npm - @dotdo/postgres - Versions diffs - 0.1.0 - Mend

@dotdo/postgres 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1129) hide show

package/README.md +868 -0
package/dist/cdc/change-stream.d.ts +44 -0
package/dist/cdc/change-stream.d.ts.map +1 -0
package/dist/cdc/change-stream.js +95 -0
package/dist/cdc/change-stream.js.map +1 -0
package/dist/cdc/filter.d.ts +58 -0
package/dist/cdc/filter.d.ts.map +1 -0
package/dist/cdc/filter.js +520 -0
package/dist/cdc/filter.js.map +1 -0
package/dist/cdc/index.d.ts +47 -0
package/dist/cdc/index.d.ts.map +1 -0
package/dist/cdc/index.js +50 -0
package/dist/cdc/index.js.map +1 -0
package/dist/cdc/resume-token.d.ts +60 -0
package/dist/cdc/resume-token.d.ts.map +1 -0
package/dist/cdc/resume-token.js +228 -0
package/dist/cdc/resume-token.js.map +1 -0
package/dist/cdc/transport/index.d.ts +7 -0
package/dist/cdc/transport/index.d.ts.map +1 -0
package/dist/cdc/transport/index.js +7 -0
package/dist/cdc/transport/index.js.map +1 -0
package/dist/cdc/transport/sse.d.ts +120 -0
package/dist/cdc/transport/sse.d.ts.map +1 -0
package/dist/cdc/transport/sse.js +590 -0
package/dist/cdc/transport/sse.js.map +1 -0
package/dist/cdc/transport/websocket.d.ts +130 -0
package/dist/cdc/transport/websocket.d.ts.map +1 -0
package/dist/cdc/transport/websocket.js +688 -0
package/dist/cdc/transport/websocket.js.map +1 -0
package/dist/cdc/types.d.ts +306 -0
package/dist/cdc/types.d.ts.map +1 -0
package/dist/cdc/types.js +8 -0
package/dist/cdc/types.js.map +1 -0
package/dist/config/index.d.ts +25 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +25 -0
package/dist/config/index.js.map +1 -0
package/dist/config/memory.d.ts +139 -0
package/dist/config/memory.d.ts.map +1 -0
package/dist/config/memory.js +157 -0
package/dist/config/memory.js.map +1 -0
package/dist/config/storage.d.ts +157 -0
package/dist/config/storage.d.ts.map +1 -0
package/dist/config/storage.js +178 -0
package/dist/config/storage.js.map +1 -0
package/dist/config/streaming.d.ts +117 -0
package/dist/config/streaming.d.ts.map +1 -0
package/dist/config/streaming.js +132 -0
package/dist/config/streaming.js.map +1 -0
package/dist/config/timeouts.d.ts +168 -0
package/dist/config/timeouts.d.ts.map +1 -0
package/dist/config/timeouts.js +192 -0
package/dist/config/timeouts.js.map +1 -0
package/dist/extensions/config.d.ts +89 -0
package/dist/extensions/config.d.ts.map +1 -0
package/dist/extensions/config.js +216 -0
package/dist/extensions/config.js.map +1 -0
package/dist/extensions/geo.d.ts +452 -0
package/dist/extensions/geo.d.ts.map +1 -0
package/dist/extensions/geo.js +583 -0
package/dist/extensions/geo.js.map +1 -0
package/dist/extensions/index.d.ts +167 -0
package/dist/extensions/index.d.ts.map +1 -0
package/dist/extensions/index.js +99 -0
package/dist/extensions/index.js.map +1 -0
package/dist/extensions/loader.d.ts +226 -0
package/dist/extensions/loader.d.ts.map +1 -0
package/dist/extensions/loader.js +456 -0
package/dist/extensions/loader.js.map +1 -0
package/dist/extensions/pgmq-lite.d.ts +330 -0
package/dist/extensions/pgmq-lite.d.ts.map +1 -0
package/dist/extensions/pgmq-lite.js +648 -0
package/dist/extensions/pgmq-lite.js.map +1 -0
package/dist/extensions/plugins.d.ts +260 -0
package/dist/extensions/plugins.d.ts.map +1 -0
package/dist/extensions/plugins.js +535 -0
package/dist/extensions/plugins.js.map +1 -0
package/dist/extensions/registry.d.ts +93 -0
package/dist/extensions/registry.d.ts.map +1 -0
package/dist/extensions/registry.js +182 -0
package/dist/extensions/registry.js.map +1 -0
package/dist/extensions/vector.d.ts +106 -0
package/dist/extensions/vector.d.ts.map +1 -0
package/dist/extensions/vector.js +129 -0
package/dist/extensions/vector.js.map +1 -0
package/dist/iceberg/analytics.d.ts +279 -0
package/dist/iceberg/analytics.d.ts.map +1 -0
package/dist/iceberg/analytics.js +448 -0
package/dist/iceberg/analytics.js.map +1 -0
package/dist/iceberg/catalog-api.d.ts +39 -0
package/dist/iceberg/catalog-api.d.ts.map +1 -0
package/dist/iceberg/catalog-api.js +388 -0
package/dist/iceberg/catalog-api.js.map +1 -0
package/dist/iceberg/catalog.d.ts +401 -0
package/dist/iceberg/catalog.d.ts.map +1 -0
package/dist/iceberg/catalog.js +677 -0
package/dist/iceberg/catalog.js.map +1 -0
package/dist/iceberg/duckdb-wasm.d.ts +447 -0
package/dist/iceberg/duckdb-wasm.d.ts.map +1 -0
package/dist/iceberg/duckdb-wasm.js +600 -0
package/dist/iceberg/duckdb-wasm.js.map +1 -0
package/dist/iceberg/index.d.ts +92 -0
package/dist/iceberg/index.d.ts.map +1 -0
package/dist/iceberg/index.js +119 -0
package/dist/iceberg/index.js.map +1 -0
package/dist/iceberg/metadata.d.ts +214 -0
package/dist/iceberg/metadata.d.ts.map +1 -0
package/dist/iceberg/metadata.js +535 -0
package/dist/iceberg/metadata.js.map +1 -0
package/dist/iceberg/optimizer.d.ts +296 -0
package/dist/iceberg/optimizer.d.ts.map +1 -0
package/dist/iceberg/optimizer.js +889 -0
package/dist/iceberg/optimizer.js.map +1 -0
package/dist/iceberg/parquet.d.ts +447 -0
package/dist/iceberg/parquet.d.ts.map +1 -0
package/dist/iceberg/parquet.js +1225 -0
package/dist/iceberg/parquet.js.map +1 -0
package/dist/iceberg/r2-organization.d.ts +422 -0
package/dist/iceberg/r2-organization.d.ts.map +1 -0
package/dist/iceberg/r2-organization.js +672 -0
package/dist/iceberg/r2-organization.js.map +1 -0
package/dist/iceberg/scheduler-do-example.d.ts +158 -0
package/dist/iceberg/scheduler-do-example.d.ts.map +1 -0
package/dist/iceberg/scheduler-do-example.js +261 -0
package/dist/iceberg/scheduler-do-example.js.map +1 -0
package/dist/iceberg/scheduler.d.ts +434 -0
package/dist/iceberg/scheduler.d.ts.map +1 -0
package/dist/iceberg/scheduler.js +818 -0
package/dist/iceberg/scheduler.js.map +1 -0
package/dist/iceberg/schema.d.ts +149 -0
package/dist/iceberg/schema.d.ts.map +1 -0
package/dist/iceberg/schema.js +525 -0
package/dist/iceberg/schema.js.map +1 -0
package/dist/iceberg/snapshot-manager.d.ts +406 -0
package/dist/iceberg/snapshot-manager.d.ts.map +1 -0
package/dist/iceberg/snapshot-manager.js +934 -0
package/dist/iceberg/snapshot-manager.js.map +1 -0
package/dist/iceberg/sql-router.d.ts +194 -0
package/dist/iceberg/sql-router.d.ts.map +1 -0
package/dist/iceberg/sql-router.js +180 -0
package/dist/iceberg/sql-router.js.map +1 -0
package/dist/iceberg/test-fixtures.d.ts +151 -0
package/dist/iceberg/test-fixtures.d.ts.map +1 -0
package/dist/iceberg/test-fixtures.js +446 -0
package/dist/iceberg/test-fixtures.js.map +1 -0
package/dist/iceberg/time-travel-api.d.ts +102 -0
package/dist/iceberg/time-travel-api.d.ts.map +1 -0
package/dist/iceberg/time-travel-api.js +437 -0
package/dist/iceberg/time-travel-api.js.map +1 -0
package/dist/iceberg/time-travel.d.ts +293 -0
package/dist/iceberg/time-travel.d.ts.map +1 -0
package/dist/iceberg/time-travel.js +689 -0
package/dist/iceberg/time-travel.js.map +1 -0
package/dist/iceberg/transformer.d.ts +356 -0
package/dist/iceberg/transformer.d.ts.map +1 -0
package/dist/iceberg/transformer.js +770 -0
package/dist/iceberg/transformer.js.map +1 -0
package/dist/iceberg/types.d.ts +318 -0
package/dist/iceberg/types.d.ts.map +1 -0
package/dist/iceberg/types.js +9 -0
package/dist/iceberg/types.js.map +1 -0
package/dist/iceberg/writer.d.ts +144 -0
package/dist/iceberg/writer.d.ts.map +1 -0
package/dist/iceberg/writer.js +452 -0
package/dist/iceberg/writer.js.map +1 -0
package/dist/index.d.ts +50 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +69 -0
package/dist/index.js.map +1 -0
package/dist/lineage/index.d.ts +11 -0
package/dist/lineage/index.d.ts.map +1 -0
package/dist/lineage/index.js +11 -0
package/dist/lineage/index.js.map +1 -0
package/dist/lineage/integration.d.ts +134 -0
package/dist/lineage/integration.d.ts.map +1 -0
package/dist/lineage/integration.js +258 -0
package/dist/lineage/integration.js.map +1 -0
package/dist/lineage/tracker.d.ts +189 -0
package/dist/lineage/tracker.d.ts.map +1 -0
package/dist/lineage/tracker.js +1352 -0
package/dist/lineage/tracker.js.map +1 -0
package/dist/lineage/types.d.ts +318 -0
package/dist/lineage/types.d.ts.map +1 -0
package/dist/lineage/types.js +9 -0
package/dist/lineage/types.js.map +1 -0
package/dist/middleware/index.d.ts +11 -0
package/dist/middleware/index.d.ts.map +1 -0
package/dist/middleware/index.js +16 -0
package/dist/middleware/index.js.map +1 -0
package/dist/middleware/rate-limit.d.ts +397 -0
package/dist/middleware/rate-limit.d.ts.map +1 -0
package/dist/middleware/rate-limit.js +507 -0
package/dist/middleware/rate-limit.js.map +1 -0
package/dist/migration-tooling/external-migration.d.ts +601 -0
package/dist/migration-tooling/external-migration.d.ts.map +1 -0
package/dist/migration-tooling/external-migration.js +1612 -0
package/dist/migration-tooling/external-migration.js.map +1 -0
package/dist/migration-tooling/index.d.ts +19 -0
package/dist/migration-tooling/index.d.ts.map +1 -0
package/dist/migration-tooling/index.js +19 -0
package/dist/migration-tooling/index.js.map +1 -0
package/dist/migrations/auto-migrator.d.ts +289 -0
package/dist/migrations/auto-migrator.d.ts.map +1 -0
package/dist/migrations/auto-migrator.js +396 -0
package/dist/migrations/auto-migrator.js.map +1 -0
package/dist/migrations/bulk-orchestrator.d.ts +403 -0
package/dist/migrations/bulk-orchestrator.d.ts.map +1 -0
package/dist/migrations/bulk-orchestrator.js +646 -0
package/dist/migrations/bulk-orchestrator.js.map +1 -0
package/dist/migrations/compatibility.d.ts +216 -0
package/dist/migrations/compatibility.d.ts.map +1 -0
package/dist/migrations/compatibility.js +651 -0
package/dist/migrations/compatibility.js.map +1 -0
package/dist/migrations/do-migrations.d.ts +101 -0
