npm - @edge-base/server - Versions diffs - 0.1.1 - Mend

@edge-base/server 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/admin-build/.gitkeep +0 -0
package/admin-build/_app/env.js +1 -0
package/admin-build/_app/immutable/assets/0.Bm6cF078.css +1 -0
package/admin-build/_app/immutable/assets/1.BfW3pUNa.css +1 -0
package/admin-build/_app/immutable/assets/11.CVmQOewb.css +1 -0
package/admin-build/_app/immutable/assets/12.B1EhbRZT.css +1 -0
package/admin-build/_app/immutable/assets/13.BvwYeuwE.css +1 -0
package/admin-build/_app/immutable/assets/14.CdVfcO0R.css +1 -0
package/admin-build/_app/immutable/assets/15.2yeZ66b-.css +1 -0
package/admin-build/_app/immutable/assets/17.BVg0JEVu.css +1 -0
package/admin-build/_app/immutable/assets/18.Rwnl3x_i.css +1 -0
package/admin-build/_app/immutable/assets/20.DsPWA9AV.css +1 -0
package/admin-build/_app/immutable/assets/21.Dz2RJ56c.css +1 -0
package/admin-build/_app/immutable/assets/22.DwNLk5Ai.css +1 -0
package/admin-build/_app/immutable/assets/23.CFpu0gOO.css +1 -0
package/admin-build/_app/immutable/assets/24.Cy5LBeoJ.css +1 -0
package/admin-build/_app/immutable/assets/25.pUyLVf-h.css +1 -0
package/admin-build/_app/immutable/assets/26.DBcGrlXa.css +1 -0
package/admin-build/_app/immutable/assets/27.BswYyAJD.css +1 -0
package/admin-build/_app/immutable/assets/28.B4ueB1Kf.css +1 -0
package/admin-build/_app/immutable/assets/29.B-qU6PdF.css +1 -0
package/admin-build/_app/immutable/assets/3.Dg81Pgmd.css +1 -0
package/admin-build/_app/immutable/assets/30.CsdWum94.css +1 -0
package/admin-build/_app/immutable/assets/31.U6OwIp50.css +1 -0
package/admin-build/_app/immutable/assets/4.CyawCCux.css +1 -0
package/admin-build/_app/immutable/assets/5.C0YO2HTk.css +1 -0
package/admin-build/_app/immutable/assets/8.Br5jd6kD.css +1 -0
package/admin-build/_app/immutable/assets/Badge.EMYLHBxE.css +1 -0
package/admin-build/_app/immutable/assets/Button.DpzMRTjK.css +1 -0
package/admin-build/_app/immutable/assets/ConfirmDialog.DAnaWRRk.css +1 -0
package/admin-build/_app/immutable/assets/EmptyState.CwKsu57Y.css +1 -0
package/admin-build/_app/immutable/assets/Input.BDUSenmU.css +1 -0
package/admin-build/_app/immutable/assets/Modal.Dm5B0Xie.css +1 -0
package/admin-build/_app/immutable/assets/PageShell.CmU-Xh-b.css +1 -0
package/admin-build/_app/immutable/assets/SchemaFieldEditor.g4NsCdno.css +1 -0
package/admin-build/_app/immutable/assets/Select.BW4Keufm.css +1 -0
package/admin-build/_app/immutable/assets/Skeleton.KWUulTKJ.css +1 -0
package/admin-build/_app/immutable/assets/Tabs.CniGYb67.css +1 -0
package/admin-build/_app/immutable/assets/TimeChart.BTCDAvmT.css +1 -0
package/admin-build/_app/immutable/assets/Toggle.Cy_K12OM.css +1 -0
package/admin-build/_app/immutable/assets/TopList.ClFzmPlA.css +1 -0
package/admin-build/_app/immutable/chunks/7B47DvSx.js +1 -0
package/admin-build/_app/immutable/chunks/7f08Id8e.js +1 -0
package/admin-build/_app/immutable/chunks/8wJeQ7LN.js +1 -0
package/admin-build/_app/immutable/chunks/B-h2afW5.js +1 -0
package/admin-build/_app/immutable/chunks/B8vJP3wz.js +1 -0
package/admin-build/_app/immutable/chunks/BR_fL5Yv.js +1 -0
package/admin-build/_app/immutable/chunks/BY92tFS2.js +1 -0
package/admin-build/_app/immutable/chunks/BcR-Rdj9.js +1 -0
package/admin-build/_app/immutable/chunks/BdrwyZv8.js +1 -0
package/admin-build/_app/immutable/chunks/Bh56EfQ_.js +1 -0
package/admin-build/_app/immutable/chunks/BkrCkgYp.js +1 -0
package/admin-build/_app/immutable/chunks/BmRjiP5k.js +1 -0
package/admin-build/_app/immutable/chunks/BsokvhWC.js +1 -0
package/admin-build/_app/immutable/chunks/C4D51vTW.js +1 -0
package/admin-build/_app/immutable/chunks/C6puvcoR.js +2 -0
package/admin-build/_app/immutable/chunks/CCKNu7m7.js +1 -0
package/admin-build/_app/immutable/chunks/CWj6FrbW.js +1 -0
package/admin-build/_app/immutable/chunks/Ce-ngf4p.js +5 -0
package/admin-build/_app/immutable/chunks/Cs0GwzJA.js +1 -0
package/admin-build/_app/immutable/chunks/CwROoZK0.js +1 -0
