npm - @edge-base/server - Versions diffs - 0.1.1 - Mend

@edge-base/server 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/admin-build/.gitkeep +0 -0
package/admin-build/_app/env.js +1 -0
package/admin-build/_app/immutable/assets/0.Bm6cF078.css +1 -0
package/admin-build/_app/immutable/assets/1.BfW3pUNa.css +1 -0
package/admin-build/_app/immutable/assets/11.CVmQOewb.css +1 -0
package/admin-build/_app/immutable/assets/12.B1EhbRZT.css +1 -0
package/admin-build/_app/immutable/assets/13.BvwYeuwE.css +1 -0
package/admin-build/_app/immutable/assets/14.CdVfcO0R.css +1 -0
package/admin-build/_app/immutable/assets/15.2yeZ66b-.css +1 -0
package/admin-build/_app/immutable/assets/17.BVg0JEVu.css +1 -0
package/admin-build/_app/immutable/assets/18.Rwnl3x_i.css +1 -0
package/admin-build/_app/immutable/assets/20.DsPWA9AV.css +1 -0
package/admin-build/_app/immutable/assets/21.Dz2RJ56c.css +1 -0
package/admin-build/_app/immutable/assets/22.DwNLk5Ai.css +1 -0
package/admin-build/_app/immutable/assets/23.CFpu0gOO.css +1 -0
package/admin-build/_app/immutable/assets/24.Cy5LBeoJ.css +1 -0
package/admin-build/_app/immutable/assets/25.pUyLVf-h.css +1 -0
package/admin-build/_app/immutable/assets/26.DBcGrlXa.css +1 -0
package/admin-build/_app/immutable/assets/27.BswYyAJD.css +1 -0
package/admin-build/_app/immutable/assets/28.B4ueB1Kf.css +1 -0
package/admin-build/_app/immutable/assets/29.B-qU6PdF.css +1 -0
package/admin-build/_app/immutable/assets/3.Dg81Pgmd.css +1 -0
package/admin-build/_app/immutable/assets/30.CsdWum94.css +1 -0
package/admin-build/_app/immutable/assets/31.U6OwIp50.css +1 -0
package/admin-build/_app/immutable/assets/4.CyawCCux.css +1 -0
package/admin-build/_app/immutable/assets/5.C0YO2HTk.css +1 -0
package/admin-build/_app/immutable/assets/8.Br5jd6kD.css +1 -0
package/admin-build/_app/immutable/assets/Badge.EMYLHBxE.css +1 -0
package/admin-build/_app/immutable/assets/Button.DpzMRTjK.css +1 -0
package/admin-build/_app/immutable/assets/ConfirmDialog.DAnaWRRk.css +1 -0
package/admin-build/_app/immutable/assets/EmptyState.CwKsu57Y.css +1 -0
package/admin-build/_app/immutable/assets/Input.BDUSenmU.css +1 -0
package/admin-build/_app/immutable/assets/Modal.Dm5B0Xie.css +1 -0
package/admin-build/_app/immutable/assets/PageShell.CmU-Xh-b.css +1 -0
package/admin-build/_app/immutable/assets/SchemaFieldEditor.g4NsCdno.css +1 -0
package/admin-build/_app/immutable/assets/Select.BW4Keufm.css +1 -0
package/admin-build/_app/immutable/assets/Skeleton.KWUulTKJ.css +1 -0
package/admin-build/_app/immutable/assets/Tabs.CniGYb67.css +1 -0
package/admin-build/_app/immutable/assets/TimeChart.BTCDAvmT.css +1 -0
package/admin-build/_app/immutable/assets/Toggle.Cy_K12OM.css +1 -0
package/admin-build/_app/immutable/assets/TopList.ClFzmPlA.css +1 -0
package/admin-build/_app/immutable/chunks/7B47DvSx.js +1 -0
package/admin-build/_app/immutable/chunks/7f08Id8e.js +1 -0
package/admin-build/_app/immutable/chunks/8wJeQ7LN.js +1 -0
package/admin-build/_app/immutable/chunks/B-h2afW5.js +1 -0
package/admin-build/_app/immutable/chunks/B8vJP3wz.js +1 -0
package/admin-build/_app/immutable/chunks/BR_fL5Yv.js +1 -0
package/admin-build/_app/immutable/chunks/BY92tFS2.js +1 -0
package/admin-build/_app/immutable/chunks/BcR-Rdj9.js +1 -0
package/admin-build/_app/immutable/chunks/BdrwyZv8.js +1 -0
package/admin-build/_app/immutable/chunks/Bh56EfQ_.js +1 -0
package/admin-build/_app/immutable/chunks/BkrCkgYp.js +1 -0
package/admin-build/_app/immutable/chunks/BmRjiP5k.js +1 -0
package/admin-build/_app/immutable/chunks/BsokvhWC.js +1 -0
package/admin-build/_app/immutable/chunks/C4D51vTW.js +1 -0
package/admin-build/_app/immutable/chunks/C6puvcoR.js +2 -0
package/admin-build/_app/immutable/chunks/CCKNu7m7.js +1 -0
package/admin-build/_app/immutable/chunks/CWj6FrbW.js +1 -0
package/admin-build/_app/immutable/chunks/Ce-ngf4p.js +5 -0
package/admin-build/_app/immutable/chunks/Cs0GwzJA.js +1 -0
package/admin-build/_app/immutable/chunks/CwROoZK0.js +1 -0
package/admin-build/_app/immutable/chunks/CxCPv_Ut.js +1 -0
package/admin-build/_app/immutable/chunks/CxbRue-5.js +1 -0
package/admin-build/_app/immutable/chunks/CyqB6g-D.js +1 -0
package/admin-build/_app/immutable/chunks/D5h5A1cc.js +2 -0
package/admin-build/_app/immutable/chunks/DnyL7Zq-.js +1 -0
package/admin-build/_app/immutable/chunks/DoPXzH7F.js +1 -0
package/admin-build/_app/immutable/chunks/DrQSgw-f.js +1 -0
package/admin-build/_app/immutable/chunks/DttM2zNO.js +1 -0
package/admin-build/_app/immutable/chunks/DuXuUBWN.js +1 -0
package/admin-build/_app/immutable/chunks/MdeqaOQx.js +10 -0
