@rebasepro/server-postgresql 0.2.1 → 0.2.4

package/dist/index.es.js

@@ -1,7 +1,7 @@
 import { Pool, Client } from "pg";
 import { drizzle } from "drizzle-orm/node-postgres";
 import { sql, inArray, eq, and, or, ilike, asc, desc, gt, lt, getTableName as getTableName$1, count, relations, isTable } from "drizzle-orm";
-import { PgVarchar, PgText, PgChar, pgSchema, pgTable, timestamp, jsonb, varchar, boolean, uuid, primaryKey, unique, getTableConfig } from "drizzle-orm/pg-core";
+import { PgVarchar, PgText, PgChar, pgSchema, pgTable, timestamp, jsonb, boolean, varchar, uuid, primaryKey, unique, getTableConfig } from "drizzle-orm/pg-core";
 import { createHash, randomUUID } from "crypto";
 import * as fs from "fs";
 import { promises } from "fs";
@@ -11,7 +11,7 @@ import chokidar from "chokidar";
 import { WebSocket, WebSocketServer } from "ws";
 import { EventEmitter } from "events";
 import { inspect } from "util";
-import { extractUserFromToken, createEmailService } from "@rebasepro/server-core";
+import { extractUserFromToken, logger, createEmailService } from "@rebasepro/server-core";
 const DEFAULT_POOL = {
   max: 20,
   idleTimeoutMillis: 3e4,
@@ -51,6 +51,70 @@ function createPostgresDatabaseConnection(connectionString, schema, poolConfig)
     connectionString
   };
 }
+function createDirectDatabaseConnection(connectionString, schema, poolConfig) {
+  const opts = {
+    ...DEFAULT_POOL,
+    max: 5,
+    ...poolConfig
+  };
+  const pgPoolConfig = {
+    connectionString,
+    max: opts.max,
+    idleTimeoutMillis: opts.idleTimeoutMillis,
+    connectionTimeoutMillis: opts.connectionTimeoutMillis,
+    query_timeout: opts.queryTimeout,
+    statement_timeout: opts.statementTimeout,
+    keepAlive: opts.keepAlive,
+    keepAliveInitialDelayMillis: 0
+  };
+  const pool = new Pool(pgPoolConfig);
+  pool.on("error", (err) => {
+    console.error("[pg-direct-pool] Unexpected pool error:", err.message);
+  });
+  const db = schema ? drizzle(pool, {
+    schema
+  }) : drizzle(pool);
+  return {
+    db,
+    pool,
+    connectionString
+  };
+}
+function createReadReplicaConnection(connectionString, schema, poolConfig) {
+  const opts = {
+    ...DEFAULT_POOL,
+    max: 10,
+    ...poolConfig
+  };
+  const pgPoolConfig = {
+    connectionString,
+    max: opts.max,
+    idleTimeoutMillis: opts.idleTimeoutMillis,
+    connectionTimeoutMillis: opts.connectionTimeoutMillis,
+    query_timeout: opts.queryTimeout,
+    statement_timeout: opts.statementTimeout,
+    keepAlive: opts.keepAlive,
+    keepAliveInitialDelayMillis: 0
+  };
+  const pool = new Pool(pgPoolConfig);
+  pool.on("error", (err) => {
+    console.error("[pg-replica-pool] Unexpected pool error:", err.message);
+  });
+  const db = schema ? drizzle(pool, {
+    schema
+  }) : drizzle(pool);
+  return {
+    db,
+    pool,
+    connectionString
+  };
+}
+const connection = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  createDirectDatabaseConnection,
+  createPostgresDatabaseConnection,
+  createReadReplicaConnection
+}, Symbol.toStringTag, { value: "Module" }));
 class Vector {
   value;
   constructor(value) {
@@ -970,6 +1034,9 @@ function mergeDeep(target, source, ignoreUndefined = false) {
     return output;
   }
   for (const key in source) {
+    if (key === "__proto__" || key === "constructor" || key === "prototype") {
+      continue;
+    }
     if (Object.prototype.hasOwnProperty.call(source, key)) {
       const sourceValue = source[key];
       const outputValue = output[key];
@@ -1158,118 +1225,6 @@ function enumToObjectEntries(enumValues) {
     });
   }
 }
-function getSubcollections(collection) {
-  if (collection.childCollections) {
-    return collection.childCollections() ?? [];
-  }
-  if (getDataSourceCapabilities(collection.driver).supportsSubcollections && collection.subcollections) {
-    return collection.subcollections() ?? [];
-  }
-  if (getDataSourceCapabilities(collection.driver).supportsRelations && collection.relations) {
-    const manyRelations = collection.relations.filter((r) => r.cardinality === "many");
-    return manyRelations.map((r) => {
-      const target = r.target();
-      if (!target) return void 0;
-      const relationKey = r.relationName || target.slug;
-      let customName;
-      if (collection.properties) {
-        const prop = Object.entries(collection.properties).find(([_, p]) => p.type === "relation" && p.relationName === relationKey);
-        if (prop && prop[1].name) {
-          customName = prop[1].name;
-        }
-      }
-      const baseOverrides = {
-        slug: relationKey
-      };
-      if (customName) {
-        baseOverrides.name = customName;
-        baseOverrides.singularName = customName;
-      }
-      const targetWithOverrides = {
-        ...target,
-        ...baseOverrides
-      };
-      return r.overrides ? mergeDeep(targetWithOverrides, r.overrides) : targetWithOverrides;
-    }).filter((c) => Boolean(c));
-  }
-  return [];
-}
-function hasPropertyCallbacks(properties, callbackName) {
-  if (!properties) return false;
-  for (const property of Object.values(properties)) {
-    if (property.callbacks?.[callbackName]) return true;
-    if (property.type === "map" && property.properties) {
-      if (hasPropertyCallbacks(property.properties, callbackName)) return true;
-    } else if (property.type === "array" && property.of) {
-      const ofs = Array.isArray(property.of) ? property.of : [property.of];
-      for (const of of ofs) {
-        if (of.callbacks?.[callbackName]) return true;
-        if (of.type === "map" && of.properties && hasPropertyCallbacks(of.properties, callbackName)) return true;
-      }
-    }
-  }
-  return false;
-}
-async function processProperties(properties, values, previousValues, propsContext, callbackName) {
-  if (!values || typeof values !== "object") return values;
-  const result = {
-    ...values
-  };
-  for (const [key, property] of Object.entries(properties)) {
-    if (result[key] === void 0) continue;
-    let currentValue = result[key];
-    const previousValue = previousValues?.[key];
-    if (property.type === "array" && Array.isArray(currentValue)) {
-      if (property.of && !Array.isArray(property.of)) {
-        currentValue = await Promise.all(currentValue.map(async (item, index) => {
-          const prevItem = Array.isArray(previousValue) ? previousValue[index] : void 0;
-          const singlePropData = {
-            "_tmp": property.of
-          };
-          const res = await processProperties(singlePropData, {
-            "_tmp": item
-          }, {
-            "_tmp": prevItem
-          }, propsContext, callbackName);
-          return res["_tmp"];
-        }));
-      }
-    } else if (property.type === "map" && property.properties && typeof currentValue === "object") {
-      currentValue = await processProperties(property.properties, currentValue, previousValue ?? {}, propsContext, callbackName);
-    }
-    if (property.callbacks?.[callbackName]) {
-      const cbRes = await Promise.resolve(property.callbacks[callbackName]({
-        ...propsContext,
-        value: currentValue,
-        previousValue
-      }));
-      if (cbRes !== void 0) {
-        currentValue = cbRes;
-      }
-    }
-    result[key] = currentValue;
-  }
-  return result;
-}
-const buildPropertyCallbacks = (properties) => {
-  if (!properties) return void 0;
-  const propertyCallbacks = {};
-  if (hasPropertyCallbacks(properties, "afterRead")) {
-    propertyCallbacks.afterRead = async (props) => {
-      const processedValues = await processProperties(properties, props.entity.values, props.entity.values, props, "afterRead");
-      return {
-        ...props.entity,
-        values: processedValues
-      };
-    };
-  }
-  if (hasPropertyCallbacks(properties, "beforeSave")) {
-    propertyCallbacks.beforeSave = async (props) => {
-      return await processProperties(properties, props.values, props.previousValues ?? {}, props, "beforeSave");
-    };
-  }
-  return Object.keys(propertyCallbacks).length > 0 ? propertyCallbacks : void 0;
-};
 function sanitizeRelation(relation, sourceCollection, resolveCollection) {
   if (!relation.target) {
     throw new Error("Relation is missing a `target` collection.");
@@ -1301,6 +1256,8 @@ function sanitizeRelation(relation, sourceCollection, resolveCollection) {
     } else {
       targetCollection = evaluated;
     }
+  } else if (rawTarget && typeof rawTarget === "object") {
+    targetCollection = rawTarget;
   }
   if (!targetCollection) {
     throw new Error("Relation is missing a valid `target` collection.");
@@ -1420,11 +1377,14 @@ function resolveCollectionRelations(collection) {
   const registeredRelationNames = /* @__PURE__ */ new Set();
   if (relCollection.relations) {
     relCollection.relations.forEach((relation) => {
-      const normalizedRelation = sanitizeRelation(relation, collection);
-      const relationKey = normalizedRelation.relationName;
-      if (relationKey) {
-        relations2[relationKey] = normalizedRelation;
-        registeredRelationNames.add(relationKey);
+      try {
+        const normalizedRelation = sanitizeRelation(relation, collection);
+        const relationKey = normalizedRelation.relationName;
+        if (relationKey) {
+          relations2[relationKey] = normalizedRelation;
+          registeredRelationNames.add(relationKey);
+        }
+      } catch (e) {
       }
     });
   }
@@ -1472,12 +1432,8 @@ function resolvePropertyRelation({
       overrides: relProp.overrides
     };
   }
-  const relation = (sourceCollection.relations ?? []).find((rel) => rel.relationName === relProp.relationName);
-  if (!relation) {
-    console.warn(`Unrecognized relation format for property '${propertyKey}' in collection '${sourceCollection.slug}'`);
-    return void 0;
-  }
-  return relation;
+  console.warn(`Unrecognized or missing relation target for property '${propertyKey}' in collection '${sourceCollection.slug}'`);
+  return void 0;
 }
 function getTableName(collection) {
   if (getDataSourceCapabilities(collection.driver).supportsRelations) {
