npm - @od-oneapp/storage - Versions diffs - 2026.2.1501-canary.1 - Mend

@od-oneapp/storage 2026.2.1501-canary.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/README.md +854 -0
package/client-next.d.mts +60 -0
package/client-next.d.mts.map +1 -0
package/client-next.mjs +111 -0
package/client-next.mjs.map +1 -0
package/client.d.mts +66 -0
package/client.d.mts.map +1 -0
package/client.mjs +183 -0
package/client.mjs.map +1 -0
package/env-BVHLmQdh.mjs +128 -0
package/env-BVHLmQdh.mjs.map +1 -0
package/env.mjs +3 -0
package/health-check-Bn4qWNOt.d.mts +143 -0
package/health-check-Bn4qWNOt.d.mts.map +1 -0
package/health-check-DbHmYLDb.mjs +848 -0
package/health-check-DbHmYLDb.mjs.map +1 -0
package/index.d.mts +60 -0
package/index.d.mts.map +1 -0
package/index.mjs +3 -0
package/keys.d.mts +37 -0
package/keys.d.mts.map +1 -0
package/keys.mjs +253 -0
package/keys.mjs.map +1 -0
package/package.json +123 -0
package/server-edge.d.mts +27 -0
package/server-edge.d.mts.map +1 -0
package/server-edge.mjs +88 -0
package/server-edge.mjs.map +1 -0
package/server-next.d.mts +182 -0
package/server-next.d.mts.map +1 -0
package/server-next.mjs +1352 -0
package/server-next.mjs.map +1 -0
package/server.d.mts +68 -0
package/server.d.mts.map +1 -0
package/server.mjs +371 -0
package/server.mjs.map +1 -0
package/types.d.mts +314 -0
package/types.d.mts.map +1 -0
package/types.mjs +3 -0
package/validation.d.mts +101 -0
package/validation.d.mts.map +1 -0
package/validation.mjs +590 -0
package/validation.mjs.map +1 -0
package/vercel-blob-HSvMatlk.mjs +156 -0
package/vercel-blob-HSvMatlk.mjs.map +1 -0

package/server-next.mjs ADDED Viewed

@@ -0,0 +1,1352 @@
+import { r as safeEnv, t as env } from "./env-BVHLmQdh.mjs";
+import { sanitizeStorageKey, validateStorageKey } from "./keys.mjs";
+import { ConfigError, DownloadError, NetworkError, ProviderError, StorageError, StorageErrorCode, UploadError, ValidationError, createStorageError, formatFileSize, getErrorCode, getQuotaInfo, isQuotaExceeded, isRetryableError, parseFileSize, validateFileSize, validateMimeType, validateUploadOptions, validateUrlForSSRF } from "./validation.mjs";
+import { a as getBestProvider, b as CloudflareImagesProvider, c as hasAllCapabilities, d as validateProviderCapabilities, f as MultipartUploadManager, g as MultiStorageManager, h as hasMultipartSupport, i as describeProviderCapabilities, l as hasAnyCapability, m as getOptimalPartSize, n as storageHealthCheck, o as getCapabilityMatrix, p as createMultipartUploadManager, r as checkProviderSuitability, s as getProviderCapabilities, t as checkProviderHealth, u as hasCapability, v as STORAGE_CONSTANTS, x as logError, y as CloudflareR2Provider } from "./health-check-DbHmYLDb.mjs";
+import { t as VercelBlobProvider } from "./vercel-blob-HSvMatlk.mjs";
+import { createStorageProvider, getMultiStorage, getProviderCapabilitiesFromConfig, getStorage, initializeMultiStorage, initializeStorage, multiStorage, resetStorageState, storage, validateStorageConfig } from "./server.mjs";
+import { handleUpload } from "@vercel/blob/client";
+//#region src/auth-helpers.ts
+/**
+* Retrieves the current authenticated user session
+*
+* This is a placeholder implementation that should be replaced with your actual
+* authentication system integration (NextAuth, @od-oneapp/auth, Clerk, etc.).
+*
+* **Implementation Pattern:**
+* ```typescript
+* // Example with @od-oneapp/auth:
+* const { auth } = await import('@od-oneapp/auth/server');
+* return await auth();
+*
+* // Example with NextAuth:
+* const { getServerSession } = await import('next-auth');
+* return await getServerSession(authOptions);
+* ```
+*
+* @returns Session object containing user info, or `null` if unauthenticated
+*
+* @example
+* ```typescript
+* export async function uploadMediaAction(key: string, data: Blob) {
+*   'use server';
+*
+*   const session = await getSession();
+*   if (!session?.user) {
+*     return { success: false, error: 'Unauthorized' };
+*   }
+*
+*   // Proceed with authenticated upload
+*   const storage = getStorage();
+*   const result = await storage.upload(key, data);
+*
+*   return { success: true, data: result };
+* }
+* ```
+*/
+async function getSession() {
+	try {
+		return null;
+	} catch {
+		return null;
+	}
+}
+/**
+* Checks if a user has permission to manage a specific product
+*
+* This is a placeholder that returns `false` by default (deny-by-default security).
