npm - @edge-base/server - Versions diffs - 0.1.1 - Mend

@edge-base/server 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/admin-build/.gitkeep +0 -0
package/admin-build/_app/env.js +1 -0
package/admin-build/_app/immutable/assets/0.Bm6cF078.css +1 -0
package/admin-build/_app/immutable/assets/1.BfW3pUNa.css +1 -0
package/admin-build/_app/immutable/assets/11.CVmQOewb.css +1 -0
package/admin-build/_app/immutable/assets/12.B1EhbRZT.css +1 -0
package/admin-build/_app/immutable/assets/13.BvwYeuwE.css +1 -0
package/admin-build/_app/immutable/assets/14.CdVfcO0R.css +1 -0
package/admin-build/_app/immutable/assets/15.2yeZ66b-.css +1 -0
package/admin-build/_app/immutable/assets/17.BVg0JEVu.css +1 -0
package/admin-build/_app/immutable/assets/18.Rwnl3x_i.css +1 -0
package/admin-build/_app/immutable/assets/20.DsPWA9AV.css +1 -0
package/admin-build/_app/immutable/assets/21.Dz2RJ56c.css +1 -0
package/admin-build/_app/immutable/assets/22.DwNLk5Ai.css +1 -0
package/admin-build/_app/immutable/assets/23.CFpu0gOO.css +1 -0
package/admin-build/_app/immutable/assets/24.Cy5LBeoJ.css +1 -0
package/admin-build/_app/immutable/assets/25.pUyLVf-h.css +1 -0
package/admin-build/_app/immutable/assets/26.DBcGrlXa.css +1 -0
package/admin-build/_app/immutable/assets/27.BswYyAJD.css +1 -0
package/admin-build/_app/immutable/assets/28.B4ueB1Kf.css +1 -0
package/admin-build/_app/immutable/assets/29.B-qU6PdF.css +1 -0
package/admin-build/_app/immutable/assets/3.Dg81Pgmd.css +1 -0
package/admin-build/_app/immutable/assets/30.CsdWum94.css +1 -0
package/admin-build/_app/immutable/assets/31.U6OwIp50.css +1 -0
package/admin-build/_app/immutable/assets/4.CyawCCux.css +1 -0
package/admin-build/_app/immutable/assets/5.C0YO2HTk.css +1 -0
package/admin-build/_app/immutable/assets/8.Br5jd6kD.css +1 -0
package/admin-build/_app/immutable/assets/Badge.EMYLHBxE.css +1 -0
package/admin-build/_app/immutable/assets/Button.DpzMRTjK.css +1 -0
package/admin-build/_app/immutable/assets/ConfirmDialog.DAnaWRRk.css +1 -0
package/admin-build/_app/immutable/assets/EmptyState.CwKsu57Y.css +1 -0
package/admin-build/_app/immutable/assets/Input.BDUSenmU.css +1 -0
package/admin-build/_app/immutable/assets/Modal.Dm5B0Xie.css +1 -0
package/admin-build/_app/immutable/assets/PageShell.CmU-Xh-b.css +1 -0
package/admin-build/_app/immutable/assets/SchemaFieldEditor.g4NsCdno.css +1 -0
package/admin-build/_app/immutable/assets/Select.BW4Keufm.css +1 -0
package/admin-build/_app/immutable/assets/Skeleton.KWUulTKJ.css +1 -0
package/admin-build/_app/immutable/assets/Tabs.CniGYb67.css +1 -0
package/admin-build/_app/immutable/assets/TimeChart.BTCDAvmT.css +1 -0
package/admin-build/_app/immutable/assets/Toggle.Cy_K12OM.css +1 -0
package/admin-build/_app/immutable/assets/TopList.ClFzmPlA.css +1 -0
package/admin-build/_app/immutable/chunks/7B47DvSx.js +1 -0
package/admin-build/_app/immutable/chunks/7f08Id8e.js +1 -0
package/admin-build/_app/immutable/chunks/8wJeQ7LN.js +1 -0
package/admin-build/_app/immutable/chunks/B-h2afW5.js +1 -0
package/admin-build/_app/immutable/chunks/B8vJP3wz.js +1 -0
package/admin-build/_app/immutable/chunks/BR_fL5Yv.js +1 -0
package/admin-build/_app/immutable/chunks/BY92tFS2.js +1 -0
package/admin-build/_app/immutable/chunks/BcR-Rdj9.js +1 -0
package/admin-build/_app/immutable/chunks/BdrwyZv8.js +1 -0
package/admin-build/_app/immutable/chunks/Bh56EfQ_.js +1 -0
package/admin-build/_app/immutable/chunks/BkrCkgYp.js +1 -0
package/admin-build/_app/immutable/chunks/BmRjiP5k.js +1 -0
package/admin-build/_app/immutable/chunks/BsokvhWC.js +1 -0
package/admin-build/_app/immutable/chunks/C4D51vTW.js +1 -0
package/admin-build/_app/immutable/chunks/C6puvcoR.js +2 -0
package/admin-build/_app/immutable/chunks/CCKNu7m7.js +1 -0
package/admin-build/_app/immutable/chunks/CWj6FrbW.js +1 -0
package/admin-build/_app/immutable/chunks/Ce-ngf4p.js +5 -0
package/admin-build/_app/immutable/chunks/Cs0GwzJA.js +1 -0
package/admin-build/_app/immutable/chunks/CwROoZK0.js +1 -0
package/admin-build/_app/immutable/chunks/CxCPv_Ut.js +1 -0
package/admin-build/_app/immutable/chunks/CxbRue-5.js +1 -0
package/admin-build/_app/immutable/chunks/CyqB6g-D.js +1 -0
package/admin-build/_app/immutable/chunks/D5h5A1cc.js +2 -0
package/admin-build/_app/immutable/chunks/DnyL7Zq-.js +1 -0
package/admin-build/_app/immutable/chunks/DoPXzH7F.js +1 -0
package/admin-build/_app/immutable/chunks/DrQSgw-f.js +1 -0
package/admin-build/_app/immutable/chunks/DttM2zNO.js +1 -0
package/admin-build/_app/immutable/chunks/DuXuUBWN.js +1 -0
package/admin-build/_app/immutable/chunks/MdeqaOQx.js +10 -0
package/admin-build/_app/immutable/chunks/NuUjtcO2.js +1 -0
package/admin-build/_app/immutable/chunks/Q2nPFxS6.js +1 -0
package/admin-build/_app/immutable/chunks/R6arueIl.js +1 -0
package/admin-build/_app/immutable/chunks/UUazaC_N.js +1 -0
package/admin-build/_app/immutable/chunks/cOYbrQxx.js +1 -0
package/admin-build/_app/immutable/chunks/eFQHTGwA.js +1 -0
package/admin-build/_app/immutable/chunks/ehbppgYb.js +1 -0
package/admin-build/_app/immutable/chunks/glwixJlP.js +1 -0
package/admin-build/_app/immutable/chunks/vApWTCBs.js +1 -0
package/admin-build/_app/immutable/chunks/w89G9Xpi.js +1 -0
package/admin-build/_app/immutable/chunks/wJsUhbfZ.js +1 -0
package/admin-build/_app/immutable/chunks/zfauFM8P.js +1 -0
package/admin-build/_app/immutable/entry/app.CcO-Uos3.js +2 -0
package/admin-build/_app/immutable/entry/start.COebYq3I.js +1 -0
package/admin-build/_app/immutable/nodes/0.CjtHKU-6.js +1 -0
package/admin-build/_app/immutable/nodes/1.DEisjlM0.js +1 -0
package/admin-build/_app/immutable/nodes/10.CvhdyWVB.js +1 -0
package/admin-build/_app/immutable/nodes/11.DjHqcOvy.js +1 -0
package/admin-build/_app/immutable/nodes/12.mQLz4Mj_.js +1 -0
package/admin-build/_app/immutable/nodes/13.CBonZZyP.js +110 -0
package/admin-build/_app/immutable/nodes/14.d-oiZL0j.js +3 -0
package/admin-build/_app/immutable/nodes/15.CKPQsUYF.js +1 -0
package/admin-build/_app/immutable/nodes/16.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/17.DayhKyEZ.js +1 -0
package/admin-build/_app/immutable/nodes/18.DKwS0Ir0.js +1 -0
