@ichibase/cli 0.1.0

package/dist/infer.js

@@ -0,0 +1,171 @@
+// Schema inference for NoSQL → Postgres migrations.
+//
+// A Mongo collection / Firestore collection is schemaless, but the user wants
+// real typed tables, not one JSONB blob. So we scan EVERY document in a
+// collection, build a per-field type profile, and emit a Postgres BundleTable
+// the existing importer can CREATE + load:
+//   - the document id (Mongo _id / Firestore docId) → `id text primary key`
+//   - each top-level field → a typed column (bigint / double precision /
+//     boolean / timestamptz / text), or `jsonb` when the field holds nested
+//     objects/arrays, or `text` when a field's scalar type is inconsistent
+//     across documents.
+//
+// Callers (mongo.ts, firebase.ts) pre-normalize source-specific values into
+// plain JS (BSON ObjectId→string, Mongo/Firestore timestamps→Date, etc.) so this
+// module only reasons about: null, boolean, number, string, Date, array, object.
+function classify(v) {
+    if (v === null || v === undefined)
+        return null;
+    if (typeof v === 'boolean')
+        return 'bool';
+    if (typeof v === 'bigint')
+        return 'int';
+    if (typeof v === 'number')
+        return Number.isInteger(v) ? 'int' : 'float';
+    if (v instanceof Date)
+        return 'date';
+    if (Array.isArray(v))
+        return 'array';
+    if (typeof v === 'string')
+        return 'string';
+    if (typeof v === 'object')
+        return 'object';
+    return 'string';
+}
+// Resolve a field's observed scalar classes to a single Postgres column type.
+// Nested objects/arrays → jsonb; an inconsistent scalar mix → text (safe).
+function resolveType(classes) {
+    if (classes.size === 0)
+        return 'text'; // field was always null/absent
+    if (classes.has('object') || classes.has('array'))
+        return 'jsonb';
+    if (classes.size === 1) {
+        if (classes.has('bool'))
+            return 'boolean';
+        if (classes.has('int'))
+            return 'bigint';
+        if (classes.has('float'))
+            return 'double precision';
+        if (classes.has('date'))
+            return 'timestamptz';
+        if (classes.has('string'))
+            return 'text';
+    }
+    // int + float together → a single numeric column.
+    if ([...classes].every((c) => c === 'int' || c === 'float'))
+        return 'double precision';
+    // any other scalar mix (e.g. string + number) → text.
+    return 'text';
+}
+function sanitizeIdent(name, used) {
+    let s = name.toLowerCase().replace(/[^a-z0-9_]/g, '_');
+    if (!/^[a-z_]/.test(s))
+        s = '_' + s;
+    s = s.slice(0, 63);
+    if (!s)
+        s = 'field';
+    let candidate = s;
+    let i = 2;
+    while (used.has(candidate)) {
+        candidate = `${s.slice(0, 60)}_${i}`;
+        i++;
+    }
+    used.add(candidate);
+    return candidate;
+}
+/** Sanitize a collection name into a Postgres table name. */
+export function sanitizeTableName(name) {
+    return sanitizeIdent(name, new Set());
+}
+// Two-pass over an in-memory collection: pass 1 here builds the type profile and
+// the table; coerceRow (below) is pass 2, called per row by the caller.
+export function inferCollection(tableName, rows) {
+    // First-seen order, union of all field names across every document.
+    const fieldOrder = [];
+    const classesByField = new Map();
+    const seenField = new Set();
+    const nullableField = new Set();
+    for (const row of rows) {
+        const keys = Object.keys(row.data);
+        const present = new Set(keys);
+        for (const k of keys) {
+            if (!classesByField.has(k)) {
+                classesByField.set(k, new Set());
+                fieldOrder.push(k);
+            }
+            const cls = classify(row.data[k]);
+            if (cls === null)
+                nullableField.add(k);
+            else
+                classesByField.get(k).add(cls);
+        }
+        // A field missing from this doc makes the column nullable.
+        for (const k of seenField)
+            if (!present.has(k))
+                nullableField.add(k);
+        for (const k of keys)
+            seenField.add(k);
+    }
+    // Fields that appeared only after other rows existed are nullable too.