+* Replace with your actual authorization logic that checks:
+* - Product ownership
+* - Role-based permissions (admin, editor, viewer)
+* - Team/organization membership
+*
+* **Implementation Pattern:**
+* ```typescript
+* // Example with database check:
+* const product = await db.product.findUnique({
+*   where: { id: productId },
+*   include: { team: { members: true } }
+* });
+*
+* return product?.ownerId === userId ||
+*        product?.team?.members.some(m => m.userId === userId && m.role === 'admin');
+* ```
+*
+* @param userId - User ID to authorize
+* @param productId - Product ID to check access for
+* @returns `true` if user can manage the product, `false` otherwise
+*
+* @example
+* ```typescript
+* export async function deleteProductMediaAction(mediaId: string) {
+*   'use server';
+*
+*   const session = await getSession();
+*   if (!session?.user) {
+*     return { success: false, error: 'Unauthorized' };
+*   }
+*
+*   const media = await db.productMedia.findUnique({ where: { id: mediaId } });
+*   if (!media) {
+*     return { success: false, error: 'Not found' };
+*   }
+*
+*   const canManage = await canUserManageProduct(session.user.id, media.productId);
+*   if (!canManage) {
+*     return { success: false, error: 'Forbidden' };
+*   }
+*
+*   await getStorage().delete(media.storageKey);
+*   return { success: true };
+* }
+* ```
+*/
+async function canUserManageProduct(_userId, _productId) {
+	return false;
+}
+/**
+* Extracts client IP address or identifier for rate limiting
+*
+* This placeholder returns `'unknown'`. Implement proper IP extraction based on:
+* - Proxy headers (X-Forwarded-For, X-Real-IP, CF-Connecting-IP)
+* - Direct connection IP
+* - User ID for authenticated rate limiting
+*
+* **Implementation Pattern:**
+* ```typescript
+* export function getClientIP(_request?: Request): string {
+*   if (!request) return 'unknown';
+*
+*   // Cloudflare
+*   const cfIP = request.headers.get('cf-connecting-ip');
+*   if (cfIP) return cfIP;
+*
+*   // Behind proxy
+*   const forwarded = request.headers.get('x-forwarded-for');
+*   if (forwarded) return forwarded.split(',')[0]?.trim() || 'unknown';
+*
+*   // Direct connection
+*   const realIP = request.headers.get('x-real-ip');
+*   return realIP || 'unknown';
+* }
+* ```
+*
+* @param request - Optional Request object to extract IP from
+* @returns Client IP address or `'unknown'` if not determinable
+*
+* @example
+* ```typescript
+* export async function uploadAction(request: Request, data: FormData) {
+*   'use server';
+*
+*   const clientIP = getClientIP(request);
+*   const rateLimit = await checkRateLimit(
+*     clientIP,
+*     'storage:upload',
+*     100, // max requests
+*     60000 // per minute
+*   );
+*
+*   if (!rateLimit.allowed) {
+*     return {
+*       success: false,
+*       error: 'Rate limit exceeded',
+*       resetAt: rateLimit.resetAt
+*     };
+*   }
+*
+*   // Process upload...
+* }
+* ```
+*/
+function getClientIP(_request) {
+	return "unknown";
+}
+/**
+* Checks if an identifier has exceeded rate limits for a storage action
+*
+* This placeholder always allows requests when `STORAGE_ENABLE_RATE_LIMIT=false`.
+* When enabled, implement with Redis, Upstash, or in-memory store.
+*
+* **Implementation Pattern (Redis):**
+* ```typescript
+* import { Redis } from '@upstash/redis';
+*
+* export async function checkRateLimit(
+*   identifier: string,
+*   action: string,
+*   maxRequests: number,
+*   windowMs: number
+* ) {
+*   const redis = Redis.fromEnv();
+*   const key = `ratelimit:${action}:${identifier}`;
+*
+*   const count = await redis.incr(key);
+*   if (count === 1) {
+*     await redis.pexpire(key, windowMs);
+*   }
+*
+*   const ttl = await redis.pttl(key);
+*   const resetAt = new Date(Date.now() + ttl);
+*
+*   return {
+*     allowed: count <= maxRequests,
+*     remaining: Math.max(0, maxRequests - count),
+*     resetAt
+*   };
+* }
+* ```
+*
+* @param identifier - Unique identifier (IP address, user ID, API key)
+* @param action - Action key for rate limiting (e.g., `'storage:upload'`, `'storage:delete'`)
+* @param maxRequests - Maximum requests allowed in the time window
+* @param windowMs - Time window in milliseconds (e.g., 60000 for 1 minute)
+* @returns Rate limit status with allowed flag, remaining count, and reset time
+*
+* @example
+* ```typescript
+* export async function uploadMediaAction(key: string, data: Blob) {
+*   'use server';
+*
+*   const session = await getSession();
+*   const identifier = session?.user.id || getClientIP();
+*
+*   const limit = await checkRateLimit(identifier, 'storage:upload', 100, 60000);
+*   if (!limit.allowed) {
+*     return {
+*       success: false,
+*       error: `Rate limit exceeded. ${limit.remaining} requests remaining. Resets at ${limit.resetAt.toISOString()}`,
+*     };
+*   }
+*
+*   const storage = getStorage();
+*   const result = await storage.upload(key, data);
+*   return { success: true, data: result };
+* }
+* ```
+*/
+async function checkRateLimit(identifier, action, maxRequests, windowMs) {
+	const { safeEnv } = await import("./index.mjs");
+	if (!safeEnv().STORAGE_ENABLE_RATE_LIMIT) return {
+		allowed: true,
+		remaining: maxRequests,
+		resetAt: new Date(Date.now() + windowMs)
+	};
+	return {
+		allowed: true,
+		remaining: Math.max(0, maxRequests - 1),
+		resetAt: new Date(Date.now() + windowMs)
+	};
+}
+/**
+* Validate a CSRF token according to runtime enforcement settings.
+*
+* If the environment flag `STORAGE_ENFORCE_CSRF` is false or the environment is unavailable, validation is permissive and this function returns `true`. When enforcement is enabled, the function returns `true` only if `token` is a non-empty string.
+*
+* @param token - CSRF token to validate
+* @param request - Optional request object that consuming applications may inspect when implementing real validation
+* @returns `true` if the token is considered valid (or enforcement is disabled / env unavailable), `false` otherwise
+* @deprecated Use validateCSRFOrigin() for better origin-based validation
+*/
+function validateCSRFToken(token, _request) {
+	try {
+		if (!safeEnv().STORAGE_ENFORCE_CSRF) return true;
+	} catch {
+		return true;
+	}
+	return typeof token === "string" && token.length > 0;
+}
+//#endregion
+//#region src/actions/mediaActions.ts
+/**
+* @fileoverview Media storage server actions
+*
+* Provides Next.js server actions for media file operations including upload,
+* download, delete, move, and list operations with authentication and validation.
+*
+* Features:
+* - Authentication and authorization
+* - Rate limiting
+* - File validation (size, MIME type)
+* - SSRF protection
+* - Bulk operations
+*
+* @module @od-oneapp/storage/actions/mediaActions
+*/
+/**
+* Upload binary data to the configured storage provider with optional validations.
+*
+* Validations performed before upload include storage key safety checks, optional
+* authentication and rate limiting, maximum file size enforcement, and MIME type
+* validation when `options.allowedMimeTypes` and `options.contentType` are provided.