package/admin-build/_app/immutable/nodes/19.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/2.BKoKrw1i.js +1 -0
package/admin-build/_app/immutable/nodes/20.BvIkkkrW.js +1 -0
package/admin-build/_app/immutable/nodes/21.DMaFhdHk.js +128 -0
package/admin-build/_app/immutable/nodes/22.3xdgwuK1.js +1 -0
package/admin-build/_app/immutable/nodes/23.8Bvgjbsl.js +112 -0
package/admin-build/_app/immutable/nodes/24.DzSSzRhG.js +2 -0
package/admin-build/_app/immutable/nodes/25.9KKYBnAE.js +2 -0
package/admin-build/_app/immutable/nodes/26.Bhn9dfhY.js +1 -0
package/admin-build/_app/immutable/nodes/27.kRLiC24G.js +1 -0
package/admin-build/_app/immutable/nodes/28.BVIN1-7N.js +1 -0
package/admin-build/_app/immutable/nodes/29.3yabZWj4.js +1 -0
package/admin-build/_app/immutable/nodes/3.BFtSOkX7.js +2 -0
package/admin-build/_app/immutable/nodes/30.CyCQlwaP.js +1 -0
package/admin-build/_app/immutable/nodes/31.C4LDXjES.js +1 -0
package/admin-build/_app/immutable/nodes/4.CvbiMlCa.js +1 -0
package/admin-build/_app/immutable/nodes/5.C6BLv2eM.js +1 -0
package/admin-build/_app/immutable/nodes/6.BcXvfl2P.js +1 -0
package/admin-build/_app/immutable/nodes/7.CIuqhPiK.js +1 -0
package/admin-build/_app/immutable/nodes/8.BQOR_JfO.js +1 -0
package/admin-build/_app/immutable/nodes/9.NZqXQxPy.js +1 -0
package/admin-build/_app/version.json +1 -0
package/admin-build/favicon.svg +26 -0
package/admin-build/index.html +45 -0
package/openapi.json +19543 -0
package/package.json +66 -0
package/src/__tests__/admin-assets.test.ts +55 -0
package/src/__tests__/admin-data-routes.test.ts +488 -0
package/src/__tests__/admin-db-target.test.ts +103 -0
package/src/__tests__/admin-routing.test.ts +31 -0
package/src/__tests__/admin-user-management.test.ts +311 -0
package/src/__tests__/analytics-query.test.ts +75 -0
package/src/__tests__/auth-d1.test.ts +749 -0
package/src/__tests__/auth-db-adapter.test.ts +73 -0
package/src/__tests__/auth-jwt.test.ts +440 -0
package/src/__tests__/auth-oauth.test.ts +389 -0
package/src/__tests__/auth-password.test.ts +367 -0
package/src/__tests__/auth-redirect.test.ts +87 -0
package/src/__tests__/backup-restore.test.ts +711 -0
package/src/__tests__/broadcast.test.ts +128 -0
package/src/__tests__/cli.test.ts +178 -0
package/src/__tests__/cloudflare-realtime.test.ts +113 -0
package/src/__tests__/config.test.ts +469 -0
package/src/__tests__/cors.test.ts +154 -0
package/src/__tests__/cron.test.ts +302 -0
package/src/__tests__/d1-handler.test.ts +402 -0
package/src/__tests__/d1-sql.test.ts +120 -0
package/src/__tests__/database-live-config.test.ts +42 -0
package/src/__tests__/database-live-emitter.test.ts +56 -0
package/src/__tests__/database-live-filters.test.ts +63 -0
package/src/__tests__/database-live-route.test.ts +113 -0
package/src/__tests__/db-sql.test.ts +163 -0
package/src/__tests__/do-lifecycle.test.ts +263 -0
package/src/__tests__/do-router.test.ts +729 -0
package/src/__tests__/email-provider.test.ts +128 -0
package/src/__tests__/email-templates.test.ts +528 -0
package/src/__tests__/error-format.test.ts +250 -0
package/src/__tests__/field-ops.test.ts +242 -0
package/src/__tests__/functions-context.test.ts +334 -0
package/src/__tests__/functions-d1-proxy.test.ts +229 -0
package/src/__tests__/functions-registry-runtime-config.test.ts +17 -0
package/src/__tests__/functions-route.test.ts +139 -0
package/src/__tests__/internal-request.test.ts +77 -0
package/src/__tests__/log-writer.test.ts +44 -0
package/src/__tests__/logger.test.ts +58 -0
package/src/__tests__/meta-admin-proxy.test.ts +48 -0
package/src/__tests__/meta-export-coverage.test.ts +191 -0
package/src/__tests__/meta-route-registration.test.ts +47 -0
package/src/__tests__/namespace-dump.test.ts +28 -0
package/src/__tests__/oauth-providers.test.ts +337 -0
package/src/__tests__/openapi-coverage.test.ts +144 -0
package/src/__tests__/pagination.test.ts +59 -0
package/src/__tests__/password-policy.test.ts +191 -0
package/src/__tests__/plugin-migrations.test.ts +379 -0
package/src/__tests__/postgres-batch-compat.test.ts +133 -0
package/src/__tests__/postgres-dialect.test.ts +328 -0
package/src/__tests__/postgres-executor.test.ts +79 -0
package/src/__tests__/postgres-field-ops-compat.test.ts +222 -0
package/src/__tests__/postgres-schema-init.test.ts +105 -0
package/src/__tests__/postgres-table-utils.test.ts +107 -0
package/src/__tests__/presence.test.ts +199 -0
package/src/__tests__/provider.test.ts +550 -0
package/src/__tests__/public-user-profile.test.ts +339 -0
package/src/__tests__/push-handlers.test.ts +179 -0
package/src/__tests__/push-provider.test.ts +80 -0
package/src/__tests__/push-token.test.ts +418 -0
package/src/__tests__/query.test.ts +771 -0
package/src/__tests__/rate-limit.test.ts +260 -0
package/src/__tests__/room-access-policy.test.ts +101 -0
package/src/__tests__/room-handler-context.test.ts +130 -0
package/src/__tests__/room-monitoring.test.ts +138 -0
package/src/__tests__/room-runtime-routing.test.ts +222 -0
package/src/__tests__/room.test.ts +254 -0
package/src/__tests__/route-parser.test.ts +490 -0
package/src/__tests__/rules.test.ts +234 -0
package/src/__tests__/runtime-surface-accounting.test.ts +120 -0
package/src/__tests__/scheduled.test.ts +80 -0
package/src/__tests__/schema.test.ts +1273 -0
package/src/__tests__/security-hardening.test.ts +312 -0
package/src/__tests__/server.unit.test.ts +333 -0
package/src/__tests__/service-key-db-proxy.test.ts +650 -0
package/src/__tests__/service-key-provider-bypass.test.ts +138 -0
package/src/__tests__/service-key.test.ts +757 -0
package/src/__tests__/smoke-skip-report.test.ts +72 -0
package/src/__tests__/sms-provider.test.ts +39 -0
package/src/__tests__/sql-route.test.ts +218 -0
package/src/__tests__/storage-hook-context.test.ts +115 -0
package/src/__tests__/totp.test.ts +200 -0
package/src/__tests__/uuid.test.ts +144 -0
package/src/__tests__/validation.test.ts +773 -0
package/src/__tests__/websocket-pending.test.ts +163 -0
package/src/_functions-registry.ts +51 -0
package/src/bench-entry.ts +9 -0
package/src/cloudflare-test.d.ts +1 -0
package/src/durable-objects/auth-do.ts +49 -0
package/src/durable-objects/database-do.ts +2240 -0