+    if (rows.length) {
+        for (const k of fieldOrder) {
+            const count = rows.reduce((n, r) => n + (k in r.data ? 1 : 0), 0);
+            if (count < rows.length)
+                nullableField.add(k);
+        }
+    }
+    const usedNames = new Set();
+    const idCol = { name: 'id', type: 'text', nullable: false };
+    usedNames.add('id');
+    const columns = [{ pgName: 'id', sourceField: null, type: 'text' }];
+    const bundleColumns = [idCol];
+    for (const field of fieldOrder) {
+        const type = resolveType(classesByField.get(field) ?? new Set());
+        const pgName = sanitizeIdent(field, usedNames);
+        columns.push({ pgName, sourceField: field, type });
+        bundleColumns.push({ name: pgName, type, nullable: nullableField.has(field) || true });
+    }
+    const table = {
+        name: tableName,
+        columns: bundleColumns,
+        primary_key: ['id'],
+    };
+    return { table, columns };
+}
+function coerceValue(v, pgType) {
+    if (v === null || v === undefined)
+        return null;
+    switch (pgType) {
+        case 'jsonb':
+            return v; // importer JSON-encodes + casts ::jsonb
+        case 'boolean':
+            return Boolean(v);
+        case 'bigint':
+            return typeof v === 'bigint' ? Number(v) : typeof v === 'number' ? v : Number(v);
+        case 'double precision':
+            return typeof v === 'number' ? v : Number(v);
+        case 'timestamptz':
+            return v instanceof Date ? v.toISOString() : String(v);
+        default: // text
+            if (typeof v === 'string')
+                return v;
+            if (v instanceof Date)
+                return v.toISOString();
+            if (typeof v === 'object')
+                return JSON.stringify(v);
+            return String(v);
+    }
+}
+/** Pass 2: produce a NDJSON-ready row object keyed by Postgres column name. */
+export function coerceRow(row, inf) {
+    const out = {};
+    for (const col of inf.columns) {
+        if (col.sourceField === null) {
+            out[col.pgName] = row.id;
+        }
+        else {
+            out[col.pgName] = coerceValue(row.data[col.sourceField], col.type);
+        }
+    }
+    return out;
+}

package/dist/mongo.js

@@ -0,0 +1,157 @@
+// Extract a MongoDB / Atlas source.
+//
+//   --target mongo    (default) → native `mongodump --archive --gzip`. Highest
+//                       fidelity; the server restores it with mongorestore and
+//                       remaps namespaces onto db_<slug>. Needs mongodump on PATH.
+//   --target postgres → read every document with the driver, infer a typed
+//                       Postgres schema per collection (one table each), and emit
+//                       a Postgres-shaped bundle the existing importer consumes.
+import { spawnSync } from 'node:child_process';
+import { inferCollection, coerceRow, sanitizeTableName } from './infer.js';
+import { mapAuthRecord } from './auth-map.js';
+export async function extractMongo(conn, dbName, out, source, target, authMap) {
+    if (!dbName) {
+        throw new Error('--db <name> is required for a MongoDB/Atlas source (the source database to import)');
+    }
+    const base = target === 'postgres'
+        ? await extractMongoToPostgres(conn, dbName, out, source)
+        : await extractMongoDump(conn, dbName, out, source);
+    // Bring-your-own-users: map a chosen collection into ichibase Auth (works for
+    // both targets — auth.ndjson is imported regardless of where the data landed).
+    let users = 0;
+    if (authMap) {
+        users = await dumpMongoMappedAuth(conn, dbName, authMap, out);
+        process.stderr.write(`  • ${authMap.source} (custom auth): ${users} users\n`);
+    }
+    return { ...base, users };
+}
+async function dumpMongoMappedAuth(conn, dbName, authMap, out) {
+    const { MongoClient } = await import('mongodb');
+    const client = new MongoClient(conn);
+    await client.connect();
+    try {
+        const docs = await client.db(dbName).collection(authMap.source).find({}).toArray();
+        let n = 0;
+        for (const d of docs) {
+            const rec = mapAuthRecord(normalizeDoc(d), authMap);
+            if (rec) {
+                await out.writeJsonLine('auth.ndjson', rec);
+                n++;
+            }
+        }
+        return n;
+    }
+    finally {
+        await client.close();
+    }
+}
+// ── target=mongo: native dump ─────────────────────────────────────────────
+function extractMongoDump(conn, dbName, out, source) {
+    const archivePath = out.dataPath('mongo.archive');
+    process.stderr.write(`  • mongodump --db ${dbName} → data/mongo.archive\n`);
+    const res = spawnSync('mongodump', [`--uri=${conn}`, `--db=${dbName}`, `--archive=${archivePath}`, '--gzip'], { stdio: ['ignore', 'inherit', 'inherit'] });
+    if (res.error) {
+        throw new Error(`could not run mongodump (${res.error.message}). Install the MongoDB Database Tools: https://www.mongodb.com/docs/database-tools/`);
+    }
+    if (res.status !== 0)
+        throw new Error(`mongodump exited with code ${res.status}`);
+    return out
+        .writeManifest({
+        source_kind: source,
+        created_at: new Date().toISOString(),
+        target_flavor: 'mongo',
+        mongo_source_db: dbName,
+    })
+        .then(() => ({ db: dbName }));
+}
+// ── target=postgres: driver read + schema inference ───────────────────────
+async function extractMongoToPostgres(conn, dbName, out, source) {
+    // Imported lazily so a `--target mongo` run never needs the driver installed.
