admin_id
+                );
                 if (user) {
                     await (0, schema_js_1.updateAdminTokenLastUsed)(db, adminTokenRecord._id);
                     const now = Date.now();
@@ -384,7 +404,8 @@ async function requireAdminAuth(db, req, requestPath) {
                             _collection: "admin_tokens",
                             admin_user_id: user._id,
                             token: adminTokenRecord.token,
-                            expires_at: adminTokenRecord.expires_at ?? now + exports.ADMIN_SESSION_TTL_MS,
+                            expires_at:
+                                adminTokenRecord.expires_at ?? now + exports.ADMIN_SESSION_TTL_MS,
                             user_agent: req.headers.get("user-agent"),
                             ip_address: getIpAddress(req),
                             created_at: adminTokenRecord.created_at,
@@ -405,7 +426,10 @@ async function requireAdminAuth(db, req, requestPath) {
         if (token.startsWith("ak_")) {
             const apiKey = await (0, schema_js_1.findApiKeyByKey)(db, token);
             if (apiKey) {
-                const user = await (0, schema_js_1.findAdminUserById)(db, apiKey.created_by_admin_id);
+                const user = await (0, schema_js_1.findAdminUserById)(
+                    db,
+                    apiKey.created_by_admin_id
+                );
                 if (user) {
                     await (0, schema_js_1.updateApiKeyLastUsed)(db, apiKey._id);
                     const now = Date.now();
@@ -484,4 +508,4 @@ function getIpAddress(req) {
     // Fallback to direct connection (may be proxy IP in production)
     return null;
 }
-//# sourceMappingURL=auth.js.map
+//# sourceMappingURL=auth.js.map

package/dist/admin/schema.d.ts

@@ -37,9 +37,15 @@ export declare const adminSchema: {
             _id: import("../schema/validators.js").FieldSchema<import("zod").ZodString>;
             username: import("../schema/validators.js").FieldSchema<import("zod").ZodString>;
             password_hash: import("../schema/validators.js").FieldSchema<import("zod").ZodString>;
-            name: import("../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
-            avatar_url: import("../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
-            is_super_admin: import("../schema/validators.js").FieldSchema<import("zod").ZodDefault<import("zod").ZodBoolean>>;
+            name: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodOptional<import("zod").ZodString>
+            >;
+            avatar_url: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodOptional<import("zod").ZodString>
+            >;
+            is_super_admin: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodDefault<import("zod").ZodBoolean>
+            >;
             created_at: import("../schema/validators.js").FieldSchema<import("zod").ZodNumber>;
             updated_at: import("../schema/validators.js").FieldSchema<import("zod").ZodNumber>;
         }>;
@@ -49,28 +55,50 @@ export declare const adminSchema: {
             token: import("../schema/validators.js").FieldSchema<import("zod").ZodString>;
             expires_at: import("../schema/validators.js").FieldSchema<import("zod").ZodNumber>;
             created_at: import("../schema/validators.js").FieldSchema<import("zod").ZodNumber>;
-            last_accessed_at: import("../schema/validators.js").FieldSchema<import("zod").ZodNumber>;
-            user_agent: import("../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
-            ip_address: import("../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+            last_accessed_at: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodNumber
+            >;
+            user_agent: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodOptional<import("zod").ZodString>
+            >;
+            ip_address: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodOptional<import("zod").ZodString>
+            >;
         }>;
         _api_keys: import("../schema/definition.js").TableDefinition<{
             _id: import("../schema/validators.js").FieldSchema<import("zod").ZodString>;
             key: import("../schema/validators.js").FieldSchema<import("zod").ZodString>;
             name: import("../schema/validators.js").FieldSchema<import("zod").ZodString>;
-            created_by_admin_id: import("../schema/validators.js").FieldSchema<import("zod").ZodString>;
