@byline/db-postgres 0.9.3

package/dist/lib/test-helper.js

@@ -0,0 +1,47 @@
+import { drizzle } from 'drizzle-orm/node-postgres';
+import pg from 'pg';
+import * as schema from '../database/schema/index.js';
+import { createCommandBuilders } from '../modules/storage/storage-commands.js';
+import { createQueryBuilders } from '../modules/storage/storage-queries.js';
+let pool;
+let db;
+let commandBuilders;
+let queryBuilders;
+export function setupTestDB(collections = []) {
+    if (!pool) {
+        pool = new pg.Pool({
+            connectionString: process.env.POSTGRES_CONNECTION_STRING,
+            // Integration tests share the dev database with the running webapp,
+            // and node:test may run multiple test files in separate processes.
+            // A pool-per-file of 20 connections × N files + the webapp's own
+            // pool of 20 blows past Postgres's default `max_connections=100`
+            // and throws `FATAL: sorry, too many clients already`. The tests
+            // are serial and run one query at a time, so a small pool is
+            // sufficient — keep total test connections low regardless of
+            // process / file parallelism.
+            max: 4,
+            idleTimeoutMillis: 2000,
+            connectionTimeoutMillis: 1000,
+        });
+    }
+    if (!db) {
+        db = drizzle(pool, { schema });
+    }
+    if (!commandBuilders) {
+        commandBuilders = createCommandBuilders(db);
+    }
+    // Recreate queryBuilders when collections are provided so that
+    // DocumentQueries can resolve collection definitions by path.
+    queryBuilders = createQueryBuilders(db, collections);
+    return { pool, db, commandBuilders, queryBuilders };
+}
+export async function teardownTestDB() {
+    if (pool) {
+        await pool.end();
+        pool = undefined;
+        db = undefined;
+        commandBuilders = undefined;
+        queryBuilders = undefined;
+    }
+}
+//# sourceMappingURL=test-helper.js.map

package/dist/lib/test-helper.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"test-helper.js","sourceRoot":"","sources":["../../src/lib/test-helper.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAuB,MAAM,2BAA2B,CAAA;AACxE,OAAO,EAAE,MAAM,IAAI,CAAA;AAEnB,OAAO,KAAK,MAAM,MAAM,6BAA6B,CAAA;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,wCAAwC,CAAA;AAC9E,OAAO,EAAE,mBAAmB,EAAE,MAAM,uCAAuC,CAAA;AAE3E,IAAI,IAAa,CAAA;AACjB,IAAI,EAAiC,CAAA;AACrC,IAAI,eAAyD,CAAA;AAC7D,IAAI,aAAqD,CAAA;AAEzD,MAAM,UAAU,WAAW,CAAC,cAAsC,EAAE;IAClE,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,GAAG,IAAI,EAAE,CAAC,IAAI,CAAC;YACjB,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B;YACxD,oEAAoE;YACpE,mEAAmE;YACnE,iEAAiE;YACjE,iEAAiE;YACjE,iEAAiE;YACjE,6DAA6D;YAC7D,6DAA6D;YAC7D,8BAA8B;YAC9B,GAAG,EAAE,CAAC;YACN,iBAAiB,EAAE,IAAI;YACvB,uBAAuB,EAAE,IAAI;SAC9B,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,EAAE,GAAG,OAAO,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;IAChC,CAAC;IAED,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,eAAe,GAAG,qBAAqB,CAAC,EAAE,CAAC,CAAA;IAC7C,CAAC;IAED,+DAA+D;IAC/D,8DAA8D;IAC9D,aAAa,GAAG,mBAAmB,CAAC,EAAE,EAAE,WAAW,CAAC,CAAA;IAEpD,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,eAAe,EAAE,aAAa,EAAE,CAAA;AACrD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,IAAI,CAAC,GAAG,EAAE,CAAA;QAChB,IAAI,GAAG,SAAgB,CAAA;QACvB,EAAE,GAAG,SAAgB,CAAA;QACrB,eAAe,GAAG,SAAgB,CAAA;QAClC,aAAa,GAAG,SAAgB,CAAA;IAClC,CAAC;AACH,CAAC"}

package/dist/modules/admin/admin-permissions-repository.d.ts

@@ -0,0 +1,17 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { AdminPermissionsRepository } from '@byline/admin/admin-permissions';
+import type { NodePgDatabase } from 'drizzle-orm/node-postgres';
+import type * as schema from '../../database/schema/index.js';
+/**
+ * Postgres implementation of `AdminPermissionsRepository` — per-role
+ * ability grants and the distinct-abilities-for-user join that drives
+ * `resolveActor()`.
+ */
+export declare function createAdminPermissionsRepository(db: NodePgDatabase<typeof schema>): AdminPermissionsRepository;
+//# sourceMappingURL=admin-permissions-repository.d.ts.map

