@lunora/server 0.0.0 → 1.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (39) hide show
  1. package/LICENSE.md +105 -0
  2. package/README.md +130 -9
  3. package/__assets__/package-og.svg +14 -0
  4. package/dist/data-model.d.mts +328 -0
  5. package/dist/data-model.d.ts +328 -0
  6. package/dist/data-model.mjs +1 -0
  7. package/dist/drizzle.d.mts +1 -0
  8. package/dist/drizzle.d.ts +1 -0
  9. package/dist/drizzle.mjs +1 -0
  10. package/dist/index.d.mts +1741 -0
  11. package/dist/index.d.ts +1741 -0
  12. package/dist/index.mjs +24 -0
  13. package/dist/packem_shared/LunoraError-DhggBJZF.mjs +51 -0
  14. package/dist/packem_shared/asBucketStorage-Cnxd9y2q.mjs +11 -0
  15. package/dist/packem_shared/bindTableFacade-DCuyr46L.mjs +71 -0
  16. package/dist/packem_shared/defineAggregateIndex-DzqxtAyV.mjs +236 -0
  17. package/dist/packem_shared/defineEnv-DjFkpkSP.mjs +187 -0
  18. package/dist/packem_shared/defineMigration-CAJLr6fx.mjs +8 -0
  19. package/dist/packem_shared/definePolicy-De67zPDS.mjs +29 -0
  20. package/dist/packem_shared/definePresence-D5LtwGl0.mjs +114 -0
  21. package/dist/packem_shared/defineSchemaExtension-Ck5_TUO8.mjs +100 -0
  22. package/dist/packem_shared/defineStorageRule-qu0mpilX.mjs +20 -0
  23. package/dist/packem_shared/httpAction-B7FYUEgr.mjs +340 -0
  24. package/dist/packem_shared/initLunora-CATvPsVt.mjs +86 -0
  25. package/dist/packem_shared/mask-CkZJHHMM.mjs +211 -0
  26. package/dist/packem_shared/onConnect-CIPXKPyw.mjs +13 -0
  27. package/dist/packem_shared/protectPublic-BjFkQ_Or.mjs +15 -0
  28. package/dist/packem_shared/rls-Zhf5wEeJ.mjs +551 -0
  29. package/dist/packem_shared/run-middleware-CYQOuoV6.mjs +18 -0
  30. package/dist/packem_shared/storageRules-4a30FSpI.mjs +88 -0
  31. package/dist/packem_shared/types.d-BDY0FYHK.d.ts +135 -0
  32. package/dist/packem_shared/types.d-DmvyEMD6.d.mts +135 -0
  33. package/dist/rls/testing.d.mts +63 -0
  34. package/dist/rls/testing.d.ts +63 -0
  35. package/dist/rls/testing.mjs +49 -0
  36. package/dist/types.d.mts +1029 -0
  37. package/dist/types.d.ts +1029 -0
  38. package/dist/types.mjs +31 -0
  39. package/package.json +59 -17
@@ -0,0 +1,1029 @@
1
+ import { ValidatorMap, InferValidatorMap, Id, Validator, Infer } from '@lunora/values';
2
+ /** Map of validators describing a function's args record. Alias of `@lunora/values`' shared {@link ValidatorMap}. */
3
+ type ArgsValidator = ValidatorMap;
4
+ /** Infer the args object type from an {@link ArgsValidator}. Alias of `@lunora/values`' shared {@link InferValidatorMap}. */
5
+ type InferArgs<A extends ArgsValidator> = InferValidatorMap<A>;
6
+ /** Storage backend for a `.global()` table: D1 (default) or a Postgres/MySQL database via Cloudflare Hyperdrive (PlanetScale, Neon, …). */
7
+ type GlobalBackend = "d1" | "hyperdrive";
8
+ /** How a table is routed at runtime. */
9
+ type ShardMode = {
10
+ backend?: GlobalBackend;
11
+ kind: "global";
12
+ } | {
13
+ field: string;
14
+ kind: "shardBy";
15
+ } | {
16
+ kind: "root";
17
+ };
18
+ interface IndexDefinition {
19
+ fields: ReadonlyArray<string>;
20
+ name: string;
21
+ unique?: boolean;
22
+ }
23
+ interface SearchIndexDefinition {
24
+ field: string;
25
+ filterFields?: ReadonlyArray<string>;
26
+ name: string;
27
+ }
28
+ /** Reducer applied by an aggregate index. */
29
+ type AggregateOp = "avg" | "count" | "max" | "min" | "sum";
30
+ /**
31
+ * Declared aggregate index — the schema-level seam that lets the runtime keep
32
+ * O(1) counters/sums in step with row writes (via the trigger runner) and
33
+ * route matching reads through them.
34
+ *
35
+ * - `on` — the table whose rows feed the aggregate.
36
+ * - `op` — the reducer. `count` is field-less; the others take `field`.
37
+ * - `field` — the column the reducer applies to (required for non-count ops).
38
+ * - `by` — group keys. When all `where` keys in a read participate in `by`, the
39
+ * reader can answer from the counter table without scanning rows.
40
+ * - `where` — optional static predicate baked into the counter (only the rows
41
+ * matching it ever land in the counter).
42
+ */
43
+ interface AggregateIndexDefinition {
44
+ by?: ReadonlyArray<string>;
45
+ field?: string;
46
+ name: string;
47
+ on: string;
48
+ op: AggregateOp;
49
+ where?: Record<string, unknown>;
50
+ }
51
+ /**
52
+ * One ordering key on a `rankIndex.sortBy`: which column to sort by, and the
53
+ * direction. The runtime breaks ties on the row's `_id` ASC so the order is
54
+ * total and `rank()` always returns a deterministic 1-based position.
55
+ */
56
+ interface RankSortKey {
57
+ direction: "asc" | "desc";
58
+ field: string;
59
+ }
60
+ /**
61
+ * Declared rank index — a sorted companion table per `(partition tuple, sortBy)`
62
+ * maintained by triggers, so:
63
+ *
64
+ * - `rank(row)` returns the row's 1-based position within its partition under
65
+ * the declared `sortBy` order, plus the partition's total row count, in
66
+ * O(log n) lookups against the SQLite btree on the companion table.
67
+ * - `rankPage({ where, take, from })` walks the same companion table to return
68
+ * rows in the declared order — a sorted-pagination accelerator.
69
+ *
70
+ * Fields mirror `AggregateIndexDefinition`:
71
+ *
72
+ * - `on` — the source table whose rows feed the rank.
73
+ * - `sortBy` — ordered keys driving the rank. Required.
74
+ * - `partitionBy` — columns that scope each rank context (e.g. `["channelId"]`
75
+ * to rank within a channel). Omitted ⇒ one global rank across the table.
76
+ * - `where` — static predicate baked into the index; only matching rows enter.
77
+ */
78
+ interface RankIndexDefinition {
79
+ name: string;
80
+ on: string;
81
+ partitionBy?: ReadonlyArray<string>;
82
+ sortBy: ReadonlyArray<RankSortKey>;
83
+ where?: Record<string, unknown>;
84
+ }
85
+ /** FK behavior when a referenced parent row is deleted (mirrors SQL `ON DELETE`). */
86
+ type OnDeleteAction = "cascade" | "restrict" | "set null";
87
+ /**
88
+ * A declared relation between two tables, recorded by `.relations((r) => …)`.
89
+ *
90
+ * - `one` (many-to-one): the FK column `field` lives on **this** table and
91
+ * points at `table`.`references` (default `_id`). Loads a single doc.
92
+ * - `many` (one-to-many): the FK column `field` lives on the **target** table
93
+ * and points back at this table's `references` (default `_id`). Loads an array.
94
+ *
95
+ * `onDelete` is meaningful only on `one`: it is the action applied to the
96
+ * holder rows when the referenced parent row is deleted.
