@palbase/backend 0.7.0 → 0.9.0

package/dist/endpoint-DysSe3SI.d.ts

@@ -0,0 +1,1299 @@
+import { ZodSchema, z } from 'zod';
+import { S as SchemaDef, T as TableDef, h as ColIsOptionalOnInsert, k as ColValue } from './schema-zk-a0Dv7.js';
+
+/** Supported HTTP methods for endpoints. */
+type HttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
+/** Authenticated user attached to the request context. */
+interface User {
+    id: string;
+    email: string;
+    role: string;
+    metadata: Record<string, unknown>;
+}
+/** Authentication configuration for an endpoint. */
+interface AuthConfig {
+    /** Whether authentication is required. Defaults to true. */
+    required: boolean;
+    /** Required role for access. If undefined, any authenticated user is allowed. */
+    role?: string;
+}
+
+/** Middleware context — subset of EndpointContext without input (not yet validated). */
+interface MiddlewareContext extends PalbaseModuleClients {
+    params: Record<string, string>;
+    query: Record<string, string>;
+    headers: Record<string, string>;
+    user: User | null;
+    db: DBClient;
+    env: Record<string, string>;
+    log: Logger;
+    cache: CacheClient;
+    requestId: string;
+    projectId: string;
+    environmentId: string;
+}
+/** Middleware function signature — receives context and next function. */
+type MiddlewareHandler = (ctx: MiddlewareContext, next: () => Promise<void>) => Promise<void>;
+/**
+ * Define a middleware function for use in the middleware/ directory or
+ * as endpoint-specific middleware.
+ *
+ * Middleware runs before the handler. Call `next()` to pass control
+ * to the next middleware or handler. If `next()` is not called, the
+ * handler will not execute.
+ *
+ * Errors thrown in middleware are caught by the pipeline and returned
+ * as error responses.
+ */
+declare function defineMiddleware(fn: MiddlewareHandler): MiddlewareHandler;
+
+/**
+ * typed-db.ts — Task 2: TypedDB schema-derived insert/row shapes.
+ *
+ * Derives INSERT and full-row TypeScript types from a `defineSchema()` result
+ * and wraps the untyped runtime `DBClient` with a typed facade.
+ *
+ * No value-any. No `as unknown as X`. The two narrow `as` casts in
+ * `makeTypedTable` are safe because:
+ *  - `data as Record<string, unknown>`: InsertShape<T> maps string keys to
+ *    typed values; all value types are subsets of `unknown`, so the cast is
+ *    structurally sound.
+ *  - `result as RowShape<T>`: The runtime DBClient returns `Record<string,
+ *    unknown>` which is the erased form of the typed row; we're narrowing back
+ *    to the precise shape that the schema declared.
+ * Both casts are narrowing only (not widening) and correctness is guaranteed
+ * by the schema the caller provides.
+ */
+
+/** Keys of C whose columns are required on INSERT (not nullable, no default). */
+type RequiredKeys<C> = {
+    [K in keyof C]: ColIsOptionalOnInsert<C[K]> extends true ? never : K;
+}[keyof C];
+/** Keys of C whose columns are optional on INSERT (nullable or has a default). */
+type OptionalKeys<C> = {
+    [K in keyof C]: ColIsOptionalOnInsert<C[K]> extends true ? K : never;
+}[keyof C];
+/**
+ * The TypeScript type for an INSERT payload for table `T`.
+ * - Required: columns that are NOT NULL and have no DB-level default.
+ * - Optional: columns that are nullable or carry a default.
+ *
+ * When all columns are optional, `RequiredKeys<C>` resolves to `never` and
+ * the first part becomes `{}`, which is a neutral element for `&`.
+ */
+type InsertShape<T extends TableDef> = {
+    [K in RequiredKeys<T["columns"]>]: ColValue<T["columns"][K]>;
+} & {
+    [K in OptionalKeys<T["columns"]>]?: ColValue<T["columns"][K]>;
+};
+/**
+ * The TypeScript type for a full row returned by the DB for table `T`.
+ * Every column is present; nullable columns resolve to `T | null`.
+ */
+type RowShape<T extends TableDef> = {
+    [K in keyof T["columns"]]: ColValue<T["columns"][K]>;
+};
+/** A typed table accessor that mirrors the runtime DBClient surface. */
+interface TypedTable<T extends TableDef> {
+    insert(data: InsertShape<T>): Promise<RowShape<T>>;
+    update(id: string, data: Partial<InsertShape<T>>): Promise<RowShape<T>>;
+    delete(id: string): Promise<void>;
+    findById(id: string): Promise<RowShape<T> | null>;
+    findMany(query?: Partial<RowShape<T>>): Promise<RowShape<T>[]>;
+}
+/** A typed DB facade covering all tables declared in schema `S`. */
+interface TypedDB<S extends SchemaDef> {
+    tables: {
+        [K in keyof S["tables"]]: TypedTable<S["tables"][K]>;
+    };
+}
+/**
+ * Wraps a raw `DBClient` with the type-safe `TypedDB<S>` facade derived from
+ * the provided schema. No behavior change — all calls delegate to `raw` with
+ * the table name as a plain string.
+ *
+ * The `satisfies` check verifies the built object is structurally compatible
+ * before we present it as `TypedDB<S>`. The final `as TypedDB<S>` is a
+ * single structural narrowing from the dynamically-built type to the precise
+ * mapped type (TS cannot infer through `Object.keys` iteration).
+ */
+declare function makeTypedDB<S extends SchemaDef>(schema: S, raw: DBClient): TypedDB<S>;
+
+/**
+ * Local typed interfaces for the 9 Palbase module clients injected into
+ * every endpoint context via `ctx.auth`, `ctx.storage`, etc.
+ *
+ * Design intent
+ * ─────────────
+ * • @palbase/backend owns this contract — no runtime or type dependency on
+ *   @palbase/server or any module package.
+ * • These interfaces are STRUCTURALLY compatible with the runtime's
+ *   ServerClient module objects so assignment is valid without a cast.
+ * • All parameter and return types are defined LOCALLY here (not imported
+ *   from modules/) to keep the package self-contained.
+ *
+ * Privilege note
+ * ──────────────
+ * These clients run with the project's service-role (privileged) key —
+ * they bypass end-user RLS; intentional for server handlers. Treat every
+ * call as if it has admin access to the project's data.