package/admin-build/_app/immutable/chunks/CxCPv_Ut.js +1 -0
package/admin-build/_app/immutable/chunks/CxbRue-5.js +1 -0
package/admin-build/_app/immutable/chunks/CyqB6g-D.js +1 -0
package/admin-build/_app/immutable/chunks/D5h5A1cc.js +2 -0
package/admin-build/_app/immutable/chunks/DnyL7Zq-.js +1 -0
package/admin-build/_app/immutable/chunks/DoPXzH7F.js +1 -0
package/admin-build/_app/immutable/chunks/DrQSgw-f.js +1 -0
package/admin-build/_app/immutable/chunks/DttM2zNO.js +1 -0
package/admin-build/_app/immutable/chunks/DuXuUBWN.js +1 -0
package/admin-build/_app/immutable/chunks/MdeqaOQx.js +10 -0
package/admin-build/_app/immutable/chunks/NuUjtcO2.js +1 -0
package/admin-build/_app/immutable/chunks/Q2nPFxS6.js +1 -0
package/admin-build/_app/immutable/chunks/R6arueIl.js +1 -0
package/admin-build/_app/immutable/chunks/UUazaC_N.js +1 -0
package/admin-build/_app/immutable/chunks/cOYbrQxx.js +1 -0
package/admin-build/_app/immutable/chunks/eFQHTGwA.js +1 -0
package/admin-build/_app/immutable/chunks/ehbppgYb.js +1 -0
package/admin-build/_app/immutable/chunks/glwixJlP.js +1 -0
package/admin-build/_app/immutable/chunks/vApWTCBs.js +1 -0
package/admin-build/_app/immutable/chunks/w89G9Xpi.js +1 -0
package/admin-build/_app/immutable/chunks/wJsUhbfZ.js +1 -0
package/admin-build/_app/immutable/chunks/zfauFM8P.js +1 -0
package/admin-build/_app/immutable/entry/app.CcO-Uos3.js +2 -0
package/admin-build/_app/immutable/entry/start.COebYq3I.js +1 -0
package/admin-build/_app/immutable/nodes/0.CjtHKU-6.js +1 -0
package/admin-build/_app/immutable/nodes/1.DEisjlM0.js +1 -0
package/admin-build/_app/immutable/nodes/10.CvhdyWVB.js +1 -0
package/admin-build/_app/immutable/nodes/11.DjHqcOvy.js +1 -0
package/admin-build/_app/immutable/nodes/12.mQLz4Mj_.js +1 -0
package/admin-build/_app/immutable/nodes/13.CBonZZyP.js +110 -0
package/admin-build/_app/immutable/nodes/14.d-oiZL0j.js +3 -0
package/admin-build/_app/immutable/nodes/15.CKPQsUYF.js +1 -0
package/admin-build/_app/immutable/nodes/16.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/17.DayhKyEZ.js +1 -0
package/admin-build/_app/immutable/nodes/18.DKwS0Ir0.js +1 -0
package/admin-build/_app/immutable/nodes/19.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/2.BKoKrw1i.js +1 -0
package/admin-build/_app/immutable/nodes/20.BvIkkkrW.js +1 -0
package/admin-build/_app/immutable/nodes/21.DMaFhdHk.js +128 -0
package/admin-build/_app/immutable/nodes/22.3xdgwuK1.js +1 -0
package/admin-build/_app/immutable/nodes/23.8Bvgjbsl.js +112 -0
package/admin-build/_app/immutable/nodes/24.DzSSzRhG.js +2 -0
package/admin-build/_app/immutable/nodes/25.9KKYBnAE.js +2 -0
package/admin-build/_app/immutable/nodes/26.Bhn9dfhY.js +1 -0
package/admin-build/_app/immutable/nodes/27.kRLiC24G.js +1 -0
package/admin-build/_app/immutable/nodes/28.BVIN1-7N.js +1 -0
package/admin-build/_app/immutable/nodes/29.3yabZWj4.js +1 -0
package/admin-build/_app/immutable/nodes/3.BFtSOkX7.js +2 -0
package/admin-build/_app/immutable/nodes/30.CyCQlwaP.js +1 -0
package/admin-build/_app/immutable/nodes/31.C4LDXjES.js +1 -0
package/admin-build/_app/immutable/nodes/4.CvbiMlCa.js +1 -0
package/admin-build/_app/immutable/nodes/5.C6BLv2eM.js +1 -0
package/admin-build/_app/immutable/nodes/6.BcXvfl2P.js +1 -0
package/admin-build/_app/immutable/nodes/7.CIuqhPiK.js +1 -0
package/admin-build/_app/immutable/nodes/8.BQOR_JfO.js +1 -0
package/admin-build/_app/immutable/nodes/9.NZqXQxPy.js +1 -0
package/admin-build/_app/version.json +1 -0
package/admin-build/favicon.svg +26 -0
package/admin-build/index.html +45 -0
package/openapi.json +19543 -0
package/package.json +66 -0
package/src/__tests__/admin-assets.test.ts +55 -0
package/src/__tests__/admin-data-routes.test.ts +488 -0
package/src/__tests__/admin-db-target.test.ts +103 -0
package/src/__tests__/admin-routing.test.ts +31 -0
package/src/__tests__/admin-user-management.test.ts +311 -0
package/src/__tests__/analytics-query.test.ts +75 -0
package/src/__tests__/auth-d1.test.ts +749 -0
