@env-hopper/backend-core 2.0.1-alpha → 2.0.1-alpha-20260224145405

package/dist/index.js

@@ -0,0 +1,2571 @@
+import z$1, { z } from "zod";
+import { Prisma, PrismaClient } from "@prisma/client";
+import { group, mapValues, omit, pick } from "radashi";
+import { tableSync } from "@env-hopper/table-sync";
+import { readFile, readdir, stat } from "node:fs/promises";
+import { createHash } from "node:crypto";
+import sharp from "sharp";
+import { TRPCError, initTRPC } from "@trpc/server";
+import { betterAuth } from "better-auth";
+import { prismaAdapter } from "better-auth/adapters/prisma";
+import { toNodeHandler } from "better-auth/node";
+import { stepCountIs, streamText, tool } from "ai";
+import multer from "multer";
+import { readFileSync, readdirSync } from "node:fs";
+import { extname, join } from "node:path";
+import express, { Router } from "express";
+import * as trpcExpress from "@trpc/server/adapters/express";
+
+//#region src/db/client.ts
+let prismaClient = null;
+/**
+* Gets the internal Prisma client instance.
+* Creates one if it doesn't exist.
+*/
+function getDbClient() {
+	if (!prismaClient) prismaClient = new PrismaClient();
+	return prismaClient;
+}
+/**
+* Sets the internal Prisma client instance.
+* Used by middleware to bridge with existing getDbClient() usage.
+*/
+function setDbClient(client) {
+	prismaClient = client;
+}
+/**
+* Connects to the database.
+* Call this before performing database operations.
+*/
+async function connectDb() {
+	await getDbClient().$connect();
+}
+/**
+* Disconnects from the database.
+* Call this when done with database operations (e.g., in scripts).
+*/
+async function disconnectDb() {
+	if (prismaClient) {
+		await prismaClient.$disconnect();
+		prismaClient = null;
+	}
+}
+
+//#endregion
+//#region src/modules/appCatalog/service.ts
+async function getGroupingTagDefinitionsFromPrisma() {
+	return (await getDbClient().dbAppTagDefinition.findMany()).map((row) => omit(row, [
+		"id",
+		"updatedAt",
+		"createdAt"
+	]));
+}
+async function getApprovalMethodsFromPrisma() {
+	return (await getDbClient().dbApprovalMethod.findMany()).map((row) => {
+		const baseFields = {
+			slug: row.slug,
+			displayName: row.displayName
+		};
+		const config = row.config ?? {};
+		switch (row.type) {
+			case "service": return {
+				...baseFields,
+				type: "service",
+				config
+			};
+			case "personTeam": return {
+				...baseFields,
+				type: "personTeam",
+				config
+			};
+			case "custom": return {
+				...baseFields,
+				type: "custom",
+				config
+			};
+		}
+	});
+}
+async function getAppsFromPrisma() {
+	return (await getDbClient().dbAppForCatalog.findMany()).map((row) => {
+		const accessRequest = row.accessRequest;
+		const teams = row.teams ?? [];
+		const tags = row.tags ?? [];
+		const screenshotIds = row.screenshotIds ?? [];
+		const notes = row.notes == null ? void 0 : row.notes;
+		const appUrl = row.appUrl == null ? void 0 : row.appUrl;
+		const iconName = row.iconName == null ? void 0 : row.iconName;
+		return {
+			id: row.id,
+			slug: row.slug,
+			displayName: row.displayName,
+			description: row.description,
+			accessRequest,
+			teams,
+			notes,
+			tags,
+			appUrl,
+			iconName,
+			screenshotIds
+		};
+	});
+}
+async function getAppCatalogData(getAppsOptional) {
+	return {
+		apps: getAppsOptional ? await getAppsOptional() : await getAppsFromPrisma(),
+		tagsDefinitions: await getGroupingTagDefinitionsFromPrisma(),
+		approvalMethods: await getApprovalMethodsFromPrisma()
+	};
+}
+
+//#endregion
+//#region src/db/tableSyncPrismaAdapter.ts
+function getPrismaModelOperations(prisma, prismaModelName) {
+	return prisma[prismaModelName.slice(0, 1).toLowerCase() + prismaModelName.slice(1)];
+}
+function tableSyncPrisma(params) {
+	const { prisma, prismaModelName, uniqColumns, where: whereGlobal, upsertOnly } = params;
+	const prismOperations = getPrismaModelOperations(prisma, prismaModelName);
+	const idColumn = params.id ?? "id";
+	return tableSync({
+		id: idColumn,
+		uniqColumns,
+		readAll: async () => {
+			const findManyArgs = whereGlobal ? { where: whereGlobal } : {};
+			return await prismOperations.findMany(findManyArgs);
+		},
+		writeAll: async (createData, update, deleteIds) => {
+			const prismaUniqKey = params.uniqColumns.join("_");
+			const relationColumnList = params.relationColumns ?? [];
+			return prisma.$transaction(async (tx) => {
+				const txOps = getPrismaModelOperations(tx, prismaModelName);
+				for (const { data, where } of update) {
+					const uniqKeyWhere = Object.keys(where).length > 1 ? { [prismaUniqKey]: where } : where;
+					const dataScalar = omit(data, relationColumnList);
+					const dataRelations = mapValues(pick(data, relationColumnList), (value) => {
+						return { set: value };
+					});
+					await txOps.update({
+						data: {
+							...dataScalar,
+							...dataRelations
+						},
+						where: { ...uniqKeyWhere }
+					});
+				}
+				if (upsertOnly !== true) await txOps.deleteMany({ where: { [idColumn]: { in: deleteIds } } });
+				const createDataMapped = createData.map((data) => {
+					const dataScalar = omit(data, relationColumnList);
+					const dataRelations = mapValues(pick(data, relationColumnList), (value) => {
+						return { connect: value };
+					});
+					return {
+						...dataScalar,
+						...dataRelations
+					};
+				});
+				if (createDataMapped.length > 0) {
+					const uniqKeysInCreate = /* @__PURE__ */ new Set();
+					const duplicateKeys = [];
+					for (const data of createDataMapped) {
+						const key = params.uniqColumns.map((col) => {
+							const value = data[col];
+							return value === null || value === void 0 ? "null" : String(value);
+						}).join(":");
+						if (uniqKeysInCreate.has(key)) duplicateKeys.push(key);
+						else uniqKeysInCreate.add(key);
+					}
+					if (duplicateKeys.length > 0) {
+						const uniqColumnsStr = params.uniqColumns.join(", ");
+						throw new Error(`Duplicate unique key values found in data to be created. Model: ${prismaModelName}, Unique columns: [${uniqColumnsStr}], Duplicate keys: [${duplicateKeys.join(", ")}]`);
+					}
+				}
+				const results = [];
+				if (relationColumnList.length === 0) {
+					const batchResult = await txOps.createManyAndReturn({ data: createDataMapped });
+					results.push(...batchResult);
+				} else for (const dataMappedElement of createDataMapped) {
+					const newVar = await txOps.create({ data: dataMappedElement });
+					results.push(newVar);
+				}
+				return results;
+			});
+		}
+	});
+}
+
+//#endregion
+//#region src/db/tableSyncMagazine.ts
+const TABLE_SYNC_MAGAZINE = {
+	DbAppForCatalog: {
+		prismaModelName: "DbAppForCatalog",
+		uniqColumns: ["slug"]
+	},
+	DbAppTagDefinition: {
+		prismaModelName: "DbAppTagDefinition",
+		uniqColumns: ["prefix"]
+	},
+	DbApprovalMethod: {
+		id: "slug",
+		prismaModelName: "DbApprovalMethod",
+		uniqColumns: ["slug"]
+	}
+};
+
+//#endregion
+//#region src/modules/assets/assetUtils.ts
+/**
+* Extract image dimensions from a buffer using sharp
+*/
+async function getImageDimensions(buffer) {
+	try {
+		const metadata = await sharp(buffer).metadata();
+		return {
+			width: metadata.width,
+			height: metadata.height
+		};
+	} catch (error) {
+		console.error("Error extracting image dimensions:", error);
+		return {
+			width: void 0,
+			height: void 0
+		};
+	}
+}
+/**
+* Resize an image buffer to the specified dimensions
+* @param buffer - The image buffer to resize
+* @param width - Target width (optional)
+* @param height - Target height (optional)
+* @param format - Output format ('png', 'jpeg', 'webp'), auto-detected if not provided
+*/
+async function resizeImage(buffer, width, height, format) {
+	let pipeline = sharp(buffer);
+	if (width || height) pipeline = pipeline.resize({
+		width,
+		height,
+		fit: "inside",
+		withoutEnlargement: true
+	});
+	if (format === "png") pipeline = pipeline.png();
+	else if (format === "webp") pipeline = pipeline.webp();
+	else if (format === "jpeg") pipeline = pipeline.jpeg();
+	return pipeline.toBuffer();
+}
+/**
+* Generate SHA-256 checksum for a buffer
+*/
+function generateChecksum(buffer) {
+	return createHash("sha256").update(buffer).digest("hex");
+}
+/**
+* Detect image format from mime type
+*/
+function getImageFormat(mimeType) {
+	if (mimeType.includes("png")) return "png";
+	if (mimeType.includes("webp")) return "webp";
+	if (mimeType.includes("jpeg") || mimeType.includes("jpg")) return "jpeg";
+	return null;
+}
+/**
+* Check if a mime type represents a raster image (not SVG)
+*/
+function isRasterImage(mimeType) {
+	return mimeType.startsWith("image/") && !mimeType.includes("svg");
+}
+async function parseAssetMeta(p) {
+	const { width, height, format, size } = await sharp(p.buffer).metadata();
+	return {
+		checksum: generateChecksum(p.buffer),
+		width,
+		height,
+		mimeType: format ? {
+			jpeg: "image/jpeg",
+			jpg: "image/jpeg",
+			png: "image/png",
+			webp: "image/webp",
+			avif: "image/avif",
+			tiff: "image/tiff",
+			gif: "image/gif",
+			heif: "image/heif",
+			raw: "application/octet-stream"
+		}[format] ?? `image/${format}` : "application/octet-stream",
+		fileSize: size || 0
+	};
+}
+
+//#endregion
+//#region src/modules/assets/upsertAsset.ts
+async function upsertAsset({ prisma, buffer, name, originalFilename, assetType }) {
+	const { checksum, fileSize, width, height, mimeType } = await parseAssetMeta({
+		buffer,
+		originalFilename
+	});
+	const existing = await prisma.dbAsset.findUnique({ where: { name } });
+	if (existing) return existing.id;
+	return (await prisma.dbAsset.create({ data: {
+		name,
+		checksum,
+		assetType,
+		content: new Uint8Array(buffer),
+		mimeType,
+		fileSize,
+		width,
+		height
+	} })).id;
+}
+
+//#endregion
+//#region src/db/syncAppCatalog.ts
+function isFileNotFoundError(error) {
+	return error instanceof Error && "code" in error && error.code === "ENOENT";
+}
+async function processAssetDirectory(dirPath, appSlug, assetType, prisma) {
+	try {
+		const files = await readdir(dirPath);
+		const assetIds = [];
+		for (let i = 0; i < files.length; i++) {
+			const fileName = files[i];
+			if (!fileName) continue;
+			const assetName = assetType === "screenshot" ? `${appSlug}-screenshot-${i + 1}` : `${appSlug}-icon`;
+			const id = await upsertAsset({
+				prisma,
+				buffer: await readFile(`${dirPath}/${fileName}`),
+				originalFilename: fileName,
+				name: assetName,
+				assetType
+			});
+			assetIds.push(id);
+			if (assetType === "icon") break;
+		}
+		return assetIds;
+	} catch (error) {
+		if (isFileNotFoundError(error)) return [];
+		throw error;
+	}
+}
+async function syncAppAssets(appSlug, appPath, prisma) {
+	return {
+		screenshotIds: await processAssetDirectory(`${appPath}/screenshots`, appSlug, "screenshot", prisma),
+		iconName: (await processAssetDirectory(`${appPath}/icons`, appSlug, "icon", prisma)).length > 0 ? `${appSlug}-icon` : null
+	};
+}
+async function syncAssetsFromFileSystem(apps, allAppsAssetsPath) {
+	const appDirectories = await readdir(allAppsAssetsPath);
+	const prisma = getDbClient();
+	const bySlug = group(apps, (a) => a.slug);
+	for (const appDirName of appDirectories) {
+		try {
+			if (!(await stat(`${allAppsAssetsPath}/${appDirName}`)).isDirectory()) continue;
+		} catch (error) {
+			if (isFileNotFoundError(error)) continue;
+			throw error;
+		}
+		const appSlug = appDirName;
+		if (!bySlug[appSlug]) throw new Error(`App '${appSlug}' does not exist in the app catalog. Existing apps: ${Object.keys(bySlug).join(", ")}`);
+		try {
+			const { screenshotIds, iconName } = await syncAppAssets(appSlug, `${allAppsAssetsPath}/${appDirName}`, prisma);
+			const updateData = {};
+			if (screenshotIds.length > 0) updateData.screenshotIds = screenshotIds;
+			if (iconName !== null) updateData.iconName = iconName;
+			if (Object.keys(updateData).length > 0) await prisma.dbAppForCatalog.update({
+				where: { slug: appSlug },
+				data: updateData
+			});
+		} catch (error) {
+			const errorMessage = error instanceof Error ? error.message : String(error);
+			throw new Error(`Error while upserting assets for app '${appSlug}': ${errorMessage}`);
+		}
+	}
+}
+/**
+* Syncs app catalog data to the database using table sync.
