@ichibase/client 0.1.0

package/dist/index.js

@@ -0,0 +1,1066 @@
+// src/core.ts
+function urlJoin(base, path) {
+  return base.replace(/\/$/, "") + (path.startsWith("/") ? path : "/" + path);
+}
+async function parseBody(res) {
+  const text = await res.text();
+  if (!text) return null;
+  try {
+    return JSON.parse(text);
+  } catch {
+    return text;
+  }
+}
+async function asResult(res) {
+  if (res.ok) {
+    return { data: await parseBody(res), error: null };
+  }
+  const body = await parseBody(res);
+  return {
+    data: null,
+    error: {
+      code: body?.code ?? `http_${res.status}`,
+      detail: body?.detail ?? body?.message ?? `HTTP ${res.status}`,
+      status: res.status
+    }
+  };
+}
+
+// src/postgrest.ts
+var QueryBuilder = class {
+  // deno-lint-ignore no-explicit-any
+  constructor(state) {
+    this.state = state;
+  }
+  // ── Eq family ─────────────────────────────────────────────────────
+  eq(col, val) {
+    return this.appendFilter(col, "eq", val);
+  }
+  neq(col, val) {
+    return this.appendFilter(col, "neq", val);
+  }
+  gt(col, val) {
+    return this.appendFilter(col, "gt", val);
+  }
+  gte(col, val) {
+    return this.appendFilter(col, "gte", val);
+  }
+  lt(col, val) {
+    return this.appendFilter(col, "lt", val);
+  }
+  lte(col, val) {
+    return this.appendFilter(col, "lte", val);
+  }
+  // ── Pattern / text search ─────────────────────────────────────────
+  like(col, pattern) {
+    return this.appendFilter(col, "like", pattern);
+  }
+  ilike(col, pattern) {
+    return this.appendFilter(col, "ilike", pattern);
+  }
+  /** Full-text search (PostgreSQL @@). `mode` picks the parser. */
+  fts(col, query, opts = {}) {
+    const op = opts.type === "phrase" ? "phfts" : opts.type === "websearch" ? "wfts" : "plfts";
+    const cfg = opts.config ? `(${opts.config})` : "";
+    this.state.filters.push(`${col}=${op}${cfg}.${encodeURIComponent(query)}`);
+    return this;
+  }
+  // ── Membership / null / boolean ───────────────────────────────────
+  in(col, values) {
+    this.state.filters.push(
+      `${col}=in.(${values.map((v) => encodeURIComponent(String(v))).join(",")})`
+    );
+    return this;
+  }
+  /** is.null, is.true, is.false, is.unknown */
+  is(col, val) {
+    const v = val === null ? "null" : val === "unknown" ? "unknown" : String(val);
+    this.state.filters.push(`${col}=is.${v}`);
+    return this;
+  }
+  // ── Array / range operators ───────────────────────────────────────
+  /** array/jsonb `@>` — col contains the given values. */
+  contains(col, val) {
+    return this.appendFilter(col, "cs", this.formatArrayOrJson(val));
+  }
+  /** `<@` — col is contained by the given values. */
+  containedBy(col, val) {
+    return this.appendFilter(col, "cd", this.formatArrayOrJson(val));
+  }
+  /** `&&` — arrays/ranges overlap. */
+  overlaps(col, val) {
+    return this.appendFilter(col, "ov", this.formatArrayOrJson(val));
+  }
+  /** Range strictly left of (`<<`). */
+  rangeLt(col, val) {
+    return this.appendFilter(col, "sl", val);
+  }
+  /** Range strictly right of (`>>`). */
+  rangeGt(col, val) {
+    return this.appendFilter(col, "sr", val);
+  }
+  /** Range does not extend to the right of (`&<`). */
+  rangeLte(col, val) {
+    return this.appendFilter(col, "nxr", val);
+  }
+  /** Range does not extend to the left of (`&>`). */
+  rangeGte(col, val) {
+    return this.appendFilter(col, "nxl", val);
+  }
+  /** Adjacent ranges (`-|-`). */
+  rangeAdjacent(col, val) {
+    return this.appendFilter(col, "adj", val);
+  }
+  // ── Logical / negation ────────────────────────────────────────────
+  /** Negate a filter: `not(col, 'gt', 18)` → `col=not.gt.18`. */
+  not(col, op, val) {
+    this.state.filters.push(`${col}=not.${op}.${encodeURIComponent(String(val))}`);
+    return this;
+  }
+  /**
+   * Logical OR. Pass a comma-separated filter string in PostgREST syntax:
+   *   .or('age.gt.18,status.eq.active')
+   *   .or('and(status.eq.paid,total.gt.100),user_id.eq.42')
+   */
+  or(filters) {
+    this.state.filters.push(`or=(${encodeURIComponent(filters)})`);
+    return this;
+  }
+  /** Logical AND group (rarely needed — multiple chained filters are already ANDed). */
+  and(filters) {
+    this.state.filters.push(`and=(${encodeURIComponent(filters)})`);
+    return this;
+  }
+  /** Multiple eq() in one call: `.match({ status: 'paid', user_id: 42 })`. */
+  match(query) {
+    for (const [k, v] of Object.entries(query)) this.eq(k, v);
+    return this;
+  }
+  /** Escape hatch — any column/op/value combo PostgREST supports. */
+  filter(col, op, val) {
+    return this.appendFilter(col, op, val);
+  }
+  // ── Ordering & paging ─────────────────────────────────────────────
+  order(col, opts = {}) {
+    const dir = opts.ascending === false ? "desc" : "asc";
+    const nulls = opts.nullsFirst === true ? ".nullsfirst" : opts.nullsFirst === false ? ".nullslast" : "";
+    this.state.filters.push(`order=${encodeURIComponent(col + "." + dir + nulls)}`);
+    return this;
+  }
+  limit(n) {
+    this.state.filters.push(`limit=${n}`);
+    return this;
+  }
+  offset(n) {
+    this.state.filters.push(`offset=${n}`);
+    return this;
+  }
+  /**
+   * HTTP Range pagination — `from` and `to` are inclusive 0-based.