+ */
+
+/** A user as returned by auth verifyUserToken. */
+interface PalbaseUser {
+    id: string;
+    email: string;
+    emailVerified?: boolean;
+    createdAt?: string;
+    updatedAt?: string;
+    metadata?: Record<string, unknown>;
+}
+/** A session as returned by auth.getSession(). */
+interface PalbaseSession {
+    accessToken: string;
+    refreshToken: string;
+    expiresAt: number;
+}
+/** MFA enroll result. */
+interface PalbaseMFAEnrollResult {
+    enrollment_id?: string;
+    secret?: string;
+    otp_url?: string;
+    qr_code?: string;
+    recovery_codes?: string[];
+    status?: string;
+}
+/** MFA token response. */
+interface PalbaseTokenResponse {
+    access_token: string;
+    refresh_token: string;
+    token_type: string;
+    expires_in: number;
+}
+/** MFA factor. */
+interface PalbaseMFAFactor {
+    id: string;
+    type: string;
+    verified: boolean;
+    created_at: string;
+}
+/** Device token view returned by registerDevice. */
+interface PalbaseDeviceTokenView {
+    id: string;
+    device_id: string;
+    platform: "android" | "ios" | "web";
+    status: "active" | "inactive";
+    created_at: string;
+    updated_at: string;
+}
+/** Device info item returned by device.list(). */
+interface PalbaseDeviceInfo {
+    id: string;
+    platform: string;
+    attestation_status: string;
+    bound: boolean;
+    created_at: string;
+}
+/** Params for device.attestAndroid(). */
+interface PalbaseAttestAndroidParams {
+    verdict_token: string;
+}
+/** Result of device.attestAndroid(). */
+interface PalbaseAttestAndroidResult {
+    device_id: string;
+    attestation_status: string;
+    device_integrity?: string;
+}
+/** Params for device.attestiOS(). */
+interface PalbaseAttestiOSParams {
+    attestation_object: string;
+    key_id: string;
+    challenge: string;
+}
+/** Result of device.attestiOS(). */
+interface PalbaseAttestiOSResult {
+    device_id: string;
+    attestation_status: string;
+}
+/** Params for device.bind(). */
+interface PalbaseBindDeviceParams {
+    device_id: string;
+    public_key: string;
+    platform_attestation?: string;
+}
+/** Params for device.verifyRequestSignature() (server-only). */
+interface PalbaseVerifyRequestSignatureParams {
+    payload: string;
+    signature: string;
+}
+/** Flag context (user targeting). */
+interface PalbaseFlagContext {
+    userId?: string;
+    properties?: Record<string, unknown>;
+}
+/** Feature flag variant. */
+interface PalbaseFlagVariant {
+    name: string;
+    payload?: unknown;
+}
+/** Feature flag (getAll result item). */
+interface PalbaseFlag {
+    name: string;
+    enabled: boolean;
+    variant?: PalbaseFlagVariant;
+}
+/** File object returned by storage operations. */
+interface PalbaseFileObject {
+    name: string;
+    id: string;
+    bucket: string;
+    createdAt: string;
+    updatedAt: string;
+    size: number;
+    contentType: string;
+    metadata: Record<string, unknown>;
+}
+/** Storage signed URL response. */
+interface PalbaseSignedUrlResponse {
+    signedUrl: string;
+}
+/** Storage public URL response. */
+interface PalbasePublicUrlResponse {
+    publicUrl: string;
+}
+/** Storage upload options. */
+interface PalbaseUploadOptions {
+    contentType?: string;
+    upsert?: boolean;
+}
+/** Storage transform options for public URLs. */
+interface PalbaseTransformOptions {
+    width?: number;
+    height?: number;
+    format?: "webp" | "avif" | "jpeg" | "png";
+}
+/** Storage list options. */
+interface PalbaseListOptions {
+    limit?: number;
+    offset?: number;
+    sortBy?: {
+        column: string;
+        order: "asc" | "desc";
+    };
+}
+/** Realtime message shape for server-side publish. */
+interface PalbaseRealtimeMessage {
+    type: "broadcast" | "presence" | "postgres_changes";
+    event?: string;
+    payload?: Record<string, unknown>;
+}
+/** Edge-function invoke options. */
+interface PalbaseInvokeOptions {
+    body?: unknown;
+    headers?: Record<string, string>;
+    method?: "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
+}
+/** Push recipient — user ID, array of user IDs, or a topic. */
+type PalbasePushRecipient = string | string[] | {
+    topic: string;
+};
+/** Localized text (plain or locale map). */
+type PalbaseLocalizedText = string | Record<string, string>;
+/** Push send params. */
+interface PalbasePushSendParams {
+    to: PalbasePushRecipient;
+    title?: PalbaseLocalizedText;
+    body?: PalbaseLocalizedText;
+    variables?: Record<string, string>;
+    default_locale?: string;
+    data?: Record<string, string>;
+    image?: string;
+    badge?: number;
+    sound?: string;
+    deep_link?: string;
+    collapse_key?: string;
+    priority?: "high" | "normal";
+    ttl?: number;
+    silent?: boolean;
+    content_available?: boolean;
+    category?: string;
+    metadata?: unknown;
+    channels?: Array<"push" | "inbox">;
+    inbox_action_url?: string;
+}
+/** Push send response. */
+interface PalbasePushSendResponse {
+    message_id?: string;
+    message_ids?: string[];
+    recipients: number;
+}
+/** Email send params. */
+interface PalbaseEmailSendParams {
+    to: string | string[];
+    subject?: string;
+    template?: string;
+    variables?: Record<string, unknown>;
+    html?: string;
+    text?: string;
+    from?: {
+        email: string;
+        name?: string;
+    };
+    reply_to?: string;
+    category?: string;
+}
+/** Email send response. */
+interface PalbaseEmailSendResponse {
+    message_id?: string;
+    message_ids?: string[];
+}
+/** SMS send params. */
+interface PalbaseSmsSendParams {
+    to: string | string[];
+    body: string;
+    category?: string;
+}
+/** SMS send response. */
+interface PalbaseSmsSendResponse {
+    message_id?: string;
+    message_ids?: string[];
+}
+/** Inbox send params (service-role: create inbox row for a user). */
+interface PalbaseInboxSendParams {
+    to: string;
+    title?: string;
+    body: string;
+    data?: unknown;
+    action_url?: string;
+    category?: string;
+    channels?: Array<"push" | "inbox">;
+    push_deep_link?: string;
+}
+/** Inbox send response. */
+interface PalbaseInboxSendResponse {
+    message_id?: string;
+    skipped?: boolean;
+}
+/** A per-channel status entry in a multi-channel response. */
+interface PalbaseChannelOutcome {
+    status: "queued" | "sent" | "skipped" | "failed";
+    message_id?: string;
+    message_ids?: string[];
+    recipients?: number;
+    error?: string;
+}
+/** Multi-channel fan-out response. */
+interface PalbaseMultiChannelResponse {
+    channels: Record<string, PalbaseChannelOutcome>;
+}
+/** An inbox message as returned by inbox.list. */
+interface PalbaseInboxMessage {
+    id: string;
+    user_id?: string;
+    title?: string;
+    body: string;
+    data?: unknown;
+    action_url?: string;
+    category?: string;
+    is_read: boolean;
+    read_at?: string;
+    created_at: string;
+}
+/** Inbox list options. */
+interface PalbaseInboxListOptions {
+    cursor?: string;
+    limit?: number;
+    is_read?: boolean;
+    category?: string;
+    include_archived?: boolean;
+}
+/** Inbox list result. */
+interface PalbaseInboxListResult {
+    messages: PalbaseInboxMessage[];
+    next_cursor?: string;
