@ichibase/client 0.1.0

package/dist/index.d.cts

@@ -0,0 +1,742 @@
+/**
+ * Configuration shared by every service package. All fields are
+ * optional — when running inside an ichibase Edge Function, sane
+ * defaults are read from env (ICHIBASE_PROJECT_URL +
+ * ICHIBASE_SERVICE_KEY / ICHIBASE_ANON_KEY).
+ */
+interface IchibaseConfig {
+    /** Base URL like `https://abc.ichibase.net`. Defaults to ICHIBASE_PROJECT_URL. */
+    url?: string;
+    /** API key: ich_pub_<jwt> (anon) or ich_admin_<jwt> (service). Defaults to ICHIBASE_SERVICE_KEY then ICHIBASE_ANON_KEY. */
+    key?: string;
+    /** Optional fetch override (testing). Defaults to globalThis.fetch. */
+    fetch?: typeof fetch;
+}
+interface IchibaseError {
+    code: string;
+    detail?: string;
+    /** HTTP status. */
+    status: number;
+}
+type Result<T> = {
+    data: T;
+    error: null;
+} | {
+    data: null;
+    error: IchibaseError;
+};
+
+type Method = 'GET' | 'POST' | 'PATCH' | 'DELETE' | 'HEAD';
+interface BuilderState {
+    base: string;
+    key: string;
+    table: string;
+    fetchFn: typeof fetch;
+    /** Encoded "col=op.val" pieces. */
+    filters: string[];
+    body?: unknown;
+    method?: Method;
+    returnRepresentation?: boolean;
+    /** PostgREST "object+json" Accept — enforce exactly-one. */
+    acceptSingle?: boolean;
+    /** Return first row of an array or null; no server-side enforcement. */
+    acceptMaybeSingle?: boolean;
+    /** Return CSV text instead of JSON. */
+    acceptCsv?: boolean;
+    /** Count mode for Prefer header. Also makes the result a {rows,count}. */
+    countMode?: 'exact' | 'planned' | 'estimated';
+    /** Upsert resolution. */
+    upsertResolution?: 'merge-duplicates' | 'ignore-duplicates';
+    /** Columns for on_conflict on upsert. */
+    onConflict?: string;
+    /** HTTP Range header values (server returns 206 + Content-Range). */
+    rangeFrom?: number;
+    rangeTo?: number;
+    /** Non-public schema name (Accept-Profile / Content-Profile header). */
+    schemaName?: string;
+    /** Free-form headers the caller wants to override. */
+    extraHeaders?: Record<string, string>;
+}
+/** What `.count()` resolves to. */
+interface CountedResult<T> {
+    rows: T[];
+    count: number;
+}
+/** PostgREST filter operators usable with `not()` / `filter()` escape hatches. */
+type FilterOp = 'eq' | 'neq' | 'gt' | 'gte' | 'lt' | 'lte' | 'like' | 'ilike' | 'match' | 'imatch' | 'in' | 'is' | 'isdistinct' | 'fts' | 'plfts' | 'phfts' | 'wfts' | 'cs' | 'cd' | 'ov' | 'sl' | 'sr' | 'nxr' | 'nxl' | 'adj';
+declare class QueryBuilder<T, R = T[]> implements PromiseLike<Result<R>> {
+    private state;
+    constructor(state: BuilderState);
+    eq(col: string, val: unknown): this;
+    neq(col: string, val: unknown): this;
+    gt(col: string, val: unknown): this;
+    gte(col: string, val: unknown): this;
+    lt(col: string, val: unknown): this;
+    lte(col: string, val: unknown): this;
+    like(col: string, pattern: string): this;
+    ilike(col: string, pattern: string): this;
+    /** Full-text search (PostgreSQL @@). `mode` picks the parser. */
+    fts(col: string, query: string, opts?: {
+        config?: string;
+        type?: 'plain' | 'phrase' | 'websearch';
+    }): this;
+    in(col: string, values: unknown[]): this;
+    /** is.null, is.true, is.false, is.unknown */
+    is(col: string, val: null | boolean | 'unknown'): this;
+    /** array/jsonb `@>` — col contains the given values. */
+    contains(col: string, val: unknown): this;
+    /** `<@` — col is contained by the given values. */
+    containedBy(col: string, val: unknown): this;
+    /** `&&` — arrays/ranges overlap. */
+    overlaps(col: string, val: unknown): this;
+    /** Range strictly left of (`<<`). */
+    rangeLt(col: string, val: string): this;
+    /** Range strictly right of (`>>`). */
+    rangeGt(col: string, val: string): this;
+    /** Range does not extend to the right of (`&<`). */
+    rangeLte(col: string, val: string): this;
+    /** Range does not extend to the left of (`&>`). */