package/dist/migrations/do-migrations.d.ts.map +1 -0
package/dist/migrations/do-migrations.js +1060 -0
package/dist/migrations/do-migrations.js.map +1 -0
package/dist/migrations/do-migrations.types.d.ts +550 -0
package/dist/migrations/do-migrations.types.d.ts.map +1 -0
package/dist/migrations/do-migrations.types.js +15 -0
package/dist/migrations/do-migrations.types.js.map +1 -0
package/dist/migrations/drizzle-compat.d.ts +163 -0
package/dist/migrations/drizzle-compat.d.ts.map +1 -0
package/dist/migrations/drizzle-compat.js +273 -0
package/dist/migrations/drizzle-compat.js.map +1 -0
package/dist/migrations/index.d.ts +109 -0
package/dist/migrations/index.d.ts.map +1 -0
package/dist/migrations/index.js +127 -0
package/dist/migrations/index.js.map +1 -0
package/dist/migrations/migration-api.d.ts +161 -0
package/dist/migrations/migration-api.d.ts.map +1 -0
package/dist/migrations/migration-api.js +499 -0
package/dist/migrations/migration-api.js.map +1 -0
package/dist/migrations/progress-tracker-do.d.ts +195 -0
package/dist/migrations/progress-tracker-do.d.ts.map +1 -0
package/dist/migrations/progress-tracker-do.js +339 -0
package/dist/migrations/progress-tracker-do.js.map +1 -0
package/dist/migrations/progress-tracker-kv.d.ts +103 -0
package/dist/migrations/progress-tracker-kv.d.ts.map +1 -0
package/dist/migrations/progress-tracker-kv.js +231 -0
package/dist/migrations/progress-tracker-kv.js.map +1 -0
package/dist/migrations/progress-tracker.d.ts +320 -0
package/dist/migrations/progress-tracker.d.ts.map +1 -0
package/dist/migrations/progress-tracker.js +443 -0
package/dist/migrations/progress-tracker.js.map +1 -0
package/dist/migrations/registry.d.ts +231 -0
package/dist/migrations/registry.d.ts.map +1 -0
package/dist/migrations/registry.js +376 -0
package/dist/migrations/registry.js.map +1 -0
package/dist/migrations/runner.d.ts +197 -0
package/dist/migrations/runner.d.ts.map +1 -0
package/dist/migrations/runner.js +1167 -0
package/dist/migrations/runner.js.map +1 -0
package/dist/migrations/schema-generator.d.ts +111 -0
package/dist/migrations/schema-generator.d.ts.map +1 -0
package/dist/migrations/schema-generator.js +335 -0
package/dist/migrations/schema-generator.js.map +1 -0
package/dist/migrations/testing.d.ts +321 -0
package/dist/migrations/testing.d.ts.map +1 -0
package/dist/migrations/testing.js +645 -0
package/dist/migrations/testing.js.map +1 -0
package/dist/migrations/types.d.ts +503 -0
package/dist/migrations/types.d.ts.map +1 -0
package/dist/migrations/types.js +11 -0
package/dist/migrations/types.js.map +1 -0
package/dist/migrations/validator.d.ts +215 -0
package/dist/migrations/validator.d.ts.map +1 -0
package/dist/migrations/validator.js +494 -0
package/dist/migrations/validator.js.map +1 -0
package/dist/observability/alerting.d.ts +116 -0
package/dist/observability/alerting.d.ts.map +1 -0
package/dist/observability/alerting.js +353 -0
package/dist/observability/alerting.js.map +1 -0
package/dist/observability/analytics-engine.d.ts +357 -0
package/dist/observability/analytics-engine.d.ts.map +1 -0
package/dist/observability/analytics-engine.js +430 -0
package/dist/observability/analytics-engine.js.map +1 -0
package/dist/observability/cost-metrics.d.ts +269 -0
package/dist/observability/cost-metrics.d.ts.map +1 -0
package/dist/observability/cost-metrics.js +560 -0
package/dist/observability/cost-metrics.js.map +1 -0
package/dist/observability/cross-do-tracing.d.ts +305 -0
package/dist/observability/cross-do-tracing.d.ts.map +1 -0
package/dist/observability/cross-do-tracing.js +431 -0
package/dist/observability/cross-do-tracing.js.map +1 -0
package/dist/observability/error-rate-collector.d.ts +163 -0
package/dist/observability/error-rate-collector.d.ts.map +1 -0
package/dist/observability/error-rate-collector.js +306 -0
package/dist/observability/error-rate-collector.js.map +1 -0
package/dist/observability/exporters.d.ts +231 -0
package/dist/observability/exporters.d.ts.map +1 -0
package/dist/observability/exporters.js +479 -0
package/dist/observability/exporters.js.map +1 -0
package/dist/observability/health-check.d.ts +106 -0
package/dist/observability/health-check.d.ts.map +1 -0
package/dist/observability/health-check.js +243 -0
package/dist/observability/health-check.js.map +1 -0
package/dist/observability/index.d.ts +297 -0
package/dist/observability/index.d.ts.map +1 -0
package/dist/observability/index.js +455 -0
package/dist/observability/index.js.map +1 -0
package/dist/observability/instrumentation.d.ts +222 -0
package/dist/observability/instrumentation.d.ts.map +1 -0
package/dist/observability/instrumentation.js +532 -0
package/dist/observability/instrumentation.js.map +1 -0
package/dist/observability/memory-metrics.d.ts +227 -0
package/dist/observability/memory-metrics.d.ts.map +1 -0
package/dist/observability/memory-metrics.js +688 -0
package/dist/observability/memory-metrics.js.map +1 -0
package/dist/observability/metrics-endpoint.d.ts +91 -0
package/dist/observability/metrics-endpoint.d.ts.map +1 -0
package/dist/observability/metrics-endpoint.js +246 -0
package/dist/observability/metrics-endpoint.js.map +1 -0
package/dist/observability/metrics.d.ts +88 -0
package/dist/observability/metrics.d.ts.map +1 -0
package/dist/observability/metrics.js +253 -0
package/dist/observability/metrics.js.map +1 -0
package/dist/observability/observability-features.d.ts +488 -0
package/dist/observability/observability-features.d.ts.map +1 -0
package/dist/observability/observability-features.js +773 -0
package/dist/observability/observability-features.js.map +1 -0
package/dist/observability/prometheus.d.ts +39 -0
package/dist/observability/prometheus.d.ts.map +1 -0
package/dist/observability/prometheus.js +120 -0
package/dist/observability/prometheus.js.map +1 -0
package/dist/observability/propagation.d.ts +126 -0
package/dist/observability/propagation.d.ts.map +1 -0
package/dist/observability/propagation.js +234 -0
package/dist/observability/propagation.js.map +1 -0
package/dist/observability/query-latency.d.ts +243 -0
package/dist/observability/query-latency.d.ts.map +1 -0
package/dist/observability/query-latency.js +292 -0
package/dist/observability/query-latency.js.map +1 -0
package/dist/observability/query-performance.d.ts +169 -0
package/dist/observability/query-performance.d.ts.map +1 -0
package/dist/observability/query-performance.js +290 -0
package/dist/observability/query-performance.js.map +1 -0
package/dist/observability/storage-tier-metrics.d.ts +174 -0
package/dist/observability/storage-tier-metrics.d.ts.map +1 -0
package/dist/observability/storage-tier-metrics.js +306 -0
package/dist/observability/storage-tier-metrics.js.map +1 -0
package/dist/observability/tier-cost-optimizer.d.ts +155 -0
package/dist/observability/tier-cost-optimizer.d.ts.map +1 -0
package/dist/observability/tier-cost-optimizer.js +536 -0
package/dist/observability/tier-cost-optimizer.js.map +1 -0
package/dist/observability/tracer.d.ts +149 -0
package/dist/observability/tracer.d.ts.map +1 -0
package/dist/observability/tracer.js +435 -0
package/dist/observability/tracer.js.map +1 -0
package/dist/observability/types.d.ts +402 -0
package/dist/observability/types.d.ts.map +1 -0
package/dist/observability/types.js +103 -0
package/dist/observability/types.js.map +1 -0
package/dist/pglite/workers-pglite.d.ts +138 -0
package/dist/pglite/workers-pglite.d.ts.map +1 -0
package/dist/pglite/workers-pglite.js +143 -0
package/dist/pglite/workers-pglite.js.map +1 -0
package/dist/pglite-assets/pglite.data +0 -0
package/dist/pglite-assets/pglite.wasm +0 -0
package/dist/playground/index.d.ts +52 -0
package/dist/playground/index.d.ts.map +1 -0
package/dist/playground/index.js +55 -0
package/dist/playground/index.js.map +1 -0
package/dist/playground/keyboard-shortcuts.d.ts +116 -0
package/dist/playground/keyboard-shortcuts.d.ts.map +1 -0
package/dist/playground/keyboard-shortcuts.js +588 -0
package/dist/playground/keyboard-shortcuts.js.map +1 -0
package/dist/playground/playground.d.ts +82 -0
package/dist/playground/playground.d.ts.map +1 -0
package/dist/playground/playground.js +271 -0
package/dist/playground/playground.js.map +1 -0
package/dist/playground/query-executor.d.ts +115 -0
package/dist/playground/query-executor.d.ts.map +1 -0
package/dist/playground/query-executor.js +558 -0
package/dist/playground/query-executor.js.map +1 -0
package/dist/playground/query-history.d.ts +92 -0
package/dist/playground/query-history.d.ts.map +1 -0
package/dist/playground/query-history.js +259 -0
package/dist/playground/query-history.js.map +1 -0
package/dist/playground/result-formatter.d.ts +59 -0
package/dist/playground/result-formatter.d.ts.map +1 -0
package/dist/playground/result-formatter.js +341 -0
package/dist/playground/result-formatter.js.map +1 -0
package/dist/playground/sample-datasets.d.ts +77 -0
package/dist/playground/sample-datasets.d.ts.map +1 -0
package/dist/playground/sample-datasets.js +641 -0
package/dist/playground/sample-datasets.js.map +1 -0
package/dist/playground/sample-queries.d.ts +73 -0
package/dist/playground/sample-queries.d.ts.map +1 -0
package/dist/playground/sample-queries.js +1095 -0
package/dist/playground/sample-queries.js.map +1 -0
package/dist/playground/schema-explorer.d.ts +55 -0
package/dist/playground/schema-explorer.d.ts.map +1 -0
package/dist/playground/schema-explorer.js +473 -0
package/dist/playground/schema-explorer.js.map +1 -0
package/dist/playground/types.d.ts +430 -0
package/dist/playground/types.d.ts.map +1 -0
package/dist/playground/types.js +10 -0
package/dist/playground/types.js.map +1 -0
package/dist/readonly/cache-reader.d.ts +145 -0
