@lunora/server 0.0.0 → 1.0.0-alpha.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. package/LICENSE.md +105 -0
  2. package/README.md +134 -9
  3. package/__assets__/package-og.svg +14 -0
  4. package/dist/data-model.d.mts +416 -0
  5. package/dist/data-model.d.ts +416 -0
  6. package/dist/data-model.mjs +1 -0
  7. package/dist/drizzle.d.mts +1 -0
  8. package/dist/drizzle.d.ts +1 -0
  9. package/dist/drizzle.mjs +1 -0
  10. package/dist/index.d.mts +1985 -0
  11. package/dist/index.d.ts +1985 -0
  12. package/dist/index.mjs +28 -0
  13. package/dist/packem_shared/LunoraEnvError-DjFkpkSP.mjs +187 -0
  14. package/dist/packem_shared/LunoraError-DN7Zhhvu.mjs +54 -0
  15. package/dist/packem_shared/PRESENCE_DEFAULT_TTL_MS-D8viLY1S.mjs +114 -0
  16. package/dist/packem_shared/asBucketStorage-Cnxd9y2q.mjs +11 -0
  17. package/dist/packem_shared/bindOrm-Ce57S3N9.mjs +128 -0
  18. package/dist/packem_shared/buildRlsReadRegistry-1jexWrb3.mjs +107 -0
  19. package/dist/packem_shared/composePluginMiddleware-Ck5_TUO8.mjs +100 -0
  20. package/dist/packem_shared/createPolicyDsl-De67zPDS.mjs +29 -0
  21. package/dist/packem_shared/createSecrets-TsIP9lOa.mjs +55 -0
  22. package/dist/packem_shared/defineAggregateIndex-ZdyU78gh.mjs +291 -0
  23. package/dist/packem_shared/defineMigration-CAJLr6fx.mjs +8 -0
  24. package/dist/packem_shared/defineMutator-EIXAWhs9.mjs +11 -0
  25. package/dist/packem_shared/defineShape-CJ27Wx7o.mjs +17 -0
  26. package/dist/packem_shared/defineStorageRule-qu0mpilX.mjs +20 -0
  27. package/dist/packem_shared/functions-Di9FUNkf.mjs +5 -0
  28. package/dist/packem_shared/httpAction-FLwfsePg.mjs +340 -0
  29. package/dist/packem_shared/initLunora-lxwHTEV3.mjs +100 -0
  30. package/dist/packem_shared/mask-BV_jNzsN.mjs +211 -0
  31. package/dist/packem_shared/onConnect-CIPXKPyw.mjs +13 -0
  32. package/dist/packem_shared/policy-tag-DvpVH2tv.mjs +13 -0
  33. package/dist/packem_shared/protectPublic-BjFkQ_Or.mjs +15 -0
  34. package/dist/packem_shared/rls-2Jhd0uev.mjs +569 -0
  35. package/dist/packem_shared/run-middleware-CYQOuoV6.mjs +18 -0
  36. package/dist/packem_shared/storageRules-Cje6Woea.mjs +88 -0
  37. package/dist/packem_shared/types.d-BDY0FYHK.d.ts +135 -0
  38. package/dist/packem_shared/types.d-DmvyEMD6.d.mts +135 -0
  39. package/dist/rls/testing.d.mts +63 -0
  40. package/dist/rls/testing.d.ts +63 -0
  41. package/dist/rls/testing.mjs +49 -0
  42. package/dist/types.d.mts +1157 -0
  43. package/dist/types.d.ts +1157 -0
  44. package/dist/types.mjs +31 -0
  45. package/package.json +59 -17
@@ -0,0 +1,1985 @@
1
+ import { Validator, Infer, ValidatorMap, InferValidatorMap, v } from '@lunora/values';
2
+ export { type ColumnValidator, type Id, type Infer, ValidationError, type Validator, type ValidatorKind, v } from '@lunora/values';
3
+ import { ArgsValidator, InferArgs, RegisteredAction, ActionCtx, MutationCtx, RegisteredMutation, QueryCtx, RegisteredQuery, RegisteredStream, FunctionKind, Secrets, LifecycleEvent, RegisteredLifecycleHook, TableDefinition, RegisteredFunction, VectorIndexDefinition, Schema, AggregateOp, DurableObjectJurisdiction, RelationDefinition, GlobalBackend, OnDeleteAction, ExternalSourceDefinition, TriggerBuilder, TriggerDefinition, VectorEmbedder, VectorMetric, AggregateIndexDefinition, RankIndexDefinition } from "./types.js";
4
+ export { type AnyApi, type AuthState, type DatabaseReader, type DatabaseWriter, type FunctionVisibility, type IndexDefinition, type IndexRangeBuilder, type LifecycleEventKind, type LunoraLogger, type PaginationOptions, type PaginationResult, type RankSortKey, type ReadOnlyStorage, type ScheduledFunctionDoc, type ScheduledJob, type Scheduler, type SearchFilterBuilder, type SearchIndexDefinition, type ShardMode, type Storage, type StorageMetadata, type SystemDatabaseReader, type SystemDoc, type SystemQuery, type SystemTableName, type TableReader, type TableVectorIndex, type TriggerAggregateOptions, type TriggerCtx, type TriggerDatabase, type TriggerDeleteEvent, type TriggerEvent, type TriggerGroupByEntry, type TriggerGroupByOptions, type TriggerHandler, type TriggerInsertEvent, type TriggerOp, type TriggerQueryArgs, type TriggerQueryPage, type TriggerRankOptions, type TriggerRankPageOptions, type TriggerRankResult, type TriggerRow, type TriggerTiming, type TriggerUpdateEvent, type VectorMatch, type VectorMatches, type VectorQueryInput, type VectorRecord, type VectorSearch, type VectorSearchReader, type VectorUpsertInput, type WorkflowCreateOptions, type WorkflowHandle, type WorkflowInstance, type WorkflowInstanceStatus, type WorkflowStatusResult, type Workflows, anyApi } from "./types.js";
5
+ import { Context, Hono } from 'hono';
6
+ import { b as Permission, R as Role, T as TypedDefinePolicyInput, a as Policy, D as DefinePolicyInput, W as WhereInput, c as RlsOptions } from "./packem_shared/types.d-BDY0FYHK.js";
7
+ export type { d as PolicyContext, e as PolicyDecision, f as PolicyDecisionOf, P as PolicyOperation } from "./packem_shared/types.d-BDY0FYHK.js";
8
+ export { type CronJob, type CronJobsBuilder, type CronScheduleKind, type DailySchedule, type IntervalSchedule, type MonthlySchedule, type WeeklySchedule, cronJobs } from '@lunora/scheduler';
9
+ import "./data-model.js";
10
+ /**
11
+ * Make any `config.storage` result bucket-aware so `ctx.storage.bucket(name)`
12
+ * always resolves. A `createBucketStorage(...)` result already carries
13
+ * `.bucket` / `.bucketName` and is returned as-is; a single `createStorage(...)`
14
+ * (or the no-storage stub) is tagged as the `"default"` bucket, where
15
+ * `.bucket(name)` is the identity — single-bucket apps address one binding under
16
+ * every name.
17
+ *
18
+ * This is the runtime counterpart the generated `_generated/shard.ts` imports to
19
+ * wrap `ctx.storage`; it lives here (the single source) rather than being stamped
20
+ * inline into every generated file, so the bucket-tagging behaviour has one home
21
+ * alongside the storage ctx types. The input is genuinely heterogeneous (a thunk
22
+ * result cast through `unknown`), so the signature is `unknown → unknown`; the
23
+ * generated caller casts the result to its storage type.
24
+ */
25
+ declare const asBucketStorage: (raw: unknown) => unknown;
26
+ /** Builder discriminator. Codegen reads this kind. */
27
+ type TerminalKind = FunctionKind;
28
+ /** Initial (empty) accumulated args for a fresh builder. */
29
+ type EmptyArgs = Record<never, never>;
30
+ /**
31
+ * `next()` advances the middleware chain. Called with no argument it forwards
32
+ * the current context unchanged; called with `{ ctx }` it shallow-merges the
33
+ * extension, and the result type reflects the widened context.
34
+ */
35
+ interface MiddlewareNext<ContextIn> {
36
+ (): Promise<ContextIn>;
37
+ <Extension extends Record<string, unknown>>(options: {
38
+ ctx: Extension;
39
+ }): Promise<ContextIn & Extension>;
40
+ }
41
+ /**
42
+ * A middleware receives the current context and a `next` continuation. Its
43
+ * return type becomes the builder's new context, so `return next({ ctx })`
44
+ * propagates the extension into every downstream `.use()` and the handler.
45
+ */
46
+ type Middleware<ContextIn, ContextOut> = (options: {
47
+ ctx: ContextIn;
48
+ next: MiddlewareNext<ContextIn>;
49
+ }) => ContextOut | Promise<ContextOut>;
50
+ /** Options accepted by `initLunora.dataModel&lt;DM>().create(...)`. Reserved for transformer/error-formatter wiring. */
51
+ type CreateOptions = Record<never, never>;
52
+ /**
53
+ * `Output` carries the type declared by `.output(validator)`. It defaults to
54
+ * the `undefined` sentinel meaning "not declared": in that state the terminal
55
+ * stays generic over the handler's own return type. Once `.output()` sets it to
56
+ * a concrete type, the terminal requires the handler to return that type and
57
+ * the registration is typed to it (the runtime parses the result through the
58
+ * validator). `[Output] extends [undefined]` is wrapped in a tuple so a union
59
+ * `Output` doesn't distribute and so the test is for the exact sentinel.
60
+ */
61
+ interface QueryBuilder<Context, Args extends ArgsValidator, Output = undefined> {
62
+ readonly __lunoraProcedure: "query";
63
+ input: <A extends ArgsValidator>(validators: A) => QueryBuilder<Context, A & Args, Output>;
64
+ output: <V extends Validator>(validator: V) => QueryBuilder<Context, Args, Infer<V>>;
65
+ query: [Output] extends [undefined] ? <R>(handler: (options: {
66
+ args: InferArgs<Args>;
67
+ ctx: Context;
68
+ }) => Promise<R> | R) => RegisteredQuery<Args, Awaited<R>> : (handler: (options: {
69
+ args: InferArgs<Args>;
70
+ ctx: Context;
71
+ }) => Output | Promise<Output>) => RegisteredQuery<Args, Output>;
72
+ /**
73
+ * Terminal: declare this procedure as a streaming query. The handler is an
74
+ * async generator (or any function returning an `AsyncIterable&lt;R>`) that
75
+ * yields one chunk per server-pushed frame. The third `signal` argument is
76
+ * tripped when the client cancels — break out of the loop or check
77
+ * `signal.aborted` between yields. `.output()` does not apply: per-chunk
78
+ * validation is opt-in via the handler itself.
79
+ */
80
+ stream: <R>(handler: (options: {
81
+ args: InferArgs<Args>;
82
+ ctx: Context;
83
+ signal: AbortSignal;
84
+ }) => AsyncGenerator<R, void, void> | AsyncIterable<R>) => RegisteredStream<Args, R>;
85
+ use: <ContextOut>(middleware: Middleware<Context, ContextOut>) => QueryBuilder<ContextOut, Args, Output>;
86
+ }
87
+ interface MutationBuilder<Context, Args extends ArgsValidator, Output = undefined> {
88
+ readonly __lunoraProcedure: "mutation";
89
+ input: <A extends ArgsValidator>(validators: A) => MutationBuilder<Context, A & Args, Output>;
90
+ mutation: [Output] extends [undefined] ? <R>(handler: (options: {
91
+ args: InferArgs<Args>;
92
+ ctx: Context;
93
+ }) => Promise<R> | R) => RegisteredMutation<Args, Awaited<R>> : (handler: (options: {
94
+ args: InferArgs<Args>;
95
+ ctx: Context;
96
+ }) => Output | Promise<Output>) => RegisteredMutation<Args, Output>;
97
+ output: <V extends Validator>(validator: V) => MutationBuilder<Context, Args, Infer<V>>;
98
+ use: <ContextOut>(middleware: Middleware<Context, ContextOut>) => MutationBuilder<ContextOut, Args, Output>;
99
+ }
100
+ interface ActionBuilder<Context, Args extends ArgsValidator, Output = undefined> {
101
+ readonly __lunoraProcedure: "action";
102
+ action: [Output] extends [undefined] ? <R>(handler: (options: {
103
+ args: InferArgs<Args>;
104
+ ctx: Context;
105
+ }) => Promise<R> | R) => RegisteredAction<Args, Awaited<R>> : (handler: (options: {
106
+ args: InferArgs<Args>;
107
+ ctx: Context;
108
+ }) => Output | Promise<Output>) => RegisteredAction<Args, Output>;
109
+ input: <A extends ArgsValidator>(validators: A) => ActionBuilder<Context, A & Args, Output>;
110
+ output: <V extends Validator>(validator: V) => ActionBuilder<Context, Args, Infer<V>>;
111
+ use: <ContextOut>(middleware: Middleware<Context, ContextOut>) => ActionBuilder<ContextOut, Args, Output>;
112
+ }
113
+ /**
114
+ * Internal builder variants. Identical to their public counterparts but carry
115
+ * the `__lunoraVisibility: "internal"` brand codegen keys off to route the
116
+ * registration into the `internal` object (and keep it off `api`). `input`/`use`
117
+ * return the internal builder type so the brand survives the whole chain.
118
+ */
119
+ interface InternalQueryBuilder<Context, Args extends ArgsValidator, Output = undefined> {
120
+ readonly __lunoraProcedure: "query";
121
+ readonly __lunoraVisibility: "internal";
122
+ input: <A extends ArgsValidator>(validators: A) => InternalQueryBuilder<Context, A & Args, Output>;
123
+ output: <V extends Validator>(validator: V) => InternalQueryBuilder<Context, Args, Infer<V>>;
124
+ query: [Output] extends [undefined] ? <R>(handler: (options: {
125
+ args: InferArgs<Args>;
126
+ ctx: Context;
127
+ }) => Promise<R> | R) => RegisteredQuery<Args, Awaited<R>> : (handler: (options: {
128
+ args: InferArgs<Args>;
129
+ ctx: Context;
130
+ }) => Output | Promise<Output>) => RegisteredQuery<Args, Output>;
131
+ /** See {@link QueryBuilder.stream}; the internal variant routes the registration into `internal` instead of `api`. */
132
+ stream: <R>(handler: (options: {
133
+ args: InferArgs<Args>;
134
+ ctx: Context;
135
+ signal: AbortSignal;
136
+ }) => AsyncGenerator<R, void, void> | AsyncIterable<R>) => RegisteredStream<Args, R>;
137
+ use: <ContextOut>(middleware: Middleware<Context, ContextOut>) => InternalQueryBuilder<ContextOut, Args, Output>;
138
+ }
139
+ interface InternalMutationBuilder<Context, Args extends ArgsValidator, Output = undefined> {
140
+ readonly __lunoraProcedure: "mutation";
141
+ readonly __lunoraVisibility: "internal";
142
+ input: <A extends ArgsValidator>(validators: A) => InternalMutationBuilder<Context, A & Args, Output>;
143
+ mutation: [Output] extends [undefined] ? <R>(handler: (options: {
144
+ args: InferArgs<Args>;
145
+ ctx: Context;
146
+ }) => Promise<R> | R) => RegisteredMutation<Args, Awaited<R>> : (handler: (options: {
147
+ args: InferArgs<Args>;
148
+ ctx: Context;
149
+ }) => Output | Promise<Output>) => RegisteredMutation<Args, Output>;
150
+ output: <V extends Validator>(validator: V) => InternalMutationBuilder<Context, Args, Infer<V>>;
151
+ use: <ContextOut>(middleware: Middleware<Context, ContextOut>) => InternalMutationBuilder<ContextOut, Args, Output>;
152
+ }
153
+ interface InternalActionBuilder<Context, Args extends ArgsValidator, Output = undefined> {
154
+ readonly __lunoraProcedure: "action";
155
+ readonly __lunoraVisibility: "internal";
156
+ action: [Output] extends [undefined] ? <R>(handler: (options: {
157
+ args: InferArgs<Args>;
158
+ ctx: Context;
159
+ }) => Promise<R> | R) => RegisteredAction<Args, Awaited<R>> : (handler: (options: {
160
+ args: InferArgs<Args>;
161
+ ctx: Context;
162
+ }) => Output | Promise<Output>) => RegisteredAction<Args, Output>;
163
+ input: <A extends ArgsValidator>(validators: A) => InternalActionBuilder<Context, A & Args, Output>;
164
+ output: <V extends Validator>(validator: V) => InternalActionBuilder<Context, Args, Infer<V>>;
165
+ use: <ContextOut>(middleware: Middleware<Context, ContextOut>) => InternalActionBuilder<ContextOut, Args, Output>;
166
+ }
167
+ /** The public root builders plus their `internal*` counterparts, returned by `.create()`. */
168
+ interface LunoraBuilders {
169
+ action: ActionBuilder<ActionCtx, EmptyArgs>;
170
+ internalAction: InternalActionBuilder<ActionCtx, EmptyArgs>;
171
+ internalMutation: InternalMutationBuilder<MutationCtx, EmptyArgs>;
172
+ internalQuery: InternalQueryBuilder<QueryCtx, EmptyArgs>;
173
+ mutation: MutationBuilder<MutationCtx, EmptyArgs>;
174
+ query: QueryBuilder<QueryCtx, EmptyArgs>;
175
+ }
176
+ interface DataModelInit<DataModel> {
177
+ /** Phantom carrier for the generated `DataModel`; reserved for typed `ctx.db` (Plan2 1.2.7). */
178
+ readonly __dataModel?: DataModel;
179
+ create: (options?: CreateOptions) => LunoraBuilders;
180
+ }
181
+ /**
182
+ * Entry point for the procedure builder. `dataModel&lt;DM>()` binds the generated
183
+ * `DataModel` (phantom for now), and `.create()` yields the public root builders
184
+ * plus their `internal*` counterparts.
