npm - @concavejs/runtime-node - Versions diffs - 0.0.1-alpha.6 → 0.0.1-alpha.7 - Mend

@concavejs/runtime-node 0.0.1-alpha.6 → 0.0.1-alpha.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js CHANGED Viewed

@@ -12514,6 +12514,30 @@ class BaseSqliteDocStore {
     return scored.slice(0, limit);
   }
 }
+function createSerializedTransactionRunner(hooks) {
+  let queue = Promise.resolve();
+  return async function runInTransaction(fn) {
+    const run = queue.then(async () => {
+      await hooks.begin();
+      try {
+        const result = await fn();
+        await hooks.commit();
+        return result;
+      } catch (error) {
+        try {
+          await hooks.rollback();
+        } catch {}
+        throw error;
+      }
+    });
+    queue = run.then(() => {
+      return;
+    }, () => {
+      return;
+    });
+    return run;
+  };
+}
 class Long22 {
   low;
@@ -12666,8 +12690,14 @@ class NodePreparedStatement {
 class NodeSqliteAdapter {
   db;
+  runSerializedTransaction;
   constructor(db) {
     this.db = db;
+    this.runSerializedTransaction = createSerializedTransactionRunner({
+      begin: () => this.db.exec("BEGIN TRANSACTION"),
+      commit: () => this.db.exec("COMMIT"),
+      rollback: () => this.db.exec("ROLLBACK")
+    });
   }
   exec(sql) {
     this.db.exec(sql);
@@ -12676,15 +12706,7 @@ class NodeSqliteAdapter {
     return new NodePreparedStatement(this.db.prepare(sql));
   }
   async transaction(fn) {
-    try {
-      this.db.exec("BEGIN TRANSACTION");
-      const result = await fn();
-      this.db.exec("COMMIT");
-      return result;
-    } catch (error) {
-      this.db.exec("ROLLBACK");
-      throw error;
-    }
+    return this.runSerializedTransaction(fn);
   }
   hexToBuffer(hex) {
     return Buffer.from(hexToArrayBuffer32(hex));
@@ -12788,7 +12810,7 @@ var __defProp14, __export5 = (target, all) => {
   } catch {
     return;
   }
-}, AsyncLocalStorageCtor5, snapshotContext5, transactionContext5, idGeneratorContext5, CALL_CONTEXT_SYMBOL5, globalCallContext5, callContext5, JWKS_CACHE5, debug5 = () => {}, Convex25, UZERO22, TWO_PWR_16_DBL22, TWO_PWR_32_DBL22, TWO_PWR_64_DBL22, MAX_UNSIGNED_VALUE22, SqliteDocStore;
+}, AsyncLocalStorageCtor5, snapshotContext5, transactionContext5, idGeneratorContext5, CALL_CONTEXT_SYMBOL5, globalCallContext5, callContext5, DEFAULT_JWKS_CACHE_TTL_MS5, MAX_JWKS_CACHE_TTL_MS5, JWKS_CACHE5, debug5 = () => {}, Convex25, UZERO22, TWO_PWR_16_DBL22, TWO_PWR_32_DBL22, TWO_PWR_64_DBL22, MAX_UNSIGNED_VALUE22, SqliteDocStore;
 var init_dist = __esm(() => {
   __defProp14 = Object.defineProperty;
   init_base645 = __esm5(() => {
@@ -13886,6 +13908,8 @@ var init_dist = __esm(() => {
   init_values5();
   init_index_manager5();
   init_interface6();
+  DEFAULT_JWKS_CACHE_TTL_MS5 = 5 * 60 * 1000;
+  MAX_JWKS_CACHE_TTL_MS5 = 24 * 60 * 60 * 1000;
   JWKS_CACHE5 = new Map;
   init_values5();
   init_schema_service5();
@@ -13941,6 +13965,9 @@ class FsBlobStore {
       return false;
     }
   }
+  isNotFoundError(error) {
+    return !!error && typeof error === "object" && "code" in error && error.code === "ENOENT";
+  }
   generateStorageId() {
     return crypto.randomUUID();
   }
@@ -13981,31 +14008,25 @@ class FsBlobStore {
   async get(storageId) {
     const objectPath = this.getObjectPath(storageId);
     try {
-      const fileExists = await this.pathExists(objectPath);
-      if (!fileExists) {
-        return null;
-      }
       const data = await readFile(objectPath);
       const metadata = await this.getMetadata(storageId);
       const arrayBuffer = data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength);
       return new Blob([arrayBuffer], { type: metadata?.contentType || "application/octet-stream" });
     } catch (error) {
+      if (this.isNotFoundError(error)) {
+        return null;
+      }
       console.error("Error reading object from filesystem:", error);
-      return null;
+      throw error;
     }
   }
   async delete(storageId) {
     const objectPath = this.getObjectPath(storageId);
     const metadataPath = this.getMetadataPath(storageId);
-    try {
-      await Promise.all([
-        unlink(objectPath).catch(() => {}),
-        unlink(metadataPath).catch(() => {})
-      ]);
-    } catch (error) {
-      console.error("Error deleting object from filesystem:", error);
-      throw error;
-    }
+    await Promise.all([
+      this.unlinkIfExists(objectPath),
+      this.unlinkIfExists(metadataPath)
+    ]);
   }
   async getUrl(storageId) {
     const objectPath = this.getObjectPath(storageId);
@@ -14019,15 +14040,25 @@ class FsBlobStore {
   async getMetadata(storageId) {
     const metadataPath = this.getMetadataPath(storageId);
     try {
-      const fileExists = await this.pathExists(metadataPath);
-      if (!fileExists) {
-        return null;
-      }
       const data = await readFile(metadataPath, "utf-8");
       return JSON.parse(data);
     } catch (error) {
+      if (this.isNotFoundError(error)) {
+        return null;
+      }
       console.error("Error reading metadata from filesystem:", error);
-      return null;
+      throw error;
+    }
+  }
+  async unlinkIfExists(path2) {
+    try {
+      await unlink(path2);
+    } catch (error) {
+      if (this.isNotFoundError(error)) {
+        return;
+      }
+      console.error("Error deleting object from filesystem:", error);
+      throw error;
     }
   }
 }
@@ -18555,12 +18586,15 @@ var WELL_KNOWN_JWKS_URLS = {
   firebase: () => "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"
 };
 var DEFAULT_CLOCK_TOLERANCE_SECONDS = 60;
+var DEFAULT_JWKS_CACHE_TTL_MS = 5 * 60 * 1000;
+var MAX_JWKS_CACHE_TTL_MS = 24 * 60 * 60 * 1000;
 var JWKS_CACHE = new Map;
 var defaultValidationConfig;
 var adminAuthConfig;
 var systemAuthConfig;
 function setJwtValidationConfig(config) {
   defaultValidationConfig = config;
+  JWKS_CACHE.clear();
 }
 function getJwtValidationConfig() {
   return defaultValidationConfig;
@@ -18688,7 +18722,8 @@ function resolveJwtValidationConfigFromEnv(env) {
   const secret = getEnvValue("AUTH_SECRET", env) ?? getEnvValue("CONCAVE_JWT_SECRET", env) ?? getEnvValue("JWT_SECRET", env);
   const skipVerification = parseBoolean(getEnvValue("AUTH_SKIP_VERIFICATION", env)) ?? parseBoolean(getEnvValue("CONCAVE_JWT_SKIP_VERIFICATION", env));
   const clockTolerance = parseNumber(getEnvValue("AUTH_CLOCK_TOLERANCE", env)) ?? parseNumber(getEnvValue("CONCAVE_JWT_CLOCK_TOLERANCE", env));
-  if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined) {
+  const jwksCacheTtlMs = parseNumber(getEnvValue("AUTH_JWKS_CACHE_TTL_MS", env)) ?? parseNumber(getEnvValue("CONCAVE_JWT_JWKS_CACHE_TTL_MS", env));
+  if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined && jwksCacheTtlMs === undefined) {
     return;
   }
   return {
@@ -18697,7 +18732,8 @@ function resolveJwtValidationConfigFromEnv(env) {
     audience,
     secret,
     skipVerification,
-    clockTolerance
+    clockTolerance,
+    jwksCacheTtlMs
   };
 }
 function normalizeList(value) {
@@ -18741,15 +18777,33 @@ function validateClaims(claims, config) {