package/src/__tests__/auth-db-adapter.test.ts +73 -0
package/src/__tests__/auth-jwt.test.ts +440 -0
package/src/__tests__/auth-oauth.test.ts +389 -0
package/src/__tests__/auth-password.test.ts +367 -0
package/src/__tests__/auth-redirect.test.ts +87 -0
package/src/__tests__/backup-restore.test.ts +711 -0
package/src/__tests__/broadcast.test.ts +128 -0
package/src/__tests__/cli.test.ts +178 -0
package/src/__tests__/cloudflare-realtime.test.ts +113 -0
package/src/__tests__/config.test.ts +469 -0
package/src/__tests__/cors.test.ts +154 -0
package/src/__tests__/cron.test.ts +302 -0
package/src/__tests__/d1-handler.test.ts +402 -0
package/src/__tests__/d1-sql.test.ts +120 -0
package/src/__tests__/database-live-config.test.ts +42 -0
package/src/__tests__/database-live-emitter.test.ts +56 -0
package/src/__tests__/database-live-filters.test.ts +63 -0
package/src/__tests__/database-live-route.test.ts +113 -0
package/src/__tests__/db-sql.test.ts +163 -0
package/src/__tests__/do-lifecycle.test.ts +263 -0
package/src/__tests__/do-router.test.ts +729 -0
package/src/__tests__/email-provider.test.ts +128 -0
package/src/__tests__/email-templates.test.ts +528 -0
package/src/__tests__/error-format.test.ts +250 -0
package/src/__tests__/field-ops.test.ts +242 -0
package/src/__tests__/functions-context.test.ts +334 -0
package/src/__tests__/functions-d1-proxy.test.ts +229 -0
package/src/__tests__/functions-registry-runtime-config.test.ts +17 -0
package/src/__tests__/functions-route.test.ts +139 -0
package/src/__tests__/internal-request.test.ts +77 -0
package/src/__tests__/log-writer.test.ts +44 -0
package/src/__tests__/logger.test.ts +58 -0
package/src/__tests__/meta-admin-proxy.test.ts +48 -0
package/src/__tests__/meta-export-coverage.test.ts +191 -0
package/src/__tests__/meta-route-registration.test.ts +47 -0
package/src/__tests__/namespace-dump.test.ts +28 -0
package/src/__tests__/oauth-providers.test.ts +337 -0
package/src/__tests__/openapi-coverage.test.ts +144 -0
package/src/__tests__/pagination.test.ts +59 -0
package/src/__tests__/password-policy.test.ts +191 -0
package/src/__tests__/plugin-migrations.test.ts +379 -0
package/src/__tests__/postgres-batch-compat.test.ts +133 -0
package/src/__tests__/postgres-dialect.test.ts +328 -0
package/src/__tests__/postgres-executor.test.ts +79 -0
package/src/__tests__/postgres-field-ops-compat.test.ts +222 -0
package/src/__tests__/postgres-schema-init.test.ts +105 -0
package/src/__tests__/postgres-table-utils.test.ts +107 -0
package/src/__tests__/presence.test.ts +199 -0
package/src/__tests__/provider.test.ts +550 -0
package/src/__tests__/public-user-profile.test.ts +339 -0
package/src/__tests__/push-handlers.test.ts +179 -0
package/src/__tests__/push-provider.test.ts +80 -0
package/src/__tests__/push-token.test.ts +418 -0
package/src/__tests__/query.test.ts +771 -0
package/src/__tests__/rate-limit.test.ts +260 -0
package/src/__tests__/room-access-policy.test.ts +101 -0
package/src/__tests__/room-handler-context.test.ts +130 -0
package/src/__tests__/room-monitoring.test.ts +138 -0
package/src/__tests__/room-runtime-routing.test.ts +222 -0
package/src/__tests__/room.test.ts +254 -0
package/src/__tests__/route-parser.test.ts +490 -0
package/src/__tests__/rules.test.ts +234 -0
package/src/__tests__/runtime-surface-accounting.test.ts +120 -0
package/src/__tests__/scheduled.test.ts +80 -0
package/src/__tests__/schema.test.ts +1273 -0
package/src/__tests__/security-hardening.test.ts +312 -0
package/src/__tests__/server.unit.test.ts +333 -0
package/src/__tests__/service-key-db-proxy.test.ts +650 -0
package/src/__tests__/service-key-provider-bypass.test.ts +138 -0
package/src/__tests__/service-key.test.ts +757 -0
package/src/__tests__/smoke-skip-report.test.ts +72 -0
package/src/__tests__/sms-provider.test.ts +39 -0
package/src/__tests__/sql-route.test.ts +218 -0
package/src/__tests__/storage-hook-context.test.ts +115 -0
package/src/__tests__/totp.test.ts +200 -0