+* This will create new apps, update existing ones, and delete any that are no longer in the input.
+*
+* Note: Call connectDb() before and disconnectDb() after if running in a script.
+*/
+async function syncAppCatalog(apps, tagsDefinitions, approvalMethods, sreenshotsPath) {
+	try {
+		const prisma = getDbClient();
+		await tableSyncPrisma({
+			prisma,
+			...TABLE_SYNC_MAGAZINE.DbApprovalMethod
+		}).sync(approvalMethods);
+		const sync = tableSyncPrisma({
+			prisma,
+			...TABLE_SYNC_MAGAZINE.DbAppForCatalog
+		});
+		await tableSyncPrisma({
+			prisma,
+			...TABLE_SYNC_MAGAZINE.DbAppTagDefinition
+		}).sync(tagsDefinitions);
+		const dbApps = apps.map((app) => {
+			return {
+				slug: app.slug || app.displayName.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, ""),
+				displayName: app.displayName,
+				description: app.description,
+				teams: app.teams ?? [],
+				accessRequest: app.accessRequest ?? null,
+				notes: app.notes ?? null,
+				tags: app.tags ?? [],
+				appUrl: app.appUrl ?? null,
+				links: app.links ?? null,
+				iconName: app.iconName ?? null,
+				screenshotIds: app.screenshotIds ?? []
+			};
+		});
+		const actual = (await sync.sync(dbApps)).getActual();
+		if (sreenshotsPath) await syncAssetsFromFileSystem(apps, sreenshotsPath);
+		return {
+			created: actual.length - apps.length + (apps.length - actual.length),
+			updated: 0,
+			deleted: 0,
+			total: actual.length
+		};
+	} catch (error) {
+		const errorMessage = error instanceof Error ? error.message : String(error);
+		const errorStack = error instanceof Error ? error.stack : void 0;
+		throw new Error(`Error syncing app catalog: ${errorMessage}\n\nDetails:\n${errorStack || "No stack trace available"}`);
+	}
+}
+
+//#endregion
+//#region src/modules/auth/authorizationUtils.ts
+/**
+* Extract groups from user object
+* Groups can be stored in different locations depending on the OAuth provider
+*/
+function getUserGroups(user) {
+	if (!user) {
+		console.log("[getUserGroups] No user provided");
+		return [];
+	}
+	console.log("[getUserGroups] === USER OBJECT DEBUG ===");
+	console.log("[getUserGroups] User ID:", user.id);
+	console.log("[getUserGroups] User email:", user.email);
+	console.log("[getUserGroups] User.env_hopper_groups:", user.env_hopper_groups);
+	console.log("[getUserGroups] User.groups:", user.groups);
+	console.log("[getUserGroups] User.oktaGroups:", user.oktaGroups);
+	console.log("[getUserGroups] User.roles:", user.roles);
+	console.log("[getUserGroups] All user keys:", Object.keys(user));
+	console.log("[getUserGroups] Full user object:", JSON.stringify(user, null, 2));
+	const groups = user.env_hopper_groups || user.groups || user.oktaGroups || user.roles || [];
+	const result = Array.isArray(groups) ? groups : [];
+	console.log("[getUserGroups] Final groups result:", result);
+	return result;
+}
+/**
+* Check if user is a member of any of the specified groups
+*/
+function isMemberOfAnyGroup(user, allowedGroups) {
+	const userGroups = getUserGroups(user);
+	return allowedGroups.some((group$1) => userGroups.includes(group$1));
+}
+/**
+* Check if user is a member of all specified groups
+*/
+function isMemberOfAllGroups(user, requiredGroups) {
+	const userGroups = getUserGroups(user);
+	return requiredGroups.every((group$1) => userGroups.includes(group$1));
+}
+/**
+* Check if user has admin permissions
+* @param user User object with groups
+* @param adminGroups List of admin group names (default: ['env_hopper_ui_super_admins'])
+*/
+function isAdmin(user, adminGroups = ["env_hopper_ui_super_admins"]) {
+	return isMemberOfAnyGroup(user, adminGroups);
+}
+/**
+* Require admin permissions - throws error if not admin
+* @param user User object with groups
+* @param adminGroups List of admin group names (default: ['env_hopper_ui_super_admins'])
+*/
+function requireAdmin(user, adminGroups = ["env_hopper_ui_super_admins"]) {
+	if (!isAdmin(user, adminGroups)) throw new Error("Forbidden: Admin access required");
+}
+/**
+* Require membership in specific groups - throws error if not member
+*/
+function requireGroups(user, groups) {
+	if (!isMemberOfAnyGroup(user, groups)) throw new Error(`Forbidden: Membership in one of these groups required: ${groups.join(", ")}`);
+}
+
+//#endregion
+//#region src/server/trpcSetup.ts
+/**
+* Initialization of tRPC backend
+* Should be done only once per backend!
+*/
+const t = initTRPC.context().create({ errorFormatter({ error, shape }) {
+	var _data;
+	console.error("[tRPC Error]", {
+		path: (_data = shape.data) === null || _data === void 0 ? void 0 : _data.path,
+		code: error.code,
+		message: error.message,
+		cause: error.cause,
+		stack: error.stack
+	});
+	return shape;
+} });
+/**
+* Export reusable router and procedure helpers
+*/
+const router = t.router;
+const publicProcedure = t.procedure;
+/**
+* Middleware to check if user is authenticated
+*/
+const isAuthenticated = t.middleware(({ ctx, next }) => {
+	if (!ctx.user) throw new TRPCError({
+		code: "UNAUTHORIZED",
+		message: "You must be logged in to access this resource"
+	});
+	return next({ ctx: {
+		...ctx,
+		user: ctx.user
+	} });
+});
+/**
+* Middleware to check if user is an admin
+*/
+const isAdminMiddleware = t.middleware(({ ctx, next }) => {
+	if (!ctx.user) throw new TRPCError({
+		code: "UNAUTHORIZED",
+		message: "You must be logged in to access this resource"
+	});
+	console.log("[isAdminMiddleware] === ADMIN CHECK DEBUG ===");
+	console.log("[isAdminMiddleware] User:", ctx.user.email);
+	console.log("[isAdminMiddleware] Required admin groups:", ctx.adminGroups);
+	console.log("[isAdminMiddleware] Calling isAdmin()...");
+	const hasAdminAccess = isAdmin(ctx.user, ctx.adminGroups);
+	console.log("[isAdminMiddleware] Has admin access:", hasAdminAccess);
+	if (!hasAdminAccess) throw new TRPCError({
+		code: "FORBIDDEN",
+		message: `You must be an admin to access this resource. Required groups: ${ctx.adminGroups.join(", ") || "env_hopper_ui_super_admins"}`
+	});
+	return next({ ctx: {
+		...ctx,
+		user: ctx.user
+	} });
+});
+/**
+* Admin procedure that requires admin permissions
+*/
+const adminProcedure = t.procedure.use(isAdminMiddleware);
+/**
+* Protected procedure that requires authentication (but not admin)
+*/
+const protectedProcedure = t.procedure.use(isAuthenticated);
+
+//#endregion
+//#region src/modules/appCatalogAdmin/appCatalogAdminRouter.ts
+const AccessMethodSchema = z.object({ type: z.enum([
+	"bot",
+	"ticketing",
+	"email",
+	"self-service",
+	"documentation",
+	"manual"
+]) }).loose();
+const AppLinkSchema = z.object({
+	displayName: z.string().optional(),
+	url: z.url()
+});
+const AppRoleSchema = z.object({
+	name: z.string(),
+	description: z.string().optional()
+});
+const ApproverContactSchema = z.object({
+	displayName: z.string(),
+	contact: z.string().optional()
+});
+const ApprovalUrlSchema = z.object({
+	label: z.string().optional(),
+	url: z.url()
+});
+const AppAccessRequestSchema = z.object({
+	approvalMethodId: z.string(),
+	comments: z.string().optional(),
+	requestPrompt: z.string().optional(),
+	postApprovalInstructions: z.string().optional(),
+	roles: z.array(AppRoleSchema).optional(),
+	approvers: z.array(ApproverContactSchema).optional(),
+	urls: z.array(ApprovalUrlSchema).optional(),
+	whoToReachOut: z.string().optional()
+});
+const CreateAppForCatalogSchema = z.object({
+	slug: z.string().min(1).regex(/^[a-z0-9-]+$/, "Slug must be lowercase alphanumeric with hyphens"),
+	displayName: z.string().min(1),
+	description: z.string(),
+	access: AccessMethodSchema.optional(),
+	teams: z.array(z.string()).optional(),
+	accessRequest: AppAccessRequestSchema.optional(),
+	notes: z.string().optional(),
+	tags: z.array(z.string()).optional(),
+	appUrl: z.url().optional(),
+	links: z.array(AppLinkSchema).optional(),
+	iconName: z.string().optional(),
+	screenshotIds: z.array(z.string()).optional()
+});
+const UpdateAppForCatalogSchema = CreateAppForCatalogSchema.partial().extend({ id: z.string() });
+function createAppCatalogAdminRouter() {
+	const prisma = getDbClient();
+	return router({
+		list: adminProcedure.query(async () => {
+			return prisma.dbAppForCatalog.findMany({ orderBy: { displayName: "asc" } });
+		}),
+		getById: adminProcedure.input(z.object({ id: z.string() })).query(async ({ input }) => {
+			return prisma.dbAppForCatalog.findUnique({ where: { id: input.id } });
+		}),
+		getBySlug: adminProcedure.input(z.object({ slug: z.string() })).query(async ({ input }) => {
+			return prisma.dbAppForCatalog.findUnique({ where: { slug: input.slug } });
+		}),
+		create: adminProcedure.input(CreateAppForCatalogSchema).mutation(async ({ input }) => {
+			return prisma.dbAppForCatalog.create({ data: {
+				slug: input.slug,
+				displayName: input.displayName,
+				description: input.description,
+				teams: input.teams ?? [],
+				accessRequest: input.accessRequest,
+				notes: input.notes,
+				tags: input.tags ?? [],
+				appUrl: input.appUrl,
+				links: input.links,
+				iconName: input.iconName,
+				screenshotIds: input.screenshotIds ?? []
+			} });
+		}),
+		update: adminProcedure.input(UpdateAppForCatalogSchema).mutation(async ({ input }) => {
+			const { id,...updateData } = input;
+			return prisma.dbAppForCatalog.update({
+				where: { id },
+				data: {
+					...updateData.slug !== void 0 && { slug: updateData.slug },
+					...updateData.displayName !== void 0 && { displayName: updateData.displayName },
+					...updateData.description !== void 0 && { description: updateData.description },
+					...updateData.teams !== void 0 && { teams: updateData.teams },
+					...updateData.accessRequest !== void 0 && { accessRequest: updateData.accessRequest },
+					...updateData.notes !== void 0 && { notes: updateData.notes },
+					...updateData.tags !== void 0 && { tags: updateData.tags },
+					...updateData.appUrl !== void 0 && { appUrl: updateData.appUrl },
+					...updateData.links !== void 0 && { links: updateData.links },
+					...updateData.iconName !== void 0 && { iconName: updateData.iconName },
+					...updateData.screenshotIds !== void 0 && { screenshotIds: updateData.screenshotIds }
+				}
+			});
+		}),
+		updateScreenshots: adminProcedure.input(z.object({
+			id: z.string(),
+			screenshotIds: z.array(z.string())
+		})).mutation(async ({ input }) => {
+			return prisma.dbAppForCatalog.update({
+				where: { id: input.id },
+				data: { screenshotIds: input.screenshotIds }
+			});
+		}),
+		delete: adminProcedure.input(z.object({ id: z.string() })).mutation(async ({ input }) => {
+			return prisma.dbAppForCatalog.delete({ where: { id: input.id } });
+		})
+	});
+}
+
+//#endregion
+//#region src/modules/approvalMethod/slugUtils.ts
+/**
+* Generates a URL-friendly slug from a display name.