     throw new JWTValidationError("CLAIM_VALIDATION_FAILED", "JWT claim validation failed: aud");
   }
 }
-function getRemoteJwks(jwksUrl) {
+function getRemoteJwks(jwksUrl, config) {
+  const now = Date.now();
   const cached = JWKS_CACHE.get(jwksUrl);
+  if (cached && cached.expiresAtMs > now) {
+    return cached.resolver;
+  }
   if (cached) {
-    return cached;
+    JWKS_CACHE.delete(jwksUrl);
   }
   const jwks = createRemoteJWKSet(new URL(jwksUrl));
-  JWKS_CACHE.set(jwksUrl, jwks);
+  const configuredTtl = config?.jwksCacheTtlMs ?? defaultValidationConfig?.jwksCacheTtlMs;
+  const ttlMs = resolveJwksCacheTtlMs(configuredTtl);
+  JWKS_CACHE.set(jwksUrl, {
+    resolver: jwks,
+    expiresAtMs: now + ttlMs
+  });
   return jwks;
 }
+function resolveJwksCacheTtlMs(configuredTtl) {
+  if (configuredTtl === undefined) {
+    return DEFAULT_JWKS_CACHE_TTL_MS;
+  }
+  if (!Number.isFinite(configuredTtl)) {
+    return DEFAULT_JWKS_CACHE_TTL_MS;
+  }
+  return Math.max(0, Math.min(MAX_JWKS_CACHE_TTL_MS, Math.floor(configuredTtl)));
+}
 function decodeJwtUnsafe(token) {
   if (!token)
     return null;
@@ -18782,7 +18836,7 @@ async function verifyJwt(token, config) {
       const key = new TextEncoder().encode(effectiveConfig.secret);
       ({ payload } = await jwtVerify(token, key, options));
     } else {
-      ({ payload } = await jwtVerify(token, getRemoteJwks(effectiveConfig.jwksUrl), options));
+      ({ payload } = await jwtVerify(token, getRemoteJwks(effectiveConfig.jwksUrl, effectiveConfig), options));
     }
     const claims = payload;
     validateClaims(claims, effectiveConfig);
@@ -19870,7 +19924,7 @@ class ForbiddenInQueriesOrMutations extends Error {
     this.name = "ForbiddenInQueriesOrMutations";
   }
 }
-async function runUdfAndGetLogs(docstore, fn, ops, auth, udfType, storage2, deterministicSeed, mutationTransaction, udfExecutor, componentPath) {
+async function runUdfAndGetLogs(docstore, fn, ops, auth, udfType, storage2, deterministicSeed, mutationTransaction, udfExecutor, componentPath, snapshotOverride) {
   const ambientIdentity = getAuthContext();
   let effectiveAuth;
   if (auth && typeof auth === "object" && "tokenType" in auth) {
@@ -19885,7 +19939,7 @@ async function runUdfAndGetLogs(docstore, fn, ops, auth, udfType, storage2, dete
   const inheritedSnapshot = snapshotContext.getStore() ?? null;
   const existingIdGenerator = idGeneratorContext.getStore() ?? undefined;
   const idGenerator = existingIdGenerator ?? (deterministicSeed ? createDeterministicIdGenerator(deterministicSeed) : undefined);
-  const convex = new UdfKernel(docstore, effectiveAuth, storage2, inheritedSnapshot, mutationTransaction, udfExecutor, componentPath, idGenerator);
+  const convex = new UdfKernel(docstore, effectiveAuth, storage2, snapshotOverride ?? inheritedSnapshot, mutationTransaction, udfExecutor, componentPath, idGenerator);
   convex.clearAccessLogs();
   const logLines = [];
   const logger = (level) => {
@@ -19941,7 +19995,7 @@ async function runUdfAndGetLogs(docstore, fn, ops, auth, udfType, storage2, dete
     };
   } finally {}
 }
-function runUdfQuery(docstore, fn, auth, storage2, requestId, udfExecutor, componentPath) {
+function runUdfQuery(docstore, fn, auth, storage2, requestId, udfExecutor, componentPath, snapshotOverride) {
   const tnow = Date.now();
   const seed = resolveSeed("query", requestId, tnow);
   const rng = udfRng(seed);
@@ -19953,7 +20007,7 @@ function runUdfQuery(docstore, fn, auth, storage2, requestId, udfExecutor, compo
     fetch: forbiddenAsyncOp("fetch"),
     setInterval: forbiddenAsyncOp("setInterval"),
     setTimeout: forbiddenAsyncOp("setTimeout")
-  }, auth, "query", storage2, seed, undefined, udfExecutor, componentPath);
+  }, auth, "query", storage2, seed, undefined, udfExecutor, componentPath, snapshotOverride);
 }
 function runUdfMutation(docstore, fn, auth, storage2, requestId, udfExecutor, componentPath) {
   const tnow = Date.now();
@@ -20397,7 +20451,7 @@ class InlineUdfExecutor {
     this.moduleRegistry = options.moduleRegistry;
     this.logSink = options.logSink;
   }
-  async execute(functionPath, args, udfType, auth, componentPath, requestId) {
+  async execute(functionPath, args, udfType, auth, componentPath, requestId, snapshotTimestamp) {
     const [moduleName, functionName2] = this.parseUdfPath(functionPath);
     const finalRequestId = requestId ?? this.requestIdFactory(udfType, functionPath);
     const isSystemFunction = moduleName === "_system" || functionPath.startsWith("_system:");
@@ -20422,7 +20476,7 @@ class InlineUdfExecutor {
     const runWithType = () => {
       switch (udfType) {
         case "query":
-          return runUdfQuery(this.docstore, runUdf2, auth, this.blobstore, finalRequestId, this, componentPath);
+          return runUdfQuery(this.docstore, runUdf2, auth, this.blobstore, finalRequestId, this, componentPath, snapshotTimestamp);
         case "mutation":
           return runUdfMutation(this.docstore, runUdf2, auth, this.blobstore, finalRequestId, this, componentPath);
         case "action":
@@ -20476,7 +20530,7 @@ class InlineUdfExecutor {
   async executeHttp(request, auth, requestId) {
     const url = new URL(request.url);
     const runHttpUdf = async () => {
-      const httpModule = await this.loadModule("http", request.url);
+      const httpModule = await this.loadModule("http");
       const router = httpModule?.default;
       if (!router?.isRouter || typeof router.lookup !== "function") {
         throw new Error("convex/http.ts must export a default httpRouter()");
@@ -20610,7 +20664,7 @@ class UdfExecutionAdapter {
     this.executor = executor;
     this.callType = callType;
   }
-  async executeUdf(path, jsonArgs, type, auth, componentPath, requestId) {
+  async executeUdf(path, jsonArgs, type, auth, componentPath, requestId, snapshotTimestamp) {
     const convexArgs = convertClientArgs(jsonArgs);
     const target = normalizeExecutionTarget(path, componentPath);
     let authContext2;
@@ -20648,7 +20702,7 @@ class UdfExecutionAdapter {
     return runWithAuth(userIdentity, async () => {
       const executeWithContext = this.callType === "client" ? runAsClientCall : runAsServerCall;
       return executeWithContext(async () => {
-        return await this.executor.execute(target.path, convexArgs, type, authContext2 ?? userIdentity, normalizeComponentPath2(target.componentPath), requestId);
+        return await this.executor.execute(target.path, convexArgs, type, authContext2 ?? userIdentity, normalizeComponentPath2(target.componentPath), requestId, snapshotTimestamp);
       });
     });
   }
@@ -20960,6 +21014,39 @@ async function resolveAuthContext(bodyAuth, headerToken, headerIdentity) {
   }
   return bodyAuth;
 }
+function parseTimestampInput(value) {
+  if (value === undefined || value === null) {
+    return;
+  }
+  if (typeof value === "bigint") {
+    return value >= 0n ? value : undefined;
+  }
+  if (typeof value === "number") {
+    if (!Number.isFinite(value) || !Number.isInteger(value) || value < 0) {
+      return;
+    }
+    return BigInt(value);
+  }
