npm - @edge-base/server - Versions diffs - 0.1.1 - Mend

@edge-base/server 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/admin-build/.gitkeep +0 -0
package/admin-build/_app/env.js +1 -0
package/admin-build/_app/immutable/assets/0.Bm6cF078.css +1 -0
package/admin-build/_app/immutable/assets/1.BfW3pUNa.css +1 -0
package/admin-build/_app/immutable/assets/11.CVmQOewb.css +1 -0
package/admin-build/_app/immutable/assets/12.B1EhbRZT.css +1 -0
package/admin-build/_app/immutable/assets/13.BvwYeuwE.css +1 -0
package/admin-build/_app/immutable/assets/14.CdVfcO0R.css +1 -0
package/admin-build/_app/immutable/assets/15.2yeZ66b-.css +1 -0
package/admin-build/_app/immutable/assets/17.BVg0JEVu.css +1 -0
package/admin-build/_app/immutable/assets/18.Rwnl3x_i.css +1 -0
package/admin-build/_app/immutable/assets/20.DsPWA9AV.css +1 -0
package/admin-build/_app/immutable/assets/21.Dz2RJ56c.css +1 -0
package/admin-build/_app/immutable/assets/22.DwNLk5Ai.css +1 -0
package/admin-build/_app/immutable/assets/23.CFpu0gOO.css +1 -0
package/admin-build/_app/immutable/assets/24.Cy5LBeoJ.css +1 -0
package/admin-build/_app/immutable/assets/25.pUyLVf-h.css +1 -0
package/admin-build/_app/immutable/assets/26.DBcGrlXa.css +1 -0
package/admin-build/_app/immutable/assets/27.BswYyAJD.css +1 -0
package/admin-build/_app/immutable/assets/28.B4ueB1Kf.css +1 -0
package/admin-build/_app/immutable/assets/29.B-qU6PdF.css +1 -0
package/admin-build/_app/immutable/assets/3.Dg81Pgmd.css +1 -0
package/admin-build/_app/immutable/assets/30.CsdWum94.css +1 -0
package/admin-build/_app/immutable/assets/31.U6OwIp50.css +1 -0
package/admin-build/_app/immutable/assets/4.CyawCCux.css +1 -0
package/admin-build/_app/immutable/assets/5.C0YO2HTk.css +1 -0
package/admin-build/_app/immutable/assets/8.Br5jd6kD.css +1 -0
package/admin-build/_app/immutable/assets/Badge.EMYLHBxE.css +1 -0
package/admin-build/_app/immutable/assets/Button.DpzMRTjK.css +1 -0
package/admin-build/_app/immutable/assets/ConfirmDialog.DAnaWRRk.css +1 -0
package/admin-build/_app/immutable/assets/EmptyState.CwKsu57Y.css +1 -0
package/admin-build/_app/immutable/assets/Input.BDUSenmU.css +1 -0
package/admin-build/_app/immutable/assets/Modal.Dm5B0Xie.css +1 -0
package/admin-build/_app/immutable/assets/PageShell.CmU-Xh-b.css +1 -0
package/admin-build/_app/immutable/assets/SchemaFieldEditor.g4NsCdno.css +1 -0
package/admin-build/_app/immutable/assets/Select.BW4Keufm.css +1 -0
package/admin-build/_app/immutable/assets/Skeleton.KWUulTKJ.css +1 -0
package/admin-build/_app/immutable/assets/Tabs.CniGYb67.css +1 -0
package/admin-build/_app/immutable/assets/TimeChart.BTCDAvmT.css +1 -0
package/admin-build/_app/immutable/assets/Toggle.Cy_K12OM.css +1 -0
package/admin-build/_app/immutable/assets/TopList.ClFzmPlA.css +1 -0
package/admin-build/_app/immutable/chunks/7B47DvSx.js +1 -0
package/admin-build/_app/immutable/chunks/7f08Id8e.js +1 -0
package/admin-build/_app/immutable/chunks/8wJeQ7LN.js +1 -0
package/admin-build/_app/immutable/chunks/B-h2afW5.js +1 -0
package/admin-build/_app/immutable/chunks/B8vJP3wz.js +1 -0
package/admin-build/_app/immutable/chunks/BR_fL5Yv.js +1 -0
package/admin-build/_app/immutable/chunks/BY92tFS2.js +1 -0
package/admin-build/_app/immutable/chunks/BcR-Rdj9.js +1 -0
package/admin-build/_app/immutable/chunks/BdrwyZv8.js +1 -0
package/admin-build/_app/immutable/chunks/Bh56EfQ_.js +1 -0
package/admin-build/_app/immutable/chunks/BkrCkgYp.js +1 -0
package/admin-build/_app/immutable/chunks/BmRjiP5k.js +1 -0
package/admin-build/_app/immutable/chunks/BsokvhWC.js +1 -0
package/admin-build/_app/immutable/chunks/C4D51vTW.js +1 -0
package/admin-build/_app/immutable/chunks/C6puvcoR.js +2 -0
package/admin-build/_app/immutable/chunks/CCKNu7m7.js +1 -0
package/admin-build/_app/immutable/chunks/CWj6FrbW.js +1 -0
package/admin-build/_app/immutable/chunks/Ce-ngf4p.js +5 -0
package/admin-build/_app/immutable/chunks/Cs0GwzJA.js +1 -0
package/admin-build/_app/immutable/chunks/CwROoZK0.js +1 -0
package/admin-build/_app/immutable/chunks/CxCPv_Ut.js +1 -0
package/admin-build/_app/immutable/chunks/CxbRue-5.js +1 -0
package/admin-build/_app/immutable/chunks/CyqB6g-D.js +1 -0
package/admin-build/_app/immutable/chunks/D5h5A1cc.js +2 -0
package/admin-build/_app/immutable/chunks/DnyL7Zq-.js +1 -0
package/admin-build/_app/immutable/chunks/DoPXzH7F.js +1 -0
package/admin-build/_app/immutable/chunks/DrQSgw-f.js +1 -0
package/admin-build/_app/immutable/chunks/DttM2zNO.js +1 -0
package/admin-build/_app/immutable/chunks/DuXuUBWN.js +1 -0
package/admin-build/_app/immutable/chunks/MdeqaOQx.js +10 -0
package/admin-build/_app/immutable/chunks/NuUjtcO2.js +1 -0
package/admin-build/_app/immutable/chunks/Q2nPFxS6.js +1 -0
package/admin-build/_app/immutable/chunks/R6arueIl.js +1 -0
package/admin-build/_app/immutable/chunks/UUazaC_N.js +1 -0
package/admin-build/_app/immutable/chunks/cOYbrQxx.js +1 -0
package/admin-build/_app/immutable/chunks/eFQHTGwA.js +1 -0
package/admin-build/_app/immutable/chunks/ehbppgYb.js +1 -0
package/admin-build/_app/immutable/chunks/glwixJlP.js +1 -0
package/admin-build/_app/immutable/chunks/vApWTCBs.js +1 -0
package/admin-build/_app/immutable/chunks/w89G9Xpi.js +1 -0
package/admin-build/_app/immutable/chunks/wJsUhbfZ.js +1 -0
package/admin-build/_app/immutable/chunks/zfauFM8P.js +1 -0
package/admin-build/_app/immutable/entry/app.CcO-Uos3.js +2 -0
package/admin-build/_app/immutable/entry/start.COebYq3I.js +1 -0
package/admin-build/_app/immutable/nodes/0.CjtHKU-6.js +1 -0
package/admin-build/_app/immutable/nodes/1.DEisjlM0.js +1 -0
package/admin-build/_app/immutable/nodes/10.CvhdyWVB.js +1 -0
