npm - @edge-base/server - Versions diffs - 0.1.1 - Mend

@edge-base/server 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/admin-build/.gitkeep +0 -0
package/admin-build/_app/env.js +1 -0
package/admin-build/_app/immutable/assets/0.Bm6cF078.css +1 -0
package/admin-build/_app/immutable/assets/1.BfW3pUNa.css +1 -0
package/admin-build/_app/immutable/assets/11.CVmQOewb.css +1 -0
package/admin-build/_app/immutable/assets/12.B1EhbRZT.css +1 -0
package/admin-build/_app/immutable/assets/13.BvwYeuwE.css +1 -0
package/admin-build/_app/immutable/assets/14.CdVfcO0R.css +1 -0
package/admin-build/_app/immutable/assets/15.2yeZ66b-.css +1 -0
package/admin-build/_app/immutable/assets/17.BVg0JEVu.css +1 -0
package/admin-build/_app/immutable/assets/18.Rwnl3x_i.css +1 -0
package/admin-build/_app/immutable/assets/20.DsPWA9AV.css +1 -0
package/admin-build/_app/immutable/assets/21.Dz2RJ56c.css +1 -0
package/admin-build/_app/immutable/assets/22.DwNLk5Ai.css +1 -0
package/admin-build/_app/immutable/assets/23.CFpu0gOO.css +1 -0
package/admin-build/_app/immutable/assets/24.Cy5LBeoJ.css +1 -0
package/admin-build/_app/immutable/assets/25.pUyLVf-h.css +1 -0
package/admin-build/_app/immutable/assets/26.DBcGrlXa.css +1 -0
package/admin-build/_app/immutable/assets/27.BswYyAJD.css +1 -0
package/admin-build/_app/immutable/assets/28.B4ueB1Kf.css +1 -0
package/admin-build/_app/immutable/assets/29.B-qU6PdF.css +1 -0
package/admin-build/_app/immutable/assets/3.Dg81Pgmd.css +1 -0
package/admin-build/_app/immutable/assets/30.CsdWum94.css +1 -0
package/admin-build/_app/immutable/assets/31.U6OwIp50.css +1 -0
package/admin-build/_app/immutable/assets/4.CyawCCux.css +1 -0
package/admin-build/_app/immutable/assets/5.C0YO2HTk.css +1 -0
package/admin-build/_app/immutable/assets/8.Br5jd6kD.css +1 -0
package/admin-build/_app/immutable/assets/Badge.EMYLHBxE.css +1 -0
package/admin-build/_app/immutable/assets/Button.DpzMRTjK.css +1 -0
package/admin-build/_app/immutable/assets/ConfirmDialog.DAnaWRRk.css +1 -0
package/admin-build/_app/immutable/assets/EmptyState.CwKsu57Y.css +1 -0
package/admin-build/_app/immutable/assets/Input.BDUSenmU.css +1 -0
package/admin-build/_app/immutable/assets/Modal.Dm5B0Xie.css +1 -0
package/admin-build/_app/immutable/assets/PageShell.CmU-Xh-b.css +1 -0
package/admin-build/_app/immutable/assets/SchemaFieldEditor.g4NsCdno.css +1 -0
package/admin-build/_app/immutable/assets/Select.BW4Keufm.css +1 -0
package/admin-build/_app/immutable/assets/Skeleton.KWUulTKJ.css +1 -0
package/admin-build/_app/immutable/assets/Tabs.CniGYb67.css +1 -0
package/admin-build/_app/immutable/assets/TimeChart.BTCDAvmT.css +1 -0
package/admin-build/_app/immutable/assets/Toggle.Cy_K12OM.css +1 -0
package/admin-build/_app/immutable/assets/TopList.ClFzmPlA.css +1 -0
package/admin-build/_app/immutable/chunks/7B47DvSx.js +1 -0
package/admin-build/_app/immutable/chunks/7f08Id8e.js +1 -0
package/admin-build/_app/immutable/chunks/8wJeQ7LN.js +1 -0
package/admin-build/_app/immutable/chunks/B-h2afW5.js +1 -0
package/admin-build/_app/immutable/chunks/B8vJP3wz.js +1 -0
package/admin-build/_app/immutable/chunks/BR_fL5Yv.js +1 -0
package/admin-build/_app/immutable/chunks/BY92tFS2.js +1 -0
package/admin-build/_app/immutable/chunks/BcR-Rdj9.js +1 -0
package/admin-build/_app/immutable/chunks/BdrwyZv8.js +1 -0
package/admin-build/_app/immutable/chunks/Bh56EfQ_.js +1 -0
package/admin-build/_app/immutable/chunks/BkrCkgYp.js +1 -0
package/admin-build/_app/immutable/chunks/BmRjiP5k.js +1 -0
package/admin-build/_app/immutable/chunks/BsokvhWC.js +1 -0
package/admin-build/_app/immutable/chunks/C4D51vTW.js +1 -0
package/admin-build/_app/immutable/chunks/C6puvcoR.js +2 -0
package/admin-build/_app/immutable/chunks/CCKNu7m7.js +1 -0
package/admin-build/_app/immutable/chunks/CWj6FrbW.js +1 -0
package/admin-build/_app/immutable/chunks/Ce-ngf4p.js +5 -0
package/admin-build/_app/immutable/chunks/Cs0GwzJA.js +1 -0
package/admin-build/_app/immutable/chunks/CwROoZK0.js +1 -0
package/admin-build/_app/immutable/chunks/CxCPv_Ut.js +1 -0
package/admin-build/_app/immutable/chunks/CxbRue-5.js +1 -0
package/admin-build/_app/immutable/chunks/CyqB6g-D.js +1 -0
package/admin-build/_app/immutable/chunks/D5h5A1cc.js +2 -0
package/admin-build/_app/immutable/chunks/DnyL7Zq-.js +1 -0
package/admin-build/_app/immutable/chunks/DoPXzH7F.js +1 -0
package/admin-build/_app/immutable/chunks/DrQSgw-f.js +1 -0
package/admin-build/_app/immutable/chunks/DttM2zNO.js +1 -0
package/admin-build/_app/immutable/chunks/DuXuUBWN.js +1 -0
package/admin-build/_app/immutable/chunks/MdeqaOQx.js +10 -0
package/admin-build/_app/immutable/chunks/NuUjtcO2.js +1 -0
package/admin-build/_app/immutable/chunks/Q2nPFxS6.js +1 -0
package/admin-build/_app/immutable/chunks/R6arueIl.js +1 -0
package/admin-build/_app/immutable/chunks/UUazaC_N.js +1 -0
package/admin-build/_app/immutable/chunks/cOYbrQxx.js +1 -0
package/admin-build/_app/immutable/chunks/eFQHTGwA.js +1 -0
package/admin-build/_app/immutable/chunks/ehbppgYb.js +1 -0
package/admin-build/_app/immutable/chunks/glwixJlP.js +1 -0
package/admin-build/_app/immutable/chunks/vApWTCBs.js +1 -0
package/admin-build/_app/immutable/chunks/w89G9Xpi.js +1 -0
package/admin-build/_app/immutable/chunks/wJsUhbfZ.js +1 -0
package/admin-build/_app/immutable/chunks/zfauFM8P.js +1 -0
package/admin-build/_app/immutable/entry/app.CcO-Uos3.js +2 -0
package/admin-build/_app/immutable/entry/start.COebYq3I.js +1 -0
package/admin-build/_app/immutable/nodes/0.CjtHKU-6.js +1 -0
package/admin-build/_app/immutable/nodes/1.DEisjlM0.js +1 -0
