npm - @edge-base/server - Versions diffs - 0.1.1 - Mend

@edge-base/server 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/admin-build/.gitkeep +0 -0
package/admin-build/_app/env.js +1 -0
package/admin-build/_app/immutable/assets/0.Bm6cF078.css +1 -0
package/admin-build/_app/immutable/assets/1.BfW3pUNa.css +1 -0
package/admin-build/_app/immutable/assets/11.CVmQOewb.css +1 -0
package/admin-build/_app/immutable/assets/12.B1EhbRZT.css +1 -0
package/admin-build/_app/immutable/assets/13.BvwYeuwE.css +1 -0
package/admin-build/_app/immutable/assets/14.CdVfcO0R.css +1 -0
package/admin-build/_app/immutable/assets/15.2yeZ66b-.css +1 -0
package/admin-build/_app/immutable/assets/17.BVg0JEVu.css +1 -0
package/admin-build/_app/immutable/assets/18.Rwnl3x_i.css +1 -0
package/admin-build/_app/immutable/assets/20.DsPWA9AV.css +1 -0
package/admin-build/_app/immutable/assets/21.Dz2RJ56c.css +1 -0
package/admin-build/_app/immutable/assets/22.DwNLk5Ai.css +1 -0
package/admin-build/_app/immutable/assets/23.CFpu0gOO.css +1 -0
package/admin-build/_app/immutable/assets/24.Cy5LBeoJ.css +1 -0
package/admin-build/_app/immutable/assets/25.pUyLVf-h.css +1 -0
package/admin-build/_app/immutable/assets/26.DBcGrlXa.css +1 -0
package/admin-build/_app/immutable/assets/27.BswYyAJD.css +1 -0
package/admin-build/_app/immutable/assets/28.B4ueB1Kf.css +1 -0
package/admin-build/_app/immutable/assets/29.B-qU6PdF.css +1 -0
package/admin-build/_app/immutable/assets/3.Dg81Pgmd.css +1 -0
package/admin-build/_app/immutable/assets/30.CsdWum94.css +1 -0
package/admin-build/_app/immutable/assets/31.U6OwIp50.css +1 -0
package/admin-build/_app/immutable/assets/4.CyawCCux.css +1 -0
package/admin-build/_app/immutable/assets/5.C0YO2HTk.css +1 -0
package/admin-build/_app/immutable/assets/8.Br5jd6kD.css +1 -0
package/admin-build/_app/immutable/assets/Badge.EMYLHBxE.css +1 -0
package/admin-build/_app/immutable/assets/Button.DpzMRTjK.css +1 -0
package/admin-build/_app/immutable/assets/ConfirmDialog.DAnaWRRk.css +1 -0
package/admin-build/_app/immutable/assets/EmptyState.CwKsu57Y.css +1 -0
package/admin-build/_app/immutable/assets/Input.BDUSenmU.css +1 -0
package/admin-build/_app/immutable/assets/Modal.Dm5B0Xie.css +1 -0
package/admin-build/_app/immutable/assets/PageShell.CmU-Xh-b.css +1 -0
package/admin-build/_app/immutable/assets/SchemaFieldEditor.g4NsCdno.css +1 -0
package/admin-build/_app/immutable/assets/Select.BW4Keufm.css +1 -0
package/admin-build/_app/immutable/assets/Skeleton.KWUulTKJ.css +1 -0
package/admin-build/_app/immutable/assets/Tabs.CniGYb67.css +1 -0
package/admin-build/_app/immutable/assets/TimeChart.BTCDAvmT.css +1 -0
package/admin-build/_app/immutable/assets/Toggle.Cy_K12OM.css +1 -0
package/admin-build/_app/immutable/assets/TopList.ClFzmPlA.css +1 -0
package/admin-build/_app/immutable/chunks/7B47DvSx.js +1 -0
package/admin-build/_app/immutable/chunks/7f08Id8e.js +1 -0
package/admin-build/_app/immutable/chunks/8wJeQ7LN.js +1 -0
package/admin-build/_app/immutable/chunks/B-h2afW5.js +1 -0
package/admin-build/_app/immutable/chunks/B8vJP3wz.js +1 -0
package/admin-build/_app/immutable/chunks/BR_fL5Yv.js +1 -0
package/admin-build/_app/immutable/chunks/BY92tFS2.js +1 -0
package/admin-build/_app/immutable/chunks/BcR-Rdj9.js +1 -0
package/admin-build/_app/immutable/chunks/BdrwyZv8.js +1 -0
package/admin-build/_app/immutable/chunks/Bh56EfQ_.js +1 -0
package/admin-build/_app/immutable/chunks/BkrCkgYp.js +1 -0
package/admin-build/_app/immutable/chunks/BmRjiP5k.js +1 -0
package/admin-build/_app/immutable/chunks/BsokvhWC.js +1 -0
package/admin-build/_app/immutable/chunks/C4D51vTW.js +1 -0
package/admin-build/_app/immutable/chunks/C6puvcoR.js +2 -0
package/admin-build/_app/immutable/chunks/CCKNu7m7.js +1 -0
package/admin-build/_app/immutable/chunks/CWj6FrbW.js +1 -0
package/admin-build/_app/immutable/chunks/Ce-ngf4p.js +5 -0
package/admin-build/_app/immutable/chunks/Cs0GwzJA.js +1 -0
package/admin-build/_app/immutable/chunks/CwROoZK0.js +1 -0
package/admin-build/_app/immutable/chunks/CxCPv_Ut.js +1 -0
package/admin-build/_app/immutable/chunks/CxbRue-5.js +1 -0
package/admin-build/_app/immutable/chunks/CyqB6g-D.js +1 -0