185
+ */
186
+ declare const initLunora: {
187
+ dataModel: <DataModel>() => DataModelInit<DataModel>;
188
+ };
189
+ /**
190
+ * Build the `ctx.secrets` reader from the worker `env`. `get(name)` resolves
191
+ * `env[name].get()` — the `secrets_store_secrets[]` binding of that name. An
192
+ * absent or non-Secrets-Store binding throws a directed error pointing at the
193
+ * wrangler config; the lookup is lazy, so an unused secret never resolves.
194
+ */
195
+ declare const createSecrets: (env: Record<string, unknown>) => Secrets;
196
+ /**
197
+ * Redact secrets from a free-form message. Masks, in order: any quoted value
198
+ * whose contents look like a credential (so a value surfaced as `received string
199
+ * "sk_live_…"` is masked even though the surrounding text is not a token); a
200
+ * `scheme://user:password@host` URL credential (the password segment); any
201
+ * known-prefix credential token wherever it appears, at any length; any value
202
+ * following a secret-named key in `KEY=value` / `KEY: value` form; and any
203
+ * remaining bare high-entropy ≥24-char token run anywhere in the message.
204
+ *
205
+ * This is BEST-EFFORT defense-in-depth, NOT a guarantee: a short, prefix-less
206
+ * secret under a non-secret-named key (and embedded credentials in shapes not
207
+ * enumerated here) can still slip through. Treat it as a backstop — prefer
208
+ * structured logging that never serializes raw env/secret fields in the first
209
+ * place over relying on post-hoc scrubbing of untrusted data.
210
+ *
211
+ * Exported because it is independently useful — call it before logging anything
212
+ * derived from `env`, request bodies, or thrown errors.
213
+ */
214
+ declare const redactSecrets: (message: string) => string;
215
+ /** One key's validation failure, secrets already redacted out of `message`. */
216
+ interface EnvKeyFailure {
217
+ /** The env key that failed. */
218
+ key: string;
219
+ /** Redacted human-readable reason. */
220
+ message: string;
221
+ }
222
+ /**
223
+ * Thrown when one or more env keys are missing or fail validation. Carries the
224
+ * structured list of `failures` (each with the offending `key`) so callers can
225
+ * react programmatically; `message` is the joined, secret-redacted summary.
226
+ *
227
+ * Named export only (no default) per the repo export convention.
228
+ */
229
+ declare class LunoraEnvError extends Error {
230
+ override readonly name = "LunoraEnvError";
231
+ readonly failures: ReadonlyArray<EnvKeyFailure>;
232
+ constructor(failures: ReadonlyArray<EnvKeyFailure>);
233
+ }
234
+ /** A record of `v.*` validators describing the expected env shape. */
235
+ type EnvShape = Record<string, Validator>;
236
+ /**
237
+ * The typed output of {@link defineEnv}. Optional validators (`v.optional(...)`)
238
+ * become optional keys; everything else is required. Mirrors how `InferArgs`
239
+ * derives an args object from a validator map.
240
+ */
241
+ type InferEnv<S extends EnvShape> = { [K in keyof S as undefined extends Infer<S[K]> ? K : never]?: Infer<S[K]> } & { [K in keyof S as undefined extends Infer<S[K]> ? never : K]: Infer<S[K]> };
242
+ /**
243
+ * The accessor returned by {@link defineEnv}. A typed view over an `env` object
244
+ * plus a `.parse(env)` escape hatch that validates every key eagerly.
245
+ *
246
+ * Call the accessor with the worker's `env` to get the typed, lazily-validated
247
+ * proxy: `const config = defineEnv({ … }); const { PORT } = config(env);`.
248
+ */
249
+ interface EnvAccessor<S extends EnvShape> {
250
+ /** Validate every key eagerly and return the typed, plain (non-proxy) object. Use for fail-fast-at-boot. */
251
+ parse: (env: unknown) => InferEnv<S>;
252
+ /** Lazily-validated, per-key-cached typed view over `env`. Keys are validated on first access. */
253
+ (env: unknown): InferEnv<S>;
254
+ }
255
+ /**
256
+ * Define a typed, validated accessor over a Worker's `env`. Pass a record of
257
+ * `v.*` validators; receive an accessor that validates lazily per key (cached
258
+ * per `env` identity) and infers its output type from the validators.
259
+ *
260
+ * ```ts
261
+ * import { defineEnv, v } from "@lunora/server";
262
+ *
263
+ * const config = defineEnv({
264
+ * STRIPE_KEY: v.string(),
265
+ * PORT: v.optional(v.number()),
266
+ * });
267
+ *
268
+ * export default {
269
+ * fetch(request, env) {
270
+ * const { STRIPE_KEY, PORT } = config(env); // STRIPE_KEY: string, PORT?: number
271
+ * // …
272
+ * },
273
+ * };
274
+ * ```
275
+ *
276
+ * Throws {@link LunoraEnvError} (secrets redacted) when a key is missing or
277
+ * invalid — lazily on first access of that key, or eagerly via `config.parse(env)`.
278
+ */
279
+ declare const defineEnv: <S extends EnvShape>(shape: S) => EnvAccessor<S>;
280
+ /**
281
+ * Canonical error type for Lunora procedures and middleware.
282
+ *
283
+ * The runtime's structural error mapper keys off `name === "LunoraError"` plus
284
+ * the numeric `status`, so throwing one of these from a handler or middleware
285
+ * yields the right RPC/HTTP status without any further wiring. `code` carries
286
+ * the machine-readable reason for clients; the optional `data` carries a
287
+ * structured, JSON+wire-encodable payload propagated verbatim to the client
288
+ * (e.g. `{ retryAfterMs }`). Only an explicit `LunoraError`'s `data` crosses the
289
+ * wire — an unhandled throw is still redacted to a generic message server-side.
290
+ */
291
+ declare const CODE_STATUS: {
292
+ readonly BAD_REQUEST: 400;
293
+ readonly CONFLICT: 409;
294
+ /**
295
+ * `count()` invoked against a table whose context carries an active RLS
296
+ * policy. The operation itself is unsupported in an RLS-restricted reader
297
+ * (kitcn's documented constraint) — the request is well-formed and the
298
+ * caller is authorized, so this is a 422 (semantic conflict) rather than a
299
+ * 403 (policy denial).
300
+ */
301
+ readonly COUNT_RLS_UNSUPPORTED: 422;
302
+ readonly FORBIDDEN: 403;
303
+ readonly INTERNAL_SERVER_ERROR: 500;
304
+ /**
305
+ * An analytical reduction (`aggregate` / `groupBy`) was invoked over a
306
+ * column that the procedure's `mask()` middleware redacts. A masked column
307
+ * can't be summed, averaged, or grouped without leaking the very values the
308
+ * mask hides (a group key *is* the raw value; an aggregate is computed from
309
+ * it), so the operation fails closed. The request is well-formed and the
310
+ * caller is authorized — this is a 422 (semantic conflict), mirroring
311
+ * `COUNT_RLS_UNSUPPORTED`.
312
+ */
313
+ readonly MASK_UNSUPPORTED: 422;
314
+ readonly NOT_FOUND: 404;
315
+ readonly NOT_IMPLEMENTED: 501;
316
+ /**
317
+ * A write policy's `when` returned a relation-crossing predicate
318
+ * (`some`/`none`/`every`/`is`/`isNot`). The in-memory write-policy evaluator
319
+ * has no child fetcher and cannot resolve a relation node, so the policy is
320
+ * unsupported as written. Relation predicates are valid in *read* policies
321
+ * and query `where` clauses (the pre-resolver handles them there). The
322
+ * request is well-formed; this is a 422 (semantic conflict), mirroring the
323
+ * sibling `*_UNSUPPORTED` codes.
324
+ */
325
+ readonly RELATION_PREDICATE_UNSUPPORTED: 422;
326
+ readonly TOO_MANY_REQUESTS: 429;
327
+ readonly UNAUTHORIZED: 401;
328
+ readonly UNPROCESSABLE: 422;
329
+ };
330
+ type LunoraErrorCode = keyof typeof CODE_STATUS;
331
+ declare class LunoraError extends Error {
332
+ override readonly name = "LunoraError";
333
+ readonly code: LunoraErrorCode;
334
+ readonly status: number;
335
+ /** Structured, JSON+wire-encodable payload surfaced to the client alongside `code`. */
336
+ readonly data?: unknown;
337
+ constructor(code: LunoraErrorCode, message?: string, data?: unknown);
338
+ }
339
+ /**
340
+ * Minimal structural writer the facade binds over. Declared with **method**
341
+ * syntax (not arrow properties) so a more-specifically-typed writer — both
342
+ * `@lunora/do`'s `DatabaseWriterLike` and the RLS middleware's wrapped writer —
343
+ * stays assignable under bivariant parameter checking. That is the whole reason
344
+ * the shared helper can serve both callers, hence the rule exemption.
345
+ */
346
+ interface FacadeWriterLike {
347
+ aggregate(tableName: string, options: unknown): Promise<unknown>;
348
+ count(tableName: string, where?: unknown): Promise<number>;
349
+ delete(id: string, expectedTable?: string, options?: {
350
+ hard?: boolean;
351
+ }): Promise<void>;
352
+ deleteMany?(ids: ReadonlyArray<string>, options?: {
353
+ limit?: number;
354
+ }, expectedTable?: string): Promise<{
355
+ deleted: number;
356
+ }>;
357
+ findFirst(tableName: string, args?: unknown): Promise<unknown>;
358
+ findFirstOrThrow(tableName: string, args?: unknown): Promise<unknown>;
359
+ findMany(tableName: string, args?: unknown): Promise<unknown>;
360
+ get(id: string, expectedTable?: string): Promise<unknown>;
361
+ groupBy(tableName: string, options: unknown): Promise<unknown>;
362
+ insert(tableName: string, document: Record<string, unknown>): Promise<string>;
363
+ insertMany?(tableName: string, documents: ReadonlyArray<Record<string, unknown>>, options?: {
364
+ limit?: number;
365
+ }): Promise<string[]>;
366
+ patch(id: string, patch: Record<string, unknown>, expectedTable?: string): Promise<void>;
367
+ patchMany?(patches: ReadonlyArray<{
368
+ id: string;
369
+ patch: Record<string, unknown>;
370
+ }>, options?: {
371
+ limit?: number;
372
+ }, expectedTable?: string): Promise<void>;
373
+ query(tableName: string): {
374
+ withSearchIndex(indexName: string, search: (q: unknown) => unknown): unknown;
375
+ };
376
+ rank(tableName: string, indexName: string, options: unknown): Promise<unknown>;
377
+ rankPage(tableName: string, indexName: string, options?: unknown): Promise<unknown>;
378
+ replace(id: string, document: Record<string, unknown>, expectedTable?: string): Promise<void>;
379
+ restore?(id: string, expectedTable?: string): Promise<void>;
380
+ }
381
+ /** The per-table accessor object returned for the `ctx.db` table form. */
382
+ interface FacadeEntry {
383
+ aggregate: (options: unknown) => Promise<unknown>;
384
+ count: (where?: unknown) => Promise<number>;
385
+ delete: (id: string) => Promise<void>;
386
+ deleteMany: (ids: ReadonlyArray<string>, options?: {
387
+ limit?: number;
388
+ }) => Promise<{
389
+ deleted: number;
390
+ }>;
391
+ /** `true` when at least one row matches `where` (or any row exists when omitted). Honors RLS like `findFirst`. */
392
+ exists: (where?: unknown) => Promise<boolean>;
393
+ findFirst: (args?: unknown) => Promise<unknown>;
394
+ findFirstOrThrow: (args?: unknown) => Promise<unknown>;
395
+ findMany: (args?: unknown) => Promise<unknown>;
396
+ get: (id: string) => Promise<unknown>;
397
+ groupBy: (options: unknown) => Promise<unknown>;
398
+ /** Physically remove a row (and physically cascade), bypassing `.softDelete()`. */
399
+ hardDelete: (id: string) => Promise<void>;
400
+ insert: (document: Record<string, unknown>, options?: FacadeInsertOptions) => Promise<null | string>;
401
+ insertMany: (documents: ReadonlyArray<Record<string, unknown>>, options?: {
402
+ limit?: number;
403
+ }) => Promise<string[]>;
404
+ patch: (id: string, patch: Record<string, unknown>) => Promise<void>;
405
+ patchMany: (patches: ReadonlyArray<{
406
+ id: string;
407
+ values: Record<string, unknown>;
408
+ }>, options?: {
409
+ limit?: number;
410
+ }) => Promise<void>;
411
+ rank: (indexName: string, options: unknown) => Promise<unknown>;
412
+ rankPage: (indexName: string, options?: unknown) => Promise<unknown>;
413
+ replace: (id: string, document: Record<string, unknown>) => Promise<void>;
414
+ /** Un-soft-delete a row: clears the `.softDelete()` marker (by-id, so it reaches a row list reads hide). */
415
+ restore: (id: string) => Promise<void>;
416
+ /** Insert when no row matches `target`, else patch the match. Composes `findFirst` + `insert`/`patch`, so RLS applies to each step. */
417
+ upsert: (args: UpsertArgs) => Promise<UpsertResult>;
418
+ /** Sequential `upsert` over many rows sharing one `target`; returns one result per input row in order. */
419
+ upsertMany: (args: UpsertManyArgs) => Promise<UpsertResult[]>;
420
+ withSearchIndex: (indexName: string, search: (q: unknown) => unknown) => unknown;
421
+ }
422
+ /** Options accepted by the per-table `insert` accessor. */
423
+ interface FacadeInsertOptions {
424
+ /**
425
+ * When `true`, a UNIQUE-constraint breach is swallowed: the insert becomes a
426
+ * silent no-op and resolves to `null` instead of throwing a `CONFLICT`. Any
427
+ * other error still propagates. Mirrors better-drizzle's `create({ skipDuplicates })`.