package/admin-build/_app/immutable/nodes/10.CvhdyWVB.js +1 -0
package/admin-build/_app/immutable/nodes/11.DjHqcOvy.js +1 -0
package/admin-build/_app/immutable/nodes/12.mQLz4Mj_.js +1 -0
package/admin-build/_app/immutable/nodes/13.CBonZZyP.js +110 -0
package/admin-build/_app/immutable/nodes/14.d-oiZL0j.js +3 -0
package/admin-build/_app/immutable/nodes/15.CKPQsUYF.js +1 -0
package/admin-build/_app/immutable/nodes/16.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/17.DayhKyEZ.js +1 -0
package/admin-build/_app/immutable/nodes/18.DKwS0Ir0.js +1 -0
package/admin-build/_app/immutable/nodes/19.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/2.BKoKrw1i.js +1 -0
package/admin-build/_app/immutable/nodes/20.BvIkkkrW.js +1 -0
package/admin-build/_app/immutable/nodes/21.DMaFhdHk.js +128 -0
package/admin-build/_app/immutable/nodes/22.3xdgwuK1.js +1 -0
package/admin-build/_app/immutable/nodes/23.8Bvgjbsl.js +112 -0
package/admin-build/_app/immutable/nodes/24.DzSSzRhG.js +2 -0
package/admin-build/_app/immutable/nodes/25.9KKYBnAE.js +2 -0
package/admin-build/_app/immutable/nodes/26.Bhn9dfhY.js +1 -0
package/admin-build/_app/immutable/nodes/27.kRLiC24G.js +1 -0
package/admin-build/_app/immutable/nodes/28.BVIN1-7N.js +1 -0
package/admin-build/_app/immutable/nodes/29.3yabZWj4.js +1 -0
package/admin-build/_app/immutable/nodes/3.BFtSOkX7.js +2 -0
package/admin-build/_app/immutable/nodes/30.CyCQlwaP.js +1 -0
package/admin-build/_app/immutable/nodes/31.C4LDXjES.js +1 -0
package/admin-build/_app/immutable/nodes/4.CvbiMlCa.js +1 -0
package/admin-build/_app/immutable/nodes/5.C6BLv2eM.js +1 -0
package/admin-build/_app/immutable/nodes/6.BcXvfl2P.js +1 -0
package/admin-build/_app/immutable/nodes/7.CIuqhPiK.js +1 -0
package/admin-build/_app/immutable/nodes/8.BQOR_JfO.js +1 -0
package/admin-build/_app/immutable/nodes/9.NZqXQxPy.js +1 -0
package/admin-build/_app/version.json +1 -0
package/admin-build/favicon.svg +26 -0
package/admin-build/index.html +45 -0
package/openapi.json +19543 -0
package/package.json +66 -0
package/src/__tests__/admin-assets.test.ts +55 -0
package/src/__tests__/admin-data-routes.test.ts +488 -0
package/src/__tests__/admin-db-target.test.ts +103 -0
package/src/__tests__/admin-routing.test.ts +31 -0
package/src/__tests__/admin-user-management.test.ts +311 -0
package/src/__tests__/analytics-query.test.ts +75 -0
package/src/__tests__/auth-d1.test.ts +749 -0
package/src/__tests__/auth-db-adapter.test.ts +73 -0
package/src/__tests__/auth-jwt.test.ts +440 -0
package/src/__tests__/auth-oauth.test.ts +389 -0
package/src/__tests__/auth-password.test.ts +367 -0
package/src/__tests__/auth-redirect.test.ts +87 -0
package/src/__tests__/backup-restore.test.ts +711 -0
package/src/__tests__/broadcast.test.ts +128 -0
package/src/__tests__/cli.test.ts +178 -0
package/src/__tests__/cloudflare-realtime.test.ts +113 -0
package/src/__tests__/config.test.ts +469 -0
package/src/__tests__/cors.test.ts +154 -0
package/src/__tests__/cron.test.ts +302 -0
package/src/__tests__/d1-handler.test.ts +402 -0
package/src/__tests__/d1-sql.test.ts +120 -0
package/src/__tests__/database-live-config.test.ts +42 -0
package/src/__tests__/database-live-emitter.test.ts +56 -0
package/src/__tests__/database-live-filters.test.ts +63 -0
package/src/__tests__/database-live-route.test.ts +113 -0
package/src/__tests__/db-sql.test.ts +163 -0
package/src/__tests__/do-lifecycle.test.ts +263 -0
package/src/__tests__/do-router.test.ts +729 -0
package/src/__tests__/email-provider.test.ts +128 -0
package/src/__tests__/email-templates.test.ts +528 -0
package/src/__tests__/error-format.test.ts +250 -0
package/src/__tests__/field-ops.test.ts +242 -0
package/src/__tests__/functions-context.test.ts +334 -0
package/src/__tests__/functions-d1-proxy.test.ts +229 -0
package/src/__tests__/functions-registry-runtime-config.test.ts +17 -0
package/src/__tests__/functions-route.test.ts +139 -0
package/src/__tests__/internal-request.test.ts +77 -0
package/src/__tests__/log-writer.test.ts +44 -0
package/src/__tests__/logger.test.ts +58 -0
package/src/__tests__/meta-admin-proxy.test.ts +48 -0
package/src/__tests__/meta-export-coverage.test.ts +191 -0
package/src/__tests__/meta-route-registration.test.ts +47 -0
package/src/__tests__/namespace-dump.test.ts +28 -0
package/src/__tests__/oauth-providers.test.ts +337 -0
package/src/__tests__/openapi-coverage.test.ts +144 -0
package/src/__tests__/pagination.test.ts +59 -0
package/src/__tests__/password-policy.test.ts +191 -0
package/src/__tests__/plugin-migrations.test.ts +379 -0
package/src/__tests__/postgres-batch-compat.test.ts +133 -0
package/src/__tests__/postgres-dialect.test.ts +328 -0
package/src/__tests__/postgres-executor.test.ts +79 -0
package/src/__tests__/postgres-field-ops-compat.test.ts +222 -0
package/src/__tests__/postgres-schema-init.test.ts +105 -0
package/src/__tests__/postgres-table-utils.test.ts +107 -0
package/src/__tests__/presence.test.ts +199 -0
package/src/__tests__/provider.test.ts +550 -0
package/src/__tests__/public-user-profile.test.ts +339 -0
package/src/__tests__/push-handlers.test.ts +179 -0
package/src/__tests__/push-provider.test.ts +80 -0
package/src/__tests__/push-token.test.ts +418 -0
package/src/__tests__/query.test.ts +771 -0
package/src/__tests__/rate-limit.test.ts +260 -0
package/src/__tests__/room-access-policy.test.ts +101 -0
package/src/__tests__/room-handler-context.test.ts +130 -0
package/src/__tests__/room-monitoring.test.ts +138 -0
package/src/__tests__/room-runtime-routing.test.ts +222 -0