package/dist/readonly/cache-reader.d.ts.map +1 -0
package/dist/readonly/cache-reader.js +198 -0
package/dist/readonly/cache-reader.js.map +1 -0
package/dist/readonly/config.d.ts +74 -0
package/dist/readonly/config.d.ts.map +1 -0
package/dist/readonly/config.js +67 -0
package/dist/readonly/config.js.map +1 -0
package/dist/readonly/index.d.ts +22 -0
package/dist/readonly/index.d.ts.map +1 -0
package/dist/readonly/index.js +17 -0
package/dist/readonly/index.js.map +1 -0
package/dist/readonly/pglite-wrapper.d.ts +82 -0
package/dist/readonly/pglite-wrapper.d.ts.map +1 -0
package/dist/readonly/pglite-wrapper.js +123 -0
package/dist/readonly/pglite-wrapper.js.map +1 -0
package/dist/readonly/worker.d.ts +142 -0
package/dist/readonly/worker.d.ts.map +1 -0
package/dist/readonly/worker.js +187 -0
package/dist/readonly/worker.js.map +1 -0
package/dist/readonly/write-blocker.d.ts +47 -0
package/dist/readonly/write-blocker.d.ts.map +1 -0
package/dist/readonly/write-blocker.js +136 -0
package/dist/readonly/write-blocker.js.map +1 -0
package/dist/recovery/disaster-recovery.d.ts +326 -0
package/dist/recovery/disaster-recovery.d.ts.map +1 -0
package/dist/recovery/disaster-recovery.js +799 -0
package/dist/recovery/disaster-recovery.js.map +1 -0
package/dist/recovery/index.d.ts +12 -0
package/dist/recovery/index.d.ts.map +1 -0
package/dist/recovery/index.js +12 -0
package/dist/recovery/index.js.map +1 -0
package/dist/recovery/parquet-parser.d.ts +321 -0
package/dist/recovery/parquet-parser.d.ts.map +1 -0
package/dist/recovery/parquet-parser.js +797 -0
package/dist/recovery/parquet-parser.js.map +1 -0
package/dist/retention/index.d.ts +50 -0
package/dist/retention/index.d.ts.map +1 -0
package/dist/retention/index.js +50 -0
package/dist/retention/index.js.map +1 -0
package/dist/retention/policy.d.ts +344 -0
package/dist/retention/policy.d.ts.map +1 -0
package/dist/retention/policy.js +472 -0
package/dist/retention/policy.js.map +1 -0
package/dist/retention/purger.d.ts +187 -0
package/dist/retention/purger.d.ts.map +1 -0
package/dist/retention/purger.js +411 -0
package/dist/retention/purger.js.map +1 -0
package/dist/rls/auth-integration.d.ts +280 -0
package/dist/rls/auth-integration.d.ts.map +1 -0
package/dist/rls/auth-integration.js +399 -0
package/dist/rls/auth-integration.js.map +1 -0
package/dist/rls/generator.d.ts +249 -0
package/dist/rls/generator.d.ts.map +1 -0
package/dist/rls/generator.js +495 -0
package/dist/rls/generator.js.map +1 -0
package/dist/rls/index.d.ts +26 -0
package/dist/rls/index.d.ts.map +1 -0
package/dist/rls/index.js +58 -0
package/dist/rls/index.js.map +1 -0
package/dist/rls/policy.d.ts +116 -0
package/dist/rls/policy.d.ts.map +1 -0
package/dist/rls/policy.js +77 -0
package/dist/rls/policy.js.map +1 -0
package/dist/rls/validator.d.ts +155 -0
package/dist/rls/validator.d.ts.map +1 -0
package/dist/rls/validator.js +792 -0
package/dist/rls/validator.js.map +1 -0
package/dist/routing/adaptive-router.d.ts +317 -0
package/dist/routing/adaptive-router.d.ts.map +1 -0
package/dist/routing/adaptive-router.js +554 -0
package/dist/routing/adaptive-router.js.map +1 -0
package/dist/routing/circuit-breaker.d.ts +339 -0
package/dist/routing/circuit-breaker.d.ts.map +1 -0
package/dist/routing/circuit-breaker.js +620 -0
package/dist/routing/circuit-breaker.js.map +1 -0
package/dist/routing/cost-metrics.d.ts +133 -0
package/dist/routing/cost-metrics.d.ts.map +1 -0
package/dist/routing/cost-metrics.js +259 -0
package/dist/routing/cost-metrics.js.map +1 -0
package/dist/routing/do-connection-pool.d.ts +243 -0
package/dist/routing/do-connection-pool.d.ts.map +1 -0
package/dist/routing/do-connection-pool.js +572 -0
package/dist/routing/do-connection-pool.js.map +1 -0
package/dist/routing/index.d.ts +59 -0
package/dist/routing/index.d.ts.map +1 -0
package/dist/routing/index.js +59 -0
package/dist/routing/index.js.map +1 -0
package/dist/routing/query-complexity-estimator.d.ts +73 -0
package/dist/routing/query-complexity-estimator.d.ts.map +1 -0
package/dist/routing/query-complexity-estimator.js +327 -0
package/dist/routing/query-complexity-estimator.js.map +1 -0
package/dist/routing/request-coalescing.d.ts +178 -0
package/dist/routing/request-coalescing.d.ts.map +1 -0
package/dist/routing/request-coalescing.js +325 -0
package/dist/routing/request-coalescing.js.map +1 -0
package/dist/routing/runtime-router.d.ts +107 -0
package/dist/routing/runtime-router.d.ts.map +1 -0
package/dist/routing/runtime-router.js +246 -0
package/dist/routing/runtime-router.js.map +1 -0
package/dist/routing/tenant-router.d.ts +848 -0
package/dist/routing/tenant-router.d.ts.map +1 -0
package/dist/routing/tenant-router.js +1056 -0
package/dist/routing/tenant-router.js.map +1 -0
package/dist/routing/websocket-pool.d.ts +119 -0
package/dist/routing/websocket-pool.d.ts.map +1 -0
package/dist/routing/websocket-pool.js +436 -0
package/dist/routing/websocket-pool.js.map +1 -0
package/dist/storage/cache-layer.d.ts +159 -0
package/dist/storage/cache-layer.d.ts.map +1 -0
package/dist/storage/cache-layer.js +245 -0
package/dist/storage/cache-layer.js.map +1 -0
package/dist/storage/cost-aware-tiering.d.ts +258 -0
package/dist/storage/cost-aware-tiering.d.ts.map +1 -0
package/dist/storage/cost-aware-tiering.js +526 -0
package/dist/storage/cost-aware-tiering.js.map +1 -0
package/dist/storage/index.d.ts +87 -0
package/dist/storage/index.d.ts.map +1 -0
package/dist/storage/index.js +78 -0
package/dist/storage/index.js.map +1 -0
package/dist/storage/interfaces.d.ts +856 -0
package/dist/storage/interfaces.d.ts.map +1 -0
package/dist/storage/interfaces.js +69 -0
package/dist/storage/interfaces.js.map +1 -0
package/dist/storage/r2-layer.d.ts +226 -0
package/dist/storage/r2-layer.d.ts.map +1 -0
package/dist/storage/r2-layer.js +307 -0
package/dist/storage/r2-layer.js.map +1 -0
package/dist/storage/r2-overflow.d.ts +344 -0
package/dist/storage/r2-overflow.d.ts.map +1 -0
package/dist/storage/r2-overflow.js +730 -0
package/dist/storage/r2-overflow.js.map +1 -0
package/dist/storage/r2-page-vfs.d.ts +374 -0
package/dist/storage/r2-page-vfs.d.ts.map +1 -0
package/dist/storage/r2-page-vfs.js +754 -0
package/dist/storage/r2-page-vfs.js.map +1 -0
package/dist/storage/swr-cache.d.ts +181 -0
package/dist/storage/swr-cache.d.ts.map +1 -0
package/dist/storage/swr-cache.js +295 -0
package/dist/storage/swr-cache.js.map +1 -0
package/dist/storage/tiered-orchestrator.d.ts +951 -0
package/dist/storage/tiered-orchestrator.d.ts.map +1 -0
package/dist/storage/tiered-orchestrator.js +1731 -0
package/dist/storage/tiered-orchestrator.js.map +1 -0
package/dist/storage/tiered-vfs-swr.d.ts +279 -0
package/dist/storage/tiered-vfs-swr.d.ts.map +1 -0
package/dist/storage/tiered-vfs-swr.js +584 -0
package/dist/storage/tiered-vfs-swr.js.map +1 -0
package/dist/storage/tiered-vfs.d.ts +405 -0
package/dist/storage/tiered-vfs.d.ts.map +1 -0
package/dist/storage/tiered-vfs.js +833 -0
package/dist/storage/tiered-vfs.js.map +1 -0
package/dist/streaming/backpressure-controller.d.ts +173 -0
package/dist/streaming/backpressure-controller.d.ts.map +1 -0
package/dist/streaming/backpressure-controller.js +344 -0
package/dist/streaming/backpressure-controller.js.map +1 -0
package/dist/streaming/buffer-pool.d.ts +241 -0
package/dist/streaming/buffer-pool.d.ts.map +1 -0
package/dist/streaming/buffer-pool.js +381 -0
package/dist/streaming/buffer-pool.js.map +1 -0
package/dist/streaming/cdc-iceberg-connector.d.ts +272 -0
package/dist/streaming/cdc-iceberg-connector.d.ts.map +1 -0
package/dist/streaming/cdc-iceberg-connector.js +408 -0
package/dist/streaming/cdc-iceberg-connector.js.map +1 -0
package/dist/streaming/index.d.ts +111 -0
package/dist/streaming/index.d.ts.map +1 -0
package/dist/streaming/index.js +128 -0
package/dist/streaming/index.js.map +1 -0
package/dist/streaming/live-cdc-stream.d.ts +400 -0
package/dist/streaming/live-cdc-stream.d.ts.map +1 -0
package/dist/streaming/live-cdc-stream.js +703 -0
package/dist/streaming/live-cdc-stream.js.map +1 -0
package/dist/streaming/memory-bounded-stream.d.ts +207 -0
package/dist/streaming/memory-bounded-stream.d.ts.map +1 -0
package/dist/streaming/memory-bounded-stream.js +340 -0
package/dist/streaming/memory-bounded-stream.js.map +1 -0
package/dist/streaming/query-streamer.d.ts +379 -0
package/dist/streaming/query-streamer.d.ts.map +1 -0
package/dist/streaming/query-streamer.js +495 -0
package/dist/streaming/query-streamer.js.map +1 -0
package/dist/streaming/response-streaming.d.ts +203 -0
package/dist/streaming/response-streaming.d.ts.map +1 -0
package/dist/streaming/response-streaming.js +449 -0
package/dist/streaming/response-streaming.js.map +1 -0
package/dist/types/branded.d.ts +859 -0
package/dist/types/branded.d.ts.map +1 -0
package/dist/types/branded.js +891 -0
package/dist/types/branded.js.map +1 -0
package/dist/types/utilities.d.ts +757 -0
package/dist/types/utilities.d.ts.map +1 -0
package/dist/types/utilities.js +447 -0
package/dist/types/utilities.js.map +1 -0
package/dist/wal/replay-engine.d.ts +344 -0
package/dist/wal/replay-engine.d.ts.map +1 -0
package/dist/wal/replay-engine.js +975 -0
package/dist/wal/replay-engine.js.map +1 -0
package/dist/worker/__mocks__/capnweb.d.ts +13 -0
package/dist/worker/__mocks__/capnweb.d.ts.map +1 -0
package/dist/worker/__mocks__/capnweb.js +15 -0
package/dist/worker/__mocks__/capnweb.js.map +1 -0
package/dist/worker/__mocks__/cloudflare-workers.d.ts +31 -0
package/dist/worker/__mocks__/cloudflare-workers.d.ts.map +1 -0
package/dist/worker/__mocks__/cloudflare-workers.js +33 -0
package/dist/worker/__mocks__/cloudflare-workers.js.map +1 -0