+   * Server returns 206 + Content-Range: from-to/total.
+   * Pairs naturally with `.count()`.
+   */
+  range(from, to) {
+    this.state.rangeFrom = from;
+    this.state.rangeTo = to;
+    return this;
+  }
+  // ── Column projection & embeds ────────────────────────────────────
+  /**
+   * Pick columns and embed related resources:
+   *   .select('id, total, customer:profiles(name, email)')
+   * Defaults to '*'.
+   */
+  select(cols = "*") {
+    this.state.method = this.state.method ?? "GET";
+    this.state.filters.push(`select=${encodeURIComponent(cols)}`);
+    return this;
+  }
+  // ── Schema (for non-public) ───────────────────────────────────────
+  /** Target a non-public schema for this call. */
+  schema(name) {
+    this.state.schemaName = name;
+    return this;
+  }
+  // ── Write ops ─────────────────────────────────────────────────────
+  insert(rows) {
+    this.state.method = "POST";
+    this.state.body = Array.isArray(rows) ? rows : [rows];
+    return this;
+  }
+  /**
+   * INSERT ... ON CONFLICT ... DO UPDATE / DO NOTHING.
+   *   .upsert([row1, row2], { onConflict: 'email' })
+   *   .upsert(row, { onConflict: 'id', ignoreDuplicates: true })
+   */
+  upsert(rows, opts = {}) {
+    this.state.method = "POST";
+    this.state.body = Array.isArray(rows) ? rows : [rows];
+    this.state.upsertResolution = opts.ignoreDuplicates ? "ignore-duplicates" : "merge-duplicates";
+    if (opts.onConflict) this.state.onConflict = opts.onConflict;
+    return this;
+  }
+  update(values) {
+    this.state.method = "PATCH";
+    this.state.body = values;
+    return this;
+  }
+  delete() {
+    this.state.method = "DELETE";
+    return this;
+  }
+  /** Mark write op to return the affected row(s). */
+  returning() {
+    this.state.returnRepresentation = true;
+    return this;
+  }
+  // ── Shape modifiers (re-type the resolved value) ──────────────────
+  /**
+   * Expect exactly one row — server returns 406 otherwise.
+   * After this, the result data is T (not T[]).
+   */
+  single() {
+    this.state.acceptSingle = true;
+    return this;
+  }
+  /**
+   * Expect zero or one row — never errors on shape.
+   * After this, the result data is T | null.
+   */
+  maybeSingle() {
+    this.state.acceptMaybeSingle = true;
+    this.state.filters.push("limit=1");
+    return this;
+  }
+  /** Return CSV text instead of JSON rows. */
+  csv() {
+    this.state.acceptCsv = true;
+    return this;
+  }
+  /**
+   * Include the total row count in the result. The resolved value
+   * becomes `{ rows: T[]; count: number }` — count is the size of
+   * the FULL result set ignoring limit/offset/range.
+   * `mode='exact'` is accurate (slow on big tables);
+   * `'planned'` uses the planner estimate;
+   * `'estimated'` uses planner then exact-counts only if small.