+}
+/** Notification preferences (channel × category opt-in/out). */
+type PalbasePreferences = Partial<Record<"push" | "email" | "sms" | "inbox", Record<string, boolean>>>;
+/** Register device params. */
+interface PalbaseRegisterDeviceParams {
+    device_id: string;
+    token: string;
+    platform: "android" | "ios" | "web";
+    app_version?: string;
+    locale?: string;
+}
+/** Analytics event properties. */
+type PalbaseAnalyticsProperties = Record<string, unknown>;
+/** Analytics identify traits. */
+type PalbaseIdentifyTraits = Record<string, unknown>;
+/** Analytics count query input. */
+interface PalbaseCountQueryInput {
+    eventName?: string;
+    eventNames?: string[];
+    from: number;
+    to: number;
+    interval?: "hour" | "day";
+    filters?: Record<string, string>;
+    breakdown?: string;
+}
+/** A single time-bucket in a count result. */
+interface PalbaseCountBucket {
+    t: number;
+    count: number;
+    breakdown?: string;
+}
+/** Count query result. */
+interface PalbaseCountResult {
+    series: PalbaseCountBucket[];
+    from_mv: boolean;
+}
+/** Events query input. */
+interface PalbaseEventsQueryInput {
+    from: number;
+    to: number;
+    eventName?: string;
+    distinctId?: string;
+    limit?: number;
+    cursor?: string;
+}
+/** A single event row. */
+interface PalbaseEventRow {
+    event_id: string;
+    timestamp: number;
+    event_name: string;
+    distinct_id: string;
+    properties: Record<string, unknown>;
+}
+/** Events query result. */
+interface PalbaseEventsResult {
+    events: PalbaseEventRow[];
+    next_cursor?: string;
+}
+/** Properties query input. */
+interface PalbasePropertiesQueryInput {
+    eventName?: string;
+    from?: number;
+    to?: number;
+}
+/** Property descriptor (from /query/properties). */
+interface PalbasePropertyDescriptor {
+    name: string;
+    value_count: number;
+}
+/** Users query input. */
+interface PalbaseUsersQueryInput {
+    from: number;
+    to: number;
+    filters?: Record<string, string>;
+    limit?: number;
+    cursor?: string;
+}
+/** A single user row. */
+interface PalbaseUserRow {
+    distinct_id: string;
+    first_seen: number;
+    last_seen: number;
+    event_count: number;
+    properties?: Record<string, unknown>;
+}
+/** Users query result. */
+interface PalbaseUsersResult {
+    users: PalbaseUserRow[];
+    next_cursor?: string;
+}
+/** Funnel query input. */
+interface PalbaseFunnelQueryInput {
+    steps: Array<{
+        event_name: string;
+        filters?: Record<string, string>;
+    }>;
+    from: number;
+    to: number;
+    conversionWindowSeconds?: number;
+    breakdown?: string;
+}
+/** Funnel step result. */
+interface PalbaseFunnelStepResult {
+    event_name: string;
+    count: number;
+    conversion_rate: number;
+}
+/** Funnel query result. */
+interface PalbaseFunnelResult {
+    steps: PalbaseFunnelStepResult[];
+    overall_conversion_rate: number;
+}
+/** Retention query input. */
+interface PalbaseRetentionQueryInput {
+    firstEvent: string;
+    returnEvent: string;
+    from: number;
+    to: number;
+    periodDays?: number;
+    periods?: number;
+}
+/** Retention cohort result item. */
+interface PalbaseRetentionCohort {
+    cohort_start: number;
+    size: number;
+    periods: number[];
+}
+/** Retention query result. */
+interface PalbaseRetentionResult {
+    cohorts: PalbaseRetentionCohort[];
+}
+/** Cohort query input. */
+interface PalbaseCohortQueryInput {
+    name: string;
+    rules: Array<{
+        event_name: string;
+        filters?: Record<string, string>;
+    }>;
+    from: number;
+    to: number;
+}
+/** Cohort query result. */
+interface PalbaseCohortResult {
+    size: number;
+    distinct_ids_sample: string[];
+}
+/** Analytics overview result. */
+interface PalbaseOverviewResult {
+    dau: number;
+    wau: number;
+    mau: number;
+    total_events: number;
+    top_events: Array<{
+        event_name: string;
+        count: number;
+    }>;
+}
+/** Event names result. */
+interface PalbaseEventNamesResult {
+    names: string[];
+}
+/** User detail result. */
+interface PalbaseUserDetailResult {
+    distinct_id: string;
+    first_seen: number;
+    last_seen: number;
+    event_count: number;
+    properties: Record<string, unknown>;
+    recent_events: PalbaseEventRow[];
+}
+/** Create link params. */
+interface PalbaseCreateLinkParams {
+    url: string;
+    title?: string;
+    description?: string;
+    imageUrl?: string;
+    ios?: {
+        bundleId: string;
+        appStoreId?: string;
+        fallbackUrl?: string;
+        minimumVersion?: string;
+    };
+    android?: {
+        packageName: string;
+        fallbackUrl?: string;
+        minimumVersion?: number;
+    };
+    web?: {
+        fallbackUrl?: string;
+    };
+    social?: {
+        title?: string;
+        description?: string;
+        imageUrl?: string;
+    };
+    expiresAt?: string;
+    customShortCode?: string;
+}
+/** Update link params. */
+interface PalbaseUpdateLinkParams {
+    url?: string;
+    title?: string;
+    description?: string;
+    imageUrl?: string;
+    ios?: {
+        bundleId?: string;
+        appStoreId?: string;
+        fallbackUrl?: string;
+        minimumVersion?: string;
+    };
+    android?: {
+        packageName?: string;
+        fallbackUrl?: string;
+        minimumVersion?: number;
+    };
+    web?: {
+        fallbackUrl?: string;
+    };
+    social?: {
+        title?: string;
+        description?: string;
+        imageUrl?: string;
+    };
+    expiresAt?: string;
+}
+/** A link object. */
+interface PalbaseLink {
+    id: string;
+    shortCode: string;
+    shortUrl: string;
+    url: string;
+    title?: string;
+    clickCount: number;
+    createdAt: string;
+}
+/** Link details (extended link). */
+interface PalbaseLinkDetails extends PalbaseLink {
+    description?: string;
+    imageUrl?: string;
+    ios?: Record<string, unknown>;
+    android?: Record<string, unknown>;
+    web?: Record<string, unknown>;
+    social?: Record<string, unknown>;
+    expiresAt?: string;
+}
+/** Link analytics. */
+interface PalbaseLinkAnalytics {
+    totalClicks: number;
+    clicksByPlatform: Record<string, number>;
+    clicksByCountry: Record<string, number>;
+    clicksByDay: Array<{
+        date: string;
+        clicks: number;
+    }>;
+}
+/** QR code options. */
+interface PalbaseQrCodeOptions {
+    size?: number;
+    format?: "png" | "svg";
+}
+/** Match params for deferred deep link resolution. */
+interface PalbaseMatchParams {
+    fingerprintHash: string;
+}
+/** Initial deep link. */
+interface PalbaseInitialLink {
+    url: string;
+    params?: Record<string, string>;
+}
+/** List links options. */
+interface PalbaseListLinksOptions {
+    limit?: number;
+    offset?: number;
+}
+/** List links result. */
+interface PalbaseListLinksResult {
+    links: PalbaseLink[];
+    total: number;
+}
+/** CMS find options. */
+interface PalbaseCmsFindOptions {
+    locale?: string;
+    limit?: number;
+    offset?: number;
+    filter?: Record<string, unknown>;
+}
+/** CMS find-one options. */
+interface PalbaseCmsFindOneOptions {
+    locale?: string;
+}
+/**
+ * Auth client surface available on `ctx.auth`.
