@jami-studio/core 0.92.19 → 0.92.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,5 +1,11 @@
1
1
  # @agent-native/core
2
2
 
3
+ ## 0.92.20
4
+
5
+ ### Patch Changes
6
+
7
+ - 7a019a3: Complete the Neon-on-workerd fix: the better-auth Neon pool (third pool site) now also routes over stateless HTTP with single-use WebSocket clients on Cloudflare Workers, and buildResilientNeonPool gains an httpPerQuery mode so the Drizzle path actually goes through pool.query() (its manual connect()/client.query() checkout was bypassing poolQueryViaFetch and pinning queries to per-request WebSocket clients). Fixes worker hangs on the request following an authenticated write under wrangler pages dev.
8
+
3
9
  ## 0.92.19
4
10
 
5
11
  ### Patch Changes
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@agent-native/core",
3
- "version": "0.92.19",
3
+ "version": "0.92.20",
4
4
  "description": "Framework for agent-native application development — where AI agents and UI share SQL state, actions, and context",
5
5
  "homepage": "https://github.com/studio-jami/jami-studio#readme",
6
6
  "bugs": {
@@ -88,15 +88,28 @@ export function isSqlRead(sql: string): boolean {
88
88
  * connection the transaction needs. The pool-level error logger still fires
89
89
  * on idle-client drops inside transactions.
90
90
  */
91
- export function buildResilientNeonPool(pool: {
92
- connect(): Promise<any>;
93
- query(
94
- sql: string,
95
- args?: any[],
96
- ): Promise<{ rows: unknown[]; rowCount?: number }>;
97
- end(): Promise<void>;
98
- on(event: string, listener: (...args: any[]) => void): unknown;
99
- }): typeof pool {
91
+ export function buildResilientNeonPool(
92
+ pool: {
93
+ connect(): Promise<any>;
94
+ query(
95
+ sql: string,
96
+ args?: any[],
97
+ ): Promise<{ rows: unknown[]; rowCount?: number }>;
98
+ end(): Promise<void>;
99
+ on(event: string, listener: (...args: any[]) => void): unknown;
100
+ },
101
+ options?: {
102
+ /**
103
+ * Route plain queries through pool.query() instead of a manual
104
+ * connect()/client.query()/release() checkout. Required on Cloudflare
105
+ * Workers where neonConfig.poolQueryViaFetch routes pool.query() over
106
+ * Neon's stateless HTTP transport — the manual checkout would bypass
107
+ * that and pin queries to per-request WebSocket clients.
108
+ */
109
+ httpPerQuery?: boolean;
110
+ },
111
+ ): typeof pool {
112
+ const httpPerQuery = options?.httpPerQuery === true;
100
113
  // Preserve all original pool methods and properties; only override `connect`
101
114
  // and `query` at the Pool level (used by drizzle's neon-serverless adapter
102
115
  // when it calls pool.query() directly, e.g. outside a transaction).
@@ -110,6 +123,19 @@ export function buildResilientNeonPool(pool: {
110
123
  rows: unknown[];
111
124
  rowCount?: number;
112
125
  }> => {
126
+ if (httpPerQuery) {
127
+ // Stateless HTTP transport (poolQueryViaFetch): no connection
128
+ // checkout, no persistent socket — just bound the query itself.
129
+ return withDbTimeout(
130
+ "query",
131
+ () =>
132
+ pool.query(sql, args ?? []) as Promise<{
133
+ rows: unknown[];
134
+ rowCount?: number;
135
+ }>,
136
+ dbOpTimeoutMs(),
137
+ );
138
+ }
113
139
  // Bound the pool.connect() acquire — a frozen Neon WebSocket stalls here
114
140
  // before the query ever starts, so a query-level timeout alone won't help.
115
141
  let acquireTimedOut = false;
@@ -490,7 +516,9 @@ export function createGetDb<T extends Record<string, unknown>>(schema: T) {
490
516
  // same withDbTimeout + retryOnConnectionError protection as the raw
491
517
  // DbExec path in client.ts. Reads retry freely; writes only retry on
492
518
  // acquire-timeout (pre-send) errors to avoid double-execution.
493
- const pool = buildResilientNeonPool(rawPool);
519
+ const pool = buildResilientNeonPool(rawPool, {
520
+ httpPerQuery: cfWorker,
521
+ });
494
522
  _db = drizzle(pool, { schema });
495
523
  },
496
524
  );
@@ -48,6 +48,7 @@ import { getAppProductionUrl } from "./app-url.js";
48
48
  import { signupAttributionFromCookieHeader } from "./attribution.js";
49
49
  import { resolveAuthCookieNamespace } from "./cookie-namespace.js";
50
50
  import { getWorkspaceA2ADerivedSecret } from "./derived-secret.js";
51
+ import { isCloudflareRuntime } from "../shared/runtime.js";
51
52
  import {
52
53
  renderResetPasswordEmail,
53
54
  renderVerifySignupEmail,
@@ -1122,14 +1123,27 @@ async function buildDatabaseConfig(
1122
1123
  // opens a raw TCP connection on port 5432 which frequently times out on
1123
1124
  // Netlify Functions / Vercel / CF Workers when Neon's pooler is cold.
1124
1125
  if (isNeonUrl(url)) {
1125
- const { Pool } = await import("@neondatabase/serverless");
1126
+ const { Pool, neonConfig } = await import("@neondatabase/serverless");
1126
1127
  // Cap the auth pool the same way as the app pool. Better Auth runs a
1127
1128
  // session lookup on essentially every authenticated request, so an
1128
1129
  // un-capped pool here is a primary contributor to "Max client
1129
1130
  // connections reached" across concurrent serverless instances.
1131
+ //
1132
+ // Cloudflare Workers (workerd) forbids reusing I/O objects across
1133
+ // requests — a pooled WebSocket client created by one request and
1134
+ // handed to a later one hangs the worker ("Cannot perform I/O on
1135
+ // behalf of a different request"). Route plain queries over Neon's
1136
+ // stateless HTTP transport and cap WebSocket clients to a single use,
1137
+ // mirroring the app pools in db/client.ts and db/create-get-db.ts.
1138
+ const cfWorker = isCloudflareRuntime();
1139
+ if (cfWorker) {
1140
+ (neonConfig as { poolQueryViaFetch?: boolean }).poolQueryViaFetch =
1141
+ true;
1142
+ }
1130
1143
  _neonAuthPool = new Pool({
1131
1144
  connectionString: url,
1132
1145
  max: neonPoolMax(),
1146
+ ...(cfWorker ? { maxUses: 1 } : {}),
1133
1147
  });
1134
1148
  attachNeonPoolErrorLogger(_neonAuthPool, "db/neon-auth");
1135
1149
  const { drizzle } = await import("drizzle-orm/neon-serverless");
@@ -26,8 +26,8 @@ export declare const getCollabState: import("h3").EventHandlerWithFetch<import("
26
26
  * Body: { update: string (base64), requestSource?: string }
27
27
  */
28
28
  export declare const postCollabUpdate: import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, Promise<{
29
- ok?: undefined;
30
29
  error: string;
30
+ ok?: undefined;
31
31
  } | {
32
32
  error?: undefined;
33
33
  ok: boolean;
@@ -13,8 +13,8 @@
13
13
  * Body: { json: any, fieldName?: string, type?: "map"|"array", requestSource?: string }
14
14
  */
15
15
  export declare const postCollabJson: import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, Promise<{
16
- ok?: undefined;
17
16
  error: string;
17
+ ok?: undefined;
18
18
  } | {
19
19
  error?: undefined;
20
20
  ok: boolean;
@@ -36,6 +36,15 @@ export declare function buildResilientNeonPool(pool: {
36
36
  }>;
37
37
  end(): Promise<void>;
38
38
  on(event: string, listener: (...args: any[]) => void): unknown;
39
+ }, options?: {
40
+ /**
41
+ * Route plain queries through pool.query() instead of a manual
42
+ * connect()/client.query()/release() checkout. Required on Cloudflare
43
+ * Workers where neonConfig.poolQueryViaFetch routes pool.query() over
44
+ * Neon's stateless HTTP transport — the manual checkout would bypass
45
+ * that and pin queries to per-request WebSocket clients.
46
+ */
47
+ httpPerQuery?: boolean;
39
48
  }): typeof pool;
40
49
  /**
41
50
  * Wraps a postgres.js client so Drizzle queries on the non-Neon Postgres
@@ -1 +1 @@
1
- {"version":3,"file":"create-get-db.d.ts","sourceRoot":"","sources":["../../src/db/create-get-db.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAuDzD;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAE9C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE;IAC3C,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC;IACxB,KAAK,CACH,GAAG,EAAE,MAAM,EACX,IAAI,CAAC,EAAE,GAAG,EAAE,GACX,OAAO,CAAC;QAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACnD,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACrB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,IAAI,GAAG,OAAO,CAAC;CAChE,GAAG,OAAO,IAAI,CAyFd;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,8BAA8B,CAC5C,CAAC,SAAS;IACR,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,GAAG,EAAE,EAAE,OAAO,CAAC,EAAE,GAAG,GAAG,GAAG,CAAC;CAC3D,EACD,MAAM,EAAE,CAAC,GAAG,CAAC,CAyDd;AAED;;;;;;;;;GASG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAK9C;AA0BD;;;;;;;;;;;;;;;;GAgBG;AACH,2DAA2D;AAC3D,wBAAgB,6BAA6B,CAC3C,EAAE,SAAS;IAAE,WAAW,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC;IAAC,OAAO,EAAE,GAAG,CAAA;CAAE,EACjE,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;IAAE,aAAa,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GAAG,EAAE,CAsG7E;AAKD,wBAAgB,WAAW,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC,SA2IpD,cAAc,CAAC,CAAC,CAAC,CASpC"}
1
+ {"version":3,"file":"create-get-db.d.ts","sourceRoot":"","sources":["../../src/db/create-get-db.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAuDzD;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAE9C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE;IACJ,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC;IACxB,KAAK,CACH,GAAG,EAAE,MAAM,EACX,IAAI,CAAC,EAAE,GAAG,EAAE,GACX,OAAO,CAAC;QAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACnD,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACrB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,IAAI,GAAG,OAAO,CAAC;CAChE,EACD,OAAO,CAAC,EAAE;IACR;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB,GACA,OAAO,IAAI,CAuGb;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,8BAA8B,CAC5C,CAAC,SAAS;IACR,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,GAAG,EAAE,EAAE,OAAO,CAAC,EAAE,GAAG,GAAG,GAAG,CAAC;CAC3D,EACD,MAAM,EAAE,CAAC,GAAG,CAAC,CAyDd;AAED;;;;;;;;;GASG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAK9C;AA0BD;;;;;;;;;;;;;;;;GAgBG;AACH,2DAA2D;AAC3D,wBAAgB,6BAA6B,CAC3C,EAAE,SAAS;IAAE,WAAW,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC;IAAC,OAAO,EAAE,GAAG,CAAA;CAAE,EACjE,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;IAAE,aAAa,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GAAG,EAAE,CAsG7E;AAKD,wBAAgB,WAAW,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC,SA6IpD,cAAc,CAAC,CAAC,CAAC,CASpC"}
@@ -61,13 +61,19 @@ export function isSqlRead(sql) {
61
61
  * connection the transaction needs. The pool-level error logger still fires
62
62
  * on idle-client drops inside transactions.
63
63
  */
64
- export function buildResilientNeonPool(pool) {
64
+ export function buildResilientNeonPool(pool, options) {
65
+ const httpPerQuery = options?.httpPerQuery === true;
65
66
  // Preserve all original pool methods and properties; only override `connect`
66
67
  // and `query` at the Pool level (used by drizzle's neon-serverless adapter
67
68
  // when it calls pool.query() directly, e.g. outside a transaction).
68
69
  const resilientQuery = async (sql, args) => {
69
70
  const isRead = isSqlRead(sql);
70
71
  const runAttempt = async () => {
72
+ if (httpPerQuery) {
73
+ // Stateless HTTP transport (poolQueryViaFetch): no connection
74
+ // checkout, no persistent socket — just bound the query itself.
75
+ return withDbTimeout("query", () => pool.query(sql, args ?? []), dbOpTimeoutMs());
76
+ }
71
77
  // Bound the pool.connect() acquire — a frozen Neon WebSocket stalls here
72
78
  // before the query ever starts, so a query-level timeout alone won't help.
73
79
  let acquireTimedOut = false;
@@ -397,7 +403,9 @@ export function createGetDb(schema) {
397
403
  // same withDbTimeout + retryOnConnectionError protection as the raw
398
404
  // DbExec path in client.ts. Reads retry freely; writes only retry on
399
405
  // acquire-timeout (pre-send) errors to avoid double-execution.
400
- const pool = buildResilientNeonPool(rawPool);
406
+ const pool = buildResilientNeonPool(rawPool, {
407
+ httpPerQuery: cfWorker,
408
+ });
401
409
  _db = drizzle(pool, { schema });
402
410
  });
403
411
  }
@@ -1 +1 @@
1
- {"version":3,"file":"create-get-db.js","sourceRoot":"","sources":["../../src/db/create-get-db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAErD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAGtD,OAAO,EACL,UAAU,EACV,sBAAsB,EACtB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,qBAAqB,EACrB,aAAa,EACb,WAAW,EACX,yBAAyB,EACzB,aAAa,EACb,sBAAsB,EACtB,aAAa,GACd,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAE3D,0EAA0E;AAC1E,IAAI,UAAgE,CAAC;AACrE,SAAS,YAAY;IACnB,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC;YACvB,MAAM,CAAC,yBAAyB,CAAC;YACjC,MAAM,CAAC,UAAU,CAAC;SACnB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YAChC,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,QAAQ,EAAE,KAAK,CAAC,OAAO;SACxB,CAAC,CAAC,CAAC;IACN,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,IAAI,sBAES,CAAC;AACd,SAAS,wBAAwB;IAC/B,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,sBAAsB,GAAG,OAAO,CAAC,GAAG,CAAC;YACnC,MAAM,CAAC,6BAA6B,CAAC;YACrC,MAAM,CAAC,0BAA0B,CAAC;SACnC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;YAClC,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,UAAU,EAAE,OAAO,CAAC,UAAU;SAC/B,CAAC,CAAC,CAAC;IACN,CAAC;IACD,OAAO,sBAAsB,CAAC;AAChC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,SAAS,CAAC,GAAW;IACnC,OAAO,sBAAsB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAQtC;IACC,6EAA6E;IAC7E,2EAA2E;IAC3E,oEAAoE;IACpE,MAAM,cAAc,GAAG,KAAK,EAC1B,GAAW,EACX,IAAY,EACqC,EAAE;QACnD,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;QAE9B,MAAM,UAAU,GAAG,KAAK,IAGrB,EAAE;YACH,yEAAyE;YACzE,2EAA2E;YAC3E,IAAI,eAAe,GAAG,KAAK,CAAC;YAC5B,MAAM,MAAM,GAAG,MAAM,aAAa,CAChC,SAAS,EACT,GAAG,EAAE,CACH,IAAI,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE;gBAC7B,gEAAgE;gBAChE,2CAA2C;gBAC3C,IAAI,eAAe;oBAAE,CAAC,CAAC,OAAO,EAAE,CAAC;gBACjC,OAAO,CAAC,CAAC;YACX,CAAC,CAAC,EACJ,aAAa,EAAE,EACf,GAAG,EAAE;gBACH,eAAe,GAAG,IAAI,CAAC;YACzB,CAAC,CACF,CAAC;YAEF,IAAI,QAAQ,GAAG,KAAK,CAAC;YACrB,MAAM,aAAa,GAAG,CAAC,GAAqB,EAAE,EAAE;gBAC9C,IAAI,QAAQ;oBAAE,OAAO;gBACrB,QAAQ,GAAG,IAAI,CAAC;gBAChB,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACtB,CAAC,CAAC;YAEF,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,aAAa,CAChC,OAAO,EACP,GAAG,EAAE,CACH,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,IAAI,EAAE,CAG1B,EACJ,aAAa,EAAE,EACf,GAAG,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAC1B,CAAC;gBACF,aAAa,EAAE,CAAC;gBAChB,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,aAAa,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;gBACzD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC,CAAC;QAEF,IAAI,MAAM,EAAE,CAAC;YACX,uEAAuE;YACvE,OAAO,sBAAsB,CAAC,UAAU,CAAC,CAAC;QAC5C,CAAC;QAED,sEAAsE;QACtE,wEAAwE;QACxE,0EAA0E;QAC1E,mEAAmE;QACnE,oBAAoB;QACpB,IAAI,CAAC;YACH,OAAO,MAAM,UAAU,EAAE,CAAC;QAC5B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,mEAAmE;YACnE,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAK,GAAW,EAAE,IAAI,KAAK,iBAAiB,EAAE,CAAC;gBACvE,OAAO,UAAU,EAAE,CAAC;YACtB,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;IAEF,uEAAuE;IACvE,2EAA2E;IAC3E,6EAA6E;IAC7E,OAAO,IAAI,KAAK,CAAC,IAAI,EAAE;QACrB,GAAG,CAAC,MAAM,EAAE,IAAI;YACd,IAAI,IAAI,KAAK,OAAO;gBAAE,OAAO,cAAc,CAAC;YAC5C,MAAM,GAAG,GAAI,MAAc,CAAC,IAAI,CAAC,CAAC;YAClC,OAAO,OAAO,GAAG,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAC5D,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,8BAA8B,CAI5C,MAAS;IACT,MAAM,UAAU,GAAG,CAAC,KAAa,EAAE,MAAc,EAAE,OAAa,EAAE,EAAE;QAClE,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAEhC,MAAM,UAAU,GAAG,CAAC,IAAuB,EAAE,EAAE,CAAC,KAAK,IAAkB,EAAE;YACvE,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;YACtD,OAAO,aAAa,CAClB,OAAO,EACP,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAC5D,aAAa,EAAE,EACf,GAAG,EAAE;gBACH,6DAA6D;gBAC7D,8DAA8D;gBAC9D,IAAI,CAAC;oBACH,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;gBACrB,CAAC;gBAAC,MAAM,CAAC;oBACP,oCAAoC;gBACtC,CAAC;YACH,CAAC,CACF,CAAC;QACJ,CAAC,CAAC;QAEF,MAAM,OAAO,GAAG,KAAK,EAAE,IAAuB,EAAgB,EAAE;YAC9D,IAAI,MAAM;gBAAE,OAAO,sBAAsB,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;YAC5D,IAAI,CAAC;gBACH,OAAO,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAClC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,oEAAoE;gBACpE,wBAAwB;gBACxB,IACE,iBAAiB,CAAC,GAAG,CAAC;oBACrB,GAAW,EAAE,IAAI,KAAK,iBAAiB,EACxC,CAAC;oBACD,OAAO,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5B,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC,CAAC;QAEF,kEAAkE;QAClE,8DAA8D;QAC9D,OAAO;YACL,IAAI,EAAE,CAAC,WAAiB,EAAE,UAAgB,EAAE,EAAE,CAC5C,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC;YAC/C,KAAK,EAAE,CAAC,UAAgB,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC;YAC9D,OAAO,EAAE,CAAC,SAAe,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YAChE,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;SAChC,CAAC;IACJ,CAAC,CAAC;IAEF,OAAO,IAAI,KAAK,CAAC,MAAa,EAAE;QAC9B,GAAG,CAAC,MAAM,EAAE,IAAI;YACd,IAAI,IAAI,KAAK,QAAQ;gBAAE,OAAO,UAAU,CAAC;YACzC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;YACzB,OAAO,OAAO,GAAG,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAC5D,CAAC;KACF,CAAM,CAAC;AACV,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,SAAS,CAAC,GAAW;IACnC,wEAAwE;IACxE,0EAA0E;IAC1E,sDAAsD;IACtD,OAAO,uBAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC3C,CAAC;AAED,IAAI,iBAAwD,CAAC;AAC7D,SAAS,mBAAmB;IAC1B,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,iBAAiB,GAAG,MAAM,CAAC,wBAAwB,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YAClE,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC,CAAC,CAAC;IACN,CAAC;IACD,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED,IAAI,oBAA0E,CAAC;AAC/E,SAAS,sBAAsB;IAC7B,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC;YACjC,MAAM,CAAC,4BAA4B,CAAC;YACpC,MAAM,CAAC,gBAAgB,CAAC;SACzB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;YACpC,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,QAAQ,EAAE,SAAS,CAAC,OAAO;SAC5B,CAAC,CAAC,CAAC;IACN,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,2DAA2D;AAC3D,MAAM,UAAU,6BAA6B,CAE3C,EAAM,EAAE,MAA+D;IACvE,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,uEAAuE;IACvE,0EAA0E;IAC1E,0EAA0E;IAC1E,oEAAoE;IACpE,yEAAyE;IACzE,wEAAwE;IACxE,wEAAwE;IACxE,qDAAqD;IACrD,MAAM,SAAS,GAAG,IAAI,iBAAiB,EAAW,CAAC;IACnD,IAAI,OAAO,GAAqB,OAAO,CAAC,OAAO,EAAE,CAAC;IAElD,SAAS,oBAAoB,CAC3B,mBAA4C;QAE5C,KAAK,UAAU,kBAAkB,CAC/B,EAA4B;YAE5B,wEAAwE;YACxE,sEAAsE;YACtE,qEAAqE;YACrE,4DAA4D;YAC5D,IAAI,UAAmB,CAAC;YACxB,IAAI,CAAC;gBACH,mBAAmB,CAAC,CAAC,EAAW,EAAE,EAAE;oBAClC,UAAU,GAAG,EAAE,CAAC;oBAChB,MAAM,WAAW,CAAC;gBACpB,CAAC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,KAAK,WAAW;oBAAE,MAAM,CAAC,CAAC;YACjC,CAAC;YAED,yEAAyE;YACzE,MAAM,EAAE,GAAG,UAAmD,CAAC;YAC/D,IAAI,EAAE,IAAI,OAAO,EAAE,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;gBAC/C,EAAE,CAAC,WAAW,GAAG,oBAAoB,CAAC,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YACjE,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,CAAC,aAAa,CAAC;YACpC,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,EAAE,GAAG,YAAY,EAAE,YAAY,EAAE,CAAC;gBACxC,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;gBAC/B,IAAI,QAAQ,GAAG,KAAK,CAAC;gBACrB,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC;oBACvC,QAAQ,GAAG,IAAI,CAAC;oBAChB,OAAO,MAAM,CAAC;gBAChB,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,CAAC,QAAQ,EAAE,CAAC;wBACd,IAAI,CAAC;4BACH,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,CAAC,CAAC;4BAC3C,MAAM,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC;wBACzC,CAAC;wBAAC,MAAM,CAAC;4BACP,yDAAyD;wBAC3D,CAAC;oBACH,CAAC;oBACD,MAAM,GAAG,CAAC;gBACZ,CAAC;YACH,CAAC;YAED,kDAAkD;YAClD,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC/B,IAAI,SAAS,GAAG,KAAK,CAAC;YACtB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;gBAC5B,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACtB,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,IAAI,CAAC;wBACH,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;oBAC1B,CAAC;oBAAC,MAAM,CAAC;wBACP,iDAAiD;oBACnD,CAAC;gBACH,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,OAAO,SAAS,gBAAgB,CAC9B,EAA4B;YAE5B,IAAI,SAAS,CAAC,QAAQ,EAAE,EAAE,CAAC;gBACzB,kEAAkE;gBAClE,kEAAkE;gBAClE,OAAO,kBAAkB,CAAC,EAAE,CAAC,CAAC;YAChC,CAAC;YACD,MAAM,GAAG,GAAG,GAAG,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,kBAAkB,CAAC,EAAE,CAAC,CAAC,CAAC;YACpE,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACpC,OAAO,GAAG,IAAI,CAAC,IAAI,CACjB,GAAG,EAAE,CAAC,SAAS,EACf,GAAG,EAAE,CAAC,SAAS,CAChB,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;IACJ,CAAC;IAED,EAAE,CAAC,WAAW,GAAG,oBAAoB,CAAC,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/D,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,+EAA+E;AAC/E,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;AAEzC,MAAM,UAAU,WAAW,CAAoC,MAAS;IACtE,IAAI,GAAQ,CAAC;IACb,IAAI,QAAkC,CAAC;IAEvC,SAAS,SAAS;QAChB,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAE9B,MAAM,GAAG,GAAG,cAAc,CAAC,oBAAoB,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;QAE7B,+DAA+D;QAC/D,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACrB,MAAM,EAAE,GAAG,sBAAsB,EAEpB,CAAC;YACd,IAAI,EAAE,EAAE,CAAC;gBACP,GAAG,GAAG,SAAS,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,CAAiC,CAAC;gBAChE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAChC,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;QAED,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,QAAQ,GAAG,iBAAiB,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;gBACxD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;gBAC1C,GAAG,GAAG,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;YACpC,CAAC,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,IAAI,OAAO,KAAK,UAAU,EAAE,CAAC;YAC3B,IAAI,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnB,QAAQ,GAAG,wBAAwB,EAAE,CAAC,IAAI,CACxC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE;oBAChC,kEAAkE;oBAClE,oEAAoE;oBACpE,gEAAgE;oBAChE,oEAAoE;oBACpE,mEAAmE;oBACnE,oEAAoE;oBACpE,gCAAgC;oBAChC,MAAM,QAAQ,GAAG,mBAAmB,EAAE,CAAC;oBACvC,IAAI,QAAQ;wBAAE,UAAU,CAAC,iBAAiB,GAAG,IAAI,CAAC;oBAClD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC;wBACvB,gBAAgB,EAAE,GAAG;wBACrB,GAAG,EAAE,WAAW,EAAE;wBAClB,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBACpC,CAAC,CAAC;oBACH,yBAAyB,CAAC,OAAO,CAAC,CAAC;oBACnC,qEAAqE;oBACrE,oEAAoE;oBACpE,qEAAqE;oBACrE,+DAA+D;oBAC/D,MAAM,IAAI,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;oBAC7C,GAAG,GAAG,OAAO,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;gBAClC,CAAC,CACF,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,QAAQ,GAAG,YAAY,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE;oBACvD,+DAA+D;oBAC/D,2DAA2D;oBAC3D,uDAAuD;oBACvD,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;oBACjD,GAAG,GAAG,OAAO,CAAC,8BAA8B,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;gBACpE,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,IAAI,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC;gBACrB,qBAAqB,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,GAAG,EAAE,CAAC;gBACpE,sBAAsB,EAAE;aACzB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE;gBAC7C,MAAM,MAAM,GAAG,IAAI,QAAQ,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC,CAAC;gBAC9D,iEAAiE;gBACjE,sEAAsE;gBACtE,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;gBACtC,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;gBACpC,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;gBACvC,GAAG,GAAG,6BAA6B,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YAClD,CAAC,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,mBAAmB,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE;gBACpD,GAAG,GAAG,OAAO,CAAC;oBACZ,UAAU,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,oBAAoB,EAAE,EAAE;oBACtD,MAAM;iBACP,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;;;;;OAOG;IACH,SAAS,eAAe,CACtB,KAAmB,EACnB,KAAqD;QAErD,OAAO,IAAI,KAAK,CAAC,cAAa,CAAQ,EAAE;YACtC,GAAG,CAAC,OAAO,EAAE,IAAI;gBACf,gDAAgD;gBAChD,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;oBAC9D,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE;wBAC9B,IAAI,MAAM,GAAQ,GAAG,CAAC;wBACtB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;4BACzB,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;4BAC9B,MAAM;gCACJ,OAAO,GAAG,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;wBACnE,CAAC;wBACD,OAAO,MAAM,CAAC;oBAChB,CAAC,CAAC,CAAC;oBACH,OAAQ,OAAe,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC9C,CAAC;gBACD,mEAAmE;gBACnE,oEAAoE;gBACpE,OAAO,eAAe,CAAC,KAAK,EAAE,CAAC,GAAG,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YACtD,CAAC;YACD,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,IAAI;gBAC3B,yEAAyE;gBACzE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO,eAAe,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBAC1D,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACrC,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;gBACpC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;gBACzC,OAAO,eAAe,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YAC1C,CAAC;SACF,CAAC,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACH,SAAS,KAAK;QACZ,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;QACpB,SAAS,EAAE,CAAC;QACZ,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;QAEpB,OAAO,eAAe,CAAC,QAAS,EAAE,EAAE,CAAsB,CAAC;IAC7D,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["import { AsyncLocalStorage } from \"node:async_hooks\";\r\n\r\nimport { drizzle as drizzleD1 } from \"drizzle-orm/d1\";\r\nimport type { LibSQLDatabase } from \"drizzle-orm/libsql\";\r\n\r\nimport {\r\n getDialect,\r\n getCloudflareD1Binding,\r\n getDatabaseUrl,\r\n getDatabaseAuthToken,\r\n isLocalSqliteUrl,\r\n isPgliteUrl,\r\n isConnectionError,\r\n getPgliteClient,\r\n loadPgliteDrizzle,\r\n prepareLocalSqliteUrl,\r\n sqliteFilenameFromUrl,\r\n pgPoolOptions,\r\n neonPoolMax,\r\n attachNeonPoolErrorLogger,\r\n withDbTimeout,\r\n retryOnConnectionError,\r\n dbOpTimeoutMs,\r\n} from \"./client.js\";\r\nimport { isCloudflareRuntime } from \"../shared/runtime.js\";\r\n\r\n// Lazy driver loaders — cached promises so dynamic import only runs once.\r\nlet _pgDrizzle: Promise<{ drizzle: any; postgres: any }> | undefined;\r\nfunction getPgDrizzle() {\r\n if (!_pgDrizzle) {\r\n _pgDrizzle = Promise.all([\r\n import(\"drizzle-orm/postgres-js\"),\r\n import(\"postgres\"),\r\n ]).then(([drizzleMod, pgMod]) => ({\r\n drizzle: drizzleMod.drizzle,\r\n postgres: pgMod.default,\r\n }));\r\n }\r\n return _pgDrizzle;\r\n}\r\n\r\nlet _neonServerlessDrizzle:\r\n | Promise<{ drizzle: any; Pool: any; neonConfig: any }>\r\n | undefined;\r\nfunction getNeonServerlessDrizzle() {\r\n if (!_neonServerlessDrizzle) {\r\n _neonServerlessDrizzle = Promise.all([\r\n import(\"drizzle-orm/neon-serverless\"),\r\n import(\"@neondatabase/serverless\"),\r\n ]).then(([drizzleMod, neonMod]) => ({\r\n drizzle: drizzleMod.drizzle,\r\n Pool: neonMod.Pool,\r\n neonConfig: neonMod.neonConfig,\r\n }));\r\n }\r\n return _neonServerlessDrizzle;\r\n}\r\n\r\n/**\r\n * Returns true when a SQL string starts with a SELECT-class verb.\r\n * Used by the Neon resilience wrapper to decide retry safety:\r\n * - reads (SELECT) → retryable on any connection-class error\r\n * - writes (INSERT/UPDATE/DELETE/…) → only retryable on errors that\r\n * provably occurred BEFORE the statement was sent (e.g. an acquire /\r\n * connect timeout). Post-send write failures must propagate to the caller\r\n * to avoid double-execution.\r\n */\r\nexport function isSqlRead(sql: string): boolean {\r\n return /^\\s*(SELECT|WITH\\s)/i.test(sql);\r\n}\r\n\r\n/**\r\n * Wraps a @neondatabase/serverless Pool so every query goes through\r\n * the same withDbTimeout + retryOnConnectionError resilience that the\r\n * raw DbExec path in client.ts uses. This protects Drizzle queries\r\n * (which bypass DbExec) from the frozen-WebSocket failure mode documented\r\n * in client.ts (~lines 378–408).\r\n *\r\n * Retry-safety rule (prevents double-execution on writes):\r\n * - Reads (SELECT / WITH …): retry freely on any connection-class error.