package/src/__tests__/room.test.ts +254 -0
package/src/__tests__/route-parser.test.ts +490 -0
package/src/__tests__/rules.test.ts +234 -0
package/src/__tests__/runtime-surface-accounting.test.ts +120 -0
package/src/__tests__/scheduled.test.ts +80 -0
package/src/__tests__/schema.test.ts +1273 -0
package/src/__tests__/security-hardening.test.ts +312 -0
package/src/__tests__/server.unit.test.ts +333 -0
package/src/__tests__/service-key-db-proxy.test.ts +650 -0
package/src/__tests__/service-key-provider-bypass.test.ts +138 -0
package/src/__tests__/service-key.test.ts +757 -0
package/src/__tests__/smoke-skip-report.test.ts +72 -0
package/src/__tests__/sms-provider.test.ts +39 -0
package/src/__tests__/sql-route.test.ts +218 -0
package/src/__tests__/storage-hook-context.test.ts +115 -0
package/src/__tests__/totp.test.ts +200 -0
package/src/__tests__/uuid.test.ts +144 -0
package/src/__tests__/validation.test.ts +773 -0
package/src/__tests__/websocket-pending.test.ts +163 -0
package/src/_functions-registry.ts +51 -0
package/src/bench-entry.ts +9 -0
package/src/cloudflare-test.d.ts +1 -0
package/src/durable-objects/auth-do.ts +49 -0
package/src/durable-objects/database-do.ts +2240 -0
package/src/durable-objects/database-live-do.ts +949 -0
package/src/durable-objects/logs-do.ts +1200 -0
package/src/durable-objects/room-runtime-base.ts +1604 -0
package/src/durable-objects/rooms-do.ts +2191 -0
package/src/generated-config.ts +6 -0
package/src/index.ts +382 -0
package/src/lib/admin-assets.ts +54 -0
package/src/lib/admin-db-target.ts +301 -0
package/src/lib/admin-routing.ts +35 -0
package/src/lib/admin-user-management.ts +464 -0
package/src/lib/analytics-adapter.ts +103 -0
package/src/lib/analytics-query.ts +579 -0
package/src/lib/auth-d1-service.ts +1193 -0
package/src/lib/auth-d1.ts +1056 -0
package/src/lib/auth-db-adapter.ts +289 -0
package/src/lib/auth-redirect.ts +116 -0
package/src/lib/cidr.ts +115 -0
package/src/lib/client-ip.ts +51 -0
package/src/lib/cloudflare-realtime.ts +251 -0
package/src/lib/control-db.ts +36 -0
package/src/lib/cron.ts +163 -0
package/src/lib/d1-handler.ts +1425 -0
package/src/lib/d1-schema-init.ts +255 -0
package/src/lib/d1-sql.ts +33 -0
package/src/lib/database-live-config.ts +24 -0
package/src/lib/database-live-emitter.ts +111 -0
package/src/lib/db-sql.ts +66 -0
package/src/lib/do-retry.ts +36 -0
package/src/lib/do-router.ts +270 -0
package/src/lib/do-sql.ts +73 -0
package/src/lib/email-provider.ts +379 -0
package/src/lib/email-templates.ts +285 -0
package/src/lib/email-translations.ts +422 -0
package/src/lib/errors.ts +151 -0
package/src/lib/functions.ts +2091 -0
package/src/lib/hono.ts +56 -0
package/src/lib/internal-request.ts +56 -0
package/src/lib/jwt.ts +354 -0
package/src/lib/log-writer.ts +272 -0
package/src/lib/namespace-dump.ts +125 -0
package/src/lib/oauth-providers.ts +1225 -0
package/src/lib/op-parser.ts +99 -0
package/src/lib/openapi.ts +146 -0
package/src/lib/pagination.ts +19 -0
package/src/lib/password-policy.ts +102 -0
package/src/lib/password.ts +145 -0
package/src/lib/plugin-migrations.ts +612 -0
package/src/lib/postgres-executor.ts +203 -0
package/src/lib/postgres-handler.ts +1102 -0
package/src/lib/postgres-schema-init.ts +341 -0
package/src/lib/postgres-table-utils.ts +87 -0
package/src/lib/public-user-profile.ts +187 -0
package/src/lib/push-provider.ts +409 -0
package/src/lib/push-token.ts +294 -0
package/src/lib/query-engine.ts +768 -0
package/src/lib/room-monitoring.ts +97 -0
package/src/lib/room-runtime.ts +14 -0
package/src/lib/route-parser.ts +434 -0
package/src/lib/schema.ts +538 -0
package/src/lib/schemas.ts +152 -0
package/src/lib/service-key.ts +419 -0
package/src/lib/sms-provider.ts +230 -0
package/src/lib/startup-config.ts +99 -0
package/src/lib/totp.ts +242 -0
package/src/lib/uuid.ts +87 -0
package/src/lib/validation.ts +205 -0
package/src/lib/version.ts +2 -0
package/src/lib/websocket-pending.ts +40 -0
package/src/middleware/auth.ts +169 -0
package/src/middleware/captcha-verify.ts +217 -0
package/src/middleware/cors.ts +159 -0
package/src/middleware/error-handler.ts +54 -0
package/src/middleware/internal-guard.ts +26 -0
package/src/middleware/logger.ts +126 -0
package/src/middleware/rate-limit.ts +283 -0
package/src/middleware/rules.ts +475 -0
package/src/routes/admin-auth.ts +447 -0
package/src/routes/admin.ts +3501 -0
package/src/routes/analytics-api.ts +290 -0
package/src/routes/auth.ts +4222 -0
package/src/routes/backup.ts +1466 -0
package/src/routes/config.ts +53 -0
package/src/routes/d1.ts +109 -0
package/src/routes/database-live.ts +281 -0
package/src/routes/functions.ts +155 -0
package/src/routes/health.ts +32 -0
package/src/routes/kv.ts +167 -0
package/src/routes/oauth.ts +1055 -0
package/src/routes/push.ts +1465 -0
package/src/routes/room.ts +639 -0
package/src/routes/schema-endpoint.ts +76 -0
package/src/routes/sql.ts +176 -0
package/src/routes/storage.ts +1674 -0
package/src/routes/tables.ts +699 -0
package/src/routes/users.ts +21 -0
package/src/routes/vectorize.ts +372 -0
package/src/types.ts +99 -0

package/src/durable-objects/database-live-do.ts ADDED Viewed

@@ -0,0 +1,949 @@
+import { DurableObject } from 'cloudflare:workers';
+import {
+  getTableAccess,
+  type EdgeBaseConfig,
+} from '@edge-base/shared';
+import { verifyAccessToken } from '../lib/jwt.js';
+import { parseConfig as getGlobalConfig } from '../lib/do-router.js';
+import { isDbLiveChannel } from '../lib/database-live-emitter.js';
+import { resolveDbLiveAuthTimeoutMs } from '../lib/database-live-config.js';
