@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/adapters/sqliteAuth.js

@@ -1,707 +0,0 @@
-import { Database } from "bun:sqlite";
-import { HttpError } from "../lib/HttpError";
-// ---------------------------------------------------------------------------
-// DB singleton — call setSqliteDb(path) once at startup
-// ---------------------------------------------------------------------------
-let _db = null;
-export const setSqliteDb = (path) => {
-    _db = new Database(path, { create: true });
-    _db.run("PRAGMA journal_mode = WAL");
-    _db.run("PRAGMA foreign_keys = ON");
-    initSchema(_db);
-};
-export function getDb() {
-    if (!_db)
-        throw new Error("SQLite not initialized — call setSqliteDb(path) before using sqliteAuthAdapter or sessionStore: 'sqlite'");
-    return _db;
-}
-// ---------------------------------------------------------------------------
-// Schema
-// ---------------------------------------------------------------------------
-function initSchema(db) {
-    db.run(`CREATE TABLE IF NOT EXISTS users (
-    id            TEXT PRIMARY KEY,
-    email         TEXT UNIQUE,
-    passwordHash  TEXT,
-    providerIds   TEXT NOT NULL DEFAULT '[]',
-    roles         TEXT NOT NULL DEFAULT '[]',
-    emailVerified INTEGER NOT NULL DEFAULT 0
-  )`);
-    // Add emailVerified to pre-existing databases that lack the column
-    try {
-        db.run("ALTER TABLE users ADD COLUMN emailVerified INTEGER NOT NULL DEFAULT 0");
-    }
-    catch { /* already exists */ }
-    // Add MFA columns to pre-existing databases
-    try {
-        db.run("ALTER TABLE users ADD COLUMN mfaSecret TEXT");
-    }
-    catch { /* already exists */ }
-    try {
-        db.run("ALTER TABLE users ADD COLUMN mfaEnabled INTEGER NOT NULL DEFAULT 0");
-    }
-    catch { /* already exists */ }
-    try {
-        db.run("ALTER TABLE users ADD COLUMN recoveryCodes TEXT NOT NULL DEFAULT '[]'");
-    }
-    catch { /* already exists */ }
-    try {
-        db.run("ALTER TABLE users ADD COLUMN mfaMethods TEXT NOT NULL DEFAULT '[]'");
-    }
-    catch { /* already exists */ }
-    // Migrate legacy sessions table (userId PK) to new multi-session schema (sessionId PK)
-    try {
-        db.run("ALTER TABLE sessions RENAME TO sessions_legacy");
-    }
-    catch { /* already migrated */ }
-    db.run(`CREATE TABLE IF NOT EXISTS sessions (
-    sessionId    TEXT PRIMARY KEY,
-    userId       TEXT NOT NULL,
-    token        TEXT,
-    createdAt    INTEGER NOT NULL,
-    lastActiveAt INTEGER NOT NULL,
-    expiresAt    INTEGER NOT NULL,
-    ipAddress    TEXT,
-    userAgent    TEXT
-  )`);
-    db.run("CREATE INDEX IF NOT EXISTS idx_sessions_userId ON sessions(userId)");
-    // Add refresh token columns to pre-existing databases
-    try {
-        db.run("ALTER TABLE sessions ADD COLUMN refreshToken TEXT");
-    }
-    catch { /* already exists */ }
-    try {
-        db.run("ALTER TABLE sessions ADD COLUMN prevRefreshToken TEXT");
-    }
-    catch { /* already exists */ }
-    try {
-        db.run("ALTER TABLE sessions ADD COLUMN prevTokenExpiresAt INTEGER");
-    }
-    catch { /* already exists */ }
-    try {
-        db.run("ALTER TABLE sessions ADD COLUMN fingerprint TEXT");
-    }
-    catch { /* already exists */ }
-    db.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_sessions_refreshToken ON sessions(refreshToken) WHERE refreshToken IS NOT NULL");
-    db.run(`CREATE TABLE IF NOT EXISTS oauth_states (
-    state        TEXT PRIMARY KEY,
-    codeVerifier TEXT,
-    linkUserId   TEXT,
-    expiresAt    INTEGER NOT NULL
-  )`);
-    db.run(`CREATE TABLE IF NOT EXISTS cache_entries (
-    key       TEXT PRIMARY KEY,
-    value     TEXT NOT NULL,
-    expiresAt INTEGER  -- NULL = indefinite
-  )`);
-    db.run(`CREATE TABLE IF NOT EXISTS email_verifications (
-    token     TEXT PRIMARY KEY,
-    userId    TEXT NOT NULL,
-    email     TEXT NOT NULL,
-    expiresAt INTEGER NOT NULL
-  )`);
-    db.run(`CREATE TABLE IF NOT EXISTS password_resets (
-    token     TEXT PRIMARY KEY,
-    userId    TEXT NOT NULL,
-    email     TEXT NOT NULL,
-    expiresAt INTEGER NOT NULL
-  )`);
-    db.run(`CREATE TABLE IF NOT EXISTS tenant_roles (
-    userId    TEXT NOT NULL,
-    tenantId  TEXT NOT NULL,
-    role      TEXT NOT NULL,
-    PRIMARY KEY (userId, tenantId, role)
-  )`);
-    db.run("CREATE INDEX IF NOT EXISTS idx_tenant_roles_tenant ON tenant_roles(tenantId)");