+   */
+  count(mode = "exact") {
+    this.state.countMode = mode;
+    return this;
+  }
+  // ── Misc ──────────────────────────────────────────────────────────
+  /** Add an arbitrary header to the request (e.g. `Prefer: missing=null`). */
+  setHeader(name, value) {
+    this.state.extraHeaders = { ...this.state.extraHeaders ?? {}, [name]: value };
+    return this;
+  }
+  /** HEAD request — no body returned. Pair with `.count()` to fetch just a total. */
+  head() {
+    this.state.method = "HEAD";
+    return this;
+  }
+  // ── Thenable ──────────────────────────────────────────────────────
+  then(onFulfilled, onRejected) {
+    return this.execute().then(onFulfilled, onRejected);
+  }
+  // ── Internals ─────────────────────────────────────────────────────
+  appendFilter(col, op, val) {
+    this.state.filters.push(`${col}=${op}.${encodeURIComponent(String(val))}`);
+    return this;
+  }
+  formatArrayOrJson(val) {
+    if (Array.isArray(val)) return `{${val.map((v) => String(v)).join(",")}}`;
+    if (typeof val === "object" && val !== null) return JSON.stringify(val);
+    return String(val);
+  }
+  buildHeaders() {
+    const h = { "Authorization": `Bearer ${this.state.key}` };
+    if (this.state.body !== void 0) h["Content-Type"] = "application/json";
+    if (this.state.acceptSingle) h["Accept"] = "application/vnd.pgrst.object+json";
+    else if (this.state.acceptCsv) h["Accept"] = "text/csv";
+    const prefer = [];
+    if (this.state.returnRepresentation) prefer.push("return=representation");
+    if (this.state.countMode) prefer.push(`count=${this.state.countMode}`);
+    if (this.state.upsertResolution) prefer.push(`resolution=${this.state.upsertResolution}`);
+    if (prefer.length) h["Prefer"] = prefer.join(",");
+    if (this.state.rangeFrom !== void 0 && this.state.rangeTo !== void 0) {
+      h["Range"] = `${this.state.rangeFrom}-${this.state.rangeTo}`;
+      h["Range-Unit"] = "items";
+    }
+    if (this.state.schemaName) {
+      const m = this.state.method ?? "GET";
+      if (m === "GET" || m === "HEAD") h["Accept-Profile"] = this.state.schemaName;
+      else h["Content-Profile"] = this.state.schemaName;
+    }
+    if (this.state.extraHeaders) Object.assign(h, this.state.extraHeaders);
+    return h;
+  }
+  async execute() {
+    const method = this.state.method ?? "GET";
+    const filters = [...this.state.filters];
+    if (this.state.onConflict) filters.push(`on_conflict=${encodeURIComponent(this.state.onConflict)}`);
+    const qs = filters.length ? "?" + filters.join("&") : "";
+    const url = urlJoin(this.state.base, `/postgres/${this.state.table}${qs}`);
+    const headers = this.buildHeaders();
+    const res = await this.state.fetchFn(url, {
+      method,
+      headers,
+      body: this.state.body !== void 0 ? JSON.stringify(this.state.body) : void 0
+    });
+    if (this.state.acceptCsv) {
+      if (!res.ok) return await asResult(res);
+      return { data: await res.text(), error: null };
+    }
+    if (this.state.countMode) {
+      const contentRange = res.headers.get("Content-Range");
+      const total = contentRange?.split("/")[1];
+      const count = total && total !== "*" ? parseInt(total, 10) : 0;
+      if (method === "HEAD") {
+        if (!res.ok) return await asResult(res);
+        return { data: { rows: [], count }, error: null };
+      }
+      const inner = await asResult(res);
+      if (inner.error) return inner;
+      return { data: { rows: inner.data, count }, error: null };
+    }
+    if (this.state.acceptMaybeSingle) {
+      if (!res.ok) return await asResult(res);
+      const body = await parseBody(res);
+      if (Array.isArray(body)) {
+        return { data: body[0] ?? null, error: null };
+      }
+      return { data: body ?? null, error: null };
+    }
+    return await asResult(res);
+  }
+};
+var Postgrest = class _Postgrest {
+  constructor(url, key, fetchFn) {
+    this.url = url;
+    this.key = key;
+    this.fetchFn = fetchFn;
+  }
+  /** Start a query against a table or view. */
+  from(table) {
+    return new QueryBuilder({
+      base: this.url,
+      key: this.key,
+      table,
+      fetchFn: this.fetchFn,
+      filters: []
+    });
+  }
+  /**
+   * Call a stored procedure (PostgREST RPC). Returns whatever the
+   * function returns — set the generic to type it. Pass `count:'exact'`
+   * if you want a total in the same envelope.
+   */
+  async rpc(fnName, args = {}, opts = {}) {
+    const url = urlJoin(this.url, `/postgres/rpc/${fnName}`);
+    const headers = {
+      "Authorization": `Bearer ${this.key}`,
+      "Content-Type": "application/json"
+    };
+    const prefer = [];
+    if (opts.count) prefer.push(`count=${opts.count}`);
+    if (prefer.length) headers["Prefer"] = prefer.join(",");
+    if (opts.schema) headers["Content-Profile"] = opts.schema;
+    const res = await this.fetchFn(url, {
+      method: opts.head ? "HEAD" : "POST",
+      headers,
+      body: opts.head ? void 0 : JSON.stringify(args)
+    });
+    return await asResult(res);
+  }
+  /** Return a new Postgrest authenticated as a specific end-user (RLS applies). */
+  asUser(accessToken) {
+    return new _Postgrest(this.url, accessToken, this.fetchFn);
+  }
+};
+
+// src/mongo.ts
+var MongoCollection = class {
+  constructor(base, key, collection, fetchFn, userToken) {
+    this.base = base;
+    this.key = key;
+    this.collection = collection;
+    this.fetchFn = fetchFn;
+    this.userToken = userToken;
+  }
+  async op(op, body, query) {
+    let url = urlJoin(this.base, `/mongo/v1/${op}/${this.collection}`);
+    if (query) {
+      const qs = new URLSearchParams(query).toString();
+      if (qs) url += (url.includes("?") ? "&" : "?") + qs;
+    }
+    const headers = {
+      "apikey": this.key,
+      "Content-Type": "application/json"
+    };
+    if (this.userToken) headers["Authorization"] = `Bearer ${this.userToken}`;
+    const res = await this.fetchFn(url, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body)
+    });
+    return asResult(res);
+  }
+  // Build the realtime query suffix for a write. `realtime: false` tells the
+  // gateway to skip the realtime emit for THIS write (honoured only for
+  // service_role / admin keys server-side). undefined/true emits as normal.