package/admin-build/_app/immutable/chunks/D5h5A1cc.js +2 -0
package/admin-build/_app/immutable/chunks/DnyL7Zq-.js +1 -0
package/admin-build/_app/immutable/chunks/DoPXzH7F.js +1 -0
package/admin-build/_app/immutable/chunks/DrQSgw-f.js +1 -0
package/admin-build/_app/immutable/chunks/DttM2zNO.js +1 -0
package/admin-build/_app/immutable/chunks/DuXuUBWN.js +1 -0
package/admin-build/_app/immutable/chunks/MdeqaOQx.js +10 -0
package/admin-build/_app/immutable/chunks/NuUjtcO2.js +1 -0
package/admin-build/_app/immutable/chunks/Q2nPFxS6.js +1 -0
package/admin-build/_app/immutable/chunks/R6arueIl.js +1 -0
package/admin-build/_app/immutable/chunks/UUazaC_N.js +1 -0
package/admin-build/_app/immutable/chunks/cOYbrQxx.js +1 -0
package/admin-build/_app/immutable/chunks/eFQHTGwA.js +1 -0
package/admin-build/_app/immutable/chunks/ehbppgYb.js +1 -0
package/admin-build/_app/immutable/chunks/glwixJlP.js +1 -0
package/admin-build/_app/immutable/chunks/vApWTCBs.js +1 -0
package/admin-build/_app/immutable/chunks/w89G9Xpi.js +1 -0
package/admin-build/_app/immutable/chunks/wJsUhbfZ.js +1 -0
package/admin-build/_app/immutable/chunks/zfauFM8P.js +1 -0
package/admin-build/_app/immutable/entry/app.CcO-Uos3.js +2 -0
package/admin-build/_app/immutable/entry/start.COebYq3I.js +1 -0
package/admin-build/_app/immutable/nodes/0.CjtHKU-6.js +1 -0
package/admin-build/_app/immutable/nodes/1.DEisjlM0.js +1 -0
package/admin-build/_app/immutable/nodes/10.CvhdyWVB.js +1 -0
package/admin-build/_app/immutable/nodes/11.DjHqcOvy.js +1 -0
package/admin-build/_app/immutable/nodes/12.mQLz4Mj_.js +1 -0
package/admin-build/_app/immutable/nodes/13.CBonZZyP.js +110 -0
package/admin-build/_app/immutable/nodes/14.d-oiZL0j.js +3 -0
package/admin-build/_app/immutable/nodes/15.CKPQsUYF.js +1 -0
package/admin-build/_app/immutable/nodes/16.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/17.DayhKyEZ.js +1 -0
package/admin-build/_app/immutable/nodes/18.DKwS0Ir0.js +1 -0
package/admin-build/_app/immutable/nodes/19.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/2.BKoKrw1i.js +1 -0
package/admin-build/_app/immutable/nodes/20.BvIkkkrW.js +1 -0
package/admin-build/_app/immutable/nodes/21.DMaFhdHk.js +128 -0
package/admin-build/_app/immutable/nodes/22.3xdgwuK1.js +1 -0
package/admin-build/_app/immutable/nodes/23.8Bvgjbsl.js +112 -0
package/admin-build/_app/immutable/nodes/24.DzSSzRhG.js +2 -0
package/admin-build/_app/immutable/nodes/25.9KKYBnAE.js +2 -0
package/admin-build/_app/immutable/nodes/26.Bhn9dfhY.js +1 -0
package/admin-build/_app/immutable/nodes/27.kRLiC24G.js +1 -0
package/admin-build/_app/immutable/nodes/28.BVIN1-7N.js +1 -0
package/admin-build/_app/immutable/nodes/29.3yabZWj4.js +1 -0
package/admin-build/_app/immutable/nodes/3.BFtSOkX7.js +2 -0
package/admin-build/_app/immutable/nodes/30.CyCQlwaP.js +1 -0
package/admin-build/_app/immutable/nodes/31.C4LDXjES.js +1 -0
package/admin-build/_app/immutable/nodes/4.CvbiMlCa.js +1 -0
package/admin-build/_app/immutable/nodes/5.C6BLv2eM.js +1 -0
package/admin-build/_app/immutable/nodes/6.BcXvfl2P.js +1 -0
package/admin-build/_app/immutable/nodes/7.CIuqhPiK.js +1 -0
package/admin-build/_app/immutable/nodes/8.BQOR_JfO.js +1 -0
package/admin-build/_app/immutable/nodes/9.NZqXQxPy.js +1 -0
package/admin-build/_app/version.json +1 -0
package/admin-build/favicon.svg +26 -0
package/admin-build/index.html +45 -0
package/openapi.json +19543 -0
package/package.json +66 -0
package/src/__tests__/admin-assets.test.ts +55 -0
package/src/__tests__/admin-data-routes.test.ts +488 -0
package/src/__tests__/admin-db-target.test.ts +103 -0
package/src/__tests__/admin-routing.test.ts +31 -0
package/src/__tests__/admin-user-management.test.ts +311 -0
package/src/__tests__/analytics-query.test.ts +75 -0
package/src/__tests__/auth-d1.test.ts +749 -0
package/src/__tests__/auth-db-adapter.test.ts +73 -0
package/src/__tests__/auth-jwt.test.ts +440 -0
package/src/__tests__/auth-oauth.test.ts +389 -0
package/src/__tests__/auth-password.test.ts +367 -0
package/src/__tests__/auth-redirect.test.ts +87 -0
package/src/__tests__/backup-restore.test.ts +711 -0
package/src/__tests__/broadcast.test.ts +128 -0