\r\n * - Writes: only retry when the error occurred during connection acquire\r\n * (i.e. withDbTimeout \"connect\" timed out before the statement was ever\r\n * sent). Post-send failures on writes are rethrown immediately.\r\n *\r\n * Transactions: we do NOT wrap individual queries inside a drizzle\r\n * transaction — drizzle-neon-serverless manages the session itself, so\r\n * interposing a per-query client acquire/release would break the sticky\r\n * connection the transaction needs. The pool-level error logger still fires\r\n * on idle-client drops inside transactions.\r\n */\r\nexport function buildResilientNeonPool(pool: {\r\n connect(): Promise<any>;\r\n query(\r\n sql: string,\r\n args?: any[],\r\n ): Promise<{ rows: unknown[]; rowCount?: number }>;\r\n end(): Promise<void>;\r\n on(event: string, listener: (...args: any[]) => void): unknown;\r\n}): typeof pool {\r\n // Preserve all original pool methods and properties; only override `connect`\r\n // and `query` at the Pool level (used by drizzle's neon-serverless adapter\r\n // when it calls pool.query() directly, e.g. outside a transaction).\r\n const resilientQuery = async (\r\n sql: string,\r\n args?: any[],\r\n ): Promise<{ rows: unknown[]; rowCount?: number }> => {\r\n const isRead = isSqlRead(sql);\r\n\r\n const runAttempt = async (): Promise<{\r\n rows: unknown[];\r\n rowCount?: number;\r\n }> => {\r\n // Bound the pool.connect() acquire — a frozen Neon WebSocket stalls here\r\n // before the query ever starts, so a query-level timeout alone won't help.\r\n let acquireTimedOut = false;\r\n const client = await withDbTimeout(\r\n \"connect\",\r\n () =>\r\n pool.connect().then((c: any) => {\r\n // If we already gave up on this slot, immediately release it so\r\n // the scarce pool connection isn't leaked.\r\n if (acquireTimedOut) c.release();\r\n return c;\r\n }),\r\n dbOpTimeoutMs(),\r\n () => {\r\n acquireTimedOut = true;\r\n },\r\n );\r\n\r\n let released = false;\r\n const releaseClient = (err?: Error | boolean) => {\r\n if (released) return;\r\n released = true;\r\n client.release(err);\r\n };\r\n\r\n try {\r\n const result = await withDbTimeout(\r\n \"query\",\r\n () =>\r\n client.query(sql, args ?? []) as Promise<{\r\n rows: unknown[];\r\n rowCount?: number;\r\n }>,\r\n dbOpTimeoutMs(),\r\n () => releaseClient(true),\r\n );\r\n releaseClient();\r\n return result;\r\n } catch (err) {\r\n releaseClient(isConnectionError(err) ? true : undefined);\r\n throw err;\r\n }\r\n };\r\n\r\n if (isRead) {\r\n // Reads: retry on any connection-class error (safe — no side effects).\r\n return retryOnConnectionError(runAttempt);\r\n }\r\n\r\n // Writes: attempt once. If the acquire itself times out (error occurs\r\n // before the statement was sent), that produces a CONNECT_TIMEOUT which\r\n // isConnectionError() recognises → retry is safe. Any error that surfaces\r\n // AFTER the statement was sent must propagate immediately to avoid\r\n // double-execution.\r\n try {\r\n return await runAttempt();\r\n } catch (err) {\r\n // acquire-timeout fires before the statement → safe to retry once.\r\n if (isConnectionError(err) && (err as any)?.code === \"CONNECT_TIMEOUT\") {\r\n return runAttempt();\r\n }\r\n throw err;\r\n }\r\n };\r\n\r\n // Return a proxy so every pool property/method is forwarded as-is, but\r\n // pool.query() goes through the resilient wrapper. drizzle-neon-serverless\r\n // calls pool.connect() for transactions and pool.query() for simple queries.\r\n return new Proxy(pool, {\r\n get(target, prop) {\r\n if (prop === \"query\") return resilientQuery;\r\n const val = (target as any)[prop];\r\n return typeof val === \"function\" ? val.bind(target) : val;\r\n },\r\n });\r\n}\r\n\r\n/**\r\n * Wraps a postgres.js client so Drizzle queries on the non-Neon Postgres\r\n * path get the same withDbTimeout + retryOnConnectionError protection as\r\n * every other Postgres path (raw DbExec postgres.js, raw DbExec Neon, and\r\n * the Drizzle Neon pool above). Without this, one hung query on a BYO\r\n * Postgres deployment stalls its request forever.\r\n *\r\n * Drizzle's postgres-js session only calls `client.unsafe(query, params)` —\r\n * awaited directly for row-object results or via `.values()` for row-array\r\n * results — plus `client.begin(...)` for transactions. We interpose on\r\n * `unsafe` with a lazy thenable that re-issues the query per retry attempt,\r\n * and leave transactions unwrapped (same rule as the Neon wrapper: the\r\n * driver manages the sticky connection inside `begin`).\r\n *\r\n * Retry-safety mirrors buildResilientNeonPool: reads retry freely on\r\n * connection-class errors; writes retry only on CONNECT_TIMEOUT (postgres.js\r\n * raises it before the statement is ever sent), so writes can't\r\n * double-execute.\r\n */\r\nexport function buildResilientPostgresJsClient<\r\n T extends {\r\n unsafe(query: string, params?: any[], options?: any): any;\r\n },\r\n>(client: T): T {\r\n const wrapUnsafe = (query: string, params?: any[], options?: any) => {\r\n const isRead = isSqlRead(query);\r\n\r\n const runAttempt = (mode: \"rows\" | \"values\") => async (): Promise<any> => {\r\n const pending = client.unsafe(query, params, options);\r\n return withDbTimeout(\r\n \"query\",\r\n async () => (mode === \"values\" ? pending.values() : pending),\r\n dbOpTimeoutMs(),\r\n () => {\r\n // Best-effort cancel so the timed-out statement doesn't keep\r\n // occupying one of the (small, serverless-capped) pool slots.\r\n try {\r\n pending.cancel?.();\r\n } catch {\r\n // ignore — cancellation is advisory\r\n }\r\n },\r\n );\r\n };\r\n\r\n const execute = async (mode: \"rows\" | \"values\"): Promise<any> => {\r\n if (isRead) return retryOnConnectionError(runAttempt(mode));\r\n try {\r\n return await runAttempt(mode)();\r\n } catch (err) {\r\n // Connect timeout fires before the statement is sent → one retry is\r\n // safe even for writes.\r\n if (\r\n isConnectionError(err) &&\r\n (err as any)?.code === \"CONNECT_TIMEOUT\"\r\n ) {\r\n return runAttempt(mode)();\r\n }\r\n throw err;\r\n }\r\n };\r\n\r\n // Lazy thenable mirroring the slice of postgres.js's PendingQuery\r\n // surface that Drizzle uses: `await q` or `await q.values()`.\r\n return {\r\n then: (onFulfilled?: any, onRejected?: any) =>\r\n execute(\"rows\").then(onFulfilled, onRejected),\r\n catch: (onRejected?: any) => execute(\"rows\").catch(onRejected),\r\n finally: (onFinally?: any) => execute(\"rows\").finally(onFinally),\r\n values: () => execute(\"values\"),\r\n };\r\n };\r\n\r\n return new Proxy(client as any, {\r\n get(target, prop) {\r\n if (prop === \"unsafe\") return wrapUnsafe;\r\n const val = target[prop];\r\n return typeof val === \"function\" ? val.bind(target) : val;\r\n },\r\n }) as T;\r\n}\r\n\r\n/**\r\n * Neon's pooler endpoints cold-start in 5–10s. Serverless environments\r\n * (Netlify Functions, Vercel Edge, CF Workers) have short cold-start\r\n * budgets of their own, and `postgres-js` opens a raw TCP connection on\r\n * port 5432 that can't negotiate around Neon's wake-up window — every\r\n * request after an idle period 502s. `@neondatabase/serverless` rides\r\n * over WebSockets (HTTP/443 upgrade) and handles Neon wake-up\r\n * transparently, supports transactions, and works in every serverless\r\n * runtime we deploy to, so we prefer it whenever the URL points at Neon.\r\n */\r\nexport function isNeonUrl(url: string): boolean {\r\n // Must match neon.tech followed by port/path/query/end — include `?` so\r\n // URLs like `postgres://…@ep.neon.tech?sslmode=require` (no explicit port\r\n // or path) still route through the serverless driver.\r\n return /\\.neon\\.tech([:/?]|$)/.test(url);\r\n}\r\n\r\nlet _libsqlWebDrizzle: Promise<{ drizzle: any }> | undefined;\r\nfunction getLibsqlWebDrizzle() {\r\n if (!_libsqlWebDrizzle) {\r\n _libsqlWebDrizzle = import(\"drizzle-orm/libsql/web\").then((mod) => ({\r\n drizzle: mod.drizzle,\r\n }));\r\n }\r\n return _libsqlWebDrizzle;\r\n}\r\n\r\nlet _betterSqliteDrizzle: Promise<{ drizzle: any; Database: any }> | undefined;\r\nfunction getBetterSqliteDrizzle() {\r\n if (!_betterSqliteDrizzle) {\r\n _betterSqliteDrizzle = Promise.all([\r\n import(\"drizzle-orm/better-sqlite3\"),\r\n import(\"better-sqlite3\"),\r\n ]).then(([drizzleMod, sqliteMod]) => ({\r\n drizzle: drizzleMod.drizzle,\r\n Database: sqliteMod.default,\r\n }));\r\n }\r\n return _betterSqliteDrizzle;\r\n}\r\n\r\n/**\r\n * Patch a drizzle-orm/better-sqlite3 instance so that db.transaction(async …)\r\n * works. The native better-sqlite3 Transaction wrapper is sync-only — passing\r\n * an async callback throws \"Transaction function cannot return a promise\".\r\n *\r\n * This wrapper bypasses the native path by issuing raw SQL control statements\r\n * on the single better-sqlite3 connection, which is safe because:\r\n * - better-sqlite3 is single-connection (no concurrency inside one process)\r\n * - the framework serialises all async work through one Database instance\r\n *\r\n * Nesting: if a transaction is already open (sqlite.inTransaction === true),\r\n * SAVEPOINT / RELEASE / ROLLBACK TO is used instead of BEGIN / COMMIT /\r\n * ROLLBACK, matching drizzle's own BetterSQLiteTransaction.transaction().\r\n *\r\n * The patched transaction also patches the tx object it passes to the callback\r\n * so that nested async calls (tx.transaction(async …)) work recursively.\r\n */\r\n/** @internal exported for the async-tx concurrency spec */\r\nexport function patchBetterSqliteTransactions<\r\n DB extends { transaction: (...args: any[]) => any; session: any },\r\n>(db: DB, sqlite: { inTransaction: boolean; exec: (sql: string) => void }): DB {\r\n let savepointSeq = 0;\r\n // Concurrent TOP-LEVEL async transactions on the single better-sqlite3\r\n // connection must not interleave: a second transaction starting while the\r\n // first is open would see `inTransaction` and open a savepoint INSIDE the\r\n // first transaction, which then commits out from under it (\"no such\r\n // savepoint\"). Serialize top-level transactions through a promise chain;\r\n // genuine same-task nesting (tx.transaction or db.transaction inside an\r\n // open callback) is detected via AsyncLocalStorage and keeps the direct\r\n // savepoint path so it cannot deadlock on the queue.\r\n const txContext = new AsyncLocalStorage<boolean>();\r\n let txChain: Promise<unknown> = Promise.resolve();\r\n\r\n function makeAsyncTransaction(\r\n originalTransaction: (...args: any[]) => any,\r\n ): (...args: any[]) => Promise<unknown> {\r\n async function runTransactionBody(\r\n cb: (tx: unknown) => unknown,\r\n ): Promise<unknown> {\r\n // Extract the drizzle tx proxy synchronously — call the original with a\r\n // stub that captures the tx arg then immediately throws a sentinel so\r\n // better-sqlite3's native wrapper rolls back the stub and re-throws.\r\n // The sentinel is caught here and never propagates further.\r\n let capturedTx: unknown;\r\n try {\r\n originalTransaction((tx: unknown) => {\r\n capturedTx = tx;\r\n throw _EXTRACT_TX;\r\n });\r\n } catch (e) {\r\n if (e !== _EXTRACT_TX) throw e;\r\n }\r\n\r\n // Recursively patch the nested tx so tx.transaction(async …) also works.\r\n const tx = capturedTx as { transaction: (...a: any[]) => any };\r\n if (tx && typeof tx.transaction === \"function\") {\r\n tx.transaction = makeAsyncTransaction(tx.transaction.bind(tx));\r\n }\r\n\r\n const nested = sqlite.inTransaction;\r\n if (nested) {\r\n const sp = `sp_async_${++savepointSeq}`;\r\n sqlite.exec(`SAVEPOINT ${sp}`);\r\n let released = false;\r\n try {\r\n const result = await cb(tx);\r\n sqlite.exec(`RELEASE SAVEPOINT ${sp}`);\r\n released = true;\r\n return result;\r\n } catch (err) {\r\n if (!released) {\r\n try {\r\n sqlite.exec(`ROLLBACK TO SAVEPOINT ${sp}`);\r\n sqlite.exec(`RELEASE SAVEPOINT ${sp}`);\r\n } catch {\r\n /* ignore: connection may already be in an error state */\r\n }\r\n }\r\n throw err;\r\n }\r\n }\r\n\r\n // Top-level: BEGIN IMMEDIATE … COMMIT / ROLLBACK.\r\n sqlite.exec(\"BEGIN IMMEDIATE\");\r\n let committed = false;\r\n try {\r\n const result = await cb(tx);\r\n sqlite.exec(\"COMMIT\");\r\n committed = true;\r\n return result;\r\n } catch (err) {\r\n if (!committed) {\r\n try {\r\n sqlite.exec(\"ROLLBACK\");\r\n } catch {\r\n /* swallow: connection may already be unusable */\r\n }\r\n }\r\n throw err;\r\n }\r\n }\r\n\r\n return function asyncTransaction(\r\n cb: (tx: unknown) => unknown,\r\n ): Promise<unknown> {\r\n if (txContext.getStore()) {\r\n // Same-task nesting: run directly (savepoint path inside the open\r\n // transaction). Queueing here would deadlock behind the outer tx.\r\n return runTransactionBody(cb);\r\n }\r\n const run = () => txContext.run(true, () => runTransactionBody(cb));\r\n const next = txChain.then(run, run);\r\n txChain = next.then(\r\n () => undefined,\r\n () => undefined,\r\n );\r\n return next;\r\n };\r\n }\r\n\r\n db.transaction = makeAsyncTransaction(db.transaction.bind(db));\r\n return db;\r\n}\r\n\r\n/** Sentinel thrown inside the tx-extraction stub — never escapes the catch. */\r\nconst _EXTRACT_TX = Symbol(\"extract-tx\");\r\n\r\nexport function createGetDb<T extends Record<string, unknown>>(schema: T) {\r\n let _db: any;\r\n let _dbReady: Promise<any> | undefined;\r\n\r\n function startInit(): Promise<any> {\r\n if (_dbReady) return _dbReady;\r\n\r\n const url = getDatabaseUrl(\"file:./data/app.db\");\r\n const dialect = getDialect();\r\n\r\n // D1 only if dialect detected it (DATABASE_URL takes priority)\r\n if (dialect === \"d1\") {\r\n const d1 = getCloudflareD1Binding() as\r\n | Parameters<typeof drizzleD1>[0]\r\n | undefined;\r\n if (d1) {\r\n _db = drizzleD1(d1, { schema }) as unknown as LibSQLDatabase<T>;\r\n _dbReady = Promise.resolve(_db);\r\n return _dbReady;\r\n }\r\n }\r\n\r\n if (isPgliteUrl(url)) {\r\n _dbReady = loadPgliteDrizzle().then(async ({ drizzle }) => {\r\n const client = await getPgliteClient(url);\r\n _db = drizzle({ client, schema });\r\n });\r\n return _dbReady;\r\n }\r\n\r\n if (dialect === \"postgres\") {\r\n if (isNeonUrl(url)) {\r\n _dbReady = getNeonServerlessDrizzle().then(\r\n ({ drizzle, Pool, neonConfig }) => {\r\n // Cloudflare Workers (workerd) forbids reusing I/O objects across\r\n // requests — a WebSocket client cached in the pool by request A and\r\n // handed to request B throws \"Cannot perform I/O on behalf of a\r\n // different request\" and hangs the worker. Route plain queries over\r\n // Neon's stateless HTTP transport (poolQueryViaFetch) and cap each\r\n // WebSocket client (used for transactions) to a single use so it is\r\n // never reused across requests.\r\n const cfWorker = isCloudflareRuntime();\r\n if (cfWorker) neonConfig.poolQueryViaFetch = true;\r\n const rawPool = new Pool({\r\n connectionString: url,\r\n max: neonPoolMax(),\r\n ...(cfWorker ? { maxUses: 1 } : {}),\r\n });\r\n attachNeonPoolErrorLogger(rawPool);\r\n // Wrap the pool with the resilience layer so Drizzle queries get the\r\n // same withDbTimeout + retryOnConnectionError protection as the raw\r\n // DbExec path in client.ts. Reads retry freely; writes only retry on\r\n // acquire-timeout (pre-send) errors to avoid double-execution.\r\n const pool = buildResilientNeonPool(rawPool);\r\n _db = drizzle(pool, { schema });\r\n },\r\n );\r\n } else {\r\n _dbReady = getPgDrizzle().then(({ drizzle, postgres }) => {\r\n // pgPoolOptions caps the pool to a small size on serverless so\r\n // concurrent frozen instances don't exhaust Neon/Postgres'\r\n // connection limit (\"Max client connections reached\").\r\n const client = postgres(url, pgPoolOptions(url));\r\n _db = drizzle(buildResilientPostgresJsClient(client), { schema });\r\n });\r\n }\r\n } else if (isLocalSqliteUrl(url)) {\r\n _dbReady = Promise.all([\r\n prepareLocalSqliteUrl(url.startsWith(\"file:\") ? url : `file:${url}`),\r\n getBetterSqliteDrizzle(),\r\n ]).then(([sqliteUrl, { drizzle, Database }]) => {\r\n const sqlite = new Database(sqliteFilenameFromUrl(sqliteUrl));\r\n // Wait up to 10s for a concurrent writer instead of failing fast\r\n // with SQLITE_BUSY — mirrors the raw DbExec SQLite path in client.ts.\r\n sqlite.pragma(\"busy_timeout = 10000\");\r\n sqlite.pragma(\"journal_mode = WAL\");\r\n const db = drizzle(sqlite, { schema });\r\n _db = patchBetterSqliteTransactions(db, sqlite);\r\n });\r\n } else {\r\n _dbReady = getLibsqlWebDrizzle().then(({ drizzle }) => {\r\n _db = drizzle({\r\n connection: { url, authToken: getDatabaseAuthToken() },\r\n schema,\r\n });\r\n });\r\n }\r\n return _dbReady;\r\n }\r\n\r\n /**\r\n * Create a lazy proxy that records property accesses and method calls,\r\n * then replays them on the real DB once init completes. Supports\r\n * Drizzle's chained API: db.select().from(table).where(...).\r\n *\r\n * When `.then()` is called (i.e. the chain is awaited), the proxy\r\n * awaits _dbReady and replays the recorded chain on the real _db.\r\n */\r\n function createLazyProxy(\r\n ready: Promise<any>,\r\n chain: Array<{ prop: string | symbol; args?: any[] }>,\r\n ): any {\r\n return new Proxy(function () {} as any, {\r\n get(_target, prop) {\r\n // When awaited, replay the chain on the real db\r\n if (prop === \"then\" || prop === \"catch\" || prop === \"finally\") {\r\n const promise = ready.then(() => {\r\n let result: any = _db;\r\n for (const step of chain) {\r\n const val = result[step.prop];\r\n result =\r\n typeof val === \"function\" ? val.apply(result, step.args) : val;\r\n }\r\n return result;\r\n });\r\n return (promise as any)[prop].bind(promise);\r\n }\r\n // Symbol.toStringTag, Symbol.iterator, etc. — return another proxy\r\n // Property access (e.g. db.query) — record and return another proxy\r\n return createLazyProxy(ready, [...chain, { prop }]);\r\n },\r\n apply(_target, _thisArg, args) {\r\n // Method call (e.g. .from(table)) — record args and return another proxy\r\n if (chain.length === 0) return createLazyProxy(ready, []);\r\n const last = chain[chain.length - 1];\r\n const newChain = chain.slice(0, -1);\r\n newChain.push({ prop: last.prop, args });\r\n return createLazyProxy(ready, newChain);\r\n },\r\n });\r\n }\r\n\r\n /**\r\n * Get the Drizzle DB instance. Kicks off lazy init on first call.\r\n * If the async init hasn't completed yet, returns a lazy Proxy that\r\n * records the Drizzle chain (select/from/where/etc.) and replays it\r\n * once the DB driver finishes loading. Since callers always `await`\r\n * the final result, the proxy is transparent.\r\n */\r\n function getDb(): LibSQLDatabase<T> {\r\n if (_db) return _db;\r\n startInit();\r\n if (_db) return _db;\r\n\r\n return createLazyProxy(_dbReady!, []) as LibSQLDatabase<T>;\r\n }\r\n\r\n return getDb;\r\n}\r\n"]}
1
+ {"version":3,"file":"create-get-db.js","sourceRoot":"","sources":["../../src/db/create-get-db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAErD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAGtD,OAAO,EACL,UAAU,EACV,sBAAsB,EACtB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,qBAAqB,EACrB,aAAa,EACb,WAAW,EACX,yBAAyB,EACzB,aAAa,EACb,sBAAsB,EACtB,aAAa,GACd,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAE3D,0EAA0E;AAC1E,IAAI,UAAgE,CAAC;AACrE,SAAS,YAAY;IACnB,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC;YACvB,MAAM,CAAC,yBAAyB,CAAC;YACjC,MAAM,CAAC,UAAU,CAAC;SACnB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YAChC,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,QAAQ,EAAE,KAAK,CAAC,OAAO;SACxB,CAAC,CAAC,CAAC;IACN,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,IAAI,sBAES,CAAC;AACd,SAAS,wBAAwB;IAC/B,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,sBAAsB,GAAG,OAAO,CAAC,GAAG,CAAC;YACnC,MAAM,CAAC,6BAA6B,CAAC;YACrC,MAAM,CAAC,0BAA0B,CAAC;SACnC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;YAClC,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,UAAU,EAAE,OAAO,CAAC,UAAU;SAC/B,CAAC,CAAC,CAAC;IACN,CAAC;IACD,OAAO,sBAAsB,CAAC;AAChC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,SAAS,CAAC,GAAW;IACnC,OAAO,sBAAsB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,sBAAsB,CACpC,IAQC,EACD,OASC;IAED,MAAM,YAAY,GAAG,OAAO,EAAE,YAAY,KAAK,IAAI,CAAC;IACpD,6EAA6E;IAC7E,2EAA2E;IAC3E,oEAAoE;IACpE,MAAM,cAAc,GAAG,KAAK,EAC1B,GAAW,EACX,IAAY,EACqC,EAAE;QACnD,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;QAE9B,MAAM,UAAU,GAAG,KAAK,IAGrB,EAAE;YACH,IAAI,YAAY,EAAE,CAAC;gBACjB,8DAA8D;gBAC9D,gEAAgE;gBAChE,OAAO,aAAa,CAClB,OAAO,EACP,GAAG,EAAE,CACH,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,IAAI,EAAE,CAGxB,EACJ,aAAa,EAAE,CAChB,CAAC;YACJ,CAAC;YACD,yEAAyE;YACzE,2EAA2E;YAC3E,IAAI,eAAe,GAAG,KAAK,CAAC;YAC5B,MAAM,MAAM,GAAG,MAAM,aAAa,CAChC,SAAS,EACT,GAAG,EAAE,CACH,IAAI,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE;gBAC7B,gEAAgE;gBAChE,2CAA2C;gBAC3C,IAAI,eAAe;oBAAE,CAAC,CAAC,OAAO,EAAE,CAAC;gBACjC,OAAO,CAAC,CAAC;YACX,CAAC,CAAC,EACJ,aAAa,EAAE,EACf,GAAG,EAAE;gBACH,eAAe,GAAG,IAAI,CAAC;YACzB,CAAC,CACF,CAAC;YAEF,IAAI,QAAQ,GAAG,KAAK,CAAC;YACrB,MAAM,aAAa,GAAG,CAAC,GAAqB,EAAE,EAAE;gBAC9C,IAAI,QAAQ;oBAAE,OAAO;gBACrB,QAAQ,GAAG,IAAI,CAAC;gBAChB,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACtB,CAAC,CAAC;YAEF,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,aAAa,CAChC,OAAO,EACP,GAAG,EAAE,CACH,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,IAAI,EAAE,CAG1B,EACJ,aAAa,EAAE,EACf,GAAG,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAC1B,CAAC;gBACF,aAAa,EAAE,CAAC;gBAChB,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,aAAa,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;gBACzD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC,CAAC;QAEF,IAAI,MAAM,EAAE,CAAC;YACX,uEAAuE;YACvE,OAAO,sBAAsB,CAAC,UAAU,CAAC,CAAC;QAC5C,CAAC;QAED,sEAAsE;QACtE,wEAAwE;QACxE,0EAA0E;QAC1E,mEAAmE;QACnE,oBAAoB;QACpB,IAAI,CAAC;YACH,OAAO,MAAM,UAAU,EAAE,CAAC;QAC5B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,mEAAmE;YACnE,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAK,GAAW,EAAE,IAAI,KAAK,iBAAiB,EAAE,CAAC;gBACvE,OAAO,UAAU,EAAE,CAAC;YACtB,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;IAEF,uEAAuE;IACvE,2EAA2E;IAC3E,6EAA6E;IAC7E,OAAO,IAAI,KAAK,CAAC,IAAI,EAAE;QACrB,GAAG,CAAC,MAAM,EAAE,IAAI;YACd,IAAI,IAAI,KAAK,OAAO;gBAAE,OAAO,cAAc,CAAC;YAC5C,MAAM,GAAG,GAAI,MAAc,CAAC,IAAI,CAAC,CAAC;YAClC,OAAO,OAAO,GAAG,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAC5D,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,8BAA8B,CAI5C,MAAS;IACT,MAAM,UAAU,GAAG,CAAC,KAAa,EAAE,MAAc,EAAE,OAAa,EAAE,EAAE;QAClE,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAEhC,MAAM,UAAU,GAAG,CAAC,IAAuB,EAAE,EAAE,CAAC,KAAK,IAAkB,EAAE;YACvE,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;YACtD,OAAO,aAAa,CAClB,OAAO,EACP,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAC5D,aAAa,EAAE,EACf,GAAG,EAAE;gBACH,6DAA6D;gBAC7D,8DAA8D;gBAC9D,IAAI,CAAC;oBACH,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;gBACrB,CAAC;gBAAC,MAAM,CAAC;oBACP,oCAAoC;gBACtC,CAAC;YACH,CAAC,CACF,CAAC;QACJ,CAAC,CAAC;QAEF,MAAM,OAAO,GAAG,KAAK,EAAE,IAAuB,EAAgB,EAAE;YAC9D,IAAI,MAAM;gBAAE,OAAO,sBAAsB,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;YAC5D,IAAI,CAAC;gBACH,OAAO,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAClC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,oEAAoE;gBACpE,wBAAwB;gBACxB,IACE,iBAAiB,CAAC,GAAG,CAAC;oBACrB,GAAW,EAAE,IAAI,KAAK,iBAAiB,EACxC,CAAC;oBACD,OAAO,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5B,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC,CAAC;QAEF,kEAAkE;QAClE,8DAA8D;QAC9D,OAAO;YACL,IAAI,EAAE,CAAC,WAAiB,EAAE,UAAgB,EAAE,EAAE,CAC5C,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC;YAC/C,KAAK,EAAE,CAAC,UAAgB,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC;YAC9D,OAAO,EAAE,CAAC,SAAe,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YAChE,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;SAChC,CAAC;IACJ,CAAC,CAAC;IAEF,OAAO,IAAI,KAAK,CAAC,MAAa,EAAE;QAC9B,GAAG,CAAC,MAAM,EAAE,IAAI;YACd,IAAI,IAAI,KAAK,QAAQ;gBAAE,OAAO,UAAU,CAAC;YACzC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;YACzB,OAAO,OAAO,GAAG,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAC5D,CAAC;KACF,CAAM,CAAC;AACV,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,SAAS,CAAC,GAAW;IACnC,wEAAwE;IACxE,0EAA0E;IAC1E,sDAAsD;IACtD,OAAO,uBAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC3C,CAAC;AAED,IAAI,iBAAwD,CAAC;AAC7D,SAAS,mBAAmB;IAC1B,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,iBAAiB,GAAG,MAAM,CAAC,wBAAwB,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YAClE,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC,CAAC,CAAC;IACN,CAAC;IACD,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED,IAAI,oBAA0E,CAAC;AAC/E,SAAS,sBAAsB;IAC7B,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC;YACjC,MAAM,CAAC,4BAA4B,CAAC;YACpC,MAAM,CAAC,gBAAgB,CAAC;SACzB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;YACpC,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,QAAQ,EAAE,SAAS,CAAC,OAAO;SAC5B,CAAC,CAAC,CAAC;IACN,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,2DAA2D;AAC3D,MAAM,UAAU,6BAA6B,CAE3C,EAAM,EAAE,MAA+D;IACvE,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,uEAAuE;IACvE,0EAA0E;IAC1E,0EAA0E;IAC1E,oEAAoE;IACpE,yEAAyE;IACzE,wEAAwE;IACxE,wEAAwE;IACxE,qDAAqD;IACrD,MAAM,SAAS,GAAG,IAAI,iBAAiB,EAAW,CAAC;IACnD,IAAI,OAAO,GAAqB,OAAO,CAAC,OAAO,EAAE,CAAC;IAElD,SAAS,oBAAoB,CAC3B,mBAA4C;QAE5C,KAAK,UAAU,kBAAkB,CAC/B,EAA4B;YAE5B,wEAAwE;YACxE,sEAAsE;YACtE,qEAAqE;YACrE,4DAA4D;YAC5D,IAAI,UAAmB,CAAC;YACxB,IAAI,CAAC;gBACH,mBAAmB,CAAC,CAAC,EAAW,EAAE,EAAE;oBAClC,UAAU,GAAG,EAAE,CAAC;oBAChB,MAAM,WAAW,CAAC;gBACpB,CAAC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,KAAK,WAAW;oBAAE,MAAM,CAAC,CAAC;YACjC,CAAC;YAED,yEAAyE;YACzE,MAAM,EAAE,GAAG,UAAmD,CAAC;YAC/D,IAAI,EAAE,IAAI,OAAO,EAAE,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;gBAC/C,EAAE,CAAC,WAAW,GAAG,oBAAoB,CAAC,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YACjE,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,CAAC,aAAa,CAAC;YACpC,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,EAAE,GAAG,YAAY,EAAE,YAAY,EAAE,CAAC;gBACxC,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;gBAC/B,IAAI,QAAQ,GAAG,KAAK,CAAC;gBACrB,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC;oBACvC,QAAQ,GAAG,IAAI,CAAC;oBAChB,OAAO,MAAM,CAAC;gBAChB,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,CAAC,QAAQ,EAAE,CAAC;wBACd,IAAI,CAAC;4BACH,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,CAAC,CAAC;4BAC3C,MAAM,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC;wBACzC,CAAC;wBAAC,MAAM,CAAC;4BACP,yDAAyD;wBAC3D,CAAC;oBACH,CAAC;oBACD,MAAM,GAAG,CAAC;gBACZ,CAAC;YACH,CAAC;YAED,kDAAkD;YAClD,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC/B,IAAI,SAAS,GAAG,KAAK,CAAC;YACtB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;gBAC5B,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACtB,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,IAAI,CAAC;wBACH,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;oBAC1B,CAAC;oBAAC,MAAM,CAAC;wBACP,iDAAiD;oBACnD,CAAC;gBACH,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,OAAO,SAAS,gBAAgB,CAC9B,EAA4B;YAE5B,IAAI,SAAS,CAAC,QAAQ,EAAE,EAAE,CAAC;gBACzB,kEAAkE;gBAClE,kEAAkE;gBAClE,OAAO,kBAAkB,CAAC,EAAE,CAAC,CAAC;YAChC,CAAC;YACD,MAAM,GAAG,GAAG,GAAG,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,kBAAkB,CAAC,EAAE,CAAC,CAAC,CAAC;YACpE,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACpC,OAAO,GAAG,IAAI,CAAC,IAAI,CACjB,GAAG,EAAE,CAAC,SAAS,EACf,GAAG,EAAE,CAAC,SAAS,CAChB,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;IACJ,CAAC;IAED,EAAE,CAAC,WAAW,GAAG,oBAAoB,CAAC,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/D,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,+EAA+E;AAC/E,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;AAEzC,MAAM,UAAU,WAAW,CAAoC,MAAS;IACtE,IAAI,GAAQ,CAAC;IACb,IAAI,QAAkC,CAAC;IAEvC,SAAS,SAAS;QAChB,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAE9B,MAAM,GAAG,GAAG,cAAc,CAAC,oBAAoB,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;QAE7B,+DAA+D;QAC/D,