package/admin-build/_app/immutable/chunks/NuUjtcO2.js +1 -0
package/admin-build/_app/immutable/chunks/Q2nPFxS6.js +1 -0
package/admin-build/_app/immutable/chunks/R6arueIl.js +1 -0
package/admin-build/_app/immutable/chunks/UUazaC_N.js +1 -0
package/admin-build/_app/immutable/chunks/cOYbrQxx.js +1 -0
package/admin-build/_app/immutable/chunks/eFQHTGwA.js +1 -0
package/admin-build/_app/immutable/chunks/ehbppgYb.js +1 -0
package/admin-build/_app/immutable/chunks/glwixJlP.js +1 -0
package/admin-build/_app/immutable/chunks/vApWTCBs.js +1 -0
package/admin-build/_app/immutable/chunks/w89G9Xpi.js +1 -0
package/admin-build/_app/immutable/chunks/wJsUhbfZ.js +1 -0
package/admin-build/_app/immutable/chunks/zfauFM8P.js +1 -0
package/admin-build/_app/immutable/entry/app.CcO-Uos3.js +2 -0
package/admin-build/_app/immutable/entry/start.COebYq3I.js +1 -0
package/admin-build/_app/immutable/nodes/0.CjtHKU-6.js +1 -0
package/admin-build/_app/immutable/nodes/1.DEisjlM0.js +1 -0
package/admin-build/_app/immutable/nodes/10.CvhdyWVB.js +1 -0
package/admin-build/_app/immutable/nodes/11.DjHqcOvy.js +1 -0
package/admin-build/_app/immutable/nodes/12.mQLz4Mj_.js +1 -0
package/admin-build/_app/immutable/nodes/13.CBonZZyP.js +110 -0
package/admin-build/_app/immutable/nodes/14.d-oiZL0j.js +3 -0
package/admin-build/_app/immutable/nodes/15.CKPQsUYF.js +1 -0
package/admin-build/_app/immutable/nodes/16.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/17.DayhKyEZ.js +1 -0
package/admin-build/_app/immutable/nodes/18.DKwS0Ir0.js +1 -0
package/admin-build/_app/immutable/nodes/19.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/2.BKoKrw1i.js +1 -0
package/admin-build/_app/immutable/nodes/20.BvIkkkrW.js +1 -0
package/admin-build/_app/immutable/nodes/21.DMaFhdHk.js +128 -0
package/admin-build/_app/immutable/nodes/22.3xdgwuK1.js +1 -0
package/admin-build/_app/immutable/nodes/23.8Bvgjbsl.js +112 -0
package/admin-build/_app/immutable/nodes/24.DzSSzRhG.js +2 -0
package/admin-build/_app/immutable/nodes/25.9KKYBnAE.js +2 -0
package/admin-build/_app/immutable/nodes/26.Bhn9dfhY.js +1 -0
package/admin-build/_app/immutable/nodes/27.kRLiC24G.js +1 -0
package/admin-build/_app/immutable/nodes/28.BVIN1-7N.js +1 -0
package/admin-build/_app/immutable/nodes/29.3yabZWj4.js +1 -0
package/admin-build/_app/immutable/nodes/3.BFtSOkX7.js +2 -0
package/admin-build/_app/immutable/nodes/30.CyCQlwaP.js +1 -0
package/admin-build/_app/immutable/nodes/31.C4LDXjES.js +1 -0
package/admin-build/_app/immutable/nodes/4.CvbiMlCa.js +1 -0
package/admin-build/_app/immutable/nodes/5.C6BLv2eM.js +1 -0
package/admin-build/_app/immutable/nodes/6.BcXvfl2P.js +1 -0
package/admin-build/_app/immutable/nodes/7.CIuqhPiK.js +1 -0
package/admin-build/_app/immutable/nodes/8.BQOR_JfO.js +1 -0
package/admin-build/_app/immutable/nodes/9.NZqXQxPy.js +1 -0
package/admin-build/_app/version.json +1 -0
package/admin-build/favicon.svg +26 -0
package/admin-build/index.html +45 -0
package/openapi.json +19543 -0
package/package.json +66 -0
package/src/__tests__/admin-assets.test.ts +55 -0
package/src/__tests__/admin-data-routes.test.ts +488 -0
package/src/__tests__/admin-db-target.test.ts +103 -0
package/src/__tests__/admin-routing.test.ts +31 -0
package/src/__tests__/admin-user-management.test.ts +311 -0
package/src/__tests__/analytics-query.test.ts +75 -0
package/src/__tests__/auth-d1.test.ts +749 -0
package/src/__tests__/auth-db-adapter.test.ts +73 -0
package/src/__tests__/auth-jwt.test.ts +440 -0
package/src/__tests__/auth-oauth.test.ts +389 -0
package/src/__tests__/auth-password.test.ts +367 -0
package/src/__tests__/auth-redirect.test.ts +87 -0
package/src/__tests__/backup-restore.test.ts +711 -0
package/src/__tests__/broadcast.test.ts +128 -0
package/src/__tests__/cli.test.ts +178 -0
package/src/__tests__/cloudflare-realtime.test.ts +113 -0
package/src/__tests__/config.test.ts +469 -0
package/src/__tests__/cors.test.ts +154 -0
package/src/__tests__/cron.test.ts +302 -0
package/src/__tests__/d1-handler.test.ts +402 -0
package/src/__tests__/d1-sql.test.ts +120 -0
package/src/__tests__/database-live-config.test.ts +42 -0
package/src/__tests__/database-live-emitter.test.ts +56 -0
package/src/__tests__/database-live-filters.test.ts +63 -0
package/src/__tests__/database-live-route.test.ts +113 -0
package/src/__tests__/db-sql.test.ts +163 -0
package/src/__tests__/do-lifecycle.test.ts +263 -0
package/src/__tests__/do-router.test.ts +729 -0
package/src/__tests__/email-provider.test.ts +128 -0
package/src/__tests__/email-templates.test.ts +528 -0