package/src/__tests__/cli.test.ts +178 -0
package/src/__tests__/cloudflare-realtime.test.ts +113 -0
package/src/__tests__/config.test.ts +469 -0
package/src/__tests__/cors.test.ts +154 -0
package/src/__tests__/cron.test.ts +302 -0
package/src/__tests__/d1-handler.test.ts +402 -0
package/src/__tests__/d1-sql.test.ts +120 -0
package/src/__tests__/database-live-config.test.ts +42 -0
package/src/__tests__/database-live-emitter.test.ts +56 -0
package/src/__tests__/database-live-filters.test.ts +63 -0
package/src/__tests__/database-live-route.test.ts +113 -0
package/src/__tests__/db-sql.test.ts +163 -0
package/src/__tests__/do-lifecycle.test.ts +263 -0
package/src/__tests__/do-router.test.ts +729 -0
package/src/__tests__/email-provider.test.ts +128 -0
package/src/__tests__/email-templates.test.ts +528 -0
package/src/__tests__/error-format.test.ts +250 -0
package/src/__tests__/field-ops.test.ts +242 -0
package/src/__tests__/functions-context.test.ts +334 -0
package/src/__tests__/functions-d1-proxy.test.ts +229 -0
package/src/__tests__/functions-registry-runtime-config.test.ts +17 -0
package/src/__tests__/functions-route.test.ts +139 -0
package/src/__tests__/internal-request.test.ts +77 -0
package/src/__tests__/log-writer.test.ts +44 -0
package/src/__tests__/logger.test.ts +58 -0
package/src/__tests__/meta-admin-proxy.test.ts +48 -0
package/src/__tests__/meta-export-coverage.test.ts +191 -0
package/src/__tests__/meta-route-registration.test.ts +47 -0
package/src/__tests__/namespace-dump.test.ts +28 -0
package/src/__tests__/oauth-providers.test.ts +337 -0
package/src/__tests__/openapi-coverage.test.ts +144 -0
package/src/__tests__/pagination.test.ts +59 -0
package/src/__tests__/password-policy.test.ts +191 -0
package/src/__tests__/plugin-migrations.test.ts +379 -0
package/src/__tests__/postgres-batch-compat.test.ts +133 -0
package/src/__tests__/postgres-dialect.test.ts +328 -0
package/src/__tests__/postgres-executor.test.ts +79 -0
package/src/__tests__/postgres-field-ops-compat.test.ts +222 -0
package/src/__tests__/postgres-schema-init.test.ts +105 -0
package/src/__tests__/postgres-table-utils.test.ts +107 -0
package/src/__tests__/presence.test.ts +199 -0
package/src/__tests__/provider.test.ts +550 -0
package/src/__tests__/public-user-profile.test.ts +339 -0
package/src/__tests__/push-handlers.test.ts +179 -0
package/src/__tests__/push-provider.test.ts +80 -0
package/src/__tests__/push-token.test.ts +418 -0
package/src/__tests__/query.test.ts +771 -0
package/src/__tests__/rate-limit.test.ts +260 -0
package/src/__tests__/room-access-policy.test.ts +101 -0
package/src/__tests__/room-handler-context.test.ts +130 -0
package/src/__tests__/room-monitoring.test.ts +138 -0
package/src/__tests__/room-runtime-routing.test.ts +222 -0
package/src/__tests__/room.test.ts +254 -0
package/src/__tests__/route-parser.test.ts +490 -0
package/src/__tests__/rules.test.ts +234 -0
package/src/__tests__/runtime-surface-accounting.test.ts +120 -0
package/src/__tests__/scheduled.test.ts +80 -0
package/src/__tests__/schema.test.ts +1273 -0
package/src/__tests__/security-hardening.test.ts +312 -0
package/src/__tests__/server.unit.test.ts +333 -0
package/src/__tests__/service-key-db-proxy.test.ts +650 -0
package/src/__tests__/service-key-provider-bypass.test.ts +138 -0
package/src/__tests__/service-key.test.ts +757 -0
package/src/__tests__/smoke-skip-report.test.ts +72 -0
package/src/__tests__/sms-provider.test.ts +39 -0
package/src/__tests__/sql-route.test.ts +218 -0
package/src/__tests__/storage-hook-context.test.ts +115 -0
package/src/__tests__/totp.test.ts +200 -0
package/src/__tests__/uuid.test.ts +144 -0
package/src/__tests__/validation.test.ts +773 -0
package/src/__tests__/websocket-pending.test.ts +163 -0
package/src/_functions-registry.ts +51 -0
package/src/bench-entry.ts +9 -0
package/src/cloudflare-test.d.ts +1 -0
package/src/durable-objects/auth-do.ts +49 -0
package/src/durable-objects/database-do.ts +2240 -0
package/src/durable-objects/database-live-do.ts +949 -0
package/src/durable-objects/logs-do.ts +1200 -0
package/src/durable-objects/room-runtime-base.ts +1604 -0