+    const { MongoClient } = await import('mongodb');
+    const client = new MongoClient(conn);
+    await client.connect();
+    try {
+        const db = client.db(dbName);
+        const collInfos = await db.listCollections({}, { nameOnly: true }).toArray();
+        const tables = [];
+        const counts = {};
+        let rowTotal = 0;
+        for (const ci of collInfos) {
+            if (ci.name.startsWith('system.'))
+                continue;
+            const docs = await db.collection(ci.name).find({}).toArray();
+            const rows = docs.map((d) => {
+                const { _id, ...rest } = d;
+                return { id: stringifyId(_id), data: normalizeDoc(rest) };
+            });
+            const tableName = sanitizeTableName(ci.name);
+            const inf = inferCollection(tableName, rows);
+            tables.push(inf.table);
+            const stream = out.ndjsonStream(`data/${tableName}.ndjson`);
+            for (const r of rows)
+                stream.write(JSON.stringify(coerceRow(r, inf)) + '\n');
+            await new Promise((res) => stream.end(res));
+            counts[tableName] = rows.length;
+            rowTotal += rows.length;
+            process.stderr.write(`  • ${ci.name} → ${tableName}: ${rows.length} rows, ${inf.table.columns.length} cols\n`);
+        }
+        await out.writeSchema({ schema: 'public', tables });
+        await out.writeManifest({
+            source_kind: source,
+            created_at: new Date().toISOString(),
+            target_flavor: 'postgres',
+            counts,
+        });
+        return { db: dbName, tables: tables.length, rows: rowTotal };
+    }
+    finally {
+        await client.close();
+    }
+}
+function stringifyId(id) {
+    const v = normalizeDoc(id);
+    if (v === null || v === undefined)
+        return '';
+    return typeof v === 'string' ? v : String(v);
+}
+// Convert BSON values (ObjectId, Long, Decimal128, Binary, …) into plain JS so
+// the inference engine only sees null/bool/number/string/Date/array/object.
+// Native Date is preserved (it carries timestamp typing).
+export function normalizeDoc(v) {
+    if (v === null || v === undefined)
+        return null;
+    if (v instanceof Date)
+        return v;
+    if (Array.isArray(v))
+        return v.map(normalizeDoc);
+    if (typeof v === 'object') {
+        const bt = v._bsontype;
+        if (bt) {
+            const anyv = v;
+            switch (bt) {
+                case 'ObjectId':
+                case 'ObjectID':
+                case 'UUID':
+                case 'Timestamp':
+                    return anyv.toString();
+                case 'Long':
+                    return typeof anyv.toNumber === 'function' ? anyv.toNumber() : Number(anyv.toString());
+                case 'Decimal128':
+                    return anyv.toString(); // keep precision as text
+                case 'Int32':
+                case 'Double':
+                    return Number(anyv.toString());
+                case 'Binary':
+                    return anyv.buffer ? Buffer.from(anyv.buffer).toString('base64') : anyv.toString();
+                default:
+                    return anyv.toString();
+            }
+        }
+        const o = {};
+        for (const k of Object.keys(v)) {
+            o[k] = normalizeDoc(v[k]);
+        }
+        return o;
+    }
+    return v;
+}

package/dist/postgres.js

@@ -0,0 +1,283 @@
+// Extract a Postgres source (generic Postgres OR Supabase) into a bundle.
+// Runs entirely on the user's machine against their own connection string.