428
+ */
429
+ skipDuplicates?: boolean;
430
+ }
431
+ /** The conflict target for `upsert`/`upsertMany`: one field name or a tuple of them. */
432
+ type UpsertTarget = ReadonlyArray<string> | string;
433
+ /** Argument to the per-table `upsert` accessor. */
434
+ interface UpsertArgs {
435
+ /** Document inserted when no existing row matches the `target`. */
436
+ create: Record<string, unknown>;
437
+ /** Field(s) — typically a `.unique()` column or unique index — used to look up an existing row. */
438
+ target: UpsertTarget;
439
+ /** Patch applied when an existing row matches the `target`. Defaults to `create`. */
440
+ update?: Record<string, unknown>;
441
+ }
442
+ /** Result of an `upsert`: the row's id and whether it was freshly inserted (`true`) or updated (`false`). */
443
+ interface UpsertResult {
444
+ created: boolean;
445
+ id: string;
446
+ }
447
+ /** Argument to the per-table `upsertMany` accessor — a shared `target` plus per-row create/update payloads. */
448
+ interface UpsertManyArgs {
449
+ rows: ReadonlyArray<{
450
+ create: Record<string, unknown>;
451
+ update?: Record<string, unknown>;
452
+ }>;
453
+ target: UpsertTarget;
454
+ }
455
+ /**
456
+ * Bind a structural writer to one table, producing its `ctx.db` table accessor.
457
+ *
458
+ * The by-id accessors (`get`/`delete`/`patch`/`replace`) forward the bound
459
+ * `tableName` as `expectedTable` so the underlying writer scopes its id lookup
460
+ * to this table. Without it, a branded `Id&lt;"posts">` carrying another table's
461
+ * id would resolve cross-table (the writer probes every table by id), letting
462
+ * `ctx.db.posts.get(foreignId)` read — or `.delete`/`.patch`/`.replace`
463
+ * mutate — a row in an unrelated table (IDOR). Writers that ignore the second
464
+ * argument keep their previous global behaviour; the scoping is opt-in via this
465
+ * forwarded name.
466
+ */
467
+ declare const bindTableFacade: (writer: FacadeWriterLike, tableName: string) => FacadeEntry;
468
+ /** The kitcn-style `ctx.orm` namespace over a per-table facade map. */
469
+ interface OrmLike {
470
+ delete: (table: string, id: string) => Promise<void>;
471
+ insert: (table: string) => {
472
+ values: (document: Record<string, unknown>) => Promise<null | string>;
473
+ };
474
+ query: Record<string, FacadeEntry>;
475
+ replace: (table: string, id: string) => {
476
+ with: (document: Record<string, unknown>) => Promise<void>;
477
+ };
478
+ update: (table: string, id: string) => {
479
+ set: (values: Record<string, unknown>) => Promise<void>;
480
+ };
481
+ }
482
+ /** Build `ctx.orm` over a per-table facade map (table name → FacadeEntry). */
483
+ declare const bindOrm: (facade: Record<string, FacadeEntry>) => OrmLike;
484
+ /** HTTP verbs the typed {@link httpRoute} builder can bind to. */
485
+ type HttpMethod = "DELETE" | "GET" | "HEAD" | "OPTIONS" | "PATCH" | "POST" | "PUT";
486
+ /**
487
+ * Context handed to an HTTP action handler. A narrower view of {@link ActionContext}:
488
+ * HTTP actions run in the worker (the "action runtime"), separate from the
489
+ * transactional store, so there is no direct `db` / `vectors` / `scheduler` /
490
+ * `storage` surface — reach the data layer through `runQuery` / `runMutation` /
491
+ * `runAction`, which forward to the owning shard.
492
+ */
493
+ type HttpActionCtx = Pick<ActionCtx, "auth" | "fetch" | "runAction" | "runMutation" | "runQuery">;
494
+ /** A raw handler wrapped by {@link httpAction}. Receives the raw request, returns the raw response. */
495
+ type HttpActionHandler = (context: HttpActionCtx, request: Request) => Promise<Response> | Response;
496
+ /**
497
+ * The hono {@link https://hono.dev | Hono} environment used by {@link httpRouter}.
498
+ * The runtime injects the per-request {@link HttpActionCtx} on the private
499
+ * `__lunoraCtx` binding; the router's lifting middleware promotes it to
500
+ * `c.var.lunora` so handlers can read it as a typed variable.
501
+ */
502
+ interface LunoraHttpEnv {
503
+ Bindings: Record<string, unknown> & {
504
+ __lunoraCtx?: HttpActionCtx;
505
+ };
506
+ Variables: {
507
+ lunora: HttpActionCtx;
508
+ };
509
+ }
510
+ /** The hono app type {@link httpRouter} returns. */
511
+ type LunoraHttpApp = Hono<LunoraHttpEnv>;
512
+ /** A compiled route handler: a hono handler that resolves to a raw {@link Response}. */
513
+ type LunoraRouteHandler = (c: Context<LunoraHttpEnv>) => Promise<Response>;
514
+ /**
515
+ * Wrap a `(ctx, request) => Response` handler as a hono handler. The raw escape
516
+ * hatch — mount it with `app.all(path, httpAction(fn))`. `ctx` is the
517
+ * runtime-injected {@link HttpActionCtx} lifted into `c.var.lunora` by
518
+ * {@link httpRouter}; `request` is the underlying `c.req.raw`.
519
+ */
520
+ declare const httpAction: (handler: HttpActionHandler) => LunoraRouteHandler;
521
+ /**
522
+ * Create the hono app for HTTP actions. Pre-wired with a middleware that lifts
523
+ * the runtime-injected `c.env.__lunoraCtx` into `c.var.lunora`, so both
524
+ * {@link httpAction} and the typed {@link httpRoute} builder can read the action
525
+ * context. The full hono surface is available — plugins, path params, `.route`:
526
+ *
527
+ * ```ts
528
+ * const app = httpRouter();
529
+ * app.use("*", cors());
530
+ * app.post("/webhook", httpAction(onWebhook));
531
+ * app.get("/users/:id", getUser);
532
+ * export default createWorker({ httpRouter: app, ... });
533
+ * ```
534
+ *
535
+ * The lifting middleware throws if the context is absent. `createWorker` injects
536
+ * it on every request the router sees, so this only trips when the app is run
537
+ * outside the runtime — a misconfiguration we surface loudly rather than let
538
+ * `c.var.lunora` be silently `undefined` despite its non-optional type.
539
+ */
540
+ declare const httpRouter: () => LunoraHttpApp;
541
+ /** The `{ ctx, searchParams, body, params }` a typed route handler receives. */
542
+ interface HttpRouteHandlerOptions<SearchParams extends ArgsValidator, Body extends ArgsValidator, Params extends ArgsValidator> {
543
+ body: InferArgs<Body>;
544
+ ctx: HttpActionCtx;
545
+ params: InferArgs<Params>;
546
+ searchParams: InferArgs<SearchParams>;
547
+ }
548
+ /**
549
+ * The `{ ctx, searchParams, params, request, signal }` a streaming HTTP
550
+ * handler receives. There is no parsed `body` — streams are typically GET, and
551
+ * the raw `request` is exposed if a handler needs to read the body itself.
552
+ * `signal` is tripped when the client disconnects.
553
+ */
554
+ interface HttpStreamHandlerOptions<SearchParams extends ArgsValidator, Params extends ArgsValidator> {
555
+ ctx: HttpActionCtx;
556
+ params: InferArgs<Params>;
557
+ request: Request;
558
+ searchParams: InferArgs<SearchParams>;
559
+ signal: AbortSignal;
560
+ }
561
+ /**
562
+ * A typed REST route under construction. `.searchParams()` / `.body()` /
563
+ * `.params()` accumulate validator maps (later calls merge, a colliding key
564
+ * wins) that decode the URL query, JSON body, and hono path params into the
565
+ * handler's typed `searchParams` / `body` / `params`. Like the procedure
566
+ * builder, `.output(validator)` defaults to the `undefined` sentinel — while
567
+ * unset the handler is generic over its own return; once set the handler must
568
+ * return that type and the result is parsed through the validator before
569
+ * serialization. `[Output] extends [undefined]` is tuple-wrapped so a union
570
+ * `Output` doesn't distribute and the test is for the exact sentinel.
571
+ *
572
+ * The terminal `.handler()` yields a {@link LunoraRouteHandler} — mount it
573
+ * directly with `app.get(path, route)`.
574
+ */
575
+ interface HttpRouteBuilder<SearchParams extends ArgsValidator, Body extends ArgsValidator, Params extends ArgsValidator, Output = undefined> {
576
+ body: <B extends ArgsValidator>(validators: B) => HttpRouteBuilder<SearchParams, B & Body, Params, Output>;
577
+ handler: [Output] extends [undefined] ? <R>(handler: (options: HttpRouteHandlerOptions<SearchParams, Body, Params>) => Promise<R> | R) => LunoraRouteHandler : (handler: (options: HttpRouteHandlerOptions<SearchParams, Body, Params>) => Output | Promise<Output>) => LunoraRouteHandler;
578
+ output: <V extends Validator>(validator: V) => HttpRouteBuilder<SearchParams, Body, Params, Infer<V>>;
579
+ params: <P extends ArgsValidator>(validators: P) => HttpRouteBuilder<SearchParams, Body, P & Params, Output>;
580
+ searchParams: <S extends ArgsValidator>(validators: S) => HttpRouteBuilder<S & SearchParams, Body, Params, Output>;
581
+ /**
582
+ * Terminal: declare this route as a streaming Server-Sent Events endpoint.
583
+ * The handler is an async generator (or any function returning an
584
+ * `AsyncIterable&lt;R>`) that yields one chunk per SSE `data:` frame; on
585
+ * iterator completion the route writes a final `event: complete` frame; on
586
+ * throw, an `event: error` frame is written with `{code, message}` before
587
+ * the stream closes. The chunks are JSON-encoded; `R` is inferred from the
588
+ * handler's yielded type.
589
+ */
590
+ stream: <R>(handler: (options: HttpStreamHandlerOptions<SearchParams, Params>) => AsyncGenerator<R, void, void> | AsyncIterable<R>) => LunoraRouteHandler;
591
+ }
592
+ /** Opens a fresh {@link HttpRouteBuilder}. The `path` documents intent; hono owns the actual routing at mount. */
593
+ type HttpRouteFactory = (path: string) => HttpRouteBuilder<EmptyArgs, EmptyArgs, EmptyArgs>;
594
+ /** The verb-keyed entry point: `httpRoute.get("/api/todos")…`. */
595
+ interface HttpRoute {
596
+ delete: HttpRouteFactory;
597
+ get: HttpRouteFactory;
598
+ head: HttpRouteFactory;
599
+ options: HttpRouteFactory;
600
+ patch: HttpRouteFactory;
601
+ post: HttpRouteFactory;
602
+ put: HttpRouteFactory;
603
+ }
604
+ /**
605
+ * Typed REST route builder. Compiles down to a {@link LunoraRouteHandler}, so a
606
+ * typed route and a hand-written {@link httpAction} are interchangeable when
607
+ * mounted on {@link httpRouter}:
608
+ *
609
+ * ```ts
610
+ * export const listTodos = httpRoute
611
+ * .get("/api/todos")
612
+ * .searchParams({ limit: v.number(), q: v.optional(v.string()) })
613
+ * .output(v.array(v.object({ id: v.string(), text: v.string() })))
614
+ * .handler(async ({ ctx, searchParams }) => ctx.runQuery(api.todos.list, searchParams));
615
+ *
616
+ * export const getTodo = httpRoute
617
+ * .get("/api/todos/:id")
618
+ * .params({ id: v.string() })
619
+ * .handler(async ({ ctx, params }) => ctx.runQuery(api.todos.get, params));
620
+ *
621
+ * const app = httpRouter();
622
+ * app.get("/api/todos", listTodos);
623
+ * app.get("/api/todos/:id", getTodo);
624
+ * ```
625
+ */
626
+ declare const httpRoute: HttpRoute;
627
+ /**
628
+ * Structural view of an R2 object body, as returned by `@lunora/storage`'s
629
+ * `download()`. Re-declared here (not imported) so `@lunora/server` takes no
630
+ * runtime dependency on `@lunora/storage`; the real binding satisfies the shape.
631
+ */
632
+ interface StorageObjectBody {
633
+ /** The object body stream (`null` for a zero-byte object). */
634
+ body: ReadableStream | null;
635
+ etag: string;
636
+ httpMetadata?: {
637
+ contentType?: string;
638
+ };
639
+ key: string;
640
+ /** Hex SHA-256, when R2 carries a checksum (surfaced by `@lunora/storage`). */
641
+ sha256?: string;
642
+ /** Base64 SHA-256 (RFC 9530 digest encoding), when R2 carries a checksum. */
643
+ sha256Base64?: string;
644
+ size: number;
645
+ }
646
+ /** Byte window forwarded to `download()` so R2 streams just the requested slice. */
647
+ interface StorageRange {
648
+ length: number;
649
+ offset: number;
650
+ }
651
+ /** The minimal storage surface {@link serveStorageObject} needs: a metadata-rich `download`. */
652
+ interface StorageDownloader {
653
+ download: (key: string, options?: {
654
+ range?: StorageRange;
655
+ }) => Promise<StorageObjectBody | null>;
656
+ }
657
+ /** Any ctx that carries a {@link StorageDownloader} on `.storage` (Query/Mutation/Action ctx all do). */
658
+ interface ContextWithStorage {
659
+ storage: StorageDownloader;
660
+ }
661
+ /**
662
+ * Stream a stored object as an HTTP {@link Response} from an `httpAction`
663
+ * handler, with correct `Content-Type`, `ETag`, and `Accept-Ranges: bytes`.
664
+ * Honors a single-range `Range` request → **206 Partial Content** with
665
+ * `Content-Range` + `Content-Length`; otherwise **200**. A missing object is a
666
+ * **404**; an out-of-bounds range is a **416** with a `Content-Range` of
667
+ * `bytes` star-slash-size.
668
+ *
669
+ * A range request re-issues the `download()` with the resolved `{ offset, length }`
670
+ * window so R2 streams only those bytes back to the Worker — the slice is never
671
+ * buffered in the isolate. The first `download()` is used only for the object's
672
+ * size + metadata (its body is left unread and cancelled). For very large
673
+ * objects a signed URL (`ctx.storage.getSignedUrl`) is still cheaper since the
674
+ * client then ranges against R2/CDN directly with no Worker hop.
675
+ */
676
+ declare const serveStorageObject: (context: ContextWithStorage, key: string, request: Request) => Promise<Response>;
677
+ /** Handler for a connection-lifecycle hook. */
678
+ type LifecycleHandler = (context: MutationCtx, event: LifecycleEvent) => Promise<void> | void;
679
+ /** Register a hook that fires once when a client's WebSocket connects. */
680
+ declare const onConnect: (handler: LifecycleHandler) => RegisteredLifecycleHook;
681
+ /** Register a hook that fires once when a client's WebSocket disconnects. */
682
+ declare const onDisconnect: (handler: LifecycleHandler) => RegisteredLifecycleHook;
683
+ /**
684
+ * Context handed to a {@link MaskFn} (and to {@link MaskOptions.bypass}). The
685
+ * `auth` shape mirrors RLS's `PolicyContext.auth` one-for-one — same identity
686
+ * resolver, same `can(...)` permission check — so an author can branch a mask
687
+ * on the caller's role/permission. `row` is the full pre-mask row the column
688
+ * belongs to; `column` is the column currently being masked. Both are absent
689
+ * when the context is used for the procedure-wide `bypass` check (no specific
690
+ * cell is in play yet).
691
+ */
692
+ interface MaskContext<Context = unknown> {
693
+ readonly auth: {
694
+ /** `true` when any of the request's `roles` grants `permission` (see {@link MaskOptions.roles}). Fails closed for unregistered roles. */
695
+ readonly can: (permission: Permission | string) => boolean;
696
+ readonly identity?: Record<string, unknown> | null;
697
+ readonly roles: ReadonlyArray<string>;
698
+ readonly userId: null | string;
699
+ };
700
+ /** The column currently being masked. Present only inside a per-cell {@link MaskFn}. */
701
+ readonly column?: string;
702
+ readonly ctx: Context;
703
+ /** The full pre-mask row the masked cell belongs to. Present only inside a per-cell {@link MaskFn}. */
704
+ readonly row?: Record<string, unknown>;
705
+ }
706
+ /**
707
+ * A custom masking function. Receives the raw cell value and the
708
+ * {@link MaskContext}, returns the value to surface. Use it for partial masks
709
+ * (`maskMiddle(phone)`), role-aware reveals (`ctx.auth.can(...) ? value : null`),
710
+ * or format-preserving tokens. A function that **throws** fails closed — the
711
+ * cell is redacted to `null`, never leaked raw.