@@ -1504,6 +1460,119 @@ function findRelation(resolvedRelations, key) {
   if (snakeKey !== key && resolvedRelations[snakeKey]) return resolvedRelations[snakeKey];
   return void 0;
 }
+function getSubcollections(collection) {
+  if (collection.childCollections) {
+    return collection.childCollections() ?? [];
+  }
+  if (getDataSourceCapabilities(collection.driver).supportsSubcollections && collection.subcollections) {
+    return collection.subcollections() ?? [];
+  }
+  if (getDataSourceCapabilities(collection.driver).supportsRelations) {
+    const resolvedRelations = resolveCollectionRelations(collection);
+    const manyRelations = Object.values(resolvedRelations).filter((r) => r.cardinality === "many");
+    return manyRelations.map((r) => {
+      const target = r.target();
+      if (!target) return void 0;
+      const relationKey = r.relationName || target.slug;
+      let customName;
+      if (collection.properties) {
+        const prop = Object.entries(collection.properties).find(([_, p]) => p.type === "relation" && p.relationName === relationKey);
+        if (prop && prop[1].name) {
+          customName = prop[1].name;
+        }
+      }
+      const baseOverrides = {
+        slug: relationKey
+      };
+      if (customName) {
+        baseOverrides.name = customName;
+        baseOverrides.singularName = customName;
+      }
+      const targetWithOverrides = {
+        ...target,
+        ...baseOverrides
+      };
+      return r.overrides ? mergeDeep(targetWithOverrides, r.overrides) : targetWithOverrides;
+    }).filter((c) => Boolean(c));
+  }
+  return [];
+}
+function hasPropertyCallbacks(properties, callbackName) {
+  if (!properties) return false;
+  for (const property of Object.values(properties)) {
+    if (property.callbacks?.[callbackName]) return true;
+    if (property.type === "map" && property.properties) {
+      if (hasPropertyCallbacks(property.properties, callbackName)) return true;
+    } else if (property.type === "array" && property.of) {
+      const ofs = Array.isArray(property.of) ? property.of : [property.of];
+      for (const of of ofs) {
+        if (of.callbacks?.[callbackName]) return true;
+        if (of.type === "map" && of.properties && hasPropertyCallbacks(of.properties, callbackName)) return true;
+      }
+    }
+  }
+  return false;
+}
+async function processProperties(properties, values, previousValues, propsContext, callbackName) {
+  if (!values || typeof values !== "object") return values;
+  const result = {
+    ...values
+  };
+  for (const [key, property] of Object.entries(properties)) {
+    if (result[key] === void 0) continue;
+    let currentValue = result[key];
+    const previousValue = previousValues?.[key];
+    if (property.type === "array" && Array.isArray(currentValue)) {
+      if (property.of && !Array.isArray(property.of)) {
+        currentValue = await Promise.all(currentValue.map(async (item, index) => {
+          const prevItem = Array.isArray(previousValue) ? previousValue[index] : void 0;
+          const singlePropData = {
+            "_tmp": property.of
+          };
+          const res = await processProperties(singlePropData, {
+            "_tmp": item
+          }, {
+            "_tmp": prevItem
+          }, propsContext, callbackName);
+          return res["_tmp"];
+        }));
+      }
+    } else if (property.type === "map" && property.properties && typeof currentValue === "object") {
+      currentValue = await processProperties(property.properties, currentValue, previousValue ?? {}, propsContext, callbackName);
+    }
+    if (property.callbacks?.[callbackName]) {
+      const cbRes = await Promise.resolve(property.callbacks[callbackName]({
+        ...propsContext,
+        value: currentValue,
+        previousValue
+      }));
+      if (cbRes !== void 0) {
+        currentValue = cbRes;
+      }
+    }
+    result[key] = currentValue;
+  }
+  return result;
+}
+const buildPropertyCallbacks = (properties) => {
+  if (!properties) return void 0;
+  const propertyCallbacks = {};
+  if (hasPropertyCallbacks(properties, "afterRead")) {
+    propertyCallbacks.afterRead = async (props) => {
+      const processedValues = await processProperties(properties, props.entity.values, props.entity.values, props, "afterRead");
+      return {
+        ...props.entity,
+        values: processedValues
+      };
+    };
+  }
+  if (hasPropertyCallbacks(properties, "beforeSave")) {
+    propertyCallbacks.beforeSave = async (props) => {
+      return await processProperties(properties, props.values, props.previousValues ?? {}, props, "beforeSave");
+    };
+  }
+  return Object.keys(propertyCallbacks).length > 0 ? propertyCallbacks : void 0;
+};
 var logic = { exports: {} };
 (function(module, exports) {
   (function(root, factory) {
@@ -2411,8 +2480,18 @@ class CollectionRegistry {
     const mergedRelationsRaw = [...extractedRelations];
     for (const manual of manualRelations) {
       const name = manual.relationName;
-      if (!name || !mergedRelationsRaw.find((r) => r.relationName === name)) {
+      if (!name) {
         mergedRelationsRaw.push(manual);
+      } else {
+        const existingIndex = mergedRelationsRaw.findIndex((r) => r.relationName === name);
+        if (existingIndex === -1) {
+          mergedRelationsRaw.push(manual);
+        } else {
+          mergedRelationsRaw[existingIndex] = {
+            ...manual,
+            ...mergedRelationsRaw[existingIndex]
+          };
+        }
       }
     }
     let mergedRelations = mergedRelationsRaw;
@@ -2625,11 +2704,207 @@ class CollectionRegistry {
         collections.push(currentCollection);
       }
     }
-    return {
-      collections,
-      entityIds,
-      finalCollection: currentCollection
-    };
+    return {
+      collections,
+      entityIds,
+      finalCollection: currentCollection
+    };
+  }
+}
+const defaultUsersCollection = {
+  name: "Users",
+  singularName: "User",
+  slug: "users",
+  table: "users",
+  schema: "rebase",
+  icon: "Users",
+  group: "Settings",
+  properties: {
+    id: {
+      name: "ID",
+      type: "string",
+      isId: "uuid"
+    },
+    email: {
+      name: "Email",
+      type: "string",
+      validation: {
+        required: true,
+        unique: true
+      }
+    },
+    password_hash: {
+      name: "Password Hash",
+      type: "string",
+      ui: {
+        hideFromCollection: true
+      }
+    },
+    display_name: {
+      name: "Display Name",
+      type: "string"
+    },
+    photo_url: {
+      name: "Photo URL",
+      type: "string"
+    },
+    email_verified: {
+      name: "Email Verified",
+      type: "boolean",
+      defaultValue: false
+    },
+    email_verification_token: {
+      name: "Email Verification Token",
+      type: "string",
+      ui: {
+        hideFromCollection: true
+      }
+    },
+    email_verification_sent_at: {
+      name: "Email Verification Sent At",
+      type: "date",
+      ui: {
+        hideFromCollection: true
+      }
+    },
+    metadata: {
+      name: "Metadata",
+      type: "map",
+      defaultValue: {},
+      ui: {
+        hideFromCollection: true
+      }
+    },
+    created_at: {
+      name: "Created At",
+      type: "date",
+      autoValue: "on_create",
+      ui: {
+        readOnly: true,
+        hideFromCollection: true
+      }
+    },
+    updated_at: {
+      name: "Updated At",
+      type: "date",
+      autoValue: "on_update",
+      ui: {
+        readOnly: true,
+        hideFromCollection: true
+      }
+    }
+  }
+};
+function mapOperator(op) {
+  switch (op) {
+    case "==":
+      return "eq";
+    case "!=":
+      return "neq";
+    case ">":
+      return "gt";
+    case ">=":
+      return "gte";
+    case "<":
+      return "lt";
+    case "<=":
+      return "lte";
+    case "array-contains":
+      return "cs";
+    case "array-contains-any":
+      return "csa";
+    case "not-in":
+      return "nin";
+    default:
+      return op;
+  }
+}
+class QueryBuilder {
+  constructor(collection) {
+    this.collection = collection;
+  }
+  params = {
+    where: {}
+  };
+  /**
+   * Add a filter condition to your query.
+   * @example
+   * client.collection('users').where('age', '>=', 18).find()
+   */
+  where(column, operator, value) {
+    if (!this.params.where) {
+      this.params.where = {};
+    }
+    const mappedOp = mapOperator(operator);
+    let formattedValue = value;
+    if (Array.isArray(value) && ["in", "nin", "cs", "csa"].includes(mappedOp)) {
+      formattedValue = `(${value.join(",")})`;
+    } else if (value === null) {
+      formattedValue = "null";
+    }
+    this.params.where[column] = mappedOp === "eq" ? String(formattedValue) : `${mappedOp}.${formattedValue}`;
+    return this;
+  }
+  /**
+   * Order the results by a specific column.
+   * @example
+   * client.collection('users').orderBy('createdAt', 'desc').find()
+   */
+  orderBy(column, ascending = "asc") {
+    this.params.orderBy = `${column}:${ascending}`;
+    return this;
+  }
+  /**
+   * Limit the number of results returned.
+   */
+  limit(count2) {
+    this.params.limit = count2;
+    return this;
+  }
+  /**
+   * Skip the first N results.
+   */
+  offset(count2) {
+    this.params.offset = count2;
+    return this;
+  }
+  /**
+   * Set a free-text search string if supported by the backend.
+   */
+  search(searchString) {
+    this.params.searchString = searchString;
+    return this;
+  }
+  /**
+   * Include related entities in the response.
+   * Relations will be populated with full entity data instead of just IDs.
+   *
+   * @param relations - Relation names to include, or "*" for all.
+   * @example
+   * // Include specific relations
+   * client.data.posts.include("tags", "author").find()
+   *
+   * // Include all relations
+   * client.data.posts.include("*").find()
+   */
+  include(...relations2) {
+    this.params.include = relations2;
+    return this;
+  }
+  /**
+   * Execute the find query and return the results.
+   */
+  async find() {
+    return this.collection.find(this.params);
+  }
+  /**
+   * Listen to realtime updates matching this query.