package/src/__tests__/uuid.test.ts +144 -0
package/src/__tests__/validation.test.ts +773 -0
package/src/__tests__/websocket-pending.test.ts +163 -0
package/src/_functions-registry.ts +51 -0
package/src/bench-entry.ts +9 -0
package/src/cloudflare-test.d.ts +1 -0
package/src/durable-objects/auth-do.ts +49 -0
package/src/durable-objects/database-do.ts +2240 -0
package/src/durable-objects/database-live-do.ts +949 -0
package/src/durable-objects/logs-do.ts +1200 -0
package/src/durable-objects/room-runtime-base.ts +1604 -0
package/src/durable-objects/rooms-do.ts +2191 -0
package/src/generated-config.ts +6 -0
package/src/index.ts +382 -0
package/src/lib/admin-assets.ts +54 -0
package/src/lib/admin-db-target.ts +301 -0
package/src/lib/admin-routing.ts +35 -0
package/src/lib/admin-user-management.ts +464 -0
package/src/lib/analytics-adapter.ts +103 -0
package/src/lib/analytics-query.ts +579 -0
package/src/lib/auth-d1-service.ts +1193 -0
package/src/lib/auth-d1.ts +1056 -0
package/src/lib/auth-db-adapter.ts +289 -0
package/src/lib/auth-redirect.ts +116 -0
package/src/lib/cidr.ts +115 -0
package/src/lib/client-ip.ts +51 -0
package/src/lib/cloudflare-realtime.ts +251 -0
package/src/lib/control-db.ts +36 -0
package/src/lib/cron.ts +163 -0
package/src/lib/d1-handler.ts +1425 -0
package/src/lib/d1-schema-init.ts +255 -0
package/src/lib/d1-sql.ts +33 -0
package/src/lib/database-live-config.ts +24 -0
package/src/lib/database-live-emitter.ts +111 -0
package/src/lib/db-sql.ts +66 -0
package/src/lib/do-retry.ts +36 -0
package/src/lib/do-router.ts +270 -0
package/src/lib/do-sql.ts +73 -0
package/src/lib/email-provider.ts +379 -0
package/src/lib/email-templates.ts +285 -0
package/src/lib/email-translations.ts +422 -0
package/src/lib/errors.ts +151 -0
package/src/lib/functions.ts +2091 -0
package/src/lib/hono.ts +56 -0
package/src/lib/internal-request.ts +56 -0
package/src/lib/jwt.ts +354 -0
package/src/lib/log-writer.ts +272 -0
package/src/lib/namespace-dump.ts +125 -0
package/src/lib/oauth-providers.ts +1225 -0
package/src/lib/op-parser.ts +99 -0
package/src/lib/openapi.ts +146 -0
package/src/lib/pagination.ts +19 -0
package/src/lib/password-policy.ts +102 -0
package/src/lib/password.ts +145 -0
package/src/lib/plugin-migrations.ts +612 -0
package/src/lib/postgres-executor.ts +203 -0
package/src/lib/postgres-handler.ts +1102 -0
package/src/lib/postgres-schema-init.ts +341 -0
package/src/lib/postgres-table-utils.ts +87 -0
package/src/lib/public-user-profile.ts +187 -0
package/src/lib/push-provider.ts +409 -0
package/src/lib/push-token.ts +294 -0
package/src/lib/query-engine.ts +768 -0
package/src/lib/room-monitoring.ts +97 -0
package/src/lib/room-runtime.ts +14 -0
package/src/lib/route-parser.ts +434 -0
package/src/lib/schema.ts +538 -0
package/src/lib/schemas.ts +152 -0
package/src/lib/service-key.ts +419 -0
package/src/lib/sms-provider.ts +230 -0
package/src/lib/startup-config.ts +99 -0
package/src/lib/totp.ts +242 -0
package/src/lib/uuid.ts +87 -0
package/src/lib/validation.ts +205 -0
package/src/lib/version.ts +2 -0
package/src/lib/websocket-pending.ts +40 -0
package/src/middleware/auth.ts +169 -0
package/src/middleware/captcha-verify.ts +217 -0
package/src/middleware/cors.ts +159 -0
package/src/middleware/error-handler.ts +54 -0
package/src/middleware/internal-guard.ts +26 -0
package/src/middleware/logger.ts +126 -0
package/src/middleware/rate-limit.ts +283 -0
package/src/middleware/rules.ts +475 -0
package/src/routes/admin-auth.ts +447 -0
package/src/routes/admin.ts +3501 -0
package/src/routes/analytics-api.ts +290 -0
package/src/routes/auth.ts +4222 -0
package/src/routes/backup.ts +1466 -0
package/src/routes/config.ts +53 -0
package/src/routes/d1.ts +109 -0
package/src/routes/database-live.ts +281 -0
package/src/routes/functions.ts +155 -0
package/src/routes/health.ts +32 -0
package/src/routes/kv.ts +167 -0
package/src/routes/oauth.ts +1055 -0
package/src/routes/push.ts +1465 -0
