@querypanel/node-sdk 1.0.26 → 1.0.28

package/dist/index.cjs

@@ -0,0 +1,2498 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ClickHouseAdapter: () => ClickHouseAdapter,
+  PostgresAdapter: () => PostgresAdapter,
+  QueryPanelSdkAPI: () => QueryPanelSdkAPI,
+  anonymizeResults: () => anonymizeResults
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/utils/clickhouse.ts
+var WRAPPER_REGEX = /^(Nullable|LowCardinality|SimpleAggregateFunction)\((.+)\)$/i;
+function unwrapTypeModifiers(type) {
+  let current = type.trim();
+  let match = WRAPPER_REGEX.exec(current);
+  while (match) {
+    const inner = match[2];
+    if (!inner) {
+      break;
+    }
+    current = inner.trim();
+    match = WRAPPER_REGEX.exec(current);
+  }
+  return current;
+}
+function parseKeyExpression(expression) {
+  if (!expression) return [];
+  let value = expression.trim();
+  if (!value) return [];
+  if (/^tuple\s*\(/i.test(value) && value.endsWith(")")) {
+    value = value.replace(/^tuple\s*\(/i, "").replace(/\)$/, "");
+  }
+  const columns = [];
+  let depth = 0;
+  let token = "";
+  for (const ch of value) {
+    if (ch === "(") {
+      depth += 1;
+      token += ch;
+      continue;
+    }
+    if (ch === ")") {
+      depth = Math.max(0, depth - 1);
+      token += ch;
+      continue;
+    }
+    if (ch === "," && depth === 0) {
+      const col = token.trim();
+      if (col) columns.push(stripWrapper(col));
+      token = "";
+      continue;
+    }
+    token += ch;
+  }
+  const last = token.trim();
+  if (last) columns.push(stripWrapper(last));
+  return columns.filter(Boolean);
+}
+function stripWrapper(value) {
+  const noQuotes = stripQuotes(value);
+  const withoutTicks = noQuotes.replace(/`/g, "").trim();
+  const parts = withoutTicks.split(".");
+  return parts[parts.length - 1]?.trim() ?? "";
+}
+function stripQuotes(value) {
+  if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+    return value.slice(1, -1);
+  }
+  return value;
+}
+
+// src/adapters/clickhouse.ts
+var ClickHouseAdapter = class {
+  constructor(clientFn, options = {}) {
+    this.clientFn = clientFn;
+    this.databaseName = options.database ?? "default";
+    this.defaultFormat = options.defaultFormat ?? "JSONEachRow";
+    this.kind = options.kind ?? "clickhouse";
+    if (options.allowedTables) {
+      this.allowedTables = normalizeTableFilter(options.allowedTables);
+    }
+  }
+  databaseName;
+  defaultFormat;
+  kind;
+  allowedTables;
+  async execute(sql, params) {
+    if (this.allowedTables) {
+      this.validateQueryTables(sql);
+    }
+    const queryOptions = {
+      format: this.defaultFormat
+    };
+    if (params) {
+      queryOptions.params = params;
+    }
+    const rows = await this.query(sql, queryOptions);
+    const fields = rows.length > 0 ? Object.keys(rows[0] ?? {}) : [];
+    return { fields, rows };
+  }
+  async validate(sql, params) {
+    const queryOptions = {
+      format: this.defaultFormat
+    };
+    if (params) {
+      queryOptions.params = params;
+    }
+    await this.query(`EXPLAIN ${sql}`, queryOptions);
+  }
+  getDialect() {
+    return "clickhouse";
+  }
+  /**
+   * Simplified introspection: only collect table/column metadata for IngestRequest
+   * No indexes, constraints, or statistics
+   */
+  async introspect(options) {
+    const tablesToIntrospect = options?.tables ? normalizeTableFilter(options.tables) : this.allowedTables;
+    const allowTables = tablesToIntrospect ?? [];
+    const hasFilter = allowTables.length > 0;
+    const queryParams = {
+      db: this.databaseName
+    };
+    if (hasFilter) {
+      queryParams.tables = allowTables;
+    }
+    const filterClause = hasFilter ? " AND name IN {tables:Array(String)}" : "";
+    const tables = await this.query(
+      `SELECT name, engine, comment, primary_key
+       FROM system.tables
+       WHERE database = {db:String}${filterClause}
+       ORDER BY name`,
+      { params: queryParams }
+    );
+    const columnFilterClause = hasFilter ? " AND table IN {tables:Array(String)}" : "";
+    const columns = await this.query(
+      `SELECT table, name, type, position, comment, is_in_primary_key
+       FROM system.columns
+       WHERE database = {db:String}${columnFilterClause}
+       ORDER BY table, position`,
+      { params: queryParams }
+    );
+    const columnsByTable = /* @__PURE__ */ new Map();
+    for (const rawColumn of columns) {
+      const list = columnsByTable.get(rawColumn.table) ?? [];
+      list.push(transformColumnRow(rawColumn));
+      columnsByTable.set(rawColumn.table, list);
+    }
+    const tableSchemas = tables.map((table) => {
+      const tableColumns = columnsByTable.get(table.name) ?? [];
+      const primaryKeyColumns = parseKeyExpression(table.primary_key);
+      for (const column of tableColumns) {
+        column.isPrimaryKey = column.isPrimaryKey || primaryKeyColumns.includes(column.name);
+      }
+      const base = {
+        name: table.name,
+        schema: this.databaseName,
+        type: asTableType(table.engine),
+        columns: tableColumns
+      };
+      const comment = sanitize(table.comment);
+      if (comment !== void 0) {
+        base.comment = comment;
+      }
+      return base;
+    });
+    return {
+      db: {
+        kind: this.kind,
+        name: this.databaseName
+      },
+      tables: tableSchemas,
+      introspectedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  validateQueryTables(sql) {
+    if (!this.allowedTables || this.allowedTables.length === 0) {
+      return;
+    }
+    const allowedSet = new Set(this.allowedTables);
+    const tablePattern = /(?:FROM|JOIN)\s+(?:FINAL\s+)?(?:(?:[a-zA-Z_][a-zA-Z0-9_]*)\.)?(["'`]?[a-zA-Z_][a-zA-Z0-9_]*["'`]?)/gi;
+    const matches = sql.matchAll(tablePattern);
+    for (const match of matches) {
+      const table = match[1]?.replace(/["'`]/g, "");
+      if (table) {
+        if (!allowedSet.has(table)) {
+          throw new Error(
+            `Query references table "${table}" which is not in the allowed tables list`
+          );
+        }
+      }
+    }
+  }
+  async close() {
+  }
+  async query(sql, options) {
+    const params = {
+      query: sql
+    };
+    const format = options?.format ?? this.defaultFormat;
+    if (format !== void 0) {
+      params.format = format;
+    }
+    if (options?.params) {
+      params.query_params = options.params;
+    }
+    if (options?.settings) {
+      params.clickhouse_settings = options.settings;
+    }
+    const result = await this.clientFn(params);
+    return this.extractRows(result);
+  }
+  async extractRows(result) {
+    if (Array.isArray(result)) {
+      return result;
+    }
+    if (result && typeof result.json === "function") {
+      const payload = await result.json();
+      return normalizePayload(payload);
+    }
+    return [];
+  }
+};
+function normalizePayload(payload) {
+  if (Array.isArray(payload)) {
+    return payload;
+  }
+  if (payload && typeof payload === "object") {
+    const maybeData = payload.data;
+    if (Array.isArray(maybeData)) {
+      return maybeData;
+    }
+  }
+  return [];
+}
+function normalizeTableFilter(tables) {
+  if (!tables?.length) return [];
+  const seen = /* @__PURE__ */ new Set();
+  const normalized = [];
+  for (const table of tables) {
+    if (!table) continue;
+    const trimmed = table.trim();
+    if (!trimmed) continue;
+    const parts = trimmed.split(".");
+    const tableName = parts[parts.length - 1];
+    if (!tableName || seen.has(tableName)) continue;
+    seen.add(tableName);
+    normalized.push(tableName);
+  }
+  return normalized;
+}
+function transformColumnRow(row) {
+  const unwrappedType = unwrapTypeModifiers(row.type);
+  const column = {
+    name: row.name,
+    type: unwrappedType,
+    rawType: row.type,
+    isPrimaryKey: Boolean(toNumber(row.is_in_primary_key))
+  };
+  const comment = sanitize(row.comment);
+  if (comment !== void 0) column.comment = comment;
+  return column;
+}
+function asTableType(engine) {
+  if (typeof engine === "string") {
+    const normalized = engine.toLowerCase();
+    if (normalized.includes("view")) {
+      return "view";
+    }
+  }
+  return "table";
+}
+function sanitize(value) {
+  if (value === null || value === void 0) return void 0;
+  const trimmed = String(value).trim();
+  return trimmed.length ? trimmed : void 0;
+}
+function toNumber(value) {
+  if (value === null || value === void 0) return void 0;
+  if (typeof value === "number") return value;
+  const parsed = Number.parseFloat(String(value));
+  return Number.isNaN(parsed) ? void 0 : parsed;
+}
+
+// src/adapters/postgres.ts
+var PostgresAdapter = class {
+  constructor(clientFn, options = {}) {
+    this.clientFn = clientFn;
+    this.databaseName = options.database ?? "postgres";
+    this.defaultSchema = options.defaultSchema ?? "public";
+    this.kind = options.kind ?? "postgres";