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACrB,MAAM,EAAE,GAAG,sBAAsB,EAEpB,CAAC;YACd,IAAI,EAAE,EAAE,CAAC;gBACP,GAAG,GAAG,SAAS,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,CAAiC,CAAC;gBAChE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAChC,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;QAED,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,QAAQ,GAAG,iBAAiB,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;gBACxD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;gBAC1C,GAAG,GAAG,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;YACpC,CAAC,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,IAAI,OAAO,KAAK,UAAU,EAAE,CAAC;YAC3B,IAAI,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnB,QAAQ,GAAG,wBAAwB,EAAE,CAAC,IAAI,CACxC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE;oBAChC,kEAAkE;oBAClE,oEAAoE;oBACpE,gEAAgE;oBAChE,oEAAoE;oBACpE,mEAAmE;oBACnE,oEAAoE;oBACpE,gCAAgC;oBAChC,MAAM,QAAQ,GAAG,mBAAmB,EAAE,CAAC;oBACvC,IAAI,QAAQ;wBAAE,UAAU,CAAC,iBAAiB,GAAG,IAAI,CAAC;oBAClD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC;wBACvB,gBAAgB,EAAE,GAAG;wBACrB,GAAG,EAAE,WAAW,EAAE;wBAClB,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBACpC,CAAC,CAAC;oBACH,yBAAyB,CAAC,OAAO,CAAC,CAAC;oBACnC,qEAAqE;oBACrE,oEAAoE;oBACpE,qEAAqE;oBACrE,+DAA+D;oBAC/D,MAAM,IAAI,GAAG,sBAAsB,CAAC,OAAO,EAAE;wBAC3C,YAAY,EAAE,QAAQ;qBACvB,CAAC,CAAC;oBACH,GAAG,GAAG,OAAO,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;gBAClC,CAAC,CACF,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,QAAQ,GAAG,YAAY,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE;oBACvD,+DAA+D;oBAC/D,2DAA2D;oBAC3D,uDAAuD;oBACvD,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;oBACjD,GAAG,GAAG,OAAO,CAAC,8BAA8B,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;gBACpE,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,IAAI,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC;gBACrB,qBAAqB,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,GAAG,EAAE,CAAC;gBACpE,sBAAsB,EAAE;aACzB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE;gBAC7C,MAAM,MAAM,GAAG,IAAI,QAAQ,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC,CAAC;gBAC9D,iEAAiE;gBACjE,sEAAsE;gBACtE,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;gBACtC,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;gBACpC,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;gBACvC,GAAG,GAAG,6BAA6B,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YAClD,CAAC,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,mBAAmB,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE;gBACpD,GAAG,GAAG,OAAO,CAAC;oBACZ,UAAU,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,oBAAoB,EAAE,EAAE;oBACtD,MAAM;iBACP,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;;;;;OAOG;IACH,SAAS,eAAe,CACtB,KAAmB,EACnB,KAAqD;QAErD,OAAO,IAAI,KAAK,CAAC,cAAa,CAAQ,EAAE;YACtC,GAAG,CAAC,OAAO,EAAE,IAAI;gBACf,gDAAgD;gBAChD,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;oBAC9D,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE;wBAC9B,IAAI,MAAM,GAAQ,GAAG,CAAC;wBACtB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;4BACzB,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;4BAC9B,MAAM;gCACJ,OAAO,GAAG,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;wBACnE,CAAC;wBACD,OAAO,MAAM,CAAC;oBAChB,CAAC,CAAC,CAAC;oBACH,OAAQ,OAAe,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC9C,CAAC;gBACD,mEAAmE;gBACnE,oEAAoE;gBACpE,OAAO,eAAe,CAAC,KAAK,EAAE,CAAC,GAAG,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YACtD,CAAC;YACD,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,IAAI;gBAC3B,yEAAyE;gBACzE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO,eAAe,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBAC1D,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACrC,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;gBACpC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;gBACzC,OAAO,eAAe,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YAC1C,CAAC;SACF,CAAC,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACH,SAAS,KAAK;QACZ,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;QACpB,SAAS,EAAE,CAAC;QACZ,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;QAEpB,OAAO,eAAe,CAAC,QAAS,EAAE,EAAE,CAAsB,CAAC;IAC7D,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["import { AsyncLocalStorage } from \"node:async_hooks\";\r\n\r\nimport { drizzle as drizzleD1 } from \"drizzle-orm/d1\";\r\nimport type { LibSQLDatabase } from \"drizzle-orm/libsql\";\r\n\r\nimport {\r\n getDialect,\r\n getCloudflareD1Binding,\r\n getDatabaseUrl,\r\n getDatabaseAuthToken,\r\n isLocalSqliteUrl,\r\n isPgliteUrl,\r\n isConnectionError,\r\n getPgliteClient,\r\n loadPgliteDrizzle,\r\n prepareLocalSqliteUrl,\r\n sqliteFilenameFromUrl,\r\n pgPoolOptions,\r\n neonPoolMax,\r\n attachNeonPoolErrorLogger,\r\n withDbTimeout,\r\n retryOnConnectionError,\r\n dbOpTimeoutMs,\r\n} from \"./client.js\";\r\nimport { isCloudflareRuntime } from \"../shared/runtime.js\";\r\n\r\n// Lazy driver loaders — cached promises so dynamic import only runs once.\r\nlet _pgDrizzle: Promise<{ drizzle: any; postgres: any }> | undefined;\r\nfunction getPgDrizzle() {\r\n if (!_pgDrizzle) {\r\n _pgDrizzle = Promise.all([\r\n import(\"drizzle-orm/postgres-js\"),\r\n import(\"postgres\"),\r\n ]).then(([drizzleMod, pgMod]) => ({\r\n drizzle: drizzleMod.drizzle,\r\n postgres: pgMod.default,\r\n }));\r\n }\r\n return _pgDrizzle;\r\n}\r\n\r\nlet _neonServerlessDrizzle:\r\n | Promise<{ drizzle: any; Pool: any; neonConfig: any }>\r\n | undefined;\r\nfunction getNeonServerlessDrizzle() {\r\n if (!_neonServerlessDrizzle) {\r\n _neonServerlessDrizzle = Promise.all([\r\n import(\"drizzle-orm/neon-serverless\"),\r\n import(\"@neondatabase/serverless\"),\r\n ]).then(([drizzleMod, neonMod]) => ({\r\n drizzle: drizzleMod.drizzle,\r\n Pool: neonMod.Pool,\r\n neonConfig: neonMod.neonConfig,\r\n }));\r\n }\r\n return _neonServerlessDrizzle;\r\n}\r\n\r\n/**\r\n * Returns true when a SQL string starts with a SELECT-class verb.\r\n * Used by the Neon resilience wrapper to decide retry safety:\r\n * - reads (SELECT) → retryable on any connection-class error\r\n * - writes (INSERT/UPDATE/DELETE/…) → only retryable on errors that\r\n * provably occurred BEFORE the statement was sent (e.g. an acquire /\r\n * connect timeout). Post-send write failures must propagate to the caller\r\n * to avoid double-execution.\r\n */\r\nexport function isSqlRead(sql: string): boolean {\r\n return /^\\s*(SELECT|WITH\\s)/i.test(sql);\r\n}\r\n\r\n/**\r\n * Wraps a @neondatabase/serverless Pool so every query goes through\r\n * the same withDbTimeout + retryOnConnectionError resilience that the\r\n * raw DbExec path in client.ts uses. This protects Drizzle queries\r\n * (which bypass DbExec) from the frozen-WebSocket failure mode documented\r\n * in client.ts (~lines 378–408).\r\n *\r\n * Retry-safety rule (prevents double-execution on writes):\r\n * - Reads (SELECT / WITH …): retry freely on any connection-class error.\r\n * - Writes: only retry when the error occurred during connection acquire\r\n * (i.e. withDbTimeout \"connect\" timed out before the statement was ever\r\n * sent). Post-send failures on writes are rethrown immediately.\r\n *\r\n * Transactions: we do NOT wrap individual queries inside a drizzle\r\n * transaction — drizzle-neon-serverless manages the session itself, so\r\n * interposing a per-query client acquire/release would break the sticky\r\n * connection the transaction needs. The pool-level error logger still fires\r\n * on idle-client drops inside transactions.\r\n */\r\nexport function buildResilientNeonPool(\r\n pool: {\r\n connect(): Promise<any>;\r\n query(\r\n sql: string,\r\n args?: any[],\r\n ): Promise<{ rows: unknown[]; rowCount?: number }>;\r\n end(): Promise<void>;\r\n on(event: string, listener: (...args: any[]) => void): unknown;\r\n },\r\n options?: {\r\n /**\r\n * Route plain queries through pool.query() instead of a manual\r\n * connect()/client.query()/release() checkout. Required on Cloudflare\r\n * Workers where neonConfig.poolQueryViaFetch routes pool.query() over\r\n * Neon's stateless HTTP transport — the manual checkout would bypass\r\n * that and pin queries to per-request WebSocket clients.\r\n */\r\n httpPerQuery?: boolean;\r\n },\r\n): typeof pool {\r\n const httpPerQuery = options?.httpPerQuery === true;\r\n // Preserve all original pool methods and properties; only override `connect`\r\n // and `query` at the Pool level (used by drizzle's neon-serverless adapter\r\n // when it calls pool.query() directly, e.g. outside a transaction).\r\n const resilientQuery = async (\r\n sql: string,\r\n args?: any[],\r\n ): Promise<{ rows: unknown[]; rowCount?: number }> => {\r\n const isRead = isSqlRead(sql);\r\n\r\n const runAttempt = async (): Promise<{\r\n rows: unknown[];\r\n rowCount?: number;\r\n }> => {\r\n if (httpPerQuery) {\r\n // Stateless HTTP transport (poolQueryViaFetch): no connection\r\n // checkout, no persistent socket — just bound the query itself.\r\n return withDbTimeout(\r\n \"query\",\r\n () =>\r\n pool.query(sql, args ?? []) as Promise<{\r\n rows: unknown[];\r\n rowCount?: number;\r\n }>,\r\n dbOpTimeoutMs(),\r\n );\r\n }\r\n // Bound the pool.connect() acquire — a frozen Neon WebSocket stalls here\r\n // before the query ever starts, so a query-level timeout alone won't help.\r\n let acquireTimedOut = false;\r\n const client = await withDbTimeout(\r\n \"connect\",\r\n () =>\r\n pool.connect().then((c: any) => {\r\n // If we already gave up on this slot, immediately release it so\r\n // the scarce pool connection isn't leaked.\r\n if (acquireTimedOut) c.release();\r\n return c;\r\n }),\r\n dbOpTimeoutMs(),\r\n () => {\r\n acquireTimedOut = true;\r\n },\r\n );\r\n\r\n let released = false;\r\n const releaseClient = (err?: Error | boolean) => {\r\n if (released) return;\r\n released = true;\r\n client.release(err);\r\n };\r\n\r\n try {\r\n const result = await withDbTimeout(\r\n \"query\",\r\n () =>\r\n client.query(sql, args ?? []) as Promise<{\r\n rows: unknown[];\r\n rowCount?: number;\r\n }>,\r\n dbOpTimeoutMs(),\r\n () => releaseClient(true),\r\n );\r\n releaseClient();\r\n return result;\r\n } catch (err) {\r\n releaseClient(isConnectionError(err) ? true : undefined);\r\n throw err;\r\n }\r\n };\r\n\r\n if (isRead) {\r\n // Reads: retry on any connection-class error (safe — no side effects).\r\n return retryOnConnectionError(runAttempt);\r\n }\r\n\r\n // Writes: attempt once. If the acquire itself times out (error occurs\r\n // before the statement was sent), that produces a CONNECT_TIMEOUT which\r\n // isConnectionError() recognises → retry is safe. Any error that surfaces\r\n // AFTER the statement was sent must propagate immediately to avoid\r\n // double-execution.\r\n try {\r\n return await runAttempt();\r\n } catch (err) {\r\n // acquire-timeout fires before the statement → safe to retry once.\r\n if (isConnectionError(err) && (err as any)?.code === \"CONNECT_TIMEOUT\") {\r\n return runAttempt();\r\n }\r\n throw err;\r\n }\r\n };\r\n\r\n // Return a proxy so every pool property/method is forwarded as-is, but\r\n // pool.query() goes through the resilient wrapper. drizzle-neon-serverless\r\n // calls pool.connect() for transactions and pool.query() for simple queries.\r\n return new Proxy(pool, {\r\n get(target, prop) {\r\n if (prop === \"query\") return resilientQuery;\r\n const val = (target as any)[prop];\r\n return typeof val === \"function\" ? val.bind(target) : val;\r\n },\r\n });\r\n}\r\n\r\n/**\r\n * Wraps a postgres.js client so Drizzle queries on the non-Neon Postgres\r\n * path get the same withDbTimeout + retryOnConnectionError protection as\r\n * every other Postgres path (raw DbExec postgres.js, raw DbExec Neon, and\r\n * the Drizzle Neon pool above). Without this, one hung query on a BYO\r\n * Postgres deployment stalls its request forever.\r\n *\r\n * Drizzle's postgres-js session only calls `client.unsafe(query, params)` —\r\n * awaited directly for row-object results or via `.values()` for row-array\r\n * results — plus `client.begin(...)` for transactions. We interpose on\r\n * `unsafe` with a lazy thenable that re-issues the query per retry attempt,\r\n * and leave transactions unwrapped (same rule as the Neon wrapper: the\r\n * driver manages the sticky connection inside `begin`).\r\n *\r\n * Retry-safety mirrors buildResilientNeonPool: reads retry freely on\r\n * connection-class errors; writes retry only on CONNECT_TIMEOUT (postgres.js\r\n * raises it before the statement is ever sent), so writes can't\r\n * double-execute.\r\n */\r\nexport function buildResilientPostgresJsClient<\r\n T extends {\r\n unsafe(query: string, params?: any[], options?: any): any;\r\n },\r\n>(client: T): T {\r\n const wrapUnsafe = (query: string, params?: any[], options?: any) => {\r\n const isRead = isSqlRead(query);\r\n\r\n const runAttempt = (mode: \"rows\" | \"values\") => async (): Promise<any> => {\r\n const pending = client.unsafe(query, params, options);\r\n return withDbTimeout(\r\n \"query\",\r\n async () => (mode === \"values\" ? pending.values() : pending),\r\n dbOpTimeoutMs(),\r\n () => {\r\n // Best-effort cancel so the timed-out statement doesn't keep\r\n // occupying one of the (small, serverless-capped) pool slots.\r\n try {\r\n pending.cancel?.();\r\n } catch {\r\n // ignore — cancellation is advisory\r\n }\r\n },\r\n );\r\n };\r\n\r\n const execute = async (mode: \"rows\" | \"values\"): Promise<any> => {\r\n if (isRead) return retryOnConnectionError(runAttempt(mode));\r\n try {\r\n return await runAttempt(mode)();\r\n } catch (err) {\r\n // Connect timeout fires before the statement is sent → one retry is\r\n // safe even for writes.\r\n if (\r\n isConnectionError(err) &&\r\n (err as any)?.code === \"CONNECT_TIMEOUT\"\r\n ) {\r\n return runAttempt(mode)();\r\n }\r\n throw err;\r\n }\r\n };\r\n\r\n // Lazy thenable mirroring the slice of postgres.js's PendingQuery\r\n // surface that Drizzle uses: `await q` or `await q.values()`.\r\n return {\r\n then: (onFulfilled?: any, onRejected?: any) =>\r\n execute(\"rows\").then(onFulfilled, onRejected),\r\n catch: (onRejected?: any) => execute(\"rows\").catch(onRejected),\r\n finally: (onFinally?: any) => execute(\"rows\").finally(onFinally),\r\n values: () => execute(\"values\"),\r\n };\r\n };\r\n\r\n return new Proxy(client as any, {\r\n get(target, prop) {\r\n if (prop === \"unsafe\") return wrapUnsafe;\r\n const val = target[prop];\r\n return typeof val === \"function\" ? val.bind(target) : val;\r\n },\r\n }) as T;\r\n}\r\n\r\n/**\r\n * Neon's pooler endpoints cold-start in 5–10s. Serverless environments\r\n * (Netlify Functions, Vercel Edge, CF Workers) have short cold-start\r\n * budgets of their own, and `postgres-js` opens a raw TCP connection on\r\n * port 5432 that can't negotiate around Neon's wake-up window — every\r\n * request after an idle period 502s. `@neondatabase/serverless` rides\r\n * over WebSockets (HTTP/443 upgrade) and handles Neon wake-up\r\n * transparently, supports transactions, and works in every serverless\r\n * runtime we deploy to, so we prefer it whenever the URL points at Neon.\r\n */\r\nexport function isNeonUrl(url: string): boolean {\r\n // Must match neon.tech followed by port/path/query/end — include `?` so\r\n // URLs like `postgres://…@ep.neon.tech?sslmode=require` (no explicit port\r\n // or path) still route through the serverless driver.\r\n return /\\.neon\\.tech([:/?]|$)/.test(url);\r\n}\r\n\r\nlet _libsqlWebDrizzle: Promise<{ drizzle: any }> | undefined;\r\nfunction getLibsqlWebDrizzle() {\r\n if (!_libsqlWebDrizzle) {\r\n _libsqlWebDrizzle = import(\"drizzle-orm/libsql/web\").then((mod) => ({\r\n drizzle: mod.drizzle,\r\n }));\r\n }\r\n return _libsqlWebDrizzle;\r\n}\r\n\r\nlet _betterSqliteDrizzle: Promise<{ drizzle: any; Database: any }> | undefined;\r\nfunction getBetterSqliteDrizzle() {\r\n if (!_betterSqliteDrizzle) {\r\n _betterSqliteDrizzle = Promise.all([\r\n import(\"drizzle-orm/better-sqlite3\"),\r\n import(\"better-sqlite3\"),\r\n ]).then(([drizzleMod, sqliteMod]) => ({\r\n drizzle: drizzleMod.drizzle,\r\n Database: sqliteMod.default,\r\n }));\r\n }\r\n return _betterSqliteDrizzle;\r\n}\r\n\r\n/**\r\n * Patch a drizzle-orm/better-sqlite3 instance so that db.transaction(async …)\r\n * works. The native better-sqlite3 Transaction wrapper is sync-only — passing\r\n * an async callback throws \"Transaction function cannot return a promise\".\r\n *\r\n * This wrapper bypasses the native path by issuing raw SQL control statements\r\n * on the single better-sqlite3 connection, which is safe because:\r\n * - better-sqlite3 is single-connection (no concurrency inside one process)\r\n * - the framework serialises all async work through one Database instance\r\n *\r\n * Nesting: if a transaction is already open (sqlite.inTransaction === true),\r\n * SAVEPOINT / RELEASE / ROLLBACK TO is used instead of BEGIN / COMMIT /\r\n * ROLLBACK, matching drizzle's own BetterSQLiteTransaction.transaction().\r\n *\r\n * The patched transaction also patches the tx object it passes to the callback\r\n * so that nested async calls (tx.transaction(async …)) work recursively.\r\n */\r\n/** @internal exported for the async-tx concurrency spec */\r\nexport function patchBetterSqliteTransactions<\r\n DB extends { transaction: (...args: any[]) => any; session: any },\r\n>(db: DB, sqlite: { inTransaction: boolean; exec: (sql: string) => void }): DB {\r\n let savepointSeq = 0;\r\n // Concurrent TOP-LEVEL async transactions on the single better-sqlite3\r\n // connection must not interleave: a second transaction starting while the\r\n // first is open would see `inTransaction` and open a savepoint INSIDE the\r\n // first transaction, which then commits out from under it (\"no such\r\n // savepoint\"). Serialize top-level transactions through a promise chain;\r\n // genuine same-task nesting (tx.transaction or db.transaction inside an\r\n // open callback) is detected via AsyncLocalStorage and keeps the direct\r\n // savepoint path so it cannot deadlock on the queue.\r\n const txContext = new AsyncLocalStorage<boolean>();\r\n let txChain: Promise<unknown> = Promise.resolve();\r\n\r\n function makeAsyncTransaction(\r\n originalTransaction: (...args: any[]) => any,\r\n ): (...args: any[]) => Promise<unknown> {\r\n async function runTransactionBody(\r\n cb: (tx: unknown) => unknown,\r\n ): Promise<unknown> {\r\n // Extract the drizzle tx proxy synchronously — call the original with a\r\n // stub that captures the tx arg then immediately throws a sentinel so\r\n // better-sqlite3's native wrapper rolls back the stub and re-throws.\r\n // The sentinel is caught here and never propagates further.\r\n let capturedTx: unknown;\r\n try {\r\n originalTransaction((tx: unknown) => {\r\n capturedTx = tx;\r\n throw _EXTRACT_TX;\r\n });\r\n } catch (e) {\r\n if (e !== _EXTRACT_TX) throw e;\r\n }\r\n\r\n // Recursively patch the nested tx so tx.transaction(async …) also works.\r\n const tx = capturedTx as { transaction: (...a: any[]) => any };\r\n if (tx && typeof tx.transaction === \"function\") {\r\n tx.transaction = makeAsyncTransaction(tx.transaction.bind(tx));\r\n }\r\n\r\n const nested = sqlite.inTransaction;\r\n if (nested) {\r\n const sp = `sp_async_${++savepointSeq}`;\r\n sqlite.exec(`SAVEPOINT ${sp}`);\r\n let released = false;\r\n try {\r\n const result = await cb(tx);\r\n sqlite.exec(`RELEASE SAVEPOINT ${sp}`);\r\n released = true;\r\n return result;\r\n } catch (err) {\r\n if (!released) {\r\n try {\r\n sqlite.exec(`ROLLBACK TO SAVEPOINT ${sp}`);\r\n sqlite.exec(`RELEASE SAVEPOINT ${sp}`);\r\n } catch {\r\n /* ignore: connection may already be in an error state */\r\n }\r\n }\r\n throw err;\r\n }\r\n }\r\n\r\n // Top-level: BEGIN IMMEDIATE … COMMIT / ROLLBACK.\r\n sqlite.exec(\"BEGIN IMMEDIATE\");\r\n let committed = false;\r\n try {\r\n const result = await cb(tx);\r\n sqlite.exec(\"COMMIT\");\r\n committed = true;\r\n return result;\r\n } catch (err) {\r\n if (!committed) {\r\n try {\r\n sqlite.exec(\"ROLLBACK\");\r\n } catch {\r\n /* swallow: connection may already be unusable */\r\n }\r\n }\r\n throw err;\r\n }\r\n }\r\n\r\n return function asyncTransaction(\r\n cb: (tx: unknown) => unknown,\r\n ): Promise<unknown> {\r\n if (txContext.getStore()) {\r\n // Same-task nesting: run directly (savepoint path inside the open\r\n // transaction). Queueing here would deadlock behind the outer tx.\r\n return runTransactionBody(cb);\r\n }\r\n const run = () => txContext.run(true, () => runTransactionBody(cb));\r\n const next = txChain.then(run, run);\r\n txChain = next.then(\r\n () => undefined,\r\n () => undefined,\r\n );\r\n return next;\r\n };\r\n }\r\n\r\n db.transaction = makeAsyncTransaction(db.transaction.bind(db));\r\n return db;\r\n}\r\n\r\n/** Sentinel thrown inside the tx-extraction stub — never escapes the catch. */\r\nconst _EXTRACT_TX = Symbol(\"extract-tx\");\r\n\r\nexport function createGetDb<T extends Record<string, unknown>>(schema: T) {\r\n let _db: any;\r\n let _dbReady: Promise<any> | undefined;\r\n\r\n function startInit(): Promise<any> {\r\n if (_dbReady) return _dbReady;\r\n\r\n const url = getDatabaseUrl(\"file:./data/app.db\");\r\n const dialect = getDialect();\r\n\r\n // D1 only if dialect detected it (DATABASE_URL takes priority)\r\n if (dialect === \"d1\") {\r\n const d1 = getCloudflareD1Binding() as\r\n | Parameters<typeof drizzleD1>[0]\r\n | undefined;\r\n if (d1) {\r\n _db = drizzleD1(d1, { schema }) as unknown as LibSQLDatabase<T>;\r\n _dbReady = Promise.resolve(_db);\r\n return _dbReady;\r\n }\r\n }\r\n\r\n if (isPgliteUrl(url)) {\r\n _dbReady = loadPgliteDrizzle().then(async ({ drizzle }) => {\r\n const client = await getPgliteClient(url);\r\n _db = drizzle({ client, schema });\r\n });\r\n return _dbReady;\r\n }\r\n\r\n if (dialect === \"postgres\") {\r\n if (isNeonUrl(url)) {\r\n _dbReady = getNeonServerlessDrizzle().then(\r\n ({ drizzle, Pool, neonConfig }) => {\r\n // Cloudflare Workers (workerd) forbids reusing I/O objects across\r\n // requests — a WebSocket client cached in the pool by request A and\r\n // handed to request B throws \"Cannot perform I/O on behalf of a\r\n // different request\" and hangs the worker. Route plain queries over\r\n // Neon's stateless HTTP transport (poolQueryViaFetch) and cap each\r\n // WebSocket client (used for transactions) to a single use so it is\r\n // never reused across requests.\r\n const cfWorker = isCloudflareRuntime();\r\n if (cfWorker) neonConfig.poolQueryViaFetch = true;\r\n const rawPool = new Pool({\r\n connectionString: url,\r\n max: neonPoolMax(),\r\n ...(cfWorker ? { maxUses: 1 } : {}),\r\n });\r\n attachNeonPoolErrorLogger(rawPool);\r\n // Wrap the pool with the resilience layer so Drizzle queries get the\r\n // same withDbTimeout + retryOnConnectionError protection as the raw\r\n // DbExec path in client.ts. Reads retry freely; writes only retry on\r\n // acquire-timeout (pre-send) errors to avoid double-execution.\r\n const pool = buildResilientNeonPool(rawPool, {\r\n httpPerQuery: cfWorker,\r\n });\r\n _db = drizzle(pool, { schema });\r\n },\r\n );\r\n } else {\r\n _dbReady = getPgDrizzle().then(({ drizzle, postgres }) => {\r\n // pgPoolOptions caps the pool to a small size on serverless so\r\n // concurrent frozen instances don't exhaust Neon/Postgres'\r\n // connection limit (\"Max client connections reached\").\r\n const client = postgres(url, pgPoolOptions(url));\r\n _db = drizzle(buildResilientPostgresJsClient(client), { schema });\r\n });\r\n }\r\n } else if (isLocalSqliteUrl(url)) {\r\n _dbReady = Promise.all([\r\n prepareLocalSqliteUrl(url.startsWith(\"file:\") ? url : `file:${url}`),\r\n getBetterSqliteDrizzle(),\r\n ]).then(([sqliteUrl, { drizzle, Database }]) => {\r\n const sqlite = new Database(sqliteFilenameFromUrl(sqliteUrl));\r\n // Wait up to 10s for a concurrent writer instead of failing fast\r\n // with SQLITE_BUSY — mirrors the raw DbExec SQLite path in client.ts.\r\n sqlite.pragma(\"busy_timeout = 10000\");\r\n sqlite.pragma(\"journal_mode = WAL\");\r\n const db = drizzle(sqlite, { schema });\r\n _db = patchBetterSqliteTransactions(db, sqlite);\r\n });\r\n } else {\r\n _dbReady = getLibsqlWebDrizzle().then(({ drizzle }) => {\r\n _db = drizzle({\r\n connection: { url, authToken: getDatabaseAuthToken() },\r\n schema,\r\n });\r\n });\r\n }\r\n return _dbReady;\r\n }\r\n\r\n /**\r\n * Create a lazy proxy that records property accesses and method calls,\r\n * then replays them on the real DB once init completes. Supports\r\n * Drizzle's chained API: db.select().from(table).where(...).\r\n *\r\n * When `.then()` is called (i.e. the chain is awaited), the proxy\r\n * awaits _dbReady and replays the recorded chain on the real _db.\r\n */\r\n function createLazyProxy(\r\n ready: Promise<any>,\r\n chain: Array<{ prop: string | symbol; args?: any[] }>,\r\n ): any {\r\n return new Proxy(function () {} as any, {\r\n get(_target, prop) {\r\n // When awaited, replay the chain on the real db\r\n if (prop === \"then\" || prop === \"catch\" || prop === \"finally\") {\r\n const promise = ready.then(() => {\r\n let result: any = _db;\r\n for (const step of chain) {\r\n const val = result[step.prop];\r\n result =\r\n typeof val === \"function\" ? val.apply(result, step.args) : val;\r\n }\r\n return result;\r\n });\r\n return (promise as any)[prop].bind(promise);\r\n }\r\n // Symbol.toStringTag, Symbol.iterator, etc. — return another proxy\r\n // Property access (e.g. db.query) — record and return another proxy\r\n return createLazyProxy(ready, [...chain, { prop }]);\r\n },\r\n apply(_target, _thisArg, args) {\r\n // Method call (e.g. .from(table)) — record args and return another proxy\r\n if (chain.length === 0) return createLazyProxy(ready, []);\r\n const last = chain[chain.length - 1];\r\n const newChain = chain.slice(0, -1);\r\n newChain.push({ prop: last.prop, args });\r\n return createLazyProxy(ready, newChain);\r\n },\r\n });\r\n }\r\n\r\n /**\r\n * Get the Drizzle DB instance. Kicks off lazy init on first call.\r\n * If the async init hasn't completed yet, returns a lazy Proxy that\r\n * records the Drizzle chain (select/from/where/etc.) and replays it\r\n * once the DB driver finishes loading. Since callers always `await`\r\n * the final result, the proxy is transparent.\r\n */\r\n function getDb(): LibSQLDatabase<T> {\r\n if (_db) return _db;\r\n startInit();\r\n if (_db) return _db;\r\n\r\n return createLazyProxy(_dbReady!, []) as LibSQLDatabase<T>;\r\n }\r\n\r\n return getDb;\r\n}\r\n"]}
@@ -13,13 +13,13 @@
13
13
  export declare function createNotificationsHandler(): import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, Promise<"" | import("./types.js").Notification[] | {
14
14
  count: number;
15
15
  updated?: undefined;
16
- ok?: undefined;
17
16
  error?: undefined;
17
+ ok?: undefined;
18
18
  } | {
19
19
  count?: undefined;
20
20
  updated: number;
21
- ok?: undefined;
22
21
  error?: undefined;
22
+ ok?: undefined;
23
23
  } | {
24
24
  count?: undefined;
25
25
  updated?: undefined;
@@ -34,37 +34,37 @@ export declare function createListSecretsHandler(): import("h3").EventHandlerWit
34
34
  /** POST /_agent-native/secrets/:key — write a secret. */
35
35
  export declare function createWriteSecretHandler(): import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, Promise<{
36
36
  error: string;
37
- ok?: undefined;
38
37
  status?: undefined;
38
+ ok?: undefined;
39
39
  } | {
40
- error?: undefined;
41
40
  ok: boolean;
42
41
  status: string;
42
+ error?: undefined;
43
43
  } | {
44
- ok?: undefined;
45
44
  error: string;
46
45
  removed?: undefined;
46
+ ok?: undefined;
47
47
  } | {
48
- error?: undefined;
49
48
  ok: boolean;
50
49
  removed: boolean;
50
+ error?: undefined;
51
51
  }>>;
52
52
  /**
53
53
  * POST /_agent-native/secrets/:key/test — re-run the validator against the
54
54
  * current stored value without changing anything. Useful for the "Test" button.