+*
+* @param key - Destination storage key (path) where the file will be stored
+* @param data - File contents to upload (Buffer, ArrayBuffer, Blob, File, or ReadableStream)
+* @param options - Upload options and validation overrides. Notable fields:
+* - `maxFileSize` — override maximum allowed file size in bytes for this upload
+* - `allowedMimeTypes` — list of permitted MIME types; validated against `options.contentType` if present
+* - other provider-specific upload options (e.g., `contentType`, `metadata`) are passed through to the storage provider
+* @returns An object with `success: true` and the uploaded `StorageObject` on success, or `success: false` and an `error` message on failure
+*/
+async function uploadMediaAction(key, data, options) {
+	"use server";
+	const storageEnv = safeEnv();
+	const session = await getSession();
+	if (storageEnv.STORAGE_ENFORCE_AUTH && !session?.user) return {
+		success: false,
+		error: "Unauthorized: Authentication required"
+	};
+	const rateLimitResult = await checkRateLimit(session?.user?.id ?? getClientIP(), "storage:upload", storageEnv.STORAGE_RATE_LIMIT_REQUESTS, storageEnv.STORAGE_RATE_LIMIT_WINDOW_MS);
+	if (storageEnv.STORAGE_ENABLE_RATE_LIMIT && !rateLimitResult.allowed) return {
+		success: false,
+		error: "Rate limit exceeded. Please try again later."
+	};
+	try {
+		const keyValidation = validateStorageKey(key, {
+			maxLength: 1024,
+			forbiddenPatterns: [/\.\./, /\/\//]
+		});
+		if (!keyValidation.valid) return {
+			success: false,
+			error: `Invalid storage key: ${keyValidation.errors.join(", ")}`
+		};
+		const maxSize = options?.maxFileSize ?? storageEnv.STORAGE_MAX_FILE_SIZE;
+		let fileSize = 0;
+		if (data instanceof File || data instanceof Blob) fileSize = data.size;
+		else if (data instanceof ArrayBuffer) fileSize = data.byteLength;
+		else if (data instanceof Buffer) fileSize = data.length;
+		if (fileSize > maxSize) return {
+			success: false,
+			error: `File size ${fileSize} bytes exceeds maximum ${maxSize} bytes`
+		};
+		if (options?.allowedMimeTypes && options.contentType) {
+			const mimeValidation = validateMimeType(options.contentType, options.allowedMimeTypes);
+			if (!mimeValidation.valid) return {
+				success: false,
+				error: mimeValidation.error ?? "Invalid file type"
+			};
+		}
+		return {
+			success: true,
+			data: await getStorage().upload(key, data, options)
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to upload media"
+		};
+	}
+}
+/**
+* Get media file metadata
+*/
+async function getMediaAction(key) {
+	"use server";
+	try {
+		return {
+			success: true,
+			data: await getStorage().getMetadata(key)
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to get media metadata"
+		};
+	}
+}
+/**
+* List media files
+*/
+async function listMediaAction(options) {
+	"use server";
+	try {
+		return {
+			success: true,
+			data: await getStorage().list(options)
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to list media"
+		};
+	}
+}
+/**
+* Delete a media file
+*/
+async function deleteMediaAction(key) {
+	"use server";
+	try {
+		await getStorage().delete(key);
+		return { success: true };
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to delete media"
+		};
+	}
+}
+/**
+* Determine whether a media object exists at the given storage key.
+*
+* @param key - The storage key (path) of the media object to check
+* @returns A response object whose `data` is `true` if the object exists, `false` otherwise. On error the response will have `success: false` and an `error` message
+*/
+async function existsMediaAction(key) {
+	"use server";
+	try {
+		return {
+			success: true,
+			data: await getStorage().exists(key)
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to check media existence"
+		};
+	}
+}
+/**
+* Retrieve a public or signed URL for a media object.
+*
+* When the context is `product`, when `forceSign` is true, or when `expiresIn` is provided,
+* a signed URL is returned using the specified or default expiry; otherwise a direct URL is returned.
+*
+* @param key - The storage key of the media object
+* @param options.expiresIn - Expiration time in seconds for a signed URL
+* @param options.context - Context of the media; `product` forces signed URLs for product photos
+* @param options.forceSign - When true, force generation of a signed URL regardless of context
+* @returns The URL for the storage key (signed if signing rules apply)
+*/
+async function getMediaUrlAction(key, options) {
+	"use server";
+	try {
+		const storage = getStorage();
+		const isProductPhoto = options?.context === "product" || key.includes("/products/");
+		if ((isProductPhoto || options?.forceSign) ?? Boolean(options?.expiresIn)) {
+			const expiresIn = options?.expiresIn ?? (isProductPhoto ? STORAGE_CONSTANTS.PRODUCT_URL_EXPIRY_SECONDS : STORAGE_CONSTANTS.UPLOAD_URL_EXPIRY_SECONDS);
+			return {
+				success: true,
+				data: await storage.getUrl(key, { expiresIn })
+			};
+		}
+		return {
+			success: true,
+			data: await storage.getUrl(key)
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to get media URL"
+		};
+	}
+}
+/**
+* Generate signed URLs for multiple product media keys.
+*
+* Appends the provided `variant` to keys that reference Cloudflare Images and uses
+* `options.expiresIn` or the product URL expiry constant as the signing duration.