package/src/routes/room.ts +639 -0
package/src/routes/schema-endpoint.ts +76 -0
package/src/routes/sql.ts +176 -0
package/src/routes/storage.ts +1674 -0
package/src/routes/tables.ts +699 -0
package/src/routes/users.ts +21 -0
package/src/routes/vectorize.ts +372 -0
package/src/types.ts +99 -0

package/src/middleware/rules.ts ADDED Viewed

@@ -0,0 +1,475 @@
+/**
+ * Rules Middleware — Function-based access rules evaluation
+ *
+ * Pipeline: Auth → Rules → Handler(DO proxy)
+ *
+ * Worker level (before DO):
+ *   - DB-level access: canCreate(auth, id) / access(auth, id) — §4
+ *   - Table-level create: create(auth) — no row needed
+ *   - Service Key bypass — §1
+ *
+ * DO level (inside database-do.ts):
+ *   - Table-level read/update/delete: evaluated per-row with actual row data
+ *   - All-or-Nothing: any row failing read → full 403 — §7
+ *
+ * Rules are TypeScript functions — no string DSL, no Pratt parser — §3.
+ * Timeout: Worker rules 50ms, DO rules 10ms — fail-closed — §12①.
+ */
+import type { Context, Next } from 'hono';
+import type { Env } from '../types.js';
+import {
+  validateKey,
+  buildKeymap,
+  resolveServiceKeyCandidate,
+  type ConstraintContext,
+} from '../lib/service-key.js';
+import {
+  callDO,
+  findTableNamespace,
+  getDbDoName,
+  parseConfig,
+  shouldRouteToD1,
+} from '../lib/do-router.js';
+import type { AuthContext, TableRules, DbLevelRules } from '@edge-base/shared';
+import { EdgeBaseError, getDbAccess, getTableAccess } from '@edge-base/shared';
+import { handleD1Request } from '../lib/d1-handler.js';
+import { handlePgRequest } from '../lib/postgres-handler.js';
+import { buildInternalHandlerContext } from '../lib/internal-request.js';
+import { getTrustedClientIp } from '../lib/client-ip.js';
+type HonoContext = Context<{ Bindings: Env }>;
+const WORKER_RULE_TIMEOUT_MS = 50;
+const DB_ACCESS_RULE_TIMEOUT_MS = 2000;
+/**
+ * Normalize a raw rule value (function | boolean | string) into a callable.
+ *
+ * JSON-deserialized test config cannot encode
+ * functions — rules arrive as boolean literals or expression strings like
+ * "auth != null" or "auth.id == resource.authorId".
+ * Live edgebase.config.js rules are real JS functions.
+ */
+function normalizeRule<T extends unknown[]>(
+  rule: ((...args: T) => boolean | Promise<boolean>) | boolean | string | undefined,
+): ((...args: T) => boolean) | null {
+  if (rule === undefined || rule === null) return null;
+  if (typeof rule === 'boolean') return () => rule;
+  if (typeof rule === 'function') return rule as (...args: T) => boolean;
+  // String expression — simple interpreter for common patterns
+  if (typeof rule === 'string') {
+    return (...args: T) => evalStringRule(rule, args[0] as AuthContext | null, args[1] as Record<string, unknown> | undefined);
+  }
+  return null;
+}
+/**
+ * Evaluate a simple string rule expression against auth and resource.
+ * Supports: 'true', 'false', 'auth != null', 'auth !== null',
+ *           'auth.id == resource.X', 'auth.id === resource.X'.
+ */
+function evalStringRule(
+  expr: string,
+  auth: AuthContext | null,
+  resource?: Record<string, unknown>,
+): boolean {
+  const e = expr.trim().replace(/\s+/g, ' ');
+  if (e === 'true') return true;
+  if (e === 'false') return false;
+  if (e === 'auth != null' || e === 'auth !== null') return auth !== null;
+  if (e === 'auth == null' || e === 'auth === null') return auth === null;
+  // auth.id == resource.X
+  const authIdEqResource = /^auth\.id ===? resource\.(\w+)$/.exec(e);
+  if (authIdEqResource) {
+    const field = authIdEqResource[1];
+    return auth !== null && resource !== undefined && auth.id === resource[field];
+  }
+  // Default: deny (fail-closed for unknown/unsupported expressions)
+  console.warn(`[Rules] Unrecognized string rule expression: "${expr}" — denied (fail-closed).`);
+  return false;
+}
+// ─── Rule Evaluation with Timeout (§12①) ───
+/**
+ * Evaluate a rule function with a timeout.
