npm - @budibase/backend-core - Versions diffs - 3.2.3 → 3.2.4 - Mend

@budibase/backend-core 3.2.3 → 3.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/index.js +768 -769
package/dist/index.js.map +4 -4
package/dist/index.js.meta.json +1 -1
package/dist/package.json +4 -4
package/dist/plugins.js.meta.json +1 -1
package/dist/src/db/couch/DatabaseImpl.js +1 -3
package/dist/src/db/couch/DatabaseImpl.js.map +1 -1
package/dist/src/environment.d.ts +2 -3
package/dist/src/environment.js +7 -4
package/dist/src/environment.js.map +1 -1
package/dist/src/features/features.d.ts +0 -2
package/dist/src/features/features.js +0 -2
package/dist/src/features/features.js.map +1 -1
package/dist/src/middleware/contentSecurityPolicy.js +0 -4
package/dist/src/middleware/contentSecurityPolicy.js.map +1 -1
package/package.json +4 -4
package/src/db/couch/DatabaseImpl.ts +1 -6
package/src/environment.ts +7 -5
package/src/features/features.ts +0 -2
package/src/middleware/contentSecurityPolicy.ts +0 -5
package/src/security/tests/encryption.spec.ts +1 -1

package/dist/index.js CHANGED Viewed

@@ -61902,7 +61902,7 @@ __export(src_exports, {
   sql: () => sql_exports,
   tenancy: () => tenancy,
   timers: () => timers_exports,
-  userUtils: () => utils_exports6,
+  userUtils: () => utils_exports5,
   users: () => users_exports3,
   utils: () => utils_exports4,
   withEnv: () => withEnv
@@ -63417,7 +63417,12 @@ function fixupFilterArrays(filters) {
 function search(docs, query) {
   let result = runQuery(docs, query.query);
   if (query.sort) {
-    result = sort(result, query.sort, query.sortOrder || "ascending" /* ASCENDING */);
+    result = sort(
+      result,
+      query.sort,
+      query.sortOrder || "ascending" /* ASCENDING */,
+      query.sortType
+    );
   }
   const totalRows = result.length;
   if (query.limit) {
@@ -64192,6 +64197,7 @@ function getAccountUserId(account) {
 // src/environment.ts
 var import_fs = require("fs");
 var import_lodash4 = require("lodash");
+var import_crypto = require("crypto");
 function isTest() {
   return isJest();
 }
@@ -64281,8 +64287,8 @@ var environment = {
   },
   BUDIBASE_ENVIRONMENT: process.env.BUDIBASE_ENVIRONMENT,
   JS_BCRYPT: process.env.JS_BCRYPT,
-  JWT_SECRET: process.env.JWT_SECRET,
-  JWT_SECRET_FALLBACK: process.env.JWT_SECRET_FALLBACK,
+  JWT_SECRET: process.env.JWT_SECRET ? (0, import_crypto.createSecretKey)(Buffer.from(process.env.JWT_SECRET)) : void 0,
+  JWT_SECRET_FALLBACK: process.env.JWT_SECRET_FALLBACK ? (0, import_crypto.createSecretKey)(Buffer.from(process.env.JWT_SECRET_FALLBACK)) : void 0,
   ENCRYPTION_KEY: process.env.ENCRYPTION_KEY,
   API_ENCRYPTION_KEY: getAPIEncryptionKey(),
   COUCH_DB_URL: process.env.COUCH_DB_URL || "http://localhost:4005",
@@ -64370,9 +64376,7 @@ var environment = {
   BB_ADMIN_USER_PASSWORD: process.env.BB_ADMIN_USER_PASSWORD,
   OPENAI_API_KEY: process.env.OPENAI_API_KEY,
   MIN_VERSION_WITHOUT_POWER_ROLE: process.env.MIN_VERSION_WITHOUT_POWER_ROLE || "3.0.0",
-  DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
-  // stopgap migration strategy until we can ensure backwards compat without unsafe-inline in CSP
-  DISABLE_CSP_UNSAFE_INLINE_SCRIPTS: process.env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS
+  DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY
 };
 function setEnv(newEnvVars) {
   const oldEnv = (0, import_lodash4.cloneDeep)(environment);
@@ -67830,753 +67834,133 @@ function validateManyToMany(relationship) {
   return void 0;
 }
-// src/features/index.ts
-var features_exports = {};
-__export(features_exports, {
-  Flag: () => Flag,
-  FlagSet: () => FlagSet,
-  flags: () => flags,
-  init: () => init4,
-  parseEnvFlags: () => parseEnvFlags,
-  shutdown: () => shutdown2,
-  testutils: () => utils_exports5
-});
-// src/features/features.ts
-var crypto = __toESM(require("crypto"));
-var import_posthog_node = require("posthog-node");
-var import_dd_trace3 = __toESM(require("dd-trace"));
-// src/utils/index.ts
-var utils_exports4 = {};
-__export(utils_exports4, {
-  Duration: () => Duration,
-  DurationType: () => DurationType,
-  clearCookie: () => clearCookie,
-  compare: () => compare,
-  getAppIdFromCtx: () => getAppIdFromCtx,
-  getCookie: () => getCookie,
-  hasCircularStructure: () => hasCircularStructure,
-  hash: () => hash,
-  isAudited: () => isAudited,
-  isClient: () => isClient,
-  isPublicApiRequest: () => isPublicApiRequest,
-  isServingApp: () => isServingApp,
-  isServingBuilder: () => isServingBuilder,
-  isServingBuilderPreview: () => isServingBuilderPreview,
-  isValidInternalAPIKey: () => isValidInternalAPIKey,
-  newid: () => newid,
-  openJwt: () => openJwt,
-  resolveAppUrl: () => resolveAppUrl,
-  setCookie: () => setCookie,
-  timeout: () => timeout,
-  validEmail: () => validEmail
-});
-// src/utils/hashing.ts
-var bcrypt = environment_default.JS_BCRYPT ? require("bcryptjs") : require("bcrypt");
-var SALT_ROUNDS = environment_default.SALT_ROUNDS || 10;
-async function hash(data) {
-  const salt = await bcrypt.genSalt(SALT_ROUNDS);
-  return bcrypt.hash(data, salt);
-}
-async function compare(data, encrypted) {
-  return bcrypt.compare(data, encrypted);
-}
-// src/tenancy/index.ts
-var tenancy_exports = {};
-__export(tenancy_exports, {
-  addTenantToUrl: () => addTenantToUrl,
-  getTenantDB: () => getTenantDB,
-  getTenantIDFromCtx: () => getTenantIDFromCtx,
-  isUserInAppTenant: () => isUserInAppTenant
-});
-// src/tenancy/db.ts
-function getTenantDB(tenantId) {
-  return getDB(getGlobalDBName(tenantId));
-}
-// src/tenancy/tenancy.ts
-function addTenantToUrl(url) {
-  const tenantId = getTenantId();
-  if (isMultiTenant()) {
-    const char = url.indexOf("?") === -1 ? "?" : "&";
-    url += `${char}tenantId=${tenantId}`;
-  }
-  return url;
+// src/db/couch/DatabaseImpl.ts
+var DATABASE_NOT_FOUND = "Database does not exist.";
+function buildNano(couchInfo) {
+  return (0, import_nano.default)({
+    url: couchInfo.url,
+    requestDefaults: {
+      headers: {
+        Authorization: couchInfo.cookie
+      }
+    },
+    parseUrl: false
+  });
 }
-var isUserInAppTenant = (appId, user) => {
-  let userTenantId;
-  if (user) {
-    userTenantId = user.tenantId || DEFAULT_TENANT_ID;
-  } else {
-    userTenantId = getTenantId();
+var CouchDBError = class extends Error {
+  constructor(message, info) {
+    super(message);
+    const statusCode = info.status || info.statusCode || 500;
+    this.status = statusCode;
+    this.statusCode = statusCode;
+    this.reason = info.reason || "Unknown";
+    this.name = info.name;
+    this.errid = info.errid || "Unknown";
+    this.description = info.description || "Unknown";
+    this.error = info.error || "Not found";
   }
-  const tenantId = getTenantIDFromAppID(appId) || DEFAULT_TENANT_ID;
-  return tenantId === userTenantId;
 };
-var ALL_STRATEGIES = Object.values(TenantResolutionStrategy);
-var getTenantIDFromCtx = (ctx, opts) => {
-  if (!isMultiTenant()) {
-    return DEFAULT_TENANT_ID;
-  }
-  if (opts.allowNoTenant === void 0) {
-    opts.allowNoTenant = false;
+function DatabaseWithConnection(dbName, connection, opts) {
+  if (!dbName || !connection) {
+    throw new Error(
+      "Unable to create database without database name or connection"
+    );