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    if (!/^\d+$/.test(trimmed)) {
+      return;
+    }
+    try {
+      return BigInt(trimmed);
+    } catch {
+      return;
+    }
+  }
+  return;
+}
+async function resolveSnapshotTimestamp(options, request) {
+  const fromCallback = options.getSnapshotTimestamp ? await options.getSnapshotTimestamp(request) : undefined;
+  if (typeof fromCallback === "bigint") {
+    return fromCallback;
+  }
+  return BigInt(Date.now());
+}
 async function handleCoreHttpApiRequest(request, options) {
   const url = new URL(request.url);
   const segments = url.pathname.split("/").filter(Boolean);
@@ -20999,6 +21086,19 @@ async function handleCoreHttpApiRequest(request, options) {
     throw error;
   }
   const route = routeSegments[0];
+  if (route === "query_ts") {
+    if (request.method !== "POST") {
+      return {
+        handled: true,
+        response: apply(Response.json({ error: "Method not allowed" }, { status: 405 }))
+      };
+    }
+    const snapshotTimestamp = await resolveSnapshotTimestamp(options, request);
+    return {
+      handled: true,
+      response: apply(Response.json({ ts: snapshotTimestamp.toString() }))
+    };
+  }
   if (route === "storage") {
     if (!options.storage) {
       return {
@@ -21056,7 +21156,7 @@ async function handleCoreHttpApiRequest(request, options) {
       }
     }
   }
-  if (route === "query" || route === "mutation" || route === "action") {
+  if (route === "query" || route === "mutation" || route === "action" || route === "query_at_ts") {
     if (request.method !== "POST") {
       return {
         handled: true,
@@ -21079,7 +21179,7 @@ async function handleCoreHttpApiRequest(request, options) {
           response: apply(Response.json({ error: "Invalid request body" }, { status: 400 }))
         };
       }
-      const { path, args, format, auth: bodyAuth, componentPath } = body;
+      const { path, args, format, auth: bodyAuth, componentPath, ts } = body;
       if (!path || typeof path !== "string") {
         return {
           handled: true,
@@ -21108,6 +21208,14 @@ async function handleCoreHttpApiRequest(request, options) {
         };
       }
       const jsonArgs = rawArgs ?? {};
+      const executionType = route === "query_at_ts" ? "query" : route;
+      const snapshotTimestamp = route === "query_at_ts" ? parseTimestampInput(ts) : undefined;
+      if (route === "query_at_ts" && snapshotTimestamp === undefined) {
+        return {
+          handled: true,
+          response: apply(Response.json({ error: "Invalid or missing ts" }, { status: 400 }))
+        };
+      }
       let authForExecution;
       try {
         authForExecution = await resolveAuthContext(bodyAuth, headerToken, headerIdentity);
@@ -21121,11 +21229,12 @@ async function handleCoreHttpApiRequest(request, options) {
         throw error;
       }
       const executionParams = {
-        type: route,
+        type: executionType,
         path,
         args: jsonArgs,
         auth: authForExecution,
         componentPath,
+        snapshotTimestamp,
         request
       };
       try {
@@ -21140,7 +21249,7 @@ async function handleCoreHttpApiRequest(request, options) {
         throw validationError;
       }
       const result = await options.executeFunction(executionParams);
-      if (options.notifyWrites && (route === "mutation" || route === "action") && (result.writtenRanges?.length || result.writtenTables?.length)) {
+      if (options.notifyWrites && (executionType === "mutation" || executionType === "action") && (result.writtenRanges?.length || result.writtenTables?.length)) {
         await options.notifyWrites(result.writtenRanges, result.writtenTables ?? writtenTablesFromRanges(result.writtenRanges));
       }
       return {
@@ -21191,7 +21300,7 @@ function stripApiVersionPrefix(pathname) {
 }
 function isReservedApiPath(pathname) {
   const normalizedPath = stripApiVersionPrefix(pathname);
-  if (normalizedPath === "/api/execute" || normalizedPath === "/api/sync" || normalizedPath === "/api/reset-test-state" || normalizedPath === "/api/query" || normalizedPath === "/api/mutation" || normalizedPath === "/api/action") {
+  if (normalizedPath === "/api/execute" || normalizedPath === "/api/sync" || normalizedPath === "/api/reset-test-state" || normalizedPath === "/api/query" || normalizedPath === "/api/query_ts" || normalizedPath === "/api/query_at_ts" || normalizedPath === "/api/mutation" || normalizedPath === "/api/action") {
     return true;
   }
   if (normalizedPath === "/api/storage" || normalizedPath.startsWith("/api/storage/")) {
@@ -21262,7 +21371,7 @@ class HttpHandler {
       }
     };
     const coreResult = await handleCoreHttpApiRequest(request, {
-      executeFunction: async ({ type, path, args, auth, componentPath }) => this.adapter.executeUdf(path, args, type, auth, componentPath),
+      executeFunction: async ({ type, path, args, auth, componentPath, snapshotTimestamp }) => this.adapter.executeUdf(path, args, type, auth, componentPath, undefined, snapshotTimestamp),
       notifyWrites,
       storage: this.docstore && this.blobstore ? {
         store: async (blob) => {
@@ -21281,7 +21390,16 @@ class HttpHandler {
           return { blob: blob ?? null };
         }
       } : undefined,
-      corsHeaders
+      corsHeaders,
+      getSnapshotTimestamp: () => {
+        const oracle = this.docstore?.timestampOracle;
+        const oracleTimestamp = typeof oracle?.beginSnapshot === "function" ? oracle.beginSnapshot() : typeof oracle?.getCurrentTimestamp === "function" ? oracle.getCurrentTimestamp() : undefined;
+        const wallClock = BigInt(Date.now());
+        if (typeof oracleTimestamp === "bigint" && oracleTimestamp > wallClock) {
+          return oracleTimestamp;
+        }
+        return wallClock;
+      }
     });
     if (coreResult?.handled) {
       return coreResult.response;
@@ -21656,6 +21774,18 @@ function encodeServerMessage(message2) {
     }
   }
 }
+// ../core/dist/docstore/index.js
+init_interface();
+// ../core/dist/docstore/vector-index-registration.js
+async function getVectorIndexesFromSchema(schemaService) {
+  try {
+    return await schemaService.getAllVectorIndexes();
+  } catch (error) {
+    console.warn("[Vector] Failed to extract vector indexes from schema:", error);
+    return [];
+  }
+}
 // ../core/dist/scheduler/scheduled-function-executor.js
 var SCHEDULED_FUNCTIONS_TABLE = "_scheduled_functions";
@@ -21668,6 +21798,8 @@ class ScheduledFunctionExecutor {
   logger;
   runMutationInTransaction;
   tableName;
+  maxConcurrentJobs;
+  scanPageSize;
   constructor(options) {
     this.docstore = options.docstore;
     this.udfExecutor = options.udfExecutor;
@@ -21677,46 +21809,68 @@ class ScheduledFunctionExecutor {
     this.logger = options.logger ?? console;
     this.runMutationInTransaction = options.runMutationInTransaction;
     this.tableName = options.tableName ?? SCHEDULED_FUNCTIONS_TABLE;
+    this.maxConcurrentJobs = Math.max(1, options.maxConcurrentJobs ?? 8);
+    this.scanPageSize = Math.max(1, options.scanPageSize ?? 256);
   }