package/src/durable-objects/database-live-do.ts +949 -0
package/src/durable-objects/logs-do.ts +1200 -0
package/src/durable-objects/room-runtime-base.ts +1604 -0
package/src/durable-objects/rooms-do.ts +2191 -0
package/src/generated-config.ts +6 -0
package/src/index.ts +382 -0
package/src/lib/admin-assets.ts +54 -0
package/src/lib/admin-db-target.ts +301 -0
package/src/lib/admin-routing.ts +35 -0
package/src/lib/admin-user-management.ts +464 -0
package/src/lib/analytics-adapter.ts +103 -0
package/src/lib/analytics-query.ts +579 -0
package/src/lib/auth-d1-service.ts +1193 -0
package/src/lib/auth-d1.ts +1056 -0
package/src/lib/auth-db-adapter.ts +289 -0
package/src/lib/auth-redirect.ts +116 -0
package/src/lib/cidr.ts +115 -0
package/src/lib/client-ip.ts +51 -0
package/src/lib/cloudflare-realtime.ts +251 -0
package/src/lib/control-db.ts +36 -0
package/src/lib/cron.ts +163 -0
package/src/lib/d1-handler.ts +1425 -0
package/src/lib/d1-schema-init.ts +255 -0
package/src/lib/d1-sql.ts +33 -0
package/src/lib/database-live-config.ts +24 -0
package/src/lib/database-live-emitter.ts +111 -0
package/src/lib/db-sql.ts +66 -0
package/src/lib/do-retry.ts +36 -0
package/src/lib/do-router.ts +270 -0
package/src/lib/do-sql.ts +73 -0
package/src/lib/email-provider.ts +379 -0
package/src/lib/email-templates.ts +285 -0
package/src/lib/email-translations.ts +422 -0
package/src/lib/errors.ts +151 -0
package/src/lib/functions.ts +2091 -0
package/src/lib/hono.ts +56 -0
package/src/lib/internal-request.ts +56 -0
package/src/lib/jwt.ts +354 -0
package/src/lib/log-writer.ts +272 -0
package/src/lib/namespace-dump.ts +125 -0
package/src/lib/oauth-providers.ts +1225 -0
package/src/lib/op-parser.ts +99 -0
package/src/lib/openapi.ts +146 -0
package/src/lib/pagination.ts +19 -0
package/src/lib/password-policy.ts +102 -0
package/src/lib/password.ts +145 -0
package/src/lib/plugin-migrations.ts +612 -0
package/src/lib/postgres-executor.ts +203 -0
package/src/lib/postgres-handler.ts +1102 -0
package/src/lib/postgres-schema-init.ts +341 -0
package/src/lib/postgres-table-utils.ts +87 -0
package/src/lib/public-user-profile.ts +187 -0
package/src/lib/push-provider.ts +409 -0
package/src/lib/push-token.ts +294 -0
package/src/lib/query-engine.ts +768 -0
package/src/lib/room-monitoring.ts +97 -0
package/src/lib/room-runtime.ts +14 -0
package/src/lib/route-parser.ts +434 -0
package/src/lib/schema.ts +538 -0
package/src/lib/schemas.ts +152 -0
package/src/lib/service-key.ts +419 -0
package/src/lib/sms-provider.ts +230 -0
package/src/lib/startup-config.ts +99 -0
package/src/lib/totp.ts +242 -0
package/src/lib/uuid.ts +87 -0
package/src/lib/validation.ts +205 -0
package/src/lib/version.ts +2 -0
package/src/lib/websocket-pending.ts +40 -0
package/src/middleware/auth.ts +169 -0
package/src/middleware/captcha-verify.ts +217 -0
package/src/middleware/cors.ts +159 -0
package/src/middleware/error-handler.ts +54 -0
package/src/middleware/internal-guard.ts +26 -0
package/src/middleware/logger.ts +126 -0
package/src/middleware/rate-limit.ts +283 -0
package/src/middleware/rules.ts +475 -0
package/src/routes/admin-auth.ts +447 -0
package/src/routes/admin.ts +3501 -0
package/src/routes/analytics-api.ts +290 -0
package/src/routes/auth.ts +4222 -0
package/src/routes/backup.ts +1466 -0
package/src/routes/config.ts +53 -0
package/src/routes/d1.ts +109 -0
package/src/routes/database-live.ts +281 -0
package/src/routes/functions.ts +155 -0
package/src/routes/health.ts +32 -0
package/src/routes/kv.ts +167 -0
package/src/routes/oauth.ts +1055 -0
package/src/routes/push.ts +1465 -0
package/src/routes/room.ts +639 -0
package/src/routes/schema-endpoint.ts +76 -0
package/src/routes/sql.ts +176 -0
package/src/routes/storage.ts +1674 -0
package/src/routes/tables.ts +699 -0
package/src/routes/users.ts +21 -0
package/src/routes/vectorize.ts +372 -0
package/src/types.ts +99 -0

package/src/lib/postgres-handler.ts ADDED Viewed

@@ -0,0 +1,1102 @@
+/**
+ * PostgreSQL request handler for provider='neon'|'postgres'.
+ *
+ * Runs in Worker context (not DO) — handles:
+ * - Hyperdrive binding resolution
+ * - Lazy schema initialization (via postgres-schema-init)
+ * - CRUD operations (via query-engine + postgres-executor)
+ * - Rules evaluation (Worker level)
+ * - Hooks execution (Worker level)
+ *
+ * Database Live: After successful writes, emits events to DatabaseLiveDO
+ * via fire-and-forget stub.fetch() — same pattern as database-do.ts.
+ *
+ * Mirrors database-do.ts CRUD logic but uses PostgreSQL instead of SQLite.
+ */
+import type { Context } from 'hono';
+import type { HonoEnv } from './hono.js';
+import type { Env } from '../types.js';
+import type {
+  AuthContext,
+  TableConfig,
+  TableRules,
+  HookCtx,
+  DbBlock,
+} from '@edge-base/shared';
+import { EdgeBaseError, getTableAccess, getTableHooks } from '@edge-base/shared';
+import { parseConfig } from './do-router.js';
+import {
+  ensureLocalDevPostgresSchema,
+  getLocalDevPostgresExecOptions,
+  getProviderBindingName,
+  executePostgresQuery,
+  withPostgresConnection,
+  type PostgresExecutor,
+} from './postgres-executor.js';
+import { ensurePgSchema } from './postgres-schema-init.js';
+import {
+  buildListQuery, buildCountQuery, buildGetQuery, buildSearchQuery,
+  parseQueryParams,
+  type FilterTuple,
+} from './query-engine.js';
+import { summarizeValidationErrors, validateInsert, validateUpdate } from './validation.js';
+import { emitDbLiveEvent, emitDbLiveBatchEvent } from './database-live-emitter.js';
+import { forbiddenError, hookRejectedError } from './errors.js';
+import {
+  escapePgIdentifier,
+  preparePgInsertData,
+  preparePgUpdateData,
+  stripInternalPgFields,
+} from './postgres-table-utils.js';
+import { isTrustedInternalContext } from './internal-request.js';
+import { executeDbTriggers } from './functions.js';
+import { parseUpdateBody } from './op-parser.js';
+// ─── Types ───
+interface PgResolvedDb {
+  connectionString: string;
+  dbBlock: DbBlock;
+  namespace: string;
+}
+// ─── Main Handler ───
+/**
+ * Handle a request to a PostgreSQL-backed database table.
+ * Called from tables.ts when provider is 'neon' or 'postgres'.
