@emdash-cms/cloudflare 0.0.1

package/dist/auth/index.d.mts

@@ -0,0 +1,81 @@
+import { AuthResult } from "emdash";
+import { JWTPayload } from "jose";
+
+//#region src/auth/cloudflare-access.d.ts
+/**
+ * Configuration for Cloudflare Access authentication
+ *
+ * Note: This interface is duplicated in ../index.ts for config-time usage.
+ * Keep them in sync.
+ */
+interface AccessConfig {
+  /**
+   * Your Cloudflare Access team domain
+   * @example "myteam.cloudflareaccess.com"
+   */
+  teamDomain: string;
+  /**
+   * Application Audience (AUD) tag from Access application settings.
+   * For Cloudflare Workers, use `audienceEnvVar` instead to read at runtime.
+   */
+  audience?: string;
+  /**
+   * Environment variable name containing the audience tag.
+   * Read at runtime from environment.
+   * @default "CF_ACCESS_AUDIENCE"
+   */
+  audienceEnvVar?: string;
+  /**
+   * Role level for users not matching any group in roleMapping
+   * @default 30 (Editor)
+   */
+  defaultRole?: number;
+  /**
+   * Map IdP group names to EmDash role levels
+   */
+  roleMapping?: Record<string, number>;
+}
+/**
+ * Cloudflare Access JWT payload extends standard JWT with email claim
+ */
+interface AccessJwtPayload extends JWTPayload {
+  /** User's email address (Access-specific claim) */
+  email: string;
+}
+/**
+ * Group from IdP (returned by get-identity endpoint)
+ */
+interface AccessGroup {
+  id: string;
+  name: string;
+  email?: string;
+}
+/**
+ * Full identity from Access get-identity endpoint
+ */
+interface AccessIdentity {
+  /** Unique identity ID */
+  id: string;
+  /** User's display name (may be undefined if IdP doesn't provide it) */
+  name?: string;
+  /** User's email address */
+  email: string;
+  /** Groups from IdP */
+  groups: AccessGroup[];
+  /** Identity provider info */
+  idp: {
+    id: string;
+    type: string;
+  };
+  /** Custom OIDC claims from IdP */
+  oidc_fields?: Record<string, unknown>;
+  /** SAML attributes from IdP */
+  saml_attributes?: Record<string, unknown>;
+  /** User's country (from geo) */
+  geo?: {
+    country: string;
+  };
+}
+declare function authenticate(request: Request, config: unknown): Promise<AuthResult>;
+//#endregion
+export { type AccessConfig, type AccessGroup, type AccessIdentity, type AccessJwtPayload, authenticate };

