@env-hopper/backend-core 2.0.1-alpha → 2.0.1-alpha.2

package/dist/index.js

@@ -0,0 +1,1806 @@
+import { initTRPC } from "@trpc/server";
+import z$1, { z } from "zod";
+import { PrismaClient } from "@prisma/client";
+import { tableSync } from "@env-hopper/table-sync";
+import { mapValues, omit, pick } from "radashi";
+import { createHash } from "node:crypto";
+import sharp from "sharp";
+import { betterAuth } from "better-auth";
+import { prismaAdapter } from "better-auth/adapters/prisma";
+import { toNodeHandler } from "better-auth/node";
+import { genericOAuth, okta } from "better-auth/plugins";
+import { stepCountIs, streamText, tool } from "ai";
+import multer from "multer";
+import { readFileSync, readdirSync } from "node:fs";
+import { extname, join } from "node:path";
+
+//#region src/db/client.ts
+let prismaClient = null;
+/**
+* Gets the internal Prisma client instance.
+* Creates one if it doesn't exist.
+*/
+function getDbClient() {
+	if (!prismaClient) prismaClient = new PrismaClient();
+	return prismaClient;
+}
+/**
+* Connects to the database.
+* Call this before performing database operations.
+*/
+async function connectDb() {
+	await getDbClient().$connect();
+}
+/**
+* Disconnects from the database.
+* Call this when done with database operations (e.g., in scripts).
+*/
+async function disconnectDb() {
+	if (prismaClient) {
+		await prismaClient.$disconnect();
+		prismaClient = null;
+	}
+}
+
+//#endregion
+//#region src/modules/appCatalog/service.ts
+function capitalize(word) {
+	if (!word) return word;
+	return word.charAt(0).toUpperCase() + word.slice(1);
+}
+async function getAppsFromPrisma() {
+	return (await getDbClient().dbAppForCatalog.findMany()).map((row) => {
+		const access = row.access;
+		const roles = row.roles == null ? void 0 : row.roles;
+		const teams = row.teams ?? [];
+		const tags = row.tags ?? [];
+		const screenshotIds = row.screenshotIds ?? [];
+		const notes = row.notes == null ? void 0 : row.notes;
+		const appUrl = row.appUrl == null ? void 0 : row.appUrl;
+		const iconName = row.iconName == null ? void 0 : row.iconName;
+		return {
+			id: row.id,
+			slug: row.slug,
+			displayName: row.displayName,
+			description: row.description,
+			access,
+			teams,
+			roles,
+			approver: row.approverName && row.approverEmail ? {
+				name: row.approverName,
+				email: row.approverEmail
+			} : void 0,
+			notes,
+			tags,
+			appUrl,
+			iconName,
+			screenshotIds
+		};
+	});
+}
+function deriveCategories(apps) {
+	const tagSet = /* @__PURE__ */ new Set();
+	for (const app of apps) for (const tag of app.tags ?? []) {
+		const normalized = tag.trim().toLowerCase();
+		if (normalized) tagSet.add(normalized);
+	}
+	const categories = [{
+		id: "all",
+		name: "All"
+	}];
+	for (const tag of Array.from(tagSet).sort()) categories.push({
+		id: tag,
+		name: capitalize(tag)
+	});
+	return categories;
+}
+async function getAppCatalogData(getAppsOptional) {
+	const apps = getAppsOptional ? await getAppsOptional() : await getAppsFromPrisma();
+	return {
+		apps,
+		categories: deriveCategories(apps)
+	};
+}
+
+//#endregion
+//#region src/db/tableSyncPrismaAdapter.ts
+function getPrismaModelOperations(prisma, prismaModelName) {
+	return prisma[prismaModelName.slice(0, 1).toLowerCase() + prismaModelName.slice(1)];
+}
+function tableSyncPrisma(params) {
+	const { prisma, prismaModelName, uniqColumns, where: whereGlobal, upsertOnly } = params;
+	const prismOperations = getPrismaModelOperations(prisma, prismaModelName);
+	return tableSync({
+		id: "id",
+		uniqColumns,
+		readAll: async () => {
+			const findManyArgs = whereGlobal ? { where: whereGlobal } : {};
+			return await prismOperations.findMany(findManyArgs);
+		},
+		writeAll: async (createData, update, deleteIds) => {
+			const prismaUniqKey = params.uniqColumns.join("_");
+			const relationColumnList = params.relationColumns ?? [];
+			return prisma.$transaction(async (tx) => {
+				const txOps = getPrismaModelOperations(tx, prismaModelName);
+				for (const { data, where } of update) {
+					const uniqKeyWhere = Object.keys(where).length > 1 ? { [prismaUniqKey]: where } : where;
+					const dataScalar = omit(data, relationColumnList);
+					const dataRelations = mapValues(pick(data, relationColumnList), (value) => {
+						return { set: value };
+					});
+					await txOps.update({
+						data: {
+							...dataScalar,
+							...dataRelations
+						},
+						where: { ...uniqKeyWhere }
+					});
+				}
+				if (upsertOnly !== true) await txOps.deleteMany({ where: { id: { in: deleteIds } } });
+				const createDataMapped = createData.map((data) => {
+					const dataScalar = omit(data, relationColumnList);
+					const dataRelations = mapValues(pick(data, relationColumnList), (value) => {
+						return { connect: value };
+					});
+					return {
+						...dataScalar,
+						...dataRelations
+					};
+				});
+				if (createDataMapped.length > 0) {
+					const uniqKeysInCreate = /* @__PURE__ */ new Set();
+					const duplicateKeys = [];
+					for (const data of createDataMapped) {
+						const key = params.uniqColumns.map((col) => {
+							const value = data[col];
+							return value === null || value === void 0 ? "null" : String(value);
+						}).join(":");
+						if (uniqKeysInCreate.has(key)) duplicateKeys.push(key);
+						else uniqKeysInCreate.add(key);
+					}
+					if (duplicateKeys.length > 0) {
+						const uniqColumnsStr = params.uniqColumns.join(", ");
+						throw new Error(`Duplicate unique key values found in data to be created. Model: ${prismaModelName}, Unique columns: [${uniqColumnsStr}], Duplicate keys: [${duplicateKeys.join(", ")}]`);
+					}
+				}
+				const results = [];
+				if (relationColumnList.length === 0) {
+					const batchResult = await txOps.createManyAndReturn({ data: createDataMapped });
+					results.push(...batchResult);
+				} else for (const dataMappedElement of createDataMapped) {
+					const newVar = await txOps.create({ data: dataMappedElement });
+					results.push(newVar);
+				}
+				return results;
+			});
+		}
+	});
+}
+
+//#endregion
+//#region src/db/tableSyncMagazine.ts
+const TABLE_SYNC_MAGAZINE = { DbAppForCatalog: {
+	prismaModelName: "DbAppForCatalog",
+	uniqColumns: ["slug"]
+} };
+
+//#endregion
+//#region src/db/syncAppCatalog.ts
+/**
+* Syncs app catalog data to the database using table sync.
+* This will create new apps, update existing ones, and delete any that are no longer in the input.
+*
+* Note: Call connectDb() before and disconnectDb() after if running in a script.
