@lastshotlabs/bunshot 0.0.25 → 0.0.27

package/dist/adapters/localStorage.js

@@ -1,10 +1,25 @@
 import { unlink } from "node:fs/promises";
-import { join } from "node:path";
+import { resolve, sep, dirname } from "node:path";
+import { HttpError } from "../lib/HttpError";
+function resolveKey(directory, key) {
+    if (!key || !key.trim())
+        throw new HttpError(400, "Invalid storage key");
+    const normalized = key.replace(/\\/g, "/");
+    if (normalized.startsWith("/") || /^[a-zA-Z]:/.test(normalized) || normalized.startsWith("//")) {
+        throw new HttpError(400, "Invalid storage key");
+    }
+    const root = resolve(directory);
+    const candidate = resolve(root, normalized);
+    if (candidate === root || !candidate.startsWith(root + sep)) {
+        throw new HttpError(400, "Invalid storage key");
+    }
+    return candidate;
+}
 export const localStorage = (config) => ({
     async put(key, data, _meta) {
-        const filePath = join(config.directory, key);
+        const filePath = resolveKey(config.directory, key);
         // Ensure parent directory exists
-        const dir = filePath.substring(0, filePath.lastIndexOf("/"));
+        const dir = dirname(filePath);
         if (dir) {
             const { mkdir } = await import("node:fs/promises");
             await mkdir(dir, { recursive: true });
@@ -24,7 +39,7 @@ export const localStorage = (config) => ({
         return { ...(url !== undefined ? { url } : {}) };
     },
     async get(key) {
-        const filePath = join(config.directory, key);
+        const filePath = resolveKey(config.directory, key);
         const file = Bun.file(filePath);
         const exists = await file.exists();
         if (!exists)
@@ -33,7 +48,7 @@ export const localStorage = (config) => ({
         return { stream, size: file.size };
     },
     async delete(key) {
-        const filePath = join(config.directory, key);
+        const filePath = resolveKey(config.directory, key);
         try {
             await unlink(filePath);
         }

package/dist/adapters/memoryAuth.d.ts

@@ -12,6 +12,8 @@ export declare const memoryEvictOldestSession: (userId: string) => void;
 export declare const memoryUpdateSessionLastActive: (sessionId: string) => void;
 export declare const memoryGetSessionFingerprint: (sessionId: string) => string | null;
 export declare const memorySetSessionFingerprint: (sessionId: string, fingerprint: string) => void;
+export declare const memoryGetMfaVerifiedAt: (sessionId: string) => number | null;
+export declare const memorySetMfaVerifiedAt: (sessionId: string, ts: number) => void;
 export declare const memorySetRefreshToken: (sessionId: string, refreshToken: string) => void;
 import type { RefreshResult } from "../lib/session";
 export declare const memoryGetSessionByRefreshToken: (refreshToken: string) => RefreshResult | null;
@@ -31,6 +33,10 @@ export declare const memoryGetVerificationToken: (token: string) => {
     email: string;
 } | null;
 export declare const memoryDeleteVerificationToken: (token: string) => void;
+export declare const memoryConsumeVerificationToken: (token: string) => {
+    userId: string;
+    email: string;
+} | null;
 export declare const memoryCreateResetToken: (token: string, userId: string, email: string, ttlSeconds: number) => void;
 export declare const memoryConsumeResetToken: (hash: string) => {
     userId: string;

package/dist/adapters/memoryAuth.js

@@ -7,6 +7,7 @@ import { clearPresenceStore } from "../lib/wsPresence";
 import { clearWsMessageMemoryStore } from "../lib/wsMessages";
 import { clearHeartbeatState } from "../lib/wsHeartbeat";
 import { clearMemoryUploadStore } from "./memoryStorage";
+import { clearUploadRegistry } from "../lib/uploadRegistry";
 const _users = new Map();
 const _byEmail = new Map();
 const _sessions = new Map(); // sessionId → session
@@ -21,6 +22,7 @@ const _oauthCodes = new Map();
 const _tenantRoles = new Map(); // "userId:tenantId" → roles
 const _groups = new Map(); // groupId → GroupRecord
 const _groupMemberships = new Map();
+const _m2mClients = new Map();
 /** Reset all in-memory state. Useful for test isolation. */
 export const clearMemoryStore = () => {
     _users.clear();
@@ -37,6 +39,7 @@ export const clearMemoryStore = () => {