+    if (options.allowedTables) {
+      this.allowedTables = normalizeTableFilter2(
+        options.allowedTables,
+        this.defaultSchema
+      );
+    }
+  }
+  databaseName;
+  defaultSchema;
+  kind;
+  allowedTables;
+  async execute(sql, params) {
+    if (this.allowedTables) {
+      this.validateQueryTables(sql);
+    }
+    let paramArray;
+    if (params) {
+      paramArray = this.convertNamedToPositionalParams(params);
+    }
+    const result = await this.clientFn(sql, paramArray);
+    const fields = result.fields.map((f) => f.name);
+    return { fields, rows: result.rows };
+  }
+  validateQueryTables(sql) {
+    if (!this.allowedTables || this.allowedTables.length === 0) {
+      return;
+    }
+    const allowedSet = new Set(
+      this.allowedTables.map((t) => tableKey(t.schema, t.table))
+    );
+    const tablePattern = /(?:FROM|JOIN)\s+(?:ONLY\s+)?(?:([a-zA-Z_][a-zA-Z0-9_]*)\.)?(["']?[a-zA-Z_][a-zA-Z0-9_]*["']?)/gi;
+    const matches = sql.matchAll(tablePattern);
+    for (const match of matches) {
+      const schema = match[1] ?? this.defaultSchema;
+      const table = match[2]?.replace(/['"]/g, "");
+      if (table) {
+        const key = tableKey(schema, table);
+        if (!allowedSet.has(key)) {
+          throw new Error(
+            `Query references table "${schema}.${table}" which is not in the allowed tables list`
+          );
+        }
+      }
+    }
+  }
+  /**
+   * Convert named params to positional array for PostgreSQL
+   * PostgreSQL expects $1, $2, $3 in SQL and an array of values [val1, val2, val3]
+   */
+  convertNamedToPositionalParams(params) {
+    const numericKeys = Object.keys(params).filter((k) => /^\d+$/.test(k)).map((k) => Number.parseInt(k, 10)).sort((a, b) => a - b);
+    const namedKeys = Object.keys(params).filter((k) => !/^\d+$/.test(k)).sort();
+    const positionalParams = [];
+    for (const key of numericKeys) {
+      let val = params[String(key)];
+      if (typeof val === "string") {
+        const match = val.match(/^<([a-zA-Z0-9_]+)>$/);
+        const namedKey = match?.[1];
+        if (namedKey && namedKey in params) {
+          val = params[namedKey];
+        }
+      }
+      positionalParams.push(val);
+    }
+    for (const key of namedKeys) {
+      const val = params[key];
+      positionalParams.push(val);
+    }
+    return positionalParams;
+  }
+  async validate(sql, params) {
+    let paramArray;
+    if (params) {
+      paramArray = this.convertNamedToPositionalParams(params);
+    }
+    await this.clientFn(`EXPLAIN ${sql}`, paramArray);
+  }
+  getDialect() {
+    return "postgres";
+  }
+  /**
+   * Simplified introspection: only collect table/column metadata for IngestRequest
+   * No indexes, constraints, or statistics
+   */
+  async introspect(options) {
+    const tablesToIntrospect = options?.tables ? normalizeTableFilter2(options.tables, this.defaultSchema) : this.allowedTables;
+    const normalizedTables = tablesToIntrospect ?? [];
+    const tablesResult = await this.clientFn(
+      buildTablesQuery(normalizedTables)
+    );
+    const tableRows = tablesResult.rows;
+    const columnsResult = await this.clientFn(
+      buildColumnsQuery(normalizedTables)
+    );
+    const columnRows = columnsResult.rows;
+    const tablesByKey = /* @__PURE__ */ new Map();
+    for (const row of tableRows) {
+      const key = tableKey(row.schema_name, row.table_name);
+      const table = {
+        name: row.table_name,
+        schema: row.schema_name,
+        type: asTableType2(row.table_type),
+        columns: []
+      };
+      const comment = sanitize2(row.comment);
+      if (comment !== void 0) {
+        table.comment = comment;
+      }
+      tablesByKey.set(key, table);
+    }
+    for (const row of columnRows) {
+      const key = tableKey(row.table_schema, row.table_name);
+      const table = tablesByKey.get(key);
+      if (!table) continue;
+      const column = {
+        name: row.column_name,
+        type: row.data_type,
+        isPrimaryKey: row.is_primary_key
+      };
+      const rawType = row.udt_name ?? void 0;
+      if (rawType !== void 0) column.rawType = rawType;
+      const comment = sanitize2(row.description);
+      if (comment !== void 0) column.comment = comment;
+      table.columns.push(column);
+    }
+    const tables = Array.from(tablesByKey.values()).sort((a, b) => {
+      if (a.schema === b.schema) {
+        return a.name.localeCompare(b.name);
+      }
+      return a.schema.localeCompare(b.schema);
+    });
+    return {
+      db: {
+        kind: this.kind,
+        name: this.databaseName
+      },
+      tables,
+      introspectedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+};
+function normalizeTableFilter2(tables, defaultSchema) {
+  if (!tables?.length) return [];
+  const normalized = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const raw of tables) {
+    if (!raw) continue;
+    const trimmed = raw.trim();
+    if (!trimmed) continue;
+    const parts = trimmed.split(".");
+    const table = parts.pop() ?? "";
+    const schema = parts.pop() ?? defaultSchema;
+    if (!isSafeIdentifier(schema) || !isSafeIdentifier(table)) {
+      continue;
+    }
+    const key = tableKey(schema, table);
+    if (seen.has(key)) continue;
+    seen.add(key);
+    normalized.push({ schema, table });
+  }
+  return normalized;
+}
+function buildTablesQuery(tables) {
+  const filter = buildFilterClause(tables, "n.nspname", "c.relname");
+  return `SELECT
+    c.relname AS table_name,
+    n.nspname AS schema_name,
+    CASE c.relkind
+      WHEN 'r' THEN 'table'
+      WHEN 'v' THEN 'view'
+      WHEN 'm' THEN 'materialized_view'
+      ELSE c.relkind::text
+    END AS table_type,
+    obj_description(c.oid) AS comment
+  FROM pg_class c
+  JOIN pg_namespace n ON n.oid = c.relnamespace
+  WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
+    AND c.relkind IN ('r', 'v', 'm')
+    ${filter}
+  ORDER BY n.nspname, c.relname;`;
+}
+function buildColumnsQuery(tables) {
+  const filter = buildFilterClause(
+    tables,
+    "cols.table_schema",
+    "cols.table_name"
+  );
+  return `SELECT
+    cols.table_name,
+    cols.table_schema,
+    cols.column_name,
+    cols.data_type,
+    cols.udt_name,
+    pgd.description,
+    EXISTS(
+      SELECT 1
+      FROM information_schema.table_constraints tc
+      JOIN information_schema.key_column_usage kcu
+        ON tc.constraint_name = kcu.constraint_name
+       AND tc.table_schema = kcu.table_schema
+      WHERE tc.constraint_type = 'PRIMARY KEY'
+        AND tc.table_schema = cols.table_schema
+        AND tc.table_name = cols.table_name
+        AND kcu.column_name = cols.column_name
+    ) AS is_primary_key
+  FROM information_schema.columns cols
+  LEFT JOIN pg_catalog.pg_class c
+    ON c.relname = cols.table_name
+   AND c.relkind IN ('r', 'v', 'm')
+  LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
+  LEFT JOIN pg_catalog.pg_attribute attr
+    ON attr.attrelid = c.oid
+   AND attr.attname = cols.column_name
+  LEFT JOIN pg_catalog.pg_description pgd
+    ON pgd.objoid = attr.attrelid AND pgd.objsubid = attr.attnum
+  WHERE cols.table_schema NOT IN ('pg_catalog', 'information_schema')
+    ${filter}
+  ORDER BY cols.table_schema, cols.table_name, cols.ordinal_position;`;
+}
+function buildFilterClause(tables, schemaExpr, tableExpr) {
+  if (!tables.length) return "";
+  const clauses = tables.map(({ schema, table }) => {
+    return `(${schemaExpr} = '${schema}' AND ${tableExpr} = '${table}')`;
+  });
+  return `AND (${clauses.join(" OR ")})`;
+}
+function tableKey(schema, table) {
+  return `${schema}.${table}`;
+}
+function isSafeIdentifier(value) {
+  return /^[A-Za-z_][A-Za-z0-9_]*$/.test(value);
+}
+function asTableType2(value) {
+  const normalized = value.toLowerCase();
+  if (normalized.includes("view")) {
+    return normalized.includes("materialized") ? "materialized_view" : "view";
+  }
+  return "table";
+}
+function sanitize2(value) {
+  if (value === null || value === void 0) return void 0;
+  const trimmed = String(value).trim();
+  return trimmed.length ? trimmed : void 0;
+}
+
+// node_modules/jose/dist/webapi/lib/buffer_utils.js
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var MAX_INT32 = 2 ** 32;
+function concat(...buffers) {
+  const size = buffers.reduce((acc, { length }) => acc + length, 0);
+  const buf = new Uint8Array(size);
+  let i = 0;
+  for (const buffer of buffers) {
+    buf.set(buffer, i);
+    i += buffer.length;
+  }
+  return buf;
+}
+function encode(string) {
+  const bytes = new Uint8Array(string.length);
+  for (let i = 0; i < string.length; i++) {
+    const code = string.charCodeAt(i);
+    if (code > 127) {
+      throw new TypeError("non-ASCII string encountered in encode()");
+    }
+    bytes[i] = code;
+  }
+  return bytes;
+}
+
+// node_modules/jose/dist/webapi/lib/base64.js
+function encodeBase64(input) {