+ * Exposes server-relevant methods only. Browser-only patterns are omitted:
+ * — signUp / signIn / signOut / refresh / requestPasswordReset / confirmPasswordReset
+ *   / changePassword / resendVerification / verifyEmail (client flow helpers)
+ * — onAuthStateChange / onTokenChange (subscription callbacks)
+ * — getOAuthURL / signInWithCredential (OAuth browser redirects)
+ * — requestMagicLink / verifyMagicLink (client flow helpers)
+ * — setTokens / getAccessToken (internal token management)
+ * — listSessions / revokeSession / revokeAllSessions (user-self management)
+ * — listIdentities / linkIdentity / unlinkIdentity (user-self management)
+ * — listTrustedDevices / registerTrustedDevice / revokeTrustedDevice (user-self management)
+ */
+interface PalbaseAuthClient {
+    /**
+     * Verify a user's JWT by calling GET /auth/user. Returns the user if the
+     * token is valid; error otherwise. Service-role privileged.
+     */
+    verifyUserToken(jwt: string): Promise<PalbaseResult<PalbaseUser>>;
+    /**
+     * Get the current session held by the client (synchronous — no network
+     * call). On the server the service-role client does not hold a user
+     * session; this always returns `{ data: null, error: null }`.
+     */
+    getSession(): {
+        data: PalbaseSession | null;
+        error: null;
+    };
+    /** MFA admin surface — enroll/verify/manage factors on behalf of users. */
+    mfa: {
+        /** Enroll a new MFA factor (TOTP or email). */
+        enroll(params: {
+            type: "totp" | "email";
+        }): Promise<PalbaseResult<PalbaseMFAEnrollResult>>;
+        /** Verify an enrollment code. */
+        verifyEnrollment(code: string): Promise<PalbaseResult<{
+            status: string;
+        }>>;
+        /** Challenge an MFA factor (verify code, obtain token). */
+        challenge(params: {
+            mfa_token: string;
+            type: "totp" | "email";
+            code: string;
+        }): Promise<PalbaseResult<PalbaseTokenResponse>>;
+        /** Recover via backup code. */
+        recovery(params: {
+            mfa_token: string;
+            code: string;
+        }): Promise<PalbaseResult<PalbaseTokenResponse>>;
+        /** List enrolled factors. */
+        listFactors(): Promise<PalbaseResult<{
+            factors: PalbaseMFAFactor[];
+        }>>;
+        /** Remove a factor. Requires current password. */
+        removeFactor(factorId: string, currentPassword: string): Promise<PalbaseResult<{
+            status: string;
+        }>>;
+        /** Regenerate recovery codes. */
+        regenerateRecoveryCodes(): Promise<PalbaseResult<{
+            recovery_codes: string[];
+        }>>;
+        /** Email MFA: start enrollment. */
+        emailEnroll(): Promise<PalbaseResult<{
+            status: string;
+        }>>;
+        /** Email MFA: send challenge. */
+        emailChallenge(params: {
+            mfa_token: string;
+        }): Promise<PalbaseResult<{
+            status: string;
+        }>>;
+        /** Email MFA: verify code. */
+        emailVerify(params: {
+            mfa_token: string;
+            code: string;
+        }): Promise<PalbaseResult<PalbaseTokenResponse>>;
+    };
+    /** Device attestation surface (App Attest / Play Integrity). */
+    device: {
+        /** Generate a device attestation challenge. */
+        generateChallenge(): Promise<PalbaseResult<{
+            challenge: string;
+        }>>;
+        /** Attest an Android device with a Play Integrity verdict token. */
+        attestAndroid(params: PalbaseAttestAndroidParams): Promise<PalbaseResult<PalbaseAttestAndroidResult>>;
+        /** Attest an iOS device with App Attest attestation data. */
+        attestiOS(params: PalbaseAttestiOSParams): Promise<PalbaseResult<PalbaseAttestiOSResult>>;
+        /** Bind a verified device with a public key for request signing. */
+        bind(params: PalbaseBindDeviceParams): Promise<PalbaseResult<{
+            success: boolean;
+        }>>;
+        /** List all devices for the current user. */
+        list(): Promise<PalbaseResult<{
+            devices: PalbaseDeviceInfo[];
+        }>>;
+        /** Delete a device by ID. */
+        delete(deviceId: string): Promise<PalbaseResult<{
+            success: boolean;
+        }>>;
+        /**
+         * Verify a request signature from a device (server-only).
+         * Not exposed in the client SDK.
+         */
+        verifyRequestSignature(deviceId: string, params: PalbaseVerifyRequestSignatureParams): Promise<PalbaseResult<{
+            verified: boolean;
+        }>>;
+        /** Get the cached App Check token, or null if not available / expired. */
+        getToken(): string | null;
+        /** Whether App Check is active (token cached and not expired). */
+        readonly isActive: boolean;
+        /** Set a cached App Check token manually (e.g. after attest flow). */
+        setCachedToken(token: string, expiresInMs: number): void;
+        /** Clean up timers and cached state. */
+        dispose(): void;
+    };
+}
+/**
+ * Bucket-level file operations available via `ctx.storage.bucket(name)`.
+ * `getPublicUrl` is synchronous (no network call — constructs URL locally).
+ */
+interface PalbaseBucketClient {
+    /** Upload a file. */
+    upload(path: string, file: Blob | ArrayBuffer | ReadableStream, options?: PalbaseUploadOptions): Promise<PalbaseResult<PalbaseFileObject>>;
+    /** Download a file as a Blob. */
+    download(path: string): Promise<PalbaseResult<Blob>>;
+    /** Construct the public URL for a file (sync — no network call). */
+    getPublicUrl(path: string, options?: PalbaseTransformOptions): {
+        data: PalbasePublicUrlResponse;
+    };
+    /** Create a time-limited signed URL. */
+    createSignedUrl(path: string, expiresIn: number): Promise<PalbaseResult<PalbaseSignedUrlResponse>>;
+    /** List objects in the bucket (optionally filtered by prefix). */
+    list(prefix?: string, options?: PalbaseListOptions): Promise<PalbaseResult<PalbaseFileObject[]>>;
+    /** Delete one or more objects. */
+    remove(paths: string[]): Promise<PalbaseResult<PalbaseFileObject[]>>;
+    /** Move / rename an object. */
+    move(from: string, to: string): Promise<PalbaseResult<void>>;
+    /** Copy an object. */
+    copy(from: string, to: string): Promise<PalbaseResult<void>>;
+}
+/**
+ * Storage client available on `ctx.storage`.