+ *
+ * @param c - Hono context
+ * @param namespace - Database namespace (e.g. 'shared')
+ * @param tableName - Table name (e.g. 'posts')
+ * @param doPath - Internal path (e.g. '/tables/posts', '/tables/posts/abc123')
+ */
+export async function handlePgRequest(
+  c: Context<HonoEnv>,
+  namespace: string,
+  tableName: string,
+  doPath: string,
+): Promise<Response> {
+  const resolved = resolvePgConnection(c.env, namespace);
+  const tableConfig = resolved.dbBlock.tables?.[tableName];
+  if (!tableConfig) {
+    return c.json({ code: 404, message: `Table '${tableName}' not found in database '${namespace}'.` }, 404);
+  }
+  const isServiceKey = checkServiceKey(c);
+  const auth = c.get('auth') as AuthContext | null | undefined ?? null;
+  const method = c.req.raw.method;
+  const pathSuffix = doPath.replace(`/tables/${tableName}`, '');
+  const localDevOptions = getLocalDevPostgresExecOptions(c.env as unknown as Record<string, unknown>, namespace);
+  if (localDevOptions) {
+    await ensureLocalDevPostgresSchema(localDevOptions);
+  }
+  return withPostgresConnection(
+    resolved.connectionString,
+    async (query) => {
+      if (!localDevOptions) {
+        await ensurePgSchema(
+          resolved.connectionString,
+          namespace,
+          resolved.dbBlock.tables ?? {},
+          query,
+        );
+      }
+      if (method === 'GET') {
+        if (pathSuffix === '/count') {
+          return handleCount(c, resolved, tableName, tableConfig, auth, isServiceKey, query);
+        }
+        if (pathSuffix === '/search') {
+          return handleSearch(c, resolved, tableName, tableConfig, auth, isServiceKey, query);
+        }
+        if (pathSuffix && pathSuffix !== '/') {
+          const id = pathSuffix.slice(1);
+          return handleGet(c, resolved, tableName, tableConfig, id, auth, isServiceKey, query);
+        }
+        return handleList(c, resolved, tableName, tableConfig, auth, isServiceKey, query);
+      }
+      if (method === 'POST') {
+        if (pathSuffix === '/batch') {
+          return handleBatch(c, resolved, tableName, tableConfig, auth, isServiceKey, query);
+        }
+        if (pathSuffix === '/batch-by-filter') {
+          return handleBatchByFilter(c, resolved, tableName, tableConfig, auth, isServiceKey, query);
+        }
+        return handleInsert(c, resolved, tableName, tableConfig, auth, isServiceKey, query);
+      }
+      if (method === 'PATCH' || method === 'PUT') {
+        const id = pathSuffix.slice(1);
+        return handleUpdate(c, resolved, tableName, tableConfig, id, auth, isServiceKey, query);
+      }
+      if (method === 'DELETE') {
+        const id = pathSuffix.slice(1);
+        return handleDelete(c, resolved, tableName, tableConfig, id, auth, isServiceKey, query);
+      }
+      return c.json({ code: 405, message: 'Method not allowed' }, 405);
+    },
+    localDevOptions,
+  );
+}
+// ─── Connection Resolution ───
+function resolvePgConnection(env: Env, namespace: string): PgResolvedDb {
+  const config = parseConfig(env);
+  const dbBlock = config.databases?.[namespace];
+  if (!dbBlock) {
+    throw new EdgeBaseError(404, `Database '${namespace}' not found in config.`);
+  }
+  const bindingName = getProviderBindingName(namespace);
+  const envRecord = env as unknown as Record<string, unknown>;
+  // 1. Try Hyperdrive binding (production — object with .connectionString)
+  const hyperdrive = envRecord[bindingName] as { connectionString: string } | undefined;
+  if (hyperdrive?.connectionString) {
+    return { connectionString: hyperdrive.connectionString, dbBlock, namespace };
+  }
+  // 2. Fallback: direct connection string from env (local dev — {BINDING}_URL string)
+  const envKey = dbBlock.connectionString ?? `${bindingName}_URL`;
+  const directUrl = envRecord[envKey] as string | undefined;
+  if (directUrl) {
+    return { connectionString: directUrl, dbBlock, namespace };
+  }
+  throw new EdgeBaseError(500,
+    `PostgreSQL connection for '${namespace}' not found. ` +
+    `In production: run 'edgebase deploy' to auto-provision Hyperdrive. ` +
+    `In development: add ${envKey}=postgres://... to .env.development`,
+  );
+}
+// ─── Service Key Check ───
+function checkServiceKey(c: Context<HonoEnv>): boolean {
+  if (isTrustedInternalContext(c)) return true;
+  // Public request paths must be validated upstream (rules middleware / admin route)
+  // so provider-backed handlers observe the same scoped + constrained bypass result.
+  return c.get('isServiceKey' as never) === true;
+}
+// ─── Rule Evaluation ───
+async function evalRowRule(
+  rule: TableRules['read'],
+  auth: AuthContext | null,
+  row: Record<string, unknown>,
+): Promise<boolean> {
+  if (rule === undefined || rule === null) return true;
+  if (typeof rule === 'boolean') return rule;
+  if (typeof rule === 'function') {
+    try {
+      const result = await Promise.race([
+        Promise.resolve(rule(auth, row)),
+        new Promise<boolean>((_, reject) => setTimeout(() => reject(new Error('Rule timeout')), 50)),
+      ]);
+      return result;
+    } catch {
+      return false; // fail-closed
+    }
+  }
+  return true;
+}
+async function evalInsertRule(
+  rule: TableRules['insert'],
+  auth: AuthContext | null,
+): Promise<boolean> {
+  if (rule === undefined || rule === null) return true;
+  if (typeof rule === 'boolean') return rule;
+  if (typeof rule === 'function') {
+    try {
+      const result = await Promise.race([
+        Promise.resolve((rule as (a: AuthContext | null) => boolean | Promise<boolean>)(auth)),
+        new Promise<boolean>((_, reject) => setTimeout(() => reject(new Error('Rule timeout')), 50)),
+      ]);
+      return result;
+    } catch {
+      return false;
+    }
+  }
+  return true;
+}
+// ─── Hook Context Builder ───
+function buildHookCtx(
+  connectionString: string,
+  tables: Record<string, TableConfig>,
+  executionCtx?: ExecutionContext,
+  queryExecutor?: PostgresExecutor,
+): HookCtx {
+  const query =
+    queryExecutor ??