package/dist/modules/admin/admin-permissions-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-permissions-repository.d.ts","sourceRoot":"","sources":["../../../src/modules/admin/admin-permissions-repository.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAA;AAEjF,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAI/D,OAAO,KAAK,KAAK,MAAM,MAAM,gCAAgC,CAAA;AAE7D;;;;GAIG;AACH,wBAAgB,gCAAgC,CAC9C,EAAE,EAAE,cAAc,CAAC,OAAO,MAAM,CAAC,GAChC,0BAA0B,CAwE5B"}

package/dist/modules/admin/admin-permissions-repository.js

@@ -0,0 +1,76 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { and, eq } from 'drizzle-orm';
+import { v7 as uuidv7 } from 'uuid';
+import { adminPermissions, adminRoleAdminUser } from '../../database/schema/auth.js';
+/**
+ * Postgres implementation of `AdminPermissionsRepository` — per-role
+ * ability grants and the distinct-abilities-for-user join that drives
+ * `resolveActor()`.
+ */
+export function createAdminPermissionsRepository(db) {
+    return {
+        async grantAbility(roleId, ability) {
+            await db
+                .insert(adminPermissions)
+                .values({ id: uuidv7(), admin_role_id: roleId, ability })
+                .onConflictDoNothing({
+                target: [adminPermissions.admin_role_id, adminPermissions.ability],
+            });
+        },
+        async revokeAbility(roleId, ability) {
+            await db
+                .delete(adminPermissions)
+                .where(and(eq(adminPermissions.admin_role_id, roleId), eq(adminPermissions.ability, ability)));
+        },
+        async listAbilities(roleId) {
+            const rows = await db
+                .select({ ability: adminPermissions.ability })
+                .from(adminPermissions)
+                .where(eq(adminPermissions.admin_role_id, roleId));
+            return rows.map((r) => r.ability);
+        },
+        async setAbilities(roleId, abilities) {
+            await db.transaction(async (tx) => {
+                await tx.delete(adminPermissions).where(eq(adminPermissions.admin_role_id, roleId));
+                if (abilities.length === 0)
+                    return;
+                const rows = abilities.map((ability) => ({
+                    id: uuidv7(),
+                    admin_role_id: roleId,
+                    ability,
+                }));
+                await tx.insert(adminPermissions).values(rows);
+            });
+        },
+        async listAbilitiesForUser(userId) {
+            const rows = await db
+                .selectDistinct({ ability: adminPermissions.ability })
+                .from(adminPermissions)
+                .innerJoin(adminRoleAdminUser, eq(adminRoleAdminUser.admin_role_id, adminPermissions.admin_role_id))
+                .where(eq(adminRoleAdminUser.admin_user_id, userId));
+            return rows.map((r) => r.ability);
+        },
+        async listRolesForAbility(ability) {
+            const rows = await db
+                .select({ admin_role_id: adminPermissions.admin_role_id })
+                .from(adminPermissions)
+                .where(eq(adminPermissions.ability, ability));
+            return rows.map((r) => r.admin_role_id);
+        },
+        async listUsersForAbility(ability) {
+            const rows = await db
+                .selectDistinct({ admin_user_id: adminRoleAdminUser.admin_user_id })
+                .from(adminRoleAdminUser)
+                .innerJoin(adminPermissions, eq(adminPermissions.admin_role_id, adminRoleAdminUser.admin_role_id))
+                .where(eq(adminPermissions.ability, ability));
+            return rows.map((r) => r.admin_user_id);
+        },
+    };
+}
+//# sourceMappingURL=admin-permissions-repository.js.map