+*/
+async function syncAppCatalog(apps) {
+	const sync = tableSyncPrisma({
+		prisma: getDbClient(),
+		...TABLE_SYNC_MAGAZINE.DbAppForCatalog
+	});
+	const dbApps = apps.map((app) => {
+		var _app$approver, _app$approver2;
+		return {
+			slug: app.slug || app.displayName.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, ""),
+			displayName: app.displayName,
+			description: app.description,
+			access: app.access,
+			teams: app.teams ?? [],
+			roles: app.roles ?? null,
+			approverName: ((_app$approver = app.approver) === null || _app$approver === void 0 ? void 0 : _app$approver.name) ?? null,
+			approverEmail: ((_app$approver2 = app.approver) === null || _app$approver2 === void 0 ? void 0 : _app$approver2.email) ?? null,
+			notes: app.notes ?? null,
+			tags: app.tags ?? [],
+			appUrl: app.appUrl ?? null,
+			links: app.links ?? null,
+			iconName: app.iconName ?? null,
+			screenshotIds: app.screenshotIds ?? []
+		};
+	});
+	const actual = (await sync.sync(dbApps)).getActual();
+	return {
+		created: actual.length - apps.length + (apps.length - actual.length),
+		updated: 0,
+		deleted: 0,
+		total: actual.length
+	};
+}
+
+//#endregion
+//#region src/modules/appCatalogAdmin/appCatalogAdminRouter.ts
+const AccessMethodSchema = z.object({ type: z.enum([
+	"bot",
+	"ticketing",
+	"email",
+	"self-service",
+	"documentation",
+	"manual"
+]) }).passthrough();
+const AppLinkSchema = z.object({
+	displayName: z.string().optional(),
+	url: z.string().url()
+});
+const AppRoleSchema = z.object({
+	id: z.string(),
+	name: z.string(),
+	description: z.string().optional()
+});
+const ApproverSchema = z.object({
+	name: z.string(),
+	email: z.string().email()
+});
+const CreateAppForCatalogSchema = z.object({
+	slug: z.string().min(1).regex(/^[a-z0-9-]+$/, "Slug must be lowercase alphanumeric with hyphens"),
+	displayName: z.string().min(1),
+	description: z.string(),
+	access: AccessMethodSchema,
+	teams: z.array(z.string()).optional(),
+	roles: z.array(AppRoleSchema).optional(),
+	approver: ApproverSchema.optional(),
+	notes: z.string().optional(),
+	tags: z.array(z.string()).optional(),
+	appUrl: z.string().url().optional(),
+	links: z.array(AppLinkSchema).optional(),
+	iconName: z.string().optional(),
+	screenshotIds: z.array(z.string()).optional()
+});
+const UpdateAppForCatalogSchema = CreateAppForCatalogSchema.partial().extend({ id: z.string() });
+function createAppCatalogAdminRouter(t$1) {
+	const router$1 = t$1.router;
+	const publicProcedure$1 = t$1.procedure;
+	return router$1({
+		list: publicProcedure$1.query(async () => {
+			return getDbClient().dbAppForCatalog.findMany({ orderBy: { displayName: "asc" } });
+		}),
+		getById: publicProcedure$1.input(z.object({ id: z.string() })).query(async ({ input }) => {
+			return getDbClient().dbAppForCatalog.findUnique({ where: { id: input.id } });
+		}),
+		create: publicProcedure$1.input(CreateAppForCatalogSchema).mutation(async ({ input }) => {
+			const prisma = getDbClient();
+			const { approver,...rest } = input;
+			return prisma.dbAppForCatalog.create({ data: {
+				...rest,
+				approverName: (approver === null || approver === void 0 ? void 0 : approver.name) ?? null,
+				approverEmail: (approver === null || approver === void 0 ? void 0 : approver.email) ?? null,
+				teams: input.teams ?? [],
+				tags: input.tags ?? [],
+				screenshotIds: input.screenshotIds ?? []
+			} });
+		}),
+		update: publicProcedure$1.input(UpdateAppForCatalogSchema).mutation(async ({ input }) => {
+			const prisma = getDbClient();
+			const { id, approver,...rest } = input;
+			return prisma.dbAppForCatalog.update({
+				where: { id },
+				data: {
+					...rest,
+					...approver !== void 0 && {
+						approverName: approver.name || null,
+						approverEmail: approver.email || null
+					}
+				}
+			});
+		}),
+		delete: publicProcedure$1.input(z.object({ id: z.string() })).mutation(async ({ input }) => {
+			return getDbClient().dbAppForCatalog.delete({ where: { id: input.id } });
+		})
+	});
+}
+
+//#endregion
+//#region src/modules/assets/screenshotRouter.ts
+function createScreenshotRouter(t$1) {
+	const router$1 = t$1.router;
+	const publicProcedure$1 = t$1.procedure;
+	return router$1({
+		list: publicProcedure$1.query(async () => {
+			return getDbClient().dbAsset.findMany({
+				where: { assetType: "screenshot" },
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true,
+					updatedAt: true
+				},
+				orderBy: { createdAt: "desc" }
+			});
+		}),
+		getOne: publicProcedure$1.input(z.object({ id: z.string() })).query(async ({ input }) => {
+			return getDbClient().dbAsset.findFirst({
+				where: {
+					id: input.id,
+					assetType: "screenshot"
+				},
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+		}),
+		getByAppSlug: publicProcedure$1.input(z.object({ appSlug: z.string() })).query(async ({ input }) => {
+			const prisma = getDbClient();
+			const app = await prisma.dbAppForCatalog.findUnique({
+				where: { slug: input.appSlug },
+				select: { screenshotIds: true }
+			});
+			if (!app) return [];
+			return prisma.dbAsset.findMany({
+				where: {
+					id: { in: app.screenshotIds },
+					assetType: "screenshot"
+				},
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+		}),
+		getFirstByAppSlug: publicProcedure$1.input(z.object({ appSlug: z.string() })).query(async ({ input }) => {
+			const prisma = getDbClient();
+			const app = await prisma.dbAppForCatalog.findUnique({
+				where: { slug: input.appSlug },
+				select: { screenshotIds: true }
+			});
+			if (!app || app.screenshotIds.length === 0) return null;
+			return prisma.dbAsset.findUnique({
+				where: { id: app.screenshotIds[0] },
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+		})
+	});
+}
+
+//#endregion
+//#region src/modules/auth/authRouter.ts
+/**
+* Create auth tRPC procedures
+* @param t - tRPC instance
+* @param auth - Better Auth instance (optional, for future extensions)
+* @returns tRPC router with auth procedures
+*/
+function createAuthRouter(t$1, auth) {
+	const router$1 = t$1.router;
+	const publicProcedure$1 = t$1.procedure;
+	return router$1({
+		getSession: publicProcedure$1.query(async ({ ctx }) => {
+			const contextWithUser = ctx;
+			return {
+				user: contextWithUser.user ?? null,
+				isAuthenticated: !!contextWithUser.user
+			};
+		}),
+		getProviders: publicProcedure$1.query(() => {
+			const providers = [];
+			const authOptions = auth === null || auth === void 0 ? void 0 : auth.options;
+			if (authOptions === null || authOptions === void 0 ? void 0 : authOptions.socialProviders) {
+				const socialProviders = authOptions.socialProviders;
+				Object.keys(socialProviders).forEach((key) => {
+					if (socialProviders[key]) providers.push(key);
+				});
+			}
+			if (authOptions === null || authOptions === void 0 ? void 0 : authOptions.plugins) authOptions.plugins.forEach((plugin) => {
+				var _pluginWithConfig$opt;
+				const pluginWithConfig = plugin;