package/admin-build/_app/immutable/nodes/11.DjHqcOvy.js +1 -0
package/admin-build/_app/immutable/nodes/12.mQLz4Mj_.js +1 -0
package/admin-build/_app/immutable/nodes/13.CBonZZyP.js +110 -0
package/admin-build/_app/immutable/nodes/14.d-oiZL0j.js +3 -0
package/admin-build/_app/immutable/nodes/15.CKPQsUYF.js +1 -0
package/admin-build/_app/immutable/nodes/16.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/17.DayhKyEZ.js +1 -0
package/admin-build/_app/immutable/nodes/18.DKwS0Ir0.js +1 -0
package/admin-build/_app/immutable/nodes/19.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/2.BKoKrw1i.js +1 -0
package/admin-build/_app/immutable/nodes/20.BvIkkkrW.js +1 -0
package/admin-build/_app/immutable/nodes/21.DMaFhdHk.js +128 -0
package/admin-build/_app/immutable/nodes/22.3xdgwuK1.js +1 -0
package/admin-build/_app/immutable/nodes/23.8Bvgjbsl.js +112 -0
package/admin-build/_app/immutable/nodes/24.DzSSzRhG.js +2 -0
package/admin-build/_app/immutable/nodes/25.9KKYBnAE.js +2 -0
package/admin-build/_app/immutable/nodes/26.Bhn9dfhY.js +1 -0
package/admin-build/_app/immutable/nodes/27.kRLiC24G.js +1 -0
package/admin-build/_app/immutable/nodes/28.BVIN1-7N.js +1 -0
package/admin-build/_app/immutable/nodes/29.3yabZWj4.js +1 -0
package/admin-build/_app/immutable/nodes/3.BFtSOkX7.js +2 -0
package/admin-build/_app/immutable/nodes/30.CyCQlwaP.js +1 -0
package/admin-build/_app/immutable/nodes/31.C4LDXjES.js +1 -0
package/admin-build/_app/immutable/nodes/4.CvbiMlCa.js +1 -0
package/admin-build/_app/immutable/nodes/5.C6BLv2eM.js +1 -0
package/admin-build/_app/immutable/nodes/6.BcXvfl2P.js +1 -0
package/admin-build/_app/immutable/nodes/7.CIuqhPiK.js +1 -0
package/admin-build/_app/immutable/nodes/8.BQOR_JfO.js +1 -0
package/admin-build/_app/immutable/nodes/9.NZqXQxPy.js +1 -0
package/admin-build/_app/version.json +1 -0
package/admin-build/favicon.svg +26 -0
package/admin-build/index.html +45 -0
package/openapi.json +19543 -0
package/package.json +66 -0
package/src/__tests__/admin-assets.test.ts +55 -0
package/src/__tests__/admin-data-routes.test.ts +488 -0
package/src/__tests__/admin-db-target.test.ts +103 -0
package/src/__tests__/admin-routing.test.ts +31 -0
package/src/__tests__/admin-user-management.test.ts +311 -0
package/src/__tests__/analytics-query.test.ts +75 -0
package/src/__tests__/auth-d1.test.ts +749 -0
package/src/__tests__/auth-db-adapter.test.ts +73 -0
package/src/__tests__/auth-jwt.test.ts +440 -0
package/src/__tests__/auth-oauth.test.ts +389 -0
package/src/__tests__/auth-password.test.ts +367 -0
package/src/__tests__/auth-redirect.test.ts +87 -0
package/src/__tests__/backup-restore.test.ts +711 -0
package/src/__tests__/broadcast.test.ts +128 -0
package/src/__tests__/cli.test.ts +178 -0
package/src/__tests__/cloudflare-realtime.test.ts +113 -0
package/src/__tests__/config.test.ts +469 -0
package/src/__tests__/cors.test.ts +154 -0
package/src/__tests__/cron.test.ts +302 -0
package/src/__tests__/d1-handler.test.ts +402 -0
package/src/__tests__/d1-sql.test.ts +120 -0
package/src/__tests__/database-live-config.test.ts +42 -0
package/src/__tests__/database-live-emitter.test.ts +56 -0
package/src/__tests__/database-live-filters.test.ts +63 -0
package/src/__tests__/database-live-route.test.ts +113 -0
package/src/__tests__/db-sql.test.ts +163 -0
package/src/__tests__/do-lifecycle.test.ts +263 -0
package/src/__tests__/do-router.test.ts +729 -0
package/src/__tests__/email-provider.test.ts +128 -0
package/src/__tests__/email-templates.test.ts +528 -0
package/src/__tests__/error-format.test.ts +250 -0
package/src/__tests__/field-ops.test.ts +242 -0
package/src/__tests__/functions-context.test.ts +334 -0
package/src/__tests__/functions-d1-proxy.test.ts +229 -0
package/src/__tests__/functions-registry-runtime-config.test.ts +17 -0
package/src/__tests__/functions-route.test.ts +139 -0
package/src/__tests__/internal-request.test.ts +77 -0
package/src/__tests__/log-writer.test.ts +44 -0
package/src/__tests__/logger.test.ts +58 -0
package/src/__tests__/meta-admin-proxy.test.ts +48 -0
package/src/__tests__/meta-export-coverage.test.ts +191 -0
package/src/__tests__/meta-route-registration.test.ts +47 -0
package/src/__tests__/namespace-dump.test.ts +28 -0
package/src/__tests__/oauth-providers.test.ts +337 -0
package/src/__tests__/openapi-coverage.test.ts +144 -0
package/src/__tests__/pagination.test.ts +59 -0
package/src/__tests__/password-policy.test.ts +191 -0
package/src/__tests__/plugin-migrations.test.ts +379 -0
package/src/__tests__/postgres-batch-compat.test.ts +133 -0
package/src/__tests__/postgres-dialect.test.ts +328 -0
package/src/__tests__/postgres-executor.test.ts +79 -0
package/src/__tests__/postgres-field-ops-compat.test.ts +222 -0
package/src/__tests__/postgres-schema-init.test.ts +105 -0
package/src/__tests__/postgres-table-utils.test.ts +107 -0
package/src/__tests__/presence.test.ts +199 -0
package/src/__tests__/provider.test.ts +550 -0
package/src/__tests__/public-user-profile.test.ts +339 -0
package/src/__tests__/push-handlers.test.ts +179 -0
package/src/__tests__/push-provider.test.ts +80 -0
package/src/__tests__/push-token.test.ts +418 -0
package/src/__tests__/query.test.ts +771 -0
package/src/__tests__/rate-limit.test.ts +260 -0
package/src/__tests__/room-access-policy.test.ts +101 -0
package/src/__tests__/room-handler-context.test.ts +130 -0
package/src/__tests__/room-monitoring.test.ts +138 -0
package/src/__tests__/room-runtime-routing.test.ts +222 -0
package/src/__tests__/room.test.ts +254 -0
package/src/__tests__/route-parser.test.ts +490 -0
package/src/__tests__/rules.test.ts +234 -0