-    db.run(`CREATE TABLE IF NOT EXISTS webauthn_credentials (
-    credentialId TEXT PRIMARY KEY,
-    userId       TEXT NOT NULL,
-    publicKey    TEXT NOT NULL,
-    signCount    INTEGER NOT NULL DEFAULT 0,
-    transports   TEXT NOT NULL DEFAULT '[]',
-    name         TEXT,
-    createdAt    INTEGER NOT NULL
-  )`);
-    db.run("CREATE INDEX IF NOT EXISTS idx_webauthn_userId ON webauthn_credentials(userId)");
-    db.run(`CREATE TABLE IF NOT EXISTS groups (
-    id          TEXT    PRIMARY KEY,
-    name        TEXT    NOT NULL,
-    displayName TEXT,
-    description TEXT,
-    roles       TEXT    NOT NULL DEFAULT '[]',
-    tenantId    TEXT,
-    createdAt   INTEGER NOT NULL,
-    updatedAt   INTEGER NOT NULL
-  )`);
-    // SQLite UNIQUE treats each NULL as distinct, so we use partial indexes instead of
-    // a simple UNIQUE constraint on (name, tenantId). This correctly enforces name
-    // uniqueness within app-wide scope and within each tenant scope separately.
-    db.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_groups_name_appwide ON groups(name) WHERE tenantId IS NULL");
-    db.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_groups_name_tenant ON groups(name, tenantId) WHERE tenantId IS NOT NULL");
-    db.run("CREATE INDEX IF NOT EXISTS idx_groups_tenantId ON groups(tenantId)");
-    db.run(`CREATE TABLE IF NOT EXISTS group_memberships (
-    userId    TEXT    NOT NULL,
-    groupId   TEXT    NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
-    roles     TEXT    NOT NULL DEFAULT '[]',
-    tenantId  TEXT,
-    createdAt INTEGER NOT NULL,
-    PRIMARY KEY (userId, groupId)
-  )`);
-    // NOTE: PRAGMA foreign_keys = ON is set in setSqliteDb() and must run per-connection.
-    // If any code path opens SQLite without going through setSqliteDb, ON DELETE CASCADE
-    // for group_memberships will silently not fire. All SQLite access must use setSqliteDb.
-    db.run("CREATE INDEX IF NOT EXISTS idx_gm_groupId ON group_memberships(groupId)");
-    db.run("CREATE INDEX IF NOT EXISTS idx_gm_userId_tenantId ON group_memberships(userId, tenantId)");
-    db.run(`CREATE TABLE IF NOT EXISTS oauth_codes (
-    codeHash     TEXT PRIMARY KEY,
-    token        TEXT NOT NULL,
-    userId       TEXT NOT NULL,
-    email        TEXT,
-    refreshToken TEXT,
-    expiresAt    INTEGER NOT NULL
-  )`);
-    db.run(`CREATE TABLE IF NOT EXISTS deletion_cancel_tokens (
-    token     TEXT PRIMARY KEY,
-    userId    TEXT NOT NULL,
-    jobId     TEXT NOT NULL,
-    expiresAt INTEGER NOT NULL
-  )`);
-}
-// ---------------------------------------------------------------------------
-// Auth adapter
-// ---------------------------------------------------------------------------
-export const sqliteAuthAdapter = {
-    async findByEmail(email) {
-        const row = getDb().query("SELECT id, passwordHash FROM users WHERE email = ?").get(email);
-        return row ?? null;
-    },
-    async create(email, passwordHash) {
-        const id = crypto.randomUUID();
-        try {
-            getDb().run("INSERT INTO users (id, email, passwordHash) VALUES (?, ?, ?)", [id, email, passwordHash]);
-            return { id };
-        }
-        catch (err) {
-            if (err?.code === "SQLITE_CONSTRAINT_UNIQUE")
-                throw new HttpError(409, "Email already registered");
-            throw err;
-        }
-    },
-    async setPassword(userId, passwordHash) {
-        getDb().run("UPDATE users SET passwordHash = ? WHERE id = ?", [passwordHash, userId]);
-    },
-    async findOrCreateByProvider(provider, providerId, profile) {
-        const key = `${provider}:${providerId}`;
-        const db = getDb();
-        // Find by provider key using json_each
-        const existing = db.query("SELECT u.id FROM users u, json_each(u.providerIds) p WHERE p.value = ?").get(key);
-        if (existing)
-            return { id: existing.id, created: false };
-        // Reject if email belongs to a credential account
-        if (profile.email) {
-            const emailUser = db.query("SELECT id FROM users WHERE email = ?").get(profile.email);
-            if (emailUser)
-                throw new HttpError(409, "An account with this email already exists. Sign in with your credentials, then link Google from your account settings.");
-        }
-        const id = crypto.randomUUID();
-        db.run("INSERT INTO users (id, email, providerIds) VALUES (?, ?, ?)", [id, profile.email ?? null, JSON.stringify([key])]);
