npm - @edge-base/server - Versions diffs - 0.1.1 - Mend

@edge-base/server 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/admin-build/.gitkeep +0 -0
package/admin-build/_app/env.js +1 -0
package/admin-build/_app/immutable/assets/0.Bm6cF078.css +1 -0
package/admin-build/_app/immutable/assets/1.BfW3pUNa.css +1 -0
package/admin-build/_app/immutable/assets/11.CVmQOewb.css +1 -0
package/admin-build/_app/immutable/assets/12.B1EhbRZT.css +1 -0
package/admin-build/_app/immutable/assets/13.BvwYeuwE.css +1 -0
package/admin-build/_app/immutable/assets/14.CdVfcO0R.css +1 -0
package/admin-build/_app/immutable/assets/15.2yeZ66b-.css +1 -0
package/admin-build/_app/immutable/assets/17.BVg0JEVu.css +1 -0
package/admin-build/_app/immutable/assets/18.Rwnl3x_i.css +1 -0
package/admin-build/_app/immutable/assets/20.DsPWA9AV.css +1 -0
package/admin-build/_app/immutable/assets/21.Dz2RJ56c.css +1 -0
package/admin-build/_app/immutable/assets/22.DwNLk5Ai.css +1 -0
package/admin-build/_app/immutable/assets/23.CFpu0gOO.css +1 -0
package/admin-build/_app/immutable/assets/24.Cy5LBeoJ.css +1 -0
package/admin-build/_app/immutable/assets/25.pUyLVf-h.css +1 -0
package/admin-build/_app/immutable/assets/26.DBcGrlXa.css +1 -0
package/admin-build/_app/immutable/assets/27.BswYyAJD.css +1 -0
package/admin-build/_app/immutable/assets/28.B4ueB1Kf.css +1 -0
package/admin-build/_app/immutable/assets/29.B-qU6PdF.css +1 -0
package/admin-build/_app/immutable/assets/3.Dg81Pgmd.css +1 -0
package/admin-build/_app/immutable/assets/30.CsdWum94.css +1 -0
package/admin-build/_app/immutable/assets/31.U6OwIp50.css +1 -0
package/admin-build/_app/immutable/assets/4.CyawCCux.css +1 -0
package/admin-build/_app/immutable/assets/5.C0YO2HTk.css +1 -0
package/admin-build/_app/immutable/assets/8.Br5jd6kD.css +1 -0
package/admin-build/_app/immutable/assets/Badge.EMYLHBxE.css +1 -0
package/admin-build/_app/immutable/assets/Button.DpzMRTjK.css +1 -0
package/admin-build/_app/immutable/assets/ConfirmDialog.DAnaWRRk.css +1 -0
package/admin-build/_app/immutable/assets/EmptyState.CwKsu57Y.css +1 -0
package/admin-build/_app/immutable/assets/Input.BDUSenmU.css +1 -0
package/admin-build/_app/immutable/assets/Modal.Dm5B0Xie.css +1 -0
package/admin-build/_app/immutable/assets/PageShell.CmU-Xh-b.css +1 -0
package/admin-build/_app/immutable/assets/SchemaFieldEditor.g4NsCdno.css +1 -0
package/admin-build/_app/immutable/assets/Select.BW4Keufm.css +1 -0
package/admin-build/_app/immutable/assets/Skeleton.KWUulTKJ.css +1 -0
package/admin-build/_app/immutable/assets/Tabs.CniGYb67.css +1 -0
package/admin-build/_app/immutable/assets/TimeChart.BTCDAvmT.css +1 -0
package/admin-build/_app/immutable/assets/Toggle.Cy_K12OM.css +1 -0
package/admin-build/_app/immutable/assets/TopList.ClFzmPlA.css +1 -0
package/admin-build/_app/immutable/chunks/7B47DvSx.js +1 -0
package/admin-build/_app/immutable/chunks/7f08Id8e.js +1 -0
package/admin-build/_app/immutable/chunks/8wJeQ7LN.js +1 -0
package/admin-build/_app/immutable/chunks/B-h2afW5.js +1 -0
package/admin-build/_app/immutable/chunks/B8vJP3wz.js +1 -0
package/admin-build/_app/immutable/chunks/BR_fL5Yv.js +1 -0
package/admin-build/_app/immutable/chunks/BY92tFS2.js +1 -0
package/admin-build/_app/immutable/chunks/BcR-Rdj9.js +1 -0
package/admin-build/_app/immutable/chunks/BdrwyZv8.js +1 -0
package/admin-build/_app/immutable/chunks/Bh56EfQ_.js +1 -0
package/admin-build/_app/immutable/chunks/BkrCkgYp.js +1 -0
package/admin-build/_app/immutable/chunks/BmRjiP5k.js +1 -0
package/admin-build/_app/immutable/chunks/BsokvhWC.js +1 -0
package/admin-build/_app/immutable/chunks/C4D51vTW.js +1 -0
package/admin-build/_app/immutable/chunks/C6puvcoR.js +2 -0
package/admin-build/_app/immutable/chunks/CCKNu7m7.js +1 -0
package/admin-build/_app/immutable/chunks/CWj6FrbW.js +1 -0
package/admin-build/_app/immutable/chunks/Ce-ngf4p.js +5 -0
package/admin-build/_app/immutable/chunks/Cs0GwzJA.js +1 -0
package/admin-build/_app/immutable/chunks/CwROoZK0.js +1 -0
package/admin-build/_app/immutable/chunks/CxCPv_Ut.js +1 -0
package/admin-build/_app/immutable/chunks/CxbRue-5.js +1 -0
package/admin-build/_app/immutable/chunks/CyqB6g-D.js +1 -0
package/admin-build/_app/immutable/chunks/D5h5A1cc.js +2 -0
package/admin-build/_app/immutable/chunks/DnyL7Zq-.js +1 -0
package/admin-build/_app/immutable/chunks/DoPXzH7F.js +1 -0
package/admin-build/_app/immutable/chunks/DrQSgw-f.js +1 -0
package/admin-build/_app/immutable/chunks/DttM2zNO.js +1 -0