+ * Only `bucket()` is exposed — service-role callers select a bucket first.
+ */
+interface PalbaseStorageClient {
+    /** Get a bucket-scoped client for file operations. */
+    bucket(name: string): PalbaseBucketClient;
+}
+/**
+ * Channel reference for server-side realtime publish.
+ * Omits browser subscription patterns (on(), presenceState()) and
+ * internal test helpers (_injectWebSocket). All send operations are
+ * synchronous — they throw if the channel is not subscribed.
+ */
+interface PalbaseRealtimeChannel {
+    /** The channel name. */
+    readonly name: string;
+    /** Send a message to all channel subscribers. */
+    send(message: PalbaseRealtimeMessage): void;
+    /** Track server presence state. */
+    track(state: Record<string, unknown>): void;
+    /** Remove server presence state. */
+    untrack(): void;
+    /** Subscribe (connect WebSocket). Returns `this` for chaining. */
+    subscribe(): PalbaseRealtimeChannel;
+    /** Unsubscribe (close WebSocket). */
+    unsubscribe(): void;
+}
+/**
+ * Realtime client available on `ctx.realtime`.
+ * Server-side usage: get a channel, call send() to publish broadcasts.
+ * Omits browser subscription patterns (onSnapshot, subscribe listeners).
+ */
+interface PalbaseRealtimeClient {
+    /** Get (or create) a named channel. */
+    channel(name: string): PalbaseRealtimeChannel;
+    /** Remove a channel and close its WebSocket. */
+    removeChannel(name: string): void;
+    /** Remove all channels and close all WebSockets. */
+    removeAllChannels(): void;
+}
+/**
+ * Functions client available on `ctx.functions`.
+ * Invoke edge functions from a backend endpoint.
+ */
+interface PalbaseFunctionsClient {
+    /** Invoke a named edge function. */
+    invoke<T = unknown>(fnName: string, options?: PalbaseInvokeOptions): Promise<PalbaseResult<T>>;
+}
+/**
+ * Flags client available on `ctx.flags`.
+ * Evaluate feature flags server-side (service-role key — user targeting
+ * is optional via context).
+ */
+interface PalbaseFlagsClient {
+    /** Is a flag enabled for the given context? */
+    isEnabled(flagName: string, context?: PalbaseFlagContext): Promise<PalbaseResult<boolean>>;
+    /** Get the active variant of a multivariate flag. */
+    getVariant(flagName: string, context?: PalbaseFlagContext): Promise<PalbaseResult<PalbaseFlagVariant>>;
+    /** Get all flags for the project. */
+    getAll(context?: PalbaseFlagContext): Promise<PalbaseResult<PalbaseFlag[]>>;
+}
+/**
+ * Push sub-client surface (server-only: fan-out to users / topics).
+ */
+interface PalbasePushClient {
+    /** Send a push notification to one or more users, or a topic. */
+    send(params: PalbasePushSendParams): Promise<PalbaseResult<PalbasePushSendResponse | PalbaseMultiChannelResponse>>;
+}
+/**
+ * Email sub-client surface (service-role).
+ */
+interface PalbaseEmailClient {
+    /** Send a transactional email. */
+    send(params: PalbaseEmailSendParams): Promise<PalbaseResult<PalbaseEmailSendResponse>>;
+}
+/**
+ * SMS sub-client surface (service-role).
+ */
+interface PalbaseSmsClient {
+    /** Send an SMS message. */
+    send(params: PalbaseSmsSendParams): Promise<PalbaseResult<PalbaseSmsSendResponse>>;
+}
+/**
+ * Inbox sub-client surface (service-role send + user read operations).
+ */
+interface PalbaseInboxClient {
+    /** Service-role: create an inbox notification row for a user. */
+    send(params: PalbaseInboxSendParams): Promise<PalbaseResult<PalbaseInboxSendResponse | PalbaseMultiChannelResponse>>;
+    /** List inbox messages (user-scoped or admin). */
+    list(options?: PalbaseInboxListOptions): Promise<PalbaseResult<PalbaseInboxListResult>>;
+    /** Count unread messages. */
+    unreadCount(): Promise<PalbaseResult<{
+        count: number;
+    }>>;
+    /** Mark a message as read. */
+    markRead(id: string): Promise<PalbaseResult<void>>;
+    /** Mark all messages read. */
+    markAllRead(): Promise<PalbaseResult<void>>;
+    /** Archive (soft-delete) a message. */
+    archive(id: string): Promise<PalbaseResult<void>>;
+}
+/**
+ * Preferences sub-client surface.
+ */
+interface PalbasePreferencesClient {
+    /** Get notification preferences. */
+    get(): Promise<PalbaseResult<PalbasePreferences>>;
+    /** Update notification preferences. */
+    update(params: PalbasePreferences): Promise<PalbaseResult<PalbasePreferences>>;
+}
+/**
+ * Notifications client available on `ctx.notifications`.
+ * Service-role: all send operations require privileged access.
+ * Omits ClientNotificationsClient (browser-only narrowed surface).
+ */
+interface PalbaseNotificationsClient {
+    /** Push notification sender. */
+    push: PalbasePushClient;
+    /** Email sender. */
+    email: PalbaseEmailClient;
+    /** SMS sender. */
+    sms: PalbaseSmsClient;
+    /** Inbox (in-app) message sender and reader. */
+    inbox: PalbaseInboxClient;
+    /** Notification preferences manager. */
+    preferences: PalbasePreferencesClient;
+    /** Register a device for push notifications. */
+    registerDevice(params: PalbaseRegisterDeviceParams): Promise<PalbaseResult<PalbaseDeviceTokenView>>;
+    /** Remove a device registration. */
+    unregisterDevice(deviceId: string): Promise<PalbaseResult<void>>;
+}
+/**
+ * Analytics query namespace (read-side endpoints).