55
55
  */
56
56
  export declare function createTestSecretHandler(): import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, Promise<{
57
- ok?: undefined;
58
57
  error: string;
59
58
  note?: undefined;
59
+ ok?: undefined;
60
60
  } | {
61
- error?: undefined;
62
61
  ok: boolean;
63
62
  note?: undefined;
64
- } | {
65
63
  error?: undefined;
64
+ } | {
66
65
  ok: boolean;
67
66
  note: string;
67
+ error?: undefined;
68
68
  } | {
69
69
  note?: undefined;
70
70
  ok: boolean;
@@ -95,12 +95,12 @@ export interface AdHocSecretPayload {
95
95
  export declare function createAdHocSecretHandler(): import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, Promise<AdHocSecretPayload[] | {
96
96
  error: string;
97
97
  } | {
98
- error?: undefined;
99
98
  ok: boolean;
100
99
  key: string;
101
- } | {
102
100
  error?: undefined;
101
+ } | {
103
102
  ok: boolean;
104
103
  removed: boolean;
104
+ error?: undefined;
105
105
  }>>;
106
106
  //# sourceMappingURL=routes.d.ts.map
@@ -27,11 +27,11 @@ export declare function resolveAgentEngineApiKeyWriteTarget(event: H3Event, scop
27
27
  export declare function createAgentEngineApiKeyHandler(): import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, Promise<{
28
28
  error: any;
29
29
  } | {
30
+ error?: undefined;
30
31
  ok: boolean;
31
32
  key: string;
32
33
  baseUrlKey?: string;
33
34
  scope: AgentEngineApiKeyScope;
34
- error?: undefined;
35
35
  }>>;
36
36
  export {};
37
37
  //# sourceMappingURL=agent-engine-api-key-route.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"better-auth-instance.d.ts","sourceRoot":"","sources":["../../src/server/better-auth-instance.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,EAAc,KAAK,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAwDjE,wBAAsB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAO5E;AAED,wBAAsB,gBAAgB,CAAC,EACrC,YAAY,EACZ,UAAU,EACV,KAAK,EACL,IAAI,EACJ,WAAW,GACZ,EAAE;IACD,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CAClD,GAAG,OAAO,CAAC,IAAI,CAAC,CAyBhB;AAkJD,gBAAgB;AAChB,wBAAgB,6BAA6B,IAAI;IAC/C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAiCA;AAED,gBAAgB;AAChB,wBAAgB,+BAA+B,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAOxE;AAED,wBAAgB,2BAA2B,IAAI,OAAO,CASrD;AAED,uDAAuD;AACvD,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAMD,4FAA4F;AAC5F,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IACjD,GAAG,EAAE;QACH,UAAU,EAAE,CAAC,IAAI,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,KAAK,OAAO,CAAC;YAClD,IAAI,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAC;gBAAC,IAAI,EAAE,MAAM,CAAA;aAAE,CAAC;YAClD,OAAO,EAAE;gBACP,EAAE,EAAE,MAAM,CAAC;gBACX,KAAK,EAAE,MAAM,CAAC;gBACd,SAAS,EAAE,IAAI,CAAC;aACjB,CAAC;SACH,GAAG,IAAI,CAAC,CAAC;QACV,WAAW,EAAE,CAAC,IAAI,EAAE;YAClB,IAAI,EAAE;gBAAE,KAAK,EAAE,MAAM,CAAC;gBAAC,QAAQ,EAAE,MAAM,CAAA;aAAE,CAAC;SAC3C,KAAK,OAAO,CAAC;YAAE,KAAK,CAAC,EAAE,MAAM,CAAC;YAAC,IAAI,CAAC,EAAE,GAAG,CAAA;SAAE,GAAG,IAAI,CAAC,CAAC;QACrD,WAAW,EAAE,CAAC,IAAI,EAAE;YAClB,IAAI,EAAE;gBACJ,KAAK,EAAE,MAAM,CAAC;gBACd,QAAQ,EAAE,MAAM,CAAC;gBACjB,IAAI,EAAE,MAAM,CAAC;gBACb,WAAW,CAAC,EAAE,MAAM,CAAC;aACtB,CAAC;YACF,OAAO,CAAC,EAAE,OAAO,CAAC;SACnB,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;QACnB,OAAO,EAAE,CAAC,IAAI,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;KACvD,CAAC;CACH;AAED,MAAM,WAAW,gBAAgB;IAC/B,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mEAAmE;IACnE,eAAe,CAAC,EAAE,iBAAiB,CAAC,iBAAiB,CAAC,CAAC;IACvD,qCAAqC;IACrC,OAAO,CAAC,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;IACvC;;;;;;;;;;;;;OAaG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAqUD;;;GAGG;AACH,wBAAsB,aAAa,CACjC,MAAM,CAAC,EAAE,gBAAgB,GACxB,OAAO,CAAC,kBAAkB,CAAC,CAO7B;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,kBAAkB,GAAG,SAAS,CAElE;AAED;;;;;;GAMG;AACH,MAAM,WAAW,yBAAyB;IACxC,eAAe,EAAE,CACf,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE;QAAE,eAAe,EAAE,OAAO,CAAA;KAAE,KACnC,OAAO,CAAC;QACX,IAAI,EAAE;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAC;YAAC,IAAI,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QACnD,QAAQ,EAAE,KAAK,CAAC;YAAE,UAAU,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAC5D,GAAG,IAAI,CAAC,CAAC;IACV,WAAW,EAAE,CAAC,OAAO,EAAE;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,EAAE,MAAM,CAAC;KACnB,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IACvB,UAAU,EAAE,CAAC,IAAI,EAAE;QACjB,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,aAAa,CAAC,EAAE,OAAO,CAAC;KACzB,KAAK,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC/B;AAED;;;;;;;GAOG;AACH,wBAAsB,4BAA4B,CAChD,MAAM,CAAC,EAAE,gBAAgB,GACxB,OAAO,CAAC,yBAAyB,GAAG,SAAS,CAAC,CAmBhD;AAED,wBAAwB;AACxB,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAYrD"}
1
+ {"version":3,"file":"better-auth-instance.d.ts","sourceRoot":"","sources":["../../src/server/better-auth-instance.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,EAAc,KAAK,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAyDjE,wBAAsB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAO5E;AAED,wBAAsB,gBAAgB,CAAC,EACrC,YAAY,EACZ,UAAU,EACV,KAAK,EACL,IAAI,EACJ,WAAW,GACZ,EAAE;IACD,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CAClD,GAAG,OAAO,CAAC,IAAI,CAAC,CAyBhB;AAkJD,gBAAgB;AAChB,wBAAgB,6BAA6B,IAAI;IAC/C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAiCA;AAED,gBAAgB;AAChB,wBAAgB,+BAA+B,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAOxE;AAED,wBAAgB,2BAA2B,IAAI,OAAO,CASrD;AAED,uDAAuD;AACvD,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAMD,4FAA4F;AAC5F,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IACjD,GAAG,EAAE;QACH,UAAU,EAAE,CAAC,IAAI,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,KAAK,OAAO,CAAC;YAClD,IAAI,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAC;gBAAC,IAAI,EAAE,MAAM,CAAA;aAAE,CAAC;YAClD,OAAO,EAAE;gBACP,EAAE,EAAE,MAAM,CAAC;gBACX,KAAK,EAAE,MAAM,CAAC;gBACd,SAAS,EAAE,IAAI,CAAC;aACjB,CAAC;SACH,GAAG,IAAI,CAAC,CAAC;QACV,WAAW,EAAE,CAAC,IAAI,EAAE;YAClB,IAAI,EAAE;gBAAE,KAAK,EAAE,MAAM,CAAC;gBAAC,QAAQ,EAAE,MAAM,CAAA;aAAE,CAAC;SAC3C,KAAK,OAAO,CAAC;YAAE,KAAK,CAAC,EAAE,MAAM,CAAC;YAAC,IAAI,CAAC,EAAE,GAAG,CAAA;SAAE,GAAG,IAAI,CAAC,CAAC;QACrD,WAAW,EAAE,CAAC,IAAI,EAAE;YAClB,IAAI,EAAE;gBACJ,KAAK,EAAE,MAAM,CAAC;gBACd,QAAQ,EAAE,MAAM,CAAC;gBACjB,IAAI,EAAE,MAAM,CAAC;gBACb,WAAW,CAAC,EAAE,MAAM,CAAC;aACtB,CAAC;YACF,OAAO,CAAC,EAAE,OAAO,CAAC;SACnB,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;QACnB,OAAO,EAAE,CAAC,IAAI,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;KACvD,CAAC;CACH;AAED,MAAM,WAAW,gBAAgB;IAC/B,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mEAAmE;IACnE,eAAe,CAAC,EAAE,iBAAiB,CAAC,iBAAiB,CAAC,CAAC;IACvD,qCAAqC;IACrC,OAAO,CAAC,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;IACvC;;;;;;;;;;;;;OAaG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAqUD;;;GAGG;AACH,wBAAsB,aAAa,CACjC,MAAM,CAAC,EAAE,gBAAgB,GACxB,OAAO,CAAC,kBAAkB,CAAC,CAO7B;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,kBAAkB,GAAG,SAAS,CAElE;AAED;;;;;;GAMG;AACH,MAAM,WAAW,yBAAyB;IACxC,eAAe,EAAE,CACf,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE;QAAE,eAAe,EAAE,OAAO,CAAA;KAAE,KACnC,OAAO,CAAC;QACX,IAAI,EAAE;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAC;YAAC,IAAI,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QACnD,QAAQ,EAAE,KAAK,CAAC;YAAE,UAAU,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAC5D,GAAG,IAAI,CAAC,CAAC;IACV,WAAW,EAAE,CAAC,OAAO,EAAE;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,EAAE,MAAM,CAAC;KACnB,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IACvB,UAAU,EAAE,CAAC,IAAI,EAAE;QACjB,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,aAAa,CAAC,EAAE,OAAO,CAAC;KACzB,KAAK,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC/B;AAED;;;;;;;GAOG;AACH,wBAAsB,4BAA4B,CAChD,MAAM,CAAC,EAAE,gBAAgB,GACxB,OAAO,CAAC,yBAAyB,GAAG,SAAS,CAAC,CAmBhD;AAED,wBAAwB;AACxB,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAYrD"}
@@ -25,6 +25,7 @@ import { getAppProductionUrl } from "./app-url.js";
25
25
  import { signupAttributionFromCookieHeader } from "./attribution.js";
26
26
  import { resolveAuthCookieNamespace } from "./cookie-namespace.js";
27
27
  import { getWorkspaceA2ADerivedSecret } from "./derived-secret.js";
28
+ import { isCloudflareRuntime } from "../shared/runtime.js";
28
29
  import { renderResetPasswordEmail, renderVerifySignupEmail, } from "./email-templates.js";
29
30
  import { sendEmail, isEmailConfigured } from "./email.js";
30
31
  import { resolveGoogleSignInCredentials } from "./google-oauth-credentials.js";
@@ -896,14 +897,27 @@ async function buildDatabaseConfig(dialect) {
896
897
  // opens a raw TCP connection on port 5432 which frequently times out on
897
898
  // Netlify Functions / Vercel / CF Workers when Neon's pooler is cold.
898
899
  if (isNeonUrl(url)) {
899
- const { Pool } = await import("@neondatabase/serverless");
900
+ const { Pool, neonConfig } = await import("@neondatabase/serverless");
900
901
  // Cap the auth pool the same way as the app pool. Better Auth runs a
901
902
  // session lookup on essentially every authenticated request, so an
902
903
  // un-capped pool here is a primary contributor to "Max client
903
904
  // connections reached" across concurrent serverless instances.
905
+ //
906
+ // Cloudflare Workers (workerd) forbids reusing I/O objects across
907
+ // requests — a pooled WebSocket client created by one request and
908
+ // handed to a later one hangs the worker ("Cannot perform I/O on
909
+ // behalf of a different request"). Route plain queries over Neon's
910
+ // stateless HTTP transport and cap WebSocket clients to a single use,
911
+ // mirroring the app pools in db/client.ts and db/create-get-db.ts.
912
+ const cfWorker = isCloudflareRuntime();
913
+ if (cfWorker) {
914
+ neonConfig.poolQueryViaFetch =
915
+ true;
916
+ }
904
917
  _neonAuthPool = new Pool({
905
918
  connectionString: url,
906
919
  max: neonPoolMax(),
920
+ ...(cfWorker ? { maxUses: 1 } : {}),
907
921
  });
908
922
  attachNeonPoolErrorLogger(_neonAuthPool, "db/neon-auth");
909
923
  const { drizzle } = await import("drizzle-orm/neon-serverless");
@@ -1 +1 @@
1
- {"version":3,"file":"better-auth-instance.js","sourceRoot":"","sources":["../../src/server/better-auth-instance.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,UAAU,EAA0B,MAAM,aAAa,CAAC;AACjE,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAC;AAC9C,OAAO,EACL,OAAO,EACP,IAAI,IAAI,MAAM,EACd,SAAS,IAAI,WAAW,EACxB,OAAO,IAAI,SAAS,GACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,WAAW,EACX,IAAI,IAAI,UAAU,EAClB,OAAO,IAAI,aAAa,GACzB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EACL,UAAU,EACV,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,eAAe,EACf,WAAW,EACX,iBAAiB,EACjB,aAAa,EACb,WAAW,EACX,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,gCAAgC,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,0BAA0B,EAAE,MAAM,4BAA4B,CAAC;AACxE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,EAAE,iCAAiC,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,uBAAuB,CAAC;AACnE,OAAO,EAAE,4BAA4B,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EACL,wBAAwB,EACxB,uBAAuB,GACxB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC1D,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAE/E,KAAK,UAAU,mBAAmB;IAChC,IAAI,CAAC;QACH,MAAM,OAAO,CAAC,IAAI,CAAC;YACjB,aAAa,EAAE;YACf,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;SAC1D,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,2DAA2D;IAC7D,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,KAAa;IACxD,MAAM,OAAO,GAAG,MAAM,4BAA4B,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC5E,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,MAAM,QAAQ,GAAG,MAAM,OAAO;SAC3B,eAAe,CAAC,KAAK,EAAE,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;SAClD,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACrB,OAAO,CAAC,CAAC,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC;AACjC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,EACrC,YAAY,EACZ,UAAU,EACV,KAAK,EACL,IAAI,EACJ,WAAW,GAcZ;IACC,QAAQ,CAAC,KAAK,EAAE;QACd,KAAK;QACL,IAAI,EAAE,IAAI,IAAI,SAAS;QACvB,UAAU;KACX,CAAC,CAAC;IACH,MAAM,gBAAgB,GAA2B,EAAE,CAAC;IACpD,IAAI,WAAW,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;YACvD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,gBAAgB,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IACD,KAAK,CACH,QAAQ,EACR;QACE,GAAG,+BAA+B,EAAE;QACpC,aAAa,EAAE,YAAY;QAC3B,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACnD,GAAG,gBAAgB;KACpB,EACD,EAAE,MAAM,EAAE,KAAK,EAAE,CAClB,CAAC;IACF,MAAM,mBAAmB,EAAE,CAAC;AAC9B,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E,IAAI,qBAAyC,CAAC;AAE9C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAS,iBAAiB;IACxB,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAC1E,MAAM,sBAAsB,GAAG,4BAA4B,CAAC,aAAa,CAAC,CAAC;IAC3E,IAAI,sBAAsB;QAAE,OAAO,sBAAsB,CAAC;IAE1D,wEAAwE;IACxE,8EAA8E;IAC9E,uEAAuE;IACvE,4EAA4E;IAC5E,8EAA8E;IAC9E,2BAA2B;IAC3B,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,+EAA+E;YAC7E,0EAA0E;YAC1E,0DAA0D;YAC1D,wBAAwB,MAAM,MAAM;YACpC,uEAAuE;YACvE,wEAAwE;YACxE,uEAAuE;YACvE,+CAA+C;YAC/C,wEAAwE;YACxE,kCAAkC,CACrC,CAAC;IACJ,CAAC;IAED,yDAAyD;IACzD,+DAA+D;IAC/D,qEAAqE;IACrE,sEAAsE;IACtE,mDAAmD;IACnD,MAAM,QAAQ,GAAG,kBAAkB,CACjC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,YAAY,CAAC,CAC1C,CAAC;IACF,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC3B,qBAAqB,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CACV,0EAA0E;YACxE,oEAAoE;YACpE,uEAAuE;YACvE,iCAAiC,CACpC,CAAC;IACJ,CAAC;IACD,OAAO,qBAAqB,CAAC;AAC/B,CAAC;AAED,SAAS,kBAAkB,CAAC,YAAoB;IAC9C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QACtD,oEAAoE;QACpE,oEAAoE;QACpE,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CACrB,8DAA8D,CAC/D,CAAC;QACF,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAyB;IACtD,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACtC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,OAAO,CAAC;QACvC,CAAC,CAAC,OAAO,CAAC;IACZ,MAAM,IAAI,GAAG,QAAQ;SAClB,WAAW,EAAE;SACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;SAC3B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAyB;IAClD,MAAM,IAAI,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC;QACpD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC;QACpC,CAAC,CAAC,IAAI,CAAC;IACT,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,KAAK,aAAa,CAAC;QAClE,CAAC,CAAC,aAAa;QACf,CAAC,CAAC,SAAS,CAAC;AAChB,CAAC;AAED,SAAS,eAAe;IACtB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAEtD,CAAC;QACF,OAAO,GAAG,CAAC,IAAI,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAyB;IAC/C,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE;QAAE,OAAO,SAAS,CAAC;IACrC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC;YAChD,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,WAAW,KAAK,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QACrD,IAAI,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACtC,OAAO,qBAAqB,CAC1B,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC,CAC1C,CAAC;QACJ,CAAC;QACD,OAAO,qBAAqB,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,gBAAgB;AAChB,MAAM,UAAU,6BAA6B;IAI3C,MAAM,WAAW,GACf,qBAAqB,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACnD,qBAAqB,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IAC3D,MAAM,UAAU,GACd,qBAAqB,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACnD,qBAAqB,CAAC,eAAe,EAAE,CAAC,CAAC;IAC3C,MAAM,MAAM,GACV,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;QACnC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;QAC3C,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;QAC/B,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QACtC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC;QACzD,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,GAAG,GACP,WAAW;QACX,MAAM;QACN,UAAU;QACV,qBAAqB,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE9C,MAAM,QAAQ,GACZ,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;QACpD,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC;QACzD,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QAC3C,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QAChD,iBAAiB,CAAC,GAAG,CAAC;QACtB,iBAAiB,CAAC,UAAU,CAAC;QAC7B,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAE5B,OAAO;QACL,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvB,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAClC,CAAC;AACJ,CAAC;AAED,gBAAgB;AAChB,MAAM,UAAU,+BAA+B;IAC7C,MAAM,QAAQ,GAAG,6BAA6B,EAAE,CAAC;IACjD,OAAO;QACL,GAAG,QAAQ;QACX,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,qBAAqB,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC3E,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B;IACzC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;IACvD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,CAC1E,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,OAAO,UAAU,KAAK,EAAE,IAAI,UAAU,KAAK,GAAG,IAAI,UAAU,KAAK,OAAO,CAAC;AAC3E,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,aAAa;IAC3B,OAAO,iBAAiB,EAAE,CAAC;AAC7B,CAAC;AA0DD,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,IAAI,KAAqC,CAAC;AAC1C,IAAI,YAAqD,CAAC;AAC1D,8EAA8E;AAC9E,6EAA6E;AAC7E,wEAAwE;AACxE,IAAI,aAAkB,CAAC;AAEvB,MAAM,YAAY,GAAG;IACnB,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE;QACpB,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAC9B,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QACzC,aAAa,EAAE,SAAS,CAAC,gBAAgB,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;QACnE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC;QACtB,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,OAAO,EAAE,OAAO,CAAC,SAAS,EAAE;QAC1B,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QACzC,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC;QAC/B,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC;QAC/B,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACnC,oBAAoB,EAAE,MAAM,CAAC,wBAAwB,CAAC;KACvD,CAAC;IACF,OAAO,EAAE,OAAO,CAAC,SAAS,EAAE;QAC1B,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QACzC,UAAU,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC3C,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACnC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACnC,YAAY,EAAE,MAAM,CAAC,eAAe,CAAC;QACrC,OAAO,EAAE,MAAM,CAAC,UAAU,CAAC;QAC3B,oBAAoB,EAAE,WAAW,CAAC,yBAAyB,EAAE;YAC3D,YAAY,EAAE,IAAI;SACnB,CAAC;QACF,qBAAqB,EAAE,WAAW,CAAC,0BAA0B,EAAE;YAC7D,YAAY,EAAE,IAAI;SACnB,CAAC;QACF,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;QAC5B,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,YAAY,EAAE,OAAO,CAAC,cAAc,EAAE;QACpC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,UAAU,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC1C,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QAChC,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,YAAY,EAAE,OAAO,CAAC,cAAc,EAAE;QACpC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAC9B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QACvC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;QAC5B,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,MAAM,EAAE,OAAO,CAAC,QAAQ,EAAE;QACxB,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,cAAc,EAAE,MAAM,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACnD,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACnC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;QAChD,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,UAAU,EAAE,OAAO,CAAC,YAAY,EAAE;QAChC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,cAAc,EAAE,MAAM,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACnD,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QAChC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;QACrD,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QACzC,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE;QACpB,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QACzC,UAAU,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC3C,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;KAC7D,CAAC;CACH,CAAC;AAEF,MAAM,gBAAgB,GAAG;IACvB,IAAI,EAAE,WAAW,CAAC,MAAM,EAAE;QACxB,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAClC,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QAC7C,aAAa,EAAE,aAAa,CAAC,gBAAgB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;aAChE,OAAO,EAAE;aACT,OAAO,CAAC,KAAK,CAAC;QACjB,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC;QAC1B,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,OAAO,EAAE,WAAW,CAAC,SAAS,EAAE;QAC9B,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QAC7C,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC;QACnC,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC;QACnC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACvC,oBAAoB,EAAE,UAAU,CAAC,wBAAwB,CAAC;KAC3D,CAAC;IACF,OAAO,EAAE,WAAW,CAAC,SAAS,EAAE;QAC9B,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC7C,UAAU,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC/C,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACvC,WAAW,EAAE,UAAU,CAAC,cAAc,CAAC;QACvC,YAAY,EAAE,UAAU,CAAC,eAAe,CAAC;QACzC,OAAO,EAAE,UAAU,CAAC,UAAU,CAAC;QAC/B,oBAAoB,EAAE,aAAa,CAAC,yBAAyB,EAAE;YAC7D,IAAI,EAAE,cAAc;SACrB,CAAC;QACF,qBAAqB,EAAE,aAAa,CAAC,0BAA0B,EAAE;YAC/D,IAAI,EAAE,cAAc;SACrB,CAAC;QACF,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC;QAC1B,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC;QAChC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,YAAY,EAAE,WAAW,CAAC,cAAc,EAAE;QACxC,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,UAAU,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC9C,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QACpC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,YAAY,EAAE,WAAW,CAAC,cAAc,EAAE;QACxC,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAClC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QAC3C,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC;QACxB,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC;QAChC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,MAAM,EAAE,WAAW,CAAC,QAAQ,EAAE;QAC5B,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,cAAc,EAAE,UAAU,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACvD,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACvC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;QACpD,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,UAAU,EAAE,WAAW,CAAC,YAAY,EAAE;QACpC,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,cAAc,EAAE,UAAU,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACvD,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QACpC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC;QACxB,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;QACzD,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC7C,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,IAAI,EAAE,WAAW,CAAC,MAAM,EAAE;QACxB,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC7C,UAAU,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC/C,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;KACjE,CAAC;CACH,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,KAAK,UAAU,gCAAgC,CAAC,OAS/C;IACC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,KAAK,QAAQ;QAAE,OAAO;IACxD,IAAI,CAAC,OAAO,CAAC,MAAM;QAAE,OAAO;IAE5B,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,SAAS,CAAC;IACrD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,iEAAiE;QACjE,kEAAkE;QAClE,oDAAoD;QACpD,OAAO;IACT,CAAC;IAED,kCAAkC;IAClC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;IACvB,IAAI,KAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YAChC,GAAG,EAAE,uCAAuC;YAC5C,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;SACvB,CAAC,CAAC;QACH,KAAK,GAAI,IAAI,CAAC,CAAC,CAAC,EAAE,KAA4B,IAAI,SAAS,CAAC;IAC9D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CACX,uEAAuE,EACvE,GAAG,CACJ,CAAC;QACF,OAAO;IACT,CAAC;IACD,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,uEAAuE;IACvE,6BAA6B;IAC7B,IAAI,UAA8B,CAAC;IACnC,MAAM,GAAG,GAAG,OAAO,CAAC,oBAAoB,CAAC;IACzC,IAAI,GAAG,YAAY,IAAI,EAAE,CAAC;QACxB,UAAU,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;IAC7B,CAAC;SAAM,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,UAAU,GAAG,GAAG,CAAC;IACnB,CAAC;SAAM,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3B,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IACpD,CAAC;IAED,MAAM,MAAM,GAA4B;QACtC,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,QAAQ;KACrB,CAAC;IACF,IAAI,OAAO,CAAC,YAAY;QAAE,MAAM,CAAC,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;IACtE,IAAI,UAAU;QAAE,MAAM,CAAC,WAAW,GAAG,UAAU,CAAC;IAChD,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAChD,IAAI,OAAO,CAAC,OAAO;QAAE,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAEvD,MAAM,eAAe,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;AACxD,CAAC;AAED,KAAK,UAAU,sBAAsB;IACnC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;IAEvB,yEAAyE;IACzE,uEAAuE;IACvE,+EAA+E;IAC/E,2EAA2E;IAC3E,IAAI,UAAU,EAAE,EAAE,CAAC;QACjB,MAAM,QAAQ,GAA6C;YACzD;gBACE,MAAM;gBACN,sOAAsO;aACvO;YACD;gBACE,SAAS;gBACT,iRAAiR;aAClR;YACD;gBACE,SAAS;gBACT,sWAAsW;aACvW;YACD;gBACE,cAAc;gBACd,mNAAmN;aACpN;YACD;gBACE,cAAc;gBACd,4MAA4M;aAC7M;YACD;gBACE,QAAQ;gBACR,wNAAwN;aACzN;YACD;gBACE,YAAY;gBACZ,mSAAmS;aACpS;YACD;gBACE,MAAM;gBACN,uKAAuK;aACxK;SACF,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,QAAQ;YAAE,MAAM,iBAAiB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IAED,qEAAqE;IACrE,MAAM,gBAAgB,GAAG;QACvB,wNAAwN;QACxN,mQAAmQ;QACnQ,oVAAoV;QACpV,qMAAqM;QACrM,kMAAkM;QAClM,8MAA8M;QAC9M,qRAAqR;QACrR,6JAA6J;KAC9J,CAAC;IACF,KAAK,MAAM,GAAG,IAAI,gBAAgB;QAAE,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;AAC5D,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAyB;IAEzB,IAAI,KAAK;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,YAAY,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;IAChD,KAAK,GAAG,MAAM,YAAY,CAAC;IAC3B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AA6BD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,MAAyB;IAEzB,MAAM,IAAI,GAAG,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,CAExC,CAAC;IACF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC;QAChC,MAAM,EAAE,GAAG,GAAG,EAAE,eAAe,CAAC;QAChC,IACE,EAAE;YACF,OAAO,EAAE,CAAC,eAAe,KAAK,UAAU;YACxC,OAAO,EAAE,CAAC,WAAW,KAAK,UAAU;YACpC,OAAO,EAAE,CAAC,UAAU,KAAK,UAAU,EACnC,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,oEAAoE;IACtE,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,wBAAwB;AACxB,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,KAAK,GAAG,SAAS,CAAC;IAClB,YAAY,GAAG,SAAS,CAAC;IACzB,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,GAAG,EAAE,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,4EAA4E;QAC9E,CAAC;QACD,aAAa,GAAG,SAAS,CAAC;IAC5B,CAAC;IACD,MAAM,kBAAkB,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,KAAK,UAAU,wBAAwB,CACrC,MAAyB;IAEzB,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAAG,MAAM,EAAE,QAAQ,IAAI,wBAAwB,CAAC;IAC9D,MAAM,sBAAsB,EAAE,CAAC;IAE/B,uCAAuC;IACvC,MAAM,eAAe,GAAyC;QAC5D,GAAG,MAAM,EAAE,eAAe;KAC3B,CAAC;IAEF,MAAM,WAAW,GAAG,MAAM,EAAE,YAAY,IAAI,EAAE,CAAC;IAC/C,MAAM,iBAAiB,GACrB,WAAW,CAAC,MAAM,GAAG,CAAC;QACpB,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB;YAChE,CAAC,CAAC;gBACE,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB;gBACtC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;aAC/C;YACH,CAAC,CAAC,IAAI;QACR,CAAC,CAAC,8BAA8B,EAAE,CAAC;IACvC,IAAI,iBAAiB,EAAE,CAAC;QACtB,oEAAoE;QACpE,kEAAkE;QAClE,gEAAgE;QAChE,uEAAuE;QACvE,qEAAqE;QACrE,mEAAmE;QACnE,wCAAwC;QACxC,MAAM,UAAU,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;QAClD,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,UAAU,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC1E,eAAe,CAAC,MAAM,GAAG;YACvB,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;YACpC,YAAY,EAAE,iBAAiB,CAAC,YAAY;YAC5C,GAAG,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC;gBACxB,CAAC,CAAC;oBACE,KAAK,EAAE,YAAY;oBACnB,UAAU,EAAE,SAAkB;oBAC9B,MAAM,EAAE,SAAkB;iBAC3B;gBACH,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;QACrE,eAAe,CAAC,MAAM,GAAG;YACvB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB;YACtC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;SAC/C,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAEpD,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IAEnC,MAAM,MAAM,GAAG,mBAAmB,EAAE,CAAC;IACrC,MAAM,eAAe,GAAG,0BAA0B,EAAE,CAAC;IACrD,MAAM,wBAAwB,GAC5B,CAAC,MAAM,iBAAiB,EAAE,CAAC,IAAI,CAAC,2BAA2B,EAAE,CAAC;IAEhE,MAAM,+BAA+B,GACnC,CAAC,MAAM,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IAE1C,MAAM,IAAI,GAAG,UAAU,CAAC;QACtB,QAAQ;QACR,OAAO,EAAE,MAAM;QACf,QAAQ;QACR,MAAM;QACN,gBAAgB,EAAE;YAChB,OAAO,EAAE,IAAI;YACb,iBAAiB,EAAE,CAAC;YACpB,wEAAwE;YACxE,sEAAsE;YACtE,uEAAuE;YACvE,uEAAuE;YACvE,yEAAyE;YACzE,wBAAwB;YACxB,iBAAiB,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;gBAC3C,qEAAqE;gBACrE,sEAAsE;gBACtE,MAAM,WAAW,GAAG,CAClB,OAAO,CAAC,GAAG,CAAC,kBAAkB;oBAC9B,OAAO,CAAC,GAAG,CAAC,aAAa;oBACzB,EAAE,CACH,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrB,MAAM,QAAQ,GAAG,GAAG,MAAM,GAAG,WAAW,mCAAmC,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;gBACvG,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,wBAAwB,CAAC;oBACvD,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,QAAQ;iBACT,CAAC,CAAC;gBACH,MAAM,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3D,CAAC;SACF;QACD,iBAAiB,EAAE;YACjB,oEAAoE;YACpE,oEAAoE;YACpE,wCAAwC;YACxC,YAAY,EAAE,wBAAwB;YACtC,qEAAqE;YACrE,sEAAsE;YACtE,6CAA6C;YAC7C,2BAA2B,EAAE,IAAI;YACjC,qBAAqB,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE;gBAC7C,qEAAqE;gBACrE,6EAA6E;gBAC7E,MAAM,cAAc,GAAG,CACrB,OAAO,CAAC,GAAG,CAAC,kBAAkB;oBAC9B,OAAO,CAAC,GAAG,CAAC,aAAa;oBACzB,EAAE,CACH,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrB,MAAM,SAAS,GAAG,cAAc;oBAC9B,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,iBAAiB,EAAE,KAAK,cAAc,IAAI,CAAC;oBACzD,CAAC,CAAC,GAAG,CAAC;gBACR,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,uBAAuB,CAAC;oBACtD,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,SAAS;iBACV,CAAC,CAAC;gBACH,MAAM,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3D,CAAC;SACF;QACD,eAAe;QACf,OAAO,EAAE;YACP,sEAAsE;YACtE,yEAAyE;YACzE,wEAAwE;YACxE,sEAAsE;YACtE,mEAAmE;YACnE,2BAA2B;YAC3B,cAAc,EAAE;gBACd,OAAO,EAAE,IAAI;gBACb,gBAAgB,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;aACvC;SACF;QACD,aAAa,EAAE;YACb,IAAI,EAAE;gBACJ,MAAM,EAAE;oBACN,KAAK,EAAE,KAAK,EACV,IAIC;oBACD,kEAAkE;oBAClE,6DAA6D;oBAC7D,8DAA8D;oBAC9D,iDAAiD;oBACjD,OAGQ,EACR,EAAE;wBACF,gEAAgE;wBAChE,+DAA+D;wBAC/D,8DAA8D;wBAC9D,sDAAsD;wBACtD,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC;wBAC1B,IAAI,CAAC,KAAK;4BAAE,OAAO;wBACnB,6DAA6D;wBAC7D,8DAA8D;wBAC9D,+CAA+C;wBAC/C,IAAI,WAA+C,CAAC;wBACpD,IAAI,CAAC;4BACH,MAAM,YAAY,GAChB,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC;gCAC/B,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC;gCACxC,IAAI,CAAC;4BACP,WAAW,GAAG,iCAAiC,CAAC,YAAY,CAAC,CAAC;wBAChE,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,OAAO,CAAC,KAAK,CAAC,4CAA4C,EAAE,GAAG,CAAC,CAAC;4BACjE,WAAW,GAAG,SAAS,CAAC;wBAC1B,CAAC;wBACD,MAAM,gBAAgB,CAAC;4BACrB,YAAY,EAAE,aAAa;4BAC3B,UAAU,EAAE,IAAI,CAAC,EAAE;4BACnB,KAAK;4BACL,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,WAAW;yBACZ,CAAC,CAAC;wBACH,IAAI,CAAC;4BACH,MAAM,gCAAgC,CAAC,KAAK,CAAC,CAAC;wBAChD,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,+DAA+D;4BAC/D,OAAO,CAAC,KAAK,CACX,kDAAkD,EAClD,GAAG,CACJ,CAAC;wBACJ,CAAC;wBACD,IAAI,CAAC;4BACH,2DAA2D;4BAC3D,yDAAyD;4BACzD,wDAAwD;4BACxD,0DAA0D;4BAC1D,MAAM,0BAA0B,CAAC,KAAK,CAAC,CAAC;wBAC1C,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,OAAO,CAAC,KAAK,CACX,iDAAiD,EACjD,GAAG,CACJ,CAAC;wBACJ,CAAC;oBACH,CAAC;iBACF;aACF;YACD,OAAO,EAAE;gBACP,+DAA+D;gBAC/D,iEAAiE;gBACjE,kEAAkE;gBAClE,oDAAoD;gBACpD,EAAE;gBACF,+DAA+D;gBAC/D,+DAA+D;gBAC/D,+DAA+D;gBAC/D,gDAAgD;gBAChD,MAAM,EAAE;oBACN,KAAK,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;wBAC5B,IAAI,CAAC,+BAA+B;4BAAE,OAAO;wBAC7C,MAAM,gCAAgC,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;4BAC5D,OAAO,CAAC,KAAK,CACX,wEAAwE,EACxE,GAAG,CACJ,CAAC;wBACJ,CAAC,CAAC,CAAC;oBACL,CAAC;iBACF;gBACD,MAAM,EAAE;oBACN,KAAK,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;wBAC5B,IAAI,CAAC,+BAA+B;4BAAE,OAAO;wBAC7C,MAAM,gCAAgC,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;4BAC5D,OAAO,CAAC,KAAK,CACX,wEAAwE,EACxE,GAAG,CACJ,CAAC;wBACJ,CAAC,CAAC,CAAC;oBACL,CAAC;iBACF;aACF;SACF;QACD,OAAO,EAAE;YACP,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,UAAU;YACxC,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,gBAAgB;YACzC,WAAW,EAAE;gBACX,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,cAAc;aAC/B;SACF;QACD,QAAQ,EAAE;YACR,YAAY,EAAE,eAAe,CAAC,sBAAsB;YACpD,oEAAoE;YACpE,qEAAqE;YACrE,qEAAqE;YACrE,mCAAmC;YACnC,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;gBAC/B,CAAC,CAAC;oBACE,uBAAuB,EAAE;wBACvB,QAAQ,EAAE,MAAe;wBACzB,MAAM,EAAE,IAAI;wBACZ,WAAW,EAAE,IAAI;qBAClB;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;YACP,qEAAqE;YACrE,iEAAiE;YACjE,qEAAqE;YACrE,oEAAoE;YACpE,GAAG,CAAC,eAAe,CAAC,sBAAsB;gBACxC,CAAC,CAAC;oBACE,qBAAqB,EAAE;wBACrB,OAAO,EAAE,IAAI;wBACb,MAAM,EAAE,eAAe,CAAC,sBAAsB;qBAC/C;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;SACR;QACD,OAAO,EAAE;YACP,kEAAkE;YAClE,GAAG,CAAC;gBACF,GAAG,EAAE;oBACH,MAAM,EAAE,MAAM;oBACd,cAAc,EAAE,KAAK;iBACtB;aACF,CAAC;YACF,+CAA+C;YAC/C,MAAM,EAAE;YACR,GAAG,CAAC,MAAM,EAAE,OAAO,IAAI,EAAE,CAAC;SAC3B;KACF,CAAC,CAAC;IAEH,OAAO,IAAqC,CAAC;AAC/C,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,OAAe;IAEf,IAAI,OAAO,KAAK,UAAU,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,cAAc,EAAE,CAAC;QAC7B,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAE7D,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,iBAAiB,EAAE,CAAC;YAC9C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;YAC1C,MAAM,EAAE,GAAG,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;YACrD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;YACxE,OAAO,cAAc,CAAC,EAAE,EAAE;gBACxB,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,YAAY;aACrB,CAAC,CAAC;QACL,CAAC;QAED,yEAAyE;QACzE,wEAAwE;QACxE,sEAAsE;QACtE,IAAI,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;YAC1D,qEAAqE;YACrE,mEAAmE;YACnE,8DAA8D;YAC9D,+DAA+D;YAC/D,aAAa,GAAG,IAAI,IAAI,CAAC;gBACvB,gBAAgB,EAAE,GAAG;gBACrB,GAAG,EAAE,WAAW,EAAE;aACnB,CAAC,CAAC;YACH,yBAAyB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;YACzD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;YAChE,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;YAC5D,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;YACxE,OAAO,cAAc,CAAC,EAAE,EAAE;gBACxB,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,YAAY;aACrB,CAAC,CAAC;QACL,CAAC;QAED,iEAAiE;QACjE,0EAA0E;QAC1E,0EAA0E;QAC1E,0EAA0E;QAC1E,mDAAmD;QACnD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QACvD,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAC5D,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;QAClD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;QACxE,OAAO,cAAc,CAAC,EAAE,EAAE;YACxB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,YAAY;SACrB,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,MAAM,GAAG,GAAG,cAAc,CAAC,oBAAoB,CAAC,CAAC;IAEjD,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,kCAAkC;QAClC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC7D,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QACpC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;QAC/D,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;QACzD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;QACxE,OAAO,cAAc,CAAC,EAAE,EAAE;YACxB,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,gBAAgB;SACzB,CAAC,CAAC;IACL,CAAC;IAED,wEAAwE;IACxE,2DAA2D;IAC3D,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,oBAAoB,EAAE,EAAE,CAAC,CAAC;IACxE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;IAC3D,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;IACzD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IACxE,OAAO,cAAc,CAAC,EAAE,EAAE;QACxB,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,gBAAgB;KACzB,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\r\n * Internal Better Auth instance — lazily created, not exported to templates.\r\n *\r\n * Templates interact with auth via the existing `getSession()`, `autoMountAuth()`,\r\n * `createAuthPlugin()`, and `createGoogleAuthPlugin()` APIs. Better Auth is an\r\n * implementation detail behind those interfaces.\r\n */\r\n\r\nimport crypto from \"node:crypto\";\r\nimport fs from \"node:fs\";\r\nimport path from \"node:path\";\r\n\r\nimport { betterAuth, type BetterAuthOptions } from \"better-auth\";\r\nimport { bearer } from \"better-auth/plugins/bearer\";\r\nimport { jwt } from \"better-auth/plugins/jwt\";\r\nimport {\r\n pgTable,\r\n text as pgText,\r\n timestamp as pgTimestamp,\r\n boolean as pgBoolean,\r\n} from \"drizzle-orm/pg-core\";\r\nimport {\r\n sqliteTable,\r\n text as sqliteText,\r\n integer as sqliteInteger,\r\n} from \"drizzle-orm/sqlite-core\";\r\n\r\nimport { TEMPLATES } from \"../cli/templates-meta.js\";\r\nimport { getDbExec, isPostgres } from \"../db/client.js\";\r\nimport {\r\n getDialect,\r\n getDatabaseUrl,\r\n getDatabaseAuthToken,\r\n closePgliteClients,\r\n getPgliteClient,\r\n isPgliteUrl,\r\n loadPgliteDrizzle,\r\n pgPoolOptions,\r\n neonPoolMax,\r\n attachNeonPoolErrorLogger,\r\n} from \"../db/client.js\";\r\nimport { ensureTableExists } from \"../db/ddl-guard.js\";\r\nimport { saveOAuthTokens } from \"../oauth-tokens/store.js\";\r\nimport { acceptPendingInvitationsForEmail } from \"../org/accept-pending.js\";\r\nimport { autoJoinDomainMatchingOrgs } from \"../org/auto-join-domain.js\";\r\nimport { flushTracking, identify, track } from \"../tracking/index.js\";\r\nimport { getAppProductionUrl } from \"./app-url.js\";\r\nimport { signupAttributionFromCookieHeader } from \"./attribution.js\";\r\nimport { resolveAuthCookieNamespace } from \"./cookie-namespace.js\";\r\nimport { getWorkspaceA2ADerivedSecret } from \"./derived-secret.js\";\r\nimport {\r\n renderResetPasswordEmail,\r\n renderVerifySignupEmail,\r\n} from \"./email-templates.js\";\r\nimport { sendEmail, isEmailConfigured } from \"./email.js\";\r\nimport { resolveGoogleSignInCredentials } from \"./google-oauth-credentials.js\";\r\n\r\nasync function flushSignupTracking(): Promise<void> {\r\n try {\r\n await Promise.race([\r\n flushTracking(),\r\n new Promise<void>((resolve) => setTimeout(resolve, 1500)),\r\n ]);\r\n } catch {\r\n // Signup should never fail because analytics delivery did.\r\n }\r\n}\r\n\r\nexport async function hasBetterAuthUserEmail(email: string): Promise<boolean> {\r\n const adapter = await getBetterAuthInternalAdapter().catch(() => undefined);\r\n if (!adapter) return false;\r\n const existing = await adapter\r\n .findUserByEmail(email, { includeAccounts: false })\r\n .catch(() => null);\r\n return !!existing?.user?.email;\r\n}\r\n\r\nexport async function trackSignupEvent({\r\n authProvider,\r\n authUserId,\r\n email,\r\n name,\r\n attribution,\r\n}: {\r\n authProvider: string;\r\n authUserId?: string;\r\n email: string;\r\n name?: string | null;\r\n /**\r\n * First-touch referral attribution derived from the visitor's `an_ft`\r\n * cookie (see `server/attribution.ts`). Snake_case keys such as\r\n * `referral_source`, `referrer_user`, and the UTM passthrough are merged\r\n * into the `signup` event so we can measure where new users came from.\r\n * `undefined` values are dropped; a missing object is a clean no-op.\r\n */\r\n attribution?: Record<string, string | undefined>;\r\n}): Promise<void> {\r\n identify(email, {\r\n email,\r\n name: name ?? undefined,\r\n authUserId,\r\n });\r\n const cleanAttribution: Record<string, string> = {};\r\n if (attribution) {\r\n for (const [key, value] of Object.entries(attribution)) {\r\n if (typeof value === \"string\" && value.length > 0) {\r\n cleanAttribution[key] = value;\r\n }\r\n }\r\n }\r\n track(\r\n \"signup\",\r\n {\r\n ...resolveSignupTrackingProperties(),\r\n auth_provider: authProvider,\r\n ...(authUserId ? { auth_user_id: authUserId } : {}),\r\n ...cleanAttribution,\r\n },\r\n { userId: email },\r\n );\r\n await flushSignupTracking();\r\n}\r\n\r\n// ---------------------------------------------------------------------------\r\n// Persistent auth secret\r\n// ---------------------------------------------------------------------------\r\n\r\nlet inMemoryDevAuthSecret: string | undefined;\r\n\r\n/**\r\n * Resolve the Better Auth signing secret.\r\n *\r\n * Resolution order:\r\n * 1. `BETTER_AUTH_SECRET` env var — explicit, recommended for prod.\r\n * 2. Hosted workspace deploys can derive a per-purpose secret from the\r\n * already-required `A2A_SECRET` root. This keeps fresh workspace branches\r\n * bootable without reusing the raw A2A key as a cookie-signing key.\r\n * 3. Existing `.env.local` values in the template cwd — read-only\r\n * compatibility for projects that already configured this secret.\r\n * 4. Generate a per-process in-memory random 32-byte hex in development.\r\n *\r\n * Why this matters: before this helper existed, missing `BETTER_AUTH_SECRET`\r\n * fell through to `GOOGLE_CLIENT_SECRET` / `ACCESS_TOKEN` / a hardcoded\r\n * string. If a template happened to have none of those, each dev-server\r\n * boot would re-fall back to the hardcoded value (still stable) — but\r\n * rotating Google credentials, toggling `ACCESS_TOKEN`, or churning the\r\n * fallback chain would invalidate every signed cookie and force everyone\r\n * to sign in again. We still read explicit env configuration, but never\r\n * auto-write a generated secret into env files.\r\n */\r\nfunction resolveAuthSecret(): string {\r\n if (process.env.BETTER_AUTH_SECRET) return process.env.BETTER_AUTH_SECRET;\r\n const workspaceDerivedSecret = getWorkspaceA2ADerivedSecret(\"better-auth\");\r\n if (workspaceDerivedSecret) return workspaceDerivedSecret;\r\n\r\n // In production, beyond the workspace A2A-derived fallback above, never\r\n // auto-generate or use legacy fallbacks. A generated secret invalidates every\r\n // signed session cookie on the next cold start (serverless filesystems\r\n // aren't persistent), and the legacy hardcoded fallback is identical across\r\n // every deploy that hits it — both are serious enough to fail the boot loudly\r\n // so the deployer notices.\r\n if (process.env.NODE_ENV === \"production\") {\r\n const sample = crypto.randomBytes(32).toString(\"hex\");\r\n throw new Error(\r\n \"[agent-native] BETTER_AUTH_SECRET is not set. This is required in production \" +\r\n \"so signed session cookies stay valid across deploys. Set it as a deploy \" +\r\n \"environment variable (any 32-byte hex string), e.g.:\\n\\n\" +\r\n ` BETTER_AUTH_SECRET=${sample}\\n\\n` +\r\n \"Generate your own with `openssl rand -hex 32`. If you already have a \" +\r\n \"running deploy and need to preserve existing sessions, set it to your \" +\r\n \"previously-deployed BETTER_AUTH_SECRET value first, then rotate to a \" +\r\n \"fresh one. Hosted workspace deploys may also \" +\r\n \"set A2A_SECRET; agent-native derives a per-purpose Better Auth secret \" +\r\n \"from that workspace root secret.\",\r\n );\r\n }\r\n\r\n // SECURITY (audit 09 LOW-2): the previous fallback chain\r\n // (`GOOGLE_CLIENT_SECRET || ACCESS_TOKEN || hardcoded`) reused\r\n // cross-purpose secrets and a public hardcoded literal as the cookie\r\n // HMAC. Dropped entirely — better to mint an ephemeral secret than to\r\n // re-use a Google client secret or a known string.\r\n const existing = readEnvLocalSecret(\r\n path.resolve(process.cwd(), \".env.local\"),\r\n );\r\n if (existing) return existing;\r\n\r\n if (!inMemoryDevAuthSecret) {\r\n inMemoryDevAuthSecret = crypto.randomBytes(32).toString(\"hex\");\r\n console.warn(\r\n \"[agent-native] BETTER_AUTH_SECRET is not configured. Using an ephemeral \" +\r\n \"in-memory development secret. Sessions will reset every time this \" +\r\n \"process restarts. Set BETTER_AUTH_SECRET in your environment to keep \" +\r\n \"sessions valid across restarts.\",\r\n );\r\n }\r\n return inMemoryDevAuthSecret;\r\n}\r\n\r\nfunction readEnvLocalSecret(envLocalPath: string): string | undefined {\r\n try {\r\n const content = fs.readFileSync(envLocalPath, \"utf8\");\r\n // Match `BETTER_AUTH_SECRET=...` on its own line. Tolerate optional\r\n // quotes and leading `export `. Stop at the first newline or quote.\r\n const m = content.match(\r\n /^(?:export\\s+)?BETTER_AUTH_SECRET\\s*=\\s*\"?([^\"\\r\\n]+)\"?\\s*$/m,\r\n );\r\n return m?.[1]?.trim() || undefined;\r\n } catch {\r\n return undefined;\r\n }\r\n}\r\n\r\nfunction normalizeTrackingSlug(value: string | undefined): string | undefined {\r\n const trimmed = value?.trim();\r\n if (!trimmed) return undefined;\r\n const unscoped = trimmed.startsWith(\"@\")\r\n ? (trimmed.split(\"/\").pop() ?? trimmed)\r\n : trimmed;\r\n const slug = unscoped\r\n .toLowerCase()\r\n .replace(/[^a-z0-9]+/g, \"-\")\r\n .replace(/^-+|-+$/g, \"\");\r\n return slug || undefined;\r\n}\r\n\r\nfunction knownTemplateSlug(value: string | undefined): string | undefined {\r\n const slug = normalizeTrackingSlug(value);\r\n if (!slug) return undefined;\r\n const withoutPrefix = slug.startsWith(\"agent-native-\")\r\n ? slug.slice(\"agent-native-\".length)\r\n : slug;\r\n return TEMPLATES.some((template) => template.name === withoutPrefix)\r\n ? withoutPrefix\r\n : undefined;\r\n}\r\n\r\nfunction readPackageName(): string | undefined {\r\n try {\r\n const pkgPath = path.join(process.cwd(), \"package.json\");\r\n const pkg = JSON.parse(fs.readFileSync(pkgPath, \"utf8\")) as {\r\n name?: string;\r\n };\r\n return pkg.name;\r\n } catch {\r\n return undefined;\r\n }\r\n}\r\n\r\nfunction appSlugFromUrl(value: string | undefined): string | undefined {\r\n if (!value?.trim()) return undefined;\r\n try {\r\n const raw = /^[a-z][a-z0-9+.-]*:\\/\\//i.test(value)\r\n ? value\r\n : `https://${value}`;\r\n const hostname = new URL(raw).hostname.toLowerCase();\r\n if (hostname.endsWith(\".jami.studio\")) {\r\n return normalizeTrackingSlug(\r\n hostname.slice(0, -\".jami.studio\".length),\r\n );\r\n }\r\n return normalizeTrackingSlug(hostname.split(\".\")[0]);\r\n } catch {\r\n return undefined;\r\n }\r\n}\r\n\r\n/** @internal */\r\nexport function resolveSignupTrackingIdentity(): {\r\n app?: string;\r\n template?: string;\r\n} {\r\n const explicitApp =\r\n normalizeTrackingSlug(process.env.AGENT_NATIVE_APP) ||\r\n normalizeTrackingSlug(process.env.VITE_AGENT_NATIVE_APP);\r\n const packageApp =\r\n normalizeTrackingSlug(process.env.npm_package_name) ||\r\n normalizeTrackingSlug(readPackageName());\r\n const urlApp =\r\n appSlugFromUrl(process.env.APP_URL) ||\r\n appSlugFromUrl(process.env.BETTER_AUTH_URL) ||\r\n appSlugFromUrl(process.env.URL) ||\r\n appSlugFromUrl(process.env.DEPLOY_URL) ||\r\n appSlugFromUrl(process.env.VERCEL_PROJECT_PRODUCTION_URL) ||\r\n appSlugFromUrl(process.env.VERCEL_URL);\r\n const app =\r\n explicitApp ||\r\n urlApp ||\r\n packageApp ||\r\n normalizeTrackingSlug(process.env.APP_NAME);\r\n\r\n const template =\r\n knownTemplateSlug(process.env.AGENT_NATIVE_TEMPLATE) ||\r\n knownTemplateSlug(process.env.VITE_AGENT_NATIVE_TEMPLATE) ||\r\n knownTemplateSlug(process.env.APP_TEMPLATE) ||\r\n knownTemplateSlug(process.env.VITE_APP_TEMPLATE) ||\r\n knownTemplateSlug(app) ||\r\n knownTemplateSlug(packageApp) ||\r\n knownTemplateSlug(urlApp);\r\n\r\n return {\r\n ...(app ? { app } : {}),\r\n ...(template ? { template } : {}),\r\n };\r\n}\r\n\r\n/** @internal */\r\nexport function resolveSignupTrackingProperties(): Record<string, string> {\r\n const identity = resolveSignupTrackingIdentity();\r\n return {\r\n ...identity,\r\n ...(identity.app ? { agent_native_app: identity.app } : {}),\r\n ...(identity.template ? { agent_native_template: identity.template } : {}),\r\n };\r\n}\r\n\r\nexport function shouldSkipEmailVerification(): boolean {\r\n const value = process.env.AUTH_SKIP_EMAIL_VERIFICATION;\r\n if (value == null) {\r\n return (\r\n process.env.NODE_ENV === \"development\" || process.env.NODE_ENV === \"test\"\r\n );\r\n }\r\n const normalized = value.trim().toLowerCase();\r\n return normalized !== \"\" && normalized !== \"0\" && normalized !== \"false\";\r\n}\r\n\r\n/** Read-only accessor for the resolved auth secret. */\r\nexport function getAuthSecret(): string {\r\n return resolveAuthSecret();\r\n}\r\n\r\n// ---------------------------------------------------------------------------\r\n// Types\r\n// ---------------------------------------------------------------------------\r\n\r\n/** The shape we need from a Better Auth instance (internal — not exported to templates). */\r\nexport interface BetterAuthInstance {\r\n handler: (request: Request) => Promise<Response>;\r\n api: {\r\n getSession: (opts: { headers: Headers }) => Promise<{\r\n user: { id: string; email: string; name: string };\r\n session: {\r\n id: string;\r\n token: string;\r\n expiresAt: Date;\r\n };\r\n } | null>;\r\n signInEmail: (opts: {\r\n body: { email: string; password: string };\r\n }) => Promise<{ token?: string; user?: any } | null>;\r\n signUpEmail: (opts: {\r\n body: {\r\n email: string;\r\n password: string;\r\n name: string;\r\n callbackURL?: string;\r\n };\r\n headers?: Headers;\r\n }) => Promise<any>;\r\n signOut: (opts: { headers: Headers }) => Promise<any>;\r\n };\r\n}\r\n\r\nexport interface BetterAuthConfig {\r\n /** Base path for Better Auth routes. Default: \"/_agent-native/auth/ba\" */\r\n basePath?: string;\r\n /** Additional social providers beyond what env vars auto-detect */\r\n socialProviders?: BetterAuthOptions[\"socialProviders\"];\r\n /** Additional Better Auth plugins */\r\n plugins?: BetterAuthOptions[\"plugins\"];\r\n /**\r\n * Additional Google OAuth scopes (Gmail, Calendar, etc.) to request\r\n * up front during the primary \"Sign in with Google\" flow, beyond the\r\n * default identity scopes (`openid`, `email`, `profile`).\r\n *\r\n * When set, the Google social provider also opts into:\r\n * - `accessType: \"offline\"` — so a refresh token is issued\r\n * - `prompt: \"consent\"` — so the refresh token is reissued every sign-in\r\n *\r\n * Tokens are mirrored into `oauth_tokens` via a databaseHooks.account\r\n * hook so existing template code that reads from `oauth_tokens` (mail's\r\n * Gmail client, calendar's events fetcher) works without any separate\r\n * \"Connect Google\" page.\r\n */\r\n googleScopes?: string[];\r\n}\r\n\r\n// ---------------------------------------------------------------------------\r\n// Lazy instance\r\n// ---------------------------------------------------------------------------\r\n\r\nlet _auth: BetterAuthInstance | undefined;\r\nlet _initPromise: Promise<BetterAuthInstance> | undefined;\r\n// Track the Neon serverless Pool we open for Better Auth so closeBetterAuth()\r\n// can release it. The Pool keeps WebSocket connections open; leaking them on\r\n// hot-reload or process restart exhausts Neon's connection slot budget.\r\nlet _neonAuthPool: any;\r\n\r\nconst pgAuthSchema = {\r\n user: pgTable(\"user\", {\r\n id: pgText(\"id\").primaryKey(),\r\n name: pgText(\"name\").notNull(),\r\n email: pgText(\"email\").notNull().unique(),\r\n emailVerified: pgBoolean(\"email_verified\").notNull().default(false),\r\n image: pgText(\"image\"),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n }),\r\n session: pgTable(\"session\", {\r\n id: pgText(\"id\").primaryKey(),\r\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }).notNull(),\r\n token: pgText(\"token\").notNull().unique(),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n ipAddress: pgText(\"ip_address\"),\r\n userAgent: pgText(\"user_agent\"),\r\n userId: pgText(\"user_id\").notNull(),\r\n activeOrganizationId: pgText(\"active_organization_id\"),\r\n }),\r\n account: pgTable(\"account\", {\r\n id: pgText(\"id\").primaryKey(),\r\n accountId: pgText(\"account_id\").notNull(),\r\n providerId: pgText(\"provider_id\").notNull(),\r\n userId: pgText(\"user_id\").notNull(),\r\n accessToken: pgText(\"access_token\"),\r\n refreshToken: pgText(\"refresh_token\"),\r\n idToken: pgText(\"id_token\"),\r\n accessTokenExpiresAt: pgTimestamp(\"access_token_expires_at\", {\r\n withTimezone: true,\r\n }),\r\n refreshTokenExpiresAt: pgTimestamp(\"refresh_token_expires_at\", {\r\n withTimezone: true,\r\n }),\r\n scope: pgText(\"scope\"),\r\n password: pgText(\"password\"),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n }),\r\n verification: pgTable(\"verification\", {\r\n id: pgText(\"id\").primaryKey(),\r\n identifier: pgText(\"identifier\").notNull(),\r\n value: pgText(\"value\").notNull(),\r\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }).notNull(),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n }),\r\n organization: pgTable(\"organization\", {\r\n id: pgText(\"id\").primaryKey(),\r\n name: pgText(\"name\").notNull(),\r\n slug: pgText(\"slug\").notNull().unique(),\r\n logo: pgText(\"logo\"),\r\n metadata: pgText(\"metadata\"),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n }),\r\n member: pgTable(\"member\", {\r\n id: pgText(\"id\").primaryKey(),\r\n organizationId: pgText(\"organization_id\").notNull(),\r\n userId: pgText(\"user_id\").notNull(),\r\n role: pgText(\"role\").notNull().default(\"member\"),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n }),\r\n invitation: pgTable(\"invitation\", {\r\n id: pgText(\"id\").primaryKey(),\r\n organizationId: pgText(\"organization_id\").notNull(),\r\n email: pgText(\"email\").notNull(),\r\n role: pgText(\"role\"),\r\n status: pgText(\"status\").notNull().default(\"pending\"),\r\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }).notNull(),\r\n inviterId: pgText(\"inviter_id\").notNull(),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n }),\r\n jwks: pgTable(\"jwks\", {\r\n id: pgText(\"id\").primaryKey(),\r\n publicKey: pgText(\"public_key\").notNull(),\r\n privateKey: pgText(\"private_key\").notNull(),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }),\r\n }),\r\n};\r\n\r\nconst sqliteAuthSchema = {\r\n user: sqliteTable(\"user\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n name: sqliteText(\"name\").notNull(),\r\n email: sqliteText(\"email\").notNull().unique(),\r\n emailVerified: sqliteInteger(\"email_verified\", { mode: \"boolean\" })\r\n .notNull()\r\n .default(false),\r\n image: sqliteText(\"image\"),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n }),\r\n session: sqliteTable(\"session\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n token: sqliteText(\"token\").notNull().unique(),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n ipAddress: sqliteText(\"ip_address\"),\r\n userAgent: sqliteText(\"user_agent\"),\r\n userId: sqliteText(\"user_id\").notNull(),\r\n activeOrganizationId: sqliteText(\"active_organization_id\"),\r\n }),\r\n account: sqliteTable(\"account\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n accountId: sqliteText(\"account_id\").notNull(),\r\n providerId: sqliteText(\"provider_id\").notNull(),\r\n userId: sqliteText(\"user_id\").notNull(),\r\n accessToken: sqliteText(\"access_token\"),\r\n refreshToken: sqliteText(\"refresh_token\"),\r\n idToken: sqliteText(\"id_token\"),\r\n accessTokenExpiresAt: sqliteInteger(\"access_token_expires_at\", {\r\n mode: \"timestamp_ms\",\r\n }),\r\n refreshTokenExpiresAt: sqliteInteger(\"refresh_token_expires_at\", {\r\n mode: \"timestamp_ms\",\r\n }),\r\n scope: sqliteText(\"scope\"),\r\n password: sqliteText(\"password\"),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n }),\r\n verification: sqliteTable(\"verification\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n identifier: sqliteText(\"identifier\").notNull(),\r\n value: sqliteText(\"value\").notNull(),\r\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n }),\r\n organization: sqliteTable(\"organization\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n name: sqliteText(\"name\").notNull(),\r\n slug: sqliteText(\"slug\").notNull().unique(),\r\n logo: sqliteText(\"logo\"),\r\n metadata: sqliteText(\"metadata\"),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n }),\r\n member: sqliteTable(\"member\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n organizationId: sqliteText(\"organization_id\").notNull(),\r\n userId: sqliteText(\"user_id\").notNull(),\r\n role: sqliteText(\"role\").notNull().default(\"member\"),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n }),\r\n invitation: sqliteTable(\"invitation\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n organizationId: sqliteText(\"organization_id\").notNull(),\r\n email: sqliteText(\"email\").notNull(),\r\n role: sqliteText(\"role\"),\r\n status: sqliteText(\"status\").notNull().default(\"pending\"),\r\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n inviterId: sqliteText(\"inviter_id\").notNull(),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n }),\r\n jwks: sqliteTable(\"jwks\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n publicKey: sqliteText(\"public_key\").notNull(),\r\n privateKey: sqliteText(\"private_key\").notNull(),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }),\r\n }),\r\n};\r\n\r\n/**\r\n * Mirror a Better Auth `account` row for Google into the `oauth_tokens`\r\n * table that template code (mail's Gmail client, calendar's events fetcher)\r\n * reads from. Called from the `databaseHooks.account.create.after` and\r\n * `.update.after` hooks so tokens captured during the primary \"Sign in\r\n * with Google\" flow flow straight to the apps that need them — no\r\n * separate \"Connect Google\" page required.\r\n *\r\n * Resolves `account.userId` to the user's email by querying the `user`\r\n * table (Better Auth always quotes \"user\" because it's a reserved word\r\n * in Postgres; SQLite accepts the quotes too).\r\n *\r\n * The hook is fire-and-forget from the caller's perspective — every\r\n * failure is caught upstream so a flake in `oauth_tokens` never blocks\r\n * sign-in. We still no-op on missing fields here as a defense in depth.\r\n */\r\nasync function mirrorGoogleAccountToOAuthTokens(account: {\r\n providerId?: string;\r\n userId?: string;\r\n accountId?: string;\r\n accessToken?: string | null;\r\n refreshToken?: string | null;\r\n accessTokenExpiresAt?: Date | string | number | null;\r\n scope?: string | null;\r\n idToken?: string | null;\r\n}): Promise<void> {\r\n if (!account || account.providerId !== \"google\") return;\r\n if (!account.userId) return;\r\n\r\n const accessToken = account.accessToken ?? undefined;\r\n if (!accessToken) {\r\n // Better Auth sometimes upserts an account row before tokens are\r\n // attached (e.g. linking flows). Nothing to mirror yet — the next\r\n // update hook will run once the access token lands.\r\n return;\r\n }\r\n\r\n // Resolve user email from userId.\r\n const db = getDbExec();\r\n let email: string | undefined;\r\n try {\r\n const { rows } = await db.execute({\r\n sql: 'SELECT email FROM \"user\" WHERE id = ?',\r\n args: [account.userId],\r\n });\r\n email = (rows[0]?.email as string | undefined) ?? undefined;\r\n } catch (err) {\r\n console.error(\r\n \"[auth] mirror Google tokens: failed to resolve user email from userId\",\r\n err,\r\n );\r\n return;\r\n }\r\n if (!email) return;\r\n\r\n // Normalise expiry to epoch ms (Google's \"expiry_date\" convention used\r\n // throughout the templates).\r\n let expiryDate: number | undefined;\r\n const raw = account.accessTokenExpiresAt;\r\n if (raw instanceof Date) {\r\n expiryDate = raw.getTime();\r\n } else if (typeof raw === \"number\") {\r\n expiryDate = raw;\r\n } else if (typeof raw === \"string\") {\r\n const ms = Date.parse(raw);\r\n expiryDate = Number.isFinite(ms) ? ms : undefined;\r\n }\r\n\r\n const tokens: Record<string, unknown> = {\r\n access_token: accessToken,\r\n token_type: \"Bearer\",\r\n };\r\n if (account.refreshToken) tokens.refresh_token = account.refreshToken;\r\n if (expiryDate) tokens.expiry_date = expiryDate;\r\n if (account.scope) tokens.scope = account.scope;\r\n if (account.idToken) tokens.id_token = account.idToken;\r\n\r\n await saveOAuthTokens(\"google\", email, tokens, email);\r\n}\r\n\r\nasync function ensureBetterAuthTables(): Promise<void> {\r\n const db = getDbExec();\r\n\r\n // PG guard: probe information_schema first (no lock) for each table; run\r\n // DDL only when missing, bounded by a transaction-scoped lock_timeout.\r\n // Probe names are UNQUOTED (what information_schema.tables.table_name stores);\r\n // createSql keeps the QUOTED \"user\"/\"session\"/… form required by Postgres.\r\n if (isPostgres()) {\r\n const pgTables: Array<[name: string, createSql: string]> = [\r\n [\r\n \"user\",\r\n `CREATE TABLE IF NOT EXISTS \"user\" (id TEXT PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE, email_verified BOOLEAN NOT NULL DEFAULT FALSE, image TEXT, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\r\n ],\r\n [\r\n \"session\",\r\n `CREATE TABLE IF NOT EXISTS \"session\" (id TEXT PRIMARY KEY, expires_at TIMESTAMPTZ NOT NULL, token TEXT NOT NULL UNIQUE, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL, ip_address TEXT, user_agent TEXT, user_id TEXT NOT NULL, active_organization_id TEXT)`,\r\n ],\r\n [\r\n \"account\",\r\n `CREATE TABLE IF NOT EXISTS \"account\" (id TEXT PRIMARY KEY, account_id TEXT NOT NULL, provider_id TEXT NOT NULL, user_id TEXT NOT NULL, access_token TEXT, refresh_token TEXT, id_token TEXT, access_token_expires_at TIMESTAMPTZ, refresh_token_expires_at TIMESTAMPTZ, scope TEXT, password TEXT, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\r\n ],\r\n [\r\n \"verification\",\r\n `CREATE TABLE IF NOT EXISTS \"verification\" (id TEXT PRIMARY KEY, identifier TEXT NOT NULL, value TEXT NOT NULL, expires_at TIMESTAMPTZ NOT NULL, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\r\n ],\r\n [\r\n \"organization\",\r\n `CREATE TABLE IF NOT EXISTS \"organization\" (id TEXT PRIMARY KEY, name TEXT NOT NULL, slug TEXT NOT NULL UNIQUE, logo TEXT, metadata TEXT, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\r\n ],\r\n [\r\n \"member\",\r\n `CREATE TABLE IF NOT EXISTS \"member\" (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, user_id TEXT NOT NULL, role TEXT NOT NULL DEFAULT 'member', created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\r\n ],\r\n [\r\n \"invitation\",\r\n `CREATE TABLE IF NOT EXISTS \"invitation\" (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, email TEXT NOT NULL, role TEXT, status TEXT NOT NULL DEFAULT 'pending', expires_at TIMESTAMPTZ NOT NULL, inviter_id TEXT NOT NULL, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\r\n ],\r\n [\r\n \"jwks\",\r\n `CREATE TABLE IF NOT EXISTS \"jwks\" (id TEXT PRIMARY KEY, public_key TEXT NOT NULL, private_key TEXT NOT NULL, created_at TIMESTAMPTZ NOT NULL, expires_at TIMESTAMPTZ)`,\r\n ],\r\n ];\r\n for (const [name, sql] of pgTables) await ensureTableExists(name, sql);\r\n return;\r\n }\r\n\r\n // SQLite (local dev): no lock problem — keep the original behaviour.