   }
-  if (!opts.includeStrategies) {
-    opts.includeStrategies = ALL_STRATEGIES;
+  const db = new DatabaseImpl(dbName, opts, connection);
+  return new DDInstrumentedDatabase(db);
+}
+var DatabaseImpl = class _DatabaseImpl {
+  constructor(dbName, opts, connection) {
+    this.couchInfo = getCouchInfo();
+    this.name = dbName;
+    this.pouchOpts = opts || {};
+    if (connection) {
+      this.couchInfo = getCouchInfo(connection);
+      this.instanceNano = buildNano(this.couchInfo);
+    }
+    if (!_DatabaseImpl.nano) {
+      _DatabaseImpl.init();
+    }
   }
-  if (!opts.excludeStrategies) {
-    opts.excludeStrategies = [];
+  static init() {
+    const couchInfo = getCouchInfo();
+    _DatabaseImpl.nano = buildNano(couchInfo);
   }
-  const isAllowed = (strategy) => {
-    if (opts.excludeStrategies?.includes(strategy)) {
-      return false;
+  exists(docId) {
+    if (docId === void 0) {
+      return this.dbExists();
     }
-    if (opts.includeStrategies?.includes(strategy)) {
+    return this.docExists(docId);
+  }
+  async dbExists() {
+    const response = await directCouchUrlCall({
+      url: `${this.couchInfo.url}/${this.name}`,
+      method: "HEAD",
+      cookie: this.couchInfo.cookie
+    });
+    return response.status === 200;
+  }
+  async docExists(id) {
+    try {
+      await this.performCall((db) => () => db.head(id));
       return true;
-    }
-  };
-  if (isAllowed("user" /* USER */)) {
-    const userTenantId = ctx.user?.tenantId;
-    if (userTenantId) {
-      return userTenantId;
+    } catch {
+      return false;
     }
   }
-  if (isAllowed("header" /* HEADER */)) {
-    const headerTenantId = ctx.request.headers["x-budibase-tenant-id" /* TENANT_ID */];
-    if (headerTenantId) {
-      return headerTenantId;
-    }
+  nano() {
+    return this.instanceNano || _DatabaseImpl.nano;
   }
-  if (isAllowed("query" /* QUERY */)) {
-    const queryTenantId = ctx.request.query.tenantId;
-    if (queryTenantId) {
-      return queryTenantId;
+  getDb() {
+    return this.nano().db.use(this.name);
+  }
+  async checkAndCreateDb() {
+    let shouldCreate = !this.pouchOpts?.skip_setup;
+    let exists2 = await this.exists();
+    if (!shouldCreate && !exists2) {
+      throw new Error("DB does not exist");
+    }
+    if (!exists2) {
+      try {
+        await this.nano().db.create(this.name);
+      } catch (err) {
+        if (err.statusCode !== 412) {
+          throw new CouchDBError(err.message, err);
+        }
+      }
     }
+    return this.getDb();
   }
-  if (isAllowed("subdomain" /* SUBDOMAIN */)) {
-    let platformHost;
+  // this function fetches the DB and handles if DB creation is needed
+  async performCallWithDBCreation(call) {
+    const db = this.getDb();
+    const fnc = await call(db);
     try {
-      platformHost = new URL(getPlatformURL()).host.split(":")[0];
+      return await fnc();
     } catch (err) {
-      if (err.code !== "ERR_INVALID_URL") {
-        throw err;
-      }
-    }
-    const requestHost = ctx.host;
-    if (platformHost && requestHost.includes(platformHost)) {
-      const tenantId = requestHost.substring(
-        0,
-        requestHost.indexOf(`.${platformHost}`)
-      );
-      if (tenantId) {
-        return tenantId;
+      if (err.statusCode === 404 && err.reason === DATABASE_NOT_FOUND) {
+        await this.checkAndCreateDb();
+        return await this.performCallWithDBCreation(call);
       }
+      throw new CouchDBError(`CouchDB error: ${err.message}`, err);
     }
   }
-  if (isAllowed("path" /* PATH */)) {
-    const match = ctx.matched.find(
-      (m) => !!m.paramNames.find((p) => p.name === "tenantId")
-    );
-    const ctxUrl = ctx.originalUrl;
-    let url;
-    if (ctxUrl.includes("?")) {
-      url = ctxUrl.split("?")[0];
-    } else {
-      url = ctxUrl;
-    }
-    if (match) {
-      const params2 = match.params(url, match.captures(url), {});
-      if (params2.tenantId) {
-        return params2.tenantId;
-      }
+  async performCall(call) {
+    const db = this.getDb();
+    const fnc = await call(db);
+    try {
+      return await fnc();
+    } catch (err) {
+      throw new CouchDBError(`CouchDB error: ${err.message}`, err);
     }
   }
-  if (!opts.allowNoTenant) {
-    ctx.throw(403, "Tenant id not set");
-  }
-  return void 0;
-};
-// src/utils/utils.ts
-var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
-var APP_PREFIX3 = "app" /* APP */ + SEPARATOR;
-var PROD_APP_PREFIX = "/app/";
-var BUILDER_PREVIEW_PATH = "/app/preview";
-var BUILDER_PREFIX = "/builder";
-var BUILDER_APP_PREFIX = `${BUILDER_PREFIX}/app/`;
-var PUBLIC_API_PREFIX = "/api/public/v";
-function confirmAppId(possibleAppId) {
-  return possibleAppId && possibleAppId.startsWith(APP_PREFIX3) ? possibleAppId : void 0;
-}
-async function resolveAppUrl(ctx) {
-  const appUrl = ctx.path.split("/")[2];
-  let possibleAppUrl = `/${appUrl.toLowerCase()}`;
-  let tenantId = getTenantId();
-  if (!environment_default.isDev() && environment_default.MULTI_TENANCY) {
-    tenantId = getTenantIDFromCtx(ctx, {
-      includeStrategies: ["subdomain" /* SUBDOMAIN */]
-    });
-  }
-  const apps = await doInTenant(
-    tenantId,
-    () => getAllApps({ dev: false })
-  );
-  const app = apps.filter(
-    (a) => a.url && a.url.toLowerCase() === possibleAppUrl
-  )[0];
-  return app && app.appId ? app.appId : void 0;
-}
-function isServingApp(ctx) {
-  if (ctx.path.startsWith(`/${APP_PREFIX3}`)) {
-    return true;
-  }
-  return ctx.path.startsWith(PROD_APP_PREFIX);
-}
-function isServingBuilder(ctx) {
-  return ctx.path.startsWith(BUILDER_APP_PREFIX);
-}
-function isServingBuilderPreview(ctx) {
-  return ctx.path.startsWith(BUILDER_PREVIEW_PATH);
-}
-function isPublicApiRequest(ctx) {
-  return ctx.path.startsWith(PUBLIC_API_PREFIX);
-}
-async function getAppIdFromCtx(ctx) {
-  const options2 = [ctx.request.headers["x-budibase-app-id" /* APP_ID */]];
-  let appId;
-  for (let option of options2) {
-    appId = confirmAppId(option);
-    if (appId) {
-      break;
-    }
-  }
-  if (!appId && ctx.request.body && ctx.request.body.appId) {
-    appId = confirmAppId(ctx.request.body.appId);
-  }
-  const pathId = parseAppIdFromUrlPath(ctx.path);
-  if (!appId && pathId) {
-    appId = confirmAppId(pathId);
-  }
-  const isBuilderPreview = ctx.path.startsWith(BUILDER_PREVIEW_PATH);
-  const isViewingProdApp = ctx.path.startsWith(PROD_APP_PREFIX) && !isBuilderPreview;
-  if (!appId && isViewingProdApp) {
-    appId = confirmAppId(await resolveAppUrl(ctx));
-  }
-  const referer = ctx.request.headers.referer;
-  if (!appId && referer?.includes(BUILDER_APP_PREFIX)) {
-    const refererId = parseAppIdFromUrlPath(ctx.request.headers.referer);
-    appId = confirmAppId(refererId);
-  }
-  return appId;
-}
-function parseAppIdFromUrlPath(url) {
-  if (!url) {
-    return;
-  }
-  return url.split("?")[0].split("/").find((subPath) => subPath.startsWith(APP_PREFIX3));
-}
-function openJwt(token) {
-  if (!token) {
-    return void 0;
-  }
-  try {
-    return import_jsonwebtoken.default.verify(token, environment_default.JWT_SECRET);
-  } catch (e) {
-    if (environment_default.JWT_SECRET_FALLBACK) {
-      return import_jsonwebtoken.default.verify(token, environment_default.JWT_SECRET_FALLBACK);