+ */
+interface PalbaseAnalyticsQueryNamespace {
+    /** Count events over time. */
+    count(input: PalbaseCountQueryInput): Promise<PalbaseResult<PalbaseCountResult>>;
+    /** List raw events. */
+    events(input: PalbaseEventsQueryInput): Promise<PalbaseResult<PalbaseEventsResult>>;
+    /** List event property descriptors. */
+    properties(input?: PalbasePropertiesQueryInput): Promise<PalbaseResult<PalbasePropertyDescriptor[]>>;
+    /** Query users by filters. */
+    users(input: PalbaseUsersQueryInput): Promise<PalbaseResult<PalbaseUsersResult>>;
+    /** Run a funnel query. */
+    funnel(input: PalbaseFunnelQueryInput): Promise<PalbaseResult<PalbaseFunnelResult>>;
+    /** Run a retention query. */
+    retention(input: PalbaseRetentionQueryInput): Promise<PalbaseResult<PalbaseRetentionResult>>;
+    /** Run a cohort query. */
+    cohort(input: PalbaseCohortQueryInput): Promise<PalbaseResult<PalbaseCohortResult>>;
+}
+/**
+ * Analytics management namespace (meta-level endpoints).
+ */
+interface PalbaseAnalyticsManagementNamespace {
+    /** Get project-level overview stats. */
+    overview(): Promise<PalbaseResult<PalbaseOverviewResult>>;
+    /** Get all event names seen by the project. */
+    eventNames(): Promise<PalbaseResult<PalbaseEventNamesResult>>;
+    /** Get details for a specific user. */
+    userDetail(distinctId: string): Promise<PalbaseResult<PalbaseUserDetailResult>>;
+    /** Delete all data for a user (GDPR erasure). */
+    deleteUser(distinctId: string): Promise<PalbaseResult<void>>;
+}
+/**
+ * Analytics client available on `ctx.analytics`.
+ * Capture events server-side and run analytical queries.
+ */
+interface PalbaseAnalyticsClient {
+    /** Capture a custom event. */
+    capture(event: string, properties?: PalbaseAnalyticsProperties, distinctId?: string): Promise<PalbaseResult<void>>;
+    /** Identify a user with traits. */
+    identify(distinctId: string, traits?: PalbaseIdentifyTraits): Promise<PalbaseResult<void>>;
+    /** Track a screen view. */
+    screen(screenName: string, properties?: PalbaseAnalyticsProperties, distinctId?: string): Promise<PalbaseResult<void>>;
+    /** Query namespace for analytics read operations. */
+    query: PalbaseAnalyticsQueryNamespace;
+    /** Management namespace for meta-level operations. */
+    management: PalbaseAnalyticsManagementNamespace;
+}
+/**
+ * Deep-links client available on `ctx.links`.
+ * Create, manage, and resolve deep links from server endpoints.
+ * Omits `getInitialLink()` (client SDK convenience — browser/app only).
+ */
+interface PalbaseLinksClient {
+    /** Create a short link. */
+    create(params: PalbaseCreateLinkParams): Promise<PalbaseResult<PalbaseLink>>;
+    /** List links (paginated). */
+    list(options?: PalbaseListLinksOptions): Promise<PalbaseResult<PalbaseListLinksResult>>;
+    /** Get link details + analytics summary. */
+    get(linkId: string): Promise<PalbaseResult<PalbaseLinkDetails>>;
+    /** Update a link. */
+    update(linkId: string, params: PalbaseUpdateLinkParams): Promise<PalbaseResult<PalbaseLink>>;
+    /** Delete a link. */
+    delete(linkId: string): Promise<PalbaseResult<{
+        success: boolean;
+    }>>;
+    /** Get click analytics for a link. */
+    analytics(linkId: string): Promise<PalbaseResult<PalbaseLinkAnalytics>>;
+    /** Generate a QR code for a link (returns PNG or SVG Blob). */
+    qrCode(linkId: string, options?: PalbaseQrCodeOptions): Promise<PalbaseResult<Blob>>;
+    /** Match a deferred deep link by device fingerprint. */
+    match(params: PalbaseMatchParams): Promise<PalbaseResult<PalbaseInitialLink | null>>;
+}
+/**
+ * CMS client available on `ctx.cms`.
+ * Fetch content from PayloadCMS collections within a server endpoint.
+ */
+interface PalbaseCmsClient {
+    /** Find multiple documents in a collection. */
+    find<T = unknown>(collection: string, options?: PalbaseCmsFindOptions): Promise<PalbaseResult<T[]>>;
+    /** Find a single document by ID. */
+    findOne<T = unknown>(collection: string, id: string, options?: PalbaseCmsFindOneOptions): Promise<PalbaseResult<T>>;
+}
+
+/** Uploaded file metadata injected into endpoint context when a file is present.
+ * `data` is typed as `Uint8Array` for SDK portability (Buffer extends Uint8Array in Node).
+ */
+interface FileContext {
+    filename: string;
+    contentType: string;
+    size: number;
+    data: Uint8Array;
+}
+/** Queue client for dispatching background jobs from within a handler. */
+interface QueueClient {
+    /** Enqueue a job for the named worker. Returns the new job ID. */
+    push(worker: string, payload: unknown): Promise<{
+        jobId: string;
+    }>;
+}
+/** Rate limit configuration for an endpoint. */
+interface RateLimitConfig {
+    /** Maximum number of requests in the window. */
+    max: number;
+    /** Window duration in seconds. */
+    window: number;
+}
+/** Database client interface injected into endpoint context. */
+interface DBClient {
+    /** Run a read-only SQL query (executes in a READ ONLY transaction). */
+    query(sql: string, params?: unknown[]): Promise<Record<string, unknown>[]>;
+    insert(table: string, data: Record<string, unknown>): Promise<Record<string, unknown>>;
+    update(table: string, id: string, data: Record<string, unknown>): Promise<Record<string, unknown>>;
+    delete(table: string, id: string): Promise<void>;
+    findById(table: string, id: string): Promise<Record<string, unknown> | null>;
+    findMany(table: string, query?: Record<string, unknown>): Promise<Record<string, unknown>[]>;
+}
+/** Logger interface injected into endpoint context. */
+interface Logger {
+    info(message: string, ...args: unknown[]): void;
+    warn(message: string, ...args: unknown[]): void;
+    error(message: string, ...args: unknown[]): void;
+    debug(message: string, ...args: unknown[]): void;
+}
+/**
+ * Cache client interface injected into endpoint context.
+ *
+ * The cache is JSON-typed: values are serialized to/from JSON, so any JSON
+ * value (objects, arrays, numbers, booleans, strings) round-trips. `get<T>`
+ * therefore returns `T | null` rather than `string | null`.
+ */
+interface CacheClient {
+    /** Read a value. Returns `null` on a cache miss. */
+    get<T = unknown>(key: string): Promise<T | null>;
+    /** Write a JSON-serializable value with an optional TTL (seconds). */
+    set(key: string, value: unknown, ttl?: number): Promise<void>;
+    /** Delete a key. */
+    del(key: string): Promise<void>;
+    /** Atomically increment an integer counter, returning the new value. */
+    incr(key: string): Promise<number>;
+    /**
+     * Stampede-safe read-through cache fill. On a hit, returns the cached value.