package/src/__tests__/runtime-surface-accounting.test.ts +120 -0
package/src/__tests__/scheduled.test.ts +80 -0
package/src/__tests__/schema.test.ts +1273 -0
package/src/__tests__/security-hardening.test.ts +312 -0
package/src/__tests__/server.unit.test.ts +333 -0
package/src/__tests__/service-key-db-proxy.test.ts +650 -0
package/src/__tests__/service-key-provider-bypass.test.ts +138 -0
package/src/__tests__/service-key.test.ts +757 -0
package/src/__tests__/smoke-skip-report.test.ts +72 -0
package/src/__tests__/sms-provider.test.ts +39 -0
package/src/__tests__/sql-route.test.ts +218 -0
package/src/__tests__/storage-hook-context.test.ts +115 -0
package/src/__tests__/totp.test.ts +200 -0
package/src/__tests__/uuid.test.ts +144 -0
package/src/__tests__/validation.test.ts +773 -0
package/src/__tests__/websocket-pending.test.ts +163 -0
package/src/_functions-registry.ts +51 -0
package/src/bench-entry.ts +9 -0
package/src/cloudflare-test.d.ts +1 -0
package/src/durable-objects/auth-do.ts +49 -0
package/src/durable-objects/database-do.ts +2240 -0
package/src/durable-objects/database-live-do.ts +949 -0
package/src/durable-objects/logs-do.ts +1200 -0
package/src/durable-objects/room-runtime-base.ts +1604 -0
package/src/durable-objects/rooms-do.ts +2191 -0
package/src/generated-config.ts +6 -0
package/src/index.ts +382 -0
package/src/lib/admin-assets.ts +54 -0
package/src/lib/admin-db-target.ts +301 -0
package/src/lib/admin-routing.ts +35 -0
package/src/lib/admin-user-management.ts +464 -0
package/src/lib/analytics-adapter.ts +103 -0
package/src/lib/analytics-query.ts +579 -0
package/src/lib/auth-d1-service.ts +1193 -0
package/src/lib/auth-d1.ts +1056 -0
package/src/lib/auth-db-adapter.ts +289 -0
package/src/lib/auth-redirect.ts +116 -0
package/src/lib/cidr.ts +115 -0
package/src/lib/client-ip.ts +51 -0
package/src/lib/cloudflare-realtime.ts +251 -0
package/src/lib/control-db.ts +36 -0
package/src/lib/cron.ts +163 -0
package/src/lib/d1-handler.ts +1425 -0
package/src/lib/d1-schema-init.ts +255 -0
package/src/lib/d1-sql.ts +33 -0
package/src/lib/database-live-config.ts +24 -0
package/src/lib/database-live-emitter.ts +111 -0
package/src/lib/db-sql.ts +66 -0
package/src/lib/do-retry.ts +36 -0
package/src/lib/do-router.ts +270 -0
package/src/lib/do-sql.ts +73 -0
package/src/lib/email-provider.ts +379 -0
package/src/lib/email-templates.ts +285 -0
package/src/lib/email-translations.ts +422 -0
package/src/lib/errors.ts +151 -0
package/src/lib/functions.ts +2091 -0
package/src/lib/hono.ts +56 -0
package/src/lib/internal-request.ts +56 -0
package/src/lib/jwt.ts +354 -0
package/src/lib/log-writer.ts +272 -0
package/src/lib/namespace-dump.ts +125 -0
package/src/lib/oauth-providers.ts +1225 -0
package/src/lib/op-parser.ts +99 -0
package/src/lib/openapi.ts +146 -0
package/src/lib/pagination.ts +19 -0
package/src/lib/password-policy.ts +102 -0
package/src/lib/password.ts +145 -0
package/src/lib/plugin-migrations.ts +612 -0
package/src/lib/postgres-executor.ts +203 -0
package/src/lib/postgres-handler.ts +1102 -0
package/src/lib/postgres-schema-init.ts +341 -0
package/src/lib/postgres-table-utils.ts +87 -0
package/src/lib/public-user-profile.ts +187 -0
package/src/lib/push-provider.ts +409 -0
package/src/lib/push-token.ts +294 -0
package/src/lib/query-engine.ts +768 -0
package/src/lib/room-monitoring.ts +97 -0
package/src/lib/room-runtime.ts +14 -0
package/src/lib/route-parser.ts +434 -0
package/src/lib/schema.ts +538 -0
package/src/lib/schemas.ts +152 -0
package/src/lib/service-key.ts +419 -0
package/src/lib/sms-provider.ts +230 -0
package/src/lib/startup-config.ts +99 -0
package/src/lib/totp.ts +242 -0
package/src/lib/uuid.ts +87 -0
package/src/lib/validation.ts +205 -0
package/src/lib/version.ts +2 -0
package/src/lib/websocket-pending.ts +40 -0
package/src/middleware/auth.ts +169 -0
package/src/middleware/captcha-verify.ts +217 -0
package/src/middleware/cors.ts +159 -0
package/src/middleware/error-handler.ts +54 -0
package/src/middleware/internal-guard.ts +26 -0
package/src/middleware/logger.ts +126 -0
package/src/middleware/rate-limit.ts +283 -0
package/src/middleware/rules.ts +475 -0
package/src/routes/admin-auth.ts +447 -0
package/src/routes/admin.ts +3501 -0
package/src/routes/analytics-api.ts +290 -0
package/src/routes/auth.ts +4222 -0
package/src/routes/backup.ts +1466 -0
package/src/routes/config.ts +53 -0
package/src/routes/d1.ts +109 -0
package/src/routes/database-live.ts +281 -0
package/src/routes/functions.ts +155 -0
package/src/routes/health.ts +32 -0
package/src/routes/kv.ts +167 -0
package/src/routes/oauth.ts +1055 -0
package/src/routes/push.ts +1465 -0
package/src/routes/room.ts +639 -0
package/src/routes/schema-endpoint.ts +76 -0
package/src/routes/sql.ts +176 -0
package/src/routes/storage.ts +1674 -0
package/src/routes/tables.ts +699 -0
package/src/routes/users.ts +21 -0
package/src/routes/vectorize.ts +372 -0
package/src/types.ts +99 -0

package/src/lib/auth-d1-service.ts ADDED Viewed

@@ -0,0 +1,1193 @@
+/**
+ * auth-d1-service.ts — Auth service layer (supports D1 + PostgreSQL backends)
+ *
+ * Uses the AuthDb adapter interface for provider-agnostic database access.
+ * All SQL uses `?` bind params — the adapter converts to `$1, $2, ...` for PostgreSQL.
+ *
+ * Key patterns:
+ * - No `RETURNING *` — re-fetch after INSERT/UPDATE (portable across D1/pg)
+ * - `db.batch()` → atomic transaction (D1 batch / pg BEGIN/COMMIT)
+ * - `datetime('now')` replaced with JS `new Date().toISOString()` (portable)
+ * - `INSERT OR IGNORE` → adapter converts to `ON CONFLICT DO NOTHING` for pg
+ *
+ * All functions are async (both D1 and pg are HTTP-based).