package/src/__tests__/error-format.test.ts +250 -0
package/src/__tests__/field-ops.test.ts +242 -0
package/src/__tests__/functions-context.test.ts +334 -0
package/src/__tests__/functions-d1-proxy.test.ts +229 -0
package/src/__tests__/functions-registry-runtime-config.test.ts +17 -0
package/src/__tests__/functions-route.test.ts +139 -0
package/src/__tests__/internal-request.test.ts +77 -0
package/src/__tests__/log-writer.test.ts +44 -0
package/src/__tests__/logger.test.ts +58 -0
package/src/__tests__/meta-admin-proxy.test.ts +48 -0
package/src/__tests__/meta-export-coverage.test.ts +191 -0
package/src/__tests__/meta-route-registration.test.ts +47 -0
package/src/__tests__/namespace-dump.test.ts +28 -0
package/src/__tests__/oauth-providers.test.ts +337 -0
package/src/__tests__/openapi-coverage.test.ts +144 -0
package/src/__tests__/pagination.test.ts +59 -0
package/src/__tests__/password-policy.test.ts +191 -0
package/src/__tests__/plugin-migrations.test.ts +379 -0
package/src/__tests__/postgres-batch-compat.test.ts +133 -0
package/src/__tests__/postgres-dialect.test.ts +328 -0
package/src/__tests__/postgres-executor.test.ts +79 -0
package/src/__tests__/postgres-field-ops-compat.test.ts +222 -0
package/src/__tests__/postgres-schema-init.test.ts +105 -0
package/src/__tests__/postgres-table-utils.test.ts +107 -0
package/src/__tests__/presence.test.ts +199 -0
package/src/__tests__/provider.test.ts +550 -0
package/src/__tests__/public-user-profile.test.ts +339 -0
package/src/__tests__/push-handlers.test.ts +179 -0
package/src/__tests__/push-provider.test.ts +80 -0
package/src/__tests__/push-token.test.ts +418 -0
package/src/__tests__/query.test.ts +771 -0
package/src/__tests__/rate-limit.test.ts +260 -0
package/src/__tests__/room-access-policy.test.ts +101 -0
package/src/__tests__/room-handler-context.test.ts +130 -0
package/src/__tests__/room-monitoring.test.ts +138 -0
package/src/__tests__/room-runtime-routing.test.ts +222 -0
package/src/__tests__/room.test.ts +254 -0
package/src/__tests__/route-parser.test.ts +490 -0
package/src/__tests__/rules.test.ts +234 -0
package/src/__tests__/runtime-surface-accounting.test.ts +120 -0
package/src/__tests__/scheduled.test.ts +80 -0
package/src/__tests__/schema.test.ts +1273 -0
package/src/__tests__/security-hardening.test.ts +312 -0
package/src/__tests__/server.unit.test.ts +333 -0
package/src/__tests__/service-key-db-proxy.test.ts +650 -0
package/src/__tests__/service-key-provider-bypass.test.ts +138 -0
package/src/__tests__/service-key.test.ts +757 -0
package/src/__tests__/smoke-skip-report.test.ts +72 -0
package/src/__tests__/sms-provider.test.ts +39 -0
package/src/__tests__/sql-route.test.ts +218 -0
package/src/__tests__/storage-hook-context.test.ts +115 -0
package/src/__tests__/totp.test.ts +200 -0
package/src/__tests__/uuid.test.ts +144 -0
package/src/__tests__/validation.test.ts +773 -0
package/src/__tests__/websocket-pending.test.ts +163 -0
package/src/_functions-registry.ts +51 -0
package/src/bench-entry.ts +9 -0
package/src/cloudflare-test.d.ts +1 -0
package/src/durable-objects/auth-do.ts +49 -0
package/src/durable-objects/database-do.ts +2240 -0
package/src/durable-objects/database-live-do.ts +949 -0
package/src/durable-objects/logs-do.ts +1200 -0
package/src/durable-objects/room-runtime-base.ts +1604 -0
package/src/durable-objects/rooms-do.ts +2191 -0
package/src/generated-config.ts +6 -0
package/src/index.ts +382 -0
package/src/lib/admin-assets.ts +54 -0
package/src/lib/admin-db-target.ts +301 -0
package/src/lib/admin-routing.ts +35 -0
package/src/lib/admin-user-management.ts +464 -0
package/src/lib/analytics-adapter.ts +103 -0
package/src/lib/analytics-query.ts +579 -0
package/src/lib/auth-d1-service.ts +1193 -0
package/src/lib/auth-d1.ts +1056 -0
package/src/lib/auth-db-adapter.ts +289 -0
package/src/lib/auth-redirect.ts +116 -0
package/src/lib/cidr.ts +115 -0
package/src/lib/client-ip.ts +51 -0
package/src/lib/cloudflare-realtime.ts +251 -0
package/src/lib/control-db.ts +36 -0
package/src/lib/cron.ts +163 -0
package/src/lib/d1-handler.ts +1425 -0
package/src/lib/d1-schema-init.ts +255 -0
package/src/lib/d1-sql.ts +33 -0
package/src/lib/database-live-config.ts +24 -0
package/src/lib/database-live-emitter.ts +111 -0
package/src/lib/db-sql.ts +66 -0
package/src/lib/do-retry.ts +36 -0
package/src/lib/do-router.ts +270 -0
package/src/lib/do-sql.ts +73 -0
package/src/lib/email-provider.ts +379 -0
package/src/lib/email-templates.ts +285 -0
package/src/lib/email-translations.ts +422 -0