package/dist/modules/admin/admin-permissions-repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-permissions-repository.js","sourceRoot":"","sources":["../../../src/modules/admin/admin-permissions-repository.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,MAAM,aAAa,CAAA;AAErC,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAA;AAEnC,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAA;AAGpF;;;;GAIG;AACH,MAAM,UAAU,gCAAgC,CAC9C,EAAiC;IAEjC,OAAO;QACL,KAAK,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO;YAChC,MAAM,EAAE;iBACL,MAAM,CAAC,gBAAgB,CAAC;iBACxB,MAAM,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;iBACxD,mBAAmB,CAAC;gBACnB,MAAM,EAAE,CAAC,gBAAgB,CAAC,aAAa,EAAE,gBAAgB,CAAC,OAAO,CAAC;aACnE,CAAC,CAAA;QACN,CAAC;QAED,KAAK,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO;YACjC,MAAM,EAAE;iBACL,MAAM,CAAC,gBAAgB,CAAC;iBACxB,KAAK,CACJ,GAAG,CAAC,EAAE,CAAC,gBAAgB,CAAC,aAAa,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CACvF,CAAA;QACL,CAAC;QAED,KAAK,CAAC,aAAa,CAAC,MAAM;YACxB,MAAM,IAAI,GAAG,MAAM,EAAE;iBAClB,MAAM,CAAC,EAAE,OAAO,EAAE,gBAAgB,CAAC,OAAO,EAAE,CAAC;iBAC7C,IAAI,CAAC,gBAAgB,CAAC;iBACtB,KAAK,CAAC,EAAE,CAAC,gBAAgB,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC,CAAA;YACpD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;QACnC,CAAC;QAED,KAAK,CAAC,YAAY,CAAC,MAAM,EAAE,SAAS;YAClC,MAAM,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;gBAChC,MAAM,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,gBAAgB,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC,CAAA;gBACnF,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAM;gBAClC,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;oBACvC,EAAE,EAAE,MAAM,EAAE;oBACZ,aAAa,EAAE,MAAM;oBACrB,OAAO;iBACR,CAAC,CAAC,CAAA;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;YAChD,CAAC,CAAC,CAAA;QACJ,CAAC;QAED,KAAK,CAAC,oBAAoB,CAAC,MAAM;YAC/B,MAAM,IAAI,GAAG,MAAM,EAAE;iBAClB,cAAc,CAAC,EAAE,OAAO,EAAE,gBAAgB,CAAC,OAAO,EAAE,CAAC;iBACrD,IAAI,CAAC,gBAAgB,CAAC;iBACtB,SAAS,CACR,kBAAkB,EAClB,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,gBAAgB,CAAC,aAAa,CAAC,CACrE;iBACA,KAAK,CAAC,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC,CAAA;YACtD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;QACnC,CAAC;QAED,KAAK,CAAC,mBAAmB,CAAC,OAAO;YAC/B,MAAM,IAAI,GAAG,MAAM,EAAE;iBAClB,MAAM,CAAC,EAAE,aAAa,EAAE,gBAAgB,CAAC,aAAa,EAAE,CAAC;iBACzD,IAAI,CAAC,gBAAgB,CAAC;iBACtB,KAAK,CAAC,EAAE,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAA;YAC/C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAA;QACzC,CAAC;QAED,KAAK,CAAC,mBAAmB,CAAC,OAAO;YAC/B,MAAM,IAAI,GAAG,MAAM,EAAE;iBAClB,cAAc,CAAC,EAAE,aAAa,EAAE,kBAAkB,CAAC,aAAa,EAAE,CAAC;iBACnE,IAAI,CAAC,kBAAkB,CAAC;iBACxB,SAAS,CACR,gBAAgB,EAChB,EAAE,CAAC,gBAAgB,CAAC,aAAa,EAAE,kBAAkB,CAAC,aAAa,CAAC,CACrE;iBACA,KAAK,CAAC,EAAE,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAA;YAC/C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAA;QACzC,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/modules/admin/admin-roles-repository.d.ts

@@ -0,0 +1,12 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { type AdminRolesRepository } from '@byline/admin/admin-roles';
+import type { NodePgDatabase } from 'drizzle-orm/node-postgres';
+import type * as schema from '../../database/schema/index.js';
+export declare function createAdminRolesRepository(db: NodePgDatabase<typeof schema>): AdminRolesRepository;
+//# sourceMappingURL=admin-roles-repository.d.ts.map

package/dist/modules/admin/admin-roles-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-roles-repository.d.ts","sourceRoot":"","sources":["../../../src/modules/admin/admin-roles-repository.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAEL,KAAK,oBAAoB,EAE1B,MAAM,2BAA2B,CAAA;AAElC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAI/D,OAAO,KAAK,KAAK,MAAM,MAAM,gCAAgC,CAAA;AAwB7D,wBAAgB,0BAA0B,CACxC,EAAE,EAAE,cAAc,CAAC,OAAO,MAAM,CAAC,GAChC,oBAAoB,CAkJtB"}