+* Converts to lowercase and replaces non-alphanumeric characters with hyphens.
+*
+* @param displayName - The display name to convert
+* @returns A slug suitable for use as a primary key
+*
+* @example
+* generateSlugFromDisplayName("My Service") // "my-service"
+* generateSlugFromDisplayName("John's Team") // "john-s-team"
+*/
+function generateSlugFromDisplayName(displayName) {
+	return displayName.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+}
+
+//#endregion
+//#region src/modules/approvalMethod/approvalMethodRouter.ts
+const ReachOutContactSchema = z.object({
+	displayName: z.string(),
+	contact: z.string()
+});
+const ServiceConfigSchema = z.object({
+	url: z.url().optional(),
+	icon: z.string().optional()
+});
+const PersonTeamConfigSchema = z.object({ reachOutContacts: z.array(ReachOutContactSchema).optional() });
+const CustomConfigSchema = z.object({});
+const ApprovalMethodConfigSchema = z.union([
+	ServiceConfigSchema,
+	PersonTeamConfigSchema,
+	CustomConfigSchema
+]);
+const CreateApprovalMethodSchema = z.object({
+	type: z.enum([
+		"service",
+		"personTeam",
+		"custom"
+	]),
+	displayName: z.string().min(1),
+	config: ApprovalMethodConfigSchema.optional()
+});
+const UpdateApprovalMethodSchema = z.object({
+	slug: z.string(),
+	type: z.enum([
+		"service",
+		"personTeam",
+		"custom"
+	]).optional(),
+	displayName: z.string().min(1).optional(),
+	config: ApprovalMethodConfigSchema.optional()
+});
+/**
+* Convert Prisma DbApprovalMethod to our ApprovalMethod type.
+* This ensures tRPC infers proper types for frontend consumers.
+*/
+function toApprovalMethod(db) {
+	const baseFields = {
+		slug: db.slug,
+		displayName: db.displayName,
+		createdAt: db.createdAt,
+		updatedAt: db.updatedAt
+	};
+	const config = db.config ?? {};
+	switch (db.type) {
+		case "service": return {
+			...baseFields,
+			type: "service",
+			config
+		};
+		case "personTeam": return {
+			...baseFields,
+			type: "personTeam",
+			config
+		};
+		case "custom": return {
+			...baseFields,
+			type: "custom",
+			config
+		};
+	}
+}
+function createApprovalMethodRouter() {
+	return router({
+		list: publicProcedure.query(async () => {
+			return (await getDbClient().dbApprovalMethod.findMany({ orderBy: { displayName: "asc" } })).map(toApprovalMethod);
+		}),
+		getById: publicProcedure.input(z.object({ slug: z.string() })).query(async ({ input }) => {
+			const result = await getDbClient().dbApprovalMethod.findUnique({ where: { slug: input.slug } });
+			return result ? toApprovalMethod(result) : null;
+		}),
+		create: adminProcedure.input(CreateApprovalMethodSchema).mutation(async ({ input }) => {
+			return toApprovalMethod(await getDbClient().dbApprovalMethod.create({ data: {
+				slug: generateSlugFromDisplayName(input.displayName),
+				type: input.type,
+				displayName: input.displayName,
+				config: input.config ?? Prisma.JsonNull
+			} }));
+		}),
+		update: adminProcedure.input(UpdateApprovalMethodSchema).mutation(async ({ input }) => {
+			const prisma = getDbClient();
+			const { slug,...updateData } = input;
+			return toApprovalMethod(await prisma.dbApprovalMethod.update({
+				where: { slug },
+				data: {
+					...updateData.type !== void 0 && { type: updateData.type },
+					...updateData.displayName !== void 0 && { displayName: updateData.displayName },
+					...updateData.config !== void 0 && { config: updateData.config ?? Prisma.JsonNull }
+				}
+			}));
+		}),
+		delete: adminProcedure.input(z.object({ slug: z.string() })).mutation(async ({ input }) => {
+			return toApprovalMethod(await getDbClient().dbApprovalMethod.delete({ where: { slug: input.slug } }));
+		}),
+		listByType: publicProcedure.input(z.object({ type: z.enum([
+			"service",
+			"personTeam",
+			"custom"
+		]) })).query(async ({ input }) => {
+			return (await getDbClient().dbApprovalMethod.findMany({
+				where: { type: input.type },
+				orderBy: { displayName: "asc" }
+			})).map(toApprovalMethod);
+		})
+	});
+}
+
+//#endregion
+//#region src/modules/assets/screenshotRouter.ts
+function createScreenshotRouter() {
+	return router({
+		list: publicProcedure.query(async () => {
+			return getDbClient().dbAsset.findMany({
+				where: { assetType: "screenshot" },
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true,
+					updatedAt: true
+				},
+				orderBy: { createdAt: "desc" }
+			});
+		}),
+		getOne: publicProcedure.input(z.object({ id: z.string() })).query(async ({ input }) => {
+			return getDbClient().dbAsset.findFirst({
+				where: {
+					id: input.id,
+					assetType: "screenshot"
+				},
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+		}),
+		getByAppSlug: publicProcedure.input(z.object({ appSlug: z.string() })).query(async ({ input }) => {
+			const prisma = getDbClient();
+			const app = await prisma.dbAppForCatalog.findUnique({
+				where: { slug: input.appSlug },
+				select: { screenshotIds: true }
+			});
+			if (!app) return [];
+			return prisma.dbAsset.findMany({
+				where: {
+					id: { in: app.screenshotIds },
+					assetType: "screenshot"
+				},
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+		}),
+		getFirstByAppSlug: publicProcedure.input(z.object({ appSlug: z.string() })).query(async ({ input }) => {
+			const prisma = getDbClient();
+			const app = await prisma.dbAppForCatalog.findUnique({
+				where: { slug: input.appSlug },
+				select: { screenshotIds: true }
+			});
+			if (!app || app.screenshotIds.length === 0) return null;
+			return prisma.dbAsset.findUnique({
+				where: { id: app.screenshotIds[0] },
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+		})
+	});
+}
+
+//#endregion
+//#region src/modules/auth/authRouter.ts
+/**
+* Create auth tRPC procedures
+* @param t - tRPC instance
+* @param auth - Better Auth instance (optional, for future extensions)
+* @returns tRPC router with auth procedures
+*/
+function createAuthRouter(t$1, auth) {
+	const router$1 = t$1.router;
+	const publicProcedure$1 = t$1.procedure;
+	return router$1({
+		getSession: publicProcedure$1.query(async ({ ctx }) => {
+			return {
+				user: ctx.user ?? null,
+				isAuthenticated: !!ctx.user
+			};
+		}),
+		getProviders: publicProcedure$1.query(() => {
+			const providers = [];
+			const authOptions = auth === null || auth === void 0 ? void 0 : auth.options;
+			if (authOptions === null || authOptions === void 0 ? void 0 : authOptions.socialProviders) {
+				const socialProviders = authOptions.socialProviders;
+				Object.keys(socialProviders).forEach((key) => {
+					if (socialProviders[key]) providers.push(key);
+				});
+			}
+			if (authOptions === null || authOptions === void 0 ? void 0 : authOptions.plugins) authOptions.plugins.forEach((plugin) => {
+				var _pluginWithConfig$opt;
+				const pluginWithConfig = plugin;
+				if (pluginWithConfig.id === "generic-oauth" && ((_pluginWithConfig$opt = pluginWithConfig.options) === null || _pluginWithConfig$opt === void 0 ? void 0 : _pluginWithConfig$opt.config)) (Array.isArray(pluginWithConfig.options.config) ? pluginWithConfig.options.config : [pluginWithConfig.options.config]).forEach((config) => {
+					if (config.providerId) providers.push(config.providerId);
+				});
+			});
+			return { providers };
+		})
+	});
+}
+
+//#endregion
+//#region src/modules/icons/iconUtils.ts
+/**
+* Get file extension from MIME type
+*/
+function getExtensionFromMimeType(mimeType) {
+	return {
+		"image/svg+xml": "svg",
+		"image/png": "png",
+		"image/jpeg": "jpg",
+		"image/jpg": "jpg",
+		"image/webp": "webp",
+		"image/gif": "gif",
+		"image/bmp": "bmp",
+		"image/tiff": "tiff",
+		"image/x-icon": "ico",
+		"image/vnd.microsoft.icon": "ico"
+	}[mimeType.toLowerCase()] || "bin";
+}
+/**
+* Get file extension from filename
+*/
+function getExtensionFromFilename(filename) {
+	var _match$;
+	const match = filename.match(/\.([^.]+)$/);
+	return (match === null || match === void 0 || (_match$ = match[1]) === null || _match$ === void 0 ? void 0 : _match$.toLowerCase()) || "";
+}
+
+//#endregion
+//#region src/modules/icons/iconRouter.ts
+function createIconRouter() {
+	return router({
+		list: publicProcedure.query(async () => {
+			return getDbClient().dbAsset.findMany({
+				where: { assetType: "icon" },
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					createdAt: true,
+					updatedAt: true
+				},
+				orderBy: { name: "asc" }
+			});
+		}),
+		getOne: publicProcedure.input(z.object({ id: z.string() })).query(async ({ input }) => {
+			return getDbClient().dbAsset.findFirst({
+				where: {
+					id: input.id,
+					assetType: "icon"
+				},
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+		}),
+		create: adminProcedure.input(z.object({
+			name: z.string().min(1),
+			content: z.string(),
+			mimeType: z.string(),
+			fileSize: z.number().int().positive()
+		})).mutation(async ({ input }) => {
+			const prisma = getDbClient();
+			const buffer = Buffer.from(input.content, "base64");
+			const checksum = generateChecksum(buffer);
+			const { width, height } = await getImageDimensions(buffer);
+			let name = input.name;
+			if (!name.includes(".")) {
+				const extension = getExtensionFromMimeType(input.mimeType);
