@giaeulate/baas-sdk 1.2.0 → 1.3.0

package/dist/index.d.ts

@@ -45,13 +45,27 @@ type RealtimeCallback<T = any> = (payload: RealtimePayload<T>) => void;
  * Base class providing HTTP request infrastructure for all SDK modules
  */
 
+/** Privilege class of the API key. anon = RLS applies (safe for browsers);
+ *  service_role = RLS bypass / admin (server-side only). Both share the
+ *  `baas_sk_` prefix, so the type cannot be inferred — it must be declared. */
+type KeyType = 'anon' | 'service_role';
+interface ClientOptions {
+    /** Defaults to 'service_role' for backward-compat. Set 'anon' in any client
+     *  bundle (browser / mobile app) — see warnIfUnsafeKey. */
+    keyType?: KeyType;
+}
 declare class HttpClient {
     url: string;
     apiKey: string;
+    keyType: KeyType;
     token: string | null;
     private environment;
     private _onForceLogout;
-    constructor(url?: string, apiKey?: string);
+    constructor(url?: string, apiKey?: string, options?: ClientOptions);
+    /** SECURITY: a service_role key bypasses RLS and grants admin over every
+     *  tenant. If it ends up in a browser bundle, anyone can extract it. Warn
+     *  loudly when a non-anon key is constructed in a browser context. */
+    private warnIfUnsafeKey;
     /**
      * Set the auth token manually (e.g. restoring from SecureStore in React Native).
      * Persists to both the in-memory property and localStorage so getDynamicToken() works.
@@ -133,7 +147,23 @@ declare class QueryBuilder {
     is(column: string, value: any): this;
     in(column: string, values: any[]): this;
     not(column: string, operator: string, value: any): this;
+    /** Array/jsonb/range contains (@>). Arrays become a `{a,b}` literal. */
+    contains(column: string, values: any): this;
+    /** Array/jsonb/range contained-by (<@). */
+    containedBy(column: string, values: any): this;
+    /** Array/range overlap (&&). */
+    overlaps(column: string, values: any): this;
+    /** Full-text search (@@). type: fts|plfts|phfts|wfts (tsquery flavour). */
+    textSearch(column: string, query: string, type?: 'fts' | 'plfts' | 'phfts' | 'wfts'): this;
+    private arrayLiteral;
+    /** OR group: `or=(c1,c2)`. Members are dotted `col.op.value` strings. */
     or(filters: string): this;
+    /** AND group: `and=(c1,c2)` — e.g. a range `qty.gt.5,qty.lt.20`. */
+    and(filters: string): this;
+    /** Negated AND group: `not.and=(...)`. */
+    notAnd(filters: string): this;
+    /** Negated OR group: `not.or=(...)`. */
+    notOr(filters: string): this;
     order(column: string, { ascending }?: {
         ascending?: boolean | undefined;
     }): this;
@@ -177,6 +207,26 @@ declare class QueryBuilder {
     } | {
         success: boolean;
     }>;
+    /** Insert-or-update on conflict. [onConflict] is the conflict-target column(s). */
+    upsert(data: any, onConflict: string): Promise<{
+        data: null;
+        error: any;
+        status: number;
+    } | {
+        data: any;
+        error: null;
+        status: number;
+    }>;
+    /**
+     * Count rows matching the current filters (PostgREST parity). Sends
+     * `Prefer: count=exact` and parses the total from the `Content-Range`
+     * response header. Returns `{ count, error, status }`.