97
+ */
98
+ interface RelationDefinition {
99
+ field: string;
100
+ kind: "many" | "one";
101
+ onDelete?: OnDeleteAction;
102
+ references: string;
103
+ table: string;
104
+ }
105
+ /** Distance metric used by a Vectorize index. */
106
+ type VectorMetric = "cosine" | "dot-product" | "euclidean";
107
+ /**
108
+ * Bring-your-own-embedder: a user-supplied fn turning a source string into a
109
+ * numeric vector. The runtime calls it at upsert/query time so the framework
110
+ * never couples to a single embedding provider.
111
+ */
112
+ type VectorEmbedder = (input: string) => Promise<ReadonlyArray<number>> | ReadonlyArray<number>;
113
+ /**
114
+ * Vector index declared inline on a table via `.vectorize(field, opts)`
115
+ * (DSL Shape A). The source is always a single column on the owning table.
116
+ */
117
+ interface TableVectorIndex {
118
+ dimensions: number;
119
+ embed: VectorEmbedder;
120
+ field: string;
121
+ metadata?: ReadonlyArray<string>;
122
+ metric: VectorMetric;
123
+ name: string;
124
+ }
125
+ interface TableDefinition<Shape extends Record<string, Validator> = Record<string, Validator>> {
126
+ /**
127
+ * Aggregate indexes declared via `.aggregateIndex(name, opts)`. The runtime
128
+ * maintains a counter row per `by` group via the trigger seam, so reads
129
+ * whose `where` keys all participate in the index's `by` set are answered
130
+ * without scanning the underlying table.
131
+ */
132
+ aggregateIndexes: ReadonlyArray<AggregateIndexDefinition>;
133
+ indexes: ReadonlyArray<IndexDefinition>;
134
+ /**
135
+ * `true` when `.externallyManaged()` was called — the table's rows are
136
+ * written outside Lunora's discoverable insert path (an adapter, a
137
+ * migration, or framework middleware), e.g. `@lunora/auth`'s better-auth
138
+ * tables or `@lunora/ratelimit`'s store. Advisor insert-path lints
139
+ * (`table_without_insert`) skip such tables instead of flagging the absent
140
+ * `ctx.db.insert(...)`.
141
+ */
142
+ isExternallyManaged?: boolean;
143
+ /**
144
+ * `true` when `.public()` was called — the table opts OUT of secure-by-default
145
+ * RLS. Under a schema marked `.rls("required")`, every table is protected (the
146
+ * DO/D1 write path denies raw, non-RLS `ctx.db` access) UNLESS it is `isPublic`.
147
+ * Has no effect when the schema does not require RLS.
148
+ */
149
+ isPublic?: boolean;
150
+ /**
151
+ * Rank indexes declared via `.rankIndex(name, opts)`. The runtime maintains
152
+ * a sorted companion table per declared rank with a btree on
153
+ * `(partition, sortBy)` so `rank(row)` returns the row's 1-based position
154
+ * within its partition in O(log n), and `rankPage()` walks the index for
155
+ * sorted pagination.
156
+ */
157
+ rankIndexes: ReadonlyArray<RankIndexDefinition>;
158
+ /**
159
+ * Declared relations keyed by accessor name; empty unless `.relations()`
160
+ * was called. Named `relationMap` (not `relations`) so the fluent
161
+ * `.relations((r) => …)` builder method doesn't collide with this field.
162
+ */
163
+ relationMap: Record<string, RelationDefinition>;
164
+ searchIndexes: ReadonlyArray<SearchIndexDefinition>;
165
+ shape: Shape;
166
+ shardMode: ShardMode;
167
+ /**
168
+ * Declared lifecycle triggers keyed by accessor name; empty unless
169
+ * `.triggers()` was called. Named `triggerMap` (not `triggers`) so the
170
+ * fluent `.triggers((t) => …)` builder method doesn't collide with this
171
+ * field — same reasoning as {@link TableDefinition.relationMap}.
172
+ */
173
+ triggerMap: Record<string, TriggerDefinition>;
174
+ vectorIndexes: ReadonlyArray<TableVectorIndex>;
175
+ }
176
+ /**
177
+ * Standalone vector index declared via `defineVectorIndex(...)` (DSL Shape B).
178
+ * Unlike {@link TableVectorIndex}, the source is a `select` function so it can
179
+ * derive the embedded text from any computation (e.g. `title + body`).
180
+ */
181
+ interface VectorIndexDefinition {
182
+ readonly dimensions: number;
183
+ readonly embed: VectorEmbedder;
184
+ readonly kind: "vectorIndex";
185
+ readonly metadata?: (row: Record<string, unknown>) => Record<string, unknown>;
186
+ readonly metric: VectorMetric;
187
+ readonly select: (row: Record<string, unknown>) => string;
188
+ readonly table: string;
189
+ }
190
+ interface Schema<T extends Record<string, TableDefinition> = Record<string, TableDefinition>> {
191
+ /**
192
+ * Secure-by-default RLS mode declared via `.rls("required")`. When
193
+ * `"required"`, every table is protected: the DO/D1 write path denies raw
194
+ * (non-RLS-wrapped) `ctx.db` access at runtime, so a procedure that forgets
195
+ * `.use(rls(...))` fails closed instead of silently exposing the table. A
196
+ * table opts out with `.public()` (→ {@link TableDefinition.isPublic}).
197
+ * Absent ⇒ legacy opt-in behavior (RLS only where a policy is applied).
198
+ */
199
+ readonly rlsMode?: "required";
200
+ readonly tables: T;
201
+ readonly vectorIndexes: Record<string, VectorIndexDefinition>;
202
+ }
203
+ type FunctionKind = "action" | "mutation" | "query" | "stream";
204
+ /**
205
+ * Call surface a function is exposed on. `public` functions are reachable from
206
+ * clients via the generated `api`; `internal` functions are reachable only
207
+ * server-to-server (`ctx.runQuery`/`runMutation`/`runAction`) and are rejected
208
+ * by the DO's external RPC path. Absence is treated as `public` for
209
+ * back-compat with functions registered before visibility existed.
210
+ */
211
+ type FunctionVisibility = "internal" | "public";
212
+ interface RegisteredFunction<A extends ArgsValidator, R, Kind extends FunctionKind> {
213
+ readonly args: A;
214
+ readonly handler: (context: unknown, args: InferArgs<A>) => Promise<R> | R;
215
+ readonly kind: Kind;
216
+ /**
217
+ * Set on connection-lifecycle hooks (`onConnect` / `onDisconnect`).
218
+ * Marks the function for the generated `LUNORA_LIFECYCLE_HOOKS` manifest so the
219
+ * DO dispatches it on socket connect/disconnect rather than via a client RPC.
220
+ * Absent on ordinary registrations.
221
+ */
222
+ readonly lifecycle?: LifecycleEventKind;
223
+ readonly visibility?: FunctionVisibility;
224
+ }
225
+ type RegisteredQuery<A extends ArgsValidator, R> = RegisteredFunction<A, R, "query">;
226
+ type RegisteredMutation<A extends ArgsValidator, R> = RegisteredFunction<A, R, "mutation">;
227
+ type RegisteredAction<A extends ArgsValidator, R> = RegisteredFunction<A, R, "action">;
228
+ /** Which side of the WebSocket lifecycle a hook fires on. */
229
+ type LifecycleEventKind = "connect" | "disconnect";
230
+ /**
231
+ * The event a connection-lifecycle hook receives as its second argument. It is
232
+ * the JSON-serializable payload the DO forwards on socket connect/disconnect;
233
+ * the verified caller identity is also reflected on `ctx.auth` (the hook runs
234
+ * under the connecting user via `resolveIdentity`).