     _verificationTokens.clear();
     _resetTokens.clear();
     _cancelTokens.clear();
+    _m2mClients.clear();
     clearMemoryRateLimitStore();
     clearMemoryMfaChallenges();
     clearAuditLogMemoryStore();
@@ -44,6 +47,7 @@ export const clearMemoryStore = () => {
     clearWsMessageMemoryStore();
     clearHeartbeatState();
     clearMemoryUploadStore();
+    clearUploadRegistry();
 };
 // ---------------------------------------------------------------------------
 // Auth adapter
@@ -63,7 +67,7 @@ export const memoryAuthAdapter = {
         if (_byEmail.has(normalised))
             throw new HttpError(409, "Email already registered");
         const id = crypto.randomUUID();
-        const user = { id, email: normalised, passwordHash, providerIds: [], roles: [], emailVerified: false, mfaSecret: null, mfaEnabled: false, recoveryCodes: [], mfaMethods: [], webauthnCredentials: [] };
+        const user = { id, email: normalised, passwordHash, providerIds: [], roles: [], emailVerified: false, mfaSecret: null, mfaEnabled: false, recoveryCodes: [], mfaMethods: [], webauthnCredentials: [], suspended: false };
         _users.set(id, user);
         _byEmail.set(normalised, id);
         return { id };
@@ -89,7 +93,7 @@ export const memoryAuthAdapter = {
         }
         const id = crypto.randomUUID();
         const email = profile.email ? profile.email.toLowerCase() : null;
-        const user = { id, email, passwordHash: null, providerIds: [key], roles: [], emailVerified: false, mfaSecret: null, mfaEnabled: false, recoveryCodes: [], mfaMethods: [], webauthnCredentials: [] };
+        const user = { id, email, passwordHash: null, providerIds: [key], roles: [], emailVerified: false, mfaSecret: null, mfaEnabled: false, recoveryCodes: [], mfaMethods: [], webauthnCredentials: [], suspended: false };
         _users.set(id, user);
         if (email)
             _byEmail.set(email, id);
@@ -133,6 +137,12 @@ export const memoryAuthAdapter = {
             email: user.email ?? undefined,
             providerIds: [...user.providerIds],
             emailVerified: user.emailVerified,
+            displayName: user.displayName,
+            firstName: user.firstName,
+            lastName: user.lastName,
+            externalId: user.externalId,
+            suspended: user.suspended,
+            suspendedReason: user.suspendedReason,
         };
     },
     async unlinkProvider(userId, provider) {
@@ -258,6 +268,68 @@ export const memoryAuthAdapter = {
             _tenantRoles.set(key, current.filter((r) => r !== role));
         }
     },
+    async setSuspended(userId, suspended, reason) {
+        const user = _users.get(userId);
+        if (!user)
+            return;
+        user.suspended = suspended;
+        if (suspended) {
+            user.suspendedAt = new Date();
+            user.suspendedReason = reason;
+        }
+        else {
+            user.suspendedAt = undefined;
+            user.suspendedReason = undefined;
+        }
+    },
+    async getSuspended(userId) {
+        const user = _users.get(userId);
+        if (!user)
+            return null;
+        return { suspended: user.suspended, suspendedReason: user.suspendedReason };
+    },
+    async updateProfile(userId, fields) {
+        const user = _users.get(userId);
+        if (!user)
+            return;
+        if ("displayName" in fields)
+            user.displayName = fields.displayName;
+        if ("firstName" in fields)
+            user.firstName = fields.firstName;
+        if ("lastName" in fields)
+            user.lastName = fields.lastName;
+        if ("externalId" in fields)
+            user.externalId = fields.externalId;
+    },
+    async listUsers(query) {
+        let users = [..._users.values()];
+        if (query.email !== undefined)
+            users = users.filter((u) => u.email === query.email);
+        if (query.externalId !== undefined)
+            users = users.filter((u) => u.externalId === query.externalId);
+        if (query.suspended !== undefined)
+            users = users.filter((u) => u.suspended === query.suspended);
+        const totalResults = users.length;
+        const startIndex = query.startIndex ?? 0;
+        const count = query.count ?? 100;
+        const page = users.slice(startIndex, startIndex + count);
