@hachej/boring-core 0.1.0

package/dist/chunk-HSRBZLKT.js

@@ -0,0 +1,1684 @@
+import {
+  ERROR_CODES,
+  HttpError
+} from "./chunk-H5KU6R6Y.js";
+import {
+  __export
+} from "./chunk-MLKGABMK.js";
+
+// src/server/db/connection.ts
+import { drizzle } from "drizzle-orm/postgres-js";
+import postgres from "postgres";
+function createDatabase(config) {
+  if (!config.databaseUrl) {
+    throw new Error("databaseUrl is required to create a database connection");
+  }
+  const sql6 = postgres(config.databaseUrl, {
+    max: 10,
+    idle_timeout: 20,
+    connect_timeout: 10
+  });
+  const db = drizzle(sql6);
+  return { db, sql: sql6 };
+}
+
+// src/server/db/migrate.ts
+import { migrate } from "drizzle-orm/postgres-js/migrator";
+import postgres2 from "postgres";
+import { drizzle as drizzle2 } from "drizzle-orm/postgres-js";
+import { sql } from "drizzle-orm";
+import { resolve, dirname } from "path";
+import { fileURLToPath } from "url";
+import { existsSync } from "fs";
+var ADVISORY_LOCK_ID = 1651470949;
+var JOURNAL = "meta/_journal.json";
+function defaultMigrationsFolder() {
+  const thisDir = dirname(fileURLToPath(import.meta.url));
+  const candidates = [
+    resolve(thisDir, "../../../drizzle"),
+    resolve(thisDir, "../../drizzle"),
+    resolve(thisDir, "../drizzle")
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(resolve(candidate, JOURNAL))) return candidate;
+  }
+  return candidates[0];
+}
+async function runMigrations(config, options) {
+  if (!config.databaseUrl) {
+    throw new Error("databaseUrl is required to run migrations");
+  }
+  const migrationClient = postgres2(config.databaseUrl, { max: 1 });
+  const db = drizzle2(migrationClient);
+  try {
+    await db.execute(sql.raw(`SELECT pg_advisory_lock(${ADVISORY_LOCK_ID})`));
+    try {
+      await db.execute(sql.raw("CREATE EXTENSION IF NOT EXISTS pgcrypto"));
+      const migrationsFolder = options?.migrationsFolder ?? defaultMigrationsFolder();
+      await migrate(db, { migrationsFolder });
+    } finally {
+      await db.execute(sql.raw(`SELECT pg_advisory_unlock(${ADVISORY_LOCK_ID})`));
+    }
+  } finally {
+    await migrationClient.end();
+  }
+}
+
+// src/server/db/stores/LocalUserStore.ts
+var LocalUserStore = class {
+  users = /* @__PURE__ */ new Map();
+  usersByEmail = /* @__PURE__ */ new Map();
+  settings = /* @__PURE__ */ new Map();
+  // key: `${userId}:${appId}`
+  seed(user) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const full = { ...user, createdAt: now, updatedAt: now };
+    this.users.set(full.id, full);
+    this.usersByEmail.set(full.email.toLowerCase(), full);
+  }
+  async getById(id) {
+    return this.users.get(id) ?? null;
+  }
+  async getByEmail(email) {
+    return this.usersByEmail.get(email.toLowerCase()) ?? null;
+  }
+  async upsert(userId, data) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const existing = this.users.get(userId);
+    if (existing) {
+      const updated = {
+        ...existing,
+        email: data.email,
+        name: data.name ?? existing.name,
+        updatedAt: now
+      };
+      this.usersByEmail.delete(existing.email.toLowerCase());
+      this.users.set(userId, updated);
+      this.usersByEmail.set(updated.email.toLowerCase(), updated);
+      return updated;
+    }
+    const user = {
+      id: userId,
+      email: data.email,
+      name: data.name ?? null,
+      emailVerified: false,
+      image: null,
+      createdAt: now,
+      updatedAt: now
+    };
+    this.users.set(userId, user);
+    this.usersByEmail.set(user.email.toLowerCase(), user);
+    return user;
+  }
+  async getUserSettings(userId, appId) {
+    const key = `${userId}:${appId}`;
+    const existing = this.settings.get(key);
+    if (existing) return { ...existing };
+    const user = this.users.get(userId);
+    return {
+      displayName: user?.name ?? "",
+      email: user?.email ?? "",
+      settings: {}
+    };
+  }
+  async putUserSettings(userId, appId, updates) {
+    const key = `${userId}:${appId}`;
+    const current = await this.getUserSettings(userId, appId);
+    const updated = {
+      displayName: updates.displayName ?? current.displayName,
+      email: updates.email ?? current.email,
+      settings: updates.settings ?? current.settings
+    };
+    this.settings.set(key, updated);
+    return { ...updated };
+  }
+};
+
+// src/server/db/stores/LocalWorkspaceStore.ts
+import { randomUUID, createHash } from "crypto";
+var LocalWorkspaceStore = class {
+  // key: `${userId}:${workspaceId}`
+  constructor(userStore) {
+    this.userStore = userStore;
+  }
+  userStore;
+  workspaces = /* @__PURE__ */ new Map();
+  members = /* @__PURE__ */ new Map();
+  // key: `${workspaceId}:${userId}`
+  invites = /* @__PURE__ */ new Map();
+  runtimes = /* @__PURE__ */ new Map();
+  runtimeResources = /* @__PURE__ */ new Map();
+  wsSettings = /* @__PURE__ */ new Map();
+  uiStates = /* @__PURE__ */ new Map();
+  async create(userId, name, appId, opts) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const ws = {
+      id: randomUUID(),
+      appId,
+      name,
+      createdBy: userId,
+      createdAt: now,
+      deletedAt: null,
+      isDefault: opts?.isDefault ?? false
+    };
+    this.workspaces.set(ws.id, ws);
+    const memberKey = `${ws.id}:${userId}`;
+    this.members.set(memberKey, {
+      workspaceId: ws.id,
+      userId,
+      role: "owner",
+      createdAt: now
+    });
+    this.runtimes.set(ws.id, {
+      workspaceId: ws.id,
+      spriteUrl: null,
+      spriteName: null,
+      state: "ready",
+      lastError: null,
+      volumePath: null,
+      lastErrorOp: null,
+      sandboxProvider: null,
+      sandboxId: null,
+      sandboxStatus: null,
+      sandboxSnapshotId: null,
+      sandboxCreatedAt: null,
+      sandboxLastUsedAt: null,
+      sandboxLastSeenAt: null,
+      sandboxExpiresAt: null,
+      provisioningStep: null,
+      stepStartedAt: null,
+      updatedAt: now
+    });
+    return ws;
+  }
+  async list(userId, appId) {
+    const result = [];
+    for (const ws of this.workspaces.values()) {
+      if (ws.deletedAt) continue;
+      if (ws.appId !== appId) continue;
+      const memberKey = `${ws.id}:${userId}`;
+      if (this.members.has(memberKey)) result.push(ws);
+    }
+    result.sort((a, b) => {
+      if (a.isDefault !== b.isDefault) return a.isDefault ? -1 : 1;
+      return b.createdAt.localeCompare(a.createdAt);
+    });
+    return result;
+  }
+  async get(id) {
+    const ws = this.workspaces.get(id);
+    if (!ws || ws.deletedAt) return null;
+    return ws;
+  }
+  async update(id, updates) {
+    const ws = this.workspaces.get(id);
+    if (!ws || ws.deletedAt) return null;
+    const updated = { ...ws, ...updates };
+    this.workspaces.set(id, updated);
+    return updated;
+  }
+  async delete(id) {
+    const ws = this.workspaces.get(id);
+    if (!ws || ws.deletedAt) return { removed: false, code: ERROR_CODES.NOT_FOUND };
+    ws.deletedAt = (/* @__PURE__ */ new Date()).toISOString();
+    this.workspaces.set(id, ws);
+    return { removed: true };
+  }
+  async getWorkspacesWhereSoleOwner(userId) {
+    const result = [];
+    for (const ws of this.workspaces.values()) {
+      if (ws.deletedAt) continue;
+      const memberKey = `${ws.id}:${userId}`;
+      const membership = this.members.get(memberKey);
+      if (!membership || membership.role !== "owner") continue;
+      let otherOwnerExists = false;
+      for (const [key, m] of this.members) {
+        if (m.workspaceId === ws.id && m.userId !== userId && m.role === "owner") {
+          otherOwnerExists = true;
+          break;
+        }
+      }
+      if (!otherOwnerExists) result.push(ws);
+    }
+    return result;
+  }
+  async isMember(workspaceId, userId) {