package/dist/modules/admin/admin-roles-repository.js

@@ -0,0 +1,168 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { ERR_ADMIN_ROLE_VERSION_CONFLICT, } from '@byline/admin/admin-roles';
+import { and, asc, eq, sql } from 'drizzle-orm';
+import { v7 as uuidv7 } from 'uuid';
+import { adminRoleAdminUser, adminRoles } from '../../database/schema/auth.js';
+/**
+ * Postgres implementation of `AdminRolesRepository` — role CRUD,
+ * reorder, and role ↔ user assignments. Ability grants live on
+ * `AdminPermissionsRepository` (see `admin-permissions-repository.ts`).
+ *
+ * Optimistic-concurrency writes (`update`, `delete`) gate on
+ * `WHERE id = $id AND vid = $expected` — zero rows means another writer
+ * bumped the row first; throw `VERSION_CONFLICT`. Reorder is vid-less
+ * (see contract docs) and runs as a single transaction.
+ */
+const PUBLIC_ROLE_COLUMNS = {
+    id: adminRoles.id,
+    vid: adminRoles.vid,
+    name: adminRoles.name,
+    machine_name: adminRoles.machine_name,
+    description: adminRoles.description,
+    order: adminRoles.order,
+    created_at: adminRoles.created_at,
+    updated_at: adminRoles.updated_at,
+};
+export function createAdminRolesRepository(db) {
+    return {
+        // -----------------------------------------------------------------
+        // Role CRUD
+        // -----------------------------------------------------------------
+        async create(input) {
+            const [row] = await db
+                .insert(adminRoles)
+                .values({
+                id: uuidv7(),
+                name: input.name,
+                machine_name: input.machine_name,
+                description: input.description ?? null,
+                order: input.order ?? 0,
+            })
+                .returning(PUBLIC_ROLE_COLUMNS);
+            if (!row)
+                throw new Error('createAdminRole: insert returned no row');
+            return row;
+        },
+        async getById(id) {
+            const [row] = await db
+                .select(PUBLIC_ROLE_COLUMNS)
+                .from(adminRoles)
+                .where(eq(adminRoles.id, id));
+            return row ?? null;
+        },
+        async getByMachineName(machineName) {
+            const [row] = await db
+                .select(PUBLIC_ROLE_COLUMNS)
+                .from(adminRoles)
+                .where(eq(adminRoles.machine_name, machineName));
+            return row ?? null;
+        },
+        async list() {
+            return db
+                .select(PUBLIC_ROLE_COLUMNS)
+                .from(adminRoles)
+                .orderBy(asc(adminRoles.order), asc(adminRoles.created_at));
+        },
+        async update(id, expectedVid, patch) {
+            const updateSet = {
+                updated_at: new Date(),
+                vid: sql `${adminRoles.vid} + 1`,
+            };
+            if (patch.name !== undefined)
+                updateSet.name = patch.name;
+            if (patch.description !== undefined)
+                updateSet.description = patch.description;
+            if (patch.order !== undefined)
+                updateSet.order = patch.order;
+            const [row] = await db
+                .update(adminRoles)
+                .set(updateSet)
+                .where(and(eq(adminRoles.id, id), eq(adminRoles.vid, expectedVid)))
+                .returning(PUBLIC_ROLE_COLUMNS);
+            if (!row)
+                throw ERR_ADMIN_ROLE_VERSION_CONFLICT();
+            return row;
+        },
+        async delete(id, expectedVid) {
+            // Cascades remove role ↔ user assignments and per-role permissions.
+            const result = await db
+                .delete(adminRoles)
+                .where(and(eq(adminRoles.id, id), eq(adminRoles.vid, expectedVid)))
+                .returning({ id: adminRoles.id });
+            if (result.length === 0)
+                throw ERR_ADMIN_ROLE_VERSION_CONFLICT();
+        },
+        async reorder(ids) {
+            if (ids.length === 0)
+                return;
+            // Single transaction so the list is never observed half-reordered.
+            // No vid gate: see `AdminRolesRepository.reorder` contract docs.
+            await db.transaction(async (tx) => {
+                const now = new Date();
+                for (let i = 0; i < ids.length; i++) {
+                    await tx
+                        .update(adminRoles)
+                        .set({
+                        order: i,
+                        updated_at: now,
+                        vid: sql `${adminRoles.vid} + 1`,
+                    })
+                        .where(eq(adminRoles.id, ids[i]));
+                }
+            });
+        },
+        // -----------------------------------------------------------------
+        // Role ↔ user assignments
+        // -----------------------------------------------------------------
+        async assignToUser(roleId, userId) {
+            await db
+                .insert(adminRoleAdminUser)
+                .values({ admin_role_id: roleId, admin_user_id: userId })
+                .onConflictDoNothing({
+                target: [adminRoleAdminUser.admin_role_id, adminRoleAdminUser.admin_user_id],
+            });
+        },
+        async unassignFromUser(roleId, userId) {
+            await db
+                .delete(adminRoleAdminUser)
+                .where(and(eq(adminRoleAdminUser.admin_role_id, roleId), eq(adminRoleAdminUser.admin_user_id, userId)));
+        },
+        async listRolesForUser(userId) {
+            const rows = await db
+                .select(PUBLIC_ROLE_COLUMNS)
+                .from(adminRoles)
+                .innerJoin(adminRoleAdminUser, eq(adminRoleAdminUser.admin_role_id, adminRoles.id))
+                .where(eq(adminRoleAdminUser.admin_user_id, userId))
+                .orderBy(asc(adminRoles.order));
+            return rows;
+        },
+        async listUsersForRole(roleId) {
+            const rows = await db
+                .select({ admin_user_id: adminRoleAdminUser.admin_user_id })
+                .from(adminRoleAdminUser)
+                .where(eq(adminRoleAdminUser.admin_role_id, roleId));
+            return rows.map((r) => r.admin_user_id);
+        },
+        async setRolesForUser(userId, roleIds) {
+            // Single transaction — user assignments are never observed
+            // half-edited. Symmetric to AdminPermissionsRepository.setAbilities.
+            await db.transaction(async (tx) => {
+                await tx.delete(adminRoleAdminUser).where(eq(adminRoleAdminUser.admin_user_id, userId));
+                if (roleIds.length === 0)
+                    return;
+                const rows = roleIds.map((admin_role_id) => ({
+                    admin_role_id,
+                    admin_user_id: userId,
+                }));
+                await tx.insert(adminRoleAdminUser).values(rows);
+            });
+        },
+    };
+}
+//# sourceMappingURL=admin-roles-repository.js.map