-    } else {
-      throw e;
-    }
-  }
-}
-function isValidInternalAPIKey(apiKey) {
-  if (environment_default.INTERNAL_API_KEY && environment_default.INTERNAL_API_KEY === apiKey) {
-    return true;
-  }
-  return !!(environment_default.INTERNAL_API_KEY_FALLBACK && environment_default.INTERNAL_API_KEY_FALLBACK === apiKey);
-}
-function getCookie(ctx, name) {
-  const cookie = ctx.cookies.get(name);
-  if (!cookie) {
-    return void 0;
-  }
-  return openJwt(cookie);
-}
-function setCookie(ctx, value, name = "builder", opts = { sign: true }) {
-  if (value && opts && opts.sign) {
-    value = import_jsonwebtoken.default.sign(value, environment_default.JWT_SECRET);
-  }
-  const config = {
-    expires: MAX_VALID_DATE,
-    path: "/",
-    httpOnly: false,
-    overwrite: true
-  };
-  if (environment_default.COOKIE_DOMAIN) {
-    config.domain = environment_default.COOKIE_DOMAIN;
-  }
-  ctx.cookies.set(name, value, config);
-}
-function clearCookie(ctx, name) {
-  setCookie(ctx, null, name);
-}
-function isClient(ctx) {
-  return ctx.headers["x-budibase-type" /* TYPE */] === "client";
-}
-function timeout(timeMs) {
-  return new Promise((resolve) => setTimeout(resolve, timeMs));
-}
-function isAudited(event) {
-  return !!AuditedEventFriendlyName[event];
-}
-function hasCircularStructure(json) {
-  if (typeof json !== "object") {
-    return false;
-  }
-  try {
-    JSON.stringify(json);
-  } catch (err) {
-    if (err instanceof Error && err?.message.includes("circular structure")) {
-      return true;
-    }
-  }
-  return false;
-}
-// src/utils/stringUtils.ts
-function validEmail(value) {
-  return value && !!value.match(
-    /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/
-  );
-}
-// src/utils/Duration.ts
-var DurationType = /* @__PURE__ */ ((DurationType2) => {
-  DurationType2["MILLISECONDS"] = "milliseconds";
-  DurationType2["SECONDS"] = "seconds";
-  DurationType2["MINUTES"] = "minutes";
-  DurationType2["HOURS"] = "hours";
-  DurationType2["DAYS"] = "days";
-  return DurationType2;
-})(DurationType || {});
-var conversion = {
-  milliseconds: 1,
-  seconds: 1e3,
-  minutes: 60 * 1e3,
-  hours: 60 * 60 * 1e3,
-  days: 24 * 60 * 60 * 1e3
-};
-var Duration = class _Duration {
-  static convert(from, to, duration) {
-    const milliseconds = duration * conversion[from];
-    return milliseconds / conversion[to];
-  }
-  static from(from, duration) {
-    return {
-      to: (to) => {
-        return _Duration.convert(from, to, duration);
-      },
-      toMs: () => {
-        return _Duration.convert(from, "milliseconds" /* MILLISECONDS */, duration);
-      },
-      toSeconds: () => {
-        return _Duration.convert(from, "seconds" /* SECONDS */, duration);
-      }
-    };
-  }
-  static fromSeconds(duration) {
-    return _Duration.from("seconds" /* SECONDS */, duration);
-  }
-  static fromMinutes(duration) {
-    return _Duration.from("minutes" /* MINUTES */, duration);
-  }
-  static fromHours(duration) {
-    return _Duration.from("hours" /* HOURS */, duration);
-  }
-  static fromDays(duration) {
-    return _Duration.from("days" /* DAYS */, duration);
-  }
-  static fromMilliseconds(duration) {
-    return _Duration.from("milliseconds" /* MILLISECONDS */, duration);
-  }
-};
-// src/features/features.ts
-var posthog;
-function init4(opts) {
-  if (environment_default.POSTHOG_TOKEN && environment_default.POSTHOG_API_HOST && !environment_default.SELF_HOSTED && environment_default.POSTHOG_FEATURE_FLAGS_ENABLED) {
-    console.log("initializing posthog client...");
-    posthog = new import_posthog_node.PostHog(environment_default.POSTHOG_TOKEN, {
-      host: environment_default.POSTHOG_API_HOST,
-      personalApiKey: environment_default.POSTHOG_PERSONAL_TOKEN,
-      featureFlagsPollingInterval: Duration.fromMinutes(3).toMs(),
-      ...opts
-    });
-  } else {
-    console.log("posthog disabled");
-  }
-}
-function shutdown2() {
-  posthog?.shutdown();
-}
-var Flag = class {
-  constructor(defaultValue) {
-    this.defaultValue = defaultValue;
-  }
-  static boolean(defaultValue) {
-    return new BooleanFlag(defaultValue);
-  }
-  static string(defaultValue) {
-    return new StringFlag(defaultValue);
-  }
-  static number(defaultValue) {
-    return new NumberFlag(defaultValue);
-  }
-};
-var BooleanFlag = class extends Flag {
-  parse(value) {
-    if (typeof value === "string") {
-      return ["true", "t", "1"].includes(value.toLowerCase());
-    }
-    if (typeof value === "boolean") {
-      return value;
-    }
-    throw new Error(`could not parse value "${value}" as boolean`);
-  }
-};
-var StringFlag = class extends Flag {
-  parse(value) {
-    if (typeof value === "string") {
-      return value;
-    }
-    throw new Error(`could not parse value "${value}" as string`);
-  }
-};
-var NumberFlag = class extends Flag {
-  parse(value) {
-    if (typeof value === "number") {
-      return value;
-    }
-    if (typeof value === "string") {
-      const parsed = parseFloat(value);
-      if (!isNaN(parsed)) {
-        return parsed;
-      }
-    }
-    throw new Error(`could not parse value "${value}" as number`);
-  }
-};
-function parseEnvFlags(flags2) {
-  const split = flags2.split(",").map((x) => x.split(":"));
-  const result = [];
-  for (const [tenantId, ...features] of split) {
-    for (let feature of features) {
-      let value = true;
-      if (feature.startsWith("!")) {
-        feature = feature.slice(1);
-        value = false;
-      }
-      result.push({ tenantId, key: feature, value });
-    }
-  }
-  return result;
-}
-var FlagSet = class {
-  constructor(flagSchema) {
-    this.flagSchema = flagSchema;
-    this.setId = crypto.randomUUID();
-  }
-  defaults() {
-    return Object.keys(this.flagSchema).reduce((acc, key) => {
-      const typedKey = key;
-      acc[typedKey] = this.flagSchema[key].defaultValue;
-      return acc;
-    }, {});
-  }
-  isFlagName(name) {
-    return this.flagSchema[name] !== void 0;
-  }
-  async get(key) {
-    const flags2 = await this.fetch();
-    return flags2[key];
-  }
-  async isEnabled(key) {
-    const flags2 = await this.fetch();
-    return flags2[key];
-  }
-  async fetch() {
-    return await import_dd_trace3.default.trace("features.fetch", async (span) => {
-      const cachedFlags = getFeatureFlags(this.setId);
-      if (cachedFlags) {
-        span?.addTags({ fromCache: true });
-        return cachedFlags;
-      }
-      const tags = {};
-      const flagValues = this.defaults();
-      const currentTenantId = getTenantId();
-      const specificallySetFalse = /* @__PURE__ */ new Set();
-      for (const { tenantId: tenantId2, key, value } of parseEnvFlags(
-        environment_default.TENANT_FEATURE_FLAGS || ""
-      )) {
-        if (!tenantId2 || tenantId2 !== "*" && tenantId2 !== currentTenantId) {
-          continue;
-        }
-        tags[`readFromEnvironmentVars`] = true;
-        if (value === false) {
-          specificallySetFalse.add(key);
-        }
-        if (!this.isFlagName(key)) {
-          continue;
-        }
-        if (typeof flagValues[key] !== "boolean") {
-          throw new Error(`Feature: ${key} is not a boolean`);
-        }
-        flagValues[key] = value;