+  if (Uint8Array.prototype.toBase64) {
+    return input.toBase64();
+  }
+  const CHUNK_SIZE = 32768;
+  const arr = [];
+  for (let i = 0; i < input.length; i += CHUNK_SIZE) {
+    arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
+  }
+  return btoa(arr.join(""));
+}
+function decodeBase64(encoded) {
+  if (Uint8Array.fromBase64) {
+    return Uint8Array.fromBase64(encoded);
+  }
+  const binary = atob(encoded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+// node_modules/jose/dist/webapi/util/base64url.js
+function decode(input) {
+  if (Uint8Array.fromBase64) {
+    return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), {
+      alphabet: "base64url"
+    });
+  }
+  let encoded = input;
+  if (encoded instanceof Uint8Array) {
+    encoded = decoder.decode(encoded);
+  }
+  encoded = encoded.replace(/-/g, "+").replace(/_/g, "/");
+  try {
+    return decodeBase64(encoded);
+  } catch {
+    throw new TypeError("The input to be decoded is not correctly encoded.");
+  }
+}
+function encode2(input) {
+  let unencoded = input;
+  if (typeof unencoded === "string") {
+    unencoded = encoder.encode(unencoded);
+  }
+  if (Uint8Array.prototype.toBase64) {
+    return unencoded.toBase64({ alphabet: "base64url", omitPadding: true });
+  }
+  return encodeBase64(unencoded).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+
+// node_modules/jose/dist/webapi/util/errors.js
+var JOSEError = class extends Error {
+  static code = "ERR_JOSE_GENERIC";
+  code = "ERR_JOSE_GENERIC";
+  constructor(message2, options) {
+    super(message2, options);
+    this.name = this.constructor.name;
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+};
+var JOSENotSupported = class extends JOSEError {
+  static code = "ERR_JOSE_NOT_SUPPORTED";
+  code = "ERR_JOSE_NOT_SUPPORTED";
+};
+var JWSInvalid = class extends JOSEError {
+  static code = "ERR_JWS_INVALID";
+  code = "ERR_JWS_INVALID";
+};
+var JWTInvalid = class extends JOSEError {
+  static code = "ERR_JWT_INVALID";
+  code = "ERR_JWT_INVALID";
+};
+
+// node_modules/jose/dist/webapi/lib/crypto_key.js
+var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+var isAlgorithm = (algorithm, name) => algorithm.name === name;
+function getHashLength(hash) {
+  return parseInt(hash.name.slice(4), 10);
+}
+function getNamedCurve(alg) {
+  switch (alg) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function checkUsage(key, usage) {
+  if (usage && !key.usages.includes(usage)) {
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+  }
+}
+function checkSigCryptoKey(key, alg, usage) {
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!isAlgorithm(key.algorithm, "HMAC"))
+        throw unusable("HMAC");
+      const expected = parseInt(alg.slice(2), 10);
+      const actual = getHashLength(key.algorithm.hash);
+      if (actual !== expected)
+        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw unusable("RSASSA-PKCS1-v1_5");
+      const expected = parseInt(alg.slice(2), 10);
+      const actual = getHashLength(key.algorithm.hash);
+      if (actual !== expected)
+        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
+        throw unusable("RSA-PSS");
+      const expected = parseInt(alg.slice(2), 10);
+      const actual = getHashLength(key.algorithm.hash);
+      if (actual !== expected)
+        throw unusable(`SHA-${expected}`, "algorithm.hash");
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!isAlgorithm(key.algorithm, "Ed25519"))
+        throw unusable("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!isAlgorithm(key.algorithm, alg))
+        throw unusable(alg);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!isAlgorithm(key.algorithm, "ECDSA"))
+        throw unusable("ECDSA");
+      const expected = getNamedCurve(alg);
+      const actual = key.algorithm.namedCurve;
+      if (actual !== expected)
+        throw unusable(expected, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage(key, usage);
+}
+
+// node_modules/jose/dist/webapi/lib/invalid_key_input.js
+function message(msg, actual, ...types) {
+  types = types.filter(Boolean);
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `one of type ${types.join(", ")}, or ${last}.`;
+  } else if (types.length === 2) {
+    msg += `one of type ${types[0]} or ${types[1]}.`;
+  } else {
+    msg += `of type ${types[0]}.`;
+  }
+  if (actual == null) {
+    msg += ` Received ${actual}`;
+  } else if (typeof actual === "function" && actual.name) {
+    msg += ` Received function ${actual.name}`;
+  } else if (typeof actual === "object" && actual != null) {
+    if (actual.constructor?.name) {
+      msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+  }
+  return msg;
+}
+var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types);
+var withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
+
+// node_modules/jose/dist/webapi/lib/is_key_like.js
+var isCryptoKey = (key) => {
+  if (key?.[Symbol.toStringTag] === "CryptoKey")
+    return true;
+  try {
+    return key instanceof CryptoKey;
+  } catch {
+    return false;
+  }
+};
+var isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject";
+var isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
+
+// node_modules/jose/dist/webapi/lib/is_disjoint.js
+function isDisjoint(...headers) {
+  const sources = headers.filter(Boolean);
+  if (sources.length === 0 || sources.length === 1) {
+    return true;
+  }
+  let acc;
+  for (const header of sources) {
+    const parameters = Object.keys(header);
+    if (!acc || acc.size === 0) {
+      acc = new Set(parameters);
+      continue;
+    }
+    for (const parameter of parameters) {
+      if (acc.has(parameter)) {
+        return false;
+      }
+      acc.add(parameter);
+    }
+  }
+  return true;
+}
+
+// node_modules/jose/dist/webapi/lib/is_object.js
+var isObjectLike = (value) => typeof value === "object" && value !== null;
+function isObject(input) {
+  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
+
+// node_modules/jose/dist/webapi/lib/check_key_length.js
+function checkKeyLength(alg, key) {
+  if (alg.startsWith("RS") || alg.startsWith("PS")) {
+    const { modulusLength } = key.algorithm;
+    if (typeof modulusLength !== "number" || modulusLength < 2048) {
+      throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
+    }
+  }
+}
+
+// node_modules/jose/dist/webapi/lib/asn1.js
+var bytesEqual = (a, b) => {
+  if (a.byteLength !== b.length)
+    return false;
+  for (let i = 0; i < a.byteLength; i++) {
+    if (a[i] !== b[i])
+      return false;
+  }
+  return true;
+};
+var createASN1State = (data) => ({ data, pos: 0 });
+var parseLength = (state) => {
+  const first = state.data[state.pos++];
+  if (first & 128) {
+    const lengthOfLen = first & 127;
+    let length = 0;
+    for (let i = 0; i < lengthOfLen; i++) {
+      length = length << 8 | state.data[state.pos++];
+    }
+    return length;
+  }
+  return first;
+};
+var expectTag = (state, expectedTag, errorMessage) => {
+  if (state.data[state.pos++] !== expectedTag) {
+    throw new Error(errorMessage);
+  }
+};
+var getSubarray = (state, length) => {
+  const result = state.data.subarray(state.pos, state.pos + length);
+  state.pos += length;
+  return result;
+};
+var parseAlgorithmOID = (state) => {
+  expectTag(state, 6, "Expected algorithm OID");
+  const oidLen = parseLength(state);
+  return getSubarray(state, oidLen);
+};
+function parsePKCS8Header(state) {
+  expectTag(state, 48, "Invalid PKCS#8 structure");
+  parseLength(state);
+  expectTag(state, 2, "Expected version field");
+  const verLen = parseLength(state);
+  state.pos += verLen;
+  expectTag(state, 48, "Expected algorithm identifier");
+  const algIdLen = parseLength(state);
+  const algIdStart = state.pos;
+  return { algIdStart, algIdLength: algIdLen };
+}
+var parseECAlgorithmIdentifier = (state) => {
+  const algOid = parseAlgorithmOID(state);
+  if (bytesEqual(algOid, [43, 101, 110])) {
+    return "X25519";
+  }
+  if (!bytesEqual(algOid, [42, 134, 72, 206, 61, 2, 1])) {
+    throw new Error("Unsupported key algorithm");
+  }
+  expectTag(state, 6, "Expected curve OID");
+  const curveOidLen = parseLength(state);
+  const curveOid = getSubarray(state, curveOidLen);
+  for (const { name, oid } of [
+    { name: "P-256", oid: [42, 134, 72, 206, 61, 3, 1, 7] },
+    { name: "P-384", oid: [43, 129, 4, 0, 34] },
+    { name: "P-521", oid: [43, 129, 4, 0, 35] }
+  ]) {
+    if (bytesEqual(curveOid, oid)) {
+      return name;
+    }
+  }
+  throw new Error("Unsupported named curve");
+};
+var genericImport = async (keyFormat, keyData, alg, options) => {
+  let algorithm;
+  let keyUsages;
+  const isPublic = keyFormat === "spki";
+  const getSigUsages = () => isPublic ? ["verify"] : ["sign"];
+  const getEncUsages = () => isPublic ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
+  switch (alg) {