package/src/durable-objects/rooms-do.ts +2191 -0
package/src/generated-config.ts +6 -0
package/src/index.ts +382 -0
package/src/lib/admin-assets.ts +54 -0
package/src/lib/admin-db-target.ts +301 -0
package/src/lib/admin-routing.ts +35 -0
package/src/lib/admin-user-management.ts +464 -0
package/src/lib/analytics-adapter.ts +103 -0
package/src/lib/analytics-query.ts +579 -0
package/src/lib/auth-d1-service.ts +1193 -0
package/src/lib/auth-d1.ts +1056 -0
package/src/lib/auth-db-adapter.ts +289 -0
package/src/lib/auth-redirect.ts +116 -0
package/src/lib/cidr.ts +115 -0
package/src/lib/client-ip.ts +51 -0
package/src/lib/cloudflare-realtime.ts +251 -0
package/src/lib/control-db.ts +36 -0
package/src/lib/cron.ts +163 -0
package/src/lib/d1-handler.ts +1425 -0
package/src/lib/d1-schema-init.ts +255 -0
package/src/lib/d1-sql.ts +33 -0
package/src/lib/database-live-config.ts +24 -0
package/src/lib/database-live-emitter.ts +111 -0
package/src/lib/db-sql.ts +66 -0
package/src/lib/do-retry.ts +36 -0
package/src/lib/do-router.ts +270 -0
package/src/lib/do-sql.ts +73 -0
package/src/lib/email-provider.ts +379 -0
package/src/lib/email-templates.ts +285 -0
package/src/lib/email-translations.ts +422 -0
package/src/lib/errors.ts +151 -0
package/src/lib/functions.ts +2091 -0
package/src/lib/hono.ts +56 -0
package/src/lib/internal-request.ts +56 -0
package/src/lib/jwt.ts +354 -0
package/src/lib/log-writer.ts +272 -0
package/src/lib/namespace-dump.ts +125 -0
package/src/lib/oauth-providers.ts +1225 -0
package/src/lib/op-parser.ts +99 -0
package/src/lib/openapi.ts +146 -0
package/src/lib/pagination.ts +19 -0
package/src/lib/password-policy.ts +102 -0
package/src/lib/password.ts +145 -0
package/src/lib/plugin-migrations.ts +612 -0
package/src/lib/postgres-executor.ts +203 -0
package/src/lib/postgres-handler.ts +1102 -0
package/src/lib/postgres-schema-init.ts +341 -0
package/src/lib/postgres-table-utils.ts +87 -0
package/src/lib/public-user-profile.ts +187 -0
package/src/lib/push-provider.ts +409 -0
package/src/lib/push-token.ts +294 -0
package/src/lib/query-engine.ts +768 -0
package/src/lib/room-monitoring.ts +97 -0
package/src/lib/room-runtime.ts +14 -0
package/src/lib/route-parser.ts +434 -0
package/src/lib/schema.ts +538 -0
package/src/lib/schemas.ts +152 -0
package/src/lib/service-key.ts +419 -0
package/src/lib/sms-provider.ts +230 -0
package/src/lib/startup-config.ts +99 -0
package/src/lib/totp.ts +242 -0
package/src/lib/uuid.ts +87 -0
package/src/lib/validation.ts +205 -0
package/src/lib/version.ts +2 -0
package/src/lib/websocket-pending.ts +40 -0
package/src/middleware/auth.ts +169 -0
package/src/middleware/captcha-verify.ts +217 -0
package/src/middleware/cors.ts +159 -0
package/src/middleware/error-handler.ts +54 -0
package/src/middleware/internal-guard.ts +26 -0
package/src/middleware/logger.ts +126 -0
package/src/middleware/rate-limit.ts +283 -0
package/src/middleware/rules.ts +475 -0
package/src/routes/admin-auth.ts +447 -0
package/src/routes/admin.ts +3501 -0
package/src/routes/analytics-api.ts +290 -0
package/src/routes/auth.ts +4222 -0
package/src/routes/backup.ts +1466 -0
package/src/routes/config.ts +53 -0
package/src/routes/d1.ts +109 -0
package/src/routes/database-live.ts +281 -0
package/src/routes/functions.ts +155 -0
package/src/routes/health.ts +32 -0
package/src/routes/kv.ts +167 -0
package/src/routes/oauth.ts +1055 -0
package/src/routes/push.ts +1465 -0
package/src/routes/room.ts +639 -0
package/src/routes/schema-endpoint.ts +76 -0
package/src/routes/sql.ts +176 -0
package/src/routes/storage.ts +1674 -0
package/src/routes/tables.ts +699 -0
package/src/routes/users.ts +21 -0
package/src/routes/vectorize.ts +372 -0
package/src/types.ts +99 -0

package/src/routes/config.ts ADDED Viewed

@@ -0,0 +1,53 @@
+/**
+ * Public Config Route
+ *
+ * GET /api/config — Returns publicly-safe configuration.
+ * No authentication required.
+ * Currently exposes captcha siteKey for client-side Turnstile rendering.
+ *
+ * siteKey is served from CAPTCHA_SITE_KEY env var (set by deploy.ts after provisioning).
+ * Falls back to bundled runtime config for advanced captcha object configs.