-        return { id, created: true };
-    },
-    async linkProvider(userId, provider, providerId) {
-        const key = `${provider}:${providerId}`;
-        const db = getDb();
-        const row = db.query("SELECT id, providerIds FROM users WHERE id = ?").get(userId);
-        if (!row)
-            throw new HttpError(404, "User not found");
-        const ids = JSON.parse(row.providerIds);
-        if (!ids.includes(key)) {
-            db.run("UPDATE users SET providerIds = ? WHERE id = ?", [JSON.stringify([...ids, key]), userId]);
-        }
-    },
-    async getRoles(userId) {
-        const row = getDb().query("SELECT roles FROM users WHERE id = ?").get(userId);
-        return row ? JSON.parse(row.roles) : [];
-    },
-    async setRoles(userId, roles) {
-        getDb().run("UPDATE users SET roles = ? WHERE id = ?", [JSON.stringify(roles), userId]);
-    },
-    async addRole(userId, role) {
-        const db = getDb();
-        const row = db.query("SELECT roles FROM users WHERE id = ?").get(userId);
-        if (!row)
-            return;
-        const roles = JSON.parse(row.roles);
-        if (!roles.includes(role)) {
-            db.run("UPDATE users SET roles = ? WHERE id = ?", [JSON.stringify([...roles, role]), userId]);
-        }
-    },
-    async removeRole(userId, role) {
-        const db = getDb();
-        const row = db.query("SELECT roles FROM users WHERE id = ?").get(userId);
-        if (!row)
-            return;
-        const roles = JSON.parse(row.roles);
-        db.run("UPDATE users SET roles = ? WHERE id = ?", [JSON.stringify(roles.filter((r) => r !== role)), userId]);
-    },
-    async getUser(userId) {
-        const row = getDb().query("SELECT email, providerIds, emailVerified FROM users WHERE id = ?").get(userId);
-        if (!row)
-            return null;
-        return {
-            email: row.email ?? undefined,
-            providerIds: JSON.parse(row.providerIds),
-            emailVerified: row.emailVerified === 1,
-        };
-    },
-    async unlinkProvider(userId, provider) {
-        const db = getDb();
-        const row = db.query("SELECT providerIds FROM users WHERE id = ?").get(userId);
-        if (!row)
-            throw new HttpError(404, "User not found");
-        const ids = JSON.parse(row.providerIds);
-        db.run("UPDATE users SET providerIds = ? WHERE id = ?", [JSON.stringify(ids.filter((id) => !id.startsWith(`${provider}:`))), userId]);
-    },
-    async findByIdentifier(value) {
-        const row = getDb().query("SELECT id, passwordHash FROM users WHERE email = ?").get(value);
-        return row ?? null;
-    },
-    async setEmailVerified(userId, verified) {
-        getDb().run("UPDATE users SET emailVerified = ? WHERE id = ?", [verified ? 1 : 0, userId]);
-    },
-    async getEmailVerified(userId) {
-        const row = getDb().query("SELECT emailVerified FROM users WHERE id = ?").get(userId);
-        return row?.emailVerified === 1;
-    },
-    async deleteUser(userId) {
-        getDb().run("DELETE FROM users WHERE id = ?", [userId]);
-    },
-    async hasPassword(userId) {
-        const row = getDb().query("SELECT passwordHash FROM users WHERE id = ?").get(userId);
-        return !!row?.passwordHash;
-    },
-    async setMfaSecret(userId, secret) {
-        getDb().run("UPDATE users SET mfaSecret = ? WHERE id = ?", [secret, userId]);
-    },
-    async getMfaSecret(userId) {
-        const row = getDb().query("SELECT mfaSecret FROM users WHERE id = ?").get(userId);
-        return row?.mfaSecret ?? null;
-    },
-    async isMfaEnabled(userId) {
-        const row = getDb().query("SELECT mfaEnabled FROM users WHERE id = ?").get(userId);
-        return row?.mfaEnabled === 1;
-    },
-    async setMfaEnabled(userId, enabled) {
-        getDb().run("UPDATE users SET mfaEnabled = ? WHERE id = ?", [enabled ? 1 : 0, userId]);
-    },
-    async setRecoveryCodes(userId, codes) {
-        getDb().run("UPDATE users SET recoveryCodes = ? WHERE id = ?", [JSON.stringify(codes), userId]);
-    },
-    async getRecoveryCodes(userId) {
-        const row = getDb().query("SELECT recoveryCodes FROM users WHERE id = ?").get(userId);
-        return row?.recoveryCodes ? JSON.parse(row.recoveryCodes) : [];
-    },
-    async removeRecoveryCode(userId, code) {
-        const current = await sqliteAuthAdapter.getRecoveryCodes(userId);