+*
+* @param keys - Array of storage keys identifying product media items
+* @param options - Optional settings: `expiresIn` (seconds) overrides the default signed URL expiry; `variant` is appended to Cloudflare Images keys to request a specific image variant
+* @returns A MediaActionResponse whose `data` is an array of objects with the original `key` and the generated `url` when successful; on failure the response contains an error message
+*/
+async function getProductMediaUrlsAction(keys, options) {
+	"use server";
+	try {
+		const storage = getStorage();
+		const expiresIn = options?.expiresIn ?? STORAGE_CONSTANTS.PRODUCT_URL_EXPIRY_SECONDS;
+		return {
+			success: true,
+			data: await Promise.all(keys.map(async (key) => {
+				let finalKey = key;
+				if (options?.variant && key.includes("cloudflare-images")) finalKey = `${key}/${options.variant}`;
+				return {
+					key,
+					url: await storage.getUrl(finalKey, { expiresIn })
+				};
+			}))
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to get product media URLs"
+		};
+	}
+}
+/**
+* Get presigned upload URL for product photos (admin only)
+*/
+async function getProductUploadUrlAction(filename, productId, options) {
+	"use server";
+	try {
+		const storage = getStorage();
+		const key = `products/${productId}/${Date.now()}-${filename}`;
+		return {
+			success: true,
+			data: {
+				uploadUrl: await storage.getUrl(key, { expiresIn: options?.expiresIn ?? 1800 }),
+				key
+			}
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to get product upload URL"
+		};
+	}
+}
+/**
+* Download a media file
+*/
+async function downloadMediaAction(key) {
+	"use server";
+	try {
+		return {
+			success: true,
+			data: await getStorage().download(key)
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to download media"
+		};
+	}
+}
+/**
+* Delete multiple media files
+*/
+async function bulkDeleteMediaAction(keys) {
+	"use server";
+	const results = {
+		succeeded: [],
+		failed: []
+	};
+	try {
+		await Promise.all(keys.map(async (key) => {
+			try {
+				await getStorage().delete(key);
+				results.succeeded.push(key);
+			} catch (error) {
+				results.failed.push({
+					key,
+					error: error instanceof Error ? error.message : "Unknown error"
+				});
+			}
+		}));
+		return {
+			success: results.failed.length === 0,
+			data: results
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Bulk delete operation failed"
+		};
+	}
+}
+/**
+* Move/rename multiple media files
+*/
+async function bulkMoveMediaAction(operations) {
+	"use server";
+	const results = {
+		succeeded: [],
+		failed: []
+	};
+	try {
+		await Promise.all(operations.map(async ({ sourceKey, destinationKey }) => {
+			try {
+				const blob = await getStorage().download(sourceKey);
+				const metadata = await getStorage().getMetadata(sourceKey);
+				await getStorage().upload(destinationKey, blob, { contentType: metadata.contentType });
+				await getStorage().delete(sourceKey);
+				results.succeeded.push({
+					sourceKey,
+					destinationKey
+				});
+			} catch (error) {
+				results.failed.push({
+					sourceKey,
+					destinationKey,
+					error: error instanceof Error ? error.message : "Unknown error"
+				});
+			}
+		}));
+		return {
+			success: results.failed.length === 0,
+			data: results
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Bulk move operation failed"
+		};
+	}
+}
+/**
+* Imports multiple external URLs into storage, processing them in configurable batches.
+*
+* Each source URL is validated for safety, fetched with a per-request timeout, and streamed
+* into the chosen storage provider (or routed to Cloudflare Images for images when available).
+* Successful imports are recorded with their destination key and resulting StorageObject;
+* failures record the source URL and an error message. Processing continues after individual failures.
+*
+* @param imports - Array of import entries, each with a required `sourceUrl`, optional `destinationKey`
+* (if omitted a key is generated), and optional `metadata` (altText, productId, userId, type).
+* @param options - Optional settings:
+* - `batchSize`: number of concurrent imports per batch (defaults to STORAGE_CONSTANTS.DEFAULT_BATCH_SIZE).
+* - `provider`: name of the storage provider to use (if omitted uses default provider or Cloudflare Images for images).
+* - `timeout`: per-request fetch timeout in milliseconds (defaults to STORAGE_CONSTANTS.DEFAULT_REQUEST_TIMEOUT_MS).
+* @returns An object with:
+* - `succeeded`: array of { sourceUrl, destinationKey, storageObject } for successful imports;
+* - `failed`: array of { sourceUrl, error } for failed imports;
+* - `totalProcessed`: total number of import attempts processed.
+*/
+async function bulkImportFromUrlsAction(imports, options) {
+	"use server";
+	const results = {
+		succeeded: [],
+		failed: [],
+		totalProcessed: 0
+	};
+	const batchSize = options?.batchSize ?? STORAGE_CONSTANTS.DEFAULT_BATCH_SIZE;
+	const timeout = options?.timeout ?? STORAGE_CONSTANTS.DEFAULT_REQUEST_TIMEOUT_MS;
+	try {
+		for (let i = 0; i < imports.length; i += batchSize) {
+			const batch = imports.slice(i, i + batchSize);
+			await Promise.all(batch.map(async (importItem) => {
+				try {
+					const urlValidation = validateUrlForSSRF(importItem.sourceUrl);
+					if (!urlValidation.valid) throw new Error(urlValidation.error ?? "Invalid or unsafe URL");
+					const controller = new AbortController();
+					const timeoutId = setTimeout(() => controller.abort(), timeout);
+					const response = await fetch(importItem.sourceUrl, {
+						signal: controller.signal,
+						headers: { "User-Agent": "Storage-Service/1.0" },
+						redirect: "error"
+					});
+					clearTimeout(timeoutId);
+					if (!response.ok) throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+					const contentType = response.headers.get("content-type") ?? "application/octet-stream";
+					const isImage = contentType.startsWith("image/");
+					const destinationKey = importItem.destinationKey ?? generateStorageKey(importItem.sourceUrl, importItem.metadata);
+					const storage = options?.provider ? getMultiStorage().getProvider(options.provider) : getStorage();
+					if (!storage) throw new Error("Storage provider not available");
+					if (isImage && !options?.provider) {
+						const imageProvider = getMultiStorage().getProvider("cloudflare-images");
+						if (imageProvider) {
+							const blob = await response.blob();
+							const result = await imageProvider.upload(destinationKey, blob, {
+								contentType,
+								metadata: importItem.metadata
+							});
+							results.succeeded.push({
+								sourceUrl: importItem.sourceUrl,
+								destinationKey,
+								storageObject: result
+							});
+							results.totalProcessed++;
+							return;
+						}
+					}
+					const stream = response.body;
+					if (!stream) throw new Error("No response body available");
+					const result = await storage.upload(destinationKey, stream, {
+						contentType,
+						metadata: importItem.metadata
+					});
+					results.succeeded.push({
+						sourceUrl: importItem.sourceUrl,
+						destinationKey,
+						storageObject: result
+					});
+					results.totalProcessed++;
+				} catch (error) {
+					results.failed.push({
+						sourceUrl: importItem.sourceUrl,
+						error: error instanceof Error ? error.message : "Unknown error"
+					});
+					results.totalProcessed++;
+				}
+			}));
+		}
+		return {
+			success: results.failed.length === 0,
+			data: results
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Bulk import operation failed",
+			data: results
+		};
+	}
+}
+/**
+* Import a single media item from a remote HTTPS URL into storage.
+*
+* Validates the source URL for safety, fetches the resource, and uploads it to storage.
+* If `options.onProgress` is provided and the response exposes a `content-length`, progress
+* updates are emitted as a fraction between 0 and 1 during download.
+*
+* @param sourceUrl - The HTTPS URL of the resource to import; must pass SSRF-safe validation.
+* @param destinationKey - Optional destination storage key; generated automatically when omitted.