+  rt(realtime) {
+    return realtime === false ? { realtime: "false" } : void 0;
+  }
+  find(filter = {}, opts = {}) {
+    return this.op("find", { filter, ...opts });
+  }
+  findOne(filter = {}) {
+    return this.op("findOne", { filter });
+  }
+  insertOne(doc, opts = {}) {
+    return this.op("insertOne", { doc }, this.rt(opts.realtime));
+  }
+  insertMany(docs, opts = {}) {
+    return this.op("insertMany", { docs }, this.rt(opts.realtime));
+  }
+  updateOne(filter, update, opts = {}) {
+    const { realtime, ...rest } = opts;
+    return this.op(
+      "updateOne",
+      { filter, update, ...rest },
+      this.rt(realtime)
+    );
+  }
+  updateMany(filter, update, opts = {}) {
+    return this.op(
+      "updateMany",
+      { filter, update },
+      this.rt(opts.realtime)
+    );
+  }
+  deleteOne(filter, opts = {}) {
+    return this.op("deleteOne", { filter }, this.rt(opts.realtime));
+  }
+  deleteMany(filter, opts = {}) {
+    return this.op("deleteMany", { filter }, this.rt(opts.realtime));
+  }
+  count(filter = {}) {
+    return this.op("count", { filter });
+  }
+  aggregate(pipeline) {
+    return this.op("aggregate", { pipeline });
+  }
+  // ── Phase 2 (v0.3.x) operations ────────────────────────────────
+  /**
+   * Atomic find-and-update. Returns the matched document (post-update
+   * by default; pass `returnDocument: 'before'` for the pre-update
+   * snapshot). Honours upsert; on upsert with no match the returned
+   * doc is null.
+   *
+   *   await users.findOneAndUpdate(
+   *     { _id: 1 },
+   *     { $inc: { visits: 1 } },
+   *     { returnDocument: 'after' },
+   *   );
+   */
+  findOneAndUpdate(filter, update, opts = {}) {
+    return this.op("findOneAndUpdate", {
+      filter,
+      update,
+      ...opts.projection ? { projection: opts.projection } : {},
+      ...opts.sort ? { sort: opts.sort } : {},
+      ...opts.upsert !== void 0 ? { upsert: opts.upsert } : {},
+      ...opts.returnDocument ? { return_document: opts.returnDocument } : {}
+    }, this.rt(opts.realtime));
+  }
+  /** Atomic find-and-delete. Returns the deleted document or null. */
+  findOneAndDelete(filter, opts = {}) {
+    return this.op("findOneAndDelete", {
+      filter,
+      ...opts.projection ? { projection: opts.projection } : {},
+      ...opts.sort ? { sort: opts.sort } : {}
+    }, this.rt(opts.realtime));
+  }
+  /**
+   * Replace a single matched document with a full replacement.
+   * Unlike updateOne, the body is the new document — no $set / $inc.
+   * Keys starting with `$` are rejected.
+   */
+  replaceOne(filter, replacement, opts = {}) {
+    return this.op(
+      "replaceOne",
+      { filter, replacement, ...opts.upsert !== void 0 ? { upsert: opts.upsert } : {} },
+      this.rt(opts.realtime)
+    );
+  }
+  /**
+   * Batched write — multiple ops in one HTTP round trip. Each op is
+   * one of insertOne / updateOne / updateMany / replaceOne /
+   * deleteOne / deleteMany. The whole batch shares one policy check.
+   *
+   *   await users.bulkWrite([
+   *     { op: 'insertOne', doc: { name: 'a' } },
+   *     { op: 'updateOne', filter: { _id: 1 }, update: { $set: { name: 'b' } } },
+   *     { op: 'deleteOne', filter: { _id: 2 } },
+   *   ]);
+   *
+   * Set `ordered: true` to stop on first error; default is unordered
+   * (continue past errors). Subject to your plan's mongo_max_docs cap.
+   */
+  bulkWrite(ops, opts = {}) {
+    return this.op("bulkWrite", {
+      ops,
+      ...opts.ordered !== void 0 ? { ordered: opts.ordered } : {}
+    }, this.rt(opts.realtime));
+  }
+  /**
+   * Distinct values of a field across docs matching filter.