712
+ */
713
+ type MaskFn<Context = unknown> = (value: unknown, context: MaskContext<Context>) => unknown;
714
+ /**
715
+ * How a column is masked:
716
+ *
717
+ * - `"redact"` — drop the value to `null`. The simplest, safest strategy, and
718
+ * the right choice for any value that must actually be kept secret.
719
+ * - `"hash"` — replace with a stable token (unsalted 32-bit FNV-1a hex) so the
720
+ * same input always yields the same token (joinable/groupable client-side).
721
+ * **This is NOT a confidentiality control.** It is a non-cryptographic,
722
+ * unsalted, deterministic, narrow (~2^32) digest: low-entropy values (emails,
723
+ * phone numbers, SSNs) are brute-force-recoverable by the very caller you are
724
+ * masking from, and identical values always produce identical tokens across
725
+ * rows/columns/tenants (enabling correlation). Use `"hash"` ONLY when you want a
726
+ * stable pseudonym for grouping/joining and leaking the value is acceptable —
727
+ * never to hide sensitive PII. For PII that must stay hidden, use `"redact"`.
728
+ * - a {@link MaskFn} — author-defined transform (partial mask, role-aware reveal).
729
+ */
730
+ type MaskStrategy<Context = unknown> = "hash" | "redact" | MaskFn<Context>;
731
+ /** Per-column strategy map for one table: `{ email: "redact", phone: maskMiddle }`. */
732
+ type MaskColumns<Context = unknown> = Record<string, MaskStrategy<Context>>;
733
+ /**
734
+ * The mask declaration passed to `mask(...)`: a table → column → strategy map.
735
+ * Deliberately a plain object literal so the codegen feeder can statically read
736
+ * which columns a procedure masks (powering the `mask_uncovered_pii_column`
737
+ * advisor lint), exactly as the RLS feeder reads policy tables.
738
+ */
739
+ type MaskPolicies<Context = unknown> = Record<string, MaskColumns<Context>>;
740
+ /**
741
+ * Options for `mask(policies, options)`.
742
+ *
743
+ * - `roles` registers the role→permission grants that back `ctx.auth.can(...)`
744
+ * inside a {@link MaskFn} — identical to `rls(policies, { roles })`. A role
745
+ * not listed grants no permissions (fails closed for unknown roles).
746
+ * - `bypass` is a procedure-wide escape hatch: when it returns `true` the whole
747
+ * mask is skipped (the caller sees raw values). Use it for a privileged
748
+ * viewer — `bypass: ({ auth }) => auth.can("pii:view")`. Prefer this over
749
+ * branching every column when an entire class of caller should see clear data.
750
+ */
751
+ interface MaskOptions<Context = unknown> {
752
+ readonly bypass?: (context: MaskContext<Context>) => boolean;
753
+ readonly roles?: ReadonlyArray<Role>;
754
+ }
755
+ interface QueryPage$1 {
756
+ continueCursor: null | string;
757
+ isDone: boolean;
758
+ page: Record<string, unknown>[];
759
+ }
760
+ interface QueryArgs$1 {
761
+ baseWhere?: unknown;
762
+ cursor?: null | string;
763
+ limit?: number;
764
+ where?: unknown;
765
+ with?: Record<string, unknown>;
766
+ }
767
+ interface AggregateArgs$1 {
768
+ field?: string;
769
+ op: string;
770
+ }
771
+ interface GroupByArgs$1 {
772
+ agg?: {
773
+ field?: string;
774
+ op: string;
775
+ };
776
+ by: ReadonlyArray<string>;
777
+ }
778
+ interface TableReaderLike$1 {
779
+ collect: () => Promise<Record<string, unknown>[]>;
780
+ filter: (predicate: (document: Record<string, unknown>) => boolean) => TableReaderLike$1;
781
+ first: () => Promise<Record<string, unknown> | null>;
782
+ order: (direction: "asc" | "desc") => TableReaderLike$1;
783
+ paginate: (options: {
784
+ cursor?: null | string;
785
+ numItems: number;
786
+ }) => Promise<QueryPage$1>;
787
+ take: (limit: number) => Promise<Record<string, unknown>[]>;
788
+ unique: () => Promise<Record<string, unknown> | null>;
789
+ withIndex: (indexName: string, range?: (q: unknown) => unknown) => TableReaderLike$1;
790
+ withSearchIndex: (indexName: string, search: (q: unknown) => unknown) => TableReaderLike$1;
791
+ }
792
+ /**
793
+ * Structural projection of the runtime ORM writer — the same subset
794
+ * `../rls/middleware` mirrors, so the wrapper is interchangeable between
795
+ * `@lunora/do`'s and `@lunora/d1`'s `DatabaseWriterLike` without an
796
+ * inter-package dependency. `rankBefore` is optional (the D1 twin omits it).
797
+ */
798
+ interface MaskDatabase {
799
+ aggregate: (tableName: string, options: AggregateArgs$1) => Promise<null | number>;
800
+ count: (tableName: string, whereOrArgs?: unknown) => Promise<number>;
801
+ delete: (id: string, expectedTable?: string) => Promise<void>;
802
+ deleteMany: (ids: ReadonlyArray<string>, options?: {
803
+ limit?: number;
804
+ }) => Promise<{
805
+ deleted: number;
806
+ }>;
807
+ findFirst: (tableName: string, args?: QueryArgs$1) => Promise<Record<string, unknown> | null>;
808
+ findFirstOrThrow: (tableName: string, args?: QueryArgs$1) => Promise<Record<string, unknown>>;
809
+ findMany: (tableName: string, args?: QueryArgs$1) => Promise<QueryPage$1>;
810
+ get: (id: string, expectedTable?: string) => Promise<Record<string, unknown> | null>;
811
+ groupBy: (tableName: string, options: GroupByArgs$1) => Promise<ReadonlyArray<{
812
+ key: Record<string, unknown>;
813
+ value: null | number;
814
+ }>>;
815
+ insert: (tableName: string, document: Record<string, unknown>) => Promise<string>;
816
+ insertMany: (tableName: string, documents: ReadonlyArray<Record<string, unknown>>, options?: {
817
+ limit?: number;
818
+ }) => Promise<string[]>;
819
+ lookupById?: (id: string, expectedTable?: string) => Promise<null | {
820
+ row: Record<string, unknown>;
821
+ tableName: string;
822
+ }>;
823
+ patch: (id: string, patch: Record<string, unknown>, expectedTable?: string) => Promise<void>;
824
+ patchMany: (patches: ReadonlyArray<{
825
+ id: string;
826
+ patch: Record<string, unknown>;
827
+ }>, options?: {
828
+ limit?: number;
829
+ }) => Promise<void>;
830
+ query: (tableName: string) => TableReaderLike$1;
831
+ rank: (tableName: string, indexName: string, options: unknown) => Promise<null | {
832
+ position: number;
833
+ total: number;
834
+ }>;
835
+ rankBefore?: (tableName: string, indexName: string, options: unknown) => Promise<{
836
+ before: number;
837
+ total: number;
838
+ }>;
839
+ rankPage: (tableName: string, indexName: string, options?: unknown) => Promise<QueryPage$1>;
840
+ replace: (id: string, document: Record<string, unknown>, expectedTable?: string) => Promise<void>;
841
+ }
842
+ /** Roles list source on the context. Tolerant of older auth states (mirrors RLS's `AuthLike`). */
843
+ type AuthLike$1 = {
844
+ getIdentity?: () => Promise<Record<string, unknown> | null>;
845
+ roles?: ReadonlyArray<string>;
846
+ userId?: null | string;
847
+ };
848
+ interface MaskContextIn {
849
+ auth?: AuthLike$1;
850
+ db: MaskDatabase;
851
+ }
852
+ /**
853
+ * Procedure-builder middleware. Apply per-request via `.use(mask(policies))`.
854
+ * Closes over the policy map at builder-construction time; resolves identity +
855
+ * the `bypass` decision per call against the live ctx.
856
+ *
857
+ * IMPORTANT: a mask is in scope only for procedures whose builder chain
858
+ * includes this middleware — opt-in, never global (the same invariant as RLS).
859
+ */
860
+ declare const mask: <Context extends MaskContextIn = MaskContextIn>(policies: MaskPolicies<Context>, options?: MaskOptions<Context>) => Middleware<Context, Context>;
861
+ /**
862
+ * Online data-migration authoring API.
863
+ *
864
+ * `defineMigration` declares a per-document backfill over one table: `up`
865
+ * transforms every existing row, `down` (optional) reverses it. Unlike the D1
866
+ * SQL schema migrations in `@lunora/d1`, these run *inside each shard's*
867
+ * Durable Object against live documents, in keyset batches, and are resumable —
868
+ * the per-shard runner in `@lunora/do` tracks progress in a reserved
869
+ * `__lunora_migrations` table so an interrupted run picks up where it stopped.
870
+ *
871
+ * The returned object carries a `__lunoraMigration` brand so codegen can
872
+ * discover declarations through the type checker (mirroring the procedure
873
+ * builder's `__lunoraProcedure` brand) and emit them into a `LUNORA_MIGRATIONS`
874
+ * registry the DO and CLI look migrations up by id.
875
+ */
876
+ /** A document handed to a migration transform: the stored row including `_id`/`_creationTime`. */
877
+ type MigrationDocument = Record<string, unknown>;
878
+ /**
879
+ * Transform applied to one document. Return a new document to rewrite the row,
880
+ * or `undefined` to leave it untouched (skipped, not counted as changed). The
881
+ * runner always preserves the original `_id` and `_creationTime`, so the
882
+ * returned document neither needs to nor should change row identity.
883
+ */
884
+ type MigrationTransform = (document: MigrationDocument) => MigrationDocument | undefined | void;
885
+ interface MigrationDefinition {
886
+ /** Rows fetched and rewritten per batch. Defaults to the runner's batch size when omitted. */
887
+ readonly batchSize?: number;
888
+ /** Optional reverse transform, applied by `migrate down`. */
889
+ readonly down?: MigrationTransform;
890
+ /** Stable, unique identifier — the key per-shard run-state is tracked under. */
891
+ readonly id: string;
892
+ /** Table whose documents this migration iterates. */
893
+ readonly table: string;
894
+ /** Forward transform, applied to every row by `migrate up`. */
895
+ readonly up: MigrationTransform;
896
+ }
897
+ /** A {@link MigrationDefinition} plus the codegen discovery marker. */
898
+ interface RegisteredMigration extends MigrationDefinition {
899
+ readonly __lunoraMigration: true;
900
+ }
901
+ /** Declare an online data migration. See the module docs for runtime semantics. */
902
+ declare const defineMigration: (definition: MigrationDefinition) => RegisteredMigration;
903
+ /**
904
+ * A mutator declaration. `server` is authoritative; `client` is the optimistic
905
+ * twin (optional — omit it to let the optimistic write fall through to the
906
+ * server round-trip with no local preview). Both receive the same validated
907
+ * `args`.
908
+ */
909
+ interface MutatorDefinition<Args extends ValidatorMap = ValidatorMap, ServerContext = MutationCtx, ClientTx = unknown, R = unknown> {
910
+ /**
911
+ * Validator for the mutator's arguments. Validated on the DO before `server`
912
+ * runs and (when present) on the client before `client` runs, so both impls
913
+ * see the same parsed shape. Omit for a parameterless mutator.
914
+ */
915
+ readonly args?: Args;
916
+ /**
917
+ * Optimistic client implementation. Runs in a TanStack DB transaction
918
+ * against the local collections; its writes are applied immediately and
919
+ * automatically rolled back / rebased as the authoritative result syncs
920
+ * back. Pure and side-effect-free beyond the local store. Omit to skip the
921
+ * local preview.
922
+ */
923
+ readonly client?: (tx: ClientTx, args: InferValidatorMap<Args>) => Promise<void> | void;
924
+ /**
925
+ * Authoritative server implementation. Runs inside the shard DO with a full
926
+ * {@link MutationContext} (`ctx.db` writer); its writes append to `__cdc_log`
927
+ * and poke back to subscribers. This is the source of truth — the client
928
+ * impl is only a prediction of it.
929
+ */
930
+ readonly server: (context: ServerContext, args: InferValidatorMap<Args>) => Promise<R> | R;
931
+ }
932
+ /**
933
+ * A {@link MutatorDefinition} plus the codegen discovery marker and a
934
+ * dispatch-shaped `handler` (validates `args`, then runs `server`) so the DO
935
+ * invokes a mutator exactly like a registered procedure.
936
+ */
937
+ interface RegisteredMutator<Args extends ValidatorMap = ValidatorMap, ServerContext = MutationCtx, ClientTx = unknown, R = unknown> extends MutatorDefinition<Args, ServerContext, ClientTx, R> {
938
+ readonly __lunoraMutator: true;
939
+ /** Validate `rawArgs`, then run the authoritative `server` impl. Used by the DO push path. */
940
+ readonly handler: (context: ServerContext, rawArgs: Record<string, unknown>) => Promise<R>;
941
+ /**
942
+ * Marks the dispatch kind so codegen can register the mutator in the same
943
+ * `LUNORA_FUNCTIONS` table queries/mutations use — the DO's `handleRpc`
944
+ * reads `kind === "mutation"` to wrap the authoritative `server` impl in the
945
+ * shard's BEGIN/COMMIT span (all-or-nothing writes), exactly like an
946
+ * ordinary `mutation`.
947
+ */
948
+ readonly kind: "mutation";
949
+ }
950
+ /** Declare a custom mutator. See the module docs for runtime semantics. */
951
+ declare const defineMutator: <Args extends ValidatorMap = ValidatorMap, ServerContext = MutationCtx, ClientTx = unknown, R = unknown>(definition: MutatorDefinition<Args, ServerContext, ClientTx, R>) => RegisteredMutator<Args, ServerContext, ClientTx, R>;
952
+ /**
953
+ * The prefixed tables a single plugin `P` contributes, or an empty map when it
954
+ * ships no schema extension. Mirrors {@link PrefixedTables} at the plugin level
955
+ * so {@link InstalledTables} can fold a tuple of plugins.
956
+ */
957
+ type ExtensionTablesOf<P> = P extends {
958
+ readonly extension: SchemaExtension<infer X> & {
959
+ readonly key: infer K;
960
+ };
961
+ } ? K extends string ? PrefixedTables<X, K> : Record<never, never> : Record<never, never>;
962
+ /**
963
+ * Fold a tuple of plugins onto a base table map `T`, accumulating each plugin's
964
+ * auto-prefixed extension tables left-to-right — the type-level mirror of
965
+ * {@link installPlugins} applying `mergeSchemaExtension` for each plugin in turn.
966
+ */
967
+ type InstalledTables<T extends Record<string, TableDefinition>, Plugins extends ReadonlyArray<unknown>> = Plugins extends readonly [infer Head, ...infer Rest] ? InstalledTables<ExtensionTablesOf<Head> & T, Rest> : T;
968
+ /**
969
+ * Union every plugin's `ContextOut` in a tuple — the type-level mirror of the
970
+ * `ctx.api.&lt;key>` additions {@link composePluginMiddleware} accumulates as each
971
+ * plugin middleware runs. Independent of the incoming context, which the builder
972
+ * infers at the `.use(...)` site.
973
+ */
974
+ type ComposedOut<Plugins extends ReadonlyArray<unknown>> = Plugins extends readonly [infer Head, ...infer Rest] ? ComposedOut<Rest> & (Head extends Plugin<any, any, infer Out> ? Out : unknown) : unknown;
975
+ /**
976
+ * Schema fragment a plugin contributes. Same shape as the `tables` map
977
+ * passed to `defineSchema`. Optional `vectorIndexes` mirror the top-level
978
+ * `defineSchema` argument so a plugin can ship vector decls alongside its
979
+ * tables.