package/admin-build/_app/immutable/chunks/DuXuUBWN.js +1 -0
package/admin-build/_app/immutable/chunks/MdeqaOQx.js +10 -0
package/admin-build/_app/immutable/chunks/NuUjtcO2.js +1 -0
package/admin-build/_app/immutable/chunks/Q2nPFxS6.js +1 -0
package/admin-build/_app/immutable/chunks/R6arueIl.js +1 -0
package/admin-build/_app/immutable/chunks/UUazaC_N.js +1 -0
package/admin-build/_app/immutable/chunks/cOYbrQxx.js +1 -0
package/admin-build/_app/immutable/chunks/eFQHTGwA.js +1 -0
package/admin-build/_app/immutable/chunks/ehbppgYb.js +1 -0
package/admin-build/_app/immutable/chunks/glwixJlP.js +1 -0
package/admin-build/_app/immutable/chunks/vApWTCBs.js +1 -0
package/admin-build/_app/immutable/chunks/w89G9Xpi.js +1 -0
package/admin-build/_app/immutable/chunks/wJsUhbfZ.js +1 -0
package/admin-build/_app/immutable/chunks/zfauFM8P.js +1 -0
package/admin-build/_app/immutable/entry/app.CcO-Uos3.js +2 -0
package/admin-build/_app/immutable/entry/start.COebYq3I.js +1 -0
package/admin-build/_app/immutable/nodes/0.CjtHKU-6.js +1 -0
package/admin-build/_app/immutable/nodes/1.DEisjlM0.js +1 -0
package/admin-build/_app/immutable/nodes/10.CvhdyWVB.js +1 -0
package/admin-build/_app/immutable/nodes/11.DjHqcOvy.js +1 -0
package/admin-build/_app/immutable/nodes/12.mQLz4Mj_.js +1 -0
package/admin-build/_app/immutable/nodes/13.CBonZZyP.js +110 -0
package/admin-build/_app/immutable/nodes/14.d-oiZL0j.js +3 -0
package/admin-build/_app/immutable/nodes/15.CKPQsUYF.js +1 -0
package/admin-build/_app/immutable/nodes/16.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/17.DayhKyEZ.js +1 -0
package/admin-build/_app/immutable/nodes/18.DKwS0Ir0.js +1 -0
package/admin-build/_app/immutable/nodes/19.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/2.BKoKrw1i.js +1 -0
package/admin-build/_app/immutable/nodes/20.BvIkkkrW.js +1 -0
package/admin-build/_app/immutable/nodes/21.DMaFhdHk.js +128 -0
package/admin-build/_app/immutable/nodes/22.3xdgwuK1.js +1 -0
package/admin-build/_app/immutable/nodes/23.8Bvgjbsl.js +112 -0
package/admin-build/_app/immutable/nodes/24.DzSSzRhG.js +2 -0
package/admin-build/_app/immutable/nodes/25.9KKYBnAE.js +2 -0
package/admin-build/_app/immutable/nodes/26.Bhn9dfhY.js +1 -0
package/admin-build/_app/immutable/nodes/27.kRLiC24G.js +1 -0
package/admin-build/_app/immutable/nodes/28.BVIN1-7N.js +1 -0
package/admin-build/_app/immutable/nodes/29.3yabZWj4.js +1 -0
package/admin-build/_app/immutable/nodes/3.BFtSOkX7.js +2 -0
package/admin-build/_app/immutable/nodes/30.CyCQlwaP.js +1 -0
package/admin-build/_app/immutable/nodes/31.C4LDXjES.js +1 -0
package/admin-build/_app/immutable/nodes/4.CvbiMlCa.js +1 -0
package/admin-build/_app/immutable/nodes/5.C6BLv2eM.js +1 -0
package/admin-build/_app/immutable/nodes/6.BcXvfl2P.js +1 -0
package/admin-build/_app/immutable/nodes/7.CIuqhPiK.js +1 -0
package/admin-build/_app/immutable/nodes/8.BQOR_JfO.js +1 -0
package/admin-build/_app/immutable/nodes/9.NZqXQxPy.js +1 -0
package/admin-build/_app/version.json +1 -0
package/admin-build/favicon.svg +26 -0
package/admin-build/index.html +45 -0
package/openapi.json +19543 -0
package/package.json +66 -0
package/src/__tests__/admin-assets.test.ts +55 -0
package/src/__tests__/admin-data-routes.test.ts +488 -0
package/src/__tests__/admin-db-target.test.ts +103 -0
package/src/__tests__/admin-routing.test.ts +31 -0
package/src/__tests__/admin-user-management.test.ts +311 -0
package/src/__tests__/analytics-query.test.ts +75 -0
package/src/__tests__/auth-d1.test.ts +749 -0
package/src/__tests__/auth-db-adapter.test.ts +73 -0
package/src/__tests__/auth-jwt.test.ts +440 -0
package/src/__tests__/auth-oauth.test.ts +389 -0
package/src/__tests__/auth-password.test.ts +367 -0
package/src/__tests__/auth-redirect.test.ts +87 -0
package/src/__tests__/backup-restore.test.ts +711 -0
package/src/__tests__/broadcast.test.ts +128 -0
package/src/__tests__/cli.test.ts +178 -0
package/src/__tests__/cloudflare-realtime.test.ts +113 -0
package/src/__tests__/config.test.ts +469 -0
package/src/__tests__/cors.test.ts +154 -0
package/src/__tests__/cron.test.ts +302 -0
package/src/__tests__/d1-handler.test.ts +402 -0
package/src/__tests__/d1-sql.test.ts +120 -0
package/src/__tests__/database-live-config.test.ts +42 -0
package/src/__tests__/database-live-emitter.test.ts +56 -0
package/src/__tests__/database-live-filters.test.ts +63 -0
package/src/__tests__/database-live-route.test.ts +113 -0