+interface DOEnv {
+  JWT_USER_SECRET?: string;
+}
+interface DatabaseLiveEvent {
+  type: 'added' | 'modified' | 'removed';
+  channel: string;
+  table: string;
+  docId: string;
+  data: Record<string, unknown> | null;
+  timestamp: string;
+}
+export type DatabaseLiveFilterCondition = [
+  string,
+  '==' | '!=' | '<' | '<=' | '>' | '>=' | 'in' | 'contains' | 'contains-any' | 'not in',
+  unknown,
+];
+type FilterCondition = DatabaseLiveFilterCondition;
+type FilterOperator = FilterCondition[1];
+interface WSMeta {
+  authenticated: boolean;
+  userId?: string;
+  role?: string;
+  connectionId: string;
+  subscribedChannels: string[];
+  channelFilters: Map<string, FilterCondition[]>;
+  channelOrFilters: Map<string, FilterCondition[]>;
+  sdkVersion?: string;
+  supportsBatch: boolean;
+}
+const MAX_FILTER_CONDITIONS = 5;
+const VALID_FILTER_OPERATORS = new Set<FilterOperator>([
+  '==',
+  '!=',
+  '<',
+  '<=',
+  '>',
+  '>=',
+  'in',
+  'contains',
+  'contains-any',
+  'not in',
+]);
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return value !== null && typeof value === 'object' && !Array.isArray(value);
+}
+function normalizeFilterCondition(input: unknown): FilterCondition | null {
+  if (Array.isArray(input)) {
+    if (input.length !== 3) return null;
+    const [field, op, value] = input;
+    if (typeof field !== 'string' || typeof op !== 'string' || !VALID_FILTER_OPERATORS.has(op as FilterOperator)) {
+      return null;
+    }
+    return [field, op as FilterOperator, value];
+  }
+  if (!isRecord(input)) return null;
+  const field = input.field;
+  const op = input.op;
+  if (typeof field !== 'string' || typeof op !== 'string' || !VALID_FILTER_OPERATORS.has(op as FilterOperator)) {
+    return null;
+  }
+  return [field, op as FilterOperator, input.value];
+}
+export function normalizeDatabaseLiveFilterPayload(
+  input: unknown,
+  label: string,
+): { ok: true; value: FilterCondition[] | null | undefined } | { ok: false; message: string } {
+  if (input === undefined) {
+    return { ok: true, value: undefined };
+  }
+  if (input === null) {
+    return { ok: true, value: null };
+  }
+  if (Array.isArray(input)) {
+    if (input.length > MAX_FILTER_CONDITIONS) {
+      return {
+        ok: false,
+        message: `${label} must be an array with at most ${MAX_FILTER_CONDITIONS} conditions`,
+      };
+    }
+    const normalized = input.map(normalizeFilterCondition);
+    if (normalized.some((condition) => condition === null)) {
+      return {
+        ok: false,
+        message: `${label} must contain [field, op, value] tuples or { field, op, value } objects`,
+      };
+    }
+    return { ok: true, value: normalized as FilterCondition[] };
+  }
+  if (isRecord(input)) {
+    const singleCondition = normalizeFilterCondition(input);
+    if (singleCondition) {
+      return { ok: true, value: [singleCondition] };
+    }
+    const entries = Object.entries(input);
+    if (entries.length > MAX_FILTER_CONDITIONS) {
+      return {
+        ok: false,
+        message: `${label} must define at most ${MAX_FILTER_CONDITIONS} equality conditions`,
+      };
+    }
+    return {
+      ok: true,
+      value: entries.map(([field, value]) => [field, '==', value] as FilterCondition),
+    };
+  }
+  return {
+    ok: false,
+    message: `${label} must be an array, a filter object, or an equality map`,
+  };
+}
+export class DatabaseLiveDO extends DurableObject<DOEnv> {
+  private config: EdgeBaseConfig;
+  private filterRecoveryNeeded = true;
+  private pendingAuth = new Map<string, ReturnType<typeof setTimeout>>();
+  private metaCache = new Map<WebSocket, WSMeta>();
+  constructor(ctx: DurableObjectState, env: DOEnv) {
+    super(ctx, env);
+    this.config = getGlobalConfig(env);
+  }
+  async fetch(request: Request): Promise<Response> {
+    const url = new URL(request.url);
+    if (url.pathname === '/internal/event') {
+      return this.handleInternalEvent(request);
+    }
+    if (url.pathname === '/internal/batch-event') {
+      return this.handleInternalBatchEvent(request);
+    }
+    if (url.pathname === '/internal/broadcast') {
+      return this.handleInternalBroadcast(request);
+    }
+    if (url.pathname === '/internal/stats') {
+      return this.handleStats();
+    }
+    if (request.headers.get('Upgrade') === 'websocket') {
+      return this.handleWebSocketUpgrade();
+    }
+    return Response.json({ error: 'Expected WebSocket or internal request' }, { status: 400 });
+  }
+  private handleWebSocketUpgrade(): Response {
+    const pair = new WebSocketPair();
+    const [client, server] = Object.values(pair);
+    const connectionId = crypto.randomUUID();
+    const meta: WSMeta = {
+      authenticated: false,
+      connectionId,
+      subscribedChannels: [],
+      channelFilters: new Map(),
+      channelOrFilters: new Map(),
+      supportsBatch: false,
+    };
+    this.ctx.acceptWebSocket(server, [connectionId]);
+    this.metaCache.set(server, meta);
+    const authTimeoutMs = resolveDbLiveAuthTimeoutMs(this.config);
+    const timer = setTimeout(() => {
+      const currentMeta = this.getWSMeta(server);
+      if (currentMeta && !currentMeta.authenticated) {
+        try {
+          server.send(JSON.stringify({
+            type: 'error',
+            code: 'AUTH_TIMEOUT',
+            message: `Authentication required within ${authTimeoutMs}ms`,
+          }));
+        } catch {
+          // Socket may already be closed.