package/dist/worker/__mocks__/pglite.data.d.ts +3 -0
package/dist/worker/__mocks__/pglite.data.d.ts.map +1 -0
package/dist/worker/__mocks__/pglite.data.js +20 -0
package/dist/worker/__mocks__/pglite.data.js.map +1 -0
package/dist/worker/__mocks__/pglite.wasm.d.ts +3 -0
package/dist/worker/__mocks__/pglite.wasm.d.ts.map +1 -0
package/dist/worker/__mocks__/pglite.wasm.js +30 -0
package/dist/worker/__mocks__/pglite.wasm.js.map +1 -0
package/dist/worker/auth-rate-limiter.d.ts +270 -0
package/dist/worker/auth-rate-limiter.d.ts.map +1 -0
package/dist/worker/auth-rate-limiter.js +332 -0
package/dist/worker/auth-rate-limiter.js.map +1 -0
package/dist/worker/auth.d.ts +345 -0
package/dist/worker/auth.d.ts.map +1 -0
package/dist/worker/auth.js +837 -0
package/dist/worker/auth.js.map +1 -0
package/dist/worker/cdc-backpressure.d.ts +338 -0
package/dist/worker/cdc-backpressure.d.ts.map +1 -0
package/dist/worker/cdc-backpressure.js +619 -0
package/dist/worker/cdc-backpressure.js.map +1 -0
package/dist/worker/cdc-sse.d.ts +277 -0
package/dist/worker/cdc-sse.d.ts.map +1 -0
package/dist/worker/cdc-sse.js +528 -0
package/dist/worker/cdc-sse.js.map +1 -0
package/dist/worker/cdc-websocket.d.ts +252 -0
package/dist/worker/cdc-websocket.d.ts.map +1 -0
package/dist/worker/cdc-websocket.js +940 -0
package/dist/worker/cdc-websocket.js.map +1 -0
package/dist/worker/cdc.d.ts +95 -0
package/dist/worker/cdc.d.ts.map +1 -0
package/dist/worker/cdc.js +211 -0
package/dist/worker/cdc.js.map +1 -0
package/dist/worker/concerns/auth-concern.d.ts +50 -0
package/dist/worker/concerns/auth-concern.d.ts.map +1 -0
package/dist/worker/concerns/auth-concern.js +131 -0
package/dist/worker/concerns/auth-concern.js.map +1 -0
package/dist/worker/concerns/cdc-concern.d.ts +99 -0
package/dist/worker/concerns/cdc-concern.d.ts.map +1 -0
package/dist/worker/concerns/cdc-concern.js +137 -0
package/dist/worker/concerns/cdc-concern.js.map +1 -0
package/dist/worker/concerns/index.d.ts +22 -0
package/dist/worker/concerns/index.d.ts.map +1 -0
package/dist/worker/concerns/index.js +13 -0
package/dist/worker/concerns/index.js.map +1 -0
package/dist/worker/concerns/query-execution-concern.d.ts +104 -0
package/dist/worker/concerns/query-execution-concern.d.ts.map +1 -0
package/dist/worker/concerns/query-execution-concern.js +95 -0
package/dist/worker/concerns/query-execution-concern.js.map +1 -0
package/dist/worker/concerns/storage-orchestration-concern.d.ts +78 -0
package/dist/worker/concerns/storage-orchestration-concern.d.ts.map +1 -0
package/dist/worker/concerns/storage-orchestration-concern.js +240 -0
package/dist/worker/concerns/storage-orchestration-concern.js.map +1 -0
package/dist/worker/do-auth-manager.d.ts +108 -0
package/dist/worker/do-auth-manager.d.ts.map +1 -0
package/dist/worker/do-auth-manager.js +212 -0
package/dist/worker/do-auth-manager.js.map +1 -0
package/dist/worker/do-pglite-manager.d.ts +137 -0
package/dist/worker/do-pglite-manager.d.ts.map +1 -0
package/dist/worker/do-pglite-manager.js +228 -0
package/dist/worker/do-pglite-manager.js.map +1 -0
package/dist/worker/do.d.ts +556 -0
package/dist/worker/do.d.ts.map +1 -0
package/dist/worker/do.js +1441 -0
package/dist/worker/do.js.map +1 -0
package/dist/worker/entry.d.ts +23 -0
package/dist/worker/entry.d.ts.map +1 -0
package/dist/worker/entry.js +362 -0
package/dist/worker/entry.js.map +1 -0
package/dist/worker/errors.d.ts +106 -0
package/dist/worker/errors.d.ts.map +1 -0
package/dist/worker/errors.js +178 -0
package/dist/worker/errors.js.map +1 -0
package/dist/worker/health-check-manager.d.ts +141 -0
package/dist/worker/health-check-manager.d.ts.map +1 -0
package/dist/worker/health-check-manager.js +145 -0
package/dist/worker/health-check-manager.js.map +1 -0
package/dist/worker/index.d.ts +60 -0
package/dist/worker/index.d.ts.map +1 -0
package/dist/worker/index.js +67 -0
package/dist/worker/index.js.map +1 -0
package/dist/worker/memory-pressure.d.ts +892 -0
package/dist/worker/memory-pressure.d.ts.map +1 -0
package/dist/worker/memory-pressure.js +1990 -0
package/dist/worker/memory-pressure.js.map +1 -0
package/dist/worker/migration-manager.d.ts +153 -0
package/dist/worker/migration-manager.d.ts.map +1 -0
package/dist/worker/migration-manager.js +461 -0
package/dist/worker/migration-manager.js.map +1 -0
package/dist/worker/plugin-manager.d.ts +147 -0
package/dist/worker/plugin-manager.d.ts.map +1 -0
package/dist/worker/plugin-manager.js +408 -0
package/dist/worker/plugin-manager.js.map +1 -0
package/dist/worker/proxy.d.ts +330 -0
package/dist/worker/proxy.d.ts.map +1 -0
package/dist/worker/proxy.js +504 -0
package/dist/worker/proxy.js.map +1 -0
package/dist/worker/query-execution-manager.d.ts +107 -0
package/dist/worker/query-execution-manager.d.ts.map +1 -0
package/dist/worker/query-execution-manager.js +155 -0
package/dist/worker/query-execution-manager.js.map +1 -0
package/dist/worker/query-executor.d.ts +163 -0
package/dist/worker/query-executor.d.ts.map +1 -0
package/dist/worker/query-executor.js +413 -0
package/dist/worker/query-executor.js.map +1 -0
package/dist/worker/query-stats-manager.d.ts +117 -0
package/dist/worker/query-stats-manager.d.ts.map +1 -0
package/dist/worker/query-stats-manager.js +162 -0
package/dist/worker/query-stats-manager.js.map +1 -0
package/dist/worker/result-handler.d.ts +192 -0
package/dist/worker/result-handler.d.ts.map +1 -0
package/dist/worker/result-handler.js +346 -0
package/dist/worker/result-handler.js.map +1 -0
package/dist/worker/routes.d.ts +135 -0
package/dist/worker/routes.d.ts.map +1 -0
package/dist/worker/routes.js +460 -0
package/dist/worker/routes.js.map +1 -0
package/dist/worker/rpc-methods-manager.d.ts +142 -0
package/dist/worker/rpc-methods-manager.d.ts.map +1 -0
package/dist/worker/rpc-methods-manager.js +195 -0
package/dist/worker/rpc-methods-manager.js.map +1 -0
package/dist/worker/rpc.d.ts +259 -0
package/dist/worker/rpc.d.ts.map +1 -0
package/dist/worker/rpc.js +398 -0
package/dist/worker/rpc.js.map +1 -0
package/dist/worker/schema-version.d.ts +209 -0
package/dist/worker/schema-version.d.ts.map +1 -0
package/dist/worker/schema-version.js +450 -0
package/dist/worker/schema-version.js.map +1 -0
package/dist/worker/session-manager.d.ts +282 -0
package/dist/worker/session-manager.d.ts.map +1 -0
package/dist/worker/session-manager.js +523 -0
package/dist/worker/session-manager.js.map +1 -0
package/dist/worker/shutdown-manager.d.ts +188 -0
package/dist/worker/shutdown-manager.d.ts.map +1 -0
package/dist/worker/shutdown-manager.js +347 -0
package/dist/worker/shutdown-manager.js.map +1 -0
package/dist/worker/sql-transform.d.ts +61 -0
package/dist/worker/sql-transform.d.ts.map +1 -0
package/dist/worker/sql-transform.js +312 -0
package/dist/worker/sql-transform.js.map +1 -0
package/dist/worker/types.d.ts +738 -0
package/dist/worker/types.d.ts.map +1 -0
package/dist/worker/types.js +6 -0
package/dist/worker/types.js.map +1 -0
package/dist/worker/user-routes.d.ts +76 -0
package/dist/worker/user-routes.d.ts.map +1 -0
package/dist/worker/user-routes.js +188 -0
package/dist/worker/user-routes.js.map +1 -0
package/dist/worker/wal-facade.d.ts +138 -0
package/dist/worker/wal-facade.d.ts.map +1 -0
package/dist/worker/wal-facade.js +184 -0
package/dist/worker/wal-facade.js.map +1 -0
package/dist/worker/wal-r2.d.ts +271 -0
package/dist/worker/wal-r2.d.ts.map +1 -0
package/dist/worker/wal-r2.js +689 -0
package/dist/worker/wal-r2.js.map +1 -0
package/dist/worker/wal-replay.d.ts +361 -0
package/dist/worker/wal-replay.d.ts.map +1 -0
package/dist/worker/wal-replay.js +628 -0
package/dist/worker/wal-replay.js.map +1 -0
package/dist/worker/wal-retention.d.ts +389 -0
package/dist/worker/wal-retention.d.ts.map +1 -0
package/dist/worker/wal-retention.js +763 -0
package/dist/worker/wal-retention.js.map +1 -0
package/dist/worker/wal.d.ts +278 -0
package/dist/worker/wal.d.ts.map +1 -0
package/dist/worker/wal.js +467 -0
package/dist/worker/wal.js.map +1 -0
package/dist/worker/websocket.d.ts +85 -0
package/dist/worker/websocket.d.ts.map +1 -0
package/dist/worker/websocket.js +227 -0
package/dist/worker/websocket.js.map +1 -0
package/package.json +108 -0
package/src/cdc/change-stream.ts +137 -0
package/src/cdc/filter.ts +646 -0
package/src/cdc/index.ts +112 -0
package/src/cdc/resume-token.ts +280 -0
package/src/cdc/transport/index.ts +7 -0
package/src/cdc/transport/sse.ts +723 -0
package/src/cdc/transport/websocket.ts +873 -0
package/src/cdc/types.ts +346 -0
package/src/config/index.ts +25 -0
package/src/config/memory.ts +177 -0
package/src/config/storage.ts +204 -0
package/src/config/streaming.ts +147 -0
package/src/config/timeouts.ts +221 -0
package/src/extensions/config.test.ts +187 -0
package/src/extensions/config.ts +278 -0
package/src/extensions/geo.test.ts +455 -0
package/src/extensions/geo.ts +858 -0
package/src/extensions/index.test.ts +259 -0
package/src/extensions/index.ts +227 -0
package/src/extensions/loader.test.ts +555 -0
package/src/extensions/loader.ts +588 -0
package/src/extensions/pgmq-lite.test.ts +727 -0
package/src/extensions/pgmq-lite.ts +770 -0
package/src/extensions/plugins.test.ts +528 -0
package/src/extensions/plugins.ts +718 -0
package/src/extensions/registry.test.ts +202 -0
package/src/extensions/registry.ts +267 -0
package/src/extensions/vector.test.ts +195 -0
package/src/extensions/vector.ts +217 -0
package/src/iceberg/SCHEDULER.md +580 -0
package/src/iceberg/analytics.test.ts +703 -0
package/src/iceberg/analytics.ts +727 -0
package/src/iceberg/catalog-api.test.ts +838 -0
package/src/iceberg/catalog-api.ts +520 -0
package/src/iceberg/catalog.test.ts +680 -0