-        tags[`flags.${key}.source`] = "environment";
-      }
-      const identity = getIdentity();
-      let userId = identity?._id;
-      if (!userId) {
-        const ip = getIP();
-        if (ip) {
-          userId = crypto.createHash("sha512").update(ip).digest("hex");
-        }
-      }
-      let tenantId = identity?.tenantId;
-      if (!tenantId) {
-        tenantId = currentTenantId;
-      }
-      tags[`identity.type`] = identity?.type;
-      tags[`identity._id`] = identity?._id;
-      tags[`tenantId`] = tenantId;
-      tags[`userId`] = userId;
-      if (posthog && userId) {
-        tags[`readFromPostHog`] = true;
-        const personProperties = { tenantId };
-        const posthogFlags = await posthog.getAllFlagsAndPayloads(userId, {
-          personProperties
-        });
-        for (const [name, value] of Object.entries(posthogFlags.featureFlags)) {
-          if (!this.isFlagName(name)) {
-            console.warn(`Unexpected posthog flag "${name}": ${value}`);
-            continue;
-          }
-          if (flagValues[name] === true || specificallySetFalse.has(name)) {
-            continue;
-          }
-          const payload = posthogFlags.featureFlagPayloads?.[name];
-          const flag = this.flagSchema[name];
-          try {
-            flagValues[name] = flag.parse(payload || value);
-            tags[`flags.${name}.source`] = "posthog";
-          } catch (err) {
-            console.warn(`Error parsing posthog flag "${name}": ${value}`, err);
-          }
-        }
-      }
-      setFeatureFlags(this.setId, flagValues);
-      for (const [key, value] of Object.entries(flagValues)) {
-        tags[`flags.${key}.value`] = value;
-      }
-      span?.addTags(tags);
-      return flagValues;
-    });
-  }
-};
-var flags = new FlagSet({
-  ["DEFAULT_VALUES" /* DEFAULT_VALUES */]: Flag.boolean(true),
-  ["AUTOMATION_BRANCHING" /* AUTOMATION_BRANCHING */]: Flag.boolean(true),
-  ["SQS" /* SQS */]: Flag.boolean(true),
-  ["ENRICHED_RELATIONSHIPS" /* ENRICHED_RELATIONSHIPS */]: Flag.boolean(true),
-  ["AI_CUSTOM_CONFIGS" /* AI_CUSTOM_CONFIGS */]: Flag.boolean(true),
-  ["BUDIBASE_AI" /* BUDIBASE_AI */]: Flag.boolean(true)
-});
-// src/features/tests/utils.ts
-var utils_exports5 = {};
-__export(utils_exports5, {
-  setFeatureFlags: () => setFeatureFlags2,
-  withFeatureFlags: () => withFeatureFlags
-});
-function getCurrentFlags() {
-  const result = {};
-  for (const { tenantId, key, value } of parseEnvFlags(
-    process.env.TENANT_FEATURE_FLAGS || ""
-  )) {
-    const tenantFlags = result[tenantId] || {};
-    if (tenantFlags[key] === false) {
-      continue;
-    }
-    tenantFlags[key] = value;
-    result[tenantId] = tenantFlags;
-  }
-  return result;
-}
-function buildFlagString(flags2) {
-  const parts = [];
-  for (const [tenantId, tenantFlags] of Object.entries(flags2)) {
-    for (const [key, value] of Object.entries(tenantFlags)) {
-      if (value === false) {
-        parts.push(`${tenantId}:!${key}`);
-      } else {
-        parts.push(`${tenantId}:${key}`);
-      }
-    }
-  }
-  return parts.join(",");
-}
-function setFeatureFlags2(tenantId, flags2) {
-  const current = getCurrentFlags();
-  for (const [key, value] of Object.entries(flags2)) {
-    const tenantFlags = current[tenantId] || {};
-    tenantFlags[key] = value;
-    current[tenantId] = tenantFlags;
-  }
-  const flagString = buildFlagString(current);
-  return setEnv({ TENANT_FEATURE_FLAGS: flagString });
-}
-function withFeatureFlags(tenantId, flags2, f) {
-  const cleanup3 = setFeatureFlags2(tenantId, flags2);
-  const result = f();
-  if (result instanceof Promise) {
-    return result.finally(cleanup3);
-  } else {
-    cleanup3();
-    return result;
-  }
-}
-// src/db/couch/DatabaseImpl.ts
-var DATABASE_NOT_FOUND = "Database does not exist.";
-function buildNano(couchInfo) {
-  return (0, import_nano.default)({
-    url: couchInfo.url,
-    requestDefaults: {
-      headers: {
-        Authorization: couchInfo.cookie
-      }
-    },
-    parseUrl: false
-  });
-}
-var CouchDBError = class extends Error {
-  constructor(message, info) {
-    super(message);
-    const statusCode = info.status || info.statusCode || 500;
-    this.status = statusCode;
-    this.statusCode = statusCode;
-    this.reason = info.reason || "Unknown";
-    this.name = info.name;
-    this.errid = info.errid || "Unknown";
-    this.description = info.description || "Unknown";
-    this.error = info.error || "Not found";
-  }
-};
-function DatabaseWithConnection(dbName, connection, opts) {
-  if (!dbName || !connection) {
-    throw new Error(
-      "Unable to create database without database name or connection"
-    );
-  }
-  const db = new DatabaseImpl(dbName, opts, connection);
-  return new DDInstrumentedDatabase(db);
-}
-var DatabaseImpl = class _DatabaseImpl {
-  constructor(dbName, opts, connection) {
-    this.couchInfo = getCouchInfo();
-    this.name = dbName;
-    this.pouchOpts = opts || {};
-    if (connection) {
-      this.couchInfo = getCouchInfo(connection);
-      this.instanceNano = buildNano(this.couchInfo);
-    }
-    if (!_DatabaseImpl.nano) {
-      _DatabaseImpl.init();
-    }
-  }
-  static init() {
-    const couchInfo = getCouchInfo();
-    _DatabaseImpl.nano = buildNano(couchInfo);
-  }
-  exists(docId) {
-    if (docId === void 0) {
-      return this.dbExists();
-    }
-    return this.docExists(docId);
-  }
-  async dbExists() {
-    const response = await directCouchUrlCall({
-      url: `${this.couchInfo.url}/${this.name}`,
-      method: "HEAD",
-      cookie: this.couchInfo.cookie
-    });
-    return response.status === 200;
-  }
-  async docExists(id) {
-    try {
-      await this.performCall((db) => () => db.head(id));
-      return true;
-    } catch {
-      return false;
-    }
-  }
-  nano() {
-    return this.instanceNano || _DatabaseImpl.nano;
-  }
-  getDb() {
-    return this.nano().db.use(this.name);
-  }
-  async checkAndCreateDb() {
-    let shouldCreate = !this.pouchOpts?.skip_setup;
-    let exists2 = await this.exists();
-    if (!shouldCreate && !exists2) {
-      throw new Error("DB does not exist");
-    }
-    if (!exists2) {
-      try {
-        await this.nano().db.create(this.name);
-      } catch (err) {
-        if (err.statusCode !== 412) {
-          throw new CouchDBError(err.message, err);
-        }
-      }
-    }
-    return this.getDb();
-  }
-  // this function fetches the DB and handles if DB creation is needed
-  async performCallWithDBCreation(call) {
-    const db = this.getDb();
-    const fnc = await call(db);
-    try {
-      return await fnc();
-    } catch (err) {
-      if (err.statusCode === 404 && err.reason === DATABASE_NOT_FOUND) {
-        await this.checkAndCreateDb();
-        return await this.performCallWithDBCreation(call);
-      }
-      throw new CouchDBError(`CouchDB error: ${err.message}`, err);
-    }
-  }
-  async performCall(call) {
-    const db = this.getDb();
-    const fnc = await call(db);
-    try {
-      return await fnc();
-    } catch (err) {
-      throw new CouchDBError(`CouchDB error: ${err.message}`, err);
-    }
-  }
-  async get(id) {
-    return this.performCall((db) => {
-      if (!id) {