+    ((sql: string, params: unknown[] = []) => executePostgresQuery(connectionString, sql, params));
+  return {
+    db: {
+      async get(table: string, id: string): Promise<Record<string, unknown> | null> {
+        const { sql, params } = buildGetQuery(table, id, undefined, 'postgres');
+        const result = await query(sql, params);
+        return result.rows.length > 0
+          ? stripInternalPgFields(result.rows[0] as Record<string, unknown>)
+          : null;
+      },
+      async list(table: string, filter?: Record<string, unknown>): Promise<Array<Record<string, unknown>>> {
+        let sql = `SELECT * FROM "${table.replace(/"/g, '""')}"`;
+        const params: unknown[] = [];
+        if (filter && Object.keys(filter).length > 0) {
+          const conditions: string[] = [];
+          let idx = 1;
+          for (const [key, value] of Object.entries(filter)) {
+            conditions.push(`"${key.replace(/"/g, '""')}" = $${idx++}`);
+            params.push(value);
+          }
+          sql += ` WHERE ${conditions.join(' AND ')}`;
+        }
+        sql += ' LIMIT 100';
+        const result = await query(sql, params);
+        return result.rows.map(r => stripInternalPgFields(r as Record<string, unknown>));
+      },
+      async exists(table: string, filter: Record<string, unknown>): Promise<boolean> {
+        const conditions: string[] = [];
+        const params: unknown[] = [];
+        let idx = 1;
+        for (const [key, value] of Object.entries(filter)) {
+          conditions.push(`"${key.replace(/"/g, '""')}" = $${idx++}`);
+          params.push(value);
+        }
+        const where = conditions.length > 0 ? ` WHERE ${conditions.join(' AND ')}` : '';
+        const sql = `SELECT 1 FROM "${table.replace(/"/g, '""')}"${where} LIMIT 1`;
+        const result = await query(sql, params);
+        return result.rows.length > 0;
+      },
+    },
+    databaseLive: {
+      async broadcast(_channel: string, _event: string, _data: unknown): Promise<void> {
+        // HookCtx broadcast — not implemented for PostgreSQL provider (no direct env access)
+        // Use database-live subscription from client SDK instead
+      },
+    },
+    push: {
+      async send(_userId: string, _payload: { title?: string; body: string }): Promise<void> {
+        // Push notifications — same mechanism as DO (via Worker env)
+      },
+    },
+    waitUntil(promise: Promise<unknown>): void {
+      if (executionCtx) {
+        executionCtx.waitUntil(promise);
+      }
+    },
+  };
+}
+function toFieldErrorData(
+  errors: Record<string, string>,
+): Record<string, { code: string; message: string }> {
+  return Object.fromEntries(
+    Object.entries(errors).map(([key, message]) => [key, { code: 'invalid', message }]),
+  );
+}
+// ═══════════════════════════════════════════════════════════════════════════
+// CRUD Operations
+// ═══════════════════════════════════════════════════════════════════════════
+// ─── LIST ───
+async function handleList(
+  c: Context<HonoEnv>,
+  resolved: PgResolvedDb,
+  tableName: string,
+  tableConfig: TableConfig,
+  auth: AuthContext | null,
+  isServiceKey: boolean,
+  query: PostgresExecutor,
+): Promise<Response> {
+  const tableAccess = getTableAccess(tableConfig);
+  if (!isServiceKey && tableAccess?.read === false) {
+    const error = forbiddenError('Access denied.');
+    return c.json(error.toJSON(), error.status as 403);
+  }
+  const queryOpts = parseQueryParams(Object.fromEntries(new URL(c.req.url).searchParams));
+  const { sql, params, countSql, countParams } = buildListQuery(tableName, queryOpts, 'postgres');
+  const result = await query(sql, params);
+  // Apply read rules per row
+  let items = result.rows.map(r => stripInternalPgFields(r as Record<string, unknown>));
+  const tableHooks = getTableHooks(tableConfig);
+  if (!isServiceKey && tableAccess?.read !== undefined) {
+    const filtered: Record<string, unknown>[] = [];
+    for (const row of items) {
+      if (await evalRowRule(tableAccess.read, auth, row)) {
+        filtered.push(row);
+      }
+    }
+    items = filtered;
+  }
+  // Apply onEnrich hook
+  if (tableHooks?.onEnrich) {
+    const hookCtx = buildHookCtx(resolved.connectionString, resolved.dbBlock.tables ?? {}, c.executionCtx, query);
+    for (let i = 0; i < items.length; i++) {
+      try {
+        const enriched = await tableHooks.onEnrich(auth, items[i], hookCtx);
+        if (enriched && typeof enriched === 'object') items[i] = { ...items[i], ...enriched };
+      } catch (err) {
+        console.error(`[EdgeBase] onEnrich hook error for table "${tableName}":`, err);
+      }
+    }
+  }
+  // Get total count
+  let total: number | null = null;
+  const includeTotal = !['0', 'false'].includes((c.req.query('includeTotal') ?? '').toLowerCase());
+  if (includeTotal && countSql && countParams) {
+    const countResult = await query(countSql, countParams);
+    total = Number(countResult.rows[0]?.total ?? 0);
+  }
+  const perPage = queryOpts.pagination?.limit ?? queryOpts.pagination?.perPage ?? 20;
+  const page = queryOpts.pagination?.page ?? 1;
+  const hasMore = queryOpts.pagination?.after || queryOpts.pagination?.before
+    ? items.length >= perPage
+    : null;
+  const cursor = hasMore && items.length > 0
+    ? String((items[items.length - 1] as Record<string, unknown>).id ?? '')
+    : null;
+  return c.json({ items, total, hasMore, cursor, page: hasMore !== null ? null : page, perPage });
+}
+// ─── COUNT ───
+async function handleCount(
+  c: Context<HonoEnv>,
+  resolved: PgResolvedDb,
+  tableName: string,
+  tableConfig: TableConfig,
+  _auth: AuthContext | null,
+  isServiceKey: boolean,
+  query: PostgresExecutor,
+): Promise<Response> {
+  const tableAccess = getTableAccess(tableConfig);
+  if (!isServiceKey && tableAccess?.read === false) {
+    const error = forbiddenError('Access denied.');
+    return c.json(error.toJSON(), error.status as 403);
+  }
+  const queryOpts = parseQueryParams(Object.fromEntries(new URL(c.req.url).searchParams));
+  const { sql, params } = buildCountQuery(tableName, queryOpts.filters, queryOpts.orFilters, 'postgres');
+  const result = await query(sql, params);
+  const total = result.rows[0]?.total ?? 0;
+  return c.json({ total });
+}
+// ─── SEARCH ───
+async function handleSearch(
+  c: Context<HonoEnv>,
+  resolved: PgResolvedDb,
+  tableName: string,
+  tableConfig: TableConfig,
+  auth: AuthContext | null,
+  isServiceKey: boolean,
+  query: PostgresExecutor,
+): Promise<Response> {
+  const tableAccess = getTableAccess(tableConfig);
+  if (!isServiceKey && tableAccess?.read === false) {
+    const error = forbiddenError('Access denied.');
+    return c.json(error.toJSON(), error.status as 403);
+  }
+  const queryOpts = parseQueryParams(Object.fromEntries(new URL(c.req.url).searchParams));
+  const searchTerm = queryOpts.search || '';
+  if (!searchTerm) {
+    return c.json({ code: 400, message: 'Search term is required (use ?search=)' }, 400);
+  }
+  // Use FTS fields from config, or fallback to text columns from schema
+  const ftsFields = tableConfig.fts?.length
+    ? tableConfig.fts
+    : getTextFields(tableConfig);
+  const limit = queryOpts.pagination?.limit ?? queryOpts.pagination?.perPage ?? 20;
+  const offset = queryOpts.pagination?.offset ?? ((queryOpts.pagination?.page ?? 1) - 1) * limit;
+  const searchQuery = buildSearchQuery(tableName, searchTerm, {
+    pagination: queryOpts.pagination,
+    filters: queryOpts.filters,