+    return this.members.has(`${workspaceId}:${userId}`);
+  }
+  async getMemberRole(workspaceId, userId) {
+    const m = this.members.get(`${workspaceId}:${userId}`);
+    return m?.role ?? null;
+  }
+  async listMembers(workspaceId) {
+    const result = [];
+    for (const m of this.members.values()) {
+      if (m.workspaceId !== workspaceId) continue;
+      const user = await this.userStore.getById(m.userId);
+      result.push({
+        ...m,
+        user: {
+          id: m.userId,
+          email: user?.email ?? "",
+          name: user?.name ?? null,
+          image: user?.image ?? null
+        }
+      });
+    }
+    return result;
+  }
+  async upsertMember(workspaceId, userId, role) {
+    const key = `${workspaceId}:${userId}`;
+    const existing = this.members.get(key);
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const member = {
+      workspaceId,
+      userId,
+      role,
+      createdAt: existing?.createdAt ?? now
+    };
+    this.members.set(key, member);
+    return member;
+  }
+  async updateMemberRole(workspaceId, userId, role) {
+    const key = `${workspaceId}:${userId}`;
+    const membership = this.members.get(key);
+    if (!membership) return { code: ERROR_CODES.NOT_MEMBER };
+    if (membership.role === "owner" && role !== "owner") {
+      let otherOwnerExists = false;
+      for (const m of this.members.values()) {
+        if (m.workspaceId === workspaceId && m.userId !== userId && m.role === "owner") {
+          otherOwnerExists = true;
+          break;
+        }
+      }
+      if (!otherOwnerExists) return { code: ERROR_CODES.LAST_OWNER };
+    }
+    const updated = { ...membership, role };
+    this.members.set(key, updated);
+    return { member: updated };
+  }
+  async removeMember(workspaceId, userId) {
+    const key = `${workspaceId}:${userId}`;
+    const membership = this.members.get(key);
+    if (!membership) return { removed: false, code: ERROR_CODES.NOT_MEMBER };
+    if (membership.role === "owner") {
+      let otherOwnerExists = false;
+      for (const m of this.members.values()) {
+        if (m.workspaceId === workspaceId && m.userId !== userId && m.role === "owner") {
+          otherOwnerExists = true;
+          break;
+        }
+      }
+      if (!otherOwnerExists) return { removed: false, code: ERROR_CODES.LAST_OWNER };
+    }
+    this.members.delete(key);
+    return { removed: true };
+  }
+  async listInvites(workspaceId) {
+    const result = [];
+    for (const inv of this.invites.values()) {
+      if (inv.workspaceId === workspaceId) result.push(inv);
+    }
+    return result;
+  }
+  async createInvite(workspaceId, email, role, invitedBy, opts) {
+    const rawToken = randomUUID();
+    const tokenHash = createHash("sha256").update(rawToken).digest("hex");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const ttlDays = opts?.ttlDays ?? 7;
+    const expiresAt = new Date(Date.now() + ttlDays * 24 * 60 * 60 * 1e3).toISOString();
+    const invite = {
+      id: randomUUID(),
+      workspaceId,
+      email,
+      tokenHash,
+      role,
+      expiresAt,
+      acceptedAt: null,
+      createdBy: invitedBy,
+      createdAt: now,
+      failedAttempts: 0,
+      lockedUntil: null
+    };
+    this.invites.set(invite.id, invite);
+    return { invite, rawToken };
+  }
+  async getInvite(workspaceId, inviteId) {
+    const inv = this.invites.get(inviteId);
+    if (!inv || inv.workspaceId !== workspaceId) return null;
+    return inv;
+  }
+  async getInviteByTokenHash(tokenHash) {
+    for (const inv of this.invites.values()) {
+      if (inv.tokenHash === tokenHash) return inv;
+    }
+    return null;
+  }
+  async revokeInvite(workspaceId, inviteId) {
+    const inv = this.invites.get(inviteId);
+    if (!inv || inv.workspaceId !== workspaceId) return false;
+    this.invites.delete(inviteId);
+    return true;
+  }
+  async acceptInvite(workspaceId, inviteId, userId) {
+    const inv = this.invites.get(inviteId);
+    if (!inv || inv.workspaceId !== workspaceId) {
+      throw new HttpError({ status: 404, code: ERROR_CODES.INVITE_NOT_FOUND, message: "Invite not found" });
+    }
+    if (inv.acceptedAt) {
+      throw new HttpError({ status: 410, code: ERROR_CODES.INVITE_ALREADY_ACCEPTED, message: "Invite already accepted" });
+    }
+    if (new Date(inv.expiresAt) <= /* @__PURE__ */ new Date()) {
+      throw new HttpError({ status: 410, code: ERROR_CODES.INVITE_EXPIRED, message: "Invite has expired" });
+    }
+    const user = await this.userStore.getById(userId);
+    if (!user || inv.email.toLowerCase() !== user.email.toLowerCase()) {
+      throw new HttpError({ status: 403, code: ERROR_CODES.INVITE_EMAIL_MISMATCH, message: "Invite email does not match your account" });
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    inv.acceptedAt = now;
+    this.invites.set(inviteId, inv);
+    const member = await this.upsertMember(workspaceId, userId, inv.role);
+    return { invite: inv, member };
+  }
+  async incrementInviteFailedAttempts(inviteId) {
+    const inv = this.invites.get(inviteId);
+    if (!inv) return { failedAttempts: 0, lockedUntil: null };
+    inv.failedAttempts = (inv.failedAttempts ?? 0) + 1;
+    if (inv.failedAttempts >= 50) {
+      inv.lockedUntil = new Date(Date.now() + 60 * 60 * 1e3).toISOString();
+    }
+    this.invites.set(inviteId, inv);
+    return { failedAttempts: inv.failedAttempts, lockedUntil: inv.lockedUntil };
+  }
+  async resetInviteFailedAttempts(inviteId) {
+    const inv = this.invites.get(inviteId);
+    if (!inv) return;
+    inv.failedAttempts = 0;
+    inv.lockedUntil = null;
+    this.invites.set(inviteId, inv);
+  }
+  async getWorkspaceSettings(workspaceId) {
+    const settings = this.wsSettings.get(workspaceId);
+    if (!settings) return [];
+    return Array.from(settings.entries()).map(([key, { updatedAt }]) => ({
+      key,
+      configured: true,
+      updated_at: updatedAt
+    }));
+  }
+  async putWorkspaceSettings(workspaceId, settings) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    let wsSettings = this.wsSettings.get(workspaceId);
+    if (!wsSettings) {
+      wsSettings = /* @__PURE__ */ new Map();
+      this.wsSettings.set(workspaceId, wsSettings);
+    }
+    for (const [key, value] of Object.entries(settings)) {
+      wsSettings.set(key, { value: JSON.stringify(value), updatedAt: now });
+    }
+    return this.getWorkspaceSettings(workspaceId);
+  }
+  async getWorkspaceRuntime(workspaceId) {
+    const ws = this.workspaces.get(workspaceId);
+    if (!ws || ws.deletedAt) return null;
+    const existing = this.runtimes.get(workspaceId);
+    if (existing) return existing;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const runtime = {
+      workspaceId,
+      spriteUrl: null,
+      spriteName: null,
+      state: "ready",
+      lastError: null,
+      volumePath: null,
+      lastErrorOp: null,
+      provisioningStep: null,
+      stepStartedAt: null,
+      updatedAt: now
+    };
+    this.runtimes.set(workspaceId, runtime);
+    return runtime;
+  }
+  async putWorkspaceRuntime(workspaceId, state) {
+    const existing = await this.getWorkspaceRuntime(workspaceId);
+    if (!existing) throw new Error(`Workspace ${workspaceId} not found`);
+    const updated = {
+      ...existing,
+      ...state,
+      workspaceId,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.runtimes.set(workspaceId, updated);
+    return updated;
+  }
+  async listWorkspaceRuntimes() {
+    return Array.from(this.runtimes.values());
+  }
+  runtimeResourceKey(workspaceId, selector) {
+    return `${workspaceId}:${selector.kind}:${selector.purpose}:${selector.provider}`;
+  }
+  async getWorkspaceRuntimeResource(workspaceId, selector) {