+     */
+    count(): Promise<{
+        count: number;
+        error: string | null;
+        status: number;
+    }>;
     private getHeaders;
     private handleResponse;
 }
@@ -205,6 +255,10 @@ interface AuthModule {
     validateResetToken(token: string): Promise<any>;
     verifyEmail(token: string): Promise<any>;
     requestEmailVerification(): Promise<any>;
+    signInAnonymous(): Promise<any>;
+    requestOtp(email: string, createUser?: boolean): Promise<any>;
+    verifyOtp(type: 'email_otp' | 'magic_link', email: string, token: string): Promise<any>;
+    upgradeAnonymous(email: string, password: string): Promise<any>;
     getAuthProviders(): Promise<any>;
     getAuthProvider(provider: string): Promise<any>;
     configureAuthProvider(provider: string, clientID: string, clientSecret: string, enabled: boolean): Promise<any>;
@@ -310,12 +364,21 @@ interface StorageModule {
     upload(file: File, bucketId?: string): Promise<StorageFile>;
     /** List all files across buckets. */
     listFiles(): Promise<StorageFile[]>;
-    /** Get file metadata + a 15-min presigned download URL. */
-    getFile(fileId: string): Promise<StorageFileWithUrl>;
+    /** Get file metadata + a presigned download URL. expiresIn (seconds) controls
+     *  the URL lifetime (default 15m, server cap 7d). */
+    getFile(fileId: string, expiresIn?: number): Promise<StorageFileWithUrl>;
+    /** Create a time-limited signed download URL (Supabase createSignedUrl parity). */
+    createSignedUrl(fileId: string, expiresIn?: number): Promise<{
+        signedUrl: string;
+    }>;
     /** Delete a file by ID. */
     deleteFile(fileId: string): Promise<void>;
     /** Create a new bucket. */
     createBucket(name: string, isPublic?: boolean): Promise<StorageBucket>;
+    /** Update mutable bucket fields (is_public). */
+    updateBucket(bucketId: string, opts: {
+        isPublic?: boolean;
+    }): Promise<StorageBucket>;
     /** List all buckets. */
     listBuckets(): Promise<StorageBucket[]>;
     /** Get bucket info by ID. */
@@ -324,6 +387,10 @@ interface StorageModule {
     deleteBucket(bucketId: string): Promise<void>;
     /** List files inside a specific bucket. */
     listBucketFiles(bucketId: string): Promise<StorageFile[]>;
+    /** Download a file's bytes via the backend download route (streams + enforces
+     *  the bucket's public/RLS rules; the Bearer is sent so private files work).
+     *  Returns a Blob. */
+    download(fileId: string): Promise<Blob>;
     /** @deprecated Use upload(file, bucketId?) instead. */
     upload(table: string, file: File): Promise<any>;
 }
@@ -562,6 +629,9 @@ interface AuditLogsOptions {
 interface AuditModule {
     list(options?: AuditLogsOptions): Promise<any>;
     getActions(): Promise<any>;
+    exportLogs(format: 'csv' | 'json', options?: AuditLogsOptions): Promise<any>;
+    purgePreview(olderThanDays: number): Promise<any>;
+    purge(olderThanDays: number): Promise<any>;
 }
 
 /**
@@ -712,6 +782,69 @@ interface IPWhitelistModule {
     delete(id: string): Promise<any>;
 }
 
+/**
+ * Cache Management Module
+ */
+
+type CacheStrategy = 'no_cache' | 'ttl_only' | 'cdc_invalidation' | 'write_through';
+interface CacheStatus {
+    connected: boolean;
+    backend: string;
+    version: string;
+    ping_latency_ms: number;
+    circuit_state: string;
+    cdc_lag_seconds: number;
+}
+interface CacheStats {
+    memory_used: string;
+    memory_used_bytes: number;