+ */
+import type { AuthDb } from './auth-db-adapter.js';
+// ─── Types ───
+export interface CreateUserInput {
+  userId: string;
+  email: string | null;
+  passwordHash: string;
+  displayName?: string | null;
+  avatarUrl?: string | null;
+  emailVisibility?: string;
+  role?: string;
+  verified?: boolean;
+  locale?: string;
+  metadata?: Record<string, unknown> | null;
+  appMetadata?: Record<string, unknown> | null;
+}
+export interface UpdateUserInput {
+  email?: string;
+  passwordHash?: string;
+  displayName?: string | null;
+  avatarUrl?: string | null;
+  emailVisibility?: string;
+  role?: string;
+  verified?: boolean | number;
+  isAnonymous?: boolean | number;
+  customClaims?: Record<string, unknown> | string | null;
+  phone?: string | null;
+  phoneVerified?: boolean | number;
+  metadata?: Record<string, unknown> | string | null;
+  appMetadata?: Record<string, unknown> | string | null;
+  disabled?: boolean | number;
+  status?: string;
+  locale?: string;
+}
+export interface CreateSessionInput {
+  id: string;
+  userId: string;
+  refreshToken: string;
+  expiresAt: string;
+  metadata?: string | null;
+  previousRefreshToken?: string | null;
+  rotatedAt?: string | null;
+}
+export interface CreateOAuthAccountInput {
+  id: string;
+  userId: string;
+  provider: string;
+  providerUserId: string;
+}
+export interface CreateEmailTokenInput {
+  token: string;
+  userId: string;
+  type: string;
+  expiresAt: string;
+}
+export interface CreateMfaFactorInput {
+  id: string;
+  userId: string;
+  type?: string;
+  secret: string;
+}
+export interface CreateWebAuthnCredentialInput {
+  id: string;
+  userId: string;
+  credentialId: string;
+  credentialPublicKey: string;
+  counter?: number;
+  transports?: string | null;
+}
+// ─── A. User CRUD ───
+/**
+ * Create a new user record.
+ * INSERT + re-fetch (portable, works on both D1 and pg).
+ */
+export async function createUser(
+  db: AuthDb,
+  input: CreateUserInput,
+): Promise<Record<string, unknown>> {
+  const now = new Date().toISOString();
+  const metadataStr = input.metadata ? JSON.stringify(input.metadata) : null;
+  const appMetadataStr = input.appMetadata ? JSON.stringify(input.appMetadata) : null;
+  await db.run(
+    `INSERT INTO _users (id, email, passwordHash, displayName, avatarUrl, emailVisibility, role, verified, isAnonymous, locale, metadata, appMetadata, createdAt, updatedAt)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, 0, ?, ?, ?, ?, ?)`,
+    [
+      input.userId,
+      input.email,
+      input.passwordHash,
+      input.displayName ?? null,
+      input.avatarUrl ?? null,
+      input.emailVisibility ?? 'private',
+      input.role ?? 'user',
+      input.verified ? 1 : 0,
+      input.locale ?? 'en',
+      metadataStr,
+      appMetadataStr,
+      now,
+      now,
+    ],
+  );
+  // Re-fetch
+  const user = await db.first(`SELECT * FROM _users WHERE id = ?`, [input.userId]);
+  return user as Record<string, unknown>;
+}
+/**
+ * Create an anonymous user record.
+ * INSERT + re-fetch.
+ */
+export async function createAnonymousUser(
+  db: AuthDb,
+  userId: string,
+): Promise<Record<string, unknown>> {
+  const now = new Date().toISOString();
+  await db.run(
+    `INSERT INTO _users (id, email, passwordHash, displayName, avatarUrl, emailVisibility, role, verified, isAnonymous, createdAt, updatedAt)
+     VALUES (?, NULL, NULL, NULL, NULL, 'private', 'user', 0, 1, ?, ?)`,
+    [userId, now, now],
+  );
+  // Re-fetch
+  const user = await db.first(`SELECT * FROM _users WHERE id = ?`, [userId]);
+  return user as Record<string, unknown>;
+}
+/**
+ * Get user by ID.
+ */
+export async function getUserById(
+  db: AuthDb,
+  userId: string,
+): Promise<Record<string, unknown> | null> {
+  return await db.first(`SELECT * FROM _users WHERE id = ?`, [userId]);
+}
+/**
+ * Get user by email.
+ */
+export async function getUserByEmail(
+  db: AuthDb,
+  email: string,
+): Promise<Record<string, unknown> | null> {
+  return await db.first(`SELECT * FROM _users WHERE email = ?`, [email]);
+}
+/**
+ * Get user by phone.
+ */
+export async function getUserByPhone(
+  db: AuthDb,
+  phone: string,
+): Promise<Record<string, unknown> | null> {
+  return await db.first(`SELECT * FROM _users WHERE phone = ?`, [phone]);
+}
+/**
+ * Update user with dynamic fields.
+ * Builds SET clause dynamically. Re-fetches after UPDATE.
+ */
+export async function updateUser(
+  db: AuthDb,
+  userId: string,
+  updates: UpdateUserInput,
+): Promise<Record<string, unknown> | null> {
+  // Allowlist of _users columns that can be updated
+  const ALLOWED_COLUMNS = new Set([
+    'email', 'passwordHash', 'displayName', 'avatarUrl', 'emailVisibility',
+    'role', 'status', 'verified', 'isAnonymous', 'locale', 'metadata', 'appMetadata',
+    'customClaims', 'phone', 'phoneVerified', 'disabled', 'bannedUntil',
+    'lastSignInAt', 'updatedAt',
+  ]);
+  const sets: string[] = [];
+  const params: unknown[] = [];
+  const normalizeRoleValue = (value: unknown): string | null => {
+    if (typeof value !== 'string') return null;
+    const normalized = value.trim();
+    return normalized.length > 0 ? normalized : null;
+  };
+  for (const [key, value] of Object.entries(updates)) {
+    if (key === 'id' || key === 'createdAt') continue;
+    // Skip unknown columns to prevent errors from arbitrary input
+    if (!ALLOWED_COLUMNS.has(key)) continue;
+    // Skip non-bindable values (Symbol, Function, etc.)
+    if (typeof value === 'symbol' || typeof value === 'function') continue;
+    // Enum validation: reject invalid values for constrained fields
+    if (key === 'status' && !['active', 'suspended', 'banned', 'disabled'].includes(value as string)) continue;
+    if (key === 'emailVisibility' && !['public', 'private'].includes(value as string)) continue;
+    if (key === 'role') {
+      const normalizedRole = normalizeRoleValue(value);
+      if (!normalizedRole) continue;
+      sets.push('"role" = ?');
+      params.push(normalizedRole);
+      continue;
+    }
+    // JSON fields: serialize to string
+    if ((key === 'customClaims' || key === 'metadata' || key === 'appMetadata') && value !== null && typeof value === 'object') {
+      sets.push(`"${key}" = ?`);
+      params.push(JSON.stringify(value));
+    }
+    // Boolean fields: convert to integer
+    else if ((key === 'verified' || key === 'isAnonymous' || key === 'phoneVerified' || key === 'disabled') && typeof value === 'boolean') {
+      sets.push(`"${key}" = ?`);
+      params.push(value ? 1 : 0);
+    }
+    else {
+      sets.push(`"${key}" = ?`);
+      params.push(value);
+    }
+  }
+  if (sets.length === 0) return null;
+  const now = new Date().toISOString();
+  sets.push('"updatedAt" = ?');
+  params.push(now);
+  params.push(userId);
+  await db.run(
+    `UPDATE _users SET ${sets.join(', ')} WHERE "id" = ?`,
+    params,
+  );
+  // Re-fetch
+  return await db.first(`SELECT * FROM _users WHERE id = ?`, [userId]);
+}
+/**
+ * Delete user and all related records (cascade).