   async runDueJobs() {
     const tableId = stringToHex(this.tableName);
-    const allJobs = await this.docstore.scan(tableId);
     const now = this.now();
-    const pendingJobs = allJobs.filter((doc) => {
-      const value = doc.value?.value;
-      if (!value || typeof value !== "object") {
-        return false;
-      }
-      const state = value.state;
-      const scheduledTime = value.scheduledTime;
-      return state?.kind === "pending" && typeof scheduledTime === "number" && scheduledTime <= now;
-    });
-    if (pendingJobs.length === 0) {
-      return {
-        executed: 0,
-        nextScheduledTime: this.computeNextScheduledTime(allJobs)
-      };
-    }
-    await Promise.all(pendingJobs.map((job) => {
-      const jobValue = job.value?.value;
-      if (!jobValue) {
-        throw new Error("Job value unexpectedly missing after filter");
+    let executed = 0;
+    const inFlight = new Set;
+    const schedule = async (jobValue) => {
+      const run = this.executeJob(jobValue, tableId).then(() => {
+        executed += 1;
+      }).finally(() => {
+        inFlight.delete(run);
+      });
+      inFlight.add(run);
+      if (inFlight.size >= this.maxConcurrentJobs) {
+        await Promise.race(inFlight);
       }
-      return this.executeJob(jobValue, tableId);
-    }));
-    return {
-      executed: pendingJobs.length,
-      nextScheduledTime: this.computeNextScheduledTime(await this.docstore.scan(tableId))
     };
+    await this.forEachScheduledJob(async (jobValue) => {
+      const state = jobValue.state;
+      const scheduledTime = jobValue.scheduledTime;
+      if (state?.kind !== "pending" || typeof scheduledTime !== "number") {
+        return;
+      }
+      if (scheduledTime <= now) {
+        await schedule(jobValue);
+      }
+    });
+    await Promise.all(inFlight);
+    return { executed, nextScheduledTime: await this.getNextScheduledTime() };
   }
   async getNextScheduledTime() {
-    const tableId = stringToHex(this.tableName);
-    const allJobs = await this.docstore.scan(tableId);
-    return this.computeNextScheduledTime(allJobs);
+    let nextScheduledTime = null;
+    await this.forEachScheduledJob(async (jobValue) => {
+      const state = jobValue.state;
+      const scheduledTime = jobValue.scheduledTime;
+      if (state?.kind !== "pending" || typeof scheduledTime !== "number") {
+        return;
+      }
+      if (nextScheduledTime === null || scheduledTime < nextScheduledTime) {
+        nextScheduledTime = scheduledTime;
+      }
+    });
+    return nextScheduledTime;
   }
-  computeNextScheduledTime(allJobs) {
-    const pending = allJobs.map((doc) => doc.value?.value).filter((value) => !!value && value.state?.kind === "pending").map((value) => value.scheduledTime).filter((time) => typeof time === "number").sort((a, b) => a - b);
-    return pending.length > 0 ? pending[0] : null;
+  async forEachScheduledJob(visitor) {
+    const tableId = stringToHex(this.tableName);
+    let cursor2 = null;
+    while (true) {
+      const page = await this.docstore.scanPaginated(tableId, cursor2, this.scanPageSize, Order.Asc);
+      for (const doc of page.documents) {
+        const value = doc.value?.value;
+        if (value && typeof value === "object") {
+          await visitor(value);
+        }
+      }
+      if (!page.hasMore || !page.nextCursor) {
+        break;
+      }
+      cursor2 = page.nextCursor;
+    }
   }
   async executeJob(jobValue, tableId) {
     const jobId = jobValue?._id;
@@ -21849,6 +22003,8 @@ class CronExecutor {
   allocateTimestamp;
   now;
   logger;
+  maxConcurrentJobs;
+  scanPageSize;
   constructor(options) {
     this.docstore = options.docstore;
     this.udfExecutor = options.udfExecutor;
@@ -21856,6 +22012,8 @@ class CronExecutor {
     this.allocateTimestamp = options.allocateTimestamp;
     this.now = options.now ?? (() => Date.now());
     this.logger = options.logger ?? console;
+    this.maxConcurrentJobs = Math.max(1, options.maxConcurrentJobs ?? 8);
+    this.scanPageSize = Math.max(1, options.scanPageSize ?? 256);
   }
   async syncCronSpecs(cronSpecs) {
     const tableId = stringToHex(CRONS_TABLE);
@@ -21941,33 +22099,58 @@ class CronExecutor {
   }
   async runDueJobs() {
     const tableId = stringToHex(CRONS_TABLE);
-    const allJobs = await this.docstore.scan(tableId);
     const now = this.now();
-    const dueJobs = allJobs.filter((doc) => {
-      const value = doc.value?.value;
-      return value && value.nextRun <= now;
-    });
-    if (dueJobs.length === 0) {
-      return {
-        executed: 0,
-        nextScheduledTime: this.computeNextScheduledTime(allJobs)
-      };
-    }
-    await Promise.all(dueJobs.map((job) => this.executeJob(job, tableId)));
-    const updatedJobs = await this.docstore.scan(tableId);
-    return {
-      executed: dueJobs.length,
-      nextScheduledTime: this.computeNextScheduledTime(updatedJobs)
+    let executed = 0;
+    const inFlight = new Set;
+    const schedule = async (job) => {
+      const run = this.executeJob(job, tableId).then(() => {
+        executed += 1;
+      }).finally(() => {
+        inFlight.delete(run);
+      });
+      inFlight.add(run);
+      if (inFlight.size >= this.maxConcurrentJobs) {
+        await Promise.race(inFlight);
+      }
     };
+    await this.forEachCronJob(async (job) => {
+      const value = job.value?.value;
+      if (!value || typeof value.nextRun !== "number") {
+        return;
+      }
+      if (value.nextRun <= now) {
+        await schedule(job);
+      }
+    });
+    await Promise.all(inFlight);
+    return { executed, nextScheduledTime: await this.getNextScheduledTime() };
   }
   async getNextScheduledTime() {
-    const tableId = stringToHex(CRONS_TABLE);
-    const allJobs = await this.docstore.scan(tableId);
-    return this.computeNextScheduledTime(allJobs);
+    let nextScheduledTime = null;
+    await this.forEachCronJob(async (job) => {
+      const nextRun = job.value?.value?.nextRun;
+      if (typeof nextRun !== "number") {
+        return;
+      }
+      if (nextScheduledTime === null || nextRun < nextScheduledTime) {
+        nextScheduledTime = nextRun;
+      }
+    });
+    return nextScheduledTime;
   }
-  computeNextScheduledTime(allJobs) {
-    const nextTimes = allJobs.map((doc) => doc.value?.value?.nextRun).filter((time) => typeof time === "number").sort((a, b) => a - b);
-    return nextTimes.length > 0 ? nextTimes[0] : null;
+  async forEachCronJob(visitor) {
+    const tableId = stringToHex(CRONS_TABLE);
+    let cursor2 = null;
+    while (true) {
+      const page = await this.docstore.scanPaginated(tableId, cursor2, this.scanPageSize, Order.Asc);
+      for (const job of page.documents) {
+        await visitor(job);
+      }
+      if (!page.hasMore || !page.nextCursor) {
+        break;
+      }
+      cursor2 = page.nextCursor;
+    }
   }
   async executeJob(job, tableId) {
     const value = job.value?.value;
@@ -22187,18 +22370,6 @@ var import_sender = __toESM(require_sender(), 1);
 var import_websocket = __toESM(require_websocket(), 1);