+ */
+import { OpenAPIHono, createRoute, type HonoEnv } from '../lib/hono.js';
+import { parseConfig } from '../lib/do-router.js';
+import { zodDefaultHook, jsonResponseSchema } from '../lib/schemas.js';
+export const configRoute = new OpenAPIHono<HonoEnv>({ defaultHook: zodDefaultHook });
+const getConfig = createRoute({
+  operationId: 'getConfig',
+  method: 'get',
+  path: '/',
+  tags: ['client'],
+  summary: 'Get public configuration',
+  responses: {
+    200: { description: 'Public config', content: { 'application/json': { schema: jsonResponseSchema } } },
+  },
+});
+configRoute.openapi(getConfig, (c) => {
+  let captcha: { siteKey: string } | null = null;
+  try {
+    // §34: CAPTCHA_SITE_KEY env var takes priority (set by deploy.ts)
+    if (c.env.CAPTCHA_SITE_KEY) {
+      captcha = { siteKey: c.env.CAPTCHA_SITE_KEY };
+    } else {
+      // Fallback: parseConfig() singleton for advanced captcha object configs
+      const config = parseConfig(c.env);
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const captchaCfg = (config as any)?.captcha;
+      if (captchaCfg && typeof captchaCfg === 'object' && captchaCfg.siteKey) {
+        captcha = { siteKey: captchaCfg.siteKey };
+      }
+    }
+  } catch {
+    // Return null captcha on error
+  }
+  return c.json({ captcha }, 200, {
+    'Cache-Control': 'public, max-age=60, s-maxage=60',
+    'CDN-Cache-Control': 'public, max-age=60',
+  });
+});

package/src/routes/d1.ts ADDED Viewed

@@ -0,0 +1,109 @@
+/**
+ * D1 route — POST /api/d1/:database
+ *
+ * Allows server SDK (with Service Key) to execute raw SQL on user-defined D1 databases.
+ * NOT available to client SDK (server-only,).
+ *
+ * Security:
+ * - Config Allowlist: database must be declared in config.d1
+ * - Service Key required with scoped validation
+ * - Internal D1 binding (AUTH_DB) is never exposed
+ * - DDL allowed — Service Key holders are admin-level trusted (#75)
+ * - ? bind variables enforced (SQL injection prevention)
+ *
+ * Flow: Server SDK → POST /api/d1/:database → Worker → D1 binding → JSON
+ */
+import { OpenAPIHono, createRoute, z, type HonoEnv } from '../lib/hono.js';
+import { EdgeBaseError } from '@edge-base/shared';
+import { parseConfig } from '../lib/do-router.js';
+import { validateKey, buildConstraintCtx } from '../lib/service-key.js';
+import { zodDefaultHook, d1BodySchema, jsonResponseSchema, errorResponseSchema } from '../lib/schemas.js';
+export const d1Route = new OpenAPIHono<HonoEnv>({ defaultHook: zodDefaultHook });
+/**
+ * POST /api/d1/:database
+ * Body: { query: string, params?: unknown[] }
+ */
+const executeD1Query = createRoute({
+  operationId: 'executeD1Query',
+  method: 'post',
+  path: '/{database}',
+  tags: ['admin'],
+  summary: 'Execute raw SQL on D1 database',
+  request: {
+    params: z.object({ database: z.string() }),
+    body: { content: { 'application/json': { schema: d1BodySchema } }, required: true },
+  },
+  responses: {
+    200: { description: 'Query results', content: { 'application/json': { schema: jsonResponseSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    401: { description: 'Unauthorized', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
+d1Route.openapi(executeD1Query, async (c) => {
+  const nameParam = c.req.param('database')!;
+  let body: { query?: string; params?: unknown[] };
+  try {
+    body = await c.req.json();
+  } catch {
+    return c.json({ code: 400, message: 'Invalid JSON body' }, 400);
+  }
+  const { query, params } = body;
+  if (!query || typeof query !== 'string') {
+    return c.json({ code: 400, message: 'query is required' }, 400);
+  }
+  // §2 Allowlist: validate database is declared in config
+  const config = parseConfig(c.env);
+  const d1Config = config.d1?.[nameParam];
+  if (!d1Config) {
+    return c.json({ code: 404, message: `D1 database '${nameParam}' not found in config.` }, 404);
+  }
+  // §4 Scope: d1:database:{name}:exec
+  const { result: skResult } = validateKey(
+    c.req.header('X-EdgeBase-Service-Key'),
+    `d1:database:${nameParam}:exec`,
+    config,
+    c.env,
+    undefined,
+    buildConstraintCtx(c.env, c.req),
+  );
+  if (skResult === 'missing') {
+    return c.json({ code: 403, message: 'Service Key required to access D1' }, 403);
+  }
+  if (skResult === 'invalid') {
+    return c.json({ code: 401, message: 'Unauthorized. Invalid Service Key.' }, 401);
+  }
+  // §1 Env type — dynamic binding access via type assertion
+  const binding = (c.env as unknown as Record<string, unknown>)[d1Config.binding] as D1Database | undefined;
+  if (!binding) {
+    return c.json({ code: 500, message: `D1 binding '${d1Config.binding}' not available.` }, 500);
+  }
+  // Execute D1 query — all SQL allowed (DDL included), ? bind variables enforced
+  try {
+    const stmt = binding.prepare(query);
+    const boundStmt = params && params.length > 0 ? stmt.bind(...params) : stmt;
+    const result = await boundStmt.all();
+    return c.json({
+      results: result.results,
+      meta: {
+        changes: result.meta?.changes,
+        duration: result.meta?.duration,
+        rows_read: result.meta?.rows_read,
+        rows_written: result.meta?.rows_written,
+      },