package/dist/modules/admin/admin-roles-repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-roles-repository.js","sourceRoot":"","sources":["../../../src/modules/admin/admin-roles-repository.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAGL,+BAA+B,GAChC,MAAM,2BAA2B,CAAA;AAClC,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,aAAa,CAAA;AAE/C,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAA;AAEnC,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAA;AAG9E;;;;;;;;;GASG;AAEH,MAAM,mBAAmB,GAAG;IAC1B,EAAE,EAAE,UAAU,CAAC,EAAE;IACjB,GAAG,EAAE,UAAU,CAAC,GAAG;IACnB,IAAI,EAAE,UAAU,CAAC,IAAI;IACrB,YAAY,EAAE,UAAU,CAAC,YAAY;IACrC,WAAW,EAAE,UAAU,CAAC,WAAW;IACnC,KAAK,EAAE,UAAU,CAAC,KAAK;IACvB,UAAU,EAAE,UAAU,CAAC,UAAU;IACjC,UAAU,EAAE,UAAU,CAAC,UAAU;CACzB,CAAA;AAEV,MAAM,UAAU,0BAA0B,CACxC,EAAiC;IAEjC,OAAO;QACL,oEAAoE;QACpE,YAAY;QACZ,oEAAoE;QAEpE,KAAK,CAAC,MAAM,CAAC,KAAK;YAChB,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;iBACnB,MAAM,CAAC,UAAU,CAAC;iBAClB,MAAM,CAAC;gBACN,EAAE,EAAE,MAAM,EAAE;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;gBACtC,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC;aACxB,CAAC;iBACD,SAAS,CAAC,mBAAmB,CAAC,CAAA;YACjC,IAAI,CAAC,GAAG;gBAAE,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAA;YACpE,OAAO,GAAG,CAAA;QACZ,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,EAAE;YACd,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;iBACnB,MAAM,CAAC,mBAAmB,CAAC;iBAC3B,IAAI,CAAC,UAAU,CAAC;iBAChB,KAAK,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAA;YAC/B,OAAO,GAAG,IAAI,IAAI,CAAA;QACpB,CAAC;QAED,KAAK,CAAC,gBAAgB,CAAC,WAAW;YAChC,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;iBACnB,MAAM,CAAC,mBAAmB,CAAC;iBAC3B,IAAI,CAAC,UAAU,CAAC;iBAChB,KAAK,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAA;YAClD,OAAO,GAAG,IAAI,IAAI,CAAA;QACpB,CAAC;QAED,KAAK,CAAC,IAAI;YACR,OAAO,EAAE;iBACN,MAAM,CAAC,mBAAmB,CAAC;iBAC3B,IAAI,CAAC,UAAU,CAAC;iBAChB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAA;QAC/D,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,WAAW,EAAE,KAAK;YACjC,MAAM,SAAS,GAA4B;gBACzC,UAAU,EAAE,IAAI,IAAI,EAAE;gBACtB,GAAG,EAAE,GAAG,CAAA,GAAG,UAAU,CAAC,GAAG,MAAM;aAChC,CAAA;YACD,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;gBAAE,SAAS,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAA;YACzD,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS;gBAAE,SAAS,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAA;YAC9E,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS;gBAAE,SAAS,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAA;YAE5D,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;iBACnB,MAAM,CAAC,UAAU,CAAC;iBAClB,GAAG,CAAC,SAAS,CAAC;iBACd,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC;iBAClE,SAAS,CAAC,mBAAmB,CAAC,CAAA;YACjC,IAAI,CAAC,GAAG;gBAAE,MAAM,+BAA+B,EAAE,CAAA;YACjD,OAAO,GAAG,CAAA;QACZ,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,WAAW;YAC1B,oEAAoE;YACpE,MAAM,MAAM,GAAG,MAAM,EAAE;iBACpB,MAAM,CAAC,UAAU,CAAC;iBAClB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC;iBAClE,SAAS,CAAC,EAAE,EAAE,EAAE,UAAU,CAAC,EAAE,EAAE,CAAC,CAAA;YACnC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;gBAAE,MAAM,+BAA+B,EAAE,CAAA;QAClE,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,GAAG;YACf,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAM;YAC5B,mEAAmE;YACnE,iEAAiE;YACjE,MAAM,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;gBAChC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;gBACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACpC,MAAM,EAAE;yBACL,MAAM,CAAC,UAAU,CAAC;yBAClB,GAAG,CAAC;wBACH,KAAK,EAAE,CAAC;wBACR,UAAU,EAAE,GAAG;wBACf,GAAG,EAAE,GAAG,CAAA,GAAG,UAAU,CAAC,GAAG,MAAM;qBAChC,CAAC;yBACD,KAAK,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC,CAAW,CAAC,CAAC,CAAA;gBAC/C,CAAC;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;QAED,oEAAoE;QACpE,0BAA0B;QAC1B,oEAAoE;QAEpE,KAAK,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM;YAC/B,MAAM,EAAE;iBACL,MAAM,CAAC,kBAAkB,CAAC;iBAC1B,MAAM,CAAC,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC;iBACxD,mBAAmB,CAAC;gBACnB,MAAM,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,kBAAkB,CAAC,aAAa,CAAC;aAC7E,CAAC,CAAA;QACN,CAAC;QAED,KAAK,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM;YACnC,MAAM,EAAE;iBACL,MAAM,CAAC,kBAAkB,CAAC;iBAC1B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,MAAM,CAAC,EAC5C,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,MAAM,CAAC,CAC7C,CACF,CAAA;QACL,CAAC;QAED,KAAK,CAAC,gBAAgB,CAAC,MAAM;YAC3B,MAAM,IAAI,GAAG,MAAM,EAAE;iBAClB,MAAM,CAAC,mBAAmB,CAAC;iBAC3B,IAAI,CAAC,UAAU,CAAC;iBAChB,SAAS,CAAC,kBAAkB,EAAE,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,UAAU,CAAC,EAAE,CAAC,CAAC;iBAClF,KAAK,CAAC,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;iBACnD,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAA;YACjC,OAAO,IAAI,CAAA;QACb,CAAC;QAED,KAAK,CAAC,gBAAgB,CAAC,MAAM;YAC3B,MAAM,IAAI,GAAG,MAAM,EAAE;iBAClB,MAAM,CAAC,EAAE,aAAa,EAAE,kBAAkB,CAAC,aAAa,EAAE,CAAC;iBAC3D,IAAI,CAAC,kBAAkB,CAAC;iBACxB,KAAK,CAAC,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC,CAAA;YACtD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAA;QACzC,CAAC;QAED,KAAK,CAAC,eAAe,CAAC,MAAM,EAAE,OAAO;YACnC,2DAA2D;YAC3D,qEAAqE;YACrE,MAAM,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;gBAChC,MAAM,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC,CAAA;gBACvF,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAM;gBAChC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;oBAC3C,aAAa;oBACb,aAAa,EAAE,MAAM;iBACtB,CAAC,CAAC,CAAA;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;YAClD,CAAC,CAAC,CAAA;QACJ,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/modules/admin/admin-store.d.ts