235
+ */
236
+ interface LifecycleEvent {
237
+ /** Stable per-socket id, minted at upgrade and replayed verbatim on disconnect. */
238
+ readonly connectionId: string;
239
+ /** App-supplied connection context from the client `connect` envelope (e.g. `{ roomId, sessionId }`). */
240
+ readonly context?: Record<string, unknown>;
241
+ /** The shard this socket is bound to. */
242
+ readonly shardKey: string;
243
+ /** Verified user id resolved at upgrade, or `null` for an anonymous socket. */
244
+ readonly userId: string | null;
245
+ }
246
+ /**
247
+ * A registered connection-lifecycle hook — an internal mutation tagged with the
248
+ * lifecycle side it fires on. Produced by `onConnect` / `onDisconnect`.
249
+ */
250
+ type RegisteredLifecycleHook = RegisteredFunction<Record<string, never>, void, "mutation"> & {
251
+ readonly lifecycle: LifecycleEventKind;
252
+ };
253
+ /**
254
+ * A streaming query registration. Unlike {@link RegisteredFunction} the handler
255
+ * returns an `AsyncIterable&lt;R>` synchronously (it does NOT `Promise&lt;R>`); the
256
+ * runtime drives it frame by frame and forwards each chunk to the caller. The
257
+ * third `signal` argument is wired to the caller's cancel signal so the handler
258
+ * can stop early — break out of the loop or check `signal.aborted` between
259
+ * yields.
260
+ */
261
+ interface RegisteredStream<A extends ArgsValidator, R> {
262
+ readonly args: A;
263
+ readonly handler: (context: unknown, args: InferArgs<A>, signal: AbortSignal) => AsyncIterable<R>;
264
+ readonly kind: "stream";
265
+ readonly visibility?: FunctionVisibility;
266
+ }
267
+ /** The system tables `ctx.db.system` can read. */
268
+ type SystemTableName = "_scheduled_functions" | "_storage";
269
+ /**
270
+ * A pending scheduled invocation as surfaced by the `_scheduled_functions`
271
+ * system table. Mirrors {@link ScheduledJob} (the `ctx.scheduler` view); the
272
+ * separate name keeps the system-table read surface self-describing.
273
+ */
274
+ interface ScheduledFunctionDoc {
275
+ /** Function arguments the job will be dispatched with. */
276
+ args: Record<string, unknown>;
277
+ /** Number of dispatch attempts already made (absent until the first retry). */
278
+ attempts?: number;
279
+ /** When the job was enqueued (epoch ms). */
280
+ enqueuedAt: number;
281
+ /** Fully-qualified path of the function to invoke. */
282
+ functionPath: string;
283
+ /** The job's id (the `_scheduled_functions` row id). */
284
+ id: string;
285
+ /** When the job is scheduled to fire (epoch ms). */
286
+ scheduledFor: number;
287
+ /** Routing hint forwarded so dispatch lands on the right shard. */
288
+ shardKey?: string;
289
+ }
290
+ /** Maps each system table name to the document shape its reads return. */
291
+ interface SystemDocMap {
292
+ _scheduled_functions: ScheduledFunctionDoc;
293
+ _storage: StorageMetadata;
294
+ }
295
+ /** Document type for a given system table name. */
296
+ type SystemDoc<T extends SystemTableName> = SystemDocMap[T];
297
+ /** Terminal returned by {@link SystemDatabaseReader.query}; only `.collect()` is supported. */
298
+ interface SystemQuery<T extends SystemTableName> {
299
+ /** Resolve the full list of rows in the backing source. */
300
+ collect: () => Promise<SystemDoc<T>[]>;
301
+ }
302
+ /**
303
+ * Read-only reader over Lunora's system tables (`_scheduled_functions`,
304
+ * `_storage`), exposed as `ctx.db.system`. Mirrors Convex's `ctx.db.system`.
305
+ *
306
+ * **Best-effort and eventually consistent.** Unlike `ctx.db.&lt;table>` — which
307
+ * reads the shard's transactional SQLite snapshot — the data behind these tables
308
+ * lives OUTSIDE the shard (scheduled functions in the `SchedulerDO`, storage
309
+ * objects in R2). Every `collect()` / `get()` reaches across to that source.
310
+ *
311
+ * It is **not part of the mutation transaction snapshot** (no OCC guard, no
312
+ * subscription dependency recorded — reading it inside a mutation does not pin
313
+ * it), and results are **eventually consistent** with writes a mutation just
314
+ * made (e.g. a freshly scheduled job may not appear yet).
315
+ *
316
+ * Read-only by design: mutate scheduled jobs via `ctx.scheduler`, storage
317
+ * objects via `ctx.storage`.
318
+ */
319
+ interface SystemDatabaseReader {
320
+ /**
321
+ * Resolve a single system-table row by id, or `null` when absent.
322
+ * (`_scheduled_functions` → job id; `_storage` → object key.)
323
+ */
324
+ get: <T extends SystemTableName>(table: T, id: string) => Promise<SystemDoc<T> | null>;
325
+ /**
326
+ * Begin a read over a system table; call `.collect()` to resolve the full
327
+ * list. No filtering, indexing, or pagination — the backing source is remote
328
+ * and the surface stays deliberately minimal.
329
+ */
330
+ query: <T extends SystemTableName>(table: T) => SystemQuery<T>;
331
+ }
332
+ /**
333
+ * Read-only handle bound to a table. Used by `query`/`mutation`/`action`. The
334
+ * actual SQL implementation lives in `@lunora/do`; these are signatures only.
335
+ */
336
+ interface DatabaseReader {
337
+ get: <T extends string>(id: Id<T>) => Promise<Record<string, unknown> | null>;
338
+ /**
339
+ * Validate an untrusted `id` string against the structural shape of an id
340
+ * for `tableName`, returning the branded {@link Id} when it is well-formed
341
+ * and `null` otherwise. Pure structural validation — it never reads the
342
+ * database, so a structurally valid id for a row that doesn't exist still
343
+ * returns the branded id (mirrors Convex's `db.normalizeId`).
344
+ */
345
+ normalizeId: <T extends string>(tableName: T, id: string) => Id<T> | null;
346
+ query: (tableName: string) => TableReader;
347
+ /**
348
+ * Best-effort, read-only reader over Lunora's system tables
349
+ * (`_scheduled_functions`, `_storage`). Eventually consistent and **not**
350
+ * part of the transaction snapshot — see {@link SystemDatabaseReader}.
351
+ */
352
+ readonly system: SystemDatabaseReader;
353
+ }
354
+ /** Options for {@link TableReader.paginate} — Convex-compatible page request. */
355
+ interface PaginationOptions {
356
+ /** Opaque cursor from the prior page's `continueCursor`; `null`/omitted starts at the first page. */
357
+ cursor?: null | string;
358
+ /**
359
+ * Optional inclusive upper bound for reactive pagination. When supplied the
360
+ * page covers the fixed half-open range `(cursor, endCursor]` (ignoring
361
+ * `numItems`): every row strictly after `cursor` up to and including the
362
+ * boundary row `endCursor` encodes. The page's `isDone` is `true` and its
363
+ * `continueCursor` echoes `endCursor`, so the next page keeps starting where
364
+ * this one ends even as rows are inserted/deleted inside the range. Omit (or
365
+ * pass `null`) for the legacy "first `numItems` after `cursor`" behaviour.
366
+ */
367
+ endCursor?: null | string;
368
+ /** Maximum rows to return for this page. */
369
+ numItems: number;
370
+ }
371
+ /** One page of a keyset-paginated query. */
372
+ interface PaginationResult<T = Record<string, unknown>> {
373
+ /** Cursor to pass back for the next page, or `null` once `isDone`. */
374
+ continueCursor: null | string;
375
+ /** `true` when this page is the last one. */
376
+ isDone: boolean;
377
+ page: T[];
378
+ /**
379
+ * Reactive-pagination only: the midpoint cursor of a bounded
380
+ * `(cursor, endCursor]` page, used by the client to split an over-grown page
381
+ * into two adjacent ranges. Absent on legacy (open-ended) pages.