+        }
+        try {
+          server.close(4001, 'Authentication timeout');
+        } catch {
+          // Ignore redundant close attempts.
+        }
+      }
+      this.pendingAuth.delete(connectionId);
+    }, authTimeoutMs);
+    this.pendingAuth.set(connectionId, timer);
+    return new Response(null, { status: 101, webSocket: client });
+  }
+  async webSocketMessage(ws: WebSocket, message: string | ArrayBuffer): Promise<void> {
+    if (typeof message !== 'string') return;
+    let msg: Record<string, unknown>;
+    try {
+      msg = JSON.parse(message);
+    } catch {
+      ws.send(JSON.stringify({ type: 'error', code: 'INVALID_JSON', message: 'Invalid JSON' }));
+      return;
+    }
+    const meta = this.getWSMeta(ws);
+    if (!meta) return;
+    if (msg.type === 'auth') {
+      await this.handleAuth(ws, meta, msg.token as string, msg.sdkVersion as string | undefined);
+      return;
+    }
+    if (!meta.authenticated) {
+      ws.send(JSON.stringify({
+        type: 'error',
+        code: 'NOT_AUTHENTICATED',
+        message: 'Send auth message first',
+      }));
+      return;
+    }
+    if (this.filterRecoveryNeeded) {
+      this.broadcastToAuthenticated({ type: 'FILTER_RESYNC' });
+      this.filterRecoveryNeeded = false;
+    }
+    switch (msg.type) {
+      case 'subscribe':
+        await this.handleSubscribe(
+          ws,
+          meta,
+          msg.channel as string,
+          msg.filters as FilterCondition[] | undefined,
+          msg.orFilters as FilterCondition[] | undefined,
+        );
+        break;
+      case 'unsubscribe':
+        this.handleUnsubscribe(ws, meta, msg.channel as string);
+        break;
+      case 'update_filters':
+        this.handleUpdateFilters(
+          ws,
+          meta,
+          msg.channel as string,
+          msg.filters as FilterCondition[] | null,
+          msg.orFilters as FilterCondition[] | null,
+        );
+        break;
+      case 'ping':
+        ws.send(JSON.stringify({ type: 'pong' }));
+        break;
+      default:
+        ws.send(JSON.stringify({ type: 'error', code: 'UNKNOWN_TYPE', message: `Unknown message type: ${msg.type}` }));
+    }
+  }
+  webSocketClose(ws: WebSocket): void {
+    const meta = this.getWSMeta(ws);
+    if (!meta) return;
+    const timer = this.pendingAuth.get(meta.connectionId);
+    if (timer) {
+      clearTimeout(timer);
+      this.pendingAuth.delete(meta.connectionId);
+    }
+    this.metaCache.delete(ws);
+  }
+  webSocketError(ws: WebSocket): void {
+    this.webSocketClose(ws);
+  }
+  private async handleAuth(
+    ws: WebSocket,
+    meta: WSMeta,
+    token: string,
+    sdkVersion?: string,
+  ): Promise<void> {
+    const isReAuth = meta.authenticated;
+    if (!token) {
+      ws.send(JSON.stringify({ type: 'error', code: 'AUTH_FAILED', message: 'Token required' }));
+      ws.close(4002, 'Authentication failed');
+      return;
+    }
+    const secret = this.env.JWT_USER_SECRET;
+    if (!secret) {
+      ws.send(JSON.stringify({ type: 'error', code: 'SERVER_ERROR', message: 'JWT secret not configured' }));
+      ws.close(4003, 'Server configuration error');
+      return;
+    }
+    try {
+      const verified = await verifyAccessToken(token, secret);
+      meta.authenticated = true;
+      meta.userId = verified.sub;
+      meta.role = (verified as Record<string, unknown>).role as string | undefined;
+      if (sdkVersion) {
+        meta.sdkVersion = sdkVersion;
+        meta.supportsBatch = true;
+      }
+      this.setWSMeta(ws, meta);
+      const timer = this.pendingAuth.get(meta.connectionId);
+      if (timer) {
+        clearTimeout(timer);
+        this.pendingAuth.delete(meta.connectionId);
+      }
+      if (isReAuth) {
+        const revokedChannels: string[] = [];
+        for (const channel of [...meta.subscribedChannels]) {
+          const allowed = await this.evaluateChannelAccess(channel, meta);
+          if (!allowed) {
+            meta.subscribedChannels = meta.subscribedChannels.filter((value) => value !== channel);
+            meta.channelFilters.delete(channel);
+            meta.channelOrFilters.delete(channel);
+            revokedChannels.push(channel);
+          }
+        }
+        this.setWSMeta(ws, meta);
+        ws.send(JSON.stringify({
+          type: 'auth_refreshed',
+          userId: verified.sub,
+          revokedChannels,
+        }));
+        return;
+      }
+      ws.send(JSON.stringify({
+        type: 'auth_success',
+        userId: verified.sub,
+      }));
+    } catch {
+      if (isReAuth) {
+        ws.send(JSON.stringify({
+          type: 'error',
+          code: 'AUTH_REFRESH_FAILED',
+          message: 'Token refresh failed — existing auth preserved',
+        }));
+        return;
+      }
+      ws.send(JSON.stringify({ type: 'error', code: 'AUTH_FAILED', message: 'Invalid or expired token' }));
+      ws.close(4002, 'Authentication failed');
+    }
+  }
+  private async handleSubscribe(
+    ws: WebSocket,
+    meta: WSMeta,
+    channel: string,
+    filters?: unknown,
+    orFilters?: unknown,
+  ): Promise<void> {
+    if (!channel) {
+      ws.send(JSON.stringify({ type: 'error', code: 'INVALID_CHANNEL', message: 'Channel name required' }));
+      return;
+    }
+    if (!isDbLiveChannel(channel)) {
+      ws.send(JSON.stringify({
+        type: 'error',
+        code: 'INVALID_CHANNEL',
+        message: `Database live only supports DB channels: ${channel}`,
+      }));
+      return;
+    }
+    const normalizedFilters = normalizeDatabaseLiveFilterPayload(filters, 'Filters');
+    if (!normalizedFilters.ok) {
+      ws.send(JSON.stringify({
+        type: 'error',
+        code: 'INVALID_FILTERS',
+        message: normalizedFilters.message,
+      }));
+      return;
+    }
+    const normalizedOrFilters = normalizeDatabaseLiveFilterPayload(orFilters, 'OR filters');
+    if (!normalizedOrFilters.ok) {
+      ws.send(JSON.stringify({
+        type: 'error',
+        code: 'INVALID_FILTERS',
+        message: normalizedOrFilters.message,
+      }));
+      return;
+    }
+    if (!(await this.evaluateChannelAccess(channel, meta))) {
+      ws.send(JSON.stringify({
+        type: 'error',
+        code: 'CHANNEL_ACCESS_DENIED',