+ * Uses db.batch() for atomic transaction.
+ * Returns cleanup info for index cleanup.
+ */
+export async function deleteUserCascade(
+  db: AuthDb,
+  userId: string,
+): Promise<{
+  email: string | null;
+  phone: string | null;
+  oauthAccounts: Array<{ provider: string; providerUserId: string }>;
+}> {
+  // First, gather data needed for external cleanup before deleting
+  const user = await db.first<{ email: string | null; phone: string | null }>(
+    `SELECT email, phone FROM _users WHERE id = ?`,
+    [userId],
+  );
+  const oauthAccounts = await db.query<{ provider: string; providerUserId: string }>(
+    `SELECT provider, providerUserId FROM _oauth_accounts WHERE userId = ?`,
+    [userId],
+  );
+  // Batch delete all related records + user
+  await db.batch([
+    { sql: `DELETE FROM _email_tokens WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _sessions WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _oauth_accounts WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _mfa_recovery_codes WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _mfa_factors WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _webauthn_credentials WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _users WHERE id = ?`, params: [userId] },
+  ]);
+  return {
+    email: user?.email ?? null,
+    phone: user?.phone ?? null,
+    oauthAccounts: oauthAccounts.map((a) => ({
+      provider: a.provider,
+      providerUserId: a.providerUserId,
+    })),
+  };
+}
+/**
+ * List users with pagination.
+ */
+export async function listUsers(
+  db: AuthDb,
+  limit: number,
+  offset: number,
+): Promise<{ users: Record<string, unknown>[]; total: number }> {
+  const countResult = await db.first<{ cnt: number }>(
+    `SELECT COUNT(*) as cnt FROM _users`,
+  );
+  const total = countResult?.cnt ?? 0;
+  const users = await db.query(
+    `SELECT * FROM _users ORDER BY createdAt DESC LIMIT ? OFFSET ?`,
+    [limit, offset],
+  );
+  return { users, total };
+}
+/**
+ * Batch get users by IDs.
+ */
+export async function batchGetUsers(
+  db: AuthDb,
+  userIds: string[],
+): Promise<Record<string, unknown>[]> {
+  if (userIds.length === 0) return [];
+  const placeholders = userIds.map(() => '?').join(', ');
+  return await db.query(
+    `SELECT * FROM _users WHERE id IN (${placeholders})`,
+    userIds,
+  );
+}
+// ─── B. Session CRUD ───
+/**
+ * Create a new session.
+ * INSERT + re-fetch.
+ */
+export async function createSession(
+  db: AuthDb,
+  input: CreateSessionInput,
+): Promise<Record<string, unknown>> {
+  const now = new Date().toISOString();
+  await db.run(
+    `INSERT INTO _sessions (id, userId, refreshToken, previousRefreshToken, rotatedAt, expiresAt, createdAt, metadata)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+    [
+      input.id,
+      input.userId,
+      input.refreshToken,
+      input.previousRefreshToken ?? null,
+      input.rotatedAt ?? null,
+      input.expiresAt,
+      now,
+      input.metadata ?? null,
+    ],
+  );
+  // Re-fetch
+  const session = await db.first(`SELECT * FROM _sessions WHERE id = ?`, [input.id]);
+  return session as Record<string, unknown>;
+}
+/**
+ * Get session by refresh token.
+ * Also checks previousRefreshToken for grace period handling.
+ * Returns { session, matchType: 'current' | 'previous' | null }
+ */
+export async function getSessionByRefreshToken(
+  db: AuthDb,
+  token: string,
+  userId: string,
+): Promise<{ session: Record<string, unknown>; matchType: 'current' | 'previous' } | null> {
+  // Step 1: Check current refreshToken match
+  const currentSession = await db.first(
+    `SELECT * FROM _sessions WHERE refreshToken = ? AND userId = ?`,
+    [token, userId],
+  );
+  if (currentSession) {
+    return { session: currentSession, matchType: 'current' };
+  }
+  // Step 2: Check previousRefreshToken (Grace Period)
+  const prevSession = await db.first(
+    `SELECT * FROM _sessions WHERE previousRefreshToken = ? AND userId = ?`,
+    [token, userId],
+  );
+  if (prevSession) {
+    return { session: prevSession, matchType: 'previous' };
+  }
+  return null;
+}
+/**
+ * Rotate refresh token on a session.
+ * current -> previous, new -> current.
+ *
+ * Uses dialect-aware SQL for json_set (SQLite) vs jsonb_set (PostgreSQL).
+ */
+export async function rotateRefreshToken(
+  db: AuthDb,
+  sessionId: string,
+  newRefreshToken: string,
+  oldRefreshToken: string,
+  newExpiresAt: string,
+): Promise<void> {
+  const now = new Date().toISOString();
+  if (db.dialect === 'postgres') {
+    // PostgreSQL: use jsonb_set + to_jsonb for JSONB column
+    await db.run(
+      `UPDATE _sessions SET "refreshToken" = ?, "previousRefreshToken" = ?, "rotatedAt" = ?, "expiresAt" = ?, metadata = jsonb_set(COALESCE(metadata::jsonb, '{}'), '{lastActiveAt}', to_jsonb(?::text))::text WHERE id = ?`,
+      [newRefreshToken, oldRefreshToken, now, newExpiresAt, now, sessionId],
+    );
+  } else {
+    // SQLite (D1): use json_set
+    await db.run(
+      `UPDATE _sessions SET refreshToken = ?, previousRefreshToken = ?, rotatedAt = ?, expiresAt = ?, metadata = json_set(COALESCE(metadata, '{}'), '$.lastActiveAt', ?) WHERE id = ?`,
+      [newRefreshToken, oldRefreshToken, now, newExpiresAt, now, sessionId],
+    );
+  }
+}
+/**
+ * Delete a single session by ID.
+ */
+export async function deleteSession(
+  db: AuthDb,
+  sessionId: string,
+): Promise<void> {
+  await db.run(`DELETE FROM _sessions WHERE id = ?`, [sessionId]);
+}
+/**
+ * Delete a session by refresh token (signout).
+ * Also checks previousRefreshToken for grace period cleanup.
+ */
+export async function deleteSessionByRefreshToken(
+  db: AuthDb,
+  refreshToken: string,
+): Promise<void> {
+  await db.batch([
+    { sql: `DELETE FROM _sessions WHERE refreshToken = ?`, params: [refreshToken] },
+    { sql: `DELETE FROM _sessions WHERE previousRefreshToken = ?`, params: [refreshToken] },
+  ]);
+}
+/**
+ * Find session userId by refresh token (for signout hooks).
+ */
+export async function findSessionUserByRefreshToken(
+  db: AuthDb,
+  refreshToken: string,
+): Promise<string | null> {
+  const session = await db.first<{ userId: string }>(
+    `SELECT userId FROM _sessions WHERE refreshToken = ? OR previousRefreshToken = ?`,
+    [refreshToken, refreshToken],
+  );
+  return session?.userId ?? null;
+}
+/**
+ * Delete all sessions for a user.
