@rebasepro/server-postgresql 0.2.1 → 0.2.4

package/dist/index.umd.js

@@ -59,6 +59,70 @@
       connectionString
     };
   }
+  function createDirectDatabaseConnection(connectionString, schema, poolConfig) {
+    const opts = {
+      ...DEFAULT_POOL,
+      max: 5,
+      ...poolConfig
+    };
+    const pgPoolConfig = {
+      connectionString,
+      max: opts.max,
+      idleTimeoutMillis: opts.idleTimeoutMillis,
+      connectionTimeoutMillis: opts.connectionTimeoutMillis,
+      query_timeout: opts.queryTimeout,
+      statement_timeout: opts.statementTimeout,
+      keepAlive: opts.keepAlive,
+      keepAliveInitialDelayMillis: 0
+    };
+    const pool = new pg.Pool(pgPoolConfig);
+    pool.on("error", (err) => {
+      console.error("[pg-direct-pool] Unexpected pool error:", err.message);
+    });
+    const db = schema ? nodePostgres.drizzle(pool, {
+      schema
+    }) : nodePostgres.drizzle(pool);
+    return {
+      db,
+      pool,
+      connectionString
+    };
+  }
+  function createReadReplicaConnection(connectionString, schema, poolConfig) {
+    const opts = {
+      ...DEFAULT_POOL,
+      max: 10,
+      ...poolConfig
+    };
+    const pgPoolConfig = {
+      connectionString,
+      max: opts.max,
+      idleTimeoutMillis: opts.idleTimeoutMillis,
+      connectionTimeoutMillis: opts.connectionTimeoutMillis,
+      query_timeout: opts.queryTimeout,
+      statement_timeout: opts.statementTimeout,
+      keepAlive: opts.keepAlive,
+      keepAliveInitialDelayMillis: 0
+    };
+    const pool = new pg.Pool(pgPoolConfig);
+    pool.on("error", (err) => {
+      console.error("[pg-replica-pool] Unexpected pool error:", err.message);
+    });
+    const db = schema ? nodePostgres.drizzle(pool, {
+      schema
+    }) : nodePostgres.drizzle(pool);
+    return {
+      db,
+      pool,
+      connectionString
+    };
+  }
+  const connection = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+    __proto__: null,
+    createDirectDatabaseConnection,
+    createPostgresDatabaseConnection,
+    createReadReplicaConnection
+  }, Symbol.toStringTag, { value: "Module" }));
   class Vector {
     value;
     constructor(value) {
@@ -978,6 +1042,9 @@
       return output;
     }
     for (const key in source) {
+      if (key === "__proto__" || key === "constructor" || key === "prototype") {
+        continue;
+      }
       if (Object.prototype.hasOwnProperty.call(source, key)) {
         const sourceValue = source[key];
         const outputValue = output[key];
@@ -1166,118 +1233,6 @@
       });
     }
   }
-  function getSubcollections(collection) {
-    if (collection.childCollections) {
-      return collection.childCollections() ?? [];
-    }
-    if (getDataSourceCapabilities(collection.driver).supportsSubcollections && collection.subcollections) {
-      return collection.subcollections() ?? [];
-    }
-    if (getDataSourceCapabilities(collection.driver).supportsRelations && collection.relations) {
-      const manyRelations = collection.relations.filter((r) => r.cardinality === "many");
-      return manyRelations.map((r) => {
-        const target = r.target();
-        if (!target) return void 0;
-        const relationKey = r.relationName || target.slug;
-        let customName;
-        if (collection.properties) {
-          const prop = Object.entries(collection.properties).find(([_, p]) => p.type === "relation" && p.relationName === relationKey);
-          if (prop && prop[1].name) {
-            customName = prop[1].name;
-          }
-        }
-        const baseOverrides = {
-          slug: relationKey
-        };
-        if (customName) {
-          baseOverrides.name = customName;
-          baseOverrides.singularName = customName;
-        }
-        const targetWithOverrides = {
-          ...target,
-          ...baseOverrides
-        };
-        return r.overrides ? mergeDeep(targetWithOverrides, r.overrides) : targetWithOverrides;
-      }).filter((c) => Boolean(c));
-    }
-    return [];
-  }
-  function hasPropertyCallbacks(properties, callbackName) {
-    if (!properties) return false;
-    for (const property of Object.values(properties)) {
-      if (property.callbacks?.[callbackName]) return true;
-      if (property.type === "map" && property.properties) {
-        if (hasPropertyCallbacks(property.properties, callbackName)) return true;
-      } else if (property.type === "array" && property.of) {
-        const ofs = Array.isArray(property.of) ? property.of : [property.of];
-        for (const of of ofs) {
-          if (of.callbacks?.[callbackName]) return true;
-          if (of.type === "map" && of.properties && hasPropertyCallbacks(of.properties, callbackName)) return true;
-        }
-      }
-    }
-    return false;
-  }
-  async function processProperties(properties, values, previousValues, propsContext, callbackName) {
-    if (!values || typeof values !== "object") return values;
-    const result = {
-      ...values
-    };
-    for (const [key, property] of Object.entries(properties)) {
-      if (result[key] === void 0) continue;
-      let currentValue = result[key];
-      const previousValue = previousValues?.[key];
-      if (property.type === "array" && Array.isArray(currentValue)) {
-        if (property.of && !Array.isArray(property.of)) {
-          currentValue = await Promise.all(currentValue.map(async (item, index) => {
-            const prevItem = Array.isArray(previousValue) ? previousValue[index] : void 0;
-            const singlePropData = {
-              "_tmp": property.of
-            };
-            const res = await processProperties(singlePropData, {
-              "_tmp": item
-            }, {
-              "_tmp": prevItem
-            }, propsContext, callbackName);
-            return res["_tmp"];
-          }));
-        }
-      } else if (property.type === "map" && property.properties && typeof currentValue === "object") {
-        currentValue = await processProperties(property.properties, currentValue, previousValue ?? {}, propsContext, callbackName);
-      }
-      if (property.callbacks?.[callbackName]) {
-        const cbRes = await Promise.resolve(property.callbacks[callbackName]({
-          ...propsContext,
-          value: currentValue,
-          previousValue
-        }));
-        if (cbRes !== void 0) {
-          currentValue = cbRes;
-        }
-      }
-      result[key] = currentValue;
-    }
-    return result;
-  }
-  const buildPropertyCallbacks = (properties) => {
-    if (!properties) return void 0;
-    const propertyCallbacks = {};
-    if (hasPropertyCallbacks(properties, "afterRead")) {
-      propertyCallbacks.afterRead = async (props) => {
-        const processedValues = await processProperties(properties, props.entity.values, props.entity.values, props, "afterRead");
-        return {
-          ...props.entity,
-          values: processedValues
-        };
-      };
-    }
-    if (hasPropertyCallbacks(properties, "beforeSave")) {
-      propertyCallbacks.beforeSave = async (props) => {
-        return await processProperties(properties, props.values, props.previousValues ?? {}, props, "beforeSave");
-      };
-    }
-    return Object.keys(propertyCallbacks).length > 0 ? propertyCallbacks : void 0;
-  };
   function sanitizeRelation(relation, sourceCollection, resolveCollection) {
     if (!relation.target) {
       throw new Error("Relation is missing a `target` collection.");
@@ -1309,6 +1264,8 @@
       } else {
         targetCollection = evaluated;
       }
+    } else if (rawTarget && typeof rawTarget === "object") {
+      targetCollection = rawTarget;
     }
     if (!targetCollection) {
       throw new Error("Relation is missing a valid `target` collection.");
@@ -1428,11 +1385,14 @@
     const registeredRelationNames = /* @__PURE__ */ new Set();
     if (relCollection.relations) {
       relCollection.relations.forEach((relation) => {
-        const normalizedRelation = sanitizeRelation(relation, collection);
-        const relationKey = normalizedRelation.relationName;
-        if (relationKey) {
-          relations[relationKey] = normalizedRelation;
-          registeredRelationNames.add(relationKey);
+        try {
+          const normalizedRelation = sanitizeRelation(relation, collection);
+          const relationKey = normalizedRelation.relationName;
+          if (relationKey) {
+            relations[relationKey] = normalizedRelation;
+            registeredRelationNames.add(relationKey);
+          }
+        } catch (e) {
         }
       });
     }
@@ -1480,12 +1440,8 @@
         overrides: relProp.overrides
       };
     }
-    const relation = (sourceCollection.relations ?? []).find((rel) => rel.relationName === relProp.relationName);
-    if (!relation) {
-      console.warn(`Unrecognized relation format for property '${propertyKey}' in collection '${sourceCollection.slug}'`);
-      return void 0;