382
+ */
383
+ splitCursor?: null | string;
384
+ }
385
+ /**
386
+ * The fluent `ctx.db.query(table)` reader. Generic over the document type
387
+ * `Row` so the generated `ctx.db` can bind it to `Doc&lt;table>` (the chain and
388
+ * every terminal then resolve typed rows — no `as unknown as Doc&lt;...>` casts).
389
+ * Defaults to the untyped `Record&lt;string, unknown>` shape for the base
390
+ * (schema-agnostic) `@lunora/server` reader.
391
+ */
392
+ interface TableReader<Row = Record<string, unknown>> {
393
+ collect: () => Promise<Row[]>;
394
+ filter: (predicate: (document: Row) => boolean) => TableReader<Row>;
395
+ first: () => Promise<Row | null>;
396
+ /**
397
+ * Set the result order. Orders by the active `.withIndex()` (or by
398
+ * `_creationTime` when none is staged), `"asc"` by default; `"desc"`
399
+ * reverses it. Composes with `.withIndex()`, `.filter()`, and every
400
+ * terminal (`collect`/`first`/`take`/`paginate`/`unique`). Mirrors Convex's
401
+ * `.order("asc" | "desc")`.
402
+ */
403
+ order: (direction: "asc" | "desc") => TableReader<Row>;
404
+ paginate: (options: PaginationOptions) => Promise<PaginationResult<Row>>;
405
+ take: (limit: number) => Promise<Row[]>;
406
+ /**
407
+ * Return the single matching document. Returns `null` when nothing matches
408
+ * and throws when more than one row matches. Mirrors Convex's `.unique()`.
409
+ */
410
+ unique: () => Promise<Row | null>;
411
+ withIndex: (indexName: string, range?: (q: IndexRangeBuilder) => IndexRangeBuilder) => TableReader<Row>;
412
+ /**
413
+ * Restrict the query to a declared `.searchIndex()`. The builder's
414
+ * `.search(field, query)` runs a full-text match against the index's
415
+ * searchable field; `.eq(field, value)` narrows by a declared filter
416
+ * field. Results come back ordered by relevance — pair with `.take(n)`
417
+ * (`.paginate()` is not supported on a search query).
418
+ */
419
+ withSearchIndex: (indexName: string, search: (q: SearchFilterBuilder) => SearchFilterBuilder) => TableReader<Row>;
420
+ }
421
+ interface IndexRangeBuilder {
422
+ eq: (field: string, value: unknown) => IndexRangeBuilder;
423
+ gt: (field: string, value: unknown) => IndexRangeBuilder;
424
+ gte: (field: string, value: unknown) => IndexRangeBuilder;
425
+ lt: (field: string, value: unknown) => IndexRangeBuilder;
426
+ lte: (field: string, value: unknown) => IndexRangeBuilder;
427
+ }
428
+ /** Builder passed to {@link TableReader.withSearchIndex}; mirrors Convex's search query. */
429
+ interface SearchFilterBuilder {
430
+ /** Narrow by a declared filter field (exact match). */
431
+ eq: (field: string, value: unknown) => SearchFilterBuilder;
432
+ /** Full-text match `query` against the index's searchable `field`. Call exactly once. */
433
+ search: (field: string, query: string) => SearchFilterBuilder;
434
+ }
435
+ /**
436
+ * Options shared by the batch-write methods (`insertMany`/`deleteMany`/
437
+ * `patchMany`) — a per-call payload cap. The default cap (500) rejects an
438
+ * oversized call up front so an accidental O(n²) or a payload past the Durable
439
+ * Object request limit fails loudly instead of degrading the mutation. Callers
440
+ * with larger sets should chunk their own loop or raise `limit`.
441
+ */
442
+ interface BatchWriteOptions {
443
+ /** Reject the call when the batch size exceeds this value (default 500). */
444
+ limit?: number;
445
+ }
446
+ interface DatabaseWriter extends DatabaseReader {
447
+ delete: <T extends string>(id: Id<T>) => Promise<void>;
448
+ /**
449
+ * Delete many rows by id in one call. Each id is deleted through the full
450
+ * single-row pipeline (triggers + per-row RLS). The returned `deleted` is the
451
+ * number of ids **requested**, not the rows actually removed — an unknown or
452
+ * duplicated id is a silent no-op.
453
+ *
454
+ * **Atomic within a mutation:** the DO wraps a mutation's dispatch in a
455
+ * BEGIN/COMMIT span, so a mid-batch failure (a later RLS denial or handler
456
+ * error) rolls back the whole mutation. (In an action there is no transaction
457
+ * span, so the prior deletes persist; the in-memory test harness mirrors the span.)
458
+ */
459
+ deleteMany: <T extends string>(ids: ReadonlyArray<Id<T>>, options?: BatchWriteOptions) => Promise<{
460
+ deleted: number;
461
+ }>;
462
+ /**
463
+ * Insert a document, returning its server id.
464
+ *
465
+ * Pass `options.clientId` (a UUID) to key the row yourself — for an
466
+ * optimistic client that needs the persisted row to match the key it
467
+ * already rendered. It's validated for shape and still subject to the
468
+ * primary-key uniqueness constraint; omit it and the server mints the id.
469
+ */
470
+ insert: <T extends string>(tableName: T, document: Record<string, unknown>, options?: {
471
+ clientId?: string;
472
+ }) => Promise<Id<T>>;
473
+ /**
474
+ * Insert many documents into one table in a single call, returning the
475
+ * minted ids in input order. Equivalent to a per-row `insert()` loop — each
476
+ * row gets defaults, validators, triggers, and a per-row RLS check — but the
477
+ * caller pays one round-trip instead of N.
478
+ *
479
+ * **Atomic within a mutation:** the DO wraps a mutation's dispatch in a
480
+ * BEGIN/COMMIT span, so a mid-batch failure (an invalid or RLS-denied row)
481
+ * rolls back the whole mutation. (In an action there is no transaction span,
482
+ * so the prior inserts persist; the in-memory test harness mirrors the span.)
483
+ */
484
+ insertMany: <T extends string>(tableName: T, documents: ReadonlyArray<Record<string, unknown>>, options?: BatchWriteOptions) => Promise<Id<T>[]>;
485
+ /**
486
+ * **Trusted** bulk insert: one multi-row `INSERT` that **skips per-row
487
+ * `.check()` validators and before/after triggers** for throughput on data you
488
+ * control (seed, migration, admin import). Defaults, ids, and every companion
489
+ * (search/aggregate/rank/CDC + live subscriptions) are still applied, so reads
490
+ * stay correct.
491
+ *
492
+ * It is **"unsafe" only in that it bypasses the validation/trigger pipeline** —
493
+ * RLS is **not** bypassed: secure-by-default and the table's insert policy still
494
+ * apply (the framework ships no RLS-bypassing writer). Pass `allowExplicitId` to
495
+ * preserve a supplied `_id` (import). Use only for data you trust; prefer
496
+ * `insertMany` for anything user-supplied.
497
+ */
498
+ insertManyUnsafe: <T extends string>(tableName: T, documents: ReadonlyArray<Record<string, unknown>>, options?: BatchWriteOptions & {
499
+ allowExplicitId?: boolean;
500
+ }) => Promise<Id<T>[]>;
501
+ patch: <T extends string>(id: Id<T>, patch: Record<string, unknown>) => Promise<void>;
502
+ /**
503
+ * Patch many rows by id in one call. Each `{ id, patch }` is applied like a
504
+ * single `patch()` (per-row triggers + RLS).