+ * Accepts function, boolean or string rule values.
+ * Fail-closed: timeout or error → false (deny).
+ */
+async function evalWithTimeout(
+  fn: (() => boolean | Promise<boolean>),
+  timeoutMs: number,
+): Promise<boolean> {
+  try {
+    const result = fn();
+    if (typeof result === 'boolean') return result;
+    // Promise — race with timeout
+    return await Promise.race([
+      result,
+      new Promise<boolean>((resolve) => setTimeout(() => resolve(false), timeoutMs)),
+    ]);
+  } catch {
+    // Any error → deny (fail-closed)
+    return false;
+  }
+}
+// ─── Main Rules Middleware ───
+/**
+ * Rules middleware for database table endpoints.
+ * Must be mounted on /api/db/* in the main app.
+ */
+export async function rulesMiddleware(c: HonoContext, next: Next): Promise<Response | void> {
+  const path = new URL(c.req.raw.url).pathname;
+  // Extract namespace, instanceId, tableName from /api/db/:namespace/tables/:table[/*]
+  // or /api/db/:namespace/:instanceId/tables/:table[/*]
+  // pathParts: ['api','db','shared','tables','posts'] or ['api','db','workspace','ws-456','tables','docs']
+  const pathParts = path.split('/').filter(Boolean);
+  const tablesIdx = pathParts.indexOf('tables');
+  if (pathParts[1] !== 'db' || tablesIdx === -1) {
+    return next();
+  }
+  const rawTableName = pathParts[tablesIdx + 1];
+  const tableName = rawTableName ? decodeURIComponent(rawTableName) : rawTableName;
+  const namespace = pathParts[2];
+  // instanceId present when path is /api/db/:ns/:id/tables/:name
+  const instanceId = tablesIdx === 4 ? pathParts[3] : undefined;
+  if (!tableName) return next();
+  // ── Step 0: Internal call bypass ──
+  const isInternal = c.get('isInternalRequest' as never) === true;
+  if (isInternal) {
+    return next();
+  }
+  const config = parseConfig(c.env);
+  const auth = c.get('auth') as AuthContext | null;
+  const dbId = instanceId ||
+    c.req.header('X-EdgeBase-DB-Id') ||
+    extractAuthIdForUserNamespace(namespace, auth);
+  // ── Step 1: Service Key check ──
+  const provided = resolveServiceKeyCandidate(
+    c.req,
+    c.get('serviceKeyToken') as string | null | undefined,
+  );
+  const httpMethod = c.req.raw.method.toUpperCase();
+  const isReadMethod = httpMethod === 'GET' || httpMethod === 'HEAD';
+  const scopeAction = isReadMethod ? 'read' : 'write';
+  const requiredScope = `db:table:${tableName}:${scopeAction}`;
+  const constraintCtx: ConstraintContext = {
+    env: c.env.ENVIRONMENT,
+    ip: getTrustedClientIp(c.env, c.req),
+  };
+  if (dbId) constraintCtx.tenantId = dbId;
+  // BUG-007 fix: build keymap once per request (not internally on every validateKey call)
+  const keymap = buildKeymap(config, c.env);
+  const { result: keyResult } = validateKey(provided, requiredScope, config, c.env, keymap, constraintCtx);
+  if (keyResult === 'valid') {
+    c.set('isServiceKey' as never, true);
+    return next();
+  }
+  if (keyResult === 'invalid') {
+    throw new EdgeBaseError(401, 'Unauthorized. Invalid Service Key.');
+  }
+  // keyResult === 'missing' → continue to normal rules evaluation
+  // ── Step 2: Find DB block by namespace (from URL — §2) ──
+  if (!config.databases) {
+    // No databases config → release mode check
+    if (!config.release) return next();
+    throw new EdgeBaseError(403, `Access denied. No databases config defined.`);
+  }
+  // namespace comes directly from the URL (/api/db/:namespace/...)
+  const tableNamespace = namespace;
+  const dbBlock = config.databases[tableNamespace];
+  if (!dbBlock) {
+    // Namespace not found in config → deny
+    if (!config.release) return next();
+    throw new EdgeBaseError(403, `Access denied. Namespace '${tableNamespace}' is not configured.`);
+  }
+  if (dbBlock.tables && !dbBlock.tables[tableName]) {
+    // Table not defined in this DB block
+    if (!config.release) return next();
+    throw new EdgeBaseError(403, `Access denied. Table '${tableName}' has no access rules defined.`);
+  }
+  // ── Step 3: DB-level access check (§4) ──
+  // instanceId from URL (/api/db/:ns/:id/tables/:name) or fallback for 'user' namespace
+  const dbRules = getDbAccess(dbBlock) as DbLevelRules | undefined;
+  if (dbRules && dbId !== undefined) {
+    // access: check if user can access this DO instance
+    if (dbRules.access) {
+      const dbRuleCtx = buildDbRuleCtx(c, config, namespace, dbId);
+      const canAccess = await evalWithTimeout(
+        () => dbRules.access!(auth, dbId, dbRuleCtx),
+        // Dynamic DB access rules often perform an internal DB/DO lookup.