980
+ */
981
+ interface SchemaExtension<T extends Record<string, TableDefinition> = Record<string, TableDefinition>> {
982
+ /** Stable key identifying the plugin that owns this extension. */
983
+ readonly key: string;
984
+ /**
985
+ * Extension tables, keyed by **bare** name (e.g. `buckets`). At merge time
986
+ * each is auto-prefixed with `key` (`ratelimit_buckets`) so it can't
987
+ * collide with an app table; do **not** namespace manually.
988
+ */
989
+ readonly tables: T;
990
+ /**
991
+ * Optional standalone vector indexes the plugin ships, keyed by index
992
+ * name. Merged into the host schema's `vectorIndexes`; a key collision
993
+ * with the base schema is a hard error (same policy as tables).
994
+ */
995
+ readonly vectorIndexes?: Record<string, VectorIndexDefinition>;
996
+ }
997
+ /**
998
+ * Build a {@link SchemaExtension}. The `key` is a runtime tag (used for
999
+ * error messages on collision) and a type-level brand.
1000
+ */
1001
+ declare const defineSchemaExtension: <T extends Record<string, TableDefinition>>(key: string, options: {
1002
+ tables: T;
1003
+ vectorIndexes?: Record<string, VectorIndexDefinition>;
1004
+ }) => SchemaExtension<T>;
1005
+ /**
1006
+ * A plugin packages an optional schema extension and optional middleware.
1007
+ * Both are independently usable: an app can install only the schema (e.g.
1008
+ * for plugins that ship background workers but no per-request behavior)
1009
+ * or only the middleware (plugins that augment ctx without persistent
1010
+ * state).
1011
+ */
1012
+ interface Plugin<TExtension extends Record<string, TableDefinition> = Record<string, TableDefinition>, TContextIn = unknown, TContextOut = TContextIn> {
1013
+ /**
1014
+ * Optional schema extension. Apps install via
1015
+ * `defineSchema(...).extend(plugin.extension)`.
1016
+ */
1017
+ readonly extension?: SchemaExtension<TExtension>;
1018
+ /** Stable key identifying the plugin. Matches `extension.key` when set. */
1019
+ readonly key: string;
1020
+ /**
1021
+ * Optional middleware. Users attach with `c.query.use(plugin.middleware)`.
1022
+ * The middleware can extend `ctx`; convention is to attach helpers under
1023
+ * `ctx.api.&lt;key>`, e.g.
1024
+ *
1025
+ * ```ts
1026
+ * middleware: ({ ctx, next }) =>
1027
+ * next({ ctx: { api: { ...ctx.api, ratelimit: api } } })
1028
+ * ```
1029
+ */
1030
+ readonly middleware?: Middleware<TContextIn, TContextOut>;
1031
+ }
1032
+ /** Options to {@link definePlugin}. */
1033
+ interface DefinePluginOptions<TExtension extends Record<string, TableDefinition>, TContextIn, TContextOut> {
1034
+ extension?: SchemaExtension<TExtension>;
1035
+ middleware?: Middleware<TContextIn, TContextOut>;
1036
+ }
1037
+ /**
1038
+ * Package a schema extension + middleware as a reusable plugin. Either
1039
+ * field is optional — `definePlugin("foo", {})` is valid but degenerate.
1040
+ */
1041
+ declare const definePlugin: <TExtension extends Record<string, TableDefinition>, TContextIn = unknown, TContextOut = TContextIn>(key: string, options: DefinePluginOptions<TExtension, TContextIn, TContextOut>) => Plugin<TExtension, TContextIn, TContextOut>;
1042
+ /**
1043
+ * Bundle of registered functions a {@link Component} ships. Keys are the
1044
+ * function's local name (e.g. `check`, `reset`); the registered function
1045
+ * value carries its own kind / args / handler.
1046
+ *
1047
+ * Users re-export from their own lunora module so codegen picks them up:
1048
+ *
1049
+ * ```ts
1050
+ * // lunora/ratelimit.ts
1051
+ * import { ratelimit } from "@vendor/ratelimit-component";
1052
+ * export const { check, reset } = ratelimit.functions;
1053
+ * // Emits as `ratelimit:check` / `ratelimit:reset` in the generated `api`.
1054
+ * ```
1055
+ *
1056
+ * Codegen follows the re-export back to the bundled `query/mutation/action`
1057
+ * call (property access or destructuring both work), so the functions land in
1058
+ * the generated `api` under the re-exporting file's namespace.
1059
+ */
1060
+ type ComponentFunctions = Readonly<Record<string, RegisteredFunction<any, any, FunctionKind>>>;
1061
+ /**
1062
+ * Component = {@link Plugin} with a bundle of registered functions. The
1063
+ * extension + middleware + functions are independent: a component can ship
1064
+ * functions without a schema (e.g. a stateless utility), or a schema
1065
+ * without functions (e.g. shared table definitions), and any combination.
1066
+ */
1067
+ interface Component<TExtension extends Record<string, TableDefinition> = Record<string, TableDefinition>, TContextIn = unknown, TContextOut = TContextIn, F extends ComponentFunctions = ComponentFunctions> extends Plugin<TExtension, TContextIn, TContextOut> {
1068
+ readonly functions: F;
1069
+ }
1070
+ interface DefineComponentOptions<TExtension extends Record<string, TableDefinition>, TContextIn, TContextOut, F extends ComponentFunctions> extends DefinePluginOptions<TExtension, TContextIn, TContextOut> {
1071
+ /** Registered functions the component ships. Keys are the function's local name. */
1072
+ functions?: F;
1073
+ }
1074
+ /**
1075
+ * Convenience wrapper around {@link definePlugin} that also bundles a set
1076
+ * of registered functions. The resulting `component.functions` object is a
1077
+ * record of `name → registered query/mutation/action`; consumers
1078
+ * re-export entries so codegen discovers them as user functions:
1079
+ *
1080
+ * ```ts
1081
+ * export const ratelimit = defineComponent("ratelimit", {
1082
+ * // Bare `buckets` merges in as `ratelimit_buckets`.
1083
+ * extension: defineSchemaExtension("ratelimit", { tables: { buckets } }),
1084
+ * middleware: ({ ctx, next }) => next({ ctx: { ...ctx, ratelimit: api(ctx) } }),
1085
+ * functions: {
1086
+ * check: query.input({ key: v.string() }).query(async ({ ctx, args }) => ...),
1087
+ * reset: mutation.input({ key: v.string() }).mutation(async ({ ctx, args }) => ...),
1088
+ * },
1089
+ * });
1090
+ * ```
1091
+ *
1092
+ * Re-exporting an entry (by property access or destructuring) is enough for
1093
+ * codegen to discover it in the host app's namespace — the discovery resolver
1094
+ * chases the re-export back to the bundled registration call.
1095
+ */
1096
+ declare const defineComponent: <TExtension extends Record<string, TableDefinition>, TContextIn = unknown, TContextOut = TContextIn, F extends ComponentFunctions = ComponentFunctions>(key: string, options: DefineComponentOptions<TExtension, TContextIn, TContextOut, F>) => Component<TExtension, TContextIn, TContextOut, F>;
1097
+ /**
1098
+ * Map every key `K` of an extension's table map `X` to its auto-prefixed name
1099
+ * `${Key}_${K}`. Mirrors the runtime prefixing in {@link mergeSchemaExtension}
1100
+ * so the typed `.extend(...)` chain reflects the real merged table names.
1101
+ */
1102
+ type PrefixedTables<X extends Record<string, TableDefinition>, Key extends string> = { [K in keyof X as K extends string ? `${Key}_${K}` : K]: X[K] };
1103
+ /**
1104
+ * Merge a {@link SchemaExtension} into an existing schema. Returns a new
1105
+ * schema object — never mutates the input.
1106
+ *
1107
+ * Extension tables are auto-namespaced: each bare table name is prefixed with
1108
+ * the extension `key` (`buckets` → `ratelimit_buckets`), Convex-Components
1109
+ * style, and every intra-extension reference (relation targets, aggregate /
1110
+ * rank index `on`, standalone vector index `table`) is rewritten to match.
1111
+ * References to base/app tables are left untouched.
1112
+ *
1113
+ * Because each extension lives in its own `key` namespace, app↔component
1114
+ * collisions are impossible. The only remaining hard error is two extensions
1115
+ * sharing the same `key` and producing the same prefixed table (or vector
1116
+ * index) name — silent shadow would let one plugin hijack another's data.
1117
+ */
1118
+ declare const mergeSchemaExtension: <T extends Record<string, TableDefinition>, X extends Record<string, TableDefinition>, Key extends string = string>(base: Schema<T>, extension: SchemaExtension<X> & {
1119
+ readonly key: Key;
1120
+ }) => Schema<PrefixedTables<X, Key> & T>;
1121
+ /**
1122
+ * Install several plugins' schema extensions in one call — the one-shot
1123
+ * counterpart to chaining `defineSchema(...).extend(a).extend(b)`. Plugins
1124
+ * without an `extension` (middleware-only) are skipped; tables from those that
1125
+ * do are auto-prefixed and reference-rewritten exactly as
1126
+ * {@link mergeSchemaExtension} does for a single `.extend(...)`.
1127
+ *
1128
+ * ```ts
1129
+ * const schema = installPlugins(defineSchema({ todos }), [ratelimit, audit]);
1130
+ * // → todos + ratelimit_* + audit_*
1131
+ * ```
1132
+ *
1133
+ * Pair it with {@link composePluginMiddleware} to attach every plugin's
1134
+ * middleware in a single `.use(...)`, so installing N plugins is two calls
1135
+ * rather than N `.extend(...)` + N `.use(...)`.
1136
+ */
1137
+ declare const installPlugins: <T extends Record<string, TableDefinition>, const Plugins extends ReadonlyArray<Plugin<any, any, any>>>(base: Schema<T>, plugins: Plugins) => Schema<InstalledTables<T, Plugins>>;
1138
+ /**
1139
+ * Compose every plugin's middleware into a single middleware you attach with one
1140
+ * `.use(...)`. Plugins without middleware (schema-only) are skipped; the rest run
1141
+ * in array order, each seeing the context the previous one widened, so the final
1142
+ * `next({ ctx })` the builder receives carries every plugin's `ctx.api.&lt;key>`
1143
+ * additions. Equivalent to `.use(a.middleware).use(b.middleware)…` but as one
1144
+ * value, the middleware sibling of {@link installPlugins}.
1145
+ *
1146
+ * `ContextIn` is left free so the builder infers it from the context at the
1147
+ * `.use(...)` site; the result type widens it by the union of the plugins'
1148
+ * outputs.
1149
+ */
1150
+ declare const composePluginMiddleware: <ContextIn = unknown, const Plugins extends ReadonlyArray<Plugin<any, any, any>> = ReadonlyArray<Plugin<any, any, any>>>(plugins: Plugins) => Middleware<ContextIn, ComposedOut<Plugins> & ContextIn>;
1151
+ /** Options for `.vectorize(field, opts)` (DSL Shape A). */
1152
+ interface VectorizeOptions<Shape extends Record<string, Validator> = Record<string, Validator>> {
1153
+ dimensions: number;
1154
+ embed: VectorEmbedder;
1155
+ /** Logical index name; must match a `[[vectorize]]` binding in wrangler. */
1156
+ index: string;
1157
+ /** Fields mirrored into Vectorize metadata for filtering. */
1158
+ metadata?: ReadonlyArray<keyof Shape & string>;
1159
+ metric: VectorMetric;
1160
+ }
1161
+ /** A `one` (many-to-one) relation descriptor; phantom `Target` carries the target table name. */
1162
+ interface OneRelation<Target extends string = string> extends RelationDefinition {
1163
+ readonly __target?: Target;
1164
+ readonly kind: "one";
1165
+ }
1166
+ /** A `many` (one-to-many) relation descriptor; phantom `Target` carries the target table name. */
1167
+ interface ManyRelation<Target extends string = string> extends RelationDefinition {
1168
+ readonly __target?: Target;
1169
+ readonly kind: "many";
1170
+ }
1171
+ /** The `r` argument passed to `.relations((r) => …)`. */
1172
+ interface RelationBuilder {
1173
+ /** One-to-many: the FK `field` lives on the target table, matching this table's `references` (default `_id`). */
1174
+ many: <Target extends string>(table: Target, options: {
1175
+ field: string;
1176
+ references?: string;
1177
+ }) => ManyRelation<Target>;
1178
+ /** Many-to-one: the FK `field` lives on this table, pointing at `table`.`references` (default `_id`). */
1179
+ one: <Target extends string>(table: Target, options: {
1180
+ field: string;
1181
+ onDelete?: OnDeleteAction;
1182
+ references?: string;
1183
+ }) => OneRelation<Target>;
1184
+ }
1185
+ /**
1186
+ * Options for the inline `.aggregateIndex(name, opts)` builder. `op` defaults to
1187
+ * `count` so `aggregateIndex("byUser", { by: ["userId"] })` is a single-line
1188
+ * `COUNT(*) GROUP BY userId` accelerator.
1189
+ */
1190
+ interface InlineAggregateIndexOptions<Shape extends Record<string, Validator> = Record<string, Validator>> {
1191
+ /** Group keys; counter rows are one per distinct tuple. Omitted = single-row aggregate over the whole table. */
1192
+ by?: ReadonlyArray<keyof Shape & string>;
1193
+ /** The column the reducer applies to. Required for `sum`/`min`/`max`/`avg`; ignored for `count`. */
1194
+ field?: keyof Shape & string;
1195
+ /** Reducer (default `count`). */
1196
+ op?: AggregateOp;
1197
+ /** Static predicate baked into the counter — only matching rows are aggregated. */
1198
+ where?: Record<string, unknown>;
1199
+ }
1200
+ /**
1201
+ * Options for the inline `.rankIndex(name, opts)` builder. `sortBy` is required;
1202
+ * accepts either an array of `{ field, direction }` keys, or the shorthand
1203
+ * `["field"]` (asc) / `{ field: "desc" }` map entries. `partitionBy` scopes the
1204
+ * rank — omitted ⇒ one global rank over the whole table.
1205
+ */
1206
+ interface InlineRankIndexOptions<Shape extends Record<string, Validator> = Record<string, Validator>> {
1207
+ /** Columns that scope each ranking; omitted ⇒ one global rank. */
1208
+ partitionBy?: ReadonlyArray<keyof Shape & string>;
1209
+ /** Ordered sort keys driving the rank. Required. */
1210
+ sortBy: ReadonlyArray<{
1211
+ direction?: "asc" | "desc";
1212
+ field: keyof Shape & string;
1213
+ }>;
1214
+ /** Static predicate baked into the index; only matching rows enter. */
1215
+ where?: Record<string, unknown>;
1216
+ }
1217
+ interface TableBuilder<Shape extends Record<string, Validator> = Record<string, Validator>> extends TableDefinition<Shape> {
1218
+ /** Declare an aggregate (counter/sum/…) maintained by triggers for O(1) reads. */
1219
+ aggregateIndex: (name: string, options?: InlineAggregateIndexOptions<Shape>) => TableBuilder<Shape>;
1220
+ /**
1221
+ * Mark this table as written outside Lunora's discoverable insert path —
1222
+ * by an adapter, a migration, or framework middleware (e.g. `@lunora/auth`'s
1223
+ * better-auth tables, `@lunora/ratelimit`'s store). Advisor insert-path lints
1224
+ * (`table_without_insert`) then skip it instead of flagging the absent
1225
+ * `ctx.db.insert(...)`.
1226
+ */
1227
+ externallyManaged: () => TableBuilder<Shape>;
1228
+ /**
1229
+ * Mark this table as global (cross-shard). Backed by **D1** by default;
1230
+ * pass `{ backend: "hyperdrive" }` to store it in a Postgres/MySQL database
1231
+ * via Cloudflare Hyperdrive (PlanetScale, Neon, …) instead. Either way the
1232
+ * table stays reactive — live queries re-run on write.