+    orFilters: queryOpts.orFilters,
+    sort: queryOpts.sort,
+    ftsFields,
+  }, 'postgres');
+  const result = await query(searchQuery.sql, searchQuery.params);
+  let items = result.rows.map(r => stripInternalPgFields(r as Record<string, unknown>));
+  let total = items.length;
+  if (searchQuery.countSql) {
+    const countResult = await query(searchQuery.countSql, searchQuery.countParams ?? []);
+    total = Number(countResult.rows[0]?.total ?? items.length);
+  }
+  // Apply read rules
+  if (!isServiceKey && tableAccess?.read !== undefined) {
+    const filtered: Record<string, unknown>[] = [];
+    for (const row of items) {
+      if (await evalRowRule(tableAccess.read, auth, row)) {
+        filtered.push(row);
+      }
+    }
+    items = filtered;
+  }
+  return c.json({ items, total, hasMore: total > offset + items.length, cursor: null, page: null, perPage: limit });
+}
+// ─── GET ───
+async function handleGet(
+  c: Context<HonoEnv>,
+  resolved: PgResolvedDb,
+  tableName: string,
+  tableConfig: TableConfig,
+  id: string,
+  auth: AuthContext | null,
+  isServiceKey: boolean,
+  query: PostgresExecutor,
+): Promise<Response> {
+  const fieldsParam = new URL(c.req.url).searchParams.get('fields');
+  const fields = fieldsParam ? fieldsParam.split(',').map(f => f.trim()) : undefined;
+  const { sql, params } = buildGetQuery(tableName, id, fields, 'postgres');
+  const result = await query(sql, params);
+  if (result.rows.length === 0) {
+    return c.json({ code: 404, message: `Record '${id}' not found in '${tableName}'.` }, 404);
+  }
+  const row = stripInternalPgFields(result.rows[0] as Record<string, unknown>);
+  // Check read rule
+  const tableAccess = getTableAccess(tableConfig);
+  const tableHooks = getTableHooks(tableConfig);
+  if (!isServiceKey && tableAccess?.read !== undefined) {
+    if (!(await evalRowRule(tableAccess.read, auth, row))) {
+      return c.json({ code: 403, message: 'Access denied.' }, 403);
+    }
+  }
+  // Apply onEnrich hook
+  if (tableHooks?.onEnrich) {
+    const hookCtx = buildHookCtx(resolved.connectionString, resolved.dbBlock.tables ?? {}, c.executionCtx, query);
+    try {
+      const enriched = await tableHooks.onEnrich(auth, row, hookCtx);
+      if (enriched && typeof enriched === 'object') return c.json({ ...row, ...enriched });
+    } catch (err) {
+      console.error(`[EdgeBase] onEnrich hook error for table "${tableName}":`, err);
+    }
+  }
+  return c.json(row);
+}
+// ─── INSERT ───
+async function handleInsert(
+  c: Context<HonoEnv>,
+  resolved: PgResolvedDb,
+  tableName: string,
+  tableConfig: TableConfig,
+  auth: AuthContext | null,
+  isServiceKey: boolean,
+  query: PostgresExecutor,
+): Promise<Response> {
+  let body: Record<string, unknown>;
+  try {
+    body = await c.req.json();
+  } catch {
+    return c.json({ code: 400, message: 'Invalid JSON body' }, 400);
+  }
+  // Check insert rule
+  const tableAccess = getTableAccess(tableConfig);
+  const tableHooks = getTableHooks(tableConfig);
+  if (!isServiceKey && tableAccess?.insert !== undefined) {
+    if (!(await evalInsertRule(tableAccess.insert, auth))) {
+      return c.json({ code: 403, message: 'Insert not allowed.' }, 403);
+    }
+  }
+  // Validate against schema
+  const validation = validateInsert(body, tableConfig.schema);
+  if (!validation.valid) {
+    return c.json({
+      code: 400,
+      message: summarizeValidationErrors(validation.errors),
+      data: toFieldErrorData(validation.errors),
+      errors: validation.errors,
+    }, 400);
+  }
+  // Run beforeInsert hook
+  const requestHookCtx = buildHookCtx(resolved.connectionString, resolved.dbBlock.tables ?? {}, c.executionCtx, query);
+  if (tableHooks?.beforeInsert) {
+    try {
+      const transformed = await tableHooks.beforeInsert(auth, body, requestHookCtx);
+      if (transformed && typeof transformed === 'object') {
+        body = { ...body, ...transformed };
+      }
+    } catch (err) {
+      const hookError = hookRejectedError(err, 'Insert rejected by beforeInsert hook.');
+      return c.json(hookError.toJSON(), hookError.status as 400);
+    }
+  }
+  const { data } = preparePgInsertData(body, tableConfig);
+  // Check upsert mode
+  const url = new URL(c.req.url);
+  const isUpsert = url.searchParams.get('upsert') === 'true';
+  const conflictTarget = url.searchParams.get('conflictTarget') || 'id';
+  let isUpdate = false;
+  let upsertBeforeRow: Record<string, unknown> | null = null;
+  if (isUpsert && data[conflictTarget] !== undefined) {
+    const checkSql = `SELECT * FROM ${escapePgIdentifier(tableName)} WHERE ${escapePgIdentifier(conflictTarget)} = $1 LIMIT 1`;
+    const checkResult = await query(checkSql, [data[conflictTarget]]);
+    isUpdate = checkResult.rows.length > 0;
+    upsertBeforeRow = isUpdate
+      ? stripInternalPgFields(checkResult.rows[0] as Record<string, unknown>)
+      : null;
+  }
+  // Build INSERT SQL
+  const columns = Object.keys(data);
+  const values = columns.map(col => data[col] ?? null);
+  const placeholders = values.map((_, i) => `$${i + 1}`).join(', ');
+  let sql: string;
+  if (isUpsert) {
+    const setClauses = columns
+      .filter(col => col !== 'id' && col !== conflictTarget && col !== 'createdAt')
+      .map(col => `${escapePgIdentifier(col)} = EXCLUDED.${escapePgIdentifier(col)}`);
+    sql = `INSERT INTO ${escapePgIdentifier(tableName)} (${columns.map(escapePgIdentifier).join(', ')}) VALUES (${placeholders})` +
+      ` ON CONFLICT (${escapePgIdentifier(conflictTarget)}) DO UPDATE SET ${setClauses.join(', ')}` +
+      ` RETURNING *`;
+  } else {
+    sql = `INSERT INTO ${escapePgIdentifier(tableName)} (${columns.map(escapePgIdentifier).join(', ')}) VALUES (${placeholders}) RETURNING *`;
+  }
+  const result = await query(sql, values);
+  const inserted = stripInternalPgFields(result.rows[0] as Record<string, unknown>);
+  // Run afterInsert hook (fire-and-forget)
+  if (tableHooks?.afterInsert) {
+    const hook = tableHooks.afterInsert;
+    const backgroundHookCtx = buildHookCtx(resolved.connectionString, resolved.dbBlock.tables ?? {}, c.executionCtx);
+    backgroundHookCtx.waitUntil(Promise.resolve(hook(inserted, backgroundHookCtx)).catch(() => {}));
+  }
+  // Emit database-live event (fire-and-forget)
+  c.executionCtx.waitUntil(
+    emitDbLiveEvent(
+      c.env,
+      resolved.namespace,
+      tableName,
+      isUpsert && isUpdate ? 'modified' : 'added',
+      String(inserted.id ?? ''),
+      inserted,
+    ),
+  );
+  c.executionCtx.waitUntil(
+    executeDbTriggers(
+      tableName,
+      isUpsert && isUpdate ? 'update' : 'insert',
+      isUpsert && isUpdate ? { before: upsertBeforeRow ?? inserted, after: inserted } : { after: inserted },
+      {
+        databaseNamespace: c.env.DATABASE,
+        authNamespace: c.env.AUTH,
+        kvNamespace: c.env.KV,
+        config: parseConfig(c.env),
+        env: c.env as never,
+        executionCtx: c.executionCtx as never,
+      },
+      { namespace: resolved.namespace },
+    ),
+  );
+  if (isUpsert) {
+    const statusCode = isUpdate ? 200 : 201;
+    const action = isUpdate ? 'updated' : 'inserted';
+    return c.json({ ...inserted, action }, statusCode as 200);
+  }
+  return c.json(inserted, 201);
+}
+// ─── UPDATE ───
+async function handleUpdate(
+  c: Context<HonoEnv>,
+  resolved: PgResolvedDb,
+  tableName: string,
+  tableConfig: TableConfig,
+  id: string,
+  auth: AuthContext | null,
+  isServiceKey: boolean,
+  query: PostgresExecutor,
+): Promise<Response> {