+ */
+export async function deleteAllUserSessions(
+  db: AuthDb,
+  userId: string,
+): Promise<void> {
+  await db.run(`DELETE FROM _sessions WHERE userId = ?`, [userId]);
+}
+/**
+ * List sessions for a user.
+ * Parses metadata JSON for ip, userAgent, lastActiveAt.
+ */
+export async function listUserSessions(
+  db: AuthDb,
+  userId: string,
+): Promise<Array<{
+  id: string;
+  createdAt: string;
+  expiresAt: string;
+  ip: string | null;
+  userAgent: string | null;
+  lastActiveAt: string | null;
+}>> {
+  const results = await db.query<{ id: string; createdAt: string; expiresAt: string; metadata: string | null }>(
+    `SELECT id, createdAt, expiresAt, metadata FROM _sessions WHERE userId = ? ORDER BY createdAt DESC`,
+    [userId],
+  );
+  return results.map((s) => {
+    const meta = s.metadata ? JSON.parse(s.metadata) : {};
+    return {
+      id: s.id,
+      createdAt: s.createdAt,
+      expiresAt: s.expiresAt,
+      ip: meta.ip || null,
+      userAgent: meta.userAgent || null,
+      lastActiveAt: meta.lastActiveAt || null,
+    };
+  });
+}
+/**
+ * Delete a session for a specific user (ownership check).
+ */
+export async function deleteSessionForUser(
+  db: AuthDb,
+  sessionId: string,
+  userId: string,
+): Promise<void> {
+  await db.run(
+    `DELETE FROM _sessions WHERE id = ? AND userId = ?`,
+    [sessionId, userId],
+  );
+}
+/**
+ * Clean expired sessions.
+ * Uses JS-computed timestamp (portable across D1/pg).
+ */
+export async function cleanExpiredSessions(
+  db: AuthDb,
+): Promise<void> {
+  const now = new Date().toISOString();
+  await db.run(`DELETE FROM _sessions WHERE expiresAt < ?`, [now]);
+}
+/**
+ * Clean expired sessions for a specific user (lazy cleanup).
+ */
+export async function cleanExpiredSessionsForUser(
+  db: AuthDb,
+  userId: string,
+): Promise<void> {
+  const now = new Date().toISOString();
+  await db.run(
+    `DELETE FROM _sessions WHERE userId = ? AND expiresAt < ?`,
+    [userId, now],
+  );
+}
+/**
+ * Evict oldest sessions if maxActiveSessions is exceeded.
+ */
+export async function evictOldestSessions(
+  db: AuthDb,
+  userId: string,
+  maxSessions: number,
+): Promise<void> {
+  if (maxSessions <= 0) return;
+  const countResult = await db.first<{ cnt: number }>(
+    `SELECT COUNT(*) as cnt FROM _sessions WHERE userId = ?`,
+    [userId],
+  );
+  const currentCount = countResult?.cnt ?? 0;
+  if (currentCount >= maxSessions) {
+    const excess = currentCount - maxSessions + 1;
+    await db.run(
+      `DELETE FROM _sessions WHERE id IN (SELECT id FROM _sessions WHERE userId = ? ORDER BY createdAt ASC LIMIT ?)`,
+      [userId, excess],
+    );
+  }
+}
+// ─── C. OAuth ───
+/**
+ * Create an OAuth account link.
+ * Uses INSERT OR IGNORE (adapter converts to ON CONFLICT DO NOTHING for pg).
+ */
+export async function createOAuthAccount(
+  db: AuthDb,
+  input: CreateOAuthAccountInput,
+): Promise<void> {
+  const now = new Date().toISOString();
+  await db.run(
+    `INSERT OR IGNORE INTO _oauth_accounts (id, userId, provider, providerUserId, createdAt)
+     VALUES (?, ?, ?, ?, ?)`,
+    [input.id, input.userId, input.provider, input.providerUserId, now],
+  );
+}
+/**
+ * Get OAuth account by provider + providerUserId.
+ */
+export async function getOAuthAccount(
+  db: AuthDb,
+  provider: string,
+  providerUserId: string,
+): Promise<Record<string, unknown> | null> {
+  return await db.first(
+    `SELECT * FROM _oauth_accounts WHERE provider = ? AND providerUserId = ?`,
+    [provider, providerUserId],
+  );
+}
+/**
+ * List OAuth accounts for a user.
+ */
+export async function listOAuthAccounts(
+  db: AuthDb,
+  userId: string,
+): Promise<Record<string, unknown>[]> {
+  return await db.query(
+    `SELECT * FROM _oauth_accounts WHERE userId = ?`,
+    [userId],
+  );
+}
+/**
+ * Delete an OAuth account by ID.
+ */
+export async function deleteOAuthAccount(
+  db: AuthDb,
+  id: string,
+): Promise<void> {
+  await db.run(`DELETE FROM _oauth_accounts WHERE id = ?`, [id]);
+}
+/**
+ * Delete an OAuth account by provider + providerUserId.
+ */
+export async function deleteOAuthAccountByProvider(
+  db: AuthDb,
+  provider: string,
+  providerUserId: string,
+): Promise<void> {
+  await db.run(
+    `DELETE FROM _oauth_accounts WHERE provider = ? AND providerUserId = ?`,
+    [provider, providerUserId],
+  );
+}
+// ─── D. Email Tokens ───
+/**
+ * Create an email token (verify, password-reset, magic-link).
+ */
+export async function createEmailToken(
+  db: AuthDb,
+  input: CreateEmailTokenInput,
+): Promise<void> {
+  const now = new Date().toISOString();
+  await db.run(
+    `INSERT INTO _email_tokens (token, userId, type, expiresAt, createdAt)
+     VALUES (?, ?, ?, ?, ?)`,
+    [input.token, input.userId, input.type, input.expiresAt, now],
+  );
+}
+/**
+ * Get email token by token string.
+ * Returns null if not found or expired.
+ */
+export async function getEmailToken(
+  db: AuthDb,
+  token: string,
+): Promise<Record<string, unknown> | null> {
+  const row = await db.first(
+    `SELECT * FROM _email_tokens WHERE token = ?`,
+    [token],
+  );
+  if (!row) return null;
+  // Check expiration
+  if (new Date(row.expiresAt as string) < new Date()) {
+    // Clean up expired token
+    await db.run(`DELETE FROM _email_tokens WHERE token = ?`, [token]);
+    return null;
+  }
+  return row;
+}
+/**
+ * Get email token by token string and type.
+ * Does NOT auto-delete on expiry (caller decides).
+ */
+export async function getEmailTokenByType(
+  db: AuthDb,
+  token: string,
+  type: string,
+): Promise<Record<string, unknown> | null> {
+  return await db.first(
+    `SELECT * FROM _email_tokens WHERE token = ? AND type = ?`,
+    [token, type],
+  );
+}
+/**
+ * Delete a specific email token.
+ */
+export async function deleteEmailToken(
+  db: AuthDb,
+  token: string,
+): Promise<void> {
+  await db.run(`DELETE FROM _email_tokens WHERE token = ?`, [token]);
+}
+/**
+ * Delete all email tokens for a user (by type).
+ */
+export async function deleteEmailTokensByUserAndType(
+  db: AuthDb,
+  userId: string,
+  type: string,
+): Promise<void> {
+  await db.run(
+    `DELETE FROM _email_tokens WHERE userId = ? AND type = ?`,
+    [userId, type],
+  );
+}
+/**
+ * Delete all email tokens for a user (all types).