+        // Cold starts on deployed workers regularly exceed 50ms, so a short
+        // ceiling turns valid tenant memberships into false 403s.
+        DB_ACCESS_RULE_TIMEOUT_MS,
+      );
+      if (!canAccess) {
+        throw new EdgeBaseError(403, `Access denied. You do not have access to ${tableNamespace}:${dbId}.`);
+      }
+    }
+    // NOTE: DbLevelRules.delete exists in the type definition (config.ts) but is not
+    // enforced here because no public/admin endpoint for deleting a DB block instance (DO)
+    // exists yet. canCreate is evaluated in tables.ts (§36 2-RTT flow), access is evaluated
+    // above. When a DB instance deletion endpoint is added, enforce dbRules.delete(auth, dbId)
+    // at the corresponding route handler before allowing the operation.
+  }
+  // ── Step 4: Table-level rules (create at Worker level, others at DO level) ──
+  const tableConfig = dbBlock.tables?.[tableName];
+  const tableRules = getTableAccess(tableConfig) as TableRules | undefined;
+  if (!tableRules) {
+    if (!config.release) return next();
+    throw new EdgeBaseError(403, `Access denied. No access rules defined for '${tableName}'.`);
+  }
+  // Determine action
+  const hasUpsert = c.req.query('upsert') === 'true';
+  const action = getAction(httpMethod, path, hasUpsert);
+  // Handle upsert (§16)
+  if (hasUpsert && httpMethod === 'POST') {
+    const insertRuleFn = normalizeRule(tableRules.insert);
+    const updateRuleFn = normalizeRule(tableRules.update);
+    if (!insertRuleFn && !updateRuleFn) {
+      if (!config.release) return next();
+      throw new EdgeBaseError(403, `Access denied. No insert or update rules for '${tableName}'.`);
+    }
+    // Worker pre-check: insert(auth) OR update(auth, null) — §16
+    // update called with null row since we don't have it yet
+    const insertPass = insertRuleFn
+      ? await evalWithTimeout(() => insertRuleFn(auth), WORKER_RULE_TIMEOUT_MS)
+      : !config.release;
+    const updatePass = updateRuleFn
+      ? await evalWithTimeout(() => updateRuleFn(auth, {}), WORKER_RULE_TIMEOUT_MS) // null-safe: {} simulates missing row
+      : !config.release;
+    if (!insertPass && !updatePass) {
+      throw new EdgeBaseError(403, 'Access denied by access rules.');
+    }
+    return next();
+  }
+  // Handle batch (§16)
+  if (path.includes('/batch')) {
+    if (httpMethod === 'POST') {
+      const insertRuleFn = normalizeRule(tableRules.insert);
+      if (path.includes('/batch-by-filter')) {
+        // batch-by-filter: row-level evaluation happens in DO
+        return next();
+      }
+      if (insertRuleFn) {
+        const canInsert = await evalWithTimeout(() => insertRuleFn(auth), WORKER_RULE_TIMEOUT_MS);
+        if (!canInsert) throw new EdgeBaseError(403, 'Access denied by access rules.');
+      } else if (config.release) {
+        throw new EdgeBaseError(403, 'Access denied by access rules.');
+      }
+    }
+    return next();
+  }
+  if (!action) return next();
+  // ── Step 5: insert — evaluated at Worker level (no row needed) ──
+  if (action === 'insert') {
+    const insertRuleFn = normalizeRule(tableRules.insert);
+    if (!insertRuleFn) {
+      if (!config.release) return next();
+      throw new EdgeBaseError(403, `Access denied. No 'insert' rule defined for '${tableName}'.`);
+    }
+    const canInsert = await evalWithTimeout(() => insertRuleFn(auth), WORKER_RULE_TIMEOUT_MS);
+    if (!canInsert) throw new EdgeBaseError(403, 'Access denied by access rules.');
+    return next();
+  }
+  // ── Step 6: read/update/delete — pass to DO for row-level evaluation ──
+  // DO (database-do.ts) handles: read(auth, row), update(auth, row), delete(auth, row).
+  // All-or-Nothing policy for reads: any row failing → full 403 — §7.
+  // NOTE: Do NOT call c.req.raw.headers.set() here — Request.headers is immutable in
+  // Cloudflare Workers runtime (TypeError). tables.ts copies headers via new Headers(...)
+  // and sets X-DO-Name. auth is already forwarded via X-Auth-Context header in tables.ts.
+  // namespace/dbId are parsed from the URL by the DO directly.