 var import_websocket_server = __toESM(require_websocket_server(), 1);
-// ../core/dist/docstore/index.js
-init_interface();
-// ../core/dist/docstore/vector-index-registration.js
-async function getVectorIndexesFromSchema(schemaService) {
-  try {
-    return await schemaService.getAllVectorIndexes();
-  } catch (error) {
-    console.warn("[Vector] Failed to extract vector indexes from schema:", error);
-    return [];
-  }
-}
 // ../runtime-base/dist/sync/index.js
 import { AsyncLocalStorage as AsyncLocalStorage32 } from "node:async_hooks";
 import { AsyncLocalStorage as AsyncLocalStorage5 } from "node:async_hooks";
@@ -28047,6 +28218,8 @@ class SystemAuthError2 extends Error {
   }
 }
 var DEFAULT_CLOCK_TOLERANCE_SECONDS2 = 60;
+var DEFAULT_JWKS_CACHE_TTL_MS2 = 5 * 60 * 1000;
+var MAX_JWKS_CACHE_TTL_MS2 = 24 * 60 * 60 * 1000;
 var JWKS_CACHE2 = new Map;
 var defaultValidationConfig2;
 var adminAuthConfig2;
@@ -28142,7 +28315,8 @@ function resolveJwtValidationConfigFromEnv2(env) {
   const secret = getEnvValue2("AUTH_SECRET", env) ?? getEnvValue2("CONCAVE_JWT_SECRET", env) ?? getEnvValue2("JWT_SECRET", env);
   const skipVerification = parseBoolean2(getEnvValue2("AUTH_SKIP_VERIFICATION", env)) ?? parseBoolean2(getEnvValue2("CONCAVE_JWT_SKIP_VERIFICATION", env));
   const clockTolerance = parseNumber2(getEnvValue2("AUTH_CLOCK_TOLERANCE", env)) ?? parseNumber2(getEnvValue2("CONCAVE_JWT_CLOCK_TOLERANCE", env));
-  if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined) {
+  const jwksCacheTtlMs = parseNumber2(getEnvValue2("AUTH_JWKS_CACHE_TTL_MS", env)) ?? parseNumber2(getEnvValue2("CONCAVE_JWT_JWKS_CACHE_TTL_MS", env));
+  if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined && jwksCacheTtlMs === undefined) {
     return;
   }
   return {
@@ -28151,7 +28325,8 @@ function resolveJwtValidationConfigFromEnv2(env) {
     audience,
     secret,
     skipVerification,
-    clockTolerance
+    clockTolerance,
+    jwksCacheTtlMs
   };
 }
 function normalizeList2(value) {
@@ -28195,15 +28370,33 @@ function validateClaims2(claims, config) {
     throw new JWTValidationError2("CLAIM_VALIDATION_FAILED", "JWT claim validation failed: aud");
   }
 }
-function getRemoteJwks2(jwksUrl) {
+function getRemoteJwks2(jwksUrl, config) {
+  const now = Date.now();
   const cached = JWKS_CACHE2.get(jwksUrl);
+  if (cached && cached.expiresAtMs > now) {
+    return cached.resolver;
+  }
   if (cached) {
-    return cached;
+    JWKS_CACHE2.delete(jwksUrl);
   }
   const jwks = createRemoteJWKSet2(new URL(jwksUrl));
-  JWKS_CACHE2.set(jwksUrl, jwks);
+  const configuredTtl = config?.jwksCacheTtlMs ?? defaultValidationConfig2?.jwksCacheTtlMs;
+  const ttlMs = resolveJwksCacheTtlMs2(configuredTtl);
+  JWKS_CACHE2.set(jwksUrl, {
+    resolver: jwks,
+    expiresAtMs: now + ttlMs
+  });
   return jwks;
 }
+function resolveJwksCacheTtlMs2(configuredTtl) {
+  if (configuredTtl === undefined) {
+    return DEFAULT_JWKS_CACHE_TTL_MS2;
+  }
+  if (!Number.isFinite(configuredTtl)) {
+    return DEFAULT_JWKS_CACHE_TTL_MS2;
+  }
+  return Math.max(0, Math.min(MAX_JWKS_CACHE_TTL_MS2, Math.floor(configuredTtl)));
+}
 function decodeJwtUnsafe2(token) {
   if (!token)
     return null;
@@ -28236,7 +28429,7 @@ async function verifyJwt2(token, config) {
       const key = new TextEncoder().encode(effectiveConfig.secret);
       ({ payload } = await jwtVerify2(token, key, options));
     } else {
-      ({ payload } = await jwtVerify2(token, getRemoteJwks2(effectiveConfig.jwksUrl), options));
+      ({ payload } = await jwtVerify2(token, getRemoteJwks2(effectiveConfig.jwksUrl, effectiveConfig), options));
     }
     const claims = payload;
     validateClaims2(claims, effectiveConfig);
@@ -28291,7 +28484,7 @@ class UdfExecutionAdapter2 {
     this.executor = executor2;
     this.callType = callType;
   }
-  async executeUdf(path, jsonArgs, type, auth2, componentPath, requestId) {
+  async executeUdf(path, jsonArgs, type, auth2, componentPath, requestId, snapshotTimestamp) {
     const convexArgs = convertClientArgs2(jsonArgs);
     const target = normalizeExecutionTarget2(path, componentPath);
     let authContext22;
@@ -28329,7 +28522,7 @@ class UdfExecutionAdapter2 {
     return runWithAuth2(userIdentity, async () => {
       const executeWithContext = this.callType === "client" ? runAsClientCall2 : runAsServerCall2;
       return executeWithContext(async () => {
-        return await this.executor.execute(target.path, convexArgs, type, authContext22 ?? userIdentity, normalizeComponentPath3(target.componentPath), requestId);
+        return await this.executor.execute(target.path, convexArgs, type, authContext22 ?? userIdentity, normalizeComponentPath3(target.componentPath), requestId, snapshotTimestamp);
       });
     });
   }
@@ -30603,6 +30796,11 @@ var WEBSOCKET_READY_STATE_OPEN = 1;
 var BACKPRESSURE_HIGH_WATER_MARK = 100;
 var BACKPRESSURE_BUFFER_LIMIT = 1024 * 1024;
 var SLOW_CLIENT_TIMEOUT_MS = 30000;
+var DEFAULT_RATE_LIMIT_WINDOW_MS = 5000;
+var DEFAULT_MAX_MESSAGES_PER_WINDOW = 1000;
+var DEFAULT_OPERATION_TIMEOUT_MS = 15000;
+var DEFAULT_MAX_ACTIVE_QUERIES_PER_SESSION = 1000;
+var RATE_LIMIT_HARD_MULTIPLIER = 5;
 class SyncSession {
   websocket;
@@ -30631,15 +30829,25 @@ class SyncSession {
 class SyncProtocolHandler {
   udfExecutor;
   sessions = new Map;
+  rateLimitStates = new Map;
   subscriptionManager;
   instanceName;
   backpressureController;
   heartbeatController;
   isDev;
+  maxMessagesPerWindow;
+  rateLimitWindowMs;
+  operationTimeoutMs;
+  maxActiveQueriesPerSession;
   constructor(instanceName, udfExecutor, options) {
     this.udfExecutor = udfExecutor;
     this.instanceName = instanceName;
     this.isDev = options?.isDev ?? true;
+    this.maxMessagesPerWindow = Math.max(1, options?.maxMessagesPerWindow ?? DEFAULT_MAX_MESSAGES_PER_WINDOW);
+    this.rateLimitWindowMs = Math.max(1, options?.rateLimitWindowMs ?? DEFAULT_RATE_LIMIT_WINDOW_MS);
+    const configuredOperationTimeout = options?.operationTimeoutMs ?? DEFAULT_OPERATION_TIMEOUT_MS;
+    this.operationTimeoutMs = Number.isFinite(configuredOperationTimeout) ? Math.max(0, Math.floor(configuredOperationTimeout)) : DEFAULT_OPERATION_TIMEOUT_MS;
+    this.maxActiveQueriesPerSession = Math.max(1, options?.maxActiveQueriesPerSession ?? DEFAULT_MAX_ACTIVE_QUERIES_PER_SESSION);
     this.subscriptionManager = new SubscriptionManager2;
     this.backpressureController = new SessionBackpressureController({
       websocketReadyStateOpen: WEBSOCKET_READY_STATE_OPEN,
@@ -30657,6 +30865,10 @@ class SyncProtocolHandler {
   createSession(sessionId, websocket) {
     const session = new SyncSession(websocket);
     this.sessions.set(sessionId, session);
+    this.rateLimitStates.set(sessionId, {
+      windowStartedAt: Date.now(),
+      messagesInWindow: 0
+    });
     return session;
   }
   getSession(sessionId) {
@@ -30671,6 +30883,7 @@ class SyncProtocolHandler {
       session.isDraining = false;
       this.subscriptionManager.unsubscribeAll(sessionId);
       this.sessions.delete(sessionId);
+      this.rateLimitStates.delete(sessionId);
     }
   }
