npm - @better-media/framework - Versions diffs - 0.1.0 - Mend

@better-media/framework 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,1044 @@
+import { isPgPoolLike, TrustedMetadataSchema, HOOK_NAMES, schema, serializeData, toDbFieldName, deserializeData, toCamelCase, getColumnType, markFileContentVerified, resolveHookMode } from '@better-media/core';
+export { HOOK_NAMES, MigrationPlanner, applyOperationsToMetadata, compileMigrationOperationsSql, deserializeData, getAdapter, getColumnType, getMigrations, isPgPoolLike, runHooks, runMigrations, schema, serializeData, toCamelCase, toDbFieldName } from '@better-media/core';
+import fs2 from 'fs/promises';
+import { randomUUID } from 'crypto';
+import { memoryJobAdapter } from '@better-media/adapter-jobs';
+import path from 'path';
+import { createWriteStream } from 'fs';
+import os from 'os';
+import { Readable } from 'stream';
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+// src/core/lifecycle-engine.ts
+var lifecycle_engine_exports = {};
+__export(lifecycle_engine_exports, {
+  LifecycleEngine: () => LifecycleEngine,
+  createSecureContext: () => createSecureContext
+});
+function createSecureContext(context, pluginName, namespace, trustLevel, capabilities) {
+  const api = {
+    emitMetadata(patch) {
+      if (!capabilities.includes("metadata.write.own")) {
+        console.warn(`[AUDIT] Denied metadata.write.own for plugin "${pluginName}"`);
+        throw new Error(`Plugin "${pluginName}" lacks "metadata.write.own" capability`);
+      }
+      context.metadata[namespace] = {
+        ...context.metadata[namespace] ?? {},
+        ...patch
+      };
+    },
+    emitProcessing(patch) {
+      if (!capabilities.includes("processing.write.own")) {
+        console.warn(`[AUDIT] Denied processing.write.own for plugin "${pluginName}"`);
+        throw new Error(`Plugin "${pluginName}" lacks "processing.write.own" capability`);
+      }
+      context.processing[namespace] = {
+        ...context.processing[namespace] ?? {},
+        ...patch
+      };
+    },
+    proposeTrusted(patch) {
+      if (trustLevel !== "trusted" || !capabilities.includes("trusted.propose")) {
+        console.warn(
+          `[AUDIT] Security Violation: Unauthorized trusted.propose from plugin "${pluginName}"`
+        );
+        throw new Error(`Plugin "${pluginName}" is not authorized to propose trusted metadata`);
+      }
+      const secureContext = context;
+      const verified = secureContext._verifiedSources ?? /* @__PURE__ */ new Set();
+      if (!verified.has("file:content") && (patch.file || patch.checksums || patch.media)) {
+        console.warn(
+          `[AUDIT] Provenance Failure: Plugin "${pluginName}" attempted to propose trusted metadata without independent verification (no file content read).`
+        );
+        throw new Error(
+          `Plugin "${pluginName}" must verify file content before proposing trusted metadata`
+        );
+      }
+      TrustedMetadataSchema.parse(patch);
+      const auditLog = secureContext._auditLog ??= [];
+      auditLog.push({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        plugin: pluginName,
+        action: "proposeTrusted",
+        patch: JSON.parse(JSON.stringify(patch))
+        // Snapshot the patch
+      });
+      console.info(
+        `[AUDIT] Accepted trusted proposal from plugin "${pluginName}" for file "${context.file.key}"`
+      );
+      context.trusted = {
+        ...context.trusted,
+        ...patch,
+        file: { ...context.trusted.file, ...patch.file },
+        checksums: { ...context.trusted.checksums, ...patch.checksums },
+        media: { ...context.trusted.media, ...patch.media }
+      };
+      if (patch.file) {
+        if (patch.file.mimeType != null) context.file.mimeType = patch.file.mimeType;
+        if (patch.file.size != null) context.file.size = patch.file.size;
+        if (patch.file.originalName != null) context.file.originalName = patch.file.originalName;
+        if (patch.file.extension != null) context.file.extension = patch.file.extension;
+      }
+      if (patch.checksums) {
+        context.file.checksums = { ...context.file.checksums, ...patch.checksums };
+      }
+    }
+  };
+  const proxy = new Proxy(context, {
+    get(target, prop, receiver) {
+      const value = Reflect.get(target, prop, receiver);
+      if (prop === "metadata" || prop === "processing" || prop === "trusted" || prop === "file") {
+        return new Proxy(value, {
+          set() {
+            throw new Error(
+              `Direct mutation of "context.${String(prop)}" is blocked. Use PluginApi instead. (Plugin: ${pluginName})`
+            );
+          },
+          deleteProperty() {
+            throw new Error(
+              `Direct deletion of "context.${String(prop)}" properties is blocked. (Plugin: ${pluginName})`
+            );
+          }
+        });
+      }
+      return value;
+    },
+    set(target, prop) {
+      throw new Error(