+    db_size: number;
+    uptime_seconds: number;
+    ops_per_sec: number;
+    namespaces_total: number;
+}
+interface CachePolicy {
+    namespace: string;
+    strategy: CacheStrategy;
+    ttl_seconds: number;
+    use_versioning: boolean;
+    is_default: boolean;
+}
+interface CacheKey {
+    key: string;
+    ttl_seconds: number;
+}
+interface CacheKeysResponse {
+    keys: CacheKey[];
+    next_cursor: number;
+    has_more: boolean;
+}
+interface CacheKeyInspect {
+    key: string;
+    exists: boolean;
+    ttl_seconds: number;
+    size_bytes: number;
+    value_preview: string;
+    value_truncated: boolean;
+}
+interface CacheModule {
+    getStatus(): Promise<CacheStatus>;
+    getStats(): Promise<CacheStats>;
+    listPolicies(): Promise<{
+        policies: CachePolicy[];
+    }>;
+    updatePolicy(namespace: string, body: {
+        strategy: CacheStrategy;
+        ttl_seconds: number;
+        use_versioning: boolean;
+    }): Promise<any>;
+    removePolicy(namespace: string): Promise<any>;
+    invalidateNamespace(namespace: string): Promise<any>;
+    invalidateAll(): Promise<any>;
+    listKeys(prefix: string, cursor?: number, count?: number): Promise<CacheKeysResponse>;
+    inspectKey(key: string): Promise<CacheKeyInspect>;
+}
+
 /**
  * Main BaaS Client - Composes all feature modules
  *
@@ -753,11 +886,20 @@ declare class BaasClient extends HttpClient {
     readonly corsOrigins: CorsOriginsModule;
     readonly policies: PoliciesModule;
     readonly ipWhitelist: IPWhitelistModule;
-    constructor(url?: string, apiKey?: string);
+    readonly cache: CacheModule;
+    constructor(url?: string, apiKey?: string, options?: ClientOptions);
     /**
      * Create a query builder for fluent data queries
      */
     from(table: string): QueryBuilder;
+    /**
+     * Invoke a PL/pgSQL function (PostgREST `.rpc()` parity). Runs under the
+     * caller's RLS context; args bind by name and are $N-safe. Pass [params] for
+     * POST (named args in the body) or set `opts.get = true` for the GET variant.
+     */
+    rpc(fn: string, params?: Record<string, any>, opts?: {
+        get?: boolean;
+    }): Promise<any>;
     login(email: string, password: string): Promise<any>;
     verifyMFA(mfaToken: string, code: string): Promise<any>;
     getProfile(): Promise<any>;
@@ -873,6 +1015,9 @@ declare class BaasClient extends HttpClient {
     testWebhook(id: string): Promise<any>;
     listAuditLogs(options?: any): Promise<any>;
     getAuditActions(): Promise<any>;
+    exportAuditLogs(format: 'csv' | 'json', options?: any): Promise<any>;
+    previewPurgeAuditLogs(olderThanDays: number): Promise<any>;
+    purgeAuditLogs(olderThanDays: number): Promise<any>;
     subscribe<T = any>(table: string, action: RealtimeAction, callback: RealtimeCallback<T>): Promise<Subscription>;
     getEnvironmentStatus(): Promise<EnvironmentStatus>;
     initTestEnvironment(): Promise<any>;
@@ -889,4 +1034,4 @@ declare class BaasClient extends HttpClient {
     deleteIPWhitelistEntry(id: string): Promise<any>;
 }
 