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      algorithm = { name: "RSA-PSS", hash: `SHA-${alg.slice(-3)}` };
+      keyUsages = getSigUsages();
+      break;
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${alg.slice(-3)}` };
+      keyUsages = getSigUsages();
+      break;
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512":
+      algorithm = {
+        name: "RSA-OAEP",
+        hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`
+      };
+      keyUsages = getEncUsages();
+      break;
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      const curveMap = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+      algorithm = { name: "ECDSA", namedCurve: curveMap[alg] };
+      keyUsages = getSigUsages();
+      break;
+    }
+    case "ECDH-ES":
+    case "ECDH-ES+A128KW":
+    case "ECDH-ES+A192KW":
+    case "ECDH-ES+A256KW": {
+      try {
+        const namedCurve = options.getNamedCurve(keyData);
+        algorithm = namedCurve === "X25519" ? { name: "X25519" } : { name: "ECDH", namedCurve };
+      } catch (cause) {
+        throw new JOSENotSupported("Invalid or unsupported key format");
+      }
+      keyUsages = isPublic ? [] : ["deriveBits"];
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA":
+      algorithm = { name: "Ed25519" };
+      keyUsages = getSigUsages();
+      break;
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      algorithm = { name: alg };
+      keyUsages = getSigUsages();
+      break;
+    default:
+      throw new JOSENotSupported('Invalid or unsupported "alg" (Algorithm) value');
+  }
+  return crypto.subtle.importKey(keyFormat, keyData, algorithm, options?.extractable ?? (isPublic ? true : false), keyUsages);
+};
+var processPEMData = (pem, pattern) => {
+  return decodeBase64(pem.replace(pattern, ""));
+};
+var fromPKCS8 = (pem, alg, options) => {
+  const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);
+  let opts = options;
+  if (alg?.startsWith?.("ECDH-ES")) {
+    opts ||= {};
+    opts.getNamedCurve = (keyData2) => {
+      const state = createASN1State(keyData2);
+      parsePKCS8Header(state);
+      return parseECAlgorithmIdentifier(state);
+    };
+  }
+  return genericImport("pkcs8", keyData, alg, opts);
+};
+
+// node_modules/jose/dist/webapi/lib/jwk_to_key.js
+function subtleMapping(jwk) {
+  let algorithm;
+  let keyUsages;
+  switch (jwk.kty) {
+    case "AKP": {
+      switch (jwk.alg) {
+        case "ML-DSA-44":
+        case "ML-DSA-65":
+        case "ML-DSA-87":
+          algorithm = { name: jwk.alg };
+          keyUsages = jwk.priv ? ["sign"] : ["verify"];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "RSA": {
+      switch (jwk.alg) {
+        case "PS256":
+        case "PS384":
+        case "PS512":
+          algorithm = { name: "RSA-PSS", hash: `SHA-${jwk.alg.slice(-3)}` };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "RS256":
+        case "RS384":
+        case "RS512":
+          algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${jwk.alg.slice(-3)}` };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "RSA-OAEP":
+        case "RSA-OAEP-256":
+        case "RSA-OAEP-384":
+        case "RSA-OAEP-512":
+          algorithm = {
+            name: "RSA-OAEP",
+            hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
+          };
+          keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "EC": {
+      switch (jwk.alg) {
+        case "ES256":
+          algorithm = { name: "ECDSA", namedCurve: "P-256" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ES384":
+          algorithm = { name: "ECDSA", namedCurve: "P-384" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ES512":
+          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          algorithm = { name: "ECDH", namedCurve: jwk.crv };
+          keyUsages = jwk.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "OKP": {
+      switch (jwk.alg) {
+        case "Ed25519":
+        case "EdDSA":
+          algorithm = { name: "Ed25519" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          algorithm = { name: jwk.crv };
+          keyUsages = jwk.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    default:
+      throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+  }
+  return { algorithm, keyUsages };
+}
+async function jwkToKey(jwk) {
+  if (!jwk.alg) {
+    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+  }
+  const { algorithm, keyUsages } = subtleMapping(jwk);
+  const keyData = { ...jwk };
+  if (keyData.kty !== "AKP") {
+    delete keyData.alg;
+  }
+  delete keyData.use;
+  return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
+}
+
+// node_modules/jose/dist/webapi/key/import.js
+async function importPKCS8(pkcs8, alg, options) {
+  if (typeof pkcs8 !== "string" || pkcs8.indexOf("-----BEGIN PRIVATE KEY-----") !== 0) {
+    throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
+  }
+  return fromPKCS8(pkcs8, alg, options);
+}
+
+// node_modules/jose/dist/webapi/lib/validate_crit.js
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === void 0) {
+    return /* @__PURE__ */ new Set();
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== void 0) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === void 0) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === void 0) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+}
+
+// node_modules/jose/dist/webapi/lib/is_jwk.js
+var isJWK = (key) => isObject(key) && typeof key.kty === "string";
+var isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+var isPublicJWK = (key) => key.kty !== "oct" && key.d === void 0 && key.priv === void 0;
+var isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
+
+// node_modules/jose/dist/webapi/lib/normalize_key.js
+var cache;
+var handleJWK = async (key, jwk, alg, freeze = false) => {
+  cache ||= /* @__PURE__ */ new WeakMap();
+  let cached = cache.get(key);
+  if (cached?.[alg]) {
+    return cached[alg];
+  }
+  const cryptoKey = await jwkToKey({ ...jwk, alg });
+  if (freeze)
+    Object.freeze(key);
+  if (!cached) {
+    cache.set(key, { [alg]: cryptoKey });
+  } else {
+    cached[alg] = cryptoKey;
+  }
+  return cryptoKey;
+};
+var handleKeyObject = (keyObject, alg) => {
+  cache ||= /* @__PURE__ */ new WeakMap();
+  let cached = cache.get(keyObject);
+  if (cached?.[alg]) {
+    return cached[alg];
+  }
+  const isPublic = keyObject.type === "public";
+  const extractable = isPublic ? true : false;
+  let cryptoKey;
+  if (keyObject.asymmetricKeyType === "x25519") {
+    switch (alg) {
+      case "ECDH-ES":
+      case "ECDH-ES+A128KW":
+      case "ECDH-ES+A192KW":
+      case "ECDH-ES+A256KW":
+        break;
+      default:
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
+  }
+  if (keyObject.asymmetricKeyType === "ed25519") {
+    if (alg !== "EdDSA" && alg !== "Ed25519") {
+      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
+      isPublic ? "verify" : "sign"
+    ]);
+  }
+  switch (keyObject.asymmetricKeyType) {
+    case "ml-dsa-44":
+    case "ml-dsa-65":
+    case "ml-dsa-87": {
+      if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      }
+      cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
+        isPublic ? "verify" : "sign"
+      ]);
+    }
+  }
+  if (keyObject.asymmetricKeyType === "rsa") {
+    let hash;
+    switch (alg) {
+      case "RSA-OAEP":
+        hash = "SHA-1";
+        break;
+      case "RS256":
+      case "PS256":
+      case "RSA-OAEP-256":
+        hash = "SHA-256";
+        break;
+      case "RS384":
+      case "PS384":
+      case "RSA-OAEP-384":
+        hash = "SHA-384";
+        break;
+      case "RS512":
+      case "PS512":
+      case "RSA-OAEP-512":
+        hash = "SHA-512";
+        break;
+      default:
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    if (alg.startsWith("RSA-OAEP")) {
+      return keyObject.toCryptoKey({
+        name: "RSA-OAEP",
+        hash
+      }, extractable, isPublic ? ["encrypt"] : ["decrypt"]);
+    }
+    cryptoKey = keyObject.toCryptoKey({
+      name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+      hash
+    }, extractable, [isPublic ? "verify" : "sign"]);
+  }
+  if (keyObject.asymmetricKeyType === "ec") {
+    const nist = /* @__PURE__ */ new Map([
+      ["prime256v1", "P-256"],
+      ["secp384r1", "P-384"],
+      ["secp521r1", "P-521"]
+    ]);
+    const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
+    if (!namedCurve) {
+      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    if (alg === "ES256" && namedCurve === "P-256") {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDSA",
+        namedCurve
+      }, extractable, [isPublic ? "verify" : "sign"]);
+    }
+    if (alg === "ES384" && namedCurve === "P-384") {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDSA",
+        namedCurve
+      }, extractable, [isPublic ? "verify" : "sign"]);
+    }