+* @param options.metadata - Optional metadata to attach to the uploaded object.
+* @param options.onProgress - Optional callback invoked with a number in [0, 1] representing download progress.
+* @returns On success, a response containing the uploaded `StorageObject`; on failure, a response containing an error message.
+*/
+async function importFromUrlAction(sourceUrl, destinationKey, options) {
+	"use server";
+	try {
+		const urlValidation = validateUrlForSSRF(sourceUrl);
+		if (!urlValidation.valid) throw new Error(urlValidation.error ?? "Invalid or unsafe URL");
+		const response = await fetch(sourceUrl, {
+			headers: { "User-Agent": "Storage-Service/1.0" },
+			redirect: "error"
+		});
+		if (!response.ok) throw new Error(`Failed to fetch: ${response.status} ${response.statusText}`);
+		const contentType = response.headers.get("content-type") ?? "application/octet-stream";
+		const contentLength = response.headers.get("content-length");
+		const key = destinationKey ?? generateStorageKey(sourceUrl);
+		if (options?.onProgress && contentLength && response.body) {
+			const total = parseInt(contentLength);
+			let loaded = 0;
+			const reader = response.body.getReader();
+			const chunks = [];
+			while (true) {
+				const { done, value } = await reader.read();
+				if (done) break;
+				chunks.push(value);
+				loaded += value.length;
+				options.onProgress(loaded / total);
+			}
+			const blob = new Blob(chunks.map((chunk) => chunk.buffer.slice(chunk.byteOffset, chunk.byteOffset + chunk.byteLength)), { type: contentType });
+			return {
+				success: true,
+				data: await getStorage().upload(key, blob, {
+					contentType,
+					metadata: options.metadata
+				})
+			};
+		} else {
+			const storage = getStorage();
+			const stream = response.body;
+			if (!stream) throw new Error("No response body available");
+			return {
+				success: true,
+				data: await storage.upload(key, stream, {
+					contentType,
+					metadata: options?.metadata
+				})
+			};
+		}
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to import from URL"
+		};
+	}
+}
+/**
+* Helper function to generate storage key from URL
+*/
+function generateStorageKey(sourceUrl, metadata) {
+	try {
+		const filename = new URL(sourceUrl).pathname.split("/").pop() ?? "imported-file";
+		const timestamp = Date.now();
+		let prefix = "imports";
+		if (metadata?.productId) prefix = `products/${metadata.productId}`;
+		else if (metadata?.userId) prefix = `users/${metadata.userId}`;
+		else if (metadata?.type === "IMAGE") prefix = "images";
+		else if (metadata?.type === "VIDEO") prefix = "videos";
+		else if (metadata?.type === "DOCUMENT") prefix = "documents";
+		return `${prefix}/${timestamp}-${filename}`;
+	} catch {
+		return `imports/${Date.now()}-imported-file`;
+	}
+}
+/**
+* Upload to a specific storage provider
+*/
+async function uploadToProviderAction(providerName, key, data, options) {
+	"use server";
+	try {
+		const provider = getMultiStorage().getProvider(providerName);
+		if (!provider) throw new Error(`Provider '${providerName}' not found`);
+		return {
+			success: true,
+			data: await provider.upload(key, data, options)
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to upload to provider"
+		};
+	}
+}
+/**
+* List available storage providers
+*/
+async function listProvidersAction() {
+	"use server";
+	try {
+		return {
+			success: true,
+			data: getMultiStorage().getProviderNames()
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to list providers"
+		};
+	}
+}
+/**
+* Copy media between providers
+*/
+async function copyBetweenProvidersAction(sourceProvider, destinationProvider, key, options) {
+	"use server";
+	try {
+		const multiStorage = getMultiStorage();
+		const source = multiStorage.getProvider(sourceProvider);
+		const destination = multiStorage.getProvider(destinationProvider);
+		if (!source) throw new Error(`Source provider '${sourceProvider}' not found`);
+		if (!destination) throw new Error(`Destination provider '${destinationProvider}' not found`);
+		const blob = await source.download(key);
+		const metadata = await source.getMetadata(key);
+		return {
+			success: true,
+			data: await destination.upload(key, blob, {
+				contentType: metadata.contentType,
+				...options
+			})
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to copy between providers"
+		};
+	}
+}
+/**
+* Create an empty folder (placeholder with trailing slash)
+*/
+async function createFolderAction(key, options) {
+	"use server";
+	try {
+		const folderKey = key.endsWith("/") ? key : `${key}/`;
+		const emptyContent = Buffer.from(new Uint8Array(0));
+		return {
+			success: true,
+			data: await getStorage().upload(folderKey, emptyContent, {
+				contentType: "application/x-directory",
+				...options
+			})
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to create folder"
+		};
+	}
+}
+/**
+* Copy media between storage locations
+*/
+async function copyMediaAction(sourceKey, destinationKey, options) {
+	"use server";
+	try {
+		const blob = await getStorage().download(sourceKey);
+		return {
+			success: true,
+			data: await getStorage().upload(destinationKey, blob, {
+				contentType: options?.contentType,
+				...options
+			})
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to copy media"
+		};
+	}
+}
+/**
+* Get presigned upload URL for direct client uploads
+*/
+async function getPresignedUploadUrlAction(key, options) {
+	"use server";
+	try {
+		const provider = getStorage();
+		if (!provider.getPresignedUploadUrl) return {
+			success: false,
+			error: "Provider does not support presigned URLs"
+		};
+		return {
+			success: true,
+			data: await provider.getPresignedUploadUrl(key, options)
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to get presigned upload URL"
+		};
+	}
+}
+/**
+* Get storage provider capabilities
+*/
+async function getStorageCapabilitiesAction() {
+	"use server";
+	try {
+		return {
+			success: true,
+			data: getStorage().getCapabilities?.() ?? {
+				multipart: false,
+				presignedUrls: false,
+				progressTracking: false,
+				abortSignal: false,
+				metadata: false,
+				customDomains: false,
+				edgeCompatible: false
+			}
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to get storage capabilities"
+		};
+	}
+}
+/**
+* Validate a file's size, MIME type, and extension against provided constraints.
+*
+* Checks the file's byte size against `maxFileSize`, verifies the MIME type against
+* `allowedMimeTypes` (supports wildcard patterns like `image/*`), and verifies the
+* filename extension against `allowedExtensions`.
+*
+* @param file - The file to validate; must include `size`, `type`, and `name`.