505
+ *
506
+ * **Atomic within a mutation:** the DO wraps a mutation's dispatch in a
507
+ * BEGIN/COMMIT span, so a mid-batch failure rolls back the whole mutation.
508
+ * (In an action there is no transaction span, so the prior patches persist;
509
+ * the in-memory test harness mirrors the span.)
510
+ */
511
+ patchMany: <T extends string>(patches: ReadonlyArray<{
512
+ id: Id<T>;
513
+ patch: Record<string, unknown>;
514
+ }>, options?: BatchWriteOptions) => Promise<void>;
515
+ replace: <T extends string>(id: Id<T>, document: Record<string, unknown>) => Promise<void>;
516
+ }
517
+ /** Authenticated identity surfaced into every context. */
518
+ interface AuthState {
519
+ getIdentity: () => Promise<Record<string, unknown> | null>;
520
+ readonly userId: string | null;
521
+ }
522
+ /**
523
+ * A pending scheduled invocation as surfaced by {@link Scheduler.list} /
524
+ * {@link Scheduler.get}. A clean public mirror of `@lunora/scheduler`'s internal
525
+ * `ScheduleRecord` — re-declared here so the public ctx surface carries no
526
+ * dependency on the scheduler package's internal types.
527
+ */
528
+ interface ScheduledJob {
529
+ args: Record<string, unknown>;
530
+ /** Number of dispatch attempts already made (absent until the first retry). */
531
+ attempts?: number;
532
+ /** When the job was enqueued (epoch ms). */
533
+ enqueuedAt: number;
534
+ functionPath: string;
535
+ id: string;
536
+ /** When the job is scheduled to fire (epoch ms). */
537
+ scheduledFor: number;
538
+ /** Routing hint forwarded so dispatch lands on the right shard. */
539
+ shardKey?: string;
540
+ }
541
+ interface Scheduler {
542
+ /** Cancel a pending job by id. `cancelled` is `false` when no such job exists. */
543
+ cancel: (id: string) => Promise<{
544
+ cancelled: boolean;
545
+ }>;
546
+ /** Resolve a single pending job by id, or `null` when absent. */
547
+ get: (id: string) => Promise<ScheduledJob | null>;
548
+ /** List all pending scheduled jobs. */
549
+ list: () => Promise<ScheduledJob[]>;
550
+ runAfter: (delayMs: number, functionPath: string, args?: Record<string, unknown>) => Promise<string>;
551
+ runAt: (timestampMs: number, functionPath: string, args?: Record<string, unknown>) => Promise<string>;
552
+ }
553
+ /**
554
+ * A workflow instance's lifecycle status. Clean public mirror of
555
+ * `@lunora/workflow`'s `WorkflowInstanceStatus` (itself a mirror of Cloudflare's
556
+ * `WorkflowInstanceStatus`) — re-declared here so the ctx surface carries no
557
+ * dependency on the workflow package, exactly as {@link Scheduler} avoids a
558
+ * dependency on `@lunora/scheduler`.
559
+ */
560
+ type WorkflowInstanceStatus = "complete" | "errored" | "paused" | "queued" | "running" | "terminated" | "unknown" | "waiting" | "waitingForPause";
561
+ /** Result of {@link WorkflowInstance.status}. Mirrors `@lunora/workflow`'s `WorkflowStatusResult`. */
562
+ interface WorkflowStatusResult {
563
+ error?: {
564
+ message: string;
565
+ name: string;
566
+ };
567
+ output?: unknown;
568
+ status: WorkflowInstanceStatus;
569
+ }
570
+ /** Options accepted by {@link WorkflowHandle.create}. Mirrors `@lunora/workflow`'s `WorkflowCreateOptions`. */
571
+ interface WorkflowCreateOptions<Params = Record<string, unknown>> {
572
+ /** Unique-within-the-workflow instance id. Generated by Cloudflare when omitted. */
573
+ id?: string;
574
+ /** The event payload the instance is triggered with — surfaced as `event.payload`. */
575
+ params?: Params;
576
+ /** Instance retention policy (defaults to the account maximum). */
577
+ retention?: {
578
+ errorRetention?: string;
579
+ successRetention?: string;
580
+ };
581
+ }
582
+ /** A live handle to a single workflow instance. Mirrors `@lunora/workflow`'s `WorkflowInstanceLike`. */
583
+ interface WorkflowInstance {
584
+ readonly id: string;
585
+ pause: () => Promise<void>;
586
+ restart: () => Promise<void>;
587
+ resume: () => Promise<void>;
588
+ sendEvent: (event: {
589
+ payload: unknown;
590
+ type: string;
591
+ }) => Promise<void>;
592
+ status: () => Promise<WorkflowStatusResult>;
593
+ terminate: () => Promise<void>;
594
+ }
595
+ /**
596
+ * A typed handle to one declared workflow, addressable from `ctx.workflows`.
597
+ * Mirrors `@lunora/workflow`'s `WorkflowHandle`.
598
+ */
599
+ interface WorkflowHandle<Params = Record<string, unknown>> {
600
+ /** Start a new instance (optionally with an id + params). */
601
+ create: (options?: WorkflowCreateOptions<Params>) => Promise<WorkflowInstance>;
602
+ /** Start many instances in one batched RPC. */
603
+ createBatch: (batch: ReadonlyArray<WorkflowCreateOptions<Params>>) => Promise<WorkflowInstance[]>;
604
+ /** Get a handle to an existing instance by id. */
605
+ get: (id: string) => Promise<WorkflowInstance>;
606
+ }
607
+ /**
608
+ * The `ctx.workflows` surface on {@link MutationCtx} / {@link ActionCtx}. Each
609
+ * workflow declared in `lunora/workflows.ts` is reachable by its export name;
610
+ * codegen narrows the `get(name)` overloads to the known workflow names + their
611
+ * inferred param types. Mirrors `@lunora/workflow`'s `Workflows`.
612
+ */
613
+ interface Workflows {
614
+ /** Resolve the handle for a declared workflow by export name. */
615
+ get: <Params = Record<string, unknown>>(name: string) => WorkflowHandle<Params>;
616
+ }
617
+ /** Lifecycle phase relative to the SQL write. */
618
+ type TriggerTiming = "after" | "before";
619
+ /** The CRUD operation a trigger reacts to. `patch` and `replace` both map to `update`. */
620
+ type TriggerOp = "delete" | "insert" | "update";
621
+ /**
622
+ * A row as observed by a trigger handler: the table's `Shape` (with the same
623
+ * optionality rules as {@link InferArgs}) plus the system columns every stored
624
+ * doc carries.
625
+ */
626
+ type TriggerRow<Shape extends Record<string, Validator>> = { [K in keyof Shape as undefined extends Infer<Shape[K]> ? K : never]?: Infer<Shape[K]> } & { [K in keyof Shape as undefined extends Infer<Shape[K]> ? never : K]: Infer<Shape[K]> } & {
627
+ readonly _creationTime: number;
628
+ readonly _id: string;
629
+ };
630
+ /** What an `insert` trigger observes: the freshly written row. */
631
+ interface TriggerInsertEvent<Shape extends Record<string, Validator> = Record<string, Validator>> {
632
+ readonly doc: TriggerRow<Shape>;
633
+ readonly id: string;
634
+ readonly op: "insert";
635
+ readonly table: string;
636
+ }
637
+ /**
638
+ * What an `update` trigger observes: the merged row plus the pre-write row.
639
+ * `previous` is typed as always present (the row must exist to be updated); the
640
+ * runtime supplies it best-effort and only omits it in the unreachable
641
+ * row-vanished-mid-write case.
642
+ */
643
+ interface TriggerUpdateEvent<Shape extends Record<string, Validator> = Record<string, Validator>> {
644
+ readonly doc: TriggerRow<Shape>;
645
+ readonly id: string;
646
+ readonly op: "update";
647
+ readonly previous: TriggerRow<Shape>;
648
+ readonly table: string;
649
+ }
650
+ /**
651
+ * What a `delete` trigger observes: the row about to be (or just) removed.