-        const idx = current.indexOf(code);
-        if (idx !== -1) {
-            current.splice(idx, 1);
-            await sqliteAuthAdapter.setRecoveryCodes(userId, current);
-        }
-    },
-    async getMfaMethods(userId) {
-        const row = getDb().query("SELECT mfaMethods, mfaEnabled FROM users WHERE id = ?").get(userId);
-        const methods = row?.mfaMethods ? JSON.parse(row.mfaMethods) : [];
-        // Backward compat: if mfaEnabled but no methods recorded, assume TOTP
-        if (methods.length === 0 && row?.mfaEnabled === 1)
-            return ["totp"];
-        return methods;
-    },
-    async setMfaMethods(userId, methods) {
-        getDb().run("UPDATE users SET mfaMethods = ? WHERE id = ?", [JSON.stringify(methods), userId]);
-    },
-    async getWebAuthnCredentials(userId) {
-        const rows = getDb().query("SELECT credentialId, publicKey, signCount, transports, name, createdAt FROM webauthn_credentials WHERE userId = ?").all(userId);
-        return rows.map((r) => ({
-            credentialId: r.credentialId,
-            publicKey: r.publicKey,
-            signCount: r.signCount,
-            transports: JSON.parse(r.transports),
-            name: r.name ?? undefined,
-            createdAt: r.createdAt,
-        }));
-    },
-    async addWebAuthnCredential(userId, credential) {
-        getDb().run("INSERT INTO webauthn_credentials (credentialId, userId, publicKey, signCount, transports, name, createdAt) VALUES (?, ?, ?, ?, ?, ?, ?)", [credential.credentialId, userId, credential.publicKey, credential.signCount, JSON.stringify(credential.transports ?? []), credential.name ?? null, credential.createdAt]);
-    },
-    async removeWebAuthnCredential(userId, credentialId) {
-        getDb().run("DELETE FROM webauthn_credentials WHERE credentialId = ? AND userId = ?", [credentialId, userId]);
-    },
-    async updateWebAuthnCredentialSignCount(userId, credentialId, signCount) {
-        getDb().run("UPDATE webauthn_credentials SET signCount = ? WHERE credentialId = ? AND userId = ?", [signCount, credentialId, userId]);
-    },
-    async findUserByWebAuthnCredentialId(credentialId) {
-        const row = getDb().query("SELECT userId FROM webauthn_credentials WHERE credentialId = ?").get(credentialId);
-        return row?.userId ?? null;
-    },
-    async getTenantRoles(userId, tenantId) {
-        const rows = getDb().query("SELECT role FROM tenant_roles WHERE userId = ? AND tenantId = ?").all(userId, tenantId);
-        return rows.map((r) => r.role);
-    },
-    async setTenantRoles(userId, tenantId, roles) {
-        const db = getDb();
-        db.run("DELETE FROM tenant_roles WHERE userId = ? AND tenantId = ?", [userId, tenantId]);
-        const stmt = db.prepare("INSERT INTO tenant_roles (userId, tenantId, role) VALUES (?, ?, ?)");
-        for (const role of roles) {
-            stmt.run(userId, tenantId, role);
-        }
-    },
-    async addTenantRole(userId, tenantId, role) {
-        try {
-            getDb().run("INSERT INTO tenant_roles (userId, tenantId, role) VALUES (?, ?, ?)", [userId, tenantId, role]);
-        }
-        catch { /* already exists */ }
-    },
-    async removeTenantRole(userId, tenantId, role) {
-        getDb().run("DELETE FROM tenant_roles WHERE userId = ? AND tenantId = ? AND role = ?", [userId, tenantId, role]);
-    },
-    // ---------------------------------------------------------------------------
-    // Groups
-    // ---------------------------------------------------------------------------
-    async createGroup(group) {
-        const id = crypto.randomUUID();
-        const now = Date.now();
-        try {
-            getDb().run("INSERT INTO groups (id, name, displayName, description, roles, tenantId, createdAt, updatedAt) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", [id, group.name, group.displayName ?? null, group.description ?? null, JSON.stringify(group.roles ?? []), group.tenantId ?? null, now, now]);
-        }
-        catch (err) {
-            if (err?.code === "SQLITE_CONSTRAINT_UNIQUE" || err?.code === "SQLITE_CONSTRAINT_PRIMARYKEY") {
-                throw new HttpError(409, "A group with this name already exists in this scope");
-            }
-            throw err;
-        }
-        return { id };
-    },
-    async deleteGroup(groupId) {
-        // group_memberships are cascade-deleted via ON DELETE CASCADE (requires PRAGMA foreign_keys = ON)