package/src/__tests__/db-sql.test.ts +163 -0
package/src/__tests__/do-lifecycle.test.ts +263 -0
package/src/__tests__/do-router.test.ts +729 -0
package/src/__tests__/email-provider.test.ts +128 -0
package/src/__tests__/email-templates.test.ts +528 -0
package/src/__tests__/error-format.test.ts +250 -0
package/src/__tests__/field-ops.test.ts +242 -0
package/src/__tests__/functions-context.test.ts +334 -0
package/src/__tests__/functions-d1-proxy.test.ts +229 -0
package/src/__tests__/functions-registry-runtime-config.test.ts +17 -0
package/src/__tests__/functions-route.test.ts +139 -0
package/src/__tests__/internal-request.test.ts +77 -0
package/src/__tests__/log-writer.test.ts +44 -0
package/src/__tests__/logger.test.ts +58 -0
package/src/__tests__/meta-admin-proxy.test.ts +48 -0
package/src/__tests__/meta-export-coverage.test.ts +191 -0
package/src/__tests__/meta-route-registration.test.ts +47 -0
package/src/__tests__/namespace-dump.test.ts +28 -0
package/src/__tests__/oauth-providers.test.ts +337 -0
package/src/__tests__/openapi-coverage.test.ts +144 -0
package/src/__tests__/pagination.test.ts +59 -0
package/src/__tests__/password-policy.test.ts +191 -0
package/src/__tests__/plugin-migrations.test.ts +379 -0
package/src/__tests__/postgres-batch-compat.test.ts +133 -0
package/src/__tests__/postgres-dialect.test.ts +328 -0
package/src/__tests__/postgres-executor.test.ts +79 -0
package/src/__tests__/postgres-field-ops-compat.test.ts +222 -0
package/src/__tests__/postgres-schema-init.test.ts +105 -0
package/src/__tests__/postgres-table-utils.test.ts +107 -0
package/src/__tests__/presence.test.ts +199 -0
package/src/__tests__/provider.test.ts +550 -0
package/src/__tests__/public-user-profile.test.ts +339 -0
package/src/__tests__/push-handlers.test.ts +179 -0
package/src/__tests__/push-provider.test.ts +80 -0
package/src/__tests__/push-token.test.ts +418 -0
package/src/__tests__/query.test.ts +771 -0
package/src/__tests__/rate-limit.test.ts +260 -0
package/src/__tests__/room-access-policy.test.ts +101 -0
package/src/__tests__/room-handler-context.test.ts +130 -0
package/src/__tests__/room-monitoring.test.ts +138 -0
package/src/__tests__/room-runtime-routing.test.ts +222 -0
package/src/__tests__/room.test.ts +254 -0
package/src/__tests__/route-parser.test.ts +490 -0
package/src/__tests__/rules.test.ts +234 -0
package/src/__tests__/runtime-surface-accounting.test.ts +120 -0
package/src/__tests__/scheduled.test.ts +80 -0
package/src/__tests__/schema.test.ts +1273 -0
package/src/__tests__/security-hardening.test.ts +312 -0
package/src/__tests__/server.unit.test.ts +333 -0
package/src/__tests__/service-key-db-proxy.test.ts +650 -0
package/src/__tests__/service-key-provider-bypass.test.ts +138 -0
package/src/__tests__/service-key.test.ts +757 -0
package/src/__tests__/smoke-skip-report.test.ts +72 -0
package/src/__tests__/sms-provider.test.ts +39 -0
package/src/__tests__/sql-route.test.ts +218 -0
package/src/__tests__/storage-hook-context.test.ts +115 -0
package/src/__tests__/totp.test.ts +200 -0
package/src/__tests__/uuid.test.ts +144 -0
package/src/__tests__/validation.test.ts +773 -0
package/src/__tests__/websocket-pending.test.ts +163 -0
package/src/_functions-registry.ts +51 -0
package/src/bench-entry.ts +9 -0
package/src/cloudflare-test.d.ts +1 -0
package/src/durable-objects/auth-do.ts +49 -0
package/src/durable-objects/database-do.ts +2240 -0
package/src/durable-objects/database-live-do.ts +949 -0
package/src/durable-objects/logs-do.ts +1200 -0
package/src/durable-objects/room-runtime-base.ts +1604 -0
package/src/durable-objects/rooms-do.ts +2191 -0
package/src/generated-config.ts +6 -0
package/src/index.ts +382 -0
package/src/lib/admin-assets.ts +54 -0
package/src/lib/admin-db-target.ts +301 -0
package/src/lib/admin-routing.ts +35 -0
package/src/lib/admin-user-management.ts +464 -0
package/src/lib/analytics-adapter.ts +103 -0
package/src/lib/analytics-query.ts +579 -0
package/src/lib/auth-d1-service.ts +1193 -0
package/src/lib/auth-d1.ts +1056 -0
package/src/lib/auth-db-adapter.ts +289 -0
package/src/lib/auth-redirect.ts +116 -0
package/src/lib/cidr.ts +115 -0
package/src/lib/client-ip.ts +51 -0
package/src/lib/cloudflare-realtime.ts +251 -0
package/src/lib/control-db.ts +36 -0
package/src/lib/cron.ts +163 -0
package/src/lib/d1-handler.ts +1425 -0
package/src/lib/d1-schema-init.ts +255 -0
package/src/lib/d1-sql.ts +33 -0
package/src/lib/database-live-config.ts +24 -0