-export { type ApiKeysModule, type ApiResponse, type ApplicationLogsOptions, type AuditLogsOptions, type AuditModule, type AuthModule, BaasClient, type BackupsModule, type BranchesModule, type CorsOriginsModule, type CreatePolicyInput, type DatabaseModule, type EmailConfig, type EmailModule, type EmailTemplate, type EnvVarsModule, type EnvironmentsModule, type FunctionsModule, type GraphQLModule, HttpClient, type HttpMethod, type IPWhitelistEntry, type IPWhitelistModule, type JobInput, type JobUpdateInput, type JobsModule, type LogDrainInput, type LogDrainUpdateInput, type LogDrainsModule, type MetricsModule, type MigrationsModule, type PaginationOptions, type PoliciesModule, type Policy, QueryBuilder, type QueryFilter, type RealtimeModule, type RequestLogsOptions, type RequestOptions, type SearchModule, type SearchOptions, type SendEmailInput, type StorageBucket, type StorageFile, type StorageFileWithUrl, type StorageModule, type Subscription, type TimeseriesOptions, type UsersModule, type WebhookInput, type WebhookUpdateInput, type WebhooksModule };
+export { type ApiKeysModule, type ApiResponse, type ApplicationLogsOptions, type AuditLogsOptions, type AuditModule, type AuthModule, BaasClient, type BackupsModule, type BranchesModule, type CacheKey, type CacheKeyInspect, type CacheKeysResponse, type CacheModule, type CachePolicy, type CacheStats, type CacheStatus, type CacheStrategy, type CorsOriginsModule, type CreatePolicyInput, type DatabaseModule, type EmailConfig, type EmailModule, type EmailTemplate, type EnvVarsModule, type EnvironmentsModule, type FunctionsModule, type GraphQLModule, HttpClient, type HttpMethod, type IPWhitelistEntry, type IPWhitelistModule, type JobInput, type JobUpdateInput, type JobsModule, type LogDrainInput, type LogDrainUpdateInput, type LogDrainsModule, type MetricsModule, type MigrationsModule, type PaginationOptions, type PoliciesModule, type Policy, QueryBuilder, type QueryFilter, type RealtimeModule, type RequestLogsOptions, type RequestOptions, type SearchModule, type SearchOptions, type SendEmailInput, type StorageBucket, type StorageFile, type StorageFileWithUrl, type StorageModule, type Subscription, type TimeseriesOptions, type UsersModule, type WebhookInput, type WebhookUpdateInput, type WebhooksModule };

package/dist/index.js

@@ -2,14 +2,28 @@
 var HttpClient = class {
   url;
   apiKey = "";
+  keyType;
   token = null;
   environment = "prod";
   _onForceLogout = null;
-  constructor(url, apiKey) {
+  constructor(url, apiKey, options) {
     let baseUrl = url || (typeof window !== "undefined" ? window.location.origin : "http://localhost:8080");
     this.url = baseUrl.endsWith("/") ? baseUrl.slice(0, -1) : baseUrl;
     if (apiKey) this.apiKey = apiKey;
-    this.token = this.cleanValue(localStorage.getItem("baas_token"));
+    this.keyType = options?.keyType ?? "service_role";
+    this.warnIfUnsafeKey();
+    this.token = typeof localStorage !== "undefined" ? this.cleanValue(localStorage.getItem("baas_token")) : null;
+  }
+  /** SECURITY: a service_role key bypasses RLS and grants admin over every
+   *  tenant. If it ends up in a browser bundle, anyone can extract it. Warn
+   *  loudly when a non-anon key is constructed in a browser context. */
+  warnIfUnsafeKey() {
+    const inBrowser = typeof window !== "undefined" && typeof document !== "undefined";
+    if (inBrowser && this.apiKey && this.keyType !== "anon") {
+      console.warn(
+        '[baas-sdk] SECURITY WARNING: a non-anon (service_role) key is running in a browser. It bypasses Row-Level Security and grants admin over ALL tenants, and is extractable from the bundle. Mint an anon key in the dashboard and construct the client with { keyType: "anon" }.'
+      );
+    }
   }
   /**
    * Set the auth token manually (e.g. restoring from SecureStore in React Native).