1233
+ */
1234
+ global: (options?: {
1235
+ backend?: GlobalBackend;
1236
+ }) => TableBuilder<Shape>;
1237
+ /** Add a secondary index. */
1238
+ index: (name: string, fields: ReadonlyArray<string>, options?: {
1239
+ unique?: boolean;
1240
+ }) => TableBuilder<Shape>;
1241
+ /**
1242
+ * Opt this table OUT of secure-by-default RLS. Under a schema marked
1243
+ * `.rls("required")`, every table is protected (the write path denies raw,
1244
+ * non-RLS `ctx.db` access); calling `.public()` exempts this one table so a
1245
+ * plain `query`/`mutation` may read/write it without an RLS policy. No effect
1246
+ * when the schema does not require RLS.
1247
+ */
1248
+ public: () => TableBuilder<Shape>;
1249
+ /**
1250
+ * Declare a rank index (sorted companion table, btree-backed) for
1251
+ * `rank(row)` / `rankPage()` reads in O(log n). See {@link RankIndexDefinition}.
1252
+ */
1253
+ rankIndex: (name: string, options: InlineRankIndexOptions<Shape>) => TableBuilder<Shape>;
1254
+ /** Declare relations to other tables, loaded via `findMany({ with })`. */
1255
+ relations: (build: (r: RelationBuilder) => Record<string, RelationDefinition>) => TableBuilder<Shape>;
1256
+ /** Add a search index over a field with optional filter fields. */
1257
+ searchIndex: (name: string, options: {
1258
+ field: string;
1259
+ filterFields?: ReadonlyArray<string>;
1260
+ }) => TableBuilder<Shape>;
1261
+ /** Route storage by the named field — one DO per distinct value. */
1262
+ shardBy: (field: keyof Shape & string) => TableBuilder<Shape>;
1263
+ /**
1264
+ * Turn on soft delete. Adds a nullable timestamp column (`options.field`,
1265
+ * default `deletedAt`) and changes `ctx.db.&lt;table>.delete()` to **set** it
1266
+ * instead of removing the row; `onDelete: "cascade"` children are recursively
1267
+ * soft-deleted too. **List reads** (`findMany`/`findFirst`/`query()`/`count`/
1268
+ * `aggregate`/relation loads) then hide soft-deleted rows unless they pass
1269
+ * `includeDeleted: true`; by-id `get`/`patch`/`replace` and the new
1270
+ * `restore()` still address the row directly. `hardDelete()` physically
1271
+ * removes it (cascading as a real delete). Note: `includeDeleted` is a read
1272
+ * scope, not access control — anyone who can run the read can set it; a unique
1273
+ * index still rejects a new row that collides with a soft-deleted one (the row
1274
+ * physically persists).
1275
+ */
1276
+ softDelete: (options?: {
1277
+ field?: string;
1278
+ }) => TableBuilder<Shape>;
1279
+ /**
1280
+ * Materialize this table from an external Postgres/MySQL behind Cloudflare
1281
+ * Hyperdrive (plan 077). A system-driven poll loop reads the tenant slice
1282
+ * (`query`, with params bound from `tenantBy`) and lands it in the DO's SQLite,
1283
+ * after which `defineShape` carries it to clients unchanged. Implies
1284
+ * `.externallyManaged()` (rows come from the ingest loop, not user mutations).
1285
+ *
1286
+ * Orthogonal to `.shardBy()` — combine them for per-tenant DOs. **Under
1287
+ * `.shardBy()` `tenantBy` is mandatory** (the tenant-isolation boundary); the
1288
+ * `external_source_unscoped` advisor lint fails the build when it is absent, and
1289
+ * `external_source_on_global` rejects combining `.source()` with `.global()`.
1290
+ */
1291
+ source: (definition: ExternalSourceDefinition) => TableBuilder<Shape>;
1292
+ /** Declare named lifecycle triggers fired inline within the write path. */
1293
+ triggers: (build: (t: TriggerBuilder<Shape>) => Record<string, TriggerDefinition>) => TableBuilder<Shape>;
1294
+ /** Declare a vector index over a single text field on this table. */
1295
+ vectorize: (field: keyof Shape & string, options: VectorizeOptions<Shape>) => TableBuilder<Shape>;
1296
+ }
1297
+ /** Options for `defineVectorIndex(...)` (DSL Shape B). */
1298
+ interface VectorIndexOptions {
1299
+ dimensions: number;
1300
+ embed: VectorEmbedder;
1301
+ /** Optional projection of the source row into Vectorize metadata. */
1302
+ metadata?: (row: Record<string, unknown>) => Record<string, unknown>;
1303
+ metric: VectorMetric;
1304
+ /** The vector source: which table, and how to derive the embedded text. */
1305
+ source: {
1306
+ select: (row: Record<string, unknown>) => string;
1307
+ table: string;
1308
+ };
1309
+ }
1310
+ /**
1311
+ * Build a table definition. Returned object is both the table definition (for
1312
+ * `defineSchema`) and a fluent builder for indexes + sharding metadata.
1313
+ */
1314
+ declare const defineTable: <Shape extends Record<string, Validator>>(inputShape: Shape) => TableBuilder<Shape>;
1315
+ /**
1316
+ * Declare a standalone vector index (DSL Shape B). Pass the returned value in
1317
+ * the `vectorIndexes` map of {@link defineSchema} when the source is derived
1318
+ * from multiple fields or a computation rather than a single column.
1319
+ */
1320
+ declare const defineVectorIndex: (options: VectorIndexOptions) => VectorIndexDefinition;
1321
+ /**
1322
+ * Options for the standalone `defineAggregateIndex(name, opts)` helper (DSL
1323
+ * Shape B). Unlike the inline `.aggregateIndex(...)` builder, this form takes
1324
+ * the owning table explicitly via `on` — handy when a single counter wants to
1325
+ * live next to the schema map rather than inside a table chain.
1326
+ */
1327
+ interface AggregateIndexOptions {
1328
+ by?: ReadonlyArray<string>;
1329
+ field?: string;
1330
+ on: string;
1331
+ op?: AggregateOp;
1332
+ where?: Record<string, unknown>;
1333
+ }
1334
+ /**
1335
+ * Declare a standalone aggregate index. Pass the returned value to
1336
+ * `defineSchema(tables, vectorIndexes, aggregateIndexes)` keyed by index name —
1337
+ * the schema attaches it to `tables[on].aggregateIndexes` so runtime consumers
1338
+ * (DO + D1) read every index uniformly off the table definition.
1339
+ */
1340
+ declare const defineAggregateIndex: (name: string, options: AggregateIndexOptions) => AggregateIndexDefinition;
1341
+ /**
1342
+ * Options for the standalone `defineRankIndex(name, opts)` helper (DSL Shape B).
1343
+ * Mirrors the inline `.rankIndex(...)` builder but takes the owning table via
1344
+ * `table` so it can sit next to the schema map.
1345
+ */
1346
+ interface RankIndexOptions {
1347
+ partitionBy?: ReadonlyArray<string>;
1348
+ sortBy: ReadonlyArray<{
1349
+ direction?: "asc" | "desc";
1350
+ field: string;
1351
+ }>;
1352
+ table: string;
1353
+ where?: Record<string, unknown>;
1354
+ }
1355
+ /**
1356
+ * Declare a standalone rank index. Pass the returned value to
1357
+ * `defineSchema(tables, vectorIndexes, aggregateIndexes, rankIndexes)` keyed
1358
+ * by index name — the schema attaches it to `tables[on].rankIndexes`.
1359
+ */
1360
+ declare const defineRankIndex: (name: string, options: RankIndexOptions) => RankIndexDefinition;
1361
+ /**
1362
+ * Build the application schema. The first argument is the table map; the
1363
+ * optional second argument registers standalone `defineVectorIndex(...)`
1364
+ * declarations (DSL Shape B) keyed by index name. The optional third argument
1365
+ * registers standalone `defineAggregateIndex(...)` declarations (DSL Shape B);
1366
+ * the optional fourth argument registers standalone `defineRankIndex(...)`
1367
+ * declarations. Both are folded into the matching `tables[on].*Indexes` array
1368
+ * so runtime backends read every index uniformly off the table definition.
1369
+ */
1370
+ /**
1371
+ * Schema with an in-place `.extend(plugin.extension)` method. Used so apps
1372
+ * can compose plugin schemas: `defineSchema({...}).extend(authPlugin.extension)`.
1373
+ *
1374
+ * `extend` is non-mutating — returns a fresh `ExtendableSchema` containing
1375
+ * the merged tables. Extension tables are auto-namespaced by the extension
1376
+ * `key` (`buckets` → `ratelimit_buckets`), so the merged type carries the
1377
+ * prefixed names via {@link PrefixedTables}. Chains:
1378
+ * `defineSchema(...).extend(a).extend(b)` is the typed equivalent of merging
1379
+ * `a`'s prefixed tables then `b`'s.
1380
+ */
1381
+ type ExtendableSchema<T extends Record<string, TableDefinition>> = {
1382
+ extend: <X extends Record<string, TableDefinition>, Key extends string>(extension: SchemaExtension<X> & {
1383
+ readonly key: Key;
1384
+ }) => ExtendableSchema<PrefixedTables<X, Key> & T>;
1385
+ /**
1386
+ * Pin every Durable Object the app reaches — shards, fan-out, subscriptions,
1387
+ * the scheduler, and `ctx.containers` — to a Cloudflare data-residency
1388
+ * jurisdiction (`"eu"`, `"us"`, `"fedramp"`). Codegen reads this off the
1389
+ * schema and emits it into the generated worker's `createWorker({ jurisdiction })`
1390
+ * (and `ctx.scheduler` / `ctx.containers`). Non-mutating: returns a fresh
1391
+ * `ExtendableSchema`, so it composes with `.rls(...)` / `.extend(...)` in any order.
1392
+ *
1393
+ * ⚠️ **Set this once, before your first deploy — changing or removing it
1394
+ * strands data.** A Durable Object name maps to a *different* ID in each
1395
+ * jurisdiction, so toggling this on an existing app makes every shard, scheduler
1396
+ * job, and session DO resolve to a NEW, empty DO; the previous data stays in the
1397
+ * old jurisdiction's DOs and is no longer reachable. There is no in-place
1398
+ * migration — you would have to export from the old jurisdiction and import
1399
+ * into the new one.
1400
+ *
1401
+ * Note: this pins **DO-backed** state only. D1-backed state — `.global()`
1402
+ * tables and `@lunora/auth` sessions alike — is governed by D1's own location
1403
+ * settings, not this option.
1404
+ * @see https://developers.cloudflare.com/durable-objects/reference/data-location/
1405
+ */
1406
+ jurisdiction: (jurisdiction: DurableObjectJurisdiction) => ExtendableSchema<T>;
1407
+ /**
1408
+ * Turn on secure-by-default RLS for the whole schema. Every table is then
1409
+ * protected — the DO/D1 write path denies raw, non-RLS `ctx.db` access, so a
1410
+ * procedure that forgets `.use(rls(...))` fails closed. Opt a table out with
1411
+ * `.public()`. Non-mutating: returns a fresh `ExtendableSchema` carrying the
1412
+ * mode, so `.rls("required")` composes with `.extend(...)` either order.
1413
+ */
1414
+ rls: (mode: "required") => ExtendableSchema<T>;
1415
+ } & Schema<T>;
1416
+ declare const defineSchema: <T extends Record<string, TableDefinition>>(tables: T, vectorIndexes?: Record<string, VectorIndexDefinition>, aggregateIndexes?: Record<string, AggregateIndexDefinition>, rankIndexes?: Record<string, RankIndexDefinition>) => ExtendableSchema<T>;
1417
+ /** Default time-to-live for a presence row: a heartbeat keeps a member "present" for this long. */
1418
+ declare const DEFAULT_TTL_MS = 3e4;
1419
+ declare const PRESENCE_BARE_TABLE = "present";
1420
+ /**
1421
+ * The prefixed table name the extension produces at merge time. The handlers
1422
+ * read/write this name directly so they always agree with the merged schema.
1423
+ */
1424
+ declare const PRESENCE_TABLE: "presence_present";
1425
+ /**
1426
+ * A single present member as returned by `listPresent`.
1427
+ *
1428
+ * Note: the raw client-chosen `sessionId` is deliberately NOT surfaced. It is a
1429
+ * connection secret — disclosing every member's `sessionId` would let any
1430
+ * subscriber enumerate them and target the heartbeat / disconnect write paths.
1431
+ * A "who's here" UI needs only `userId` + awareness `data`; the caller already
1432
+ * knows its own session id locally (the `usePresence` hook returns it).
1433
+ */
1434
+ interface PresenceMember {
1435
+ /** Opaque awareness blob (selection, cursor, name, color…). */
1436
+ data?: Record<string, unknown>;
1437
+ /** Last heartbeat time (epoch ms). */
1438
+ lastSeen: number;
1439
+ /** The room / channel / document this presence is scoped to. */
1440
+ roomId: string;
1441
+ /** Authenticated user id, when known. */
1442
+ userId?: string;
1443
+ }
1444
+ /** Options for {@link definePresence}. */
1445
+ interface DefinePresenceOptions {
1446
+ /**
1447
+ * Grace window (ms) before a gracefully-closed session is dropped from the
1448
+ * present list. When `0` (the default), `onDisconnect` hard-deletes the
1449
+ * session's row the instant its socket closes. When `> 0`, the row is
1450
+ * instead aged so the read-time TTL filter hides it `disconnectGraceMs`
1451
+ * from now — a reconnect with the same `sessionId` within the window
1452
+ * re-heartbeats and restores full presence with no visible flicker (the
1453
+ * AnyCable `presence_ttl` behaviour). Clamped to `ttlMs`.
1454
+ */
1455
+ disconnectGraceMs?: number;
1456
+ /**
1457
+ * How long (ms) a heartbeat keeps a member present. `listPresent` excludes
1458
+ * rows whose `lastSeen` is older than `now - ttlMs`. Defaults to 30s.
1459
+ */
1460
+ ttlMs?: number;
1461
+ }
1462
+ /** The registered functions a presence component ships. */
1463
+ interface PresenceFunctions {
1464
+ /**
1465
+ * Connection-lifecycle hook: the instant a client's WebSocket drops, hard-
1466
+ * delete its presence row so it disappears from `listPresent` with no TTL
1467
+ * lag. Targets the row by the `{ roomId, sessionId }` the client passed as
1468
+ * the connection `context`, and only deletes it when the disconnecting
1469
+ * VERIFIED identity owns the row (so a forged context can't evict another
1470
+ * member). The TTL filter + `sweep` remain the fallback for ungraceful drops
1471
+ * where no `context` was recorded.
1472
+ */
1473
+ disconnect: RegisteredLifecycleHook;
1474
+ /**
1475
+ * Upsert the caller's presence row for `roomId` and stamp `lastSeen = now`.
1476
+ * Keyed by `(roomId, sessionId)` — re-heartbeats patch the existing row so
1477
+ * subscribers receive a single-row delta, not a churn of insert/delete. A
1478
+ * heartbeat may only patch a row owned by the same identity (an existing row
1479
+ * held by a different `userId` is refused with `FORBIDDEN`), so a client
1480
+ * can't overwrite another member's awareness data via a guessed `sessionId`.
1481
+ */
1482
+ heartbeat: RegisteredMutation<{
1483
+ data: ReturnType<typeof v.optional>;
1484
+ roomId: ReturnType<typeof v.string>;
1485
+ sessionId: ReturnType<typeof v.string>;
1486
+ }, {
1487
+ lastSeen: number;
1488
+ }>;
1489
+ /**
1490
+ * Live query returning the non-expired members of `roomId`, newest heartbeat
1491
+ * first. Subscribe to it for a reactive "who's here" list.
1492
+ */
1493
+ listPresent: RegisteredQuery<{
1494
+ roomId: ReturnType<typeof v.string>;
1495
+ }, PresenceMember[]>;
1496
+ /**
1497
+ * Internal mutation that hard-deletes every expired row for `roomId`. Stale
1498
+ * rows already vanish from `listPresent` via the read-time TTL filter; this
1499
+ * only reclaims storage. Schedule it (cron / `runAfter`) if you care.