+        message: `Access denied to channel: ${channel}`,
+      }));
+      return;
+    }
+    if (!meta.subscribedChannels.includes(channel)) {
+      meta.subscribedChannels.push(channel);
+    }
+    if (normalizedFilters.value && normalizedFilters.value.length > 0) {
+      meta.channelFilters.set(channel, normalizedFilters.value);
+    } else {
+      meta.channelFilters.delete(channel);
+    }
+    if (normalizedOrFilters.value && normalizedOrFilters.value.length > 0) {
+      meta.channelOrFilters.set(channel, normalizedOrFilters.value);
+    } else {
+      meta.channelOrFilters.delete(channel);
+    }
+    this.setWSMeta(ws, meta);
+    ws.send(JSON.stringify({
+      type: 'subscribed',
+      channel,
+      serverFilter: meta.channelFilters.has(channel) || meta.channelOrFilters.has(channel),
+    }));
+  }
+  private handleUnsubscribe(ws: WebSocket, meta: WSMeta, channel: string): void {
+    meta.subscribedChannels = meta.subscribedChannels.filter((value) => value !== channel);
+    meta.channelFilters.delete(channel);
+    meta.channelOrFilters.delete(channel);
+    this.setWSMeta(ws, meta);
+    ws.send(JSON.stringify({ type: 'unsubscribed', channel }));
+  }
+  private handleUpdateFilters(
+    ws: WebSocket,
+    meta: WSMeta,
+    channel: string,
+    filters: unknown,
+    orFilters?: unknown,
+  ): void {
+    if (!channel || !meta.subscribedChannels.includes(channel)) {
+      ws.send(JSON.stringify({ type: 'error', code: 'NOT_SUBSCRIBED', message: `Not subscribed to channel: ${channel}` }));
+      return;
+    }
+    if (filters === null) {
+      meta.channelFilters.delete(channel);
+    } else if (filters !== undefined) {
+      const normalizedFilters = normalizeDatabaseLiveFilterPayload(filters, 'Filters');
+      if (!normalizedFilters.ok || normalizedFilters.value === null) {
+        ws.send(JSON.stringify({
+          type: 'error',
+          code: 'INVALID_FILTERS',
+          message: normalizedFilters.ok ? 'Filters update must not be null.' : normalizedFilters.message,
+        }));
+        return;
+      }
+      const nextFilters = normalizedFilters.value ?? [];
+      if (nextFilters.length > 0) {
+        meta.channelFilters.set(channel, nextFilters);
+      } else {
+        meta.channelFilters.delete(channel);
+      }
+    }
+    if (orFilters === null) {
+      meta.channelOrFilters.delete(channel);
+    } else if (orFilters !== undefined) {
+      const normalizedOrFilters = normalizeDatabaseLiveFilterPayload(orFilters, 'OR filters');
+      if (!normalizedOrFilters.ok || normalizedOrFilters.value === null) {
+        ws.send(JSON.stringify({
+          type: 'error',
+          code: 'INVALID_FILTERS',
+          message: normalizedOrFilters.ok ? 'OR filters update must not be null.' : normalizedOrFilters.message,
+        }));
+        return;
+      }
+      const nextOrFilters = normalizedOrFilters.value ?? [];
+      if (nextOrFilters.length > 0) {
+        meta.channelOrFilters.set(channel, nextOrFilters);
+      } else {
+        meta.channelOrFilters.delete(channel);
+      }
+    }
+    this.setWSMeta(ws, meta);
+    ws.send(JSON.stringify({
+      type: 'filters_updated',
+      channel,
+      serverFilter: meta.channelFilters.has(channel) || meta.channelOrFilters.has(channel),
+    }));
+  }
+  private async handleInternalEvent(request: Request): Promise<Response> {
+    let event: DatabaseLiveEvent;
+    try {
+      event = await request.json() as DatabaseLiveEvent;
+    } catch {
+      return Response.json({ error: 'Invalid event body' }, { status: 400 });
+    }
+    await this.broadcastWithFilters({
+      type: 'db_change',
+      channel: event.channel,
+      changeType: event.type,
+      table: event.table,
+      docId: event.docId,
+      data: event.data,
+      timestamp: event.timestamp,
+    }, event.data);
+    return Response.json({ ok: true });
+  }
+  private async handleInternalBatchEvent(request: Request): Promise<Response> {
+    let batch: {
+      type: 'batch_changes';
+      channel: string;
+      table: string;
+      changes: Array<{ type: string; docId: string; data: Record<string, unknown> | null; timestamp: string }>;
+      total: number;
+    };
+    try {
+      batch = await request.json() as typeof batch;
+    } catch {
+      return Response.json({ error: 'Invalid batch event body' }, { status: 400 });
+    }
+    const sockets = this.ctx.getWebSockets();
+    const batchMsg = {
+      type: 'batch_changes' as const,
+      channel: batch.channel,
+      changes: batch.changes.map((change) => ({
+        event: change.type,
+        docId: change.docId,
+        data: change.data,
+        timestamp: change.timestamp,
+      })),
+      total: batch.total,
+    };
+    const batchMsgStr = JSON.stringify(batchMsg);
+    for (const ws of sockets) {
+      const meta = this.getWSMeta(ws);
+      if (!meta?.authenticated) continue;
+      if (!meta.subscribedChannels.includes(batch.channel)) continue;
+      if (meta.supportsBatch) {
+        const filteredChanges: typeof batchMsg.changes = [];
+        for (const change of batchMsg.changes) {
+          const canRead = await this.evaluateRowReadAccess(batch.table, meta, change.data as Record<string, unknown> | null);
+          if (!canRead) continue;
+          let shouldSend = true;
+          if (change.data && (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0)) {
+            const filters = meta.channelFilters.get(batch.channel) || [];
+            const orFilters = meta.channelOrFilters.get(batch.channel) || [];
+            if (filters.length > 0 || orFilters.length > 0) {
+              shouldSend = evaluateDatabaseLiveFilters(change.data as Record<string, unknown>, filters, orFilters);
+            }
+          }
+          if (shouldSend) {
+            filteredChanges.push(change);
+          }
+        }
+        if (filteredChanges.length > 0) {
+          const payload = filteredChanges.length === batchMsg.changes.length
+            ? batchMsgStr
+            : JSON.stringify({
+                ...batchMsg,
+                changes: filteredChanges,
+                total: filteredChanges.length,
+              });
+          try {
+            ws.send(payload);
+          } catch {
+            // Socket may be closing.