+     * On a miss, a single caller (across all pod replicas, coordinated by a
+     * distributed lock) runs `fn`, caches the result for `ttl` seconds, and
+     * returns it; concurrent callers wait for that result instead of also
+     * running `fn`. If no value lands within the lock's TTL, the call rejects —
+     * it does NOT run `fn` on timeout (that would reintroduce the stampede).
+     *
+     * @param ttl value TTL in seconds.
+     */
+    getOrSet<T>(key: string, ttl: number, fn: () => Promise<T> | T): Promise<T>;
+}
+/** Result envelope used across the Palbase Server SDK clients. */
+interface PalbaseResult<T> {
+    data: T | null;
+    error: {
+        message?: string;
+        code?: string;
+    } | null;
+    status?: number;
+}
+/** Document snapshot returned by docs.get(). */
+interface PalbaseDocumentSnapshot<T = Record<string, unknown>> {
+    id: string;
+    exists: boolean;
+    data(): T | undefined;
+    ref: {
+        path: string;
+    };
+}
+/** Collection query snapshot returned by collection.get(). */
+interface PalbaseQuerySnapshot<T = Record<string, unknown>> {
+    docs: PalbaseDocumentSnapshot<T>[];
+    empty: boolean;
+    size: number;
+}
+/** Comparison operators supported by docs.where(). */
+type PalbaseWhereOperator = "==" | "!=" | "<" | "<=" | ">" | ">=" | "in" | "array-contains";
+/** Document reference exposed by ctx.docs.collection(...).doc(...). */
+interface PalbaseDocumentRef<T = Record<string, unknown>> {
+    readonly path: string;
+    set(data: T): Promise<PalbaseResult<void>>;
+    get(): Promise<PalbaseResult<PalbaseDocumentSnapshot<T>>>;
+    update(data: Partial<T>): Promise<PalbaseResult<void>>;
+    delete(): Promise<PalbaseResult<void>>;
+}
+/** Collection reference exposed by ctx.docs.collection(...). */
+interface PalbaseCollectionRef<T = Record<string, unknown>> {
+    readonly path: string;
+    doc(id: string): PalbaseDocumentRef<T>;
+    add(data: T): Promise<PalbaseResult<PalbaseDocumentRef<T>>>;
+    where(field: string, op: PalbaseWhereOperator, value: unknown): PalbaseCollectionRef<T>;
+    orderBy(field: string, direction?: "asc" | "desc"): PalbaseCollectionRef<T>;
+    limit(n: number): PalbaseCollectionRef<T>;
+    get(): Promise<PalbaseResult<PalbaseQuerySnapshot<T>>>;
+}
+/** Docs client surface available on ctx.docs. */
+interface PalbaseDocsClient {
+    collection<T = Record<string, unknown>>(path: string): PalbaseCollectionRef<T>;
+    doc<T = Record<string, unknown>>(path: string): PalbaseDocumentRef<T>;
+}
+/** Palbase module clients surfaced directly on every context.
+ *
+ * `ctx.docs`, `ctx.storage`, … — no `ctx.palbase.*` namespace. Structurally
+ * typed against the runtime's `ServerClient`; the runtime injects the real
+ * client, so mismatched names would surface as `undefined is not a function`
+ * at call time — keep these in sync with `ServerClient`.
+ *
+ * Note: `db` here is NOT a module client — `ctx.db` is the project's own
+ * Postgres (pgx, schema `env_<envId>`), declared separately on each context
+ * as `DBClient`. The SDK's PostgREST query-builder is not exposed inside
+ * endpoints.
+ */
+interface PalbaseModuleClients {
+    auth: PalbaseAuthClient;
+    storage: PalbaseStorageClient;
+    docs: PalbaseDocsClient;
+    realtime: PalbaseRealtimeClient;
+    functions: PalbaseFunctionsClient;
+    flags: PalbaseFlagsClient;
+    notifications: PalbaseNotificationsClient;
+    analytics: PalbaseAnalyticsClient;
+    links: PalbaseLinksClient;
+    cms: PalbaseCmsClient;
+}
+/** Endpoint context — injected into every handler. Module clients hang
+ * directly off ctx (`ctx.docs`, not `ctx.palbase.docs`); `ctx.db` is the
+ * project's own Postgres.
+ *
+ * When `TSchema` is a `SchemaDef`, `ctx.db` is `TypedDB<TSchema> & DBClient`:
+ * both `ctx.db.tables.rooms.insert({...})` (typed) and
+ * `ctx.db.insert("rooms", {...})` (legacy string API) compile.
+ * When `TSchema` is `undefined` (no schema), `ctx.db` is plain `DBClient`.
+ */
+interface EndpointContext<TInput = unknown, TSchema extends SchemaDef | undefined = undefined, TAuthed extends boolean = false> extends PalbaseModuleClients {
+    input: TInput;
+    params: Record<string, string>;
+    query: Record<string, string>;
+    headers: Record<string, string>;
+    /** Authenticated user. Non-null (`User`) only when the endpoint's `auth`
+     * config forces authentication; otherwise `User | null`. The narrowing is
+     * driven by the `TAuthed` flag, which `defineEndpoint` computes from the
+     * `auth` literal via {@link IsAuthed}. */
+    user: TAuthed extends true ? User : User | null;
+    /** HTTP method of the incoming request (e.g. "GET", "POST"). */
+    method: string;
+    /** Matched endpoint path (e.g. "/todos/create"). */
+    endpointPath: string;
+    /** Uploaded file, or null when the request has no file part. */
+    file: FileContext | null;
+    db: TSchema extends SchemaDef ? TypedDB<TSchema> & DBClient : DBClient;
+    env: Record<string, string>;
+    log: Logger;
+    cache: CacheClient;
+    /** Queue client for dispatching background jobs. */
+    queue: QueueClient;
+    requestId: string;
+    projectId: string;
+    environmentId: string;
+}
+/** Middleware function signature — uses MiddlewareContext (no input, not yet validated). */
+type Middleware = (ctx: MiddlewareContext, next: () => Promise<void>) => Promise<void>;
+/** The shape an endpoint's `auth` config may take.
+ *
+ * Either a bare boolean (`true`/`false`) or an object form (`{ required?,
+ * role? }`). The object form is `Partial<AuthConfig>` so `required` may be
+ * omitted — which the runtime treats as `required: true` (see {@link IsAuthed}).
+ */
+type AuthSpec = boolean | Partial<AuthConfig>;
+/** Compute, at the type level, whether an endpoint authenticates its caller —
+ * i.e. whether `ctx.user` should be `User` (non-null) instead of `User | null`.
+ *
+ * This mirrors the Go pipeline's enforcement exactly (extract_meta.js + auth.go):
+ * a request is authenticated ⟺ `auth === true` OR (`auth` is an object whose
+ * `required` is not explicitly `false`). So `ctx.user` stays nullable ONLY when
+ * `auth` is absent (`undefined`), `auth === false`, or `auth: { required: false }`.