652
+ * `previous` is typed as always present; the runtime supplies it best-effort
653
+ * and only omits it in the unreachable row-vanished-mid-write case.
654
+ */
655
+ interface TriggerDeleteEvent<Shape extends Record<string, Validator> = Record<string, Validator>> {
656
+ readonly id: string;
657
+ readonly op: "delete";
658
+ readonly previous: TriggerRow<Shape>;
659
+ readonly table: string;
660
+ }
661
+ /** Union of every trigger event, with the table `Shape` erased (as stored in `triggerMap`). */
662
+ type TriggerEvent = TriggerDeleteEvent | TriggerInsertEvent | TriggerUpdateEvent;
663
+ /** Page returned by {@link TriggerDatabase.findMany}; mirrors `@lunora/do`'s `QueryPage`. */
664
+ interface TriggerQueryPage {
665
+ continueCursor: null | string;
666
+ isDone: boolean;
667
+ page: Record<string, unknown>[];
668
+ }
669
+ /** Args accepted by {@link TriggerDatabase} reads; mirrors `@lunora/do`'s `QueryArgs`. */
670
+ interface TriggerQueryArgs {
671
+ cursor?: null | string;
672
+ limit?: number;
673
+ orderBy?: ReadonlyArray<unknown>;
674
+ where?: Record<string, unknown>;
675
+ with?: Record<string, unknown>;
676
+ }
677
+ /**
678
+ * Args accepted by {@link TriggerDatabase.aggregate} — structural mirror of
679
+ * `@lunora/do`'s `AggregateOptions`, kept local so trigger handlers in
680
+ * `@lunora/server` don't take a hard dep on the DO runtime.
681
+ */
682
+ interface TriggerAggregateOptions {
683
+ baseWhere?: Record<string, unknown>;
684
+ field?: string;
685
+ op: AggregateOp;
686
+ restrictsCounts?: boolean;
687
+ where?: Record<string, unknown>;
688
+ }
689
+ /** Args accepted by {@link TriggerDatabase.groupBy}. */
690
+ interface TriggerGroupByOptions {
691
+ agg?: {
692
+ field?: string;
693
+ op: AggregateOp;
694
+ };
695
+ baseWhere?: Record<string, unknown>;
696
+ by: ReadonlyArray<string>;
697
+ restrictsCounts?: boolean;
698
+ where?: Record<string, unknown>;
699
+ }
700
+ /** One entry returned by {@link TriggerDatabase.groupBy}. */
701
+ interface TriggerGroupByEntry {
702
+ key: Record<string, unknown>;
703
+ value: null | number;
704
+ }
705
+ /** Args accepted by {@link TriggerDatabase.rank}. */
706
+ interface TriggerRankOptions {
707
+ baseWhere?: Record<string, unknown>;
708
+ restrictsCounts?: boolean;
709
+ /** Either the row id or the full row document. */
710
+ row: Record<string, unknown> | string;
711
+ where?: Record<string, unknown>;
712
+ }
713
+ /** Result of {@link TriggerDatabase.rank} — 1-based position + partition total. */
714
+ interface TriggerRankResult {
715
+ position: number;
716
+ total: number;
717
+ }
718
+ /** Args accepted by {@link TriggerDatabase.rankPage}. */
719
+ interface TriggerRankPageOptions {
720
+ baseWhere?: Record<string, unknown>;
721
+ cursor?: null | string;
722
+ take?: number;
723
+ where?: Record<string, unknown>;
724
+ }
725
+ /**
726
+ * Portable, table/id-addressed ORM writer handed to trigger handlers via
727
+ * `ctx.db`. Mirrors `@lunora/do`'s runtime `DatabaseWriterLike` surface — it is
728
+ * **not** the generated per-table `ctx.db.&lt;table>` facade (which can't be typed
729
+ * from inside `defineTable`, where the full schema isn't known).
730
+ *
731
+ * `aggregate`/`groupBy`/`count`/`rank`/`rankPage` route through the same
732
+ * trigger-maintained counter and rank tables the user-facing reader uses, so
733
+ * a handler's `ctx.db.&lt;table>.aggregate(...)` observes the just-staged write
734
+ * within the same DO transaction (the counter step happens before the trigger
735
+ * fires).
736
+ */
737
+ interface TriggerDatabase {
738
+ aggregate: (tableName: string, options: TriggerAggregateOptions) => Promise<null | number>;
739
+ count: (tableName: string, where?: Record<string, unknown>) => Promise<number>;
740
+ delete: (id: string) => Promise<void>;
741
+ findFirst: (tableName: string, args?: TriggerQueryArgs) => Promise<Record<string, unknown> | null>;
742
+ findMany: (tableName: string, args?: TriggerQueryArgs) => Promise<TriggerQueryPage>;
743
+ get: (id: string) => Promise<Record<string, unknown> | null>;
744
+ groupBy: (tableName: string, options: TriggerGroupByOptions) => Promise<ReadonlyArray<TriggerGroupByEntry>>;
745
+ insert: (tableName: string, document: Record<string, unknown>) => Promise<string>;
746
+ patch: (id: string, patch: Record<string, unknown>) => Promise<void>;
747
+ rank: (tableName: string, indexName: string, options: TriggerRankOptions) => Promise<null | TriggerRankResult>;
748
+ rankPage: (tableName: string, indexName: string, options?: TriggerRankPageOptions) => Promise<TriggerQueryPage>;
749
+ replace: (id: string, document: Record<string, unknown>) => Promise<void>;
750
+ }
751
+ /**
752
+ * Handle injected into every trigger handler. `db` is the portable ORM writer;
753
+ * `scheduler` enqueues async / cross-shard follow-up work (cross-shard work is
754
+ * **not** transactional with the firing write).
755
+ */
756
+ interface TriggerCtx {
757
+ readonly db: TriggerDatabase;
758
+ readonly scheduler: Scheduler;
759
+ }
760
+ /** A user-declared trigger handler. Throwing from a `before*` handler aborts the write. */
761
+ type TriggerHandler<Event> = (context: TriggerCtx, event: Event) => Promise<void> | void;
762
+ /**
763
+ * A single declared trigger, as stored in {@link TableDefinition.triggerMap}.
764
+ * The handler's event type is erased to the {@link TriggerEvent} union here; the
765
+ * per-op {@link TriggerBuilder} methods recover the precise event type for
766
+ * authors.
767
+ */
768
+ interface TriggerDefinition {
769
+ readonly handler: TriggerHandler<TriggerEvent>;
770
+ readonly op: TriggerOp;
771
+ readonly timing: TriggerTiming;
772
+ }
773
+ /**
774
+ * The `t` argument passed to `.triggers((t) => …)`. Each method binds a handler
775
+ * to one `timing`+`op` pair, typing the event against the table's `Shape`.
776
+ */
777
+ interface TriggerBuilder<Shape extends Record<string, Validator> = Record<string, Validator>> {
778
+ afterDelete: (handler: TriggerHandler<TriggerDeleteEvent<Shape>>) => TriggerDefinition;
779
+ afterInsert: (handler: TriggerHandler<TriggerInsertEvent<Shape>>) => TriggerDefinition;
780
+ afterUpdate: (handler: TriggerHandler<TriggerUpdateEvent<Shape>>) => TriggerDefinition;
781
+ beforeDelete: (handler: TriggerHandler<TriggerDeleteEvent<Shape>>) => TriggerDefinition;
782
+ beforeInsert: (handler: TriggerHandler<TriggerInsertEvent<Shape>>) => TriggerDefinition;
783
+ beforeUpdate: (handler: TriggerHandler<TriggerUpdateEvent<Shape>>) => TriggerDefinition;
784
+ }
785
+ /**
786
+ * Per-file metadata returned by {@link ReadOnlyStorage.getMetadata}. A clean
787
+ * public mirror of `@lunora/storage`'s `ObjectMetadata` — re-declared here so
788
+ * the ctx surface carries no dependency on the storage package's types. Matches
789
+ * the columns Convex surfaces for `ctx.storage.getMetadata` / `_storage`.