-    }
-    return relation;
+    console.warn(`Unrecognized or missing relation target for property '${propertyKey}' in collection '${sourceCollection.slug}'`);
+    return void 0;
   }
   function getTableName(collection) {
     if (getDataSourceCapabilities(collection.driver).supportsRelations) {
@@ -1512,6 +1468,119 @@
     if (snakeKey !== key && resolvedRelations[snakeKey]) return resolvedRelations[snakeKey];
     return void 0;
   }
+  function getSubcollections(collection) {
+    if (collection.childCollections) {
+      return collection.childCollections() ?? [];
+    }
+    if (getDataSourceCapabilities(collection.driver).supportsSubcollections && collection.subcollections) {
+      return collection.subcollections() ?? [];
+    }
+    if (getDataSourceCapabilities(collection.driver).supportsRelations) {
+      const resolvedRelations = resolveCollectionRelations(collection);
+      const manyRelations = Object.values(resolvedRelations).filter((r) => r.cardinality === "many");
+      return manyRelations.map((r) => {
+        const target = r.target();
+        if (!target) return void 0;
+        const relationKey = r.relationName || target.slug;
+        let customName;
+        if (collection.properties) {
+          const prop = Object.entries(collection.properties).find(([_, p]) => p.type === "relation" && p.relationName === relationKey);
+          if (prop && prop[1].name) {
+            customName = prop[1].name;
+          }
+        }
+        const baseOverrides = {
+          slug: relationKey
+        };
+        if (customName) {
+          baseOverrides.name = customName;
+          baseOverrides.singularName = customName;
+        }
+        const targetWithOverrides = {
+          ...target,
+          ...baseOverrides
+        };
+        return r.overrides ? mergeDeep(targetWithOverrides, r.overrides) : targetWithOverrides;
+      }).filter((c) => Boolean(c));
+    }
+    return [];
+  }
+  function hasPropertyCallbacks(properties, callbackName) {
+    if (!properties) return false;
+    for (const property of Object.values(properties)) {
+      if (property.callbacks?.[callbackName]) return true;
+      if (property.type === "map" && property.properties) {
+        if (hasPropertyCallbacks(property.properties, callbackName)) return true;
+      } else if (property.type === "array" && property.of) {
+        const ofs = Array.isArray(property.of) ? property.of : [property.of];
+        for (const of of ofs) {
+          if (of.callbacks?.[callbackName]) return true;
+          if (of.type === "map" && of.properties && hasPropertyCallbacks(of.properties, callbackName)) return true;
+        }
+      }
+    }
+    return false;
+  }
+  async function processProperties(properties, values, previousValues, propsContext, callbackName) {
+    if (!values || typeof values !== "object") return values;
+    const result = {
+      ...values
+    };
+    for (const [key, property] of Object.entries(properties)) {
+      if (result[key] === void 0) continue;
+      let currentValue = result[key];
+      const previousValue = previousValues?.[key];
+      if (property.type === "array" && Array.isArray(currentValue)) {
+        if (property.of && !Array.isArray(property.of)) {
+          currentValue = await Promise.all(currentValue.map(async (item, index) => {
+            const prevItem = Array.isArray(previousValue) ? previousValue[index] : void 0;
+            const singlePropData = {
+              "_tmp": property.of
+            };
+            const res = await processProperties(singlePropData, {
+              "_tmp": item
+            }, {
+              "_tmp": prevItem
+            }, propsContext, callbackName);
+            return res["_tmp"];
+          }));
+        }
+      } else if (property.type === "map" && property.properties && typeof currentValue === "object") {
+        currentValue = await processProperties(property.properties, currentValue, previousValue ?? {}, propsContext, callbackName);
+      }
+      if (property.callbacks?.[callbackName]) {
+        const cbRes = await Promise.resolve(property.callbacks[callbackName]({
+          ...propsContext,
+          value: currentValue,
+          previousValue
+        }));
+        if (cbRes !== void 0) {
+          currentValue = cbRes;
+        }
+      }
+      result[key] = currentValue;
+    }
+    return result;
+  }
+  const buildPropertyCallbacks = (properties) => {
+    if (!properties) return void 0;
+    const propertyCallbacks = {};
+    if (hasPropertyCallbacks(properties, "afterRead")) {
+      propertyCallbacks.afterRead = async (props) => {
+        const processedValues = await processProperties(properties, props.entity.values, props.entity.values, props, "afterRead");
+        return {
+          ...props.entity,
+          values: processedValues
+        };
+      };
+    }
+    if (hasPropertyCallbacks(properties, "beforeSave")) {
+      propertyCallbacks.beforeSave = async (props) => {
+        return await processProperties(properties, props.values, props.previousValues ?? {}, props, "beforeSave");
+      };
+    }
+    return Object.keys(propertyCallbacks).length > 0 ? propertyCallbacks : void 0;
+  };
   var logic = { exports: {} };
   (function(module2, exports3) {
     (function(root, factory) {
@@ -2419,8 +2488,18 @@
       const mergedRelationsRaw = [...extractedRelations];
       for (const manual of manualRelations) {
         const name = manual.relationName;
-        if (!name || !mergedRelationsRaw.find((r) => r.relationName === name)) {
+        if (!name) {
           mergedRelationsRaw.push(manual);
+        } else {
+          const existingIndex = mergedRelationsRaw.findIndex((r) => r.relationName === name);
+          if (existingIndex === -1) {
+            mergedRelationsRaw.push(manual);
+          } else {
+            mergedRelationsRaw[existingIndex] = {
+              ...manual,
+              ...mergedRelationsRaw[existingIndex]
+            };
+          }
         }
       }
       let mergedRelations = mergedRelationsRaw;
@@ -2633,11 +2712,207 @@
           collections.push(currentCollection);
         }
       }
-      return {
-        collections,
-        entityIds,
-        finalCollection: currentCollection
-      };
+      return {
+        collections,
+        entityIds,
+        finalCollection: currentCollection
+      };
+    }
+  }
+  const defaultUsersCollection = {
+    name: "Users",
+    singularName: "User",
+    slug: "users",
+    table: "users",
+    schema: "rebase",
+    icon: "Users",
+    group: "Settings",
+    properties: {
+      id: {
+        name: "ID",
+        type: "string",
+        isId: "uuid"
+      },
+      email: {
+        name: "Email",
+        type: "string",
+        validation: {
+          required: true,
+          unique: true
+        }
+      },
+      password_hash: {
+        name: "Password Hash",
+        type: "string",
+        ui: {
+          hideFromCollection: true
+        }
+      },
+      display_name: {
+        name: "Display Name",
+        type: "string"
+      },
+      photo_url: {
+        name: "Photo URL",
+        type: "string"
+      },
+      email_verified: {
+        name: "Email Verified",
+        type: "boolean",
+        defaultValue: false
+      },
+      email_verification_token: {
+        name: "Email Verification Token",
+        type: "string",
+        ui: {
+          hideFromCollection: true
+        }
+      },
+      email_verification_sent_at: {
+        name: "Email Verification Sent At",
+        type: "date",
+        ui: {
+          hideFromCollection: true
+        }
+      },
+      metadata: {
+        name: "Metadata",
+        type: "map",
+        defaultValue: {},
+        ui: {
+          hideFromCollection: true
+        }
+      },
+      created_at: {
+        name: "Created At",
+        type: "date",
+        autoValue: "on_create",
+        ui: {
+          readOnly: true,
+          hideFromCollection: true
+        }
+      },
+      updated_at: {
+        name: "Updated At",
+        type: "date",
+        autoValue: "on_update",
+        ui: {
+          readOnly: true,
+          hideFromCollection: true
+        }
+      }
+    }
+  };
+  function mapOperator(op) {
+    switch (op) {
+      case "==":
+        return "eq";
+      case "!=":
+        return "neq";
+      case ">":
+        return "gt";
+      case ">=":
+        return "gte";
+      case "<":
+        return "lt";
+      case "<=":
+        return "lte";
+      case "array-contains":
+        return "cs";
+      case "array-contains-any":
+        return "csa";
+      case "not-in":
+        return "nin";
+      default:
+        return op;
+    }
+  }
+  class QueryBuilder {
+    constructor(collection) {
+      this.collection = collection;
+    }
+    params = {
+      where: {}
+    };
+    /**
+     * Add a filter condition to your query.