@@ -0,0 +1,20 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { AdminStore } from '@byline/admin';
+import type { NodePgDatabase } from 'drizzle-orm/node-postgres';
+import type * as schema from '../../database/schema/index.js';
+/**
+ * Wire the four admin repositories against a Drizzle handle and return the
+ * `AdminStore` bundle expected by `@byline/admin` — specifically by the
+ * built-in `JwtSessionProvider`, by `seedSuperAdmin`, and (later) by the
+ * admin-user / admin-role commands.
+ *
+ * Construct once per process, alongside the `pgAdapter` call.
+ */
+export declare function createAdminStore(db: NodePgDatabase<typeof schema>): AdminStore;
+//# sourceMappingURL=admin-store.d.ts.map

package/dist/modules/admin/admin-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-store.d.ts","sourceRoot":"","sources":["../../../src/modules/admin/admin-store.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAC/C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAM/D,OAAO,KAAK,KAAK,MAAM,MAAM,gCAAgC,CAAA;AAE7D;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,cAAc,CAAC,OAAO,MAAM,CAAC,GAAG,UAAU,CAO9E"}

package/dist/modules/admin/admin-store.js

@@ -0,0 +1,28 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { createAdminPermissionsRepository } from './admin-permissions-repository.js';
+import { createAdminRolesRepository } from './admin-roles-repository.js';
+import { createAdminUsersRepository } from './admin-users-repository.js';
+import { createRefreshTokensRepository } from './refresh-tokens-repository.js';
+/**
+ * Wire the four admin repositories against a Drizzle handle and return the
+ * `AdminStore` bundle expected by `@byline/admin` — specifically by the
+ * built-in `JwtSessionProvider`, by `seedSuperAdmin`, and (later) by the
+ * admin-user / admin-role commands.
+ *
+ * Construct once per process, alongside the `pgAdapter` call.
+ */
+export function createAdminStore(db) {
+    return {
+        adminUsers: createAdminUsersRepository(db),
+        adminRoles: createAdminRolesRepository(db),
+        adminPermissions: createAdminPermissionsRepository(db),
+        refreshTokens: createRefreshTokensRepository(db),
+    };
+}
+//# sourceMappingURL=admin-store.js.map

package/dist/modules/admin/admin-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-store.js","sourceRoot":"","sources":["../../../src/modules/admin/admin-store.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,EAAE,gCAAgC,EAAE,MAAM,mCAAmC,CAAA;AACpF,OAAO,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAA;AACxE,OAAO,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAA;AACxE,OAAO,EAAE,6BAA6B,EAAE,MAAM,gCAAgC,CAAA;AAG9E;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAAC,EAAiC;IAChE,OAAO;QACL,UAAU,EAAE,0BAA0B,CAAC,EAAE,CAAC;QAC1C,UAAU,EAAE,0BAA0B,CAAC,EAAE,CAAC;QAC1C,gBAAgB,EAAE,gCAAgC,CAAC,EAAE,CAAC;QACtD,aAAa,EAAE,6BAA6B,CAAC,EAAE,CAAC;KACjD,CAAA;AACH,CAAC"}