package/src/lib/errors.ts +151 -0
package/src/lib/functions.ts +2091 -0
package/src/lib/hono.ts +56 -0
package/src/lib/internal-request.ts +56 -0
package/src/lib/jwt.ts +354 -0
package/src/lib/log-writer.ts +272 -0
package/src/lib/namespace-dump.ts +125 -0
package/src/lib/oauth-providers.ts +1225 -0
package/src/lib/op-parser.ts +99 -0
package/src/lib/openapi.ts +146 -0
package/src/lib/pagination.ts +19 -0
package/src/lib/password-policy.ts +102 -0
package/src/lib/password.ts +145 -0
package/src/lib/plugin-migrations.ts +612 -0
package/src/lib/postgres-executor.ts +203 -0
package/src/lib/postgres-handler.ts +1102 -0
package/src/lib/postgres-schema-init.ts +341 -0
package/src/lib/postgres-table-utils.ts +87 -0
package/src/lib/public-user-profile.ts +187 -0
package/src/lib/push-provider.ts +409 -0
package/src/lib/push-token.ts +294 -0
package/src/lib/query-engine.ts +768 -0
package/src/lib/room-monitoring.ts +97 -0
package/src/lib/room-runtime.ts +14 -0
package/src/lib/route-parser.ts +434 -0
package/src/lib/schema.ts +538 -0
package/src/lib/schemas.ts +152 -0
package/src/lib/service-key.ts +419 -0
package/src/lib/sms-provider.ts +230 -0
package/src/lib/startup-config.ts +99 -0
package/src/lib/totp.ts +242 -0
package/src/lib/uuid.ts +87 -0
package/src/lib/validation.ts +205 -0
package/src/lib/version.ts +2 -0
package/src/lib/websocket-pending.ts +40 -0
package/src/middleware/auth.ts +169 -0
package/src/middleware/captcha-verify.ts +217 -0
package/src/middleware/cors.ts +159 -0
package/src/middleware/error-handler.ts +54 -0
package/src/middleware/internal-guard.ts +26 -0
package/src/middleware/logger.ts +126 -0
package/src/middleware/rate-limit.ts +283 -0
package/src/middleware/rules.ts +475 -0
package/src/routes/admin-auth.ts +447 -0
package/src/routes/admin.ts +3501 -0
package/src/routes/analytics-api.ts +290 -0
package/src/routes/auth.ts +4222 -0
package/src/routes/backup.ts +1466 -0
package/src/routes/config.ts +53 -0
package/src/routes/d1.ts +109 -0
package/src/routes/database-live.ts +281 -0
package/src/routes/functions.ts +155 -0
package/src/routes/health.ts +32 -0
package/src/routes/kv.ts +167 -0
package/src/routes/oauth.ts +1055 -0
package/src/routes/push.ts +1465 -0
package/src/routes/room.ts +639 -0
package/src/routes/schema-endpoint.ts +76 -0
package/src/routes/sql.ts +176 -0
package/src/routes/storage.ts +1674 -0
package/src/routes/tables.ts +699 -0
package/src/routes/users.ts +21 -0
package/src/routes/vectorize.ts +372 -0
package/src/types.ts +99 -0

package/src/lib/admin-user-management.ts ADDED Viewed

@@ -0,0 +1,464 @@
+import { EdgeBaseError } from '@edge-base/shared';
+import type { AuthDb } from './auth-db-adapter.js';
+import {
+  confirmEmail,
+  confirmPhone,
+  deleteEmail,
+  deleteEmailPending,
+  deletePhone,
+  registerEmailPending,
+  registerPhonePending,
+} from './auth-d1.js';
+import * as authService from './auth-d1-service.js';
+import { deletePublicUserProjection, invalidatePublicUserCache, syncPublicUserProjection } from './public-user-profile.js';
+import { unregisterAllTokens } from './push-token.js';
+import { hashPassword, isPasswordHash } from './password.js';
+const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+const VALID_STATUSES = new Set(['active', 'suspended', 'banned', 'disabled']);
+const VALID_EMAIL_VISIBILITY = new Set(['public', 'private']);
+const UPDATABLE_USER_FIELDS = new Set([
+  'email',
+  'passwordHash',
+  'displayName',
+  'avatarUrl',
+  'emailVisibility',
+  'role',
+  'status',
+  'verified',
+  'isAnonymous',
+  'customClaims',
+  'phone',
+  'phoneVerified',
+  'metadata',
+  'appMetadata',
+  'disabled',
+  'locale',
+]);
+interface ManagedUserOptions {
+  executionCtx?: ExecutionContext;
+  kv?: KVNamespace;
+}
+export interface CreateManagedUserInput {
+  userId: string;
+  email: string;
+  passwordHash: string;
+  displayName?: string | null;
+  avatarUrl?: string | null;
+  role?: string;
+  verified?: boolean;
+  locale?: string;
+  metadata?: Record<string, unknown> | null;
+  appMetadata?: Record<string, unknown> | null;
+}
+function hasOwn<T extends object>(value: T, key: string): boolean {
+  return Object.prototype.hasOwnProperty.call(value, key);
+}
+function normalizeOptionalRole(role: unknown): string | undefined {
+  if (role === undefined) return undefined;
+  if (typeof role !== 'string') {
+    throw new EdgeBaseError(400, 'Role must be a non-empty string.');
+  }
+  const normalized = role.trim();
+  if (!normalized) {
+    throw new EdgeBaseError(400, 'Role must be a non-empty string.');