+				if (pluginWithConfig.id === "generic-oauth" && ((_pluginWithConfig$opt = pluginWithConfig.options) === null || _pluginWithConfig$opt === void 0 ? void 0 : _pluginWithConfig$opt.config)) (Array.isArray(pluginWithConfig.options.config) ? pluginWithConfig.options.config : [pluginWithConfig.options.config]).forEach((config) => {
+					if (config.providerId) providers.push(config.providerId);
+				});
+			});
+			return { providers };
+		})
+	});
+}
+
+//#endregion
+//#region src/modules/assets/assetUtils.ts
+/**
+* Extract image dimensions from a buffer using sharp
+*/
+async function getImageDimensions(buffer) {
+	try {
+		const metadata = await sharp(buffer).metadata();
+		return {
+			width: metadata.width ?? null,
+			height: metadata.height ?? null
+		};
+	} catch (error) {
+		console.error("Error extracting image dimensions:", error);
+		return {
+			width: null,
+			height: null
+		};
+	}
+}
+/**
+* Resize an image buffer to the specified dimensions
+* @param buffer - The image buffer to resize
+* @param width - Target width (optional)
+* @param height - Target height (optional)
+* @param format - Output format ('png', 'jpeg', 'webp'), auto-detected if not provided
+*/
+async function resizeImage(buffer, width, height, format) {
+	let pipeline = sharp(buffer);
+	if (width || height) pipeline = pipeline.resize({
+		width,
+		height,
+		fit: "inside",
+		withoutEnlargement: true
+	});
+	if (format === "png") pipeline = pipeline.png();
+	else if (format === "webp") pipeline = pipeline.webp();
+	else if (format === "jpeg") pipeline = pipeline.jpeg();
+	return pipeline.toBuffer();
+}
+/**
+* Generate SHA-256 checksum for a buffer
+*/
+function generateChecksum(buffer) {
+	return createHash("sha256").update(buffer).digest("hex");
+}
+/**
+* Detect image format from mime type
+*/
+function getImageFormat(mimeType) {
+	if (mimeType.includes("png")) return "png";
+	if (mimeType.includes("webp")) return "webp";
+	if (mimeType.includes("jpeg") || mimeType.includes("jpg")) return "jpeg";
+	return null;
+}
+/**
+* Check if a mime type represents a raster image (not SVG)
+*/
+function isRasterImage(mimeType) {
+	return mimeType.startsWith("image/") && !mimeType.includes("svg");
+}
+
+//#endregion
+//#region src/modules/icons/iconRouter.ts
+function createIconRouter(t$1) {
+	const router$1 = t$1.router;
+	const publicProcedure$1 = t$1.procedure;
+	return router$1({
+		list: publicProcedure$1.query(async () => {
+			return getDbClient().dbAsset.findMany({
+				where: { assetType: "icon" },
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					createdAt: true,
+					updatedAt: true
+				},
+				orderBy: { name: "asc" }
+			});
+		}),
+		getOne: publicProcedure$1.input(z.object({ id: z.string() })).query(async ({ input }) => {
+			return getDbClient().dbAsset.findFirst({ where: {
+				id: input.id,
+				assetType: "icon"
+			} });
+		}),
+		create: publicProcedure$1.input(z.object({
+			name: z.string().min(1),
+			content: z.string(),
+			mimeType: z.string(),
+			fileSize: z.number().int().positive()
+		})).mutation(async ({ input }) => {
+			const prisma = getDbClient();
+			const buffer = Buffer.from(input.content, "base64");
+			const checksum = generateChecksum(buffer);
+			const { width, height } = await getImageDimensions(buffer);
+			const existing = await prisma.dbAsset.findFirst({ where: {
+				checksum,
+				assetType: "icon"
+			} });
+			if (existing) return existing;
+			return prisma.dbAsset.create({ data: {
+				name: input.name,
+				assetType: "icon",
+				content: new Uint8Array(buffer),
+				checksum,
+				mimeType: input.mimeType,
+				fileSize: input.fileSize,
+				width,
+				height
+			} });
+		}),
+		update: publicProcedure$1.input(z.object({
+			id: z.string(),
+			name: z.string().min(1).optional(),
+			content: z.string().optional(),
+			mimeType: z.string().optional(),
+			fileSize: z.number().int().positive().optional()
+		})).mutation(async ({ input }) => {
+			const prisma = getDbClient();
+			const { id, content,...rest } = input;
+			const data = { ...rest };
+			if (content) {
+				const buffer = Buffer.from(content, "base64");
+				data.content = new Uint8Array(buffer);
+				data.checksum = generateChecksum(buffer);
+				const { width, height } = await getImageDimensions(buffer);
+				data.width = width;
+				data.height = height;
+			}
+			return prisma.dbAsset.update({
+				where: { id },
+				data
+			});
+		}),
+		delete: publicProcedure$1.input(z.object({ id: z.string() })).mutation(async ({ input }) => {
+			return getDbClient().dbAsset.delete({ where: { id: input.id } });
+		}),
+		deleteMany: publicProcedure$1.input(z.object({ ids: z.array(z.string()) })).mutation(async ({ input }) => {
+			return getDbClient().dbAsset.deleteMany({ where: {
+				id: { in: input.ids },
+				assetType: "icon"
+			} });
+		}),
+		getContent: publicProcedure$1.input(z.object({ id: z.string() })).query(async ({ input }) => {
+			const asset = await getDbClient().dbAsset.findFirst({
+				where: {
+					id: input.id,
+					assetType: "icon"
+				},
+				select: {
+					content: true,
+					mimeType: true
+				}
+			});
+			if (!asset) throw new Error("Icon not found");
+			return {
+				content: Buffer.from(asset.content).toString("base64"),
+				mimeType: asset.mimeType
+			};
+		})
+	});
+}
+
+//#endregion
+//#region src/server/controller.ts
+/**
+* Initialization of tRPC backend
+* Should be done only once per backend!
+*/
+const t = initTRPC.context().create({ errorFormatter({ error, shape }) {
+	var _data;
+	console.error("[tRPC Error]", {
+		path: (_data = shape.data) === null || _data === void 0 ? void 0 : _data.path,
+		code: error.code,
+		message: error.message,
+		cause: error.cause,
+		stack: error.stack
+	});
+	return shape;
+} });
+/**
+* Export reusable router and procedure helpers
+* that can be used throughout the router
+*/
+const router = t.router;
+const publicProcedure = t.procedure;
+/**
+* Create the main tRPC router with optional auth instance
+* @param auth - Optional Better Auth instance for auth-related queries
+*/
+function createTrpcRouter(auth) {
+	return router({
+		bootstrap: publicProcedure.query(async ({ ctx }) => {
+			return await ctx.companySpecificBackend.getBootstrapData();
+		}),
+		availabilityMatrix: publicProcedure.query(async ({ ctx }) => {
+			return await ctx.companySpecificBackend.getAvailabilityMatrix();
+		}),
+		tryFindRenameRule: publicProcedure.input(z$1.object({
+			envSlug: z$1.string().optional(),
+			resourceSlug: z$1.string().optional()
+		})).query(async ({ input, ctx }) => {
+			return await ctx.companySpecificBackend.getNameMigrations(input);
+		}),
+		resourceJumps: publicProcedure.query(async ({ ctx }) => {
+			return await ctx.companySpecificBackend.getResourceJumps();
+		}),
+		resourceJumpsExtended: publicProcedure.query(async ({ ctx }) => {
+			return await ctx.companySpecificBackend.getResourceJumpsExtended();
+		}),
+		resourceJumpBySlugAndEnv: publicProcedure.input(z$1.object({
+			jumpResourceSlug: z$1.string(),
+			envSlug: z$1.string()
+		})).query(async ({ input, ctx }) => {
+			return filterSingleResourceJump(await ctx.companySpecificBackend.getResourceJumps(), input.jumpResourceSlug, input.envSlug);
+		}),
+		appCatalog: publicProcedure.query(async ({ ctx }) => {