+ *
+ * | `TAuth`                         | `IsAuthed<TAuth>` |
+ * |---------------------------------|-------------------|
+ * | `undefined`                     | `false`           |
+ * | `true`                          | `true`            |
+ * | `false`                         | `false`           |
+ * | `{ required: true }`            | `true`            |
+ * | `{ required: false }`           | `false`           |
+ * | `{ role: 'admin' }` (no `required`) | `true` ⚠️     |
+ *
+ * Order matters: the `{ required: false }` branch is checked first so the
+ * object case can't swallow it; `true` then `false` literals are handled
+ * explicitly before the catch-all object branch (which encodes the
+ * "required omitted ⇒ required" corner case).
+ */
+type IsAuthed<TAuth> = TAuth extends {
+    required: false;
+} ? false : TAuth extends true ? true : TAuth extends false ? false : TAuth extends object ? true : false;
+/** Configuration for defining an endpoint.
+ *
+ * `TSchema` — optional `SchemaDef` that, when provided, types `ctx.db` as
+ * `TypedDB<TSchema> & DBClient` so both the typed `.tables` API and the
+ * legacy string API compile inside the handler.
+ *
+ * `TAuth` — captures the literal type of the `auth` field (via the `const`
+ * type parameter on `defineEndpoint`) so the handler's `ctx.user` can be
+ * narrowed to non-null `User` when auth is required. See {@link IsAuthed}.
+ */
+interface EndpointConfig<TInputSchema extends ZodSchema = ZodSchema, TOutputSchema extends ZodSchema = ZodSchema, TSchema extends SchemaDef | undefined = undefined, TAuth extends AuthSpec | undefined = undefined> {
+    method: HttpMethod;
+    auth?: TAuth;
+    rateLimit?: RateLimitConfig;
+    input?: TInputSchema;
+    output?: TOutputSchema;
+    schema?: TSchema;
+    middleware?: Middleware[];
+    handler: (ctx: EndpointContext<z.infer<TInputSchema>, TSchema, IsAuthed<TAuth>>) => Promise<z.infer<TOutputSchema>>;
+}
+/** Define a type-safe endpoint. Input schema infers the ctx.input type.
+ * Pass a `schema` (from `defineSchema`) to get a typed `ctx.db.tables.*` API.
+ *
+ * The `const TAuth` type parameter captures the `auth` field as a literal
+ * (`true` / `{ required: true }` / `{ role: 'admin' }` …) so the handler's
+ * `ctx.user` is narrowed to `User` (non-null) whenever auth is enforced.
+ */
+declare function defineEndpoint<TInputSchema extends ZodSchema, TOutputSchema extends ZodSchema, TSchema extends SchemaDef | undefined = undefined, const TAuth extends AuthSpec | undefined = undefined>(config: EndpointConfig<TInputSchema, TOutputSchema, TSchema, TAuth>): EndpointConfig<TInputSchema, TOutputSchema, TSchema, TAuth>;
+
+export { type PalbaseIdentifyTraits as $, type AuthConfig as A, type PalbaseDocumentRef as B, type CacheClient as C, type DBClient as D, type EndpointContext as E, type FileContext as F, type PalbaseDocumentSnapshot as G, type HttpMethod as H, type InsertShape as I, type PalbaseEmailClient as J, type PalbaseEmailSendParams as K, type Logger as L, type Middleware as M, type PalbaseEmailSendResponse as N, type PalbaseEventNamesResult as O, type PalbaseModuleClients as P, type QueueClient as Q, type PalbaseEventsQueryInput as R, type PalbaseEventsResult as S, type PalbaseFileObject as T, type PalbaseFlag as U, type PalbaseFlagContext as V, type PalbaseFlagVariant as W, type PalbaseFlagsClient as X, type PalbaseFunctionsClient as Y, type PalbaseFunnelQueryInput as Z, type PalbaseFunnelResult as _, type EndpointConfig as a, type PalbaseInboxClient as a0, type PalbaseInboxListOptions as a1, type PalbaseInboxListResult as a2, type PalbaseInboxMessage as a3, type PalbaseInboxSendParams as a4, type PalbaseInboxSendResponse as a5, type PalbaseInitialLink as a6, type PalbaseInvokeOptions as a7, type PalbaseLink as a8, type PalbaseLinkAnalytics as a9, type PalbaseSmsClient as aA, type PalbaseSmsSendParams as aB, type PalbaseSmsSendResponse as aC, type PalbaseStorageClient as aD, type PalbaseTransformOptions as aE, type PalbaseUpdateLinkParams as aF, type PalbaseUploadOptions as aG, type PalbaseUser as aH, type PalbaseUserDetailResult as aI, type PalbaseUsersQueryInput as aJ, type PalbaseUsersResult as aK, type PalbaseVerifyRequestSignatureParams as aL, type PalbaseWhereOperator as aM, type RateLimitConfig as aN, type RowShape as aO, type TypedDB as aP, type TypedTable as aQ, type User as aR, defineEndpoint as aS, defineMiddleware as aT, makeTypedDB as aU, type PalbaseLinkDetails as aa, type PalbaseLinksClient as ab, type PalbaseListLinksOptions as ac, type PalbaseListLinksResult as ad, type PalbaseListOptions as ae, type PalbaseMatchParams as af, type PalbaseMultiChannelResponse as ag, type PalbaseNotificationsClient as ah, type PalbaseOverviewResult as ai, type PalbasePreferences as aj, type PalbasePreferencesClient as ak, type PalbasePublicUrlResponse as al, type PalbasePushClient as am, type PalbasePushSendParams as an, type PalbasePushSendResponse as ao, type PalbaseQrCodeOptions as ap, type PalbaseQuerySnapshot as aq, type PalbaseRealtimeChannel as ar, type PalbaseRealtimeClient as as, type PalbaseRealtimeMessage as at, type PalbaseRegisterDeviceParams as au, type PalbaseResult as av, type PalbaseRetentionQueryInput as aw, type PalbaseRetentionResult as ax, type PalbaseSession as ay, type PalbaseSignedUrlResponse as az, type MiddlewareContext as b, type MiddlewareHandler as c, type PalbaseAnalyticsClient as d, type PalbaseAnalyticsManagementNamespace as e, type PalbaseAnalyticsProperties as f, type PalbaseAnalyticsQueryNamespace as g, type PalbaseAttestAndroidParams as h, type PalbaseAttestAndroidResult as i, type PalbaseAttestiOSParams as j, type PalbaseAttestiOSResult as k, type PalbaseAuthClient as l, type PalbaseBindDeviceParams as m, type PalbaseBucketClient as n, type PalbaseCmsClient as o, type PalbaseCmsFindOneOptions as p, type PalbaseCmsFindOptions as q, type PalbaseCohortQueryInput as r, type PalbaseCohortResult as s, type PalbaseCollectionRef as t, type PalbaseCountQueryInput as u, type PalbaseCountResult as v, type PalbaseCreateLinkParams as w, type PalbaseDeviceInfo as x, type PalbaseDeviceTokenView as y, type PalbaseDocsClient as z };