package/src/iceberg/catalog.ts +1007 -0
package/src/iceberg/iceberg.test.ts +705 -0
package/src/iceberg/index.ts +406 -0
package/src/iceberg/metadata.test.ts +632 -0
package/src/iceberg/metadata.ts +649 -0
package/src/iceberg/optimizer.test.ts +868 -0
package/src/iceberg/optimizer.ts +1287 -0
package/src/iceberg/parquet.test.ts +899 -0
package/src/iceberg/parquet.ts +1640 -0
package/src/iceberg/r2-organization.test.ts +615 -0
package/src/iceberg/r2-organization.ts +951 -0
package/src/iceberg/scheduler-do-example.ts +364 -0
package/src/iceberg/scheduler.test.ts +861 -0
package/src/iceberg/scheduler.ts +1201 -0
package/src/iceberg/schema.test.ts +547 -0
package/src/iceberg/schema.ts +616 -0
package/src/iceberg/snapshot-manager.test.ts +919 -0
package/src/iceberg/snapshot-manager.ts +1369 -0
package/src/iceberg/sql-router.test.ts +334 -0
package/src/iceberg/sql-router.ts +337 -0
package/src/iceberg/test-fixtures.ts +605 -0
package/src/iceberg/time-travel-api.test.ts +1029 -0
package/src/iceberg/time-travel-api.ts +731 -0
package/src/iceberg/time-travel.test.ts +1218 -0
package/src/iceberg/time-travel.ts +1052 -0
package/src/iceberg/transformer.test.ts +689 -0
package/src/iceberg/transformer.ts +1029 -0
package/src/iceberg/types.ts +373 -0
package/src/iceberg/writer.test.ts +716 -0
package/src/iceberg/writer.ts +590 -0
package/src/index.ts +212 -0
package/src/lineage/index.ts +42 -0
package/src/lineage/integration.ts +334 -0
package/src/lineage/tracker.ts +1618 -0
package/src/lineage/types.ts +354 -0
package/src/middleware/index.ts +36 -0
package/src/middleware/rate-limit-concurrent.test.ts +794 -0
package/src/middleware/rate-limit.test.ts +1568 -0
package/src/middleware/rate-limit.ts +840 -0
package/src/migration-tooling/external-migration.test.ts +1864 -0
package/src/migration-tooling/external-migration.ts +2355 -0
package/src/migration-tooling/index.ts +19 -0
package/src/migrations/ARCHITECTURE.md +474 -0
package/src/migrations/PROGRESS_TRACKING.md +485 -0
package/src/migrations/auto-migrator.test.ts +732 -0
package/src/migrations/auto-migrator.ts +531 -0
package/src/migrations/bulk-orchestrator.test.ts +801 -0
package/src/migrations/bulk-orchestrator.ts +1039 -0
package/src/migrations/compatibility.test.ts +958 -0
package/src/migrations/compatibility.ts +902 -0
package/src/migrations/do-migrations.test.ts +2620 -0
package/src/migrations/do-migrations.ts +1289 -0
package/src/migrations/do-migrations.types.ts +715 -0
package/src/migrations/drizzle-compat.test.ts +210 -0
package/src/migrations/drizzle-compat.ts +337 -0
package/src/migrations/index.ts +334 -0
package/src/migrations/migration-api.test.ts +438 -0
package/src/migrations/migration-api.ts +704 -0
package/src/migrations/progress-tracker-do.ts +518 -0
package/src/migrations/progress-tracker-kv.ts +305 -0
package/src/migrations/progress-tracker.test.ts +937 -0
package/src/migrations/progress-tracker.ts +665 -0
package/src/migrations/registry.test.ts +331 -0
package/src/migrations/registry.ts +468 -0
package/src/migrations/rollback.test.ts +644 -0
package/src/migrations/runner.test.ts +807 -0
package/src/migrations/runner.test.ts.backup +759 -0
package/src/migrations/runner.ts +1459 -0
package/src/migrations/schema-generator.test.ts +649 -0
package/src/migrations/schema-generator.ts +513 -0
package/src/migrations/testing.ts +1037 -0
package/src/migrations/types.ts +573 -0
package/src/migrations/validator.test.ts +660 -0
package/src/migrations/validator.ts +741 -0
package/src/observability/alerting.test.ts +1133 -0
package/src/observability/alerting.ts +455 -0
package/src/observability/analytics-engine.ts +733 -0
package/src/observability/cost-metrics.ts +804 -0
package/src/observability/cross-do-tracing.test.ts +516 -0
package/src/observability/cross-do-tracing.ts +588 -0
package/src/observability/dashboards/postgres-do-overview.json +1656 -0
package/src/observability/error-rate-collector.test.ts +977 -0
package/src/observability/error-rate-collector.ts +518 -0
package/src/observability/exporters.test.ts +365 -0
package/src/observability/exporters.ts +650 -0
package/src/observability/health-check.test.ts +353 -0
package/src/observability/health-check.ts +341 -0
package/src/observability/index.test.ts +298 -0
package/src/observability/index.ts +885 -0
package/src/observability/instrumentation.test.ts +428 -0
package/src/observability/instrumentation.ts +788 -0
package/src/observability/memory-metrics.test.ts +355 -0
package/src/observability/memory-metrics.ts +990 -0
package/src/observability/metrics-endpoint.test.ts +402 -0
package/src/observability/metrics-endpoint.ts +374 -0
package/src/observability/metrics.test.ts +291 -0
package/src/observability/metrics.ts +315 -0
package/src/observability/observability-features.ts +1296 -0
package/src/observability/prometheus.test.ts +292 -0
package/src/observability/prometheus.ts +170 -0
package/src/observability/propagation.test.ts +417 -0
package/src/observability/propagation.ts +294 -0
package/src/observability/query-latency.ts +586 -0
package/src/observability/query-performance.test.ts +406 -0
package/src/observability/query-performance.ts +491 -0
package/src/observability/storage-tier-metrics.test.ts +633 -0
package/src/observability/storage-tier-metrics.ts +570 -0
package/src/observability/tier-cost-optimizer.ts +740 -0
package/src/observability/tracer.test.ts +346 -0
package/src/observability/tracer.ts +585 -0
package/src/observability/types.test.ts +726 -0
package/src/observability/types.ts +434 -0
package/src/pglite/auto-demotion.test.ts +477 -0
package/src/pglite/auto-demotion.ts +385 -0
package/src/pglite/auto-promotion.test.ts +824 -0
package/src/pglite/auto-promotion.ts +547 -0
package/src/pglite/cache-layer.test.ts +469 -0
package/src/pglite/cache-layer.ts +271 -0
package/src/pglite/cold-start-manager.ts +1260 -0
package/src/pglite/cold-start-optimizer.test.ts +937 -0
package/src/pglite/cold-start-optimizer.ts +1895 -0
package/src/pglite/dovfs-adapter.ts +1122 -0
package/src/pglite/dovfs.ts +1258 -0
package/src/pglite/etag-cache.test.ts +844 -0
package/src/pglite/etag-cache.ts +526 -0
package/src/pglite/index.ts +442 -0
package/src/pglite/init.test.ts +455 -0
package/src/pglite/init.ts +574 -0
package/src/pglite/lifecycle.test.ts +599 -0
package/src/pglite/lifecycle.ts +704 -0
package/src/pglite/parallel-loader.test.ts +586 -0
package/src/pglite/parallel-loader.ts +481 -0
package/src/pglite/production-pglite.test.ts +666 -0
package/src/pglite/production-pglite.ts +537 -0
package/src/pglite/query-executor.ts +614 -0
package/src/pglite/r2-layer.test.ts +501 -0
package/src/pglite/r2-layer.ts +322 -0
package/src/pglite/tiered-init.test.ts +725 -0
package/src/pglite/tiered-init.ts +556 -0
package/src/pglite/tiered-vfs.test.ts +726 -0
package/src/pglite/tiered-vfs.ts +33 -0
package/src/pglite/tiering-stats.test.ts +531 -0
package/src/pglite/tiering-stats.ts +407 -0
package/src/pglite/transaction-hooks.ts +343 -0
package/src/pglite/warm-loader.test.ts +1701 -0
package/src/pglite/warm-loader.ts +528 -0
package/src/pglite/workers-pglite.ts +224 -0
package/src/pglite-assets/pglite.data +0 -0
package/src/pglite-assets/pglite.wasm +0 -0
package/src/pglite.d.ts +47 -0
package/src/playground/index.ts +137 -0
package/src/playground/keyboard-shortcuts.ts +677 -0
package/src/playground/playground.ts +323 -0
package/src/playground/query-executor.ts +669 -0
package/src/playground/query-history.ts +328 -0
package/src/playground/result-formatter.ts +420 -0
package/src/playground/sample-datasets.ts +674 -0
package/src/playground/sample-queries.ts +1168 -0
package/src/playground/schema-explorer.ts +558 -0
package/src/playground/types.ts +518 -0
package/src/readonly/cache-reader.test.ts +460 -0
package/src/readonly/cache-reader.ts +313 -0
package/src/readonly/config.test.ts +187 -0
package/src/readonly/config.ts +128 -0
package/src/readonly/index.ts +50 -0
package/src/readonly/pglite-wrapper.test.ts +278 -0
package/src/readonly/pglite-wrapper.ts +184 -0
package/src/readonly/worker.test.ts +533 -0
package/src/readonly/worker.ts +341 -0
package/src/readonly/write-blocker.test.ts +459 -0
package/src/readonly/write-blocker.ts +175 -0
package/src/recovery/disaster-recovery.test.ts +618 -0
package/src/recovery/disaster-recovery.ts +1181 -0
package/src/recovery/index.ts +43 -0
package/src/recovery/parquet-parser.ts +974 -0
package/src/retention/index.ts +74 -0
package/src/retention/policy.test.ts +571 -0
package/src/retention/policy.ts +774 -0
package/src/retention/purger.test.ts +465 -0
package/src/retention/purger.ts +558 -0
package/src/rls/auth-integration.test.ts +752 -0
package/src/rls/auth-integration.ts +533 -0
package/src/rls/generator.test.ts +829 -0
package/src/rls/generator.ts +573 -0
package/src/rls/index.ts +128 -0
package/src/rls/policy.ts +208 -0
package/src/rls/rls.test.ts +1071 -0
package/src/rls/validator.test.ts +930 -0
package/src/rls/validator.ts +895 -0
package/src/routing/adaptive-router.test.ts +884 -0
package/src/routing/adaptive-router.ts +845 -0
package/src/routing/circuit-breaker.test.ts +1505 -0
package/src/routing/circuit-breaker.ts +852 -0
package/src/routing/cost-metrics.test.ts +565 -0
package/src/routing/cost-metrics.ts +408 -0
package/src/routing/do-connection-pool.test.ts +1109 -0
package/src/routing/do-connection-pool.ts +828 -0
package/src/routing/index.ts +158 -0
package/src/routing/query-complexity-estimator.test.ts +356 -0
package/src/routing/query-complexity-estimator.ts +444 -0
package/src/routing/request-coalescing.test.ts +738 -0
package/src/routing/request-coalescing.ts +475 -0
package/src/routing/runtime-router.test.ts +436 -0