+			return await getAppCatalogData(ctx.companySpecificBackend.getApps);
+		}),
+		icon: createIconRouter(t),
+		screenshot: createScreenshotRouter(t),
+		appCatalogAdmin: createAppCatalogAdminRouter(t),
+		auth: createAuthRouter(t, auth)
+	});
+}
+function filterSingleResourceJump(resourceJumps, jumpResourceSlug, envSlug) {
+	const filteredResourceJump = resourceJumps.resourceJumps.find((item) => item.slug === jumpResourceSlug);
+	const filteredEnv = resourceJumps.envs.find((item) => item.slug === envSlug);
+	return {
+		resourceJumps: filteredResourceJump ? [filteredResourceJump] : [],
+		envs: filteredEnv ? [filteredEnv] : [],
+		lateResolvableParams: resourceJumps.lateResolvableParams
+	};
+}
+
+//#endregion
+//#region src/server/ehTrpcContext.ts
+function createEhTrpcContext({ companySpecificBackend }) {
+	return { companySpecificBackend };
+}
+
+//#endregion
+//#region src/server/ehStaticControllerContract.ts
+const staticControllerContract = { methods: {
+	getIcon: {
+		method: "get",
+		url: "icon/:icon"
+	},
+	getScreenshot: {
+		method: "get",
+		url: "screenshot/:id"
+	}
+} };
+
+//#endregion
+//#region src/modules/auth/auth.ts
+function createAuth(config) {
+	const prisma = getDbClient();
+	const isProduction = process.env.NODE_ENV === "production";
+	return betterAuth({
+		appName: config.appName || "EnvHopper",
+		baseURL: config.baseURL,
+		basePath: "/api/auth",
+		secret: config.secret,
+		database: prismaAdapter(prisma, { provider: "postgresql" }),
+		socialProviders: config.providers || {},
+		plugins: config.plugins || [],
+		emailAndPassword: { enabled: true },
+		session: {
+			expiresIn: config.sessionExpiresIn ?? 3600 * 24 * 30,
+			updateAge: config.sessionUpdateAge ?? 3600 * 24,
+			cookieCache: {
+				enabled: true,
+				maxAge: 300
+			}
+		},
+		advanced: { useSecureCookies: isProduction }
+	});
+}
+
+//#endregion
+//#region src/modules/auth/registerAuthRoutes.ts
+/**
+* Register Better Auth routes with Express
+* @param app - Express application instance
+* @param auth - Better Auth instance
+*/
+function registerAuthRoutes(app, auth) {
+	app.get("/api/auth/session", async (req, res) => {
+		try {
+			const session = await auth.api.getSession({ headers: req.headers });
+			if (session) res.json(session);
+			else res.status(401).json({ error: "Not authenticated" });
+		} catch (error) {
+			console.error("[Auth Session Error]", error);
+			res.status(500).json({ error: "Internal server error" });
+		}
+	});
+	const authHandler = toNodeHandler(auth);
+	app.all("/api/auth/{*any}", authHandler);
+}
+
+//#endregion
+//#region src/modules/auth/authProviders.ts
+function getAuthProvidersFromEnv() {
+	const providers = {};
+	if (process.env.AUTH_GITHUB_CLIENT_ID && process.env.AUTH_GITHUB_CLIENT_SECRET) providers.github = {
+		clientId: process.env.AUTH_GITHUB_CLIENT_ID,
+		clientSecret: process.env.AUTH_GITHUB_CLIENT_SECRET
+	};
+	if (process.env.AUTH_GOOGLE_CLIENT_ID && process.env.AUTH_GOOGLE_CLIENT_SECRET) providers.google = {
+		clientId: process.env.AUTH_GOOGLE_CLIENT_ID,
+		clientSecret: process.env.AUTH_GOOGLE_CLIENT_SECRET
+	};
+	return providers;
+}
+/**
+* Get auth plugins from environment variables
+* Currently supports: Okta
+*
+* Example .env:
+* AUTH_OKTA_CLIENT_ID=your_okta_client_id
+* AUTH_OKTA_CLIENT_SECRET=your_okta_client_secret
+* AUTH_OKTA_ISSUER=https://your-org.okta.com/oauth2/ausxb83g4wY1x09ec0h7
+*
+* Note: If you get "User is not assigned to the client application" errors,
+* you need to configure your Okta application to allow all users:
+* 1. In Okta Admin Console, go to Applications → Your App
+* 2. Assignments tab → Assign to Groups → Add "Everyone" group
+* OR
+* 3. Edit the application → In "User consent" section, enable appropriate settings
+*
+* For group-based authorization:
+* 1. Add "groups" scope to your auth server policy rule
+* 2. Create a groups claim in your auth server
+* 3. Groups will be available in the user object after authentication
+*/
+function getAuthPluginsFromEnv() {
+	const plugins = [];
+	const oktaConfig = [];
+	if (process.env.AUTH_OKTA_CLIENT_ID && process.env.AUTH_OKTA_CLIENT_SECRET && process.env.AUTH_OKTA_ISSUER) oktaConfig.push(okta({
+		clientId: process.env.AUTH_OKTA_CLIENT_ID,
+		clientSecret: process.env.AUTH_OKTA_CLIENT_SECRET,
+		issuer: process.env.AUTH_OKTA_ISSUER
+	}));
+	if (oktaConfig.length > 0) plugins.push(genericOAuth({ config: oktaConfig }));
+	return plugins;
+}
+/**
+* Validate required auth environment variables
+*/
+function validateAuthConfig() {
+	const secret = process.env.BETTER_AUTH_SECRET;
+	const baseUrl = process.env.BETTER_AUTH_URL;
+	if (!secret) console.warn("BETTER_AUTH_SECRET not set. Using development fallback. Set this in production!");
+	if (!baseUrl) console.info("BETTER_AUTH_URL not set. Using default http://localhost:3000");
+}
+
+//#endregion
+//#region src/modules/auth/authorizationUtils.ts
+/**
+* Extract groups from user object
+* Groups can be stored in different locations depending on the OAuth provider
+*/
+function getUserGroups(user) {
+	if (!user) return [];
+	const groups = user.groups || user.env_hopper_groups || user.oktaGroups || user.roles || [];
+	return Array.isArray(groups) ? groups : [];
+}
+/**
+* Check if user is a member of any of the specified groups
+*/
+function isMemberOfAnyGroup(user, allowedGroups) {
+	const userGroups = getUserGroups(user);
+	return allowedGroups.some((group) => userGroups.includes(group));
+}
+/**
+* Check if user is a member of all specified groups
+*/
+function isMemberOfAllGroups(user, requiredGroups) {
+	const userGroups = getUserGroups(user);
+	return requiredGroups.every((group) => userGroups.includes(group));
+}
+/**
+* Get admin group names from environment variables
+* Default: env_hopper_ui_super_admins
+*/
+function getAdminGroupsFromEnv() {
+	return (process.env.AUTH_ADMIN_GROUPS || "env_hopper_ui_super_admins").split(",").map((g) => g.trim()).filter(Boolean);
+}
+/**
+* Check if user has admin permissions
+*/
+function isAdmin(user) {
+	return isMemberOfAnyGroup(user, getAdminGroupsFromEnv());
+}
+/**
+* Require admin permissions - throws error if not admin
+*/
+function requireAdmin(user) {
+	if (!isAdmin(user)) throw new Error("Forbidden: Admin access required");
+}
+/**
+* Require membership in specific groups - throws error if not member
+*/
+function requireGroups(user, groups) {
+	if (!isMemberOfAnyGroup(user, groups)) throw new Error(`Forbidden: Membership in one of these groups required: ${groups.join(", ")}`);
+}
+
+//#endregion
+//#region src/modules/admin/chat/createAdminChatHandler.ts
+function convertToCoreMessages(messages) {
+	return messages.map((msg) => {
+		var _msg$parts;
+		if (msg.content) return {
+			role: msg.role,
+			content: msg.content
+		};
+		const textContent = ((_msg$parts = msg.parts) === null || _msg$parts === void 0 ? void 0 : _msg$parts.filter((part) => part.type === "text").map((part) => part.text).join("")) ?? "";
+		return {
+			role: msg.role,
+			content: textContent
+		};
+	});
+}
+/**
+* Creates an Express handler for the admin chat endpoint.