-        getDb().run("DELETE FROM groups WHERE id = ?", [groupId]);
-    },
-    async getGroup(groupId) {
-        const row = getDb().query("SELECT id, name, displayName, description, roles, tenantId, createdAt, updatedAt FROM groups WHERE id = ?").get(groupId);
-        if (!row)
-            return null;
-        return { ...row, displayName: row.displayName ?? undefined, description: row.description ?? undefined, roles: JSON.parse(row.roles) };
-    },
-    async listGroups(tenantId, opts) {
-        const limit = Math.min(opts?.limit ?? 50, 200);
-        const offset = opts?.offset ?? 0;
-        const db = getDb();
-        const cols = "id, name, displayName, description, roles, tenantId, createdAt, updatedAt";
-        let rows;
-        let total;
-        if (tenantId === null) {
-            rows = db.query(`SELECT ${cols} FROM groups WHERE tenantId IS NULL LIMIT ? OFFSET ?`).all(limit, offset);
-            total = (db.query("SELECT COUNT(*) as c FROM groups WHERE tenantId IS NULL").get()?.c ?? 0);
-        }
-        else {
-            rows = db.query(`SELECT ${cols} FROM groups WHERE tenantId = ? LIMIT ? OFFSET ?`).all(tenantId, limit, offset);
-            total = (db.query("SELECT COUNT(*) as c FROM groups WHERE tenantId = ?").get(tenantId)?.c ?? 0);
-        }
-        const items = rows.map((r) => ({ ...r, displayName: r.displayName ?? undefined, description: r.description ?? undefined, roles: JSON.parse(r.roles) }));
-        return { items, total, limit, offset };
-    },
-    async updateGroup(groupId, updates) {
-        const db = getDb();
-        const now = Date.now();
-        const sets = ["updatedAt = ?"];
-        const params = [now];
-        if (updates.name !== undefined) {
-            sets.push("name = ?");
-            params.push(updates.name);
-        }
-        if ("displayName" in updates) {
-            sets.push("displayName = ?");
-            params.push(updates.displayName ?? null);
-        }
-        if ("description" in updates) {
-            sets.push("description = ?");
-            params.push(updates.description ?? null);
-        }
-        if (updates.roles !== undefined) {
-            sets.push("roles = ?");
-            params.push(JSON.stringify(updates.roles));
-        }
-        params.push(groupId);
-        db.run(`UPDATE groups SET ${sets.join(", ")} WHERE id = ?`, params);
-    },
-    async addGroupMember(groupId, userId, roles = []) {
-        const group = getDb().query("SELECT tenantId FROM groups WHERE id = ?").get(groupId);
-        if (!group)
-            throw new HttpError(404, "Group not found");
-        try {
-            getDb().run("INSERT INTO group_memberships (userId, groupId, roles, tenantId, createdAt) VALUES (?, ?, ?, ?, ?)", [userId, groupId, JSON.stringify(roles), group.tenantId ?? null, Date.now()]);
-        }
-        catch (err) {
-            if (err?.code === "SQLITE_CONSTRAINT_PRIMARYKEY" || err?.code === "SQLITE_CONSTRAINT_UNIQUE") {
-                throw new HttpError(409, "User is already a member of this group");
-            }
-            throw err;
-        }
-    },
-    async updateGroupMembership(groupId, userId, roles) {
-        getDb().run("UPDATE group_memberships SET roles = ? WHERE userId = ? AND groupId = ?", [JSON.stringify(roles), userId, groupId]);
-    },
-    async removeGroupMember(groupId, userId) {
-        getDb().run("DELETE FROM group_memberships WHERE userId = ? AND groupId = ?", [userId, groupId]);
-    },
-    async getGroupMembers(groupId, opts) {
-        const limit = Math.min(opts?.limit ?? 50, 200);
-        const offset = opts?.offset ?? 0;
-        const db = getDb();
-        const rows = db.query("SELECT userId, roles FROM group_memberships WHERE groupId = ? LIMIT ? OFFSET ?").all(groupId, limit, offset);
-        const total = db.query("SELECT COUNT(*) as c FROM group_memberships WHERE groupId = ?").get(groupId)?.c ?? 0;
-        return { items: rows.map((r) => ({ userId: r.userId, roles: JSON.parse(r.roles) })), total, limit, offset };
-    },
-    async getUserGroups(userId, tenantId) {
-        const db = getDb();
-        let memberRows;
-        if (tenantId === null) {
-            memberRows = db.query("SELECT groupId, roles as memberRoles FROM group_memberships WHERE userId = ? AND tenantId IS NULL").all(userId);
-        }
-        else {
-            memberRows = db.query("SELECT groupId, roles as memberRoles FROM group_memberships WHERE userId = ? AND tenantId = ?").all(userId, tenantId);