package/src/routing/runtime-router.ts +357 -0
package/src/routing/tenant-router.test.ts +2493 -0
package/src/routing/tenant-router.ts +1908 -0
package/src/routing/websocket-pool.test.ts +551 -0
package/src/routing/websocket-pool.ts +577 -0
package/src/storage/access-pattern-tracker.test.ts +874 -0
package/src/storage/cache-layer.test.ts +560 -0
package/src/storage/cache-layer.ts +328 -0
package/src/storage/cost-aware-tiering.test.ts +652 -0
package/src/storage/cost-aware-tiering.ts +794 -0
package/src/storage/do-sqlite-blobs.test.ts +937 -0
package/src/storage/index.ts +272 -0
package/src/storage/interfaces.ts +974 -0
package/src/storage/r2-layer.test.ts +653 -0
package/src/storage/r2-layer.ts +434 -0
package/src/storage/r2-overflow.ts +920 -0
package/src/storage/r2-page-vfs.test.ts +2348 -0
package/src/storage/r2-page-vfs.ts +1054 -0
package/src/storage/swr-cache.test.ts +832 -0
package/src/storage/swr-cache.ts +398 -0
package/src/storage/swr-tiered-integration.test.ts +617 -0
package/src/storage/tiered-orchestrator.test.ts +2441 -0
package/src/storage/tiered-orchestrator.ts +2081 -0
package/src/storage/tiered-vfs-swr.test.ts +736 -0
package/src/storage/tiered-vfs-swr.ts +735 -0
package/src/storage/tiered-vfs.test.ts +793 -0
package/src/storage/tiered-vfs.ts +1082 -0
package/src/streaming/backpressure-controller.ts +452 -0
package/src/streaming/buffer-pool.ts +484 -0
package/src/streaming/cdc-iceberg-connector.ts +605 -0
package/src/streaming/index.ts +225 -0
package/src/streaming/live-cdc-stream.ts +985 -0
package/src/streaming/memory-bounded-stream.ts +443 -0
package/src/streaming/query-streamer.ts +662 -0
package/src/streaming/response-streaming.ts +557 -0
package/src/types/branded.ts +1075 -0
package/src/types/branded.ts.backup +273 -0
package/src/types/utilities.ts +1023 -0
package/src/types/wasm.d.ts +30 -0
package/src/validation/typed-errors.test.ts +420 -0
package/src/wal/replay-engine.ts +1264 -0
package/src/worker/__mocks__/capnweb.ts +15 -0
package/src/worker/__mocks__/pglite.data.ts +22 -0
package/src/worker/__mocks__/pglite.wasm.ts +33 -0
package/src/worker/auth-rate-limiter.test.ts +272 -0
package/src/worker/auth-rate-limiter.ts +448 -0
package/src/worker/auth.security-red.test.ts +1236 -0
package/src/worker/auth.security.test.ts +822 -0
package/src/worker/auth.test.ts +469 -0
package/src/worker/auth.ts +1104 -0
package/src/worker/cdc-backpressure.test.ts +726 -0
package/src/worker/cdc-backpressure.ts +866 -0
package/src/worker/cdc-sse.test.ts +780 -0
package/src/worker/cdc-sse.ts +728 -0
package/src/worker/cdc-websocket.ts +1229 -0
package/src/worker/cdc-ws.test.ts +1009 -0
package/src/worker/cdc.test.ts +327 -0
package/src/worker/cdc.ts +289 -0
package/src/worker/concerns/auth-concern.ts +179 -0
package/src/worker/concerns/cdc-concern.ts +247 -0
package/src/worker/concerns/index.ts +58 -0
package/src/worker/concerns/query-execution-concern.ts +194 -0
package/src/worker/concerns/storage-orchestration-concern.ts +373 -0
package/src/worker/discriminated-types.test.ts +280 -0
package/src/worker/do-auth-manager.ts +257 -0
package/src/worker/do-decomposition.test.ts +1236 -0
package/src/worker/do-pglite-manager.ts +302 -0
package/src/worker/do.test.ts +2254 -0
package/src/worker/do.ts +1878 -0
package/src/worker/entry.ts +417 -0
package/src/worker/errors.ts +285 -0
package/src/worker/health-check-manager.test.ts +261 -0
package/src/worker/health-check-manager.ts +231 -0
package/src/worker/index.ts +389 -0
package/src/worker/memory-pressure.test.ts +1460 -0
package/src/worker/memory-pressure.ts +2650 -0
package/src/worker/migration-manager.ts +582 -0
package/src/worker/neon-compat.test.ts +332 -0
package/src/worker/plugin-manager.ts +485 -0
package/src/worker/postgres.do-rpc.d.ts +76 -0
package/src/worker/proxy.ts +694 -0
package/src/worker/query-execution-manager.test.ts +303 -0
package/src/worker/query-execution-manager.ts +219 -0
package/src/worker/query-executor.test.ts +282 -0
package/src/worker/query-executor.ts +560 -0
package/src/worker/query-stats-manager.ts +229 -0
package/src/worker/result-handler.test.ts +364 -0
package/src/worker/result-handler.ts +510 -0
package/src/worker/routes.test.ts +795 -0
package/src/worker/routes.ts +650 -0
package/src/worker/rpc-methods-manager.test.ts +326 -0
package/src/worker/rpc-methods-manager.ts +276 -0
package/src/worker/rpc.ts +524 -0
package/src/worker/schema-version.ts +605 -0
package/src/worker/session-manager.test.ts +506 -0
package/src/worker/session-manager.ts +732 -0
package/src/worker/shutdown-manager.ts +469 -0
package/src/worker/sql-transform.test.ts +286 -0
package/src/worker/sql-transform.ts +368 -0
package/src/worker/supabase-compat.test.ts +621 -0
package/src/worker/types.test.ts +292 -0
package/src/worker/types.ts +873 -0
package/src/worker/user-routes.test.ts +703 -0
package/src/worker/user-routes.ts +303 -0
package/src/worker/wal-facade.ts +235 -0
package/src/worker/wal-r2.test.ts +570 -0
package/src/worker/wal-r2.ts +930 -0
package/src/worker/wal-replay.test.ts +845 -0
package/src/worker/wal-replay.ts +897 -0
package/src/worker/wal-retention.test.ts +758 -0
package/src/worker/wal-retention.ts +1075 -0
package/src/worker/wal.test.ts +618 -0
package/src/worker/wal.ts +697 -0
package/src/worker/websocket.test.ts +296 -0
package/src/worker/websocket.ts +284 -0

package/src/worker/auth.security-red.test.ts ADDED Viewed

@@ -0,0 +1,1236 @@
+/**
+ * RED PHASE: Worker Authentication Security Tests
+ *
+ * SECURITY CRITICAL: These tests protect against unauthorized access.
+ *
+ * Issue: postgres-8y64 - [P0-RED] Worker auth missing tests - auth bypass risk
+ *
+ * These tests are intentionally written to FAIL because the security features
+ * they verify are not yet implemented or have gaps. Each failing test represents
+ * a security vulnerability that needs to be addressed.
+ *
+ * Tests verify:
+ * 1. Token validation works correctly (cryptographic verification)
+ * 2. Expired tokens are rejected (with edge cases)
+ * 3. Invalid signatures are rejected (cryptographic validation)
+ * 4. Rate limiting prevents brute force (comprehensive scenarios)
+ * 5. SQL injection in claims is blocked (all injection vectors)
+ * 6. Clock skew handling (boundary conditions)
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { Hono } from 'hono'
+import {
+  createAuthMiddleware,
+  requireAuth,
+  getAuth,
+  generateDatabaseId,
+  clearTokenCache,
+  clearRateLimitState,
+  type AuthConfig,
+  type AuthContext,
+  type AuthenticatedUser,
+} from './auth'
+// Mock fetch for testing
+const mockFetch = vi.fn()
+let originalFetch: typeof fetch
+beforeEach(() => {
+  mockFetch.mockReset()
+  originalFetch = globalThis.fetch
+  globalThis.fetch = mockFetch
+  clearTokenCache()
+  clearRateLimitState()
+})
+afterEach(() => {
+  globalThis.fetch = originalFetch
+})
+/**
+ * Helper to create a test app with auth middleware
+ */
+function createTestApp(config: AuthConfig = {}) {
+  const app = new Hono<{ Variables: { auth: AuthContext } }>()
+  app.use('*', createAuthMiddleware(config))
+  app.get('/api/protected', (c) => {
+    const auth = getAuth(c)
+    return c.json({
+      user: auth.user,
+      databaseId: auth.databaseId,
+      isAuthenticated: auth.isAuthenticated,
+    })
+  })
+  app.get('/api/admin', requireAuth(), (c) => {
+    const auth = getAuth(c)
+    return c.json({ admin: true, user: auth.user })
+  })
+  return app
+}
+/**
+ * Helper to create a JWT-like token for testing
+ */
+function createTestJWT(
+  payload: Record<string, unknown>,
+  options: { header?: Record<string, unknown>; signature?: string } = {}
+): string {
+  const header = options.header ?? { alg: 'HS256', typ: 'JWT' }
+  const signature = options.signature ?? 'test-signature'
+  const headerB64 = btoa(JSON.stringify(header))
+  const payloadB64 = btoa(JSON.stringify(payload))
+  return `${headerB64}.${payloadB64}.${signature}`
+}
+// =============================================================================
+// 1. TOKEN VALIDATION - CRYPTOGRAPHIC VERIFICATION
+// =============================================================================
+describe('[RED] Token Cryptographic Validation', () => {
+  describe('Signature verification', () => {
+    it.fails('should reject tokens with forged signatures when using default validator', async () => {
+      // RED: Default oauth.do validator should verify signatures cryptographically
+      // Currently, if oauth.do returns success, the forged token is accepted
+      // This test FAILS because we need proper signature verification
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({
+          user: { id: 'attacker', email: 'attacker@evil.com' },
+        }),
+      })
+      const app = createTestApp()
+      // Attacker creates a token with forged payload but mock oauth.do accepts it
+      const forgedToken = createTestJWT({
+        sub: 'admin',
+        role: 'super_admin',
+        exp: Math.floor(Date.now() / 1000) + 3600,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${forgedToken}` },
+      })
+      // Should be 401 but currently returns 200 if oauth.do is mocked to accept
+      expect(res.status).toBe(401)
+    })
+    it.fails('should verify signature using the correct secret/public key', async () => {
+      // RED: Middleware should validate signatures locally before hitting oauth.do
+      // Currently relies entirely on external validation
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          // Simulates accepting any token without cryptographic verification
+          const parts = token.split('.')