+    if (alg === "ES512" && namedCurve === "P-521") {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDSA",
+        namedCurve
+      }, extractable, [isPublic ? "verify" : "sign"]);
+    }
+    if (alg.startsWith("ECDH-ES")) {
+      cryptoKey = keyObject.toCryptoKey({
+        name: "ECDH",
+        namedCurve
+      }, extractable, isPublic ? [] : ["deriveBits"]);
+    }
+  }
+  if (!cryptoKey) {
+    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+  }
+  if (!cached) {
+    cache.set(keyObject, { [alg]: cryptoKey });
+  } else {
+    cached[alg] = cryptoKey;
+  }
+  return cryptoKey;
+};
+async function normalizeKey(key, alg) {
+  if (key instanceof Uint8Array) {
+    return key;
+  }
+  if (isCryptoKey(key)) {
+    return key;
+  }
+  if (isKeyObject(key)) {
+    if (key.type === "secret") {
+      return key.export();
+    }
+    if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
+      try {
+        return handleKeyObject(key, alg);
+      } catch (err) {
+        if (err instanceof TypeError) {
+          throw err;
+        }
+      }
+    }
+    let jwk = key.export({ format: "jwk" });
+    return handleJWK(key, jwk, alg);
+  }
+  if (isJWK(key)) {
+    if (key.k) {
+      return decode(key.k);
+    }
+    return handleJWK(key, key, alg, true);
+  }
+  throw new Error("unreachable");
+}
+
+// node_modules/jose/dist/webapi/lib/check_key_type.js
+var tag = (key) => key?.[Symbol.toStringTag];
+var jwkMatchesOp = (alg, key, usage) => {
+  if (key.use !== void 0) {
+    let expected;
+    switch (usage) {
+      case "sign":
+      case "verify":
+        expected = "sig";
+        break;
+      case "encrypt":
+      case "decrypt":
+        expected = "enc";
+        break;
+    }
+    if (key.use !== expected) {
+      throw new TypeError(`Invalid key for this operation, its "use" must be "${expected}" when present`);
+    }
+  }
+  if (key.alg !== void 0 && key.alg !== alg) {
+    throw new TypeError(`Invalid key for this operation, its "alg" must be "${alg}" when present`);
+  }
+  if (Array.isArray(key.key_ops)) {
+    let expectedKeyOp;
+    switch (true) {
+      case (usage === "sign" || usage === "verify"):
+      case alg === "dir":
+      case alg.includes("CBC-HS"):
+        expectedKeyOp = usage;
+        break;
+      case alg.startsWith("PBES2"):
+        expectedKeyOp = "deriveBits";
+        break;
+      case /^A\d{3}(?:GCM)?(?:KW)?$/.test(alg):
+        if (!alg.includes("GCM") && alg.endsWith("KW")) {
+          expectedKeyOp = usage === "encrypt" ? "wrapKey" : "unwrapKey";
+        } else {
+          expectedKeyOp = usage;
+        }
+        break;
+      case (usage === "encrypt" && alg.startsWith("RSA")):
+        expectedKeyOp = "wrapKey";
+        break;
+      case usage === "decrypt":
+        expectedKeyOp = alg.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+        break;
+    }
+    if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {
+      throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${expectedKeyOp}" when present`);
+    }
+  }
+  return true;
+};
+var symmetricTypeCheck = (alg, key, usage) => {
+  if (key instanceof Uint8Array)
+    return;
+  if (isJWK(key)) {
+    if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage))
+      return;
+    throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
+  }
+  if (!isKeyLike(key)) {
+    throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+  }
+  if (key.type !== "secret") {
+    throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
+  }
+};
+var asymmetricTypeCheck = (alg, key, usage) => {
+  if (isJWK(key)) {
+    switch (usage) {
+      case "decrypt":
+      case "sign":
+        if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))
+          return;
+        throw new TypeError(`JSON Web Key for this operation be a private JWK`);
+      case "encrypt":
+      case "verify":
+        if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage))
+          return;
+        throw new TypeError(`JSON Web Key for this operation be a public JWK`);
+    }
+  }
+  if (!isKeyLike(key)) {
+    throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key"));
+  }
+  if (key.type === "secret") {
+    throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
+  }
+  if (key.type === "public") {
+    switch (usage) {
+      case "sign":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
+      case "decrypt":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
+    }
+  }
+  if (key.type === "private") {
+    switch (usage) {
+      case "verify":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
+      case "encrypt":
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
+    }
+  }
+};
+function checkKeyType(alg, key, usage) {
+  switch (alg.substring(0, 2)) {
+    case "A1":
+    case "A2":
+    case "di":
+    case "HS":
+    case "PB":
+      symmetricTypeCheck(alg, key, usage);
+      break;
+    default:
+      asymmetricTypeCheck(alg, key, usage);
+  }
+}
+
+// node_modules/jose/dist/webapi/lib/subtle_dsa.js
+function subtleAlgorithm(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+
+// node_modules/jose/dist/webapi/lib/get_sign_verify_key.js
+async function getSigKey(alg, key, usage) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey(key, alg, usage);
+  return key;
+}
+
+// node_modules/jose/dist/webapi/lib/jwt_claims_set.js
+var epoch = (date) => Math.floor(date.getTime() / 1e3);
+var minute = 60;
+var hour = minute * 60;
+var day = hour * 24;
+var week = day * 7;
+var year = day * 365.25;
+var REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+function secs(str) {
+  const matched = REGEX.exec(str);
+  if (!matched || matched[4] && matched[1]) {
+    throw new TypeError("Invalid time period format");
+  }
+  const value = parseFloat(matched[2]);
+  const unit = matched[3].toLowerCase();
+  let numericDate;
+  switch (unit) {
+    case "sec":
+    case "secs":
+    case "second":
+    case "seconds":
+    case "s":
+      numericDate = Math.round(value);
+      break;
+    case "minute":
+    case "minutes":
+    case "min":
+    case "mins":
+    case "m":
+      numericDate = Math.round(value * minute);
+      break;
+    case "hour":
+    case "hours":
+    case "hr":
+    case "hrs":
+    case "h":
+      numericDate = Math.round(value * hour);
+      break;
+    case "day":
+    case "days":
+    case "d":
+      numericDate = Math.round(value * day);
+      break;
+    case "week":
+    case "weeks":
+    case "w":
+      numericDate = Math.round(value * week);
+      break;
+    default:
+      numericDate = Math.round(value * year);
+      break;
+  }
+  if (matched[1] === "-" || matched[4] === "ago") {
+    return -numericDate;
+  }
+  return numericDate;
+}
+function validateInput(label, input) {
+  if (!Number.isFinite(input)) {
+    throw new TypeError(`Invalid ${label} input`);
+  }
+  return input;
+}
+var JWTClaimsBuilder = class {
+  #payload;
+  constructor(payload) {
+    if (!isObject(payload)) {
+      throw new TypeError("JWT Claims Set MUST be an object");
+    }
+    this.#payload = structuredClone(payload);
+  }
+  data() {
+    return encoder.encode(JSON.stringify(this.#payload));
+  }
+  get iss() {
+    return this.#payload.iss;
+  }
+  set iss(value) {
+    this.#payload.iss = value;
+  }
+  get sub() {
+    return this.#payload.sub;
+  }
+  set sub(value) {
+    this.#payload.sub = value;
+  }
+  get aud() {
+    return this.#payload.aud;
+  }
+  set aud(value) {
+    this.#payload.aud = value;
+  }
+  set jti(value) {
+    this.#payload.jti = value;
+  }
+  set nbf(value) {
+    if (typeof value === "number") {
+      this.#payload.nbf = validateInput("setNotBefore", value);
+    } else if (value instanceof Date) {
+      this.#payload.nbf = validateInput("setNotBefore", epoch(value));
+    } else {
+      this.#payload.nbf = epoch(/* @__PURE__ */ new Date()) + secs(value);
+    }
+  }
+  set exp(value) {
+    if (typeof value === "number") {
+      this.#payload.exp = validateInput("setExpirationTime", value);
+    } else if (value instanceof Date) {
+      this.#payload.exp = validateInput("setExpirationTime", epoch(value));
+    } else {
+      this.#payload.exp = epoch(/* @__PURE__ */ new Date()) + secs(value);
+    }
+  }
+  set iat(value) {
+    if (value === void 0) {
+      this.#payload.iat = epoch(/* @__PURE__ */ new Date());
+    } else if (value instanceof Date) {
+      this.#payload.iat = validateInput("setIssuedAt", epoch(value));
+    } else if (typeof value === "string") {
+      this.#payload.iat = validateInput("setIssuedAt", epoch(/* @__PURE__ */ new Date()) + secs(value));
+    } else {
+      this.#payload.iat = validateInput("setIssuedAt", value);
+    }
+  }
+};
+
+// node_modules/jose/dist/webapi/lib/sign.js
+async function sign(alg, key, data) {
+  const cryptoKey = await getSigKey(alg, key, "sign");
+  checkKeyLength(alg, cryptoKey);
+  const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);