790
+ */
791
+ interface StorageMetadata {
792
+ /** The object's `Content-Type`, when recorded. */
793
+ contentType?: string;
794
+ /** Custom metadata set at upload time, if any. */
795
+ customMetadata?: Record<string, string>;
796
+ /** The object's key. */
797
+ key: string;
798
+ /** Hex-encoded SHA-256 of the body, when R2 carries a checksum. */
799
+ sha256?: string;
800
+ /** Body length in bytes. */
801
+ size: number;
802
+ /** When the object was last written (epoch ms), when reported. */
803
+ uploaded?: number;
804
+ }
805
+ /**
806
+ * Read-only projection of `Storage` exposed on `QueryCtx` / `MutationCtx`.
807
+ *
808
+ * Queries are pure reads, and mutations run inside a transactional scope —
809
+ * neither is allowed to perform side-effectful R2 writes (`upload`) or
810
+ * deletes (`delete`). They can, however, **read** existing objects and
811
+ * resolve signed URLs (the URL signing itself is HMAC-only — no R2 round
812
+ * trip), so the read-only surface keeps `download` and `getSignedUrl`. The
813
+ * full {@link Storage} surface stays on `ActionCtx`.
814
+ */
815
+ interface ReadOnlyStorage<Buckets extends string = string> {
816
+ /**
817
+ * Select a named bucket (declared via `v.storage("name")`). The returned
818
+ * accessor's operations target that bucket — `ctx.storage.bucket("avatars")
819
+ * .download(key)`. The bare `ctx.storage` targets the default bucket.
820
+ */
821
+ bucket: (name: Buckets) => ReadOnlyStorage<Buckets>;
822
+ /** The bucket this accessor's operations target (the default for the bare `ctx.storage`). */
823
+ readonly bucketName: string;
824
+ /** Fetch the body of an existing object. Returns `null` when absent. */
825
+ download: (key: string) => Promise<ReadableStream | null>;
826
+ /**
827
+ * Read a file's metadata (size, content-type, sha256, upload time, custom
828
+ * metadata) without fetching its body. Returns `null` when the object is
829
+ * absent. Mirrors Convex's `ctx.storage.getMetadata`.
830
+ */
831
+ getMetadata: (key: string) => Promise<StorageMetadata | null>;
832
+ /** Resolve a short-lived signed URL for an existing object. */
833
+ getSignedUrl: (key: string, options?: {
834
+ expiresInSeconds?: number;
835
+ }) => Promise<string>;
836
+ /** Public URL pointing at the configured base for `key`. */
837
+ getUrl: (key: string) => string;
838
+ }
839
+ interface Storage<Buckets extends string = string> extends ReadOnlyStorage<Buckets> {
840
+ /** Select a named bucket; the returned accessor exposes the full read/write surface. */
841
+ bucket: (name: Buckets) => Storage<Buckets>;
842
+ delete: (key: string) => Promise<void>;
843
+ /**
844
+ * Mint a short-lived signed `PUT` URL a client can upload directly to,
845
+ * optionally pinning the `Content-Type` the uploader must send. Mirrors
846
+ * Convex's `storage.generateUploadUrl`.
847
+ */
848
+ generateUploadUrl: (key: string, options?: {
849
+ contentType?: string;
850
+ expiresInSeconds?: number;
851
+ }) => Promise<string>;
852
+ /**
853
+ * Upload `body` to `key` from the server, returning the stored object's key
854
+ * and etag. Mirrors Convex's `storage.store`. Accepts the same guard fields
855
+ * as `@lunora/storage`'s `UploadOptions` so `maxSize` /
856
+ * `allowedContentTypes` enforcement isn't lost behind the Convex-style alias.
857
+ */
858
+ store: (key: string, body: ReadableStream | ArrayBuffer | Blob, options?: {
859
+ allowedContentTypes?: ReadonlyArray<string>;
860
+ contentType?: string;
861
+ customMetadata?: Record<string, string>;
862
+ maxSize?: number;
863
+ }) => Promise<{
864
+ etag: string;
865
+ key: string;
866
+ }>;
867
+ }
868
+ interface VectorMatch {
869
+ id: string;
870
+ metadata?: Record<string, unknown>;
871
+ score: number;
872
+ }
873
+ interface VectorMatches {
874
+ count: number;
875
+ matches: ReadonlyArray<VectorMatch>;
876
+ }
877
+ interface VectorQueryInput {
878
+ /** Embedder used when `input` is supplied instead of a precomputed `vector`. */
879
+ embed?: VectorEmbedder;
880
+ filter?: Record<string, unknown>;
881
+ /** Natural-language input embedded via `embed`. Ignored when `vector` is set. */
882
+ input?: string;
883
+ namespace?: string;
884
+ topK?: number;
885
+ /** Precomputed query vector; skips `embed`. */
886
+ vector?: ReadonlyArray<number>;
887
+ }
888
+ interface VectorUpsertInput {
889
+ embed: VectorEmbedder;
890
+ id: string;
891
+ input: string;
892
+ metadata?: Record<string, unknown>;
893
+ namespace?: string;
894
+ }
895
+ interface VectorRecord {
896
+ id: string;
897
+ metadata?: Record<string, unknown>;
898
+ values: ReadonlyArray<number>;
899
+ }
900
+ /**
901
+ * Read-only vector surface exposed on {@link QueryCtx}. Mirrors the read half
902
+ * of `@lunora/vectors`' `LunoraVectors` so the live adapter is assignable.
903
+ */
904
+ interface VectorSearchReader {
905
+ getByIds: (indexName: string, ids: ReadonlyArray<string>) => Promise<ReadonlyArray<VectorRecord>>;
906
+ query: (indexName: string, input: VectorQueryInput) => Promise<VectorMatches>;
907
+ }
908
+ /**
909
+ * Mutating vector surface on {@link MutationCtx} / {@link ActionCtx}. `upsert`
910
+ * is queued post-commit by default; `upsertNow` forces a synchronous write.
911
+ * `db.delete` on a vectorized table auto-propagates the matching `deleteByIds`.
912
+ */
913
+ interface VectorSearch extends VectorSearchReader {
914
+ deleteByIds: (indexName: string, ids: ReadonlyArray<string>) => Promise<void>;
915
+ upsert: (indexName: string, input: VectorUpsertInput) => Promise<void>;
916
+ upsertNow: (indexName: string, input: VectorUpsertInput) => Promise<void>;
917
+ }
918
+ /**
919
+ * Structured logger on every function `ctx`. Each call emits one attributed log
920
+ * line — tagged with the function path on the server — that flows to an
921
+ * `ObservabilitySink`'s `onLog` (where you route it in production) and, in
922
+ * development, to the dev server terminal via the CLI / Vite plugin formatter.
923
+ * Mirrors the `console` method names so it's a drop-in for `console.log` inside a
924
+ * handler, but with attribution and a routable transport.
925
+ *
926
+ * Accepts any number of values per call, exactly like `console`; objects are
927
+ * rendered into the human-readable message. The raw, un-rendered arguments are
928
+ * preserved ONLY on the in-process `onLog` sink (which you opt into and control);
929
+ * the rendered message — not the structured args — is what reaches the dev
930
+ * terminal and the platform's Workers Logs.
931
+ *
932
+ * Attribution follows the dispatched function: a log emitted inside an internal
933
+ * function invoked via `ctx.runQuery`/`runMutation`/`runAction` is attributed to
934
+ * the outer request entrypoint, since the composed call reuses its context.