+    rangeGte(col: string, val: string): this;
+    /** Adjacent ranges (`-|-`). */
+    rangeAdjacent(col: string, val: string): this;
+    /** Negate a filter: `not(col, 'gt', 18)` → `col=not.gt.18`. */
+    not(col: string, op: FilterOp, val: unknown): this;
+    /**
+     * Logical OR. Pass a comma-separated filter string in PostgREST syntax:
+     *   .or('age.gt.18,status.eq.active')
+     *   .or('and(status.eq.paid,total.gt.100),user_id.eq.42')
+     */
+    or(filters: string): this;
+    /** Logical AND group (rarely needed — multiple chained filters are already ANDed). */
+    and(filters: string): this;
+    /** Multiple eq() in one call: `.match({ status: 'paid', user_id: 42 })`. */
+    match(query: Record<string, unknown>): this;
+    /** Escape hatch — any column/op/value combo PostgREST supports. */
+    filter(col: string, op: FilterOp, val: unknown): this;
+    order(col: string, opts?: {
+        ascending?: boolean;
+        nullsFirst?: boolean;
+    }): this;
+    limit(n: number): this;
+    offset(n: number): this;
+    /**
+     * HTTP Range pagination — `from` and `to` are inclusive 0-based.
+     * Server returns 206 + Content-Range: from-to/total.
+     * Pairs naturally with `.count()`.
+     */
+    range(from: number, to: number): this;
+    /**
+     * Pick columns and embed related resources:
+     *   .select('id, total, customer:profiles(name, email)')
+     * Defaults to '*'.
+     */
+    select(cols?: string): this;
+    /** Target a non-public schema for this call. */
+    schema(name: string): this;
+    insert(rows: Record<string, unknown> | Record<string, unknown>[]): this;
+    /**
+     * INSERT ... ON CONFLICT ... DO UPDATE / DO NOTHING.
+     *   .upsert([row1, row2], { onConflict: 'email' })
+     *   .upsert(row, { onConflict: 'id', ignoreDuplicates: true })
+     */
+    upsert(rows: Record<string, unknown> | Record<string, unknown>[], opts?: {
+        onConflict?: string;
+        ignoreDuplicates?: boolean;
+    }): this;
+    update(values: Record<string, unknown>): this;
+    delete(): this;
+    /** Mark write op to return the affected row(s). */
+    returning(): this;
+    /**
+     * Expect exactly one row — server returns 406 otherwise.
+     * After this, the result data is T (not T[]).
+     */
+    single(): QueryBuilder<T, T>;
+    /**
+     * Expect zero or one row — never errors on shape.
+     * After this, the result data is T | null.
+     */
+    maybeSingle(): QueryBuilder<T, T | null>;
+    /** Return CSV text instead of JSON rows. */
+    csv(): QueryBuilder<T, string>;
+    /**
+     * Include the total row count in the result. The resolved value
+     * becomes `{ rows: T[]; count: number }` — count is the size of
+     * the FULL result set ignoring limit/offset/range.
+     * `mode='exact'` is accurate (slow on big tables);
+     * `'planned'` uses the planner estimate;
+     * `'estimated'` uses planner then exact-counts only if small.
+     */
+    count(mode?: 'exact' | 'planned' | 'estimated'): QueryBuilder<T, CountedResult<T>>;
+    /** Add an arbitrary header to the request (e.g. `Prefer: missing=null`). */
+    setHeader(name: string, value: string): this;
+    /** HEAD request — no body returned. Pair with `.count()` to fetch just a total. */
+    head(): this;
+    then<TR1 = Result<R>, TR2 = never>(onFulfilled?: ((value: Result<R>) => TR1 | PromiseLike<TR1>) | null, onRejected?: ((reason: unknown) => TR2 | PromiseLike<TR2>) | null): PromiseLike<TR1 | TR2>;
+    private appendFilter;
+    private formatArrayOrJson;
+    private buildHeaders;
+    private execute;
+}
+declare class Postgrest {
+    private readonly url;
+    private readonly key;
+    private readonly fetchFn;
+    constructor(url: string, key: string, fetchFn: typeof fetch);
+    /** Start a query against a table or view. */
+    from<T = Record<string, unknown>>(table: string): QueryBuilder<T>;
+    /**
+     * Call a stored procedure (PostgREST RPC). Returns whatever the
+     * function returns — set the generic to type it. Pass `count:'exact'`
+     * if you want a total in the same envelope.