+    const resource = this.runtimeResources.get(this.runtimeResourceKey(workspaceId, selector));
+    if (!resource || resource.state === "deleted") return null;
+    return resource;
+  }
+  async putWorkspaceRuntimeResource(workspaceId, resource) {
+    const ws = this.workspaces.get(workspaceId);
+    if (!ws || ws.deletedAt) throw new Error(`Workspace ${workspaceId} not found`);
+    const key = this.runtimeResourceKey(workspaceId, resource);
+    const existing = this.runtimeResources.get(key);
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const next = {
+      id: resource.id ?? existing?.id ?? randomUUID(),
+      workspaceId,
+      kind: resource.kind,
+      purpose: resource.purpose,
+      provider: resource.provider,
+      handleKind: resource.handleKind,
+      stableKey: resource.stableKey ?? null,
+      providerResourceId: resource.providerResourceId ?? null,
+      parentResourceId: resource.parentResourceId ?? null,
+      state: resource.state,
+      persistenceMode: resource.persistenceMode,
+      config: resource.config ?? {},
+      providerMeta: resource.providerMeta ?? {},
+      lastError: resource.lastError ?? null,
+      lastErrorCode: resource.lastErrorCode ?? null,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now,
+      lastSeenAt: resource.lastSeenAt ?? null,
+      lastUsedAt: resource.lastUsedAt ?? null,
+      expiresAt: resource.expiresAt ?? null,
+      generation: resource.generation ?? (existing?.generation ?? -1) + 1
+    };
+    this.runtimeResources.set(key, next);
+    return next;
+  }
+  async deleteWorkspaceRuntimeResource(workspaceId, selector) {
+    const key = this.runtimeResourceKey(workspaceId, selector);
+    const existing = this.runtimeResources.get(key);
+    if (!existing) return;
+    this.runtimeResources.set(key, {
+      ...existing,
+      state: "deleted",
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+  async listWorkspaceRuntimeResources(workspaceId) {
+    return Array.from(this.runtimeResources.values()).filter(
+      (resource) => !workspaceId || resource.workspaceId === workspaceId
+    );
+  }
+  async retryWorkspaceRuntime(workspaceId) {
+    const existing = this.runtimes.get(workspaceId);
+    if (!existing || existing.state !== "error") return null;
+    const updated = {
+      ...existing,
+      state: "pending",
+      lastError: null,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.runtimes.set(workspaceId, updated);
+    return updated;
+  }
+  async getUiState(userId, workspaceId) {
+    return this.uiStates.get(`${userId}:${workspaceId}`) ?? null;
+  }
+  async putUiState(userId, workspaceId, state) {
+    this.uiStates.set(`${userId}:${workspaceId}`, state);
+  }
+};
+
+// src/server/db/stores/PostgresWorkspaceStore.ts
+import { createHash as createHash2, randomBytes } from "crypto";
+import { and, eq, isNull, sql as sql4, desc } from "drizzle-orm";
+
+// src/server/db/schema.ts
+var schema_exports = {};
+__export(schema_exports, {
+  accounts: () => accounts,
+  accountsRelations: () => accountsRelations,
+  idempotencyKeys: () => idempotencyKeys,
+  sessions: () => sessions,
+  sessionsRelations: () => sessionsRelations,
+  userSettings: () => userSettings,
+  userSettingsRelations: () => userSettingsRelations,
+  users: () => users,
+  usersRelations: () => usersRelations,
+  verification_tokens: () => verification_tokens,
+  workspaceInvites: () => workspaceInvites,
+  workspaceInvitesRelations: () => workspaceInvitesRelations,
+  workspaceMembers: () => workspaceMembers,
+  workspaceMembersRelations: () => workspaceMembersRelations,
+  workspaceRuntimeResources: () => workspaceRuntimeResources,
+  workspaceRuntimeResourcesRelations: () => workspaceRuntimeResourcesRelations,
+  workspaceRuntimes: () => workspaceRuntimes,
+  workspaceRuntimesRelations: () => workspaceRuntimesRelations,
+  workspaceSettings: () => workspaceSettings,
+  workspaceSettingsRelations: () => workspaceSettingsRelations,
+  workspaces: () => workspaces,
+  workspacesRelations: () => workspacesRelations
+});
+
+// drizzle/schema.ts
+import { relations, sql as sql2 } from "drizzle-orm";
+import {
+  pgTable,
+  text,
+  timestamp,
+  boolean,
+  uuid,
+  index
+} from "drizzle-orm/pg-core";
+var users = pgTable("users", {
+  id: uuid("id").default(sql2`pg_catalog.gen_random_uuid()`).primaryKey(),
+  name: text("name").notNull(),
+  email: text("email").notNull().unique(),
+  email_verified: boolean("email_verified").default(false).notNull(),
+  image: text("image"),
+  created_at: timestamp("created_at").defaultNow().notNull(),
+  updated_at: timestamp("updated_at").defaultNow().$onUpdate(() => /* @__PURE__ */ new Date()).notNull()
+});
+var sessions = pgTable(
+  "sessions",
+  {
+    id: uuid("id").default(sql2`pg_catalog.gen_random_uuid()`).primaryKey(),
+    expires_at: timestamp("expires_at").notNull(),
+    token: text("token").notNull().unique(),
+    created_at: timestamp("created_at").defaultNow().notNull(),
+    updated_at: timestamp("updated_at").defaultNow().$onUpdate(() => /* @__PURE__ */ new Date()).notNull(),
+    ip_address: text("ip_address"),
+    user_agent: text("user_agent"),
+    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" })
+  },
+  (table) => [index("sessions_userId_idx").on(table.userId)]
+);
+var accounts = pgTable(
+  "accounts",
+  {
+    id: uuid("id").default(sql2`pg_catalog.gen_random_uuid()`).primaryKey(),
+    account_id: text("account_id").notNull(),
+    provider_id: text("provider_id").notNull(),
+    userId: uuid("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    access_token: text("access_token"),
+    refresh_token: text("refresh_token"),
+    id_token: text("id_token"),
+    access_token_expires_at: timestamp("access_token_expires_at"),
+    refresh_token_expires_at: timestamp("refresh_token_expires_at"),
+    scope: text("scope"),
+    password: text("password"),
+    created_at: timestamp("created_at").defaultNow().notNull(),
+    updated_at: timestamp("updated_at").defaultNow().$onUpdate(() => /* @__PURE__ */ new Date()).notNull()
+  },
+  (table) => [index("accounts_userId_idx").on(table.userId)]
+);
+var verification_tokens = pgTable(
+  "verification_tokens",
+  {
+    id: uuid("id").default(sql2`pg_catalog.gen_random_uuid()`).primaryKey(),
+    identifier: text("identifier").notNull(),
+    value: text("value").notNull(),
+    expires_at: timestamp("expires_at").notNull(),
+    created_at: timestamp("created_at").defaultNow().notNull(),
+    updated_at: timestamp("updated_at").defaultNow().$onUpdate(() => /* @__PURE__ */ new Date()).notNull()
+  },
+  (table) => [index("verification_tokens_identifier_idx").on(table.identifier)]
+);
+var usersRelations = relations(users, ({ many }) => ({
+  sessionss: many(sessions),
+  accountss: many(accounts)
+}));
+var sessionsRelations = relations(sessions, ({ one }) => ({
+  users: one(users, {
+    fields: [sessions.userId],
+    references: [users.id]
+  })
+}));
+var accountsRelations = relations(accounts, ({ one }) => ({
+  users: one(users, {
+    fields: [accounts.userId],
+    references: [users.id]
+  })
+}));
+
+// src/server/db/schema.ts
+import { pgTable as pgTable2, text as text2, uuid as uuid2, jsonb, timestamp as timestamp2, primaryKey, index as index2, integer, boolean as boolean2, uniqueIndex, check, customType } from "drizzle-orm/pg-core";
+import { relations as relations2, sql as sql3 } from "drizzle-orm";
+var bytea = customType({
+  dataType() {
+    return "bytea";
+  }
+});
+var userSettings = pgTable2(
+  "user_settings",
+  {
+    userId: uuid2("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    appId: text2("app_id").notNull(),
+    displayName: text2("display_name").notNull().default(""),
+    email: text2("email").notNull().default(""),
