@hasna/logs 0.3.26 → 0.3.28

package/dist/server/index.js

@@ -5,12 +5,17 @@ import {
   runRetentionForProject,
   setPageAuth,
   setRetentionPolicy,
-  startScheduler
-} from "../index-gc0zvs88.js";
+  startScheduler,
+  structuredLogPayloadToEntries,
+  validateStructuredLogReferences
+} from "../index-y2y0mdtd.js";
+import {
+  countLogs
+} from "../index-gcd14q2f.js";
 import {
   exportToCsv,
   exportToJson
-} from "../index-eh9bkbpa.js";
+} from "../index-e72k53yq.js";
 import {
   getHealth
 } from "../index-cpvq9np9.js";
@@ -20,43 +25,60 @@ import {
   createProject,
   deleteAlertRule,
   exitIfMetadataRequest,
-  getDb,
-  getIssue,
+  exportEventsToJson,
+  getEvent,
   getLatestSnapshot,
   getPerfTrend,
   getProject,
+  getTestReport,
+  hasBufferedEventCatalogEvent,
+  hasBufferedLogEvent,
+  hasOption,
   ingestBatch,
   ingestLog,
+  ingestUniversalEvent,
   listAlertRules,
-  listIssues,
   listPages,
   listProjects,
   readOptionValue,
   resolveProjectId,
+  searchEvents,
+  searchTestReports,
+  subscribeEventCatalogEvents,
+  subscribeLogEvents,
   summarizeLogs,
   updateAlertRule,
-  updateIssueStatus,
-  updateProject
-} from "../index-pen6t0yc.js";
+  updateProject,
+  validateUniversalEventInput
+} from "../index-qk8dbvbc.js";
+import {
+  getDb,
+  getIssue,
+  listIssues,
+  updateIssueStatus
+} from "../index-t3x838zw.js";
 import {
   createJob,
   deleteJob,
   listJobs,
   updateJob
-} from "../index-3dr7d80h.js";
+} from "../index-e1930v9b.js";
 import {
   getLogContext,
   searchLogs,
   tailLogs
-} from "../index-ww5ggfv3.js";
-import {
-  countLogs
-} from "../index-edn08m6f.js";
+} from "../index-zkb3z95a.js";
+import"../index-b5c72f1p.js";
 import {
   parseTime
-} from "../index-997bkzr2.js";
+} from "../index-hq6kzaah.js";
 import"../index-re3ntm60.js";
 
+// src/server/index.ts
+import { existsSync } from "fs";
+import { dirname as dirname2, resolve } from "path";
+import { fileURLToPath } from "url";
+
 // node_modules/hono/dist/compose.js
 var compose = (middleware, onError, onNotFound) => {
   return (context, next) => {
@@ -429,7 +451,7 @@ var HonoRequest = class {
     return headerData;
   }
   async parseBody(options) {
-    return this.bodyCache.parsedBody ??= await parseBody(this, options);
+    return parseBody(this, options);
   }
   #cachedBody = (key) => {
     const { bodyCache, raw } = this;
@@ -457,6 +479,9 @@ var HonoRequest = class {
   arrayBuffer() {
     return this.#cachedBody("arrayBuffer");
   }
+  bytes() {
+    return this.#cachedBody("arrayBuffer").then((buffer) => new Uint8Array(buffer));
+  }
   blob() {
     return this.#cachedBody("blob");
   }
@@ -793,7 +818,7 @@ var Hono = class _Hono {
         handler = async (c, next) => (await compose([], app.errorHandler)(c, () => r.handler(c, next))).res;
         handler[COMPOSED_HANDLER] = r.handler;
       }
-      subApp.#addRoute(r.method, r.path, handler);
+      subApp.#addRoute(r.method, r.path, handler, r.basePath);
     });
     return this;
   }
@@ -840,7 +865,7 @@ var Hono = class _Hono {
       const pathPrefixLength = mergedPath === "/" ? 0 : mergedPath.length;
       return (request) => {
         const url = new URL(request.url);
-        url.pathname = url.pathname.slice(pathPrefixLength) || "/";
+        url.pathname = this.getPath(request).slice(pathPrefixLength) || "/";
         return new Request(url, request);
       };
     })();
@@ -854,10 +879,15 @@ var Hono = class _Hono {
     this.#addRoute(METHOD_NAME_ALL, mergePath(path, "*"), handler);
     return this;
   }
-  #addRoute(method, path, handler) {
+  #addRoute(method, path, handler, baseRoutePath) {
     method = method.toUpperCase();
     path = mergePath(this._basePath, path);
-    const r = { basePath: this._basePath, path, method, handler };
+    const r = {
+      basePath: baseRoutePath !== undefined ? mergePath(this._basePath, baseRoutePath) : this._basePath,
+      path,
+      method,
+      handler
+    };
     this.router.add(method, path, [handler, r]);
     this.routes.push(r);
   }
@@ -1595,97 +1625,12 @@ var Hono2 = class extends Hono {
   }
 };
 
-// node_modules/hono/dist/middleware/cors/index.js
-var cors = (options) => {
-  const defaults = {
-    origin: "*",
-    allowMethods: ["GET", "HEAD", "PUT", "POST", "DELETE", "PATCH"],
-    allowHeaders: [],
-    exposeHeaders: []
-  };
-  const opts = {
-    ...defaults,
-    ...options
-  };
-  const findAllowOrigin = ((optsOrigin) => {
-    if (typeof optsOrigin === "string") {
-      if (optsOrigin === "*") {
-        return () => optsOrigin;
-      } else {
-        return (origin) => optsOrigin === origin ? origin : null;
-      }
-    } else if (typeof optsOrigin === "function") {
-      return optsOrigin;
-    } else {
-      return (origin) => optsOrigin.includes(origin) ? origin : null;
-    }
-  })(opts.origin);
-  const findAllowMethods = ((optsAllowMethods) => {
-    if (typeof optsAllowMethods === "function") {
-      return optsAllowMethods;
-    } else if (Array.isArray(optsAllowMethods)) {
-      return () => optsAllowMethods;
-    } else {
-      return () => [];
-    }
-  })(opts.allowMethods);
-  return async function cors2(c, next) {
-    function set(key, value) {
-      c.res.headers.set(key, value);
-    }
-    const allowOrigin = await findAllowOrigin(c.req.header("origin") || "", c);
-    if (allowOrigin) {
-      set("Access-Control-Allow-Origin", allowOrigin);
-    }
-    if (opts.credentials) {
-      set("Access-Control-Allow-Credentials", "true");
-    }
-    if (opts.exposeHeaders?.length) {
-      set("Access-Control-Expose-Headers", opts.exposeHeaders.join(","));
-    }
-    if (c.req.method === "OPTIONS") {
-      if (opts.origin !== "*") {
-        set("Vary", "Origin");
-      }
-      if (opts.maxAge != null) {
-        set("Access-Control-Max-Age", opts.maxAge.toString());
-      }
-      const allowMethods = await findAllowMethods(c.req.header("origin") || "", c);
-      if (allowMethods.length) {
-        set("Access-Control-Allow-Methods", allowMethods.join(","));
-      }
-      let headers = opts.allowHeaders;
-      if (!headers?.length) {
-        const requestHeaders = c.req.header("Access-Control-Request-Headers");
-        if (requestHeaders) {
-          headers = requestHeaders.split(/\s*,\s*/);
-        }
-      }
-      if (headers?.length) {
-        set("Access-Control-Allow-Headers", headers.join(","));
-        c.res.headers.append("Vary", "Access-Control-Request-Headers");
-      }
-      c.res.headers.delete("Content-Length");
-      c.res.headers.delete("Content-Type");
-      return new Response(null, {
-        headers: c.res.headers,
-        status: 204,
-        statusText: "No Content"
-      });
-    }
-    await next();
-    if (opts.origin !== "*") {
-      c.header("Vary", "Origin", { append: true });
-    }
-  };
-};
-
 // node_modules/hono/dist/adapter/bun/serve-static.js
 import { stat } from "fs/promises";
 import { join } from "path";
 
 // node_modules/hono/dist/utils/compress.js
-var COMPRESSIBLE_CONTENT_TYPE_REGEX = /^\s*(?:text\/(?!event-stream(?:[;\s]|$))[^;\s]+|application\/(?:javascript|json|xml|xml-dtd|ecmascript|dart|postscript|rtf|tar|toml|vnd\.dart|vnd\.ms-fontobject|vnd\.ms-opentype|wasm|x-httpd-php|x-javascript|x-ns-proxy-autoconfig|x-sh|x-tar|x-virtualbox-hdd|x-virtualbox-ova|x-virtualbox-ovf|x-virtualbox-vbox|x-virtualbox-vdi|x-virtualbox-vhd|x-virtualbox-vmdk|x-www-form-urlencoded)|font\/(?:otf|ttf)|image\/(?:bmp|vnd\.adobe\.photoshop|vnd\.microsoft\.icon|vnd\.ms-dds|x-icon|x-ms-bmp)|message\/rfc822|model\/gltf-binary|x-shader\/x-fragment|x-shader\/x-vertex|[^;\s]+?\+(?:json|text|xml|yaml))(?:[;\s]|$)/i;
+var COMPRESSIBLE_CONTENT_TYPE_REGEX = /^\s*(?:text\/(?!event-stream(?:[;\s]|$))[^;\s]+|application\/(?:javascript|json|xml|xml-dtd|ecmascript|dart|msgpack|postscript|rtf|tar|toml|vnd\.dart|vnd\.ms-fontobject|vnd\.ms-opentype|vnd\.msgpack|wasm|x-httpd-php|x-javascript|x-msgpack|x-ns-proxy-autoconfig|x-sh|x-tar|x-virtualbox-hdd|x-virtualbox-ova|x-virtualbox-ovf|x-virtualbox-vbox|x-virtualbox-vdi|x-virtualbox-vhd|x-virtualbox-vmdk|x-www-form-urlencoded)|font\/(?:otf|ttf)|image\/(?:bmp|vnd\.adobe\.photoshop|vnd\.microsoft\.icon|vnd\.ms-dds|x-icon|x-ms-bmp)|message\/rfc822|model\/gltf-binary|x-shader\/x-fragment|x-shader\/x-vertex|[^;\s]+?\+(?:json|text|xml|yaml|msgpack))(?:[;\s]|$)/i;
 
 // node_modules/hono/dist/utils/mime.js
 var getMimeType = (filename, mimes = baseMimes) => {
@@ -1694,11 +1639,7 @@ var getMimeType = (filename, mimes = baseMimes) => {
   if (!match2) {
     return;
   }
-  let mimeType = mimes[match2[1].toLowerCase()];
-  if (mimeType && mimeType.startsWith("text")) {
-    mimeType += "; charset=utf-8";
-  }
-  return mimeType;
+  return mimes[match2[1].toLowerCase()];
 };
 var _baseMimes = {
   aac: "audio/aac",
@@ -1707,25 +1648,25 @@ var _baseMimes = {
   av1: "video/av1",
   bin: "application/octet-stream",
   bmp: "image/bmp",
-  css: "text/css",
-  csv: "text/csv",
+  css: "text/css; charset=utf-8",
+  csv: "text/csv; charset=utf-8",
   eot: "application/vnd.ms-fontobject",
   epub: "application/epub+zip",
   gif: "image/gif",
   gz: "application/gzip",
-  htm: "text/html",
-  html: "text/html",
+  htm: "text/html; charset=utf-8",
+  html: "text/html; charset=utf-8",
   ico: "image/x-icon",
-  ics: "text/calendar",
+  ics: "text/calendar; charset=utf-8",
   jpeg: "image/jpeg",
   jpg: "image/jpeg",
-  js: "text/javascript",
+  js: "text/javascript; charset=utf-8",
   json: "application/json",
   jsonld: "application/ld+json",
   map: "application/json",
   mid: "audio/x-midi",
   midi: "audio/x-midi",
-  mjs: "text/javascript",
+  mjs: "text/javascript; charset=utf-8",
   mp3: "audio/mpeg",
   mp4: "video/mp4",
   mpeg: "video/mpeg",
@@ -1737,12 +1678,12 @@ var _baseMimes = {
   pdf: "application/pdf",
   png: "image/png",
   rtf: "application/rtf",
-  svg: "image/svg+xml",
+  svg: "image/svg+xml; charset=utf-8",
   tif: "image/tiff",
   tiff: "image/tiff",
   ts: "video/mp2t",
   ttf: "font/ttf",
-  txt: "text/plain",
+  txt: "text/plain; charset=utf-8",
   wasm: "application/wasm",
   webm: "video/webm",
   weba: "audio/webm",
@@ -1750,8 +1691,8 @@ var _baseMimes = {
   webp: "image/webp",
   woff: "font/woff",
   woff2: "font/woff2",
-  xhtml: "application/xhtml+xml",
-  xml: "application/xml",
+  xhtml: "application/xhtml+xml; charset=utf-8",
+  xml: "application/xml; charset=utf-8",
   zip: "application/zip",
   "3gp": "video/3gpp",
   "3g2": "video/3gpp2",
@@ -1798,7 +1739,7 @@ var serveStatic = (options) => {
     } else {
       try {
         filename = tryDecodeURI(c.req.path);
-        if (/(?:^|[\/\\])\.\.(?:$|[\/\\])/.test(filename)) {
+        if (/(?:^|[\/\\])\.{1,2}(?:$|[\/\\])|[\/\\]{2,}|\\/.test(filename)) {
           throw new Error;
         }
       } catch {
@@ -1843,7 +1784,7 @@ var serveStatic = (options) => {
 };
 
 // node_modules/hono/dist/adapter/bun/serve-static.js
-var serveStatic2 = (options) => {
+var serveStatic2 = (options = {}) => {
   return async function serveStatic22(c, next) {
     const getContent = async (path) => {
       const file = Bun.file(path);
@@ -1951,14 +1892,96 @@ var upgradeWebSocket = defineWebSocketHelper((c, events) => {
   return;
 });
 
+// node_modules/hono/dist/middleware/cors/index.js
+var cors = (options) => {
+  const opts = {
+    origin: "*",
+    allowMethods: ["GET", "HEAD", "PUT", "POST", "DELETE", "PATCH"],
+    allowHeaders: [],
+    exposeHeaders: [],
+    ...options
+  };
+  const findAllowOrigin = ((optsOrigin) => {
+    if (typeof optsOrigin === "string") {
+      if (optsOrigin === "*") {
+        return () => optsOrigin;
+      } else {
+        return (origin) => optsOrigin === origin ? origin : null;
+      }
+    } else if (typeof optsOrigin === "function") {
+      return optsOrigin;
+    } else {
+      return (origin) => optsOrigin.includes(origin) ? origin : null;
+    }
+  })(opts.origin);
+  const findAllowMethods = ((optsAllowMethods) => {
+    if (typeof optsAllowMethods === "function") {
+      return optsAllowMethods;
+    } else if (Array.isArray(optsAllowMethods)) {
+      return () => optsAllowMethods;
+    } else {
+      return () => [];
+    }
+  })(opts.allowMethods);
+  return async function cors2(c, next) {
+    function set(key, value) {
+      c.res.headers.set(key, value);
+    }
+    const allowOrigin = await findAllowOrigin(c.req.header("origin") || "", c);
+    if (allowOrigin) {
+      set("Access-Control-Allow-Origin", allowOrigin);
+    }
+    if (opts.credentials) {
+      set("Access-Control-Allow-Credentials", "true");
+    }
+    if (opts.exposeHeaders?.length) {
+      set("Access-Control-Expose-Headers", opts.exposeHeaders.join(","));
+    }
+    if (c.req.method === "OPTIONS") {
+      if (opts.origin !== "*") {
+        set("Vary", "Origin");
+      }
+      if (opts.maxAge != null) {
+        set("Access-Control-Max-Age", opts.maxAge.toString());
+      }
+      const allowMethods = await findAllowMethods(c.req.header("origin") || "", c);
+      if (allowMethods.length) {
+        set("Access-Control-Allow-Methods", allowMethods.join(","));
+      }
+      let headers = opts.allowHeaders;
+      if (!headers?.length) {
+        const requestHeaders = c.req.header("Access-Control-Request-Headers");
+        if (requestHeaders) {
+          headers = requestHeaders.split(/\s*,\s*/);
+        }
+      }
+      if (headers?.length) {
+        set("Access-Control-Allow-Headers", headers.join(","));
+        c.res.headers.append("Vary", "Access-Control-Request-Headers");
+      }
+      c.res.headers.delete("Content-Length");
+      c.res.headers.delete("Content-Type");
+      return new Response(null, {
+        headers: c.res.headers,
+        status: 204,
+        statusText: "No Content"
+      });
+    }
+    await next();
+    if (opts.origin !== "*") {
+      c.header("Vary", "Origin", { append: true });
+    }
+  };
+};
+
 // src/lib/browser-script.ts
 function getBrowserScript(serverUrl) {
   return `(function(){
-var cfg={url:'${serverUrl}',projectId:null};
+var cfg={url:'${serverUrl}',projectId:null,browserToken:null};
 var el=document.currentScript;
-if(el){cfg.projectId=el.getAttribute('data-project')||null;}
+if(el){cfg.projectId=el.getAttribute('data-project')||null;cfg.browserToken=el.getAttribute('data-browser-token')||el.getAttribute('data-write-token')||null;}
 var q=[];
-function flush(){if(!q.length)return;var b=q.splice(0);fetch(cfg.url+'/api/logs',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify(b),keepalive:true}).catch(function(){});}
+function flush(){if(!q.length)return;var b=q.splice(0);var h={'Content-Type':'application/json'};if(cfg.browserToken)h['X-Logs-Browser-Token']=cfg.browserToken;fetch(cfg.url+'/api/logs',{method:'POST',headers:h,body:JSON.stringify(b),keepalive:true}).catch(function(){});}
 setInterval(flush,2000);
 function push(level,msg,extra){
   q.push(Object.assign({level:level,message:String(msg),source:'script',url:location.href,timestamp:new Date().toISOString()},cfg.projectId?{project_id:cfg.projectId}:{},extra||{}));
@@ -1975,112 +1998,1421 @@ window.__logs={push:push,flush:flush,config:cfg};
 })();`;
 }
 
-// src/server/routes/alerts.ts
-function alertsRoutes(db) {
-  const app = new Hono2;
-  app.post("/", async (c) => {
-    const body = await c.req.json();
-    if (!body.project_id || !body.name)