+import pg from 'pg';
+import { mapAuthRecord } from './auth-map.js';
+const ON_DELETE = { a: 'no action', r: 'restrict', c: 'cascade', n: 'set null', d: 'set default' };
+export async function extractPostgres(conn, out, source, authMap) {
+    const client = new pg.Client({ connectionString: conn });
+    await client.connect();
+    try {
+        const tables = await introspect(client);
+        const types = await extractEnums(client);
+        const extensions = await extractExtensions(client);
+        const functions = await extractFunctions(client);
+        const schema = { schema: 'public', types, extensions, functions, tables };
+        await out.writeSchema(schema);
+        if (types.length)
+            process.stderr.write(`  • ${types.length} custom enum type(s)\n`);
+        if (extensions.length)
+            process.stderr.write(`  • ${extensions.length} extension(s): ${extensions.join(', ')}\n`);
+        if (functions.length)
+            process.stderr.write(`  • ${functions.length} function(s)\n`);
+        const policyCount = tables.reduce((n, t) => n + (t.policies?.length ?? 0), 0);
+        if (policyCount)
+            process.stderr.write(`  • ${policyCount} RLS policy(ies)\n`);
+        const triggerCount = tables.reduce((n, t) => n + (t.triggers?.length ?? 0), 0);
+        if (triggerCount)
+            process.stderr.write(`  • ${triggerCount} trigger(s)\n`);
+        const counts = {};
+        let rowTotal = 0;
+        for (const t of tables) {
+            const n = await dumpTable(client, t.name, out);
+            counts[t.name] = n;
+            rowTotal += n;
+            process.stderr.write(`  • ${t.name}: ${n} rows\n`);
+        }
+        let users = 0;
+        if (source === 'supabase') {
+            users = await dumpSupabaseAuth(client, out);
+            process.stderr.write(`  • auth.users: ${users} users\n`);
+        }
+        // Bring-your-own-users: a custom table mapped into ichibase Auth (works for
+        // generic Postgres that has no Supabase auth.users; additive for Supabase).
+        if (authMap) {
+            const mapped = await dumpMappedAuth(client, authMap, out);
+            users += mapped;
+            process.stderr.write(`  • ${authMap.source} (custom auth): ${mapped} users\n`);
+        }
+        await out.writeManifest({
+            source_kind: source,
+            created_at: new Date().toISOString(),
+            counts,
+        });
+        return { tables: tables.length, rows: rowTotal, users };
+    }
+    finally {
+        await client.end();
+    }
+}
+// Custom enum types in the public schema (Supabase's own enums live in
+// auth/storage/etc., so public ones are the user's). Recreated before tables.
+async function extractEnums(client) {
+    const r = await client.query(`SELECT t.typname AS name,
+            array_agg(e.enumlabel ORDER BY e.enumsortorder)::text[] AS values
+       FROM pg_type t
+       JOIN pg_enum e ON e.enumtypid = t.oid
+       JOIN pg_namespace n ON n.oid = t.typnamespace
+      WHERE n.nspname = 'public'
+      GROUP BY t.typname
+      ORDER BY t.typname`);
+    return r.rows.map((row) => ({ name: row.name, kind: 'enum', values: row.values }));
+}
+// Installed extensions minus the ones ichibase always provisions.
+async function extractExtensions(client) {
+    const r = await client.query(`SELECT extname FROM pg_extension
+      WHERE extname NOT IN ('plpgsql', 'pgcrypto', 'citext', 'pg_trgm')
+      ORDER BY extname`);
+    return r.rows.map((x) => x.extname);
+}
+// Full definitions of public functions/procedures (not extension-owned, not
+// aggregates/window). pg_get_functiondef emits CREATE OR REPLACE … runnable as-is.