   updateSessionId(oldSessionId, newSessionId) {
@@ -30678,6 +30891,11 @@ class SyncProtocolHandler {
     if (session) {
       this.sessions.delete(oldSessionId);
       this.sessions.set(newSessionId, session);
+      const rateLimitState = this.rateLimitStates.get(oldSessionId);
+      if (rateLimitState) {
+        this.rateLimitStates.delete(oldSessionId);
+        this.rateLimitStates.set(newSessionId, rateLimitState);
+      }
       this.subscriptionManager.updateSessionId(oldSessionId, newSessionId);
     }
   }
@@ -30686,6 +30904,29 @@ class SyncProtocolHandler {
     if (!session && message22.type !== "Connect") {
       throw new Error("Session not found");
     }
+    if (session) {
+      const rateLimitDecision = this.consumeRateLimit(sessionId);
+      if (rateLimitDecision === "reject") {
+        return [
+          {
+            type: "FatalError",
+            error: "Rate limit exceeded, retry shortly"
+          }
+        ];
+      }
+      if (rateLimitDecision === "close") {
+        try {
+          session.websocket.close(1013, "Rate limit exceeded");
+        } catch {}
+        this.destroySession(sessionId);
+        return [
+          {
+            type: "FatalError",
+            error: "Rate limit exceeded"
+          }
+        ];
+      }
+    }
     switch (message22.type) {
       case "Connect":
         return this.handleConnect(sessionId, message22);
@@ -30742,6 +30983,15 @@ class SyncProtocolHandler {
         return [fatalError];
       }
       const startVersion = makeStateVersion(session.querySetVersion, session.identityVersion, session.timestamp);
+      const projectedActiveQueryCount = this.computeProjectedActiveQueryCount(session, message22);
+      if (projectedActiveQueryCount > this.maxActiveQueriesPerSession) {
+        return [
+          {
+            type: "FatalError",
+            error: `Too many active queries: ${projectedActiveQueryCount} exceeds limit ${this.maxActiveQueriesPerSession}`
+          }
+        ];
+      }
       session.querySetVersion = message22.newVersion;
       const modifications = [];
       for (const mod of message22.modifications) {
@@ -31065,7 +31315,54 @@ class SyncProtocolHandler {
     }, () => {
       return;
     });
-    return run;
+    return this.withOperationTimeout(run);
+  }
+  withOperationTimeout(promise) {
+    if (this.operationTimeoutMs <= 0) {
+      return promise;
+    }
+    let timeoutHandle;
+    const timeoutPromise = new Promise((_, reject) => {
+      timeoutHandle = setTimeout(() => {
+        reject(new Error(`Sync operation timed out after ${this.operationTimeoutMs}ms`));
+      }, this.operationTimeoutMs);
+    });
+    return Promise.race([promise, timeoutPromise]).finally(() => {
+      if (timeoutHandle) {
+        clearTimeout(timeoutHandle);
+      }
+    });
+  }
+  consumeRateLimit(sessionId) {
+    const state = this.rateLimitStates.get(sessionId);
+    if (!state) {
+      return "allow";
+    }
+    const now = Date.now();
+    if (now - state.windowStartedAt >= this.rateLimitWindowMs) {
+      state.windowStartedAt = now;
+      state.messagesInWindow = 0;
+    }
+    state.messagesInWindow += 1;
+    if (state.messagesInWindow <= this.maxMessagesPerWindow) {
+      return "allow";
+    }
+    const hardLimit = Math.max(this.maxMessagesPerWindow + 1, this.maxMessagesPerWindow * RATE_LIMIT_HARD_MULTIPLIER);
+    if (state.messagesInWindow >= hardLimit) {
+      return "close";
+    }
+    return "reject";
+  }
+  computeProjectedActiveQueryCount(session, message22) {
+    const projected = new Set(session.activeQueries.keys());
+    for (const mod of message22.modifications) {
+      if (mod.type === "Add") {
+        projected.add(mod.queryId);
+      } else if (mod.type === "Remove") {
+        projected.delete(mod.queryId);
+      }
+    }
+    return projected.size;
   }
   sendPing(session) {
     if (!session.websocket || session.websocket.readyState !== WEBSOCKET_READY_STATE_OPEN) {
@@ -37311,6 +37608,8 @@ function decodeJwtClaimsToken3(token) {
     return null;
   }
 }
+var DEFAULT_JWKS_CACHE_TTL_MS3 = 5 * 60 * 1000;
+var MAX_JWKS_CACHE_TTL_MS3 = 24 * 60 * 60 * 1000;
 var JWKS_CACHE3 = new Map;
 function decodeJwtUnsafe3(token) {
   if (!token)
@@ -38128,6 +38427,8 @@ class ScheduledFunctionExecutor2 {
   logger;
   runMutationInTransaction;
   tableName;
+  maxConcurrentJobs;
+  scanPageSize;
   constructor(options) {
     this.docstore = options.docstore;
     this.udfExecutor = options.udfExecutor;
@@ -38137,46 +38438,68 @@ class ScheduledFunctionExecutor2 {
     this.logger = options.logger ?? console;
     this.runMutationInTransaction = options.runMutationInTransaction;
     this.tableName = options.tableName ?? SCHEDULED_FUNCTIONS_TABLE2;
+    this.maxConcurrentJobs = Math.max(1, options.maxConcurrentJobs ?? 8);
+    this.scanPageSize = Math.max(1, options.scanPageSize ?? 256);
   }
   async runDueJobs() {
     const tableId = stringToHex4(this.tableName);
-    const allJobs = await this.docstore.scan(tableId);
     const now = this.now();
-    const pendingJobs = allJobs.filter((doc) => {
-      const value = doc.value?.value;
-      if (!value || typeof value !== "object") {
-        return false;
-      }
-      const state = value.state;
-      const scheduledTime = value.scheduledTime;
-      return state?.kind === "pending" && typeof scheduledTime === "number" && scheduledTime <= now;
-    });
-    if (pendingJobs.length === 0) {
-      return {
-        executed: 0,
-        nextScheduledTime: this.computeNextScheduledTime(allJobs)
-      };
-    }
-    await Promise.all(pendingJobs.map((job) => {
-      const jobValue = job.value?.value;
-      if (!jobValue) {
-        throw new Error("Job value unexpectedly missing after filter");
+    let executed = 0;
+    const inFlight = new Set;
+    const schedule = async (jobValue) => {
+      const run = this.executeJob(jobValue, tableId).then(() => {
+        executed += 1;
+      }).finally(() => {
+        inFlight.delete(run);
+      });
+      inFlight.add(run);
+      if (inFlight.size >= this.maxConcurrentJobs) {
+        await Promise.race(inFlight);
       }
-      return this.executeJob(jobValue, tableId);
-    }));
-    return {
-      executed: pendingJobs.length,
-      nextScheduledTime: this.computeNextScheduledTime(await this.docstore.scan(tableId))
     };
+    await this.forEachScheduledJob(async (jobValue) => {
+      const state = jobValue.state;
+      const scheduledTime = jobValue.scheduledTime;
+      if (state?.kind !== "pending" || typeof scheduledTime !== "number") {
+        return;
+      }
+      if (scheduledTime <= now) {
+        await schedule(jobValue);
+      }
+    });
+    await Promise.all(inFlight);
+    return { executed, nextScheduledTime: await this.getNextScheduledTime() };
   }
   async getNextScheduledTime() {
-    const tableId = stringToHex4(this.tableName);
-    const allJobs = await this.docstore.scan(tableId);
-    return this.computeNextScheduledTime(allJobs);
+    let nextScheduledTime = null;
+    await this.forEachScheduledJob(async (jobValue) => {