-        }
-        if (memberRows.length === 0)
-            return [];
-        const result = [];
-        for (const m of memberRows) {
-            const row = db.query("SELECT id, name, displayName, description, roles, tenantId, createdAt, updatedAt FROM groups WHERE id = ?").get(m.groupId);
-            if (row) {
-                result.push({
-                    group: { ...row, displayName: row.displayName ?? undefined, description: row.description ?? undefined, roles: JSON.parse(row.roles) },
-                    membershipRoles: JSON.parse(m.memberRoles),
-                });
-            }
-        }
-        return result;
-    },
-    async getEffectiveRoles(userId, tenantId) {
-        const db = getDb();
-        // Direct roles
-        let direct = [];
-        if (tenantId) {
-            const rows = db.query("SELECT role FROM tenant_roles WHERE userId = ? AND tenantId = ?").all(userId, tenantId);
-            direct = rows.map((r) => r.role);
-        }
-        else {
-            const row = db.query("SELECT roles FROM users WHERE id = ?").get(userId);
-            direct = row ? JSON.parse(row.roles) : [];
-        }
-        let memberRows;
-        if (tenantId === null) {
-            memberRows = db.query("SELECT g.roles as groupRoles, gm.roles as memberRoles FROM group_memberships gm JOIN groups g ON g.id = gm.groupId WHERE gm.userId = ? AND gm.tenantId IS NULL").all(userId);
-        }
-        else {
-            memberRows = db.query("SELECT g.roles as groupRoles, gm.roles as memberRoles FROM group_memberships gm JOIN groups g ON g.id = gm.groupId WHERE gm.userId = ? AND gm.tenantId = ?").all(userId, tenantId);
-        }
-        const groupRoles = memberRows.flatMap((r) => [...JSON.parse(r.groupRoles), ...JSON.parse(r.memberRoles)]);
-        return [...new Set([...direct, ...groupRoles])];
-    },
-};
-import { getPersistSessionMetadata, getIncludeInactiveSessions } from "../lib/appConfig";
-const SESSION_TTL_MS = 60 * 60 * 24 * 7 * 1000; // 7 days
-export const sqliteCreateSession = (userId, token, sessionId, metadata) => {
-    const now = Date.now();
-    const expiresAt = now + SESSION_TTL_MS;
-    getDb().run("INSERT INTO sessions (sessionId, userId, token, createdAt, lastActiveAt, expiresAt, ipAddress, userAgent) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", [sessionId, userId, token, now, now, expiresAt, metadata?.ipAddress ?? null, metadata?.userAgent ?? null]);
-};
-export const sqliteGetSession = (sessionId) => {
-    const row = getDb().query("SELECT token FROM sessions WHERE sessionId = ? AND expiresAt > ?").get(sessionId, Date.now());
-    if (!row || !row.token)
-        return null;
-    return row.token;
-};
-export const sqliteDeleteSession = (sessionId) => {
-    if (getPersistSessionMetadata()) {
-        getDb().run("UPDATE sessions SET token = NULL, refreshToken = NULL, prevRefreshToken = NULL, prevTokenExpiresAt = NULL WHERE sessionId = ?", [sessionId]);
-    }
-    else {
-        getDb().run("DELETE FROM sessions WHERE sessionId = ?", [sessionId]);
-    }
-};
-export const sqliteGetUserSessions = (userId) => {
-    const now = Date.now();
-    const rows = getDb().query("SELECT sessionId, token, createdAt, lastActiveAt, expiresAt, ipAddress, userAgent FROM sessions WHERE userId = ? ORDER BY createdAt ASC").all(userId);
-    const includeInactive = getIncludeInactiveSessions();
-    const persist = getPersistSessionMetadata();
-    const results = [];
-    for (const row of rows) {
-        const isActive = !!row.token && row.expiresAt > now;
-        if (!isActive && !persist)
-            continue;
-        if (!isActive && !includeInactive)
-            continue;
-        results.push({
-            sessionId: row.sessionId,
-            createdAt: row.createdAt,
-            lastActiveAt: row.lastActiveAt,
-            expiresAt: row.expiresAt,
-            ipAddress: row.ipAddress ?? undefined,
-            userAgent: row.userAgent ?? undefined,
-            isActive,
-        });
-    }
-    return results;
-};
-export const sqliteGetActiveSessionCount = (userId) => {
-    const row = getDb().query("SELECT COUNT(*) AS count FROM sessions WHERE userId = ? AND token IS NOT NULL AND expiresAt > ?").get(userId, Date.now());
-    return row?.count ?? 0;
-};
-export const sqliteEvictOldestSession = (userId) => {
-    const now = Date.now();