package/src/lib/database-live-emitter.ts +111 -0
package/src/lib/db-sql.ts +66 -0
package/src/lib/do-retry.ts +36 -0
package/src/lib/do-router.ts +270 -0
package/src/lib/do-sql.ts +73 -0
package/src/lib/email-provider.ts +379 -0
package/src/lib/email-templates.ts +285 -0
package/src/lib/email-translations.ts +422 -0
package/src/lib/errors.ts +151 -0
package/src/lib/functions.ts +2091 -0
package/src/lib/hono.ts +56 -0
package/src/lib/internal-request.ts +56 -0
package/src/lib/jwt.ts +354 -0
package/src/lib/log-writer.ts +272 -0
package/src/lib/namespace-dump.ts +125 -0
package/src/lib/oauth-providers.ts +1225 -0
package/src/lib/op-parser.ts +99 -0
package/src/lib/openapi.ts +146 -0
package/src/lib/pagination.ts +19 -0
package/src/lib/password-policy.ts +102 -0
package/src/lib/password.ts +145 -0
package/src/lib/plugin-migrations.ts +612 -0
package/src/lib/postgres-executor.ts +203 -0
package/src/lib/postgres-handler.ts +1102 -0
package/src/lib/postgres-schema-init.ts +341 -0
package/src/lib/postgres-table-utils.ts +87 -0
package/src/lib/public-user-profile.ts +187 -0
package/src/lib/push-provider.ts +409 -0
package/src/lib/push-token.ts +294 -0
package/src/lib/query-engine.ts +768 -0
package/src/lib/room-monitoring.ts +97 -0
package/src/lib/room-runtime.ts +14 -0
package/src/lib/route-parser.ts +434 -0
package/src/lib/schema.ts +538 -0
package/src/lib/schemas.ts +152 -0
package/src/lib/service-key.ts +419 -0
package/src/lib/sms-provider.ts +230 -0
package/src/lib/startup-config.ts +99 -0
package/src/lib/totp.ts +242 -0
package/src/lib/uuid.ts +87 -0
package/src/lib/validation.ts +205 -0
package/src/lib/version.ts +2 -0
package/src/lib/websocket-pending.ts +40 -0
package/src/middleware/auth.ts +169 -0
package/src/middleware/captcha-verify.ts +217 -0
package/src/middleware/cors.ts +159 -0
package/src/middleware/error-handler.ts +54 -0
package/src/middleware/internal-guard.ts +26 -0
package/src/middleware/logger.ts +126 -0
package/src/middleware/rate-limit.ts +283 -0
package/src/middleware/rules.ts +475 -0
package/src/routes/admin-auth.ts +447 -0
package/src/routes/admin.ts +3501 -0
package/src/routes/analytics-api.ts +290 -0
package/src/routes/auth.ts +4222 -0
package/src/routes/backup.ts +1466 -0
package/src/routes/config.ts +53 -0
package/src/routes/d1.ts +109 -0
package/src/routes/database-live.ts +281 -0
package/src/routes/functions.ts +155 -0
package/src/routes/health.ts +32 -0
package/src/routes/kv.ts +167 -0
package/src/routes/oauth.ts +1055 -0
package/src/routes/push.ts +1465 -0
package/src/routes/room.ts +639 -0
package/src/routes/schema-endpoint.ts +76 -0
package/src/routes/sql.ts +176 -0
package/src/routes/storage.ts +1674 -0
package/src/routes/tables.ts +699 -0
package/src/routes/users.ts +21 -0
package/src/routes/vectorize.ts +372 -0
package/src/types.ts +99 -0

package/src/__tests__/service-key-db-proxy.test.ts ADDED Viewed

@@ -0,0 +1,650 @@
+import { afterEach, describe, expect, it } from 'vitest';
+import { defineConfig } from '@edge-base/shared';
+import { EdgeBaseError } from '@edge-base/shared';
+import { setConfig } from '../lib/do-router.js';
+import { OpenAPIHono, type HonoEnv } from '../lib/hono.js';
+import { authMiddleware } from '../middleware/auth.js';
+import { errorHandlerMiddleware } from '../middleware/error-handler.js';
+import { rulesMiddleware } from '../middleware/rules.js';
+import { tablesRoute } from '../routes/tables.js';
+import type { Env } from '../types.js';
+function createApp() {
+  const app = new OpenAPIHono<HonoEnv>();
+  app.onError((err, c) => {
+    if (err instanceof EdgeBaseError) {
+      return c.json(err.toJSON(), err.code as 400);
+    }
+    return c.json({ code: 500, message: 'Internal server error.' }, 500);
+  });
+  app.use('*', errorHandlerMiddleware);
+  app.use('/api/*', authMiddleware);
+  app.use('/api/db/*', rulesMiddleware);
+  app.route('/api/db', tablesRoute);
+  return app;
+}
+function createEnv(
+  onFetch: (input: RequestInfo, init?: RequestInit) => void | Response | Promise<void | Response>,
+  overrides: Partial<Env> = {},
+): Env {
+  return {
+    DATABASE: {
+      idFromName: (name: string) => name as unknown as DurableObjectId,
+      get: () => ({
+        fetch: async (input: RequestInfo, init?: RequestInit) => {
+          const result = await onFetch(input, init);
+          if (result instanceof Response) {
+            return result;