-        throw new Error("Unable to get doc without a valid _id.");
-      }
-      return () => db.get(id);
-    });
+  async get(id) {
+    return this.performCall((db) => {
+      if (!id) {
+        throw new Error("Unable to get doc without a valid _id.");
+      }
+      return () => db.get(id);
+    });
   }
   async tryGet(id) {
     try {
@@ -68781,7 +68165,7 @@ var DatabaseImpl = class _DatabaseImpl {
     });
   }
   async destroy() {
-    if (await flags.isEnabled("SQS" /* SQS */) && await this.exists(SQLITE_DESIGN_DOC_ID)) {
+    if (await this.exists(SQLITE_DESIGN_DOC_ID)) {
       const definition = await this.get(SQLITE_DESIGN_DOC_ID);
       definition.sql.tables = {};
       await this.put(definition);
@@ -69303,6 +68687,123 @@ __export(user_exports, {
   invalidateUser: () => invalidateUser
 });
+// src/tenancy/index.ts
+var tenancy_exports = {};
+__export(tenancy_exports, {
+  addTenantToUrl: () => addTenantToUrl,
+  getTenantDB: () => getTenantDB,
+  getTenantIDFromCtx: () => getTenantIDFromCtx,
+  isUserInAppTenant: () => isUserInAppTenant
+});
+// src/tenancy/db.ts
+function getTenantDB(tenantId) {
+  return getDB(getGlobalDBName(tenantId));
+}
+// src/tenancy/tenancy.ts
+function addTenantToUrl(url) {
+  const tenantId = getTenantId();
+  if (isMultiTenant()) {
+    const char = url.indexOf("?") === -1 ? "?" : "&";
+    url += `${char}tenantId=${tenantId}`;
+  }
+  return url;
+}
+var isUserInAppTenant = (appId, user) => {
+  let userTenantId;
+  if (user) {
+    userTenantId = user.tenantId || DEFAULT_TENANT_ID;
+  } else {
+    userTenantId = getTenantId();
+  }
+  const tenantId = getTenantIDFromAppID(appId) || DEFAULT_TENANT_ID;
+  return tenantId === userTenantId;
+};
+var ALL_STRATEGIES = Object.values(TenantResolutionStrategy);
+var getTenantIDFromCtx = (ctx, opts) => {
+  if (!isMultiTenant()) {
+    return DEFAULT_TENANT_ID;
+  }
+  if (opts.allowNoTenant === void 0) {
+    opts.allowNoTenant = false;
+  }
+  if (!opts.includeStrategies) {
+    opts.includeStrategies = ALL_STRATEGIES;
+  }
+  if (!opts.excludeStrategies) {
+    opts.excludeStrategies = [];
+  }
+  const isAllowed = (strategy) => {
+    if (opts.excludeStrategies?.includes(strategy)) {
+      return false;
+    }
+    if (opts.includeStrategies?.includes(strategy)) {
+      return true;
+    }
+  };
+  if (isAllowed("user" /* USER */)) {
+    const userTenantId = ctx.user?.tenantId;
+    if (userTenantId) {
+      return userTenantId;
+    }
+  }
+  if (isAllowed("header" /* HEADER */)) {
+    const headerTenantId = ctx.request.headers["x-budibase-tenant-id" /* TENANT_ID */];
+    if (headerTenantId) {
+      return headerTenantId;
+    }
+  }
+  if (isAllowed("query" /* QUERY */)) {
+    const queryTenantId = ctx.request.query.tenantId;
+    if (queryTenantId) {
+      return queryTenantId;
+    }
+  }
+  if (isAllowed("subdomain" /* SUBDOMAIN */)) {
+    let platformHost;
+    try {
+      platformHost = new URL(getPlatformURL()).host.split(":")[0];
+    } catch (err) {
+      if (err.code !== "ERR_INVALID_URL") {
+        throw err;
+      }
+    }
+    const requestHost = ctx.host;
+    if (platformHost && requestHost.includes(platformHost)) {
+      const tenantId = requestHost.substring(
+        0,
+        requestHost.indexOf(`.${platformHost}`)
+      );
+      if (tenantId) {
+        return tenantId;
+      }
+    }
+  }
+  if (isAllowed("path" /* PATH */)) {
+    const match = ctx.matched.find(
+      (m) => !!m.paramNames.find((p) => p.name === "tenantId")
+    );
+    const ctxUrl = ctx.originalUrl;
+    let url;
+    if (ctxUrl.includes("?")) {
+      url = ctxUrl.split("?")[0];
+    } else {
+      url = ctxUrl;
+    }
+    if (match) {
+      const params2 = match.params(url, match.captures(url), {});
+      if (params2.tenantId) {
+        return params2.tenantId;
+      }
+    }
+  }
+  if (!opts.allowNoTenant) {
+    ctx.throw(403, "Tenant id not set");
+  }
+  return void 0;
+};
 // src/platform/index.ts
 var platform_exports = {};
 __export(platform_exports, {
@@ -69425,6 +68926,249 @@ __export(redlockImpl_exports, {
   newRedlock: () => newRedlock
 });
 var import_redlock = __toESM(require("redlock"));
+// src/utils/index.ts
+var utils_exports4 = {};
+__export(utils_exports4, {
+  Duration: () => Duration,
+  DurationType: () => DurationType,
+  clearCookie: () => clearCookie,
+  compare: () => compare,
+  getAppIdFromCtx: () => getAppIdFromCtx,
+  getCookie: () => getCookie,
+  hasCircularStructure: () => hasCircularStructure,
+  hash: () => hash,
+  isAudited: () => isAudited,
+  isClient: () => isClient,
+  isPublicApiRequest: () => isPublicApiRequest,
+  isServingApp: () => isServingApp,
+  isServingBuilder: () => isServingBuilder,
+  isServingBuilderPreview: () => isServingBuilderPreview,
+  isValidInternalAPIKey: () => isValidInternalAPIKey,
+  newid: () => newid,
+  openJwt: () => openJwt,
+  resolveAppUrl: () => resolveAppUrl,
+  setCookie: () => setCookie,
+  timeout: () => timeout,
+  validEmail: () => validEmail
+});
+// src/utils/hashing.ts
+var bcrypt = environment_default.JS_BCRYPT ? require("bcryptjs") : require("bcrypt");
+var SALT_ROUNDS = environment_default.SALT_ROUNDS || 10;
+async function hash(data) {
+  const salt = await bcrypt.genSalt(SALT_ROUNDS);
+  return bcrypt.hash(data, salt);
+}
+async function compare(data, encrypted) {
+  return bcrypt.compare(data, encrypted);
+}
+// src/utils/utils.ts
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+var APP_PREFIX3 = "app" /* APP */ + SEPARATOR;
+var PROD_APP_PREFIX = "/app/";
+var BUILDER_PREVIEW_PATH = "/app/preview";
+var BUILDER_PREFIX = "/builder";
+var BUILDER_APP_PREFIX = `${BUILDER_PREFIX}/app/`;
+var PUBLIC_API_PREFIX = "/api/public/v";
+function confirmAppId(possibleAppId) {
+  return possibleAppId && possibleAppId.startsWith(APP_PREFIX3) ? possibleAppId : void 0;
+}
+async function resolveAppUrl(ctx) {
+  const appUrl = ctx.path.split("/")[2];
+  let possibleAppUrl = `/${appUrl.toLowerCase()}`;
+  let tenantId = getTenantId();
+  if (!environment_default.isDev() && environment_default.MULTI_TENANCY) {
+    tenantId = getTenantIDFromCtx(ctx, {
+      includeStrategies: ["subdomain" /* SUBDOMAIN */]
+    });
+  }
+  const apps = await doInTenant(
+    tenantId,
+    () => getAllApps({ dev: false })
+  );
+  const app = apps.filter(
+    (a) => a.url && a.url.toLowerCase() === possibleAppUrl
+  )[0];
+  return app && app.appId ? app.appId : void 0;
+}
+function isServingApp(ctx) {
+  if (ctx.path.startsWith(`/${APP_PREFIX3}`)) {
+    return true;
+  }
+  return ctx.path.startsWith(PROD_APP_PREFIX);
+}
+function isServingBuilder(ctx) {
+  return ctx.path.startsWith(BUILDER_APP_PREFIX);
+}
+function isServingBuilderPreview(ctx) {
+  return ctx.path.startsWith(BUILDER_PREVIEW_PATH);
+}
+function isPublicApiRequest(ctx) {
+  return ctx.path.startsWith(PUBLIC_API_PREFIX);
+}
+async function getAppIdFromCtx(ctx) {
+  const options2 = [ctx.request.headers["x-budibase-app-id" /* APP_ID */]];
+  let appId;
+  for (let option of options2) {
+    appId = confirmAppId(option);
+    if (appId) {
+      break;
+    }
+  }
+  if (!appId && ctx.request.body && ctx.request.body.appId) {
+    appId = confirmAppId(ctx.request.body.appId);
+  }
+  const pathId = parseAppIdFromUrlPath(ctx.path);