package/dist/auth/index.mjs

@@ -0,0 +1,147 @@
+import { createRemoteJWKSet, jwtVerify } from "jose";
+
+//#region src/auth/cloudflare-access.ts
+/**
+* Cloudflare Access Authentication - RUNTIME MODULE
+*
+* When EmDash is deployed behind Cloudflare Access, this module handles
+* JWT validation and user provisioning from Access identity.
+*
+* Uses jose for JWT verification - works in all runtimes.
+*
+* This is loaded at runtime via the auth provider system.
+* Do not import at config time.
+*/
+const jwksCache = /* @__PURE__ */ new Map();
+/** Regex to extract CF_Authorization cookie value */
+const CF_AUTHORIZATION_COOKIE_REGEX = /CF_Authorization=([^;]+)/;
+/**
+* Get or create a JWKS client for the given team domain
+*/
+function getJwks(teamDomain) {
+	let jwks = jwksCache.get(teamDomain);
+	if (!jwks) {
+		jwks = createRemoteJWKSet(new URL(`https://${teamDomain}/cdn-cgi/access/certs`));
+		jwksCache.set(teamDomain, jwks);
+	}
+	return jwks;
+}
+/** Default environment variable name for Access audience */
+const DEFAULT_AUDIENCE_ENV_VAR = "CF_ACCESS_AUDIENCE";
+/**
+* Resolve the audience value from config.
+* Supports direct value or reading from environment variable.
+*/
+function resolveAudience(config) {
+	if (config.audience) return config.audience;
+	const envVarName = config.audienceEnvVar ?? DEFAULT_AUDIENCE_ENV_VAR;
+	const value = process.env[envVarName];
+	if (typeof value === "string" && value) return value;
+	throw new Error(`Environment variable "${envVarName}" not found or empty. Set it via wrangler secret, .dev.vars, or environment.`);
+}
+/**
+* Validate a Cloudflare Access JWT using jose
+*
+* @param jwt The JWT string from header or cookie
+* @param config Access configuration
+* @returns Decoded and validated JWT payload
+* @throws Error if validation fails
+*/
+async function validateAccessJwt(jwt, config) {
+	const audience = resolveAudience(config);
+	const issuer = `https://${config.teamDomain}`;
+	const { payload } = await jwtVerify(jwt, getJwks(config.teamDomain), {
+		issuer,
+		audience,
+		clockTolerance: 60
+	});
+	return payload;
+}
+/**
+* Extract Access JWT from request
+*
+* Checks header first (more reliable), then falls back to cookie.
+*
+* @param request The incoming request
+* @returns JWT string or null if not present
+*/
+function extractAccessJwt(request) {
+	const headerJwt = request.headers.get("Cf-Access-Jwt-Assertion");
+	if (headerJwt) return headerJwt;
+	return (request.headers.get("Cookie") || "").match(CF_AUTHORIZATION_COOKIE_REGEX)?.[1] || null;
+}
+/**
+* Fetch full identity from Access (includes groups)
+*
+* The JWT itself only contains basic claims. To get groups and other
+* IdP attributes, we need to call the get-identity endpoint.
+*
+* @param jwt The JWT string
+* @param teamDomain The Access team domain
+* @returns Full identity including groups
+*/
+async function getAccessIdentity(jwt, teamDomain) {
+	const response = await fetch(`https://${teamDomain}/cdn-cgi/access/get-identity`, { headers: { Cookie: `CF_Authorization=${jwt}` } });
+	if (!response.ok) throw new Error(`Failed to fetch identity: ${response.status}`);
+	return response.json();
+}
+/**
+* Resolve role from IdP groups using roleMapping config
+*
+* @param groups User's groups from IdP
+* @param config Access configuration
+* @returns Role level (e.g., 50 for Admin, 30 for Editor)
+*/
+function resolveRoleFromGroups(groups, config) {
+	const defaultRole = config.defaultRole ?? 30;
+	if (!config.roleMapping) return defaultRole;
+	for (const group of groups) {
+		const role = config.roleMapping[group.name];
+		if (role !== void 0) return role;
+	}
+	return defaultRole;
+}
+/**
+* Authenticate a request using Cloudflare Access
+*
+* This is the main entry point for Access authentication.
+* It validates the JWT, fetches the full identity, and resolves the role.
+*
+* This function implements the AuthProviderModule.authenticate interface.
+*
+* @param request The incoming request
+* @param config Access configuration (passed from AuthDescriptor)
+* @returns Authentication result with user info and role
+* @throws Error if authentication fails
+*/
+function isAccessConfig(value) {
+	return value != null && typeof value === "object" && "teamDomain" in value && typeof value.teamDomain === "string";
+}
+async function authenticate(request, config) {
+	if (!isAccessConfig(config)) throw new Error("Invalid Cloudflare Access config: teamDomain is required");
+	const accessConfig = config;
+	const jwt = extractAccessJwt(request);
+	if (!jwt) throw new Error("No Access JWT present");
+	const payload = await validateAccessJwt(jwt, accessConfig);
+	const identity = await getAccessIdentity(jwt, accessConfig.teamDomain);
+	const role = resolveRoleFromGroups(identity.groups, accessConfig);
+	console.log("[cf-access] Identity from Access:", JSON.stringify({
+		email: identity.email,
+		name: identity.name,
+		groups: identity.groups?.map((g) => g.name),
+		idp: identity.idp
+	}));
+	return {
+		email: identity.email,
+		name: identity.name ?? identity.email.split("@")[0] ?? "Unknown",
+		role,
+		subject: payload.sub,
+		metadata: {
+			groups: identity.groups,
+			idp: identity.idp
+		}
+	};
+}
+
+//#endregion
+export { authenticate };