+          }
+          return new Response(JSON.stringify({ ok: true }), {
+            status: 200,
+            headers: { 'Content-Type': 'application/json' },
+          });
+        },
+      }),
+    } as unknown as DurableObjectNamespace,
+    ...overrides,
+  } as Env;
+}
+function createAuthedApp(auth: Record<string, unknown>) {
+  const app = new OpenAPIHono<HonoEnv>();
+  app.onError((err, c) => {
+    if (err instanceof EdgeBaseError) {
+      return c.json(err.toJSON(), err.code as 400);
+    }
+    return c.json({ code: 500, message: 'Internal server error.' }, 500);
+  });
+  app.use('*', errorHandlerMiddleware);
+  app.use('/api/*', async (c, next) => {
+    c.set('auth' as never, auth as never);
+    return next();
+  });
+  app.use('/api/db/*', rulesMiddleware);
+  app.route('/api/db', tablesRoute);
+  return app;
+}
+describe('DB proxy service key forwarding', () => {
+  afterEach(() => {
+    setConfig({});
+  });
+  it('forwards X-Is-Service-Key for scoped Bearer keys that pass db scope validation', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        shared: {
+          provider: 'do',
+          tables: {
+            users: {},
+          },
+        },
+      },
+      serviceKeys: {
+        keys: [
+          {
+            kid: 'db1',
+            tier: 'scoped',
+            scopes: ['db:table:users:read'],
+            secretSource: 'inline',
+            inlineSecret: 'jb_db1_scoped',
+          },
+        ],
+      },
+    }));
+    let forwardedHeaders: Headers | null = null;
+    const app = createApp();
+    const response = await app.request('/api/db/shared/tables/users', {
+      method: 'GET',
+      headers: {
+        Authorization: 'Bearer jb_db1_scoped',
+      },
+    }, createEnv((_input, init) => {
+      forwardedHeaders = new Headers(init?.headers);
+    }));
+    expect(response.status).toBe(200);
+    expect(forwardedHeaders).not.toBeNull();
+    expect(forwardedHeaders!.get('X-Is-Service-Key')).toBe('true');
+  });
+  it('forwards X-Is-Service-Key for tenant-constrained Bearer keys when the db id matches', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        workspace: {
+          provider: 'do',
+          tables: {
+            users: {},
+          },
+        },
+      },
+      serviceKeys: {
+        keys: [
+          {
+            kid: 'tenant-db',
+            tier: 'scoped',
+            scopes: ['db:table:users:read'],
+            secretSource: 'inline',
+            inlineSecret: 'jb_tenant-db_scoped',
+            constraints: {
+              tenant: 'ws-123',
+              env: ['prod'],
+            },
+          },
+        ],
+      },
+    }));
+    let forwardedHeaders: Headers | null = null;
+    const app = createApp();
+    const response = await app.request('/api/db/workspace/ws-123/tables/users', {
+      method: 'GET',
+      headers: {
+        Authorization: 'Bearer jb_tenant-db_scoped',
+      },
+    }, createEnv((_input, init) => {
+      forwardedHeaders = new Headers(init?.headers);
+    }, {
+      ENVIRONMENT: 'prod',
+    }));
+    expect(response.status).toBe(200);
+    expect(forwardedHeaders).not.toBeNull();
+    expect(forwardedHeaders!.get('X-Is-Service-Key')).toBe('true');
+    expect(forwardedHeaders!.get('X-DO-Name')).toBe('workspace:ws-123');
+  });
+  it('does not bypass db rules when scoped Bearer key lacks the required db scope', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        shared: {
+          provider: 'do',
+          tables: {
+            users: {},
+          },
+        },
+      },
+      serviceKeys: {
+        keys: [
+          {
+            kid: 'db2',
+            tier: 'scoped',
+            scopes: ['storage:bucket:avatars:read'],
+            secretSource: 'inline',
+            inlineSecret: 'jb_db2_scoped',
+          },
+        ],
+      },
+    }));
+    let forwarded = false;
+    const app = createApp();
+    const response = await app.request('/api/db/shared/tables/users', {
+      method: 'GET',
+      headers: {
+        Authorization: 'Bearer jb_db2_scoped',
+      },
+    }, createEnv(() => {
+      forwarded = true;
+    }));
+    expect(response.status).toBe(401);
+    expect(forwarded).toBe(false);
+  });
+  it('does not bypass db rules when a tenant-constrained Bearer key targets another db id', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        workspace: {
+          provider: 'do',