package/dist/modules/admin/admin-users-repository.d.ts

@@ -0,0 +1,12 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { type AdminUsersRepository } from '@byline/admin/admin-users';
+import type { NodePgDatabase } from 'drizzle-orm/node-postgres';
+import type * as schema from '../../database/schema/index.js';
+export declare function createAdminUsersRepository(db: NodePgDatabase<typeof schema>): AdminUsersRepository;
+//# sourceMappingURL=admin-users-repository.d.ts.map

package/dist/modules/admin/admin-users-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-users-repository.d.ts","sourceRoot":"","sources":["../../../src/modules/admin/admin-users-repository.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAEL,KAAK,oBAAoB,EAE1B,MAAM,2BAA2B,CAAA;AAElC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAI/D,OAAO,KAAK,KAAK,MAAM,MAAM,gCAAgC,CAAA;AA+C7D,wBAAgB,0BAA0B,CACxC,EAAE,EAAE,cAAc,CAAC,OAAO,MAAM,CAAC,GAChC,oBAAoB,CA2KtB"}

package/dist/modules/admin/admin-users-repository.js

@@ -0,0 +1,208 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { ERR_ADMIN_USER_VERSION_CONFLICT, } from '@byline/admin/admin-users';
+import { and, asc, desc, eq, ilike, or, sql } from 'drizzle-orm';
+import { v7 as uuidv7 } from 'uuid';
+import { adminUsers } from '../../database/schema/auth.js';
+/**
+ * Postgres implementation of `AdminUsersRepository`.
+ *
+ * The DB column for the password hash is `password`; the public interface
+ * exposes it as `password_hash`. The mapping happens entirely inside this
+ * factory — callers speak the interface shape and never see the column
+ * name.
+ *
+ * Password hashing is *not* done here — the interface takes a pre-hashed
+ * PHC string. Callers (seed, admin-user commands) hash first via
+ * `hashPassword` from `@byline/admin/auth`.
+ *
+ * Optimistic-concurrency writes (`update`, `setPasswordHash`, `delete`)
+ * guard the `UPDATE ... WHERE id = $id AND vid = $expected` pattern —
+ * zero rows returned means another writer bumped the row first; throw
+ * `VERSION_CONFLICT`.
+ */
+const PUBLIC_COLUMNS = {
+    id: adminUsers.id,
+    vid: adminUsers.vid,
+    given_name: adminUsers.given_name,
+    family_name: adminUsers.family_name,
+    username: adminUsers.username,
+    email: adminUsers.email,
+    remember_me: adminUsers.remember_me,
+    last_login: adminUsers.last_login,
+    last_login_ip: adminUsers.last_login_ip,
+    failed_login_attempts: adminUsers.failed_login_attempts,
+    is_super_admin: adminUsers.is_super_admin,
+    is_enabled: adminUsers.is_enabled,
+    is_email_verified: adminUsers.is_email_verified,
+    created_at: adminUsers.created_at,
+    updated_at: adminUsers.updated_at,
+};
+const ORDER_COLUMN = {
+    given_name: adminUsers.given_name,
+    family_name: adminUsers.family_name,
+    email: adminUsers.email,
+    username: adminUsers.username,
+    created_at: adminUsers.created_at,
+    updated_at: adminUsers.updated_at,
+};
+export function createAdminUsersRepository(db) {
+    return {
+        async create(input) {
+            const [row] = await db
+                .insert(adminUsers)
+                .values({
+                id: uuidv7(),
+                email: input.email.toLowerCase(),
+                password: input.password_hash,
+                given_name: input.given_name ?? null,
+                family_name: input.family_name ?? null,
+                username: input.username ?? null,
+                is_super_admin: input.is_super_admin ?? false,
+                is_enabled: input.is_enabled ?? false,
+                is_email_verified: input.is_email_verified ?? false,
+            })
+                .returning(PUBLIC_COLUMNS);
+            if (!row)
+                throw new Error('createAdminUser: insert returned no row');
+            return row;
+        },
+        async getById(id) {
+            const [row] = await db.select(PUBLIC_COLUMNS).from(adminUsers).where(eq(adminUsers.id, id));
+            return row ?? null;
+        },
+        async getByEmail(email) {
+            const [row] = await db
+                .select(PUBLIC_COLUMNS)
+                .from(adminUsers)
+                .where(eq(adminUsers.email, email.toLowerCase()));
+            return row ?? null;
+        },
+        async getByUsername(username) {
+            const [row] = await db
+                .select(PUBLIC_COLUMNS)
+                .from(adminUsers)
+                .where(eq(adminUsers.username, username));
+            return row ?? null;
+        },
+        async getByEmailForSignIn(email) {
+            const [row] = await db
+                .select({ ...PUBLIC_COLUMNS, password_hash: adminUsers.password })
+                .from(adminUsers)
+                .where(eq(adminUsers.email, email.toLowerCase()));
+            return row ?? null;
+        },
+        async getByIdForSignIn(id) {
+            const [row] = await db