package/dist/cache/config.d.mts

@@ -0,0 +1,52 @@
+import { CloudflareCacheConfig } from "./runtime.mjs";
+import { CacheProviderConfig } from "astro";
+
+//#region src/cache/config.d.ts
+/**
+ * Cloudflare Cache API route cache provider.
+ *
+ * Uses the Workers Cache API (`cache.put()`/`cache.match()`) to cache
+ * rendered route responses at the edge. Invalidation uses the Cloudflare
+ * purge-by-tag REST API for global purge across all edge locations.
+ *
+ * This is a stopgap until CacheW provides native distributed caching
+ * for Workers. Worker responses can't go through the CDN cache today,
+ * so we use the Cache API directly. The standard `Cache-Tag` header is
+ * set on stored responses so the purge-by-tag API can find them.
+ *
+ * Tag-based invalidation requires a Zone ID and an API token with
+ * "Cache Purge" permission. These can be passed directly in the config
+ * or read from environment variables at runtime (default: `CF_ZONE_ID`
+ * and `CF_CACHE_PURGE_TOKEN`).
+ *
+ * @param config Optional configuration.
+ * @returns A {@link CacheProviderConfig} to pass to `experimental.cache.provider`.
+ *
+ * @example Basic usage (reads zone ID and token from env vars)
+ * ```ts
+ * import { defineConfig } from "astro/config";
+ * import cloudflare from "@astrojs/cloudflare";
+ * import { cloudflareCache } from "@emdash-cms/cloudflare";
+ *
+ * export default defineConfig({
+ *   adapter: cloudflare(),
+ *   experimental: {
+ *     cache: {
+ *       provider: cloudflareCache(),
+ *     },
+ *   },
+ * });
+ * ```
+ *
+ * @example With explicit config
+ * ```ts
+ * cloudflareCache({
+ *   cacheName: "my-site",
+ *   zoneId: "abc123...",
+ *   apiToken: "xyz789...",
+ * })
+ * ```
+ */
+declare function cloudflareCache(config?: CloudflareCacheConfig): CacheProviderConfig<CloudflareCacheConfig>;
+//#endregion
+export { type CloudflareCacheConfig, cloudflareCache };

package/dist/cache/config.mjs

@@ -0,0 +1,55 @@
+//#region src/cache/config.ts
+/**
+* Cloudflare Cache API route cache provider.
+*
+* Uses the Workers Cache API (`cache.put()`/`cache.match()`) to cache
+* rendered route responses at the edge. Invalidation uses the Cloudflare
+* purge-by-tag REST API for global purge across all edge locations.
+*
+* This is a stopgap until CacheW provides native distributed caching
+* for Workers. Worker responses can't go through the CDN cache today,
+* so we use the Cache API directly. The standard `Cache-Tag` header is
+* set on stored responses so the purge-by-tag API can find them.
+*
+* Tag-based invalidation requires a Zone ID and an API token with
+* "Cache Purge" permission. These can be passed directly in the config
+* or read from environment variables at runtime (default: `CF_ZONE_ID`
+* and `CF_CACHE_PURGE_TOKEN`).
+*
+* @param config Optional configuration.
+* @returns A {@link CacheProviderConfig} to pass to `experimental.cache.provider`.
+*
+* @example Basic usage (reads zone ID and token from env vars)
+* ```ts
+* import { defineConfig } from "astro/config";
+* import cloudflare from "@astrojs/cloudflare";
+* import { cloudflareCache } from "@emdash-cms/cloudflare";
+*
+* export default defineConfig({
+*   adapter: cloudflare(),
+*   experimental: {
+*     cache: {
+*       provider: cloudflareCache(),
+*     },
+*   },
+* });
+* ```
+*
+* @example With explicit config
+* ```ts
+* cloudflareCache({
+*   cacheName: "my-site",
+*   zoneId: "abc123...",
+*   apiToken: "xyz789...",
+* })
+* ```
+*/
+function cloudflareCache(config = {}) {
+	return {
+		entrypoint: "@emdash-cms/cloudflare/cache",
+		config
+	};
+}
+
+//#endregion
+export { cloudflareCache };

package/dist/cache/runtime.d.mts

@@ -0,0 +1,40 @@
+import { CacheProviderFactory } from "astro";
+
+//#region src/cache/runtime.d.ts
+interface CloudflareCacheConfig {
+  /**
+   * Name of the Cache API cache to use.
+   * @default "emdash"
+   */
+  cacheName?: string;
+  /**
+   * D1 bookmark cookie name. Responses whose only Set-Cookie is this
+   * bookmark will have it stripped before caching. Responses with any
+   * other Set-Cookie headers will not be cached.
+   * @default "__ec_d1_bookmark"
+   */
+  bookmarkCookie?: string;
+  /**
+   * Cloudflare Zone ID. Required for tag-based invalidation.
+   * If not provided, reads from `zoneIdEnvVar` at runtime.
+   */
+  zoneId?: string;
+  /**
+   * Environment variable name containing the Zone ID.
+   * @default "CF_ZONE_ID"
+   */
+  zoneIdEnvVar?: string;
+  /**
+   * Cloudflare API token with Cache Purge permission.
+   * If not provided, reads from `apiTokenEnvVar` at runtime.
+   */
+  apiToken?: string;
+  /**
+   * Environment variable name containing the API token.
+   * @default "CF_CACHE_PURGE_TOKEN"
+   */
+  apiTokenEnvVar?: string;
+}
+declare const factory: CacheProviderFactory<CloudflareCacheConfig>;
+//#endregion
+export { CloudflareCacheConfig, factory as default };