+  return new Uint8Array(signature);
+}
+
+// node_modules/jose/dist/webapi/jws/flattened/sign.js
+var FlattenedSign = class {
+  #payload;
+  #protectedHeader;
+  #unprotectedHeader;
+  constructor(payload) {
+    if (!(payload instanceof Uint8Array)) {
+      throw new TypeError("payload must be an instance of Uint8Array");
+    }
+    this.#payload = payload;
+  }
+  setProtectedHeader(protectedHeader) {
+    if (this.#protectedHeader) {
+      throw new TypeError("setProtectedHeader can only be called once");
+    }
+    this.#protectedHeader = protectedHeader;
+    return this;
+  }
+  setUnprotectedHeader(unprotectedHeader) {
+    if (this.#unprotectedHeader) {
+      throw new TypeError("setUnprotectedHeader can only be called once");
+    }
+    this.#unprotectedHeader = unprotectedHeader;
+    return this;
+  }
+  async sign(key, options) {
+    if (!this.#protectedHeader && !this.#unprotectedHeader) {
+      throw new JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
+    }
+    if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {
+      throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+    }
+    const joseHeader = {
+      ...this.#protectedHeader,
+      ...this.#unprotectedHeader
+    };
+    const extensions = validateCrit(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, this.#protectedHeader, joseHeader);
+    let b64 = true;
+    if (extensions.has("b64")) {
+      b64 = this.#protectedHeader.b64;
+      if (typeof b64 !== "boolean") {
+        throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+      }
+    }
+    const { alg } = joseHeader;
+    if (typeof alg !== "string" || !alg) {
+      throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+    }
+    checkKeyType(alg, key, "sign");
+    let payloadS;
+    let payloadB;
+    if (b64) {
+      payloadS = encode2(this.#payload);
+      payloadB = encode(payloadS);
+    } else {
+      payloadB = this.#payload;
+      payloadS = "";
+    }
+    let protectedHeaderString;
+    let protectedHeaderBytes;
+    if (this.#protectedHeader) {
+      protectedHeaderString = encode2(JSON.stringify(this.#protectedHeader));
+      protectedHeaderBytes = encode(protectedHeaderString);
+    } else {
+      protectedHeaderString = "";
+      protectedHeaderBytes = new Uint8Array();
+    }
+    const data = concat(protectedHeaderBytes, encode("."), payloadB);
+    const k = await normalizeKey(key, alg);
+    const signature = await sign(alg, k, data);
+    const jws = {
+      signature: encode2(signature),
+      payload: payloadS
+    };
+    if (this.#unprotectedHeader) {
+      jws.header = this.#unprotectedHeader;
+    }
+    if (this.#protectedHeader) {
+      jws.protected = protectedHeaderString;
+    }
+    return jws;
+  }
+};
+
+// node_modules/jose/dist/webapi/jws/compact/sign.js
+var CompactSign = class {
+  #flattened;
+  constructor(payload) {
+    this.#flattened = new FlattenedSign(payload);
+  }
+  setProtectedHeader(protectedHeader) {
+    this.#flattened.setProtectedHeader(protectedHeader);
+    return this;
+  }
+  async sign(key, options) {
+    const jws = await this.#flattened.sign(key, options);
+    if (jws.payload === void 0) {
+      throw new TypeError("use the flattened module for creating JWS with b64: false");
+    }
+    return `${jws.protected}.${jws.payload}.${jws.signature}`;
+  }
+};
+
+// node_modules/jose/dist/webapi/jwt/sign.js
+var SignJWT = class {
+  #protectedHeader;
+  #jwt;
+  constructor(payload = {}) {
+    this.#jwt = new JWTClaimsBuilder(payload);
+  }
+  setIssuer(issuer) {
+    this.#jwt.iss = issuer;
+    return this;
+  }
+  setSubject(subject) {
+    this.#jwt.sub = subject;
+    return this;
+  }
+  setAudience(audience) {
+    this.#jwt.aud = audience;
+    return this;
+  }
+  setJti(jwtId) {
+    this.#jwt.jti = jwtId;
+    return this;
+  }
+  setNotBefore(input) {
+    this.#jwt.nbf = input;
+    return this;
+  }
+  setExpirationTime(input) {
+    this.#jwt.exp = input;
+    return this;
+  }
+  setIssuedAt(input) {
+    this.#jwt.iat = input;
+    return this;
+  }
+  setProtectedHeader(protectedHeader) {
+    this.#protectedHeader = protectedHeader;
+    return this;
+  }
+  async sign(key, options) {
+    const sig = new CompactSign(this.#jwt.data());
+    sig.setProtectedHeader(this.#protectedHeader);
+    if (Array.isArray(this.#protectedHeader?.crit) && this.#protectedHeader.crit.includes("b64") && this.#protectedHeader.b64 === false) {
+      throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+    }
+    return sig.sign(key, options);
+  }
+};
+
+// src/core/client.ts
+var ApiClient = class {
+  baseUrl;
+  privateKey;
+  organizationId;
+  defaultTenantId;
+  additionalHeaders;
+  fetchImpl;
+  cachedPrivateKey;
+  constructor(baseUrl, privateKey, organizationId, options) {
+    if (!baseUrl) {
+      throw new Error("Base URL is required");
+    }
+    if (!privateKey) {
+      throw new Error("Private key is required");
+    }
+    if (!organizationId) {
+      throw new Error("Organization ID is required");
+    }
+    this.baseUrl = baseUrl.replace(/\/+$/, "");
+    this.privateKey = privateKey;
+    this.organizationId = organizationId;
+    this.defaultTenantId = options?.defaultTenantId;
+    this.additionalHeaders = options?.additionalHeaders;
+    this.fetchImpl = options?.fetch ?? globalThis.fetch;
+    if (!this.fetchImpl) {
+      throw new Error(
+        "Fetch implementation not found. Provide options.fetch or use Node 18+."
+      );
+    }
+  }
+  getDefaultTenantId() {
+    return this.defaultTenantId;
+  }
+  async get(path, tenantId, userId, scopes, signal, sessionId) {
+    return await this.request(path, {
+      method: "GET",
+      headers: await this.buildHeaders(tenantId, userId, scopes, false, sessionId),
+      signal
+    });
+  }
+  async post(path, body, tenantId, userId, scopes, signal, sessionId) {
+    return await this.request(path, {
+      method: "POST",
+      headers: await this.buildHeaders(tenantId, userId, scopes, true, sessionId),
+      body: JSON.stringify(body ?? {}),
+      signal
+    });
+  }
+  async put(path, body, tenantId, userId, scopes, signal, sessionId) {
+    return await this.request(path, {
+      method: "PUT",
+      headers: await this.buildHeaders(tenantId, userId, scopes, true, sessionId),
+      body: JSON.stringify(body ?? {}),
+      signal
+    });
+  }
+  async delete(path, tenantId, userId, scopes, signal, sessionId) {
+    return await this.request(path, {
+      method: "DELETE",
+      headers: await this.buildHeaders(tenantId, userId, scopes, false, sessionId),
+      signal
+    });
+  }
+  async request(path, init) {
+    const response = await this.fetchImpl(`${this.baseUrl}${path}`, init);
+    const text = await response.text();
+    let json;
+    try {
+      json = text ? JSON.parse(text) : void 0;
+    } catch {
+      json = void 0;
+    }
+    if (!response.ok) {
+      const error = new Error(
+        json?.error || response.statusText || "Request failed"
+      );
+      error.status = response.status;
+      if (json?.details) error.details = json.details;
+      throw error;
+    }
+    return json;
+  }
+  async buildHeaders(tenantId, userId, scopes, includeJson = true, sessionId) {
+    const token = await this.generateJWT(tenantId, userId, scopes);
+    const headers = {
+      Authorization: `Bearer ${token}`,
+      Accept: "application/json"
+    };
+    if (includeJson) {
+      headers["Content-Type"] = "application/json";
+    }
+    if (sessionId) {
+      headers["x-session-id"] = sessionId;
+    }
+    if (this.additionalHeaders) {
+      Object.assign(headers, this.additionalHeaders);
+    }
+    return headers;
+  }
+  async generateJWT(tenantId, userId, scopes) {
+    if (!this.cachedPrivateKey) {
+      this.cachedPrivateKey = await importPKCS8(this.privateKey, "RS256");
+    }
+    const payload = {
+      organizationId: this.organizationId,
+      tenantId
+    };
+    if (userId) payload.userId = userId;
+    if (scopes?.length) payload.scopes = scopes;
+    return await new SignJWT(payload).setProtectedHeader({ alg: "RS256" }).setIssuedAt().setExpirationTime("1h").sign(this.cachedPrivateKey);
+  }
+};
+
+// src/core/query-engine.ts
+var QueryEngine = class {
+  databases = /* @__PURE__ */ new Map();
+  databaseMetadata = /* @__PURE__ */ new Map();
+  defaultDatabase;
+  attachDatabase(name, adapter, metadata) {
+    this.databases.set(name, adapter);
+    this.databaseMetadata.set(name, metadata);
+    if (!this.defaultDatabase) {
+      this.defaultDatabase = name;
+    }
+  }
+  getDatabase(name) {
+    const dbName = name ?? this.defaultDatabase;
+    if (!dbName) {
+      throw new Error("No database attached.");
+    }
+    const adapter = this.databases.get(dbName);
+    if (!adapter) {
+      throw new Error(
+        `Database '${dbName}' not found. Attached: ${Array.from(