@@ -86,7 +100,14 @@ var HttpClient = class {
       if (res.status === 403 && data?.error === "ip_not_allowed") {
         this.handleIPBlocked(data.ip);
       }
-      return { error: data?.error || `Request failed: ${res.status}`, ...data };
+      const rateLimited = res.status === 429;
+      const retryHint = res.headers.get("retry-after") || res.headers.get("x-ratelimit-reset");
+      return {
+        error: data?.error || `Request failed: ${res.status}`,
+        status: res.status,
+        ...rateLimited ? { rateLimited: true, retryAfter: retryHint ? parseInt(retryHint, 10) : void 0 } : {},
+        ...data
+      };
     }
     return data;
   }
@@ -203,10 +224,49 @@ var QueryBuilder = class {
     this.queryParams.set(column, `not.${operator}.${value}`);
     return this;
   }
+  /** Array/jsonb/range contains (@>). Arrays become a `{a,b}` literal. */
+  contains(column, values) {
+    this.queryParams.set(column, `cs.${this.arrayLiteral(values)}`);
+    return this;
+  }
+  /** Array/jsonb/range contained-by (<@). */
+  containedBy(column, values) {
+    this.queryParams.set(column, `cd.${this.arrayLiteral(values)}`);
+    return this;
+  }
+  /** Array/range overlap (&&). */
+  overlaps(column, values) {
+    this.queryParams.set(column, `ov.${this.arrayLiteral(values)}`);
+    return this;
+  }
+  /** Full-text search (@@). type: fts|plfts|phfts|wfts (tsquery flavour). */
+  textSearch(column, query, type = "fts") {
+    this.queryParams.set(column, `${type}.${query}`);
+    return this;
+  }
+  arrayLiteral(values) {
+    return Array.isArray(values) ? `{${values.join(",")}}` : `${values}`;
+  }
+  /** OR group: `or=(c1,c2)`. Members are dotted `col.op.value` strings. */
   or(filters) {
     this.queryParams.set("or", `(${filters})`);
     return this;
   }
+  /** AND group: `and=(c1,c2)` — e.g. a range `qty.gt.5,qty.lt.20`. */
+  and(filters) {
+    this.queryParams.set("and", `(${filters})`);
+    return this;
+  }
+  /** Negated AND group: `not.and=(...)`. */
+  notAnd(filters) {
+    this.queryParams.set("not.and", `(${filters})`);
+    return this;
+  }
+  /** Negated OR group: `not.or=(...)`. */
+  notOr(filters) {
+    this.queryParams.set("not.or", `(${filters})`);
+    return this;
+  }
   order(column, { ascending = true } = {}) {
     this.queryParams.set("order", `${column}.${ascending ? "asc" : "desc"}`);
     return this;
@@ -250,6 +310,34 @@ var QueryBuilder = class {
     if (res.status === 204) return { success: true };
     return await this.handleResponse(res);
   }
+  /** Insert-or-update on conflict. [onConflict] is the conflict-target column(s). */
+  async upsert(data, onConflict) {
+    const res = await fetch(`${this.url}/api/v1/data/${this.table}/upsert`, {
+      method: "POST",
+      headers: this.getHeaders(),
+      body: JSON.stringify({ ...data, on_conflict: onConflict })
+    });
+    return await this.handleResponse(res);
+  }
+  /**
+   * Count rows matching the current filters (PostgREST parity). Sends
+   * `Prefer: count=exact` and parses the total from the `Content-Range`
+   * response header. Returns `{ count, error, status }`.
+   */
+  async count() {
+    const res = await fetch(`${this.url}/api/v1/data/${this.table}?${this.queryParams.toString()}`, {
+      headers: { ...this.getHeaders(), Prefer: "count=exact", "Cache-Control": "no-cache" },
+      cache: "no-store"
+    });
+    if (!res.ok) {
+      if (res.status === 401) this.client.forceLogout();
+      const body = await res.json().catch(() => null);
+      return { count: 0, error: body?.error || "Request failed", status: res.status };
+    }
+    const cr = res.headers.get("content-range");
+    const total = cr && cr.includes("/") ? parseInt(cr.split("/").pop() || "", 10) : NaN;
+    return { count: Number.isNaN(total) ? 0 : total, error: null, status: res.status };
+  }
   getHeaders() {
     return this.client.getHeaders();
   }
@@ -305,6 +393,43 @@ function createAuthModule(client) {
         localStorage.removeItem("baas_token");
       }
     },
+    // Anonymous sign-in (Supabase parity). Response carries access_token (+ a
+    // back-compat `token`); store whichever is present.
+    async signInAnonymous() {
+      const data = await post("/api/auth/anonymous");
+      const tok = data?.access_token || data?.token;
+      if (tok) {
+        client.token = tok;
+        localStorage.setItem("baas_token", tok);
+      }
+      return data;
+    },
+    // Passwordless: request a magic link + 6-digit email OTP. Always resolves on
+    // a well-formed request (no account enumeration).