935
+ */
936
+ interface LunoraLogger {
937
+ readonly debug: (...args: unknown[]) => void;
938
+ readonly error: (...args: unknown[]) => void;
939
+ readonly info: (...args: unknown[]) => void;
940
+ readonly log: (...args: unknown[]) => void;
941
+ readonly warn: (...args: unknown[]) => void;
942
+ }
943
+ interface QueryCtx {
944
+ readonly auth: AuthState;
945
+ readonly db: DatabaseReader;
946
+ /**
947
+ * The caller's IP for this request — Cloudflare's trusted `CF-Connecting-IP`,
948
+ * forwarded server-side (never read from a client header). `undefined` when
949
+ * unknown: a live-subscription re-run, a server-initiated dispatch, or
950
+ * non-Cloudflare hosting. A convenient rate-limit key for anonymous traffic.
951
+ */
952
+ readonly ip?: string;
953
+ /** Structured, function-attributed logger; see {@link LunoraLogger}. */
954
+ readonly log: LunoraLogger;
955
+ /**
956
+ * Compose a read-only subquery in-process, reusing this query's read
957
+ * context (same transaction, same `db`). Executes the referenced query's
958
+ * handler directly — no fresh DO RPC round-trip — so it observes the exact
959
+ * same snapshot. A query may only call other queries; there is no
960
+ * `runMutation` on a `QueryCtx` (writes are not allowed from a query).
961
+ * Mirrors Convex's `ctx.runQuery`.
962
+ */
963
+ readonly runQuery: <A extends ArgsValidator, R>(reference: RegisteredQuery<A, R>, args: InferArgs<A>) => Promise<R>;
964
+ readonly storage: ReadOnlyStorage;
965
+ readonly vectors: VectorSearchReader;
966
+ }
967
+ interface MutationCtx {
968
+ readonly auth: AuthState;
969
+ readonly db: DatabaseWriter;
970
+ /**
971
+ * The caller's IP for this request — Cloudflare's trusted `CF-Connecting-IP`,
972
+ * forwarded server-side (never read from a client header). `undefined` when
973
+ * unknown: a live-subscription re-run, a server-initiated dispatch, or
974
+ * non-Cloudflare hosting. A convenient rate-limit key for anonymous traffic.
975
+ */
976
+ readonly ip?: string;
977
+ /** Structured, function-attributed logger; see {@link LunoraLogger}. */
978
+ readonly log: LunoraLogger;
979
+ /**
980
+ * Compose a submutation in-process, reusing this mutation's `db` writer.
981
+ * Executes the referenced mutation's handler directly — no fresh DO RPC —
982
+ * so its writes apply through the same shard invocation as the enclosing
983
+ * mutation. Note: writes are not wrapped in a SQL transaction, so a partial
984
+ * failure does not roll back earlier writes (the same as a top-level
985
+ * mutation). Mirrors Convex's `ctx.runMutation`.
986
+ */
987
+ readonly runMutation: <A extends ArgsValidator, R>(reference: RegisteredMutation<A, R>, args: InferArgs<A>) => Promise<R>;
988
+ /**
989
+ * Compose a read-only subquery in-process, reusing this mutation's `db`.
990
+ * Executes the referenced query's handler directly — no fresh DO RPC — so
991
+ * it observes this mutation's in-flight writes. Mirrors Convex's
992
+ * `ctx.runQuery`.
993
+ */
994
+ readonly runQuery: <A extends ArgsValidator, R>(reference: RegisteredQuery<A, R>, args: InferArgs<A>) => Promise<R>;
995
+ readonly scheduler: Scheduler;
996
+ readonly storage: ReadOnlyStorage;
997
+ readonly vectors: VectorSearch;
998
+ /** Start / resume / inspect durable workflows; see {@link Workflows}. */
999
+ readonly workflows: Workflows;
1000
+ }
1001
+ interface ActionCtx {
1002
+ readonly auth: AuthState;
1003
+ readonly db: DatabaseWriter;
1004
+ readonly fetch: typeof globalThis.fetch;
1005
+ /**
1006
+ * The caller's IP for this request — Cloudflare's trusted `CF-Connecting-IP`,
1007
+ * forwarded server-side (never read from a client header). `undefined` when
1008
+ * unknown: a live-subscription re-run, a server-initiated dispatch, or
1009
+ * non-Cloudflare hosting. A convenient rate-limit key for anonymous traffic.
1010
+ */
1011
+ readonly ip?: string;
1012
+ /** Structured, function-attributed logger; see {@link LunoraLogger}. */
1013
+ readonly log: LunoraLogger;
1014
+ readonly runAction: <A extends ArgsValidator, R>(reference: RegisteredAction<A, R>, args: InferArgs<A>) => Promise<R>;
1015
+ readonly runMutation: <A extends ArgsValidator, R>(reference: RegisteredMutation<A, R>, args: InferArgs<A>) => Promise<R>;
1016
+ readonly runQuery: <A extends ArgsValidator, R>(reference: RegisteredQuery<A, R>, args: InferArgs<A>) => Promise<R>;
1017
+ readonly scheduler: Scheduler;
1018
+ readonly storage: Storage;
1019
+ readonly vectors: VectorSearch;
1020
+ /** Start / resume / inspect durable workflows; see {@link Workflows}. */
1021
+ readonly workflows: Workflows;
1022
+ }
1023
+ /**
1024
+ * Stand-in returned by codegen so projects can `import { api } from "./_generated/api"`.
1025
+ * The runtime value is opaque; the types are filled in by generated declarations.
1026
+ */
1027
+ type AnyApi = Record<string, Record<string, RegisteredFunction<ArgsValidator, unknown, FunctionKind>>>;
1028
+ declare const anyApi: AnyApi;
1029
+ export { type ActionCtx, type AggregateIndexDefinition, type AggregateOp, type AnyApi, type ArgsValidator, type AuthState, type DatabaseReader, type DatabaseWriter, type FunctionKind, type FunctionVisibility, type GlobalBackend, type IndexDefinition, type IndexRangeBuilder, type InferArgs, type LifecycleEvent, type LifecycleEventKind, type LunoraLogger, type MutationCtx, type OnDeleteAction, type PaginationOptions, type PaginationResult, type QueryCtx, type RankIndexDefinition, type RankSortKey, type ReadOnlyStorage, type RegisteredAction, type RegisteredFunction, type RegisteredLifecycleHook, type RegisteredMutation, type RegisteredQuery, type RegisteredStream, type RelationDefinition, type ScheduledFunctionDoc, type ScheduledJob, type Scheduler, type Schema, type SearchFilterBuilder, type SearchIndexDefinition, type ShardMode, type Storage, type StorageMetadata, type SystemDatabaseReader, type SystemDoc, type SystemQuery, type SystemTableName, type TableDefinition, type TableReader, type TableVectorIndex, type TriggerAggregateOptions, type TriggerBuilder, type TriggerCtx, type TriggerDatabase, type TriggerDefinition, type TriggerDeleteEvent, type TriggerEvent, type TriggerGroupByEntry, type TriggerGroupByOptions, type TriggerHandler, type TriggerInsertEvent, type TriggerOp, type TriggerQueryArgs, type TriggerQueryPage, type TriggerRankOptions, type TriggerRankPageOptions, type TriggerRankResult, type TriggerRow, type TriggerTiming, type TriggerUpdateEvent, type VectorEmbedder, type VectorIndexDefinition, type VectorMatch, type VectorMatches, type VectorMetric, type VectorQueryInput, type VectorRecord, type VectorSearch, type VectorSearchReader, type VectorUpsertInput, type WorkflowCreateOptions, type WorkflowHandle, type WorkflowInstance, type WorkflowInstanceStatus, type WorkflowStatusResult, type Workflows, anyApi };