+        return {
+            users: page.map((u) => ({
+                id: u.id,
+                email: u.email ?? undefined,
+                displayName: u.displayName,
+                firstName: u.firstName,
+                lastName: u.lastName,
+                externalId: u.externalId,
+                suspended: u.suspended,
+                suspendedAt: u.suspendedAt,
+                suspendedReason: u.suspendedReason,
+                emailVerified: u.emailVerified,
+                providerIds: [...u.providerIds],
+            })),
+            totalResults,
+        };
+    },
     // ---------------------------------------------------------------------------
     // Groups
     // ---------------------------------------------------------------------------
@@ -358,6 +430,32 @@ export const memoryAuthAdapter = {
         ]);
         return [...new Set([...direct, ...groupRoles])];
     },
+    // ---------------------------------------------------------------------------
+    // M2M client credentials
+    // ---------------------------------------------------------------------------
+    async getM2MClient(clientId) {
+        for (const c of _m2mClients.values()) {
+            if (c.clientId === clientId && c.active)
+                return { ...c };
+        }
+        return null;
+    },
+    async createM2MClient(data) {
+        const id = crypto.randomUUID();
+        _m2mClients.set(id, { id, ...data, active: true });
+        return { id };
+    },
+    async deleteM2MClient(clientId) {
+        for (const [key, c] of _m2mClients.entries()) {
+            if (c.clientId === clientId) {
+                _m2mClients.delete(key);
+                return;
+            }
+        }
+    },
+    async listM2MClients() {
+        return Array.from(_m2mClients.values()).map(({ clientSecretHash: _, ...rest }) => rest);
+    },
 };
 // ---------------------------------------------------------------------------
 // Session helpers (used by src/lib/session.ts)
@@ -473,6 +571,14 @@ export const memorySetSessionFingerprint = (sessionId, fingerprint) => {
     if (entry)
         entry.fingerprint = fingerprint;
 };
+export const memoryGetMfaVerifiedAt = (sessionId) => {
+    return _sessions.get(sessionId)?.mfaVerifiedAt ?? null;
+};
+export const memorySetMfaVerifiedAt = (sessionId, ts) => {
+    const entry = _sessions.get(sessionId);
+    if (entry)
+        entry.mfaVerifiedAt = ts;
+};
 export const memorySetRefreshToken = (sessionId, refreshToken) => {
     const entry = _sessions.get(sessionId);
     if (!entry)
@@ -579,6 +685,15 @@ export const memoryGetVerificationToken = (token) => {
 export const memoryDeleteVerificationToken = (token) => {
     _verificationTokens.delete(token);
 };
+export const memoryConsumeVerificationToken = (token) => {
+    const entry = _verificationTokens.get(token);
+    if (!entry || entry.expiresAt <= Date.now()) {
+        _verificationTokens.delete(token);
+        return null;
+    }
+    _verificationTokens.delete(token);
+    return { userId: entry.userId, email: entry.email };
+};
 // ---------------------------------------------------------------------------
 // Password reset token helpers (used by src/lib/resetPassword.ts)
 // ---------------------------------------------------------------------------

package/dist/adapters/mongoAuth.js

@@ -2,6 +2,7 @@ import { AuthUser } from "../models/AuthUser";
 import { TenantRole } from "../models/TenantRole";
 import { Group } from "../models/Group";
 import { GroupMembership } from "../models/GroupMembership";
+import { M2MClient } from "../models/M2MClient";
 import { HttpError } from "../lib/HttpError";
 export const mongoAuthAdapter = {
     async findByEmail(email) {
@@ -64,13 +65,19 @@ export const mongoAuthAdapter = {
         await AuthUser.findByIdAndUpdate(userId, { $pull: { roles: role } });
     },
     async getUser(userId) {
-        const user = await AuthUser.findById(userId, "email providerIds emailVerified").lean();
+        const user = await AuthUser.findById(userId, "email providerIds emailVerified displayName firstName lastName externalId suspended suspendedReason").lean();
         if (!user)
             return null;
         return {
             email: user.email,