+     * @example
+     * client.collection('users').where('age', '>=', 18).find()
+     */
+    where(column, operator, value) {
+      if (!this.params.where) {
+        this.params.where = {};
+      }
+      const mappedOp = mapOperator(operator);
+      let formattedValue = value;
+      if (Array.isArray(value) && ["in", "nin", "cs", "csa"].includes(mappedOp)) {
+        formattedValue = `(${value.join(",")})`;
+      } else if (value === null) {
+        formattedValue = "null";
+      }
+      this.params.where[column] = mappedOp === "eq" ? String(formattedValue) : `${mappedOp}.${formattedValue}`;
+      return this;
+    }
+    /**
+     * Order the results by a specific column.
+     * @example
+     * client.collection('users').orderBy('createdAt', 'desc').find()
+     */
+    orderBy(column, ascending = "asc") {
+      this.params.orderBy = `${column}:${ascending}`;
+      return this;
+    }
+    /**
+     * Limit the number of results returned.
+     */
+    limit(count) {
+      this.params.limit = count;
+      return this;
+    }
+    /**
+     * Skip the first N results.
+     */
+    offset(count) {
+      this.params.offset = count;
+      return this;
+    }
+    /**
+     * Set a free-text search string if supported by the backend.
+     */
+    search(searchString) {
+      this.params.searchString = searchString;
+      return this;
+    }
+    /**
+     * Include related entities in the response.
+     * Relations will be populated with full entity data instead of just IDs.
+     *
+     * @param relations - Relation names to include, or "*" for all.
+     * @example
+     * // Include specific relations
+     * client.data.posts.include("tags", "author").find()
+     *
+     * // Include all relations
+     * client.data.posts.include("*").find()
+     */
+    include(...relations) {
+      this.params.include = relations;
+      return this;
+    }
+    /**
+     * Execute the find query and return the results.
+     */
+    async find() {
+      return this.collection.find(this.params);
+    }
+    /**
+     * Listen to realtime updates matching this query.
+     */
+    listen(onUpdate, onError) {
+      if (!this.collection.listen) {
+        throw new Error("Listen is only available when RebaseClient is configured with a websocketUrl.");
+      }
+      return this.collection.listen(this.params, onUpdate, onError);
     }
   }
   function convertWhereToFilter(where) {
@@ -2719,7 +2994,7 @@
     return [field, direction];
   }
   function createDriverAccessor(driver, slug) {
-    return {
+    const accessor = {
       async find(params) {
         const orderParsed = parseOrderBy(params?.orderBy);
         const entities = await driver.fetchCollection({
@@ -2813,8 +3088,28 @@
           onUpdate: (entity) => onUpdate(entity ?? void 0),
           onError
         });
-      } : void 0
+      } : void 0,
+      // Fluent Query Builder
+      where(column, operator, value) {
+        return new QueryBuilder(accessor).where(column, operator, value);
+      },
+      orderBy(column, ascending) {
+        return new QueryBuilder(accessor).orderBy(column, ascending);
+      },
+      limit(count) {
+        return new QueryBuilder(accessor).limit(count);
+      },
+      offset(count) {
+        return new QueryBuilder(accessor).offset(count);
+      },
+      search(searchString) {
+        return new QueryBuilder(accessor).search(searchString);
+      },
+      include(...relations) {
+        return new QueryBuilder(accessor).include(...relations);
+      }
     };
+    return accessor;
   }
   function buildRebaseData(driver) {
     const cache = /* @__PURE__ */ new Map();
@@ -2848,7 +3143,13 @@
       for (const [field, filterParam] of Object.entries(filter)) {
         if (!filterParam) continue;
         const [op, value] = filterParam;
-        const fieldColumn = table[field];
+        let fieldColumn = table[field];
+        if (!fieldColumn) {
+          const relationKey = `${field}_id`;
+          if (relationKey in table) {
+            fieldColumn = table[relationKey];
+          }
+        }
         if (!fieldColumn) {
           console.warn(`Filtering by field '${field}', but it does not exist in table for collection '${collectionPath}'`);
           continue;
@@ -2890,6 +3191,17 @@
           return null;
         case "array-contains":
           return drizzleOrm.sql`${column} @> ${JSON.stringify([value])}`;
+        case "array-contains-any":
+          if (Array.isArray(value) && value.length > 0) {
+            const textValues = value.map((v) => String(v));
+            return drizzleOrm.sql`${column} ?| array[${drizzleOrm.sql.join(textValues.map((v) => drizzleOrm.sql`${v}`), drizzleOrm.sql`, `)}]`;
+          }
+          return drizzleOrm.sql`${column} @> ${JSON.stringify([value])}`;
+        case "not-in":
+          if (Array.isArray(value) && value.length > 0) {
+            return drizzleOrm.sql`${column} NOT IN (${drizzleOrm.sql.join(value.map((v) => drizzleOrm.sql`${v}`), drizzleOrm.sql`, `)})`;
+          }
+          return null;
         default:
           console.warn(`Unsupported filter operation: ${op}`);
           return null;
@@ -3405,6 +3717,40 @@
         return null;
       }
     }
+    /**
+     * Build vector similarity search expressions for pgvector.