+          tables: {
+            users: {},
+          },
+        },
+      },
+      serviceKeys: {
+        keys: [
+          {
+            kid: 'tenant-db-mismatch',
+            tier: 'scoped',
+            scopes: ['db:table:users:read'],
+            secretSource: 'inline',
+            inlineSecret: 'jb_tenant-db-mismatch_payload',
+            constraints: {
+              tenant: 'ws-123',
+              env: ['prod'],
+            },
+          },
+        ],
+      },
+    }));
+    let forwarded = false;
+    const app = createApp();
+    const response = await app.request('/api/db/workspace/ws-999/tables/users', {
+      method: 'GET',
+      headers: {
+        Authorization: 'Bearer jb_tenant-db-mismatch_payload',
+      },
+    }, createEnv(() => {
+      forwarded = true;
+    }, {
+      ENVIRONMENT: 'prod',
+    }));
+    expect(response.status).toBe(401);
+    expect(forwarded).toBe(false);
+  });
+  it('allows service-key dynamic DB bootstrap even when canCreate returns false', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        workspace: {
+          provider: 'do',
+          instance: true,
+          access: {
+            canCreate: () => false,
+          },
+          tables: {
+            users: {},
+          },
+        },
+      },
+      serviceKeys: {
+        keys: [
+          {
+            kid: 'dynamic-bootstrap',
+            tier: 'scoped',
+            scopes: ['db:table:users:write'],
+            secretSource: 'inline',
+            inlineSecret: 'jb_dynamic-bootstrap_scoped',
+          },
+        ],
+      },
+    }));
+    const forwardedHeaders: Headers[] = [];
+    let callCount = 0;
+    const app = createApp();
+    const response = await app.request('/api/db/workspace/ws-123/tables/users', {
+      method: 'POST',
+      headers: {
+        Authorization: 'Bearer jb_dynamic-bootstrap_scoped',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ id: 'u1' }),
+    }, createEnv((_input, init) => {
+      forwardedHeaders.push(new Headers(init?.headers));
+      callCount += 1;
+    }, {
+      DATABASE: {
+        idFromName: (name: string) => name as unknown as DurableObjectId,
+        get: () => ({
+          fetch: async (_input: RequestInfo, init?: RequestInit) => {
+            forwardedHeaders.push(new Headers(init?.headers));
+            callCount += 1;
+            if (callCount === 1) {
+              return new Response(JSON.stringify({ needsCreate: true, namespace: 'workspace', id: 'ws-123' }), {
+                status: 201,
+                headers: { 'Content-Type': 'application/json' },
+              });
+            }
+            return new Response(JSON.stringify({ ok: true }), {
+              status: 200,
+              headers: { 'Content-Type': 'application/json' },
+            });
+          },
+        }),
+      } as unknown as DurableObjectNamespace,
+    }));
+    expect(response.status).toBe(200);
+    expect(forwardedHeaders).toHaveLength(2);
+    expect(forwardedHeaders[0].get('X-Is-Service-Key')).toBe('true');
+    expect(forwardedHeaders[1].get('X-Is-Service-Key')).toBe('true');
+    expect(forwardedHeaders[1].get('X-DO-Create-Authorized')).toBe('1');
+  });
+  it('preserves the final 201 response body after dynamic DB bootstrap retry', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        workspace: {
+          provider: 'do',
+          instance: true,
+          access: {
+            canCreate: () => false,
+          },
+          tables: {
+            users: {},
+          },
+        },
+      },
+      serviceKeys: {
+        keys: [
+          {
+            kid: 'dynamic-create-body',
+            tier: 'scoped',
+            scopes: ['db:table:users:write'],
+            secretSource: 'inline',
+            inlineSecret: 'jb_dynamic-create-body_scoped',
+          },
+        ],
+      },
+    }));
+    let callCount = 0;
+    const app = createApp();
+    const response = await app.request('/api/db/workspace/ws-123/tables/users', {
+      method: 'POST',
+      headers: {
+        Authorization: 'Bearer jb_dynamic-create-body_scoped',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ id: 'u1', name: 'June' }),
+    }, {
+      ...createEnv(() => {}),
+      DATABASE: {
+        idFromName: (name: string) => name as unknown as DurableObjectId,
+        get: () => ({
+          fetch: async () => {