+				name = `${name}.${extension}`;
+			}
+			const existing = await prisma.dbAsset.findFirst({ where: {
+				checksum,
+				assetType: "icon"
+			} });
+			if (existing) return existing;
+			return prisma.dbAsset.create({ data: {
+				name,
+				assetType: "icon",
+				content: new Uint8Array(buffer),
+				checksum,
+				mimeType: input.mimeType,
+				fileSize: input.fileSize,
+				width,
+				height
+			} });
+		}),
+		update: adminProcedure.input(z.object({
+			id: z.string(),
+			name: z.string().min(1).optional(),
+			content: z.string().optional(),
+			mimeType: z.string().optional(),
+			fileSize: z.number().int().positive().optional()
+		})).mutation(async ({ input }) => {
+			const prisma = getDbClient();
+			const { id, content, name,...rest } = input;
+			const data = { ...rest };
+			if (content) {
+				const buffer = Buffer.from(content, "base64");
+				data.content = new Uint8Array(buffer);
+				data.checksum = generateChecksum(buffer);
+				const { width, height } = await getImageDimensions(buffer);
+				data.width = width;
+				data.height = height;
+			}
+			if (name) if (!name.includes(".") && input.mimeType) data.name = `${name}.${getExtensionFromMimeType(input.mimeType)}`;
+			else data.name = name;
+			return prisma.dbAsset.update({
+				where: { id },
+				data
+			});
+		}),
+		delete: adminProcedure.input(z.object({ id: z.string() })).mutation(async ({ input }) => {
+			return getDbClient().dbAsset.delete({ where: { id: input.id } });
+		}),
+		deleteMany: adminProcedure.input(z.object({ ids: z.array(z.string()) })).mutation(async ({ input }) => {
+			return getDbClient().dbAsset.deleteMany({ where: {
+				id: { in: input.ids },
+				assetType: "icon"
+			} });
+		}),
+		getContent: publicProcedure.input(z.object({ id: z.string() })).query(async ({ input }) => {
+			const asset = await getDbClient().dbAsset.findFirst({
+				where: {
+					id: input.id,
+					assetType: "icon"
+				},
+				select: {
+					content: true,
+					mimeType: true,
+					name: true
+				}
+			});
+			if (!asset) throw new Error("Icon not found");
+			return {
+				content: Buffer.from(asset.content).toString("base64"),
+				mimeType: asset.mimeType,
+				name: asset.name
+			};
+		})
+	});
+}
+
+//#endregion
+//#region src/server/controller.ts
+/**
+* Create the main tRPC router with optional auth instance
+* @param auth - Optional Better Auth instance for auth-related queries
+*/
+function createTrpcRouter(auth) {
+	return router({
+		bootstrap: publicProcedure.query(async ({ ctx }) => {
+			return await ctx.companySpecificBackend.getBootstrapData();
+		}),
+		authConfig: publicProcedure.query(async ({ ctx }) => {
+			return { adminGroups: ctx.adminGroups };
+		}),
+		availabilityMatrix: publicProcedure.query(async ({ ctx }) => {
+			return await ctx.companySpecificBackend.getAvailabilityMatrix();
+		}),
+		tryFindRenameRule: publicProcedure.input(z$1.object({
+			envSlug: z$1.string().optional(),
+			resourceSlug: z$1.string().optional()
+		})).query(async ({ input, ctx }) => {
+			return await ctx.companySpecificBackend.getNameMigrations(input);
+		}),
+		resourceJumps: publicProcedure.query(async ({ ctx }) => {
+			return await ctx.companySpecificBackend.getResourceJumps();
+		}),
+		resourceJumpsExtended: publicProcedure.query(async ({ ctx }) => {
+			return await ctx.companySpecificBackend.getResourceJumpsExtended();
+		}),
+		resourceJumpBySlugAndEnv: publicProcedure.input(z$1.object({
+			jumpResourceSlug: z$1.string(),
+			envSlug: z$1.string()
+		})).query(async ({ input, ctx }) => {
+			return filterSingleResourceJump(await ctx.companySpecificBackend.getResourceJumps(), input.jumpResourceSlug, input.envSlug);
+		}),
+		appCatalog: publicProcedure.query(async ({ ctx }) => {
+			return await getAppCatalogData(ctx.companySpecificBackend.getApps);
+		}),
+		icon: createIconRouter(),
+		screenshot: createScreenshotRouter(),
+		appCatalogAdmin: createAppCatalogAdminRouter(),
+		approvalMethod: createApprovalMethodRouter(),
+		auth: createAuthRouter(t, auth)
+	});
+}
+function filterSingleResourceJump(resourceJumps, jumpResourceSlug, envSlug) {
+	const filteredResourceJump = resourceJumps.resourceJumps.find((item) => item.slug === jumpResourceSlug);
+	const filteredEnv = resourceJumps.envs.find((item) => item.slug === envSlug);
+	return {
+		resourceJumps: filteredResourceJump ? [filteredResourceJump] : [],
+		envs: filteredEnv ? [filteredEnv] : [],
+		lateResolvableParams: resourceJumps.lateResolvableParams
+	};
+}
+
+//#endregion
+//#region src/server/ehTrpcContext.ts
+function createEhTrpcContext({ companySpecificBackend, user = null, adminGroups }) {
+	return {
+		companySpecificBackend,
+		user,
+		adminGroups
+	};
+}
+
+//#endregion
+//#region src/server/ehStaticControllerContract.ts
+const staticControllerContract = { methods: {
+	getIcon: {
+		method: "get",
+		url: "icon/:icon"
+	},
+	getScreenshot: {
+		method: "get",
+		url: "screenshot/:id"
+	}
+} };
+
+//#endregion
+//#region src/modules/auth/auth.ts
+function createAuth(config) {
+	const prisma = getDbClient();
+	const isProduction = process.env.NODE_ENV === "production";
+	return betterAuth({
+		appName: config.appName || "EnvHopper",
+		baseURL: config.baseURL,
+		basePath: "/api/auth",
+		secret: config.secret,
+		database: prismaAdapter(prisma, { provider: "postgresql" }),
+		socialProviders: config.providers || {},
+		plugins: config.plugins || [],
+		emailAndPassword: { enabled: true },
+		session: {
+			expiresIn: config.sessionExpiresIn ?? 3600 * 24 * 30,
+			updateAge: config.sessionUpdateAge ?? 3600 * 24,
+			cookieCache: {
+				enabled: true,
+				maxAge: 300
+			}
+		},
+		advanced: { useSecureCookies: isProduction }
+	});
+}
+
+//#endregion
+//#region src/modules/auth/registerAuthRoutes.ts
+/**
+* Register Better Auth routes with Express
+* @param app - Express application instance
+* @param auth - Better Auth instance
+*/
+function registerAuthRoutes(app, auth) {
+	app.get("/api/auth/session", async (req, res) => {
+		try {
+			const session = await auth.api.getSession({ headers: req.headers });
+			if (session) res.json(session);
+			else res.status(401).json({ error: "Not authenticated" });
+		} catch (error) {
+			console.error("[Auth Session Error]", error);
+			res.status(500).json({ error: "Internal server error" });
+		}
+	});
+	const authHandler = toNodeHandler(auth);
+	app.all("/api/auth/{*any}", authHandler);
+}
+
+//#endregion
+//#region src/modules/admin/chat/createAdminChatHandler.ts
+function convertToCoreMessages(messages) {
+	return messages.map((msg) => {
+		var _msg$parts;
+		if (msg.content) return {
+			role: msg.role,
+			content: msg.content
+		};
+		const textContent = ((_msg$parts = msg.parts) === null || _msg$parts === void 0 ? void 0 : _msg$parts.filter((part) => part.type === "text").map((part) => part.text).join("")) ?? "";
+		return {
+			role: msg.role,
+			content: textContent
+		};
+	});
+}
+/**
+* Creates an Express handler for the admin chat endpoint.
+*
+* Usage in thin wrappers:
+*
+* ```typescript
+* // With OpenAI
+* import { openai } from '@ai-sdk/openai'
+* app.post('/api/admin/chat', createAdminChatHandler({
+*   model: openai('gpt-4o-mini'),
+* }))
+*
+* // With Claude
+* import { anthropic } from '@ai-sdk/anthropic'
+* app.post('/api/admin/chat', createAdminChatHandler({
+*   model: anthropic('claude-sonnet-4-20250514'),
+* }))
+* ```
+*/
+function createAdminChatHandler(options) {
+	const { model, systemPrompt = "You are a helpful admin assistant for the Env Hopper application. Help users manage apps, data sources, and MCP server configurations.", tools = {}, validateConfig } = options;
+	return async (req, res) => {
+		try {
+			if (validateConfig) validateConfig();
+			const { messages } = req.body;
+			const coreMessages = convertToCoreMessages(messages);
+			console.log("[Admin Chat] Received messages:", JSON.stringify(coreMessages, null, 2));
+			console.log("[Admin Chat] Available tools:", Object.keys(tools));
+			const response = streamText({
+				model,
+				system: systemPrompt,
+				messages: coreMessages,
+				tools,
+				stopWhen: stepCountIs(5),
+				onFinish: (event) => {
+					console.log("[Admin Chat] Finished:", {
+						finishReason: event.finishReason,
+						usage: event.usage,
+						hasText: !!event.text,
+						textLength: event.text.length
+					});
+				}
+			}).toUIMessageStreamResponse();
+			response.headers.forEach((value, key) => {
+				res.setHeader(key, value);
+			});
+			if (response.body) {
+				const reader = response.body.getReader();
+				const pump = async () => {
+					const { done, value } = await reader.read();
+					if (done) {
+						res.end();
+						return;
+					}
+					res.write(value);
+					return pump();
+				};
+				await pump();
+			} else {
+				console.error("[Admin Chat] No response body");
+				res.status(500).json({ error: "No response from AI model" });
+			}
+		} catch (error) {
+			console.error("[Admin Chat] Error:", error);
+			res.status(500).json({ error: "Failed to process chat request" });
+		}
+	};
+}
+
+//#endregion
+//#region src/modules/admin/chat/createDatabaseTools.ts
+/**
+* Creates a DatabaseClient from a Prisma client.