+    async requestOtp(email, createUser = true) {
+      return post("/api/auth/otp", { email, create_user: createUser });
+    },
+    // Verify a passwordless OTP/magic-link and complete sign-in.
+    async verifyOtp(type, email, token) {
+      const data = await post("/api/auth/verify", { type, email, token });
+      const tok = data?.access_token || data?.token;
+      if (tok) {
+        client.token = tok;
+        localStorage.setItem("baas_token", tok);
+      }
+      return data;
+    },
+    // Upgrade the current anonymous guest to a real account (preserves user id).
+    // Requires the anonymous Bearer to be set (call after signInAnonymous).
+    async upgradeAnonymous(email, password) {
+      const data = await post("/api/auth/upgrade", { email, password });
+      const tok = data?.access_token || data?.token;
+      if (tok) {
+        client.token = tok;
+        localStorage.setItem("baas_token", tok);
+      }
+      return data;
+    },
     async verifyMFA(mfaToken, code) {
       const data = await post("/api/mfa/finalize", { mfa_token: mfaToken, code });
       if (data.token) {
@@ -502,6 +627,7 @@ function createDatabaseModule(client) {
 function createStorageModule(client) {
   const get = (endpoint) => client.get(endpoint);
   const post = (endpoint, body) => client.post(endpoint, body);
+  const put = (endpoint, body) => client.put(endpoint, body);
   const del = (endpoint) => client.delete(endpoint);
   async function uploadFile(fileOrTable, fileOrBucketId) {
     let file;
@@ -536,8 +662,15 @@ function createStorageModule(client) {
     async listFiles() {
       return get("/api/storage/files");
     },
-    async getFile(fileId) {
-      return get(`/api/storage/files/${fileId}`);
+    async getFile(fileId, expiresIn) {
+      const q = expiresIn && expiresIn > 0 ? `?expiresIn=${expiresIn}` : "";
+      return get(`/api/storage/files/${fileId}${q}`);
+    },
+    async createSignedUrl(fileId, expiresIn) {
+      const res = await get(
+        `/api/storage/files/${fileId}${expiresIn && expiresIn > 0 ? `?expiresIn=${expiresIn}` : ""}`
+      );
+      return { signedUrl: res?.url };
     },
     async deleteFile(fileId) {
       return del(`/api/storage/files/${fileId}`);
@@ -545,6 +678,9 @@ function createStorageModule(client) {
     async createBucket(name, isPublic = false) {
       return post("/api/storage/buckets", { name, is_public: isPublic });
     },
+    async updateBucket(bucketId, opts) {
+      return put(`/api/storage/buckets/${bucketId}`, { is_public: opts.isPublic });
+    },
     async listBuckets() {
       return get("/api/storage/buckets");
     },
@@ -556,6 +692,17 @@ function createStorageModule(client) {
     },
     async listBucketFiles(bucketId) {
       return get(`/api/storage/buckets/${bucketId}/files`);
+    },
+    async download(fileId) {
+      const res = await fetch(`${client.url}/api/storage/files/${fileId}/download`, {
+        headers: client.getHeaders("")
+      });
+      if (!res.ok) {
+        if (res.status === 401) client.forceLogout();
+        const err = await res.json().catch(() => ({ error: `Download failed: ${res.status}` }));
+        throw new Error(err.error ?? `Download failed: ${res.status}`);
+      }
+      return res.blob();
     }
   };
 }
@@ -656,7 +803,9 @@ function createFunctionsModule(client) {
       return del(`/api/functions/${id}`);
     },
     async update(id, code, options) {
-      return put(`/api/functions/${id}`, { code, ...options });
+      const current = await get(`/api/functions/${id}`);
+      const name = current?.name ?? current?.data?.name;
+      return post("/api/functions", { name, code, ...options });
     },
     async executeCode(code, options) {
       return post("/api/functions/execute", { code, ...options });