+async function extractFunctions(client) {
+    const r = await client.query(`SELECT pg_get_functiondef(p.oid) AS def
+       FROM pg_proc p
+       JOIN pg_namespace n ON n.oid = p.pronamespace
+      WHERE n.nspname = 'public'
+        AND p.prokind IN ('f', 'p')
+        AND NOT EXISTS (SELECT 1 FROM pg_depend d WHERE d.objid = p.oid AND d.deptype = 'e')
+      ORDER BY p.proname`);
+    return r.rows.map((x) => x.def);
+}
+async function introspect(client) {
+    const tnames = await client.query(`SELECT c.relname AS name
+       FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
+      WHERE n.nspname = 'public' AND c.relkind = 'r'
+      ORDER BY c.relname`);
+    const out = [];
+    for (const { name } of tnames.rows) {
+        const rel = `public.${quote(name)}`;
+        const cols = await client.query(`SELECT a.attname AS name,
+              format_type(a.atttypid, a.atttypmod) AS type,
+              a.attnotnull AS notnull,
+              pg_get_expr(d.adbin, d.adrelid) AS default,
+              a.attidentity <> '' AS identity
+         FROM pg_attribute a
+         LEFT JOIN pg_attrdef d ON d.adrelid = a.attrelid AND d.adnum = a.attnum
+        WHERE a.attrelid = $1::regclass AND a.attnum > 0 AND NOT a.attisdropped
+        ORDER BY a.attnum`, [rel]);
+        const columns = cols.rows.map((c) => ({
+            name: c.name,
+            type: c.type,
+            nullable: !c.notnull,
+            default: c.default,
+            identity: c.identity,
+        }));
+        const pk = await client.query(`SELECT (SELECT array_agg(att.attname ORDER BY k.ord)::text[]
+                 FROM unnest(con.conkey) WITH ORDINALITY k(attnum, ord)
+                 JOIN pg_attribute att ON att.attrelid = con.conrelid AND att.attnum = k.attnum) AS cols
+         FROM pg_constraint con
+        WHERE con.conrelid = $1::regclass AND con.contype = 'p'`, [rel]);
+        const uniqs = await client.query(`SELECT (SELECT array_agg(att.attname ORDER BY k.ord)::text[]
+                 FROM unnest(con.conkey) WITH ORDINALITY k(attnum, ord)
+                 JOIN pg_attribute att ON att.attrelid = con.conrelid AND att.attnum = k.attnum) AS cols
+         FROM pg_constraint con
+        WHERE con.conrelid = $1::regclass AND con.contype = 'u'`, [rel]);
+        const fks = await client.query(`SELECT
+          (SELECT array_agg(att.attname ORDER BY k.ord)::text[]
+             FROM unnest(con.conkey) WITH ORDINALITY k(attnum, ord)
+             JOIN pg_attribute att ON att.attrelid = con.conrelid AND att.attnum = k.attnum) AS columns,
+          nsp.nspname AS ref_schema,
+          refcl.relname AS ref_table,
+          (SELECT array_agg(att.attname ORDER BY k.ord)::text[]
+             FROM unnest(con.confkey) WITH ORDINALITY k(attnum, ord)
+             JOIN pg_attribute att ON att.attrelid = con.confrelid AND att.attnum = k.attnum) AS ref_columns,
+          con.confdeltype AS on_delete
+        FROM pg_constraint con
+        JOIN pg_class refcl ON refcl.oid = con.confrelid
+        JOIN pg_namespace nsp ON nsp.oid = refcl.relnamespace
+       WHERE con.conrelid = $1::regclass AND con.contype = 'f'`, [rel]);
+        // Standalone indexes via pg_get_indexdef (covers expression/partial). Skip
+        // the PK + any index that backs a constraint (those are recreated as table
+        // constraints, so re-running their CREATE INDEX would duplicate).
+        const idx = await client.query(`SELECT i.relname AS name, pg_get_indexdef(ix.indexrelid) AS def
+         FROM pg_index ix
+         JOIN pg_class i ON i.oid = ix.indexrelid
+        WHERE ix.indrelid = $1::regclass AND NOT ix.indisprimary
+          AND NOT EXISTS (SELECT 1 FROM pg_constraint con WHERE con.conindid = ix.indexrelid)`, [rel]);
+        // User triggers (skip internal FK/constraint triggers). pg_get_triggerdef
+        // emits a runnable CREATE TRIGGER … EXECUTE FUNCTION … (the function itself
+        // is captured separately by extractFunctions).
+        const trg = await client.query(`SELECT tg.tgname AS name, pg_get_triggerdef(tg.oid) AS def
+         FROM pg_trigger tg
+        WHERE tg.tgrelid = $1::regclass AND NOT tg.tgisinternal`, [rel]);
+        // RLS policies on this table.