+          if (parts.length !== 3) {
+            return { valid: false, error: 'Invalid format' }
+          }
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      // Token signed with wrong key should be rejected
+      const wrongKeyToken = createTestJWT({
+        sub: 'user123',
+        exp: Math.floor(Date.now() / 1000) + 3600,
+      }, { signature: 'signed-with-wrong-key' })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${wrongKeyToken}` },
+      })
+      // This should fail because signature is not verified
+      expect(res.status).toBe(401)
+    })
+    it.fails('should reject tokens with truncated signatures', async () => {
+      // RED: Truncated signatures should be rejected
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          if (parts.length !== 3) return { valid: false, error: 'Invalid' }
+          // Does not check signature length
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      // Very short signature (truncated attack)
+      const truncatedSigToken = createTestJWT(
+        { sub: 'user123', exp: Math.floor(Date.now() / 1000) + 3600 },
+        { signature: 'a' } // Truncated to 1 character
+      )
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${truncatedSigToken}` },
+      })
+      // Should reject truncated signatures
+      expect(res.status).toBe(401)
+    })
+    it.fails('should reject tokens with null signature (different from empty)', async () => {
+      // RED: null signature attack vector
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          if (parts.length !== 3) return { valid: false, error: 'Invalid' }
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      // Signature that decodes to null
+      const nullSigToken = createTestJWT(
+        { sub: 'user123', exp: Math.floor(Date.now() / 1000) + 3600 },
+        { signature: btoa('null') }
+      )
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${nullSigToken}` },
+      })
+      expect(res.status).toBe(401)
+    })
+  })
+  describe('Algorithm enforcement', () => {
+    it.fails('should only accept explicitly configured algorithms', async () => {
+      // RED: Should have allowlist of algorithms, not just blocklist of 'none'
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          if (parts.length !== 3) return { valid: false, error: 'Invalid' }
+          const header = JSON.parse(atob(parts[0]))
+          // Only blocks 'none', but accepts any other algorithm
+          if (header.alg === 'none') return { valid: false, error: 'Invalid algorithm' }
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      // Weak algorithms that should be rejected
+      const weakAlgorithms = ['HS1', 'MD5', 'SHA1', 'PS256-WEAK', 'CUSTOM']
+      for (const alg of weakAlgorithms) {
+        const token = createTestJWT(
+          { sub: 'user123', exp: Math.floor(Date.now() / 1000) + 3600 },
+          { header: { alg, typ: 'JWT' } }
+        )
+        const res = await app.request('/api/protected', {
+          headers: { Authorization: `Bearer ${token}` },
+        })
+        // Should reject weak/unknown algorithms
+        expect(res.status).toBe(401)
+      }
+    })
+    it.fails('should reject jwk header injection attack', async () => {
+      // RED: JWK header injection allows attacker to specify their own key
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          if (parts.length !== 3) return { valid: false, error: 'Invalid' }
+          const header = JSON.parse(atob(parts[0]))
+          // Does not check for jwk header injection
+          if (header.alg === 'none') return { valid: false, error: 'Invalid algorithm' }
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      // Token with embedded JWK (attacker's key)
+      const jwkToken = createTestJWT(
+        { sub: 'admin', role: 'admin', exp: Math.floor(Date.now() / 1000) + 3600 },
+        {
+          header: {
+            alg: 'RS256',
+            typ: 'JWT',
+            jwk: {
+              kty: 'RSA',
+              n: 'attacker-public-key-n',
+              e: 'AQAB',
+            },
+          },
+        }
+      )
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${jwkToken}` },
+      })
+      // Should reject tokens with embedded JWK
+      expect(res.status).toBe(401)
+    })
+    it.fails('should reject jku header injection attack', async () => {
+      // RED: JKU header injection allows attacker to specify key URL
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          if (parts.length !== 3) return { valid: false, error: 'Invalid' }
+          const header = JSON.parse(atob(parts[0]))
+          if (header.alg === 'none') return { valid: false, error: 'Invalid algorithm' }
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      // Token with JKU pointing to attacker's server
+      const jkuToken = createTestJWT(
+        { sub: 'admin', role: 'admin', exp: Math.floor(Date.now() / 1000) + 3600 },
+        {
+          header: {
+            alg: 'RS256',
+            typ: 'JWT',
+            jku: 'https://attacker.com/jwks.json',
+          },
+        }
+      )
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${jkuToken}` },
+      })
+      // Should reject tokens with jku header
+      expect(res.status).toBe(401)
+    })
+  })
+})
+// =============================================================================
+// 2. EXPIRED TOKENS - EDGE CASES
+// =============================================================================
+describe('[RED] Expired Token Edge Cases', () => {
+  describe('Expiration boundary conditions', () => {
+    it.fails('should reject tokens that expire during request processing', async () => {
+      // RED: Race condition - token valid at start but expires during processing
+      const nowSeconds = Math.floor(Date.now() / 1000)
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          // Simulate slow validation (100ms)
+          await new Promise((resolve) => setTimeout(resolve, 100))
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          // Check expiration AFTER delay - token may have expired
+          const currentTime = Math.floor(Date.now() / 1000)
+          if (payload.exp && payload.exp < currentTime) {
+            return { valid: false, error: 'Token expired' }
+          }
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      // Token that expires in 50ms (before validation completes)
+      const expiringToken = createTestJWT({
+        sub: 'user123',
+        exp: nowSeconds + 0.05, // Expires in 50ms
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${expiringToken}` },
+      })
+      // Should be rejected because token expired during processing
+      expect(res.status).toBe(401)
+    })
+    it.fails('should reject tokens with exp exactly at current time (boundary)', async () => {
+      // RED: Boundary condition - exp === now should be treated as expired
+      const nowSeconds = Math.floor(Date.now() / 1000)
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          // Bug: Uses >= instead of > allowing exp === now
+          if (payload.exp && payload.exp >= Math.floor(Date.now() / 1000)) {
+            return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+          }
+          return { valid: false, error: 'Token expired' }
+        },
+      })
+      // Token that expires exactly now
+      const boundaryToken = createTestJWT({
+        sub: 'user123',
+        exp: nowSeconds,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${boundaryToken}` },
+      })
+      // Should be rejected - exp === now means expired
+      expect(res.status).toBe(401)
+    })
+    it('should reject tokens with exp as string instead of number', async () => {
+      // RED: Type coercion attack - exp as string
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          // Bug: Doesn't validate exp is a number
+          if (payload.exp && payload.exp > Math.floor(Date.now() / 1000)) {
+            return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+          }
+          return { valid: false, error: 'Token expired' }
+        },
+      })
+      // exp as string that coerces to large number
+      const stringExpToken = createTestJWT({
+        sub: 'user123',
+        exp: '9999999999', // String, not number
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${stringExpToken}` },
+      })
+      // Should reject - exp must be a number
+      expect(res.status).toBe(401)
+    })
+    it('should reject tokens with exp as array', async () => {
+      // RED: Type confusion - exp as array
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          // Bug: Doesn't check if exp is actually a number
+          if (payload.exp > Math.floor(Date.now() / 1000)) {
+            return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+          }
+          return { valid: false, error: 'Token expired' }
+        },
+      })
+      // exp as array
+      const arrayExpToken = createTestJWT({
+        sub: 'user123',
+        exp: [9999999999],
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${arrayExpToken}` },
+      })
+      // Should reject - exp must be a number
+      expect(res.status).toBe(401)
+    })
+    it('should reject tokens with exp as object', async () => {
+      // RED: Type confusion - exp as object
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          if (payload.exp > Math.floor(Date.now() / 1000)) {
+            return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+          }
+          return { valid: false, error: 'Token expired' }
+        },
+      })
+      // exp as object with valueOf
+      const objectExpToken = createTestJWT({
+        sub: 'user123',
+        exp: { valueOf: 9999999999 },
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${objectExpToken}` },
+      })
+      // Should reject - exp must be a number
+      expect(res.status).toBe(401)
+    })
+    it('should reject tokens with exp as Infinity', async () => {
+      // RED: Never-expiring token attack
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          if (!isFinite(payload.exp)) {
+            return { valid: false, error: 'Invalid expiration' }
+          }
+          if (payload.exp > Math.floor(Date.now() / 1000)) {
+            return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+          }
+          return { valid: false, error: 'Token expired' }
+        },
+      })
+      // This test would need special handling since JSON doesn't support Infinity
+      // We test with a very large number instead
+      const infinityLikeToken = createTestJWT({
+        sub: 'user123',
+        exp: Number.MAX_SAFE_INTEGER,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${infinityLikeToken}` },
+      })
+      // Should reject tokens with unreasonably far future exp
+      expect(res.status).toBe(401)
+    })
+    it('should enforce maximum token lifetime', async () => {
+      // RED: Tokens with exp too far in the future should be rejected
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          const now = Math.floor(Date.now() / 1000)
+          const maxLifetime = 24 * 60 * 60 // 24 hours max
+          // Bug: No maximum lifetime check
+          if (payload.exp && payload.exp > now) {
+            return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+          }
+          return { valid: false, error: 'Token expired' }
+        },
+      })
+      // Token valid for 1 year (should be rejected)
+      const longLivedToken = createTestJWT({
+        sub: 'user123',
+        exp: Math.floor(Date.now() / 1000) + 365 * 24 * 60 * 60,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${longLivedToken}` },
+      })
+      // Should reject - token lifetime exceeds maximum
+      expect(res.status).toBe(401)
+    })
+  })
+})
+// =============================================================================
+// 3. INVALID SIGNATURES - COMPREHENSIVE
+// =============================================================================
+describe('[RED] Invalid Signature Handling', () => {
+  describe('Signature manipulation attacks', () => {
+    it.fails('should reject signature with appended data', async () => {
+      // RED: Appending data to valid signature
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          if (parts.length !== 3) return { valid: false, error: 'Invalid' }
+          const payload = JSON.parse(atob(parts[1]))
+          // Bug: Doesn't verify signature integrity
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      const tokenWithAppendedSig = createTestJWT(
+        { sub: 'user123', exp: Math.floor(Date.now() / 1000) + 3600 },
+        { signature: 'valid-signature-APPENDED_DATA' }
+      )
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${tokenWithAppendedSig}` },
+      })
+      expect(res.status).toBe(401)
+    })
+    it.fails('should reject signature with prepended data', async () => {
+      // RED: Prepending data to valid signature
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          if (parts.length !== 3) return { valid: false, error: 'Invalid' }
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      const tokenWithPrependedSig = createTestJWT(
+        { sub: 'user123', exp: Math.floor(Date.now() / 1000) + 3600 },
+        { signature: 'PREPENDED_DATA-valid-signature' }
+      )
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${tokenWithPrependedSig}` },
+      })
+      expect(res.status).toBe(401)
+    })
+    it.fails('should reject signature with modified byte', async () => {
+      // RED: Single byte modification in signature
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          if (parts.length !== 3) return { valid: false, error: 'Invalid' }
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      // Signature with one character changed
+      const modifiedSigToken = createTestJWT(
+        { sub: 'user123', exp: Math.floor(Date.now() / 1000) + 3600 },
+        { signature: 'valid-signaturX' } // X instead of e
+      )
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${modifiedSigToken}` },
+      })
+      expect(res.status).toBe(401)
+    })
+    it.fails('should reject base64url vs base64 confusion in signature', async () => {
+      // RED: Base64 encoding confusion attack
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          if (parts.length !== 3) return { valid: false, error: 'Invalid' }
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      // Use standard base64 characters instead of base64url
+      const base64ConfusionToken = createTestJWT(
+        { sub: 'user123', exp: Math.floor(Date.now() / 1000) + 3600 },
+        { signature: 'sig+with/base64+chars==' } // + and / instead of - and _
+      )
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${base64ConfusionToken}` },
+      })
+      // Should normalize and reject if doesn't match
+      expect(res.status).toBe(401)
+    })
+  })
+})
+// =============================================================================
+// 4. RATE LIMITING - BRUTE FORCE PREVENTION
+// =============================================================================
+describe('[RED] Rate Limiting Brute Force Prevention', () => {
+  describe('Rate limit bypass attempts', () => {
+    it('should rate limit by IP address, not just by token', async () => {
+      // RED: Current implementation rate limits by token prefix
+      // Attacker can bypass by using different tokens from same IP
+      const requestsFromIP = new Map<string, number>()
+      const ipRateLimit = 100
+      const app = new Hono<{ Variables: { auth: AuthContext } }>()
+      app.use('*', async (c, next) => {
+        const ip = c.req.header('CF-Connecting-IP') || '127.0.0.1'
+        const count = (requestsFromIP.get(ip) || 0) + 1
+        requestsFromIP.set(ip, count)
+        if (count > ipRateLimit) {
+          return c.json({ error: true, code: 'RATE_LIMITED' }, 429)
+        }
+        return next()
+      })
+      app.use('*', createAuthMiddleware({
+        validateToken: async () => ({ valid: false, error: 'Invalid' }),
+      }))
+      app.get('/api/protected', (c) => c.json({ success: true }))
+      // Attacker tries many different tokens from same IP
+      for (let i = 0; i < ipRateLimit + 10; i++) {
+        clearTokenCache()