+  if (!appId && pathId) {
+    appId = confirmAppId(pathId);
+  }
+  const isBuilderPreview = ctx.path.startsWith(BUILDER_PREVIEW_PATH);
+  const isViewingProdApp = ctx.path.startsWith(PROD_APP_PREFIX) && !isBuilderPreview;
+  if (!appId && isViewingProdApp) {
+    appId = confirmAppId(await resolveAppUrl(ctx));
+  }
+  const referer = ctx.request.headers.referer;
+  if (!appId && referer?.includes(BUILDER_APP_PREFIX)) {
+    const refererId = parseAppIdFromUrlPath(ctx.request.headers.referer);
+    appId = confirmAppId(refererId);
+  }
+  return appId;
+}
+function parseAppIdFromUrlPath(url) {
+  if (!url) {
+    return;
+  }
+  return url.split("?")[0].split("/").find((subPath) => subPath.startsWith(APP_PREFIX3));
+}
+function openJwt(token) {
+  if (!token) {
+    return void 0;
+  }
+  try {
+    return import_jsonwebtoken.default.verify(token, environment_default.JWT_SECRET);
+  } catch (e) {
+    if (environment_default.JWT_SECRET_FALLBACK) {
+      return import_jsonwebtoken.default.verify(token, environment_default.JWT_SECRET_FALLBACK);
+    } else {
+      throw e;
+    }
+  }
+}
+function isValidInternalAPIKey(apiKey) {
+  if (environment_default.INTERNAL_API_KEY && environment_default.INTERNAL_API_KEY === apiKey) {
+    return true;
+  }
+  return !!(environment_default.INTERNAL_API_KEY_FALLBACK && environment_default.INTERNAL_API_KEY_FALLBACK === apiKey);
+}
+function getCookie(ctx, name) {
+  const cookie = ctx.cookies.get(name);
+  if (!cookie) {
+    return void 0;
+  }
+  return openJwt(cookie);
+}
+function setCookie(ctx, value, name = "builder", opts = { sign: true }) {
+  if (value && opts && opts.sign) {
+    value = import_jsonwebtoken.default.sign(value, environment_default.JWT_SECRET);
+  }
+  const config = {
+    expires: MAX_VALID_DATE,
+    path: "/",
+    httpOnly: false,
+    overwrite: true
+  };
+  if (environment_default.COOKIE_DOMAIN) {
+    config.domain = environment_default.COOKIE_DOMAIN;
+  }
+  ctx.cookies.set(name, value, config);
+}
+function clearCookie(ctx, name) {
+  setCookie(ctx, null, name);
+}
+function isClient(ctx) {
+  return ctx.headers["x-budibase-type" /* TYPE */] === "client";
+}
+function timeout(timeMs) {
+  return new Promise((resolve) => setTimeout(resolve, timeMs));
+}
+function isAudited(event) {
+  return !!AuditedEventFriendlyName[event];
+}
+function hasCircularStructure(json) {
+  if (typeof json !== "object") {
+    return false;
+  }
+  try {
+    JSON.stringify(json);
+  } catch (err) {
+    if (err instanceof Error && err?.message.includes("circular structure")) {
+      return true;
+    }
+  }
+  return false;
+}
+// src/utils/stringUtils.ts
+function validEmail(value) {
+  return value && !!value.match(
+    /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/
+  );
+}
+// src/utils/Duration.ts
+var DurationType = /* @__PURE__ */ ((DurationType2) => {
+  DurationType2["MILLISECONDS"] = "milliseconds";
+  DurationType2["SECONDS"] = "seconds";
+  DurationType2["MINUTES"] = "minutes";
+  DurationType2["HOURS"] = "hours";
+  DurationType2["DAYS"] = "days";
+  return DurationType2;
+})(DurationType || {});
+var conversion = {
+  milliseconds: 1,
+  seconds: 1e3,
+  minutes: 60 * 1e3,
+  hours: 60 * 60 * 1e3,
+  days: 24 * 60 * 60 * 1e3
+};
+var Duration = class _Duration {
+  static convert(from, to, duration) {
+    const milliseconds = duration * conversion[from];
+    return milliseconds / conversion[to];
+  }
+  static from(from, duration) {
+    return {
+      to: (to) => {
+        return _Duration.convert(from, to, duration);
+      },
+      toMs: () => {
+        return _Duration.convert(from, "milliseconds" /* MILLISECONDS */, duration);
+      },
+      toSeconds: () => {
+        return _Duration.convert(from, "seconds" /* SECONDS */, duration);
+      }
+    };
+  }
+  static fromSeconds(duration) {
+    return _Duration.from("seconds" /* SECONDS */, duration);
+  }
+  static fromMinutes(duration) {
+    return _Duration.from("minutes" /* MINUTES */, duration);
+  }
+  static fromHours(duration) {
+    return _Duration.from("hours" /* HOURS */, duration);
+  }
+  static fromDays(duration) {
+    return _Duration.from("days" /* DAYS */, duration);
+  }
+  static fromMilliseconds(duration) {
+    return _Duration.from("milliseconds" /* MILLISECONDS */, duration);
+  }
+};
+// src/redis/redlockImpl.ts
 async function getClient(type, opts) {
   if (type === "custom" /* CUSTOM */) {
     return newRedlock(opts);
@@ -69759,8 +69503,8 @@ __export(users_exports3, {
 });
 // src/users/utils.ts
-var utils_exports6 = {};
-__export(utils_exports6, {
+var utils_exports5 = {};
+__export(utils_exports5, {
   getAccountHolderFromUsers: () => getAccountHolderFromUsers,
   hasAdminPermissions: () => hasAdminPermissions2,
   hasAppBuilderPermissions: () => hasAppBuilderPermissions2,
@@ -70561,7 +70305,7 @@ __export(events_exports, {
   rows: () => rows_default,
   screen: () => screen_default,
   serve: () => serve_default,
-  shutdown: () => shutdown5,
+  shutdown: () => shutdown4,
   table: () => table_default,
   user: () => user_default,
   view: () => view_default
@@ -70571,7 +70315,7 @@ __export(events_exports, {
 var processors_exports = {};
 __export(processors_exports, {
   analyticsProcessor: () => analyticsProcessor,
-  init: () => init5,
+  init: () => init4,
   processors: () => processors
 });
@@ -70585,7 +70329,7 @@ var enabled = async () => {
 };
 // src/events/processors/posthog/PosthogProcessor.ts
-var import_posthog_node2 = require("posthog-node");
+var import_posthog_node = require("posthog-node");
 // src/events/processors/posthog/rateLimiting.ts
 var isRateLimited = (event) => {
@@ -70669,7 +70413,7 @@ var PosthogProcessor = class {
     if (!token) {
       throw new Error("Posthog token is not defined");
     }
-    this.posthog = new import_posthog_node2.PostHog(token);
+    this.posthog = new import_posthog_node.PostHog(token);
   }
   async processEvent(event, identity, properties, timestamp) {
     if (EXCLUDED_EVENTS.includes(event)) {
@@ -70813,7 +70557,7 @@ __export(queue_exports, {
   Queue: () => import_bull2.Queue,
   QueueOptions: () => import_bull2.QueueOptions,
   createQueue: () => createQueue,
-  shutdown: () => shutdown3
+  shutdown: () => shutdown2
 });
 // src/queue/inMemoryQueue.ts
@@ -71132,7 +70876,7 @@ function createQueue(jobQueue, opts = {}) {
   }
   return queue;
 }
-async function shutdown3() {
+async function shutdown2() {
   if (cleanupInterval) {
     clear(cleanupInterval);
   }
@@ -71244,7 +70988,7 @@ var Processor = class {
 var analyticsProcessor = new AnalyticsProcessor();
 var loggingProcessor = new LoggingProcessor();
 var auditLogsProcessor = new AuditLogsProcessor();
-function init5(auditingFn) {
+function init4(auditingFn) {
   return AuditLogsProcessor.init(auditingFn);
 }
 var processors = new Processor([
@@ -71722,10 +71466,10 @@ var getEventKey = (event, properties) => {
 // src/events/asyncEvents/queue.ts
 var asyncEventQueue;
-function init6() {
+function init5() {
   asyncEventQueue = createQueue("systemEventQueue" /* SYSTEM_EVENT_QUEUE */);
 }
-async function shutdown4() {
+async function shutdown3() {
   if (asyncEventQueue) {
     await asyncEventQueue.close();
   }