+          }
+        }
+        continue;
+      }
+      for (const change of batch.changes) {
+        const canRead = await this.evaluateRowReadAccess(batch.table, meta, change.data);
+        if (!canRead) continue;
+        let shouldSend = true;
+        if (change.data && (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0)) {
+          const filters = meta.channelFilters.get(batch.channel) || [];
+          const orFilters = meta.channelOrFilters.get(batch.channel) || [];
+          if (filters.length > 0 || orFilters.length > 0) {
+            shouldSend = evaluateDatabaseLiveFilters(change.data as Record<string, unknown>, filters, orFilters);
+          }
+        }
+        if (!shouldSend) continue;
+        try {
+          ws.send(JSON.stringify({
+            type: 'db_change',
+            channel: batch.channel,
+            changeType: change.type,
+            table: batch.table,
+            docId: change.docId,
+            data: change.data,
+            timestamp: change.timestamp,
+          }));
+        } catch {
+          // Socket may be closing.
+        }
+      }
+    }
+    return Response.json({ ok: true });
+  }
+  /**
+   * Handle server-side broadcast from HookCtx.databaseLive.broadcast().
+   * Sends a custom broadcast_event to all clients subscribed to matching DB channels.
+   */
+  private async handleInternalBroadcast(request: Request): Promise<Response> {
+    let body: { channel?: string; event?: string; payload?: Record<string, unknown> };
+    try {
+      body = await request.json() as typeof body;
+    } catch {
+      return Response.json({ error: 'Invalid broadcast body' }, { status: 400 });
+    }
+    const { channel, event, payload } = body;
+    if (!channel || typeof channel !== 'string') {
+      return Response.json({ error: 'channel is required' }, { status: 400 });
+    }
+    if (!event || typeof event !== 'string') {
+      return Response.json({ error: 'event is required' }, { status: 400 });
+    }
+    const msg = JSON.stringify({
+      type: 'broadcast_event',
+      channel,
+      event,
+      payload: payload ?? {},
+    });
+    const sockets = this.ctx.getWebSockets();
+    for (const ws of sockets) {
+      const meta = this.getWSMeta(ws);
+      if (!meta?.authenticated) continue;
+      // Deliver to clients subscribed to the target channel or any parent channel
+      if (!meta.subscribedChannels.some(sub => channel === sub || channel.startsWith(`${sub}:`))) {
+        continue;
+      }
+      try {
+        ws.send(msg);
+      } catch {
+        // Socket may be closing.
+      }
+    }
+    return Response.json({ ok: true });
+  }
+  private handleStats(): Response {
+    const sockets = this.ctx.getWebSockets();
+    const channelMap = new Map<string, number>();
+    let authenticated = 0;
+    for (const ws of sockets) {
+      const meta = this.getWSMeta(ws);
+      if (!meta) continue;
+      if (meta.authenticated) authenticated++;
+      for (const channel of meta.subscribedChannels) {
+        channelMap.set(channel, (channelMap.get(channel) ?? 0) + 1);
+      }
+    }
+    const channelDetails = Array.from(channelMap.entries())
+      .map(([channel, subscribers]) => ({ channel, subscribers }))
+      .sort((a, b) => b.subscribers - a.subscribers);
+    return Response.json({
+      subsystem: 'database-live',
+      activeConnections: sockets.length,
+      authenticatedConnections: authenticated,
+      channels: channelMap.size,
+      channelDetails,
+    });
+  }
+  private async broadcastWithFilters(
+    msg: Record<string, unknown>,
+    eventData: Record<string, unknown> | null,
+  ): Promise<void> {
+    const msgStr = JSON.stringify(msg);
+    const sockets = this.ctx.getWebSockets();
+    const msgChannel = typeof msg.channel === 'string' ? msg.channel : null;
+    const tableName = typeof msg.table === 'string' ? msg.table : '';
+    for (const ws of sockets) {
+      const meta = this.getWSMeta(ws);
+      if (!meta?.authenticated) continue;
+      if (msgChannel && !meta.subscribedChannels.includes(msgChannel)) continue;
+      const canRead = await this.evaluateRowReadAccess(tableName, meta, eventData);
+      if (!canRead) continue;
+      let shouldSend = true;
+      if (eventData && (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0) && msgChannel) {
+        const filters = meta.channelFilters.get(msgChannel) || [];
+        const orFilters = meta.channelOrFilters.get(msgChannel) || [];
+        if (filters.length > 0 || orFilters.length > 0) {
+          shouldSend = evaluateDatabaseLiveFilters(eventData, filters, orFilters);
+        }
+      }
+      if (!shouldSend) continue;
+      try {
+        ws.send(msgStr);
+      } catch {
+        // Socket may be closing.
+      }
+    }
+  }
+  private broadcastToAuthenticated(msg: Record<string, unknown>): void {
+    const payload = JSON.stringify(msg);
+    for (const ws of this.ctx.getWebSockets()) {
+      const meta = this.getWSMeta(ws);
+      if (!meta?.authenticated) continue;
+      try {
+        ws.send(payload);
+      } catch {
+        // Socket may be closing.