+  let body: Record<string, unknown>;
+  try {
+    body = await c.req.json();
+  } catch {
+    return c.json({ code: 400, message: 'Invalid JSON body' }, 400);
+  }
+  // Validate against schema
+  const validation = validateUpdate(body, tableConfig.schema);
+  if (!validation.valid) {
+    return c.json({
+      code: 400,
+      message: 'Validation failed.',
+      data: toFieldErrorData(validation.errors),
+      errors: validation.errors,
+    }, 400);
+  }
+  // Fetch existing record to check rules
+  const { sql: getSql, params: getParams } = buildGetQuery(tableName, id, undefined, 'postgres');
+  const existing = await query(getSql, getParams);
+  if (existing.rows.length === 0) {
+    return c.json({ code: 404, message: `Record '${id}' not found in '${tableName}'.` }, 404);
+  }
+  const existingRow = existing.rows[0] as Record<string, unknown>;
+  // Check update rule
+  const tableAccess = getTableAccess(tableConfig);
+  const tableHooks = getTableHooks(tableConfig);
+  if (!isServiceKey && tableAccess?.update !== undefined) {
+    if (!(await evalRowRule(tableAccess.update, auth, existingRow))) {
+      return c.json({ code: 403, message: 'Update not allowed.' }, 403);
+    }
+  }
+  // Run beforeUpdate hook
+  const requestHookCtx = buildHookCtx(resolved.connectionString, resolved.dbBlock.tables ?? {}, c.executionCtx, query);
+  if (tableHooks?.beforeUpdate) {
+    try {
+      const transformed = await tableHooks.beforeUpdate(auth, existingRow, body, requestHookCtx);
+      if (transformed && typeof transformed === 'object') {
+        body = { ...body, ...transformed };
+      }
+    } catch (err) {
+      const hookError = hookRejectedError(err, 'Update rejected by beforeUpdate hook.');
+      return c.json(hookError.toJSON(), hookError.status as 400);
+    }
+  }
+  const { data } = preparePgUpdateData(body, tableConfig);
+  if (Object.keys(data).length === 0) {
+    return c.json({ code: 400, message: 'No valid fields to update.' }, 400);
+  }
+  const { setClauses, params, nextParamIndex } = parseUpdateBody(
+    data,
+    ['id'],
+    { dialect: 'postgres', startIndex: 1 },
+  );
+  const sql = `UPDATE ${escapePgIdentifier(tableName)} SET ${setClauses.join(', ')} WHERE "id" = $${nextParamIndex} RETURNING *`;
+  const result = await query(sql, [...params, id]);
+  if (result.rows.length === 0) {
+    return c.json({ code: 404, message: `Record '${id}' not found in '${tableName}'.` }, 404);
+  }
+  const updated = stripInternalPgFields(result.rows[0] as Record<string, unknown>);
+  // Run afterUpdate hook (fire-and-forget)
+  if (tableHooks?.afterUpdate) {
+    const hook = tableHooks.afterUpdate;
+    const backgroundHookCtx = buildHookCtx(resolved.connectionString, resolved.dbBlock.tables ?? {}, c.executionCtx);
+    backgroundHookCtx.waitUntil(
+      Promise.resolve(hook(existingRow, updated, backgroundHookCtx)).catch(() => {}),
+    );
+  }
+  // Emit database-live event (fire-and-forget)
+  c.executionCtx.waitUntil(
+    emitDbLiveEvent(c.env, resolved.namespace, tableName, 'modified', id, updated),
+  );
+  c.executionCtx.waitUntil(
+    executeDbTriggers(
+      tableName,
+      'update',
+      {
+        before: existingRow,
+        after: updated,
+      },
+      {
+        databaseNamespace: c.env.DATABASE,
+        authNamespace: c.env.AUTH,
+        kvNamespace: c.env.KV,
+        config: parseConfig(c.env),
+        env: c.env as never,
+        executionCtx: c.executionCtx as never,
+      },
+      { namespace: resolved.namespace },
+    ),
+  );
+  return c.json(updated);
+}
+// ─── DELETE ───
+async function handleDelete(
+  c: Context<HonoEnv>,
+  resolved: PgResolvedDb,
+  tableName: string,
+  tableConfig: TableConfig,
+  id: string,
+  auth: AuthContext | null,
+  isServiceKey: boolean,
+  query: PostgresExecutor,
+): Promise<Response> {
+  // Fetch existing record
+  const { sql: getSql, params: getParams } = buildGetQuery(tableName, id, undefined, 'postgres');
+  const existing = await query(getSql, getParams);
+  if (existing.rows.length === 0) {
+    return c.json({ code: 404, message: `Record '${id}' not found in '${tableName}'.` }, 404);
+  }
+  const existingRow = existing.rows[0] as Record<string, unknown>;
+  // Check delete rule
+  const tableAccess = getTableAccess(tableConfig);
+  const tableHooks = getTableHooks(tableConfig);
+  if (!isServiceKey && tableAccess?.delete !== undefined) {
+    if (!(await evalRowRule(tableAccess.delete, auth, existingRow))) {
+      return c.json({ code: 403, message: 'Delete not allowed.' }, 403);
+    }
+  }
+  // Run beforeDelete hook
+  const requestHookCtx = buildHookCtx(resolved.connectionString, resolved.dbBlock.tables ?? {}, c.executionCtx, query);
+  if (tableHooks?.beforeDelete) {
+    try {
+      await tableHooks.beforeDelete(auth, existingRow, requestHookCtx);
+    } catch (err) {
+      const hookError = hookRejectedError(err, 'Delete rejected by beforeDelete hook.');
+      return c.json(hookError.toJSON(), hookError.status as 400);
+    }
+  }
+  // Execute DELETE
+  const sql = `DELETE FROM ${escapePgIdentifier(tableName)} WHERE "id" = $1 RETURNING *`;
+  const result = await query(sql, [id]);
+  if (result.rows.length === 0) {
+    return c.json({ code: 404, message: `Record '${id}' not found.` }, 404);
+  }
+  // Run afterDelete hook (fire-and-forget)
+  if (tableHooks?.afterDelete) {
+    const hook = tableHooks.afterDelete;
+    const backgroundHookCtx = buildHookCtx(resolved.connectionString, resolved.dbBlock.tables ?? {}, c.executionCtx);
+    backgroundHookCtx.waitUntil(
+      Promise.resolve(hook(existingRow, backgroundHookCtx)).catch(() => {}),
+    );
+  }
+  // Emit database-live event (fire-and-forget)
+  c.executionCtx.waitUntil(
+    emitDbLiveEvent(c.env, resolved.namespace, tableName, 'removed', id, stripInternalPgFields(existingRow)),
+  );
+  c.executionCtx.waitUntil(
+    executeDbTriggers(
+      tableName,
+      'delete',
+      { before: existingRow },
+      {
+        databaseNamespace: c.env.DATABASE,
+        authNamespace: c.env.AUTH,
+        kvNamespace: c.env.KV,
+        config: parseConfig(c.env),
+        env: c.env as never,
+        executionCtx: c.executionCtx as never,
+      },
+      { namespace: resolved.namespace },
+    ),
+  );
+  return c.json({ success: true, deleted: stripInternalPgFields(existingRow) });
+}
+// ─── BATCH ───
+async function handleBatch(
+  c: Context<HonoEnv>,
+  resolved: PgResolvedDb,
+  tableName: string,
+  tableConfig: TableConfig,
+  auth: AuthContext | null,
+  isServiceKey: boolean,
+  query: PostgresExecutor,
+): Promise<Response> {
+  let body: {
+    items?: Record<string, unknown>[];
+    inserts?: Record<string, unknown>[];
+    updates?: { id: string; data: Record<string, unknown> }[];
+    deletes?: string[];
+  };
+  try {
+    body = await c.req.json();
+  } catch {
+    return c.json({ code: 400, message: 'Invalid JSON body' }, 400);
+  }
+  const inserts = Array.isArray(body.inserts)
+    ? body.inserts
+    : Array.isArray(body.items)
+      ? body.items
+      : [];
+  const updates = Array.isArray(body.updates) ? body.updates : [];
+  const deletes = Array.isArray(body.deletes) ? body.deletes : [];
+  const totalOps = inserts.length + updates.length + deletes.length;
+  if (totalOps === 0) {
+    return c.json({ code: 400, message: 'items array is required and must not be empty' }, 400);
+  }
+  if (totalOps > 500) {
+    return c.json({ code: 400, message: 'Batch size cannot exceed 500 items.' }, 400);