+        `Direct mutation of "context.${String(prop)}" is blocked. (Plugin: ${pluginName})`
+      );
+    }
+  });
+  return { proxy, api };
+}
+var JOB_QUEUE_NAME, LifecycleEngine;
+var init_lifecycle_engine = __esm({
+  "src/core/lifecycle-engine.ts"() {
+    JOB_QUEUE_NAME = "better-media:background";
+    LifecycleEngine = class {
+      constructor(registry, jobAdapter) {
+        this.registry = registry;
+        this.jobAdapter = jobAdapter;
+      }
+      async trigger(hookName, context) {
+        const handlers = this.registry.get(hookName) ?? [];
+        const syncHandlers = handlers.filter((h) => h.mode === "sync");
+        const backgroundHandlers = handlers.filter((h) => h.mode === "background");
+        for (const { name, fn, manifest } of syncHandlers) {
+          const { proxy, api } = createSecureContext(
+            context,
+            name,
+            manifest.namespace,
+            manifest.trustLevel,
+            manifest.capabilities
+          );
+          const result = await fn(proxy, api);
+          if (result !== void 0 && typeof result === "object" && "valid" in result) {
+            if (result.valid === false) return result;
+          }
+        }
+        for (const { name, manifest } of backgroundHandlers) {
+          const payload = {
+            recordId: context.recordId,
+            metadata: JSON.parse(JSON.stringify(context.metadata)),
+            file: JSON.parse(JSON.stringify(context.file)),
+            storageLocation: JSON.parse(JSON.stringify(context.storageLocation)),
+            processing: JSON.parse(JSON.stringify(context.processing)),
+            hookName,
+            pluginName: name,
+            manifest: JSON.parse(JSON.stringify(manifest))
+          };
+          await this.jobAdapter.enqueue(JOB_QUEUE_NAME, payload);
+        }
+      }
+    };
+  }
+});
+// src/plugins/plugin-registry.ts
+init_lifecycle_engine();
+function createEmptyRegistry() {
+  const reg = /* @__PURE__ */ new Map();
+  for (const name of HOOK_NAMES) {
+    reg.set(name, []);
+  }
+  return reg;
+}
+function clearRegistry(registry) {
+  for (const [, list] of registry) {
+    list.length = 0;
+  }
+}
+function createHook(registry, hookName, manifest) {
+  return {
+    tap(name, fn, options) {
+      const requested = options?.mode ?? "sync";
+      const { effective, overridden } = resolveHookMode(hookName, requested);
+      if (overridden) {
+        console.warn(
+          `[better-media] Hook '${hookName}' does not support mode '${requested}'. Overriding to '${effective}'. Plugin: ${name}`
+        );
+      }
+      const list = registry.get(hookName);
+      list.push({ name, fn, mode: effective, manifest });
+    }
+  };
+}
+function createPluginRuntime(registry, plugin) {
+  const hooks = {};
+  for (const name of HOOK_NAMES) {
+    const baseTap = createHook(registry, name, plugin.runtimeManifest).tap;
+    hooks[name] = {
+      tap(handlerName, fn, options) {
+        const mode = options?.mode ?? (plugin.intensive ? "background" : "sync");
+        baseTap(handlerName, fn, { ...options, mode });
+      }
+    };
+  }
+  return { hooks };
+}
+var SYSTEM_MANIFEST = {
+  id: "better-media-system",
+  version: "1.0.0",
+  trustLevel: "trusted",
+  capabilities: ["file.read", "metadata.write.own", "processing.write.own", "trusted.propose"],
+  namespace: "system"
+};
+function createMediaRuntime(plugins, registry) {
+  const runtime = createPluginRuntime(registry, {
+    runtimeManifest: SYSTEM_MANIFEST
+  });
+  for (const plugin of plugins) {
+    const pluginRuntime = createPluginRuntime(registry, plugin);
+    if (plugin.apply) {
+      plugin.apply(pluginRuntime);
+    } else if (plugin.execute) {
+      const mode = plugin.executionMode ?? (plugin.intensive ? "background" : "sync");
+      const wrappedExecute = (ctx, _api) => plugin.execute(ctx);
+      pluginRuntime.hooks["process:run"].tap(plugin.name, wrappedExecute, { mode });
+    }
+  }
+  return runtime;
+}
+var DEFAULT_TRUSTED_POLICY = {
+  isAuthorized(id) {
+    const allowed = ["better-media-validation"];
+    return allowed.includes(id);
+  }
+};
+function buildPluginRegistry(plugins, policy = DEFAULT_TRUSTED_POLICY) {
+  const seenIds = /* @__PURE__ */ new Set();
+  const seenNamespaces = /* @__PURE__ */ new Set();
+  for (const plugin of plugins) {
+    validatePlugin(plugin);
+    const { id, namespace, trustLevel } = plugin.runtimeManifest;
+    if (trustLevel === "trusted" && !policy.isAuthorized(id, namespace)) {
+      throw new Error(
+        `Security Violation: Plugin "${plugin.name}" (${id}) is not authorized for "trusted" status.`
+      );
+    }
+    if (seenIds.has(id)) {
+      throw new Error(`Duplicate plugin ID detected: ${id} (Plugin: ${plugin.name})`);
+    }
+    if (seenNamespaces.has(namespace)) {
+      throw new Error(`Duplicate namespace detected: ${namespace} (Plugin: ${plugin.name})`);
+    }
+    seenIds.add(id);
+    seenNamespaces.add(namespace);