+    settings: jsonb("settings").notNull().default({}),
+    updatedAt: timestamp2("updated_at").defaultNow().notNull()
+  },
+  (table) => [
+    primaryKey({ columns: [table.userId, table.appId] }),
+    index2("user_settings_user_id_idx").on(table.userId)
+  ]
+);
+var userSettingsRelations = relations2(userSettings, ({ one }) => ({
+  user: one(users, {
+    fields: [userSettings.userId],
+    references: [users.id]
+  })
+}));
+var workspaces = pgTable2(
+  "workspaces",
+  {
+    id: uuid2("id").default(sql3`gen_random_uuid()`).primaryKey(),
+    appId: text2("app_id").notNull(),
+    name: text2("name").notNull(),
+    createdBy: uuid2("created_by").notNull().references(() => users.id),
+    createdAt: timestamp2("created_at").defaultNow().notNull(),
+    deletedAt: timestamp2("deleted_at"),
+    isDefault: boolean2("is_default").notNull().default(false)
+  },
+  (table) => [
+    index2("workspaces_created_by_idx").on(table.createdBy),
+    uniqueIndex("idx_workspaces_default_per_user_app").on(table.createdBy, table.appId).where(sql3`${table.isDefault} = true`)
+  ]
+);
+var workspacesRelations = relations2(workspaces, ({ one }) => ({
+  creator: one(users, {
+    fields: [workspaces.createdBy],
+    references: [users.id]
+  })
+}));
+var workspaceMembers = pgTable2(
+  "workspace_members",
+  {
+    workspaceId: uuid2("workspace_id").notNull().references(() => workspaces.id, { onDelete: "no action" }),
+    userId: uuid2("user_id").notNull().references(() => users.id, { onDelete: "restrict" }),
+    role: text2("role").notNull(),
+    createdAt: timestamp2("created_at").defaultNow().notNull()
+  },
+  (table) => [
+    primaryKey({ columns: [table.workspaceId, table.userId] }),
+    index2("workspace_members_user_id_idx").on(table.userId),
+    check("workspace_members_role_check", sql3`${table.role} IN ('owner', 'editor', 'viewer')`)
+  ]
+);
+var workspaceMembersRelations = relations2(workspaceMembers, ({ one }) => ({
+  workspace: one(workspaces, {
+    fields: [workspaceMembers.workspaceId],
+    references: [workspaces.id]
+  }),
+  user: one(users, {
+    fields: [workspaceMembers.userId],
+    references: [users.id]
+  })
+}));
+var workspaceSettings = pgTable2(
+  "workspace_settings",
+  {
+    workspaceId: uuid2("workspace_id").notNull().references(() => workspaces.id, { onDelete: "no action" }),
+    key: text2("key").notNull(),
+    value: bytea("value").notNull(),
+    updatedAt: timestamp2("updated_at").defaultNow().notNull()
+  },
+  (table) => [
+    primaryKey({ columns: [table.workspaceId, table.key] })
+  ]
+);
+var workspaceSettingsRelations = relations2(workspaceSettings, ({ one }) => ({
+  workspace: one(workspaces, {
+    fields: [workspaceSettings.workspaceId],
+    references: [workspaces.id]
+  })
+}));
+var workspaceRuntimes = pgTable2(
+  "workspace_runtimes",
+  {
+    workspaceId: uuid2("workspace_id").primaryKey().references(() => workspaces.id),
+    spriteUrl: text2("sprite_url"),
+    spriteName: text2("sprite_name"),
+    state: text2("state").notNull().default("pending"),
+    lastError: text2("last_error"),
+    volumePath: text2("volume_path"),
+    lastErrorOp: text2("last_error_op"),
+    sandboxProvider: text2("sandbox_provider"),
+    sandboxId: text2("sandbox_id"),
+    sandboxStatus: text2("sandbox_status"),
+    sandboxSnapshotId: text2("sandbox_snapshot_id"),
+    sandboxCreatedAt: timestamp2("sandbox_created_at"),
+    sandboxLastUsedAt: timestamp2("sandbox_last_used_at"),
+    sandboxLastSeenAt: timestamp2("sandbox_last_seen_at"),
+    sandboxExpiresAt: timestamp2("sandbox_expires_at"),
+    updatedAt: timestamp2("updated_at").defaultNow().notNull(),
+    provisioningStep: text2("provisioning_step"),
+    stepStartedAt: timestamp2("step_started_at")
+  },
+  (table) => [
+    check(
+      "workspace_runtimes_state_check",
+      sql3`${table.state} IN ('pending', 'ready', 'error')`
+    )
+  ]
+);
+var workspaceRuntimesRelations = relations2(
+  workspaceRuntimes,
+  ({ one }) => ({
+    workspace: one(workspaces, {
+      fields: [workspaceRuntimes.workspaceId],
+      references: [workspaces.id]
+    })
+  })
+);
+var workspaceRuntimeResources = pgTable2(
+  "workspace_runtime_resources",
+  {
+    id: uuid2("id").default(sql3`gen_random_uuid()`).primaryKey(),
+    workspaceId: uuid2("workspace_id").notNull().references(() => workspaces.id, { onDelete: "cascade" }),
+    kind: text2("kind").notNull(),
+    purpose: text2("purpose").notNull().default("main"),
+    provider: text2("provider").notNull(),
+    handleKind: text2("handle_kind").notNull(),
+    stableKey: text2("stable_key"),
+    providerResourceId: text2("provider_resource_id"),
+    parentResourceId: uuid2("parent_resource_id"),
+    state: text2("state").notNull(),
+    persistenceMode: text2("persistence_mode").notNull(),
+    config: jsonb("config").notNull().default({}),
+    providerMeta: jsonb("provider_meta").notNull().default({}),
+    lastError: text2("last_error"),
+    lastErrorCode: text2("last_error_code"),
+    createdAt: timestamp2("created_at").defaultNow().notNull(),
+    updatedAt: timestamp2("updated_at").defaultNow().notNull(),
+    lastSeenAt: timestamp2("last_seen_at"),
+    lastUsedAt: timestamp2("last_used_at"),
+    expiresAt: timestamp2("expires_at"),
+    generation: integer("generation").notNull().default(0)
+  },
+  (table) => [
+    uniqueIndex("workspace_runtime_resources_active_idx").on(table.workspaceId, table.kind, table.purpose, table.provider).where(sql3`${table.state} <> 'deleted'`),
+    index2("workspace_runtime_resources_workspace_kind_idx").on(table.workspaceId, table.kind),
+    index2("workspace_runtime_resources_provider_stable_key_idx").on(table.provider, table.stableKey),
+    index2("workspace_runtime_resources_provider_resource_id_idx").on(table.provider, table.providerResourceId)
+  ]
+);
+var workspaceRuntimeResourcesRelations = relations2(
+  workspaceRuntimeResources,
+  ({ one }) => ({
+    workspace: one(workspaces, {
+      fields: [workspaceRuntimeResources.workspaceId],
+      references: [workspaces.id]
+    })
+  })
+);
+var workspaceInvites = pgTable2(
+  "workspace_invites",
+  {
+    id: uuid2("id").default(sql3`gen_random_uuid()`).primaryKey(),
+    workspaceId: uuid2("workspace_id").notNull().references(() => workspaces.id),
+    email: text2("email").notNull(),
+    tokenHash: text2("token_hash").notNull(),
+    role: text2("role").notNull(),
+    expiresAt: timestamp2("expires_at").notNull(),
+    acceptedAt: timestamp2("accepted_at"),
+    failedAttempts: integer("failed_attempts").notNull().default(0),
+    lockedUntil: timestamp2("locked_until"),
+    createdBy: uuid2("created_by").references(() => users.id, {
+      onDelete: "restrict"
+    }),
+    createdAt: timestamp2("created_at").defaultNow().notNull()
+  },
+  (table) => [
+    uniqueIndex("workspace_invites_token_hash_idx").on(table.tokenHash),
+    index2("workspace_invites_workspace_id_idx").on(table.workspaceId),
+    check(
+      "workspace_invites_role_check",
+      sql3`${table.role} IN ('owner', 'editor', 'viewer')`
+    )
+  ]
+);
+var workspaceInvitesRelations = relations2(
+  workspaceInvites,
+  ({ one }) => ({
+    workspace: one(workspaces, {
+      fields: [workspaceInvites.workspaceId],
+      references: [workspaces.id]
+    }),
+    creator: one(users, {
+      fields: [workspaceInvites.createdBy],
+      references: [users.id]
+    })
+  })
+);
+var idempotencyKeys = pgTable2(
+  "idempotency_keys",
+  {
+    key: text2("key").primaryKey(),
+    scope: text2("scope").notNull(),
+    responseStatus: integer("response_status").notNull(),
+    responseBody: jsonb("response_body").notNull(),
+    createdAt: timestamp2("created_at").defaultNow().notNull()
+  },
+  (table) => [