+            created_by_admin_id: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodString
+            >;
             created_at: import("../schema/validators.js").FieldSchema<import("zod").ZodNumber>;
-            last_used_at: import("../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
-            is_revoked: import("../schema/validators.js").FieldSchema<import("zod").ZodDefault<import("zod").ZodBoolean>>;
+            last_used_at: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodOptional<import("zod").ZodNumber>
+            >;
+            is_revoked: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodDefault<import("zod").ZodBoolean>
+            >;
         }>;
         _admin_tokens: import("../schema/definition.js").TableDefinition<{
             _id: import("../schema/validators.js").FieldSchema<import("zod").ZodString>;
             token: import("../schema/validators.js").FieldSchema<import("zod").ZodString>;
             name: import("../schema/validators.js").FieldSchema<import("zod").ZodString>;
-            created_by_admin_id: import("../schema/validators.js").FieldSchema<import("zod").ZodString>;
-            scopes: import("../schema/validators.js").FieldSchema<import("zod").ZodArray<import("zod").ZodString>>;
-            expires_at: import("../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
-            last_used_at: import("../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
-            is_revoked: import("../schema/validators.js").FieldSchema<import("zod").ZodDefault<import("zod").ZodBoolean>>;
+            created_by_admin_id: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodString
+            >;
+            scopes: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodArray<import("zod").ZodString>
+            >;
+            expires_at: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodOptional<import("zod").ZodNumber>
+            >;
+            last_used_at: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodOptional<import("zod").ZodNumber>
+            >;
+            is_revoked: import("../schema/validators.js").FieldSchema<
+                import("zod").ZodDefault<import("zod").ZodBoolean>
+            >;
             created_at: import("../schema/validators.js").FieldSchema<import("zod").ZodNumber>;
         }>;
     };
@@ -126,32 +154,59 @@ export declare function hasAnyAdminUsers(db: IDatabaseClient): Promise<boolean>;
 /**
  * Create the first admin user (setup flow)
  */
-export declare function createFirstAdminUser(db: IDatabaseClient, username: string, passwordHash: string, name?: string): Promise<AdminUser>;
+export declare function createFirstAdminUser(
+    db: IDatabaseClient,
+    username: string,
+    passwordHash: string,
+    name?: string
+): Promise<AdminUser>;
 /**
  * Find admin user by username
  */
-export declare function findAdminUserByUsername(db: IDatabaseClient, username: string): Promise<AdminUser | null>;
+export declare function findAdminUserByUsername(
+    db: IDatabaseClient,
+    username: string
+): Promise<AdminUser | null>;
 /**
  * Find admin user by email (deprecated, use findAdminUserByUsername)
  * @deprecated Use findAdminUserByUsername instead
  */
-export declare function findAdminUserByEmail(db: IDatabaseClient, email: string): Promise<AdminUser | null>;
+export declare function findAdminUserByEmail(
+    db: IDatabaseClient,
+    email: string
+): Promise<AdminUser | null>;
 /**
  * Find admin user by ID
  */
-export declare function findAdminUserById(db: IDatabaseClient, id: string): Promise<AdminUser | null>;
+export declare function findAdminUserById(
+    db: IDatabaseClient,
+    id: string
+): Promise<AdminUser | null>;
 /**
  * Create admin session
  */
-export declare function createAdminSession(db: IDatabaseClient, adminUserId: string, token: string, expiresInMs: number, userAgent: string | null, ipAddress: string | null): Promise<AdminSession>;
+export declare function createAdminSession(
+    db: IDatabaseClient,
+    adminUserId: string,
+    token: string,
+    expiresInMs: number,
+    userAgent: string | null,
+    ipAddress: string | null
+): Promise<AdminSession>;
 /**
  * Find session by token
  */
-export declare function findAdminSessionByToken(db: IDatabaseClient, token: string): Promise<AdminSession | null>;
+export declare function findAdminSessionByToken(
+    db: IDatabaseClient,
+    token: string
+): Promise<AdminSession | null>;