+     */
+    rpc<T = unknown>(fnName: string, args?: Record<string, unknown>, opts?: {
+        schema?: string;
+        count?: 'exact' | 'planned' | 'estimated';
+        head?: boolean;
+    }): Promise<Result<T>>;
+    /** Return a new Postgrest authenticated as a specific end-user (RLS applies). */
+    asUser(accessToken: string): Postgrest;
+}
+
+/** Per-collection client. */
+declare class MongoCollection {
+    private base;
+    private key;
+    private collection;
+    private fetchFn;
+    private userToken?;
+    constructor(base: string, key: string, collection: string, fetchFn: typeof fetch, userToken?: string | undefined);
+    private op;
+    private rt;
+    find(filter?: Record<string, unknown>, opts?: {
+        projection?: Record<string, 0 | 1>;
+        sort?: Record<string, 1 | -1>;
+        limit?: number;
+        skip?: number;
+    }): Promise<Result<Record<string, unknown>[]>>;
+    findOne(filter?: Record<string, unknown>): Promise<Result<Record<string, unknown> | null>>;
+    insertOne(doc: Record<string, unknown>, opts?: {
+        realtime?: boolean;
+    }): Promise<Result<{
+        insertedId: string;
+    }>>;
+    insertMany(docs: Record<string, unknown>[], opts?: {
+        realtime?: boolean;
+    }): Promise<Result<{
+        insertedIds: string[];
+    }>>;
+    updateOne(filter: Record<string, unknown>, update: Record<string, unknown>, opts?: {
+        upsert?: boolean;
+        realtime?: boolean;
+    }): Promise<Result<{
+        matched: number;
+        modified: number;
+        upsertedId?: string;
+    }>>;
+    updateMany(filter: Record<string, unknown>, update: Record<string, unknown>, opts?: {
+        realtime?: boolean;
+    }): Promise<Result<{
+        matched: number;
+        modified: number;
+    }>>;
+    deleteOne(filter: Record<string, unknown>, opts?: {
+        realtime?: boolean;
+    }): Promise<Result<{
+        deleted: number;
+    }>>;
+    deleteMany(filter: Record<string, unknown>, opts?: {
+        realtime?: boolean;
+    }): Promise<Result<{
+        deleted: number;
+    }>>;
+    count(filter?: Record<string, unknown>): Promise<Result<{
+        count: number;
+    }>>;
+    aggregate(pipeline: Record<string, unknown>[]): Promise<Result<Record<string, unknown>[]>>;
+    /**
+     * Atomic find-and-update. Returns the matched document (post-update
+     * by default; pass `returnDocument: 'before'` for the pre-update
+     * snapshot). Honours upsert; on upsert with no match the returned
+     * doc is null.
+     *
+     *   await users.findOneAndUpdate(
+     *     { _id: 1 },
+     *     { $inc: { visits: 1 } },
+     *     { returnDocument: 'after' },
+     *   );
+     */
+    findOneAndUpdate(filter: Record<string, unknown>, update: Record<string, unknown>, opts?: {
+        projection?: Record<string, 0 | 1>;
+        sort?: Record<string, 1 | -1>;
+        upsert?: boolean;
+        /** Default 'after'. Picks which snapshot of the doc to return. */
+        returnDocument?: 'before' | 'after';
+        realtime?: boolean;
+    }): Promise<Result<{
+        doc: Record<string, unknown> | null;
+    }>>;
+    /** Atomic find-and-delete. Returns the deleted document or null. */
+    findOneAndDelete(filter: Record<string, unknown>, opts?: {
+        projection?: Record<string, 0 | 1>;
+        sort?: Record<string, 1 | -1>;
+        realtime?: boolean;
+    }): Promise<Result<{
+        doc: Record<string, unknown> | null;
+    }>>;
+    /**
+     * Replace a single matched document with a full replacement.