             providerIds: user.providerIds,
             emailVerified: user.emailVerified ?? false,
+            displayName: user.displayName ?? undefined,
+            firstName: user.firstName ?? undefined,
+            lastName: user.lastName ?? undefined,
+            externalId: user.externalId ?? undefined,
+            suspended: user.suspended ?? false,
+            suspendedReason: user.suspendedReason ?? undefined,
         };
     },
     async unlinkProvider(userId, provider) {
@@ -186,6 +193,62 @@ export const mongoAuthAdapter = {
     async removeTenantRole(userId, tenantId, role) {
         await TenantRole.findOneAndUpdate({ userId, tenantId }, { $pull: { roles: role } });
     },
+    async setSuspended(userId, suspended, reason) {
+        const update = { suspended };
+        if (suspended) {
+            update.suspendedAt = new Date();
+            update.suspendedReason = reason ?? null;
+        }
+        else {
+            update.suspendedAt = null;
+            update.suspendedReason = null;
+        }
+        await AuthUser.updateOne({ _id: userId }, { $set: update });
+    },
+    async getSuspended(userId) {
+        const user = await AuthUser.findById(userId, { suspended: 1, suspendedReason: 1 }).lean();
+        if (!user)
+            return null;
+        return { suspended: user.suspended ?? false, suspendedReason: user.suspendedReason ?? undefined };
+    },
+    async updateProfile(userId, fields) {
+        await AuthUser.updateOne({ _id: userId }, { $set: fields });
+    },
+    async listUsers(query) {
+        const filter = {};
+        if (query.email !== undefined)
+            filter.email = query.email;
+        if (query.externalId !== undefined)
+            filter.externalId = query.externalId;
+        if (query.suspended !== undefined)
+            filter.suspended = query.suspended;
+        const startIndex = query.startIndex ?? 0;
+        const count = query.count ?? 100;
+        const [users, totalResults] = await Promise.all([
+            AuthUser.find(filter, {
+                _id: 1, email: 1, displayName: 1, firstName: 1, lastName: 1,
+                externalId: 1, suspended: 1, suspendedAt: 1, suspendedReason: 1,
+                emailVerified: 1, providerIds: 1,
+            }).skip(startIndex).limit(count).lean(),
+            AuthUser.countDocuments(filter),
+        ]);
+        return {
+            users: users.map((u) => ({
+                id: String(u._id),
+                email: u.email ?? undefined,
+                displayName: u.displayName ?? undefined,
+                firstName: u.firstName ?? undefined,
+                lastName: u.lastName ?? undefined,
+                externalId: u.externalId ?? undefined,
+                suspended: u.suspended ?? false,
+                suspendedAt: u.suspendedAt ?? undefined,
+                suspendedReason: u.suspendedReason ?? undefined,
+                emailVerified: u.emailVerified ?? undefined,
+                providerIds: u.providerIds ?? undefined,
+            })),
+            totalResults,
+        };
+    },
     // ---------------------------------------------------------------------------
     // Groups
     // ---------------------------------------------------------------------------
@@ -292,6 +355,39 @@ export const mongoAuthAdapter = {
         ]);
         return [...new Set([...direct, ...groupRoles])];
     },
+    // ---------------------------------------------------------------------------
+    // M2M client credentials
+    // ---------------------------------------------------------------------------
+    async getM2MClient(clientId) {
+        const client = await M2MClient.findOne({ clientId, active: true }).lean();
+        if (!client)
+            return null;
+        return {
+            id: String(client._id),
+            clientId: client.clientId,
+            name: client.name,
+            scopes: client.scopes,
+            active: client.active,
+            clientSecretHash: client.clientSecretHash,
+        };
+    },
+    async createM2MClient(data) {
+        const client = await M2MClient.create(data);
+        return { id: String(client._id) };
+    },
+    async deleteM2MClient(clientId) {
+        await M2MClient.deleteOne({ clientId });
+    },