+   *
+   *   await events.distinct('category', { tenant_id: 'acme' });
+   *   // → { data: { values: ['ui', 'api', 'cron'], truncated: false } }
+   */
+  distinct(field, filter = {}) {
+    return this.op("distinct", { field, filter });
+  }
+};
+var Mongo = class _Mongo {
+  constructor(base, key, fetchFn, userToken) {
+    this.base = base;
+    this.key = key;
+    this.fetchFn = fetchFn;
+    this.userToken = userToken;
+  }
+  /**
+   * Return a Mongo client that acts AS the signed-in end user: their JWT is
+   * sent as `Authorization: Bearer`, so your `_mongo_policy` and realtime rules
+   * see the real `$auth.uid` / role. The project key still gates anon vs
+   * service_role. Pass the access token you got from ichibase auth.
+   */
+  asUser(token) {
+    return new _Mongo(this.base, this.key, this.fetchFn, token);
+  }
+  collection(name) {
+    return new MongoCollection(this.base, this.key, name, this.fetchFn, this.userToken);
+  }
+};
+
+// src/functions.ts
+var Functions = class _Functions {
+  constructor(base, key, fetchFn, userToken) {
+    this.base = base;
+    this.key = key;
+    this.fetchFn = fetchFn;
+    this.userToken = userToken;
+  }
+  /** Return a Functions client that calls AS a specific end user. */
+  asUser(accessToken) {
+    return new _Functions(this.base, this.key, this.fetchFn, accessToken);
+  }
+  /**
+   * Invoke an Edge Function by name.
+   *
+   *   const { data, error } = await ichi.functions.invoke('hello', { body: { name: 'world' } });
+   */
+  async invoke(name, opts = {}) {
+    const url = urlJoin(this.base, `/functions/${name}${opts.path ?? ""}`);
+    const headers = { apikey: this.key, ...opts.headers };
+    if (this.userToken) headers["Authorization"] = `Bearer ${this.userToken}`;
+    let body;
+    const b = opts.body;
+    if (b !== void 0) {
+      const isRaw = typeof b === "string" || b instanceof ArrayBuffer || ArrayBuffer.isView(b) || typeof Blob !== "undefined" && b instanceof Blob || typeof FormData !== "undefined" && b instanceof FormData;
+      if (isRaw) {
+        body = b;
+      } else {
+        body = JSON.stringify(b);
+        if (!("Content-Type" in headers)) headers["Content-Type"] = "application/json";
+      }
+    }
+    const res = await this.fetchFn(url, {
+      method: opts.method ?? "POST",
+      headers,
+      body
+    });
+    return asResult(res);
+  }
+};
+
+// src/auth.ts
+var Auth = class {
+  constructor(base, key, fetchFn) {
+    this.base = base;
+    this.key = key;
+    this.fetchFn = fetchFn;
+  }
+  call(path, opts = {}) {
+    const headers = {
+      "Authorization": `Bearer ${opts.auth ?? this.key}`
+    };
+    if (opts.body !== void 0) headers["Content-Type"] = "application/json";
+    return this.fetchFn(urlJoin(this.base, `/auth${path}`), {
+      method: opts.method ?? "POST",
+      headers,
+      body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0
+    }).then((res) => asResult(res));
+  }
+  signup(input) {
+    return this.call("/signup", { body: input });
+  }
+  login(input) {
+    return this.call("/login", { body: input });
+  }
+  refresh(refresh_token) {
+    return this.call("/refresh", { body: { refresh_token } });
+  }
+  /** Get the user identified by the given access token (or the SDK's key if none given). */
+  getUser(accessToken) {
+    return this.call("/me", { method: "GET", auth: accessToken });
+  }
+  logout(refresh_token, accessToken) {
+    return this.call("/logout", { body: { refresh_token }, auth: accessToken });
+  }
+  logoutAll(accessToken) {
+    return this.call("/logout-all", { auth: accessToken });
+  }
+  requestPasswordReset(email) {
+    return this.call("/password-reset/request", { body: { email } });
+  }
+  confirmPasswordReset(token, new_password) {
+    return this.call("/password-reset/confirm", {
+      body: { token, new_password }
+    });
+  }
+  verifyEmail(token) {
+    return this.call("/verify-email", { body: { token } });
+  }
+  verifyEmailOtp(email, code) {
+    return this.call("/verify-email/otp", { body: { email, code } });
+  }
+  resendVerification(email) {
+    return this.call("/verify-email/resend", { body: { email } });
+  }
+  // ── Phase 2 (v0.3.x) — bearer-authed profile + session mgmt ──────
+  /**
+   * Update the user's metadata JSONB. **Full replacement** — to merge,
+   * read `getUser()` first and pass the merged object.
+   *
+   *   await auth.updateUser(accessToken, { metadata: { theme: 'dark', tz: 'UTC' } });
+   *
+   * Server enforces an 8 KB cap on the encoded metadata.
+   */
+  updateUser(accessToken, patch) {
+    return this.call("/me", {
+      method: "PATCH",
+      body: { metadata: patch.metadata },
+      auth: accessToken
+    });
+  }
+  /**
+   * Change the user's password. Requires the current password — does
+   * NOT use a reset token (that's `confirmPasswordReset`). On success,
+   * existing access tokens KEEP working (short TTL); call `refresh()`
+   * after to mint a new pair if you want a fresh access token.