@@ -802,7 +951,9 @@ function createGraphQLModule(client) {
       return post("/api/graphql", { query, variables });
     },
     async getSchema() {
-      return get("/api/graphql/schema");
+      return post("/api/graphql", {
+        query: "{ __schema { queryType { name } mutationType { name } types { name kind } } }"
+      });
     },
     getPlaygroundUrl() {
       return `${client.url}/api/graphql/playground`;
@@ -848,6 +999,7 @@ function createMetricsModule(client) {
 // src/modules/audit.ts
 function createAuditModule(client) {
   const get = (endpoint) => client.get(endpoint);
+  const del = (endpoint) => client.delete(endpoint);
   return {
     async list(options) {
       const params = new URLSearchParams();
@@ -864,6 +1016,40 @@ function createAuditModule(client) {
     },
     async getActions() {
       return get("/api/audit/actions");
+    },
+    async exportLogs(format, options) {
+      const params = new URLSearchParams();
+      params.set("format", format);
+      if (options?.action) params.set("action", options.action);
+      if (options?.method) params.set("method", options.method);
+      if (options?.path) params.set("path", options.path);
+      if (options?.status_code) params.set("status_code", options.status_code.toString());
+      if (options?.start_date) params.set("start_date", options.start_date);
+      if (options?.end_date) params.set("end_date", options.end_date);
+      const res = await fetch(`${client.url}/api/audit/export?${params.toString()}`, {
+        headers: client.getHeaders(),
+        credentials: "include"
+      });
+      if (!res.ok) {
+        const data = await res.json();
+        return { error: data.error || `Export failed: ${res.status}` };
+      }
+      const blob = await res.blob();
+      const url = window.URL.createObjectURL(blob);
+      const a = document.createElement("a");
+      a.href = url;
+      a.download = `audit_logs_${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}.${format}`;
+      document.body.appendChild(a);
+      a.click();
+      window.URL.revokeObjectURL(url);
+      document.body.removeChild(a);
+      return { success: true };
+    },
+    async purgePreview(olderThanDays) {
+      return get(`/api/audit/purge/preview?older_than_days=${olderThanDays}`);
+    },
+    async purge(olderThanDays) {
+      return del(`/api/audit/purge?older_than_days=${olderThanDays}`);
     }
   };
 }
@@ -989,6 +1175,9 @@ var RealtimeService = class {
       socket.onopen = () => {
         console.log("BaaS Realtime: Connected");
         this.reconnectAttempts = 0;
+        for (const table of this.subscribers.keys()) {
+          this.sendSub("subscribe", table);
+        }
         resolve();
       };
       socket.onmessage = (event) => {
@@ -1026,11 +1215,15 @@ var RealtimeService = class {
    */
   async subscribe(table, action, callback) {
     await this.connect();
-    if (!this.subscribers.has(table)) {
+    const isNewTable = !this.subscribers.has(table);
+    if (isNewTable) {
       this.subscribers.set(table, /* @__PURE__ */ new Set());
     }
     const sub = { action, callback };
     this.subscribers.get(table).add(sub);
+    if (isNewTable && table !== "*") {
+      this.sendSub("subscribe", table);
+    }
     return {
       unsubscribe: () => {
         const tableSubs = this.subscribers.get(table);
@@ -1038,11 +1231,18 @@ var RealtimeService = class {
           tableSubs.delete(sub);
           if (tableSubs.size === 0) {
             this.subscribers.delete(table);
+            if (table !== "*") this.sendSub("unsubscribe", table);
           }
         }
       }
     };
   }
+  /** Send a subscribe/unsubscribe control frame to the server. */
+  sendSub(event, table) {
+    if (this.socket?.readyState === WebSocket.OPEN) {