+          this.databases.keys()
+        ).join(", ")}`
+      );
+    }
+    return adapter;
+  }
+  getDatabaseMetadata(name) {
+    const dbName = name ?? this.defaultDatabase;
+    if (!dbName) return void 0;
+    return this.databaseMetadata.get(dbName);
+  }
+  getDefaultDatabase() {
+    return this.defaultDatabase;
+  }
+  async validateAndExecute(sql, params, databaseName, tenantId) {
+    const adapter = this.getDatabase(databaseName);
+    const metadata = this.getDatabaseMetadata(databaseName);
+    let finalSql = sql;
+    if (metadata) {
+      finalSql = this.ensureTenantIsolation(sql, params, metadata, tenantId);
+    }
+    await adapter.validate(finalSql, params);
+    const result = await adapter.execute(finalSql, params);
+    return {
+      rows: result.rows,
+      fields: result.fields
+    };
+  }
+  async execute(sql, params, databaseName) {
+    try {
+      const adapter = this.getDatabase(databaseName);
+      const result = await adapter.execute(sql, params);
+      return result.rows;
+    } catch (error) {
+      console.warn(
+        `Failed to execute SQL locally for database '${databaseName}':`,
+        error
+      );
+      return [];
+    }
+  }
+  mapGeneratedParams(params) {
+    const record = {};
+    params.forEach((param, index) => {
+      const value = param.value;
+      if (value === void 0) {
+        return;
+      }
+      const nameCandidate = typeof param.name === "string" && param.name.trim() || typeof param.placeholder === "string" && param.placeholder.trim() || typeof param.position === "number" && String(param.position) || String(index + 1);
+      const key = nameCandidate.replace(/[{}:$]/g, "").trim();
+      record[key] = value;
+    });
+    return record;
+  }
+  ensureTenantIsolation(sql, params, metadata, tenantId) {
+    if (!metadata.tenantFieldName || metadata.enforceTenantIsolation === false) {
+      return sql;
+    }
+    const tenantField = metadata.tenantFieldName;
+    const paramKey = tenantField;
+    params[paramKey] = tenantId;
+    const normalizedSql = sql.toLowerCase();
+    if (normalizedSql.includes(tenantField.toLowerCase())) {
+      return sql;
+    }
+    const tenantPredicate = metadata.dialect === "clickhouse" ? `${tenantField} = {${tenantField}:${metadata.tenantFieldType ?? "String"}}` : `${tenantField} = '${tenantId}'`;
+    if (/\bwhere\b/i.test(sql)) {
+      return sql.replace(
+        /\bwhere\b/i,
+        (match) => `${match} ${tenantPredicate} AND `
+      );
+    }
+    return `${sql} WHERE ${tenantPredicate}`;
+  }
+};
+
+// src/routes/charts.ts
+async function createChart(client, body, options, signal) {
+  const tenantId = resolveTenantId(client, options?.tenantId);
+  return await client.post(
+    "/charts",
+    body,
+    tenantId,
+    options?.userId,
+    options?.scopes,
+    signal
+  );
+}
+async function listCharts(client, queryEngine, options, signal) {
+  const tenantId = resolveTenantId(client, options?.tenantId);
+  const params = new URLSearchParams();
+  if (options?.pagination?.page)
+    params.set("page", `${options.pagination.page}`);
+  if (options?.pagination?.limit)
+    params.set("limit", `${options.pagination.limit}`);
+  if (options?.sortBy) params.set("sort_by", options.sortBy);
+  if (options?.sortDir) params.set("sort_dir", options.sortDir);
+  if (options?.title) params.set("title", options.title);
+  if (options?.userFilter) params.set("user_id", options.userFilter);
+  if (options?.createdFrom) params.set("created_from", options.createdFrom);
+  if (options?.createdTo) params.set("created_to", options.createdTo);
+  if (options?.updatedFrom) params.set("updated_from", options.updatedFrom);
+  if (options?.updatedTo) params.set("updated_to", options.updatedTo);
+  const response = await client.get(
+    `/charts${params.toString() ? `?${params.toString()}` : ""}`,
+    tenantId,
+    options?.userId,
+    options?.scopes,
+    signal
+  );
+  if (options?.includeData) {
+    response.data = await Promise.all(
+      response.data.map(async (chart) => ({
+        ...chart,
+        vega_lite_spec: {
+          ...chart.vega_lite_spec,
+          data: {
+            values: await queryEngine.execute(
+              chart.sql,
+              chart.sql_params ?? void 0,
+              chart.target_db ?? void 0
+            )
+          }
+        }
+      }))
+    );
+  }
+  return response;
+}
+async function getChart(client, queryEngine, id, options, signal) {
+  const tenantId = resolveTenantId(client, options?.tenantId);
+  const chart = await client.get(
+    `/charts/${encodeURIComponent(id)}`,
+    tenantId,
+    options?.userId,
+    options?.scopes,
+    signal
+  );
+  return {
+    ...chart,
+    vega_lite_spec: {
+      ...chart.vega_lite_spec,
+      data: {
+        values: await queryEngine.execute(
+          chart.sql,
+          chart.sql_params ?? void 0,
+          chart.target_db ?? void 0
+        )
+      }
+    }
+  };
+}
+async function updateChart(client, id, body, options, signal) {
+  const tenantId = resolveTenantId(client, options?.tenantId);
+  return await client.put(
+    `/charts/${encodeURIComponent(id)}`,
+    body,
+    tenantId,
+    options?.userId,
+    options?.scopes,
+    signal
+  );
+}
+async function deleteChart(client, id, options, signal) {
+  const tenantId = resolveTenantId(client, options?.tenantId);
+  await client.delete(
+    `/charts/${encodeURIComponent(id)}`,
+    tenantId,
+    options?.userId,
+    options?.scopes,
+    signal
+  );
+}
+function resolveTenantId(client, tenantId) {
+  const resolved = tenantId ?? client.getDefaultTenantId();
+  if (!resolved) {
+    throw new Error(
+      "tenantId is required. Provide it per request or via defaultTenantId option."
+    );
+  }
+  return resolved;
+}
+
+// src/routes/active-charts.ts
+async function createActiveChart(client, body, options, signal) {
+  const tenantId = resolveTenantId2(client, options?.tenantId);
+  return await client.post(
+    "/active-charts",
+    body,
+    tenantId,
+    options?.userId,
+    options?.scopes,
+    signal
+  );
+}
+async function listActiveCharts(client, queryEngine, options, signal) {
+  const tenantId = resolveTenantId2(client, options?.tenantId);
+  const params = new URLSearchParams();
+  if (options?.pagination?.page)
+    params.set("page", `${options.pagination.page}`);
+  if (options?.pagination?.limit)
+    params.set("limit", `${options.pagination.limit}`);
+  if (options?.sortBy) params.set("sort_by", options.sortBy);
+  if (options?.sortDir) params.set("sort_dir", options.sortDir);
+  if (options?.title) params.set("name", options.title);
+  if (options?.userFilter) params.set("user_id", options.userFilter);
+  if (options?.createdFrom) params.set("created_from", options.createdFrom);
+  if (options?.createdTo) params.set("created_to", options.createdTo);
+  if (options?.updatedFrom) params.set("updated_from", options.updatedFrom);
+  if (options?.updatedTo) params.set("updated_to", options.updatedTo);
+  const response = await client.get(
+    `/active-charts${params.toString() ? `?${params.toString()}` : ""}`,
+    tenantId,
+    options?.userId,
+    options?.scopes,
+    signal
+  );
+  if (options?.withData) {
+    response.data = await Promise.all(
+      response.data.map(async (active) => ({
+        ...active,
+        chart: active.chart ? await getChart(
+          client,
+          queryEngine,
+          active.chart_id,
+          options,
+          signal
+        ) : null
+      }))
+    );
+  }
+  return response;
+}
+async function getActiveChart(client, queryEngine, id, options, signal) {
+  const tenantId = resolveTenantId2(client, options?.tenantId);
+  const active = await client.get(
+    `/active-charts/${encodeURIComponent(id)}`,
+    tenantId,
+    options?.userId,
+    options?.scopes,
+    signal
+  );
+  if (options?.withData && active.chart_id) {
+    return {
+      ...active,
+      chart: await getChart(
+        client,
+        queryEngine,
+        active.chart_id,
+        options,
+        signal
+      )
+    };
+  }
+  return active;
+}
+async function updateActiveChart(client, id, body, options, signal) {
+  const tenantId = resolveTenantId2(client, options?.tenantId);
+  return await client.put(
+    `/active-charts/${encodeURIComponent(id)}`,
+    body,
+    tenantId,
+    options?.userId,
+    options?.scopes,
+    signal
+  );
+}
+async function deleteActiveChart(client, id, options, signal) {
+  const tenantId = resolveTenantId2(client, options?.tenantId);
+  await client.delete(
+    `/active-charts/${encodeURIComponent(id)}`,
+    tenantId,
+    options?.userId,
+    options?.scopes,
+    signal
+  );
+}
+function resolveTenantId2(client, tenantId) {
+  const resolved = tenantId ?? client.getDefaultTenantId();
+  if (!resolved) {
+    throw new Error(
+      "tenantId is required. Provide it per request or via defaultTenantId option."