\r\n const sqliteStatements = [\r\n `CREATE TABLE IF NOT EXISTS user (id TEXT PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE, email_verified INTEGER NOT NULL DEFAULT 0, image TEXT, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\r\n `CREATE TABLE IF NOT EXISTS session (id TEXT PRIMARY KEY, expires_at INTEGER NOT NULL, token TEXT NOT NULL UNIQUE, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL, ip_address TEXT, user_agent TEXT, user_id TEXT NOT NULL, active_organization_id TEXT)`,\r\n `CREATE TABLE IF NOT EXISTS account (id TEXT PRIMARY KEY, account_id TEXT NOT NULL, provider_id TEXT NOT NULL, user_id TEXT NOT NULL, access_token TEXT, refresh_token TEXT, id_token TEXT, access_token_expires_at INTEGER, refresh_token_expires_at INTEGER, scope TEXT, password TEXT, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\r\n `CREATE TABLE IF NOT EXISTS verification (id TEXT PRIMARY KEY, identifier TEXT NOT NULL, value TEXT NOT NULL, expires_at INTEGER NOT NULL, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\r\n `CREATE TABLE IF NOT EXISTS organization (id TEXT PRIMARY KEY, name TEXT NOT NULL, slug TEXT NOT NULL UNIQUE, logo TEXT, metadata TEXT, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\r\n `CREATE TABLE IF NOT EXISTS member (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, user_id TEXT NOT NULL, role TEXT NOT NULL DEFAULT 'member', created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\r\n `CREATE TABLE IF NOT EXISTS invitation (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, email TEXT NOT NULL, role TEXT, status TEXT NOT NULL DEFAULT 'pending', expires_at INTEGER NOT NULL, inviter_id TEXT NOT NULL, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\r\n `CREATE TABLE IF NOT EXISTS jwks (id TEXT PRIMARY KEY, public_key TEXT NOT NULL, private_key TEXT NOT NULL, created_at INTEGER NOT NULL, expires_at INTEGER)`,\r\n ];\r\n for (const sql of sqliteStatements) await db.execute(sql);\r\n}\r\n\r\n/**\r\n * Get or create the Better Auth instance.\r\n * Lazily initialized on first call — the database must be reachable by then.\r\n */\r\nexport async function getBetterAuth(\r\n config?: BetterAuthConfig,\r\n): Promise<BetterAuthInstance> {\r\n if (_auth) return _auth;\r\n if (_initPromise) return _initPromise;\r\n\r\n _initPromise = createBetterAuthInstance(config);\r\n _auth = await _initPromise;\r\n return _auth;\r\n}\r\n\r\n/**\r\n * Synchronous getter — returns the instance if already initialized, else undefined.\r\n * Use this in hot paths where you know init has already happened.\r\n */\r\nexport function getBetterAuthSync(): BetterAuthInstance | undefined {\r\n return _auth;\r\n}\r\n\r\n/**\r\n * The subset of Better Auth's internal adapter we use for federated-SSO\r\n * JIT account linking. Better Auth owns these writes (id + timestamp +\r\n * schema handling), so callers never hand-roll SQL against `user`/`account`.\r\n * Read-only lookups + strictly-additive `linkAccount`/`createUser` only — no\r\n * update/delete of existing identity rows.\r\n */\r\nexport interface BetterAuthInternalAdapter {\r\n findUserByEmail: (\r\n email: string,\r\n options?: { includeAccounts: boolean },\r\n ) => Promise<{\r\n user: { id: string; email: string; name?: string };\r\n accounts: Array<{ providerId: string; accountId: string }>;\r\n } | null>;\r\n linkAccount: (account: {\r\n userId: string;\r\n providerId: string;\r\n accountId: string;\r\n }) => Promise<unknown>;\r\n createUser: (user: {\r\n email: string;\r\n name: string;\r\n emailVerified?: boolean;\r\n }) => Promise<{ id: string }>;\r\n}\r\n\r\n/**\r\n * Resolve Better Auth's internal adapter via the live instance's\r\n * `$context`. The framework's narrowed `BetterAuthInstance` interface omits\r\n * `$context`, but the underlying object created by `betterAuth(...)` always\r\n * exposes it (see Better Auth's `Auth` type) — so this is a safe, typed\r\n * accessor for the federated-SSO client. Returns `undefined` if the context\r\n * shape is unexpected (older/newer Better Auth) so callers can fall back.\r\n */\r\nexport async function getBetterAuthInternalAdapter(\r\n config?: BetterAuthConfig,\r\n): Promise<BetterAuthInternalAdapter | undefined> {\r\n const auth = (await getBetterAuth(config)) as unknown as {\r\n $context?: Promise<{ internalAdapter?: BetterAuthInternalAdapter }>;\r\n };\r\n try {\r\n const ctx = await auth.$context;\r\n const ia = ctx?.internalAdapter;\r\n if (\r\n ia &&\r\n typeof ia.findUserByEmail === \"function\" &&\r\n typeof ia.linkAccount === \"function\" &&\r\n typeof ia.createUser === \"function\"\r\n ) {\r\n return ia;\r\n }\r\n } catch {\r\n // Context resolution failed — caller falls back to the signup path.\r\n }\r\n return undefined;\r\n}\r\n\r\n/** Reset for testing */\r\nexport async function resetBetterAuth(): Promise<void> {\r\n _auth = undefined;\r\n _initPromise = undefined;\r\n if (_neonAuthPool) {\r\n try {\r\n await _neonAuthPool.end();\r\n } catch {\r\n // Pool may have already closed (process exiting, etc.) — don't block reset.\r\n }\r\n _neonAuthPool = undefined;\r\n }\r\n await closePgliteClients();\r\n}\r\n\r\n// ---------------------------------------------------------------------------\r\n// Instance creation\r\n// ---------------------------------------------------------------------------\r\n\r\nasync function createBetterAuthInstance(\r\n config?: BetterAuthConfig,\r\n): Promise<BetterAuthInstance> {\r\n const dialect = getDialect();\r\n const basePath = config?.basePath ?? \"/_agent-native/auth/ba\";\r\n await ensureBetterAuthTables();\r\n\r\n // Build social providers from env vars\r\n const socialProviders: BetterAuthOptions[\"socialProviders\"] = {\r\n ...config?.socialProviders,\r\n };\r\n\r\n const extraScopes = config?.googleScopes ?? [];\r\n const googleCredentials =\r\n extraScopes.length > 0\r\n ? process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET\r\n ? {\r\n clientId: process.env.GOOGLE_CLIENT_ID,\r\n clientSecret: process.env.GOOGLE_CLIENT_SECRET,\r\n }\r\n : null\r\n : resolveGoogleSignInCredentials();\r\n if (googleCredentials) {\r\n // When the template requests broader scopes (Gmail, Calendar, etc.)\r\n // ask for them on the primary sign-in flow so a separate \"Connect\r\n // Google\" round-trip isn't needed. `accessType: \"offline\"` plus\r\n // `prompt: \"consent\"` ensures we always receive a refresh token back —\r\n // Google only re-issues a refresh token on consent, so re-signing in\r\n // (e.g. after switching machines) would otherwise leave us with an\r\n // access token that can't be refreshed.\r\n const baseScopes = [\"openid\", \"email\", \"profile\"];\r\n const mergedScopes = Array.from(new Set([...baseScopes, ...extraScopes]));\r\n socialProviders.google = {\r\n clientId: googleCredentials.clientId,\r\n clientSecret: googleCredentials.clientSecret,\r\n ...(extraScopes.length > 0\r\n ? {\r\n scope: mergedScopes,\r\n accessType: \"offline\" as const,\r\n prompt: \"consent\" as const,\r\n }\r\n : {}),\r\n };\r\n }\r\n\r\n if (process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET) {\r\n socialProviders.github = {\r\n clientId: process.env.GITHUB_CLIENT_ID,\r\n clientSecret: process.env.GITHUB_CLIENT_SECRET,\r\n };\r\n }\r\n\r\n // Build database config\r\n const database = await buildDatabaseConfig(dialect);\r\n\r\n const secret = resolveAuthSecret();\r\n\r\n const appUrl = getAppProductionUrl();\r\n const cookieNamespace = resolveAuthCookieNamespace();\r\n const requireEmailVerification =\r\n (await isEmailConfigured()) && !shouldSkipEmailVerification();\r\n\r\n const shouldMirrorGoogleAccountTokens =\r\n (config?.googleScopes?.length ?? 0) > 0;\r\n\r\n const auth = betterAuth({\r\n basePath,\r\n baseURL: appUrl,\r\n database,\r\n secret,\r\n emailAndPassword: {\r\n enabled: true,\r\n minPasswordLength: 8,\r\n // Only require email verification when an email provider is configured.\r\n // Without a provider, verification emails can't be sent, so requiring\r\n // verification would lock users out of signup entirely. Local dev/test\r\n // skip verification by default so +qa accounts can be created quickly;\r\n // hosted QA deployments can opt out with AUTH_SKIP_EMAIL_VERIFICATION=1.\r\n requireEmailVerification,\r\n sendResetPassword: async ({ user, token }) => {\r\n // APP_BASE_PATH lets this app mount under a prefix (e.g. /mail). The\r\n // reset link must include that prefix so the page resolves correctly.\r\n const appBasePath = (\r\n process.env.VITE_APP_BASE_PATH ||\r\n process.env.APP_BASE_PATH ||\r\n \"\"\r\n ).replace(/\\/$/, \"\");\r\n const resetUrl = `${appUrl}${appBasePath}/_agent-native/auth/reset?token=${encodeURIComponent(token)}`;\r\n const { subject, html, text } = renderResetPasswordEmail({\r\n email: user.email,\r\n resetUrl,\r\n });\r\n await sendEmail({ to: user.email, subject, html, text });\r\n },\r\n },\r\n emailVerification: {\r\n // Fire verification email right after signup, before the user has a\r\n // session — pairs with requireEmailVerification above. Only enabled\r\n // when an email provider is configured.\r\n sendOnSignUp: requireEmailVerification,\r\n // Auto-create a session once the user clicks the link. Without this,\r\n // verified users would have to go back and sign in manually, which is\r\n // a confusing dead-end on the verify screen.\r\n autoSignInAfterVerification: true,\r\n sendVerificationEmail: async ({ user, url }) => {\r\n // APP_BASE_PATH lets this app mount under a prefix (e.g. /mail). The\r\n // verification link must include that prefix so the page resolves correctly.\r\n const verifyBasePath = (\r\n process.env.VITE_APP_BASE_PATH ||\r\n process.env.APP_BASE_PATH ||\r\n \"\"\r\n ).replace(/\\/$/, \"\");\r\n const verifyUrl = verifyBasePath\r\n ? url.replace(/(\\/\\/[^/]+)(\\/)/, `$1${verifyBasePath}$2`)\r\n : url;\r\n const { subject, html, text } = renderVerifySignupEmail({\r\n email: user.email,\r\n verifyUrl,\r\n });\r\n await sendEmail({ to: user.email, subject, html, text });\r\n },\r\n },\r\n socialProviders,\r\n account: {\r\n // Merge accounts when a user signs in with a social provider using an\r\n // email that already has a local email/password account (or vice versa).\r\n // Only providers listed in `trustedProviders` auto-link — these are the\r\n // ones that verify emails at the identity layer. Never add a provider\r\n // here that lets users claim an unverified email; that would be an\r\n // account-takeover vector.\r\n accountLinking: {\r\n enabled: true,\r\n trustedProviders: [\"google\", \"github\"],\r\n },\r\n },\r\n databaseHooks: {\r\n user: {\r\n create: {\r\n after: async (\r\n user: {\r\n id?: string;\r\n email?: string;\r\n name?: string | null;\r\n },\r\n // Better Auth (1.6.x) passes the endpoint context as the 2nd arg.\r\n // It carries the originating request's headers (and on OAuth\r\n // signups the callback request's headers), which is where the\r\n // browser's `an_ft` first-touch cookie rides in.\r\n context?: {\r\n headers?: Headers | null;\r\n request?: { headers?: Headers | null } | null;\r\n } | null,\r\n ) => {\r\n // When a newly-created user's email has pending org invitations\r\n // (common when someone is invited *before* they've signed up),\r\n // auto-accept them so the user lands in the org on their very\r\n // first page load instead of a blank-slate workspace.\r\n const email = user?.email;\r\n if (!email) return;\r\n // Derive first-touch referral attribution from the request's\r\n // cookie header. Never let attribution parsing throw or block\r\n // signup — on any error fall back to `direct`.\r\n let attribution: Record<string, string> | undefined;\r\n try {\r\n const cookieHeader =\r\n context?.headers?.get(\"cookie\") ??\r\n context?.request?.headers?.get(\"cookie\") ??\r\n null;\r\n attribution = signupAttributionFromCookieHeader(cookieHeader);\r\n } catch (err) {\r\n console.error(\"[auth] failed to derive signup attribution\", err);\r\n attribution = undefined;\r\n }\r\n await trackSignupEvent({\r\n authProvider: \"better-auth\",\r\n authUserId: user.id,\r\n email,\r\n name: user.name,\r\n attribution,\r\n });\r\n try {\r\n await acceptPendingInvitationsForEmail(email);\r\n } catch (err) {\r\n // Never block signup on invite bookkeeping — log and continue.\r\n console.error(\r\n \"[auth] failed to auto-accept pending invitations\",\r\n err,\r\n );\r\n }\r\n try {\r\n // Auto-join orgs whose `allowed_domain` matches this email\r\n // domain. Lets a fresh `@builder.io` (or any org-domain)\r\n // signup land inside the company org on first page load\r\n // without going through the picker. No-ops when no match.\r\n await autoJoinDomainMatchingOrgs(email);\r\n } catch (err) {\r\n console.error(\r\n \"[auth] failed to auto-join domain-matching orgs\",\r\n err,\r\n );\r\n }\r\n },\r\n },\r\n },\r\n account: {\r\n // Mirror Google account tokens into `oauth_tokens` so existing\r\n // template code (mail's Gmail client, calendar's events fetcher)\r\n // can pick up Gmail/Calendar credentials from the primary sign-in\r\n // flow — no separate \"Set up Google\" page required.\r\n //\r\n // Better Auth fires `create` for first-time social sign-in and\r\n // `update` whenever a session re-issues tokens (e.g., the user\r\n // re-signs in to refresh the token). Both branches do the same\r\n // mirroring work; failures never block sign-in.\r\n create: {\r\n after: async (account: any) => {\r\n if (!shouldMirrorGoogleAccountTokens) return;\r\n await mirrorGoogleAccountToOAuthTokens(account).catch((err) => {\r\n console.error(\r\n \"[auth] failed to mirror Google account tokens to oauth_tokens (create)\",\r\n err,\r\n );\r\n });\r\n },\r\n },\r\n update: {\r\n after: async (account: any) => {\r\n if (!shouldMirrorGoogleAccountTokens) return;\r\n await mirrorGoogleAccountToOAuthTokens(account).catch((err) => {\r\n console.error(\r\n \"[auth] failed to mirror Google account tokens to oauth_tokens (update)\",\r\n err,\r\n );\r\n });\r\n },\r\n },\r\n },\r\n },\r\n session: {\r\n expiresIn: 60 * 60 * 24 * 30, // 30 days\r\n updateAge: 60 * 60 * 24, // refresh daily\r\n cookieCache: {\r\n enabled: true,\r\n maxAge: 5 * 60, // 5 min cache\r\n },\r\n },\r\n advanced: {\r\n cookiePrefix: cookieNamespace.betterAuthCookiePrefix,\r\n // Emit `SameSite=None; Secure` when the app is served over HTTPS so\r\n // session cookies are delivered inside third-party iframes (e.g. the\r\n // Builder.io editor). Plain-HTTP dev keeps the default (Lax) because\r\n // `SameSite=None` requires Secure.\r\n ...(appUrl.startsWith(\"https://\")\r\n ? {\r\n defaultCookieAttributes: {\r\n sameSite: \"none\" as const,\r\n secure: true,\r\n partitioned: true,\r\n },\r\n }\r\n : {}),\r\n // When an effective shared cookie domain is set, share Better Auth's\r\n // session cookie across that domain. First-party `*.jami.studio`\r\n // apps intentionally do not use this path because their auth DBs are\r\n // separate; Dispatch identity federation handles cross-app sign-in.\r\n ...(cookieNamespace.betterAuthCookieDomain\r\n ? {\r\n crossSubDomainCookies: {\r\n enabled: true,\r\n domain: cookieNamespace.betterAuthCookieDomain,\r\n },\r\n }\r\n : {}),\r\n },\r\n plugins: [\r\n // JWT: issue tokens for A2A calls, JWKS endpoint for verification\r\n jwt({\r\n jwt: {\r\n issuer: appUrl,\r\n expirationTime: \"15m\",\r\n },\r\n }),\r\n // Bearer: accept Bearer tokens on API requests\r\n bearer(),\r\n ...(config?.plugins ?? []),\r\n ],\r\n });\r\n\r\n return auth as unknown as BetterAuthInstance;\r\n}\r\n\r\nasync function buildDatabaseConfig(\r\n dialect: string,\r\n): Promise<BetterAuthOptions[\"database\"]> {\r\n if (dialect === \"postgres\") {\r\n const url = getDatabaseUrl();\r\n const { isNeonUrl } = await import(\"../db/create-get-db.js\");\r\n\r\n if (isPgliteUrl(url)) {\r\n const { drizzle } = await loadPgliteDrizzle();\r\n const client = await getPgliteClient(url);\r\n const db = drizzle({ client, schema: pgAuthSchema });\r\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\r\n return drizzleAdapter(db, {\r\n provider: \"pg\",\r\n schema: pgAuthSchema,\r\n });\r\n }\r\n\r\n // Neon via @neondatabase/serverless (WebSockets over HTTPS). postgres-js\r\n // opens a raw TCP connection on port 5432 which frequently times out on\r\n // Netlify Functions / Vercel / CF Workers when Neon's pooler is cold.\r\n if (isNeonUrl(url)) {\r\n const { Pool } = await import(\"@neondatabase/serverless\");\r\n // Cap the auth pool the same way as the app pool. Better Auth runs a\r\n // session lookup on essentially every authenticated request, so an\r\n // un-capped pool here is a primary contributor to \"Max client\r\n // connections reached\" across concurrent serverless instances.\r\n _neonAuthPool = new Pool({\r\n connectionString: url,\r\n max: neonPoolMax(),\r\n });\r\n attachNeonPoolErrorLogger(_neonAuthPool, \"db/neon-auth\");\r\n const { drizzle } = await import(\"drizzle-orm/neon-serverless\");\r\n const db = drizzle(_neonAuthPool, { schema: pgAuthSchema });\r\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\r\n return drizzleAdapter(db, {\r\n provider: \"pg\",\r\n schema: pgAuthSchema,\r\n });\r\n }\r\n\r\n // Non-Neon Postgres (Supabase, self-hosted, etc.) → postgres-js.\r\n // pgPoolOptions caps this pool to a small size on serverless. Better Auth\r\n // runs a session lookup on essentially every authenticated request, so an\r\n // un-capped pool here is a primary contributor to \"Max client connections\r\n // reached\" across concurrent serverless instances.\r\n const { default: postgres } = await import(\"postgres\");\r\n const sql = postgres(url, pgPoolOptions(url));\r\n const { drizzle } = await import(\"drizzle-orm/postgres-js\");\r\n const db = drizzle(sql, { schema: pgAuthSchema });\r\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\r\n return drizzleAdapter(db, {\r\n provider: \"pg\",\r\n schema: pgAuthSchema,\r\n });\r\n }\r\n\r\n // SQLite / libsql\r\n const url = getDatabaseUrl(\"file:./data/app.db\");\r\n\r\n if (url.startsWith(\"file:\") || !url.includes(\"://\")) {\r\n // Local SQLite via better-sqlite3\r\n const { default: Database } = await import(\"better-sqlite3\");\r\n const filePath = url.replace(/^file:/, \"\");\r\n const sqlite = new Database(filePath);\r\n sqlite.pragma(\"journal_mode = WAL\");\r\n const { drizzle } = await import(\"drizzle-orm/better-sqlite3\");\r\n const db = drizzle(sqlite, { schema: sqliteAuthSchema });\r\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\r\n return drizzleAdapter(db, {\r\n provider: \"sqlite\",\r\n schema: sqliteAuthSchema,\r\n });\r\n }\r\n\r\n // Remote libsql (Turso). Use the web client to avoid serverless bundles\r\n // depending on libsql's platform-specific native packages.\r\n const { createClient } = await import(\"@libsql/client/web\");\r\n const client = createClient({ url, authToken: getDatabaseAuthToken() });\r\n const { drizzle } = await import(\"drizzle-orm/libsql/web\");\r\n const db = drizzle(client, { schema: sqliteAuthSchema });\r\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\r\n return drizzleAdapter(db, {\r\n provider: \"sqlite\",\r\n schema: sqliteAuthSchema,\r\n });\r\n}\r\n"]}
1
+ {"version":3,"file":"better-auth-instance.js","sourceRoot":"","sources":["../../src/server/better-auth-instance.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,UAAU,EAA0B,MAAM,aAAa,CAAC;AACjE,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAC;AAC9C,OAAO,EACL,OAAO,EACP,IAAI,IAAI,MAAM,EACd,SAAS,IAAI,WAAW,EACxB,OAAO,IAAI,SAAS,GACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,WAAW,EACX,IAAI,IAAI,UAAU,EAClB,OAAO,IAAI,aAAa,GACzB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EACL,UAAU,EACV,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,eAAe,EACf,WAAW,EACX,iBAAiB,EACjB,aAAa,EACb,WAAW,EACX,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,gCAAgC,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,0BAA0B,EAAE,MAAM,4BAA4B,CAAC;AACxE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,EAAE,iCAAiC,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,uBAAuB,CAAC;AACnE,OAAO,EAAE,4BAA4B,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EACL,wBAAwB,EACxB,uBAAuB,GACxB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC1D,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAE/E,KAAK,UAAU,mBAAmB;IAChC,IAAI,CAAC;QACH,MAAM,OAAO,CAAC,IAAI,CAAC;YACjB,aAAa,EAAE;YACf,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;SAC1D,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,2DAA2D;IAC7D,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,KAAa;IACxD,MAAM,OAAO,GAAG,MAAM,4BAA4B,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC5E,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,MAAM,QAAQ,GAAG,MAAM,OAAO;SAC3B,eAAe,CAAC,KAAK,EAAE,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;SAClD,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACrB,OAAO,CAAC,CAAC,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC;AACjC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,EACrC,YAAY,EACZ,UAAU,EACV,KAAK,EACL,IAAI,EACJ,WAAW,GAcZ;IACC,QAAQ,CAAC,KAAK,EAAE;QACd,KAAK;QACL,IAAI,EAAE,IAAI,IAAI,SAAS;QACvB,UAAU;KACX,CAAC,CAAC;IACH,MAAM,gBAAgB,GAA2B,EAAE,CAAC;IACpD,IAAI,WAAW,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;YACvD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,gBAAgB,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IACD,KAAK,CACH,QAAQ,EACR;QACE,GAAG,+BAA+B,EAAE;QACpC,aAAa,EAAE,YAAY;QAC3B,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACnD,GAAG,gBAAgB;KACpB,EACD,EAAE,MAAM,EAAE,KAAK,EAAE,CAClB,CAAC;IACF,MAAM,mBAAmB,EAAE,CAAC;AAC9B,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E,IAAI,qBAAyC,CAAC;AAE9C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAS,iBAAiB;IACxB,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAC1E,MAAM,sBAAsB,GAAG,4BAA4B,CAAC,aAAa,CAAC,CAAC;IAC3E,IAAI,sBAAsB;QAAE,OAAO,sBAAsB,CAAC;IAE1D,wEAAwE;IACxE,8EAA8E;IAC9E,uEAAuE;IACvE,4EAA4E;IAC5E,8EAA8E;IAC9E,2BAA2B;IAC3B,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,+EAA+E;YAC7E,0EAA0E;YAC1E,0DAA0D;YAC1D,wBAAwB,MAAM,MAAM;YACpC,uEAAuE;YACvE,wEAAwE;YACxE,uEAAuE;YACvE,+CAA+C;YAC/C,wEAAwE;YACxE,kCAAkC,CACrC,CAAC;IACJ,CAAC;IAED,yDAAyD;IACzD,+DAA+D;IAC/D,qEAAqE;IACrE,sEAAsE;IACtE,mDAAmD;IACnD,MAAM,QAAQ,GAAG,kBAAkB,CACjC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,YAAY,CAAC,CAC1C,CAAC;IACF,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC3B,qBAAqB,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CACV,0EAA0E;YACxE,oEAAoE;YACpE,uEAAuE;YACvE,iCAAiC,CACpC,CAAC;IACJ,CAAC;IACD,OAAO,qBAAqB,CAAC;AAC/B,CAAC;AAED,SAAS,kBAAkB,CAAC,YAAoB;IAC9C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QACtD,oEAAoE;QACpE,oEAAoE;QACpE,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CACrB,8DAA8D,CAC/D,CAAC;QACF,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAyB;IACtD,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACtC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,OAAO,CAAC;QACvC,CAAC,CAAC,OAAO,CAAC;IACZ,MAAM,IAAI,GAAG,QAAQ;SAClB,WAAW,EAAE;SACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;SAC3B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAyB;IAClD,MAAM,IAAI,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC;QACpD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC;QACpC,CAAC,CAAC,IAAI,CAAC;IACT,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,KAAK,aAAa,CAAC;QAClE,CAAC,CAAC,aAAa;QACf,CAAC,CAAC,SAAS,CAAC;AAChB,CAAC;AAED,SAAS,eAAe;IACtB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAEtD,CAAC;QACF,OAAO,GAAG,CAAC,IAAI,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAyB;IAC/C,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE;QAAE,OAAO,SAAS,CAAC;IACrC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC;YAChD,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,WAAW,KAAK,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QACrD,IAAI,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACtC,OAAO,qBAAqB,CAC1B,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC,CAC1C,CAAC;QACJ,CAAC;QACD,OAAO,qBAAqB,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,gBAAgB;AAChB,MAAM,UAAU,6BAA6B;IAI3C,MAAM,WAAW,GACf,qBAAqB,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACnD,qBAAqB,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IAC3D,MAAM,UAAU,GACd,qBAAqB,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACnD,qBAAqB,CAAC,eAAe,EAAE,CAAC,CAAC;IAC3C,MAAM,MAAM,GACV,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;QACnC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;QAC3C,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;QAC/B,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QACtC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC;QACzD,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,GAAG,GACP,WAAW;QACX,MAAM;QACN,UAAU;QACV,qBAAqB,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE9C,MAAM,QAAQ,GACZ,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;QACpD,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC;QACzD,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QAC3C,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QAChD,iBAAiB,CAAC,GAAG,CAAC;QACtB,iBAAiB,CAAC,UAAU,CAAC;QAC7B,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAE5B,OAAO;QACL,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvB,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAClC,CAAC;AACJ,CAAC;AAED,gBAAgB;AAChB,MAAM,UAAU,+BAA+B;IAC7C,MAAM,QAAQ,GAAG,6BAA6B,EAAE,CAAC;IACjD,OAAO;QACL,GAAG,QAAQ;QACX,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,qBAAqB,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC3E,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B;IACzC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;IACvD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,CAC1E,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,OAAO,UAAU,KAAK,EAAE,IAAI,UAAU,KAAK,GAAG,IAAI,UAAU,KAAK,OAAO,CAAC;AAC3E,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,aAAa;IAC3B,OAAO,iBAAiB,EAAE,CAAC;AAC7B,CAAC;AA0DD,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,IAAI,KAAqC,CAAC;AAC1C,IAAI,YAAqD,CAAC;AAC1D,8EAA8E;AAC9E,6EAA6E;AAC7E,wEAAwE;AACxE,IAAI,aAAkB,CAAC;AAEvB,MAAM,YAAY,GAAG;IACnB,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE;QACpB,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAC9B,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QACzC,aAAa,EAAE,SAAS,CAAC,gBAAgB,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;QACnE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC;QACtB,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,OAAO,EAAE,OAAO,CAAC,SAAS,EAAE;QAC1B,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QACzC,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC;QAC/B,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC;QAC/B,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACnC,oBAAoB,EAAE,MAAM,CAAC,wBAAwB,CAAC;KACvD,CAAC;IACF,OAAO,EAAE,OAAO,CAAC,SAAS,EAAE;QAC1B,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QACzC,UAAU,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC3C,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACnC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACnC,YAAY,EAAE,MAAM,CAAC,eAAe,CAAC;QACrC,OAAO,EAAE,MAAM,CAAC,UAAU,CAAC;QAC3B,oBAAoB,EAAE,WAAW,CAAC,yBAAyB,EAAE;YAC3D,YAAY,EAAE,IAAI;SACnB,CAAC;QACF,qBAAqB,EAAE,WAAW,CAAC,0BAA0B,EAAE;YAC7D,YAAY,EAAE,IAAI;SACnB,CAAC;QACF,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;QAC5B,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,YAAY,EAAE,OAAO,CAAC,cAAc,EAAE;QACpC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,UAAU,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC1C,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QAChC,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,YAAY,EAAE,OAAO,CAAC,cAAc,EAAE;QACpC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAC9B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QACvC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;QAC5B,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,MAAM,EAAE,OAAO,CAAC,QAAQ,EAAE;QACxB,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,cAAc,EAAE,MAAM,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACnD,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACnC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;QAChD,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,UAAU,EAAE,OAAO,CAAC,YAAY,EAAE;QAChC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,cAAc,EAAE,MAAM,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACnD,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QAChC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;QACrD,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QACzC,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE;QACpB,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QACzC,UAAU,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC3C,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;KAC7D,CAAC;CACH,CAAC;AAEF,MAAM,gBAAgB,GAAG;IACvB,IAAI,EAAE,WAAW,CAAC,MAAM,EAAE;QACxB,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAClC,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QAC7C,aAAa,EAAE,aAAa,CAAC,gBAAgB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;aAChE,OAAO,EAAE;aACT,OAAO,CAAC,KAAK,CAAC;QACjB,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC;QAC1B,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,OAAO,EAAE,WAAW,CAAC,SAAS,EAAE;QAC9B,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QAC7C,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC;QACnC,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC;QACnC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACvC,oBAAoB,EAAE,UAAU,CAAC,wBAAwB,CAAC;KAC3D,CAAC;IACF,OAAO,EAAE,WAAW,CAAC,SAAS,EAAE;QAC9B,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC7C,UAAU,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC/C,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACvC,WAAW,EAAE,UAAU,CAAC,cAAc,CAAC;QACvC,YAAY,EAAE,UAAU,CAAC,eAAe,CAAC;QACzC,OAAO,EAAE,UAAU,CAAC,UAAU,CAAC;QAC/B,oBAAoB,EAAE,aAAa,CAAC,yBAAyB,EAAE;YAC7D,IAAI,EAAE,cAAc;SACrB,CAAC;QACF,qBAAqB,EAAE,aAAa,CAAC,0BAA0B,EAAE;YAC/D,IAAI,EAAE,cAAc;SACrB,CAAC;QACF,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC;QAC1B,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC;QAChC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,YAAY,EAAE,WAAW,CAAC,cAAc