+    index2("idempotency_keys_created_at_idx").on(table.createdAt)
+  ]
+);
+
+// src/server/db/stores/PostgresWorkspaceStore.ts
+var UI_STATE_KEY_PREFIX = "workspace_ui_state:";
+function normalizeEmail(email) {
+  return email.trim().toLowerCase();
+}
+function toIso(value) {
+  if (value === null) return null;
+  if (typeof value === "string") return value;
+  return value.toISOString();
+}
+function toDate(value) {
+  return value ? new Date(value) : null;
+}
+function asRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : {};
+}
+function toWorkspaceRuntime(row) {
+  return {
+    workspaceId: row.workspaceId,
+    spriteUrl: row.spriteUrl,
+    spriteName: row.spriteName,
+    state: row.state,
+    lastError: row.lastError,
+    volumePath: row.volumePath,
+    lastErrorOp: row.lastErrorOp,
+    sandboxProvider: row.sandboxProvider,
+    sandboxId: row.sandboxId,
+    sandboxStatus: row.sandboxStatus,
+    sandboxSnapshotId: row.sandboxSnapshotId,
+    sandboxCreatedAt: toIso(row.sandboxCreatedAt),
+    sandboxLastUsedAt: toIso(row.sandboxLastUsedAt),
+    sandboxLastSeenAt: toIso(row.sandboxLastSeenAt),
+    sandboxExpiresAt: toIso(row.sandboxExpiresAt),
+    provisioningStep: row.provisioningStep,
+    stepStartedAt: toIso(row.stepStartedAt),
+    updatedAt: toIso(row.updatedAt)
+  };
+}
+function toWorkspaceRuntimeResource(row) {
+  return {
+    id: row.id,
+    workspaceId: row.workspaceId,
+    kind: row.kind,
+    purpose: row.purpose,
+    provider: row.provider,
+    handleKind: row.handleKind,
+    stableKey: row.stableKey,
+    providerResourceId: row.providerResourceId,
+    parentResourceId: row.parentResourceId,
+    state: row.state,
+    persistenceMode: row.persistenceMode,
+    config: asRecord(row.config),
+    providerMeta: asRecord(row.providerMeta),
+    lastError: row.lastError,
+    lastErrorCode: row.lastErrorCode,
+    createdAt: toIso(row.createdAt),
+    updatedAt: toIso(row.updatedAt),
+    lastSeenAt: toIso(row.lastSeenAt),
+    lastUsedAt: toIso(row.lastUsedAt),
+    expiresAt: toIso(row.expiresAt),
+    generation: row.generation
+  };
+}
+function toWorkspaceInvite(row) {
+  return {
+    id: row.id,
+    workspaceId: row.workspaceId,
+    email: row.email,
+    tokenHash: row.tokenHash,
+    role: row.role,
+    expiresAt: toIso(row.expiresAt),
+    acceptedAt: toIso(row.acceptedAt),
+    createdBy: row.createdBy,
+    createdAt: toIso(row.createdAt),
+    failedAttempts: row.failedAttempts,
+    lockedUntil: toIso(row.lockedUntil)
+  };
+}
+function toWorkspaceMember(row) {
+  return {
+    workspaceId: row.workspaceId,
+    userId: row.userId,
+    role: row.role,
+    createdAt: toIso(row.createdAt)
+  };
+}
+function toWorkspace(row) {
+  return {
+    id: row.id,
+    appId: row.appId,
+    name: row.name,
+    createdBy: row.createdBy,
+    createdAt: row.createdAt.toISOString(),
+    deletedAt: row.deletedAt?.toISOString() ?? null,
+    isDefault: row.isDefault
+  };
+}
+var PostgresWorkspaceStore = class {
+  constructor(db, workspaceSettingsKey = process.env.WORKSPACE_SETTINGS_ENCRYPTION_KEY ?? "") {
+    this.db = db;
+    this.workspaceSettingsKey = workspaceSettingsKey;
+  }
+  db;
+  workspaceSettingsKey;
+  uiStateKey(workspaceId) {
+    return `${UI_STATE_KEY_PREFIX}${workspaceId}`;
+  }
+  async getWorkspaceAppId(workspaceId) {
+    const rows = await this.db.select({ appId: workspaces.appId }).from(workspaces).where(and(eq(workspaces.id, workspaceId), isNull(workspaces.deletedAt))).limit(1);
+    return rows[0]?.appId ?? null;
+  }
+  // ---------------------------------------------------------------------------
+  // Workspace CRUD (Sub-PR 1)
+  // ---------------------------------------------------------------------------
+  async create(userId, name, appId, opts) {
+    return this.db.transaction(async (tx) => {
+      const [row] = await tx.insert(workspaces).values({ appId, name, createdBy: userId, isDefault: opts?.isDefault ?? false }).returning();
+      await tx.insert(workspaceMembers).values({
+        workspaceId: row.id,
+        userId,
+        role: "owner"
+      });
+      return toWorkspace(row);
+    });
+  }
+  async list(userId, appId) {
+    const rows = await this.db.select({ ws: workspaces }).from(workspaces).innerJoin(
+      workspaceMembers,
+      and(
+        eq(workspaceMembers.workspaceId, workspaces.id),
+        eq(workspaceMembers.userId, userId)
+      )
+    ).where(and(eq(workspaces.appId, appId), isNull(workspaces.deletedAt))).orderBy(desc(workspaces.isDefault), desc(workspaces.createdAt));
+    return rows.map((r) => toWorkspace(r.ws));
+  }
+  async get(id) {
+    const rows = await this.db.select().from(workspaces).where(and(eq(workspaces.id, id), isNull(workspaces.deletedAt))).limit(1);
+    return rows.length > 0 ? toWorkspace(rows[0]) : null;
+  }
+  async update(id, updates) {
+    const rows = await this.db.update(workspaces).set(updates).where(and(eq(workspaces.id, id), isNull(workspaces.deletedAt))).returning();
+    return rows.length > 0 ? toWorkspace(rows[0]) : null;
+  }
+  async delete(id) {
+    const ws = await this.get(id);
+    if (!ws) return { removed: false, code: ERROR_CODES.NOT_FOUND };
+    await this.db.update(workspaces).set({ deletedAt: /* @__PURE__ */ new Date() }).where(eq(workspaces.id, id));
+    return { removed: true };
+  }
+  // ---------------------------------------------------------------------------
+  // Sole-owner query (Sub-PR 1)
+  // ---------------------------------------------------------------------------
+  async getWorkspacesWhereSoleOwner(userId) {
+    const rows = await this.db.select({ ws: workspaces }).from(workspaces).innerJoin(
+      workspaceMembers,
+      and(
+        eq(workspaceMembers.workspaceId, workspaces.id),
+        eq(workspaceMembers.userId, userId),
+        eq(workspaceMembers.role, sql4`'owner'`)
+      )
+    ).where(
+      and(
+        isNull(workspaces.deletedAt),
+        sql4`(SELECT count(*) FROM workspace_members WHERE workspace_id = ${workspaces.id} AND role = 'owner') = 1`
+      )
+    );
+    return rows.map((r) => toWorkspace(r.ws));
+  }
+  // ---------------------------------------------------------------------------
+  // Member methods (Sub-PR 1)
+  // ---------------------------------------------------------------------------
+  async isMember(workspaceId, userId) {
+    const rows = await this.db.select({ n: sql4`1` }).from(workspaceMembers).where(
+      and(
+        eq(workspaceMembers.workspaceId, workspaceId),
+        eq(workspaceMembers.userId, userId)
+      )
+    ).limit(1);
+    return rows.length > 0;
+  }
+  async getMemberRole(workspaceId, userId) {
+    const rows = await this.db.select({ role: workspaceMembers.role }).from(workspaceMembers).where(
+      and(
+        eq(workspaceMembers.workspaceId, workspaceId),
+        eq(workspaceMembers.userId, userId)
+      )
+    ).limit(1);
+    return rows.length > 0 ? rows[0].role : null;
+  }
+  async listMembers(workspaceId) {
+    const rows = await this.db.select({
+      member: workspaceMembers,
+      user: {
+        id: users.id,
+        email: users.email,
+        name: users.name,
+        image: users.image
+      }
+    }).from(workspaceMembers).innerJoin(users, eq(users.id, workspaceMembers.userId)).where(eq(workspaceMembers.workspaceId, workspaceId));
+    return rows.map((r) => ({
+      ...toWorkspaceMember(r.member),
+      user: {
+        id: r.user.id,
+        email: r.user.email,
+        name: r.user.name,
+        image: r.user.image
+      }
+    }));
+  }
+  async upsertMember(workspaceId, userId, role) {
+    const [row] = await this.db.insert(workspaceMembers).values({ workspaceId, userId, role }).onConflictDoUpdate({
+      target: [workspaceMembers.workspaceId, workspaceMembers.userId],