+*
+* Usage in thin wrappers:
+*
+* ```typescript
+* // With OpenAI
+* import { openai } from '@ai-sdk/openai'
+* app.post('/api/admin/chat', createAdminChatHandler({
+*   model: openai('gpt-4o-mini'),
+* }))
+*
+* // With Claude
+* import { anthropic } from '@ai-sdk/anthropic'
+* app.post('/api/admin/chat', createAdminChatHandler({
+*   model: anthropic('claude-sonnet-4-20250514'),
+* }))
+* ```
+*/
+function createAdminChatHandler(options) {
+	const { model, systemPrompt = "You are a helpful admin assistant for the Env Hopper application. Help users manage apps, data sources, and MCP server configurations.", tools = {}, validateConfig } = options;
+	return async (req, res) => {
+		try {
+			if (validateConfig) validateConfig();
+			const { messages } = req.body;
+			const coreMessages = convertToCoreMessages(messages);
+			console.log("[Admin Chat] Received messages:", JSON.stringify(coreMessages, null, 2));
+			console.log("[Admin Chat] Available tools:", Object.keys(tools));
+			const response = streamText({
+				model,
+				system: systemPrompt,
+				messages: coreMessages,
+				tools,
+				stopWhen: stepCountIs(5),
+				onFinish: (event) => {
+					console.log("[Admin Chat] Finished:", {
+						finishReason: event.finishReason,
+						usage: event.usage,
+						hasText: !!event.text,
+						textLength: event.text.length
+					});
+				}
+			}).toUIMessageStreamResponse();
+			response.headers.forEach((value, key) => {
+				res.setHeader(key, value);
+			});
+			if (response.body) {
+				const reader = response.body.getReader();
+				const pump = async () => {
+					const { done, value } = await reader.read();
+					if (done) {
+						res.end();
+						return;
+					}
+					res.write(value);
+					return pump();
+				};
+				await pump();
+			} else {
+				console.error("[Admin Chat] No response body");
+				res.status(500).json({ error: "No response from AI model" });
+			}
+		} catch (error) {
+			console.error("[Admin Chat] Error:", error);
+			res.status(500).json({ error: "Failed to process chat request" });
+		}
+	};
+}
+
+//#endregion
+//#region src/modules/admin/chat/createDatabaseTools.ts
+/**
+* Creates a DatabaseClient from a Prisma client.
+*/
+function createPrismaDatabaseClient(prisma) {
+	return {
+		query: async (sql) => {
+			return await prisma.$queryRawUnsafe(sql);
+		},
+		execute: async (sql) => {
+			return { affectedRows: await prisma.$executeRawUnsafe(sql) };
+		},
+		getTables: async () => {
+			return (await prisma.$queryRawUnsafe(`SELECT tablename FROM pg_tables WHERE schemaname = 'public'`)).map((t$1) => t$1.tablename);
+		},
+		getColumns: async (tableName) => {
+			return (await prisma.$queryRawUnsafe(`SELECT column_name, data_type, is_nullable
+         FROM information_schema.columns
+         WHERE table_name = '${tableName}' AND table_schema = 'public'`)).map((c) => ({
+				name: c.column_name,
+				type: c.data_type,
+				nullable: c.is_nullable === "YES"
+			}));
+		}
+	};
+}
+const querySchema = z.object({ sql: z.string().describe("The SELECT SQL query to execute") });
+const modifySchema = z.object({
+	sql: z.string().describe("The INSERT, UPDATE, or DELETE SQL query to execute"),
+	confirmed: z.boolean().describe("Must be true to execute destructive operations")
+});
+const schemaParamsSchema = z.object({ tableName: z.string().optional().describe("Specific table name to get columns for. If not provided, returns list of all tables.") });
+/**
+* Creates a DatabaseClient using the internal backend-core Prisma client.
+* This is a convenience function for apps that don't need to pass their own Prisma client.
+*/
+function createInternalDatabaseClient() {
+	return createPrismaDatabaseClient(getDbClient());
+}
+/**
+* Creates AI tools for generic database access.
+*
+* The AI uses these internally - users interact via natural language.
+* Results are formatted as tables by the AI based on the system prompt.
+* Uses the internal backend-core Prisma client automatically.
+*/
+function createDatabaseTools() {
+	const db = createInternalDatabaseClient();
+	return {
+		queryDatabase: {
+			description: `Execute a SELECT query to read data from the database.
+Use this to list, search, or filter records from any table.
+Always use double quotes around table and column names for PostgreSQL (e.g., SELECT * FROM "App").
+Return results will be formatted as a table for the user.`,
+			inputSchema: querySchema,
+			execute: async ({ sql }) => {
+				console.log(`Executing ${sql}`);
+				if (!sql.trim().toUpperCase().startsWith("SELECT")) return { error: "Only SELECT queries are allowed with queryDatabase. Use modifyDatabase for changes." };
+				try {
+					const results = await db.query(sql);
+					return {
+						success: true,
+						rowCount: Array.isArray(results) ? results.length : 0,
+						data: results
+					};
+				} catch (error) {
+					return {
+						success: false,
+						error: error instanceof Error ? error.message : "Query failed"
+					};
+				}
+			}
+		},
+		modifyDatabase: {
+			description: `Execute an INSERT, UPDATE, or DELETE query to modify data.
+Use double quotes around table and column names for PostgreSQL.
+IMPORTANT: Always ask for user confirmation before executing. Set confirmed=true only after user confirms.
+For UPDATE/DELETE, always include a WHERE clause to avoid affecting all rows.`,
+			inputSchema: modifySchema,
+			execute: async ({ sql, confirmed }) => {
+				if (!confirmed) return {
+					needsConfirmation: true,
+					message: "Please confirm you want to execute this operation.",
+					sql
+				};
+				const normalizedSql = sql.trim().toUpperCase();
+				if (normalizedSql.startsWith("SELECT")) return { error: "Use queryDatabase for SELECT queries." };
+				if ((normalizedSql.startsWith("UPDATE") || normalizedSql.startsWith("DELETE")) && !normalizedSql.includes("WHERE")) return {
+					error: "UPDATE and DELETE queries must include a WHERE clause for safety.",
+					sql
+				};
+				try {
+					const result = await db.execute(sql);
+					return {
+						success: true,
+						affectedRows: result.affectedRows,
+						message: `Operation completed. ${result.affectedRows} row(s) affected.`
+					};
+				} catch (error) {
+					return {
+						success: false,
+						error: error instanceof Error ? error.message : "Operation failed"
+					};
+				}
+			}
+		},
+		getDatabaseSchema: {
+			description: `Get information about database tables and their columns.
+Use this to understand the database structure before writing queries.
+Call without tableName to list all tables, or with tableName to get columns for a specific table.`,
+			inputSchema: schemaParamsSchema,
+			execute: async ({ tableName }) => {
+				try {
+					if (tableName) return {
+						success: true,
+						table: tableName,
+						columns: await db.getColumns(tableName)
+					};
+					else return {
+						success: true,
+						tables: await db.getTables()
+					};
+				} catch (error) {
+					return {
+						success: false,
+						error: error instanceof Error ? error.message : "Failed to get schema"
+					};
+				}
+			}
+		}
+	};
+}
+/**
+* Default system prompt for the database admin assistant.
+* Can be customized or extended.
+*/
+const DEFAULT_ADMIN_SYSTEM_PROMPT = `You are a helpful database admin assistant. You help users view and manage data in the database.
+
+IMPORTANT RULES:
+1. When showing data, ALWAYS format it as a numbered ASCII table so users can reference rows by number
+2. NEVER show raw SQL to users - just describe what you're doing in plain language
+3. When users ask to modify data (update, delete, create), ALWAYS confirm before executing
+4. For updates, show the current value and ask for confirmation before changing
+5. Keep responses concise and focused on the data
+
+FORMATTING EXAMPLE:
+When user asks "show me all apps", respond like:
+"Here are all the apps:
+
+| # | ID | Slug    | Display Name    | Icon   |
+|---|----|---------|-----------------| -------|
+| 1 | 1  | portal  | Portal          | portal |
+| 2 | 2  | admin   | Admin Dashboard | admin  |
+| 3 | 3  | api     | API Service     | null   |
+
+Found 3 apps total."
+
+When user says "update row 2 display name to 'Admin Panel'":
+1. First confirm: "I'll update the app 'Admin Dashboard' (ID: 2) to have display name 'Admin Panel'. Proceed?"