+            callCount += 1;
+            if (callCount === 1) {
+              return new Response(JSON.stringify({ needsCreate: true, namespace: 'workspace', id: 'ws-123' }), {
+                status: 201,
+                headers: { 'Content-Type': 'application/json' },
+              });
+            }
+            return new Response(JSON.stringify({ id: 'u1', name: 'June' }), {
+              status: 201,
+              headers: { 'Content-Type': 'application/json' },
+            });
+          },
+        }),
+      } as unknown as DurableObjectNamespace,
+    } as Env);
+    expect(response.status).toBe(201);
+    await expect(response.json()).resolves.toEqual({ id: 'u1', name: 'June' });
+  });
+  it('does not trust raw X-EdgeBase-Internal on public DB requests', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        workspace: {
+          provider: 'do',
+          instance: true,
+          access: {
+            access: () => false,
+          },
+          tables: {
+            users: {
+              access: {
+                read: () => true,
+              },
+            },
+          },
+        },
+      },
+    }));
+    let forwarded = false;
+    const app = createApp();
+    const response = await app.request('/api/db/workspace/ws-123/tables/users', {
+      method: 'GET',
+      headers: {
+        'X-EdgeBase-Internal': 'true',
+      },
+    }, createEnv(() => {
+      forwarded = true;
+    }));
+    expect(response.status).toBe(403);
+    expect(forwarded).toBe(false);
+  });
+  it('strips client-supplied bypass headers before forwarding to the database DO', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        workspace: {
+          provider: 'do',
+          instance: true,
+          tables: {
+            users: {
+              access: {
+                read: () => true,
+              },
+            },
+          },
+        },
+      },
+    }));
+    let forwardedHeaders: Headers | null = null;
+    const app = createApp();
+    const response = await app.request('/api/db/workspace/ws-123/tables/users', {
+      method: 'GET',
+      headers: {
+        'X-EdgeBase-Internal': 'true',
+        'X-Is-Service-Key': 'true',
+      },
+    }, createEnv((_input, init) => {
+      forwardedHeaders = new Headers(init?.headers);
+    }));
+    expect(response.status).toBe(200);
+    expect(forwardedHeaders).not.toBeNull();
+    expect(forwardedHeaders!.get('X-EdgeBase-Internal')).toBeNull();
+    expect(forwardedHeaders!.get('X-Is-Service-Key')).toBeNull();
+  });
+  it('supports dbRules.access() lookups through ctx.db.get()', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        shared: {
+          provider: 'do',
+          tables: {
+            servers: {
+              access: {
+                read: () => true,
+              },
+            },
+          },
+        },
+        server: {
+          provider: 'do',
+          instance: true,
+          access: {
+            async access(auth, id, ctx) {
+              if (!auth) return false;
+              const server = await ctx.db.get('servers', id);
+              return Array.isArray(server?.memberIds) && server.memberIds.includes(auth.id);
+            },
+          },
+          tables: {
+            serverMessages: {
+              access: {
+                read: () => true,
+              },
+            },
+          },
+        },
+      },
+    }));
+    let sharedLookups = 0;
+    let serverReads = 0;
+    const app = createAuthedApp({ id: 'user-1' });
+    const response = await app.request('/api/db/server/ws-123/tables/serverMessages', {
+      method: 'GET',
+    }, createEnv((_input, init) => {
+      const headers = new Headers(init?.headers);
+      const doName = headers.get('X-DO-Name');
+      if (doName === 'shared') {
+        sharedLookups += 1;
+        return new Response(JSON.stringify({ id: 'ws-123', memberIds: ['user-1'] }), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        });
+      }
+      if (doName === 'server:ws-123') {
+        serverReads += 1;
+        return new Response(JSON.stringify({ items: [] }), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        });
+      }
+      return new Response(JSON.stringify({ code: 404, message: 'missing' }), {
+        status: 404,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }));
+    expect(response.status).toBe(200);
+    expect(sharedLookups).toBe(1);