+*/
+function createPrismaDatabaseClient(prisma) {
+	return {
+		query: async (sql) => {
+			return await prisma.$queryRawUnsafe(sql);
+		},
+		execute: async (sql) => {
+			return { affectedRows: await prisma.$executeRawUnsafe(sql) };
+		},
+		getTables: async () => {
+			return (await prisma.$queryRawUnsafe(`SELECT tablename FROM pg_tables WHERE schemaname = 'public'`)).map((t$1) => t$1.tablename);
+		},
+		getColumns: async (tableName) => {
+			return (await prisma.$queryRawUnsafe(`SELECT column_name, data_type, is_nullable
+         FROM information_schema.columns
+         WHERE table_name = '${tableName}' AND table_schema = 'public'`)).map((c) => ({
+				name: c.column_name,
+				type: c.data_type,
+				nullable: c.is_nullable === "YES"
+			}));
+		}
+	};
+}
+const querySchema = z.object({ sql: z.string().describe("The SELECT SQL query to execute") });
+const modifySchema = z.object({
+	sql: z.string().describe("The INSERT, UPDATE, or DELETE SQL query to execute"),
+	confirmed: z.boolean().describe("Must be true to execute destructive operations")
+});
+const schemaParamsSchema = z.object({ tableName: z.string().optional().describe("Specific table name to get columns for. If not provided, returns list of all tables.") });
+/**
+* Creates a DatabaseClient using the internal backend-core Prisma client.
+* This is a convenience function for apps that don't need to pass their own Prisma client.
+*/
+function createInternalDatabaseClient() {
+	return createPrismaDatabaseClient(getDbClient());
+}
+/**
+* Creates AI tools for generic database access.
+*
+* The AI uses these internally - users interact via natural language.
+* Results are formatted as tables by the AI based on the system prompt.
+* Uses the internal backend-core Prisma client automatically.
+*/
+function createDatabaseTools() {
+	const db = createInternalDatabaseClient();
+	return {
+		queryDatabase: {
+			description: `Execute a SELECT query to read data from the database.
+Use this to list, search, or filter records from any table.
+Always use double quotes around table and column names for PostgreSQL (e.g., SELECT * FROM "App").
+Return results will be formatted as a table for the user.`,
+			inputSchema: querySchema,
+			execute: async ({ sql }) => {
+				console.log(`Executing ${sql}`);
+				if (!sql.trim().toUpperCase().startsWith("SELECT")) return { error: "Only SELECT queries are allowed with queryDatabase. Use modifyDatabase for changes." };
+				try {
+					const results = await db.query(sql);
+					return {
+						success: true,
+						rowCount: Array.isArray(results) ? results.length : 0,
+						data: results
+					};
+				} catch (error) {
+					return {
+						success: false,
+						error: error instanceof Error ? error.message : "Query failed"
+					};
+				}
+			}
+		},
+		modifyDatabase: {
+			description: `Execute an INSERT, UPDATE, or DELETE query to modify data.
+Use double quotes around table and column names for PostgreSQL.
+IMPORTANT: Always ask for user confirmation before executing. Set confirmed=true only after user confirms.
+For UPDATE/DELETE, always include a WHERE clause to avoid affecting all rows.`,
+			inputSchema: modifySchema,
+			execute: async ({ sql, confirmed }) => {
+				if (!confirmed) return {
+					needsConfirmation: true,
+					message: "Please confirm you want to execute this operation.",
+					sql
+				};
+				const normalizedSql = sql.trim().toUpperCase();
+				if (normalizedSql.startsWith("SELECT")) return { error: "Use queryDatabase for SELECT queries." };
+				if ((normalizedSql.startsWith("UPDATE") || normalizedSql.startsWith("DELETE")) && !normalizedSql.includes("WHERE")) return {
+					error: "UPDATE and DELETE queries must include a WHERE clause for safety.",
+					sql
+				};
+				try {
+					const result = await db.execute(sql);
+					return {
+						success: true,
+						affectedRows: result.affectedRows,
+						message: `Operation completed. ${result.affectedRows} row(s) affected.`
+					};
+				} catch (error) {
+					return {
+						success: false,
+						error: error instanceof Error ? error.message : "Operation failed"
+					};
+				}
+			}
+		},
+		getDatabaseSchema: {
+			description: `Get information about database tables and their columns.
+Use this to understand the database structure before writing queries.
+Call without tableName to list all tables, or with tableName to get columns for a specific table.`,
+			inputSchema: schemaParamsSchema,
+			execute: async ({ tableName }) => {
+				try {
+					if (tableName) return {
+						success: true,
+						table: tableName,
+						columns: await db.getColumns(tableName)
+					};
+					else return {
+						success: true,
+						tables: await db.getTables()
+					};
+				} catch (error) {
+					return {
+						success: false,
+						error: error instanceof Error ? error.message : "Failed to get schema"
+					};
+				}
+			}
+		}
+	};
+}
+/**
+* Default system prompt for the database admin assistant.
+* Can be customized or extended.
+*/
+const DEFAULT_ADMIN_SYSTEM_PROMPT = `You are a helpful database admin assistant. You help users view and manage data in the database.
+
+IMPORTANT RULES:
+1. When showing data, ALWAYS format it as a numbered ASCII table so users can reference rows by number
+2. NEVER show raw SQL to users - just describe what you're doing in plain language
+3. When users ask to modify data (update, delete, create), ALWAYS confirm before executing
+4. For updates, show the current value and ask for confirmation before changing
+5. Keep responses concise and focused on the data
+
+FORMATTING EXAMPLE:
+When user asks "show me all apps", respond like:
+"Here are all the apps:
+
+| # | ID | Slug    | Display Name    | Icon   |
+|---|----|---------|-----------------| -------|
+| 1 | 1  | portal  | Portal          | portal |
+| 2 | 2  | admin   | Admin Dashboard | admin  |
+| 3 | 3  | api     | API Service     | null   |
+
+Found 3 apps total."
+
+When user says "update row 2 display name to 'Admin Panel'":
+1. First confirm: "I'll update the app 'Admin Dashboard' (ID: 2) to have display name 'Admin Panel'. Proceed?"
+2. Only after user confirms, execute the update
+3. Then show the updated row
+
+AVAILABLE TABLES:
+Use getDatabaseSchema tool to discover tables and their columns.
+`;
+
+//#endregion
+//#region src/modules/icons/iconRestController.ts
+const upload$1 = multer({
+	storage: multer.memoryStorage(),
+	limits: { fileSize: 10 * 1024 * 1024 },
+	fileFilter: (_req, file, cb) => {
+		if (!file.mimetype.startsWith("image/")) {
+			cb(/* @__PURE__ */ new Error("Only image files are allowed"));
+			return;
+		}
+		cb(null, true);
+	}
+});
+/**
+* Registers REST endpoints for icon upload and retrieval
+*
+* Endpoints:
+* - POST {basePath}/upload - Upload a new icon (multipart/form-data with 'icon' field and 'name' field)
+* - GET {basePath}/:id - Get icon binary by ID
+* - GET {basePath}/:id/metadata - Get icon metadata only
+*/
+function registerIconRestController(router$1, config) {
+	const { basePath } = config;
+	router$1.post(`${basePath}/upload`, upload$1.single("icon"), async (req, res) => {
+		try {
+			if (!req.file) {
+				res.status(400).json({ error: "No file uploaded" });
+				return;
+			}
+			let name = req.body["name"];
+			if (!name) {
+				res.status(400).json({ error: "Name is required" });
+				return;
+			}
+			const extension = getExtensionFromFilename(req.file.originalname) || getExtensionFromMimeType(req.file.mimetype);
+			if (!name.includes(".")) name = `${name}.${extension}`;
+			const prisma = getDbClient();
+			const checksum = createHash("sha256").update(req.file.buffer).digest("hex");
+			const icon = await prisma.dbAsset.create({ data: {
+				name,
+				assetType: "icon",
+				content: new Uint8Array(req.file.buffer),
+				mimeType: req.file.mimetype,
+				fileSize: req.file.size,
+				checksum
+			} });
+			res.status(201).json({
+				id: icon.id,
+				name: icon.name,
+				mimeType: icon.mimeType,
+				fileSize: icon.fileSize,
+				createdAt: icon.createdAt
+			});
+		} catch (error) {
+			console.error("Error uploading icon:", error);
+			res.status(500).json({ error: "Failed to upload icon" });
+		}
+	});
+	router$1.get(`${basePath}/:name`, async (req, res) => {
+		try {
+			const { name } = req.params;
+			const icon = await getDbClient().dbAsset.findFirst({
+				where: {
+					name,
+					assetType: "icon"
+				},
+				select: {
+					content: true,
+					mimeType: true,
+					name: true
+				}
+			});
+			if (!icon) {
+				res.status(404).json({ error: "Icon not found" });
+				return;
+			}
+			res.setHeader("Content-Type", icon.mimeType);
+			res.setHeader("Content-Disposition", `inline; filename="${icon.name}"`);
+			res.setHeader("Cache-Control", "public, max-age=86400");
+			res.send(icon.content);
+		} catch (error) {
+			console.error("Error fetching icon:", error);
+			res.status(500).json({ error: "Failed to fetch icon" });
+		}
+	});
+	router$1.get(`${basePath}/:name/metadata`, async (req, res) => {
+		try {
+			const { name } = req.params;
+			const icon = await getDbClient().dbAsset.findFirst({
+				where: {
+					name,
+					assetType: "icon"
+				},
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+			if (!icon) {
+				res.status(404).json({ error: "Icon not found" });
+				return;
+			}
+			res.json(icon);
+		} catch (error) {
+			console.error("Error fetching icon metadata:", error);
+			res.status(500).json({ error: "Failed to fetch icon metadata" });
+		}
+	});
+}
+
+//#endregion
+//#region src/modules/icons/iconService.ts
+/**
+* Upsert an icon to the database.
+* If an icon with the same name exists, it will be updated.
+* Otherwise, a new icon will be created.
+*/
+async function upsertIcon(input) {
+	const prisma = getDbClient();
+	const checksum = generateChecksum(input.content);
+	const { width, height } = await getImageDimensions(input.content);
+	return prisma.dbAsset.upsert({
+		where: { name: input.name },
+		update: {
+			content: new Uint8Array(input.content),
+			checksum,
+			mimeType: input.mimeType,
+			fileSize: input.fileSize,
+			width,
+			height
+		},
+		create: {
+			name: input.name,
+			assetType: "icon",
+			content: new Uint8Array(input.content),
+			checksum,
+			mimeType: input.mimeType,
+			fileSize: input.fileSize,
+			width,
+			height
+		}
+	});
+}
+/**
+* Upsert multiple icons to the database.