+2. Only after user confirms, execute the update
+3. Then show the updated row
+
+AVAILABLE TABLES:
+Use getDatabaseSchema tool to discover tables and their columns.
+`;
+
+//#endregion
+//#region src/modules/icons/iconRestController.ts
+const upload$1 = multer({
+	storage: multer.memoryStorage(),
+	limits: { fileSize: 10 * 1024 * 1024 },
+	fileFilter: (_req, file, cb) => {
+		if (!file.mimetype.startsWith("image/")) {
+			cb(/* @__PURE__ */ new Error("Only image files are allowed"));
+			return;
+		}
+		cb(null, true);
+	}
+});
+/**
+* Registers REST endpoints for icon upload and retrieval
+*
+* Endpoints:
+* - POST {basePath}/upload - Upload a new icon (multipart/form-data with 'icon' field and 'name' field)
+* - GET {basePath}/:id - Get icon binary by ID
+* - GET {basePath}/:id/metadata - Get icon metadata only
+*/
+function registerIconRestController(router$1, config) {
+	const { basePath } = config;
+	router$1.post(`${basePath}/upload`, upload$1.single("icon"), async (req, res) => {
+		try {
+			if (!req.file) {
+				res.status(400).json({ error: "No file uploaded" });
+				return;
+			}
+			const name = req.body["name"];
+			if (!name) {
+				res.status(400).json({ error: "Name is required" });
+				return;
+			}
+			const prisma = getDbClient();
+			const checksum = createHash("sha256").update(req.file.buffer).digest("hex");
+			const icon = await prisma.dbAsset.create({ data: {
+				name,
+				assetType: "icon",
+				content: new Uint8Array(req.file.buffer),
+				mimeType: req.file.mimetype,
+				fileSize: req.file.size,
+				checksum
+			} });
+			res.status(201).json({
+				id: icon.id,
+				name: icon.name,
+				mimeType: icon.mimeType,
+				fileSize: icon.fileSize,
+				createdAt: icon.createdAt
+			});
+		} catch (error) {
+			console.error("Error uploading icon:", error);
+			res.status(500).json({ error: "Failed to upload icon" });
+		}
+	});
+	router$1.get(`${basePath}/:id`, async (req, res) => {
+		try {
+			const { id } = req.params;
+			const icon = await getDbClient().dbAsset.findUnique({
+				where: { id },
+				select: {
+					content: true,
+					mimeType: true,
+					name: true
+				}
+			});
+			if (!icon) {
+				res.status(404).json({ error: "Icon not found" });
+				return;
+			}
+			res.setHeader("Content-Type", icon.mimeType);
+			res.setHeader("Content-Disposition", `inline; filename="${icon.name}"`);
+			res.setHeader("Cache-Control", "public, max-age=86400");
+			res.send(icon.content);
+		} catch (error) {
+			console.error("Error fetching icon:", error);
+			res.status(500).json({ error: "Failed to fetch icon" });
+		}
+	});
+	router$1.get(`${basePath}/:id/metadata`, async (req, res) => {
+		try {
+			const { id } = req.params;
+			const icon = await getDbClient().dbAsset.findUnique({
+				where: { id },
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+			if (!icon) {
+				res.status(404).json({ error: "Icon not found" });
+				return;
+			}
+			res.json(icon);
+		} catch (error) {
+			console.error("Error fetching icon metadata:", error);
+			res.status(500).json({ error: "Failed to fetch icon metadata" });
+		}
+	});
+	router$1.get(`${basePath}/by-name/:name`, async (req, res) => {
+		try {
+			const { name } = req.params;
+			const icon = await getDbClient().dbAsset.findUnique({
+				where: { name },
+				select: {
+					content: true,
+					mimeType: true,
+					name: true
+				}
+			});
+			if (!icon) {
+				res.status(404).json({ error: "Icon not found" });
+				return;
+			}
+			res.setHeader("Content-Type", icon.mimeType);
+			res.setHeader("Content-Disposition", `inline; filename="${icon.name}"`);
+			res.setHeader("Cache-Control", "public, max-age=86400");
+			res.send(icon.content);
+		} catch (error) {
+			console.error("Error fetching icon by name:", error);
+			res.status(500).json({ error: "Failed to fetch icon" });
+		}
+	});
+}
+
+//#endregion
+//#region src/modules/icons/iconService.ts
+/**
+* Upsert an icon to the database.
+* If an icon with the same name exists, it will be updated.
+* Otherwise, a new icon will be created.
+*/
+async function upsertIcon(input) {
+	const prisma = getDbClient();
+	const checksum = generateChecksum(input.content);
+	const { width, height } = await getImageDimensions(input.content);
+	return prisma.dbAsset.upsert({
+		where: { name: input.name },
+		update: {
+			content: new Uint8Array(input.content),
+			checksum,
+			mimeType: input.mimeType,
+			fileSize: input.fileSize,
+			width,
+			height
+		},
+		create: {
+			name: input.name,
+			assetType: "icon",
+			content: new Uint8Array(input.content),
+			checksum,
+			mimeType: input.mimeType,
+			fileSize: input.fileSize,
+			width,
+			height
+		}
+	});
+}
+/**
+* Upsert multiple icons to the database.
+* This is more efficient than calling upsertIcon multiple times.
+*/
+async function upsertIcons(icons) {
+	const results = [];
+	for (const icon of icons) {
+		const result = await upsertIcon(icon);
+		results.push(result);
+	}
+	return results;
+}
+/**
+* Get an asset (icon or screenshot) by name from the database.
+* Returns the asset content, mimeType, and name if found.