+  }
+  const registry = createEmptyRegistry();
+  const runtime = createMediaRuntime(plugins, registry);
+  return { registry, runtime };
+}
+function validatePlugin(plugin) {
+  if (!plugin.name || typeof plugin.name !== "string") {
+    throw new Error("Plugin must have a non-empty string name");
+  }
+  if (!plugin.apply && !plugin.execute) {
+    throw new Error(`Plugin "${plugin.name}" must define apply() or execute()`);
+  }
+  if (!plugin.runtimeManifest) {
+    throw new Error(
+      `Plugin "${plugin.name}" is missing runtimeManifest. V1 Secure Model requires manifests.`
+    );
+  }
+  const { id, version, trustLevel, capabilities, namespace } = plugin.runtimeManifest;
+  if (!id || !version || !namespace) {
+    throw new Error(
+      `Plugin "${plugin.name}" manifest is missing required fields (id, version, namespace)`
+    );
+  }
+  if (!["untrusted", "trusted"].includes(trustLevel)) {
+    throw new Error(`Plugin "${plugin.name}" has invalid trustLevel: ${trustLevel}`);
+  }
+  if (!Array.isArray(capabilities)) {
+    throw new Error(`Plugin "${plugin.name}" capabilities must be an array`);
+  }
+  if (trustLevel === "untrusted" && capabilities.includes("trusted.propose")) {
+    throw new Error(
+      `Untrusted plugin "${plugin.name}" cannot request "trusted.propose" capability`
+    );
+  }
+}
+var PluginRegistry = class {
+  plugins = [];
+  registry = createEmptyRegistry();
+  engine;
+  constructor(jobAdapter, initialPlugins = []) {
+    this.engine = new LifecycleEngine(this.registry, jobAdapter);
+    for (const plugin of initialPlugins) {
+      this.register(plugin);
+    }
+  }
+  /** Register a plugin and rebuild the hook map */
+  register(plugin) {
+    validatePlugin(plugin);
+    this.plugins.push(plugin);
+    clearRegistry(this.registry);
+    createMediaRuntime(this.plugins, this.registry);
+  }
+  /** Get all registered plugins (shallow copy) */
+  getPlugins() {
+    return [...this.plugins];
+  }
+  /**
+   * Execute all handlers for a hook. Runs sync handlers in series.
+   * Enqueues background handlers via JobAdapter.
+   * @returns ValidationResult if validation phase aborts (valid: false)
+   */
+  async executeHook(hookName, context) {
+    return this.engine.trigger(hookName, context);
+  }
+  /** Access the internal hook registry (for framework wiring) */
+  getRegistry() {
+    return this.registry;
+  }
+};
+function hasBackgroundHandlers(registry) {
+  for (const handlers of registry.values()) {
+    if (handlers.some((h) => h.mode === "background")) return true;
+  }
+  return false;
+}
+// src/index.ts
+init_lifecycle_engine();
+async function loadTrustedFromDb(database, recordId) {
+  const record = await database.findOne({
+    model: "media",
+    where: [{ field: "id", value: recordId }]
+  });
+  if (!record || typeof record !== "object") return null;
+  const rawTrusted = {
+    file: {
+      mimeType: record.mimeType ?? void 0,
+      size: record.size ?? void 0,
+      originalName: record.filename ?? void 0
+    },
+    checksums: {
+      sha256: record.checksum ?? void 0
+    },
+    media: {
+      width: record.width ?? void 0,
+      height: record.height ?? void 0,
+      duration: record.duration ?? void 0
+    }
+  };
+  const result = TrustedMetadataSchema.safeParse(rawTrusted);
+  if (!result.success) {
+    console.error(`[QUARANTINE] Invalid TrustedMetadata mapped from media record "${recordId}"!`);
+    console.error(`[QUARANTINE] Reason: ${JSON.stringify(result.error.format())}`);
+    console.error(`[QUARANTINE] Data: ${JSON.stringify(rawTrusted)}`);
+    return null;
+  }
+  const validated = result.data;
+  return validated.file || validated.checksums || validated.media ? validated : null;
+}
+async function saveTrustedToDb(database, recordId, fileKey, trusted, initialArgs) {
+  const updatePayload = {};
+  if (trusted.file?.mimeType !== void 0) updatePayload.mimeType = trusted.file.mimeType;
+  else if (initialArgs?.mimeType !== void 0) updatePayload.mimeType = initialArgs.mimeType;
+  if (trusted.file?.size !== void 0) updatePayload.size = trusted.file.size;
+  else if (initialArgs?.size !== void 0) updatePayload.size = initialArgs.size;
+  if (trusted.file?.originalName !== void 0) updatePayload.filename = trusted.file.originalName;
+  else if (initialArgs?.filename !== void 0) updatePayload.filename = initialArgs.filename;
+  if (trusted.checksums?.sha256 !== void 0) updatePayload.checksum = trusted.checksums.sha256;
+  if (trusted.media?.width !== void 0) updatePayload.width = trusted.media.width;
+  if (trusted.media?.height !== void 0) updatePayload.height = trusted.media.height;
+  if (trusted.media?.duration !== void 0) updatePayload.duration = trusted.media.duration;
+  if (initialArgs?.context !== void 0) updatePayload.context = initialArgs.context;
+  const existing = await database.findOne({
+    model: "media",
+    where: [{ field: "id", value: recordId }]
+  });
+  updatePayload.storageKey = fileKey;