+* This is more efficient than calling upsertIcon multiple times.
+*/
+async function upsertIcons(icons) {
+	const results = [];
+	for (const icon of icons) {
+		const result = await upsertIcon(icon);
+		results.push(result);
+	}
+	return results;
+}
+/**
+* Get an asset (icon or screenshot) by name from the database.
+* Returns the asset content, mimeType, and name if found.
+*/
+async function getAssetByName(name) {
+	return getDbClient().dbAsset.findUnique({
+		where: { name },
+		select: {
+			content: true,
+			mimeType: true,
+			name: true
+		}
+	});
+}
+
+//#endregion
+//#region src/modules/assets/assetRestController.ts
+const upload = multer({
+	storage: multer.memoryStorage(),
+	limits: { fileSize: 10 * 1024 * 1024 },
+	fileFilter: (_req, file, cb) => {
+		if (!file.mimetype.startsWith("image/")) {
+			cb(/* @__PURE__ */ new Error("Only image files are allowed"));
+			return;
+		}
+		cb(null, true);
+	}
+});
+/**
+* Registers REST endpoints for universal asset upload and retrieval
+*
+* Endpoints:
+* - POST {basePath}/upload - Upload a new asset (multipart/form-data)
+* - GET {basePath}/:id - Get asset binary by ID
+* - GET {basePath}/:id/metadata - Get asset metadata only
+* - GET {basePath}/by-name/:name - Get asset binary by name
+*/
+function registerAssetRestController(router$1, config) {
+	const { basePath } = config;
+	const prisma = getDbClient();
+	router$1.post(`${basePath}/upload`, upload.single("asset"), async (req, res) => {
+		try {
+			if (!req.file) {
+				res.status(400).json({ error: "No file uploaded" });
+				return;
+			}
+			const name = req.body["name"];
+			const assetType = req.body["assetType"];
+			if (!name) {
+				res.status(400).json({ error: "Name is required" });
+				return;
+			}
+			const id = await upsertAsset({
+				prisma,
+				buffer: req.file.buffer,
+				name,
+				originalFilename: req.file.filename,
+				assetType
+			});
+			res.status(201).json({ id });
+		} catch (error) {
+			console.error("Error uploading asset:", error);
+			res.status(500).json({ error: "Failed to upload asset" });
+		}
+	});
+	router$1.get(`${basePath}/:id`, async (req, res) => {
+		try {
+			const { id } = req.params;
+			const asset = await prisma.dbAsset.findUnique({
+				where: { id },
+				select: {
+					content: true,
+					mimeType: true,
+					name: true,
+					width: true,
+					height: true
+				}
+			});
+			if (!asset) {
+				res.status(404).json({ error: "Asset not found" });
+				return;
+			}
+			const resizeEnabled = String(process.env.EH_ASSETS_RESIZE_ENABLED || "true") === "true";
+			const wParam = req.query["w"];
+			const width = wParam ? Number.parseInt(wParam, 10) : void 0;
+			let outBuffer = asset.content;
+			let outMime = asset.mimeType;
+			if (resizeEnabled && isRasterImage(asset.mimeType) && !!width && Number.isFinite(width) && width > 0) {
+				const fmt = getImageFormat(asset.mimeType) || "jpeg";
+				const buf = await resizeImage(Buffer.from(asset.content), width, void 0, fmt);
+				outBuffer = new Uint8Array(buf);
+				outMime = `image/${fmt}`;
+			}
+			res.setHeader("Content-Type", outMime);
+			res.setHeader("Content-Disposition", `inline; filename="${asset.name}"`);
+			res.setHeader("Cache-Control", "public, max-age=86400");
+			res.send(outBuffer);
+		} catch (error) {
+			console.error("Error fetching asset:", error);
+			res.status(500).json({ error: "Failed to fetch asset" });
+		}
+	});
+	router$1.get(`${basePath}/:id/metadata`, async (req, res) => {
+		try {
+			const { id } = req.params;
+			const asset = await prisma.dbAsset.findUnique({
+				where: { id },
+				select: {
+					id: true,
+					name: true,
+					assetType: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+			if (!asset) {
+				res.status(404).json({ error: "Asset not found" });
+				return;
+			}
+			res.json(asset);
+		} catch (error) {
+			console.error("Error fetching asset metadata:", error);
+			res.status(500).json({ error: "Failed to fetch asset metadata" });
+		}
+	});
+	router$1.get(`${basePath}/by-name/:name`, async (req, res) => {
+		try {
+			const { name } = req.params;
+			const asset = await prisma.dbAsset.findUnique({
+				where: { name },
+				select: {
+					content: true,
+					mimeType: true,
+					name: true,
+					width: true,
+					height: true
+				}
+			});
+			if (!asset) {
+				res.status(404).json({ error: "Asset not found" });
+				return;
+			}
+			const resizeEnabled = String(process.env.EH_ASSETS_RESIZE_ENABLED || "true") === "true";
+			const wParam = req.query["w"];
+			const width = wParam ? Number.parseInt(wParam, 10) : void 0;
+			let outBuffer = asset.content;
+			let outMime = asset.mimeType;
+			const isRaster = asset.mimeType.startsWith("image/") && !asset.mimeType.includes("svg");
+			if (resizeEnabled && isRaster && !!width && Number.isFinite(width) && width > 0) {
+				const fmt = asset.mimeType.includes("png") ? "png" : asset.mimeType.includes("webp") ? "webp" : "jpeg";
+				let buf;
+				const pipeline = sharp(Buffer.from(asset.content)).resize({
+					width,
+					fit: "inside",
+					withoutEnlargement: true
+				});
+				if (fmt === "png") {
+					buf = await pipeline.png().toBuffer();
+					outMime = "image/png";
+				} else if (fmt === "webp") {
+					buf = await pipeline.webp().toBuffer();
+					outMime = "image/webp";
+				} else {
+					buf = await pipeline.jpeg().toBuffer();
+					outMime = "image/jpeg";
+				}
+				outBuffer = new Uint8Array(buf);
+			}
+			res.setHeader("Content-Type", outMime);
+			res.setHeader("Content-Disposition", `inline; filename="${asset.name}"`);
+			res.setHeader("Cache-Control", "public, max-age=86400");
+			res.send(outBuffer);
+		} catch (error) {
+			console.error("Error fetching asset by name:", error);
+			res.status(500).json({ error: "Failed to fetch asset" });
+		}
+	});
+}
+
+//#endregion
+//#region src/modules/assets/screenshotRestController.ts
+/**
+* Registers REST endpoints for screenshot retrieval
+* 
+* Endpoints:
+* - GET {basePath}/app/:appId - Get all screenshots for an app
+* - GET {basePath}/:id - Get screenshot binary by ID
+* - GET {basePath}/:id/metadata - Get screenshot metadata only
+*/
+function registerScreenshotRestController(router$1, config) {
+	const { basePath } = config;
+	router$1.get(`${basePath}/app/:appSlug`, async (req, res) => {
+		try {
+			const { appSlug } = req.params;
+			const prisma = getDbClient();
+			const app = await prisma.dbAppForCatalog.findUnique({
+				where: { slug: appSlug },
+				select: { screenshotIds: true }
+			});
+			if (!app) {
+				res.status(404).json({ error: "App not found" });
+				return;
+			}
+			const screenshots = await prisma.dbAsset.findMany({
+				where: {
+					id: { in: app.screenshotIds },
+					assetType: "screenshot"
+				},
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true
+				}
+			});
+			res.json(screenshots);
+		} catch (error) {
+			console.error("Error fetching app screenshots:", error);
+			res.status(500).json({ error: "Failed to fetch screenshots" });
+		}
+	});
+	router$1.get(`${basePath}/app/:appSlug/first`, async (req, res) => {
+		try {
+			const { appSlug } = req.params;
+			const prisma = getDbClient();
+			const app = await prisma.dbAppForCatalog.findUnique({
+				where: { slug: appSlug },
+				select: { screenshotIds: true }
+			});
+			if (!app || app.screenshotIds.length === 0) {
+				res.status(404).json({ error: "No screenshots found" });
+				return;
+			}
+			const screenshot = await prisma.dbAsset.findUnique({
+				where: { id: app.screenshotIds[0] },
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true
+				}
+			});
+			if (!screenshot) {
+				res.status(404).json({ error: "Screenshot not found" });
+				return;
+			}
+			res.json(screenshot);
+		} catch (error) {
+			console.error("Error fetching first screenshot:", error);
+			res.status(500).json({ error: "Failed to fetch screenshot" });
+		}
+	});
+	router$1.get(`${basePath}/:id`, async (req, res) => {
+		try {
+			const { id } = req.params;
+			const sizeParam = req.query.size;
+			const targetSize = sizeParam ? parseInt(sizeParam, 10) : void 0;
+			const screenshot = await getDbClient().dbAsset.findUnique({
+				where: { id },
+				select: {
+					content: true,
+					mimeType: true,
+					name: true
+				}
+			});
+			if (!screenshot) {
+				res.status(404).json({ error: "Screenshot not found" });
+				return;
+			}
+			let content = screenshot.content;
+			if (targetSize && targetSize > 0) try {
+				content = await sharp(screenshot.content).resize(targetSize, targetSize, {
+					fit: "inside",
+					withoutEnlargement: true
+				}).toBuffer();
+			} catch (resizeError) {
+				console.error("Error resizing screenshot:", resizeError);
+			}
+			res.setHeader("Content-Type", screenshot.mimeType);
+			res.setHeader("Content-Disposition", `inline; filename="${screenshot.name}"`);
+			res.setHeader("Cache-Control", "public, max-age=86400");
+			res.send(content);
+		} catch (error) {
+			console.error("Error fetching screenshot:", error);
+			res.status(500).json({ error: "Failed to fetch screenshot" });
+		}
+	});
+	router$1.get(`${basePath}/:id/metadata`, async (req, res) => {
+		try {
+			const { id } = req.params;
+			const screenshot = await getDbClient().dbAsset.findUnique({
+				where: { id },
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+			if (!screenshot) {
+				res.status(404).json({ error: "Screenshot not found" });
+				return;
+			}
+			res.json(screenshot);
+		} catch (error) {
+			console.error("Error fetching screenshot metadata:", error);
+			res.status(500).json({ error: "Failed to fetch screenshot metadata" });
+		}
+	});
+}
+
+//#endregion
+//#region src/modules/assets/syncAssets.ts
+/**
+* Sync local asset files (icons and screenshots) from directories into the database.