+      const state = jobValue.state;
+      const scheduledTime = jobValue.scheduledTime;
+      if (state?.kind !== "pending" || typeof scheduledTime !== "number") {
+        return;
+      }
+      if (nextScheduledTime === null || scheduledTime < nextScheduledTime) {
+        nextScheduledTime = scheduledTime;
+      }
+    });
+    return nextScheduledTime;
   }
-  computeNextScheduledTime(allJobs) {
-    const pending = allJobs.map((doc) => doc.value?.value).filter((value) => !!value && value.state?.kind === "pending").map((value) => value.scheduledTime).filter((time) => typeof time === "number").sort((a, b) => a - b);
-    return pending.length > 0 ? pending[0] : null;
+  async forEachScheduledJob(visitor) {
+    const tableId = stringToHex4(this.tableName);
+    let cursor22 = null;
+    while (true) {
+      const page = await this.docstore.scanPaginated(tableId, cursor22, this.scanPageSize, Order3.Asc);
+      for (const doc of page.documents) {
+        const value = doc.value?.value;
+        if (value && typeof value === "object") {
+          await visitor(value);
+        }
+      }
+      if (!page.hasMore || !page.nextCursor) {
+        break;
+      }
+      cursor22 = page.nextCursor;
+    }
   }
   async executeJob(jobValue, tableId) {
     const jobId = jobValue?._id;
@@ -38308,6 +38631,8 @@ class CronExecutor2 {
   allocateTimestamp;
   now;
   logger;
+  maxConcurrentJobs;
+  scanPageSize;
   constructor(options) {
     this.docstore = options.docstore;
     this.udfExecutor = options.udfExecutor;
@@ -38315,6 +38640,8 @@ class CronExecutor2 {
     this.allocateTimestamp = options.allocateTimestamp;
     this.now = options.now ?? (() => Date.now());
     this.logger = options.logger ?? console;
+    this.maxConcurrentJobs = Math.max(1, options.maxConcurrentJobs ?? 8);
+    this.scanPageSize = Math.max(1, options.scanPageSize ?? 256);
   }
   async syncCronSpecs(cronSpecs) {
     const tableId = stringToHex4(CRONS_TABLE2);
@@ -38400,33 +38727,58 @@ class CronExecutor2 {
   }
   async runDueJobs() {
     const tableId = stringToHex4(CRONS_TABLE2);
-    const allJobs = await this.docstore.scan(tableId);
     const now = this.now();
-    const dueJobs = allJobs.filter((doc) => {
-      const value = doc.value?.value;
-      return value && value.nextRun <= now;
-    });
-    if (dueJobs.length === 0) {
-      return {
-        executed: 0,
-        nextScheduledTime: this.computeNextScheduledTime(allJobs)
-      };
-    }
-    await Promise.all(dueJobs.map((job) => this.executeJob(job, tableId)));
-    const updatedJobs = await this.docstore.scan(tableId);
-    return {
-      executed: dueJobs.length,
-      nextScheduledTime: this.computeNextScheduledTime(updatedJobs)
+    let executed = 0;
+    const inFlight = new Set;
+    const schedule = async (job) => {
+      const run = this.executeJob(job, tableId).then(() => {
+        executed += 1;
+      }).finally(() => {
+        inFlight.delete(run);
+      });
+      inFlight.add(run);
+      if (inFlight.size >= this.maxConcurrentJobs) {
+        await Promise.race(inFlight);
+      }
     };
+    await this.forEachCronJob(async (job) => {
+      const value = job.value?.value;
+      if (!value || typeof value.nextRun !== "number") {
+        return;
+      }
+      if (value.nextRun <= now) {
+        await schedule(job);
+      }
+    });
+    await Promise.all(inFlight);
+    return { executed, nextScheduledTime: await this.getNextScheduledTime() };
   }
   async getNextScheduledTime() {
-    const tableId = stringToHex4(CRONS_TABLE2);
-    const allJobs = await this.docstore.scan(tableId);
-    return this.computeNextScheduledTime(allJobs);
+    let nextScheduledTime = null;
+    await this.forEachCronJob(async (job) => {
+      const nextRun = job.value?.value?.nextRun;
+      if (typeof nextRun !== "number") {
+        return;
+      }
+      if (nextScheduledTime === null || nextRun < nextScheduledTime) {
+        nextScheduledTime = nextRun;
+      }
+    });
+    return nextScheduledTime;
   }
-  computeNextScheduledTime(allJobs) {
-    const nextTimes = allJobs.map((doc) => doc.value?.value?.nextRun).filter((time) => typeof time === "number").sort((a, b) => a - b);
-    return nextTimes.length > 0 ? nextTimes[0] : null;
+  async forEachCronJob(visitor) {
+    const tableId = stringToHex4(CRONS_TABLE2);
+    let cursor22 = null;
+    while (true) {
+      const page = await this.docstore.scanPaginated(tableId, cursor22, this.scanPageSize, Order3.Asc);
+      for (const job of page.documents) {
+        await visitor(job);
+      }
+      if (!page.hasMore || !page.nextCursor) {
+        break;
+      }
+      cursor22 = page.nextCursor;
+    }
   }
   async executeJob(job, tableId) {
     const value = job.value?.value;
@@ -46034,6 +46386,8 @@ class SystemAuthError3 extends Error {
   }
 }
 var DEFAULT_CLOCK_TOLERANCE_SECONDS3 = 60;
+var DEFAULT_JWKS_CACHE_TTL_MS4 = 5 * 60 * 1000;
+var MAX_JWKS_CACHE_TTL_MS4 = 24 * 60 * 60 * 1000;
 var JWKS_CACHE4 = new Map;
 var defaultValidationConfig3;
 var adminAuthConfig3;
@@ -46129,7 +46483,8 @@ function resolveJwtValidationConfigFromEnv3(env) {
   const secret = getEnvValue3("AUTH_SECRET", env) ?? getEnvValue3("CONCAVE_JWT_SECRET", env) ?? getEnvValue3("JWT_SECRET", env);
   const skipVerification = parseBoolean3(getEnvValue3("AUTH_SKIP_VERIFICATION", env)) ?? parseBoolean3(getEnvValue3("CONCAVE_JWT_SKIP_VERIFICATION", env));
   const clockTolerance = parseNumber3(getEnvValue3("AUTH_CLOCK_TOLERANCE", env)) ?? parseNumber3(getEnvValue3("CONCAVE_JWT_CLOCK_TOLERANCE", env));
-  if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined) {
+  const jwksCacheTtlMs = parseNumber3(getEnvValue3("AUTH_JWKS_CACHE_TTL_MS", env)) ?? parseNumber3(getEnvValue3("CONCAVE_JWT_JWKS_CACHE_TTL_MS", env));
+  if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined && jwksCacheTtlMs === undefined) {
     return;
   }
   return {
@@ -46138,7 +46493,8 @@ function resolveJwtValidationConfigFromEnv3(env) {
     audience,
     secret,
     skipVerification,
-    clockTolerance
+    clockTolerance,
+    jwksCacheTtlMs
   };
 }
 function normalizeList3(value) {
@@ -46182,15 +46538,33 @@ function validateClaims3(claims, config) {
     throw new JWTValidationError3("CLAIM_VALIDATION_FAILED", "JWT claim validation failed: aud");
   }
 }
-function getRemoteJwks3(jwksUrl) {
+function getRemoteJwks3(jwksUrl, config) {
+  const now = Date.now();
   const cached = JWKS_CACHE4.get(jwksUrl);
+  if (cached && cached.expiresAtMs > now) {
+    return cached.resolver;
+  }
   if (cached) {
-    return cached;
+    JWKS_CACHE4.delete(jwksUrl);
   }
   const jwks = createRemoteJWKSet3(new URL(jwksUrl));
-  JWKS_CACHE4.set(jwksUrl, jwks);
+  const configuredTtl = config?.jwksCacheTtlMs ?? defaultValidationConfig3?.jwksCacheTtlMs;
+  const ttlMs = resolveJwksCacheTtlMs3(configuredTtl);
+  JWKS_CACHE4.set(jwksUrl, {
+    resolver: jwks,
+    expiresAtMs: now + ttlMs
+  });
   return jwks;
 }
+function resolveJwksCacheTtlMs3(configuredTtl) {
+  if (configuredTtl === undefined) {
+    return DEFAULT_JWKS_CACHE_TTL_MS4;