+*/
+async function getAssetByName(name) {
+	return getDbClient().dbAsset.findUnique({
+		where: { name },
+		select: {
+			content: true,
+			mimeType: true,
+			name: true
+		}
+	});
+}
+
+//#endregion
+//#region src/modules/assets/assetRestController.ts
+const upload = multer({
+	storage: multer.memoryStorage(),
+	limits: { fileSize: 10 * 1024 * 1024 },
+	fileFilter: (_req, file, cb) => {
+		if (!file.mimetype.startsWith("image/")) {
+			cb(/* @__PURE__ */ new Error("Only image files are allowed"));
+			return;
+		}
+		cb(null, true);
+	}
+});
+/**
+* Registers REST endpoints for universal asset upload and retrieval
+*
+* Endpoints:
+* - POST {basePath}/upload - Upload a new asset (multipart/form-data)
+* - GET {basePath}/:id - Get asset binary by ID
+* - GET {basePath}/:id/metadata - Get asset metadata only
+* - GET {basePath}/by-name/:name - Get asset binary by name
+*/
+function registerAssetRestController(router$1, config) {
+	const { basePath } = config;
+	router$1.post(`${basePath}/upload`, upload.single("asset"), async (req, res) => {
+		try {
+			if (!req.file) {
+				res.status(400).json({ error: "No file uploaded" });
+				return;
+			}
+			const name = req.body["name"];
+			const assetType = req.body["assetType"] ?? "icon";
+			if (!name) {
+				res.status(400).json({ error: "Name is required" });
+				return;
+			}
+			const prisma = getDbClient();
+			const checksum = generateChecksum(req.file.buffer);
+			const existing = await prisma.dbAsset.findUnique({
+				where: { checksum },
+				select: {
+					id: true,
+					name: true,
+					assetType: true,
+					checksum: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true
+				}
+			});
+			if (existing) {
+				res.status(200).json(existing);
+				return;
+			}
+			const { width, height } = await getImageDimensions(req.file.buffer);
+			const asset = await prisma.dbAsset.create({ data: {
+				name,
+				checksum,
+				assetType,
+				content: new Uint8Array(req.file.buffer),
+				mimeType: req.file.mimetype,
+				fileSize: req.file.size,
+				width,
+				height
+			} });
+			res.status(201).json({
+				id: asset.id,
+				name: asset.name,
+				assetType: asset.assetType,
+				mimeType: asset.mimeType,
+				fileSize: asset.fileSize,
+				width: asset.width,
+				height: asset.height,
+				createdAt: asset.createdAt
+			});
+		} catch (error) {
+			console.error("Error uploading asset:", error);
+			res.status(500).json({ error: "Failed to upload asset" });
+		}
+	});
+	router$1.get(`${basePath}/:id`, async (req, res) => {
+		try {
+			const { id } = req.params;
+			const asset = await getDbClient().dbAsset.findUnique({
+				where: { id },
+				select: {
+					content: true,
+					mimeType: true,
+					name: true,
+					width: true,
+					height: true
+				}
+			});
+			if (!asset) {
+				res.status(404).json({ error: "Asset not found" });
+				return;
+			}
+			const resizeEnabled = String(process.env.EH_ASSETS_RESIZE_ENABLED || "true") === "true";
+			const wParam = req.query["w"];
+			const width = wParam ? Number.parseInt(wParam, 10) : void 0;
+			let outBuffer = asset.content;
+			let outMime = asset.mimeType;
+			if (resizeEnabled && isRasterImage(asset.mimeType) && !!width && Number.isFinite(width) && width > 0) {
+				const fmt = getImageFormat(asset.mimeType) || "jpeg";
+				const buf = await resizeImage(Buffer.from(asset.content), width, void 0, fmt);
+				outBuffer = new Uint8Array(buf);
+				outMime = `image/${fmt}`;
+			}
+			res.setHeader("Content-Type", outMime);
+			res.setHeader("Content-Disposition", `inline; filename="${asset.name}"`);
+			res.setHeader("Cache-Control", "public, max-age=86400");
+			res.send(outBuffer);
+		} catch (error) {
+			console.error("Error fetching asset:", error);
+			res.status(500).json({ error: "Failed to fetch asset" });
+		}
+	});
+	router$1.get(`${basePath}/:id/metadata`, async (req, res) => {
+		try {
+			const { id } = req.params;
+			const asset = await getDbClient().dbAsset.findUnique({
+				where: { id },
+				select: {
+					id: true,
+					name: true,
+					assetType: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+			if (!asset) {
+				res.status(404).json({ error: "Asset not found" });
+				return;
+			}
+			res.json(asset);
+		} catch (error) {
+			console.error("Error fetching asset metadata:", error);
+			res.status(500).json({ error: "Failed to fetch asset metadata" });
+		}
+	});
+	router$1.get(`${basePath}/by-name/:name`, async (req, res) => {
+		try {
+			const { name } = req.params;
+			const asset = await getDbClient().dbAsset.findUnique({
+				where: { name },
+				select: {
+					content: true,
+					mimeType: true,
+					name: true,
+					width: true,
+					height: true
+				}
+			});
+			if (!asset) {
+				res.status(404).json({ error: "Asset not found" });
+				return;
+			}
+			const resizeEnabled = String(process.env.EH_ASSETS_RESIZE_ENABLED || "true") === "true";
+			const wParam = req.query["w"];
+			const width = wParam ? Number.parseInt(wParam, 10) : void 0;
+			let outBuffer = asset.content;
+			let outMime = asset.mimeType;
+			const isRaster = asset.mimeType.startsWith("image/") && !asset.mimeType.includes("svg");
+			if (resizeEnabled && isRaster && !!width && Number.isFinite(width) && width > 0) {
+				const fmt = asset.mimeType.includes("png") ? "png" : asset.mimeType.includes("webp") ? "webp" : "jpeg";
+				let buf;
+				const pipeline = sharp(Buffer.from(asset.content)).resize({
+					width,
+					fit: "inside",
+					withoutEnlargement: true
+				});
+				if (fmt === "png") {
+					buf = await pipeline.png().toBuffer();
+					outMime = "image/png";
+				} else if (fmt === "webp") {
+					buf = await pipeline.webp().toBuffer();
+					outMime = "image/webp";
+				} else {
+					buf = await pipeline.jpeg().toBuffer();
+					outMime = "image/jpeg";
+				}
+				outBuffer = new Uint8Array(buf);
+			}
+			res.setHeader("Content-Type", outMime);
+			res.setHeader("Content-Disposition", `inline; filename="${asset.name}"`);
+			res.setHeader("Cache-Control", "public, max-age=86400");
+			res.send(outBuffer);
+		} catch (error) {
+			console.error("Error fetching asset by name:", error);
+			res.status(500).json({ error: "Failed to fetch asset" });
+		}
+	});
+}
+
+//#endregion
+//#region src/modules/assets/screenshotRestController.ts
+/**
+* Registers REST endpoints for screenshot retrieval
+* 
+* Endpoints:
+* - GET {basePath}/app/:appId - Get all screenshots for an app
+* - GET {basePath}/:id - Get screenshot binary by ID
+* - GET {basePath}/:id/metadata - Get screenshot metadata only
+*/
+function registerScreenshotRestController(router$1, config) {
+	const { basePath } = config;
+	router$1.get(`${basePath}/app/:appSlug`, async (req, res) => {
+		try {
+			const { appSlug } = req.params;
+			const prisma = getDbClient();
+			const app = await prisma.dbAppForCatalog.findUnique({
+				where: { slug: appSlug },
+				select: { screenshotIds: true }
+			});
+			if (!app) {
+				res.status(404).json({ error: "App not found" });
+				return;
+			}
+			const screenshots = await prisma.dbAsset.findMany({
+				where: {
+					id: { in: app.screenshotIds },
+					assetType: "screenshot"
+				},
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true
+				}
+			});
+			res.json(screenshots);
+		} catch (error) {
+			console.error("Error fetching app screenshots:", error);
+			res.status(500).json({ error: "Failed to fetch screenshots" });
+		}
+	});
+	router$1.get(`${basePath}/app/:appSlug/first`, async (req, res) => {
+		try {
+			const { appSlug } = req.params;
+			const prisma = getDbClient();
+			const app = await prisma.dbAppForCatalog.findUnique({
+				where: { slug: appSlug },
+				select: { screenshotIds: true }
+			});
+			if (!app || app.screenshotIds.length === 0) {
+				res.status(404).json({ error: "No screenshots found" });
+				return;
+			}
+			const screenshot = await prisma.dbAsset.findUnique({
+				where: { id: app.screenshotIds[0] },
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true
+				}
+			});
+			if (!screenshot) {
+				res.status(404).json({ error: "Screenshot not found" });
+				return;
+			}
+			res.json(screenshot);
+		} catch (error) {
+			console.error("Error fetching first screenshot:", error);
+			res.status(500).json({ error: "Failed to fetch screenshot" });
+		}
+	});
+	router$1.get(`${basePath}/:id`, async (req, res) => {
+		try {
+			const { id } = req.params;
+			const sizeParam = req.query.size;
+			const targetSize = sizeParam ? parseInt(sizeParam, 10) : void 0;
+			const screenshot = await getDbClient().dbAsset.findUnique({
+				where: { id },
+				select: {
+					content: true,
+					mimeType: true,
+					name: true
+				}
+			});
+			if (!screenshot) {
+				res.status(404).json({ error: "Screenshot not found" });
+				return;
+			}
+			let content = screenshot.content;
+			if (targetSize && targetSize > 0) try {
+				content = await sharp(screenshot.content).resize(targetSize, targetSize, {
+					fit: "inside",
+					withoutEnlargement: true
+				}).toBuffer();
+			} catch (resizeError) {
+				console.error("Error resizing screenshot:", resizeError);
+			}
+			res.setHeader("Content-Type", screenshot.mimeType);
+			res.setHeader("Content-Disposition", `inline; filename="${screenshot.name}"`);
+			res.setHeader("Cache-Control", "public, max-age=86400");
+			res.send(content);
+		} catch (error) {
+			console.error("Error fetching screenshot:", error);
+			res.status(500).json({ error: "Failed to fetch screenshot" });
+		}
+	});
+	router$1.get(`${basePath}/:id/metadata`, async (req, res) => {
+		try {
+			const { id } = req.params;
+			const screenshot = await getDbClient().dbAsset.findUnique({
+				where: { id },
+				select: {
+					id: true,
+					name: true,
+					mimeType: true,
+					fileSize: true,
+					width: true,
+					height: true,
+					createdAt: true,
+					updatedAt: true
+				}
+			});
+			if (!screenshot) {
+				res.status(404).json({ error: "Screenshot not found" });
+				return;
+			}
+			res.json(screenshot);
+		} catch (error) {
+			console.error("Error fetching screenshot metadata:", error);
+			res.status(500).json({ error: "Failed to fetch screenshot metadata" });
+		}
+	});
+}
+
+//#endregion
+//#region src/modules/assets/syncAssets.ts
+/**
+* Sync local asset files (icons and screenshots) from directories into the database.