+     * Unlike updateOne, the body is the new document — no $set / $inc.
+     * Keys starting with `$` are rejected.
+     */
+    replaceOne(filter: Record<string, unknown>, replacement: Record<string, unknown>, opts?: {
+        upsert?: boolean;
+        realtime?: boolean;
+    }): Promise<Result<{
+        matched: number;
+        modified: number;
+        upserted: number;
+        upserted_id?: unknown;
+    }>>;
+    /**
+     * Batched write — multiple ops in one HTTP round trip. Each op is
+     * one of insertOne / updateOne / updateMany / replaceOne /
+     * deleteOne / deleteMany. The whole batch shares one policy check.
+     *
+     *   await users.bulkWrite([
+     *     { op: 'insertOne', doc: { name: 'a' } },
+     *     { op: 'updateOne', filter: { _id: 1 }, update: { $set: { name: 'b' } } },
+     *     { op: 'deleteOne', filter: { _id: 2 } },
+     *   ]);
+     *
+     * Set `ordered: true` to stop on first error; default is unordered
+     * (continue past errors). Subject to your plan's mongo_max_docs cap.
+     */
+    bulkWrite(ops: BulkWriteOp[], opts?: {
+        ordered?: boolean;
+        realtime?: boolean;
+    }): Promise<Result<{
+        inserted: number;
+        matched: number;
+        modified: number;
+        deleted: number;
+        upserted: number;
+        upserted_ids: Record<string, unknown>;
+    }>>;
+    /**
+     * Distinct values of a field across docs matching filter.
+     *
+     *   await events.distinct('category', { tenant_id: 'acme' });
+     *   // → { data: { values: ['ui', 'api', 'cron'], truncated: false } }
+     */
+    distinct(field: string, filter?: Record<string, unknown>): Promise<Result<{
+        values: unknown[];
+        truncated: boolean;
+    }>>;
+}
+type BulkWriteOp = {
+    op: 'insertOne';
+    doc: Record<string, unknown>;
+} | {
+    op: 'updateOne';
+    filter: Record<string, unknown>;
+    update: Record<string, unknown>;
+    upsert?: boolean;
+} | {
+    op: 'updateMany';
+    filter: Record<string, unknown>;
+    update: Record<string, unknown>;
+    upsert?: boolean;
+} | {
+    op: 'replaceOne';
+    filter: Record<string, unknown>;
+    replacement: Record<string, unknown>;
+    upsert?: boolean;
+} | {
+    op: 'deleteOne';
+    filter: Record<string, unknown>;
+} | {
+    op: 'deleteMany';
+    filter: Record<string, unknown>;
+};
+/** Top-level mongo client. Use `.collection(name)`. */
+declare class Mongo {
+    private readonly base;
+    private readonly key;
+    private readonly fetchFn;
+    private readonly userToken?;
+    constructor(base: string, key: string, fetchFn: typeof fetch, userToken?: string | undefined);
+    /**
+     * Return a Mongo client that acts AS the signed-in end user: their JWT is
+     * sent as `Authorization: Bearer`, so your `_mongo_policy` and realtime rules
+     * see the real `$auth.uid` / role. The project key still gates anon vs
+     * service_role. Pass the access token you got from ichibase auth.
+     */
+    asUser(token: string): Mongo;
+    collection(name: string): MongoCollection;
+}
+
+interface InvokeOptions {
+    /** HTTP method. Defaults to POST. */
+    method?: string;
+    /**
+     * Request body. A string / Blob / FormData / ArrayBuffer / typed array is
+     * sent as-is; anything else is JSON-encoded (with Content-Type json).
+     */
+    body?: unknown;
+    /** Extra headers (don't set Authorization here — sign in instead). */
+    headers?: Record<string, string>;
+    /** Extra path appended after the function name, e.g. '/items/42'. */
+    path?: string;
+}
+declare class Functions {
+    private base;
+    private key;
+    private fetchFn;
+    private userToken?;
+    constructor(base: string, key: string, // project (anon) key — sent as the `apikey` header
+    fetchFn: typeof fetch, userToken?: string | undefined);
+    /** Return a Functions client that calls AS a specific end user. */
+    asUser(accessToken: string): Functions;
+    /**
+     * Invoke an Edge Function by name.