+    expect(serverReads).toBe(1);
+  });
+  it('supports dbRules.access() lookups through ctx.db.exists() in the current dynamic namespace', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        workspace: {
+          provider: 'do',
+          access: {
+            async access(auth, id, ctx) {
+              if (!auth) return false;
+              return ctx.db.exists('workspace_members', {
+                userId: auth.id,
+                workspaceId: id,
+                membershipStatus: 'active',
+              });
+            },
+          },
+          tables: {
+            workspace_members: {
+              access: {
+                read: () => true,
+              },
+            },
+            issues: {
+              access: {
+                read: () => true,
+              },
+            },
+          },
+        },
+      },
+    }));
+    let membershipLookups = 0;
+    let issueReads = 0;
+    const app = createAuthedApp({ id: 'user-1' });
+    const response = await app.request('/api/db/workspace/ws-123/tables/issues', {
+      method: 'GET',
+    }, createEnv((_input, init) => {
+      const headers = new Headers(init?.headers);
+      const doName = headers.get('X-DO-Name');
+      const url = typeof _input === 'string' ? _input : _input instanceof Request ? _input.url : String(_input);
+      if (doName === 'workspace:ws-123' && url.includes('/tables/workspace_members?')) {
+        membershipLookups += 1;
+        expect(headers.get('X-Is-Service-Key')).toBe('true');
+        expect(headers.get('X-EdgeBase-Internal')).toBe('true');
+        return new Response(JSON.stringify({
+          items: [{ id: 'member-1', userId: 'user-1', workspaceId: 'ws-123', membershipStatus: 'active' }],
+        }), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        });
+      }
+      if (doName === 'workspace:ws-123' && url.endsWith('/tables/issues')) {
+        issueReads += 1;
+        return new Response(JSON.stringify({ items: [] }), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        });
+      }
+      return new Response(JSON.stringify({ code: 404, message: 'missing' }), {
+        status: 404,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }));
+    expect(response.status).toBe(200);
+    expect(membershipLookups).toBe(1);
+    expect(issueReads).toBe(1);
+  });
+  it('does not fail closed when dynamic db access lookup takes longer than 50ms', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        workspace: {
+          provider: 'do',
+          access: {
+            async access(auth, id, ctx) {
+              if (!auth) return false;
+              return ctx.db.exists('workspace_members', {
+                userId: auth.id,
+                workspaceId: id,
+                membershipStatus: 'active',
+              });
+            },
+          },
+          tables: {
+            workspace_members: {
+              access: {
+                read: () => true,
+              },
+            },
+            issues: {
+              access: {
+                read: () => true,
+              },
+            },
+          },
+        },
+      },
+    }));
+    const app = createAuthedApp({ id: 'user-1' });
+    const response = await app.request('/api/db/workspace/ws-slow/tables/issues', {
+      method: 'GET',
+    }, createEnv(async (_input, init) => {
+      const headers = new Headers(init?.headers);
+      const doName = headers.get('X-DO-Name');
+      const url = typeof _input === 'string' ? _input : _input instanceof Request ? _input.url : String(_input);
+      if (doName === 'workspace:ws-slow' && url.includes('/tables/workspace_members?')) {
+        await new Promise((resolve) => setTimeout(resolve, 75));
+        return new Response(JSON.stringify({
+          items: [{ id: 'member-1', userId: 'user-1', workspaceId: 'ws-slow', membershipStatus: 'active' }],
+        }), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        });
+      }
+      if (doName === 'workspace:ws-slow' && url.endsWith('/tables/issues')) {
+        return new Response(JSON.stringify({ items: [] }), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        });
+      }
+      return new Response(JSON.stringify({ code: 404, message: 'missing' }), {
+        status: 404,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }));
+    expect(response.status).toBe(200);
+  });
+});