+ */
+export async function deleteEmailTokensByUser(
+  db: AuthDb,
+  userId: string,
+): Promise<void> {
+  await db.run(`DELETE FROM _email_tokens WHERE userId = ?`, [userId]);
+}
+// ─── E. MFA ───
+/**
+ * Create an MFA factor (unverified by default).
+ * INSERT + re-fetch.
+ */
+export async function createMfaFactor(
+  db: AuthDb,
+  input: CreateMfaFactorInput,
+): Promise<Record<string, unknown>> {
+  const now = new Date().toISOString();
+  await db.run(
+    `INSERT INTO _mfa_factors (id, userId, type, secret, verified, createdAt)
+     VALUES (?, ?, ?, ?, 0, ?)`,
+    [input.id, input.userId, input.type ?? 'totp', input.secret, now],
+  );
+  // Re-fetch
+  const factor = await db.first(`SELECT * FROM _mfa_factors WHERE id = ?`, [input.id]);
+  return factor as Record<string, unknown>;
+}
+/**
+ * Get MFA factor by ID.
+ */
+export async function getMfaFactor(
+  db: AuthDb,
+  factorId: string,
+): Promise<Record<string, unknown> | null> {
+  return await db.first(`SELECT * FROM _mfa_factors WHERE id = ?`, [factorId]);
+}
+/**
+ * Get MFA factor by ID and userId (ownership check).
+ */
+export async function getMfaFactorForUser(
+  db: AuthDb,
+  factorId: string,
+  userId: string,
+  type?: string,
+): Promise<Record<string, unknown> | null> {
+  let query = `SELECT * FROM _mfa_factors WHERE id = ? AND userId = ?`;
+  const params: unknown[] = [factorId, userId];
+  if (type) {
+    query += ` AND type = ?`;
+    params.push(type);
+  }
+  return await db.first(query, params);
+}
+/**
+ * Get the first verified MFA factor for a user (by type).
+ */
+export async function getMfaFactorByUser(
+  db: AuthDb,
+  userId: string,
+  type: string = 'totp',
+  verifiedOnly: boolean = true,
+): Promise<Record<string, unknown> | null> {
+  const verifiedClause = verifiedOnly ? ` AND verified = 1` : '';
+  return await db.first(
+    `SELECT * FROM _mfa_factors WHERE userId = ? AND type = ?${verifiedClause} LIMIT 1`,
+    [userId, type],
+  );
+}
+/**
+ * List MFA factors for a user (id, type, verified, createdAt).
+ */
+export async function listMfaFactors(
+  db: AuthDb,
+  userId: string,
+): Promise<Array<{ id: string; type: string; verified: boolean; createdAt: string }>> {
+  const results = await db.query<{ id: string; type: string; verified: number; createdAt: string }>(
+    `SELECT id, type, verified, createdAt FROM _mfa_factors WHERE userId = ?`,
+    [userId],
+  );
+  return results.map((f) => ({
+    id: f.id,
+    type: f.type,
+    verified: f.verified === 1,
+    createdAt: f.createdAt,
+  }));
+}
+/**
+ * List verified MFA factors (id + type only, for MFA check during signin).
+ */
+export async function listVerifiedMfaFactors(
+  db: AuthDb,
+  userId: string,
+): Promise<Array<{ id: string; type: string }>> {
+  return await db.query<{ id: string; type: string }>(
+    `SELECT id, type FROM _mfa_factors WHERE userId = ? AND verified = 1`,
+    [userId],
+  );
+}
+/**
+ * Verify (confirm) an MFA factor. UPDATE verified=1.
+ */
+export async function verifyMfaFactor(
+  db: AuthDb,
+  factorId: string,
+): Promise<void> {
+  await db.run(`UPDATE _mfa_factors SET verified = 1 WHERE id = ?`, [factorId]);
+}
+/**
+ * Delete an MFA factor by ID.
+ */
+export async function deleteMfaFactor(
+  db: AuthDb,
+  factorId: string,
+): Promise<void> {
+  await db.run(`DELETE FROM _mfa_factors WHERE id = ?`, [factorId]);
+}
+/**
+ * Delete all MFA factors for a user (used by disable MFA).
+ */
+export async function deleteAllMfaFactors(
+  db: AuthDb,
+  userId: string,
+): Promise<void> {
+  await db.run(`DELETE FROM _mfa_factors WHERE userId = ?`, [userId]);
+}
+/**
+ * Delete unverified (pending) MFA factors for a user by type.
+ */
+export async function deleteUnverifiedMfaFactors(
+  db: AuthDb,
+  userId: string,
+  type: string = 'totp',
+): Promise<void> {
+  await db.run(
+    `DELETE FROM _mfa_factors WHERE userId = ? AND type = ? AND verified = 0`,
+    [userId, type],
+  );
+}
+/**
+ * Delete all MFA factors AND recovery codes for a user (atomic disable).
+ * Uses db.batch() for atomic transaction.
+ */
+export async function disableMfa(
+  db: AuthDb,
+  userId: string,
+): Promise<void> {
+  await db.batch([
+    { sql: `DELETE FROM _mfa_factors WHERE userId = ?`, params: [userId] },
+    { sql: `DELETE FROM _mfa_recovery_codes WHERE userId = ?`, params: [userId] },
+  ]);
+}
+/**
+ * Create recovery codes (batch insert).
+ */
+export async function createRecoveryCodes(
+  db: AuthDb,
+  userId: string,
+  codes: Array<{ id: string; codeHash: string }>,
+): Promise<void> {
+  if (codes.length === 0) return;
+  const now = new Date().toISOString();
+  await db.batch(
+    codes.map((code) => ({
+      sql: `INSERT INTO _mfa_recovery_codes (id, userId, codeHash, used, createdAt)
+         VALUES (?, ?, ?, 0, ?)`,
+      params: [code.id, userId, code.codeHash, now],
+    })),
+  );
+}
+/**
+ * List unused recovery codes for a user.
+ */
+export async function listRecoveryCodes(
+  db: AuthDb,
+  userId: string,
+): Promise<Record<string, unknown>[]> {
+  return await db.query(
+    `SELECT * FROM _mfa_recovery_codes WHERE userId = ? AND used = 0`,
+    [userId],
+  );
+}
+/**
+ * Mark a recovery code as used. UPDATE used=1.
+ */
+export async function useRecoveryCode(
+  db: AuthDb,
+  codeId: string,
+): Promise<void> {
+  await db.run(`UPDATE _mfa_recovery_codes SET used = 1 WHERE id = ?`, [codeId]);
+}
+// ─── F. WebAuthn ───
+/**
+ * Create a WebAuthn credential.
+ * INSERT + re-fetch.
+ */
+export async function createWebAuthnCredential(
+  db: AuthDb,
+  input: CreateWebAuthnCredentialInput,
+): Promise<Record<string, unknown>> {
+  const now = new Date().toISOString();
+  await db.run(
+    `INSERT INTO _webauthn_credentials (id, userId, credentialId, credentialPublicKey, counter, transports, createdAt)
+     VALUES (?, ?, ?, ?, ?, ?, ?)`,
+    [
+      input.id,
+      input.userId,
+      input.credentialId,
+      input.credentialPublicKey,
+      input.counter ?? 0,
+      input.transports ?? null,
+      now,
+    ],
+  );
+  // Re-fetch
+  const cred = await db.first(`SELECT * FROM _webauthn_credentials WHERE id = ?`, [input.id]);
+  return cred as Record<string, unknown>;
+}
+/**
+ * Get WebAuthn credential by credentialId.