+   *
+   * Returns `{ changed: true, hint: '...' }`.
+   */
+  changePassword(accessToken, currentPassword, newPassword) {
+    return this.call("/change-password", {
+      body: { current_password: currentPassword, new_password: newPassword },
+      auth: accessToken
+    });
+  }
+  /**
+   * List the user's active refresh-token sessions (one row per
+   * device / login). Returns up to 100, ordered by most-recently-used.
+   * Each row includes the user-agent + IP captured at login so the
+   * user can identify devices.
+   */
+  listSessions(accessToken) {
+    return this.call("/sessions", {
+      method: "GET",
+      auth: accessToken
+    });
+  }
+  /**
+   * Revoke a single session by its id. Idempotent — revoking a
+   * session that's already revoked returns `{ revoked: true }`.
+   * The session must belong to the bearer user (404 otherwise).
+   */
+  revokeSession(accessToken, sessionId) {
+    return this.call(`/sessions/${encodeURIComponent(sessionId)}/revoke`, {
+      auth: accessToken
+    });
+  }
+};
+
+// src/realtime.ts
+var HEARTBEAT_MS = 25e3;
+var RECONNECT_BASE_MS = 1e3;
+var RECONNECT_MAX_MS = 15e3;
+var RealtimeClient = class {
+  constructor(opts) {
+    this.ws = null;
+    this.subs = /* @__PURE__ */ new Map();
+    this.refSeq = 0;
+    this.connecting = false;
+    this.closedByUser = false;
+    this.reconnectAttempts = 0;
+    this.heartbeat = null;
+    this.outbox = [];
+    this.url = opts.url.replace(/\/$/, "");
+    this.getToken = opts.getToken;
+    const impl = opts.WebSocketImpl ?? globalThis.WebSocket;
+    if (!impl) {
+      throw new Error("ichibase realtime: no global WebSocket \u2014 pass opts.WebSocketImpl");
+    }
+    this.WS = impl;
+  }
+  /** Subscribe to postgres/mongo changes or a broadcast channel. */
+  subscribe(opts, handler) {
+    const ref = `s${++this.refSeq}`;
+    this.subs.set(ref, { ref, opts, handler });
+    this.ensureConnected();
+    if (this.isOpen()) this.sendSubscribe(ref);
+    return {
+      unsubscribe: () => {
+        this.subs.delete(ref);
+        if (this.isOpen()) this.send({ type: "unsubscribe", ref });
+        if (this.subs.size === 0) this.disconnect();
+      },
+      send: (event, payload) => {
+        if (opts.kind !== "broadcast") throw new Error("send() is broadcast-only");
+        this.send({ type: "broadcast", channel: opts.channel, event, payload });
+      },
+      track: (state) => {
+        if (opts.kind !== "broadcast") throw new Error("track() is broadcast-only");
+        this.send({ type: "presence", channel: opts.channel, state });
+      }
+    };
+  }
+  /** Close the socket and drop all subscriptions. */
+  disconnect() {
+    this.closedByUser = true;
+    this.stopHeartbeat();
+    this.ws?.close();
+    this.ws = null;
+  }
+  // ── internals ──────────────────────────────────────────────────────
+  isOpen() {
+    return this.ws?.readyState === this.WS.OPEN;
+  }
+  ensureConnected() {
+    if (this.ws || this.connecting) return;
+    this.closedByUser = false;
+    this.connecting = true;
+    const token = this.getToken();
+    const wsUrl = this.url.replace(/^http/, "ws") + "/realtime" + (token ? `?token=${encodeURIComponent(token)}` : "");
+    const ws = new this.WS(wsUrl);
+    this.ws = ws;
+    ws.onopen = () => {
+      this.connecting = false;
+      this.reconnectAttempts = 0;
+      for (const ref of this.subs.keys()) this.sendSubscribe(ref);
+      for (const raw of this.outbox.splice(0)) ws.send(raw);
+      this.startHeartbeat();
+    };
+    ws.onmessage = (ev) => this.onFrame(ev.data);
+    ws.onclose = () => {
+      this.connecting = false;
+      this.stopHeartbeat();
+      this.ws = null;
+      if (!this.closedByUser && this.subs.size > 0) this.scheduleReconnect();
+    };
+    ws.onerror = () => {
+    };
+  }
+  scheduleReconnect() {
+    const delay = Math.min(RECONNECT_BASE_MS * 2 ** this.reconnectAttempts, RECONNECT_MAX_MS);
+    this.reconnectAttempts += 1;
+    setTimeout(() => {
+      if (!this.closedByUser && this.subs.size > 0) this.ensureConnected();
+    }, delay);
+  }
+  startHeartbeat() {
+    this.stopHeartbeat();
+    this.heartbeat = setInterval(() => this.send({ type: "ping" }), HEARTBEAT_MS);
+  }
+  stopHeartbeat() {
+    if (this.heartbeat) clearInterval(this.heartbeat);
+    this.heartbeat = null;
+  }
+  sendSubscribe(ref) {
+    const s = this.subs.get(ref);
+    if (!s) return;
+    const o = s.opts;
+    const msg = { type: "subscribe", ref, kind: o.kind };
+    if (o.kind === "postgres") {
+      msg.table = o.table;
+      if (o.events) msg.events = o.events;
+      if (o.filter !== void 0) msg.filter = o.filter;
+    } else if (o.kind === "mongo") {
+      msg.collection = o.collection;
+      if (o.events) msg.events = o.events;