 /**
  * Update session last accessed time
  */
-export declare function updateSessionLastAccessed(db: IDatabaseClient, sessionId: string): Promise<void>;
+export declare function updateSessionLastAccessed(
+    db: IDatabaseClient,
+    sessionId: string
+): Promise<void>;
 /**
  * Delete session (logout)
  */
@@ -159,11 +214,17 @@ export declare function deleteAdminSession(db: IDatabaseClient, token: string):
 /**
  * Delete all sessions for a user
  */
-export declare function deleteAllUserSessions(db: IDatabaseClient, adminUserId: string): Promise<number>;
+export declare function deleteAllUserSessions(
+    db: IDatabaseClient,
+    adminUserId: string
+): Promise<number>;
 /**
  * List all sessions for an admin user
  */
-export declare function listAdminSessions(db: IDatabaseClient, adminUserId: string): Promise<AdminSession[]>;
+export declare function listAdminSessions(
+    db: IDatabaseClient,
+    adminUserId: string
+): Promise<AdminSession[]>;
 /**
  * Clean up expired sessions
  */
@@ -171,11 +232,18 @@ export declare function cleanupExpiredSessions(db: IDatabaseClient): Promise<num
 /**
  * Create admin user (requires existing admin)
  */
-export declare function createAdminUser(db: IDatabaseClient, username: string, passwordHash: string, isSuperAdmin?: boolean): Promise<AdminUser>;
+export declare function createAdminUser(
+    db: IDatabaseClient,
+    username: string,
+    passwordHash: string,
+    isSuperAdmin?: boolean
+): Promise<AdminUser>;
 /**
  * List all admin users
  */
-export declare function listAdminUsers(db: IDatabaseClient): Promise<Omit<AdminUser, "password_hash">[]>;
+export declare function listAdminUsers(
+    db: IDatabaseClient
+): Promise<Omit<AdminUser, "password_hash">[]>;
 /**
  * Delete admin user
  */
@@ -183,11 +251,19 @@ export declare function deleteAdminUser(db: IDatabaseClient, id: string): Promis
 /**
  * Update admin user
  */
-export declare function updateAdminUser(db: IDatabaseClient, id: string, data: Partial<Pick<AdminUser, "name" | "avatar_url">>): Promise<void>;
+export declare function updateAdminUser(
+    db: IDatabaseClient,
+    id: string,
+    data: Partial<Pick<AdminUser, "name" | "avatar_url">>
+): Promise<void>;
 /**
  * Create API key
  */
-export declare function createApiKey(db: IDatabaseClient, name: string, createdByAdminId: string): Promise<ApiKey>;
+export declare function createApiKey(
+    db: IDatabaseClient,
+    name: string,
+    createdByAdminId: string
+): Promise<ApiKey>;
 /**
  * Find API key by key string
  */
@@ -211,15 +287,26 @@ export declare function deleteApiKey(db: IDatabaseClient, id: string): Promise<v
 /**
  * Create admin token (sat_ prefix)
  */
-export declare function createAdminToken(db: IDatabaseClient, name: string, createdByAdminId: string, expiresInDays?: number | null): Promise<AdminToken>;
+export declare function createAdminToken(
+    db: IDatabaseClient,
+    name: string,
+    createdByAdminId: string,
+    expiresInDays?: number | null
+): Promise<AdminToken>;
 /**
  * Find admin token by token string
  */
-export declare function findAdminTokenByToken(db: IDatabaseClient, token: string): Promise<AdminToken | null>;
+export declare function findAdminTokenByToken(
+    db: IDatabaseClient,
+    token: string
+): Promise<AdminToken | null>;
 /**
  * Update admin token last used time
  */
-export declare function updateAdminTokenLastUsed(db: IDatabaseClient, tokenId: string): Promise<void>;
+export declare function updateAdminTokenLastUsed(
+    db: IDatabaseClient,
+    tokenId: string
+): Promise<void>;
 /**
  * List admin tokens (masked, excludes token value)
  */
@@ -228,7 +315,10 @@ export declare function listAdminTokens(db: IDatabaseClient): Promise<Omit<Admin
  * Get admin token by ID with full token value (for copy functionality)
  * Warning: Only use this when user explicitly requests to reveal the token
  */
-export declare function getAdminTokenById(db: IDatabaseClient, id: string): Promise<AdminToken | null>;
+export declare function getAdminTokenById(
+    db: IDatabaseClient,
+    id: string
+): Promise<AdminToken | null>;
 /**
  * Revoke admin token
  */
@@ -237,4 +327,4 @@ export declare function revokeAdminToken(db: IDatabaseClient, id: string): Promi
  * Delete admin token permanently
  */
 export declare function deleteAdminToken(db: IDatabaseClient, id: string): Promise<void>;
-//# sourceMappingURL=schema.d.ts.map
+//# sourceMappingURL=schema.d.ts.map