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : 'D1 query execution failed';
+    throw new EdgeBaseError(400, message);
+  }
+});

package/src/routes/database-live.ts ADDED Viewed

@@ -0,0 +1,281 @@
+import { OpenAPIHono, createRoute, z, type HonoEnv } from '../lib/hono.js';
+import {
+  acquirePendingWebSocketSlot,
+  getPendingWebSocketCount,
+  releasePendingWebSocketSlot,
+} from '../lib/websocket-pending.js';
+import {
+  buildDbLiveChannel,
+  DATABASE_LIVE_HUB_DO_NAME,
+  isDbLiveChannel,
+} from '../lib/database-live-emitter.js';
+import { parseConfig } from '../lib/do-router.js';
+import { validateKey, buildConstraintCtx } from '../lib/service-key.js';
+import { getTrustedClientIp } from '../lib/client-ip.js';
+import {
+  zodDefaultHook,
+  broadcastBodySchema,
+  jsonResponseSchema,
+  errorResponseSchema,
+} from '../lib/schemas.js';
+export const databaseLiveRoute = new OpenAPIHono<HonoEnv>({ defaultHook: zodDefaultHook });
+const MAX_PENDING_PER_IP = 5;
+const PENDING_TTL_SECONDS = 10;
+const dbLiveQuerySchema = z.object({
+  channel: z.string().optional().openapi({ description: 'Legacy DB subscription channel name' }),
+  namespace: z.string().optional().openapi({ description: 'Database namespace', example: 'shared' }),
+  instanceId: z.string().optional().openapi({ description: 'Database instance ID for dynamic DB blocks', example: 'ws-456' }),
+  table: z.string().optional().openapi({ description: 'Table name', example: 'posts' }),
+  docId: z.string().optional().openapi({ description: 'Optional document ID for single-document subscriptions', example: 'post-1' }),
+}).refine(
+  (value) => {
+    if (value.channel) return true;
+    return !!value.namespace && !!value.table;
+  },
+  {
+    message: 'Provide channel or namespace + table',
+    path: ['channel'],
+  },
+);
+const dbConnectDiagnosticSchema = z.object({
+  ok: z.boolean(),
+  type: z.string(),
+  category: z.string(),
+  message: z.string(),
+  channel: z.string().optional(),
+  pendingCount: z.number().optional(),
+  maxPending: z.number().optional(),
+});
+function resolveDatabaseLiveChannel(query: {
+  channel?: string;
+  namespace?: string;
+  instanceId?: string;
+  table?: string;
+  docId?: string;
+}): string | null {
+  if (query.channel) {
+    return isDbLiveChannel(query.channel) ? query.channel : null;
+  }
+  if (!query.namespace || !query.table) return null;
+  return buildDbLiveChannel(query.namespace, query.table, query.instanceId, query.docId);
+}
+function getPendingKey(ip: string): string {
+  return `ws:pending:${ip}`;
+}
+const checkDatabaseConnection = createRoute({
+  operationId: 'checkDatabaseSubscriptionConnection',
+  method: 'get',
+  path: '/connect-check',
+  tags: ['client'],
+  summary: 'Check database live subscription WebSocket prerequisites',
+  request: {
+    query: dbLiveQuerySchema,
+  },
+  responses: {
+    200: { description: 'Database live connection looks ready', content: { 'application/json': { schema: dbConnectDiagnosticSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: dbConnectDiagnosticSchema } } },
+    429: { description: 'Rate limited', content: { 'application/json': { schema: dbConnectDiagnosticSchema } } },
+  },
+});
+databaseLiveRoute.openapi(checkDatabaseConnection, async (c) => {
+  const channel = resolveDatabaseLiveChannel({
+    channel: c.req.query('channel') ?? undefined,
+    namespace: c.req.query('namespace') ?? undefined,
+    instanceId: c.req.query('instanceId') ?? undefined,
+    table: c.req.query('table') ?? undefined,
+    docId: c.req.query('docId') ?? undefined,
+  });
+  if (!channel) {
+    return c.json({
+      ok: false,
+      type: 'db_connect_invalid_request',
+      category: 'request',
+      message: 'Database subscription target required',
+    }, 400);
+  }
+  const ip = getTrustedClientIp(c.env, c.req) ?? 'unknown';
+  const kvKey = getPendingKey(ip);
+  const pendingCount = await getPendingWebSocketCount(c.env.KV, kvKey).catch(() => 0);
+  if (pendingCount >= MAX_PENDING_PER_IP) {
+    return c.json({
+      ok: false,
+      type: 'db_connect_rate_limited',
+      category: 'rate_limit',
+      message: 'Too many pending WebSocket connections',
+      channel,
+      pendingCount,
+      maxPending: MAX_PENDING_PER_IP,
+    }, 429);
+  }
+  return c.json({
+    ok: true,
+    type: 'db_connect_ready',
+    category: 'ready',
+    message: 'Database live subscription preflight passed',
+    channel,
+    pendingCount,
+    maxPending: MAX_PENDING_PER_IP,
+  }, 200);
+});
+const connectDatabaseSubscription = createRoute({
+  operationId: 'connectDatabaseSubscription',
+  method: 'get',
+  path: '/subscribe',
+  tags: ['client'],
+  summary: 'Connect to database live subscriptions WebSocket',
+  description: 'Database-owned WebSocket entrypoint for onSnapshot subscriptions. Requires Upgrade: websocket header.',
+  request: {
+    query: dbLiveQuerySchema,
+  },
+  responses: {
+    101: { description: 'WebSocket upgrade successful' },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    429: { description: 'Rate limited', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
+/**
+ * POST /broadcast
+ * Server-side broadcast to a database-live channel.