+      if (o.filter !== void 0) msg.filter = o.filter;
+    } else {
+      msg.channel = o.channel;
+      if (o.presence) msg.presence = true;
+      if (o.state) msg.state = o.state;
+    }
+    this.send(msg);
+  }
+  send(msg) {
+    const raw = JSON.stringify(msg);
+    if (this.isOpen()) this.ws.send(raw);
+    else this.outbox.push(raw);
+  }
+  onFrame(data) {
+    if (typeof data !== "string") return;
+    let m;
+    try {
+      m = JSON.parse(data);
+    } catch {
+      return;
+    }
+    const type = m.type;
+    if (type === "pong" || type === "subscribed" || type === "unsubscribed" || type === "token_refreshed") {
+      return;
+    }
+    if (type === "change") {
+      for (const s of this.subs.values()) {
+        if (s.opts.kind === "postgres" && m.table === qualify(s.opts.table) || s.opts.kind === "mongo" && m.collection === s.opts.collection) {
+          s.handler(m);
+        }
+      }
+    } else if (type === "broadcast") {
+      for (const s of this.subs.values()) {
+        if (s.opts.kind === "broadcast" && m.channel === s.opts.channel) {
+          s.handler(m);
+        }
+      }
+    } else if (type === "presence_state" || type === "presence_diff") {
+      for (const s of this.subs.values()) {
+        if (s.opts.kind === "broadcast" && (m.channel === s.opts.channel || m.channel === void 0)) {
+          s.handler(m);
+        }
+      }
+    }
+  }
+};
+function qualify(table) {
+  return table.includes(".") ? table : `public.${table}`;
+}
+
+// src/storage-adapter.ts
+var MemoryStorage = class {
+  constructor() {
+    this.m = /* @__PURE__ */ new Map();
+  }
+  getItem(key) {
+    return this.m.has(key) ? this.m.get(key) : null;
+  }
+  setItem(key, value) {
+    this.m.set(key, value);
+  }
+  removeItem(key) {
+    this.m.delete(key);
+  }
+};
+
+// src/client.ts
+var DEFAULT_STORAGE_KEY = "ichibase.session";
+var SessionAuth = class {
+  constructor(inner, client) {
+    this.inner = inner;
+    this.client = client;
+  }
+  async signup(input) {
+    return this.inner.signup(input);
+  }
+  async login(input) {
+    const res = await this.inner.login(input);
+    if (res.data) {
+      await this.client._setSession(
+        {
+          access_token: res.data.access_token,
+          refresh_token: res.data.refresh_token,
+          expires_at: expiresAt(res.data.expires_in),
+          user: res.data.user
+        },
+        "SIGNED_IN"
+      );
+    }
+    return res;
+  }
+  async refresh() {
+    const s = this.client.getSession();
+    if (!s) return { data: null, error: { code: "no_session", detail: "not logged in", status: 401 } };
+    const res = await this.inner.refresh(s.refresh_token);
+    if (res.data) {
+      await this.client._setSession(
+        {
+          access_token: res.data.access_token,
+          refresh_token: res.data.refresh_token,
+          expires_at: expiresAt(res.data.expires_in),
+          user: s.user
+        },
+        "TOKEN_REFRESHED"
+      );
+    }
+    return res;
+  }
+  /** Current signed-in user (from the live access token), or null. */
+  async getUser() {
+    const s = this.client.getSession();
+    if (!s) return null;
+    const res = await this.inner.getUser(s.access_token);
+    return res.data;
+  }
+  async logout() {
+    const s = this.client.getSession();
+    if (s) await this.inner.logout(s.refresh_token, s.access_token).catch(() => {
+    });
+    await this.client._setSession(null, "SIGNED_OUT");
+  }
+  requestPasswordReset(email) {
+    return this.inner.requestPasswordReset(email);
+  }
+  confirmPasswordReset(token, newPassword) {
+    return this.inner.confirmPasswordReset(token, newPassword);
+  }
+  verifyEmail(token) {
+    return this.inner.verifyEmail(token);
+  }
+  verifyEmailOtp(email, code) {
+    return this.inner.verifyEmailOtp(email, code);
+  }
+  resendVerification(email) {
+    return this.inner.resendVerification(email);
+  }
+  /** Hydrate the session from the storage adapter (call once at startup for async adapters). */
+  async loadSession() {
+    return this.client._loadSession();
+  }
+  /** Set the session directly (e.g. from your own SSR cookie). */
+  async setSession(session) {
+    await this.client._setSession(session, session ? "SIGNED_IN" : "SIGNED_OUT");
+  }
+};
+var IchibaseClient = class {
+  constructor(url, anonKey, opts = {}) {
+    this.session = null;
+    this.listeners = /* @__PURE__ */ new Set();
+    this._realtime = null;
+    if (!url) throw new Error("ichibase: url is required");
+    if (!anonKey) throw new Error("ichibase: anon key is required");
+    if (anonKey.startsWith("ich_admin_")) {
+      throw new Error(
+        "ichibase: @ichibase/client is anon-key only. ich_admin_ (service) keys bypass RLS \u2014 never ship them to a client. Use them server-side via the JSR SDKs."