+   */
+  listen(onUpdate, onError) {
+    if (!this.collection.listen) {
+      throw new Error("Listen is only available when RebaseClient is configured with a websocketUrl.");
+    }
+    return this.collection.listen(this.params, onUpdate, onError);
   }
 }
 function convertWhereToFilter(where) {
@@ -2711,7 +2986,7 @@ function parseOrderBy(orderBy) {
   return [field, direction];
 }
 function createDriverAccessor(driver, slug) {
-  return {
+  const accessor = {
     async find(params) {
       const orderParsed = parseOrderBy(params?.orderBy);
       const entities = await driver.fetchCollection({
@@ -2805,8 +3080,28 @@ function createDriverAccessor(driver, slug) {
         onUpdate: (entity) => onUpdate(entity ?? void 0),
         onError
       });
-    } : void 0
+    } : void 0,
+    // Fluent Query Builder
+    where(column, operator, value) {
+      return new QueryBuilder(accessor).where(column, operator, value);
+    },
+    orderBy(column, ascending) {
+      return new QueryBuilder(accessor).orderBy(column, ascending);
+    },
+    limit(count2) {
+      return new QueryBuilder(accessor).limit(count2);
+    },
+    offset(count2) {
+      return new QueryBuilder(accessor).offset(count2);
+    },
+    search(searchString) {
+      return new QueryBuilder(accessor).search(searchString);
+    },
+    include(...relations2) {
+      return new QueryBuilder(accessor).include(...relations2);
+    }
   };
+  return accessor;
 }
 function buildRebaseData(driver) {
   const cache = /* @__PURE__ */ new Map();
@@ -2840,7 +3135,13 @@ class DrizzleConditionBuilder {
     for (const [field, filterParam] of Object.entries(filter)) {
       if (!filterParam) continue;
       const [op, value] = filterParam;
-      const fieldColumn = table[field];
+      let fieldColumn = table[field];
+      if (!fieldColumn) {
+        const relationKey = `${field}_id`;
+        if (relationKey in table) {
+          fieldColumn = table[relationKey];
+        }
+      }
       if (!fieldColumn) {
         console.warn(`Filtering by field '${field}', but it does not exist in table for collection '${collectionPath}'`);
         continue;
@@ -2882,6 +3183,17 @@ class DrizzleConditionBuilder {
         return null;
       case "array-contains":
         return sql`${column} @> ${JSON.stringify([value])}`;
+      case "array-contains-any":
+        if (Array.isArray(value) && value.length > 0) {
+          const textValues = value.map((v) => String(v));
+          return sql`${column} ?| array[${sql.join(textValues.map((v) => sql`${v}`), sql`, `)}]`;
+        }
+        return sql`${column} @> ${JSON.stringify([value])}`;
+      case "not-in":
+        if (Array.isArray(value) && value.length > 0) {
+          return sql`${column} NOT IN (${sql.join(value.map((v) => sql`${v}`), sql`, `)})`;
+        }
+        return null;
       default:
         console.warn(`Unsupported filter operation: ${op}`);
         return null;
@@ -3397,6 +3709,40 @@ class DrizzleConditionBuilder {
       return null;
     }
   }
+  /**
+   * Build vector similarity search expressions for pgvector.
+   *
+   * Returns:
+   * - `orderBy`: SQL expression to ORDER BY distance (ascending = closest first)
+   * - `filter`: optional WHERE clause for distance threshold
+   * - `distanceSelect`: SQL expression for selecting the distance as `_distance`
+   */
+  static buildVectorSearchConditions(table, vectorSearch) {
+    const column = table[vectorSearch.property];
+    if (!column) {
+      throw new Error(`Vector column '${vectorSearch.property}' not found in table`);
+    }
+    const vectorLiteral = `'[${vectorSearch.vector.join(",")}]'::vector`;
+    const distanceFn = vectorSearch.distance || "cosine";
+    let operator;
+    switch (distanceFn) {
+      case "cosine":
+        operator = "<=>";
+        break;
+      case "l2":
+        operator = "<->";
+        break;
+      case "inner_product":
+        operator = "<#>";
+        break;
+    }
+    const distanceExpr = sql`${column} ${sql.raw(operator)} ${sql.raw(vectorLiteral)}`;
+    return {
+      orderBy: distanceExpr,
+      filter: vectorSearch.threshold != null ? sql`(${column} ${sql.raw(operator)} ${sql.raw(vectorLiteral)}) < ${vectorSearch.threshold}` : void 0,
+      distanceSelect: sql`(${column} ${sql.raw(operator)} ${sql.raw(vectorLiteral)})`
+    };
+  }
 }
 const PostgresConditionBuilder = DrizzleConditionBuilder;
 function getColumnMeta(col) {
@@ -5342,7 +5688,7 @@ class EntityFetchService {
     const qb = this.getQueryBuilder(tableName);
     const withConfig = this.buildWithConfig(collection);
     const hasRelations = withConfig && Object.keys(withConfig).length > 0;
-    if (qb && !options.searchString && !hasRelations) {
+    if (qb && !options.searchString && !hasRelations && !options.vectorSearch) {
       try {
         const queryOpts = this.buildDrizzleQueryOptions(table, idField, idInfo, options, collectionPath, void 0);
         const results2 = await qb.findMany(queryOpts);
@@ -5356,7 +5702,14 @@ class EntityFetchService {
         console.warn(`[EntityFetchService] db.query.findMany failed for ${collectionPath}, falling back to db.select:`, e);
       }
     }
-    let query = this.db.select().from(table).$dynamic();
+    let vectorMeta;
+    if (options.vectorSearch) {
+      vectorMeta = DrizzleConditionBuilder.buildVectorSearchConditions(table, options.vectorSearch);
+    }
+    let query = vectorMeta ? this.db.select({
+      table_row: table,
+      _distance: vectorMeta.distanceSelect
+    }).from(table).$dynamic() : this.db.select().from(table).$dynamic();
     const allConditions = [];
     if (options.searchString) {
       const searchConditions = DrizzleConditionBuilder.buildSearchConditions(options.searchString, collection.properties, table);
@@ -5367,12 +5720,17 @@ class EntityFetchService {
       const filterConditions = this.buildFilterConditions(options.filter, table, collectionPath);
       if (filterConditions.length > 0) allConditions.push(...filterConditions);
     }
+    if (vectorMeta?.filter) {
+      allConditions.push(vectorMeta.filter);
+    }
     if (allConditions.length > 0) {
       const finalCondition = DrizzleConditionBuilder.combineConditionsWithAnd(allConditions);
       if (finalCondition) query = query.where(finalCondition);
     }
     const orderExpressions = [];
-    if (options.orderBy) {
+    if (vectorMeta) {
+      orderExpressions.push(asc(vectorMeta.orderBy));
+    } else if (options.orderBy) {
       const orderByField = this.resolveOrderByField(table, options.orderBy, collection);
       if (orderByField) {
         orderExpressions.push(options.order === "asc" ? asc(orderByField) : desc(orderByField));
@@ -5388,10 +5746,14 @@ class EntityFetchService {
         if (finalCondition) query = query.where(finalCondition);
       }
     }
-    const limitValue = options.searchString ? options.limit || 50 : options.limit;
+    const limitValue = options.vectorSearch ? options.limit || 10 : options.searchString ? options.limit || 50 : options.limit;
     if (limitValue) query = query.limit(limitValue);
     if (options.offset && options.offset > 0) query = query.offset(options.offset);
-    const results = await query;
+    const rawResults = await query;
+    const results = vectorMeta ? rawResults.map((r) => ({
+      ...r.table_row,
+      _distance: typeof r._distance === "number" ? r._distance : parseFloat(String(r._distance))
+    })) : rawResults;
     return this.processEntityResults(results, collection, collectionPath, idInfo, options.databaseId, false, idInfoArray);
   }
   /**
@@ -5613,7 +5975,7 @@ class EntityFetchService {
     const idField = table[idInfo.fieldName];
     const tableName = getTableName$1(table);
     const qb = this.getQueryBuilder(tableName);
-    if (qb && !options.searchString) {
+    if (qb && !options.searchString && !options.vectorSearch) {
       try {
         const withConfig = include && include.length > 0 ? this.buildWithConfig(collection, include) : void 0;
         const queryOpts = this.buildDrizzleQueryOptions(table, idField, idInfo, options, collectionPath, withConfig);
@@ -5759,7 +6121,14 @@ class EntityFetchService {
     const idInfoArray = getPrimaryKeys(collection, this.registry);
     const idInfo = idInfoArray[0];
     const idField = table[idInfo.fieldName];
-    let query = this.db.select().from(table).$dynamic();
+    let vectorMeta;
+    if (options.vectorSearch) {
+      vectorMeta = DrizzleConditionBuilder.buildVectorSearchConditions(table, options.vectorSearch);
+    }
+    let query = vectorMeta ? this.db.select({
+      table_row: table,
+      _distance: vectorMeta.distanceSelect
+    }).from(table).$dynamic() : this.db.select().from(table).$dynamic();
     const allConditions = [];
     if (options.searchString) {
       const searchConditions = DrizzleConditionBuilder.buildSearchConditions(options.searchString, collection.properties, table);
@@ -5770,12 +6139,17 @@ class EntityFetchService {
       const filterConditions = this.buildFilterConditions(options.filter, table, collectionPath);
       if (filterConditions.length > 0) allConditions.push(...filterConditions);
     }
+    if (vectorMeta?.filter) {
+      allConditions.push(vectorMeta.filter);
+    }
     if (allConditions.length > 0) {
       const finalCondition = DrizzleConditionBuilder.combineConditionsWithAnd(allConditions);
       if (finalCondition) query = query.where(finalCondition);
     }
     const orderExpressions = [];
-    if (options.orderBy) {
+    if (vectorMeta) {
+      orderExpressions.push(asc(vectorMeta.orderBy));
+    } else if (options.orderBy) {
       const orderByField = this.resolveOrderByField(table, options.orderBy, collection);
       if (orderByField) {
         orderExpressions.push(options.order === "asc" ? asc(orderByField) : desc(orderByField));
@@ -5783,10 +6157,17 @@ class EntityFetchService {
     }
     orderExpressions.push(desc(idField));
     if (orderExpressions.length > 0) query = query.orderBy(...orderExpressions);
-    const limitValue = options.searchString ? options.limit || 50 : options.limit;
+    const limitValue = options.vectorSearch ? options.limit || 10 : options.searchString ? options.limit || 50 : options.limit;
     if (limitValue) query = query.limit(limitValue);
     if (options.offset && options.offset > 0) query = query.offset(options.offset);
-    return await query;
+    const rawResults = await query;
+    if (vectorMeta) {
+      return rawResults.map((r) => ({
+        ...r.table_row,
+        _distance: typeof r._distance === "number" ? r._distance : parseFloat(String(r._distance))
+      }));
+    }