+     *
+     *   const { data, error } = await ichi.functions.invoke('hello', { body: { name: 'world' } });
+     */
+    invoke<T = unknown>(name: string, opts?: InvokeOptions): Promise<Result<T>>;
+}
+
+interface SignupResult {
+    user_id: string;
+    email: string;
+    needs_verification: boolean;
+}
+interface LoginResult {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+    user: {
+        id: string;
+        email: string;
+    };
+}
+interface RefreshResult {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+}
+interface UserProfile {
+    id: string;
+    email: string;
+    verified_at: string | null;
+}
+/** Auth client. */
+declare class Auth {
+    private base;
+    private key;
+    private fetchFn;
+    constructor(base: string, key: string, fetchFn: typeof fetch);
+    private call;
+    signup(input: {
+        email: string;
+        password: string;
+    }): Promise<Result<SignupResult>>;
+    login(input: {
+        email: string;
+        password: string;
+    }): Promise<Result<LoginResult>>;
+    refresh(refresh_token: string): Promise<Result<RefreshResult>>;
+    /** Get the user identified by the given access token (or the SDK's key if none given). */
+    getUser(accessToken?: string): Promise<Result<UserProfile>>;
+    logout(refresh_token: string, accessToken: string): Promise<Result<unknown>>;
+    logoutAll(accessToken: string): Promise<Result<unknown>>;
+    requestPasswordReset(email: string): Promise<Result<{
+        sent: boolean;
+    }>>;
+    confirmPasswordReset(token: string, new_password: string): Promise<Result<{
+        reset: boolean;
+    }>>;
+    verifyEmail(token: string): Promise<Result<{
+        verified: boolean;
+    }>>;
+    verifyEmailOtp(email: string, code: string): Promise<Result<{
+        verified: boolean;
+    }>>;
+    resendVerification(email: string): Promise<Result<{
+        sent: boolean;
+    }>>;
+    /**
+     * Update the user's metadata JSONB. **Full replacement** — to merge,
+     * read `getUser()` first and pass the merged object.
+     *
+     *   await auth.updateUser(accessToken, { metadata: { theme: 'dark', tz: 'UTC' } });
+     *
+     * Server enforces an 8 KB cap on the encoded metadata.
+     */
+    updateUser(accessToken: string, patch: {
+        metadata: Record<string, unknown>;
+    }): Promise<Result<UpdatedUser>>;
+    /**
+     * Change the user's password. Requires the current password — does
+     * NOT use a reset token (that's `confirmPasswordReset`). On success,
+     * existing access tokens KEEP working (short TTL); call `refresh()`
+     * after to mint a new pair if you want a fresh access token.
+     *
+     * Returns `{ changed: true, hint: '...' }`.
+     */
+    changePassword(accessToken: string, currentPassword: string, newPassword: string): Promise<Result<{
+        changed: boolean;
+        hint: string;
+    }>>;
+    /**
+     * List the user's active refresh-token sessions (one row per
+     * device / login). Returns up to 100, ordered by most-recently-used.
+     * Each row includes the user-agent + IP captured at login so the
+     * user can identify devices.
+     */
+    listSessions(accessToken: string): Promise<Result<{
+        sessions: SessionInfo[];
+    }>>;
+    /**
+     * Revoke a single session by its id. Idempotent — revoking a
+     * session that's already revoked returns `{ revoked: true }`.
+     * The session must belong to the bearer user (404 otherwise).