+*
+* This function allows consuming applications to sync asset files without directly
+* exposing the Prisma client. It handles:
+* - Icon files: Assigned to apps by matching filename to icon name patterns
+* - Screenshot files: Assigned to apps by matching filename to app ID (format: <app-id>_screenshot_<no>.<ext>)
+*
+* @param config Configuration with paths to icon and screenshot directories
+*/
+async function syncAssets(config) {
+	const prisma = getDbClient();
+	let iconsUpserted = 0;
+	let screenshotsUpserted = 0;
+	if (config.iconsDir) {
+		console.log(`📁 Syncing icons from ${config.iconsDir}...`);
+		iconsUpserted = await syncIconsFromDirectory(prisma, config.iconsDir);
+		console.log(`   ✓ Upserted ${iconsUpserted} icons`);
+	}
+	if (config.screenshotsDir) {
+		console.log(`📷 Syncing screenshots from ${config.screenshotsDir}...`);
+		screenshotsUpserted = await syncScreenshotsFromDirectory(prisma, config.screenshotsDir);
+		console.log(`   ✓ Upserted ${screenshotsUpserted} screenshots and assigned to apps`);
+	}
+	return {
+		iconsUpserted,
+		screenshotsUpserted
+	};
+}
+/**
+* Sync icon files from a directory
+*/
+async function syncIconsFromDirectory(prisma, iconsDir) {
+	let count = 0;
+	try {
+		const files = readdirSync(iconsDir);
+		for (const file of files) {
+			const filePath = join(iconsDir, file);
+			const ext = extname(file).toLowerCase().slice(1);
+			if (![
+				"png",
+				"jpg",
+				"jpeg",
+				"gif",
+				"webp",
+				"svg"
+			].includes(ext)) continue;
+			try {
+				const content = readFileSync(filePath);
+				const buffer = Buffer.from(content);
+				const checksum = generateChecksum(buffer);
+				const iconName = file.replace(/\.[^/.]+$/, "");
+				if (await prisma.dbAsset.findFirst({ where: {
+					checksum,
+					assetType: "icon"
+				} })) continue;
+				let width = null;
+				let height = null;
+				if (!ext.includes("svg")) {
+					const { width: w, height: h } = await getImageDimensions(buffer);
+					width = w ?? null;
+					height = h ?? null;
+				}
+				const mimeType = {
+					png: "image/png",
+					jpg: "image/jpeg",
+					jpeg: "image/jpeg",
+					gif: "image/gif",
+					webp: "image/webp",
+					svg: "image/svg+xml"
+				}[ext] || "application/octet-stream";
+				await prisma.dbAsset.create({ data: {
+					name: iconName,
+					assetType: "icon",
+					content: new Uint8Array(buffer),
+					checksum,
+					mimeType,
+					fileSize: buffer.length,
+					width,
+					height
+				} });
+				count++;
+			} catch (error) {
+				console.warn(`  ⚠ Failed to sync icon ${file}:`, error);
+			}
+		}
+	} catch (error) {
+		console.error(`  ❌ Error reading icons directory:`, error);
+	}
+	return count;
+}
+/**
+* Sync screenshot files from a directory and assign to apps
+*/
+async function syncScreenshotsFromDirectory(prisma, screenshotsDir) {
+	let count = 0;
+	try {
+		const files = readdirSync(screenshotsDir);
+		const screenshotsByApp = /* @__PURE__ */ new Map();
+		for (const file of files) {
+			const match = file.match(/^(.+?)_screenshot_(\d+)\.([^.]+)$/);
+			if (!match || !match[1] || !match[3]) continue;
+			const appId = match[1];
+			const ext = match[3];
+			if (!screenshotsByApp.has(appId)) screenshotsByApp.set(appId, []);
+			screenshotsByApp.get(appId).push({
+				path: join(screenshotsDir, file),
+				ext
+			});
+		}
+		for (const [appId, screenshots] of screenshotsByApp) try {
+			if (!await prisma.dbAppForCatalog.findUnique({
+				where: { slug: appId },
+				select: { id: true }
+			})) {
+				console.warn(`  ⚠ App not found: ${appId}`);
+				continue;
+			}
+			for (const screenshot of screenshots) try {
+				const content = readFileSync(screenshot.path);
+				const buffer = Buffer.from(content);
+				const checksum = generateChecksum(buffer);
+				const existing = await prisma.dbAsset.findFirst({ where: {
+					checksum,
+					assetType: "screenshot"
+				} });
+				if (existing) {
+					const existingApp = await prisma.dbAppForCatalog.findUnique({ where: { slug: appId } });
+					if (existingApp && !existingApp.screenshotIds.includes(existing.id)) await prisma.dbAppForCatalog.update({
+						where: { slug: appId },
+						data: { screenshotIds: [...existingApp.screenshotIds, existing.id] }
+					});
+					continue;
+				}
+				const { width, height } = await getImageDimensions(buffer);
+				const mimeType = {
+					png: "image/png",
+					jpg: "image/jpeg",
+					jpeg: "image/jpeg",
+					gif: "image/gif",
+					webp: "image/webp"
+				}[screenshot.ext.toLowerCase()] || "application/octet-stream";
+				const asset = await prisma.dbAsset.create({ data: {
+					name: `${appId}-screenshot-${Date.now()}`,
+					assetType: "screenshot",
+					content: new Uint8Array(buffer),
+					checksum,
+					mimeType,
+					fileSize: buffer.length,
+					width: width ?? null,
+					height: height ?? null
+				} });
+				await prisma.dbAppForCatalog.update({
+					where: { slug: appId },
+					data: { screenshotIds: { push: asset.id } }
+				});
+				count++;
+			} catch (error) {
+				console.warn(`  ⚠ Failed to sync screenshot ${screenshot.path}:`, error);
+			}
+		} catch (error) {
+			console.warn(`  ⚠ Failed to process app ${appId}:`, error);
+		}
+	} catch (error) {
+		console.error(`  ❌ Error reading screenshots directory:`, error);
+	}
+	return count;
+}
+
+//#endregion
+//#region src/modules/approvalMethod/syncApprovalMethods.ts
+/**
+* Syncs approval methods to the database using upsert logic based on type + displayName.
+*
+* @param prisma - The PrismaClient instance from the backend-core database
+* @param methods - Array of approval methods to sync
+*/
+async function syncApprovalMethods(prisma, methods) {
+	await prisma.$transaction(methods.map((method) => prisma.dbApprovalMethod.upsert({
+		where: { slug: method.slug },
+		update: {
+			displayName: method.displayName,
+			type: method.type
+		},
+		create: {
+			slug: method.slug,
+			type: method.type,
+			displayName: method.displayName
+		}
+	})));
+}
+
+//#endregion
+//#region src/middleware/database.ts
+/**
+* Formats a database connection URL from structured config.
+*/
+function formatConnectionUrl(config) {
+	if ("url" in config) return config.url;
+	const { host, port, database, username, password, schema = "public" } = config;
+	return `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${database}?schema=${schema}`;
+}
+/**
+* Internal database manager used by the middleware.
+* Handles connection URL formatting and lifecycle.
+*/
+var EhDatabaseManager = class {
+	constructor(config) {
+		this.client = null;
+		this.config = config;
+	}
+	/**
+	* Get or create the Prisma client instance.
+	* Uses lazy initialization for flexibility.
+	*/
+	getClient() {
+		if (!this.client) {
+			this.client = new PrismaClient({
+				datasourceUrl: formatConnectionUrl(this.config),
+				log: process.env.NODE_ENV === "development" ? ["warn", "error"] : ["warn", "error"]
+			});
+			setDbClient(this.client);
+		}
+		return this.client;
+	}
+	async connect() {
+		await this.getClient().$connect();
+	}
+	async disconnect() {
+		if (this.client) {
+			await this.client.$disconnect();
+			this.client = null;
+		}
+	}
+};
+
+//#endregion
+//#region src/middleware/backendResolver.ts
+/**
+* Type guard to check if an object implements EhBackendCompanySpecificBackend.
+*/
+function isBackendInstance(obj) {
+	return typeof obj === "object" && obj !== null && typeof obj.getBootstrapData === "function" && typeof obj.getAvailabilityMatrix === "function" && typeof obj.getNameMigrations === "function" && typeof obj.getResourceJumps === "function" && typeof obj.getResourceJumpsExtended === "function";
+}
+/**
+* Normalizes different backend provider types into a consistent async factory function.