+  if (existing) {
+    if (Object.keys(updatePayload).length > 0) {
+      await database.update({
+        model: "media",
+        where: [{ field: "id", value: recordId }],
+        update: updatePayload
+      });
+    }
+  } else {
+    updatePayload.id = recordId;
+    updatePayload.status = "PROCESSING";
+    updatePayload.createdAt = /* @__PURE__ */ new Date();
+    await database.create({
+      model: "media",
+      data: updatePayload
+    });
+  }
+}
+async function streamToTempFile(stream, fileKey) {
+  const ext = path.extname(fileKey) || ".bin";
+  const tmpPath = path.join(os.tmpdir(), `better-media-${randomUUID()}${ext}`);
+  const nodeStream = stream instanceof Readable ? stream : Readable.fromWeb(stream);
+  const writeStream = createWriteStream(tmpPath);
+  await new Promise((resolve, reject) => {
+    nodeStream.pipe(writeStream);
+    nodeStream.on("error", reject);
+    writeStream.on("error", reject);
+    writeStream.on("finish", resolve);
+  });
+  return tmpPath;
+}
+async function loadFileIntoContext(context, fileHandling) {
+  const { file, storage } = context;
+  const fileKey = file.key;
+  const maxBufferBytes = fileHandling.maxBufferBytes;
+  const storageWithExtras = storage;
+  if (!context.utilities) context.utilities = {};
+  const fileContent = {};
+  let useStream = false;
+  if (maxBufferBytes != null && typeof storageWithExtras.getSize === "function" && typeof storageWithExtras.getStream === "function") {
+    const size = await storageWithExtras.getSize(fileKey);
+    if (size != null && size > maxBufferBytes) {
+      useStream = true;
+    }
+  }
+  if (useStream && typeof storageWithExtras.getStream === "function") {
+    const stream = await storageWithExtras.getStream(fileKey);
+    if (stream != null) {
+      const tmpPath = await streamToTempFile(stream, fileKey);
+      fileContent.tempPath = tmpPath;
+    } else {
+      const buffer = await storage.get(fileKey);
+      if (buffer != null) fileContent.buffer = buffer;
+    }
+  } else {
+    const buffer = await storage.get(fileKey);
+    if (buffer != null) fileContent.buffer = buffer;
+  }
+  context.utilities.fileContent = fileContent;
+  if (fileContent.buffer != null || fileContent.tempPath != null) {
+    markFileContentVerified(context);
+  }
+}
+async function cleanupTempFile(context) {
+  const tmpPath = context.utilities?.fileContent?.tempPath;
+  if (tmpPath) {
+    await fs2.unlink(tmpPath).catch(() => {
+    });
+    if (context.utilities?.fileContent) {
+      context.utilities.fileContent.tempPath = void 0;
+    }
+  }
+}
+// src/core/pipeline-executor.ts
+function buildFileInfo(fileKey, metadata) {
+  const mime = metadata.contentType ?? metadata.mimeType ?? metadata["content-type"];
+  const size = typeof metadata.size === "number" ? metadata.size : void 0;
+  const originalName = metadata.originalName ?? metadata.originalname;
+  const ext = originalName ? path.extname(originalName).toLowerCase() : path.extname(fileKey).toLowerCase();
+  return {
+    key: fileKey,
+    size,
+    mimeType: typeof mime === "string" ? mime : void 0,
+    originalName: typeof originalName === "string" ? originalName : void 0,
+    extension: ext || void 0,
+    checksums: void 0
+  };
+}
+function buildStorageLocation(fileKey) {
+  return {
+    key: fileKey,
+    bucket: void 0,
+    region: void 0,
+    url: void 0
+  };
+}
+function syncTrustedToFile(context) {
+  const { trusted, file } = context;
+  if (trusted.file?.mimeType != null) file.mimeType = trusted.file.mimeType;
+  if (trusted.file?.size != null) file.size = trusted.file.size;
+  if (trusted.file?.originalName != null) file.originalName = trusted.file.originalName;
+  if (trusted.checksums) file.checksums = { ...file.checksums, ...trusted.checksums };
+}
+var ValidationError = class extends Error {
+  constructor(recordId, fileKey, result) {
+    super(result.message ?? "Validation failed");
+    this.recordId = recordId;
+    this.fileKey = fileKey;
+    this.result = result;
+    this.name = "ValidationError";
+  }
+};
+var PipelineExecutor = class {
+  constructor(engine, storage, database, jobs, fileHandling = {}) {
+    this.engine = engine;
+    this.storage = storage;
+    this.database = database;
+    this.jobs = jobs;
+    this.fileHandling = fileHandling;
+  }
+  async run(recordId, fileKey, metadata = {}, appContext = {}) {
+    const meta = { ...metadata };
+    const trustedFromDb = await loadTrustedFromDb(this.database, recordId);
+    const context = {
+      recordId,
+      file: buildFileInfo(fileKey, meta),
+      storageLocation: buildStorageLocation(fileKey),
+      processing: {},
+      metadata: { ...meta, ...appContext },
+      // Merge for plugins to read backwards-compatibly
+      trusted: trustedFromDb ?? {},
+      utilities: {},
+      storage: this.storage,
+      database: this.database,
+      jobs: this.jobs
+    };
+    if (trustedFromDb) {
+      syncTrustedToFile(context);
+    }
+    try {