-      return c.json({ error: "project_id and name required" }, 422);
-    return c.json(createAlertRule(db, body), 201);
-  });
-  app.get("/", (c) => {
-    const { project_id } = c.req.query();
-    return c.json(listAlertRules(db, project_id || undefined));
-  });
-  app.put("/:id", async (c) => {
-    const body = await c.req.json();
-    const updated = updateAlertRule(db, c.req.param("id"), body);
-    if (!updated)
-      return c.json({ error: "not found" }, 404);
-    return c.json(updated);
-  });
-  app.delete("/:id", (c) => {
-    deleteAlertRule(db, c.req.param("id"));
-    return c.json({ deleted: true });
+// src/lib/browser-ingest-tokens.ts
+import { createHash, randomBytes } from "crypto";
+function createBrowserIngestToken(db, projectId, opts = {}) {
+  const token = `olb_${randomBytes(32).toString("hex")}`;
+  const tokenHash = hashBrowserToken(token);
+  const allowedOrigins = normalizeAllowedOrigins(opts.allowed_origins ?? []);
+  const row = db.prepare(`
+    INSERT INTO browser_ingest_tokens (project_id, token_hash, token_prefix, name, allowed_origins)
+    VALUES ($project_id, $token_hash, $token_prefix, $name, $allowed_origins)
+    RETURNING id, project_id, token_prefix, name, allowed_origins, enabled, created_at, last_used_at
+  `).get({
+    $project_id: projectId,
+    $token_hash: tokenHash,
+    $token_prefix: token.slice(0, 12),
+    $name: opts.name ?? null,
+    $allowed_origins: allowedOrigins.length > 0 ? JSON.stringify(allowedOrigins) : null
   });
-  return app;
+  return { ...row, token };
 }
-
-// src/server/routes/issues.ts
-function issuesRoutes(db) {
-  const app = new Hono2;
-  app.get("/", (c) => {
-    const { project_id, status, limit } = c.req.query();
-    return c.json(listIssues(db, project_id || undefined, status || undefined, limit ? Number(limit) : 50));
-  });
-  app.get("/:id", (c) => {
-    const issue = getIssue(db, c.req.param("id"));
-    if (!issue)
-      return c.json({ error: "not found" }, 404);
-    return c.json(issue);
-  });
-  app.get("/:id/logs", (c) => {
-    const issue = getIssue(db, c.req.param("id"));
-    if (!issue)
-      return c.json({ error: "not found" }, 404);
-    const rows = searchLogs(db, {
-      project_id: issue.project_id ?? undefined,
-      level: issue.level,
-      service: issue.service ?? undefined,
-      text: issue.message_template.slice(0, 50),
-      limit: 50
-    });
-    return c.json(rows);
-  });
-  app.put("/:id", async (c) => {
-    const { status } = await c.req.json();
-    if (!["open", "resolved", "ignored"].includes(status))
-      return c.json({ error: "invalid status" }, 422);
-    const updated = updateIssueStatus(db, c.req.param("id"), status);
-    if (!updated)
-      return c.json({ error: "not found" }, 404);
-    return c.json(updated);
-  });
-  return app;
+function listBrowserIngestTokens(db, projectId) {
+  return db.prepare(`
+    SELECT id, project_id, token_prefix, name, allowed_origins, enabled, created_at, last_used_at
+    FROM browser_ingest_tokens
+    WHERE project_id = ?
+    ORDER BY created_at DESC
+  `).all(projectId);
 }
-
-// src/server/routes/jobs.ts
-function jobsRoutes(db) {
-  const app = new Hono2;
-  app.post("/", async (c) => {
-    const body = await c.req.json();
-    if (!body.project_id || !body.schedule)
-      return c.json({ error: "project_id and schedule are required" }, 422);
-    return c.json(createJob(db, body), 201);
-  });
-  app.get("/", (c) => {
-    const { project_id } = c.req.query();
-    return c.json(listJobs(db, project_id || undefined));
-  });
-  app.put("/:id", async (c) => {
-    const body = await c.req.json();
-    const updated = updateJob(db, c.req.param("id"), body);
-    if (!updated)
-      return c.json({ error: "not found" }, 404);
-    return c.json(updated);
-  });
-  app.delete("/:id", (c) => {
-    deleteJob(db, c.req.param("id"));
-    return c.json({ deleted: true });
-  });
-  return app;
+function revokeBrowserIngestToken(db, projectId, tokenId) {
+  const result = db.prepare("UPDATE browser_ingest_tokens SET enabled = 0 WHERE id = ? AND project_id = ? AND enabled = 1").run(tokenId, projectId);
+  return result.changes > 0;
+}
+function validateBrowserIngestToken(db, token, origin) {
+  if (!token || !token.startsWith("olb_"))
+    return null;
+  const row = db.prepare(`
+    SELECT id, project_id, token_prefix, allowed_origins
+    FROM browser_ingest_tokens
+    WHERE token_hash = ? AND enabled = 1
+  `).get(hashBrowserToken(token));
+  if (!row)
+    return null;
+  const allowedOrigins = parseAllowedOrigins(row.allowed_origins);
+  if (allowedOrigins.length > 0) {
+    if (!origin)
+      return null;
+    const normalizedOrigin = normalizeOrigin(origin);
+    if (!normalizedOrigin || !allowedOrigins.includes(normalizedOrigin))
+      return null;
+  }
+  return {
+    id: row.id,
+    project_id: row.project_id,
+    token_prefix: row.token_prefix,
+    allowed_origins: allowedOrigins
+  };
+}
+function touchBrowserIngestToken(db, tokenId) {
+  db.prepare("UPDATE browser_ingest_tokens SET last_used_at = strftime('%Y-%m-%dT%H:%M:%fZ','now') WHERE id = ?").run(tokenId);
+}
+function normalizeAllowedOrigins(origins) {
+  const normalized = new Set;
+  for (const origin of origins) {
+    const value = normalizeOrigin(origin);
+    if (value)
+      normalized.add(value);
+  }
+  return [...normalized];
+}
+function parseAllowedOrigins(value) {
+  if (!value)
+    return [];
+  try {
+    const parsed = JSON.parse(value);
+    return Array.isArray(parsed) ? normalizeAllowedOrigins(parsed.filter((item) => typeof item === "string")) : [];
+  } catch {
+    return [];
+  }
+}
+function normalizeOrigin(origin) {
+  try {
+    return new URL(origin).origin;
+  } catch {
+    return null;
+  }
+}
+function hashBrowserToken(token) {
+  return createHash("sha256").update(token).digest("hex");
+}
+
+// src/server/auth.ts
+var TRUE_ENV_VALUES = new Set(["1", "true", "yes", "on"]);
+function getConfiguredApiToken() {
+  const token = process.env.HASNA_LOGS_API_TOKEN?.trim() || process.env.LOGS_API_TOKEN?.trim();
+  return token || null;
+}
+function isApiRequestAuthorized(c) {
+  const token = getConfiguredApiToken();
+  if (!token)
+    return isLocalOpenModeEnabled() && isTrustedLocalRequest(c);
+  const authorization = c.req.header("authorization") ?? "";
+  const bearer = /^Bearer\s+(.+)$/i.exec(authorization)?.[1];
+  const headerToken = c.req.header("x-logs-token");
+  return bearer === token || headerToken === token;
+}
+function apiUnauthorizedResponse(c) {
+  return c.json({
+    error: "Unauthorized. Configure HASNA_LOGS_API_TOKEN/LOGS_API_TOKEN or explicitly enable trusted local mode with --local-open."
+  }, 401);
+}
+function requireApiTokenOrBrowserIngest(db) {
+  return async (c, next) => {
+    if (isApiRequestAuthorized(c)) {
+      await next();
+      return;
+    }
+    if (isBrowserWriteRequest(c) && getBrowserIngestAuthorization(db, c)) {
+      await next();
+      return;
+    }
+    return apiUnauthorizedResponse(c);
+  };
+}
+function authorizeLogIngest(db, c) {
+  const token = getConfiguredApiToken();
+  if (!token) {
+    const browserToken2 = getBrowserIngestAuthorization(db, c);
+    if (browserToken2)
+      return { kind: "browser-token", token: browserToken2 };
+    return isLocalOpenModeEnabled() && isTrustedLocalRequest(c) ? { kind: "trusted-local" } : null;
+  }
+  if (isApiRequestAuthorized(c))
+    return { kind: "api-token" };
+  const browserToken = getBrowserIngestAuthorization(db, c);
+  return browserToken ? { kind: "browser-token", token: browserToken } : null;
+}
+function getBrowserIngestAuthorization(db, c) {
+  const token = c.req.header("x-logs-browser-token") ?? c.req.header("x-logs-write-token");
+  return validateBrowserIngestToken(db, token, c.req.header("origin"));
+}
+function isBrowserWriteRequest(c) {
+  if (c.req.method.toUpperCase() !== "POST")
+    return false;
+  const path = new URL(c.req.url).pathname.replace(/\/+$/, "");
+  return path === "/api/logs" || path === "/api/events";
+}
+function isLocalOpenModeEnabled() {
+  return ["HASNA_LOGS_LOCAL_OPEN", "LOGS_LOCAL_OPEN"].some((name) => TRUE_ENV_VALUES.has(process.env[name]?.trim().toLowerCase() ?? ""));
+}
+function isTrustedLocalRequest(c) {
+  const url = new URL(c.req.url);
+  const host = forwardedHost(c.req.header("x-forwarded-host")) ?? hostWithoutPort(c.req.header("host")) ?? url.hostname;
+  return isLocalHost(host) && isLocalOrigin(c.req.header("origin"));
+}
+function forwardedHost(value) {
+  const first = value?.split(",")[0]?.trim();
+  return first ? hostWithoutPort(first) : null;
+}
+function hostWithoutPort(value) {
+  if (!value)
+    return null;
+  if (value.startsWith("["))
+    return value.slice(1, value.indexOf("]"));
+  return value.split(":")[0] || null;
+}
+function isLocalOrigin(origin) {
+  if (!origin)
+    return true;
+  try {
+    return isLocalHost(new URL(origin).hostname);
+  } catch {
+    return false;
+  }
+}
+function isLocalHost(host) {
+  return host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "[::1]";
+}
+
+// src/server/cors.ts
+function resolveCorsOrigin(origin) {
+  if (!origin)
+    return "";
+  const configured = readCorsOrigins();
+  if (configured.includes("*"))
+    return origin;
+  if (configured.includes(origin))
+    return origin;
+  if (isLocalOrigin2(origin))
+    return origin;
+  return "";
+}
+function readCorsOrigins() {
+  const value = process.env.HASNA_LOGS_CORS_ORIGINS ?? process.env.LOGS_CORS_ORIGINS ?? "";
+  return value.split(",").map((origin) => origin.trim()).filter(Boolean);
+}
+function isLocalOrigin2(origin) {
+  try {
+    const parsed = new URL(origin);
+    return ["localhost", "127.0.0.1", "::1"].includes(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+
+// src/server/request.ts
+async function readJsonObject(c, opts = {}) {
+  const contentType = c.req.header("content-type") ?? "";
+  if (!contentType.toLowerCase().includes("application/json")) {
+    return {
+      ok: false,
+      status: 415,
+      message: "Content-Type must be application/json"
+    };
+  }
+  const maxPayloadBytes = opts.maxPayloadBytes ?? readPositiveInt("HASNA_LOGS_MAX_PAYLOAD_BYTES", 1048576);
+  const contentLength = Number(c.req.header("content-length") ?? "0");
+  if (Number.isFinite(contentLength) && contentLength > maxPayloadBytes) {
+    return {
+      ok: false,
+      status: 413,
+      message: `Payload exceeds ${maxPayloadBytes} bytes`
+    };
+  }
+  let raw2 = "";
+  try {
+    raw2 = await c.req.text();
+  } catch {
+    return { ok: false, status: 400, message: "Unable to read request body" };
+  }
+  if (Buffer.byteLength(raw2, "utf8") > maxPayloadBytes) {
+    return {
+      ok: false,
+      status: 413,
+      message: `Payload exceeds ${maxPayloadBytes} bytes`
+    };
+  }
+  let body;
+  try {
+    body = JSON.parse(raw2);
+  } catch {
+    return { ok: false, status: 400, message: "Invalid JSON body" };
+  }
+  if (!body || typeof body !== "object" || Array.isArray(body)) {
+    return { ok: false, status: 422, message: "body must be an object" };
+  }
+  const objectBody = body;
+  if (opts.allowedKeys) {
+    const allowed = new Set(opts.allowedKeys);
+    for (const key of Object.keys(objectBody)) {
+      if (!allowed.has(key)) {
+        return {
+          ok: false,
+          status: 422,
+          message: `body.${key} is not a supported field`
+        };
+      }
+    }
+  }
+  return { ok: true, value: objectBody };
+}
+function requiredString(body, key) {
+  const value = body[key];
+  if (typeof value !== "string" || value.length === 0) {
+    return {
+      ok: false,
+      status: 422,
+      message: `body.${key} must be a non-empty string`
+    };
+  }
+  return { ok: true, value };
+}
+function optionalString(body, key) {
+  const value = body[key];
+  if (value === undefined)
+    return { ok: true, value: undefined };
+  if (typeof value !== "string") {
+    return { ok: false, status: 422, message: `body.${key} must be a string` };
+  }
+  return { ok: true, value };
+}
+function optionalStringArray(body, key, opts = {}) {
+  const value = body[key];
+  if (value === undefined)
+    return { ok: true, value: undefined };
+  if (!Array.isArray(value)) {
+    return {
+      ok: false,
+      status: 422,
+      message: `body.${key} must be an array of strings`
+    };
+  }
+  if (opts.maxItems !== undefined && value.length > opts.maxItems) {
+    return {
+      ok: false,
+      status: 422,
+      message: `body.${key} must have at most ${opts.maxItems} item(s)`
+    };
+  }
+  const strings = [];
+  for (const item of value) {
+    if (typeof item !== "string" || item.length === 0) {
+      return {
+        ok: false,
+        status: 422,
+        message: `body.${key} must be an array of non-empty strings`
+      };
+    }
+    strings.push(item);
+  }
+  return { ok: true, value: strings };
+}
+function optionalNumber(body, key, opts = {}) {
+  const value = body[key];
+  if (value === undefined)
+    return { ok: true, value: undefined };
+  if (typeof value !== "number" || !Number.isFinite(value)) {
+    return { ok: false, status: 422, message: `body.${key} must be a number` };
+  }
+  if (opts.integer && !Number.isInteger(value)) {
+    return {
+      ok: false,
+      status: 422,
+      message: `body.${key} must be an integer`
+    };
+  }
+  if (opts.min !== undefined && value < opts.min) {
+    return {
+      ok: false,
+      status: 422,
+      message: `body.${key} must be >= ${opts.min}`
+    };
+  }
+  if (opts.max !== undefined && value > opts.max) {
+    return {
+      ok: false,
+      status: 422,
+      message: `body.${key} must be <= ${opts.max}`
+    };
+  }
+  return { ok: true, value };
+}
+function optionalEnum(body, key, values) {
+  const value = body[key];
+  if (value === undefined)
+    return { ok: true, value: undefined };
+  if (typeof value !== "string" || !values.includes(value)) {
+    return {
+      ok: false,
+      status: 422,
+      message: `body.${key} must be one of ${values.join(", ")}`
+    };
+  }
+  return { ok: true, value };
+}
+function requiredEnum(body, key, values) {
+  const value = body[key];
+  if (typeof value !== "string" || !values.includes(value)) {
+    return {
+      ok: false,
+      status: 422,
+      message: `body.${key} must be one of ${values.join(", ")}`
+    };
+  }
+  return { ok: true, value };
+}
+function readPositiveInt(name, fallback) {
+  const parsed = Number.parseInt(process.env[name] ?? "", 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback;
+}
+
+// src/server/routes/alerts.ts
+var ALERT_CREATE_KEYS = [
+  "project_id",
+  "name",
+  "service",
+  "level",
+  "threshold_count",
+  "window_seconds",
+  "action",
+  "webhook_url"
+];
+var ALERT_UPDATE_KEYS = [
+  "enabled",
+  "threshold_count",
+  "window_seconds",
+  "webhook_url"
+];
+var LOG_LEVELS = ["debug", "info", "warn", "error", "fatal"];
+var ALERT_ACTIONS = ["webhook", "log"];
+function alertsRoutes(db) {
+  const app = new Hono2;
+  app.post("/", async (c) => {
+    const parsed = await readJsonObject(c, { allowedKeys: ALERT_CREATE_KEYS });
+    if (!parsed.ok)
+      return c.json({ error: parsed.message }, parsed.status);
+    const alertInput = validateAlertCreate(parsed.value);
+    if (!alertInput.ok)