+* Supports:
+* - Direct object implementing EhBackendCompanySpecificBackend
+* - Sync factory function that returns the backend
+* - Async factory function that returns the backend
+*/
+function createBackendResolver(provider) {
+	if (isBackendInstance(provider)) return async () => provider;
+	if (typeof provider === "function") return async () => {
+		const result = provider();
+		return result instanceof Promise ? result : result;
+	};
+	throw new Error("Invalid backend provider: must be an object implementing EhBackendCompanySpecificBackend or a factory function");
+}
+
+//#endregion
+//#region src/modules/appCatalogAdmin/catalogBackupController.ts
+/**
+* Export the complete app catalog as JSON
+* Includes all fields from DbAppForCatalog and DbApprovalMethod
+*/
+async function exportCatalog(_req, res) {
+	try {
+		const prisma = getDbClient();
+		const apps = await prisma.dbAppForCatalog.findMany({ orderBy: { slug: "asc" } });
+		const approvalMethods = await prisma.dbApprovalMethod.findMany({ orderBy: { displayName: "asc" } });
+		res.json({
+			version: "2.0",
+			exportDate: (/* @__PURE__ */ new Date()).toISOString(),
+			apps,
+			approvalMethods
+		});
+	} catch (error) {
+		console.error("Error exporting catalog:", error);
+		res.status(500).json({ error: "Failed to export catalog" });
+	}
+}
+/**
+* Import/restore the complete app catalog from JSON
+* Overwrites existing data
+*/
+async function importCatalog(req, res) {
+	try {
+		const prisma = getDbClient();
+		const { apps, approvalMethods } = req.body;
+		if (!Array.isArray(apps)) {
+			res.status(400).json({ error: "Invalid data format: apps must be an array" });
+			return;
+		}
+		await prisma.$transaction(async (tx) => {
+			if (Array.isArray(approvalMethods)) await tx.dbApprovalMethod.deleteMany({});
+			await tx.dbAppForCatalog.deleteMany({});
+			if (Array.isArray(approvalMethods)) for (const method of approvalMethods) {
+				const { id, createdAt, updatedAt,...methodData } = method;
+				await tx.dbApprovalMethod.create({ data: methodData });
+			}
+			for (const app of apps) {
+				const { id, createdAt, updatedAt,...appData } = app;
+				await tx.dbAppForCatalog.create({ data: appData });
+			}
+		});
+		res.json({
+			success: true,
+			imported: {
+				apps: apps.length,
+				approvalMethods: Array.isArray(approvalMethods) ? approvalMethods.length : 0
+			}
+		});
+	} catch (error) {
+		console.error("Error importing catalog:", error);
+		res.status(500).json({ error: "Failed to import catalog" });
+	}
+}
+/**
+* Export an asset (icon or screenshot) by name
+*/
+async function exportAsset(req, res) {
+	try {
+		const { name } = req.params;
+		const asset = await getDbClient().dbAsset.findUnique({ where: { name } });
+		if (!asset) {
+			res.status(404).json({ error: "Asset not found" });
+			return;
+		}
+		res.set("Content-Type", asset.mimeType);
+		res.set("Content-Disposition", `attachment; filename="${name}"`);
+		res.send(Buffer.from(asset.content));
+	} catch (error) {
+		console.error("Error exporting asset:", error);
+		res.status(500).json({ error: "Failed to export asset" });
+	}
+}
+/**
+* List all assets with metadata
+*/
+async function listAssets(_req, res) {
+	try {
+		const assets = await getDbClient().dbAsset.findMany({
+			select: {
+				id: true,
+				name: true,
+				assetType: true,
+				mimeType: true,
+				fileSize: true,
+				width: true,
+				height: true,
+				checksum: true
+			},
+			orderBy: { name: "asc" }
+		});
+		res.json({ assets });
+	} catch (error) {
+		console.error("Error listing assets:", error);
+		res.status(500).json({ error: "Failed to list assets" });
+	}
+}
+/**
+* Import an asset (icon or screenshot)
+*/
+async function importAsset(req, res) {
+	try {
+		const file = req.file;
+		const { name, assetType, mimeType, width, height } = req.body;
+		if (!file) {
+			res.status(400).json({ error: "No file uploaded" });
+			return;
+		}
+		const prisma = getDbClient();
+		const checksum = (await import("node:crypto")).createHash("sha256").update(file.buffer).digest("hex");
+		const content = new Uint8Array(file.buffer);
+		await prisma.dbAsset.upsert({
+			where: { name },
+			update: {
+				content,
+				checksum,
+				mimeType: mimeType || file.mimetype,
+				fileSize: file.size,
+				width: width ? parseInt(width) : null,
+				height: height ? parseInt(height) : null,
+				assetType: assetType || "icon"
+			},
+			create: {
+				name,
+				content,
+				checksum,
+				mimeType: mimeType || file.mimetype,
+				fileSize: file.size,
+				width: width ? parseInt(width) : null,
+				height: height ? parseInt(height) : null,
+				assetType: assetType || "icon"
+			}
+		});
+		res.json({
+			success: true,
+			name,
+			size: file.size
+		});
+	} catch (error) {
+		console.error("Error importing asset:", error);
+		res.status(500).json({ error: "Failed to import asset" });
+	}
+}
+
+//#endregion
+//#region src/modules/auth/devMockUserUtils.ts
+/**
+* Creates a complete User object from basic dev mock user details
+*/
+function createMockUserFromDevConfig(devUser) {
+	return {
+		id: devUser.id,
+		email: devUser.email,
+		name: devUser.name,
+		emailVerified: true,
+		createdAt: /* @__PURE__ */ new Date(),
+		updatedAt: /* @__PURE__ */ new Date(),
+		env_hopper_groups: devUser.groups
+	};
+}
+/**
+* Creates a mock session response for /api/auth/session endpoint
+*/
+function createMockSessionResponse(devUser) {
+	return {
+		user: {
+			id: devUser.id,
+			email: devUser.email,
+			name: devUser.name,
+			emailVerified: true,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+			updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+			env_hopper_groups: devUser.groups
+		},
+		session: {
+			id: `${devUser.id}-session`,
+			userId: devUser.id,
+			expiresAt: new Date(Date.now() + 1e3 * 60 * 60 * 24 * 30).toISOString(),
+			token: `${devUser.id}-token`,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+			updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+		}
+	};
+}
+
+//#endregion
+//#region src/middleware/featureRegistry.ts
+const FEATURES = [
+	{
+		name: "auth",
+		defaultEnabled: true,
+		register: (router$1, options, ctx) => {
+			const basePath = options.basePath;
+			router$1.get(`${basePath}/auth/session`, async (req, res) => {
+				try {
+					if (ctx.authConfig.devMockUser) {
+						res.json(createMockSessionResponse(ctx.authConfig.devMockUser));
+						return;
+					}
+					const session = await ctx.auth.api.getSession({ headers: req.headers });
+					if (session) res.json(session);
+					else res.status(401).json({ error: "Not authenticated" });
+				} catch (error) {
+					console.error("[Auth Session Error]", error);
+					res.status(500).json({ error: "Internal server error" });
+				}
+			});
+			const authHandler = toNodeHandler(ctx.auth);
+			router$1.all(`${basePath}/auth/{*any}`, authHandler);
+		}
+	},
+	{
+		name: "adminChat",
+		defaultEnabled: false,
+		register: (router$1, options) => {
+			if (options.adminChat) router$1.post(`${options.basePath}/admin/chat`, createAdminChatHandler(options.adminChat));
+		}
+	},
+	{
+		name: "legacyIconEndpoint",
+		defaultEnabled: false,
+		register: (router$1) => {
+			router$1.get("/static/icon/:icon", async (req, res) => {
+				const { icon } = req.params;
+				if (!icon || !/^[a-z0-9-]+$/i.test(icon)) {
+					res.status(400).send("Invalid icon name");
+					return;
+				}
+				try {
+					const dbIcon = await getAssetByName(icon);
+					if (!dbIcon) {
+						res.status(404).send("Icon not found");
+						return;
+					}
+					res.setHeader("Content-Type", dbIcon.mimeType);
+					res.setHeader("Cache-Control", "public, max-age=86400");
+					res.send(dbIcon.content);
+				} catch (error) {
+					console.error("Error fetching icon:", error);
+					res.status(404).send("Icon not found");
+				}
+			});
+		}
+	}
+];
+/**
+* Registers all enabled features on the router.
+*/
+function registerFeatures(router$1, options, context) {
+	const basePath = options.basePath;
+	registerIconRestController(router$1, { basePath: `${basePath}/icons` });
+	registerAssetRestController(router$1, { basePath: `${basePath}/assets` });
+	registerScreenshotRestController(router$1, { basePath: `${basePath}/screenshots` });
+	const upload$2 = multer({ storage: multer.memoryStorage() });
+	router$1.get(`${basePath}/catalog/backup/export`, exportCatalog);
+	router$1.post(`${basePath}/catalog/backup/import`, importCatalog);
+	router$1.get(`${basePath}/catalog/backup/assets`, listAssets);
+	router$1.get(`${basePath}/catalog/backup/assets/:name`, exportAsset);
+	router$1.post(`${basePath}/catalog/backup/assets`, upload$2.single("file"), importAsset);
+	const toggles = options.features || {};
+	for (const feature of FEATURES) {
+		const isEnabled = toggles[feature.name] ?? feature.defaultEnabled;
+		if (feature.name === "adminChat" && !options.adminChat) continue;
+		if (isEnabled) feature.register(router$1, options, context);
+	}
+}
+
+//#endregion
+//#region src/middleware/createEhMiddleware.ts
+async function createEhMiddleware(options) {
+	var _normalizedOptions$fe, _options$hooks;
+	const basePath = options.basePath ?? "/api";
+	const normalizedOptions = {
+		...options,
+		basePath
+	};
+	const dbManager = new EhDatabaseManager(options.database);
+	dbManager.getClient();
+	const auth = createAuth({
+		appName: options.auth.appName,
+		baseURL: options.auth.baseURL,
+		secret: options.auth.secret,
+		providers: options.auth.providers,
+		plugins: options.auth.plugins,
+		sessionExpiresIn: options.auth.sessionExpiresIn,
+		sessionUpdateAge: options.auth.sessionUpdateAge
+	});
+	const trpcRouter = createTrpcRouter(auth);
+	const resolveBackend = createBackendResolver(options.backend);
+	const adminGroups = options.auth.adminGroups ?? ["env_hopper_ui_super_admins"];
+	const createContext = async ({ req }) => {
+		const companySpecificBackend = await resolveBackend();
+		let user = null;
+		let userGroups = [];
+		if (options.auth.devMockUser) {
+			user = createMockUserFromDevConfig(options.auth.devMockUser);
+			userGroups = options.auth.devMockUser.groups;
+		} else try {
+			const session = await auth.api.getSession({ headers: req.headers });
+			user = (session === null || session === void 0 ? void 0 : session.user) ?? null;
+			if (user && options.auth.oktaGroupsClaim) try {
+				const tokenResult = await auth.api.getAccessToken({
+					body: { providerId: "okta" },
+					headers: req.headers
+				});
+				if (tokenResult.accessToken) {
+					const parts = tokenResult.accessToken.split(".");
+					if (parts.length === 3 && parts[1]) {
+						const groups = JSON.parse(Buffer.from(parts[1], "base64").toString())[options.auth.oktaGroupsClaim];
+						userGroups = Array.isArray(groups) ? groups : [];
+					}
+				}
+			} catch (error) {
+				console.error("[tRPC Context] Failed to get access token:", error);
+			}
+		} catch (error) {
+			console.error("[tRPC Context] Failed to get session:", error);
+		}
+		return createEhTrpcContext({
+			companySpecificBackend,
+			user: user ? {
+				...user,
+				groups: userGroups
+			} : null,
+			adminGroups
+		});
+	};
+	const router$1 = Router();
+	router$1.use(express.json());
+	const middlewareContext = {
+		auth,
+		trpcRouter,
+		createContext: async () => {
+			return createEhTrpcContext({
+				companySpecificBackend: await resolveBackend(),
+				adminGroups
+			});
+		},
+		authConfig: options.auth
+	};
+	if (((_normalizedOptions$fe = normalizedOptions.features) === null || _normalizedOptions$fe === void 0 ? void 0 : _normalizedOptions$fe.trpc) !== false) router$1.use(`${basePath}/trpc`, trpcExpress.createExpressMiddleware({
+		router: trpcRouter,
+		createContext
+	}));
+	registerFeatures(router$1, normalizedOptions, middlewareContext);
+	if ((_options$hooks = options.hooks) === null || _options$hooks === void 0 ? void 0 : _options$hooks.onRoutesRegistered) await options.hooks.onRoutesRegistered(router$1);
+	return {
+		router: router$1,
+		auth,
+		trpcRouter,
+		async connect() {
+			var _options$hooks2;
+			await dbManager.connect();
+			if ((_options$hooks2 = options.hooks) === null || _options$hooks2 === void 0 ? void 0 : _options$hooks2.onDatabaseConnected) await options.hooks.onDatabaseConnected();
+		},
+		async disconnect() {
+			var _options$hooks3;
+			if ((_options$hooks3 = options.hooks) === null || _options$hooks3 === void 0 ? void 0 : _options$hooks3.onDatabaseDisconnecting) await options.hooks.onDatabaseDisconnecting();
+			await dbManager.disconnect();
+		},
+		addRoutes(callback) {
+			callback(router$1);
+		}
+	};
+}
+
+//#endregion
+export { DEFAULT_ADMIN_SYSTEM_PROMPT, EhDatabaseManager, TABLE_SYNC_MAGAZINE, connectDb, createAdminChatHandler, createAppCatalogAdminRouter, createApprovalMethodRouter, createAuth, createAuthRouter, createDatabaseTools, createEhMiddleware, createEhTrpcContext, createPrismaDatabaseClient, createScreenshotRouter, createTrpcRouter, disconnectDb, getAssetByName, getDbClient, getUserGroups, isAdmin, isMemberOfAllGroups, isMemberOfAnyGroup, registerAssetRestController, registerAuthRoutes, registerIconRestController, registerScreenshotRestController, requireAdmin, requireGroups, setDbClient, staticControllerContract, syncAppCatalog, syncApprovalMethods, syncAssets, tableSyncPrisma, tool, upsertIcon, upsertIcons };
+//# sourceMappingURL=index.js.map