+      set: { role }
+    }).returning();
+    return toWorkspaceMember(row);
+  }
+  async updateMemberRole(workspaceId, userId, role) {
+    return this.db.transaction(async (tx) => {
+      await tx.execute(sql4`
+        SELECT user_id
+        FROM workspace_members
+        WHERE workspace_id = ${workspaceId}
+        FOR UPDATE
+      `);
+      const memberRows = await tx.select({ role: workspaceMembers.role }).from(workspaceMembers).where(
+        and(
+          eq(workspaceMembers.workspaceId, workspaceId),
+          eq(workspaceMembers.userId, userId)
+        )
+      ).limit(1);
+      const currentRole = memberRows[0]?.role;
+      if (!currentRole) return { code: ERROR_CODES.NOT_MEMBER };
+      if (currentRole === "owner" && role !== "owner") {
+        const [{ count }] = await tx.select({ count: sql4`count(*)::int` }).from(workspaceMembers).where(
+          and(
+            eq(workspaceMembers.workspaceId, workspaceId),
+            eq(workspaceMembers.role, sql4`'owner'`)
+          )
+        );
+        if (Number(count) <= 1) {
+          return { code: ERROR_CODES.LAST_OWNER };
+        }
+      }
+      const [updated] = await tx.update(workspaceMembers).set({ role }).where(
+        and(
+          eq(workspaceMembers.workspaceId, workspaceId),
+          eq(workspaceMembers.userId, userId)
+        )
+      ).returning();
+      return { member: toWorkspaceMember(updated) };
+    });
+  }
+  async removeMember(workspaceId, userId) {
+    return this.db.transaction(async (tx) => {
+      await tx.execute(sql4`
+        SELECT user_id
+        FROM workspace_members
+        WHERE workspace_id = ${workspaceId}
+          AND role = 'owner'
+        FOR UPDATE
+      `);
+      const memberRows = await tx.select({ role: workspaceMembers.role }).from(workspaceMembers).where(
+        and(
+          eq(workspaceMembers.workspaceId, workspaceId),
+          eq(workspaceMembers.userId, userId)
+        )
+      ).limit(1);
+      const role = memberRows[0]?.role;
+      if (!role) return { removed: false, code: ERROR_CODES.NOT_MEMBER };
+      if (role === "owner") {
+        const [{ count }] = await tx.select({ count: sql4`count(*)::int` }).from(workspaceMembers).where(
+          and(
+            eq(workspaceMembers.workspaceId, workspaceId),
+            eq(workspaceMembers.role, sql4`'owner'`)
+          )
+        );
+        if (Number(count) <= 1) {
+          return { removed: false, code: ERROR_CODES.LAST_OWNER };
+        }
+      }
+      const deletedRows = await tx.delete(workspaceMembers).where(
+        and(
+          eq(workspaceMembers.workspaceId, workspaceId),
+          eq(workspaceMembers.userId, userId)
+        )
+      ).returning({ userId: workspaceMembers.userId });
+      if (deletedRows.length === 0) {
+        return { removed: false, code: ERROR_CODES.NOT_MEMBER };
+      }
+      return { removed: true };
+    });
+  }
+  // ---------------------------------------------------------------------------
+  // Invite methods (Sub-PR 2)
+  // ---------------------------------------------------------------------------
+  async createInvite(workspaceId, email, role, invitedBy, opts) {
+    const rawToken = randomBytes(32).toString("base64url");
+    const tokenHash = createHash2("sha256").update(rawToken).digest("hex");
+    const ttlDays = opts?.ttlDays ?? 7;
+    const expiresAt = new Date(Date.now() + ttlDays * 24 * 60 * 60 * 1e3);
+    const rows = await this.db.insert(workspaceInvites).values({
+      workspaceId,
+      email: normalizeEmail(email),
+      tokenHash,
+      role,
+      expiresAt,
+      createdBy: invitedBy
+    }).returning();
+    return {
+      invite: toWorkspaceInvite(rows[0]),
+      rawToken
+    };
+  }
+  async listInvites(workspaceId) {
+    const rows = await this.db.select().from(workspaceInvites).where(eq(workspaceInvites.workspaceId, workspaceId)).orderBy(workspaceInvites.createdAt);
+    return rows.map(toWorkspaceInvite);
+  }
+  async getInvite(workspaceId, inviteId) {
+    const rows = await this.db.select().from(workspaceInvites).where(
+      and(
+        eq(workspaceInvites.workspaceId, workspaceId),
+        eq(workspaceInvites.id, inviteId)
+      )
+    ).limit(1);
+    return rows[0] ? toWorkspaceInvite(rows[0]) : null;
+  }
+  async getInviteByTokenHash(tokenHash) {
+    const rows = await this.db.select().from(workspaceInvites).where(eq(workspaceInvites.tokenHash, tokenHash)).limit(1);
+    return rows[0] ? toWorkspaceInvite(rows[0]) : null;
+  }
+  async revokeInvite(workspaceId, inviteId) {
+    const rows = await this.db.delete(workspaceInvites).where(
+      and(
+        eq(workspaceInvites.workspaceId, workspaceId),
+        eq(workspaceInvites.id, inviteId)
+      )
+    ).returning({ id: workspaceInvites.id });
+    return rows.length > 0;
+  }
+  async acceptInvite(workspaceId, inviteId, userId) {
+    return this.db.transaction(async (tx) => {
+      const inviteRows = await tx.select().from(workspaceInvites).where(
+        and(
+          eq(workspaceInvites.workspaceId, workspaceId),
+          eq(workspaceInvites.id, inviteId)
+        )
+      ).limit(1);
+      const invite = inviteRows[0];
+      if (!invite) {
+        throw new HttpError({
+          status: 404,
+          code: ERROR_CODES.INVITE_NOT_FOUND,
+          message: "Invite not found"
+        });
+      }
+      if (invite.acceptedAt) {
+        throw new HttpError({
+          status: 410,
+          code: ERROR_CODES.INVITE_ALREADY_ACCEPTED,
+          message: "Invite already accepted"
+        });
+      }
+      if (invite.expiresAt.getTime() <= Date.now()) {
+        throw new HttpError({
+          status: 410,
+          code: ERROR_CODES.INVITE_EXPIRED,
+          message: "Invite expired"
+        });
+      }
+      const userRows = await tx.select({ email: users.email }).from(users).where(eq(users.id, userId)).limit(1);
+      const user = userRows[0];
+      const userEmail = user ? normalizeEmail(user.email) : null;
+      if (!userEmail || userEmail !== normalizeEmail(invite.email)) {
+        throw new HttpError({
+          status: 403,
+          code: ERROR_CODES.INVITE_EMAIL_MISMATCH,
+          message: "Invite email mismatch"
+        });
+      }
+      const acceptedRows = await tx.update(workspaceInvites).set({ acceptedAt: /* @__PURE__ */ new Date() }).where(
+        and(
+          eq(workspaceInvites.workspaceId, workspaceId),
+          eq(workspaceInvites.id, inviteId),
+          isNull(workspaceInvites.acceptedAt)
+        )
+      ).returning();
+      if (acceptedRows.length === 0) {
+        const refreshedRows = await tx.select().from(workspaceInvites).where(
+          and(
+            eq(workspaceInvites.workspaceId, workspaceId),
+            eq(workspaceInvites.id, inviteId)
+          )
+        ).limit(1);
+        const refreshed = refreshedRows[0];
+        if (!refreshed) {
+          throw new HttpError({
+            status: 404,
+            code: ERROR_CODES.INVITE_NOT_FOUND,
+            message: "Invite not found"
+          });
+        }
+        throw new HttpError({
+          status: 410,
+          code: ERROR_CODES.INVITE_ALREADY_ACCEPTED,
+          message: "Invite already accepted"
+        });
+      }
+      const memberRows = await tx.insert(workspaceMembers).values({
+        workspaceId,
+        userId,
+        role: invite.role
+      }).onConflictDoUpdate({
+        target: [workspaceMembers.workspaceId, workspaceMembers.userId],
+        set: { role: invite.role }
+      }).returning();
+      const acceptedInvite = acceptedRows[0];
+      const member = memberRows[0];
+      if (!acceptedInvite || !member) {
+        throw new HttpError({
+          status: 500,