1500
+ */
1501
+ sweep: RegisteredMutation<{
1502
+ roomId: ReturnType<typeof v.string>;
1503
+ }, {
1504
+ deleted: number;
1505
+ }>;
1506
+ }
1507
+ /** The component shape `definePresence` returns: the presence extension + typed functions. */
1508
+ type PresenceComponent = Component<{
1509
+ [PRESENCE_BARE_TABLE]: ReturnType<typeof defineTable>;
1510
+ }> & {
1511
+ functions: PresenceFunctions;
1512
+ };
1513
+ /**
1514
+ * The presence schema extension: a single `present` table, auto-namespaced to
1515
+ * `presence_present` at merge time, indexed by `(roomId, sessionId)` for the
1516
+ * heartbeat upsert and by `roomId` for `listPresent`.
1517
+ */
1518
+ declare const presenceExtension: SchemaExtension<{
1519
+ [PRESENCE_BARE_TABLE]: ReturnType<typeof defineTable>;
1520
+ }>;
1521
+ declare const definePresence: (options?: DefinePresenceOptions) => PresenceComponent;
1522
+ /**
1523
+ * The middlewares `protectPublic` chains, in the order they run. Every field is
1524
+ * optional, so a bundle can be just a rate limit, just a captcha, or any mix —
1525
+ * pass the already-constructed middlewares (e.g. `rateLimit(limiter, "signup")`
1526
+ * from `@lunora/ratelimit`, `verifyTurnstileMiddleware({...})` from
1527
+ * `@lunora/auth`). They are accepted as values rather than imported here so
1528
+ * `@lunora/server` keeps no dependency on those packages (which depend on it).
1529
+ */
1530
+ interface ProtectPublicOptions<Context> {
1531
+ /**
1532
+ * A CAPTCHA / bot check, run after the rate limit. Placed second on purpose:
1533
+ * an obvious flood is cheaper to reject with the in-memory limiter than with
1534
+ * a Turnstile siteverify round-trip.
1535
+ */
1536
+ captcha?: Middleware<Context, Context>;
1537
+ /**
1538
+ * A rate limit, run first. Cheapest gate, so it sheds obvious abuse before
1539
+ * any network-bound check below it runs.
1540
+ */
1541
+ rateLimit?: Middleware<Context, Context>;
1542
+ /** Extra middlewares appended after `rateLimit` and `captcha`, in order. */
1543
+ use?: ReadonlyArray<Middleware<Context, Context>>;
1544
+ }
1545
+ /**
1546
+ * Compose the recommended public-procedure protections into a single
1547
+ * `.use()`-able middleware. It is thin sugar over middleware composition — no
1548
+ * new enforcement engine — chaining (in order) a rate limit, a CAPTCHA check,
1549
+ * and any extra middlewares so a public mutation that creates users, sends
1550
+ * mail, or consumes credits is guarded in one attachment:
1551
+ *
1552
+ * ```ts
1553
+ * export const signUp = mutation
1554
+ * .use(protectPublic({
1555
+ * rateLimit: rateLimit(limiter, "signup"),
1556
+ * captcha: verifyTurnstileMiddleware({ secret: env.TURNSTILE_SECRET_KEY, token: (c) => c.args.captchaToken }),
1557
+ * }))
1558
+ * .handler(async (ctx, args) => { ... });
1559
+ * ```
1560
+ *
1561
+ * The bundle is context-preserving — each inner middleware leaves the context
1562
+ * unchanged — so it slots into any `.use()` chain without reshaping the
1563
+ * procedure context. Omitted fields are skipped; an empty bundle is a
1564
+ * transparent pass-through.
1565
+ */
1566
+ declare const protectPublic: <Context>(options: ProtectPublicOptions<Context>) => Middleware<Context, Context>;
1567
+ declare const definePolicy: <Context = unknown>(input: DefinePolicyInput<Context>) => Policy<Context>;
1568
+ /**
1569
+ * Build a project-bound, relation-aware `definePolicy` typed against the
1570
+ * generated `DataModel` (`DM`) + `Relations` (`REL`) maps. Codegen emits a
1571
+ * `createPolicyDsl&lt;DataModel, Relations>()` binding into `_generated/server.ts`,
1572
+ * so importing `definePolicy` from the generated module constrains `table` to a
1573
+ * real table name and type-checks the `when` predicate — including Prisma-style
1574
+ * relation predicates (`is`/`some`/…) the `@lunora/do` pre-resolver now resolves
1575
+ * on reads. The runtime is byte-for-byte the untyped {@link definePolicy}; only
1576
+ * the compile-time surface narrows, so a policy authored either way is
1577
+ * discovered identically by the `rls()` chain.
1578
+ */
1579
+ declare const createPolicyDsl: <DM, REL extends Record<keyof DM, object>>() => <T extends keyof DM, Context = unknown>(input: TypedDefinePolicyInput<DM, REL, T, Context>) => Policy<Context>;
1580
+ /**
1581
+ * Declare a named permission a policy can check with `ctx.auth.can(...)`. Grant
1582
+ * it to a role through `defineRole`'s `permissions`, register those roles with
1583
+ * the middleware via `rls(policies, { roles })`, then check it in a policy with
1584
+ * `when: ({ auth }) => auth.can(permission)`. See the `./index` JSDoc for a
1585
+ * worked example.
1586
+ */
1587
+ declare const definePermission: (name: string, options?: Omit<Permission, "name">) => Permission;
1588
+ /**
1589
+ * Collect a list of policies into the structure the `rls()` middleware
1590
+ * consumes. Multiple read policies on the same table OR together (any one
1591
+ * matching reveals the row); multiple write policies for the same `(table,
1592
+ * op)` AND together (every one must allow). The middleware keeps them in order
1593
+ * and decides — see `./middleware`.
1594
+ *
1595
+ * Validates against an **accidentally duplicated policy** — the same
1596
+ * `(table, on)` registered with the *same* decision function (a copy-paste, or
1597
+ * the same policy object spread in twice). Because multiple DISTINCT policies
1598
+ * per `(table, on)` are intentional, the check keys on the `when` reference too:
1599
+ * only a reference-identical `when` for the same `(table, on)` is a real
1600
+ * duplicate. Throws at module load so the misconfiguration surfaces immediately
1601
+ * rather than as a silently double-evaluated predicate at request time.
1602
+ */
1603
+ declare const definePolicies: <Context = unknown>(policies: ReadonlyArray<Policy<Context>>) => ReadonlyArray<Policy<Context>>;
1604
+ declare const defineRole: (name: string, options?: Omit<Role, "name">) => Role;
1605
+ /**
1606
+ * Structural mirror of `@lunora/do`'s `QueryArgs` and `CountArgs`. The
1607
+ * runtime ORM in `@lunora/do`/`@lunora/d1` reads `baseWhere` /
1608
+ * `restrictsCounts` straight off these option objects, so as long as the
1609
+ * fields here stay name-compatible the wrapper is portable across the two
1610
+ * dialects without an inter-package dependency.
1611
+ */
1612
+ interface QueryArgs {
1613
+ baseWhere?: WhereInput;
1614
+ cursor?: null | string;
1615
+ limit?: number;
1616
+ orderBy?: ReadonlyArray<unknown>;
1617
+ /**
1618
+ * Per-target-table read filter the RLS wrapper attaches so a `with` relation
1619
+ * is policy-filtered on its own hop (see `@lunora/do`'s `QueryArgs`). Mirrors
1620
+ * the top-level read: `(table) => readBase(table).baseWhere`.
1621
+ */
1622
+ relationBaseWhere?: (table: string) => undefined | WhereInput;
1623
+ restrictsCounts?: boolean;
1624
+ where?: WhereInput;
1625
+ with?: Record<string, unknown>;
1626
+ }
1627
+ interface CountArgs {
1628
+ baseWhere?: WhereInput;
1629
+ relationBaseWhere?: (table: string) => undefined | WhereInput;
1630
+ restrictsCounts?: boolean;
1631
+ where?: WhereInput;
1632
+ }
1633
+ /** Structural mirror of `@lunora/do`'s `AggregateOptions` — only the fields the wrapper touches. */
1634
+ interface AggregateArgs {
1635
+ baseWhere?: WhereInput;
1636
+ field?: string;
1637
+ op: string;
1638
+ relationBaseWhere?: (table: string) => undefined | WhereInput;
1639
+ restrictsCounts?: boolean;
1640
+ where?: WhereInput;
1641
+ }
1642
+ /** Structural mirror of `@lunora/do`'s `GroupByOptions`. */
1643
+ interface GroupByArgs {
1644
+ agg?: {
1645
+ field?: string;
1646
+ op: string;
1647
+ };
1648
+ baseWhere?: WhereInput;
1649
+ by: ReadonlyArray<string>;
1650
+ relationBaseWhere?: (table: string) => undefined | WhereInput;
1651
+ restrictsCounts?: boolean;
1652
+ where?: WhereInput;
1653
+ }
1654
+ /** Structural mirror of `@lunora/do`'s `RankOptions`. */
1655
+ interface RankArgs {
1656
+ baseWhere?: WhereInput;
1657
+ restrictsCounts?: boolean;
1658
+ row: Record<string, unknown> | string;
1659
+ where?: WhereInput;
1660
+ }
1661
+ /** Structural mirror of `@lunora/do`'s `RankBeforeOptions`. */
1662
+ interface RankBeforeArgs {
1663
+ partitionKey: string;
1664
+ restrictsCounts?: boolean;
1665
+ rowId: string;
1666
+ sortValues: ReadonlyArray<unknown>;
1667
+ }
1668
+ /** Structural mirror of `@lunora/do`'s `RankPageOptions`. */
1669
+ interface RankPageArgs {
1670
+ baseWhere?: WhereInput;
1671
+ cursor?: null | string;
1672
+ restrictsCounts?: boolean;
1673
+ take?: number;
1674
+ where?: WhereInput;
1675
+ }
1676
+ interface QueryPage {
1677
+ continueCursor: null | string;
1678
+ isDone: boolean;
1679
+ page: Record<string, unknown>[];
1680
+ }
1681
+ interface TableReaderLike {
1682
+ collect: () => Promise<Record<string, unknown>[]>;
1683
+ filter: (predicate: (document: Record<string, unknown>) => boolean) => TableReaderLike;
1684
+ first: () => Promise<Record<string, unknown> | null>;
1685
+ paginate: (options: {
1686
+ cursor?: null | string;
1687
+ numItems: number;
1688
+ }) => Promise<QueryPage>;
1689
+ take: (limit: number) => Promise<Record<string, unknown>[]>;
1690
+ withIndex: (indexName: string, range?: (q: unknown) => unknown) => TableReaderLike;
1691
+ withSearchIndex: (indexName: string, search: (q: unknown) => unknown) => TableReaderLike;
1692
+ }
1693
+ /**
1694
+ * Structural projection of the runtime ORM writer. The wrapper relies only
1695
+ * on these fields, so it's interchangeable between `@lunora/do`'s
1696
+ * `DatabaseWriterLike` and `@lunora/d1`'s `DatabaseWriterLike`.
1697
+ */
1698
+ interface DatabaseWriterLike {
1699
+ /**
1700
+ * Reduce matching rows to a scalar. The RLS wrapper AND-merges the read
1701
+ * `baseWhere` into `options` so the reduction only sees policy-visible rows
1702
+ * (safe: an aggregate scoped to `where` never reveals a hidden row — see
1703
+ * `@lunora/do`'s `RestrictableQueryOptions`). Required: the only writer ever
1704
+ * wrapped is `@lunora/do`'s `createShardCtxDb`, which always implements it.
1705
+ */
1706
+ aggregate: (tableName: string, options: AggregateArgs) => Promise<null | number>;
1707
+ count: (tableName: string, whereOrArgs?: CountArgs | WhereInput) => Promise<number>;
1708
+ delete: (id: string, expectedTable?: string, options?: {
1709
+ hard?: boolean;
1710
+ }) => Promise<void>;
1711
+ deleteMany: (ids: ReadonlyArray<string>, options?: {
1712
+ limit?: number;
1713
+ }, expectedTable?: string) => Promise<{
1714
+ deleted: number;
1715
+ }>;
1716
+ findFirst: (tableName: string, args?: QueryArgs) => Promise<Record<string, unknown> | null>;
1717
+ findFirstOrThrow: (tableName: string, args?: QueryArgs) => Promise<Record<string, unknown>>;
1718
+ findMany: (tableName: string, args?: QueryArgs) => Promise<QueryPage>;
1719
+ get: (id: string, expectedTable?: string) => Promise<Record<string, unknown> | null>;
1720
+ /**
1721
+ * Group + reduce. Same `baseWhere` injection as `aggregate`: the per-group
1722
+ * reduction is scoped to policy-visible rows, so a group count tallies only
1723
+ * rows the caller may read. Required for the same reason as `aggregate`.
1724
+ */
1725
+ groupBy: (tableName: string, options: GroupByArgs) => Promise<ReadonlyArray<{
1726
+ key: Record<string, unknown>;
1727
+ value: null | number;
1728
+ }>>;
1729
+ insert: (tableName: string, document: Record<string, unknown>) => Promise<string>;
1730
+ insertMany: (tableName: string, documents: ReadonlyArray<Record<string, unknown>>, options?: {
1731
+ limit?: number;
1732
+ }) => Promise<string[]>;
1733
+ insertManyUnsafe: (tableName: string, documents: ReadonlyArray<Record<string, unknown>>, options?: {
1734
+ allowExplicitId?: boolean;
1735
+ limit?: number;
1736
+ }) => Promise<string[]>;
1737
+ /**
1738
+ * Optional table-aware lookup. The underlying writer (e.g. `@lunora/do`)
1739
+ * already knows the owning table of an id internally, so it can return
1740
+ * `{ row, tableName }` in a single round-trip. When present, the RLS wrapper
1741
+ * uses it to collapse the per-call membership-probe fan-out (1 `get` + N
1742
+ * `findFirst` across every policy table) down to one lookup. Writers that
1743
+ * don't implement it fall back to the probe path.
1744
+ */
1745
+ lookupById?: (id: string, expectedTable?: string) => Promise<null | {
1746
+ row: Record<string, unknown>;
1747
+ tableName: string;
1748
+ }>;
1749
+ patch: (id: string, patch: Record<string, unknown>, expectedTable?: string) => Promise<void>;
1750
+ patchMany: (patches: ReadonlyArray<{
1751
+ id: string;
1752
+ patch: Record<string, unknown>;
1753
+ }>, options?: {
1754
+ limit?: number;
1755
+ }, expectedTable?: string) => Promise<void>;
1756
+ query: (tableName: string) => TableReaderLike;
1757
+ /**
1758
+ * Rank a row within its partition. A position is a count-of-rows-before, so
1759
+ * — exactly like `count()` — it can't be trusted in an RLS-restricted
1760
+ * reader: the wrapper fails it closed with `COUNT_RLS_UNSUPPORTED`. Required
1761
+ * for the same reason as `aggregate`.
1762
+ */
1763
+ rank: (tableName: string, indexName: string, options: RankArgs) => Promise<null | {
1764
+ position: number;
1765
+ total: number;
1766
+ }>;
1767
+ /** Cross-shard rank primitive — same count-of-before RLS hazard as `rank`; failed closed under a read policy. */
1768
+ rankBefore?: (tableName: string, indexName: string, options: RankBeforeArgs) => Promise<{
1769
+ before: number;
1770
+ total: number;
1771
+ }>;
1772
+ /**
1773
+ * Sorted pagination over a rank companion. The companion stores only the
1774
+ * partition + sort keys + id, so an arbitrary read `baseWhere` can't be
1775
+ * enforced against it (and re-filtering the fetched rows would break page
1776
+ * sizing). RLS therefore fails it closed rather than leak hidden rows.
1777
+ * Required for the same reason as `aggregate`.