+  }
+  if (normalized.length > 100) {
+    throw new EdgeBaseError(400, 'Role must not exceed 100 characters.');
+  }
+  return normalized;
+}
+function normalizePhone(phone: string): string {
+  const cleaned = phone.replace(/[\s\-()]/g, '');
+  if (!/^\+[1-9]\d{6,14}$/.test(cleaned)) {
+    throw new EdgeBaseError(400, 'Invalid phone number. Must be in E.164 format (e.g. +15551234567).');
+  }
+  return cleaned;
+}
+async function ensureConfirmedEmailIndex(
+  db: AuthDb,
+  email: string,
+  userId: string,
+): Promise<void> {
+  try {
+    await registerEmailPending(db, email, userId);
+  } catch (err) {
+    if ((err as Error).message !== 'EMAIL_ALREADY_REGISTERED') {
+      throw err;
+    }
+  }
+  await confirmEmail(db, email, userId);
+}
+async function ensureConfirmedPhoneIndex(
+  db: AuthDb,
+  phone: string,
+  userId: string,
+): Promise<void> {
+  try {
+    await registerPhonePending(db, phone, userId);
+  } catch (err) {
+    if ((err as Error).message !== 'PHONE_ALREADY_REGISTERED') {
+      throw err;
+    }
+  }
+  await confirmPhone(db, phone, userId);
+}
+function toNullableString(value: unknown): string | null {
+  return typeof value === 'string' && value.length > 0 ? value : null;
+}
+function toRollbackValue(existing: Record<string, unknown>, key: string): unknown {
+  if (hasOwn(existing, key)) return existing[key];
+  return null;
+}
+function toEdgeBaseError(
+  error: unknown,
+  fallbackCode: number,
+  fallbackMessage: string,
+): EdgeBaseError {
+  if (error instanceof EdgeBaseError) return error;
+  const message = error instanceof Error && error.message ? error.message : fallbackMessage;
+  return new EdgeBaseError(fallbackCode, message);
+}
+function invalidateManagedUserCaches(
+  userId: string,
+  options: ManagedUserOptions,
+): void {
+  const profileTask = invalidatePublicUserCache(userId, {
+    kv: options.kv,
+    executionCtx: options.executionCtx,
+    awaitCacheWrites: false,
+  }).catch((err) => {
+    console.error(`[EdgeBase] Failed to invalidate public profile cache for ${userId}:`, err);
+  });
+  if (!options.kv) {
+    void profileTask;
+    return;
+  }
+  const pushTask = unregisterAllTokens(options.kv, userId).catch((err) => {
+    console.error(`[EdgeBase] Failed to invalidate push token cache for ${userId}:`, err);
+  });
+  const task = Promise.all([profileTask, pushTask]).then(() => undefined);
+  if (options.executionCtx) {
+    options.executionCtx.waitUntil(task);
+    return;
+  }
+  void task;
+}
+export async function normalizeAdminUserUpdates(
+  raw: Record<string, unknown>,
+): Promise<authService.UpdateUserInput> {
+  const updates = { ...raw } as Record<string, unknown>;
+  if (hasOwn(updates, 'email')) {
+    if (typeof updates.email !== 'string' || !EMAIL_RE.test(updates.email.trim())) {
+      throw new EdgeBaseError(400, 'Invalid email format.');
+    }
+    updates.email = updates.email.trim().toLowerCase();
+  }
+  if (hasOwn(updates, 'password')) {
+    if (typeof updates.password !== 'string') {
+      throw new EdgeBaseError(400, 'Password must be a string.');
+    }
+    if (updates.password.length < 8) {
+      throw new EdgeBaseError(400, 'Password must be at least 8 characters.');
+    }
+    if (updates.password.length > 256) {
+      throw new EdgeBaseError(400, 'Password must not exceed 256 characters.');
+    }
+    updates.passwordHash = await hashPassword(updates.password);
+    delete updates.password;
+  }
+  if (hasOwn(updates, 'passwordHash')) {
+    if (typeof updates.passwordHash !== 'string' || updates.passwordHash.length === 0) {
+      throw new EdgeBaseError(400, 'Password hash must be a non-empty string.');
+    }
+  }
+  if (hasOwn(updates, 'role')) {
+    updates.role = normalizeOptionalRole(updates.role);
+  }
+  if (hasOwn(updates, 'status')) {
+    if (typeof updates.status !== 'string' || !VALID_STATUSES.has(updates.status)) {
+      throw new EdgeBaseError(400, 'Invalid status. Must be "active", "suspended", "banned", or "disabled".');
+    }
+  }
+  if (hasOwn(updates, 'displayName')) {
+    if (updates.displayName !== null && (typeof updates.displayName !== 'string' || updates.displayName.length > 200)) {
+      throw new EdgeBaseError(400, 'Display name must not exceed 200 characters.');
+    }
+  }
+  if (hasOwn(updates, 'avatarUrl')) {
+    if (updates.avatarUrl !== null && (typeof updates.avatarUrl !== 'string' || updates.avatarUrl.length > 2048)) {
+      throw new EdgeBaseError(400, 'Avatar URL must not exceed 2048 characters.');