+  }
+  if (!Number.isFinite(configuredTtl)) {
+    return DEFAULT_JWKS_CACHE_TTL_MS4;
+  }
+  return Math.max(0, Math.min(MAX_JWKS_CACHE_TTL_MS4, Math.floor(configuredTtl)));
+}
 function decodeJwtUnsafe4(token) {
   if (!token)
     return null;
@@ -46223,7 +46597,7 @@ async function verifyJwt3(token, config) {
       const key = new TextEncoder().encode(effectiveConfig.secret);
       ({ payload } = await jwtVerify3(token, key, options));
     } else {
-      ({ payload } = await jwtVerify3(token, getRemoteJwks3(effectiveConfig.jwksUrl), options));
+      ({ payload } = await jwtVerify3(token, getRemoteJwks3(effectiveConfig.jwksUrl, effectiveConfig), options));
     }
     const claims = payload;
     validateClaims3(claims, effectiveConfig);
@@ -47366,6 +47740,11 @@ var WEBSOCKET_READY_STATE_OPEN2 = 1;
 var BACKPRESSURE_HIGH_WATER_MARK2 = 100;
 var BACKPRESSURE_BUFFER_LIMIT2 = 1024 * 1024;
 var SLOW_CLIENT_TIMEOUT_MS2 = 30000;
+var DEFAULT_RATE_LIMIT_WINDOW_MS2 = 5000;
+var DEFAULT_MAX_MESSAGES_PER_WINDOW2 = 1000;
+var DEFAULT_OPERATION_TIMEOUT_MS2 = 15000;
+var DEFAULT_MAX_ACTIVE_QUERIES_PER_SESSION2 = 1000;
+var RATE_LIMIT_HARD_MULTIPLIER2 = 5;
 class SyncSession2 {
   websocket;
@@ -47394,15 +47773,25 @@ class SyncSession2 {
 class SyncProtocolHandler2 {
   udfExecutor;
   sessions = new Map;
+  rateLimitStates = new Map;
   subscriptionManager;
   instanceName;
   backpressureController;
   heartbeatController;
   isDev;
+  maxMessagesPerWindow;
+  rateLimitWindowMs;
+  operationTimeoutMs;
+  maxActiveQueriesPerSession;
   constructor(instanceName, udfExecutor, options) {
     this.udfExecutor = udfExecutor;
     this.instanceName = instanceName;
     this.isDev = options?.isDev ?? true;
+    this.maxMessagesPerWindow = Math.max(1, options?.maxMessagesPerWindow ?? DEFAULT_MAX_MESSAGES_PER_WINDOW2);
+    this.rateLimitWindowMs = Math.max(1, options?.rateLimitWindowMs ?? DEFAULT_RATE_LIMIT_WINDOW_MS2);
+    const configuredOperationTimeout = options?.operationTimeoutMs ?? DEFAULT_OPERATION_TIMEOUT_MS2;
+    this.operationTimeoutMs = Number.isFinite(configuredOperationTimeout) ? Math.max(0, Math.floor(configuredOperationTimeout)) : DEFAULT_OPERATION_TIMEOUT_MS2;
+    this.maxActiveQueriesPerSession = Math.max(1, options?.maxActiveQueriesPerSession ?? DEFAULT_MAX_ACTIVE_QUERIES_PER_SESSION2);
     this.subscriptionManager = new SubscriptionManager4;
     this.backpressureController = new SessionBackpressureController2({
       websocketReadyStateOpen: WEBSOCKET_READY_STATE_OPEN2,
@@ -47420,6 +47809,10 @@ class SyncProtocolHandler2 {
   createSession(sessionId, websocket) {
     const session = new SyncSession2(websocket);
     this.sessions.set(sessionId, session);
+    this.rateLimitStates.set(sessionId, {
+      windowStartedAt: Date.now(),
+      messagesInWindow: 0
+    });
     return session;
   }
   getSession(sessionId) {
@@ -47434,6 +47827,7 @@ class SyncProtocolHandler2 {
       session.isDraining = false;
       this.subscriptionManager.unsubscribeAll(sessionId);
       this.sessions.delete(sessionId);
+      this.rateLimitStates.delete(sessionId);
     }
   }
   updateSessionId(oldSessionId, newSessionId) {
@@ -47441,6 +47835,11 @@ class SyncProtocolHandler2 {
     if (session) {
       this.sessions.delete(oldSessionId);
       this.sessions.set(newSessionId, session);
+      const rateLimitState = this.rateLimitStates.get(oldSessionId);
+      if (rateLimitState) {
+        this.rateLimitStates.delete(oldSessionId);
+        this.rateLimitStates.set(newSessionId, rateLimitState);
+      }
       this.subscriptionManager.updateSessionId(oldSessionId, newSessionId);
     }
   }
@@ -47449,6 +47848,29 @@ class SyncProtocolHandler2 {
     if (!session && message22.type !== "Connect") {
       throw new Error("Session not found");
     }
+    if (session) {
+      const rateLimitDecision = this.consumeRateLimit(sessionId);
+      if (rateLimitDecision === "reject") {
+        return [
+          {
+            type: "FatalError",
+            error: "Rate limit exceeded, retry shortly"
+          }
+        ];
+      }
+      if (rateLimitDecision === "close") {
+        try {
+          session.websocket.close(1013, "Rate limit exceeded");
+        } catch {}
+        this.destroySession(sessionId);
+        return [
+          {
+            type: "FatalError",
+            error: "Rate limit exceeded"
+          }
+        ];
+      }
+    }
     switch (message22.type) {
       case "Connect":
         return this.handleConnect(sessionId, message22);
@@ -47505,6 +47927,15 @@ class SyncProtocolHandler2 {
         return [fatalError];
       }
       const startVersion = makeStateVersion2(session.querySetVersion, session.identityVersion, session.timestamp);
+      const projectedActiveQueryCount = this.computeProjectedActiveQueryCount(session, message22);
+      if (projectedActiveQueryCount > this.maxActiveQueriesPerSession) {
+        return [
+          {
+            type: "FatalError",
+            error: `Too many active queries: ${projectedActiveQueryCount} exceeds limit ${this.maxActiveQueriesPerSession}`
+          }
+        ];
+      }
       session.querySetVersion = message22.newVersion;
       const modifications = [];
       for (const mod of message22.modifications) {
@@ -47828,7 +48259,54 @@ class SyncProtocolHandler2 {
     }, () => {
       return;
     });
-    return run;
+    return this.withOperationTimeout(run);
+  }
+  withOperationTimeout(promise) {
+    if (this.operationTimeoutMs <= 0) {
+      return promise;
+    }
+    let timeoutHandle;
+    const timeoutPromise = new Promise((_, reject) => {
+      timeoutHandle = setTimeout(() => {
+        reject(new Error(`Sync operation timed out after ${this.operationTimeoutMs}ms`));
+      }, this.operationTimeoutMs);
+    });
+    return Promise.race([promise, timeoutPromise]).finally(() => {
+      if (timeoutHandle) {
+        clearTimeout(timeoutHandle);
+      }
+    });
+  }
+  consumeRateLimit(sessionId) {
+    const state = this.rateLimitStates.get(sessionId);
+    if (!state) {
+      return "allow";
+    }
+    const now = Date.now();
+    if (now - state.windowStartedAt >= this.rateLimitWindowMs) {
+      state.windowStartedAt = now;
+      state.messagesInWindow = 0;
+    }
+    state.messagesInWindow += 1;
+    if (state.messagesInWindow <= this.maxMessagesPerWindow) {
+      return "allow";
+    }
+    const hardLimit = Math.max(this.maxMessagesPerWindow + 1, this.maxMessagesPerWindow * RATE_LIMIT_HARD_MULTIPLIER2);
+    if (state.messagesInWindow >= hardLimit) {
+      return "close";
+    }
+    return "reject";
+  }
+  computeProjectedActiveQueryCount(session, message22) {
+    const projected = new Set(session.activeQueries.keys());
+    for (const mod of message22.modifications) {
+      if (mod.type === "Add") {
+        projected.add(mod.queryId);
+      } else if (mod.type === "Remove") {
+        projected.delete(mod.queryId);
+      }
+    }
+    return projected.size;
   }
   sendPing(session) {
     if (!session.websocket || session.websocket.readyState !== WEBSOCKET_READY_STATE_OPEN2) {