+     *
+     * Returns:
+     * - `orderBy`: SQL expression to ORDER BY distance (ascending = closest first)
+     * - `filter`: optional WHERE clause for distance threshold
+     * - `distanceSelect`: SQL expression for selecting the distance as `_distance`
+     */
+    static buildVectorSearchConditions(table, vectorSearch) {
+      const column = table[vectorSearch.property];
+      if (!column) {
+        throw new Error(`Vector column '${vectorSearch.property}' not found in table`);
+      }
+      const vectorLiteral = `'[${vectorSearch.vector.join(",")}]'::vector`;
+      const distanceFn = vectorSearch.distance || "cosine";
+      let operator;
+      switch (distanceFn) {
+        case "cosine":
+          operator = "<=>";
+          break;
+        case "l2":
+          operator = "<->";
+          break;
+        case "inner_product":
+          operator = "<#>";
+          break;
+      }
+      const distanceExpr = drizzleOrm.sql`${column} ${drizzleOrm.sql.raw(operator)} ${drizzleOrm.sql.raw(vectorLiteral)}`;
+      return {
+        orderBy: distanceExpr,
+        filter: vectorSearch.threshold != null ? drizzleOrm.sql`(${column} ${drizzleOrm.sql.raw(operator)} ${drizzleOrm.sql.raw(vectorLiteral)}) < ${vectorSearch.threshold}` : void 0,
+        distanceSelect: drizzleOrm.sql`(${column} ${drizzleOrm.sql.raw(operator)} ${drizzleOrm.sql.raw(vectorLiteral)})`
+      };
+    }
   }
   const PostgresConditionBuilder = DrizzleConditionBuilder;
   function getColumnMeta(col) {
@@ -5350,7 +5696,7 @@
       const qb = this.getQueryBuilder(tableName);
       const withConfig = this.buildWithConfig(collection);
       const hasRelations = withConfig && Object.keys(withConfig).length > 0;
-      if (qb && !options.searchString && !hasRelations) {
+      if (qb && !options.searchString && !hasRelations && !options.vectorSearch) {
         try {
           const queryOpts = this.buildDrizzleQueryOptions(table, idField, idInfo, options, collectionPath, void 0);
           const results2 = await qb.findMany(queryOpts);
@@ -5364,7 +5710,14 @@
           console.warn(`[EntityFetchService] db.query.findMany failed for ${collectionPath}, falling back to db.select:`, e);
         }
       }
-      let query = this.db.select().from(table).$dynamic();
+      let vectorMeta;
+      if (options.vectorSearch) {
+        vectorMeta = DrizzleConditionBuilder.buildVectorSearchConditions(table, options.vectorSearch);
+      }
+      let query = vectorMeta ? this.db.select({
+        table_row: table,
+        _distance: vectorMeta.distanceSelect
+      }).from(table).$dynamic() : this.db.select().from(table).$dynamic();
       const allConditions = [];
       if (options.searchString) {
         const searchConditions = DrizzleConditionBuilder.buildSearchConditions(options.searchString, collection.properties, table);
@@ -5375,12 +5728,17 @@
         const filterConditions = this.buildFilterConditions(options.filter, table, collectionPath);
         if (filterConditions.length > 0) allConditions.push(...filterConditions);
       }
+      if (vectorMeta?.filter) {
+        allConditions.push(vectorMeta.filter);
+      }
       if (allConditions.length > 0) {
         const finalCondition = DrizzleConditionBuilder.combineConditionsWithAnd(allConditions);
         if (finalCondition) query = query.where(finalCondition);
       }
       const orderExpressions = [];
-      if (options.orderBy) {
+      if (vectorMeta) {
+        orderExpressions.push(drizzleOrm.asc(vectorMeta.orderBy));
+      } else if (options.orderBy) {
         const orderByField = this.resolveOrderByField(table, options.orderBy, collection);
         if (orderByField) {
           orderExpressions.push(options.order === "asc" ? drizzleOrm.asc(orderByField) : drizzleOrm.desc(orderByField));
@@ -5396,10 +5754,14 @@
           if (finalCondition) query = query.where(finalCondition);
         }
       }
-      const limitValue = options.searchString ? options.limit || 50 : options.limit;
+      const limitValue = options.vectorSearch ? options.limit || 10 : options.searchString ? options.limit || 50 : options.limit;
       if (limitValue) query = query.limit(limitValue);
       if (options.offset && options.offset > 0) query = query.offset(options.offset);
-      const results = await query;
+      const rawResults = await query;
+      const results = vectorMeta ? rawResults.map((r) => ({
+        ...r.table_row,
+        _distance: typeof r._distance === "number" ? r._distance : parseFloat(String(r._distance))
+      })) : rawResults;
       return this.processEntityResults(results, collection, collectionPath, idInfo, options.databaseId, false, idInfoArray);
     }
     /**
@@ -5621,7 +5983,7 @@
       const idField = table[idInfo.fieldName];
       const tableName = drizzleOrm.getTableName(table);
       const qb = this.getQueryBuilder(tableName);
-      if (qb && !options.searchString) {
+      if (qb && !options.searchString && !options.vectorSearch) {
         try {
           const withConfig = include && include.length > 0 ? this.buildWithConfig(collection, include) : void 0;
           const queryOpts = this.buildDrizzleQueryOptions(table, idField, idInfo, options, collectionPath, withConfig);
@@ -5767,7 +6129,14 @@
       const idInfoArray = getPrimaryKeys(collection, this.registry);
       const idInfo = idInfoArray[0];
       const idField = table[idInfo.fieldName];
-      let query = this.db.select().from(table).$dynamic();
+      let vectorMeta;
+      if (options.vectorSearch) {
+        vectorMeta = DrizzleConditionBuilder.buildVectorSearchConditions(table, options.vectorSearch);
+      }
+      let query = vectorMeta ? this.db.select({
+        table_row: table,
+        _distance: vectorMeta.distanceSelect
+      }).from(table).$dynamic() : this.db.select().from(table).$dynamic();
       const allConditions = [];
       if (options.searchString) {
         const searchConditions = DrizzleConditionBuilder.buildSearchConditions(options.searchString, collection.properties, table);
@@ -5778,12 +6147,17 @@
         const filterConditions = this.buildFilterConditions(options.filter, table, collectionPath);
         if (filterConditions.length > 0) allConditions.push(...filterConditions);
       }
+      if (vectorMeta?.filter) {
+        allConditions.push(vectorMeta.filter);
+      }
       if (allConditions.length > 0) {
         const finalCondition = DrizzleConditionBuilder.combineConditionsWithAnd(allConditions);
         if (finalCondition) query = query.where(finalCondition);
       }
       const orderExpressions = [];
-      if (options.orderBy) {
+      if (vectorMeta) {
+        orderExpressions.push(drizzleOrm.asc(vectorMeta.orderBy));
+      } else if (options.orderBy) {
         const orderByField = this.resolveOrderByField(table, options.orderBy, collection);
         if (orderByField) {
           orderExpressions.push(options.order === "asc" ? drizzleOrm.asc(orderByField) : drizzleOrm.desc(orderByField));
@@ -5791,10 +6165,17 @@
       }
       orderExpressions.push(drizzleOrm.desc(idField));
       if (orderExpressions.length > 0) query = query.orderBy(...orderExpressions);
-      const limitValue = options.searchString ? options.limit || 50 : options.limit;
+      const limitValue = options.vectorSearch ? options.limit || 10 : options.searchString ? options.limit || 50 : options.limit;
       if (limitValue) query = query.limit(limitValue);
       if (options.offset && options.offset > 0) query = query.offset(options.offset);
-      return await query;
+      const rawResults = await query;
+      if (vectorMeta) {
+        return rawResults.map((r) => ({
+          ...r.table_row,
+          _distance: typeof r._distance === "number" ? r._distance : parseFloat(String(r._distance))
+        }));
+      }
+      return rawResults;
     }
     /**
      * Check if the Drizzle instance has the relational query API available
@@ -6522,7 +6903,7 @@
         callbacks: void 0,
         propertyCallbacks: void 0
       };