+      this.socket.send(JSON.stringify({ event, table }));
+    }
+  }
   /**
    * Handle incoming CDC events from the server
    */
@@ -1214,6 +1414,44 @@ function createIPWhitelistModule(client) {
   };
 }
 
+// src/modules/cache.ts
+function createCacheModule(client) {
+  const get = (endpoint) => client.get(endpoint);
+  const post = (endpoint, body) => client.post(endpoint, body);
+  const patch = (endpoint, body) => client.patch(endpoint, body);
+  const del = (endpoint) => client.delete(endpoint);
+  return {
+    async getStatus() {
+      return get("/api/cache/status");
+    },
+    async getStats() {
+      return get("/api/cache/stats");
+    },
+    async listPolicies() {
+      return get("/api/cache/policies");
+    },
+    async updatePolicy(namespace, body) {
+      return patch(`/api/cache/policies/${encodeURIComponent(namespace)}`, body);
+    },
+    async removePolicy(namespace) {
+      return del(`/api/cache/policies/${encodeURIComponent(namespace)}`);
+    },
+    async invalidateNamespace(namespace) {
+      return post(`/api/cache/invalidate/${encodeURIComponent(namespace)}`);
+    },
+    async invalidateAll() {
+      return post("/api/cache/invalidate-all");
+    },
+    async listKeys(prefix, cursor = 0, count = 100) {
+      const params = new URLSearchParams({ prefix, cursor: String(cursor), count: String(count) });
+      return get(`/api/cache/keys?${params}`);
+    },
+    async inspectKey(key) {
+      return get(`/api/cache/keys/inspect?key=${encodeURIComponent(key)}`);
+    }
+  };
+}
+
 // src/client.ts
 var BaasClient = class extends HttpClient {
   // Feature modules
@@ -1240,8 +1478,9 @@ var BaasClient = class extends HttpClient {
   corsOrigins;
   policies;
   ipWhitelist;
-  constructor(url, apiKey) {
-    super(url, apiKey);
+  cache;
+  constructor(url, apiKey, options) {
+    super(url, apiKey, options);
     this.auth = createAuthModule(this);
     this.users = createUsersModule(this);
     this.database = createDatabaseModule(this);
@@ -1265,6 +1504,7 @@ var BaasClient = class extends HttpClient {
     this.corsOrigins = createCorsOriginsModule(this);
     this.policies = createPoliciesModule(this);
     this.ipWhitelist = createIPWhitelistModule(this);
+    this.cache = createCacheModule(this);
   }
   /**
    * Create a query builder for fluent data queries
@@ -1272,6 +1512,18 @@ var BaasClient = class extends HttpClient {
   from(table) {
     return new QueryBuilder(table, this.url, this);
   }
+  /**
+   * Invoke a PL/pgSQL function (PostgREST `.rpc()` parity). Runs under the
+   * caller's RLS context; args bind by name and are $N-safe. Pass [params] for
+   * POST (named args in the body) or set `opts.get = true` for the GET variant.
+   */
+  async rpc(fn, params, opts) {
+    if (opts?.get) {
+      const qs = params ? "?" + new URLSearchParams(Object.entries(params).map(([k, v]) => [k, String(v)])).toString() : "";
+      return this.get(`/api/v1/rpc/${fn}${qs}`);
+    }
+    return this.post(`/api/v1/rpc/${fn}`, params ?? {});
+  }
   // ============================================
   // BACKWARD COMPATIBILITY METHODS
   // These delegate to the appropriate modules
@@ -1639,6 +1891,15 @@ var BaasClient = class extends HttpClient {
   async getAuditActions() {
     return this.audit.getActions();
   }
+  async exportAuditLogs(format, options) {
+    return this.audit.exportLogs(format, options);
+  }
+  async previewPurgeAuditLogs(olderThanDays) {
+    return this.audit.purgePreview(olderThanDays);
+  }
+  async purgeAuditLogs(olderThanDays) {
+    return this.audit.purge(olderThanDays);
+  }
   // Realtime shortcuts
   subscribe(table, action, callback) {
     return this.realtime.subscribe(table, action, callback);
@@ -1692,3 +1953,4 @@ export {
   HttpClient,
   QueryBuilder
 };
+//# sourceMappingURL=index.js.map