+ * Service Key required AND validated.
+ * Body: { channel: string, event: string, payload?: Record<string, unknown> }
+ */
+const databaseLiveBroadcast = createRoute({
+  operationId: 'databaseLiveBroadcast',
+  method: 'post',
+  path: '/broadcast',
+  tags: ['admin'],
+  summary: 'Broadcast to database live channel',
+  request: {
+    body: { content: { 'application/json': { schema: broadcastBodySchema } }, required: true },
+  },
+  responses: {
+    200: { description: 'Broadcast sent', content: { 'application/json': { schema: jsonResponseSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    401: { description: 'Unauthorized', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
+databaseLiveRoute.openapi(databaseLiveBroadcast, async (c) => {
+  let body: { channel?: string; event?: string; payload?: Record<string, unknown> };
+  try {
+    body = await c.req.json();
+  } catch {
+    return c.json({ code: 400, message: 'Invalid JSON body' }, 400);
+  }
+  const { channel, event, payload } = body;
+  if (!channel || typeof channel !== 'string') {
+    return c.json({ code: 400, message: 'channel is required' }, 400);
+  }
+  if (!event || typeof event !== 'string') {
+    return c.json({ code: 400, message: 'event is required' }, 400);
+  }
+  // Service Key required AND validated
+  const config = parseConfig(c.env);
+  const { result: skResult } = validateKey(
+    c.req.header('X-EdgeBase-Service-Key'),
+    `db:channel:${channel}:broadcast`,
+    config,
+    c.env,
+    undefined,
+    buildConstraintCtx(c.env, c.req),
+  );
+  if (skResult === 'missing') {
+    return c.json({ code: 403, message: 'Service Key required for server broadcast' }, 403);
+  }
+  if (skResult === 'invalid') {
+    return c.json({ code: 401, message: 'Unauthorized. Invalid Service Key.' }, 401);
+  }
+  // Route broadcast through the DatabaseLiveDO hub
+  const doId = c.env.DATABASE_LIVE.idFromName(DATABASE_LIVE_HUB_DO_NAME);
+  const doStub = c.env.DATABASE_LIVE.get(doId);
+  const doResponse = await doStub.fetch(new Request('http://do/internal/broadcast', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ channel, event, payload: payload ?? {} }),
+  }));
+  if (!doResponse.ok) {
+    return c.json({ code: doResponse.status, message: 'Broadcast failed' }, doResponse.status as 400 | 500);
+  }
+  return c.json({ ok: true });
+});
+databaseLiveRoute.openapi(connectDatabaseSubscription, async (c) => {
+  const upgradeHeader = c.req.header('Upgrade');
+  if (upgradeHeader !== 'websocket') {
+    return c.json({ code: 400, message: 'Expected WebSocket upgrade' }, 400);
+  }
+  const channel = resolveDatabaseLiveChannel({
+    channel: c.req.query('channel') ?? undefined,
+    namespace: c.req.query('namespace') ?? undefined,
+    instanceId: c.req.query('instanceId') ?? undefined,
+    table: c.req.query('table') ?? undefined,
+    docId: c.req.query('docId') ?? undefined,
+  });
+  if (!channel) {
+    return c.json({ code: 400, message: 'Database subscription target required' }, 400);
+  }
+  const ip = getTrustedClientIp(c.env, c.req) ?? 'unknown';
+  const kvKey = getPendingKey(ip);
+  let pendingTracked = false;
+  try {
+    pendingTracked = await acquirePendingWebSocketSlot(
+      c.env.KV,
+      kvKey,
+      MAX_PENDING_PER_IP,
+      PENDING_TTL_SECONDS,
+    );
+    if (!pendingTracked) {
+      return c.json({
+        code: 429,
+        message: 'Too many pending WebSocket connections',
+      }, 429);
+    }
+  } catch {
+    // KV failure shouldn't block legitimate connections
+  }
+  const doId = c.env.DATABASE_LIVE.idFromName(DATABASE_LIVE_HUB_DO_NAME);
+  const doStub = c.env.DATABASE_LIVE.get(doId);
+  const url = new URL(c.req.url);
+  url.pathname = '/websocket';
+  url.search = '';
+  url.searchParams.set('channel', channel);
+  const doRequest = new Request(url.toString(), {
+    headers: c.req.raw.headers,
+  });
+  try {
+    return await doStub.fetch(doRequest);
+  } finally {
+    if (pendingTracked) {
+      try {
+        await releasePendingWebSocketSlot(c.env.KV, kvKey, PENDING_TTL_SECONDS);
+      } catch {
+        // KV failure shouldn't break an already accepted connection.
+      }
+    }
+  }
+});

package/src/routes/functions.ts ADDED Viewed

@@ -0,0 +1,155 @@
+/**
+ * Functions Route - HTTP trigger handler with file-system routing.