+* @param options.maxFileSize - Maximum allowed file size in bytes.
+* @param options.allowedMimeTypes - Allowed MIME types; supports exact types and wildcards (e.g., `image/*`).
+* @param options.allowedExtensions - Allowed file extensions including the leading dot (e.g., `.jpg`, `.png`).
+* @returns An object with `valid` set to `true` when no validation errors were found, and `errors` listing any validation messages.
+*/
+async function validateFileAction(file, options) {
+	"use server";
+	try {
+		const errors = [];
+		if (options?.maxFileSize && file.size > options.maxFileSize) errors.push(`File size ${file.size} bytes exceeds maximum ${options.maxFileSize} bytes`);
+		if (options?.allowedMimeTypes && options.allowedMimeTypes.length > 0) {
+			const normalizedMimeType = file.type.toLowerCase().trim();
+			const normalizedAllowed = options.allowedMimeTypes.map((t) => t.toLowerCase().trim());
+			if (!normalizedAllowed.includes(normalizedMimeType)) {
+				if (!normalizedAllowed.some((allowed) => {
+					if (allowed.endsWith("/*")) {
+						const prefix = allowed.slice(0, -2);
+						return normalizedMimeType.startsWith(prefix);
+					}
+					return false;
+				})) errors.push(`MIME type '${file.type}' is not allowed. Allowed types: ${options.allowedMimeTypes.join(", ")}`);
+			}
+		}
+		if (options?.allowedExtensions && options.allowedExtensions.length > 0) {
+			const extension = file.name.match(/\.[^/.]+$/)?.[0]?.toLowerCase();
+			if (extension && !options.allowedExtensions.includes(extension)) errors.push(`File extension ${extension} is not allowed. Allowed: ${options.allowedExtensions.join(", ")}`);
+		}
+		return {
+			success: true,
+			data: {
+				valid: errors.length === 0,
+				errors
+			}
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to validate file"
+		};
+	}
+}
+//#endregion
+//#region src/actions/productMediaActions.ts
+/**
+* @fileoverview Product media business logic server actions
+*
+* Provides Next.js server actions specifically for product media operations.
+* Includes business logic for product image management with vendor and admin contexts.
+*
+* Features:
+* - Product-specific media uploads
+* - Vendor and admin role support
+* - Product media metadata management
+* - Authorization checks
+*
+* @module @od-oneapp/storage/actions/productMediaActions
+*/
+/**
+* Uploads multiple media files for a product while enforcing optional authentication, authorization, and rate limits.
+*
+* @param productId - The ID of the product to attach media to.
+* @param files - Files to upload; each object must include `filename`, `contentType`, and binary `data`.
+* @param options - Optional settings: `context` is the uploader role (`admin` | `vendor`); `altText`, `description`, and `tags` supply metadata.
+* @returns The action response. On success, `data` is an array of uploaded items containing `key`, `url`, and a temporary `mediaId`; on failure, `error` describes the problem.
+*/
+async function uploadProductMediaAction(productId, files, options) {
+	"use server";
+	try {
+		const featureEnv = safeEnv();
+		const session = await getSession();
+		if (featureEnv.STORAGE_ENFORCE_AUTH && !session?.user) return {
+			success: false,
+			error: "Unauthorized: Authentication required"
+		};
+		const hasPermission = session?.user ? await canUserManageProduct(session.user.id, productId) : false;
+		if (featureEnv.STORAGE_ENFORCE_AUTH && !hasPermission) return {
+			success: false,
+			error: "Forbidden: Insufficient permissions"
+		};
+		const env = safeEnv();
+		const rateLimitResult = await checkRateLimit(session?.user?.id ?? "anonymous", "storage:upload", env.STORAGE_RATE_LIMIT_REQUESTS, env.STORAGE_RATE_LIMIT_WINDOW_MS);
+		if (env.STORAGE_ENABLE_RATE_LIMIT && !rateLimitResult.allowed) return {
+			success: false,
+			error: "Rate limit exceeded. Please try again later."
+		};
+		const storage = getStorage();
+		const results = [];
+		for (const [index, file] of files.entries()) {
+			const sanitizedFilename = sanitizeStorageKey(file.filename);
+			const timestamp = Date.now();
+			const key = `products/${productId}/images/${timestamp}-${index}-${sanitizedFilename}`;
+			const keyValidation = validateStorageKey(key, {
+				maxLength: 1024,
+				forbiddenPatterns: [/\.\./, /\/\//]
+			});
+			if (!keyValidation.valid) return {
+				success: false,
+				error: `Invalid storage key: ${keyValidation.errors.join(", ")}`
+			};
+			const signedUrl = (await storage.upload(key, file.data, {
+				contentType: file.contentType,
+				metadata: {
+					productId,
+					uploadedBy: options?.context ?? "admin",
+					altText: options?.altText ?? ""
+				}
+			})).url || await storage.getUrl(key, { expiresIn: STORAGE_CONSTANTS.PRODUCT_URL_EXPIRY_SECONDS });
+			results.push({
+				key,
+				url: signedUrl,
+				mediaId: `temp-${timestamp}-${index}`
+			});
+		}
+		return {
+			success: true,
+			data: results
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to upload product media"
+		};
+	}
+}
+/**
+* Retrieve a product's media entries and attach signed URLs for client access.
+*
+* The returned media items include metadata (id, key, altText, sortOrder, contentType, size)
+* and a signed `url` valid for the configured expiry. If `options.variant` is provided and is
+* not `'public'`, the storage key is adjusted to include the variant before generating the URL.
+*
+* @param productId - The identifier of the product whose media should be fetched
+* @param options.context - Request context; affects visibility (e.g., `'admin'` may include deleted items)
+* @param options.variant - Optional variant key (`'thumbnail' | 'gallery' | 'hero' | 'public'`); when set and not `'public'` the storage key is suffixed with the variant for URL generation
+* @param options.expiresIn - Signed URL lifetime in seconds (defaults to 3600)
+* @returns On success, a `MediaActionResponse` containing an array of media items each with `id`, `key`, `url`, optional `altText`, `sortOrder`, `contentType`, and `size`; on failure, an error message describing the problem
+*/
+async function getProductMediaAction(productId, options) {
+	"use server";
+	try {
+		const productMedia = [{
+			id: "media-1",
+			key: `products/${productId}/images/hero.jpg`,
+			altText: "Product hero image",
+			sortOrder: 0,
+			contentType: "image/jpeg",
+			size: 1024e3
+		}, {
+			id: "media-2",
+			key: `products/${productId}/images/gallery-1.jpg`,
+			altText: "Product gallery image 1",
+			sortOrder: 1,
+			contentType: "image/jpeg",
+			size: 856e3
+		}];
+		const storage = getStorage();
+		const expiresIn = options?.expiresIn ?? 3600;
+		return {
+			success: true,
+			data: await Promise.all(productMedia.map(async (media) => {
+				let { key } = media;
+				if (options?.variant && options.variant !== "public") key = `${media.key}/${options.variant}`;
+				const signedUrl = await storage.getUrl(key, { expiresIn });
+				return {
+					...media,
+					url: signedUrl
+				};
+			}))
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to get product media"
+		};
+	}
+}
+/**
+* Delete a product's media entry and remove its stored object when requested.