+  return next();
+}
+// ─── Helpers ───
+function getAction(method: string, path: string, hasUpsert: boolean): string | null {
+  if (path.includes('/search')) return 'search';
+  if (path.includes('/count')) return 'list';
+  if (path.includes('/batch')) return null;
+  switch (method) {
+    case 'GET':
+      return isIdPath(path) ? 'get' : 'list';
+    case 'POST':
+      if (hasUpsert) return null;
+      return 'insert';
+    case 'PATCH':
+    case 'PUT':
+      return 'update';
+    case 'DELETE':
+      return 'delete';
+    default:
+      return null;
+  }
+}
+function isIdPath(path: string): boolean {
+  // /api/db/:ns/tables/:name/:id or /api/db/:ns/:iid/tables/:name/:id
+  const parts = path.split('/').filter(Boolean);
+  const tabIdx = parts.indexOf('tables');
+  if (parts[1] !== 'db' || tabIdx === -1) return false;
+  // id segment exists after tableName (parts[tabIdx+2])
+  return parts.length > tabIdx + 2;
+}
+/**
+ * For 'user' namespace, auto-extract id from auth.id.
+ * For other namespaces, returns undefined (id must come from X-EdgeBase-DB-Id header).
+ */
+function extractAuthIdForUserNamespace(namespace: string, auth: AuthContext | null): string | undefined {
+  if (namespace === 'user' && auth?.id) {
+    return auth.id;
+  }
+  return undefined;
+}
+/**
+ * Build a read-only DbRuleCtx for DB-level access() evaluation at Worker level.
+ * Resolves table names through the configured provider and performs local internal reads.
+ */
+function buildDbRuleCtx(
+  c: HonoContext,
+  config: ReturnType<typeof parseConfig>,
+  currentNamespace: string,
+  currentDbId: string | undefined,
+): import('@edge-base/shared').DbRuleCtx {
+  return {
+    db: {
+      async get(table, id) {
+        const namespace = findTableNamespace(table, config) ?? currentNamespace;
+        if (!namespace || !id) return null;
+        const path = `/tables/${table}/${id}`;
+        const response = await executeInternalDbRead(
+          c,
+          config,
+          namespace,
+          table,
+          path,
+          currentNamespace,
+          currentDbId,
+        );
+        if (response.status === 404) return null;
+        if (!response.ok) throw new Error(`DB rule ctx get failed: ${response.status}`);
+        return await response.json() as Record<string, unknown>;
+      },
+      async exists(table, filter) {
+        const namespace = findTableNamespace(table, config) ?? currentNamespace;
+        if (!namespace) return false;
+        const query = new URLSearchParams();
+        query.set('limit', '1');
+        query.set(
+          'filter',
+          JSON.stringify(
+            Object.entries(filter).map(([field, value]) => [field, '==', value]),
+          ),
+        );
+        const response = await executeInternalDbRead(
+          c,
+          config,
+          namespace,
+          table,
+          `/tables/${table}?${query.toString()}`,
+          currentNamespace,
+          currentDbId,
+        );
+        if (!response.ok) throw new Error(`DB rule ctx exists failed: ${response.status}`);
+        const result = await response.json() as { items?: Array<Record<string, unknown>> };
+        return (result.items?.length ?? 0) > 0;
+      },
+    },
+  };
+}
+async function executeInternalDbRead(
+  c: HonoContext,
+  config: ReturnType<typeof parseConfig>,
+  namespace: string,
+  tableName: string,
+  path: string,
+  currentNamespace: string,
+  currentDbId: string | undefined,
+): Promise<Response> {
+  const dbBlock = config.databases?.[namespace];
+  const isDynamic = !!(dbBlock?.instance || dbBlock?.access?.canCreate || dbBlock?.access?.access);
+  if (isDynamic && (!currentDbId || namespace !== currentNamespace)) {
+    throw new Error(
+      `DbRuleCtx cannot resolve dynamic namespace table '${tableName}' outside the current db instance.`,
+    );
+  }
+  const request = new Request(`http://internal/api/db/${namespace}${path}`, {
+    method: 'GET',
+    headers: {
+      'Content-Type': 'application/json',
+      'X-EdgeBase-Internal': 'true',
+      'X-Is-Service-Key': 'true',
+    },
+  });
+  if (shouldRouteToD1(namespace, config)) {
+    return handleD1Request(
+      buildInternalHandlerContext({
+        env: c.env,
+        request,
+        executionCtx: c.executionCtx,
+      }),
+      namespace,
+      tableName,
+      path,
+    );
+  }
+  const provider = config.databases?.[namespace]?.provider;
+  if (provider === 'neon' || provider === 'postgres') {
+    return handlePgRequest(
+      buildInternalHandlerContext({
+        env: c.env,
+        request,
+        executionCtx: c.executionCtx,
+      }),
+      namespace,
+      tableName,
+      path,
+    );
+  }
+  const doName = getDbDoName(namespace, isDynamic ? currentDbId : undefined);
+  return callDO(c.env.DATABASE, doName, path, {
+    method: 'GET',
+    headers: {
+      'X-DO-Name': doName,
+      'X-EdgeBase-Internal': 'true',
+      'X-Is-Service-Key': 'true',
+    },
+  });
+}