+    return rawResults;
   }
   /**
    * Check if the Drizzle instance has the relational query API available
@@ -6514,7 +6895,7 @@ class PostgresBackendDriver {
       callbacks: void 0,
       propertyCallbacks: void 0
     };
-    const registryCollection = this.registry.getCollectionByPath(path2);
+    const registryCollection = this.registry?.getCollectionByPath(path2);
     const resolvedCollection = registryCollection ? {
       ...collection,
       ...registryCollection
@@ -6540,7 +6921,8 @@ class PostgresBackendDriver {
     startAfter,
     orderBy,
     searchString,
-    order
+    order,
+    vectorSearch
   }) {
     const entities = await this.entityService.fetchCollection(path2, {
       filter,
@@ -6550,7 +6932,8 @@ class PostgresBackendDriver {
       offset,
       startAfter,
       databaseId: collection?.databaseId,
-      searchString
+      searchString,
+      vectorSearch
     });
     const {
       collection: resolvedCollection,
@@ -6562,7 +6945,8 @@ class PostgresBackendDriver {
         user: this.user,
         driver: this,
         data: this.data,
-        client: this.client
+        client: this.client,
+        storageSource: this.client?.storage
       };
       return Promise.all(entities.map(async (entity) => {
         let fetched = entity;
@@ -6657,7 +7041,8 @@ class PostgresBackendDriver {
         user: this.user,
         driver: this,
         data: this.data,
-        client: this.client
+        client: this.client,
+        storageSource: this.client?.storage
       };
       if (callbacks?.afterRead) {
         entity = await callbacks.afterRead({
@@ -6727,7 +7112,8 @@ class PostgresBackendDriver {
       user: this.user,
       driver: this,
       data: this.data,
-      client: this.client
+      client: this.client,
+      storageSource: this.client?.storage
     };
     let previousValuesForHistory;
     if (status === "existing" && entityId) {
@@ -6876,7 +7262,8 @@ class PostgresBackendDriver {
       user: this.user,
       driver: this,
       data: this.data,
-      client: this.client
+      client: this.client,
+      storageSource: this.client?.storage
     };
     if (callbacks?.beforeDelete || propertyCallbacks?.beforeDelete) {
       let preventDefault = false;
@@ -7389,6 +7776,7 @@ function createAuthSchema(rolesSchemaName = "rebase", usersSchemaName = "rebase"
       length: 255
     }),
     emailVerificationSentAt: timestamp("email_verification_sent_at"),
+    isAnonymous: boolean("is_anonymous").default(false).notNull(),
     metadata: jsonb("metadata").$type().default({}).notNull(),
     createdAt: timestamp("created_at").defaultNow().notNull(),
     updatedAt: timestamp("updated_at").defaultNow().notNull()
@@ -7403,8 +7791,7 @@ function createAuthSchema(rolesSchemaName = "rebase", usersSchemaName = "rebase"
     }).notNull(),
     isAdmin: boolean("is_admin").default(false).notNull(),
     defaultPermissions: jsonb("default_permissions").$type(),
-    collectionPermissions: jsonb("collection_permissions").$type(),
-    config: jsonb("config").$type()
+    collectionPermissions: jsonb("collection_permissions").$type()
   });
   const userRoles2 = rolesTableCreator("user_roles", {
     userId: uuid("user_id").notNull().references(() => users2.id, {
@@ -7476,6 +7863,48 @@ function createAuthSchema(rolesSchemaName = "rebase", usersSchemaName = "rebase"
   }, (table) => ({
     uniqueProviderId: unique("unique_provider_id").on(table.provider, table.providerId)
   }));
+  const mfaFactors2 = rolesTableCreator("mfa_factors", {
+    id: uuid("id").defaultRandom().primaryKey(),
+    userId: uuid("user_id").notNull().references(() => users2.id, {
+      onDelete: "cascade"
+    }),
+    factorType: varchar("factor_type", {
+      length: 20
+    }).notNull(),
+    // 'totp'
+    secretEncrypted: varchar("secret_encrypted", {
+      length: 500
+    }).notNull(),
+    friendlyName: varchar("friendly_name", {
+      length: 255
+    }),
+    verified: boolean("verified").default(false).notNull(),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at").defaultNow().notNull()
+  });
+  const mfaChallenges2 = rolesTableCreator("mfa_challenges", {
+    id: uuid("id").defaultRandom().primaryKey(),
+    factorId: uuid("factor_id").notNull().references(() => mfaFactors2.id, {
+      onDelete: "cascade"
+    }),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    verifiedAt: timestamp("verified_at"),
+    ipAddress: varchar("ip_address", {
+      length: 45
+    }),
+    expiresAt: timestamp("expires_at").notNull()
+  });
+  const recoveryCodes2 = rolesTableCreator("recovery_codes", {
+    id: uuid("id").defaultRandom().primaryKey(),
+    userId: uuid("user_id").notNull().references(() => users2.id, {
+      onDelete: "cascade"
+    }),
+    codeHash: varchar("code_hash", {
+      length: 255
+    }).notNull(),
+    usedAt: timestamp("used_at"),
+    createdAt: timestamp("created_at").defaultNow().notNull()
+  });
   return {
     rolesSchema,
     usersSchema: usersSchema2,
@@ -7485,7 +7914,10 @@ function createAuthSchema(rolesSchemaName = "rebase", usersSchemaName = "rebase"
     refreshTokens: refreshTokens2,
     passwordResetTokens: passwordResetTokens2,
     appConfig: appConfig2,
-    userIdentities: userIdentities2
+    userIdentities: userIdentities2,
+    mfaFactors: mfaFactors2,
+    mfaChallenges: mfaChallenges2,
+    recoveryCodes: recoveryCodes2
   };
 }
 const defaultAuthSchema = createAuthSchema("rebase", "rebase");
@@ -7498,13 +7930,18 @@ const refreshTokens = defaultAuthSchema.refreshTokens;
 const passwordResetTokens = defaultAuthSchema.passwordResetTokens;
 const appConfig = defaultAuthSchema.appConfig;
 const userIdentities = defaultAuthSchema.userIdentities;
+const mfaFactors = defaultAuthSchema.mfaFactors;
+const mfaChallenges = defaultAuthSchema.mfaChallenges;
+const recoveryCodes = defaultAuthSchema.recoveryCodes;
 const usersRelations = relations(users, ({
   many
 }) => ({
   userRoles: many(userRoles),
   refreshTokens: many(refreshTokens),
   passwordResetTokens: many(passwordResetTokens),
-  userIdentities: many(userIdentities)
+  userIdentities: many(userIdentities),
+  mfaFactors: many(mfaFactors),
+  recoveryCodes: many(recoveryCodes)
 }));
 const rolesRelations = relations(roles, ({
   many
@@ -7547,6 +7984,32 @@ const userIdentitiesRelations = relations(userIdentities, ({
     references: [users.id]
   })
 }));
+const mfaFactorsRelations = relations(mfaFactors, ({
+  one,
+  many
+}) => ({
+  user: one(users, {
+    fields: [mfaFactors.userId],
+    references: [users.id]
+  }),
+  challenges: many(mfaChallenges)
+}));
+const mfaChallengesRelations = relations(mfaChallenges, ({
+  one
+}) => ({
+  factor: one(mfaFactors, {
+    fields: [mfaChallenges.factorId],
+    references: [mfaFactors.id]
+  })
+}));
+const recoveryCodesRelations = relations(recoveryCodes, ({
+  one
+}) => ({
+  user: one(users, {
+    fields: [recoveryCodes.userId],
+    references: [users.id]
+  })
+}));
 const resolveColumnName = (propName, prop) => {
   if (prop && "columnName" in prop && typeof prop.columnName === "string") {
     return prop.columnName;
@@ -8071,167 +8534,84 @@ const generateSchema = async (collections, stripPolicies = false) => {
         fields: [${tableVarName}.${rel.localKey}],
         references: [${targetTableVar}.${getPrimaryKeyName(target)}],
         relationName: "${drizzleRelationName}"
-    })`);
-            } else if (rel.direction === "inverse") {
-              tableRelations.push(`    "${relationKey}": one(${targetTableVar}, {
-        relationName: "${drizzleRelationName}"
-    })`);
-            }
-          } else if (rel.cardinality === "many") {
-            if (rel.direction === "inverse" && rel.foreignKeyOnTarget) {
-              tableRelations.push(`    "${relationKey}": many(${targetTableVar}, { relationName: "${drizzleRelationName}" })`);
-            } else if (rel.through) {
-              const junctionTableVar = getTableVarName(rel.through.table);
-              tableRelations.push(`    "${relationKey}": many(${junctionTableVar}, { relationName: "${drizzleRelationName}" })`);
-            } else if (rel.direction === "inverse" && rel.inverseRelationName) {
-              try {
-                const targetCollection = rel.target();
-                const targetResolvedRelations = resolveCollectionRelations(targetCollection);
-                const correspondingRelation = Object.values(targetResolvedRelations).find((targetRel) => targetRel.direction === "owning" && targetRel.cardinality === "many" && targetRel.through && targetRel.relationName === rel.inverseRelationName);
-                if (correspondingRelation && correspondingRelation.through) {
-                  const junctionTableVar = getTableVarName(correspondingRelation.through.table);
-                  tableRelations.push(`    "${relationKey}": many(${junctionTableVar}, { relationName: "${drizzleRelationName}" })`);
-                } else {
-                  console.warn(`Could not find corresponding owning many-to-many relation for inverse relation '${relationKey}' on '${collection.name}'`);
-                }
-              } catch (e) {
-                console.warn(`Could not resolve inverse many-to-many relation '${relationKey}':`, e);
-              }
-            }
-          }
-        } catch (e) {
-          console.warn(`Could not generate relation ${relationKey} for ${collection.name}:`, e);
-        }
-      }
-      for (const otherCollection of collections) {
-        if (otherCollection.slug === collection.slug) continue;
-        const otherRelations = resolveCollectionRelations(otherCollection);
-        for (const [otherKey, otherRel] of Object.entries(otherRelations)) {
-          if (otherRel.direction === "inverse" && otherRel.foreignKeyOnTarget) {
-            try {
-              const otherTarget = otherRel.target();
-              if (otherTarget.slug === collection.slug) {
-                const drizzleRelationName = computeSharedRelationName(otherRel, otherCollection, collections);
-                const deduplicationKey = `${drizzleRelationName}::owning`;
-                if (!emittedRelationNames.has(deduplicationKey)) {
-                  const otherTableVar = getTableVarName(getTableName(otherCollection));
-                  const synthKey = `_synth_${otherTableVar}_${otherRel.foreignKeyOnTarget}`;
-                  tableRelations.push(`    "${synthKey}": one(${otherTableVar}, {
-        fields: [${tableVarName}.${otherRel.foreignKeyOnTarget}],
-        references: [${otherTableVar}.${getPrimaryKeyName(otherCollection)}],
-        relationName: "${drizzleRelationName}"
-    })`);