+      return c.json({ error: alertInput.message }, alertInput.status);
+    const body = alertInput.value;
+    return c.json(createAlertRule(db, body), 201);
+  });
+  app.get("/", (c) => {
+    const { project_id } = c.req.query();
+    return c.json(listAlertRules(db, project_id || undefined));
+  });
+  app.put("/:id", async (c) => {
+    const parsed = await readJsonObject(c, { allowedKeys: ALERT_UPDATE_KEYS });
+    if (!parsed.ok)
+      return c.json({ error: parsed.message }, parsed.status);
+    const alertInput = validateAlertUpdate(parsed.value);
+    if (!alertInput.ok)
+      return c.json({ error: alertInput.message }, alertInput.status);
+    const body = alertInput.value;
+    const updated = updateAlertRule(db, c.req.param("id"), body);
+    if (!updated)
+      return c.json({ error: "not found" }, 404);
+    return c.json(updated);
+  });
+  app.delete("/:id", (c) => {
+    deleteAlertRule(db, c.req.param("id"));
+    return c.json({ deleted: true });
+  });
+  return app;
+}
+function validateAlertCreate(body) {
+  const project_id = requiredString(body, "project_id");
+  if (!project_id.ok)
+    return project_id;
+  const name = requiredString(body, "name");
+  if (!name.ok)
+    return name;
+  const service = optionalString(body, "service");
+  if (!service.ok)
+    return service;
+  const level = optionalEnum(body, "level", LOG_LEVELS);
+  if (!level.ok)
+    return level;
+  const threshold_count = optionalNumber(body, "threshold_count", {
+    integer: true,
+    min: 1
+  });
+  if (!threshold_count.ok)
+    return threshold_count;
+  const window_seconds = optionalNumber(body, "window_seconds", {
+    integer: true,
+    min: 1
+  });
+  if (!window_seconds.ok)
+    return window_seconds;
+  const action = optionalEnum(body, "action", ALERT_ACTIONS);
+  if (!action.ok)
+    return action;
+  const webhook_url = optionalString(body, "webhook_url");
+  if (!webhook_url.ok)
+    return webhook_url;
+  if (webhook_url.value !== undefined && !isUrl(webhook_url.value)) {
+    return {
+      ok: false,
+      status: 422,
+      message: "body.webhook_url must be a valid URL"
+    };
+  }
+  return {
+    ok: true,
+    value: {
+      project_id: project_id.value,
+      name: name.value,
+      service: service.value,
+      level: level.value,
+      threshold_count: threshold_count.value,
+      window_seconds: window_seconds.value,
+      action: action.value,
+      webhook_url: webhook_url.value
+    }
+  };
+}
+function validateAlertUpdate(body) {
+  const enabled = optionalNumber(body, "enabled", {
+    integer: true,
+    min: 0,
+    max: 1
+  });
+  if (!enabled.ok)
+    return enabled;
+  const threshold_count = optionalNumber(body, "threshold_count", {
+    integer: true,
+    min: 1
+  });
+  if (!threshold_count.ok)
+    return threshold_count;
+  const window_seconds = optionalNumber(body, "window_seconds", {
+    integer: true,
+    min: 1
+  });
+  if (!window_seconds.ok)
+    return window_seconds;
+  const webhook_url = optionalString(body, "webhook_url");
+  if (!webhook_url.ok)
+    return webhook_url;
+  if (webhook_url.value !== undefined && webhook_url.value !== "" && !isUrl(webhook_url.value)) {
+    return {
+      ok: false,
+      status: 422,
+      message: "body.webhook_url must be a valid URL"
+    };
+  }
+  return {
+    ok: true,
+    value: {
+      enabled: enabled.value,
+      threshold_count: threshold_count.value,
+      window_seconds: window_seconds.value,
+      webhook_url: webhook_url.value
+    }
+  };
+}
+function isUrl(value) {
+  try {
+    new URL(value);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/server/routes/events.ts
+import { createHash as createHash2 } from "crypto";
+
+// node_modules/hono/dist/utils/stream.js
+var StreamingApi = class {
+  writer;
+  encoder;
+  writable;
+  abortSubscribers = [];
+  responseReadable;
+  aborted = false;
+  closed = false;
+  constructor(writable, _readable) {
+    this.writable = writable;
+    this.writer = writable.getWriter();
+    this.encoder = new TextEncoder;
+    const reader = _readable.getReader();
+    this.abortSubscribers.push(async () => {
+      await reader.cancel();
+    });
+    this.responseReadable = new ReadableStream({
+      async pull(controller) {
+        const { done, value } = await reader.read();
+        done ? controller.close() : controller.enqueue(value);
+      },
+      cancel: () => {
+        if (!this.closed) {
+          this.abort();
+        }
+      }
+    });
+  }
+  async write(input) {
+    try {
+      if (typeof input === "string") {
+        input = this.encoder.encode(input);
+      }
+      await this.writer.write(input);
+    } catch {}
+    return this;
+  }
+  async writeln(input) {
+    await this.write(input + `
+`);
+    return this;
+  }
+  sleep(ms) {
+    return new Promise((res) => setTimeout(res, ms));
+  }
+  async close() {
+    this.closed = true;
+    try {
+      await this.writer.close();
+    } catch {}
+  }
+  async pipe(body) {
+    this.writer.releaseLock();
+    await body.pipeTo(this.writable, { preventClose: true });
+    this.writer = this.writable.getWriter();
+  }
+  onAbort(listener) {
+    this.abortSubscribers.push(listener);
+  }
+  abort() {
+    if (!this.aborted) {
+      this.aborted = true;
+      this.abortSubscribers.forEach((subscriber) => subscriber());
+    }
+  }
+};
+
+// node_modules/hono/dist/helper/streaming/utils.js
+var isOldBunVersion = () => {
+  const version = typeof Bun !== "undefined" ? Bun.version : undefined;
+  if (version === undefined) {
+    return false;
+  }
+  const result = version.startsWith("1.1") || version.startsWith("1.0") || version.startsWith("0.");
+  isOldBunVersion = () => result;
+  return result;
+};
+
+// node_modules/hono/dist/helper/streaming/sse.js
+var SSEStreamingApi = class extends StreamingApi {
+  constructor(writable, readable) {
+    super(writable, readable);
+  }
+  async writeSSE(message) {
+    const data = await resolveCallback(message.data, HtmlEscapedCallbackPhase.Stringify, false, {});
+    const dataLines = data.split(/\r\n|\r|\n/).map((line) => {
+      return `data: ${line}`;
+    }).join(`
+`);
+    for (const key of ["event", "id", "retry"]) {
+      if (message[key] && /[\r\n]/.test(message[key])) {
+        throw new Error(`${key} must not contain "\\r" or "\\n"`);
+      }
+    }
+    const sseData = [
+      message.event && `event: ${message.event}`,
+      dataLines,
+      message.id && `id: ${message.id}`,
+      message.retry && `retry: ${message.retry}`
+    ].filter(Boolean).join(`
+`) + `
+
+`;
+    await this.write(sseData);
+  }
+};
+var run = async (stream, cb, onError) => {
+  try {
+    await cb(stream);
+  } catch (e) {
+    if (e instanceof Error && onError) {
+      await onError(e, stream);
+      await stream.writeSSE({
+        event: "error",
+        data: e.message
+      });
+    } else {
+      console.error(e);
+    }
+  } finally {
+    stream.close();
+  }
+};
+var contextStash = /* @__PURE__ */ new WeakMap;
+var streamSSE = (c, cb, onError) => {
+  const { readable, writable } = new TransformStream;
+  const stream = new SSEStreamingApi(writable, readable);
+  if (isOldBunVersion()) {
+    c.req.raw.signal.addEventListener("abort", () => {
+      if (!stream.closed) {
+        stream.abort();
+      }
+    });
+  }
+  contextStash.set(stream.responseReadable, c);
+  c.header("Transfer-Encoding", "chunked");
+  c.header("Content-Type", "text/event-stream");
+  c.header("Cache-Control", "no-cache");
+  c.header("Connection", "keep-alive");
+  run(stream, cb, onError);
+  return c.newResponse(stream.responseReadable);
+};
+
+// src/server/routes/events.ts
+function eventsRoutes(db) {
+  const app = new Hono2;
+  app.post("/", async (c) => {
+    const parsed = await readEventIngestBody(db, c);
+    if (!parsed.ok)
+      return c.json({ error: parsed.message }, parsed.status);
+    try {
+      if (!parsed.batch && parsed.events.length === 1) {
+        const [event] = parsed.events;
+        if (!event)
+          return c.json({ error: "body must contain at least one event" }, 422);
+        const result = ingestUniversalEvent(db, event);
+        if (parsed.authorization.kind === "browser-token")
+          touchBrowserIngestToken(db, parsed.authorization.token.id);
+        return c.json(result.event, result.inserted ? 201 : 200);
+      }
+      const results = parsed.events.map((event) => ingestUniversalEvent(db, event));
+      if (parsed.authorization.kind === "browser-token")
+        touchBrowserIngestToken(db, parsed.authorization.token.id);
+      return c.json({
+        inserted: results.filter((result) => result.inserted).length,
+        events: results.map((result) => result.event)
+      }, 201);
+    } catch (error) {
+      return c.json({ error: error instanceof Error ? error.message : String(error) }, 422);
+    }
+  });
+  app.get("/", (c) => {
+    return c.json(searchEvents(db, queryFromRequest(c.req.query())));
+  });
+  app.get("/export", (c) => {
+    const query = queryFromRequest(c.req.query());
+    const chunks = [];
+    exportEventsToJson(db, query, (line) => chunks.push(line));
+    c.header("Content-Type", "application/json");
+    c.header("Content-Disposition", "attachment; filename=events.json");
+    return c.text(chunks.join(`
+`));
+  });
+  app.get("/stream", (c) => {
+    const query = c.req.query();
+    const filter = streamFilterFromRequest(query);
+    const includeRaw = query.include_raw === "true";
+    const eventNameMode = query.event_name === "event" ? "event" : "type";
+    const requestedLastId = c.req.header("last-event-id") || query.last_event_id || null;
+    const debugOptions = streamDebugOptionsFromRequest(query);
+    return streamSSE(c, async (stream2) => {
+      const writer = debugOptions.writeDelayMs > 0 ? delayedSseWriter(stream2, debugOptions.writeDelayMs) : stream2;
+      const seen = new Set;
+      let lastId = requestedLastId;
+      let rowidCursor = null;
+      if (lastId) {
+        const anchor = eventCursorById(db, lastId);
+        if (!anchor) {
+          const requestedLastId2 = lastId;
+          const latest = latestEventCursor(db, filter);
+          lastId = latest?.event_id ?? null;
+          rowidCursor = latest?.rowid ?? 0;
+          await writeEventOverflow(writer, {
+            reason: "last_event_id_unknown",
+            dropped: 0,
+            last_event_id: lastId,
+            requested_last_event_id: requestedLastId2
+          });
+        } else {
+          if (!hasBufferedEventCatalogEvent(lastId)) {
+            await writeEventOverflow(writer, {
+              reason: "buffer_miss_sqlite_catchup",
+              dropped: 0,
+              last_event_id: lastId
+            });
+          }
+          const catchup = await writeCatchupEventsAfterRowid(db, writer, filter, anchor.rowid, seen, includeRaw, eventNameMode);
+          rowidCursor = catchup.last_rowid;
+          if (catchup.last_id) {
+            lastId = catchup.last_id;
+          }
+        }
+      } else {
+        const latest = latestEventCursor(db, filter);
+        lastId = latest?.event_id ?? null;
+        rowidCursor = latest?.rowid ?? 0;
+      }
+      const subscription = subscribeEventCatalogEvents(filter, debugOptions.subscriberQueue ? { maxQueue: debugOptions.subscriberQueue } : undefined);
+      let pendingBusEvent = subscription.next();
+      try {
+        while (true) {
+          const next = await Promise.race([
+            pendingBusEvent.then((result) => ({
+              kind: "bus",
+              result
+            })),
+            sleep(500).then(() => ({ kind: "tick" }))
+          ]);
+          if (next.kind === "tick") {
+            const catchup2 = await writeCatchupEventsAfterRowid(db, writer, filter, rowidCursor ?? 0, seen, includeRaw, eventNameMode);
+            rowidCursor = catchup2.last_rowid;
+            if (catchup2.last_id)
+              lastId = catchup2.last_id;
+            continue;
+          }
+          if (next.result.done)
+            break;
+          const event = next.result.value;
+          pendingBusEvent = subscription.next();
+          if (event.kind === "overflow") {
+            await writeEventOverflow(writer, event);
+            const catchup2 = await writeCatchupEventsAfterRowid(db, writer, filter, rowidCursor ?? 0, seen, includeRaw, eventNameMode);
+            rowidCursor = catchup2.last_rowid;
+            if (catchup2.last_id)
+              lastId = catchup2.last_id;
+            continue;
+          }
+          const catchup = await writeCatchupEventsAfterRowid(db, writer, filter, rowidCursor ?? 0, seen, includeRaw, eventNameMode);
+          rowidCursor = catchup.last_rowid;
+          if (catchup.last_id)
+            lastId = catchup.last_id;
+          if (seen.has(event.id))
+            continue;
+          await writeEventCatalogEntryById(db, writer, event.id, includeRaw, event.entry, eventNameMode);
+          seen.add(event.id);
+          lastId = event.id;
+          const cursor = eventCursorById(db, event.id);
+          if (cursor)
+            rowidCursor = Math.max(rowidCursor ?? 0, cursor.rowid);
+          trimSeen(seen);
+        }
+      } finally {
+        await subscription.return?.();
+      }
+    });
+  });
+  app.get("/:event_id", (c) => {
+    const includeRaw = c.req.query("include_raw") !== "false";
+    const event = getEvent(db, c.req.param("event_id"), includeRaw);
+    if (!event)
+      return c.json({ error: "Event not found" }, 404);
+    return c.json(event);
+  });
+  return app;
+}
+async function readEventIngestBody(db, c) {
+  const authorization = authorizeLogIngest(db, c);
+  if (!authorization) {
+    return { ok: false, status: 401, message: "Unauthorized" };
+  }
+  const request = c.req.raw;
+  const contentType = c.req.header("content-type") ?? "";
+  if (!contentType.toLowerCase().includes("application/json")) {
+    return {
+      ok: false,
+      status: 415,
+      message: "Content-Type must be application/json"
+    };
+  }
+  const maxPayloadBytes = readPositiveInt("HASNA_LOGS_MAX_PAYLOAD_BYTES", 1048576);
+  const contentLength = Number(c.req.header("content-length") ?? "0");
+  if (Number.isFinite(contentLength) && contentLength > maxPayloadBytes) {
+    return {
+      ok: false,
+      status: 413,
+      message: `Payload exceeds ${maxPayloadBytes} bytes`
+    };
+  }
+  let raw2 = "";
+  try {
+    raw2 = await request.text();
+  } catch {
+    return { ok: false, status: 400, message: "Unable to read request body" };
+  }
+  if (Buffer.byteLength(raw2, "utf8") > maxPayloadBytes) {
+    return {
+      ok: false,
+      status: 413,
+      message: `Payload exceeds ${maxPayloadBytes} bytes`
+    };
+  }
+  let body;
+  try {
+    body = JSON.parse(raw2);
+  } catch {
+    return { ok: false, status: 400, message: "Invalid JSON body" };
+  }
+  const maxBatchSize = readPositiveInt("HASNA_LOGS_MAX_EVENT_BATCH_SIZE", readPositiveInt("HASNA_LOGS_MAX_BATCH_SIZE", 1000));
+  const batch = Array.isArray(body) || Boolean(body && typeof body === "object" && !Array.isArray(body) && Array.isArray(body.events));
+  const rawEvents = Array.isArray(body) ? body : eventArrayFromObject(body);
+  if (rawEvents.length > maxBatchSize) {
+    return {
+      ok: false,
+      status: 413,
+      message: `Batch exceeds ${maxBatchSize} events`
+    };
+  }