+        const pol = await client.query(`SELECT policyname AS name, cmd AS command, roles::text[] AS roles,
+              qual AS using, with_check AS check
+         FROM pg_policies WHERE schemaname = 'public' AND tablename = $1`, [name]);
+        const table = {
+            name,
+            columns,
+            primary_key: pk.rows[0]?.cols ?? undefined,
+            uniques: uniqs.rows.map((u) => u.cols).filter(Boolean),
+            foreign_keys: fks.rows.map((f) => ({
+                columns: f.columns,
+                ref_schema: f.ref_schema,
+                ref_table: f.ref_table,
+                ref_columns: f.ref_columns,
+                on_delete: ON_DELETE[f.on_delete] ?? 'no action',
+            })),
+            indexes: idx.rows.map((i) => ({ name: i.name, def: i.def })),
+            policies: pol.rows.map((p) => ({
+                name: p.name,
+                command: p.command,
+                roles: p.roles,
+                using: p.using ?? undefined,
+                check: p.check ?? undefined,
+            })),
+            triggers: trg.rows.map((t) => ({ name: t.name, def: t.def })),
+        };
+        out.push(table);
+    }
+    return out;
+}
+// Stream a table's rows to data/<table>.ndjson via a server-side cursor, writing
+// row_to_json()::text verbatim (no client-side JSON.parse → full fidelity).
+async function dumpTable(client, table, out) {
+    const stream = out.ndjsonStream(`data/${table}.ndjson`);
+    let n = 0;
+    await client.query('BEGIN');
+    try {
+        await client.query(`DECLARE ich_cur NO SCROLL CURSOR FOR SELECT row_to_json(t)::text AS j FROM public.${quote(table)} t`);
+        for (;;) {
+            const batch = await client.query('FETCH 1000 FROM ich_cur');
+            if (batch.rowCount === 0)
+                break;
+            for (const r of batch.rows) {
+                stream.write(r.j + '\n');
+                n++;
+            }
+        }
+        await client.query('CLOSE ich_cur');
+        await client.query('COMMIT');
+    }
+    catch (e) {
+        await client.query('ROLLBACK').catch(() => { });
+        throw e;
+    }
+    finally {
+        await new Promise((res) => stream.end(res));
+    }
+    return n;
+}
+// Supabase auth.users → auth.ndjson. encrypted_password is bcrypt → passed
+// verbatim (the server stores it tagged and login lazily re-hashes to Argon2id).
+// Original user UUIDs are preserved so migrated data FKs to auth.users stay valid.
+async function dumpSupabaseAuth(client, out) {
+    // OAuth identities (provider + provider uid), grouped by user. Best-effort —
+    // the table/columns vary across Supabase versions.
+    const idByUser = new Map();
+    try {
+        const ids = await client.query(`SELECT user_id::text, provider, COALESCE(provider_id, id::text) AS provider_uid FROM auth.identities`);
+        for (const r of ids.rows) {
+            const list = idByUser.get(r.user_id) ?? [];
+            list.push({ provider: r.provider, provider_uid: r.provider_uid });
+            idByUser.set(r.user_id, list);
+        }
+    }
+    catch {
+        /* no identities table / different shape — skip OAuth links */
+    }
+    const users = await client.query(`SELECT id::text,
+            email::text,
+            encrypted_password AS password_hash,
+            (email_confirmed_at IS NOT NULL) AS email_verified,
+            COALESCE(raw_user_meta_data, '{}'::jsonb)::text AS metadata,
+            created_at
+       FROM auth.users
+      WHERE email IS NOT NULL`);
+    let n = 0;
+    for (const u of users.rows) {
+        let metadata = {};
+        try {
+            metadata = JSON.parse(u.metadata);
+        }
+        catch {
+            metadata = {};
+        }
+        await out.writeJsonLine('auth.ndjson', {
+            id: u.id,
+            email: u.email,
+            password_hash: u.password_hash || null,
+            email_verified: u.email_verified,
+            metadata,
+            created_at: u.created_at,
+            oauth: idByUser.get(u.id) ?? [],
+        });
+        n++;
+    }
+    return n;
+}
+// Bring-your-own-users from a custom Postgres table. row_to_json gives plain JS
+// objects the shared mapper turns into auth records (id/email/hash/verified/…).
+async function dumpMappedAuth(client, authMap, out) {
+    const res = await client.query(`SELECT row_to_json(t) AS j FROM ${quoteRel(authMap.source)} t`);
+    let n = 0;
+    for (const row of res.rows) {
+        const rec = mapAuthRecord(row.j, authMap);
+        if (rec) {
+            await out.writeJsonLine('auth.ndjson', rec);
+            n++;
+        }
+    }
+    return n;
+}
+function quote(ident) {
+    return '"' + ident.replace(/"/g, '""') + '"';
+}
+// Quote a possibly schema-qualified relation ("schema.table" or "table").
+function quoteRel(rel) {
+    return rel
+        .split('.')
+        .map((p) => quote(p))
+        .join('.');
+}