+    async listM2MClients() {
+        const clients = await M2MClient.find({}).lean();
+        return clients.map((c) => ({
+            id: String(c._id),
+            clientId: c.clientId,
+            name: c.name,
+            scopes: c.scopes,
+            active: c.active,
+        }));
+    },
 };
 function mongoGroupToRecord(doc) {
     return {

package/dist/adapters/sqliteAuth.d.ts

@@ -17,6 +17,8 @@ export declare const sqliteGetSessionByRefreshToken: (refreshToken: string) => R
 export declare const sqliteRotateRefreshToken: (sessionId: string, newRefreshToken: string, newAccessToken: string) => void;
 export declare const sqliteGetSessionFingerprint: (sessionId: string) => string | null;
 export declare const sqliteSetSessionFingerprint: (sessionId: string, fingerprint: string) => void;
+export declare const sqliteGetMfaVerifiedAt: (sessionId: string) => number | null;
+export declare const sqliteSetMfaVerifiedAt: (sessionId: string, ts: number) => void;
 export declare const sqliteStoreOAuthState: (state: string, codeVerifier?: string, linkUserId?: string) => void;
 export declare const sqliteConsumeOAuthState: (state: string) => {
     codeVerifier?: string;
@@ -33,6 +35,10 @@ export declare const sqliteGetVerificationToken: (token: string) => {
     email: string;
 } | null;
 export declare const sqliteDeleteVerificationToken: (token: string) => void;
+export declare const sqliteConsumeVerificationToken: (token: string) => {
+    userId: string;
+    email: string;
+} | null;
 export declare const sqliteCreateResetToken: (token: string, userId: string, email: string, ttlSeconds: number) => void;
 export declare const sqliteConsumeResetToken: (hash: string) => {
     userId: string;
@@ -47,3 +53,20 @@ import type { OAuthCodePayload } from "../lib/oauthCode";
 export declare const sqliteStoreOAuthCode: (hash: string, payload: OAuthCodePayload, ttlSeconds: number) => void;
 export declare const sqliteConsumeOAuthCode: (hash: string) => OAuthCodePayload | null;
 export declare const startSqliteCleanup: (intervalMs?: number) => ReturnType<typeof setInterval>;
+export declare const sqliteRegisterUpload: (record: {
+    key: string;
+    ownerUserId?: string;
+    tenantId?: string;
+    mimeType?: string;
+    bucket?: string;
+    createdAt: number;
+}) => void;
+export declare const sqliteGetUploadRecord: (key: string) => {
+    key: string;
+    ownerUserId?: string;
+    tenantId?: string;
+    mimeType?: string;
+    bucket?: string;
+    createdAt: number;
+} | null;
+export declare const sqliteDeleteUploadRecord: (key: string) => boolean;

package/dist/adapters/sqliteAuth.js

@@ -25,13 +25,35 @@ function initSchema(db) {
     passwordHash  TEXT,
     providerIds   TEXT NOT NULL DEFAULT '[]',
     roles         TEXT NOT NULL DEFAULT '[]',
-    emailVerified INTEGER NOT NULL DEFAULT 0
+    emailVerified INTEGER NOT NULL DEFAULT 0,
+    displayName   TEXT,
+    firstName     TEXT,
+    lastName      TEXT,
+    externalId    TEXT,
+    suspended     INTEGER NOT NULL DEFAULT 0,
+    suspendedAt   TEXT,
+    suspendedReason TEXT
   )`);
     // Add emailVerified to pre-existing databases that lack the column
     try {
         db.run("ALTER TABLE users ADD COLUMN emailVerified INTEGER NOT NULL DEFAULT 0");
     }
     catch { /* already exists */ }
+    // Add profile and suspension columns to pre-existing databases
+    for (const col of [
+        "ALTER TABLE users ADD COLUMN displayName TEXT",
+        "ALTER TABLE users ADD COLUMN firstName TEXT",
+        "ALTER TABLE users ADD COLUMN lastName TEXT",
+        "ALTER TABLE users ADD COLUMN externalId TEXT",
+        "ALTER TABLE users ADD COLUMN suspended INTEGER NOT NULL DEFAULT 0",
+        "ALTER TABLE users ADD COLUMN suspendedAt TEXT",
+        "ALTER TABLE users ADD COLUMN suspendedReason TEXT",
+    ]) {
+        try {
+            db.run(col);
+        }
+        catch { /* column already exists */ }
+    }
     // Add MFA columns to pre-existing databases
     try {
         db.run("ALTER TABLE users ADD COLUMN mfaSecret TEXT");
@@ -82,6 +104,10 @@ function initSchema(db) {
         db.run("ALTER TABLE sessions ADD COLUMN fingerprint TEXT");
     }
     catch { /* already exists */ }
+    try {
+        db.run("ALTER TABLE sessions ADD COLUMN mfaVerifiedAt INTEGER");