+     */
+    revokeSession(accessToken: string, sessionId: string): Promise<Result<{
+        revoked: boolean;
+    }>>;
+}
+interface UpdatedUser {
+    id: string;
+    email: string;
+    email_verified: boolean;
+    created_at: string;
+    metadata: Record<string, unknown>;
+}
+interface SessionInfo {
+    id: string;
+    user_agent: string | null;
+    ip: string | null;
+    issued_at: string;
+    last_used_at: string;
+    expires_at: string;
+}
+
+type ChangeEvent = 'INSERT' | 'UPDATE' | 'DELETE';
+type MongoChangeEvent = 'insert' | 'update' | 'delete';
+/** A row/document change frame delivered to a postgres/mongo subscriber. */
+interface ChangeMessage {
+    type: 'change';
+    event: ChangeEvent | MongoChangeEvent;
+    table?: string;
+    collection?: string;
+    /** The new row/document (absent on DELETE for some engines). */
+    record?: Record<string, unknown>;
+    /** The previous row, when the engine captures it (UPDATE/DELETE). */
+    old?: Record<string, unknown>;
+}
+/** A broadcast message on a channel. */
+interface BroadcastMessage {
+    type: 'broadcast';
+    channel: string;
+    event?: string;
+    payload: unknown;
+    /** user id of the sender (empty for anonymous). */
+    from?: string;
+}
+/** Presence snapshot / diff. */
+interface PresenceMessage {
+    type: 'presence_state' | 'presence_diff';
+    channel?: string;
+    presences?: Record<string, {
+        uid: string;
+        state?: unknown;
+    }>;
+    joins?: Record<string, {
+        uid: string;
+        state?: unknown;
+    }>;
+    leaves?: Record<string, {
+        uid: string;
+        state?: unknown;
+    }>;
+}
+type RealtimeMessage = ChangeMessage | BroadcastMessage | PresenceMessage;
+interface PostgresSubscribeOptions {
+    kind: 'postgres';
+    /** `public.orders` or just `orders` (defaults to the public schema). */
+    table: string;
+    events?: ChangeEvent[];
+    /** Optional client-side narrowing (rule grammar). */
+    filter?: unknown;
+}
+interface MongoSubscribeOptions {
+    kind: 'mongo';
+    collection: string;
+    events?: MongoChangeEvent[];
+    filter?: unknown;
+}
+interface BroadcastSubscribeOptions {
+    kind: 'broadcast';
+    channel: string;
+    /** Also track presence on this channel. */
+    presence?: boolean;
+    /** Initial presence state to publish on join. */
+    state?: Record<string, unknown>;
+}
+type SubscribeOptions = PostgresSubscribeOptions | MongoSubscribeOptions | BroadcastSubscribeOptions;
+/** Handle to one live subscription. */
+interface Subscription {
+    /** Stop this subscription. */
+    unsubscribe(): void;
+    /** Publish to the channel (broadcast subscriptions only). */
+    send(event: string, payload: unknown): void;
+    /** Update this connection's presence state (broadcast + presence only). */
+    track(state: Record<string, unknown>): void;
+}
+interface RealtimeOptions {
+    /** Base project URL, e.g. https://abc.ichibase.net. */
+    url: string;
+    /** Returns the current bearer (user access token, or the anon key). */
+    getToken: () => string | undefined;
+    /** Override the WebSocket constructor (testing / non-global envs). */
+    WebSocketImpl?: typeof WebSocket;
+}
+declare class RealtimeClient {
+    private url;
+    private getToken;
+    private WS;
+    private ws;
+    private subs;
+    private refSeq;
+    private connecting;
+    private closedByUser;
+    private reconnectAttempts;
+    private heartbeat;
+    private outbox;
+    constructor(opts: RealtimeOptions);
+    /** Subscribe to postgres/mongo changes or a broadcast channel. */
+    subscribe(opts: SubscribeOptions, handler: (msg: RealtimeMessage) => void): Subscription;
+    /** Close the socket and drop all subscriptions. */
+    disconnect(): void;
+    private isOpen;
+    private ensureConnected;
+    private scheduleReconnect;
+    private startHeartbeat;
+    private stopHeartbeat;
+    private sendSubscribe;
+    private send;
+    private onFrame;
+}
+
+interface SessionStorage {
+    getItem(key: string): string | null | Promise<string | null>;
+    setItem(key: string, value: string): void | Promise<void>;
+    removeItem(key: string): void | Promise<void>;
+}
+/** In-memory adapter (default) — session is lost on reload. */
+declare class MemoryStorage implements SessionStorage {
+    private m;
+    getItem(key: string): string | null;
+    setItem(key: string, value: string): void;
+    removeItem(key: string): void;
+}
+