+      await loadFileIntoContext(context, this.fileHandling);
+      await saveTrustedToDb(this.database, recordId, fileKey, context.trusted, {
+        filename: context.file.originalName,
+        mimeType: context.file.mimeType,
+        size: context.file.size,
+        context: appContext
+      });
+      for (const phase of HOOK_NAMES) {
+        const result = await this.engine.trigger(phase, context);
+        if (result !== void 0 && typeof result === "object" && result.valid === false) {
+          throw new ValidationError(recordId, fileKey, result);
+        }
+      }
+      await saveTrustedToDb(this.database, recordId, fileKey, context.trusted, {
+        filename: context.file.originalName,
+        mimeType: context.file.mimeType,
+        size: context.file.size,
+        context: appContext
+      });
+    } finally {
+      await cleanupTempFile(context);
+    }
+  }
+};
+function syncTrustedToFile2(context) {
+  const { trusted, file } = context;
+  if (trusted.file?.mimeType != null) file.mimeType = trusted.file.mimeType;
+  if (trusted.file?.size != null) file.size = trusted.file.size;
+  if (trusted.file?.originalName != null) file.originalName = trusted.file.originalName;
+  if (trusted.checksums) file.checksums = { ...file.checksums, ...trusted.checksums };
+}
+async function runBackgroundJob(payload, registry, storage, database, jobs, fileHandling = {}) {
+  const {
+    recordId: payloadRecordId,
+    metadata = {},
+    file: payloadFile,
+    storageLocation: payloadStorage,
+    processing: payloadProcessing,
+    hookName,
+    pluginName
+  } = payload;
+  const meta = { ...metadata };
+  const legacyKey = payload.fileKey;
+  if (!payloadFile && !legacyKey) {
+    throw new Error("Background job payload must include file or fileKey");
+  }
+  const file = payloadFile ?? (legacyKey ? {
+    key: legacyKey,
+    size: typeof meta.size === "number" ? meta.size : void 0,
+    mimeType: typeof (meta.contentType ?? meta.mimeType ?? meta["content-type"]) === "string" ? meta.contentType ?? meta.mimeType ?? meta["content-type"] : void 0,
+    originalName: typeof (meta.originalName ?? meta.originalname) === "string" ? meta.originalName ?? meta.originalname : void 0,
+    extension: path.extname(legacyKey).toLowerCase() || void 0
+  } : { key: "" });
+  const recordId = payloadRecordId ?? file.key ?? "unknown";
+  const storageLocation = payloadStorage ?? { key: file.key };
+  const processing = payloadProcessing ?? {};
+  const trustedFromDb = await loadTrustedFromDb(database, recordId);
+  const context = {
+    recordId,
+    file,
+    storageLocation,
+    processing,
+    metadata: meta,
+    trusted: trustedFromDb ?? {},
+    utilities: {},
+    storage,
+    database,
+    jobs
+  };
+  if (trustedFromDb) {
+    syncTrustedToFile2(context);
+  }
+  try {
+    await loadFileIntoContext(context, fileHandling);
+    const handlers = registry.get(hookName) ?? [];
+    const handler = handlers.find((h) => h.name === pluginName);
+    if (!handler) {
+      throw new Error(`Handler not found: ${hookName}/${pluginName}`);
+    }
+    const manifest = handler.manifest;
+    const { createSecureContext: createSecureContext2 } = await Promise.resolve().then(() => (init_lifecycle_engine(), lifecycle_engine_exports));
+    const { proxy, api } = createSecureContext2(
+      context,
+      pluginName,
+      manifest.namespace,
+      manifest.trustLevel,
+      manifest.capabilities
+    );
+    await handler.fn(proxy, api);
+    if (context.trusted.file ?? context.trusted.checksums) {
+      await saveTrustedToDb(database, recordId, file.key, context.trusted);
+    }
+  } finally {
+    await cleanupTempFile(context);
+  }
+}
+function quote(name) {
+  return `"${name.replace(/"/g, '""')}"`;
+}
+function rowToAppKeys(row) {
+  const mapped = {};
+  for (const [key, value] of Object.entries(row)) {
+    mapped[toCamelCase(key)] = value;
+  }
+  return mapped;
+}
+function buildWhere(where, startAt = 1) {
+  if (!where?.length) return { sql: "", values: [] };
+  const parts = [];
+  const values = [];
+  let idx = startAt;
+  for (let i = 0; i < where.length; i++) {
+    const condition = where[i];
+    if (!condition) continue;
+    const connector = i > 0 ? where[i - 1]?.connector ?? "AND" : "AND";
+    const field = quote(toDbFieldName(condition.field));
+    const op = condition.operator ?? "=";
+    if (i > 0) parts.push(connector);
+    if (op === "contains" || op === "starts_with" || op === "ends_with") {
+      const raw = String(condition.value ?? "");
+      const value = op === "contains" ? `%${raw}%` : op === "starts_with" ? `${raw}%` : `%${raw}`;
+      parts.push(`${field} LIKE $${idx}`);
+      values.push(value);
+      idx += 1;
+      continue;
+    }
+    if (op === "in" || op === "not_in") {
+      const list = Array.isArray(condition.value) ? condition.value : [condition.value];
+      if (!list.length) {
+        parts.push(op === "in" ? "FALSE" : "TRUE");