package/dist/cache/runtime.mjs

@@ -0,0 +1,191 @@
+import { env, waitUntil } from "cloudflare:workers";
+
+//#region src/cache/runtime.ts
+/**
+* Internal headers stored on cached responses for freshness tracking.
+* These are removed before returning to the client.
+*/
+const STORED_AT_HEADER = "X-EmDash-Stored-At";
+const MAX_AGE_HEADER = "X-EmDash-Max-Age";
+const SWR_HEADER = "X-EmDash-SWR";
+/** Cloudflare purge API base */
+const CF_API_BASE = "https://api.cloudflare.com/client/v4";
+/** Matches max-age in CDN-Cache-Control */
+const MAX_AGE_REGEX = /max-age=(\d+)/;
+/** Matches stale-while-revalidate in CDN-Cache-Control */
+const SWR_REGEX = /stale-while-revalidate=(\d+)/;
+/** Internal headers to strip before returning responses to the client */
+const INTERNAL_HEADERS = [
+	STORED_AT_HEADER,
+	MAX_AGE_HEADER,
+	SWR_HEADER
+];
+/** Default D1 bookmark cookie name (from @emdash-cms/cloudflare d1 config) */
+const DEFAULT_BOOKMARK_COOKIE = "__ec_d1_bookmark";
+/**
+* Parse CDN-Cache-Control header for max-age and stale-while-revalidate.
+*/
+function parseCdnCacheControl(header) {
+	let maxAge = 0;
+	let swr = 0;
+	if (!header) return {
+		maxAge,
+		swr
+	};
+	const maxAgeMatch = MAX_AGE_REGEX.exec(header);
+	if (maxAgeMatch) maxAge = parseInt(maxAgeMatch[1], 10) || 0;
+	const swrMatch = SWR_REGEX.exec(header);
+	if (swrMatch) swr = parseInt(swrMatch[1], 10) || 0;
+	return {
+		maxAge,
+		swr
+	};
+}
+/**
+* Normalize a URL for use as a cache key.
+* Strips common tracking query parameters and sorts the rest.
+*/
+function normalizeCacheKey(url) {
+	const normalized = new URL(url.toString());
+	for (const param of [
+		"utm_source",
+		"utm_medium",
+		"utm_campaign",
+		"utm_term",
+		"utm_content",
+		"fbclid",
+		"gclid",
+		"gbraid",
+		"wbraid",
+		"dclid",
+		"msclkid",
+		"twclid",
+		"_ga",
+		"_gl"
+	]) normalized.searchParams.delete(param);
+	normalized.searchParams.sort();
+	return normalized.toString();
+}
+/**
+* Read a config value, falling back to an env var.
+*/
+function resolveEnvValue(explicit, envVarName) {
+	if (explicit) return explicit;
+	return env[envVarName];
+}
+/**
+* Strip internal tracking headers from a response before returning to client.
+*/
+function stripInternalHeaders(response) {
+	for (const header of INTERNAL_HEADERS) response.headers.delete(header);
+}
+/**
+* Check whether all Set-Cookie headers on a response are only the D1
+* bookmark cookie. Returns true if we can safely strip them for caching.
+* Returns false if there are non-bookmark cookies (session, auth, etc.)
+* which means the response should NOT be cached.
+*/
+function hasOnlyBookmarkCookies(response, bookmarkCookie) {
+	const cookies = response.headers.getSetCookie();
+	if (cookies.length === 0) return true;
+	return cookies.every((c) => c.startsWith(`${bookmarkCookie}=`));
+}
+/**
+* Prepare a response for storage in the Cache API.
+* - Adds internal tracking headers (stored-at, max-age, swr)
+* - Strips Set-Cookie (only called when cookies are safe to strip)
+*
+* Returns null if the response has non-bookmark Set-Cookie headers
+* and should not be cached.
+*/
+function prepareForCache(response, maxAge, swr, bookmarkCookie) {
+	if (!hasOnlyBookmarkCookies(response, bookmarkCookie)) return null;
+	const prepared = new Response(response.body, response);
+	prepared.headers.set(STORED_AT_HEADER, String(Date.now()));
+	prepared.headers.set(MAX_AGE_HEADER, String(maxAge));
+	prepared.headers.set(SWR_HEADER, String(swr));