+ *
+ * Handles requests to /api/functions/:functionName
+ * Supports:
+ * - Static routes: /api/functions/hello
+ * - Dynamic params: /api/functions/users/abc123/profile
+ * - Catch-all: /api/functions/docs/a/b/c
+ * - Directory middleware (_middleware.ts)
+ * - FunctionError structured error responses
+ */
+import { OpenAPIHono, type HonoEnv } from '../lib/hono.js';
+import {
+  matchRoute,
+  routeExistsForPath,
+  buildFunctionContext,
+  getMiddlewareChain,
+  getWorkerUrl,
+} from '../lib/functions.js';
+import { parseConfig } from '../lib/do-router.js';
+import { resolveRootServiceKey } from '../lib/service-key.js';
+import type { AuthContext } from '../lib/functions.js';
+import { captchaMiddleware } from '../middleware/captcha-verify.js';
+import { FunctionError } from '@edge-base/shared';
+function isFunctionErrorLike(
+  value: unknown,
+): value is {
+  code: string;
+  message: string;
+  httpStatus?: number;
+  status?: number;
+  details?: Record<string, unknown>;
+  toJSON?: () => unknown;
+} {
+  if (!value || typeof value !== 'object') return false;
+  const candidate = value as Record<string, unknown>;
+  return (
+    typeof candidate.code === 'string' &&
+    typeof candidate.message === 'string' &&
+    (typeof candidate.httpStatus === 'number' || typeof candidate.status === 'number')
+  );
+}
+export const functionsRoute = new OpenAPIHono<HonoEnv>();
+/**
+ * Dynamic HTTP trigger handler with pattern matching.
+ */
+functionsRoute.all('/:functionName{.+}', async (c) => {
+  const functionName = c.req.param('functionName');
+  const method = c.req.method.toUpperCase();
+  // Match route with pattern matching (handles [param], [...slug], static routes)
+  const matched = matchRoute(functionName, method);
+  if (!matched) {
+    // Check if route exists but method is wrong → 405
+    if (routeExistsForPath(functionName)) {
+      return c.json(
+        { code: 405, message: `Method ${method} not allowed for '${functionName}'.` },
+        405,
+      );
+    }
+    return c.json(
+      { code: 404, message: `Function '${functionName}' not found.` },
+      404,
+    );
+  }
+  const config = parseConfig(c.env);
+  const serviceKey = resolveRootServiceKey(config, c.env);
+  // Auth context from middleware (set by authMiddleware earlier in chain)
+  const auth = (c.get('auth' as never) || null) as AuthContext | null;
+  const workerUrl = getWorkerUrl(c.req.url, c.env) ?? 'http://localhost';
+  const ctx = buildFunctionContext({
+    request: c.req.raw,
+    auth,
+    databaseNamespace: c.env.DATABASE,
+    authNamespace: c.env.AUTH,
+    d1Database: c.env.AUTH_DB,
+    kvNamespace: c.env.KV,
+    env: c.env as never,
+    executionCtx: c.executionCtx as never,
+    config,
+    serviceKey,
+    workerUrl,
+    params: matched.params,
+  });
+  // Captcha check for functions with captcha: true
+  if (matched.route.definition.captcha) {
+    const captchaMw = captchaMiddleware(`function:${matched.route.name}`);
+    await captchaMw(c, async () => {});
+    if (c.res && c.res.status === 403) {
+      return c.res;
+    }
+  }
+  try {
+    // Execute middleware chain (root → nested → handler)
+    const middlewares = getMiddlewareChain(matched.route.name);
+    for (const mw of middlewares) {
+      await mw(ctx);
+    }
+    // Execute handler
+    const result = await matched.route.definition.handler(ctx);
+    // If handler returns a Response, use it directly
+    if (result instanceof Response) {
+      return result;
+    }
+    // If handler returns an object, JSON-serialize it
+    if (result && typeof result === 'object') {
+      return c.json(result);
+    }
+    // If handler returns a string, return as text
+    if (typeof result === 'string') {
+      return c.text(result);
+    }
+    // Default: 204 No Content
+    return c.body(null, 204);
+  } catch (err: unknown) {
+    // Handle FunctionError specially — return structured JSON
+    if (err instanceof FunctionError) {
+      return c.json(err.toJSON(), err.httpStatus as 400);
+    }
+    // Cloudflare/local dev can bundle user functions with a second copy of
+    // @edge-base/shared, so instanceof is not reliable across that boundary.
+    if (isFunctionErrorLike(err)) {
+      const status = err.httpStatus ?? err.status ?? 500;
+      const body =
+        typeof err.toJSON === 'function'
+          ? err.toJSON()
+          : {
+              code: err.code,
+              message: err.message,
+              status,
+              ...(err.details ? { details: err.details } : {}),
+            };
+      return c.json(body, status as 400);
+    }
+    console.error(`[EdgeBase] HTTP function '${matched.route.name}' error:`, err);
+    return c.json({ code: 500, message: 'Function execution failed.' }, 500);
+  }
+});

package/src/routes/health.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import { OpenAPIHono, createRoute, type HonoEnv } from '../lib/hono.js';
+import { healthResponseSchema, zodDefaultHook } from '../lib/schemas.js';
+import { SERVER_VERSION } from '../lib/version.js';
+export const healthRoute = new OpenAPIHono<HonoEnv>({ defaultHook: zodDefaultHook });
+/**
+ * GET /api/health — Health check endpoint.
+ * Returns server status and version information.
+ */
+const getHealth = createRoute({
+  operationId: 'getHealth',
+  method: 'get',
+  path: '/health',
+  tags: ['client'],
+  summary: 'Health check',
+  responses: {
+    200: {
+      description: 'Server is healthy',
+      content: { 'application/json': { schema: healthResponseSchema } },
+    },
+  },
+});
+healthRoute.openapi(getHealth, (c) => {
+  return c.json({
+    status: 'ok',
+    version: SERVER_VERSION,
+    timestamp: new Date().toISOString(),
+  }, 200);
+});