1778
+ */
1779
+ rankPage: (tableName: string, indexName: string, options?: RankPageArgs) => Promise<QueryPage>;
1780
+ replace: (id: string, document: Record<string, unknown>, expectedTable?: string) => Promise<void>;
1781
+ restore?: (id: string, expectedTable?: string) => Promise<void>;
1782
+ }
1783
+ /**
1784
+ * What a procedure's `ctx.db` must structurally satisfy for the middleware
1785
+ * to wrap it. We deliberately mirror `@lunora/do`'s `DatabaseWriterLike`
1786
+ * rather than `@lunora/server`'s nominal `DatabaseWriter`/`DatabaseReader`:
1787
+ * the runtime adapter that flows in is the `DatabaseWriterLike`-shaped one,
1788
+ * and structural matching keeps this module free of an `@lunora/do`-typed
1789
+ * `ctx`.
1790
+ */
1791
+ type RlsDatabase = DatabaseWriterLike;
1792
+ /** Roles list source on the context. Tolerant of older auth states. */
1793
+ type AuthLike = {
1794
+ getIdentity?: () => Promise<Record<string, unknown> | null>;
1795
+ roles?: ReadonlyArray<string>;
1796
+ userId?: null | string;
1797
+ };
1798
+ /** Minimal shape the middleware needs on the incoming ctx. */
1799
+ interface RlsContextIn {
1800
+ auth?: AuthLike;
1801
+ db: RlsDatabase;
1802
+ }
1803
+ declare const rls: <Context extends RlsContextIn = RlsContextIn>(policies: ReadonlyArray<Policy<Context>>, options?: RlsOptions) => Middleware<Context, Context>;
1804
+ /**
1805
+ * One `rls()` tag's read policies for a table, paired with the role→permission
1806
+ * grants of that SAME middleware. Keeping the role map per-group is what lets a
1807
+ * policy's `auth.can(...)` resolve against its own middleware's roles — never a
1808
+ * permission registered on a different `rls()` step.
1809
+ */
1810
+ interface ScopedReadPolicies {
1811
+ readonly policies: ReadonlyArray<Policy>;
1812
+ readonly rolePermissions: ReadonlyMap<string, ReadonlySet<string>>;
1813
+ }
1814
+ /** Table-indexed read-policy groups, each scoped to the roles of the rls() middleware that declared it. */
1815
+ interface RlsReadRegistry {
1816
+ readonly byTable: ReadonlyMap<string, ReadonlyArray<ScopedReadPolicies>>;
1817
+ }
1818
+ /** The trusted, server-resolved facts a shape's RLS evaluation runs under. */
1819
+ interface ShapeReadWhereRequest {
1820
+ /** The shape ctx (the procedure context a policy `when` reads as `ctx`). */
1821
+ readonly ctx: unknown;
1822
+ /** Resolved identity claims (the socket's verified identity), or `null` when anonymous. */
1823
+ readonly identity: Record<string, unknown> | null;
1824
+ /** `true` when the schema is `.rls("required")` — gates the fail-closed branch. */
1825
+ readonly rlsRequired: boolean;
1826
+ /** Role labels the request carries (drives `auth.can(...)`). */
1827
+ readonly roles: ReadonlyArray<string>;
1828
+ /** The shape's own predicate (`where(ctx, args)`). */
1829
+ readonly shapeWhere: WhereInput;
1830
+ /** Logical table the shape replicates. */
1831
+ readonly table: string;
1832
+ /** `true` when the table is `.public()` (exempt from `.rls("required")` denial). */
1833
+ readonly tablePublic: boolean;
1834
+ /** Verified user id, or `null` when anonymous. */
1835
+ readonly userId: null | string;
1836
+ }
1837
+ /**
1838
+ * Build the read-policy registry from the registered functions (pass
1839
+ * `Object.values(LUNORA_FUNCTIONS)`). Only `on: "read"` policies are collected,
1840
+ * grouped per `rls()` middleware so each group keeps its own role→permission map
1841
+ * (a `(table, when)` pair is de-duplicated within a tag). A tag reused across
1842
+ * several procedures (a shared `const guard = rls(...)`) is folded once. This
1843
+ * mirrors the request-time `rls()` path exactly: a policy's `auth.can(...)`
1844
+ * resolves against the roles of the middleware that declared it, never a union.
1845
+ */
1846
+ declare const buildRlsReadRegistry: (functions: Iterable<unknown>) => RlsReadRegistry;
1847
+ /**
1848
+ * Compute the effective `where` a shape replicates: the table's RLS read
1849
+ * base-where AND the shape's own predicate. Returns the shape predicate
1850
+ * unchanged for a table with no read policy (a `.public()` or non-RLS table),
1851
+ * and the FALSE sentinel (replicate nothing) when a `.rls("required")` schema
1852
+ * exposes a protected, policy-less table.
1853
+ */
1854
+ declare const composeShapeReadWhere: (registry: RlsReadRegistry, request: ShapeReadWhereRequest) => WhereInput;
1855
+ /**
1856
+ * A shape declaration. `where` receives the trusted procedure context and the
1857
+ * validated client args and returns the same {@link WhereInput} shape the RLS
1858
+ * DSL uses, so the DO can AND-merge it with the table's read base-where via the
1859
+ * existing where-compiler (zero second predicate implementation).
1860
+ */
1861
+ interface ShapeDefinition<Args extends ValidatorMap = ValidatorMap, Context = QueryCtx> {
1862
+ /**
1863
+ * Validator for the client-supplied shape parameters. Validated on the DO
1864
+ * before `where` runs, so a malformed `args` envelope is rejected at the
1865
+ * subscription boundary rather than silently widening the partition. Omit
1866
+ * for a parameterless shape.
1867
+ */
1868
+ readonly args?: Args;
1869
+ /**
1870
+ * Project the replicated rows to these columns (the system columns `_id` and
1871
+ * `_creationTime` are always included). Omit to replicate every column. An
1872
+ * empty array is rejected — it would replicate no data, which is never the
1873
+ * intent.
1874
+ */
1875
+ readonly columns?: ReadonlyArray<string>;
1876
+ /** Logical table this shape replicates a partition of. */
1877
+ readonly table: string;
1878
+ /**
1879
+ * Predicate selecting the rows this shape replicates. AND-composed with the
1880
+ * table's RLS read base-where on the DO. Runs server-side with a trusted
1881
+ * `ctx` (identity/auth the client can't forge) and the validated client
1882
+ * `args`; returns a {@link WhereInput} using the same operator set as the
1883
+ * SQL compiler (`eq`/`in`/`lt`/… + `AND`/`OR`/`NOT`).
1884
+ */
1885
+ readonly where: (context: Context, args: InferValidatorMap<Args>) => WhereInput;
1886
+ }
1887
+ /** A {@link ShapeDefinition} plus the codegen discovery marker and a dispatch-shaped `compileWhere`. */
1888
+ interface RegisteredShape<Args extends ValidatorMap = ValidatorMap, Context = QueryCtx> extends ShapeDefinition<Args, Context> {
1889
+ readonly __lunoraShape: true;
1890
+ /**
1891
+ * Validate `rawArgs`, then evaluate `where` under the trusted `ctx` and
1892
+ * return its {@link WhereInput}. Used by the generated DO's `resolveShape`
1893
+ * override: `ctx` is erased to `unknown` at this dispatch boundary (the DO
1894
+ * builds it from the socket's verified identity and hands it back as the
1895
+ * concrete {@link QueryContext} the predicate expects), exactly like
1896
+ * `RegisteredLunoraFunction.handler` erases its context.
1897
+ */
1898
+ readonly compileWhere: (context: unknown, rawArgs: Record<string, unknown>) => WhereInput;
1899
+ }
1900
+ /** Declare a replication shape. See the module docs for runtime semantics. */
1901
+ declare const defineShape: <Args extends ValidatorMap = ValidatorMap, Context = QueryCtx>(definition: ShapeDefinition<Args, Context>) => RegisteredShape<Args, Context>;
1902
+ /**
1903
+ * Operations a storage rule can gate. `read` covers `download` / `getMetadata`
1904
+ * / `getSignedUrl` / `getUrl`; `write` covers `store` / `generateUploadUrl`;
1905
+ * `delete` is `delete`; `list` is a prefix listing (governed via the file
1906
+ * browser / admin path, not `ctx.storage` which has no `list`).
1907
+ */
1908
+ type StorageOperation = "delete" | "list" | "read" | "write";
1909
+ /** A rule's decision. `true` allows, `false` denies, `undefined` opts this rule out. */
1910
+ type StorageRuleDecision = boolean | undefined;
1911
+ /**
1912
+ * Context handed to a storage rule. `auth` mirrors RLS's `PolicyContext.auth`
1913
+ * (the per-request userId / roles / identity and the `can(permission)` helper),
1914
+ * so a rule reads `({ auth, key }) => key.startsWith(`user/${auth.userId}/`)`.
1915
+ * `key` is the object key the operation targets (for `list`, the listing
1916
+ * prefix). `ctx` is the full procedure context the middleware closed over.
1917
+ */
1918
+ interface StorageRuleContext<Context = unknown> {
1919
+ readonly auth: {
1920
+ readonly can: (permission: Permission | string) => boolean;
1921
+ readonly identity?: Record<string, unknown> | null;
1922
+ readonly roles: ReadonlyArray<string>;
1923
+ readonly userId: null | string;
1924
+ };
1925
+ readonly ctx: Context;
1926
+ /** The object key the operation targets (the listing prefix for `list`). */
1927
+ readonly key: string;
1928
+ }
1929
+ /** A registered storage rule as stored in the rule table. */
1930
+ interface StorageRule<Context = unknown> {
1931
+ /**
1932
+ * Logical bucket the rule governs — matched against the accessor's bucket
1933
+ * (`ctx.storage.bucketName`, or the bucket selected via `ctx.storage.bucket(name)`).
1934
+ * A rule only applies to operations on its own bucket. The unnamed bucket is
1935
+ * `"default"`. Also surfaced in the studio's access-rules view.
1936
+ */
1937
+ readonly bucket: string;
1938
+ readonly on: StorageOperation;
1939
+ /** Optional key-prefix scope; the rule only governs keys under it. Absent ⇒ the whole bucket. */
1940
+ readonly prefix?: string;
1941
+ readonly when: (context: StorageRuleContext<Context>) => StorageRuleDecision;
1942
+ }
1943
+ /** Input accepted by `defineStorageRule`. The result is the same shape. */
1944
+ interface DefineStorageRuleInput<Context = unknown> {
1945
+ bucket: string;
1946
+ on: StorageOperation;
1947
+ prefix?: string;
1948
+ when: (context: StorageRuleContext<Context>) => StorageRuleDecision;
1949
+ }
1950
+ /**
1951
+ * Options for the `storageRules(rules, options)` middleware. `roles` registers
1952
+ * the role→permission grants that back `ctx.auth.can(...)`, exactly as RLS's
1953
+ * `RlsOptions.roles` does — fail-closed for unlisted roles.
1954
+ */
1955
+ interface StorageRulesOptions {
1956
+ readonly roles?: ReadonlyArray<Role>;
1957
+ }
1958
+ declare const defineStorageRule: <Context = unknown>(input: DefineStorageRuleInput<Context>) => StorageRule<Context>;
1959
+ /**
1960
+ * Collect a list of storage rules into the structure the `storageRules()`
1961
+ * middleware consumes. Multiple rules for the same `(bucket, on)` OR together —
1962
+ * any one allowing grants the operation (each rule grants a slice of the
1963
+ * keyspace).
1964
+ *
1965
+ * Validates against an **accidentally duplicated rule** — the same
1966
+ * `(bucket, on, prefix)` registered with the *same* decision function (a
1967
+ * copy-paste, or the same rule object spread in twice). Because multiple
1968
+ * DISTINCT rules per `(bucket, on)` are intentional, the check keys on the
1969
+ * `when` reference too. Throws at module load so the misconfiguration surfaces
1970
+ * immediately rather than as a silently double-evaluated predicate.
1971
+ */
1972
+ declare const defineStorageRules: <Context = unknown>(rules: ReadonlyArray<StorageRule<Context>>) => ReadonlyArray<StorageRule<Context>>;
1973
+ /** The minimal `ctx.auth` shape the middleware reads — a structural subset that the full AuthState satisfies. Tolerant of older auth states (mirrors RLS's `AuthLike`). */
1974
+ type StorageAuthLike = {
1975
+ getIdentity?: () => Promise<Record<string, unknown> | null>;
1976
+ roles?: ReadonlyArray<string>;
1977
+ userId?: null | string;
1978
+ };
1979
+ interface StorageContextIn {
1980
+ auth?: StorageAuthLike;
1981
+ storage?: unknown;
1982
+ }
1983
+ declare const storageRules: <Context extends StorageContextIn = StorageContextIn>(rules: ReadonlyArray<StorageRule<Context>>, options?: StorageRulesOptions) => Middleware<Context, Context>;
1984
+ declare const VERSION = "0.0.0";
1985
+ export { type ActionBuilder, type ActionCtx, type AggregateIndexDefinition, type AggregateIndexOptions, type AggregateOp, type ArgsValidator, type Component, type ComponentFunctions, type CreateOptions, type DataModelInit, type DefineComponentOptions, type DefinePluginOptions, type DefinePolicyInput, type DefinePresenceOptions, type DefineStorageRuleInput, type DurableObjectJurisdiction, type EmptyArgs, type EnvAccessor, type EnvKeyFailure, type EnvShape, type ExtendableSchema, type FacadeEntry, type FacadeWriterLike, type FunctionKind, type HttpActionCtx, type HttpActionHandler, type HttpMethod, type HttpRoute, type HttpRouteBuilder, type HttpRouteFactory, type HttpRouteHandlerOptions, type HttpStreamHandlerOptions, type InferArgs, type InferEnv, type InlineAggregateIndexOptions, type InlineRankIndexOptions, type InternalActionBuilder, type InternalMutationBuilder, type InternalQueryBuilder, type LifecycleEvent, type LifecycleHandler, type LunoraBuilders, LunoraEnvError, LunoraError, type LunoraErrorCode, type LunoraHttpApp, type LunoraHttpEnv, type LunoraRouteHandler, type ManyRelation, type MaskColumns, type MaskContext, type MaskFn, type MaskOptions, type MaskPolicies, type MaskStrategy, type Middleware, type MiddlewareNext, type MigrationDefinition, type MigrationDocument, type MigrationTransform, type MutationBuilder, type MutationCtx, type MutatorDefinition, type OnDeleteAction, type OneRelation, type OrmLike, DEFAULT_TTL_MS as PRESENCE_DEFAULT_TTL_MS, PRESENCE_TABLE, type Permission, type Plugin, type Policy, type PrefixedTables, type PresenceComponent, type PresenceFunctions, type PresenceMember, type ProtectPublicOptions, type QueryBuilder, type QueryCtx, type RankIndexDefinition, type RankIndexOptions, type RegisteredAction, type RegisteredFunction, type RegisteredLifecycleHook, type RegisteredMigration, type RegisteredMutation, type RegisteredMutator, type RegisteredQuery, type RegisteredShape, type RegisteredStream, type RelationBuilder, type RelationDefinition, type RlsOptions, type RlsReadRegistry, type Role, type Schema, type SchemaExtension, type ShapeDefinition, type ShapeReadWhereRequest, type StorageOperation, type StorageRule, type StorageRuleContext, type StorageRuleDecision, type StorageRulesOptions, type TableBuilder, type TableDefinition, type TerminalKind, type TriggerBuilder, type TriggerDefinition, type TypedDefinePolicyInput, VERSION, type VectorEmbedder, type VectorIndexDefinition, type VectorIndexOptions, type VectorMetric, type VectorizeOptions, type WhereInput, asBucketStorage, bindOrm, bindTableFacade, buildRlsReadRegistry, composePluginMiddleware, composeShapeReadWhere, createPolicyDsl, createSecrets, defineAggregateIndex, defineComponent, defineEnv, defineMigration, defineMutator, definePermission, definePlugin, definePolicies, definePolicy, definePresence, defineRankIndex, defineRole, defineSchema, defineSchemaExtension, defineShape, defineStorageRule, defineStorageRules, defineTable, defineVectorIndex, httpAction, httpRoute, httpRouter, initLunora, installPlugins, mask, mergeSchemaExtension, onConnect, onDisconnect, presenceExtension, protectPublic, redactSecrets, rls, serveStorageObject, storageRules };