-                  emittedRelationNames.add(deduplicationKey);
-                }
-              }
-            } catch (e) {
-            }
-          }
-        }
-      }
-    }
-    if (tableRelations.length > 0) {
-      const relVarName = `${tableVarName}Relations`;
-      schemaContent += `export const ${relVarName} = drizzleRelations(${tableVarName}, ({ one, many }) => ({
-${tableRelations.join(",\n")}
-}));
-
-`;
-      if (!exportedRelationVars.includes(relVarName)) exportedRelationVars.push(relVarName);
-    }
-  }
-  const tablesExport = `export const tables = { ${exportedTableVars.join(", ")} };
-`;
-  const enumsExport = `export const enums = { ${exportedEnumVars.join(", ")} };
-`;
-  const relationsExport = `export const relations = { ${exportedRelationVars.join(", ")} };
-
-`;
-  schemaContent += tablesExport + enumsExport + relationsExport;
-  return schemaContent;
-};
-const defaultUsersCollection = {
-  name: "Users",
-  singularName: "User",
-  slug: "users",
-  table: "users",
-  icon: "Users",
-  group: "Settings",
-  properties: {
-    id: {
-      name: "ID",
-      type: "string",
-      isId: "uuid"
-    },
-    email: {
-      name: "Email",
-      type: "string",
-      validation: {
-        required: true,
-        unique: true
-      }
-    },
-    password_hash: {
-      name: "Password Hash",
-      type: "string",
-      ui: {
-        hideFromCollection: true
-      }
-    },
-    display_name: {
-      name: "Display Name",
-      type: "string"
-    },
-    photo_url: {
-      name: "Photo URL",
-      type: "string"
-    },
-    email_verified: {
-      name: "Email Verified",
-      type: "boolean",
-      defaultValue: false
-    },
-    email_verification_token: {
-      name: "Email Verification Token",
-      type: "string",
-      ui: {
-        hideFromCollection: true
-      }
-    },
-    email_verification_sent_at: {
-      name: "Email Verification Sent At",
-      type: "date",
-      ui: {
-        hideFromCollection: true
-      }
-    },
-    metadata: {
-      name: "Metadata",
-      type: "map",
-      defaultValue: {},
-      ui: {
-        hideFromCollection: true
-      }
-    },
-    created_at: {
-      name: "Created At",
-      type: "date",
-      autoValue: "on_create",
-      ui: {
-        readOnly: true,
-        hideFromCollection: true
+    })`);
+            } else if (rel.direction === "inverse") {
+              tableRelations.push(`    "${relationKey}": one(${targetTableVar}, {
+        relationName: "${drizzleRelationName}"
+    })`);
+            }
+          } else if (rel.cardinality === "many") {
+            if (rel.direction === "inverse" && rel.foreignKeyOnTarget) {
+              tableRelations.push(`    "${relationKey}": many(${targetTableVar}, { relationName: "${drizzleRelationName}" })`);
+            } else if (rel.through) {
+              const junctionTableVar = getTableVarName(rel.through.table);
+              tableRelations.push(`    "${relationKey}": many(${junctionTableVar}, { relationName: "${drizzleRelationName}" })`);
+            } else if (rel.direction === "inverse" && rel.inverseRelationName) {
+              try {
+                const targetCollection = rel.target();
+                const targetResolvedRelations = resolveCollectionRelations(targetCollection);
+                const correspondingRelation = Object.values(targetResolvedRelations).find((targetRel) => targetRel.direction === "owning" && targetRel.cardinality === "many" && targetRel.through && targetRel.relationName === rel.inverseRelationName);
+                if (correspondingRelation && correspondingRelation.through) {
+                  const junctionTableVar = getTableVarName(correspondingRelation.through.table);
+                  tableRelations.push(`    "${relationKey}": many(${junctionTableVar}, { relationName: "${drizzleRelationName}" })`);
+                } else {
+                  console.warn(`Could not find corresponding owning many-to-many relation for inverse relation '${relationKey}' on '${collection.name}'`);
+                }
+              } catch (e) {
+                console.warn(`Could not resolve inverse many-to-many relation '${relationKey}':`, e);
+              }
+            }
+          }
+        } catch (e) {
+          console.warn(`Could not generate relation ${relationKey} for ${collection.name}:`, e);
+        }
       }
-    },
-    updated_at: {
-      name: "Updated At",
-      type: "date",
-      autoValue: "on_update",
-      ui: {
-        readOnly: true,
-        hideFromCollection: true
+      for (const otherCollection of collections) {
+        if (otherCollection.slug === collection.slug) continue;
+        const otherRelations = resolveCollectionRelations(otherCollection);
+        for (const [otherKey, otherRel] of Object.entries(otherRelations)) {
+          if (otherRel.direction === "inverse" && otherRel.foreignKeyOnTarget) {
+            try {
+              const otherTarget = otherRel.target();
+              if (otherTarget.slug === collection.slug) {
+                const drizzleRelationName = computeSharedRelationName(otherRel, otherCollection, collections);
+                const deduplicationKey = `${drizzleRelationName}::owning`;
+                if (!emittedRelationNames.has(deduplicationKey)) {
+                  const otherTableVar = getTableVarName(getTableName(otherCollection));
+                  const synthKey = `_synth_${otherTableVar}_${otherRel.foreignKeyOnTarget}`;
+                  tableRelations.push(`    "${synthKey}": one(${otherTableVar}, {
+        fields: [${tableVarName}.${otherRel.foreignKeyOnTarget}],
+        references: [${otherTableVar}.${getPrimaryKeyName(otherCollection)}],
+        relationName: "${drizzleRelationName}"
+    })`);
+                  emittedRelationNames.add(deduplicationKey);
+                }
+              }
+            } catch (e) {
+            }
+          }
+        }
       }
     }
+    if (tableRelations.length > 0) {
+      const relVarName = `${tableVarName}Relations`;
+      schemaContent += `export const ${relVarName} = drizzleRelations(${tableVarName}, ({ one, many }) => ({
+${tableRelations.join(",\n")}
+}));
+
+`;
+      if (!exportedRelationVars.includes(relVarName)) exportedRelationVars.push(relVarName);
+    }
   }
+  const tablesExport = `export const tables = { ${exportedTableVars.join(", ")} };
+`;
+  const enumsExport = `export const enums = { ${exportedEnumVars.join(", ")} };
+`;
+  const relationsExport = `export const relations = { ${exportedRelationVars.join(", ")} };
+
+`;
+  schemaContent += tablesExport + enumsExport + relationsExport;
+  return schemaContent;
 };
 const formatTerminalText = (text, options = {}) => {
   let codes = "";
@@ -8298,10 +8678,7 @@ const runGeneration = async (collectionsFilePath, outputPath) => {
     if (!collections || !Array.isArray(collections)) {
       collections = [];
     }
-    const hasUsersCollection = collections.some((c) => c.slug === "users");
-    if (!hasUsersCollection) {
-      collections.push(defaultUsersCollection);
-    }
+    collections = Array.from(new Map([defaultUsersCollection, ...collections].map((c) => [c.slug, c])).values());
     collections.sort((a, b) => a.slug.localeCompare(b.slug));
     const schemaContent = await generateSchema(collections);
     if (outputPath) {
@@ -8362,6 +8739,13 @@ class RealtimeService extends EventEmitter {
     this.entityService = new EntityService(db, registry);
   }
   clients = /* @__PURE__ */ new Map();
+  // Broadcast channels: channel name → set of client IDs
+  channels = /* @__PURE__ */ new Map();
+  // Presence: channel → Map<clientId, { state, lastSeen }>
+  presence = /* @__PURE__ */ new Map();
+  presenceInterval;
+  static PRESENCE_TIMEOUT_MS = 3e4;
+  // 30s
   entityService;
   // Enhanced subscriptions storage with full request parameters
   _subscriptions = /* @__PURE__ */ new Map();
@@ -8488,8 +8872,19 @@ class RealtimeService extends EventEmitter {
         }
       }
     }
+    for (const [channel, members] of this.channels.entries()) {
+      if (members.has(clientId)) {
+        members.delete(clientId);
+        this.removePresence(clientId, channel);
+        if (members.size === 0) this.channels.delete(channel);
+      }
+    }
+    for (const [channel] of this.presence) {
+      this.removePresence(clientId, channel);
+    }
   }
   async handleMessage(clientId, message, authContext) {
+    const payload = message.payload;
     switch (message.type) {
       case "subscribe_collection":
         await this.handleCollectionSubscription(clientId, message.payload, authContext);
@@ -8500,6 +8895,25 @@ class RealtimeService extends EventEmitter {
       case "unsubscribe":
         await this.handleUnsubscribe(clientId, message.subscriptionId);
         break;
+      case "join_channel":
+        this.joinChannel(clientId, payload?.channel);
+        break;
+      case "leave_channel":
+        this.leaveChannel(clientId, payload?.channel);
+        break;
+      case "broadcast":
+        this.broadcastToChannel(clientId, payload?.channel, payload?.event, payload?.payload);
+        break;
+      case "presence_track":
+        this.joinChannel(clientId, payload?.channel);
+        this.trackPresence(clientId, payload?.channel, payload?.state ?? {});
+        break;
+      case "presence_untrack":
+        this.removePresence(clientId, payload?.channel);
+        break;
+      case "presence_state":
+        this.sendPresenceState(clientId, payload?.channel);
+        break;
       default:
         this.sendError(clientId, "Unknown message type " + message.type, message.subscriptionId);
     }
@@ -8957,6 +9371,132 @@ class RealtimeService extends EventEmitter {
     return parentPaths;
   }
   // =============================================================================
+  // Broadcast Channels
+  // =============================================================================
+  /** Join a broadcast channel */
+  joinChannel(clientId, channel) {
+    if (!this.channels.has(channel)) {
+      this.channels.set(channel, /* @__PURE__ */ new Set());
+    }
+    this.channels.get(channel).add(clientId);
+    this.debugLog(`📡 [Broadcast] Client ${clientId} joined channel: ${channel}`);
+  }
+  /** Leave a broadcast channel */
+  leaveChannel(clientId, channel) {
+    const members = this.channels.get(channel);
+    if (members) {
+      members.delete(clientId);
+      if (members.size === 0) this.channels.delete(channel);
+    }
+    this.removePresence(clientId, channel);
+  }
+  /** Broadcast a message to all clients in a channel except sender */