,EAAE;QACxC,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,UAAU,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC9C,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QACpC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,YAAY,EAAE,WAAW,CAAC,cAAc,EAAE;QACxC,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAClC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QAC3C,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC;QACxB,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC;QAChC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,MAAM,EAAE,WAAW,CAAC,QAAQ,EAAE;QAC5B,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,cAAc,EAAE,UAAU,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACvD,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACvC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;QACpD,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,UAAU,EAAE,WAAW,CAAC,YAAY,EAAE;QACpC,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,cAAc,EAAE,UAAU,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACvD,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QACpC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC;QACxB,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;QACzD,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC7C,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,IAAI,EAAE,WAAW,CAAC,MAAM,EAAE;QACxB,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC7C,UAAU,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC/C,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;KACjE,CAAC;CACH,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,KAAK,UAAU,gCAAgC,CAAC,OAS/C;IACC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,KAAK,QAAQ;QAAE,OAAO;IACxD,IAAI,CAAC,OAAO,CAAC,MAAM;QAAE,OAAO;IAE5B,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,SAAS,CAAC;IACrD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,iEAAiE;QACjE,kEAAkE;QAClE,oDAAoD;QACpD,OAAO;IACT,CAAC;IAED,kCAAkC;IAClC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;IACvB,IAAI,KAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YAChC,GAAG,EAAE,uCAAuC;YAC5C,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;SACvB,CAAC,CAAC;QACH,KAAK,GAAI,IAAI,CAAC,CAAC,CAAC,EAAE,KAA4B,IAAI,SAAS,CAAC;IAC9D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CACX,uEAAuE,EACvE,GAAG,CACJ,CAAC;QACF,OAAO;IACT,CAAC;IACD,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,uEAAuE;IACvE,6BAA6B;IAC7B,IAAI,UAA8B,CAAC;IACnC,MAAM,GAAG,GAAG,OAAO,CAAC,oBAAoB,CAAC;IACzC,IAAI,GAAG,YAAY,IAAI,EAAE,CAAC;QACxB,UAAU,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;IAC7B,CAAC;SAAM,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,UAAU,GAAG,GAAG,CAAC;IACnB,CAAC;SAAM,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3B,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IACpD,CAAC;IAED,MAAM,MAAM,GAA4B;QACtC,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,QAAQ;KACrB,CAAC;IACF,IAAI,OAAO,CAAC,YAAY;QAAE,MAAM,CAAC,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;IACtE,IAAI,UAAU;QAAE,MAAM,CAAC,WAAW,GAAG,UAAU,CAAC;IAChD,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAChD,IAAI,OAAO,CAAC,OAAO;QAAE,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAEvD,MAAM,eAAe,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;AACxD,CAAC;AAED,KAAK,UAAU,sBAAsB;IACnC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;IAEvB,yEAAyE;IACzE,uEAAuE;IACvE,+EAA+E;IAC/E,2EAA2E;IAC3E,IAAI,UAAU,EAAE,EAAE,CAAC;QACjB,MAAM,QAAQ,GAA6C;YACzD;gBACE,MAAM;gBACN,sOAAsO;aACvO;YACD;gBACE,SAAS;gBACT,iRAAiR;aAClR;YACD;gBACE,SAAS;gBACT,sWAAsW;aACvW;YACD;gBACE,cAAc;gBACd,mNAAmN;aACpN;YACD;gBACE,cAAc;gBACd,4MAA4M;aAC7M;YACD;gBACE,QAAQ;gBACR,wNAAwN;aACzN;YACD;gBACE,YAAY;gBACZ,mSAAmS;aACpS;YACD;gBACE,MAAM;gBACN,uKAAuK;aACxK;SACF,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,QAAQ;YAAE,MAAM,iBAAiB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IAED,qEAAqE;IACrE,MAAM,gBAAgB,GAAG;QACvB,wNAAwN;QACxN,mQAAmQ;QACnQ,oVAAoV;QACpV,qMAAqM;QACrM,kMAAkM;QAClM,8MAA8M;QAC9M,qRAAqR;QACrR,6JAA6J;KAC9J,CAAC;IACF,KAAK,MAAM,GAAG,IAAI,gBAAgB;QAAE,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;AAC5D,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAyB;IAEzB,IAAI,KAAK;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,YAAY,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;IAChD,KAAK,GAAG,MAAM,YAAY,CAAC;IAC3B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AA6BD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,MAAyB;IAEzB,MAAM,IAAI,GAAG,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,CAExC,CAAC;IACF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC;QAChC,MAAM,EAAE,GAAG,GAAG,EAAE,eAAe,CAAC;QAChC,IACE,EAAE;YACF,OAAO,EAAE,CAAC,eAAe,KAAK,UAAU;YACxC,OAAO,EAAE,CAAC,WAAW,KAAK,UAAU;YACpC,OAAO,EAAE,CAAC,UAAU,KAAK,UAAU,EACnC,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,oEAAoE;IACtE,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,wBAAwB;AACxB,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,KAAK,GAAG,SAAS,CAAC;IAClB,YAAY,GAAG,SAAS,CAAC;IACzB,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,GAAG,EAAE,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,4EAA4E;QAC9E,CAAC;QACD,aAAa,GAAG,SAAS,CAAC;IAC5B,CAAC;IACD,MAAM,kBAAkB,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,KAAK,UAAU,wBAAwB,CACrC,MAAyB;IAEzB,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAAG,MAAM,EAAE,QAAQ,IAAI,wBAAwB,CAAC;IAC9D,MAAM,sBAAsB,EAAE,CAAC;IAE/B,uCAAuC;IACvC,MAAM,eAAe,GAAyC;QAC5D,GAAG,MAAM,EAAE,eAAe;KAC3B,CAAC;IAEF,MAAM,WAAW,GAAG,MAAM,EAAE,YAAY,IAAI,EAAE,CAAC;IAC/C,MAAM,iBAAiB,GACrB,WAAW,CAAC,MAAM,GAAG,CAAC;QACpB,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB;YAChE,CAAC,CAAC;gBACE,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB;gBACtC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;aAC/C;YACH,CAAC,CAAC,IAAI;QACR,CAAC,CAAC,8BAA8B,EAAE,CAAC;IACvC,IAAI,iBAAiB,EAAE,CAAC;QACtB,oEAAoE;QACpE,kEAAkE;QAClE,gEAAgE;QAChE,uEAAuE;QACvE,qEAAqE;QACrE,mEAAmE;QACnE,wCAAwC;QACxC,MAAM,UAAU,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;QAClD,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,UAAU,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC1E,eAAe,CAAC,MAAM,GAAG;YACvB,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;YACpC,YAAY,EAAE,iBAAiB,CAAC,YAAY;YAC5C,GAAG,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC;gBACxB,CAAC,CAAC;oBACE,KAAK,EAAE,YAAY;oBACnB,UAAU,EAAE,SAAkB;oBAC9B,MAAM,EAAE,SAAkB;iBAC3B;gBACH,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;QACrE,eAAe,CAAC,MAAM,GAAG;YACvB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB;YACtC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;SAC/C,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAEpD,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IAEnC,MAAM,MAAM,GAAG,mBAAmB,EAAE,CAAC;IACrC,MAAM,eAAe,GAAG,0BAA0B,EAAE,CAAC;IACrD,MAAM,wBAAwB,GAC5B,CAAC,MAAM,iBAAiB,EAAE,CAAC,IAAI,CAAC,2BAA2B,EAAE,CAAC;IAEhE,MAAM,+BAA+B,GACnC,CAAC,MAAM,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IAE1C,MAAM,IAAI,GAAG,UAAU,CAAC;QACtB,QAAQ;QACR,OAAO,EAAE,MAAM;QACf,QAAQ;QACR,MAAM;QACN,gBAAgB,EAAE;YAChB,OAAO,EAAE,IAAI;YACb,iBAAiB,EAAE,CAAC;YACpB,wEAAwE;YACxE,sEAAsE;YACtE,uEAAuE;YACvE,uEAAuE;YACvE,yEAAyE;YACzE,wBAAwB;YACxB,iBAAiB,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;gBAC3C,qEAAqE;gBACrE,sEAAsE;gBACtE,MAAM,WAAW,GAAG,CAClB,OAAO,CAAC,GAAG,CAAC,kBAAkB;oBAC9B,OAAO,CAAC,GAAG,CAAC,aAAa;oBACzB,EAAE,CACH,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrB,MAAM,QAAQ,GAAG,GAAG,MAAM,GAAG,WAAW,mCAAmC,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;gBACvG,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,wBAAwB,CAAC;oBACvD,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,QAAQ;iBACT,CAAC,CAAC;gBACH,MAAM,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3D,CAAC;SACF;QACD,iBAAiB,EAAE;YACjB,oEAAoE;YACpE,oEAAoE;YACpE,wCAAwC;YACxC,YAAY,EAAE,wBAAwB;YACtC,qEAAqE;YACrE,sEAAsE;YACtE,6CAA6C;YAC7C,2BAA2B,EAAE,IAAI;YACjC,qBAAqB,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE;gBAC7C,qEAAqE;gBACrE,6EAA6E;gBAC7E,MAAM,cAAc,GAAG,CACrB,OAAO,CAAC,GAAG,CAAC,kBAAkB;oBAC9B,OAAO,CAAC,GAAG,CAAC,aAAa;oBACzB,EAAE,CACH,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrB,MAAM,SAAS,GAAG,cAAc;oBAC9B,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,iBAAiB,EAAE,KAAK,cAAc,IAAI,CAAC;oBACzD,CAAC,CAAC,GAAG,CAAC;gBACR,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,uBAAuB,CAAC;oBACtD,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,SAAS;iBACV,CAAC,CAAC;gBACH,MAAM,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3D,CAAC;SACF;QACD,eAAe;QACf,OAAO,EAAE;YACP,sEAAsE;YACtE,yEAAyE;YACzE,wEAAwE;YACxE,sEAAsE;YACtE,mEAAmE;YACnE,2BAA2B;YAC3B,cAAc,EAAE;gBACd,OAAO,EAAE,IAAI;gBACb,gBAAgB,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;aACvC;SACF;QACD,aAAa,EAAE;YACb,IAAI,EAAE;gBACJ,MAAM,EAAE;oBACN,KAAK,EAAE,KAAK,EACV,IAIC;oBACD,kEAAkE;oBAClE,6DAA6D;oBAC7D,8DAA8D;oBAC9D,iDAAiD;oBACjD,OAGQ,EACR,EAAE;wBACF,gEAAgE;wBAChE,+DAA+D;wBAC/D,8DAA8D;wBAC9D,sDAAsD;wBACtD,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC;wBAC1B,IAAI,CAAC,KAAK;4BAAE,OAAO;wBACnB,6DAA6D;wBAC7D,8DAA8D;wBAC9D,+CAA+C;wBAC/C,IAAI,WAA+C,CAAC;wBACpD,IAAI,CAAC;4BACH,MAAM,YAAY,GAChB,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC;gCAC/B,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC;gCACxC,IAAI,CAAC;4BACP,WAAW,GAAG,iCAAiC,CAAC,YAAY,CAAC,CAAC;wBAChE,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,OAAO,CAAC,KAAK,CAAC,4CAA4C,EAAE,GAAG,CAAC,CAAC;4BACjE,WAAW,GAAG,SAAS,CAAC;wBAC1B,CAAC;wBACD,MAAM,gBAAgB,CAAC;4BACrB,YAAY,EAAE,aAAa;4BAC3B,UAAU,EAAE,IAAI,CAAC,EAAE;4BACnB,KAAK;4BACL,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,WAAW;yBACZ,CAAC,CAAC;wBACH,IAAI,CAAC;4BACH,MAAM,gCAAgC,CAAC,KAAK,CAAC,CAAC;wBAChD,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,+DAA+D;4BAC/D,OAAO,CAAC,KAAK,CACX,kDAAkD,EAClD,GAAG,CACJ,CAAC;wBACJ,CAAC;wBACD,IAAI,CAAC;4BACH,2DAA2D;4BAC3D,yDAAyD;4BACzD,wDAAwD;4BACxD,0DAA0D;4BAC1D,MAAM,0BAA0B,CAAC,KAAK,CAAC,CAAC;wBAC1C,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,OAAO,CAAC,KAAK,CACX,iDAAiD,EACjD,GAAG,CACJ,CAAC;wBACJ,CAAC;oBACH,CAAC;iBACF;aACF;YACD,OAAO,EAAE;gBACP,+DAA+D;gBAC/D,iEAAiE;gBACjE,kEAAkE;gBAClE,oDAAoD;gBACpD,EAAE;gBACF,+DAA+D;gBAC/D,+DAA+D;gBAC/D,+DAA+D;gBAC/D,gDAAgD;gBAChD,MAAM,EAAE;oBACN,KAAK,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;wBAC5B,IAAI,CAAC,+BAA+B;4BAAE,OAAO;wBAC7C,MAAM,gCAAgC,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;4BAC5D,OAAO,CAAC,KAAK,CACX,wEAAwE,EACxE,GAAG,CACJ,CAAC;wBACJ,CAAC,CAAC,CAAC;oBACL,CAAC;iBACF;gBACD,MAAM,EAAE;oBACN,KAAK,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;wBAC5B,IAAI,CAAC,+BAA+B;4BAAE,OAAO;wBAC7C,MAAM,gCAAgC,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;4BAC5D,OAAO,CAAC,KAAK,CACX,wEAAwE,EACxE,GAAG,CACJ,CAAC;wBACJ,CAAC,CAAC,CAAC;oBACL,CAAC;iBACF;aACF;SACF;QACD,OAAO,EAAE;YACP,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,UAAU;YACxC,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,gBAAgB;YACzC,WAAW,EAAE;gBACX,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,cAAc;aAC/B;SACF;QACD,QAAQ,EAAE;YACR,YAAY,EAAE,eAAe,CAAC,sBAAsB;YACpD,oEAAoE;YACpE,qEAAqE;YACrE,qEAAqE;YACrE,mCAAmC;YACnC,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;gBAC/B,CAAC,CAAC;oBACE,uBAAuB,EAAE;wBACvB,QAAQ,EAAE,MAAe;wBACzB,MAAM,EAAE,IAAI;wBACZ,WAAW,EAAE,IAAI;qBAClB;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;YACP,qEAAqE;YACrE,iEAAiE;YACjE,qEAAqE;YACrE,oEAAoE;YACpE,GAAG,CAAC,eAAe,CAAC,sBAAsB;gBACxC,CAAC,CAAC;oBACE,qBAAqB,EAAE;wBACrB,OAAO,EAAE,IAAI;wBACb,MAAM,EAAE,eAAe,CAAC,sBAAsB;qBAC/C;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;SACR;QACD,OAAO,EAAE;YACP,kEAAkE;YAClE,GAAG,CAAC;gBACF,GAAG,EAAE;oBACH,MAAM,EAAE,MAAM;oBACd,cAAc,EAAE,KAAK;iBACtB;aACF,CAAC;YACF,+CAA+C;YAC/C,MAAM,EAAE;YACR,GAAG,CAAC,MAAM,EAAE,OAAO,IAAI,EAAE,CAAC;SAC3B;KACF,CAAC,CAAC;IAEH,OAAO,IAAqC,CAAC;AAC/C,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,OAAe;IAEf,IAAI,OAAO,KAAK,UAAU,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,cAAc,EAAE,CAAC;QAC7B,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAE7D,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,iBAAiB,EAAE,CAAC;YAC9C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;YAC1C,MAAM,EAAE,GAAG,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;YACrD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;YACxE,OAAO,cAAc,CAAC,EAAE,EAAE;gBACxB,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,YAAY;aACrB,CAAC,CAAC;QACL,CAAC;QAED,yEAAyE;QACzE,wEAAwE;QACxE,sEAAsE;QACtE,IAAI,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;YACtE,qEAAqE;YACrE,mEAAmE;YACnE,8DAA8D;YAC9D,+DAA+D;YAC/D,EAAE;YACF,kEAAkE;YAClE,kEAAkE;YAClE,iEAAiE;YACjE,mEAAmE;YACnE,sEAAsE;YACtE,mEAAmE;YACnE,MAAM,QAAQ,GAAG,mBAAmB,EAAE,CAAC;YACvC,IAAI,QAAQ,EAAE,CAAC;gBACZ,UAA8C,CAAC,iBAAiB;oBAC/D,IAAI,CAAC;YACT,CAAC;YACD,aAAa,GAAG,IAAI,IAAI,CAAC;gBACvB,gBAAgB,EAAE,GAAG;gBACrB,GAAG,EAAE,WAAW,EAAE;gBAClB,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpC,CAAC,CAAC;YACH,yBAAyB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;YACzD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;YAChE,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;YAC5D,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;YACxE,OAAO,cAAc,CAAC,EAAE,EAAE;gBACxB,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,YAAY;aACrB,CAAC,CAAC;QACL,CAAC;QAED,iEAAiE;QACjE,0EAA0E;QAC1E,0EAA0E;QAC1E,0EAA0E;QAC1E,mDAAmD;QACnD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QACvD,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAC5D,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;QAClD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;QACxE,OAAO,cAAc,CAAC,EAAE,EAAE;YACxB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,YAAY;SACrB,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,MAAM,GAAG,GAAG,cAAc,CAAC,oBAAoB,CAAC,CAAC;IAEjD,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,kCAAkC;QAClC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC7D,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QACpC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;QAC/D,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;QACzD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;QACxE,OAAO,cAAc,CAAC,EAAE,EAAE;YACxB,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,gBAAgB;SACzB,CAAC,CAAC;IACL,CAAC;IAED,wEAAwE;IACxE,2DAA2D;IAC3D,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,oBAAoB,EAAE,EAAE,CAAC,CAAC;IACxE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;IAC3D,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;IACzD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IACxE,OAAO,cAAc,CAAC,EAAE,EAAE;QACxB,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,gBAAgB;KACzB,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\r\n * Internal Better Auth instance — lazily created, not exported to templates.\r\n *\r\n * Templates interact with auth via the existing `getSession()`, `autoMountAuth()`,\r\n * `createAuthPlugin()`, and `createGoogleAuthPlugin()` APIs. Better Auth is an\r\n * implementation detail behind those interfaces.\r\n */\r\n\r\nimport crypto from \"node:crypto\";\r\nimport fs from \"node:fs\";\r\nimport path from \"node:path\";\r\n\r\nimport { betterAuth, type BetterAuthOptions } from \"better-auth\";\r\nimport { bearer } from \"better-auth/plugins/bearer\";\r\nimport { jwt } from \"better-auth/plugins/jwt\";\r\nimport {\r\n pgTable,\r\n text as pgText,\r\n timestamp as pgTimestamp,\r\n boolean as pgBoolean,\r\n} from \"drizzle-orm/pg-core\";\r\nimport {\r\n sqliteTable,\r\n text as sqliteText,\r\n integer as sqliteInteger,\r\n} from \"drizzle-orm/sqlite-core\";\r\n\r\nimport { TEMPLATES } from \"../cli/templates-meta.js\";\r\nimport { getDbExec, isPostgres } from \"../db/client.js\";\r\nimport {\r\n getDialect,\r\n getDatabaseUrl,\r\n getDatabaseAuthToken,\r\n closePgliteClients,\r\n getPgliteClient,\r\n isPgliteUrl,\r\n loadPgliteDrizzle,\r\n pgPoolOptions,\r\n neonPoolMax,\r\n attachNeonPoolErrorLogger,\r\n} from \"../db/client.js\";\r\nimport { ensureTableExists } from \"../db/ddl-guard.js\";\r\nimport { saveOAuthTokens } from \"../oauth-tokens/store.js\";\r\nimport { acceptPendingInvitationsForEmail } from \"../org/accept-pending.js\";\r\nimport { autoJoinDomainMatchingOrgs } from \"../org/auto-join-domain.js\";\r\nimport { flushTracking, identify, track } from \"../tracking/index.js\";\r\nimport { getAppProductionUrl } from \"./app-url.js\";\r\nimport { signupAttributionFromCookieHeader } from \"./attribution.js\";\r\nimport { resolveAuthCookieNamespace } from \"./cookie-namespace.js\";\r\nimport { getWorkspaceA2ADerivedSecret } from \"./derived-secret.js\";\r\nimport { isCloudflareRuntime } from \"../shared/runtime.js\";\r\nimport {\r\n renderResetPasswordEmail,\r\n renderVerifySignupEmail,\r\n} from \"./email-templates.js\";\r\nimport { sendEmail, isEmailConfigured } from \"./email.js\";\r\nimport { resolveGoogleSignInCredentials } from \"./google-oauth-credentials.js\";\r\n\r\nasync function flushSignupTracking(): Promise<void> {\r\n try {\r\n await Promise.race([\r\n flushTracking(),\r\n new Promise<void>((resolve) => setTimeout(resolve, 1500)),\r\n ]);\r\n } catch {\r\n // Signup should never fail because analytics delivery did.\r\n }\r\n}\r\n\r\nexport async function hasBetterAuthUserEmail(email: string): Promise<boolean> {\r\n const adapter = await getBetterAuthInternalAdapter().catch(() => undefined);\r\n if (!adapter) return false;\r\n const existing = await adapter\r\n .findUserByEmail(email, { includeAccounts: false })\r\n .catch(() => null);\r\n return !!existing?.user?.email;\r\n}\r\n\r\nexport async function trackSignupEvent({\r\n authProvider,\r\n authUserId,\r\n email,\r\n name,\r\n attribution,\r\n}: {\r\n authProvider: string;\r\n authUserId?: string;\r\n email: string;\r\n name?: string | null;\r\n /**\r\n * First-touch referral attribution derived from the visitor's `an_ft`\r\n * cookie (see `server/attribution.ts`). Snake_case keys such as\r\n * `referral_source`, `referrer_user`, and the UTM passthrough are merged\r\n * into the `signup` event so we can measure where new users came from.\r\n * `undefined` values are dropped; a missing object is a clean no-op.\r\n */\r\n attribution?: Record<string, string | undefined>;\r\n}): Promise<void> {\r\n identify(email, {\r\n email,\r\n name: name ?? undefined,\r\n authUserId,\r\n });\r\n const cleanAttribution: Record<string, string> = {};\r\n if (attribution) {\r\n for (const [key, value] of Object.entries(attribution)) {\r\n if (typeof value === \"string\" && value.length > 0) {\r\n cleanAttribution[key] = value;\r\n }\r\n }\r\n }\r\n track(\r\n \"signup\",\r\n {\r\n ...resolveSignupTrackingProperties(),\r\n auth_provider: authProvider,\r\n ...(authUserId ? { auth_user_id: authUserId } : {}),\r\n ...cleanAttribution,\r\n },\r\n { userId: email },\r\n );\r\n await flushSignupTracking();\r\n}\r\n\r\n// ---------------------------------------------------------------------------\r\n// Persistent auth secret\r\n// ---------------------------------------------------------------------------\r\n\r\nlet inMemoryDevAuthSecret: string | undefined;\r\n\r\n/**\r\n * Resolve the Better Auth signing secret.\r\n *\r\n * Resolution order:\r\n * 1. `BETTER_AUTH_SECRET` env var — explicit, recommended for prod.\r\n * 2. Hosted workspace deploys can derive a per-purpose secret from the\r\n * already-required `A2A_SECRET` root. This keeps fresh workspace branches\r\n * bootable without reusing the raw A2A key as a cookie-signing key.\r\n * 3. Existing `.env.local` values in the template cwd — read-only\r\n * compatibility for projects that already configured this secret.\r\n * 4. Generate a per-process in-memory random 32-byte hex in development.\r\n *\r\n * Why this matters: before this helper existed, missing `BETTER_AUTH_SECRET`\r\n * fell through to `GOOGLE_CLIENT_SECRET` / `ACCESS_TOKEN` / a hardcoded\r\n * string. If a template happened to have none of those, each dev-server\r\n * boot would re-fall back to the hardcoded value (still stable) — but\r\n * rotating Google credentials, toggling `ACCESS_TOKEN`, or churning the\r\n * fallback chain would invalidate every signed cookie and force everyone\r\n * to sign in again. We still read explicit env configuration, but never\r\n * auto-write a generated secret into env files.\r\n */\r\nfunction resolveAuthSecret(): string {\r\n if (process.env.BETTER_AUTH_SECRET) return process.env.BETTER_AUTH_SECRET;\r\n const workspaceDerivedSecret = getWorkspaceA2ADerivedSecret(\"better-auth\");\r\n if (workspaceDerivedSecret) return workspaceDerivedSecret;\r\n\r\n // In production, beyond the workspace A2A-derived fallback above, never\r\n // auto-generate or use legacy fallbacks. A generated secret invalidates every\r\n // signed session cookie on the next cold start (serverless filesystems\r\n // aren't persistent), and the legacy hardcoded fallback is identical across\r\n // every deploy that hits it — both are serious enough to fail the boot loudly\r\n // so the deployer notices.\r\n if (process.env.NODE_ENV === \"production\") {\r\n const sample = crypto.randomBytes(32).toString(\"hex\");\r\n throw new Error(\r\n \"[agent-native] BETTER_AUTH_SECRET is not set. This is required in production \" +\r\n \"so signed session cookies stay valid across deploys. Set it as a deploy \" +\r\n \"environment variable (any 32-byte hex string), e.g.:\\n\\n\" +\r\n ` BETTER_AUTH_SECRET=${sample}\\n\\n` +\r\n \"Generate your own with `openssl rand -hex 32`. If you already have a \" +\r\n \"running deploy and need to preserve existing sessions, set it to your \" +\r\n \"previously-deployed BETTER_AUTH_SECRET value first, then rotate to a \" +\r\n \"fresh one. Hosted workspace deploys may also \" +\r\n \"set A2A_SECRET; agent-native derives a per-purpose Better Auth secret \" +\r\n \"from that workspace root secret.\",\r\n );\r\n }\r\n\r\n // SECURITY (audit 09 LOW-2): the previous fallback chain\r\n // (`GOOGLE_CLIENT_SECRET || ACCESS_TOKEN || hardcoded`) reused\r\n // cross-purpose secrets and a public hardcoded literal as the cookie\r\n // HMAC. Dropped entirely — better to mint an ephemeral secret than to\r\n // re-use a Google client secret or a known string.\r\n const existing = readEnvLocalSecret(\r\n path.resolve(process.cwd(), \".env.local\"),\r\n );\r\n if (existing) return existing;\r\n\r\n if (!inMemoryDevAuthSecret) {\r\n inMemoryDevAuthSecret = crypto.randomBytes(32).toString(\"hex\");\r\n console.warn(\r\n \"[agent-native] BETTER_AUTH_SECRET is not configured. Using an ephemeral \" +\r\n \"in-memory development secret. Sessions will reset every time this \" +\r\n \"process restarts. Set BETTER_AUTH_SECRET in your environment to keep \" +\r\n \"sessions valid across restarts.\",\r\n );\r\n }\r\n return inMemoryDevAuthSecret;\r\n}\r\n\r\nfunction readEnvLocalSecret(envLocalPath: string): string | undefined {\r\n try {\r\n const content = fs.readFileSync(envLocalPath, \"utf8\");\r\n // Match `BETTER_AUTH_SECRET=...` on its own line. Tolerate optional\r\n // quotes and leading `export `. Stop at the first newline or quote.\r\n const m = content.match(\r\n /^(?:export\\s+)?BETTER_AUTH_SECRET\\s*=\\s*\"?([^\"\\r\\n]+)\"?\\s*$/m,\r\n );\r\n return m?.[1]?.trim() || undefined;\r\n } catch {\r\n return undefined;\r\n }\r\n}\r\n\r\nfunction normalizeTrackingSlug(value: string | undefined): string | undefined {\r\n const trimmed = value?.trim();\r\n if (!trimmed) return undefined;\r\n const unscoped = trimmed.startsWith(\"@\")\r\n ? (trimmed.split(\"/\").pop() ?? trimmed)\r\n : trimmed;\r\n const slug = unscoped\r\n .toLowerCase()\r\n .replace(/[^a-z0-9]+/g, \"-\")\r\n .replace(/^-+|-+$/g, \"\");\r\n return slug || undefined;\r\n}\r\n\r\nfunction knownTemplateSlug(value: string | undefined): string | undefined {\r\n const slug = normalizeTrackingSlug(value);\r\n if (!slug) return undefined;\r\n const withoutPrefix = slug.startsWith(\"agent-native-\")\r\n ? slug.slice(\"agent-native-\".length)\r\n : slug;\r\n return TEMPLATES.some((template) => template.name === withoutPrefix)\r\n ? withoutPrefix\r\n : undefined;\r\n}\r\n\r\nfunction readPackageName(): string | undefined {\r\n try {\r\n const pkgPath = path.join(process.cwd(), \"package.json\");\r\n const pkg = JSON.parse(fs.readFileSync(pkgPath, \"utf8\")) as {\r\n name?: string;\r\n };\r\n return pkg.name;\r\n } catch {\r\n return undefined;\r\n }\r\n}\r\n\r\nfunction appSlugFromUrl(value: string | undefined): string | undefined {\r\n if (!value?.trim()) return undefined;\r\n try {\r\n const raw = /^[a-z][a-z0-9+.-]*:\\/\\//i.test(value)\r\n ? value\r\n : `https://${value}`;\r\n const hostname = new URL(raw).hostname.toLowerCase();\r\n if (hostname.endsWith(\".jami.studio\")) {\r\n return normalizeTrackingSlug(\r\n hostname.slice(0, -\".jami.studio\".length),\r\n );\r\n }\r\n return normalizeTrackingSlug(hostname.split(\".\")[0]);\r\n } catch {\r\n return undefined;\r\n }\r\n}\r\n\r\n/** @internal */\r\nexport function resolveSignupTrackingIdentity(): {\r\n app?: string;\r\n template?: string;\r\n} {\r\n const explicitApp =\r\n normalizeTrackingSlug(process.env.AGENT_NATIVE_APP) ||\r\n normalizeTrackingSlug(process.env.VITE_AGENT_NATIVE_APP);\r\n const packageApp =\r\n normalizeTrackingSlug(process.env.npm_package_name) ||\r\n normalizeTrackingSlug(readPackageName());\r\n const urlApp =\r\n appSlugFromUrl(process.env.APP_URL) ||\r\n appSlugFromUrl(process.env.BETTER_AUTH_URL) ||\r\n appSlugFromUrl(process.env.URL) ||\r\n appSlugFromUrl(process.env.DEPLOY_URL) ||\r\n appSlugFromUrl(process.env.VERCEL_PROJECT_PRODUCTION_URL) ||\r\n appSlugFromUrl(process.env.VERCEL_URL);\r\n const app =\r\n explicitApp ||\r\n urlApp ||\r\n packageApp ||\r\n normalizeTrackingSlug(process.env.APP_NAME);\r\n\r\n const template =\r\n knownTemplateSlug(process.env.AGENT_NATIVE_TEMPLATE) ||\r\n knownTemplateSlug(process.env.VITE_AGENT_NATIVE_TEMPLATE) ||\r\n knownTemplateSlug(process.env.APP_TEMPLATE) ||\r\n knownTemplateSlug(process.env.VITE_APP_TEMPLATE) ||\r\n knownTemplateSlug(app) ||\r\n knownTemplateSlug(packageApp) ||\r\n knownTemplateSlug(urlApp);\r\n\r\n return {\r\n ...(app ? { app } : {}),\r\n ...(template ? { template } : {}),\r\n };\r\n}\r\n\r\n/** @internal */\r\nexport function resolveSignupTrackingProperties(): Record<string, string> {\r\n const identity = resolveSignupTrackingIdentity();\r\n return {\r\n ...identity,\r\n ...(identity.app ? { agent_native_app: identity.app } : {}),\r\n ...(identity.template ? { agent_native_template: identity.template } : {}),\r\n };\r\n}\r\n\r\nexport function shouldSkipEmailVerification(): boolean {\r\n const value = process.env.AUTH_SKIP_EMAIL_VERIFICATION;\r\n if (value == null) {\r\n return (\r\n process.env.NODE_ENV === \"development\" || process.env.NODE_ENV === \"test\"\r\n );\r\n }\r\n const normalized = value.trim().toLowerCase();\r\n return normalized !== \"\" && normalized !== \"0\" && normalized !== \"false\";\r\n}\r\n\r\n/** Read-only accessor for the resolved auth secret. */\r\nexport function getAuthSecret(): string {\r\n return resolveAuthSecret();\r\n}\r\n\r\n// ---------------------------------------------------------------------------\r\n// Types\r\n// ---------------------------------------------------------------------------\r\n\r\n/** The shape we need from a Better Auth instance (internal — not exported to templates). */\r\nexport interface BetterAuthInstance {\r\n handler: (request: Request) => Promise<Response>;\r\n api: {\r\n getSession: (opts: { headers: Headers }) => Promise<{\r\n user: { id: string; email: string; name: string };\r\n session: {\r\n id: string;\r\n token: string;\r\n expiresAt: Date;\r\n };\r\n } | null>;\r\n signInEmail: (opts: {\r\n body: { email: string; password: string };\r\n }) => Promise<{ token?: string; user?: any } | null>;\r\n signUpEmail: (opts: {\r\n body: {\r\n email: string;\r\n password: string;\r\n name: string;\r\n callbackURL?: string;\r\n };\r\n headers?: Headers;\r\n }) => Promise<any>;\r\n signOut: (opts: { headers: Headers }) => Promise<any>;\r\n };\r\n}\r\n\r\nexport interface BetterAuthConfig {\r\n /** Base path for Better Auth routes. Default: \"/_agent-native/auth/ba\" */\r\n basePath?: string;\r\n /** Additional social providers beyond what env vars auto-detect */\r\n socialProviders?: BetterAuthOptions[\"socialProviders\"];\r\n /** Additional Better Auth plugins */\r\n plugins?: BetterAuthOptions[\"plugins\"];\r\n /**\r\n * Additional Google OAuth scopes (Gmail, Calendar, etc.) to request\r\n * up front during the primary \"Sign in with Google\" flow, beyond the\r\n * default identity scopes (`openid`, `email`, `profile`).\r\n *\r\n * When set, the Google social provider also opts into:\r\n * - `accessType: \"offline\"` — so a refresh token is issued\r\n * - `prompt: \"consent\"` — so the refresh token is reissued every sign-in\r\n *\r\n * Tokens are mirrored into `oauth_tokens` via a databaseHooks.account\r\n * hook so existing template code that reads from `oauth_tokens` (mail's\r\n * Gmail client, calendar's events fetcher) works without any separate\r\n * \"Connect Google\" page.\r\n */\r\n googleScopes?: string[];\r\n}\r\n\r\n// ---------------------------------------------------------------------------\r\n// Lazy instance\r\n// ---------------------------------------------------------------------------\r\n\r\nlet _auth: BetterAuthInstance | undefined;\r\nlet _initPromise: Promise<BetterAuthInstance> | undefined;\r\n// Track the Neon serverless Pool we open for Better Auth so closeBetterAuth()\r\n// can release it. The Pool keeps WebSocket connections open; leaking them on\r\n// hot-reload or process restart exhausts Neon's connection slot budget.