-      const registryCollection = this.registry.getCollectionByPath(path2);
+      const registryCollection = this.registry?.getCollectionByPath(path2);
       const resolvedCollection = registryCollection ? {
         ...collection,
         ...registryCollection
@@ -6548,7 +6929,8 @@
       startAfter,
       orderBy,
       searchString,
-      order
+      order,
+      vectorSearch
     }) {
       const entities = await this.entityService.fetchCollection(path2, {
         filter,
@@ -6558,7 +6940,8 @@
         offset,
         startAfter,
         databaseId: collection?.databaseId,
-        searchString
+        searchString,
+        vectorSearch
       });
       const {
         collection: resolvedCollection,
@@ -6570,7 +6953,8 @@
           user: this.user,
           driver: this,
           data: this.data,
-          client: this.client
+          client: this.client,
+          storageSource: this.client?.storage
         };
         return Promise.all(entities.map(async (entity) => {
           let fetched = entity;
@@ -6665,7 +7049,8 @@
           user: this.user,
           driver: this,
           data: this.data,
-          client: this.client
+          client: this.client,
+          storageSource: this.client?.storage
         };
         if (callbacks?.afterRead) {
           entity = await callbacks.afterRead({
@@ -6735,7 +7120,8 @@
         user: this.user,
         driver: this,
         data: this.data,
-        client: this.client
+        client: this.client,
+        storageSource: this.client?.storage
       };
       let previousValuesForHistory;
       if (status === "existing" && entityId) {
@@ -6884,7 +7270,8 @@
         user: this.user,
         driver: this,
         data: this.data,
-        client: this.client
+        client: this.client,
+        storageSource: this.client?.storage
       };
       if (callbacks?.beforeDelete || propertyCallbacks?.beforeDelete) {
         let preventDefault = false;
@@ -7397,6 +7784,7 @@
         length: 255
       }),
       emailVerificationSentAt: pgCore.timestamp("email_verification_sent_at"),
+      isAnonymous: pgCore.boolean("is_anonymous").default(false).notNull(),
       metadata: pgCore.jsonb("metadata").$type().default({}).notNull(),
       createdAt: pgCore.timestamp("created_at").defaultNow().notNull(),
       updatedAt: pgCore.timestamp("updated_at").defaultNow().notNull()
@@ -7411,8 +7799,7 @@
       }).notNull(),
       isAdmin: pgCore.boolean("is_admin").default(false).notNull(),
       defaultPermissions: pgCore.jsonb("default_permissions").$type(),
-      collectionPermissions: pgCore.jsonb("collection_permissions").$type(),
-      config: pgCore.jsonb("config").$type()
+      collectionPermissions: pgCore.jsonb("collection_permissions").$type()
     });
     const userRoles2 = rolesTableCreator("user_roles", {
       userId: pgCore.uuid("user_id").notNull().references(() => users2.id, {
@@ -7484,6 +7871,48 @@
     }, (table) => ({
       uniqueProviderId: pgCore.unique("unique_provider_id").on(table.provider, table.providerId)
     }));
+    const mfaFactors2 = rolesTableCreator("mfa_factors", {
+      id: pgCore.uuid("id").defaultRandom().primaryKey(),
+      userId: pgCore.uuid("user_id").notNull().references(() => users2.id, {
+        onDelete: "cascade"
+      }),
+      factorType: pgCore.varchar("factor_type", {
+        length: 20
+      }).notNull(),
+      // 'totp'
+      secretEncrypted: pgCore.varchar("secret_encrypted", {
+        length: 500
+      }).notNull(),
+      friendlyName: pgCore.varchar("friendly_name", {
+        length: 255
+      }),
+      verified: pgCore.boolean("verified").default(false).notNull(),
+      createdAt: pgCore.timestamp("created_at").defaultNow().notNull(),
+      updatedAt: pgCore.timestamp("updated_at").defaultNow().notNull()
+    });
+    const mfaChallenges2 = rolesTableCreator("mfa_challenges", {
+      id: pgCore.uuid("id").defaultRandom().primaryKey(),
+      factorId: pgCore.uuid("factor_id").notNull().references(() => mfaFactors2.id, {
+        onDelete: "cascade"
+      }),
+      createdAt: pgCore.timestamp("created_at").defaultNow().notNull(),
+      verifiedAt: pgCore.timestamp("verified_at"),
+      ipAddress: pgCore.varchar("ip_address", {
+        length: 45
+      }),
+      expiresAt: pgCore.timestamp("expires_at").notNull()
+    });
+    const recoveryCodes2 = rolesTableCreator("recovery_codes", {
+      id: pgCore.uuid("id").defaultRandom().primaryKey(),
+      userId: pgCore.uuid("user_id").notNull().references(() => users2.id, {
+        onDelete: "cascade"
+      }),
+      codeHash: pgCore.varchar("code_hash", {
+        length: 255
+      }).notNull(),
+      usedAt: pgCore.timestamp("used_at"),
+      createdAt: pgCore.timestamp("created_at").defaultNow().notNull()
+    });
     return {
       rolesSchema,
       usersSchema: usersSchema2,
@@ -7493,7 +7922,10 @@
       refreshTokens: refreshTokens2,
       passwordResetTokens: passwordResetTokens2,
       appConfig: appConfig2,
-      userIdentities: userIdentities2
+      userIdentities: userIdentities2,
+      mfaFactors: mfaFactors2,
+      mfaChallenges: mfaChallenges2,
+      recoveryCodes: recoveryCodes2
     };
   }
   const defaultAuthSchema = createAuthSchema("rebase", "rebase");
@@ -7506,13 +7938,18 @@
   const passwordResetTokens = defaultAuthSchema.passwordResetTokens;
   const appConfig = defaultAuthSchema.appConfig;
   const userIdentities = defaultAuthSchema.userIdentities;
+  const mfaFactors = defaultAuthSchema.mfaFactors;
+  const mfaChallenges = defaultAuthSchema.mfaChallenges;
+  const recoveryCodes = defaultAuthSchema.recoveryCodes;
   const usersRelations = drizzleOrm.relations(users, ({
     many
   }) => ({
     userRoles: many(userRoles),
     refreshTokens: many(refreshTokens),
     passwordResetTokens: many(passwordResetTokens),
-    userIdentities: many(userIdentities)
+    userIdentities: many(userIdentities),
+    mfaFactors: many(mfaFactors),
+    recoveryCodes: many(recoveryCodes)
   }));
   const rolesRelations = drizzleOrm.relations(roles, ({
     many
@@ -7555,6 +7992,32 @@
       references: [users.id]
     })
   }));
+  const mfaFactorsRelations = drizzleOrm.relations(mfaFactors, ({
+    one,
+    many
+  }) => ({
+    user: one(users, {
+      fields: [mfaFactors.userId],
+      references: [users.id]
+    }),
+    challenges: many(mfaChallenges)
+  }));
+  const mfaChallengesRelations = drizzleOrm.relations(mfaChallenges, ({
+    one
+  }) => ({
+    factor: one(mfaFactors, {
+      fields: [mfaChallenges.factorId],
+      references: [mfaFactors.id]
+    })
+  }));
+  const recoveryCodesRelations = drizzleOrm.relations(recoveryCodes, ({
+    one
+  }) => ({
+    user: one(users, {
+      fields: [recoveryCodes.userId],
+      references: [users.id]
+    })
+  }));
   const resolveColumnName = (propName, prop) => {
     if (prop && "columnName" in prop && typeof prop.columnName === "string") {
       return prop.columnName;
@@ -8079,167 +8542,84 @@
         fields: [${tableVarName}.${rel.localKey}],
         references: [${targetTableVar}.${getPrimaryKeyName(target)}],
         relationName: "${drizzleRelationName}"
-    })`);
-              } else if (rel.direction === "inverse") {
-                tableRelations.push(`    "${relationKey}": one(${targetTableVar}, {
-        relationName: "${drizzleRelationName}"
-    })`);
-              }
-            } else if (rel.cardinality === "many") {
-              if (rel.direction === "inverse" && rel.foreignKeyOnTarget) {
-                tableRelations.push(`    "${relationKey}": many(${targetTableVar}, { relationName: "${drizzleRelationName}" })`);
-              } else if (rel.through) {
-                const junctionTableVar = getTableVarName(rel.through.table);
-                tableRelations.push(`    "${relationKey}": many(${junctionTableVar}, { relationName: "${drizzleRelationName}" })`);
-              } else if (rel.direction === "inverse" && rel.inverseRelationName) {
-                try {
-                  const targetCollection = rel.target();