+*
+* Performs authentication and permission checks when enforcement is enabled. By default performs a soft delete of the media record; when `options.hardDelete` is true, also deletes the object from storage.
+*
+* @param options - Additional options controlling deletion behavior
+* @param options.context - Invocation context, either `'admin'` or `'vendor'`
+* @param options.hardDelete - If `true`, delete the storage object and perform a hard delete; if omitted or `false`, perform a soft delete
+* @returns A MediaActionResponse<void> indicating success. On failure `success` is `false` and `error` contains a descriptive message.
+*/
+async function deleteProductMediaAction(productId, mediaId, options) {
+	"use server";
+	try {
+		const featureEnv = safeEnv();
+		const session = await getSession();
+		if (featureEnv.STORAGE_ENFORCE_AUTH && !session?.user) return {
+			success: false,
+			error: "Unauthorized: Authentication required"
+		};
+		const hasPermission = session?.user ? await canUserManageProduct(session.user.id, productId) : false;
+		if (featureEnv.STORAGE_ENFORCE_AUTH && !hasPermission) return {
+			success: false,
+			error: "Forbidden: Insufficient permissions"
+		};
+		const mediaRecord = {
+			id: mediaId,
+			key: `products/${productId}/images/example.jpg`,
+			productId
+		};
+		if (options?.hardDelete) await getStorage().delete(mediaRecord.key);
+		return { success: true };
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to delete product media"
+		};
+	}
+}
+/**
+* Reorders media items for a product.
+*
+* When storage authentication is enforced, this action requires an authenticated user
+* who has permission to manage the specified product; otherwise it returns an authorization error.
+*
+* @param productId - The ID of the product whose media order will be updated
+* @param mediaOrder - Array of objects mapping `mediaId` to the desired `sortOrder`
+* @param options.context - Optional caller context, e.g. 'admin' or 'vendor'
+* @returns An object with `success: true` when the reorder operation completes; otherwise `success: false` and an `error` message describing the failure
+*/
+async function reorderProductMediaAction(productId, _mediaOrder, _options) {
+	"use server";
+	try {
+		const featureEnv = safeEnv();
+		const session = await getSession();
+		if (featureEnv.STORAGE_ENFORCE_AUTH && !session?.user) return {
+			success: false,
+			error: "Unauthorized: Authentication required"
+		};
+		const hasPermission = session?.user ? await canUserManageProduct(session.user.id, productId) : false;
+		if (featureEnv.STORAGE_ENFORCE_AUTH && !hasPermission) return {
+			success: false,
+			error: "Forbidden: Insufficient permissions"
+		};
+		return { success: true };
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to reorder product media"
+		};
+	}
+}
+/**
+* Generate presigned upload URLs for client-side direct uploads scoped to a product.
+*
+* @param productId - Product identifier used to scope generated storage keys
+* @param filenames - Desired filenames to include in generated storage keys
+* @param options - Optional settings for URL generation
+* @param options.context - The request context, e.g. 'admin' or 'vendor'
+* @param options.expiresIn - Signed URL lifetime in seconds; defaults to STORAGE_CONSTANTS.UPLOAD_URL_EXPIRY_SECONDS
+* @param options.maxSizeBytes - Optional maximum allowed upload size in bytes (informational; enforcement depends on storage provider)
+* @returns A MediaActionResponse containing an array of upload descriptors; each descriptor includes `filename`, `uploadUrl`, `key`, and optional form `fields`
+*/
+async function getProductUploadPresignedUrlsAction(productId, filenames, options) {
+	"use server";
+	try {
+		const featureEnv = safeEnv();
+		const session = await getSession();
+		if (featureEnv.STORAGE_ENFORCE_AUTH && !session?.user) return {
+			success: false,
+			error: "Unauthorized: Authentication required"
+		};
+		const hasPermission = session?.user ? await canUserManageProduct(session.user.id, productId) : false;
+		if (featureEnv.STORAGE_ENFORCE_AUTH && !hasPermission) return {
+			success: false,
+			error: "Forbidden: Insufficient permissions"
+		};
+		const storage = getStorage();
+		const expiresIn = options?.expiresIn ?? STORAGE_CONSTANTS.UPLOAD_URL_EXPIRY_SECONDS;
+		return {
+			success: true,
+			data: await Promise.all(filenames.map(async (filename, index) => {
+				const sanitizedFilename = sanitizeStorageKey(filename);
+				const key = `products/${productId}/images/${Date.now()}-${index}-${sanitizedFilename}`;
+				const keyValidation = validateStorageKey(key, {
+					maxLength: 1024,
+					forbiddenPatterns: [/\.\./, /\/\//]
+				});
+				if (!keyValidation.valid) throw new Error(`Invalid storage key: ${keyValidation.errors.join(", ")}`);
+				return {
+					filename,
+					uploadUrl: await storage.getUrl(key, { expiresIn }),
+					key
+				};
+			}))
+		};
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to generate upload URLs"
+		};
+	}
+}
+/**
+* Performs bulk metadata updates for a product's media items.