+	prepared.headers.delete("Set-Cookie");
+	return prepared;
+}
+const factory = (config) => {
+	const cacheName = config?.cacheName ?? "emdash";
+	const bookmarkCookie = config?.bookmarkCookie ?? DEFAULT_BOOKMARK_COOKIE;
+	const zoneIdEnvVar = config?.zoneIdEnvVar ?? "CF_ZONE_ID";
+	const apiTokenEnvVar = config?.apiTokenEnvVar ?? "CF_CACHE_PURGE_TOKEN";
+	async function getCache() {
+		return caches.open(cacheName);
+	}
+	return {
+		name: "cloudflare-cache-api",
+		async onRequest(context, next) {
+			if (context.request.method !== "GET") return next();
+			if ((context.request.headers.get("Cookie") ?? "").includes("astro-session=")) return next();
+			const cacheKey = normalizeCacheKey(context.url);
+			const cache = await getCache();
+			const cached = await cache.match(cacheKey);
+			if (cached) {
+				const storedAt = parseInt(cached.headers.get(STORED_AT_HEADER) ?? "0", 10);
+				const maxAge = parseInt(cached.headers.get(MAX_AGE_HEADER) ?? "0", 10);
+				const swr = parseInt(cached.headers.get(SWR_HEADER) ?? "0", 10);
+				const ageSeconds = (Date.now() - storedAt) / 1e3;
+				if (ageSeconds < maxAge) {
+					const hit = new Response(cached.body, cached);
+					hit.headers.set("X-Astro-Cache", "HIT");
+					stripInternalHeaders(hit);
+					return hit;
+				}
+				if (swr > 0 && ageSeconds < maxAge + swr) {
+					const stale = new Response(cached.body, cached);
+					stale.headers.set("X-Astro-Cache", "STALE");
+					stripInternalHeaders(stale);
+					waitUntil((async () => {
+						try {
+							const fresh = await next();
+							const parsed = parseCdnCacheControl(fresh.headers.get("CDN-Cache-Control"));
+							if (parsed.maxAge > 0 && fresh.ok) {
+								const toStore = prepareForCache(fresh, parsed.maxAge, parsed.swr, bookmarkCookie);
+								if (toStore) await cache.put(cacheKey, toStore);
+							}
+						} catch {}
+					})());
+					return stale;
+				}
+				await cache.delete(cacheKey);
+			}
+			const response = await next();
+			const { maxAge, swr } = parseCdnCacheControl(response.headers.get("CDN-Cache-Control"));
+			if (maxAge > 0 && response.ok) {
+				const toStore = prepareForCache(response.clone(), maxAge, swr, bookmarkCookie);
+				if (toStore) await cache.put(cacheKey, toStore);
+				const miss = new Response(response.body, response);
+				miss.headers.set("X-Astro-Cache", "MISS");
+				return miss;
+			}
+			return response;
+		},
+		async invalidate(options) {
+			if (options.tags) {
+				const zoneId = resolveEnvValue(config?.zoneId, zoneIdEnvVar);
+				const apiToken = resolveEnvValue(config?.apiToken, apiTokenEnvVar);
+				if (!zoneId || !apiToken) throw new Error(`[cloudflare-cache-api] Tag-based invalidation requires a Zone ID and API token. Set the ${zoneIdEnvVar} and ${apiTokenEnvVar} environment variables, or pass zoneId/apiToken in the cloudflareCache() config.`);
+				const tags = Array.isArray(options.tags) ? options.tags : [options.tags];
+				const response = await fetch(`${CF_API_BASE}/zones/${zoneId}/purge_cache`, {
+					method: "POST",
+					headers: {
+						Authorization: `Bearer ${apiToken}`,
+						"Content-Type": "application/json"
+					},
+					body: JSON.stringify({ tags })
+				});
+				if (!response.ok) {
+					const body = await response.text().catch(() => "");
+					throw new Error(`[cloudflare-cache-api] Cache purge failed (${response.status}): ${body}`);
+				}
+			}
+			if (options.path) await (await getCache()).delete(options.path);
+		}
+	};
+};
+
+//#endregion
+export { factory as default };