\r\nlet _neonAuthPool: any;\r\n\r\nconst pgAuthSchema = {\r\n user: pgTable(\"user\", {\r\n id: pgText(\"id\").primaryKey(),\r\n name: pgText(\"name\").notNull(),\r\n email: pgText(\"email\").notNull().unique(),\r\n emailVerified: pgBoolean(\"email_verified\").notNull().default(false),\r\n image: pgText(\"image\"),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n }),\r\n session: pgTable(\"session\", {\r\n id: pgText(\"id\").primaryKey(),\r\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }).notNull(),\r\n token: pgText(\"token\").notNull().unique(),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n ipAddress: pgText(\"ip_address\"),\r\n userAgent: pgText(\"user_agent\"),\r\n userId: pgText(\"user_id\").notNull(),\r\n activeOrganizationId: pgText(\"active_organization_id\"),\r\n }),\r\n account: pgTable(\"account\", {\r\n id: pgText(\"id\").primaryKey(),\r\n accountId: pgText(\"account_id\").notNull(),\r\n providerId: pgText(\"provider_id\").notNull(),\r\n userId: pgText(\"user_id\").notNull(),\r\n accessToken: pgText(\"access_token\"),\r\n refreshToken: pgText(\"refresh_token\"),\r\n idToken: pgText(\"id_token\"),\r\n accessTokenExpiresAt: pgTimestamp(\"access_token_expires_at\", {\r\n withTimezone: true,\r\n }),\r\n refreshTokenExpiresAt: pgTimestamp(\"refresh_token_expires_at\", {\r\n withTimezone: true,\r\n }),\r\n scope: pgText(\"scope\"),\r\n password: pgText(\"password\"),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n }),\r\n verification: pgTable(\"verification\", {\r\n id: pgText(\"id\").primaryKey(),\r\n identifier: pgText(\"identifier\").notNull(),\r\n value: pgText(\"value\").notNull(),\r\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }).notNull(),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n }),\r\n organization: pgTable(\"organization\", {\r\n id: pgText(\"id\").primaryKey(),\r\n name: pgText(\"name\").notNull(),\r\n slug: pgText(\"slug\").notNull().unique(),\r\n logo: pgText(\"logo\"),\r\n metadata: pgText(\"metadata\"),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n }),\r\n member: pgTable(\"member\", {\r\n id: pgText(\"id\").primaryKey(),\r\n organizationId: pgText(\"organization_id\").notNull(),\r\n userId: pgText(\"user_id\").notNull(),\r\n role: pgText(\"role\").notNull().default(\"member\"),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n }),\r\n invitation: pgTable(\"invitation\", {\r\n id: pgText(\"id\").primaryKey(),\r\n organizationId: pgText(\"organization_id\").notNull(),\r\n email: pgText(\"email\").notNull(),\r\n role: pgText(\"role\"),\r\n status: pgText(\"status\").notNull().default(\"pending\"),\r\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }).notNull(),\r\n inviterId: pgText(\"inviter_id\").notNull(),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\r\n }),\r\n jwks: pgTable(\"jwks\", {\r\n id: pgText(\"id\").primaryKey(),\r\n publicKey: pgText(\"public_key\").notNull(),\r\n privateKey: pgText(\"private_key\").notNull(),\r\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\r\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }),\r\n }),\r\n};\r\n\r\nconst sqliteAuthSchema = {\r\n user: sqliteTable(\"user\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n name: sqliteText(\"name\").notNull(),\r\n email: sqliteText(\"email\").notNull().unique(),\r\n emailVerified: sqliteInteger(\"email_verified\", { mode: \"boolean\" })\r\n .notNull()\r\n .default(false),\r\n image: sqliteText(\"image\"),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n }),\r\n session: sqliteTable(\"session\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n token: sqliteText(\"token\").notNull().unique(),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n ipAddress: sqliteText(\"ip_address\"),\r\n userAgent: sqliteText(\"user_agent\"),\r\n userId: sqliteText(\"user_id\").notNull(),\r\n activeOrganizationId: sqliteText(\"active_organization_id\"),\r\n }),\r\n account: sqliteTable(\"account\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n accountId: sqliteText(\"account_id\").notNull(),\r\n providerId: sqliteText(\"provider_id\").notNull(),\r\n userId: sqliteText(\"user_id\").notNull(),\r\n accessToken: sqliteText(\"access_token\"),\r\n refreshToken: sqliteText(\"refresh_token\"),\r\n idToken: sqliteText(\"id_token\"),\r\n accessTokenExpiresAt: sqliteInteger(\"access_token_expires_at\", {\r\n mode: \"timestamp_ms\",\r\n }),\r\n refreshTokenExpiresAt: sqliteInteger(\"refresh_token_expires_at\", {\r\n mode: \"timestamp_ms\",\r\n }),\r\n scope: sqliteText(\"scope\"),\r\n password: sqliteText(\"password\"),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n }),\r\n verification: sqliteTable(\"verification\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n identifier: sqliteText(\"identifier\").notNull(),\r\n value: sqliteText(\"value\").notNull(),\r\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n }),\r\n organization: sqliteTable(\"organization\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n name: sqliteText(\"name\").notNull(),\r\n slug: sqliteText(\"slug\").notNull().unique(),\r\n logo: sqliteText(\"logo\"),\r\n metadata: sqliteText(\"metadata\"),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n }),\r\n member: sqliteTable(\"member\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n organizationId: sqliteText(\"organization_id\").notNull(),\r\n userId: sqliteText(\"user_id\").notNull(),\r\n role: sqliteText(\"role\").notNull().default(\"member\"),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n }),\r\n invitation: sqliteTable(\"invitation\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n organizationId: sqliteText(\"organization_id\").notNull(),\r\n email: sqliteText(\"email\").notNull(),\r\n role: sqliteText(\"role\"),\r\n status: sqliteText(\"status\").notNull().default(\"pending\"),\r\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n inviterId: sqliteText(\"inviter_id\").notNull(),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n }),\r\n jwks: sqliteTable(\"jwks\", {\r\n id: sqliteText(\"id\").primaryKey(),\r\n publicKey: sqliteText(\"public_key\").notNull(),\r\n privateKey: sqliteText(\"private_key\").notNull(),\r\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\r\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }),\r\n }),\r\n};\r\n\r\n/**\r\n * Mirror a Better Auth `account` row for Google into the `oauth_tokens`\r\n * table that template code (mail's Gmail client, calendar's events fetcher)\r\n * reads from. Called from the `databaseHooks.account.create.after` and\r\n * `.update.after` hooks so tokens captured during the primary \"Sign in\r\n * with Google\" flow flow straight to the apps that need them — no\r\n * separate \"Connect Google\" page required.\r\n *\r\n * Resolves `account.userId` to the user's email by querying the `user`\r\n * table (Better Auth always quotes \"user\" because it's a reserved word\r\n * in Postgres; SQLite accepts the quotes too).\r\n *\r\n * The hook is fire-and-forget from the caller's perspective — every\r\n * failure is caught upstream so a flake in `oauth_tokens` never blocks\r\n * sign-in. We still no-op on missing fields here as a defense in depth.\r\n */\r\nasync function mirrorGoogleAccountToOAuthTokens(account: {\r\n providerId?: string;\r\n userId?: string;\r\n accountId?: string;\r\n accessToken?: string | null;\r\n refreshToken?: string | null;\r\n accessTokenExpiresAt?: Date | string | number | null;\r\n scope?: string | null;\r\n idToken?: string | null;\r\n}): Promise<void> {\r\n if (!account || account.providerId !== \"google\") return;\r\n if (!account.userId) return;\r\n\r\n const accessToken = account.accessToken ?? undefined;\r\n if (!accessToken) {\r\n // Better Auth sometimes upserts an account row before tokens are\r\n // attached (e.g. linking flows). Nothing to mirror yet — the next\r\n // update hook will run once the access token lands.\r\n return;\r\n }\r\n\r\n // Resolve user email from userId.\r\n const db = getDbExec();\r\n let email: string | undefined;\r\n try {\r\n const { rows } = await db.execute({\r\n sql: 'SELECT email FROM \"user\" WHERE id = ?',\r\n args: [account.userId],\r\n });\r\n email = (rows[0]?.email as string | undefined) ?? undefined;\r\n } catch (err) {\r\n console.error(\r\n \"[auth] mirror Google tokens: failed to resolve user email from userId\",\r\n err,\r\n );\r\n return;\r\n }\r\n if (!email) return;\r\n\r\n // Normalise expiry to epoch ms (Google's \"expiry_date\" convention used\r\n // throughout the templates).\r\n let expiryDate: number | undefined;\r\n const raw = account.accessTokenExpiresAt;\r\n if (raw instanceof Date) {\r\n expiryDate = raw.getTime();\r\n } else if (typeof raw === \"number\") {\r\n expiryDate = raw;\r\n } else if (typeof raw === \"string\") {\r\n const ms = Date.parse(raw);\r\n expiryDate = Number.isFinite(ms) ? ms : undefined;\r\n }\r\n\r\n const tokens: Record<string, unknown> = {\r\n access_token: accessToken,\r\n token_type: \"Bearer\",\r\n };\r\n if (account.refreshToken) tokens.refresh_token = account.refreshToken;\r\n if (expiryDate) tokens.expiry_date = expiryDate;\r\n if (account.scope) tokens.scope = account.scope;\r\n if (account.idToken) tokens.id_token = account.idToken;\r\n\r\n await saveOAuthTokens(\"google\", email, tokens, email);\r\n}\r\n\r\nasync function ensureBetterAuthTables(): Promise<void> {\r\n const db = getDbExec();\r\n\r\n // PG guard: probe information_schema first (no lock) for each table; run\r\n // DDL only when missing, bounded by a transaction-scoped lock_timeout.\r\n // Probe names are UNQUOTED (what information_schema.tables.table_name stores);\r\n // createSql keeps the QUOTED \"user\"/\"session\"/… form required by Postgres.\r\n if (isPostgres()) {\r\n const pgTables: Array<[name: string, createSql: string]> = [\r\n [\r\n \"user\",\r\n `CREATE TABLE IF NOT EXISTS \"user\" (id TEXT PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE, email_verified BOOLEAN NOT NULL DEFAULT FALSE, image TEXT, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\r\n ],\r\n [\r\n \"session\",\r\n `CREATE TABLE IF NOT EXISTS \"session\" (id TEXT PRIMARY KEY, expires_at TIMESTAMPTZ NOT NULL, token TEXT NOT NULL UNIQUE, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL, ip_address TEXT, user_agent TEXT, user_id TEXT NOT NULL, active_organization_id TEXT)`,\r\n ],\r\n [\r\n \"account\",\r\n `CREATE TABLE IF NOT EXISTS \"account\" (id TEXT PRIMARY KEY, account_id TEXT NOT NULL, provider_id TEXT NOT NULL, user_id TEXT NOT NULL, access_token TEXT, refresh_token TEXT, id_token TEXT, access_token_expires_at TIMESTAMPTZ, refresh_token_expires_at TIMESTAMPTZ, scope TEXT, password TEXT, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\r\n ],\r\n [\r\n \"verification\",\r\n `CREATE TABLE IF NOT EXISTS \"verification\" (id TEXT PRIMARY KEY, identifier TEXT NOT NULL, value TEXT NOT NULL, expires_at TIMESTAMPTZ NOT NULL, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\r\n ],\r\n [\r\n \"organization\",\r\n `CREATE TABLE IF NOT EXISTS \"organization\" (id TEXT PRIMARY KEY, name TEXT NOT NULL, slug TEXT NOT NULL UNIQUE, logo TEXT, metadata TEXT, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\r\n ],\r\n [\r\n \"member\",\r\n `CREATE TABLE IF NOT EXISTS \"member\" (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, user_id TEXT NOT NULL, role TEXT NOT NULL DEFAULT 'member', created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\r\n ],\r\n [\r\n \"invitation\",\r\n `CREATE TABLE IF NOT EXISTS \"invitation\" (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, email TEXT NOT NULL, role TEXT, status TEXT NOT NULL DEFAULT 'pending', expires_at TIMESTAMPTZ NOT NULL, inviter_id TEXT NOT NULL, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\r\n ],\r\n [\r\n \"jwks\",\r\n `CREATE TABLE IF NOT EXISTS \"jwks\" (id TEXT PRIMARY KEY, public_key TEXT NOT NULL, private_key TEXT NOT NULL, created_at TIMESTAMPTZ NOT NULL, expires_at TIMESTAMPTZ)`,\r\n ],\r\n ];\r\n for (const [name, sql] of pgTables) await ensureTableExists(name, sql);\r\n return;\r\n }\r\n\r\n // SQLite (local dev): no lock problem — keep the original behaviour.\r\n const sqliteStatements = [\r\n `CREATE TABLE IF NOT EXISTS user (id TEXT PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE, email_verified INTEGER NOT NULL DEFAULT 0, image TEXT, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\r\n `CREATE TABLE IF NOT EXISTS session (id TEXT PRIMARY KEY, expires_at INTEGER NOT NULL, token TEXT NOT NULL UNIQUE, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL, ip_address TEXT, user_agent TEXT, user_id TEXT NOT NULL, active_organization_id TEXT)`,\r\n `CREATE TABLE IF NOT EXISTS account (id TEXT PRIMARY KEY, account_id TEXT NOT NULL, provider_id TEXT NOT NULL, user_id TEXT NOT NULL, access_token TEXT, refresh_token TEXT, id_token TEXT, access_token_expires_at INTEGER, refresh_token_expires_at INTEGER, scope TEXT, password TEXT, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\r\n `CREATE TABLE IF NOT EXISTS verification (id TEXT PRIMARY KEY, identifier TEXT NOT NULL, value TEXT NOT NULL, expires_at INTEGER NOT NULL, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\r\n `CREATE TABLE IF NOT EXISTS organization (id TEXT PRIMARY KEY, name TEXT NOT NULL, slug TEXT NOT NULL UNIQUE, logo TEXT, metadata TEXT, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\r\n `CREATE TABLE IF NOT EXISTS member (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, user_id TEXT NOT NULL, role TEXT NOT NULL DEFAULT 'member', created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\r\n `CREATE TABLE IF NOT EXISTS invitation (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, email TEXT NOT NULL, role TEXT, status TEXT NOT NULL DEFAULT 'pending', expires_at INTEGER NOT NULL, inviter_id TEXT NOT NULL, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\r\n `CREATE TABLE IF NOT EXISTS jwks (id TEXT PRIMARY KEY, public_key TEXT NOT NULL, private_key TEXT NOT NULL, created_at INTEGER NOT NULL, expires_at INTEGER)`,\r\n ];\r\n for (const sql of sqliteStatements) await db.execute(sql);\r\n}\r\n\r\n/**\r\n * Get or create the Better Auth instance.\r\n * Lazily initialized on first call — the database must be reachable by then.\r\n */\r\nexport async function getBetterAuth(\r\n config?: BetterAuthConfig,\r\n): Promise<BetterAuthInstance> {\r\n if (_auth) return _auth;\r\n if (_initPromise) return _initPromise;\r\n\r\n _initPromise = createBetterAuthInstance(config);\r\n _auth = await _initPromise;\r\n return _auth;\r\n}\r\n\r\n/**\r\n * Synchronous getter — returns the instance if already initialized, else undefined.\r\n * Use this in hot paths where you know init has already happened.\r\n */\r\nexport function getBetterAuthSync(): BetterAuthInstance | undefined {\r\n return _auth;\r\n}\r\n\r\n/**\r\n * The subset of Better Auth's internal adapter we use for federated-SSO\r\n * JIT account linking. Better Auth owns these writes (id + timestamp +\r\n * schema handling), so callers never hand-roll SQL against `user`/`account`.\r\n * Read-only lookups + strictly-additive `linkAccount`/`createUser` only — no\r\n * update/delete of existing identity rows.\r\n */\r\nexport interface BetterAuthInternalAdapter {\r\n findUserByEmail: (\r\n email: string,\r\n options?: { includeAccounts: boolean },\r\n ) => Promise<{\r\n user: { id: string; email: string; name?: string };\r\n accounts: Array<{ providerId: string; accountId: string }>;\r\n } | null>;\r\n linkAccount: (account: {\r\n userId: string;\r\n providerId: string;\r\n accountId: string;\r\n }) => Promise<unknown>;\r\n createUser: (user: {\r\n email: string;\r\n name: string;\r\n emailVerified?: boolean;\r\n }) => Promise<{ id: string }>;\r\n}\r\n\r\n/**\r\n * Resolve Better Auth's internal adapter via the live instance's\r\n * `$context`. The framework's narrowed `BetterAuthInstance` interface omits\r\n * `$context`, but the underlying object created by `betterAuth(...)` always\r\n * exposes it (see Better Auth's `Auth` type) — so this is a safe, typed\r\n * accessor for the federated-SSO client. Returns `undefined` if the context\r\n * shape is unexpected (older/newer Better Auth) so callers can fall back.\r\n */\r\nexport async function getBetterAuthInternalAdapter(\r\n config?: BetterAuthConfig,\r\n): Promise<BetterAuthInternalAdapter | undefined> {\r\n const auth = (await getBetterAuth(config)) as unknown as {\r\n $context?: Promise<{ internalAdapter?: BetterAuthInternalAdapter }>;\r\n };\r\n try {\r\n const ctx = await auth.$context;\r\n const ia = ctx?.internalAdapter;\r\n if (\r\n ia &&\r\n typeof ia.findUserByEmail === \"function\" &&\r\n typeof ia.linkAccount === \"function\" &&\r\n typeof ia.createUser === \"function\"\r\n ) {\r\n return ia;\r\n }\r\n } catch {\r\n // Context resolution failed — caller falls back to the signup path.\r\n }\r\n return undefined;\r\n}\r\n\r\n/** Reset for testing */\r\nexport async function resetBetterAuth(): Promise<void> {\r\n _auth = undefined;\r\n _initPromise = undefined;\r\n if (_neonAuthPool) {\r\n try {\r\n await _neonAuthPool.end();\r\n } catch {\r\n // Pool may have already closed (process exiting, etc.) — don't block reset.\r\n }\r\n _neonAuthPool = undefined;\r\n }\r\n await closePgliteClients();\r\n}\r\n\r\n// ---------------------------------------------------------------------------\r\n// Instance creation\r\n// ---------------------------------------------------------------------------\r\n\r\nasync function createBetterAuthInstance(\r\n config?: BetterAuthConfig,\r\n): Promise<BetterAuthInstance> {\r\n const dialect = getDialect();\r\n const basePath = config?.basePath ?? \"/_agent-native/auth/ba\";\r\n await ensureBetterAuthTables();\r\n\r\n // Build social providers from env vars\r\n const socialProviders: BetterAuthOptions[\"socialProviders\"] = {\r\n ...config?.socialProviders,\r\n };\r\n\r\n const extraScopes = config?.googleScopes ?? [];\r\n const googleCredentials =\r\n extraScopes.length > 0\r\n ? process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET\r\n ? {\r\n clientId: process.env.GOOGLE_CLIENT_ID,\r\n clientSecret: process.env.GOOGLE_CLIENT_SECRET,\r\n }\r\n : null\r\n : resolveGoogleSignInCredentials();\r\n if (googleCredentials) {\r\n // When the template requests broader scopes (Gmail, Calendar, etc.)\r\n // ask for them on the primary sign-in flow so a separate \"Connect\r\n // Google\" round-trip isn't needed. `accessType: \"offline\"` plus\r\n // `prompt: \"consent\"` ensures we always receive a refresh token back —\r\n // Google only re-issues a refresh token on consent, so re-signing in\r\n // (e.g. after switching machines) would otherwise leave us with an\r\n // access token that can't be refreshed.\r\n const baseScopes = [\"openid\", \"email\", \"profile\"];\r\n const mergedScopes = Array.from(new Set([...baseScopes, ...extraScopes]));\r\n socialProviders.google = {\r\n clientId: googleCredentials.clientId,\r\n clientSecret: googleCredentials.clientSecret,\r\n ...(extraScopes.length > 0\r\n ? {\r\n scope: mergedScopes,\r\n accessType: \"offline\" as const,\r\n prompt: \"consent\" as const,\r\n }\r\n : {}),\r\n };\r\n }\r\n\r\n if (process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET) {\r\n socialProviders.github = {\r\n clientId: process.env.GITHUB_CLIENT_ID,\r\n clientSecret: process.env.GITHUB_CLIENT_SECRET,\r\n };\r\n }\r\n\r\n // Build database config\r\n const database = await buildDatabaseConfig(dialect);\r\n\r\n const secret = resolveAuthSecret();\r\n\r\n const appUrl = getAppProductionUrl();\r\n const cookieNamespace = resolveAuthCookieNamespace();\r\n const requireEmailVerification =\r\n (await isEmailConfigured()) && !shouldSkipEmailVerification();\r\n\r\n const shouldMirrorGoogleAccountTokens =\r\n (config?.googleScopes?.length ?? 0) > 0;\r\n\r\n const auth = betterAuth({\r\n basePath,\r\n baseURL: appUrl,\r\n database,\r\n secret,\r\n emailAndPassword: {\r\n enabled: true,\r\n minPasswordLength: 8,\r\n // Only require email verification when an email provider is configured.\r\n // Without a provider, verification emails can't be sent, so requiring\r\n // verification would lock users out of signup entirely. Local dev/test\r\n // skip verification by default so +qa accounts can be created quickly;\r\n // hosted QA deployments can opt out with AUTH_SKIP_EMAIL_VERIFICATION=1.\r\n requireEmailVerification,\r\n sendResetPassword: async ({ user, token }) => {\r\n // APP_BASE_PATH lets this app mount under a prefix (e.g. /mail). The\r\n // reset link must include that prefix so the page resolves correctly.\r\n const appBasePath = (\r\n process.env.VITE_APP_BASE_PATH ||\r\n process.env.APP_BASE_PATH ||\r\n \"\"\r\n ).replace(/\\/$/, \"\");\r\n const resetUrl = `${appUrl}${appBasePath}/_agent-native/auth/reset?token=${encodeURIComponent(token)}`;\r\n const { subject, html, text } = renderResetPasswordEmail({\r\n email: user.email,\r\n resetUrl,\r\n });\r\n await sendEmail({ to: user.email, subject, html, text });\r\n },\r\n },\r\n emailVerification: {\r\n // Fire verification email right after signup, before the user has a\r\n // session — pairs with requireEmailVerification above. Only enabled\r\n // when an email provider is configured.\r\n sendOnSignUp: requireEmailVerification,\r\n // Auto-create a session once the user clicks the link. Without this,\r\n // verified users would have to go back and sign in manually, which is\r\n // a confusing dead-end on the verify screen.\r\n autoSignInAfterVerification: true,\r\n sendVerificationEmail: async ({ user, url }) => {\r\n // APP_BASE_PATH lets this app mount under a prefix (e.g. /mail). The\r\n // verification link must include that prefix so the page resolves correctly.\r\n const verifyBasePath = (\r\n process.env.VITE_APP_BASE_PATH ||\r\n process.env.APP_BASE_PATH ||\r\n \"\"\r\n ).replace(/\\/$/, \"\");\r\n const verifyUrl = verifyBasePath\r\n ? url.replace(/(\\/\\/[^/]+)(\\/)/, `$1${verifyBasePath}$2`)\r\n : url;\r\n const { subject, html, text } = renderVerifySignupEmail({\r\n email: user.email,\r\n verifyUrl,\r\n });\r\n await sendEmail({ to: user.email, subject, html, text });\r\n },\r\n },\r\n socialProviders,\r\n account: {\r\n // Merge accounts when a user signs in with a social provider using an\r\n // email that already has a local email/password account (or vice versa).\r\n // Only providers listed in `trustedProviders` auto-link — these are the\r\n // ones that verify emails at the identity layer. Never add a provider\r\n // here that lets users claim an unverified email; that would be an\r\n // account-takeover vector.\r\n accountLinking: {\r\n enabled: true,\r\n trustedProviders: [\"google\", \"github\"],\r\n },\r\n },\r\n databaseHooks: {\r\n user: {\r\n create: {\r\n after: async (\r\n user: {\r\n id?: string;\r\n email?: string;\r\n name?: string | null;\r\n },\r\n // Better Auth (1.6.x) passes the endpoint context as the 2nd arg.\r\n // It carries the originating request's headers (and on OAuth\r\n // signups the callback request's headers), which is where the\r\n // browser's `an_ft` first-touch cookie rides in.\r\n context?: {\r\n headers?: Headers | null;\r\n request?: { headers?: Headers | null } | null;\r\n } | null,\r\n ) => {\r\n // When a newly-created user's email has pending org invitations\r\n // (common when someone is invited *before* they've signed up),\r\n // auto-accept them so the user lands in the org on their very\r\n // first page load instead of a blank-slate workspace.\r\n const email = user?.email;\r\n if (!email) return;\r\n // Derive first-touch referral attribution from the request's\r\n // cookie header. Never let attribution parsing throw or block\r\n // signup — on any error fall back to `direct`.\r\n let attribution: Record<string, string> | undefined;\r\n try {\r\n const cookieHeader =\r\n context?.headers?.get(\"cookie\") ??\r\n context?.request?.headers?.get(\"cookie\") ??\r\n null;\r\n attribution = signupAttributionFromCookieHeader(cookieHeader);\r\n } catch (err) {\r\n console.error(\"[auth] failed to derive signup attribution\", err);\r\n attribution = undefined;\r\n }\r\n await trackSignupEvent({\r\n authProvider: \"better-auth\",\r\n authUserId: user.id,\r\n email,\r\n name: user.name,\r\n attribution,\r\n });\r\n try {\r\n await acceptPendingInvitationsForEmail(email);\r\n } catch (err) {\r\n // Never block signup on invite bookkeeping — log and continue.\r\n console.error(\r\n \"[auth] failed to auto-accept pending invitations\",\r\n err,\r\n );\r\n }\r\n try {\r\n // Auto-join orgs whose `allowed_domain` matches this email\r\n // domain. Lets a fresh `@builder.io` (or any org-domain)\r\n // signup land inside the company org on first page load\r\n // without going through the picker. No-ops when no match.\r\n await autoJoinDomainMatchingOrgs(email);\r\n } catch (err) {\r\n console.error(\r\n \"[auth] failed to auto-join domain-matching orgs\",\r\n err,\r\n );\r\n }\r\n },\r\n },\r\n },\r\n account: {\r\n // Mirror Google account tokens into `oauth_tokens` so existing\r\n // template code (mail's Gmail client, calendar's events fetcher)\r\n // can pick up Gmail/Calendar credentials from the primary sign-in\r\n // flow — no separate \"Set up Google\" page required.\r\n //\r\n // Better Auth fires `create` for first-time social sign-in and\r\n // `update` whenever a session re-issues tokens (e.g., the user\r\n // re-signs in to refresh the token). Both branches do the same\r\n // mirroring work; failures never block sign-in.\r\n create: {\r\n after: async (account: any) => {\r\n if (!shouldMirrorGoogleAccountTokens) return;\r\n await mirrorGoogleAccountToOAuthTokens(account).catch((err) => {\r\n console.error(\r\n \"[auth] failed to mirror Google account tokens to oauth_tokens (create)\",\r\n err,\r\n );\r\n });\r\n },\r\n },\r\n update: {\r\n after: async (account: any) => {\r\n if (!shouldMirrorGoogleAccountTokens) return;\r\n await mirrorGoogleAccountToOAuthTokens(account).catch((err) => {\r\n console.error(\r\n \"[auth] failed to mirror Google account tokens to oauth_tokens (update)\",\r\n err,\r\n );\r\n });\r\n },\r\n },\r\n },\r\n },\r\n session: {\r\n expiresIn: 60 * 60 * 24 * 30, // 30 days\r\n updateAge: 60 * 60 * 24, // refresh daily\r\n cookieCache: {\r\n enabled: true,\r\n maxAge: 5 * 60, // 5 min cache\r\n },\r\n },\r\n advanced: {\r\n cookiePrefix: cookieNamespace.betterAuthCookiePrefix,\r\n // Emit `SameSite=None; Secure` when the app is served over HTTPS so\r\n // session cookies are delivered inside third-party iframes (e.g. the\r\n // Builder.io editor). Plain-HTTP dev keeps the default (Lax) because\r\n // `SameSite=None` requires Secure.\r\n ...(appUrl.startsWith(\"https://\")\r\n ? {\r\n defaultCookieAttributes: {\r\n sameSite: \"none\" as const,\r\n secure: true,\r\n partitioned: true,\r\n },\r\n }\r\n : {}),\r\n // When an effective shared cookie domain is set, share Better Auth's\r\n // session cookie across that domain. First-party `*.jami.studio`\r\n // apps intentionally do not use this path because their auth DBs are\r\n // separate; Dispatch identity federation handles cross-app sign-in.\r\n ...(cookieNamespace.betterAuthCookieDomain\r\n ? {\r\n crossSubDomainCookies: {\r\n enabled: true,\r\n domain: cookieNamespace.betterAuthCookieDomain,\r\n },\r\n }\r\n : {}),\r\n },\r\n plugins: [\r\n // JWT: issue tokens for A2A calls, JWKS endpoint for verification\r\n jwt({\r\n jwt: {\r\n issuer: appUrl,\r\n expirationTime: \"15m\",\r\n },\r\n }),\r\n // Bearer: accept Bearer tokens on API requests\r\n bearer(),\r\n ...(config?.plugins ?? []),\r\n ],\r\n });\r\n\r\n return auth as unknown as BetterAuthInstance;\r\n}\r\n\r\nasync function buildDatabaseConfig(\r\n dialect: string,\r\n): Promise<BetterAuthOptions[\"database\"]> {\r\n if (dialect === \"postgres\") {\r\n const url = getDatabaseUrl();\r\n const { isNeonUrl } = await import(\"../db/create-get-db.js\");\r\n\r\n if (isPgliteUrl(url)) {\r\n const { drizzle } = await loadPgliteDrizzle();\r\n const client = await getPgliteClient(url);\r\n const db = drizzle({ client, schema: pgAuthSchema });\r\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\r\n return drizzleAdapter(db, {\r\n provider: \"pg\",\r\n schema: pgAuthSchema,\r\n });\r\n }\r\n\r\n // Neon via @neondatabase/serverless (WebSockets over HTTPS). postgres-js\r\n // opens a raw TCP connection on port 5432 which frequently times out on\r\n // Netlify Functions / Vercel / CF Workers when Neon's pooler is cold.\r\n if (isNeonUrl(url)) {\r\n const { Pool, neonConfig } = await import(\"@neondatabase/serverless\");\r\n // Cap the auth pool the same way as the app pool. Better Auth runs a\r\n // session lookup on essentially every authenticated request, so an\r\n // un-capped pool here is a primary contributor to \"Max client\r\n // connections reached\" across concurrent serverless instances.\r\n //\r\n // Cloudflare Workers (workerd) forbids reusing I/O objects across\r\n // requests — a pooled WebSocket client created by one request and\r\n // handed to a later one hangs the worker (\"Cannot perform I/O on\r\n // behalf of a different request\"). Route plain queries over Neon's\r\n // stateless HTTP transport and cap WebSocket clients to a single use,\r\n // mirroring the app pools in db/client.ts and db/create-get-db.ts.\r\n const cfWorker = isCloudflareRuntime();\r\n if (cfWorker) {\r\n (neonConfig as { poolQueryViaFetch?: boolean }).poolQueryViaFetch =\r\n true;\r\n }\r\n _neonAuthPool = new Pool({\r\n connectionString: url,\r\n max: neonPoolMax(),\r\n ...(cfWorker ? { maxUses: 1 } : {}),\r\n });\r\n attachNeonPoolErrorLogger(_neonAuthPool, \"db/neon-auth\");\r\n const { drizzle } = await import(\"drizzle-orm/neon-serverless\");\r\n const db = drizzle(_neonAuthPool, { schema: pgAuthSchema });\r\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\r\n return drizzleAdapter(db, {\r\n provider: \"pg\",\r\n schema: pgAuthSchema,\r\n });\r\n }\r\n\r\n // Non-Neon Postgres (Supabase, self-hosted, etc.) → postgres-js.\r\n // pgPoolOptions caps this pool to a small size on serverless. Better Auth\r\n // runs a session lookup on essentially every authenticated request, so an\r\n // un-capped pool here is a primary contributor to \"Max client connections\r\n // reached\" across concurrent serverless instances.\r\n const { default: postgres } = await import(\"postgres\");\r\n const sql = postgres(url, pgPoolOptions(url));\r\n const { drizzle } = await import(\"drizzle-orm/postgres-js\");\r\n const db = drizzle(sql, { schema: pgAuthSchema });\r\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\r\n return drizzleAdapter(db, {\r\n provider: \"pg\",\r\n schema: pgAuthSchema,\r\n });\r\n }\r\n\r\n // SQLite / libsql\r\n const url = getDatabaseUrl(\"file:./data/app.db\");\r\n\r\n if (url.startsWith(\"file:\") || !url.includes(\"://\")) {\r\n // Local SQLite via better-sqlite3\r\n const { default: Database } = await import(\"better-sqlite3\");\r\n const filePath = url.replace(/^file:/, \"\");\r\n const sqlite = new Database(filePath);\r\n sqlite.pragma(\"journal_mode = WAL\");\r\n const { drizzle } = await import(\"drizzle-orm/better-sqlite3\");\r\n const db = drizzle(sqlite, { schema: sqliteAuthSchema });\r\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\r\n return drizzleAdapter(db, {\r\n provider: \"sqlite\",\r\n schema: sqliteAuthSchema,\r\n });\r\n }\r\n\r\n // Remote libsql (Turso). Use the web client to avoid serverless bundles\r\n // depending on libsql's platform-specific native packages.\r\n const { createClient } = await import(\"@libsql/client/web\");\r\n const client = createClient({ url, authToken: getDatabaseAuthToken() });\r\n const { drizzle } = await import(\"drizzle-orm/libsql/web\");\r\n const db = drizzle(client, { schema: sqliteAuthSchema });\r\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\r\n return drizzleAdapter(db, {\r\n provider: \"sqlite\",\r\n schema: sqliteAuthSchema,\r\n });\r\n}\r\n"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@jami-studio/core",
3
- "version": "0.92.19",
3
+ "version": "0.92.20",
4
4
  "description": "Framework for agent-native application development — where AI agents and UI share SQL state, actions, and context",
5
5
  "homepage": "https://github.com/studio-jami/jami-studio#readme",
6
6
  "bugs": {