@@ -71734,7 +71478,7 @@ async function shutdown4() {
 // src/events/asyncEvents/publisher.ts
 async function publishAsyncEvent(payload) {
   if (!asyncEventQueue) {
-    init6();
+    init5();
   }
   const { event, identity } = payload;
   if (AsyncEvents.indexOf(event) !== -1 && identity.tenantId) {
@@ -72881,7 +72625,7 @@ var group_default = {
 };
 // src/events/publishers/plugin.ts
-async function init7(plugin) {
+async function init6(plugin) {
   const properties = {
     type: plugin.schema.type,
     name: plugin.name,
@@ -72912,7 +72656,7 @@ async function deleted13(plugin) {
   await publishEvent("plugin:deleted" /* PLUGIN_DELETED */, properties);
 }
 var plugin_default = {
-  init: init7,
+  init: init6,
   imported: imported4,
   deleted: deleted13
 };
@@ -72992,7 +72736,7 @@ var auditLog_default = {
 // src/events/index.ts
 function initAsyncEvents() {
 }
-var shutdown5 = () => {
+var shutdown4 = () => {
   processors.shutdown();
   console.log("Events shutdown");
 };
@@ -74109,7 +73853,7 @@ __export(docWritethrough_exports, {
   DocWritethrough: () => DocWritethrough,
   DocWritethroughProcessor: () => DocWritethroughProcessor,
   getProcessor: () => getProcessor,
-  init: () => init8
+  init: () => init7
 });
 var PERSIST_MAX_ATTEMPTS = 100;
 var processor;
@@ -74174,13 +73918,13 @@ var DocWritethrough = class {
     });
   }
 };
-function init8() {
+function init7() {
   processor = new DocWritethroughProcessor().init();
   return processor;
 }
 function getProcessor() {
   if (!processor) {
-    return init8();
+    return init7();
   }
   return processor;
 }
@@ -74653,6 +74397,264 @@ var BUILDER = "builder" /* BUILDER */;
 var CREATOR = "creator" /* CREATOR */;
 var GLOBAL_BUILDER = "globalBuilder" /* GLOBAL_BUILDER */;
+// src/features/index.ts
+var features_exports = {};
+__export(features_exports, {
+  Flag: () => Flag,
+  FlagSet: () => FlagSet,
+  flags: () => flags,
+  init: () => init8,
+  parseEnvFlags: () => parseEnvFlags,
+  shutdown: () => shutdown5,
+  testutils: () => utils_exports6
+});
+// src/features/features.ts
+var crypto = __toESM(require("crypto"));
+var import_posthog_node2 = require("posthog-node");
+var import_dd_trace3 = __toESM(require("dd-trace"));
+var posthog;
+function init8(opts) {
+  if (environment_default.POSTHOG_TOKEN && environment_default.POSTHOG_API_HOST && !environment_default.SELF_HOSTED && environment_default.POSTHOG_FEATURE_FLAGS_ENABLED) {
+    console.log("initializing posthog client...");
+    posthog = new import_posthog_node2.PostHog(environment_default.POSTHOG_TOKEN, {
+      host: environment_default.POSTHOG_API_HOST,
+      personalApiKey: environment_default.POSTHOG_PERSONAL_TOKEN,
+      featureFlagsPollingInterval: Duration.fromMinutes(3).toMs(),
+      ...opts
+    });
+  } else {
+    console.log("posthog disabled");
+  }
+}
+function shutdown5() {
+  posthog?.shutdown();
+}
+var Flag = class {
+  constructor(defaultValue) {
+    this.defaultValue = defaultValue;
+  }
+  static boolean(defaultValue) {
+    return new BooleanFlag(defaultValue);
+  }
+  static string(defaultValue) {
+    return new StringFlag(defaultValue);
+  }
+  static number(defaultValue) {
+    return new NumberFlag(defaultValue);
+  }
+};
+var BooleanFlag = class extends Flag {
+  parse(value) {
+    if (typeof value === "string") {
+      return ["true", "t", "1"].includes(value.toLowerCase());
+    }
+    if (typeof value === "boolean") {
+      return value;
+    }
+    throw new Error(`could not parse value "${value}" as boolean`);
+  }
+};
+var StringFlag = class extends Flag {
+  parse(value) {
+    if (typeof value === "string") {
+      return value;
+    }
+    throw new Error(`could not parse value "${value}" as string`);
+  }
+};
+var NumberFlag = class extends Flag {
+  parse(value) {
+    if (typeof value === "number") {
+      return value;
+    }
+    if (typeof value === "string") {
+      const parsed = parseFloat(value);
+      if (!isNaN(parsed)) {
+        return parsed;
+      }
+    }
+    throw new Error(`could not parse value "${value}" as number`);
+  }
+};
+function parseEnvFlags(flags2) {
+  const split = flags2.split(",").map((x) => x.split(":"));
+  const result = [];
+  for (const [tenantId, ...features] of split) {
+    for (let feature of features) {
+      let value = true;
+      if (feature.startsWith("!")) {
+        feature = feature.slice(1);
+        value = false;
+      }
+      result.push({ tenantId, key: feature, value });
+    }
+  }
+  return result;
+}
+var FlagSet = class {
+  constructor(flagSchema) {
+    this.flagSchema = flagSchema;
+    this.setId = crypto.randomUUID();
+  }
+  defaults() {
+    return Object.keys(this.flagSchema).reduce((acc, key) => {
+      const typedKey = key;
+      acc[typedKey] = this.flagSchema[key].defaultValue;
+      return acc;
+    }, {});
+  }
+  isFlagName(name) {
+    return this.flagSchema[name] !== void 0;
+  }
+  async get(key) {
+    const flags2 = await this.fetch();
+    return flags2[key];
+  }
+  async isEnabled(key) {
+    const flags2 = await this.fetch();
+    return flags2[key];
+  }
+  async fetch() {
+    return await import_dd_trace3.default.trace("features.fetch", async (span) => {
+      const cachedFlags = getFeatureFlags(this.setId);
+      if (cachedFlags) {
+        span?.addTags({ fromCache: true });
+        return cachedFlags;
+      }
+      const tags = {};
+      const flagValues = this.defaults();
+      const currentTenantId = getTenantId();
+      const specificallySetFalse = /* @__PURE__ */ new Set();
+      for (const { tenantId: tenantId2, key, value } of parseEnvFlags(
+        environment_default.TENANT_FEATURE_FLAGS || ""
+      )) {
+        if (!tenantId2 || tenantId2 !== "*" && tenantId2 !== currentTenantId) {
+          continue;
+        }
+        tags[`readFromEnvironmentVars`] = true;
+        if (value === false) {
+          specificallySetFalse.add(key);
+        }
+        if (!this.isFlagName(key)) {
+          continue;
+        }
+        if (typeof flagValues[key] !== "boolean") {
+          throw new Error(`Feature: ${key} is not a boolean`);
+        }
+        flagValues[key] = value;
+        tags[`flags.${key}.source`] = "environment";
+      }
+      const identity = getIdentity();
+      let userId = identity?._id;
+      if (!userId) {
+        const ip = getIP();
+        if (ip) {
+          userId = crypto.createHash("sha512").update(ip).digest("hex");
+        }
+      }
+      let tenantId = identity?.tenantId;
+      if (!tenantId) {
+        tenantId = currentTenantId;
+      }
+      tags[`identity.type`] = identity?.type;
+      tags[`identity._id`] = identity?._id;
+      tags[`tenantId`] = tenantId;
+      tags[`userId`] = userId;
+      if (posthog && userId) {
+        tags[`readFromPostHog`] = true;
+        const personProperties = { tenantId };
+        const posthogFlags = await posthog.getAllFlagsAndPayloads(userId, {
+          personProperties
+        });
+        for (const [name, value] of Object.entries(posthogFlags.featureFlags)) {
+          if (!this.isFlagName(name)) {
+            console.warn(`Unexpected posthog flag "${name}": ${value}`);
+            continue;
+          }
+          if (flagValues[name] === true || specificallySetFalse.has(name)) {