+        continue;
+      }
+      const placeholders = list.map(() => `$${idx++}`).join(", ");
+      parts.push(`${field} ${op === "in" ? "IN" : "NOT IN"} (${placeholders})`);
+      values.push(...list);
+      continue;
+    }
+    if (condition.value === null && (op === "=" || op === "!=")) {
+      parts.push(`${field} ${op === "=" ? "IS" : "IS NOT"} NULL`);
+      continue;
+    }
+    const sqlOp = op === "!=" ? "<>" : op;
+    parts.push(`${field} ${sqlOp} $${idx}`);
+    values.push(condition.value);
+    idx += 1;
+  }
+  if (!parts.length) return { sql: "", values: [] };
+  return { sql: ` WHERE ${parts.join(" ")}`, values };
+}
+var PostgresDatabaseAdapter = class _PostgresDatabaseAdapter {
+  constructor(db) {
+    this.db = db;
+  }
+  id = "postgres";
+  modelFields(model) {
+    return schema[model]?.fields ?? {};
+  }
+  async create(options) {
+    const fields = this.modelFields(options.model);
+    const serialized = serializeData(fields, options.data);
+    const keys = Object.keys(serialized);
+    const columns = keys.map((k) => quote(toDbFieldName(k))).join(", ");
+    const placeholders = keys.map((_, i) => `$${i + 1}`).join(", ");
+    const values = keys.map((k) => serialized[k]);
+    const result = await this.db.query(
+      `INSERT INTO ${quote(options.model)} (${columns}) VALUES (${placeholders}) RETURNING *`,
+      values
+    );
+    return deserializeData(fields, rowToAppKeys(result.rows[0] ?? serialized));
+  }
+  async findOne(options) {
+    const rows = await this.findMany({ ...options, limit: 1 });
+    return rows[0] ?? null;
+  }
+  async findMany(options) {
+    const fields = this.modelFields(options.model);
+    const select = options.select && options.select.length > 0 ? options.select.map((f) => `${quote(toDbFieldName(f))} AS ${quote(f)}`).join(", ") : "*";
+    let query = `SELECT ${select} FROM ${quote(options.model)}`;
+    const where = buildWhere(options.where);
+    query += where.sql;
+    const values = [...where.values];
+    if (options.sortBy) {
+      query += ` ORDER BY ${quote(toDbFieldName(options.sortBy.field))} ${options.sortBy.direction.toUpperCase()}`;
+    }
+    if (typeof options.limit === "number") {
+      query += ` LIMIT $${values.length + 1}`;
+      values.push(options.limit);
+    }
+    if (typeof options.offset === "number") {
+      query += ` OFFSET $${values.length + 1}`;
+      values.push(options.offset);
+    }
+    const result = await this.db.query(query, values);
+    return result.rows.map((r) => deserializeData(fields, rowToAppKeys(r)));
+  }
+  async update(options) {
+    const updated = await this.updateMany(options);
+    if (!updated) return null;
+    return this.findOne({ model: options.model, where: options.where });
+  }
+  async updateMany(options) {
+    const fields = this.modelFields(options.model);
+    const serialized = serializeData(fields, options.update);
+    const entries = Object.entries(serialized);
+    if (!entries.length) return 0;
+    const setSql = entries.map(([key], i) => `${quote(toDbFieldName(key))} = $${i + 1}`).join(", ");
+    const setValues = entries.map(([, value]) => value);
+    const where = buildWhere(options.where, setValues.length + 1);
+    const query = `UPDATE ${quote(options.model)} SET ${setSql}${where.sql}`;
+    const result = await this.db.query(query, [...setValues, ...where.values]);
+    return Number(result.rowCount ?? 0);
+  }
+  async delete(options) {
+    await this.deleteMany(options);
+  }
+  async deleteMany(options) {
+    const where = buildWhere(options.where);
+    const query = `DELETE FROM ${quote(options.model)}${where.sql}`;
+    const result = await this.db.query(query, where.values);
+    return Number(result.rowCount ?? 0);
+  }
+  async count(options) {
+    const where = buildWhere(options.where);
+    const result = await this.db.query(
+      `SELECT COUNT(*)::int AS c FROM ${quote(options.model)}${where.sql}`,
+      where.values
+    );
+    return Number(result.rows[0]?.c ?? 0);
+  }
+  async raw(query, params) {
+    const result = await this.db.query(query, params);
+    return result.rows;
+  }
+  async transaction(callback) {
+    const pool = this.db;
+    if (typeof pool.connect !== "function") {
+      throw new Error("[better-media] The provided Postgres client does not support transactions.");
+    }
+    const client = await pool.connect();
+    try {
+      await client.query("BEGIN");
+      const trxAdapter = new _PostgresDatabaseAdapter(client);
+      const result = await callback(trxAdapter);
+      await client.query("COMMIT");
+      return result;
+    } catch (error) {
+      await client.query("ROLLBACK");
+      throw error;
+    } finally {
+      client.release?.();
+    }
+  }
+  __getDialect() {
+    return "postgres";
+  }
+  async __getMetadata() {
+    const result = await this.db.query(
+      `SELECT table_name AS "tableName", column_name AS "columnName", data_type AS "dataType", is_nullable AS "isNullable"