+*
+* @param productId - ID of the product whose media items will be updated
+* @param updates - List of update objects, each with a `mediaId` and optional `altText`, `description`, and `tags`
+* @param options - Optional operation context; expected values are `'admin'` or `'vendor'`
+* @returns A response object indicating success; on failure `error` contains a descriptive message (for example, `Unauthorized: Authentication required` or `Forbidden: Insufficient permissions`)
+*/
+async function bulkUpdateProductMediaAction(productId, _updates, _options) {
+	"use server";
+	try {
+		const featureEnv = safeEnv();
+		const session = await getSession();
+		if (featureEnv.STORAGE_ENFORCE_AUTH && !session?.user) return {
+			success: false,
+			error: "Unauthorized: Authentication required"
+		};
+		const hasPermission = session?.user ? await canUserManageProduct(session.user.id, productId) : false;
+		if (featureEnv.STORAGE_ENFORCE_AUTH && !hasPermission) return {
+			success: false,
+			error: "Forbidden: Insufficient permissions"
+		};
+		return { success: true };
+	} catch (error) {
+		return {
+			success: false,
+			error: error instanceof Error ? error.message : "Failed to bulk update product media"
+		};
+	}
+}
+//#endregion
+//#region src/actions/blob-upload.ts
+/**
+* @fileoverview Blob upload server action
+*
+* Handles Vercel Blob uploads with authentication, validation, and callbacks.
+* Provides secure upload handling for Next.js server actions.
+*
+* @module @od-oneapp/storage/actions/blob-upload
+*/
+/**
+* Process a multipart/form-data upload via Vercel Blob, enforcing CSRF and environment token checks and invoking optional pre-token and post-upload hooks.
+*
+* @param request - Incoming HTTP Request expected to contain multipart/form-data for the upload.
+* @param config - Optional handlers:
+* - onBeforeGenerateToken(pathname, clientPayload): validate/configure a scoped client token and return `{ allowed, token?, allowedContentTypes?, maximumSizeInBytes?, tokenPayload? }`.
+* - onUploadCompleted(blob, clientPayload): receive completed upload metadata `{ url, pathname, contentType?, contentDisposition?, size }` and the original clientPayload.
+* @returns A Response with a JSON body. On success the body is the value returned by Vercel's `handleUpload`; on error the body is `{ error: string }` and the response status will be 403 for invalid CSRF or 500 for configuration/processing errors.
+*/
+async function handleBlobUpload(request, config) {
+	try {
+		const blobEnv = safeEnv();
+		if (blobEnv.STORAGE_ENFORCE_CSRF) {
+			const csrfToken = request.headers.get("x-csrf-token");
+			if (!csrfToken || !validateCSRFToken(csrfToken, request)) return new Response(JSON.stringify({ error: "Invalid CSRF token" }), {
+				status: 403,
+				headers: { "Content-Type": "application/json" }
+			});
+		}
+		const token = blobEnv.VERCEL_BLOB_READ_WRITE_TOKEN;
+		if (!token) return new Response(JSON.stringify({ error: "VERCEL_BLOB_READ_WRITE_TOKEN not configured" }), {
+			status: 500,
+			headers: { "Content-Type": "application/json" }
+		});
+		const result = await handleUpload({
+			body: await request.json(),
+			token,
+			request,
+			onBeforeGenerateToken: async (pathname, clientPayload, _multipart) => {
+				if (config?.onBeforeGenerateToken) try {
+					const result = await config.onBeforeGenerateToken(pathname, clientPayload ?? void 0);
+					if (!result.allowed) throw new Error("Upload not allowed");
+					return {
+						allowedContentTypes: result.allowedContentTypes,
+						maximumSizeInBytes: result.maximumSizeInBytes,
+						tokenPayload: result.tokenPayload
+					};
+				} catch (error) {
+					throw new Error(`Upload validation failed: ${error instanceof Error ? error.message : "Unknown error"}`);
+				}
+				return {};
+			},
+			onUploadCompleted: async (payload) => {
+				if (config?.onUploadCompleted) try {
+					const { blob, tokenPayload } = payload;
+					await config.onUploadCompleted({
+						url: blob.url,
+						pathname: blob.pathname,
+						contentType: blob.contentType,
+						contentDisposition: blob.contentDisposition,
+						size: blob.size ?? 0
+					}, tokenPayload ?? void 0);
+				} catch (error) {
+					logError("onUploadCompleted callback failed", {
+						error: error instanceof Error ? error.message : String(error),
+						blob: {
+							url: payload.blob.url,
+							pathname: payload.blob.pathname,
+							size: payload.blob.size,
+							contentType: payload.blob.contentType
+						},
+						clientPayload: payload.tokenPayload,
+						timestamp: (/* @__PURE__ */ new Date()).toISOString()
+					});
+				}
+			}
+		});
+		return new Response(JSON.stringify(result), {
+			status: 200,
+			headers: { "Content-Type": "application/json" }
+		});
+	} catch (error) {
+		return new Response(JSON.stringify({ error: error instanceof Error ? error.message : "Upload failed" }), {
+			status: 500,
+			headers: { "Content-Type": "application/json" }
+		});
+	}
+}
+//#endregion
+export { CloudflareImagesProvider, CloudflareR2Provider, ConfigError, DownloadError, MultiStorageManager, MultipartUploadManager, NetworkError, ProviderError, StorageError, StorageErrorCode, UploadError, ValidationError, VercelBlobProvider, bulkDeleteMediaAction, bulkImportFromUrlsAction, bulkMoveMediaAction, bulkUpdateProductMediaAction, checkProviderHealth, checkProviderSuitability, copyBetweenProvidersAction, copyMediaAction, createFolderAction, createMultipartUploadManager, createStorageError, createStorageProvider, deleteMediaAction, deleteProductMediaAction, describeProviderCapabilities, downloadMediaAction, env, existsMediaAction, formatFileSize, getBestProvider, getCapabilityMatrix, getErrorCode, getMediaAction, getMediaUrlAction, getMultiStorage, getOptimalPartSize, getPresignedUploadUrlAction, getProductMediaAction, getProductMediaUrlsAction, getProductUploadPresignedUrlsAction, getProductUploadUrlAction, getProviderCapabilities, getProviderCapabilitiesFromConfig, getQuotaInfo, getStorage, getStorageCapabilitiesAction, handleBlobUpload, hasAllCapabilities, hasAnyCapability, hasCapability, hasMultipartSupport, importFromUrlAction, initializeMultiStorage, initializeStorage, isQuotaExceeded, isRetryableError, listMediaAction, listProvidersAction, multiStorage, parseFileSize, reorderProductMediaAction, resetStorageState, safeEnv, storage, storageHealthCheck, uploadMediaAction, uploadProductMediaAction, uploadToProviderAction, validateFileAction, validateFileSize, validateMimeType, validateProviderCapabilities, validateStorageConfig, validateStorageKey, validateUploadOptions };
+//# sourceMappingURL=server-next.mjs.map