+  broadcastToChannel(clientId, channel, event, payload) {
+    const members = this.channels.get(channel);
+    if (!members) return;
+    const message = JSON.stringify({
+      type: "broadcast",
+      channel,
+      event,
+      payload
+    });
+    for (const memberId of members) {
+      if (memberId === clientId) continue;
+      const ws = this.clients.get(memberId);
+      if (ws && ws.readyState === WebSocket.OPEN) {
+        ws.send(message);
+      }
+    }
+  }
+  // =============================================================================
+  // Presence
+  // =============================================================================
+  /** Track presence in a channel */
+  trackPresence(clientId, channel, state) {
+    if (!this.presence.has(channel)) {
+      this.presence.set(channel, /* @__PURE__ */ new Map());
+    }
+    const channelPresence = this.presence.get(channel);
+    channelPresence.set(clientId, {
+      state,
+      lastSeen: Date.now()
+    });
+    this.broadcastPresenceDiff(channel, {
+      [clientId]: state
+    }, {});
+    this.ensurePresenceCleanup();
+  }
+  /** Remove presence from a channel */
+  removePresence(clientId, channel) {
+    const channelPresence = this.presence.get(channel);
+    if (!channelPresence) return;
+    const entry = channelPresence.get(clientId);
+    if (entry) {
+      channelPresence.delete(clientId);
+      this.broadcastPresenceDiff(channel, {}, {
+        [clientId]: entry.state
+      });
+    }
+    if (channelPresence.size === 0) {
+      this.presence.delete(channel);
+    }
+  }
+  /** Send full presence state to a specific client */
+  sendPresenceState(clientId, channel) {
+    const channelPresence = this.presence.get(channel);
+    const presences = {};
+    if (channelPresence) {
+      for (const [id, {
+        state
+      }] of channelPresence) {
+        presences[id] = state;
+      }
+    }
+    const ws = this.clients.get(clientId);
+    if (ws && ws.readyState === WebSocket.OPEN) {
+      ws.send(JSON.stringify({
+        type: "presence_state",
+        channel,
+        presences
+      }));
+    }
+  }
+  /** Broadcast presence diff (joins/leaves) to channel */
+  broadcastPresenceDiff(channel, joins, leaves) {
+    const members = this.channels.get(channel);
+    if (!members) return;
+    const message = JSON.stringify({
+      type: "presence_diff",
+      channel,
+      joins,
+      leaves
+    });
+    for (const memberId of members) {
+      const ws = this.clients.get(memberId);
+      if (ws && ws.readyState === WebSocket.OPEN) {
+        ws.send(message);
+      }
+    }
+  }
+  /** Periodic cleanup for stale presences */
+  ensurePresenceCleanup() {
+    if (this.presenceInterval) return;
+    this.presenceInterval = setInterval(() => {
+      const now = Date.now();
+      for (const [channel, channelPresence] of this.presence) {
+        for (const [clientId, entry] of channelPresence) {
+          if (now - entry.lastSeen > RealtimeService.PRESENCE_TIMEOUT_MS) {
+            this.removePresence(clientId, channel);
+          }
+        }
+      }
+      if (this.presence.size === 0 && this.presenceInterval) {
+        clearInterval(this.presenceInterval);
+        this.presenceInterval = void 0;
+      }
+    }, 1e4);
+  }
+  // =============================================================================
   // Lifecycle / Cleanup
   // =============================================================================
   /**
@@ -8977,6 +9517,12 @@ class RealtimeService extends EventEmitter {
     }
     this._subscriptions.clear();
     this.subscriptionCallbacks.clear();
+    this.channels.clear();
+    this.presence.clear();
+    if (this.presenceInterval) {
+      clearInterval(this.presenceInterval);
+      this.presenceInterval = void 0;
+    }
     await this.stopListening();
     this.clients.clear();
     this.debugLog("🧹 [RealtimeService] destroy() complete — all resources released.");
@@ -9623,8 +10169,14 @@ function createPostgresWebSocket(server, realtimeService, driver, authConfig, au
             break;
           case "subscribe_collection":
           case "subscribe_entity":
-          case "unsubscribe": {
-            wsDebug("🔄 [WebSocket Server] Routing subscription message to RealtimeService:", type);
+          case "unsubscribe":
+          case "join_channel":
+          case "leave_channel":
+          case "broadcast":
+          case "presence_track":
+          case "presence_untrack":
+          case "presence_state": {
+            wsDebug("🔄 [WebSocket Server] Routing realtime message to RealtimeService:", type);
             const session = clientSessions.get(clientId);
             const authContext = session?.user ? {
               userId: session.user.userId,
@@ -9743,11 +10295,6 @@ const DEFAULT_ROLES = [{
     create: true,
     edit: true,
     delete: true
-  },
-  config: {
-    createCollections: true,
-    editCollections: "all",
-    deleteCollections: "all"
   }
 }, {
   id: "editor",
@@ -9758,11 +10305,6 @@ const DEFAULT_ROLES = [{
     create: true,
     edit: true,
     delete: true
-  },
-  config: {
-    createCollections: true,
-    editCollections: "own",
-    deleteCollections: "own"
   }
 }, {
   id: "viewer",
@@ -9773,11 +10315,10 @@ const DEFAULT_ROLES = [{
     create: false,
     edit: false,
     delete: false
-  },
-  config: null
+  }
 }];
 async function ensureAuthTablesExist(db, registry) {
-  console.log("🔍 Checking auth tables...");
+  logger.info("🔍 Checking auth tables...");
   try {
     let usersTableName = '"users"';
     let userIdType = "TEXT";
@@ -9847,7 +10388,6 @@ async function ensureAuthTablesExist(db, registry) {
                 is_admin BOOLEAN DEFAULT FALSE,
                 default_permissions JSONB,
                 collection_permissions JSONB,
-                config JSONB,
                 created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
             )
         `);
@@ -9930,34 +10470,85 @@ async function ensureAuthTablesExist(db, registry) {
             `);
     });
     await seedDefaultRoles(db, rolesTableName);
-    console.log("✅ Auth tables ready");
+    await db.execute(sql`
+            ALTER TABLE ${sql.raw(usersTableName)}
+            ADD COLUMN IF NOT EXISTS is_anonymous BOOLEAN DEFAULT FALSE
+        `);
+    const mfaFactorsTableName = `"${rolesSchema}"."mfa_factors"`;
+    const mfaChallengesTableName = `"${rolesSchema}"."mfa_challenges"`;
+    const recoveryCodesTableName = `"${rolesSchema}"."recovery_codes"`;
+    await db.execute(sql`
+            CREATE TABLE IF NOT EXISTS ${sql.raw(mfaFactorsTableName)} (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                user_id ${sql.raw(userIdType)} NOT NULL REFERENCES ${sql.raw(usersTableName)}(id) ON DELETE CASCADE,
+                factor_type TEXT NOT NULL DEFAULT 'totp',
+                secret_encrypted TEXT NOT NULL,
+                friendly_name TEXT,
+                verified BOOLEAN DEFAULT FALSE,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+            )
+        `);
+    await db.execute(sql`
+            CREATE INDEX IF NOT EXISTS idx_mfa_factors_user
+            ON ${sql.raw(mfaFactorsTableName)}(user_id)
+        `);
+    await db.execute(sql`
+            CREATE TABLE IF NOT EXISTS ${sql.raw(mfaChallengesTableName)} (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                factor_id TEXT NOT NULL REFERENCES ${sql.raw(mfaFactorsTableName)}(id) ON DELETE CASCADE,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                verified_at TIMESTAMP WITH TIME ZONE,
+                ip_address TEXT,
+                expires_at TIMESTAMP WITH TIME ZONE NOT NULL
+            )
+        `);
+    await db.execute(sql`
+            CREATE INDEX IF NOT EXISTS idx_mfa_challenges_factor
+            ON ${sql.raw(mfaChallengesTableName)}(factor_id)
+        `);
+    await db.execute(sql`
+            CREATE TABLE IF NOT EXISTS ${sql.raw(recoveryCodesTableName)} (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                user_id ${sql.raw(userIdType)} NOT NULL REFERENCES ${sql.raw(usersTableName)}(id) ON DELETE CASCADE,
+                code_hash TEXT NOT NULL,
+                used_at TIMESTAMP WITH TIME ZONE,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+            )
+        `);
+    await db.execute(sql`
+            CREATE INDEX IF NOT EXISTS idx_recovery_codes_user
+            ON ${sql.raw(recoveryCodesTableName)}(user_id)
+        `);
+    logger.info("✅ Auth tables ready");
   } catch (error) {
-    console.error("❌ Failed to create auth tables:", error);
-    console.warn("⚠️ Continuing without creating auth tables.");
+    logger.error("❌ Failed to create auth tables", {
+      error
+    });
+    logger.warn("⚠️ Continuing without creating auth tables.");
   }
 }
 async function seedDefaultRoles(db, rolesTableName) {
   const result = await db.execute(sql`SELECT COUNT(*) as count FROM ${sql.raw(rolesTableName)}`);
   const count2 = parseInt(result.rows[0]?.count || "0", 10);
   if (count2 > 0) {
-    console.log(`📋 Found ${count2} existing roles`);
+    logger.info(`📋 Found ${count2} existing roles`);
     return;
   }
-  console.log("🌱 Seeding default roles...");
+  logger.info("🌱 Seeding default roles...");
   for (const role of DEFAULT_ROLES) {
     await db.execute(sql`
-            INSERT INTO ${sql.raw(rolesTableName)} (id, name, is_admin, default_permissions, config)
+            INSERT INTO ${sql.raw(rolesTableName)} (id, name, is_admin, default_permissions)
             VALUES (
                 ${role.id}, 
                 ${role.name}, 
                 ${role.is_admin}, 
-                ${JSON.stringify(role.default_permissions)}::jsonb, 
-                ${role.config ? JSON.stringify(role.config) : null}::jsonb
+                ${JSON.stringify(role.default_permissions)}::jsonb
             )
             ON CONFLICT (id) DO NOTHING
         `);
   }
-  console.log("✅ Default roles created: admin, editor, viewer");
+  logger.info("✅ Default roles created: admin, editor, viewer");
 }
 function getColumnKey(table, ...keys2) {
   if (!table) return void 0;
@@ -10011,12 +10602,13 @@ class UserService {
     const emailVerified = row.email_verified ?? row.emailVerified ?? false;
     const emailVerificationToken = row.email_verification_token ?? row.emailVerificationToken ?? null;
     const emailVerificationSentAt = row.email_verification_sent_at ?? row.emailVerificationSentAt ?? null;
+    const isAnonymous = row.is_anonymous ?? row.isAnonymous ?? false;
     const createdAt = row.created_at ?? row.createdAt;
     const updatedAt = row.updated_at ?? row.updatedAt;