+interface Session {
+    access_token: string;
+    refresh_token: string;
+    /** Epoch seconds when the access token expires (best-effort, from expires_in). */
+    expires_at?: number;
+    user?: {
+        id: string;
+        email: string;
+    };
+}
+type AuthEvent = 'SIGNED_IN' | 'SIGNED_OUT' | 'TOKEN_REFRESHED';
+interface ClientOptions {
+    /** Custom fetch (SSR, testing). Defaults to globalThis.fetch. */
+    fetch?: typeof fetch;
+    /** Where to persist the session. Browsers pass `localStorage`. */
+    storage?: SessionStorage;
+    /** Key under which the session is persisted. */
+    storageKey?: string;
+    /** WebSocket constructor for realtime (non-global envs). */
+    WebSocketImpl?: typeof WebSocket;
+}
+/** Auth surface with session management layered over the stateless Auth client. */
+declare class SessionAuth {
+    private inner;
+    private client;
+    constructor(inner: Auth, client: IchibaseClient);
+    signup(input: {
+        email: string;
+        password: string;
+    }): Promise<Result<SignupResult>>;
+    login(input: {
+        email: string;
+        password: string;
+    }): Promise<Result<LoginResult>>;
+    refresh(): Promise<Result<RefreshResult>>;
+    /** Current signed-in user (from the live access token), or null. */
+    getUser(): Promise<UserProfile | null>;
+    logout(): Promise<void>;
+    requestPasswordReset(email: string): Promise<Result<{
+        sent: boolean;
+    }>>;
+    confirmPasswordReset(token: string, newPassword: string): Promise<Result<{
+        reset: boolean;
+    }>>;
+    verifyEmail(token: string): Promise<Result<{
+        verified: boolean;
+    }>>;
+    verifyEmailOtp(email: string, code: string): Promise<Result<{
+        verified: boolean;
+    }>>;
+    resendVerification(email: string): Promise<Result<{
+        sent: boolean;
+    }>>;
+    /** Hydrate the session from the storage adapter (call once at startup for async adapters). */
+    loadSession(): Promise<Session | null>;
+    /** Set the session directly (e.g. from your own SSR cookie). */
+    setSession(session: Session | null): Promise<void>;
+}
+declare class IchibaseClient {
+    readonly url: string;
+    /** Auth surface with session management. */
+    readonly auth: SessionAuth;
+    private anonKey;
+    private fetchFn;
+    private sessionStore;
+    private storageKey;
+    private session;
+    private listeners;
+    private _realtime;
+    private wsImpl?;
+    constructor(url: string, anonKey: string, opts?: ClientOptions);
+    /** The bearer to send on data-plane calls: the user token if signed in, else the anon key. */
+    private bearer;
+    private cfg;
+    /** Start a PostgREST query against a table or view. */
+    from<T = Record<string, unknown>>(table: string): QueryBuilder<T, T[]>;
+    /** Call a Postgres stored procedure (RPC). */
+    rpc<T = unknown>(fn: string, args?: Record<string, unknown>, opts?: {
+        schema?: string;
+        count?: 'exact' | 'planned' | 'estimated';
+        head?: boolean;
+    }): Promise<Result<T>>;
+    /** Mongo data client (apikey = anon; user token attached when signed in). */
+    get mongo(): Mongo;
+    /** Invoke your deployed Edge Functions: `ichi.functions.invoke('name', { body })`. */
+    get functions(): Functions;
+    get realtime(): RealtimeClient;
+    getSession(): Session | null;
+    /** Subscribe to auth state changes. Returns an unsubscribe fn. */
+    onAuthStateChange(cb: (event: AuthEvent, session: Session | null) => void): () => void;
+    /** @internal */
+    _setSession(session: Session | null, event: AuthEvent): Promise<void>;
+    /** @internal */
+    _loadSession(): Promise<Session | null>;
+}
+declare function createClient(url: string, anonKey: string, opts?: ClientOptions): IchibaseClient;
+
+export { Auth, type AuthEvent, type BroadcastMessage, type BroadcastSubscribeOptions, type ChangeEvent, type ChangeMessage, type ClientOptions, type CountedResult, type FilterOp, Functions, IchibaseClient, type IchibaseConfig, type IchibaseError, type InvokeOptions, type LoginResult, MemoryStorage, Mongo, type MongoChangeEvent, MongoCollection, type MongoSubscribeOptions, type PostgresSubscribeOptions, Postgrest, type PresenceMessage, QueryBuilder, RealtimeClient, type RealtimeMessage, type RefreshResult, type Result, type Session, type SessionInfo, type SessionStorage, type SignupResult, type SubscribeOptions, type Subscription, type UpdatedUser, type UserProfile, createClient };