+       FROM information_schema.columns
+       WHERE table_schema = current_schema()
+       ORDER BY table_name, ordinal_position`
+    );
+    const grouped = /* @__PURE__ */ new Map();
+    for (const row of result.rows) {
+      const tableName = String(row.tableName);
+      if (!grouped.has(tableName)) grouped.set(tableName, { name: tableName, columns: [] });
+      grouped.get(tableName).columns.push({
+        name: toCamelCase(String(row.columnName)),
+        dataType: String(row.dataType),
+        isNullable: String(row.isNullable).toUpperCase() === "YES"
+      });
+    }
+    return [...grouped.values()];
+  }
+  async __executeMigration(operation) {
+    if (operation.type === "createTable") {
+      const columns = Object.entries(operation.definition.fields).map(([name, field]) => {
+        const parts = [quote(toDbFieldName(name)), getColumnType(field, "postgres")];
+        if (field.primaryKey) parts.push("PRIMARY KEY");
+        if (field.required) parts.push("NOT NULL");
+        if (field.unique) parts.push("UNIQUE");
+        if (field.references) {
+          parts.push(
+            `REFERENCES ${quote(field.references.model)}(${quote(toDbFieldName(field.references.field))}) ON DELETE ${String(
+              field.references.onDelete ?? "CASCADE"
+            ).toUpperCase()}`
+          );
+        }
+        return parts.join(" ");
+      }).join(", ");
+      await this.db.query(`CREATE TABLE IF NOT EXISTS ${quote(operation.table)} (${columns})`);
+      for (const index of operation.definition.indexes ?? []) {
+        const indexName = `idx_${operation.table}_${index.fields.map((f) => toDbFieldName(f)).join("_")}`;
+        await this.db.query(
+          `CREATE ${index.unique ? "UNIQUE " : ""}INDEX IF NOT EXISTS ${quote(indexName)} ON ${quote(
+            operation.table
+          )} (${index.fields.map((f) => quote(toDbFieldName(f))).join(", ")})`
+        );
+      }
+      return;
+    }
+    if (operation.type === "addColumn") {
+      const field = operation.definition;
+      const parts = [
+        quote(toDbFieldName(operation.field)),
+        getColumnType(operation.definition, "postgres")
+      ];
+      if (field.required) parts.push("NOT NULL");
+      if (field.unique) parts.push("UNIQUE");
+      if (field.references) {
+        parts.push(
+          `REFERENCES ${quote(field.references.model)}(${quote(toDbFieldName(field.references.field))}) ON DELETE ${String(
+            field.references.onDelete ?? "CASCADE"
+          ).toUpperCase()}`
+        );
+      }
+      await this.db.query(
+        `ALTER TABLE ${quote(operation.table)} ADD COLUMN IF NOT EXISTS ${parts.join(" ")}`
+      );
+      return;
+    }
+    if (operation.type === "createIndex") {
+      await this.db.query(
+        `CREATE ${operation.unique ? "UNIQUE " : ""}INDEX IF NOT EXISTS ${quote(
+          operation.name
+        )} ON ${quote(operation.table)} (${operation.fields.map((f) => quote(toDbFieldName(f))).join(", ")})`
+      );
+    }
+  }
+};
+function postgresDatabase(pool) {
+  return new PostgresDatabaseAdapter(pool);
+}
+function toDatabaseAdapter(database) {
+  if (isPgPoolLike(database) && typeof database.create !== "function") {
+    return postgresDatabase(database);
+  }
+  return database;
+}
+function createNoopJobAdapter() {
+  return {
+    async enqueue(_name, _payload) {
+    }
+  };
+}
+async function normalizeInput(input, fileHandling) {
+  const { file, metadata = {}, deleteAfterUpload = true } = input;
+  const maxBufferBytes = fileHandling.maxBufferBytes;
+  let data;
+  let shouldDeleteSource = false;
+  let sourcePath;
+  if ("buffer" in file && file.buffer) {
+    data = file.buffer;
+  } else if ("path" in file && file.path) {
+    if (maxBufferBytes != null) {
+      const stat = await fs2.stat(file.path);
+      if (stat.size > maxBufferBytes) {
+        throw new Error(
+          `File at "${file.path}" is ${stat.size} bytes, which exceeds the configured maxBufferBytes limit of ${maxBufferBytes}. Use a storage adapter that supports streaming uploads, or increase maxBufferBytes.`
+        );
+      }
+    }
+    data = await fs2.readFile(file.path);
+    if (deleteAfterUpload) {
+      shouldDeleteSource = true;
+      sourcePath = file.path;
+    }
+  } else if ("stream" in file && file.stream) {
+    const chunks = [];
+    let totalBytes = 0;
+    for await (const chunk of file.stream) {
+      const buf = Buffer.from(chunk);
+      totalBytes += buf.length;
+      if (maxBufferBytes != null && totalBytes > maxBufferBytes) {
+        throw new Error(
+          `Stream exceeded the configured maxBufferBytes limit of ${maxBufferBytes}. Use a storage adapter that supports streaming uploads, or increase maxBufferBytes.`
+        );
+      }
+      chunks.push(buf);
+    }
+    data = Buffer.concat(chunks);
+  } else if ("url" in file && file.url) {
+    if (file.mode === "reference") {
+      throw new Error("URL reference mode is not fully implemented yet.");