+    }
+  }
+  if (hasOwn(updates, 'emailVisibility')) {
+    if (typeof updates.emailVisibility !== 'string' || !VALID_EMAIL_VISIBILITY.has(updates.emailVisibility)) {
+      throw new EdgeBaseError(400, 'emailVisibility must be "public" or "private".');
+    }
+  }
+  if (hasOwn(updates, 'phone')) {
+    if (updates.phone === null) {
+      updates.phoneVerified = false;
+    } else if (typeof updates.phone === 'string') {
+      updates.phone = normalizePhone(updates.phone);
+      if (!hasOwn(updates, 'phoneVerified')) {
+        updates.phoneVerified = false;
+      }
+    } else {
+      throw new EdgeBaseError(400, 'Phone must be a string in E.164 format or null.');
+    }
+  }
+  if (hasOwn(updates, 'locale')) {
+    if (updates.locale !== null && (typeof updates.locale !== 'string' || !/^[a-z]{2}(-[A-Z]{2})?$/.test(updates.locale))) {
+      throw new EdgeBaseError(400, 'Invalid locale format. Expected format: "en" or "en-US".');
+    }
+  }
+  const hasSupportedField = Object.keys(updates).some((key) => UPDATABLE_USER_FIELDS.has(key));
+  if (!hasSupportedField) {
+    throw new EdgeBaseError(
+      400,
+      'No valid fields to update. Allowed fields include email, phone, password, displayName, avatarUrl, role, status, metadata, and appMetadata.',
+    );
+  }
+  return updates as authService.UpdateUserInput;
+}
+async function cleanupCreatedUser(
+  db: AuthDb,
+  userId: string,
+  email: string,
+  options: ManagedUserOptions,
+): Promise<void> {
+  await authService.deleteUserCascade(db, userId).catch(() => {});
+  await deletePublicUserProjection(db, userId, {
+    executionCtx: options.executionCtx,
+    kv: options.kv,
+    awaitCacheWrites: true,
+  }).catch(() => {});
+  await deleteEmailPending(db, email).catch(() => {});
+  await deleteEmail(db, email).catch(() => {});
+}
+export async function createManagedAdminUser(
+  db: AuthDb,
+  input: CreateManagedUserInput,
+  options: ManagedUserOptions = {},
+): Promise<Record<string, unknown>> {
+  try {
+    await registerEmailPending(db, input.email, input.userId);
+  } catch (err) {
+    if ((err as Error).message === 'EMAIL_ALREADY_REGISTERED') {
+      throw new EdgeBaseError(409, 'Email already registered.');
+    }
+    throw new EdgeBaseError(500, 'User creation failed.');
+  }
+  let user: Record<string, unknown> | null = null;
+  try {
+    user = await authService.createUser(db, {
+      userId: input.userId,
+      email: input.email,
+      passwordHash: input.passwordHash,
+      displayName: input.displayName,
+      avatarUrl: input.avatarUrl,
+      role: input.role || 'user',
+      verified: input.verified ?? true,
+      locale: input.locale,
+      metadata: input.metadata,
+      appMetadata: input.appMetadata,
+    });
+    await confirmEmail(db, input.email, input.userId);
+    await syncPublicUserProjection(db, input.userId, authService.buildPublicUserData(user), {
+      executionCtx: options.executionCtx,
+      kv: options.kv,
+      awaitCacheWrites: false,
+    });
+    return user;
+  } catch (err) {
+    await cleanupCreatedUser(db, input.userId, input.email, options);
+    throw toEdgeBaseError(err, 500, 'User creation failed.');
+  }
+}
+export async function deleteManagedAdminUser(
+  db: AuthDb,
+  userId: string,
+  options: ManagedUserOptions = {},
+): Promise<boolean> {
+  const user = await authService.getUserById(db, userId);
+  if (!user) return false;
+  await db.batch([
+    { sql: `DELETE FROM _email_tokens WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _sessions WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _oauth_accounts WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _mfa_recovery_codes WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _mfa_factors WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _webauthn_credentials WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _passkey_index WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _email_index WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _phone_index WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _oauth_index WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _anon_index WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _push_devices WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _users_public WHERE id = ?`, params: [userId] },
+    { sql: `DELETE FROM _users WHERE id = ?`, params: [userId] },
+  ]);
+  invalidateManagedUserCaches(userId, options);
+  return true;
+}
+export async function updateManagedAdminUser(