+  if (rawEvents.length === 0) {
+    return {
+      ok: false,
+      status: 422,
+      message: "body must contain at least one event"
+    };
+  }
+  try {
+    const events = rawEvents.map((event, index) => {
+      const validated = validateUniversalEventInput(event, `event[${index}]`);
+      return applyEventIngestAuthorization(validated, authorization, `event[${index}]`);
+    });
+    return { ok: true, events, batch, authorization };
+  } catch (error) {
+    return {
+      ok: false,
+      status: 422,
+      message: error instanceof Error ? error.message : String(error)
+    };
+  }
+}
+var BROWSER_EVENT_TYPES = new Set([
+  "log",
+  "exception",
+  "span",
+  "metric",
+  "network",
+  "replay",
+  "session"
+]);
+var BROWSER_FORBIDDEN_IDENTITY_FIELDS = [
+  "project_id",
+  "page_id",
+  "machine_id",
+  "repo_id",
+  "process_id",
+  "run_id",
+  "artifact_id"
+];
+var BROWSER_FORBIDDEN_IDENTITY_FIELD_SET = new Set(BROWSER_FORBIDDEN_IDENTITY_FIELDS);
+function applyEventIngestAuthorization(event, authorization, path) {
+  if (authorization.kind !== "browser-token")
+    return event;
+  if (!BROWSER_EVENT_TYPES.has(event.type)) {
+    throw new Error(`${path}.type cannot be ${event.type} when using a browser ingest token`);
+  }
+  if (event.source !== undefined && event.source !== "script" && event.source !== "browser") {
+    throw new Error(`${path}.source must be script or browser when using a browser ingest token`);
+  }
+  for (const field of BROWSER_FORBIDDEN_IDENTITY_FIELDS) {
+    if (event[field] !== undefined && event[field] !== null) {
+      throw new Error(`${path}.${field} cannot be set when using a browser ingest token`);
+    }
+  }
+  rejectBrowserScopedIdentity(event.attributes, `${path}.attributes`);
+  rejectBrowserScopedIdentity(event.metadata, `${path}.metadata`);
+  const browserMetadata = {
+    browser_token_id: authorization.token.id,
+    browser_token_prefix: authorization.token.token_prefix,
+    ingest_scope: "browser"
+  };
+  const producerId = event.event_id ?? event.id ?? event.source_event_id ?? undefined;
+  const source = event.source ?? "browser";
+  return {
+    ...event,
+    event_id: producerId ? browserScopedEventId(authorization.token.project_id, source, producerId) : undefined,
+    source_event_id: event.source_event_id ?? event.event_id ?? event.id ?? undefined,
+    project_id: authorization.token.project_id,
+    source,
+    attributes: {
+      ...event.attributes ?? {},
+      ...browserMetadata,
+      project_id: authorization.token.project_id
+    },
+    metadata: {
+      ...event.metadata ?? {},
+      ...browserMetadata
+    }
+  };
+}
+function browserScopedEventId(projectId, source, producerId) {
+  const digest = createHash2("sha256").update(projectId).update("\x00").update(source).update("\x00").update(producerId).digest("hex").slice(0, 32);
+  return `evt_browser_${digest}`;
+}
+function rejectBrowserScopedIdentity(value, path) {
+  if (!value)
+    return;
+  for (const key of Object.keys(value)) {
+    if (BROWSER_FORBIDDEN_IDENTITY_FIELD_SET.has(key) && value[key] !== undefined && value[key] !== null) {
+      throw new Error(`${path}.${key} cannot be set when using a browser ingest token`);
+    }
+  }
+}
+async function writeCatchupEventsAfterRowid(db, stream2, filter, afterRowid, seen, includeRaw, eventNameMode) {
+  let cursor = afterRowid;
+  let lastWritten = null;
+  let total = 0;
+  while (total < 1000) {
+    const rows = queryEventsAfterRowid(db, filter, cursor, 100);
+    if (rows.length === 0)
+      break;
+    for (const row of rows) {
+      cursor = row.rowid;
+      if (seen.has(row.event_id))
+        continue;
+      const written = await writeEventCatalogEntryById(db, stream2, row.event_id, includeRaw, undefined, eventNameMode);
+      if (!written)
+        continue;
+      seen.add(row.event_id);
+      lastWritten = row.event_id;
+      total += 1;
+      trimSeen(seen);
+    }
+    if (rows.length < 100)
+      break;
+  }
+  if (total >= 1000) {
+    await writeEventOverflow(stream2, {
+      reason: "sqlite_catchup_truncated",
+      dropped: 0,
+      last_event_id: lastWritten
+    });
+  }
+  return { last_id: lastWritten, last_rowid: cursor };
+}
+function latestEventCursor(db, filter) {
+  const { where, params } = buildEventRecordWhere(filter, null);
+  const row = db.prepare(`SELECT rowid, event_id FROM event_records ${where} ORDER BY rowid DESC LIMIT 1`).get(...params);
+  return row ?? null;
+}
+function eventCursorById(db, eventId) {
+  const row = db.prepare("SELECT rowid, event_id FROM event_records WHERE event_id = ?").get(eventId);
+  return row ?? null;
+}
+function queryEventsAfterRowid(db, filter, rowid, limit) {
+  const { where, params } = buildEventRecordWhere(filter, rowid);
+  return db.prepare(`SELECT rowid, event_id FROM event_records ${where} ORDER BY rowid ASC LIMIT ?`).all(...params, limit);
+}
+function buildEventRecordWhere(filter, afterRowid) {
+  const conditions = [];
+  const params = [];
+  if (afterRowid !== null) {
+    conditions.push("rowid > ?");
+    params.push(afterRowid);
+  }
+  addListCondition(conditions, params, "event_type", filter.event_type);
+  addListCondition(conditions, params, "source", filter.source);
+  addListCondition(conditions, params, "severity", filter.severity);
+  addScalarCondition(conditions, params, "project_id", filter.project_id);
+  addScalarCondition(conditions, params, "page_id", filter.page_id);
+  addScalarCondition(conditions, params, "machine_id", filter.machine_id);
+  addScalarCondition(conditions, params, "repo_id", filter.repo_id);
+  addScalarCondition(conditions, params, "app_id", filter.app_id);
+  addScalarCondition(conditions, params, "process_id", filter.process_id);
+  addScalarCondition(conditions, params, "run_id", filter.run_id);
+  addScalarCondition(conditions, params, "trace_id", filter.trace_id);
+  addScalarCondition(conditions, params, "span_id", filter.span_id);
+  addScalarCondition(conditions, params, "session_id", filter.session_id);
+  addScalarCondition(conditions, params, "release_id", filter.release_id);
+  addScalarCondition(conditions, params, "environment", filter.environment);
+  return {
+    where: conditions.length ? `WHERE ${conditions.join(" AND ")}` : "",
+    params
+  };
+}
+function streamFilterFromRequest(query) {
+  return {
+    event_type: splitCsv(query.type || query.event_type),
+    source: splitCsv(query.source),
+    severity: splitCsv(query.severity || query.level),
+    project_id: query.project_id || undefined,
+    page_id: query.page_id || undefined,
+    machine_id: query.machine_id || undefined,
+    repo_id: query.repo_id || undefined,
+    app_id: query.app_id || undefined,
+    process_id: query.process_id || undefined,
+    run_id: query.run_id || undefined,
+    trace_id: query.trace_id || undefined,
+    span_id: query.span_id || undefined,
+    session_id: query.session_id || undefined,
+    release_id: query.release_id || undefined,
+    environment: query.environment || undefined
+  };
+}
+function splitCsv(value) {
+  const values = value?.split(",").map((item) => item.trim()).filter(Boolean) ?? [];
+  return values.length > 0 ? values : undefined;
+}
+function streamDebugOptionsFromRequest(query) {
+  if (process.env.HASNA_LOGS_STREAM_TEST_HOOKS !== "1") {
+    return { writeDelayMs: 0 };
+  }
+  return {
+    subscriberQueue: boundedIntQuery(query.debug_subscriber_queue, {
+      min: 1,
+      max: 1e4
+    }),
+    writeDelayMs: boundedIntQuery(query.debug_write_delay_ms, { min: 0, max: 5000 }) ?? 0
+  };
+}
+function boundedIntQuery(value, bounds) {
+  if (value === undefined || value.length === 0)
+    return;
+  const parsed = Number.parseInt(value, 10);
+  if (!Number.isFinite(parsed) || parsed < bounds.min)
+    return;
+  return Math.min(parsed, bounds.max);
+}
+function delayedSseWriter(stream2, delayMs) {
+  return {
+    async writeSSE(message) {
+      await sleep(delayMs);
+      await stream2.writeSSE(message);
+    }
+  };
+}
+function addScalarCondition(conditions, params, column, value) {
+  if (!value)
+    return;
+  conditions.push(`${column} = ?`);
+  params.push(value);
+}
+function addListCondition(conditions, params, column, values) {
+  if (!values || values.length === 0)
+    return;
+  conditions.push(`${column} IN (${values.map(() => "?").join(",")})`);
+  params.push(...values);
+}
+async function writeEventCatalogEntry(stream2, entry, eventNameMode) {
+  await stream2.writeSSE({
+    data: JSON.stringify(entry),
+    id: entry.event_id,
+    event: eventNameMode === "event" ? "event" : entry.event_type
+  });
+}
+async function writeEventCatalogEntryById(db, stream2, eventId, includeRaw, fallback, eventNameMode = "type") {
+  try {
+    const entry = includeRaw ? getEvent(db, eventId, true) : fallback ?? getEvent(db, eventId, false);
+    if (!entry)
+      return false;
+    await writeEventCatalogEntry(stream2, entry, eventNameMode);
+    return true;
+  } catch (error) {
+    await writeEventOverflow(stream2, {
+      reason: "raw_event_unreadable",
+      dropped: 0,
+      last_event_id: eventId
+    });
+    const entry = fallback ?? getEvent(db, eventId, false);
+    if (!entry)
+      return false;
+    await writeEventCatalogEntry(stream2, entry, eventNameMode);
+    return true;
+  }
+}
+async function writeEventOverflow(stream2, data) {
+  await stream2.writeSSE({
+    event: "overflow",
+    data: JSON.stringify({
+      type: "overflow",
+      reason: data.reason,
+      dropped: data.dropped,
+      last_event_id: "last_event_id" in data ? data.last_event_id : null,
+      requested_last_event_id: "requested_last_event_id" in data ? data.requested_last_event_id : null,
+      created_at: "created_at" in data ? data.created_at : new Date().toISOString()
+    })
+  });
+}
+function trimSeen(seen) {
+  while (seen.size > 2000) {
+    const first = seen.values().next().value;
+    if (!first)
+      return;
+    seen.delete(first);
+  }
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function eventArrayFromObject(body) {
+  if (body && typeof body === "object" && !Array.isArray(body) && Array.isArray(body.events)) {
+    return body.events;
+  }
+  return [body];
+}
+function queryFromRequest(query) {
+  return {
+    event_type: query.type || query.event_type || undefined,
+    source: query.source || undefined,
+    severity: query.severity || query.level || undefined,
+    project_id: query.project_id || undefined,
+    page_id: query.page_id || undefined,
+    machine_id: query.machine_id || undefined,
+    repo_id: query.repo_id || undefined,
+    app_id: query.app_id || undefined,
+    process_id: query.process_id || undefined,
+    run_id: query.run_id || undefined,
+    trace_id: query.trace_id || undefined,
+    span_id: query.span_id || undefined,
+    session_id: query.session_id || undefined,
+    release_id: query.release_id || undefined,
+    environment: query.environment || undefined,
+    since: query.since || undefined,
+    until: query.until || undefined,
+    text: query.text || undefined,
+    limit: query.limit ? Number(query.limit) : 100,
+    offset: query.offset ? Number(query.offset) : 0,
+    include_raw: query.include_raw === "true"
+  };
+}
+
+// src/server/routes/issues.ts
+var ISSUE_UPDATE_KEYS = ["status"];
+var ISSUE_STATUSES = ["open", "resolved", "ignored"];
+function issuesRoutes(db) {
+  const app = new Hono2;
+  app.get("/", (c) => {
+    const { project_id, status, limit } = c.req.query();
+    return c.json(listIssues(db, project_id || undefined, status || undefined, limit ? Number(limit) : 50));
+  });
+  app.get("/:id", (c) => {
+    const issue = getIssue(db, c.req.param("id"));
+    if (!issue)
+      return c.json({ error: "not found" }, 404);
+    return c.json(issue);
+  });
+  app.get("/:id/logs", (c) => {
+    const issue = getIssue(db, c.req.param("id"));
+    if (!issue)
+      return c.json({ error: "not found" }, 404);
+    const rows = searchLogs(db, {
+      project_id: issue.project_id ?? undefined,
+      level: issue.level,
+      service: issue.service ?? undefined,
+      text: issue.message_template.slice(0, 50),
+      limit: 50
+    });
+    return c.json(rows);
+  });
+  app.put("/:id", async (c) => {
+    const parsed = await readJsonObject(c, { allowedKeys: ISSUE_UPDATE_KEYS });
+    if (!parsed.ok)
+      return c.json({ error: parsed.message }, parsed.status);
+    const statusInput = requiredEnum(parsed.value, "status", ISSUE_STATUSES);
+    if (!statusInput.ok)
+      return c.json({ error: statusInput.message }, statusInput.status);
+    const status = statusInput.value;
+    const updated = updateIssueStatus(db, c.req.param("id"), status);
+    if (!updated)
+      return c.json({ error: "not found" }, 404);
+    return c.json(updated);
+  });
+  return app;
+}
+
+// src/server/routes/jobs.ts
+var JOB_CREATE_KEYS = ["project_id", "schedule", "page_id"];
+var JOB_UPDATE_KEYS = ["enabled", "schedule", "last_run_at"];
+function jobsRoutes(db) {
+  const app = new Hono2;
+  app.post("/", async (c) => {
+    const parsed = await readJsonObject(c, { allowedKeys: JOB_CREATE_KEYS });
+    if (!parsed.ok)
+      return c.json({ error: parsed.message }, parsed.status);
+    const jobInput = validateJobCreate(parsed.value);
+    if (!jobInput.ok)
+      return c.json({ error: jobInput.message }, jobInput.status);
+    const body = jobInput.value;
+    return c.json(createJob(db, body), 201);
+  });
+  app.get("/", (c) => {
+    const { project_id } = c.req.query();
+    return c.json(listJobs(db, project_id || undefined));
+  });
+  app.put("/:id", async (c) => {
+    const parsed = await readJsonObject(c, { allowedKeys: JOB_UPDATE_KEYS });
+    if (!parsed.ok)
+      return c.json({ error: parsed.message }, parsed.status);
+    const jobInput = validateJobUpdate(parsed.value);
+    if (!jobInput.ok)
+      return c.json({ error: jobInput.message }, jobInput.status);
+    const body = jobInput.value;
+    const updated = updateJob(db, c.req.param("id"), body);
+    if (!updated)
+      return c.json({ error: "not found" }, 404);
+    return c.json(updated);
+  });
+  app.delete("/:id", (c) => {
+    deleteJob(db, c.req.param("id"));
+    return c.json({ deleted: true });
+  });
+  return app;
+}
+function validateJobCreate(body) {
+  const project_id = requiredString(body, "project_id");
+  if (!project_id.ok)
+    return project_id;
+  const schedule = requiredString(body, "schedule");
+  if (!schedule.ok)
+    return schedule;
+  const page_id = optionalString(body, "page_id");
+  if (!page_id.ok)
+    return page_id;
+  return {
+    ok: true,
+    value: {
+      project_id: project_id.value,
+      schedule: schedule.value,
+      page_id: page_id.value
+    }
+  };
+}
+function validateJobUpdate(body) {
+  const enabled = optionalNumber(body, "enabled", {
+    integer: true,
+    min: 0,
+    max: 1
+  });
+  if (!enabled.ok)
+    return enabled;
+  const schedule = optionalString(body, "schedule");
+  if (!schedule.ok)
+    return schedule;
+  const last_run_at = optionalString(body, "last_run_at");
+  if (!last_run_at.ok)
+    return last_run_at;
+  return {
+    ok: true,
+    value: {
+      enabled: enabled.value,
+      schedule: schedule.value,
+      last_run_at: last_run_at.value
+    }
+  };
 }
 
 // src/server/routes/logs.ts
+var LOG_LEVELS2 = new Set([