-    const oldest = getDb().query("SELECT sessionId FROM sessions WHERE userId = ? AND token IS NOT NULL AND expiresAt > ? ORDER BY createdAt ASC LIMIT 1").get(userId, now);
-    if (oldest)
-        sqliteDeleteSession(oldest.sessionId);
-};
-export const sqliteUpdateSessionLastActive = (sessionId) => {
-    getDb().run("UPDATE sessions SET lastActiveAt = ? WHERE sessionId = ?", [Date.now(), sessionId]);
-};
-import { getRotationGraceSeconds } from "../lib/appConfig";
-export const sqliteSetRefreshToken = (sessionId, refreshToken) => {
-    getDb().run("UPDATE sessions SET refreshToken = ? WHERE sessionId = ?", [refreshToken, sessionId]);
-};
-export const sqliteGetSessionByRefreshToken = (refreshToken) => {
-    const db = getDb();
-    // Check current refresh token
-    let row = db.query("SELECT sessionId, userId, refreshToken FROM sessions WHERE refreshToken = ?").get(refreshToken);
-    if (row) {
-        return { sessionId: row.sessionId, userId: row.userId, newRefreshToken: refreshToken };
-    }
-    // Check previous refresh token (grace window)
-    row = db.query("SELECT sessionId, userId, refreshToken, prevTokenExpiresAt FROM sessions WHERE prevRefreshToken = ?").get(refreshToken);
-    if (!row)
-        return null;
-    const prevExpiry = row.prevTokenExpiresAt;
-    if (prevExpiry && prevExpiry > Date.now()) {
-        // Within grace window — return current refresh token
-        return { sessionId: row.sessionId, userId: row.userId, newRefreshToken: row.refreshToken };
-    }
-    // Grace window expired — theft detected, invalidate session
-    sqliteDeleteSession(row.sessionId);
-    return null;
-};
-export const sqliteRotateRefreshToken = (sessionId, newRefreshToken, newAccessToken) => {
-    const graceSeconds = getRotationGraceSeconds();
-    const prevTokenExpiresAt = Date.now() + graceSeconds * 1000;
-    getDb().run("UPDATE sessions SET prevRefreshToken = refreshToken, prevTokenExpiresAt = ?, refreshToken = ?, token = ? WHERE sessionId = ?", [prevTokenExpiresAt, newRefreshToken, newAccessToken, sessionId]);
-};
-export const sqliteGetSessionFingerprint = (sessionId) => {
-    const row = getDb().query("SELECT fingerprint FROM sessions WHERE sessionId = ?").get(sessionId);
-    return row?.fingerprint ?? null;
-};
-export const sqliteSetSessionFingerprint = (sessionId, fingerprint) => {
-    getDb().run("UPDATE sessions SET fingerprint = ? WHERE sessionId = ?", [fingerprint, sessionId]);
-};
-// ---------------------------------------------------------------------------
-// OAuth state helpers (used by src/lib/oauth.ts)
-// ---------------------------------------------------------------------------
-const OAUTH_STATE_TTL_MS = 5 * 60 * 1000; // 5 minutes
-export const sqliteStoreOAuthState = (state, codeVerifier, linkUserId) => {
-    const expiresAt = Date.now() + OAUTH_STATE_TTL_MS;
-    getDb().run("INSERT INTO oauth_states (state, codeVerifier, linkUserId, expiresAt) VALUES (?, ?, ?, ?)", [state, codeVerifier ?? null, linkUserId ?? null, expiresAt]);
-};
-export const sqliteConsumeOAuthState = (state) => {
-    const row = getDb().query("DELETE FROM oauth_states WHERE state = ? AND expiresAt > ? RETURNING codeVerifier, linkUserId").get(state, Date.now());
-    if (!row)
-        return null;
-    return {
-        codeVerifier: row.codeVerifier ?? undefined,
-        linkUserId: row.linkUserId ?? undefined,
-    };
-};
-// ---------------------------------------------------------------------------
-// Cache helpers (used by src/middleware/cacheResponse.ts)
-// ---------------------------------------------------------------------------
-export const isSqliteReady = () => _db !== null;
-export const sqliteGetCache = (key) => {
-    const row = getDb().query("SELECT value FROM cache_entries WHERE key = ? AND (expiresAt IS NULL OR expiresAt > ?)").get(key, Date.now());
-    return row?.value ?? null;
-};
-export const sqliteSetCache = (key, value, ttlSeconds) => {
-    const expiresAt = ttlSeconds ? Date.now() + ttlSeconds * 1000 : null;
-    getDb().run("INSERT INTO cache_entries (key, value, expiresAt) VALUES (?, ?, ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value, expiresAt = excluded.expiresAt", [key, value, expiresAt]);
-};
-export const sqliteDelCache = (key) => {
-    getDb().run("DELETE FROM cache_entries WHERE key = ?", [key]);
-};
-export const sqliteDelCachePattern = (pattern) => {
-    // Convert glob pattern (* wildcard) to a SQL LIKE pattern (% wildcard)