+ */
+export async function getWebAuthnCredential(
+  db: AuthDb,
+  credentialId: string,
+): Promise<Record<string, unknown> | null> {
+  return await db.first(
+    `SELECT * FROM _webauthn_credentials WHERE credentialId = ?`,
+    [credentialId],
+  );
+}
+/**
+ * List WebAuthn credentials for a user.
+ */
+export async function listWebAuthnCredentials(
+  db: AuthDb,
+  userId: string,
+): Promise<Array<{
+  id: string;
+  credentialId: string;
+  credentialPublicKey: string;
+  counter: number;
+  transports: string | null;
+  createdAt: string;
+}>> {
+  return await db.query<{
+    id: string;
+    credentialId: string;
+    credentialPublicKey: string;
+    counter: number;
+    transports: string | null;
+    createdAt: string;
+  }>(
+    `SELECT id, credentialId, credentialPublicKey, counter, transports, createdAt FROM _webauthn_credentials WHERE userId = ?`,
+    [userId],
+  );
+}
+/**
+ * Update WebAuthn credential counter.
+ */
+export async function updateWebAuthnCounter(
+  db: AuthDb,
+  credentialId: string,
+  counter: number,
+): Promise<void> {
+  await db.run(
+    `UPDATE _webauthn_credentials SET counter = ? WHERE credentialId = ?`,
+    [counter, credentialId],
+  );
+}
+/**
+ * Delete a WebAuthn credential by credentialId + userId (ownership check).
+ */
+export async function deleteWebAuthnCredential(
+  db: AuthDb,
+  credentialId: string,
+  userId?: string,
+): Promise<void> {
+  if (userId) {
+    await db.run(
+      `DELETE FROM _webauthn_credentials WHERE credentialId = ? AND userId = ?`,
+      [credentialId, userId],
+    );
+  } else {
+    await db.run(
+      `DELETE FROM _webauthn_credentials WHERE credentialId = ?`,
+      [credentialId],
+    );
+  }
+}
+// ─── G. Cleanup ───
+/**
+ * Clean stale anonymous accounts older than retentionDays.
+ * Finds anonymous users, batch deletes sessions + users.
+ * Uses JS-computed cutoff date (portable across D1/pg).
+ */
+export async function cleanStaleAnonymousAccounts(
+  db: AuthDb,
+  retentionDays: number,
+): Promise<string[]> {
+  // Compute cutoff date in JS (portable)
+  const cutoff = new Date(Date.now() - retentionDays * 86_400_000).toISOString();
+  // Find stale anonymous user IDs
+  const staleUsers = await db.query<{ id: string }>(
+    `SELECT id FROM _users WHERE isAnonymous = 1 AND updatedAt < ?`,
+    [cutoff],
+  );
+  if (staleUsers.length === 0) return [];
+  const userIds = staleUsers.map((u) => u.id);
+  // Batch delete in chunks of 50
+  for (let i = 0; i < userIds.length; i += 50) {
+    const chunk = userIds.slice(i, i + 50);
+    const stmts: { sql: string; params: unknown[] }[] = [];
+    for (const uid of chunk) {
+      stmts.push({ sql: `DELETE FROM _sessions WHERE userId = ?`, params: [uid] });
+      stmts.push({ sql: `DELETE FROM _email_tokens WHERE userId = ?`, params: [uid] });
+      stmts.push({ sql: `DELETE FROM _oauth_accounts WHERE userId = ?`, params: [uid] });
+      stmts.push({ sql: `DELETE FROM _mfa_recovery_codes WHERE userId = ?`, params: [uid] });
+      stmts.push({ sql: `DELETE FROM _mfa_factors WHERE userId = ?`, params: [uid] });
+      stmts.push({ sql: `DELETE FROM _webauthn_credentials WHERE userId = ?`, params: [uid] });
+      stmts.push({ sql: `DELETE FROM _users WHERE id = ?`, params: [uid] });
+    }
+    await db.batch(stmts);
+  }
+  return userIds;
+}
+// ─── H. Sanitization ───
+/**
+ * Remove sensitive fields from user record for client response.
+ * - Strips passwordHash
+ * - Strips appMetadata (unless includeAppMetadata is true)
+ * - Parses JSON TEXT fields (customClaims, metadata, appMetadata)
+ * - Converts INTEGER booleans (0/1) to true/false
+ */
+export function sanitizeUser(
+  user: Record<string, unknown>,
+  opts?: { includeAppMetadata?: boolean },
+): Record<string, unknown> {
+  const {
+    passwordHash: _passwordHash,
+    appMetadata: rawAppMetadata,
+    ...safe
+  } = user;
+  // Parse customClaims JSON
+  if (safe.customClaims && typeof safe.customClaims === 'string') {
+    try {
+      safe.customClaims = JSON.parse(safe.customClaims as string);
+    } catch {
+      safe.customClaims = null;
+    }
+  }
+  // Parse metadata JSON
+  if (safe.metadata && typeof safe.metadata === 'string') {
+    try {
+      safe.metadata = JSON.parse(safe.metadata as string);
+    } catch {
+      safe.metadata = null;
+    }
+  }
+  // Include appMetadata only for admin requests
+  if (opts?.includeAppMetadata && rawAppMetadata) {
+    try {
+      safe.appMetadata = typeof rawAppMetadata === 'string'
+        ? JSON.parse(rawAppMetadata as string)
+        : rawAppMetadata;
+    } catch {
+      safe.appMetadata = null;
+    }
+  }
+  // Convert isAnonymous from INTEGER (0/1) to boolean
+  if (typeof safe.isAnonymous === 'number') {
+    safe.isAnonymous = safe.isAnonymous === 1;
+  }
+  // Convert verified from INTEGER (0/1) to boolean
+  if (typeof safe.verified === 'number') {
+    safe.verified = safe.verified === 1;
+  }
+  // Convert phoneVerified from INTEGER (0/1) to boolean
+  if (typeof safe.phoneVerified === 'number') {
+    safe.phoneVerified = safe.phoneVerified === 1;
+  }
+  // Convert disabled from INTEGER (0/1) to boolean
+  if (typeof safe.disabled === 'number') {
+    safe.disabled = safe.disabled === 1;
+  }
+  return safe;
+}
+/**
+ * Build public user data for _users_public sync.
+ * Only exposes email if emailVisibility is 'public'.
+ */
+export function buildPublicUserData(user: Record<string, unknown>): Record<string, unknown> {
+  const data: Record<string, unknown> = {
+    displayName: user.displayName ?? null,
+    avatarUrl: user.avatarUrl ?? null,
+    role: user.role ?? 'user',
+    isAnonymous: user.isAnonymous ?? 0,
+    createdAt: user.createdAt,
+    updatedAt: user.updatedAt,
+  };
+  // Email only if emailVisibility is 'public'
+  if (user.emailVisibility === 'public' && user.email) {
+    data.email = user.email;
+  } else {
+    data.email = null;
+  }
+  return data;
+}