     const metadata = {
       ...row.metadata || {}
     };
-    const knownKeys = /* @__PURE__ */ new Set(["id", "uid", "email", "password_hash", "passwordHash", "display_name", "displayName", "photo_url", "photoUrl", "photoURL", "email_verified", "emailVerified", "email_verification_token", "emailVerificationToken", "email_verification_sent_at", "emailVerificationSentAt", "created_at", "createdAt", "updated_at", "updatedAt", "metadata"]);
+    const knownKeys = /* @__PURE__ */ new Set(["id", "uid", "email", "password_hash", "passwordHash", "display_name", "displayName", "photo_url", "photoUrl", "photoURL", "email_verified", "emailVerified", "email_verification_token", "emailVerificationToken", "email_verification_sent_at", "emailVerificationSentAt", "is_anonymous", "isAnonymous", "created_at", "createdAt", "updated_at", "updatedAt", "metadata"]);
     for (const [key, val] of Object.entries(row)) {
       if (!knownKeys.has(key)) {
         const camelKey = camelCase(key);
@@ -10032,6 +10624,7 @@ class UserService {
       emailVerified,
       emailVerificationToken,
       emailVerificationSentAt: emailVerificationSentAt ? new Date(emailVerificationSentAt) : null,
+      isAnonymous,
       createdAt: createdAt ? new Date(createdAt) : /* @__PURE__ */ new Date(),
       updatedAt: updatedAt ? new Date(updatedAt) : /* @__PURE__ */ new Date(),
       metadata
@@ -10048,6 +10641,7 @@ class UserService {
     const emailVerifiedKey = getColumnKey(this.usersTable, "emailVerified", "email_verified") || "emailVerified";
     const emailVerificationTokenKey = getColumnKey(this.usersTable, "emailVerificationToken", "email_verification_token") || "emailVerificationToken";
     const emailVerificationSentAtKey = getColumnKey(this.usersTable, "emailVerificationSentAt", "email_verification_sent_at") || "emailVerificationSentAt";
+    const isAnonymousKey = getColumnKey(this.usersTable, "isAnonymous", "is_anonymous") || "isAnonymous";
     const createdAtKey = getColumnKey(this.usersTable, "createdAt", "created_at") || "createdAt";
     const updatedAtKey = getColumnKey(this.usersTable, "updatedAt", "updated_at") || "updatedAt";
     const metadataKey = getColumnKey(this.usersTable, "metadata") || "metadata";
@@ -10059,6 +10653,7 @@ class UserService {
     if ("emailVerified" in data) payload[emailVerifiedKey] = data.emailVerified;
     if ("emailVerificationToken" in data) payload[emailVerificationTokenKey] = data.emailVerificationToken;
     if ("emailVerificationSentAt" in data) payload[emailVerificationSentAtKey] = data.emailVerificationSentAt;
+    if ("isAnonymous" in data) payload[isAnonymousKey] = data.isAnonymous;
     if ("createdAt" in data) payload[createdAtKey] = data.createdAt;
     if ("updatedAt" in data) payload[updatedAtKey] = data.updatedAt;
     const metadata = {
@@ -10067,7 +10662,7 @@ class UserService {
     const remainingMetadata = {};
     for (const [key, val] of Object.entries(metadata)) {
       const tableColKey = getColumnKey(this.usersTable, key);
-      if (tableColKey && tableColKey !== idKey && tableColKey !== emailKey && tableColKey !== passwordHashKey && tableColKey !== displayNameKey && tableColKey !== photoUrlKey && tableColKey !== emailVerifiedKey && tableColKey !== emailVerificationTokenKey && tableColKey !== emailVerificationSentAtKey && tableColKey !== createdAtKey && tableColKey !== updatedAtKey && tableColKey !== metadataKey) {
+      if (tableColKey && tableColKey !== idKey && tableColKey !== emailKey && tableColKey !== passwordHashKey && tableColKey !== displayNameKey && tableColKey !== photoUrlKey && tableColKey !== emailVerifiedKey && tableColKey !== emailVerificationTokenKey && tableColKey !== emailVerificationSentAtKey && tableColKey !== isAnonymousKey && tableColKey !== createdAtKey && tableColKey !== updatedAtKey && tableColKey !== metadataKey) {
         payload[tableColKey] = val;
       } else {
         remainingMetadata[key] = val;
@@ -10255,7 +10850,7 @@ class UserService {
   async getUserRoles(userId) {
     const rolesSchema = getTableConfig(this.rolesTable).schema || "public";
     const result = await this.db.execute(sql`
-            SELECT r.id, r.name, r.is_admin, r.default_permissions, r.collection_permissions, r.config
+            SELECT r.id, r.name, r.is_admin, r.default_permissions, r.collection_permissions
             FROM ${sql.raw(`"${rolesSchema}"."roles"`)} r
             INNER JOIN ${sql.raw(`"${rolesSchema}"."user_roles"`)} ur ON r.id = ur.role_id
             WHERE ur.user_id = ${userId}
@@ -10265,8 +10860,7 @@ class UserService {
       name: row.name,
       isAdmin: row.is_admin,
       defaultPermissions: row.default_permissions,
-      collectionPermissions: row.collection_permissions,
-      config: row.config
+      collectionPermissions: row.collection_permissions
     }));
   }
   /**
@@ -10332,7 +10926,7 @@ class RoleService {
   async getRoleById(id) {
     const tableName = this.getQualifiedRolesTableName();
     const result = await this.db.execute(sql`
-            SELECT id, name, is_admin, default_permissions, collection_permissions, config
+            SELECT id, name, is_admin, default_permissions, collection_permissions
             FROM ${sql.raw(tableName)}
             WHERE id = ${id}
         `);
@@ -10343,14 +10937,13 @@ class RoleService {
       name: row.name,
       isAdmin: row.is_admin,
       defaultPermissions: row.default_permissions,
-      collectionPermissions: row.collection_permissions,
-      config: row.config
+      collectionPermissions: row.collection_permissions
     };
   }
   async listRoles() {
     const tableName = this.getQualifiedRolesTableName();
     const result = await this.db.execute(sql`
-            SELECT id, name, is_admin, default_permissions, collection_permissions, config
+            SELECT id, name, is_admin, default_permissions, collection_permissions
             FROM ${sql.raw(tableName)}
             ORDER BY name
         `);
@@ -10359,23 +10952,21 @@ class RoleService {
       name: row.name,
       isAdmin: row.is_admin,
       defaultPermissions: row.default_permissions,
-      collectionPermissions: row.collection_permissions,
-      config: row.config
+      collectionPermissions: row.collection_permissions
     }));
   }
   async createRole(data) {
     const tableName = this.getQualifiedRolesTableName();
     const result = await this.db.execute(sql`
-            INSERT INTO ${sql.raw(tableName)} (id, name, is_admin, default_permissions, collection_permissions, config)
+            INSERT INTO ${sql.raw(tableName)} (id, name, is_admin, default_permissions, collection_permissions)
             VALUES (
                 ${data.id},
                 ${data.name},
                 ${data.isAdmin ?? false},
                 ${data.defaultPermissions ? JSON.stringify(data.defaultPermissions) : null}::jsonb,
-                ${data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null}::jsonb,
-                ${data.config ? JSON.stringify(data.config) : null}::jsonb
+                ${data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null}::jsonb
             )
-            RETURNING id, name, is_admin, default_permissions, collection_permissions, config
+            RETURNING id, name, is_admin, default_permissions, collection_permissions
         `);
     const row = result.rows[0];
     return {
@@ -10383,8 +10974,7 @@ class RoleService {
       name: row.name,
       isAdmin: row.is_admin,
       defaultPermissions: row.default_permissions,
-      collectionPermissions: row.collection_permissions,
-      config: row.config
+      collectionPermissions: row.collection_permissions
     };
   }
   async updateRole(id, data) {
@@ -10397,8 +10987,7 @@ class RoleService {
                 name = ${data.name ?? existing.name},
                 is_admin = ${data.isAdmin ?? existing.isAdmin},
                 default_permissions = ${data.defaultPermissions ? JSON.stringify(data.defaultPermissions) : JSON.stringify(existing.defaultPermissions)}::jsonb,
-                collection_permissions = ${data.collectionPermissions !== void 0 ? data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null : existing.collectionPermissions ? JSON.stringify(existing.collectionPermissions) : null}::jsonb,
-                config = ${data.config ? JSON.stringify(data.config) : existing.config ? JSON.stringify(existing.config) : null}::jsonb
+                collection_permissions = ${data.collectionPermissions !== void 0 ? data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null : existing.collectionPermissions ? JSON.stringify(existing.collectionPermissions) : null}::jsonb
             WHERE id = ${id}
         `);
     return this.getRoleById(id);
@@ -10677,8 +11266,7 @@ class PostgresAuthRepository {
     return this.roleService.createRole({
       ...data,
       defaultPermissions: data.defaultPermissions ?? null,
-      collectionPermissions: data.collectionPermissions ?? null,
-      config: data.config ?? null
+      collectionPermissions: data.collectionPermissions ?? null
     });
   }
   async updateRole(id, data) {
@@ -10721,6 +11309,219 @@ class PostgresAuthRepository {
   async deleteExpiredTokens() {
     await this.tokenRepository.deleteExpiredTokens();
   }
+  // MFA operations (delegate to MfaService)
+  _mfaService = null;
+  getMfaService() {
+    if (!this._mfaService) {
+      this._mfaService = new MfaService(this.db);
+    }
+    return this._mfaService;
+  }
+  async createMfaFactor(userId, factorType, secretEncrypted, friendlyName) {
+    return this.getMfaService().createMfaFactor(userId, factorType, secretEncrypted, friendlyName);
+  }
+  async getMfaFactors(userId) {
+    return this.getMfaService().getMfaFactors(userId);
+  }
+  async getMfaFactorById(factorId) {
+    return this.getMfaService().getMfaFactorById(factorId);
+  }
+  async verifyMfaFactor(factorId) {
+    return this.getMfaService().verifyMfaFactor(factorId);
+  }
+  async deleteMfaFactor(factorId, userId) {
+    return this.getMfaService().deleteMfaFactor(factorId, userId);
+  }
+  async createMfaChallenge(factorId, ipAddress) {
+    return this.getMfaService().createMfaChallenge(factorId, ipAddress);
+  }
+  async getMfaChallengeById(challengeId) {
+    return this.getMfaService().getMfaChallengeById(challengeId);
+  }
+  async verifyMfaChallenge(challengeId) {
+    return this.getMfaService().verifyMfaChallenge(challengeId);
+  }
+  async createRecoveryCodes(userId, codeHashes) {
+    return this.getMfaService().createRecoveryCodes(userId, codeHashes);
+  }
+  async useRecoveryCode(userId, codeHash) {
+    return this.getMfaService().useRecoveryCode(userId, codeHash);