+    }
+    const response = await fetch(file.url);
+    if (!response.ok) throw new Error(`Failed to fetch URL: ${response.statusText}`);
+    data = Buffer.from(await response.arrayBuffer());
+  } else {
+    throw new Error("Invalid MediaFileInput. Must provide buffer, stream, path, or url.");
+  }
+  return { data, metadata, shouldDeleteSource, sourcePath };
+}
+function createBetterMedia(config) {
+  const { storage, plugins, trustedPolicy } = config;
+  const database = toDatabaseAdapter(config.database);
+  const { registry } = buildPluginRegistry(plugins, trustedPolicy);
+  const fileHandling = config.fileHandling ?? {};
+  const jobAdapter = config.jobs ?? (hasBackgroundHandlers(registry) ? (() => {
+    const adapter = memoryJobAdapter({
+      processor: (p) => runBackgroundJob(
+        p,
+        registry,
+        storage,
+        database,
+        adapter,
+        fileHandling
+      )
+    });
+    return adapter;
+  })() : createNoopJobAdapter());
+  const engine = new LifecycleEngine(registry, jobAdapter);
+  const executor = new PipelineExecutor(engine, storage, database, jobAdapter, fileHandling);
+  const runPipeline = (recordId, fileKey, metadata = {}, context = {}) => executor.run(recordId, fileKey, metadata, context);
+  return {
+    upload: {
+      async ingest(input) {
+        const normalized = await normalizeInput(input, fileHandling);
+        const recordId = randomUUID();
+        const finalKey = input.key ?? normalized.metadata.filename ?? recordId;
+        try {
+          await storage.put(finalKey, normalized.data);
+          await runPipeline(
+            recordId,
+            finalKey,
+            normalized.metadata,
+            normalized.metadata.context ?? {}
+          );
+          return {
+            id: recordId,
+            key: finalKey,
+            status: "processed",
+            metadata: normalized.metadata
+          };
+        } finally {
+          if (normalized.shouldDeleteSource && normalized.sourcePath) {
+            await fs2.unlink(normalized.sourcePath).catch((err) => console.warn("Cleanup failed:", err));
+          }
+        }
+      },
+      fromBuffer(buffer, input) {
+        return this.ingest({ file: { buffer }, ...input });
+      },
+      fromStream(stream, input) {
+        return this.ingest({ file: { stream }, ...input });
+      },
+      fromPath(path4, input) {
+        return this.ingest({ file: { path: path4 }, ...input });
+      },
+      fromUrl(url, input) {
+        return this.ingest({ file: { url, mode: input?.mode ?? "import" }, ...input });
+      },
+      async requestPresignedUpload(key, options) {
+        const fn = storage.createPresignedUpload;
+        if (typeof fn !== "function") {
+          throw new Error(
+            "Presigned upload not supported by this storage adapter. Use an S3/GCS adapter."
+          );
+        }
+        return fn.call(storage, key, options);
+      },
+      async complete(key, metadata = {}) {
+        const existing = await database.findOne({
+          model: "media",
+          where: [{ field: "storageKey", value: key }]
+        });
+        const recordId = existing?.id ?? randomUUID();
+        await runPipeline(
+          recordId,
+          key,
+          metadata,
+          metadata.context ?? {}
+        );
+        return {
+          id: recordId,
+          key,
+          status: "processed",
+          metadata
+        };
+      }
+    },
+    files: {
+      get(id) {
+        return database.findOne({ model: "media", where: [{ field: "id", value: id }] });
+      },
+      async delete(id) {
+        const record = await this.get(id);
+        const storageKey = record?.storageKey ?? id;
+        await Promise.all([
+          storage.delete(storageKey),
+          database.delete({ model: "media", where: [{ field: "id", value: id }] })
+        ]);
+      },
+      async getUrl(id, options) {
+        const record = await this.get(id);
+        const storageKey = record?.storageKey ?? id;
+        const fn = storage.getUrl;
+        if (typeof fn !== "function") {
+          throw new Error(
+            "URL generation not supported by this storage adapter. Use an S3/GCS adapter."
+          );
+        }
+        return fn.call(storage, storageKey, options);
+      },
+      async reprocess(id, metadata = {}) {
+        const record = await this.get(id);
+        if (!record) throw new Error(`Media record not found: ${id}`);
+        const storageKey = record.storageKey ?? id;
+        return runPipeline(id, storageKey, metadata);
+      }
+    },
+    async runBackgroundJob(payload) {
+      await runBackgroundJob(payload, registry, storage, database, jobAdapter, fileHandling);
+    }
+  };
+}
+export { PluginRegistry, ValidationError, buildPluginRegistry, createBetterMedia, hasBackgroundHandlers, postgresDatabase, toDatabaseAdapter, validatePlugin };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map