+                .select({ ...PUBLIC_COLUMNS, password_hash: adminUsers.password })
+                .from(adminUsers)
+                .where(eq(adminUsers.id, id));
+            return row ?? null;
+        },
+        async list(options) {
+            const needle = options.query?.trim();
+            const filter = needle && needle.length > 0
+                ? or(ilike(adminUsers.email, `%${needle}%`), ilike(adminUsers.given_name, `%${needle}%`), ilike(adminUsers.family_name, `%${needle}%`), ilike(adminUsers.username, `%${needle}%`))
+                : undefined;
+            const sortCol = ORDER_COLUMN[options.order];
+            const orderExpr = options.desc ? desc(sortCol) : asc(sortCol);
+            const offset = Math.max(0, (options.page - 1) * options.pageSize);
+            const query = db.select(PUBLIC_COLUMNS).from(adminUsers);
+            const filtered = filter ? query.where(filter) : query;
+            return filtered.orderBy(orderExpr).limit(options.pageSize).offset(offset);
+        },
+        async count(options) {
+            const needle = options?.query?.trim();
+            const filter = needle && needle.length > 0
+                ? or(ilike(adminUsers.email, `%${needle}%`), ilike(adminUsers.given_name, `%${needle}%`), ilike(adminUsers.family_name, `%${needle}%`), ilike(adminUsers.username, `%${needle}%`))
+                : undefined;
+            const base = db.select({ value: sql `count(*)::int` }).from(adminUsers);
+            const [row] = await (filter ? base.where(filter) : base);
+            return row?.value ?? 0;
+        },
+        async update(id, expectedVid, patch) {
+            const updateSet = {
+                updated_at: new Date(),
+                vid: sql `${adminUsers.vid} + 1`,
+            };
+            if (patch.given_name !== undefined)
+                updateSet.given_name = patch.given_name;
+            if (patch.family_name !== undefined)
+                updateSet.family_name = patch.family_name;
+            if (patch.username !== undefined)
+                updateSet.username = patch.username;
+            if (patch.email !== undefined)
+                updateSet.email = patch.email.toLowerCase();
+            if (patch.is_super_admin !== undefined)
+                updateSet.is_super_admin = patch.is_super_admin;
+            if (patch.is_enabled !== undefined)
+                updateSet.is_enabled = patch.is_enabled;
+            if (patch.is_email_verified !== undefined)
+                updateSet.is_email_verified = patch.is_email_verified;
+            if (patch.remember_me !== undefined)
+                updateSet.remember_me = patch.remember_me;
+            const [row] = await db
+                .update(adminUsers)
+                .set(updateSet)
+                .where(and(eq(adminUsers.id, id), eq(adminUsers.vid, expectedVid)))
+                .returning(PUBLIC_COLUMNS);
+            if (!row)
+                throw ERR_ADMIN_USER_VERSION_CONFLICT();
+            return row;
+        },
+        async setPasswordHash(id, expectedVid, passwordHash) {
+            const [row] = await db
+                .update(adminUsers)
+                .set({
+                password: passwordHash,
+                updated_at: new Date(),
+                vid: sql `${adminUsers.vid} + 1`,
+            })
+                .where(and(eq(adminUsers.id, id), eq(adminUsers.vid, expectedVid)))
+                .returning(PUBLIC_COLUMNS);
+            if (!row)
+                throw ERR_ADMIN_USER_VERSION_CONFLICT();
+            return row;
+        },
+        async setEnabled(id, enabled) {
+            await db
+                .update(adminUsers)
+                .set({ is_enabled: enabled, updated_at: new Date(), vid: sql `${adminUsers.vid} + 1` })
+                .where(eq(adminUsers.id, id));
+        },
+        async recordLoginSuccess(id, ip) {
+            await db
+                .update(adminUsers)
+                .set({
+                last_login: new Date(),
+                last_login_ip: ip,
+                failed_login_attempts: 0,
+                updated_at: new Date(),
+            })
+                .where(eq(adminUsers.id, id));
+        },
+        async recordLoginFailure(id) {
+            await db
+                .update(adminUsers)
+                .set({
+                failed_login_attempts: sql `${adminUsers.failed_login_attempts} + 1`,
+                updated_at: new Date(),
+            })
+                .where(eq(adminUsers.id, id));
+        },
+        async delete(id, expectedVid) {
+            const result = await db
+                .delete(adminUsers)
+                .where(and(eq(adminUsers.id, id), eq(adminUsers.vid, expectedVid)))
+                .returning({ id: adminUsers.id });
+            if (result.length === 0)
+                throw ERR_ADMIN_USER_VERSION_CONFLICT();
+        },
+    };
+}
+//# sourceMappingURL=admin-users-repository.js.map