+  "debug",
+  "info",
+  "warn",
+  "error",
+  "fatal"
+]);
+var LOG_SOURCES = new Set([
+  "sdk",
+  "script",
+  "scanner",
+  "browser",
+  "node",
+  "bun",
+  "next",
+  "vite",
+  "cli",
+  "build",
+  "test",
+  "mcp",
+  "agent",
+  "otel",
+  "system",
+  "pino",
+  "winston",
+  "structured"
+]);
+var PRIVACY_CLASSES = new Set([
+  "public",
+  "internal",
+  "sensitive",
+  "secret",
+  "pii"
+]);
+var LOG_ENTRY_KEYS = new Set([
+  "id",
+  "timestamp",
+  "source_event_id",
+  "project_id",
+  "page_id",
+  "level",
+  "source",
+  "service",
+  "message",
+  "privacy",
+  "machine_id",
+  "repo_id",
+  "app_id",
+  "process_id",
+  "run_id",
+  "trace_id",
+  "span_id",
+  "parent_span_id",
+  "session_id",
+  "release_id",
+  "environment",
+  "agent",
+  "url",
+  "stack_trace",
+  "metadata"
+]);
 function logsRoutes(db) {
   const app = new Hono2;
+  app.post("/structured", async (c) => {
+    const validation = await validateStructuredIngestRequest(db, c);
+    if (!validation.ok)
+      return c.json({ error: validation.message }, validation.status);
+    const rows = validation.entries.map((entry) => ingestLog(db, entry));
+    return c.json({
+      inserted: rows.length,
+      events: rows.map((row) => ({
+        id: row.id,
+        timestamp: row.timestamp,
+        level: row.level,
+        source: row.source,
+        service: row.service,
+        message: row.message,
+        trace_id: row.trace_id
+      }))
+    }, 201);
+  });
   app.post("/", async (c) => {
-    const body = await c.req.json();
-    if (Array.isArray(body)) {
-      const rows = ingestBatch(db, body);
+    const validation = await validateIngestRequest(db, c);
+    if (!validation.ok)
+      return c.json({ error: validation.message }, validation.status);
+    if (validation.batch) {
+      const rows = ingestBatch(db, validation.entries);
+      if (validation.authorization.kind === "browser-token")
+        touchBrowserIngestToken(db, validation.authorization.token.id);
       return c.json({ inserted: rows.length }, 201);
     }
-    const row = ingestLog(db, body);
+    const [entry] = validation.entries;
+    if (!entry)
+      return c.json({ error: "No log entry provided" }, 422);
+    const row = ingestLog(db, entry);
+    if (validation.authorization.kind === "browser-token")
+      touchBrowserIngestToken(db, validation.authorization.token.id);
     return c.json(row, 201);
   });
   app.get("/", (c) => {
-    const { project_id, page_id, level, service, since, until, text, trace_id, limit, offset, fields } = c.req.query();
+    const {
+      project_id,
+      page_id,
+      level,
+      service,
+      since,
+      until,
+      text,
+      trace_id,
+      limit,
+      offset,
+      fields
+    } = c.req.query();
     const rows = searchLogs(db, {
       project_id: project_id || undefined,
       page_id: page_id || undefined,
@@ -2127,31 +3459,944 @@ function logsRoutes(db) {
       since: parseTime(since || "1h"),
       limit: limit ? Number(limit) : 20
     });
-    return c.json(rows.map((r) => ({ id: r.id, timestamp: r.timestamp, level: r.level, message: r.message, service: r.service, age_seconds: Math.floor((Date.now() - new Date(r.timestamp).getTime()) / 1000) })));
+    return c.json(rows.map((r) => ({
+      id: r.id,
+      timestamp: r.timestamp,
+      level: r.level,
+      message: r.message,
+      service: r.service,
+      age_seconds: Math.floor((Date.now() - new Date(r.timestamp).getTime()) / 1000)
+    })));
   });
   app.get("/:trace_id/context", (c) => {
     const rows = getLogContext(db, c.req.param("trace_id"));
     return c.json(rows);
   });
-  app.get("/export", (c) => {
-    const { project_id, since, until, level, service, format, limit } = c.req.query();
-    const opts = { project_id: project_id || undefined, since: since || undefined, until: until || undefined, level: level || undefined, service: service || undefined, limit: limit ? Number(limit) : undefined };
-    if (format === "csv") {
-      c.header("Content-Type", "text/csv");
-      c.header("Content-Disposition", "attachment; filename=logs.csv");
-      const chunks2 = [];
-      exportToCsv(db, opts, (s) => chunks2.push(s));
-      return c.text(chunks2.join(""));
-    }
-    c.header("Content-Type", "application/json");
-    c.header("Content-Disposition", "attachment; filename=logs.json");
-    const chunks = [];
-    exportToJson(db, opts, (s) => chunks.push(s));
-    return c.text(chunks.join(`
-`));
+  app.get("/export", (c) => {
+    const { project_id, since, until, level, service, format, limit } = c.req.query();
+    const opts = {
+      project_id: project_id || undefined,
+      since: since || undefined,
+      until: until || undefined,
+      level: level || undefined,
+      service: service || undefined,
+      limit: limit ? Number(limit) : undefined
+    };
+    if (format === "csv") {
+      c.header("Content-Type", "text/csv");
+      c.header("Content-Disposition", "attachment; filename=logs.csv");
+      const chunks2 = [];
+      exportToCsv(db, opts, (s) => chunks2.push(s));
+      return c.text(chunks2.join(""));
+    }
+    c.header("Content-Type", "application/json");
+    c.header("Content-Disposition", "attachment; filename=logs.json");
+    const chunks = [];
+    exportToJson(db, opts, (s) => chunks.push(s));
+    return c.text(chunks.join(`
+`));
+  });
+  return app;
+}
+async function validateStructuredIngestRequest(db, c) {
+  const authorization = authorizeLogIngest(db, c);
+  if (!authorization || authorization.kind === "browser-token") {
+    return {
+      ok: false,
+      status: 401,
+      message: "Structured server log ingest requires a trusted API token"
+    };
+  }
+  const contentType = c.req.header("content-type") ?? "";
+  if (!contentType.toLowerCase().includes("application/json")) {
+    return {
+      ok: false,
+      status: 415,
+      message: "Content-Type must be application/json"
+    };
+  }
+  const maxPayloadBytes = readPositiveInt2("HASNA_LOGS_MAX_PAYLOAD_BYTES", 1048576);
+  const contentLength = Number(c.req.header("content-length") ?? "0");
+  if (Number.isFinite(contentLength) && contentLength > maxPayloadBytes) {
+    return {
+      ok: false,
+      status: 413,
+      message: `Payload exceeds ${maxPayloadBytes} bytes`
+    };
+  }
+  let raw2 = "";
+  try {
+    raw2 = await c.req.text();
+  } catch {
+    return { ok: false, status: 400, message: "Unable to read request body" };
+  }
+  if (Buffer.byteLength(raw2, "utf8") > maxPayloadBytes) {
+    return {
+      ok: false,
+      status: 413,
+      message: `Payload exceeds ${maxPayloadBytes} bytes`
+    };
+  }
+  let body;
+  try {
+    body = JSON.parse(raw2);
+  } catch {
+    return { ok: false, status: 400, message: "Invalid JSON body" };
+  }
+  const maxBatchSize = readPositiveInt2("HASNA_LOGS_MAX_BATCH_SIZE", 1000);
+  const count = structuredPayloadCount(body);
+  if (count > maxBatchSize) {
+    return {
+      ok: false,
+      status: 413,
+      message: `Batch exceeds ${maxBatchSize} entries`
+    };
+  }
+  let result;
+  try {
+    result = structuredLogPayloadToEntries(body, structuredOptionsFromRequest(c));
+  } catch (error) {
+    return {
+      ok: false,
+      status: 422,
+      message: error instanceof Error ? error.message : String(error)
+    };
+  }
+  for (let index = 0;index < result.entries.length; index += 1) {
+    const entry = result.entries[index];
+    if (entry?.source === "browser" || entry?.source === "script") {
+      return {
+        ok: false,
+        status: 422,
+        message: `entry[${index}].source cannot be browser or script for structured server log ingest`
+      };
+    }
+  }
+  try {
+    validateStructuredLogReferences(db, result.entries);
+  } catch (error) {
+    return {
+      ok: false,
+      status: 422,
+      message: error instanceof Error ? error.message : String(error)
+    };
+  }
+  const maxMessageChars = readPositiveInt2("HASNA_LOGS_MAX_MESSAGE_CHARS", 262144);
+  for (let index = 0;index < result.entries.length; index += 1) {
+    const entry = result.entries[index];
+    if (entry && entry.message.length > maxMessageChars) {
+      return {
+        ok: false,
+        status: 413,
+        message: `entry[${index}].message is too large`
+      };
+    }
+  }
+  return {
+    ok: true,
+    entries: result.entries,
+    batch: result.batch,
+    authorization
+  };
+}
+async function validateIngestRequest(db, c) {
+  const authorization = authorizeLogIngest(db, c);
+  if (!authorization) {
+    return { ok: false, status: 401, message: "Unauthorized" };
+  }
+  const contentType = c.req.header("content-type") ?? "";
+  if (!contentType.toLowerCase().includes("application/json")) {
+    return {
+      ok: false,
+      status: 415,
+      message: "Content-Type must be application/json"
+    };
+  }
+  const maxPayloadBytes = readPositiveInt2("HASNA_LOGS_MAX_PAYLOAD_BYTES", 1048576);
+  const contentLength = Number(c.req.header("content-length") ?? "0");
+  if (Number.isFinite(contentLength) && contentLength > maxPayloadBytes) {
+    return {
+      ok: false,
+      status: 413,
+      message: `Payload exceeds ${maxPayloadBytes} bytes`
+    };
+  }
+  let raw2 = "";
+  try {
+    raw2 = await c.req.text();
+  } catch {
+    return { ok: false, status: 400, message: "Unable to read request body" };
+  }
+  if (Buffer.byteLength(raw2, "utf8") > maxPayloadBytes) {
+    return {
+      ok: false,
+      status: 413,
+      message: `Payload exceeds ${maxPayloadBytes} bytes`
+    };
+  }
+  let body;
+  try {
+    body = JSON.parse(raw2);
+  } catch {
+    return { ok: false, status: 400, message: "Invalid JSON body" };
+  }
+  const maxBatchSize = readPositiveInt2("HASNA_LOGS_MAX_BATCH_SIZE", 1000);
+  if (Array.isArray(body)) {
+    if (body.length > maxBatchSize) {
+      return {
+        ok: false,
+        status: 413,
+        message: `Batch exceeds ${maxBatchSize} entries`
+      };
+    }
+    const entries = [];
+    for (let index = 0;index < body.length; index += 1) {
+      const result2 = validateLogEntry(body[index], `entry[${index}]`);
+      if (!result2.ok)
+        return result2;
+      const authorized2 = applyLogIngestAuthorization(result2.entry, authorization, `entry[${index}]`);
+      if (!authorized2.ok)
+        return authorized2;
+      entries.push(authorized2.entry);
+    }
+    return { ok: true, entries, batch: true, authorization };
+  }
+  const result = validateLogEntry(body, "entry");
+  if (!result.ok)
+    return result;
+  const authorized = applyLogIngestAuthorization(result.entry, authorization, "entry");
+  if (!authorized.ok)
+    return authorized;
+  return { ok: true, entries: [authorized.entry], batch: false, authorization };
+}
+function structuredOptionsFromRequest(c) {
+  const query = c.req.query();
+  const format = query.format;
+  if (format !== undefined && format !== "auto" && format !== "pino" && format !== "winston" && format !== "json") {
+    throw new Error("format must be auto, pino, winston, or json");
+  }
+  return {
+    format,
+    source: query.source,
+    service: query.service,
+    project_id: query.project_id,
+    page_id: query.page_id,
+    machine_id: query.machine_id,
+    repo_id: query.repo_id,
+    app_id: query.app_id,
+    process_id: query.process_id,
+    run_id: query.run_id,
+    trace_id: query.trace_id,
+    span_id: query.span_id,
+    parent_span_id: query.parent_span_id,
+    session_id: query.session_id,
+    release_id: query.release_id,
+    environment: query.environment,
+    agent: query.agent,
+    url: query.url
+  };
+}
+function structuredPayloadCount(value) {
+  if (Array.isArray(value))
+    return value.length;
+  if (value && typeof value === "object" && !Array.isArray(value) && Array.isArray(value.logs)) {
+    return value.logs.length;
+  }
+  return 1;
+}
+function applyLogIngestAuthorization(entry, authorization, path) {
+  if (authorization.kind !== "browser-token")
+    return { ok: true, entry };
+  if (entry.source !== undefined && entry.source !== "script" && entry.source !== "browser") {
+    return {
+      ok: false,
+      status: 422,
+      message: `${path}.source must be script or browser when using a browser ingest token`
+    };
+  }
+  return {
+    ok: true,
+    entry: {
+      ...entry,
+      project_id: authorization.token.project_id,
+      source: entry.source ?? "browser"
+    }
+  };
+}
+function validateLogEntry(value, path) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return { ok: false, status: 422, message: `${path} must be an object` };
+  }
+  const input = value;
+  for (const key of Object.keys(input)) {
+    if (!LOG_ENTRY_KEYS.has(key)) {
+      return {
+        ok: false,
+        status: 422,
+        message: `${path}.${key} is not a supported log field`
+      };
+    }
+  }
+  if (!LOG_LEVELS2.has(input.level)) {
+    return {
+      ok: false,
+      status: 422,
+      message: `${path}.level must be one of debug, info, warn, error, fatal`
+    };
+  }
+  if (typeof input.message !== "string" || input.message.length === 0) {
+    return {
+      ok: false,
+      status: 422,
+      message: `${path}.message must be a non-empty string`
+    };
+  }
+  if (input.message.length > readPositiveInt2("HASNA_LOGS_MAX_MESSAGE_CHARS", 262144)) {
+    return { ok: false, status: 413, message: `${path}.message is too large` };
+  }
+  if (input.source !== undefined && !LOG_SOURCES.has(input.source)) {
+    return {
+      ok: false,
+      status: 422,
+      message: `${path}.source is not supported`
+    };
+  }
+  if (input.privacy !== undefined && !PRIVACY_CLASSES.has(input.privacy)) {
+    return {
+      ok: false,
+      status: 422,
+      message: `${path}.privacy is not supported`
+    };
+  }
+  if (input.metadata !== undefined && (!input.metadata || typeof input.metadata !== "object" || Array.isArray(input.metadata))) {
+    return {
+      ok: false,
+      status: 422,
+      message: `${path}.metadata must be an object`
+    };
+  }
+  const entry = {
+    level: input.level,
+    message: input.message
+  };
+  const entryRecord = entry;
+  const optionalStringKeys = [
+    "id",
+    "timestamp",
+    "source_event_id",
+    "project_id",
+    "page_id",
+    "source",
+    "service",
+    "privacy",
+    "machine_id",
+    "repo_id",
+    "app_id",
+    "process_id",
+    "run_id",
+    "trace_id",
+    "span_id",
+    "parent_span_id",
+    "session_id",
+    "release_id",
+    "environment",
+    "agent",
+    "url",
+    "stack_trace"
+  ];
+  for (const key of optionalStringKeys) {
+    const copied = copyOptionalString(input, entryRecord, key, path);
+    if (!copied.ok)
+      return copied;
+  }
+  if (input.metadata !== undefined)
+    entry.metadata = input.metadata;
+  return { ok: true, entry };
+}
+function copyOptionalString(input, entry, key, path) {
+  const value = input[key];
+  if (value === undefined)
+    return { ok: true };
+  if (typeof value !== "string") {
+    return {
+      ok: false,
+      status: 422,
+      message: `${path}.${key} must be a string`
+    };
+  }
+  entry[key] = value;
+  return { ok: true };
+}
+function readPositiveInt2(name, fallback) {
+  const parsed = Number.parseInt(process.env[name] ?? "", 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback;
+}
+
+// src/lib/otlp-ingest.ts