-    const likePattern = pattern.replace(/%/g, "\\%").replace(/_/g, "\\_").replace(/\*/g, "%");
-    getDb().run("DELETE FROM cache_entries WHERE key LIKE ? ESCAPE '\\'", [likePattern]);
-};
-// ---------------------------------------------------------------------------
-// Email verification token helpers (used by src/lib/emailVerification.ts)
-// ---------------------------------------------------------------------------
-export const sqliteCreateVerificationToken = (token, userId, email, ttlSeconds) => {
-    const expiresAt = Date.now() + ttlSeconds * 1000;
-    getDb().run("INSERT INTO email_verifications (token, userId, email, expiresAt) VALUES (?, ?, ?, ?)", [token, userId, email, expiresAt]);
-};
-export const sqliteGetVerificationToken = (token) => {
-    const row = getDb().query("SELECT userId, email FROM email_verifications WHERE token = ? AND expiresAt > ?").get(token, Date.now());
-    return row ?? null;
-};
-export const sqliteDeleteVerificationToken = (token) => {
-    getDb().run("DELETE FROM email_verifications WHERE token = ?", [token]);
-};
-// ---------------------------------------------------------------------------
-// Password reset token helpers (used by src/lib/resetPassword.ts)
-// ---------------------------------------------------------------------------
-export const sqliteCreateResetToken = (token, userId, email, ttlSeconds) => {
-    const expiresAt = Date.now() + ttlSeconds * 1000;
-    getDb().run("INSERT INTO password_resets (token, userId, email, expiresAt) VALUES (?, ?, ?, ?)", [token, userId, email, expiresAt]);
-};
-export const sqliteConsumeResetToken = (hash) => {
-    const row = getDb().query("DELETE FROM password_resets WHERE token = ? AND expiresAt > ? RETURNING userId, email").get(hash, Date.now());
-    return row ?? null;
-};
-// ---------------------------------------------------------------------------
-// Account deletion cancel token helpers (used by src/lib/deletionCancelToken.ts)
-// ---------------------------------------------------------------------------
-export const sqliteCreateDeletionCancelToken = (token, userId, jobId, ttlSeconds) => {
-    const expiresAt = Date.now() + ttlSeconds * 1000;
-    getDb().run("INSERT INTO deletion_cancel_tokens (token, userId, jobId, expiresAt) VALUES (?, ?, ?, ?)", [token, userId, jobId, expiresAt]);
-};
-export const sqliteConsumeDeletionCancelToken = (hash) => {
-    const row = getDb().query("DELETE FROM deletion_cancel_tokens WHERE token = ? AND expiresAt > ? RETURNING userId, jobId").get(hash, Date.now());
-    return row ?? null;
-};
-export const sqliteStoreOAuthCode = (hash, payload, ttlSeconds) => {
-    const expiresAt = Date.now() + ttlSeconds * 1000;
-    getDb().run("INSERT INTO oauth_codes (codeHash, token, userId, email, refreshToken, expiresAt) VALUES (?, ?, ?, ?, ?, ?)", [hash, payload.token, payload.userId, payload.email ?? null, payload.refreshToken ?? null, expiresAt]);
-};
-export const sqliteConsumeOAuthCode = (hash) => {
-    const row = getDb().query("DELETE FROM oauth_codes WHERE codeHash = ? AND expiresAt > ? RETURNING token, userId, email, refreshToken").get(hash, Date.now());
-    if (!row)
-        return null;
-    return { token: row.token, userId: row.userId, email: row.email ?? undefined, refreshToken: row.refreshToken ?? undefined };
-};
-// ---------------------------------------------------------------------------
-// Optional periodic cleanup of expired rows
-// ---------------------------------------------------------------------------
-export const startSqliteCleanup = (intervalMs = 3_600_000) => {
-    return setInterval(() => {
-        const db = getDb();
-        const now = Date.now();
-        if (getPersistSessionMetadata()) {
-            // Null out tokens for expired sessions but keep the metadata row
-            db.run("UPDATE sessions SET token = NULL WHERE expiresAt <= ? AND token IS NOT NULL", [now]);
-        }
-        else {
-            db.run("DELETE FROM sessions WHERE expiresAt <= ?", [now]);
-        }
-        db.run("DELETE FROM oauth_states WHERE expiresAt <= ?", [now]);
-        db.run("DELETE FROM cache_entries WHERE expiresAt IS NOT NULL AND expiresAt <= ?", [now]);
-        db.run("DELETE FROM email_verifications WHERE expiresAt <= ?", [now]);
-        db.run("DELETE FROM password_resets WHERE expiresAt <= ?", [now]);
-        db.run("DELETE FROM oauth_codes WHERE expiresAt <= ?", [now]);
-    }, intervalMs);
-};