+      );
+    }
+    this.url = url.replace(/\/$/, "");
+    this.anonKey = anonKey;
+    this.fetchFn = opts.fetch ?? globalThis.fetch.bind(globalThis);
+    this.sessionStore = opts.storage ?? new MemoryStorage();
+    this.storageKey = opts.storageKey ?? DEFAULT_STORAGE_KEY;
+    this.wsImpl = opts.WebSocketImpl;
+    this.auth = new SessionAuth(new Auth(this.url, this.anonKey, this.fetchFn), this);
+    try {
+      const raw = this.sessionStore.getItem(this.storageKey);
+      if (typeof raw === "string") this.session = parseSession(raw);
+    } catch {
+    }
+  }
+  /** The bearer to send on data-plane calls: the user token if signed in, else the anon key. */
+  bearer() {
+    return this.session?.access_token ?? this.anonKey;
+  }
+  cfg(key) {
+    return { url: this.url, key, fetch: this.fetchFn };
+  }
+  // ── PostgREST ──────────────────────────────────────────────────────
+  /** Start a PostgREST query against a table or view. */
+  from(table) {
+    return new Postgrest(this.url, this.bearer(), this.fetchFn).from(table);
+  }
+  /** Call a Postgres stored procedure (RPC). */
+  rpc(fn, args, opts) {
+    return new Postgrest(this.url, this.bearer(), this.fetchFn).rpc(fn, args, opts);
+  }
+  // ── Storage ────────────────────────────────────────────────────────
+  // Intentionally NOT exposed on the client. Storage tokens / presigned
+  // upload URLs are minted server-side by the project owner (Edge Function +
+  // service key) and handed to users — never minted from a client. See the
+  // Storage docs. Public files are read directly from cdn.ichibase.net.
+  // ── Mongo ──────────────────────────────────────────────────────────
+  /** Mongo data client (apikey = anon; user token attached when signed in). */
+  get mongo() {
+    const m = new Mongo(this.url, this.anonKey, this.fetchFn);
+    return this.session ? m.asUser(this.session.access_token) : m;
+  }
+  // ── Edge Functions ─────────────────────────────────────────────────
+  /** Invoke your deployed Edge Functions: `ichi.functions.invoke('name', { body })`. */
+  get functions() {
+    const f = new Functions(this.url, this.anonKey, this.fetchFn);
+    return this.session ? f.asUser(this.session.access_token) : f;
+  }
+  // ── Realtime ───────────────────────────────────────────────────────
+  get realtime() {
+    if (!this._realtime) {
+      this._realtime = new RealtimeClient({
+        url: this.url,
+        getToken: () => this.bearer(),
+        WebSocketImpl: this.wsImpl
+      });
+    }
+    return this._realtime;
+  }
+  // ── Session ────────────────────────────────────────────────────────
+  getSession() {
+    return this.session;
+  }
+  /** Subscribe to auth state changes. Returns an unsubscribe fn. */
+  onAuthStateChange(cb) {
+    this.listeners.add(cb);
+    return () => this.listeners.delete(cb);
+  }
+  /** @internal */
+  async _setSession(session, event) {
+    this.session = session;
+    try {
+      if (session) await this.sessionStore.setItem(this.storageKey, JSON.stringify(session));
+      else await this.sessionStore.removeItem(this.storageKey);
+    } catch {
+    }
+    for (const l of this.listeners) l(event, session);
+  }
+  /** @internal */
+  async _loadSession() {
+    try {
+      const raw = await this.sessionStore.getItem(this.storageKey);
+      this.session = typeof raw === "string" ? parseSession(raw) : null;
+    } catch {
+      this.session = null;
+    }
+    return this.session;
+  }
+};
+function createClient(url, anonKey, opts) {
+  return new IchibaseClient(url, anonKey, opts);
+}
+function expiresAt(expiresIn) {
+  if (!expiresIn) return void 0;
+  return Math.floor(Date.now() / 1e3) + expiresIn;
+}
+function parseSession(raw) {
+  try {
+    const s = JSON.parse(raw);
+    return s && typeof s.access_token === "string" ? s : null;
+  } catch {
+    return null;
+  }
+}
+
+export { Auth, Functions, IchibaseClient, MemoryStorage, Mongo, MongoCollection, Postgrest, QueryBuilder, RealtimeClient, createClient };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map