+          code: ERROR_CODES.INTERNAL_ERROR,
+          message: "Failed to accept invite"
+        });
+      }
+      return {
+        invite: toWorkspaceInvite(acceptedInvite),
+        member: toWorkspaceMember(member)
+      };
+    });
+  }
+  async incrementInviteFailedAttempts(inviteId) {
+    const rows = await this.db.update(workspaceInvites).set({
+      failedAttempts: sql4`${workspaceInvites.failedAttempts} + 1`,
+      lockedUntil: sql4`CASE WHEN ${workspaceInvites.failedAttempts} + 1 >= 50 THEN now() + interval '1 hour' ELSE ${workspaceInvites.lockedUntil} END`
+    }).where(eq(workspaceInvites.id, inviteId)).returning({
+      failedAttempts: workspaceInvites.failedAttempts,
+      lockedUntil: workspaceInvites.lockedUntil
+    });
+    if (rows.length === 0) return { failedAttempts: 0, lockedUntil: null };
+    return {
+      failedAttempts: rows[0].failedAttempts,
+      lockedUntil: toIso(rows[0].lockedUntil)
+    };
+  }
+  async resetInviteFailedAttempts(inviteId) {
+    await this.db.update(workspaceInvites).set({ failedAttempts: 0, lockedUntil: null }).where(eq(workspaceInvites.id, inviteId));
+  }
+  async decryptSetting(workspaceId, key, db = this.db) {
+    try {
+      const rows = await db.select({
+        plaintext: sql4`pgp_sym_decrypt(${workspaceSettings.value}, ${this.workspaceSettingsKey})::text`
+      }).from(workspaceSettings).where(
+        and(
+          eq(workspaceSettings.workspaceId, workspaceId),
+          eq(workspaceSettings.key, key)
+        )
+      ).limit(1);
+      return rows[0]?.plaintext ?? null;
+    } catch (err) {
+      const code = err instanceof Error ? err.constructor.name : "unknown";
+      console.error(`[workspace-store] decryptSetting failed for key="${key}" workspace="${workspaceId}": ${code}`);
+      return null;
+    }
+  }
+  async encryptAndPut(workspaceId, key, value, db = this.db) {
+    if (!this.workspaceSettingsKey) {
+      throw new Error("WORKSPACE_SETTINGS_ENCRYPTION_KEY is not configured \u2014 cannot store encrypted settings");
+    }
+    await db.execute(sql4`
+      INSERT INTO workspace_settings (workspace_id, key, value, updated_at)
+      VALUES (${workspaceId}::uuid, ${key}, pgp_sym_encrypt(${value}, ${this.workspaceSettingsKey}), NOW())
+      ON CONFLICT (workspace_id, key)
+      DO UPDATE SET value = pgp_sym_encrypt(${value}, ${this.workspaceSettingsKey}), updated_at = NOW()
+    `);
+  }
+  async getWorkspaceSettings(workspaceId) {
+    const rows = await this.db.select({ key: workspaceSettings.key, updatedAt: workspaceSettings.updatedAt }).from(workspaceSettings).where(eq(workspaceSettings.workspaceId, workspaceId)).orderBy(workspaceSettings.key);
+    const metadata = [];
+    for (const row of rows) {
+      const decrypted = await this.decryptSetting(workspaceId, row.key);
+      metadata.push({
+        key: row.key,
+        configured: decrypted !== null,
+        updated_at: row.updatedAt.toISOString()
+      });
+    }
+    return metadata;
+  }
+  async putWorkspaceSettings(workspaceId, settings) {
+    await this.db.transaction(async (tx) => {
+      for (const [key, value] of Object.entries(settings)) {
+        await this.encryptAndPut(workspaceId, key, value, tx);
+      }
+    });
+    return this.getWorkspaceSettings(workspaceId);
+  }
+  async getWorkspaceRuntime(workspaceId) {
+    const appId = await this.getWorkspaceAppId(workspaceId);
+    if (!appId) return null;
+    const existingRows = await this.db.select().from(workspaceRuntimes).where(eq(workspaceRuntimes.workspaceId, workspaceId)).limit(1);
+    if (existingRows.length > 0) {
+      return toWorkspaceRuntime(existingRows[0]);
+    }
+    await this.db.insert(workspaceRuntimes).values({
+      workspaceId,
+      spriteUrl: null,
+      spriteName: null,
+      state: "ready",
+      lastError: null,
+      sandboxProvider: null,
+      sandboxId: null,
+      sandboxStatus: null,
+      sandboxSnapshotId: null,
+      sandboxCreatedAt: null,
+      sandboxLastUsedAt: null,
+      sandboxLastSeenAt: null,
+      sandboxExpiresAt: null,
+      provisioningStep: null,
+      stepStartedAt: null,
+      updatedAt: /* @__PURE__ */ new Date()
+    }).onConflictDoNothing();
+    const createdRows = await this.db.select().from(workspaceRuntimes).where(eq(workspaceRuntimes.workspaceId, workspaceId)).limit(1);
+    if (createdRows.length === 0) return null;
+    return toWorkspaceRuntime(createdRows[0]);
+  }
+  async putWorkspaceRuntime(workspaceId, state) {
+    const existing = await this.getWorkspaceRuntime(workspaceId);
+    if (!existing) {
+      throw new Error(`Workspace ${workspaceId} not found`);
+    }
+    const merged = {
+      ...existing,
+      ...state,
+      workspaceId,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    const rows = await this.db.insert(workspaceRuntimes).values({
+      workspaceId,
+      spriteUrl: merged.spriteUrl,
+      spriteName: merged.spriteName,
+      state: merged.state,
+      lastError: merged.lastError,
+      volumePath: merged.volumePath,
+      lastErrorOp: merged.lastErrorOp,
+      sandboxProvider: merged.sandboxProvider ?? null,
+      sandboxId: merged.sandboxId ?? null,
+      sandboxStatus: merged.sandboxStatus ?? null,
+      sandboxSnapshotId: merged.sandboxSnapshotId ?? null,
+      sandboxCreatedAt: merged.sandboxCreatedAt ? new Date(merged.sandboxCreatedAt) : null,
+      sandboxLastUsedAt: merged.sandboxLastUsedAt ? new Date(merged.sandboxLastUsedAt) : null,
+      sandboxLastSeenAt: merged.sandboxLastSeenAt ? new Date(merged.sandboxLastSeenAt) : null,
+      sandboxExpiresAt: merged.sandboxExpiresAt ? new Date(merged.sandboxExpiresAt) : null,
+      provisioningStep: merged.provisioningStep,
+      stepStartedAt: merged.stepStartedAt ? new Date(merged.stepStartedAt) : null,
+      updatedAt: new Date(merged.updatedAt)
+    }).onConflictDoUpdate({
+      target: workspaceRuntimes.workspaceId,
+      set: {
+        spriteUrl: merged.spriteUrl,
+        spriteName: merged.spriteName,
+        state: merged.state,
+        lastError: merged.lastError,
+        volumePath: merged.volumePath,
+        lastErrorOp: merged.lastErrorOp,
+        sandboxProvider: merged.sandboxProvider ?? null,
+        sandboxId: merged.sandboxId ?? null,
+        sandboxStatus: merged.sandboxStatus ?? null,
+        sandboxSnapshotId: merged.sandboxSnapshotId ?? null,
+        sandboxCreatedAt: merged.sandboxCreatedAt ? new Date(merged.sandboxCreatedAt) : null,
+        sandboxLastUsedAt: merged.sandboxLastUsedAt ? new Date(merged.sandboxLastUsedAt) : null,
+        sandboxLastSeenAt: merged.sandboxLastSeenAt ? new Date(merged.sandboxLastSeenAt) : null,
+        sandboxExpiresAt: merged.sandboxExpiresAt ? new Date(merged.sandboxExpiresAt) : null,
+        provisioningStep: merged.provisioningStep,
+        stepStartedAt: merged.stepStartedAt ? new Date(merged.stepStartedAt) : null,
+        updatedAt: /* @__PURE__ */ new Date()
+      }
+    }).returning();
+    return toWorkspaceRuntime(rows[0]);
+  }
+  async retryWorkspaceRuntime(workspaceId) {
+    const rows = await this.db.update(workspaceRuntimes).set({
+      state: "pending",
+      lastError: null,
+      updatedAt: /* @__PURE__ */ new Date()
+    }).where(
+      and(
+        eq(workspaceRuntimes.workspaceId, workspaceId),
+        eq(workspaceRuntimes.state, "error")
+      )
+    ).returning();
+    if (rows.length === 0) return null;
+    return toWorkspaceRuntime(rows[0]);
+  }
+  async listWorkspaceRuntimes() {
+    const rows = await this.db.select().from(workspaceRuntimes);
+    return rows.map((row) => toWorkspaceRuntime(row));
+  }
+  async getWorkspaceRuntimeResource(workspaceId, selector) {
+    const rows = await this.db.select().from(workspaceRuntimeResources).where(