+            continue;
+          }
+          const payload = posthogFlags.featureFlagPayloads?.[name];
+          const flag = this.flagSchema[name];
+          try {
+            flagValues[name] = flag.parse(payload || value);
+            tags[`flags.${name}.source`] = "posthog";
+          } catch (err) {
+            console.warn(`Error parsing posthog flag "${name}": ${value}`, err);
+          }
+        }
+      }
+      setFeatureFlags(this.setId, flagValues);
+      for (const [key, value] of Object.entries(flagValues)) {
+        tags[`flags.${key}.value`] = value;
+      }
+      span?.addTags(tags);
+      return flagValues;
+    });
+  }
+};
+var flags = new FlagSet({
+  ["DEFAULT_VALUES" /* DEFAULT_VALUES */]: Flag.boolean(true),
+  ["AUTOMATION_BRANCHING" /* AUTOMATION_BRANCHING */]: Flag.boolean(true),
+  ["AI_CUSTOM_CONFIGS" /* AI_CUSTOM_CONFIGS */]: Flag.boolean(true),
+  ["BUDIBASE_AI" /* BUDIBASE_AI */]: Flag.boolean(true)
+});
+// src/features/tests/utils.ts
+var utils_exports6 = {};
+__export(utils_exports6, {
+  setFeatureFlags: () => setFeatureFlags2,
+  withFeatureFlags: () => withFeatureFlags
+});
+function getCurrentFlags() {
+  const result = {};
+  for (const { tenantId, key, value } of parseEnvFlags(
+    process.env.TENANT_FEATURE_FLAGS || ""
+  )) {
+    const tenantFlags = result[tenantId] || {};
+    if (tenantFlags[key] === false) {
+      continue;
+    }
+    tenantFlags[key] = value;
+    result[tenantId] = tenantFlags;
+  }
+  return result;
+}
+function buildFlagString(flags2) {
+  const parts = [];
+  for (const [tenantId, tenantFlags] of Object.entries(flags2)) {
+    for (const [key, value] of Object.entries(tenantFlags)) {
+      if (value === false) {
+        parts.push(`${tenantId}:!${key}`);
+      } else {
+        parts.push(`${tenantId}:${key}`);
+      }
+    }
+  }
+  return parts.join(",");
+}
+function setFeatureFlags2(tenantId, flags2) {
+  const current = getCurrentFlags();
+  for (const [key, value] of Object.entries(flags2)) {
+    const tenantFlags = current[tenantId] || {};
+    tenantFlags[key] = value;
+    current[tenantId] = tenantFlags;
+  }
+  const flagString = buildFlagString(current);
+  return setEnv({ TENANT_FEATURE_FLAGS: flagString });
+}
+function withFeatureFlags(tenantId, flags2, f) {
+  const cleanup3 = setFeatureFlags2(tenantId, flags2);
+  const result = f();
+  if (result instanceof Promise) {
+    return result.finally(cleanup3);
+  } else {
+    cleanup3();
+    return result;
+  }
+}
 // src/auth/index.ts
 var auth_exports = {};
 __export(auth_exports, {
@@ -75106,7 +75108,7 @@ __export(encryption_exports, {
   encryptFile: () => encryptFile,
   getSecret: () => getSecret
 });
-var import_crypto = __toESM(require("crypto"));
+var import_crypto2 = __toESM(require("crypto"));
 var import_fs5 = __toESM(require("fs"));
 var import_zlib2 = __toESM(require("zlib"));
 var import_path4 = require("path");
@@ -75140,12 +75142,12 @@ function getSecret(secretOption) {
   return secret;
 }
 function stretchString(secret, salt) {
-  return import_crypto.default.pbkdf2Sync(secret, salt, ITERATIONS, STRETCH_LENGTH, "sha512");
+  return import_crypto2.default.pbkdf2Sync(secret, salt, ITERATIONS, STRETCH_LENGTH, "sha512");
 }
 function encrypt(input, secretOption = "api" /* API */) {
-  const salt = import_crypto.default.randomBytes(SALT_LENGTH);
+  const salt = import_crypto2.default.randomBytes(SALT_LENGTH);
   const stretched = stretchString(getSecret(secretOption), salt);
-  const cipher = import_crypto.default.createCipheriv(ALGO, stretched, salt);
+  const cipher = import_crypto2.default.createCipheriv(ALGO, stretched, salt);
   const base2 = cipher.update(input);
   const final = cipher.final();
   const encrypted = Buffer.concat([base2, final]).toString("hex");
@@ -75155,7 +75157,7 @@ function decrypt(input, secretOption = "api" /* API */) {
   const [salt, encrypted] = input.split(SEPARATOR3);
   const saltBuffer = Buffer.from(salt, "hex");
   const stretched = stretchString(getSecret(secretOption), saltBuffer);
-  const decipher = import_crypto.default.createDecipheriv(ALGO, stretched, saltBuffer);
+  const decipher = import_crypto2.default.createDecipheriv(ALGO, stretched, saltBuffer);
   const base2 = decipher.update(Buffer.from(encrypted, "hex"));
   const final = decipher.final();
   return Buffer.concat([base2, final]).toString();
@@ -75168,10 +75170,10 @@ async function encryptFile({ dir, filename }, secret) {
   }
   const inputFile = import_fs5.default.createReadStream(filePath);
   const outputFile = import_fs5.default.createWriteStream((0, import_path4.join)(dir, outputFileName));
-  const salt = import_crypto.default.randomBytes(SALT_LENGTH);
-  const iv = import_crypto.default.randomBytes(IV_LENGTH);
+  const salt = import_crypto2.default.randomBytes(SALT_LENGTH);
+  const iv = import_crypto2.default.randomBytes(IV_LENGTH);
   const stretched = stretchString(secret, salt);
-  const cipher = import_crypto.default.createCipheriv(ALGO, stretched, iv);
+  const cipher = import_crypto2.default.createCipheriv(ALGO, stretched, iv);
   outputFile.write(salt);
   outputFile.write(iv);
   inputFile.pipe(import_zlib2.default.createGzip()).pipe(cipher).pipe(outputFile);
@@ -75201,7 +75203,7 @@ async function decryptFile(inputPath, outputPath, secret) {
   });
   const outputFile = import_fs5.default.createWriteStream(outputPath);
   const stretched = stretchString(secret, salt);
-  const decipher = import_crypto.default.createDecipheriv(ALGO, stretched, iv);
+  const decipher = import_crypto2.default.createDecipheriv(ALGO, stretched, iv);
   const unzip = import_zlib2.default.createGunzip();
   inputFile.pipe(decipher).pipe(unzip).pipe(outputFile);
   return new Promise((res, rej) => {
@@ -75645,7 +75647,7 @@ function querystringToBody_default(ctx, next) {
 }
 // src/middleware/contentSecurityPolicy.ts
-var import_crypto2 = __toESM(require("crypto"));
+var import_crypto3 = __toESM(require("crypto"));
 var CSP_DIRECTIVES = {
   "default-src": ["'self'"],
   "script-src": [
@@ -75733,15 +75735,12 @@ var CSP_DIRECTIVES = {
 };
 async function contentSecurityPolicy(ctx, next) {
   try {
-    const nonce = import_crypto2.default.randomBytes(16).toString("base64");
+    const nonce = import_crypto3.default.randomBytes(16).toString("base64");
     const directives = { ...CSP_DIRECTIVES };
     directives["script-src"] = [
       ...CSP_DIRECTIVES["script-src"],
       `'nonce-${nonce}'`
     ];
-    if (!environment_default.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS) {
-      directives["script-src"].push("'unsafe-inline'");
-    }
     ctx.state.nonce = nonce;
     const cspHeader = Object.entries(directives).map(([key, sources]) => `${key} ${sources.join(" ")}`).join("; ");
     ctx.set("Content-Security-Policy", cspHeader);
@@ -76196,7 +76195,7 @@ var DocumentUpdateProcessor = class {
     }
   }
   shutdown() {
-    return shutdown4();
+    return shutdown3();
   }
 };
@@ -76205,7 +76204,7 @@ var processingPromise;
 var documentProcessor;
 function init9(processors2) {
   if (!asyncEventQueue) {
-    init6();
+    init5();
   }
   if (!documentProcessor) {
     documentProcessor = new DocumentUpdateProcessor(processors2);