-                  const targetResolvedRelations = resolveCollectionRelations(targetCollection);
-                  const correspondingRelation = Object.values(targetResolvedRelations).find((targetRel) => targetRel.direction === "owning" && targetRel.cardinality === "many" && targetRel.through && targetRel.relationName === rel.inverseRelationName);
-                  if (correspondingRelation && correspondingRelation.through) {
-                    const junctionTableVar = getTableVarName(correspondingRelation.through.table);
-                    tableRelations.push(`    "${relationKey}": many(${junctionTableVar}, { relationName: "${drizzleRelationName}" })`);
-                  } else {
-                    console.warn(`Could not find corresponding owning many-to-many relation for inverse relation '${relationKey}' on '${collection.name}'`);
-                  }
-                } catch (e) {
-                  console.warn(`Could not resolve inverse many-to-many relation '${relationKey}':`, e);
-                }
-              }
-            }
-          } catch (e) {
-            console.warn(`Could not generate relation ${relationKey} for ${collection.name}:`, e);
-          }
-        }
-        for (const otherCollection of collections) {
-          if (otherCollection.slug === collection.slug) continue;
-          const otherRelations = resolveCollectionRelations(otherCollection);
-          for (const [otherKey, otherRel] of Object.entries(otherRelations)) {
-            if (otherRel.direction === "inverse" && otherRel.foreignKeyOnTarget) {
-              try {
-                const otherTarget = otherRel.target();
-                if (otherTarget.slug === collection.slug) {
-                  const drizzleRelationName = computeSharedRelationName(otherRel, otherCollection, collections);
-                  const deduplicationKey = `${drizzleRelationName}::owning`;
-                  if (!emittedRelationNames.has(deduplicationKey)) {
-                    const otherTableVar = getTableVarName(getTableName(otherCollection));
-                    const synthKey = `_synth_${otherTableVar}_${otherRel.foreignKeyOnTarget}`;
-                    tableRelations.push(`    "${synthKey}": one(${otherTableVar}, {
-        fields: [${tableVarName}.${otherRel.foreignKeyOnTarget}],
-        references: [${otherTableVar}.${getPrimaryKeyName(otherCollection)}],
-        relationName: "${drizzleRelationName}"
-    })`);
-                    emittedRelationNames.add(deduplicationKey);
-                  }
-                }
-              } catch (e) {
-              }
-            }
-          }
-        }
-      }
-      if (tableRelations.length > 0) {
-        const relVarName = `${tableVarName}Relations`;
-        schemaContent += `export const ${relVarName} = drizzleRelations(${tableVarName}, ({ one, many }) => ({
-${tableRelations.join(",\n")}
-}));
-
-`;
-        if (!exportedRelationVars.includes(relVarName)) exportedRelationVars.push(relVarName);
-      }
-    }
-    const tablesExport = `export const tables = { ${exportedTableVars.join(", ")} };
-`;
-    const enumsExport = `export const enums = { ${exportedEnumVars.join(", ")} };
-`;
-    const relationsExport = `export const relations = { ${exportedRelationVars.join(", ")} };
-
-`;
-    schemaContent += tablesExport + enumsExport + relationsExport;
-    return schemaContent;
-  };
-  const defaultUsersCollection = {
-    name: "Users",
-    singularName: "User",
-    slug: "users",
-    table: "users",
-    icon: "Users",
-    group: "Settings",
-    properties: {
-      id: {
-        name: "ID",
-        type: "string",
-        isId: "uuid"
-      },
-      email: {
-        name: "Email",
-        type: "string",
-        validation: {
-          required: true,
-          unique: true
-        }
-      },
-      password_hash: {
-        name: "Password Hash",
-        type: "string",
-        ui: {
-          hideFromCollection: true
-        }
-      },
-      display_name: {
-        name: "Display Name",
-        type: "string"
-      },
-      photo_url: {
-        name: "Photo URL",
-        type: "string"
-      },
-      email_verified: {
-        name: "Email Verified",
-        type: "boolean",
-        defaultValue: false
-      },
-      email_verification_token: {
-        name: "Email Verification Token",
-        type: "string",
-        ui: {
-          hideFromCollection: true
-        }
-      },
-      email_verification_sent_at: {
-        name: "Email Verification Sent At",
-        type: "date",
-        ui: {
-          hideFromCollection: true
-        }
-      },
-      metadata: {
-        name: "Metadata",
-        type: "map",
-        defaultValue: {},
-        ui: {
-          hideFromCollection: true
-        }
-      },
-      created_at: {
-        name: "Created At",
-        type: "date",
-        autoValue: "on_create",
-        ui: {
-          readOnly: true,
-          hideFromCollection: true
+    })`);
+              } else if (rel.direction === "inverse") {
+                tableRelations.push(`    "${relationKey}": one(${targetTableVar}, {
+        relationName: "${drizzleRelationName}"
+    })`);
+              }
+            } else if (rel.cardinality === "many") {
+              if (rel.direction === "inverse" && rel.foreignKeyOnTarget) {
+                tableRelations.push(`    "${relationKey}": many(${targetTableVar}, { relationName: "${drizzleRelationName}" })`);
+              } else if (rel.through) {
+                const junctionTableVar = getTableVarName(rel.through.table);
+                tableRelations.push(`    "${relationKey}": many(${junctionTableVar}, { relationName: "${drizzleRelationName}" })`);
+              } else if (rel.direction === "inverse" && rel.inverseRelationName) {
+                try {
+                  const targetCollection = rel.target();
+                  const targetResolvedRelations = resolveCollectionRelations(targetCollection);
+                  const correspondingRelation = Object.values(targetResolvedRelations).find((targetRel) => targetRel.direction === "owning" && targetRel.cardinality === "many" && targetRel.through && targetRel.relationName === rel.inverseRelationName);
+                  if (correspondingRelation && correspondingRelation.through) {
+                    const junctionTableVar = getTableVarName(correspondingRelation.through.table);
+                    tableRelations.push(`    "${relationKey}": many(${junctionTableVar}, { relationName: "${drizzleRelationName}" })`);
+                  } else {
+                    console.warn(`Could not find corresponding owning many-to-many relation for inverse relation '${relationKey}' on '${collection.name}'`);
+                  }
+                } catch (e) {
+                  console.warn(`Could not resolve inverse many-to-many relation '${relationKey}':`, e);
+                }
+              }
+            }
+          } catch (e) {
+            console.warn(`Could not generate relation ${relationKey} for ${collection.name}:`, e);
+          }
         }
-      },
-      updated_at: {
-        name: "Updated At",
-        type: "date",
-        autoValue: "on_update",
-        ui: {
-          readOnly: true,
-          hideFromCollection: true
+        for (const otherCollection of collections) {
+          if (otherCollection.slug === collection.slug) continue;
+          const otherRelations = resolveCollectionRelations(otherCollection);
+          for (const [otherKey, otherRel] of Object.entries(otherRelations)) {
+            if (otherRel.direction === "inverse" && otherRel.foreignKeyOnTarget) {
+              try {
+                const otherTarget = otherRel.target();
+                if (otherTarget.slug === collection.slug) {
+                  const drizzleRelationName = computeSharedRelationName(otherRel, otherCollection, collections);
+                  const deduplicationKey = `${drizzleRelationName}::owning`;
+                  if (!emittedRelationNames.has(deduplicationKey)) {