+  }
+  if (updates.length > 0 || deletes.length > 0) {
+    return c.json({
+      code: 400,
+      message: 'PostgreSQL batch currently supports inserts/upserts only. Use batch-by-filter for updates/deletes.',
+    }, 400);
+  }
+  // Check insert rule (table-level, once)
+  const tableAccess = getTableAccess(tableConfig);
+  if (!isServiceKey && inserts.length > 0 && tableAccess?.insert !== undefined) {
+    if (!(await evalInsertRule(tableAccess.insert, auth))) {
+      return c.json({ code: 403, message: 'Insert not allowed.' }, 403);
+    }
+  }
+  const upsertMode = c.req.query('upsert') === 'true';
+  const conflictTarget = c.req.query('conflictTarget') || 'id';
+  const results: Record<string, unknown>[] = [];
+  for (const item of inserts) {
+    // Validate
+    const validation = validateInsert(item, tableConfig.schema);
+    if (!validation.valid) {
+      return c.json({
+        code: 400,
+        message: 'Validation failed.',
+        data: toFieldErrorData(validation.errors),
+        errors: validation.errors,
+      }, 400);
+    }
+    const { data } = preparePgInsertData(item, tableConfig);
+    const columns = Object.keys(data);
+    const values = columns.map(col => data[col] ?? null);
+    const placeholders = values.map((_, i) => `$${i + 1}`).join(', ');
+    let sql = `INSERT INTO ${escapePgIdentifier(tableName)} (${columns.map(escapePgIdentifier).join(', ')}) VALUES (${placeholders})`;
+    if (upsertMode) {
+      const updateCols = columns.filter((col) => col !== 'id' && col !== 'createdAt' && col !== conflictTarget);
+      if (updateCols.length > 0) {
+        const updateSet = updateCols
+          .map((col) => `${escapePgIdentifier(col)} = EXCLUDED.${escapePgIdentifier(col)}`)
+          .join(', ');
+        sql += ` ON CONFLICT (${escapePgIdentifier(conflictTarget)}) DO UPDATE SET ${updateSet}`;
+      } else {
+        sql += ` ON CONFLICT (${escapePgIdentifier(conflictTarget)}) DO NOTHING`;
+      }
+    }
+    sql += ' RETURNING *';
+    const result = await query(sql, values);
+    if (result.rows.length > 0) {
+      results.push(stripInternalPgFields(result.rows[0] as Record<string, unknown>));
+    }
+  }
+  // Emit batch database-live events
+  if (results.length > 0) {
+    const changes = results.map(r => ({
+      type: 'added' as const,
+      docId: String((r as Record<string, unknown>).id ?? ''),
+      data: r as Record<string, unknown>,
+    }));
+    if (changes.length >= 10) {
+      c.executionCtx.waitUntil(
+        emitDbLiveBatchEvent(c.env, resolved.namespace, tableName, changes),
+      );
+    } else {
+      for (const ch of changes) {
+        c.executionCtx.waitUntil(
+          emitDbLiveEvent(c.env, resolved.namespace, tableName, ch.type, ch.docId, ch.data),
+        );
+      }
+    }
+  }
+  return c.json({
+    inserted: results,
+    items: results,
+  });
+}
+// ─── BATCH BY FILTER ───
+async function handleBatchByFilter(
+  c: Context<HonoEnv>,
+  resolved: PgResolvedDb,
+  tableName: string,
+  tableConfig: TableConfig,
+  _auth: AuthContext | null,
+  isServiceKey: boolean,
+  query: PostgresExecutor,
+): Promise<Response> {
+  let body: {
+    action?: string;
+    filter?: FilterTuple[];
+    orFilter?: FilterTuple[];
+    update?: Record<string, unknown>;
+    data?: Record<string, unknown>;
+    limit?: number;
+  };
+  try {
+    body = await c.req.json();
+  } catch {
+    return c.json({ code: 400, message: 'Invalid JSON body' }, 400);
+  }
+  if (!body.action || !['delete', 'update'].includes(body.action)) {
+    return c.json({ code: 400, message: "batch-by-filter requires 'action' to be 'delete' or 'update'." }, 400);
+  }
+  if (!body.filter || !Array.isArray(body.filter)) {
+    return c.json({ code: 400, message: "batch-by-filter requires 'filter' to be a non-empty array." }, 400);
+  }
+  const updateData = body.update ?? body.data;
+  if (body.action === 'update' && !updateData) {
+    return c.json({ code: 400, message: "batch-by-filter with action 'update' requires 'update' data." }, 400);
+  }
+  const limit = Math.min(body.limit ?? 500, 500);
+  const { sql: selectSql, params: selectParams } = buildListQuery(tableName, {
+    filters: body.filter,
+    orFilters: body.orFilter,
+    pagination: { limit },
+    fields: ['id'],
+  }, 'postgres');
+  const selectResult = await query(selectSql, selectParams);
+  const allRows = selectResult.rows;
+  const processed = allRows.length;
+  if (allRows.length === 0) {
+    return c.json({ processed: 0, succeeded: 0 });
+  }
+  const ids = allRows.map((row) => String((row as Record<string, unknown>).id));
+  const idPlaceholders = ids.map((_, index) => `$${index + 1}`).join(', ');
+  let succeeded = 0;
+  if (body.action === 'delete') {
+    // Check delete rule at table level
+    const tableAccess = getTableAccess(tableConfig);
+    if (!isServiceKey && tableAccess?.delete !== undefined) {
+      if (typeof tableAccess.delete === 'boolean' && !tableAccess.delete) {
+        return c.json({ code: 403, message: 'Delete not allowed.' }, 403);
+      }
+    }
+    const sql = `DELETE FROM ${escapePgIdentifier(tableName)} WHERE "id" IN (${idPlaceholders}) RETURNING *`;
+    const result = await query(sql, ids);
+    succeeded = result.rowCount;
+    if (succeeded > 0) {
+      c.executionCtx.waitUntil(
+        emitDbLiveEvent(c.env, resolved.namespace, tableName, 'removed', '_bulk', { action: 'delete', count: succeeded }),
+      );
+    }
+    return c.json({
+      processed,
+      succeeded,
+      deleted: result.rowCount,
+      items: result.rows.map(r => stripInternalPgFields(r as Record<string, unknown>)),
+    });
+  }
+  // action === 'update'
+  if (!updateData || Object.keys(updateData).length === 0) {
+    return c.json({ code: 400, message: 'data is required for update action.' }, 400);
+  }
+  // Check update rule at table level
+  const tableAccess = getTableAccess(tableConfig);
+  if (!isServiceKey && tableAccess?.update !== undefined) {
+    if (typeof tableAccess.update === 'boolean' && !tableAccess.update) {
+      return c.json({ code: 403, message: 'Update not allowed.' }, 403);
+    }
+  }
+  const prepared = preparePgUpdateData(updateData, tableConfig).data;
+  if (Object.keys(prepared).length === 0) {
+    return c.json({ code: 400, message: 'No valid fields to update.' }, 400);
+  }
+  const { setClauses, params: updateValues } = parseUpdateBody(
+    prepared,
+    ['id'],
+    { dialect: 'postgres', startIndex: ids.length + 1 },
+  );
+  const updateParams = [...ids, ...updateValues];
+  const sql = `UPDATE ${escapePgIdentifier(tableName)} SET ${setClauses.join(', ')} WHERE "id" IN (${idPlaceholders}) RETURNING *`;
+  const result = await query(sql, updateParams);
+  succeeded = result.rowCount;
+  if (succeeded > 0) {
+    c.executionCtx.waitUntil(
+      emitDbLiveEvent(c.env, resolved.namespace, tableName, 'modified', '_bulk', { action: 'update', count: succeeded }),
+    );
+  }
+  return c.json({
+    processed,
+    succeeded,
+    updated: result.rowCount,
+    items: result.rows.map(r => stripInternalPgFields(r as Record<string, unknown>)),
+  });
+}
+// ─── Helpers ───
+function getTextFields(config: TableConfig): string[] {
+  if (!config.schema) return ['id'];
+  const fields: string[] = [];
+  for (const [name, field] of Object.entries(config.schema)) {
+    if (field === false) continue;
+    if (field.type === 'string' || field.type === 'text') {
+      fields.push(name);
+    }
+  }
+  return fields.length > 0 ? fields : ['id'];
+}