package/dist/d1-introspector-bZf0_ylK.mjs

@@ -0,0 +1,57 @@
+import { sql } from "kysely";
+
+//#region src/db/d1-introspector.ts
+const DEFAULT_MIGRATION_TABLE = "kysely_migration";
+const DEFAULT_MIGRATION_LOCK_TABLE = "kysely_migration_lock";
+const SPLIT_PARENS_PATTERN = /[(),]/;
+const WHITESPACE_PATTERN = /\s+/;
+const QUOTES_PATTERN = /["`]/g;
+var D1Introspector = class {
+	#db;
+	constructor(db) {
+		this.#db = db;
+	}
+	async getSchemas() {
+		return [];
+	}
+	async getTables(options = {}) {
+		let query = this.#db.selectFrom("sqlite_master").where("type", "in", ["table", "view"]).where("name", "not like", "sqlite_%").where("name", "not like", "_cf_%").select([
+			"name",
+			"sql",
+			"type"
+		]).orderBy("name");
+		if (!options.withInternalKyselyTables) query = query.where("name", "!=", DEFAULT_MIGRATION_TABLE).where("name", "!=", DEFAULT_MIGRATION_LOCK_TABLE);
+		const tables = await query.execute();
+		const result = [];
+		for (const table of tables) {
+			const tableName = table.name;
+			const tableType = table.type;
+			const tableSql = table.sql;
+			const columns = await sql`SELECT * FROM pragma_table_info('${sql.raw(tableName)}')`.execute(this.#db);
+			let autoIncrementCol = tableSql?.split(SPLIT_PARENS_PATTERN)?.find((it) => it.toLowerCase().includes("autoincrement"))?.trimStart()?.split(WHITESPACE_PATTERN)?.[0]?.replace(QUOTES_PATTERN, "");
+			if (!autoIncrementCol) {
+				const pkCols = columns.rows.filter((r) => r.pk > 0);
+				if (pkCols.length === 1 && pkCols[0].type.toLowerCase() === "integer") autoIncrementCol = pkCols[0].name;
+			}
+			result.push({
+				name: tableName,
+				isView: tableType === "view",
+				columns: columns.rows.map((col) => ({
+					name: col.name,
+					dataType: col.type,
+					isNullable: !col.notnull,
+					isAutoIncrementing: col.name === autoIncrementCol,
+					hasDefaultValue: col.dflt_value != null,
+					comment: void 0
+				}))
+			});
+		}
+		return result;
+	}
+	async getMetadata(options) {
+		return { tables: await this.getTables(options) };
+	}
+};
+
+//#endregion
+export { D1Introspector as t };

package/dist/db/d1.d.mts

@@ -0,0 +1,43 @@
+import { Dialect } from "kysely";
+
+//#region src/db/d1.d.ts
+/**
+ * D1 configuration (runtime type — matches the config-time type in index.ts)
+ */
+interface D1Config {
+  binding: string;
+  session?: "disabled" | "auto" | "primary-first";
+  bookmarkCookie?: string;
+}
+/**
+ * Create a D1 dialect from config
+ *
+ * @param config - D1 configuration with binding name
+ */
+declare function createDialect(config: D1Config): Dialect;
+/**
+ * Whether D1 sessions are enabled in the config.
+ */
+declare function isSessionEnabled(config: D1Config): boolean;
+/**
+ * Get the raw D1 binding for creating sessions.
+ * Returns null if sessions are disabled.
+ */
+declare function getD1Binding(config: D1Config): D1Database | null;
+/**
+ * Get the default session constraint for the config's session mode.
+ */
+declare function getDefaultConstraint(config: D1Config): string;
+/**
+ * Get the cookie name used for storing D1 session bookmarks.
+ */
+declare function getBookmarkCookieName(config: D1Config): string;
+/**
+ * Create a Kysely dialect from a D1 session object.
+ *
+ * D1DatabaseSession has the same `prepare()` / `batch()` interface
+ * as D1Database, so we pass it directly to D1Dialect.
+ */
+declare function createSessionDialect(session: D1Database): Dialect;
+//#endregion
+export { createDialect, createSessionDialect, getBookmarkCookieName, getD1Binding, getDefaultConstraint, isSessionEnabled };