+                    const otherTableVar = getTableVarName(getTableName(otherCollection));
+                    const synthKey = `_synth_${otherTableVar}_${otherRel.foreignKeyOnTarget}`;
+                    tableRelations.push(`    "${synthKey}": one(${otherTableVar}, {
+        fields: [${tableVarName}.${otherRel.foreignKeyOnTarget}],
+        references: [${otherTableVar}.${getPrimaryKeyName(otherCollection)}],
+        relationName: "${drizzleRelationName}"
+    })`);
+                    emittedRelationNames.add(deduplicationKey);
+                  }
+                }
+              } catch (e) {
+              }
+            }
+          }
         }
       }
+      if (tableRelations.length > 0) {
+        const relVarName = `${tableVarName}Relations`;
+        schemaContent += `export const ${relVarName} = drizzleRelations(${tableVarName}, ({ one, many }) => ({
+${tableRelations.join(",\n")}
+}));
+
+`;
+        if (!exportedRelationVars.includes(relVarName)) exportedRelationVars.push(relVarName);
+      }
     }
+    const tablesExport = `export const tables = { ${exportedTableVars.join(", ")} };
+`;
+    const enumsExport = `export const enums = { ${exportedEnumVars.join(", ")} };
+`;
+    const relationsExport = `export const relations = { ${exportedRelationVars.join(", ")} };
+
+`;
+    schemaContent += tablesExport + enumsExport + relationsExport;
+    return schemaContent;
   };
   const formatTerminalText = (text, options = {}) => {
     let codes = "";
@@ -8306,10 +8686,7 @@ ${tableRelations.join(",\n")}
       if (!collections || !Array.isArray(collections)) {
         collections = [];
       }
-      const hasUsersCollection = collections.some((c) => c.slug === "users");
-      if (!hasUsersCollection) {
-        collections.push(defaultUsersCollection);
-      }
+      collections = Array.from(new Map([defaultUsersCollection, ...collections].map((c) => [c.slug, c])).values());
       collections.sort((a, b) => a.slug.localeCompare(b.slug));
       const schemaContent = await generateSchema(collections);
       if (outputPath) {
@@ -8370,6 +8747,13 @@ ${tableRelations.join(",\n")}
       this.entityService = new EntityService(db, registry);
     }
     clients = /* @__PURE__ */ new Map();
+    // Broadcast channels: channel name → set of client IDs
+    channels = /* @__PURE__ */ new Map();
+    // Presence: channel → Map<clientId, { state, lastSeen }>
+    presence = /* @__PURE__ */ new Map();
+    presenceInterval;
+    static PRESENCE_TIMEOUT_MS = 3e4;
+    // 30s
     entityService;
     // Enhanced subscriptions storage with full request parameters
     _subscriptions = /* @__PURE__ */ new Map();
@@ -8496,8 +8880,19 @@ ${tableRelations.join(",\n")}
           }
         }
       }
+      for (const [channel, members] of this.channels.entries()) {
+        if (members.has(clientId)) {
+          members.delete(clientId);
+          this.removePresence(clientId, channel);
+          if (members.size === 0) this.channels.delete(channel);
+        }
+      }
+      for (const [channel] of this.presence) {
+        this.removePresence(clientId, channel);
+      }
     }
     async handleMessage(clientId, message, authContext) {
+      const payload = message.payload;
       switch (message.type) {
         case "subscribe_collection":
           await this.handleCollectionSubscription(clientId, message.payload, authContext);
@@ -8508,6 +8903,25 @@ ${tableRelations.join(",\n")}
         case "unsubscribe":
           await this.handleUnsubscribe(clientId, message.subscriptionId);
           break;
+        case "join_channel":
+          this.joinChannel(clientId, payload?.channel);
+          break;
+        case "leave_channel":
+          this.leaveChannel(clientId, payload?.channel);
+          break;
+        case "broadcast":
+          this.broadcastToChannel(clientId, payload?.channel, payload?.event, payload?.payload);
+          break;
+        case "presence_track":
+          this.joinChannel(clientId, payload?.channel);
+          this.trackPresence(clientId, payload?.channel, payload?.state ?? {});
+          break;
+        case "presence_untrack":
+          this.removePresence(clientId, payload?.channel);
+          break;
+        case "presence_state":
+          this.sendPresenceState(clientId, payload?.channel);
+          break;
         default:
           this.sendError(clientId, "Unknown message type " + message.type, message.subscriptionId);
       }
@@ -8965,6 +9379,132 @@ ${tableRelations.join(",\n")}
       return parentPaths;
     }
     // =============================================================================
+    // Broadcast Channels
+    // =============================================================================
+    /** Join a broadcast channel */
+    joinChannel(clientId, channel) {
+      if (!this.channels.has(channel)) {
+        this.channels.set(channel, /* @__PURE__ */ new Set());
+      }
+      this.channels.get(channel).add(clientId);
+      this.debugLog(`📡 [Broadcast] Client ${clientId} joined channel: ${channel}`);
+    }
+    /** Leave a broadcast channel */
+    leaveChannel(clientId, channel) {
+      const members = this.channels.get(channel);
+      if (members) {
+        members.delete(clientId);
+        if (members.size === 0) this.channels.delete(channel);
+      }
+      this.removePresence(clientId, channel);
+    }
+    /** Broadcast a message to all clients in a channel except sender */
+    broadcastToChannel(clientId, channel, event, payload) {
+      const members = this.channels.get(channel);
+      if (!members) return;
+      const message = JSON.stringify({
+        type: "broadcast",
+        channel,
+        event,
+        payload
+      });
+      for (const memberId of members) {
+        if (memberId === clientId) continue;
+        const ws$1 = this.clients.get(memberId);
+        if (ws$1 && ws$1.readyState === ws.WebSocket.OPEN) {
+          ws$1.send(message);
+        }
+      }
+    }
+    // =============================================================================
+    // Presence
+    // =============================================================================
+    /** Track presence in a channel */
+    trackPresence(clientId, channel, state) {
+      if (!this.presence.has(channel)) {
+        this.presence.set(channel, /* @__PURE__ */ new Map());
+      }
+      const channelPresence = this.presence.get(channel);
+      channelPresence.set(clientId, {
+        state,
+        lastSeen: Date.now()
+      });
+      this.broadcastPresenceDiff(channel, {
+        [clientId]: state
+      }, {});
+      this.ensurePresenceCleanup();
+    }
+    /** Remove presence from a channel */
+    removePresence(clientId, channel) {
+      const channelPresence = this.presence.get(channel);
+      if (!channelPresence) return;
+      const entry = channelPresence.get(clientId);
+      if (entry) {
+        channelPresence.delete(clientId);
+        this.broadcastPresenceDiff(channel, {}, {
+          [clientId]: entry.state
+        });
+      }
+      if (channelPresence.size === 0) {
+        this.presence.delete(channel);
+      }
+    }
+    /** Send full presence state to a specific client */
+    sendPresenceState(clientId, channel) {
+      const channelPresence = this.presence.get(channel);
+      const presences = {};
+      if (channelPresence) {
+        for (const [id, {
+          state
+        }] of channelPresence) {
+          presences[id] = state;
+        }
+      }
+      const ws$1 = this.clients.get(clientId);
+      if (ws$1 && ws$1.readyState === ws.WebSocket.OPEN) {
+        ws$1.send(JSON.stringify({
+          type: "presence_state",
+          channel,
+          presences
+        }));
+      }
+    }
+    /** Broadcast presence diff (joins/leaves) to channel */
+    broadcastPresenceDiff(channel, joins, leaves) {
+      const members = this.channels.get(channel);
+      if (!members) return;
+      const message = JSON.stringify({
+        type: "presence_diff",
+        channel,