+import { createHash as createHash3 } from "crypto";
+function ingestOtlpTraces(db, payload) {
+  const events = [];
+  for (const [resourceIndex, resourceSpan] of requiredObjectArray(payload, "resourceSpans", "payload.resourceSpans").entries()) {
+    const resource = attributesFromContainer(resourceSpan.resource);
+    for (const [scopeIndex, scopeSpan] of objectArray(resourceSpan.scopeSpans, "payload.resourceSpans[].scopeSpans").entries()) {
+      const scope = scopeInfo(scopeSpan.scope);
+      const context = { resource, scope, resourceIndex, scopeIndex };
+      for (const span of objectArray(scopeSpan.spans, "payload.resourceSpans[].scopeSpans[].spans")) {
+        events.push(spanToEvent(span, context));
+      }
+    }
+  }
+  return ingestOtlpEvents(db, "traces", events);
+}
+function ingestOtlpLogs(db, payload) {
+  const events = [];
+  for (const [resourceIndex, resourceLog] of requiredObjectArray(payload, "resourceLogs", "payload.resourceLogs").entries()) {
+    const resource = attributesFromContainer(resourceLog.resource);
+    for (const [scopeIndex, scopeLog] of objectArray(resourceLog.scopeLogs, "payload.resourceLogs[].scopeLogs").entries()) {
+      const scope = scopeInfo(scopeLog.scope);
+      const context = { resource, scope, resourceIndex, scopeIndex };
+      for (const [recordIndex, logRecord] of objectArray(scopeLog.logRecords, "payload.resourceLogs[].scopeLogs[].logRecords").entries()) {
+        events.push(logRecordToEvent(logRecord, context, recordIndex));
+      }
+    }
+  }
+  return ingestOtlpEvents(db, "logs", events);
+}
+function ingestOtlpMetrics(db, payload) {
+  const events = [];
+  for (const [resourceIndex, resourceMetric] of requiredObjectArray(payload, "resourceMetrics", "payload.resourceMetrics").entries()) {
+    const resource = attributesFromContainer(resourceMetric.resource);
+    for (const [scopeIndex, scopeMetric] of objectArray(resourceMetric.scopeMetrics, "payload.resourceMetrics[].scopeMetrics").entries()) {
+      const scope = scopeInfo(scopeMetric.scope);
+      const context = { resource, scope, resourceIndex, scopeIndex };
+      for (const [metricIndex, metric] of objectArray(scopeMetric.metrics, "payload.resourceMetrics[].scopeMetrics[].metrics").entries()) {
+        events.push(...metricToEvents(metric, context, metricIndex));
+      }
+    }
+  }
+  return ingestOtlpEvents(db, "metrics", events);
+}
+function ingestOtlpEvents(db, signal, inputs) {
+  const events = [];
+  let inserted = 0;
+  for (const input of inputs) {
+    const result = ingestUniversalEvent(db, input);
+    if (result.inserted)
+      inserted += 1;
+    events.push(result.event);
+  }
+  return {
+    signal,
+    accepted: inputs.length,
+    inserted,
+    duplicates: inputs.length - inserted,
+    events
+  };
+}
+function spanToEvent(span, context) {
+  const attributes = attributesFromArray(span.attributes);
+  const traceId = optionalString2(span.traceId);
+  const spanId = optionalString2(span.spanId);
+  const parentSpanId = optionalString2(span.parentSpanId);
+  const startTime = unixNanoToIso(span.startTimeUnixNano);
+  const endTime = unixNanoToIso(span.endTimeUnixNano);
+  const spanDurationMs = durationMs(span.startTimeUnixNano, span.endTimeUnixNano);
+  const status = objectValue(span.status);
+  const statusCode = optionalString2(status?.code) ?? stringFromUnknown(status?.code);
+  const isError = statusCode === "2" || statusCode === "STATUS_CODE_ERROR" || statusCode === "ERROR";
+  const name = optionalString2(span.name) ?? "OTLP span";
+  const spanKind = optionalString2(span.kind) ?? stringFromUnknown(span.kind);
+  return {
+    type: "span",
+    source: "otel",
+    source_event_id: traceId && spanId ? `otlp:span:${traceId}:${spanId}` : stableSourceEventId("span", span),
+    event_time: startTime,
+    severity: isError ? "error" : "info",
+    trace_id: traceId,
+    span_id: spanId,
+    parent_span_id: parentSpanId,
+    app_id: resourceString(context.resource, "service.name"),
+    machine_id: resourceString(context.resource, "host.id") ?? resourceString(context.resource, "host.name"),
+    environment: resourceString(context.resource, "deployment.environment"),
+    message: name,
+    attributes: compactObject({
+      category: "otlp_span",
+      signal: "traces",
+      name,
+      operation: attributes["http.route"] ?? attributes["rpc.method"] ?? attributes["db.operation.name"] ?? spanKind,
+      status: isError ? "error" : "ok",
+      started_at: startTime,
+      ended_at: endTime,
+      duration_ms: spanDurationMs,
+      resource: context.resource,
+      scope: context.scope,
+      span_attributes: attributes,
+      otel: compactObject({
+        signal: "traces",
+        span_kind: spanKind,
+        status_code: statusCode,
+        status_message: optionalString2(status?.message),
+        dropped_attributes_count: numberFromUnknown(span.droppedAttributesCount),
+        dropped_events_count: numberFromUnknown(span.droppedEventsCount),
+        dropped_links_count: numberFromUnknown(span.droppedLinksCount),
+        start_time_unix_nano: stringFromUnknown(span.startTimeUnixNano),
+        end_time_unix_nano: stringFromUnknown(span.endTimeUnixNano)
+      })
+    }),
+    body: {
+      span: compactObject({
+        name,
+        kind: spanKind,
+        status,
+        events: spanEvents(span.events),
+        links: spanLinks(span.links)
+      })
+    }
+  };
+}
+function logRecordToEvent(logRecord, context, recordIndex) {
+  const attributes = attributesFromArray(logRecord.attributes);
+  const body = otlpAnyValue(logRecord.body);
+  const traceId = optionalString2(logRecord.traceId);
+  const spanId = optionalString2(logRecord.spanId);
+  const severityNumber = numberFromUnknown(logRecord.severityNumber);
+  const severityText = optionalString2(logRecord.severityText);
+  const eventTime = unixNanoToIso(logRecord.timeUnixNano) ?? unixNanoToIso(logRecord.observedTimeUnixNano);
+  const message = typeof body === "string" ? body : severityText ? `OTLP ${severityText} log` : "OTLP log";
+  return {
+    type: "log",
+    source: "otel",
+    source_event_id: stableSourceEventId("log", {
+      traceId,
+      spanId,
+      timeUnixNano: logRecord.timeUnixNano,
+      observedTimeUnixNano: logRecord.observedTimeUnixNano,
+      severityNumber,
+      severityText,
+      resourceIndex: context.resourceIndex,
+      scopeIndex: context.scopeIndex,
+      recordIndex,
+      resource: context.resource,
+      scope: context.scope,
+      body,
+      attributes
+    }),
+    event_time: eventTime,
+    severity: otlpSeverity(severityNumber, severityText),
+    trace_id: traceId,
+    span_id: spanId,
+    app_id: resourceString(context.resource, "service.name"),
+    machine_id: resourceString(context.resource, "host.id") ?? resourceString(context.resource, "host.name"),
+    environment: resourceString(context.resource, "deployment.environment"),
+    message,
+    attributes: compactObject({
+      category: "otlp_log",
+      signal: "logs",
+      resource: context.resource,
+      scope: context.scope,
+      log_attributes: attributes,
+      otel: compactObject({
+        signal: "logs",
+        severity_number: severityNumber,
+        severity_text: severityText,
+        time_unix_nano: stringFromUnknown(logRecord.timeUnixNano),
+        observed_time_unix_nano: stringFromUnknown(logRecord.observedTimeUnixNano),
+        dropped_attributes_count: numberFromUnknown(logRecord.droppedAttributesCount),
+        flags: numberFromUnknown(logRecord.flags)
+      })
+    }),
+    body: {
+      log: compactObject({
+        body,
+        severity_number: severityNumber,
+        severity_text: severityText
+      })
+    }
+  };
+}
+function metricToEvents(metric, context, metricIndex) {
+  const name = optionalString2(metric.name) ?? "otel.metric";
+  const description = optionalString2(metric.description);
+  const unit = optionalString2(metric.unit);
+  const points = metricPoints(metric);
+  return points.dataPoints.map((point, index) => {
+    const attributes = attributesFromArray(point.attributes);
+    const eventTime = unixNanoToIso(point.timeUnixNano) ?? unixNanoToIso(point.startTimeUnixNano);
+    return {
+      type: "metric",
+      source: "otel",
+      source_event_id: stableSourceEventId("metric", {
+        name,
+        kind: points.kind,
+        index,
+        startTimeUnixNano: point.startTimeUnixNano,
+        timeUnixNano: point.timeUnixNano,
+        resourceIndex: context.resourceIndex,
+        scopeIndex: context.scopeIndex,
+        metricIndex,
+        pointIndex: index,
+        resource: context.resource,
+        scope: context.scope,
+        attributes,
+        value: metricPointValue(points.kind, point)
+      }),
+      event_time: eventTime,
+      severity: "info",
+      app_id: resourceString(context.resource, "service.name"),
+      machine_id: resourceString(context.resource, "host.id") ?? resourceString(context.resource, "host.name"),
+      environment: resourceString(context.resource, "deployment.environment"),
+      message: name,
+      attributes: compactObject({
+        category: "otlp_metric",
+        signal: "metrics",
+        name,
+        description,
+        unit,
+        resource: context.resource,
+        scope: context.scope,
+        metric_attributes: attributes,
+        otel: compactObject({
+          signal: "metrics",
+          metric_kind: points.kind,
+          aggregation_temporality: points.aggregationTemporality,
+          is_monotonic: points.isMonotonic,
+          start_time_unix_nano: stringFromUnknown(point.startTimeUnixNano),
+          time_unix_nano: stringFromUnknown(point.timeUnixNano),
+          flags: numberFromUnknown(point.flags)
+        })
+      }),
+      body: {
+        metric: compactObject({
+          name,
+          description,
+          unit,
+          kind: points.kind,
+          value: metricPointValue(points.kind, point)
+        })
+      }
+    };
+  });
+}
+function metricPoints(metric) {
+  const metricKinds = [
+    "gauge",
+    "sum",
+    "histogram",
+    "exponentialHistogram",
+    "summary"
+  ];
+  for (const kind of metricKinds) {
+    if (!(kind in metric))
+      continue;
+    const container = objectValue(metric[kind]);
+    if (!container)
+      throw new Error(`metric.${kind} must be an object`);
+    return {
+      kind,
+      dataPoints: objectArray(container.dataPoints, `metric.${kind}.dataPoints`),
+      aggregationTemporality: stringOrNumber(container.aggregationTemporality),
+      isMonotonic: typeof container.isMonotonic === "boolean" ? container.isMonotonic : undefined
+    };
+  }
+  throw new Error(`metric must contain one of ${metricKinds.join(", ")}`);
+}
+function metricPointValue(kind, point) {
+  if (kind === "gauge" || kind === "sum") {
+    return numberOrString(point.asDouble) ?? numberOrString(point.asInt);
+  }
+  if (kind === "histogram") {
+    return compactObject({
+      count: numberOrString(point.count),
+      sum: numberOrString(point.sum),
+      min: numberOrString(point.min),
+      max: numberOrString(point.max),
+      bucket_counts: primitiveArray(point.bucketCounts),
+      explicit_bounds: primitiveArray(point.explicitBounds)
+    });
+  }
+  if (kind === "exponentialHistogram") {
+    return compactObject({
+      count: numberOrString(point.count),
+      sum: numberOrString(point.sum),
+      min: numberOrString(point.min),
+      max: numberOrString(point.max),
+      scale: numberFromUnknown(point.scale),
+      zero_count: numberOrString(point.zeroCount),
+      positive: point.positive,
+      negative: point.negative
+    });
+  }
+  if (kind === "summary") {
+    return compactObject({
+      count: numberOrString(point.count),
+      sum: numberOrString(point.sum),
+      quantile_values: primitiveArray(point.quantileValues)
+    });
+  }
+  return point;
+}
+function attributesFromContainer(value) {
+  return attributesFromArray(objectValue(value)?.attributes);
+}
+function attributesFromArray(value) {
+  const result = {};
+  for (const entry of objectArray(value, "attributes")) {
+    const key = optionalString2(entry.key);
+    if (!key)
+      continue;
+    result[key] = otlpAnyValue(entry.value);
+  }
+  return result;
+}
+function scopeInfo(value) {
+  const scope = objectValue(value);
+  if (!scope)
+    return {};
+  return compactObject({
+    name: optionalString2(scope.name),
+    version: optionalString2(scope.version),
+    attributes: attributesFromArray(scope.attributes),
+    dropped_attributes_count: numberFromUnknown(scope.droppedAttributesCount)
+  });
+}
+function otlpAnyValue(value) {
+  const object = objectValue(value);
+  if (!object)
+    return;
+  if ("stringValue" in object)
+    return optionalString2(object.stringValue) ?? stringFromUnknown(object.stringValue);
+  if ("boolValue" in object)
+    return object.boolValue === true;
+  if ("intValue" in object)
+    return numberOrString(object.intValue);
+  if ("doubleValue" in object)
+    return numberOrString(object.doubleValue);
+  if ("bytesValue" in object)
+    return optionalString2(object.bytesValue);
+  if ("arrayValue" in object)
+    return objectArray(objectValue(object.arrayValue)?.values, "arrayValue.values").map(otlpAnyValue);
+  if ("kvlistValue" in object)
+    return attributesFromArray(objectValue(object.kvlistValue)?.values);
+  return;
+}
+function spanEvents(value) {
+  return objectArray(value, "span.events").map((event) => compactObject({
+    name: optionalString2(event.name),
+    time_unix_nano: stringFromUnknown(event.timeUnixNano),
+    time: unixNanoToIso(event.timeUnixNano),
+    attributes: attributesFromArray(event.attributes),
+    dropped_attributes_count: numberFromUnknown(event.droppedAttributesCount)
+  }));
+}
+function spanLinks(value) {
+  return objectArray(value, "span.links").map((link) => compactObject({
+    trace_id: optionalString2(link.traceId),
+    span_id: optionalString2(link.spanId),
+    trace_state: optionalString2(link.traceState),
+    attributes: attributesFromArray(link.attributes),
+    dropped_attributes_count: numberFromUnknown(link.droppedAttributesCount)
+  }));
+}
+function otlpSeverity(severityNumber, severityText) {
+  if (severityNumber !== undefined) {
+    if (severityNumber >= 21)
+      return "fatal";
+    if (severityNumber >= 17)
+      return "error";
+    if (severityNumber >= 13)
+      return "warn";
+    if (severityNumber >= 1 && severityNumber <= 8)
+      return "debug";
+  }
+  const text = severityText?.toLowerCase() ?? "";
+  if (text.includes("fatal") || text.includes("panic"))
+    return "fatal";
+  if (text.includes("error") || text.includes("err"))
+    return "error";
+  if (text.includes("warn"))
+    return "warn";
+  if (text.includes("debug") || text.includes("trace"))
+    return "debug";
+  return "info";
+}
+function unixNanoToIso(value) {
+  const ns = bigintFromUnknown(value);
+  if (ns === undefined)
+    return;
+  const ms = ns / 1000000n;
+  if (ms > BigInt(Number.MAX_SAFE_INTEGER) || ms < BigInt(Number.MIN_SAFE_INTEGER))
+    return;
+  const date = new Date(Number(ms));
+  return Number.isNaN(date.getTime()) ? undefined : date.toISOString();
+}
+function durationMs(start, end) {
+  const startNs = bigintFromUnknown(start);
+  const endNs = bigintFromUnknown(end);