+    }
+    catch { /* already exists */ }
     db.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_sessions_refreshToken ON sessions(refreshToken) WHERE refreshToken IS NOT NULL");
     db.run(`CREATE TABLE IF NOT EXISTS oauth_states (
     state        TEXT PRIMARY KEY,
@@ -166,6 +192,14 @@ function initSchema(db) {
     jobId     TEXT NOT NULL,
     expiresAt INTEGER NOT NULL
   )`);
+    db.run(`CREATE TABLE IF NOT EXISTS upload_registry (
+    key           TEXT PRIMARY KEY,
+    ownerUserId   TEXT,
+    tenantId      TEXT,
+    mimeType      TEXT,
+    bucket        TEXT,
+    createdAt     INTEGER NOT NULL
+  )`);
 }
 // ---------------------------------------------------------------------------
 // Auth adapter
@@ -244,13 +278,19 @@ export const sqliteAuthAdapter = {
         db.run("UPDATE users SET roles = ? WHERE id = ?", [JSON.stringify(roles.filter((r) => r !== role)), userId]);
     },
     async getUser(userId) {
-        const row = getDb().query("SELECT email, providerIds, emailVerified FROM users WHERE id = ?").get(userId);
+        const row = getDb().query("SELECT email, providerIds, emailVerified, displayName, firstName, lastName, externalId, suspended, suspendedReason FROM users WHERE id = ?").get(userId);
         if (!row)
             return null;
         return {
             email: row.email ?? undefined,
             providerIds: JSON.parse(row.providerIds),
             emailVerified: row.emailVerified === 1,
+            displayName: row.displayName ?? undefined,
+            firstName: row.firstName ?? undefined,
+            lastName: row.lastName ?? undefined,
+            externalId: row.externalId ?? undefined,
+            suspended: row.suspended === 1,
+            suspendedReason: row.suspendedReason ?? undefined,
         };
     },
     async unlinkProvider(userId, provider) {
@@ -364,6 +404,85 @@ export const sqliteAuthAdapter = {
     async removeTenantRole(userId, tenantId, role) {
         getDb().run("DELETE FROM tenant_roles WHERE userId = ? AND tenantId = ? AND role = ?", [userId, tenantId, role]);
     },
+    async setSuspended(userId, suspended, reason) {
+        if (suspended) {
+            getDb().run("UPDATE users SET suspended = 1, suspendedAt = ?, suspendedReason = ? WHERE id = ?", [new Date().toISOString(), reason ?? null, userId]);
+        }
+        else {
+            getDb().run("UPDATE users SET suspended = 0, suspendedAt = NULL, suspendedReason = NULL WHERE id = ?", [userId]);
+        }
+    },
+    async getSuspended(userId) {
+        const row = getDb().query("SELECT suspended, suspendedReason FROM users WHERE id = ?").get(userId);
+        if (!row)
+            return null;
+        return { suspended: row.suspended === 1, suspendedReason: row.suspendedReason ?? undefined };
+    },
+    async updateProfile(userId, fields) {
+        const sets = [];
+        const params = [];
+        if ("displayName" in fields) {
+            sets.push("displayName = ?");
+            params.push(fields.displayName ?? null);
+        }
+        if ("firstName" in fields) {
+            sets.push("firstName = ?");
+            params.push(fields.firstName ?? null);
+        }
+        if ("lastName" in fields) {
+            sets.push("lastName = ?");
+            params.push(fields.lastName ?? null);
+        }
+        if ("externalId" in fields) {
+            sets.push("externalId = ?");
+            params.push(fields.externalId ?? null);
+        }
+        if (sets.length === 0)
+            return;
+        params.push(userId);
+        getDb().run(`UPDATE users SET ${sets.join(", ")} WHERE id = ?`, params);
+    },
+    async listUsers(query) {
+        const db = getDb();
+        const conditions = [];
+        const params = [];
+        if (query.email !== undefined) {
+            conditions.push("email = ?");
+            params.push(query.email);
+        }
+        if (query.externalId !== undefined) {
+            conditions.push("externalId = ?");
+            params.push(query.externalId);
+        }
+        if (query.suspended !== undefined) {
+            conditions.push("suspended = ?");
+            params.push(query.suspended ? 1 : 0);
+        }