+  db: AuthDb,
+  userId: string,
+  rawUpdates: Record<string, unknown>,
+  options: ManagedUserOptions = {},
+): Promise<Record<string, unknown> | null> {
+  const updates = await normalizeAdminUserUpdates(rawUpdates);
+  const existing = await authService.getUserById(db, userId);
+  if (!existing) return null;
+  const oldEmail = toNullableString(existing.email);
+  const oldPhone = toNullableString(existing.phone);
+  const newEmail = hasOwn(updates as Record<string, unknown>, 'email')
+    ? toNullableString((updates as Record<string, unknown>).email)
+    : undefined;
+  const newPhone = hasOwn(updates as Record<string, unknown>, 'phone')
+    ? ((updates as Record<string, unknown>).phone as string | null)
+    : undefined;
+  const emailChanged = newEmail !== undefined && newEmail !== oldEmail;
+  const phoneChanged = newPhone !== undefined && newPhone !== oldPhone;
+  if (emailChanged && newEmail) {
+    try {
+      await registerEmailPending(db, newEmail, userId);
+    } catch (err) {
+      if ((err as Error).message === 'EMAIL_ALREADY_REGISTERED') {
+        throw new EdgeBaseError(409, 'Email already registered.');
+      }
+      throw new EdgeBaseError(500, 'User update failed.');
+    }
+  }
+  if (phoneChanged && typeof newPhone === 'string') {
+    try {
+      await registerPhonePending(db, newPhone, userId);
+    } catch (err) {
+      if (newEmail) {
+        await deleteEmailPending(db, newEmail).catch(() => {});
+      }
+      if ((err as Error).message === 'PHONE_ALREADY_REGISTERED') {
+        throw new EdgeBaseError(409, 'Phone number is already registered.');
+      }
+      throw new EdgeBaseError(500, 'User update failed.');
+    }
+  }
+  const user = await authService.updateUser(db, userId, updates);
+  if (!user) {
+    if (newEmail) await deleteEmailPending(db, newEmail).catch(() => {});
+    if (typeof newPhone === 'string') await deletePhone(db, newPhone).catch(() => {});
+    return null;
+  }
+  const rollbackUpdates: authService.UpdateUserInput = {};
+  for (const key of Object.keys(updates as Record<string, unknown>)) {
+    if (UPDATABLE_USER_FIELDS.has(key)) {
+      (rollbackUpdates as Record<string, unknown>)[key] = toRollbackValue(existing, key);
+    }
+  }
+  try {
+    if (emailChanged && newEmail) {
+      await confirmEmail(db, newEmail, userId);
+    }
+    if (phoneChanged && typeof newPhone === 'string') {
+      await confirmPhone(db, newPhone, userId);
+    }
+    await syncPublicUserProjection(db, userId, authService.buildPublicUserData(user), {
+      executionCtx: options.executionCtx,
+      kv: options.kv,
+      awaitCacheWrites: false,
+    });
+    if (emailChanged && oldEmail) {
+      await deleteEmail(db, oldEmail);
+    }
+    if (phoneChanged && oldPhone) {
+      await deletePhone(db, oldPhone);
+    }
+    return user;
+  } catch (err) {
+    await authService.updateUser(db, userId, rollbackUpdates).catch(() => {});
+    await syncPublicUserProjection(db, userId, authService.buildPublicUserData(existing), {
+      executionCtx: options.executionCtx,
+      kv: options.kv,
+      awaitCacheWrites: false,
+    }).catch(() => {});
+    if (newEmail) await deleteEmail(db, newEmail).catch(() => {});
+    if (emailChanged && oldEmail) {
+      await ensureConfirmedEmailIndex(db, oldEmail, userId).catch((restoreErr) => {
+        console.error(`[EdgeBase] Failed to restore old email index for ${userId}:`, restoreErr);
+      });
+    }
+    if (typeof newPhone === 'string') await deletePhone(db, newPhone).catch(() => {});
+    if (phoneChanged && oldPhone) {
+      await ensureConfirmedPhoneIndex(db, oldPhone, userId).catch((restoreErr) => {
+        console.error(`[EdgeBase] Failed to restore old phone index for ${userId}:`, restoreErr);
+      });
+    }
+    throw toEdgeBaseError(err, 500, 'User update failed.');
+  }
+}
+export async function prepareImportedPasswordHash(user: {
+  passwordHash?: string;
+  password?: string;
+}): Promise<string> {
+  if (user.passwordHash && isPasswordHash(user.passwordHash)) {
+    return user.passwordHash;
+  }
+  if (user.password) {
+    if (user.password.length < 8) {
+      throw new EdgeBaseError(400, 'Password must be at least 8 characters.');
+    }
+    if (user.password.length > 256) {
+      throw new EdgeBaseError(400, 'Password must not exceed 256 characters.');
+    }
+    return hashPassword(user.password);
+  }
+  return '';
+}

package/src/lib/analytics-adapter.ts ADDED Viewed

@@ -0,0 +1,103 @@
+/**
+ * AnalyticsAdapter pattern.