+  if (startNs === undefined || endNs === undefined || endNs < startNs)
+    return;
+  return Number(endNs - startNs) / 1e6;
+}
+function requiredObjectArray(value, key, path) {
+  const object = objectValue(value);
+  if (!object)
+    throw new Error("OTLP payload must be an object");
+  const array = object[key];
+  if (!Array.isArray(array))
+    throw new Error(`${path} must be an array`);
+  return array.map((item, index) => {
+    const itemObject = objectValue(item);
+    if (!itemObject)
+      throw new Error(`${path}[${index}] must be an object`);
+    return itemObject;
+  });
+}
+function objectArray(value, path) {
+  if (value === undefined || value === null)
+    return [];
+  if (!Array.isArray(value))
+    throw new Error(`${path} must be an array`);
+  return value.map((item, index) => {
+    const itemObject = objectValue(item);
+    if (!itemObject)
+      throw new Error(`${path}[${index}] must be an object`);
+    return itemObject;
+  });
+}
+function objectValue(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function optionalString2(value) {
+  return typeof value === "string" && value.length > 0 ? value : undefined;
+}
+function stringFromUnknown(value) {
+  if (value === undefined || value === null || value === "")
+    return;
+  if (typeof value === "string")
+    return value;
+  if (typeof value === "number" || typeof value === "bigint" || typeof value === "boolean")
+    return String(value);
+  return;
+}
+function resourceString(resource, key) {
+  return optionalString2(resource[key]) ?? stringFromUnknown(resource[key]);
+}
+function stringOrNumber(value) {
+  if (typeof value === "number" && Number.isFinite(value))
+    return value;
+  return stringFromUnknown(value);
+}
+function numberOrString(value) {
+  if (typeof value === "number" && Number.isFinite(value))
+    return value;
+  if (typeof value === "string" && value.length > 0) {
+    const parsed = Number(value);
+    return Number.isSafeInteger(parsed) ? parsed : value;
+  }
+  return;
+}
+function numberFromUnknown(value) {
+  if (typeof value === "number" && Number.isFinite(value))
+    return value;
+  if (typeof value === "string" && value.length > 0) {
+    const parsed = Number(value);
+    return Number.isFinite(parsed) ? parsed : undefined;
+  }
+  return;
+}
+function bigintFromUnknown(value) {
+  if (typeof value === "bigint")
+    return value;
+  if (typeof value === "number" && Number.isFinite(value))
+    return BigInt(Math.trunc(value));
+  if (typeof value === "string" && /^\d+$/.test(value))
+    return BigInt(value);
+  return;
+}
+function primitiveArray(value) {
+  if (!Array.isArray(value))
+    return;
+  return value.filter((item) => item === null || ["string", "number", "boolean"].includes(typeof item));
+}
+function compactObject(input) {
+  return Object.fromEntries(Object.entries(input).filter(([, value]) => value !== undefined));
+}
+function stableSourceEventId(kind, value) {
+  return `otlp:${kind}:${createHash3("sha256").update(stableJson(value)).digest("hex").slice(0, 32)}`;
+}
+function stableJson(value) {
+  if (value === null || value === undefined)
+    return "null";
+  if (Array.isArray(value))
+    return `[${value.map(stableJson).join(",")}]`;
+  if (typeof value === "object") {
+    const object = value;
+    return `{${Object.keys(object).sort().map((key) => `${JSON.stringify(key)}:${stableJson(object[key])}`).join(",")}}`;
+  }
+  return JSON.stringify(value);
+}
+
+// src/server/routes/otel.ts
+function otelRoutes(db) {
+  const app = new Hono2;
+  app.post("/v1/traces", async (c) => {
+    const authError = requireServerOtlpIngest(db, c);
+    if (authError)
+      return authError;
+    const payload = await readJsonObject(c);
+    if (!payload.ok)
+      return c.json({ error: payload.message }, payload.status);
+    return writeOtlpResponse(c, () => ingestOtlpTraces(db, payload.value));
+  });
+  app.post("/v1/logs", async (c) => {
+    const authError = requireServerOtlpIngest(db, c);
+    if (authError)
+      return authError;
+    const payload = await readJsonObject(c);
+    if (!payload.ok)
+      return c.json({ error: payload.message }, payload.status);
+    return writeOtlpResponse(c, () => ingestOtlpLogs(db, payload.value));
+  });
+  app.post("/v1/metrics", async (c) => {
+    const authError = requireServerOtlpIngest(db, c);
+    if (authError)
+      return authError;
+    const payload = await readJsonObject(c);
+    if (!payload.ok)
+      return c.json({ error: payload.message }, payload.status);
+    return writeOtlpResponse(c, () => ingestOtlpMetrics(db, payload.value));
   });
   return app;
 }
+function requireServerOtlpIngest(db, c) {
+  const authorization = authorizeLogIngest(db, c);
+  if (!authorization)
+    return c.json({ error: "Unauthorized" }, 401);
+  if (authorization.kind === "browser-token") {
+    return c.json({ error: "Browser ingest tokens cannot write OTLP telemetry" }, 403);
+  }
+  return null;
+}
+function writeOtlpResponse(c, ingest) {
+  try {
+    const summary = ingest();
+    return c.json({
+      partialSuccess: {},
+      signal: summary.signal,
+      accepted: summary.accepted,
+      inserted: summary.inserted,
+      duplicates: summary.duplicates,
+      events: summary.events.map((event) => ({
+        event_id: event.event_id,
+        event_type: event.event_type,
+        source: event.source,
+        trace_id: event.trace_id,
+        span_id: event.span_id
+      }))
+    }, 200);
+  } catch (error) {
+    return c.json({ error: error instanceof Error ? error.message : String(error) }, 422);
+  }
+}
 
 // src/server/routes/perf.ts
 function perfRoutes(db) {
@@ -2178,13 +4423,17 @@ async function syncGithubRepo(db, project) {
   if (!project.github_repo)
     return project;
   const repo = project.github_repo.replace(/^https?:\/\/github\.com\//, "");
-  const headers = { Accept: "application/vnd.github.v3+json" };
+  const headers = {
+    Accept: "application/vnd.github.v3+json"
+  };
   if (process.env.GITHUB_TOKEN)
-    headers["Authorization"] = `Bearer ${process.env.GITHUB_TOKEN}`;
+    headers.Authorization = `Bearer ${process.env.GITHUB_TOKEN}`;
   try {
     const [repoRes, commitRes] = await Promise.all([
       fetch(`https://api.github.com/repos/${repo}`, { headers }),
-      fetch(`https://api.github.com/repos/${repo}/commits?per_page=1`, { headers })
+      fetch(`https://api.github.com/repos/${repo}/commits?per_page=1`, {
+        headers
+      })
     ]);
     if (!repoRes.ok)
       return project;
@@ -2202,12 +4451,35 @@ async function syncGithubRepo(db, project) {
 }
 
 // src/server/routes/projects.ts
+var PROJECT_CREATE_KEYS = [
+  "name",
+  "github_repo",
+  "base_url",
+  "description"
+];
+var PAGE_CREATE_KEYS = ["url", "path", "name"];
+var RETENTION_KEYS = [
+  "max_rows",
+  "debug_ttl_hours",
+  "info_ttl_hours",
+  "warn_ttl_hours",
+  "error_ttl_hours"
+];
+var PAGE_AUTH_KEYS = ["type", "credentials"];
+var PAGE_AUTH_TYPES = ["cookie", "bearer", "basic"];
+var BROWSER_TOKEN_KEYS = ["name", "allowed_origins"];
 function projectsRoutes(db) {
   const app = new Hono2;
   app.post("/", async (c) => {
-    const body = await c.req.json();
-    if (!body.name)
-      return c.json({ error: "name is required" }, 422);
+    const parsed = await readJsonObject(c, {
+      allowedKeys: PROJECT_CREATE_KEYS
+    });
+    if (!parsed.ok)
+      return c.json({ error: parsed.message }, parsed.status);
+    const projectInput = validateProjectCreate(parsed.value);
+    if (!projectInput.ok)
+      return c.json({ error: projectInput.message }, projectInput.status);
+    const body = projectInput.value;
     const project = createProject(db, body);
     return c.json(project, 201);
   });
@@ -2219,15 +4491,51 @@ function projectsRoutes(db) {
     return c.json(project);
   });
   app.post("/:id/pages", async (c) => {
-    const body = await c.req.json();
-    if (!body.url)
-      return c.json({ error: "url is required" }, 422);
+    const parsed = await readJsonObject(c, { allowedKeys: PAGE_CREATE_KEYS });
+    if (!parsed.ok)
+      return c.json({ error: parsed.message }, parsed.status);
+    const pageInput = validatePageCreate(parsed.value);
+    if (!pageInput.ok)
+      return c.json({ error: pageInput.message }, pageInput.status);
+    const body = pageInput.value;
     const page = createPage(db, { ...body, project_id: c.req.param("id") });
     return c.json(page, 201);
   });
   app.get("/:id/pages", (c) => c.json(listPages(db, c.req.param("id"))));
+  app.post("/:id/browser-tokens", async (c) => {
+    const project = getProject(db, c.req.param("id"));
+    if (!project)
+      return c.json({ error: "not found" }, 404);
+    const parsed = await readJsonObject(c, { allowedKeys: BROWSER_TOKEN_KEYS });
+    if (!parsed.ok)
+      return c.json({ error: parsed.message }, parsed.status);
+    const tokenInput = validateBrowserTokenCreate(parsed.value);
+    if (!tokenInput.ok)
+      return c.json({ error: tokenInput.message }, tokenInput.status);
+    const token = createBrowserIngestToken(db, project.id, tokenInput.value);
+    return c.json(token, 201);
+  });
+  app.get("/:id/browser-tokens", (c) => {
+    const project = getProject(db, c.req.param("id"));
+    if (!project)
+      return c.json({ error: "not found" }, 404);
+    return c.json(listBrowserIngestTokens(db, project.id));
+  });
+  app.delete("/:id/browser-tokens/:token_id", (c) => {
+    const project = getProject(db, c.req.param("id"));
+    if (!project)
+      return c.json({ error: "not found" }, 404);
+    const revoked = revokeBrowserIngestToken(db, project.id, c.req.param("token_id"));
+    return c.json({ revoked });
+  });
   app.put("/:id/retention", async (c) => {
-    const body = await c.req.json();
+    const parsed = await readJsonObject(c, { allowedKeys: RETENTION_KEYS });
+    if (!parsed.ok)
+      return c.json({ error: parsed.message }, parsed.status);
+    const retentionInput = validateRetention(parsed.value);
+    if (!retentionInput.ok)
+      return c.json({ error: retentionInput.message }, retentionInput.status);
+    const body = retentionInput.value;
     setRetentionPolicy(db, c.req.param("id"), body);
     return c.json({ updated: true });
   });
@@ -2236,9 +4544,13 @@ function projectsRoutes(db) {
     return c.json(result);
   });
   app.post("/:id/pages/:page_id/auth", async (c) => {
-    const { type, credentials } = await c.req.json();
-    if (!type || !credentials)
-      return c.json({ error: "type and credentials required" }, 422);
+    const parsed = await readJsonObject(c, { allowedKeys: PAGE_AUTH_KEYS });
+    if (!parsed.ok)
+      return c.json({ error: parsed.message }, parsed.status);
+    const authInput = validatePageAuth(parsed.value);
+    if (!authInput.ok)
+      return c.json({ error: authInput.message }, authInput.status);
+    const { type, credentials } = authInput.value;
     const result = setPageAuth(db, c.req.param("page_id"), type, credentials);
     return c.json({ id: result.id, type: result.type, created_at: result.created_at }, 201);
   });
@@ -2257,211 +4569,409 @@ function projectsRoutes(db) {
   });
   return app;
 }
-
-// node_modules/hono/dist/utils/stream.js
-var StreamingApi = class {
-  writer;
-  encoder;
-  writable;
-  abortSubscribers = [];
-  responseReadable;
-  aborted = false;
-  closed = false;
-  constructor(writable, _readable) {
-    this.writable = writable;
-    this.writer = writable.getWriter();
-    this.encoder = new TextEncoder;
-    const reader = _readable.getReader();
-    this.abortSubscribers.push(async () => {
-      await reader.cancel();
-    });
-    this.responseReadable = new ReadableStream({
-      async pull(controller) {
-        const { done, value } = await reader.read();
-        done ? controller.close() : controller.enqueue(value);
-      },
-      cancel: () => {
-        this.abort();
-      }
-    });
-  }
-  async write(input) {
-    try {
-      if (typeof input === "string") {
-        input = this.encoder.encode(input);
-      }
-      await this.writer.write(input);
-    } catch {}
-    return this;
-  }
-  async writeln(input) {
-    await this.write(input + `
-`);
-    return this;
-  }
-  sleep(ms) {
-    return new Promise((res) => setTimeout(res, ms));
-  }
-  async close() {
-    try {
-      await this.writer.close();
-    } catch {}
-    this.closed = true;
-  }
-  async pipe(body) {
-    this.writer.releaseLock();
-    await body.pipeTo(this.writable, { preventClose: true });
-    this.writer = this.writable.getWriter();
-  }
-  onAbort(listener) {
-    this.abortSubscribers.push(listener);
+function validateProjectCreate(body) {
+  const name = requiredString(body, "name");
+  if (!name.ok)
+    return name;
+  const github_repo = optionalString(body, "github_repo");
+  if (!github_repo.ok)
+    return github_repo;
+  const base_url = optionalString(body, "base_url");
+  if (!base_url.ok)
+    return base_url;
+  if (base_url.value !== undefined && !isUrl2(base_url.value)) {
+    return {
+      ok: false,
+      status: 422,
+      message: "body.base_url must be a valid URL"
+    };
   }
-  abort() {
-    if (!this.aborted) {
-      this.aborted = true;
-      this.abortSubscribers.forEach((subscriber) => subscriber());
+  const description = optionalString(body, "description");
+  if (!description.ok)
+    return description;
+  return {
+    ok: true,
+    value: {
+      name: name.value,
+      github_repo: github_repo.value,
+      base_url: base_url.value,
+      description: description.value
     }
+  };
+}
+function validatePageCreate(body) {
+  const url = requiredString(body, "url");
+  if (!url.ok)
+    return url;
+  if (!isUrl2(url.value))
+    return { ok: false, status: 422, message: "body.url must be a valid URL" };
+  const path = optionalString(body, "path");
+  if (!path.ok)
+    return path;
+  const name = optionalString(body, "name");
+  if (!name.ok)
+    return name;
+  return {
+    ok: true,
+    value: { url: url.value, path: path.value, name: name.value }
+  };
+}
+function validateRetention(body) {
+  const value = {};
+  for (const key of RETENTION_KEYS) {
+    const field = optionalNumber(body, key, { integer: true, min: 1 });
+    if (!field.ok)
+      return field;
+    if (field.value !== undefined)
+      value[key] = field.value;
   }
-};
-
-// node_modules/hono/dist/helper/streaming/utils.js
-var isOldBunVersion = () => {
-  const version = typeof Bun !== "undefined" ? Bun.version : undefined;
-  if (version === undefined) {
-    return false;
-  }
-  const result = version.startsWith("1.1") || version.startsWith("1.0") || version.startsWith("0.");
-  isOldBunVersion = () => result;
-  return result;
-};
-
-// node_modules/hono/dist/helper/streaming/sse.js
-var SSEStreamingApi = class extends StreamingApi {
-  constructor(writable, readable) {
-    super(writable, readable);
-  }
-  async writeSSE(message) {
-    const data = await resolveCallback(message.data, HtmlEscapedCallbackPhase.Stringify, false, {});
-    const dataLines = data.split(/\r\n|\r|\n/).map((line) => {
-      return `data: ${line}`;
-    }).join(`
-`);
-    for (const key of ["event", "id", "retry"]) {
-      if (message[key] && /[\r\n]/.test(message[key])) {
-        throw new Error(`${key} must not contain "\\r" or "\\n"`);
-      }
+  return { ok: true, value };
+}