+    );
+  }
+  return resolved;
+}
+
+// src/routes/ingest.ts
+var import_node_crypto = require("crypto");
+async function syncSchema(client, queryEngine, databaseName, options, signal) {
+  const tenantId = resolveTenantId3(client, options.tenantId);
+  const adapter = queryEngine.getDatabase(databaseName);
+  const introspection = await adapter.introspect(
+    options.tables ? { tables: options.tables } : void 0
+  );
+  const payload = buildSchemaRequest(databaseName, adapter, introspection);
+  const sessionId = (0, import_node_crypto.randomUUID)();
+  const response = await client.post(
+    "/ingest",
+    payload,
+    tenantId,
+    options.userId,
+    options.scopes,
+    signal,
+    sessionId
+  );
+  return response;
+}
+function resolveTenantId3(client, tenantId) {
+  const resolved = tenantId ?? client.getDefaultTenantId();
+  if (!resolved) {
+    throw new Error(
+      "tenantId is required. Provide it per request or via defaultTenantId option."
+    );
+  }
+  return resolved;
+}
+function buildSchemaRequest(databaseName, adapter, introspection) {
+  const dialect = adapter.getDialect();
+  const tables = introspection.tables.map((table) => ({
+    table_name: table.name,
+    description: table.comment ?? `Table ${table.name}`,
+    columns: table.columns.map((column) => ({
+      name: column.name,
+      data_type: column.rawType ?? column.type,
+      is_primary_key: Boolean(column.isPrimaryKey),
+      description: column.comment ?? ""
+    }))
+  }));
+  return {
+    database: databaseName,
+    dialect,
+    tables
+  };
+}
+
+// src/routes/query.ts
+var import_node_crypto2 = require("crypto");
+async function ask(client, queryEngine, question, options, signal) {
+  const tenantId = resolveTenantId4(client, options.tenantId);
+  const sessionId = (0, import_node_crypto2.randomUUID)();
+  const maxRetry = options.maxRetry ?? 0;
+  let attempt = 0;
+  let lastError = options.lastError;
+  let previousSql = options.previousSql;
+  while (attempt <= maxRetry) {
+    console.log({ lastError, previousSql });
+    const queryResponse = await client.post(
+      "/query",
+      {
+        question,
+        ...lastError ? { last_error: lastError } : {},
+        ...previousSql ? { previous_sql: previousSql } : {},
+        ...options.maxRetry ? { max_retry: options.maxRetry } : {}
+      },
+      tenantId,
+      options.userId,
+      options.scopes,
+      signal,
+      sessionId
+    );
+    const databaseName = queryResponse.database ?? options.database ?? queryEngine.getDefaultDatabase();
+    if (!databaseName) {
+      throw new Error(
+        "No database attached. Call attachPostgres/attachClickhouse first."
+      );
+    }
+    const paramMetadata = Array.isArray(queryResponse.params) ? queryResponse.params : [];
+    const paramValues = queryEngine.mapGeneratedParams(paramMetadata);
+    try {
+      const execution = await queryEngine.validateAndExecute(
+        queryResponse.sql,
+        paramValues,
+        databaseName,
+        tenantId
+      );
+      const rows = execution.rows ?? [];
+      let chart = {
+        vegaLiteSpec: null,
+        notes: rows.length === 0 ? "Query returned no rows." : null
+      };
+      if (rows.length > 0) {
+        const chartResponse = await client.post(
+          "/chart",
+          {
+            question,
+            sql: queryResponse.sql,
+            rationale: queryResponse.rationale,
+            fields: execution.fields,
+            rows: anonymizeResults(rows),
+            max_retries: options.chartMaxRetries ?? 3,
+            query_id: queryResponse.queryId
+          },
+          tenantId,
+          options.userId,
+          options.scopes,
+          signal,
+          sessionId
+        );
+        chart = {
+          vegaLiteSpec: chartResponse.chart ? {
+            ...chartResponse.chart,
+            data: { values: rows }
+          } : null,
+          notes: chartResponse.notes
+        };
+      }
+      return {
+        sql: queryResponse.sql,
+        params: paramValues,
+        paramMetadata,
+        rationale: queryResponse.rationale,
+        dialect: queryResponse.dialect,
+        queryId: queryResponse.queryId,
+        rows,
+        fields: execution.fields,
+        chart,
+        context: queryResponse.context,
+        attempts: attempt + 1
+      };
+    } catch (error) {
+      attempt++;
+      if (attempt > maxRetry) {
+        throw error;
+      }
+      lastError = error instanceof Error ? error.message : String(error);
+      previousSql = queryResponse.sql;
+      console.warn(
+        `SQL execution failed (attempt ${attempt}/${maxRetry + 1}): ${lastError}. Retrying...`
+      );
+    }
+  }
+  throw new Error("Unexpected error in ask retry loop");
+}
+function resolveTenantId4(client, tenantId) {
+  const resolved = tenantId ?? client.getDefaultTenantId();
+  if (!resolved) {
+    throw new Error(
+      "tenantId is required. Provide it per request or via defaultTenantId option."
+    );
+  }
+  return resolved;
+}
+function anonymizeResults(rows) {
+  if (!rows?.length) return [];
+  return rows.map((row) => {
+    const masked = {};
+    Object.entries(row).forEach(([key, value]) => {
+      if (value === null) masked[key] = "null";
+      else if (Array.isArray(value)) masked[key] = "array";
+      else masked[key] = typeof value;
+    });
+    return masked;
+  });
+}
+
+// src/index.ts
+var QueryPanelSdkAPI = class {
+  client;
+  queryEngine;
+  constructor(baseUrl, privateKey, organizationId, options) {
+    this.client = new ApiClient(baseUrl, privateKey, organizationId, options);
+    this.queryEngine = new QueryEngine();
+  }
+  // Database attachment methods
+  attachClickhouse(name, clientFn, options) {
+    const adapter = new ClickHouseAdapter(clientFn, options);
+    const metadata = {
+      name,
+      dialect: "clickhouse",
+      description: options?.description,
+      tags: options?.tags,
+      tenantFieldName: options?.tenantFieldName,
+      tenantFieldType: options?.tenantFieldType ?? "String",
+      enforceTenantIsolation: options?.tenantFieldName ? options?.enforceTenantIsolation ?? true : void 0
+    };
+    this.queryEngine.attachDatabase(name, adapter, metadata);
+  }
+  attachPostgres(name, clientFn, options) {
+    const adapter = new PostgresAdapter(clientFn, options);
+    const metadata = {
+      name,
+      dialect: "postgres",
+      description: options?.description,
+      tags: options?.tags,
+      tenantFieldName: options?.tenantFieldName,
+      enforceTenantIsolation: options?.tenantFieldName ? options?.enforceTenantIsolation ?? true : void 0
+    };
+    this.queryEngine.attachDatabase(name, adapter, metadata);
+  }
+  attachDatabase(name, adapter) {
+    const metadata = {
+      name,
+      dialect: adapter.getDialect()
+    };
+    this.queryEngine.attachDatabase(name, adapter, metadata);
+  }
+  // Schema introspection and sync
+  async introspect(databaseName, tables) {
+    const adapter = this.queryEngine.getDatabase(databaseName);
+    return await adapter.introspect(tables ? { tables } : void 0);
+  }
+  async syncSchema(databaseName, options, signal) {
+    return await syncSchema(
+      this.client,
+      this.queryEngine,
+      databaseName,
+      options,
+      signal
+    );
+  }
+  // Natural language query
+  async ask(question, options, signal) {
+    return await ask(
+      this.client,
+      this.queryEngine,
+      question,
+      options,
+      signal
+    );
+  }
+  // Chart CRUD operations
+  async createChart(body, options, signal) {
+    return await createChart(this.client, body, options, signal);
+  }
+  async listCharts(options, signal) {
+    return await listCharts(
+      this.client,
+      this.queryEngine,
+      options,
+      signal
+    );
+  }
+  async getChart(id, options, signal) {
+    return await getChart(
+      this.client,
+      this.queryEngine,
+      id,
+      options,
+      signal
+    );
+  }
+  async updateChart(id, body, options, signal) {
+    return await updateChart(
+      this.client,
+      id,
+      body,
+      options,
+      signal
+    );
+  }
+  async deleteChart(id, options, signal) {
+    await deleteChart(this.client, id, options, signal);
+  }
+  // Active Chart CRUD operations
+  async createActiveChart(body, options, signal) {
+    return await createActiveChart(
+      this.client,
+      body,
+      options,
+      signal
+    );
+  }
+  async listActiveCharts(options, signal) {
+    return await listActiveCharts(
+      this.client,
+      this.queryEngine,
+      options,
+      signal
+    );
+  }
+  async getActiveChart(id, options, signal) {
+    return await getActiveChart(
+      this.client,
+      this.queryEngine,
+      id,
+      options,
+      signal
+    );
+  }
+  async updateActiveChart(id, body, options, signal) {
+    return await updateActiveChart(
+      this.client,
+      id,
+      body,
+      options,
+      signal
+    );
+  }
+  async deleteActiveChart(id, options, signal) {
+    await deleteActiveChart(this.client, id, options, signal);
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ClickHouseAdapter,
+  PostgresAdapter,
+  QueryPanelSdkAPI,
+  anonymizeResults
+});
+//# sourceMappingURL=index.cjs.map