+  }
+  async getUnusedRecoveryCodeCount(userId) {
+    return this.getMfaService().getUnusedRecoveryCodeCount(userId);
+  }
+  async deleteAllRecoveryCodes(userId) {
+    return this.getMfaService().deleteAllRecoveryCodes(userId);
+  }
+  async hasVerifiedMfaFactors(userId) {
+    return this.getMfaService().hasVerifiedMfaFactors(userId);
+  }
+}
+class MfaService {
+  constructor(db, schemaName = "rebase") {
+    this.db = db;
+    this.schemaName = schemaName;
+  }
+  qualify(tableName) {
+    return `"${this.schemaName}"."${tableName}"`;
+  }
+  async createMfaFactor(userId, factorType, secretEncrypted, friendlyName) {
+    const tableName = this.qualify("mfa_factors");
+    const result = await this.db.execute(sql`
+            INSERT INTO ${sql.raw(tableName)} (user_id, factor_type, secret_encrypted, friendly_name)
+            VALUES (${userId}, ${factorType}, ${secretEncrypted}, ${friendlyName ?? null})
+            RETURNING id, user_id, factor_type, friendly_name, verified, created_at, updated_at
+        `);
+    const row = result.rows[0];
+    return {
+      id: row.id,
+      userId: row.user_id,
+      factorType: row.factor_type,
+      friendlyName: row.friendly_name ?? void 0,
+      verified: row.verified,
+      createdAt: new Date(row.created_at),
+      updatedAt: new Date(row.updated_at)
+    };
+  }
+  async getMfaFactors(userId) {
+    const tableName = this.qualify("mfa_factors");
+    const result = await this.db.execute(sql`
+            SELECT id, user_id, factor_type, friendly_name, verified, created_at, updated_at
+            FROM ${sql.raw(tableName)}
+            WHERE user_id = ${userId}
+            ORDER BY created_at
+        `);
+    return result.rows.map((row) => ({
+      id: row.id,
+      userId: row.user_id,
+      factorType: row.factor_type,
+      friendlyName: row.friendly_name ?? void 0,
+      verified: row.verified,
+      createdAt: new Date(row.created_at),
+      updatedAt: new Date(row.updated_at)
+    }));
+  }
+  async getMfaFactorById(factorId) {
+    const tableName = this.qualify("mfa_factors");
+    const result = await this.db.execute(sql`
+            SELECT id, user_id, factor_type, secret_encrypted, friendly_name, verified, created_at, updated_at
+            FROM ${sql.raw(tableName)}
+            WHERE id = ${factorId}
+        `);
+    if (result.rows.length === 0) return null;
+    const row = result.rows[0];
+    return {
+      id: row.id,
+      userId: row.user_id,
+      factorType: row.factor_type,
+      secretEncrypted: row.secret_encrypted,
+      friendlyName: row.friendly_name ?? void 0,
+      verified: row.verified,
+      createdAt: new Date(row.created_at),
+      updatedAt: new Date(row.updated_at)
+    };
+  }
+  async verifyMfaFactor(factorId) {
+    const tableName = this.qualify("mfa_factors");
+    await this.db.execute(sql`
+            UPDATE ${sql.raw(tableName)}
+            SET verified = TRUE, updated_at = NOW()
+            WHERE id = ${factorId}
+        `);
+  }
+  async deleteMfaFactor(factorId, userId) {
+    const tableName = this.qualify("mfa_factors");
+    await this.db.execute(sql`
+            DELETE FROM ${sql.raw(tableName)}
+            WHERE id = ${factorId} AND user_id = ${userId}
+        `);
+  }
+  async createMfaChallenge(factorId, ipAddress) {
+    const tableName = this.qualify("mfa_challenges");
+    const expiresAt = new Date(Date.now() + 5 * 60 * 1e3);
+    const result = await this.db.execute(sql`
+            INSERT INTO ${sql.raw(tableName)} (factor_id, ip_address, expires_at)
+            VALUES (${factorId}, ${ipAddress ?? null}, ${expiresAt})
+            RETURNING id, factor_id, created_at, verified_at, ip_address
+        `);
+    const row = result.rows[0];
+    return {
+      id: row.id,
+      factorId: row.factor_id,
+      createdAt: new Date(row.created_at),
+      verifiedAt: row.verified_at ? new Date(row.verified_at) : void 0,
+      ipAddress: row.ip_address ?? void 0
+    };
+  }
+  async getMfaChallengeById(challengeId) {
+    const tableName = this.qualify("mfa_challenges");
+    const result = await this.db.execute(sql`
+            SELECT id, factor_id, created_at, verified_at, ip_address, expires_at
+            FROM ${sql.raw(tableName)}
+            WHERE id = ${challengeId} AND expires_at > NOW() AND verified_at IS NULL
+        `);
+    if (result.rows.length === 0) return null;
+    const row = result.rows[0];
+    return {
+      id: row.id,
+      factorId: row.factor_id,
+      createdAt: new Date(row.created_at),
+      verifiedAt: row.verified_at ? new Date(row.verified_at) : void 0,
+      ipAddress: row.ip_address ?? void 0
+    };
+  }
+  async verifyMfaChallenge(challengeId) {
+    const tableName = this.qualify("mfa_challenges");
+    await this.db.execute(sql`
+            UPDATE ${sql.raw(tableName)}
+            SET verified_at = NOW()
+            WHERE id = ${challengeId}
+        `);
+  }
+  async createRecoveryCodes(userId, codeHashes) {
+    const tableName = this.qualify("recovery_codes");
+    await this.db.execute(sql`
+            DELETE FROM ${sql.raw(tableName)} WHERE user_id = ${userId}
+        `);
+    for (const hash of codeHashes) {
+      await this.db.execute(sql`
+                INSERT INTO ${sql.raw(tableName)} (user_id, code_hash)
+                VALUES (${userId}, ${hash})
+            `);
+    }
+  }
+  async useRecoveryCode(userId, codeHash) {
+    const tableName = this.qualify("recovery_codes");
+    const result = await this.db.execute(sql`
+            UPDATE ${sql.raw(tableName)}
+            SET used_at = NOW()
+            WHERE user_id = ${userId} AND code_hash = ${codeHash} AND used_at IS NULL
+            RETURNING id
+        `);
+    return result.rows.length > 0;
+  }
+  async getUnusedRecoveryCodeCount(userId) {
+    const tableName = this.qualify("recovery_codes");
+    const result = await this.db.execute(sql`
+            SELECT COUNT(*)::int as count FROM ${sql.raw(tableName)}
+            WHERE user_id = ${userId} AND used_at IS NULL
+        `);
+    return result.rows[0].count;
+  }
+  async deleteAllRecoveryCodes(userId) {
+    const tableName = this.qualify("recovery_codes");
+    await this.db.execute(sql`
+            DELETE FROM ${sql.raw(tableName)} WHERE user_id = ${userId}
+        `);
+  }
+  async hasVerifiedMfaFactors(userId) {
+    const tableName = this.qualify("mfa_factors");
+    const result = await this.db.execute(sql`
+            SELECT COUNT(*)::int as count FROM ${sql.raw(tableName)}
+            WHERE user_id = ${userId} AND verified = TRUE
+        `);
+    return result.rows[0].count > 0;
+  }
 }
 const DEFAULT_RETENTION = {
   maxEntries: 200,
@@ -10931,7 +11732,7 @@ function createPostgresBootstrapper(pgConfig) {
       const registry = new PostgresCollectionRegistry();
       if (collections) {
         registry.registerMultiple(collections);
-        console.log(`📋 [PostgresRegistry] Registered ${registry.getCollections().length} collections: [${registry.getCollections().map((c) => c.slug).join(", ")}]`);
+        logger.info(`📋 [PostgresRegistry] Registered ${registry.getCollections().length} collections: [${registry.getCollections().map((c) => c.slug).join(", ")}]`);
       }
       if (pgConfig.schema?.tables) {
         Object.values(pgConfig.schema.tables).forEach((table) => {
@@ -10957,10 +11758,28 @@ function createPostgresBootstrapper(pgConfig) {
       try {
         await schemaAwareDb.execute(sql`SELECT 1`);
       } catch (err) {
-        console.error("❌ Failed to connect to PostgreSQL:", err);
-        console.warn("⚠️ Continuing without initial database verification. Drizzle/PG will attempt to connect on subsequent queries.");
+        logger.error("❌ Failed to connect to PostgreSQL", {
+          error: err
+        });
+        logger.warn("⚠️ Continuing without initial database verification. Drizzle/PG will attempt to connect on subsequent queries.");
       }
       const realtimeService = new RealtimeService(schemaAwareDb, registry);
+      let readDb;
+      const readUrl = process.env.DATABASE_READ_URL;
+      if (readUrl && readUrl !== pgConfig.connectionString) {
+        try {
+          const {
+            createReadReplicaConnection: createReadReplicaConnection2
+          } = await Promise.resolve().then(() => connection);
+          const readResources = createReadReplicaConnection2(readUrl, mergedSchema);
+          readDb = readResources.db;
+          logger.info("📖 [PostgresBootstrapper] Read replica connection established");
+        } catch (err) {
+          logger.warn("⚠️ Could not connect to read replica, falling back to primary for all queries", {
+            error: err
+          });
+        }
+      }
       const poolManager = pgConfig.adminConnectionString ? new DatabasePoolManager(pgConfig.adminConnectionString) : void 0;
       const driver = new PostgresBackendDriver(schemaAwareDb, realtimeService, registry, void 0, poolManager);
       realtimeService.setDataDriver(driver);
@@ -10968,18 +11787,24 @@ function createPostgresBootstrapper(pgConfig) {
         try {
           await driver.branchService.ensureBranchMetadataTable();
         } catch (err) {
-          console.warn("⚠️ Could not initialize branch metadata table:", err);
+          logger.warn("⚠️ Could not initialize branch metadata table", {
+            error: err
+          });
         }
       }
-      if (pgConfig.connectionString) {
+      const directUrl = process.env.DATABASE_DIRECT_URL || pgConfig.connectionString;
+      if (directUrl) {
         try {
-          await realtimeService.startListening(pgConfig.connectionString);
+          await realtimeService.startListening(directUrl);
         } catch (err) {
-          console.warn("⚠️ Cross-instance realtime could not be started:", err);
+          logger.warn("⚠️ Cross-instance realtime could not be started", {
+            error: err
+          });
         }
       }
       const internals = {
         db: schemaAwareDb,
+        readDb,
         registry,
         realtimeService,
         driver,
@@ -11117,14 +11942,22 @@ export {
   RealtimeService,
   appConfig,
   createAuthSchema,
+  createDirectDatabaseConnection,
   createPostgresAdapter,
   createPostgresBootstrapper,
   createPostgresDatabaseConnection,
   createPostgresWebSocket,
+  createReadReplicaConnection,
   generateSchema,
+  mfaChallenges,
+  mfaChallengesRelations,
+  mfaFactors,
+  mfaFactorsRelations,
   passwordResetTokens,
   passwordResetTokensRelations,
   rebaseSchema,
+  recoveryCodes,
+  recoveryCodesRelations,
   refreshTokens,
   refreshTokensRelations,
   roles,