+function validatePageAuth(body) {
+  const type = requiredEnum(body, "type", PAGE_AUTH_TYPES);
+  if (!type.ok)
+    return type;
+  const credentials = requiredString(body, "credentials");
+  if (!credentials.ok)
+    return credentials;
+  return {
+    ok: true,
+    value: { type: type.value, credentials: credentials.value }
+  };
+}
+function validateBrowserTokenCreate(body) {
+  const name = optionalString(body, "name");
+  if (!name.ok)
+    return name;
+  const allowedOrigins = optionalStringArray(body, "allowed_origins", {
+    maxItems: 20
+  });
+  if (!allowedOrigins.ok)
+    return allowedOrigins;
+  if (allowedOrigins.value) {
+    const normalizedOrigins = [];
+    for (const origin of allowedOrigins.value) {
+      const normalized = normalizeOrigin2(origin);
+      if (!normalized)
+        return {
+          ok: false,
+          status: 422,
+          message: "body.allowed_origins must contain valid URL origins"
+        };
+      normalizedOrigins.push(normalized);
     }
-    const sseData = [
-      message.event && `event: ${message.event}`,
-      dataLines,
-      message.id && `id: ${message.id}`,
-      message.retry && `retry: ${message.retry}`
-    ].filter(Boolean).join(`
-`) + `
-
-`;
-    await this.write(sseData);
+    return {
+      ok: true,
+      value: {
+        name: name.value,
+        allowed_origins: [...new Set(normalizedOrigins)]
+      }
+    };
   }
-};
-var run = async (stream, cb, onError) => {
+  return { ok: true, value: { name: name.value } };
+}
+function isUrl2(value) {
   try {
-    await cb(stream);
-  } catch (e) {
-    if (e instanceof Error && onError) {
-      await onError(e, stream);
-      await stream.writeSSE({
-        event: "error",
-        data: e.message
-      });
-    } else {
-      console.error(e);
-    }
-  } finally {
-    stream.close();
+    new URL(value);
+    return true;
+  } catch {
+    return false;
   }
-};
-var contextStash = /* @__PURE__ */ new WeakMap;
-var streamSSE = (c, cb, onError) => {
-  const { readable, writable } = new TransformStream;
-  const stream = new SSEStreamingApi(writable, readable);
-  if (isOldBunVersion()) {
-    c.req.raw.signal.addEventListener("abort", () => {
-      if (!stream.closed) {
-        stream.abort();
-      }
-    });
+}
+function normalizeOrigin2(value) {
+  try {
+    return new URL(value).origin;
+  } catch {
+    return null;
   }
-  contextStash.set(stream.responseReadable, c);
-  c.header("Transfer-Encoding", "chunked");
-  c.header("Content-Type", "text/event-stream");
-  c.header("Cache-Control", "no-cache");
-  c.header("Connection", "keep-alive");
-  run(stream, cb, onError);
-  return c.newResponse(stream.responseReadable);
-};
+}
 
 // src/server/routes/stream.ts
 function streamRoutes(db) {
   const app = new Hono2;
   app.get("/", (c) => {
-    const { project_id, level, service } = c.req.query();
+    const { project_id, level, service, last_event_id } = c.req.query();
+    const filter = {
+      project_id: project_id || undefined,
+      levels: level ? level.split(",").filter(Boolean) : undefined,
+      service: service || undefined
+    };
+    const requestedLastId = c.req.header("last-event-id") || last_event_id || null;
     return streamSSE(c, async (stream2) => {
-      let lastId = null;
-      const latest = db.prepare("SELECT id FROM logs ORDER BY timestamp DESC LIMIT 1").get();
-      lastId = latest?.id ?? null;
-      while (true) {
-        const conditions = [];
-        const params = {};
-        if (lastId) {
-          conditions.push("rowid > (SELECT rowid FROM logs WHERE id = $lastId)");
-          params.$lastId = lastId;
-        }
-        if (project_id) {
-          conditions.push("project_id = $project_id");
-          params.$project_id = project_id;
-        }
-        if (level) {
-          conditions.push("level IN (" + level.split(",").map((l, i) => `$l${i}`).join(",") + ")");
-          level.split(",").forEach((l, i) => {
-            params[`$l${i}`] = l;
+      const seen = new Set;
+      let lastId = requestedLastId;
+      if (lastId) {
+        if (!logIdExists(db, lastId)) {
+          const requestedLastId2 = lastId;
+          lastId = latestLogId(db, filter);
+          await writeOverflow(stream2, {
+            reason: "last_event_id_unknown",
+            dropped: 0,
+            last_event_id: lastId,
+            requested_last_event_id: requestedLastId2
           });
+        } else {
+          if (!hasBufferedLogEvent(lastId)) {
+            await writeOverflow(stream2, {
+              reason: "buffer_miss_sqlite_catchup",
+              dropped: 0,
+              last_event_id: lastId
+            });
+          }
+          const catchup = await writeCatchupRows(db, stream2, filter, lastId, seen);
+          if (catchup.last_id) {
+            lastId = catchup.last_id;
+          }
         }
-        if (service) {
-          conditions.push("service = $service");
-          params.$service = service;
-        }
-        const where = conditions.length ? `WHERE ${conditions.join(" AND ")}` : "";
-        const rows = db.prepare(`SELECT * FROM logs ${where} ORDER BY timestamp ASC LIMIT 50`).all(params);
-        for (const row of rows) {
-          await stream2.writeSSE({ data: JSON.stringify(row), id: row.id, event: row.level });
-          lastId = row.id;
+      } else {
+        lastId = latestLogId(db, filter);
+      }
+      const subscription = subscribeLogEvents(filter);
+      let pendingBusEvent = subscription.next();
+      try {
+        while (true) {
+          const next = await Promise.race([
+            pendingBusEvent.then((result) => ({
+              kind: "bus",
+              result
+            })),
+            sleep2(500).then(() => ({ kind: "tick" }))
+          ]);
+          if (next.kind === "tick") {
+            if (!lastId) {
+              lastId = latestLogId(db, filter);
+              continue;
+            }
+            const catchup = await writeCatchupRows(db, stream2, filter, lastId, seen);
+            if (catchup.last_id)
+              lastId = catchup.last_id;
+            continue;
+          }
+          if (next.result.done)
+            break;
+          const event = next.result.value;
+          pendingBusEvent = subscription.next();
+          if (event.kind === "overflow") {
+            await writeOverflow(stream2, event);
+            if (lastId) {
+              const catchup = await writeCatchupRows(db, stream2, filter, lastId, seen);
+              if (catchup.last_id)
+                lastId = catchup.last_id;
+            }
+            continue;
+          }
+          if (seen.has(event.id))
+            continue;
+          await writeLogRow(stream2, event.row);
+          seen.add(event.id);
+          lastId = event.id;
+          trimSeen2(seen);
         }
-        await stream2.sleep(500);
+      } finally {
+        await subscription.return?.();
       }
     });
   });
   return app;
 }
+async function writeCatchupRows(db, stream2, filter, lastId, seen) {
+  const anchor = db.prepare("SELECT rowid FROM logs WHERE id = ?").get(lastId);
+  if (!anchor)
+    return { anchor_found: false, last_id: null };
+  let cursor = anchor.rowid;
+  let lastWritten = null;
+  let total = 0;
+  while (total < 1000) {
+    const rows = queryRowsAfterRowid(db, filter, cursor, 100);
+    if (rows.length === 0)
+      break;
+    for (const row of rows) {
+      cursor = row.rowid;
+      if (seen.has(row.id))
+        continue;
+      await writeLogRow(stream2, row);
+      seen.add(row.id);
+      lastWritten = row.id;
+      total += 1;
+      trimSeen2(seen);
+    }
+    if (rows.length < 100)
+      break;
+  }
+  if (total >= 1000) {
+    await writeOverflow(stream2, {
+      reason: "sqlite_catchup_truncated",
+      dropped: 0,
+      last_event_id: lastWritten ?? lastId
+    });
+  }
+  return { anchor_found: true, last_id: lastWritten };
+}
+function latestLogId(db, filter) {
+  const { where, params } = buildWhere(filter, null);
+  const row = db.prepare(`SELECT id FROM logs ${where} ORDER BY rowid DESC LIMIT 1`).get(params);
+  return row?.id ?? null;
+}
+function logIdExists(db, id) {
+  const row = db.prepare("SELECT 1 AS found FROM logs WHERE id = ?").get(id);
+  return Boolean(row);
+}
+function queryRowsAfterRowid(db, filter, rowid, limit) {
+  const { where, params } = buildWhere(filter, rowid);
+  return db.prepare(`SELECT rowid, * FROM logs ${where} ORDER BY rowid ASC LIMIT $limit`).all({ ...params, $limit: limit });
+}
+function buildWhere(filter, afterRowid) {
+  const conditions = [];
+  const params = {};
+  if (afterRowid !== null) {
+    conditions.push("rowid > $rowid");
+    params.$rowid = afterRowid;
+  }
+  if (filter.project_id) {
+    conditions.push("project_id = $project_id");
+    params.$project_id = filter.project_id;
+  }
+  if (filter.levels && filter.levels.length > 0) {
+    const placeholders = filter.levels.map((_, index) => `$level${index}`).join(",");
+    filter.levels.forEach((level, index) => {
+      params[`$level${index}`] = level;
+    });
+    conditions.push(`level IN (${placeholders})`);
+  }
+  if (filter.service) {
+    conditions.push("service = $service");
+    params.$service = filter.service;
+  }
+  return {
+    where: conditions.length ? `WHERE ${conditions.join(" AND ")}` : "",
+    params
+  };
+}
+async function writeLogRow(stream2, row) {
+  await stream2.writeSSE({
+    data: JSON.stringify(row),
+    id: row.id,
+    event: row.level
+  });
+}
+async function writeOverflow(stream2, data) {
+  await stream2.writeSSE({
+    event: "overflow",
+    data: JSON.stringify({
+      type: "overflow",
+      reason: data.reason,
+      dropped: data.dropped,
+      last_event_id: "last_event_id" in data ? data.last_event_id : null,
+      requested_last_event_id: "requested_last_event_id" in data ? data.requested_last_event_id : null,
+      created_at: "created_at" in data ? data.created_at : new Date().toISOString()
+    })
+  });
+}
+function trimSeen2(seen) {
+  while (seen.size > 2000) {
+    const first = seen.values().next().value;
+    if (!first)
+      return;
+    seen.delete(first);
+  }
+}
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/server/routes/test-reports.ts
+function testReportsRoutes(db) {
+  const app = new Hono2;
+  app.get("/", (c) => {
+    return c.json(searchTestReports(db, queryFromRequest2(c.req.query())));
+  });
+  app.get("/:report_id", (c) => {
+    const report = getTestReport(db, c.req.param("report_id"), c.req.query("include_cases") !== "false");
+    if (!report)
+      return c.json({ error: "Test report not found" }, 404);
+    return c.json(report);
+  });
+  return app;
+}
+function queryFromRequest2(query) {
+  return {
+    report_id: query.report_id,
+    event_id: query.event_id,
+    project_id: query.project_id,
+    machine_id: query.machine_id,
+    repo_id: query.repo_id,
+    app_id: query.app_id,
+    process_id: query.process_id,
+    run_id: query.run_id,
+    environment: query.environment,
+    source: query.source,
+    parser: query.parser,
+    parse_status: query.parse_status,
+    path: query.path,
+    case_status: query.case_status,
+    outcome: testReportOutcome(query.outcome),
+    min_failures: query.min_failures ? Number(query.min_failures) : undefined,
+    min_errors: query.min_errors ? Number(query.min_errors) : undefined,
+    min_skipped: query.min_skipped ? Number(query.min_skipped) : undefined,
+    since: query.since,
+    until: query.until,
+    text: query.text,
+    include_cases: query.include_cases === "true" || query.include_cases === "1",
+    limit: query.limit ? Number(query.limit) : undefined,
+    offset: query.offset ? Number(query.offset) : undefined
+  };
+}
+function testReportOutcome(value) {
+  if (value === "failed" || value === "error" || value === "nonpassing" || value === "skipped" || value === "passed" || value === "parse_problem") {
+    return value;
+  }
+  return;
+}
 
 // src/server/index.ts
 exitIfMetadataRequest({
   name: "logs-serve",
   description: "Start the @hasna/logs REST API server.",
-  options: ["  -p, --port <n>  Port to listen on (default: LOGS_PORT or 3460)"]
+  options: [
+    "  -p, --port <n>     Port to listen on (default: LOGS_PORT or 3460)",
+    "      --token <tok>  Require this API token for /api/* requests",
+    "      --local-open   Explicitly allow trusted local loopback API requests without a token"
+  ]
 });
 var portArg = readOptionValue(["--port", "-p"]);
+var tokenArg = readOptionValue(["--token"]);
+if (tokenArg)
+  process.env.HASNA_LOGS_API_TOKEN = tokenArg;
+if (hasOption(["--local-open"]))
+  process.env.HASNA_LOGS_LOCAL_OPEN = "1";
 var PORT = Number(portArg ?? process.env.LOGS_PORT ?? 3460);
 var db = getDb();
 var app = new Hono2;
-app.use("*", cors());
+var serverDir = dirname2(fileURLToPath(import.meta.url));
+var dashboardRoot = resolveDashboardRoot();
+app.use("*", cors({
+  origin: (origin) => resolveCorsOrigin(origin),
+  allowHeaders: [
+    "Content-Type",
+    "Authorization",
+    "X-Logs-Token",
+    "X-Logs-Browser-Token",
+    "X-Logs-Write-Token"
+  ],
+  allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
+}));
 app.get("/script.js", (c) => {
   const host = `${c.req.header("x-forwarded-proto") ?? "http"}://${c.req.header("host") ?? `localhost:${PORT}`}`;
   c.header("Content-Type", "application/javascript");
   c.header("Cache-Control", "public, max-age=300");
   return c.text(getBrowserScript(host));
 });
+app.use("/api/*", requireApiTokenOrBrowserIngest(db));
 app.route("/api/logs", logsRoutes(db));
 app.route("/api/logs/stream", streamRoutes(db));
+app.route("/api/events", eventsRoutes(db));
+app.route("/api/test-reports", testReportsRoutes(db));
+app.route("/api/otel", otelRoutes(db));
 app.route("/api/projects", projectsRoutes(db));
 app.route("/api/jobs", jobsRoutes(db));
 app.route("/api/alerts", alertsRoutes(db));
@@ -2469,14 +4979,31 @@ app.route("/api/issues", issuesRoutes(db));
 app.route("/api/perf", perfRoutes(db));
 app.get("/health", (c) => c.json(getHealth(db)));
 app.get("/dashboard", (c) => c.redirect("/dashboard/"));
-app.use("/dashboard/*", serveStatic2({ root: "./dashboard/dist", rewriteRequestPath: (p) => p.replace(/^\/dashboard/, "") }));
-app.get("/", (c) => c.json({ service: "@hasna/logs", port: PORT, status: "ok", dashboard: `http://localhost:${PORT}/dashboard/` }));
+app.use("/dashboard/*", serveStatic2({
+  root: dashboardRoot,
+  rewriteRequestPath: (p) => p.replace(/^\/dashboard/, "")
+}));
+app.get("/", (c) => c.json({
+  service: "@hasna/logs",
+  port: PORT,
+  status: "ok",
+  dashboard: `http://localhost:${PORT}/dashboard/`
+}));
 startScheduler(db);
-console.log(`@hasna/logs server running on http://localhost:${PORT}`);
+var apiAuthMode = getConfiguredApiToken() ? "token" : isLocalOpenModeEnabled() ? "local-open" : "locked";
+console.log(`@hasna/logs server running on http://localhost:${PORT} (api auth: ${apiAuthMode})`);
 var server_default = {
   port: PORT,
   fetch: app.fetch
 };
+function resolveDashboardRoot() {
+  const cwdDashboardRoot = resolve(process.cwd(), "dashboard/dist");
+  const candidates = [
+    cwdDashboardRoot,
+    resolve(serverDir, "../../dashboard/dist")
+  ];
+  return candidates.find((candidate) => existsSync(candidate)) ?? cwdDashboardRoot;
+}
 export {
   server_default as default
 };