+* 
+* This function allows consuming applications to sync asset files without directly
+* exposing the Prisma client. It handles:
+* - Icon files: Assigned to apps by matching filename to icon name patterns
+* - Screenshot files: Assigned to apps by matching filename to app ID (format: <app-id>_screenshot_<no>.<ext>)
+* 
+* @param config Configuration with paths to icon and screenshot directories
+*/
+async function syncAssets(config) {
+	const prisma = getDbClient();
+	let iconsUpserted = 0;
+	let screenshotsUpserted = 0;
+	if (config.iconsDir) {
+		console.log(`📁 Syncing icons from ${config.iconsDir}...`);
+		iconsUpserted = await syncIconsFromDirectory(prisma, config.iconsDir);
+		console.log(`   ✓ Upserted ${iconsUpserted} icons`);
+	}
+	if (config.screenshotsDir) {
+		console.log(`📷 Syncing screenshots from ${config.screenshotsDir}...`);
+		screenshotsUpserted = await syncScreenshotsFromDirectory(prisma, config.screenshotsDir);
+		console.log(`   ✓ Upserted ${screenshotsUpserted} screenshots and assigned to apps`);
+	}
+	return {
+		iconsUpserted,
+		screenshotsUpserted
+	};
+}
+/**
+* Sync icon files from a directory
+*/
+async function syncIconsFromDirectory(prisma, iconsDir) {
+	let count = 0;
+	try {
+		const files = readdirSync(iconsDir);
+		for (const file of files) {
+			const filePath = join(iconsDir, file);
+			const ext = extname(file).toLowerCase().slice(1);
+			if (![
+				"png",
+				"jpg",
+				"jpeg",
+				"gif",
+				"webp",
+				"svg"
+			].includes(ext)) continue;
+			try {
+				const content = readFileSync(filePath);
+				const buffer = Buffer.from(content);
+				const checksum = generateChecksum(buffer);
+				const iconName = file.replace(/\.[^/.]+$/, "");
+				if (await prisma.dbAsset.findFirst({ where: {
+					checksum,
+					assetType: "icon"
+				} })) continue;
+				let width = null;
+				let height = null;
+				if (!ext.includes("svg")) {
+					const { width: w, height: h } = await getImageDimensions(buffer);
+					width = w;
+					height = h;
+				}
+				const mimeType = {
+					png: "image/png",
+					jpg: "image/jpeg",
+					jpeg: "image/jpeg",
+					gif: "image/gif",
+					webp: "image/webp",
+					svg: "image/svg+xml"
+				}[ext] || "application/octet-stream";
+				await prisma.dbAsset.create({ data: {
+					name: iconName,
+					assetType: "icon",
+					content: new Uint8Array(buffer),
+					checksum,
+					mimeType,
+					fileSize: buffer.length,
+					width,
+					height
+				} });
+				count++;
+			} catch (error) {
+				console.warn(`  ⚠ Failed to sync icon ${file}:`, error);
+			}
+		}
+	} catch (error) {
+		console.error(`  ❌ Error reading icons directory:`, error);
+	}
+	return count;
+}
+/**
+* Sync screenshot files from a directory and assign to apps
+*/
+async function syncScreenshotsFromDirectory(prisma, screenshotsDir) {
+	let count = 0;
+	try {
+		const files = readdirSync(screenshotsDir);
+		const screenshotsByApp = /* @__PURE__ */ new Map();
+		for (const file of files) {
+			const match = file.match(/^(.+?)_screenshot_(\d+)\.([^.]+)$/);
+			if (!match || !match[1] || !match[3]) continue;
+			const appId = match[1];
+			const ext = match[3];
+			if (!screenshotsByApp.has(appId)) screenshotsByApp.set(appId, []);
+			screenshotsByApp.get(appId).push({
+				path: join(screenshotsDir, file),
+				ext
+			});
+		}
+		for (const [appId, screenshots] of screenshotsByApp) try {
+			if (!await prisma.dbAppForCatalog.findUnique({
+				where: { slug: appId },
+				select: { id: true }
+			})) {
+				console.warn(`  ⚠ App not found: ${appId}`);
+				continue;
+			}
+			for (const screenshot of screenshots) try {
+				const content = readFileSync(screenshot.path);
+				const buffer = Buffer.from(content);
+				const checksum = generateChecksum(buffer);
+				const existing = await prisma.dbAsset.findFirst({ where: {
+					checksum,
+					assetType: "screenshot"
+				} });
+				if (existing) {
+					const existingApp = await prisma.dbAppForCatalog.findUnique({ where: { slug: appId } });
+					if (existingApp && !existingApp.screenshotIds.includes(existing.id)) await prisma.dbAppForCatalog.update({
+						where: { slug: appId },
+						data: { screenshotIds: [...existingApp.screenshotIds, existing.id] }
+					});
+					continue;
+				}
+				const { width, height } = await getImageDimensions(buffer);
+				const mimeType = {
+					png: "image/png",
+					jpg: "image/jpeg",
+					jpeg: "image/jpeg",
+					gif: "image/gif",
+					webp: "image/webp"
+				}[screenshot.ext.toLowerCase()] || "application/octet-stream";
+				const asset = await prisma.dbAsset.create({ data: {
+					name: `${appId}-screenshot-${Date.now()}`,
+					assetType: "screenshot",
+					content: new Uint8Array(buffer),
+					checksum,
+					mimeType,
+					fileSize: buffer.length,
+					width,
+					height
+				} });
+				await prisma.dbAppForCatalog.update({
+					where: { slug: appId },
+					data: { screenshotIds: { push: asset.id } }
+				});
+				count++;
+			} catch (error) {
+				console.warn(`  ⚠ Failed to sync screenshot ${screenshot.path}:`, error);
+			}
+		} catch (error) {
+			console.warn(`  ⚠ Failed to process app ${appId}:`, error);
+		}
+	} catch (error) {
+		console.error(`  ❌ Error reading screenshots directory:`, error);
+	}
+	return count;
+}
+
+//#endregion
+export { DEFAULT_ADMIN_SYSTEM_PROMPT, TABLE_SYNC_MAGAZINE, connectDb, createAdminChatHandler, createAppCatalogAdminRouter, createAuth, createAuthRouter, createDatabaseTools, createEhTrpcContext, createPrismaDatabaseClient, createScreenshotRouter, createTrpcRouter, disconnectDb, getAdminGroupsFromEnv, getAssetByName, getAuthPluginsFromEnv, getAuthProvidersFromEnv, getDbClient, getUserGroups, isAdmin, isMemberOfAllGroups, isMemberOfAnyGroup, registerAssetRestController, registerAuthRoutes, registerIconRestController, registerScreenshotRestController, requireAdmin, requireGroups, staticControllerContract, syncAppCatalog, syncAssets, tableSyncPrisma, tool, upsertIcon, upsertIcons, validateAuthConfig };
+//# sourceMappingURL=index.js.map