+        const uniqueToken = createTestJWT({ sub: `attempt-${i}` })
+        const res = await app.request('/api/protected', {
+          headers: {
+            Authorization: `Bearer ${uniqueToken}`,
+            'CF-Connecting-IP': '192.168.1.100',
+          },
+        })
+        if (i >= ipRateLimit) {
+          // Should be rate limited by IP
+          expect(res.status).toBe(429)
+        }
+      }
+    })
+    it.fails('should implement exponential backoff for repeated failures', async () => {
+      // RED: Should increase delay between allowed attempts after failures
+      const failureCount = new Map<string, { count: number; lastAttempt: number }>()
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const key = token.slice(0, 20)
+          const entry = failureCount.get(key) || { count: 0, lastAttempt: 0 }
+          const now = Date.now()
+          // Exponential backoff: 2^failures seconds
+          const requiredDelay = Math.pow(2, entry.count) * 1000
+          if (now - entry.lastAttempt < requiredDelay) {
+            return { valid: false, error: 'Rate limited - exponential backoff' }
+          }
+          entry.count++
+          entry.lastAttempt = now
+          failureCount.set(key, entry)
+          return { valid: false, error: 'Invalid token' }
+        },
+      })
+      const token = createTestJWT({ sub: 'brute-force-attempt' })
+      // Rapid sequential requests should be blocked with increasing delays
+      const results: number[] = []
+      for (let i = 0; i < 5; i++) {
+        clearTokenCache()
+        const res = await app.request('/api/protected', {
+          headers: { Authorization: `Bearer ${token}` },
+        })
+        results.push(res.status)
+      }
+      // After several attempts, should see rate limiting
+      expect(results.filter((s) => s === 429).length).toBeGreaterThan(0)
+    })
+    it('should prevent distributed brute force from multiple IPs', async () => {
+      // RED: Should detect patterns across multiple IPs targeting same account
+      const targetUser = 'victim@example.com'
+      const attemptsByTarget = new Map<string, number>()
+      const distributedLimit = 50
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          const targetEmail = payload.email
+          if (targetEmail) {
+            const count = (attemptsByTarget.get(targetEmail) || 0) + 1
+            attemptsByTarget.set(targetEmail, count)
+            if (count > distributedLimit) {
+              return { valid: false, error: 'Account locked due to suspicious activity' }
+            }
+          }
+          return { valid: false, error: 'Invalid credentials' }
+        },
+      })
+      // Distributed attack from different IPs
+      for (let i = 0; i < distributedLimit + 10; i++) {
+        clearTokenCache()
+        const token = createTestJWT({
+          sub: 'unknown',
+          email: targetUser,
+          password_attempt: `password${i}`,
+        })
+        const res = await app.request('/api/protected', {
+          headers: {
+            Authorization: `Bearer ${token}`,
+            'CF-Connecting-IP': `192.168.${Math.floor(i / 255)}.${i % 255}`,
+          },
+        })
+        if (i >= distributedLimit) {
+          // Should detect distributed attack and lock account
+          expect(res.status).toBe(429)
+        }
+      }
+    })
+    it('should apply stricter rate limits for sensitive operations', async () => {
+      // RED: Different rate limits for different endpoints
+      const requestCounts = new Map<string, number>()
+      const app = new Hono<{ Variables: { auth: AuthContext } }>()
+      app.use('*', createAuthMiddleware({
+        validateToken: async () => ({
+          valid: true,
+          user: { id: 'user123', email: 'test@test.com' },
+        }),
+      }))
+      // Stricter rate limit for sensitive endpoint
+      app.get('/api/admin', async (c, next) => {
+        const key = 'admin'
+        const count = (requestCounts.get(key) || 0) + 1
+        requestCounts.set(key, count)
+        if (count > 5) { // Only 5 requests allowed
+          return c.json({ error: true, code: 'RATE_LIMITED' }, 429)
+        }
+        return c.json({ admin: true })
+      })
+      const token = createTestJWT({ sub: 'user123' })
+      // Should hit rate limit quickly for admin endpoint
+      for (let i = 0; i < 10; i++) {
+        clearTokenCache()
+        const res = await app.request('/api/admin', {
+          headers: { Authorization: `Bearer ${token}` },
+        })
+        if (i >= 5) {
+          expect(res.status).toBe(429)
+        }
+      }
+    })
+  })
+})
+// =============================================================================
+// 5. SQL INJECTION IN CLAIMS
+// =============================================================================
+describe('[RED] SQL Injection in Claims', () => {
+  describe('SQL injection vectors in user ID', () => {
+    it('should block union-based SQL injection in sub claim', async () => {
+      // RED: UNION injection in user ID
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          // Returns user with potentially malicious ID
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      const unionInjectionToken = createTestJWT({
+        sub: "1' UNION SELECT * FROM users--",
+        exp: Math.floor(Date.now() / 1000) + 3600,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${unionInjectionToken}` },
+      })
+      // Should reject SQL injection patterns
+      expect(res.status).toBe(401)
+    })
+    it('should block time-based blind SQL injection', async () => {
+      // RED: Time-based blind injection
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      const blindInjectionToken = createTestJWT({
+        sub: "1'; WAITFOR DELAY '00:00:05'--",
+        exp: Math.floor(Date.now() / 1000) + 3600,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${blindInjectionToken}` },
+      })
+      expect(res.status).toBe(401)
+    })
+    it('should block stacked queries injection', async () => {
+      // RED: Stacked queries
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      const stackedToken = createTestJWT({
+        sub: "1'; DROP TABLE users; SELECT '1",
+        exp: Math.floor(Date.now() / 1000) + 3600,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${stackedToken}` },
+      })
+      expect(res.status).toBe(401)
+    })
+    it('should block SQL injection in email claim', async () => {
+      // RED: Injection via email claim
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          return {
+            valid: true,
+            user: { id: payload.sub, email: payload.email },
+          }
+        },
+      })
+      const emailInjectionToken = createTestJWT({
+        sub: 'user123',
+        email: "test@test.com'; DELETE FROM logs--",
+        exp: Math.floor(Date.now() / 1000) + 3600,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${emailInjectionToken}` },
+      })
+      expect(res.status).toBe(401)
+    })
+    it.fails('should block SQL injection in custom metadata claims', async () => {
+      // RED: Injection via custom claims
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          return {
+            valid: true,
+            user: {
+              id: payload.sub,
+              email: 'test@test.com',
+              metadata: { tenantId: payload.tenant_id },
+            },
+          }
+        },
+      })
+      const metadataInjectionToken = createTestJWT({
+        sub: 'user123',
+        tenant_id: "tenant-a' OR '1'='1",
+        exp: Math.floor(Date.now() / 1000) + 3600,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${metadataInjectionToken}` },
+      })
+      expect(res.status).toBe(401)
+    })
+    it('should block NoSQL injection in claims', async () => {
+      // RED: NoSQL/MongoDB-style injection
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      const nosqlInjectionToken = createTestJWT({
+        sub: { $gt: '' }, // MongoDB injection
+        exp: Math.floor(Date.now() / 1000) + 3600,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${nosqlInjectionToken}` },
+      })
+      expect(res.status).toBe(401)
+    })
+    it.fails('should block LDAP injection in claims', async () => {
+      // RED: LDAP injection if claims are used in LDAP queries
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      const ldapInjectionToken = createTestJWT({
+        sub: '*)(uid=*))(|(uid=*',
+        exp: Math.floor(Date.now() / 1000) + 3600,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${ldapInjectionToken}` },
+      })
+      expect(res.status).toBe(401)
+    })
+  })
+  describe('Database ID generation security', () => {
+    it('should sanitize all SQL metacharacters in generateDatabaseId', async () => {
+      // RED: generateDatabaseId may not sanitize all dangerous patterns
+      const dangerousInputs = [
+        "user'; DROP TABLE--",
+        'user/**/UNION/**/SELECT',
+        'user%00admin',
+        'user\x00admin',
+        'user\nadmin',
+        'user\radmin',
+        "user\\'admin",
+        'user\\admin',
+        'user`admin`',
+        'user$(whoami)',
+        'user|cat /etc/passwd',
+        'user&& ls',
+        'user; ls',
+      ]
+      for (const input of dangerousInputs) {
+        const dbId = generateDatabaseId(input)
+        // Should not contain any dangerous characters
+        expect(dbId).not.toMatch(/[';"\-\-\/\*\x00\n\r\\`$|&;]/)
+        // Should be alphanumeric with underscores only
+        expect(dbId).toMatch(/^[a-zA-Z0-9_]+$/)
+      }
+    })
+  })
+})
+// =============================================================================
+// 6. CLOCK SKEW HANDLING
+// =============================================================================
+describe('[RED] Clock Skew Handling', () => {
+  describe('Clock skew edge cases', () => {
+    it('should reject tokens with exp exactly at clock skew boundary', async () => {
+      // RED: Boundary condition at exactly MAX_CLOCK_SKEW_SECONDS
+      const MAX_CLOCK_SKEW = 60 // From auth.ts
+      const now = Math.floor(Date.now() / 1000)
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          // Uses <= which allows tokens at exactly the boundary
+          if (payload.exp + MAX_CLOCK_SKEW >= now) {
+            return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+          }
+          return { valid: false, error: 'Token expired' }
+        },
+      })
+      // Token expired exactly MAX_CLOCK_SKEW seconds ago (boundary)
+      const boundaryToken = createTestJWT({
+        sub: 'user123',
+        exp: now - MAX_CLOCK_SKEW,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${boundaryToken}` },
+      })
+      // Should be rejected at exactly the boundary
+      expect(res.status).toBe(401)
+    })
+    it('should reject tokens with nbf exactly at clock skew boundary', async () => {
+      // RED: Boundary condition for not-before claim
+      const MAX_CLOCK_SKEW = 60
+      const now = Math.floor(Date.now() / 1000)
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          // Uses >= which allows tokens at exactly the boundary
+          if (payload.nbf - MAX_CLOCK_SKEW <= now) {
+            return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+          }
+          return { valid: false, error: 'Token not yet valid' }
+        },
+      })
+      // Token becomes valid exactly MAX_CLOCK_SKEW seconds in the future (boundary)
+      const boundaryToken = createTestJWT({
+        sub: 'user123',
+        nbf: now + MAX_CLOCK_SKEW,
+        exp: now + 3600,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${boundaryToken}` },
+      })
+      // Should be rejected at exactly the boundary
+      expect(res.status).toBe(401)
+    })
+    it('should handle clock skew when iat is in the future', async () => {
+      // RED: iat (issued at) in the future indicates clock issues or forgery
+      const now = Math.floor(Date.now() / 1000)
+      const MAX_CLOCK_SKEW = 60
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          // Check if iat is unreasonably in the future
+          if (payload.iat && payload.iat > now + MAX_CLOCK_SKEW) {
+            return { valid: false, error: 'Token issued in the future' }
+          }
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      // Token with iat 5 minutes in the future
+      const futureIatToken = createTestJWT({
+        sub: 'user123',
+        iat: now + 300,
+        exp: now + 3600,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${futureIatToken}` },
+      })
+      // Should reject - iat too far in future
+      expect(res.status).toBe(401)
+    })
+    it('should apply clock skew consistently across all time claims', async () => {
+      // RED: Clock skew should be applied to exp, nbf, and iat consistently
+      const now = Math.floor(Date.now() / 1000)
+      const MAX_CLOCK_SKEW = 60
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          // Check all time claims with consistent skew
+          const effectiveNow = now
+          // exp check (with skew)
+          if (payload.exp && payload.exp + MAX_CLOCK_SKEW < effectiveNow) {
+            return { valid: false, error: 'Token expired' }
+          }
+          // nbf check (with skew)
+          if (payload.nbf && payload.nbf - MAX_CLOCK_SKEW > effectiveNow) {
+            return { valid: false, error: 'Token not yet valid' }
+          }
+          // iat check (with skew)
+          if (payload.iat && payload.iat - MAX_CLOCK_SKEW > effectiveNow) {
+            return { valid: false, error: 'Token from future' }
+          }
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      // Token with slightly future iat but within skew
+      const slightlyFutureToken = createTestJWT({
+        sub: 'user123',
+        iat: now + 30, // 30 seconds in future (within 60s skew)
+        nbf: now - 10,
+        exp: now + 3600,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${slightlyFutureToken}` },
+      })
+      // Should accept - within clock skew tolerance
+      expect(res.status).toBe(200)
+    })
+    it('should not allow clock skew to extend token lifetime', async () => {
+      // RED: Clock skew should not effectively extend token lifetime
+      const now = Math.floor(Date.now() / 1000)
+      const MAX_CLOCK_SKEW = 60
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          // Token lifetime should be measured from iat to exp
+          const lifetime = payload.exp - payload.iat
+          const maxLifetime = 24 * 60 * 60 // 24 hours
+          // Bug: Attacker can set iat in the past to extend effective lifetime
+          if (lifetime > maxLifetime) {
+            return { valid: false, error: 'Token lifetime too long' }
+          }
+          return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+        },
+      })
+      // Attacker sets iat far in past to get longer effective lifetime
+      const extendedToken = createTestJWT({
+        sub: 'user123',
+        iat: now - 365 * 24 * 60 * 60, // 1 year ago
+        exp: now + 3600,
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${extendedToken}` },
+      })
+      // Should reject - effective lifetime exceeds maximum
+      expect(res.status).toBe(401)
+    })
+    it('should validate that exp > nbf', async () => {
+      // RED: Invalid token where exp is before nbf
+      const now = Math.floor(Date.now() / 1000)
+      const app = createTestApp({
+        validateToken: async (token: string) => {
+          const parts = token.split('.')
+          const payload = JSON.parse(atob(parts[1]))
+          // Bug: Doesn't check that exp > nbf
+          if (payload.exp > now) {
+            return { valid: true, user: { id: payload.sub, email: 'test@test.com' } }
+          }
+          return { valid: false, error: 'Token expired' }
+        },
+      })
+      // Invalid: exp before nbf
+      const invalidToken = createTestJWT({
+        sub: 'user123',
+        nbf: now + 7200,
+        exp: now + 3600, // exp before nbf
+      })
+      const res = await app.request('/api/protected', {
+        headers: { Authorization: `Bearer ${invalidToken}` },
+      })
+      // Should reject - logically invalid time claims
+      expect(res.status).toBe(401)
+    })
+  })
+})