+        const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+        const startIndex = query.startIndex ?? 0;
+        const count = query.count ?? 100;
+        const queryParams = [...params, count, startIndex];
+        const countParams = params;
+        const rows = db.prepare(`SELECT id, email, displayName, firstName, lastName, externalId, suspended, suspendedAt, suspendedReason, emailVerified, providerIds FROM users ${where} LIMIT ? OFFSET ?`).all(...queryParams);
+        const totalRow = db.prepare(`SELECT COUNT(*) as c FROM users ${where}`).get(...countParams);
+        const totalResults = totalRow?.c ?? 0;
+        return {
+            users: rows.map((r) => ({
+                id: r.id,
+                email: r.email ?? undefined,
+                displayName: r.displayName ?? undefined,
+                firstName: r.firstName ?? undefined,
+                lastName: r.lastName ?? undefined,
+                externalId: r.externalId ?? undefined,
+                suspended: r.suspended === 1,
+                suspendedAt: r.suspendedAt ? new Date(r.suspendedAt) : undefined,
+                suspendedReason: r.suspendedReason ?? undefined,
+                emailVerified: r.emailVerified === 1,
+                providerIds: JSON.parse(r.providerIds),
+            })),
+            totalResults,
+        };
+    },
     // ---------------------------------------------------------------------------
     // Groups
     // ---------------------------------------------------------------------------
@@ -601,6 +720,13 @@ export const sqliteGetSessionFingerprint = (sessionId) => {
 export const sqliteSetSessionFingerprint = (sessionId, fingerprint) => {
     getDb().run("UPDATE sessions SET fingerprint = ? WHERE sessionId = ?", [fingerprint, sessionId]);
 };
+export const sqliteGetMfaVerifiedAt = (sessionId) => {
+    const row = getDb().query("SELECT mfaVerifiedAt FROM sessions WHERE sessionId = ?").get(sessionId);
+    return row?.mfaVerifiedAt ?? null;
+};
+export const sqliteSetMfaVerifiedAt = (sessionId, ts) => {
+    getDb().run("UPDATE sessions SET mfaVerifiedAt = ? WHERE sessionId = ?", [ts, sessionId]);
+};
 // ---------------------------------------------------------------------------
 // OAuth state helpers (used by src/lib/oauth.ts)
 // ---------------------------------------------------------------------------
@@ -652,6 +778,10 @@ export const sqliteGetVerificationToken = (token) => {
 export const sqliteDeleteVerificationToken = (token) => {
     getDb().run("DELETE FROM email_verifications WHERE token = ?", [token]);
 };
+export const sqliteConsumeVerificationToken = (token) => {
+    const row = getDb().query("DELETE FROM email_verifications WHERE token = ? AND expiresAt > ? RETURNING userId, email").get(token, Date.now());
+    return row ?? null;
+};
 // ---------------------------------------------------------------------------
 // Password reset token helpers (used by src/lib/resetPassword.ts)
 // ---------------------------------------------------------------------------
@@ -705,3 +835,24 @@ export const startSqliteCleanup = (intervalMs = 3_600_000) => {
         db.run("DELETE FROM oauth_codes WHERE expiresAt <= ?", [now]);
     }, intervalMs);
 };
+export const sqliteRegisterUpload = (record) => {
+    getDb().run(`INSERT OR REPLACE INTO upload_registry (key, ownerUserId, tenantId, mimeType, bucket, createdAt)
+     VALUES (?, ?, ?, ?, ?, ?)`, [record.key, record.ownerUserId ?? null, record.tenantId ?? null, record.mimeType ?? null, record.bucket ?? null, record.createdAt]);
+};
+export const sqliteGetUploadRecord = (key) => {
+    const row = getDb().query("SELECT key, ownerUserId, tenantId, mimeType, bucket, createdAt FROM upload_registry WHERE key = ?").get(key);
+    if (!row)
+        return null;
+    return {
+        key: row.key,
+        ...(row.ownerUserId !== null ? { ownerUserId: row.ownerUserId } : {}),
+        ...(row.tenantId !== null ? { tenantId: row.tenantId } : {}),
+        ...(row.mimeType !== null ? { mimeType: row.mimeType } : {}),
+        ...(row.bucket !== null ? { bucket: row.bucket } : {}),
+        createdAt: row.createdAt,
+    };
+};
+export const sqliteDeleteUploadRecord = (key) => {
+    const result = getDb().run("DELETE FROM upload_registry WHERE key = ?", [key]);
+    return result.changes > 0;
+};