+      }
+    }
+  }
+  private getWSMeta(ws: WebSocket): WSMeta | null {
+    const cached = this.metaCache.get(ws);
+    if (cached) return cached;
+    try {
+      const tags = this.ctx.getTags(ws);
+      if (tags.length === 0) return null;
+      const connectionId = tags[0];
+      const meta: WSMeta = {
+        authenticated: false,
+        connectionId,
+        subscribedChannels: [],
+        channelFilters: new Map(),
+        channelOrFilters: new Map(),
+        supportsBatch: false,
+      };
+      this.metaCache.set(ws, meta);
+      return meta;
+    } catch {
+      return null;
+    }
+  }
+  private setWSMeta(ws: WebSocket, meta: WSMeta): void {
+    this.metaCache.set(ws, meta);
+  }
+  private getTableReadRule(tableName: string):
+    | ((auth: Record<string, unknown> | null, row: Record<string, unknown>) => boolean | Promise<boolean>)
+    | boolean
+    | undefined {
+    for (const dbBlock of Object.values(this.config.databases ?? {})) {
+      const tableConfig = dbBlock.tables?.[tableName];
+      if (tableConfig) {
+        return getTableAccess(tableConfig)?.read as
+          | ((auth: Record<string, unknown> | null, row: Record<string, unknown>) => boolean | Promise<boolean>)
+          | boolean
+          | undefined;
+      }
+    }
+    return undefined;
+  }
+  private async evaluateRowReadAccess(
+    tableName: string,
+    meta: WSMeta,
+    row: Record<string, unknown> | null,
+  ): Promise<boolean> {
+    const rule = this.getTableReadRule(tableName);
+    if (rule === undefined) return meta.authenticated;
+    if (typeof rule === 'boolean') return rule;
+    if (!row) return false;
+    const authCtx = meta.authenticated
+      ? { id: meta.userId ?? '', role: meta.role ?? null, email: null }
+      : null;
+    try {
+      const result = await Promise.race([
+        Promise.resolve(rule(authCtx as Record<string, unknown> | null, row)),
+        new Promise<never>((_, reject) =>
+          setTimeout(() => reject(new Error('Database live row access timeout')), 50),
+        ),
+      ]);
+      return Boolean(result);
+    } catch {
+      return false;
+    }
+  }
+  private async evaluateChannelAccess(channel: string, meta: WSMeta): Promise<boolean> {
+    if (!meta.authenticated || !meta.userId) return false;
+    if (!isDbLiveChannel(channel)) return false;
+    const tableName = this.extractTableName(channel.split(':'));
+    if (!tableName) return false;
+    const tableRules = this.getTableReadRule(tableName);
+    if (tableRules === undefined) return meta.authenticated;
+    if (typeof tableRules === 'boolean') return tableRules;
+    const authCtx = meta.authenticated
+      ? { id: meta.userId ?? '', role: meta.role ?? null, email: null }
+      : null;
+    try {
+      const result = await Promise.race([
+        Promise.resolve(tableRules(authCtx as Record<string, unknown> | null, {})),
+        new Promise<never>((_, reject) =>
+          setTimeout(() => reject(new Error('Database live channel access timeout')), 50),
+        ),
+      ]);
+      return Boolean(result);
+    } catch {
+      return false;
+    }
+  }
+  private extractTableName(parts: string[]): string | null {
+    if (parts.length === 3) return parts[2];
+    if (parts.length === 4) {
+      return parts[1] === 'shared' ? parts[2] : parts[3];
+    }
+    if (parts.length >= 5) return parts[3];
+    return null;
+  }
+}
+export function evaluateDatabaseLiveFilters(
+  data: Record<string, unknown>,
+  filters: readonly unknown[],
+  orFilters?: readonly unknown[],
+): boolean {
+  const normalizedFilters = filters
+    .map(normalizeFilterCondition)
+    .filter((condition): condition is FilterCondition => condition !== null);
+  if (normalizedFilters.length !== filters.length) return false;
+  const andPass = normalizedFilters.every(([field, op, value]) => {
+    const fieldValue = data[field];
+    switch (op) {
+      case '==':
+        return fieldValue === value;
+      case '!=':
+        return fieldValue !== value;
+      case '<':
+        return typeof fieldValue === 'number' && typeof value === 'number' && fieldValue < value;
+      case '<=':
+        return typeof fieldValue === 'number' && typeof value === 'number' && fieldValue <= value;
+      case '>':
+        return typeof fieldValue === 'number' && typeof value === 'number' && fieldValue > value;
+      case '>=':
+        return typeof fieldValue === 'number' && typeof value === 'number' && fieldValue >= value;
+      case 'in':
+        return Array.isArray(value) && value.includes(fieldValue);
+      case 'contains':
+        if (typeof fieldValue === 'string') return fieldValue.includes(String(value));
+        return Array.isArray(fieldValue) && fieldValue.includes(value);
+      case 'contains-any':
+        return Array.isArray(fieldValue) && Array.isArray(value)
+          ? value.some((entry) => fieldValue.includes(entry))
+          : false;
+      case 'not in':
+        return Array.isArray(value) ? !value.includes(fieldValue) : true;
+      default:
+        return false;
+    }
+  });
+  if (!andPass) return false;
+  if (!orFilters || orFilters.length === 0) return true;
+  const normalizedOrFilters = orFilters
+    .map(normalizeFilterCondition)
+    .filter((condition): condition is FilterCondition => condition !== null);
+  if (normalizedOrFilters.length !== orFilters.length) return false;
+  return normalizedOrFilters.some(([field, op, value]) => {
+    const fieldValue = data[field];
+    switch (op) {
+      case '==':
+        return fieldValue === value;
+      case '!=':
+        return fieldValue !== value;
+      case '<':
+        return typeof fieldValue === 'number' && typeof value === 'number' && fieldValue < value;
+      case '<=':
+        return typeof fieldValue === 'number' && typeof value === 'number' && fieldValue <= value;
+      case '>':
+        return typeof fieldValue === 'number' && typeof value === 'number' && fieldValue > value;
+      case '>=':
+        return typeof fieldValue === 'number' && typeof value === 'number' && fieldValue >= value;
+      case 'in':
+        return Array.isArray(value) && value.includes(fieldValue);
+      case 'contains':
+        if (typeof fieldValue === 'string') return fieldValue.includes(String(value));
+        return Array.isArray(fieldValue) && fieldValue.includes(value);
+      case 'contains-any':
+        return Array.isArray(fieldValue) && Array.isArray(value)
+          ? value.some((entry) => fieldValue.includes(entry))
+          : false;
+      case 'not in':
+        return Array.isArray(value) ? !value.includes(fieldValue) : true;
+      default:
+        return false;
+    }
+  });
+}