+ *
+ * Provides environment-aware analytics storage for App Functions:
+ * - Cloud:         AnalyticsEngineAdapter (separate ANALYTICS_APP dataset)
+ * - Self-hosted:   ConsoleAnalyticsAdapter (fallback)
+ *
+ * Separate from LogWriter (#83) — different lifecycle & retention policy.
+ * LogWriter = operational metrics, AnalyticsAdapter = business analytics.
+ *
+ * Usage (inside App Functions):
+ *   ctx.analytics.write({ event: 'page_view', blobs: ['/home'], doubles: [1] });
+ *   const result = await ctx.analytics.query({ sql: 'SELECT ...' });
+ */
+// ─── Types ───
+export interface AnalyticsDataPoint {
+  event: string;              // e.g. 'page_view', 'button_click'
+  blobs?: string[];           // String dimensions (max 20)
+  doubles?: number[];         // Numeric metrics (max 20)
+  timestamp?: number;         // Default: Date.now()
+}
+export interface AnalyticsQuery {
+  sql: string;                // Cloud: Analytics Engine SQL API, self-hosted: SQLite SQL
+  timeRange?: { start: string; end: string };
+}
+export interface AnalyticsResult {
+  data: Record<string, unknown>[];
+}
+export interface AnalyticsAdapter {
+  write(dataPoint: AnalyticsDataPoint): void;
+  query(params: AnalyticsQuery): Promise<AnalyticsResult>;
+}
+// ─── AnalyticsEngineAdapter (Cloud) ───
+/**
+ * Analytics adapter using a dedicated Cloudflare Analytics Engine dataset.
+ * Separate from LogWriter's ANALYTICS binding — uses ANALYTICS_APP binding.
+ * Non-blocking fire-and-forget write. SQL API for queries.
+ */
+export class AnalyticsEngineAdapter implements AnalyticsAdapter {
+  constructor(private engine: AnalyticsEngineDataset) {}
+  write(dp: AnalyticsDataPoint): void {
+    this.engine.writeDataPoint({
+      indexes: [dp.event],
+      blobs: [dp.event, ...(dp.blobs || [])],
+      doubles: [...(dp.doubles || []), dp.timestamp || Date.now()],
+    });
+  }
+  async query(_params: AnalyticsQuery): Promise<AnalyticsResult> {
+    // Analytics Engine SQL API requires account-level credentials
+    // and is called via the Cloudflare REST API, not from Workers.
+    // App Functions should use client.functions.call() → server-side query endpoint.
+    return { data: [] };
+  }
+}
+// ─── ConsoleAnalyticsAdapter (Self-hosted / Dev fallback) ───
+/**
+ * Fallback analytics adapter using console.log.
+ * Used when neither Analytics Engine nor SQLite analytics DB is available.
+ *
+ * Note: In production self-hosted, this would use a dedicated SQLite file (analytics.db).
+ * For M19, we implement the interface and fall back to console logging
+ * when ANALYTICS_APP binding is not present.
+ */
+export class ConsoleAnalyticsAdapter implements AnalyticsAdapter {
+  write(dp: AnalyticsDataPoint): void {
+    const ts = new Date(dp.timestamp || Date.now()).toISOString();
+    console.log(
+      `[EdgeBase:Analytics] ${ts} event=${dp.event}` +
+      (dp.blobs?.length ? ` blobs=[${dp.blobs.join(',')}]` : '') +
+      (dp.doubles?.length ? ` doubles=[${dp.doubles.join(',')}]` : ''),
+    );
+  }
+  async query(_params: AnalyticsQuery): Promise<AnalyticsResult> {
+    return { data: [] };
+  }
+}
+// ─── Factory ───
+/**
+ * Create the appropriate AnalyticsAdapter based on environment bindings.
+ * - `env.ANALYTICS_APP` exists → AnalyticsEngineAdapter (separate from LogWriter's ANALYTICS)
+ * - Otherwise → ConsoleAnalyticsAdapter (fallback)
+ */
+export function createAnalyticsAdapter(env: Record<string, unknown>): AnalyticsAdapter {
+  const analyticsApp = env.ANALYTICS_APP as AnalyticsEngineDataset | undefined;
+  if (analyticsApp) {
+    return new AnalyticsEngineAdapter(analyticsApp);
+  }
+  return new ConsoleAnalyticsAdapter();
+}