+      and(
+        eq(workspaceRuntimeResources.workspaceId, workspaceId),
+        eq(workspaceRuntimeResources.kind, selector.kind),
+        eq(workspaceRuntimeResources.purpose, selector.purpose),
+        eq(workspaceRuntimeResources.provider, selector.provider),
+        sql4`${workspaceRuntimeResources.state} <> 'deleted'`
+      )
+    ).limit(1);
+    return rows[0] ? toWorkspaceRuntimeResource(rows[0]) : null;
+  }
+  async putWorkspaceRuntimeResource(workspaceId, resource) {
+    const workspace = await this.get(workspaceId);
+    if (!workspace) throw new Error(`Workspace ${workspaceId} not found`);
+    const now = /* @__PURE__ */ new Date();
+    const existing = await this.getWorkspaceRuntimeResource(workspaceId, resource);
+    const values = {
+      workspaceId,
+      kind: resource.kind,
+      purpose: resource.purpose,
+      provider: resource.provider,
+      handleKind: resource.handleKind,
+      stableKey: resource.stableKey ?? null,
+      providerResourceId: resource.providerResourceId ?? null,
+      parentResourceId: resource.parentResourceId ?? null,
+      state: resource.state,
+      persistenceMode: resource.persistenceMode,
+      config: resource.config ?? {},
+      providerMeta: resource.providerMeta ?? {},
+      lastError: resource.lastError ?? null,
+      lastErrorCode: resource.lastErrorCode ?? null,
+      updatedAt: now,
+      lastSeenAt: toDate(resource.lastSeenAt),
+      lastUsedAt: toDate(resource.lastUsedAt),
+      expiresAt: toDate(resource.expiresAt),
+      generation: resource.generation ?? (existing?.generation ?? -1) + 1
+    };
+    if (existing) {
+      const rows2 = await this.db.update(workspaceRuntimeResources).set(values).where(eq(workspaceRuntimeResources.id, existing.id)).returning();
+      return toWorkspaceRuntimeResource(rows2[0]);
+    }
+    const rows = await this.db.insert(workspaceRuntimeResources).values({
+      id: resource.id,
+      ...values,
+      createdAt: now
+    }).returning();
+    return toWorkspaceRuntimeResource(rows[0]);
+  }
+  async deleteWorkspaceRuntimeResource(workspaceId, selector) {
+    const existing = await this.getWorkspaceRuntimeResource(workspaceId, selector);
+    if (!existing) return;
+    await this.db.update(workspaceRuntimeResources).set({
+      state: "deleted",
+      updatedAt: /* @__PURE__ */ new Date()
+    }).where(eq(workspaceRuntimeResources.id, existing.id));
+  }
+  async listWorkspaceRuntimeResources(workspaceId) {
+    const base = this.db.select().from(workspaceRuntimeResources);
+    const rows = workspaceId ? await base.where(eq(workspaceRuntimeResources.workspaceId, workspaceId)) : await base;
+    return rows.map((row) => toWorkspaceRuntimeResource(row));
+  }
+  async getUiState(userId, workspaceId) {
+    const appId = await this.getWorkspaceAppId(workspaceId);
+    if (!appId) return null;
+    const rows = await this.db.select({ settings: userSettings.settings }).from(userSettings).where(
+      and(eq(userSettings.userId, userId), eq(userSettings.appId, appId))
+    ).limit(1);
+    const key = this.uiStateKey(workspaceId);
+    const payload = rows[0]?.settings?.[key];
+    if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
+      return null;
+    }
+    return payload;
+  }
+  async putUiState(userId, workspaceId, state) {
+    const appId = await this.getWorkspaceAppId(workspaceId);
+    if (!appId) return;
+    const patch = JSON.stringify({ [this.uiStateKey(workspaceId)]: state });
+    await this.db.execute(sql4`
+      INSERT INTO user_settings (user_id, app_id, display_name, email, settings, updated_at)
+      VALUES (
+        ${userId}::uuid,
+        ${appId},
+        COALESCE(
+          (SELECT us.display_name FROM user_settings us WHERE us.user_id = ${userId}::uuid AND us.app_id = ${appId}),
+          (SELECT COALESCE(u.name, '') FROM users u WHERE u.id = ${userId}::uuid),
+          ''
+        ),
+        COALESCE(
+          (SELECT us.email FROM user_settings us WHERE us.user_id = ${userId}::uuid AND us.app_id = ${appId}),
+          (SELECT u.email FROM users u WHERE u.id = ${userId}::uuid),
+          ''
+        ),
+        COALESCE(
+          (SELECT us.settings FROM user_settings us WHERE us.user_id = ${userId}::uuid AND us.app_id = ${appId}),
+          '{}'::jsonb
+        ) || ${patch}::jsonb,
+        NOW()
+      )
+      ON CONFLICT (user_id, app_id)
+      DO UPDATE SET
+        settings = COALESCE(user_settings.settings, '{}'::jsonb) || ${patch}::jsonb,
+        updated_at = NOW()
+    `);
+  }
+};
+
+// src/server/db/stores/PostgresUserStore.ts
+import { eq as eq2, sql as sql5 } from "drizzle-orm";
+function normalizeEmail2(email) {
+  return email.trim().toLowerCase();
+}
+function rowToUser(row) {
+  return {
+    id: row.id,
+    email: row.email,
+    name: row.name,
+    emailVerified: row.email_verified,
+    image: row.image,
+    createdAt: row.created_at.toISOString(),
+    updatedAt: row.updated_at.toISOString()
+  };
+}
+var PostgresUserStore = class {
+  constructor(db) {
+    this.db = db;
+  }
+  db;
+  async getById(id) {
+    const rows = await this.db.select().from(users).where(eq2(users.id, id)).limit(1);
+    return rows.length > 0 ? rowToUser(rows[0]) : null;
+  }
+  async getByEmail(email) {
+    const normalized = normalizeEmail2(email);
+    const rows = await this.db.select().from(users).where(eq2(users.email, normalized)).limit(1);
+    return rows.length > 0 ? rowToUser(rows[0]) : null;
+  }
+  async upsert(userId, data) {
+    const normalized = normalizeEmail2(data.email);
+    const rows = await this.db.insert(users).values({
+      id: userId,
+      email: normalized,
+      name: data.name ?? "",
+      email_verified: false
+    }).onConflictDoUpdate({
+      target: users.id,
+      set: {
+        email: normalized,
+        ...data.name !== void 0 ? { name: data.name } : {},
+        updated_at: /* @__PURE__ */ new Date()
+      }
+    }).returning();
+    return rowToUser(rows[0]);
+  }
+  async getUserSettings(userId, appId) {
+    const rows = await this.db.select().from(userSettings).where(
+      sql5`${userSettings.userId} = ${userId} AND ${userSettings.appId} = ${appId}`
+    ).limit(1);
+    if (rows.length === 0) {
+      const user = await this.getById(userId);
+      return {
+        displayName: user?.name ?? "",
+        email: user?.email ?? "",
+        settings: {}
+      };
+    }
+    return {
+      displayName: rows[0].displayName,
+      email: rows[0].email,
+      settings: rows[0].settings ?? {}
+    };
+  }
+  async putUserSettings(userId, appId, updates) {
+    const current = await this.getUserSettings(userId, appId);
+    const nextDisplayName = updates.displayName ?? current.displayName;
+    const nextEmail = updates.email ?? current.email;
+    const nextSettings = updates.settings ?? current.settings;
+    const rows = await this.db.insert(userSettings).values({
+      userId,
+      appId,
+      displayName: nextDisplayName,
+      email: nextEmail,
+      settings: nextSettings
+    }).onConflictDoUpdate({
+      target: [userSettings.userId, userSettings.appId],
+      set: {
+        displayName: nextDisplayName,
+        email: nextEmail,
+        settings: nextSettings,
+        updatedAt: /* @__PURE__ */ new Date()
+      }
+    }).returning();
+    return {
+      displayName: rows[0].displayName,
+      email: rows[0].email,
+      settings: rows[0].settings ?? {}
+    };
+  }
+};
+
+export {
+  users,
+  verification_tokens,
+  workspaces,
+  workspaceMembers,
+  workspaceSettings,
+  workspaceRuntimes,
+  workspaceInvites,
+  idempotencyKeys,
+  schema_exports,
+  createDatabase,
+  runMigrations,
+  LocalUserStore,
+  LocalWorkspaceStore,
+  PostgresWorkspaceStore,
+  PostgresUserStore
+};