+        joins,
+        leaves
+      });
+      for (const memberId of members) {
+        const ws$1 = this.clients.get(memberId);
+        if (ws$1 && ws$1.readyState === ws.WebSocket.OPEN) {
+          ws$1.send(message);
+        }
+      }
+    }
+    /** Periodic cleanup for stale presences */
+    ensurePresenceCleanup() {
+      if (this.presenceInterval) return;
+      this.presenceInterval = setInterval(() => {
+        const now = Date.now();
+        for (const [channel, channelPresence] of this.presence) {
+          for (const [clientId, entry] of channelPresence) {
+            if (now - entry.lastSeen > RealtimeService.PRESENCE_TIMEOUT_MS) {
+              this.removePresence(clientId, channel);
+            }
+          }
+        }
+        if (this.presence.size === 0 && this.presenceInterval) {
+          clearInterval(this.presenceInterval);
+          this.presenceInterval = void 0;
+        }
+      }, 1e4);
+    }
+    // =============================================================================
     // Lifecycle / Cleanup
     // =============================================================================
     /**
@@ -8985,6 +9525,12 @@ ${tableRelations.join(",\n")}
       }
       this._subscriptions.clear();
       this.subscriptionCallbacks.clear();
+      this.channels.clear();
+      this.presence.clear();
+      if (this.presenceInterval) {
+        clearInterval(this.presenceInterval);
+        this.presenceInterval = void 0;
+      }
       await this.stopListening();
       this.clients.clear();
       this.debugLog("🧹 [RealtimeService] destroy() complete — all resources released.");
@@ -9631,8 +10177,14 @@ ${tableRelations.join(",\n")}
               break;
             case "subscribe_collection":
             case "subscribe_entity":
-            case "unsubscribe": {
-              wsDebug("🔄 [WebSocket Server] Routing subscription message to RealtimeService:", type);
+            case "unsubscribe":
+            case "join_channel":
+            case "leave_channel":
+            case "broadcast":
+            case "presence_track":
+            case "presence_untrack":
+            case "presence_state": {
+              wsDebug("🔄 [WebSocket Server] Routing realtime message to RealtimeService:", type);
               const session = clientSessions.get(clientId);
               const authContext = session?.user ? {
                 userId: session.user.userId,
@@ -9751,11 +10303,6 @@ ${tableRelations.join(",\n")}
       create: true,
       edit: true,
       delete: true
-    },
-    config: {
-      createCollections: true,
-      editCollections: "all",
-      deleteCollections: "all"
     }
   }, {
     id: "editor",
@@ -9766,11 +10313,6 @@ ${tableRelations.join(",\n")}
       create: true,
       edit: true,
       delete: true
-    },
-    config: {
-      createCollections: true,
-      editCollections: "own",
-      deleteCollections: "own"
     }
   }, {
     id: "viewer",
@@ -9781,11 +10323,10 @@ ${tableRelations.join(",\n")}
       create: false,
       edit: false,
       delete: false
-    },
-    config: null
+    }
   }];
   async function ensureAuthTablesExist(db, registry) {
-    console.log("🔍 Checking auth tables...");
+    serverCore.logger.info("🔍 Checking auth tables...");
     try {
       let usersTableName = '"users"';
       let userIdType = "TEXT";
@@ -9855,7 +10396,6 @@ ${tableRelations.join(",\n")}
                 is_admin BOOLEAN DEFAULT FALSE,
                 default_permissions JSONB,
                 collection_permissions JSONB,
-                config JSONB,
                 created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
             )
         `);
@@ -9938,34 +10478,85 @@ ${tableRelations.join(",\n")}
             `);
       });
       await seedDefaultRoles(db, rolesTableName);
-      console.log("✅ Auth tables ready");
+      await db.execute(drizzleOrm.sql`
+            ALTER TABLE ${drizzleOrm.sql.raw(usersTableName)}
+            ADD COLUMN IF NOT EXISTS is_anonymous BOOLEAN DEFAULT FALSE
+        `);
+      const mfaFactorsTableName = `"${rolesSchema}"."mfa_factors"`;
+      const mfaChallengesTableName = `"${rolesSchema}"."mfa_challenges"`;
+      const recoveryCodesTableName = `"${rolesSchema}"."recovery_codes"`;
+      await db.execute(drizzleOrm.sql`
+            CREATE TABLE IF NOT EXISTS ${drizzleOrm.sql.raw(mfaFactorsTableName)} (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                user_id ${drizzleOrm.sql.raw(userIdType)} NOT NULL REFERENCES ${drizzleOrm.sql.raw(usersTableName)}(id) ON DELETE CASCADE,
+                factor_type TEXT NOT NULL DEFAULT 'totp',
+                secret_encrypted TEXT NOT NULL,
+                friendly_name TEXT,
+                verified BOOLEAN DEFAULT FALSE,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+            )
+        `);
+      await db.execute(drizzleOrm.sql`
+            CREATE INDEX IF NOT EXISTS idx_mfa_factors_user
+            ON ${drizzleOrm.sql.raw(mfaFactorsTableName)}(user_id)
+        `);
+      await db.execute(drizzleOrm.sql`
+            CREATE TABLE IF NOT EXISTS ${drizzleOrm.sql.raw(mfaChallengesTableName)} (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                factor_id TEXT NOT NULL REFERENCES ${drizzleOrm.sql.raw(mfaFactorsTableName)}(id) ON DELETE CASCADE,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                verified_at TIMESTAMP WITH TIME ZONE,
+                ip_address TEXT,
+                expires_at TIMESTAMP WITH TIME ZONE NOT NULL
+            )
+        `);
+      await db.execute(drizzleOrm.sql`
+            CREATE INDEX IF NOT EXISTS idx_mfa_challenges_factor
+            ON ${drizzleOrm.sql.raw(mfaChallengesTableName)}(factor_id)
+        `);
+      await db.execute(drizzleOrm.sql`
+            CREATE TABLE IF NOT EXISTS ${drizzleOrm.sql.raw(recoveryCodesTableName)} (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                user_id ${drizzleOrm.sql.raw(userIdType)} NOT NULL REFERENCES ${drizzleOrm.sql.raw(usersTableName)}(id) ON DELETE CASCADE,
+                code_hash TEXT NOT NULL,
+                used_at TIMESTAMP WITH TIME ZONE,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+            )
+        `);
+      await db.execute(drizzleOrm.sql`
+            CREATE INDEX IF NOT EXISTS idx_recovery_codes_user
+            ON ${drizzleOrm.sql.raw(recoveryCodesTableName)}(user_id)
+        `);
+      serverCore.logger.info("✅ Auth tables ready");
     } catch (error) {
-      console.error("❌ Failed to create auth tables:", error);
-      console.warn("⚠️ Continuing without creating auth tables.");
+      serverCore.logger.error("❌ Failed to create auth tables", {
+        error
+      });
+      serverCore.logger.warn("⚠️ Continuing without creating auth tables.");
     }
   }
   async function seedDefaultRoles(db, rolesTableName) {
     const result = await db.execute(drizzleOrm.sql`SELECT COUNT(*) as count FROM ${drizzleOrm.sql.raw(rolesTableName)}`);
     const count = parseInt(result.rows[0]?.count || "0", 10);
     if (count > 0) {
-      console.log(`📋 Found ${count} existing roles`);
+      serverCore.logger.info(`📋 Found ${count} existing roles`);
       return;
     }
-    console.log("🌱 Seeding default roles...");
+    serverCore.logger.info("🌱 Seeding default roles...");
     for (const role of DEFAULT_ROLES) {
       await db.execute(drizzleOrm.sql`
-            INSERT INTO ${drizzleOrm.sql.raw(rolesTableName)} (id, name, is_admin, default_permissions, config)
+            INSERT INTO ${drizzleOrm.sql.raw(rolesTableName)} (id, name, is_admin, default_permissions)
             VALUES (
                 ${role.id}, 
                 ${role.name}, 
                 ${role.is_admin}, 
-                ${JSON.stringify(role.default_permissions)}::jsonb, 
-                ${role.config ? JSON.stringify(role.config) : null}::jsonb
+                ${JSON.stringify(role.default_permissions)}::jsonb
             )
             ON CONFLICT (id) DO NOTHING
         `);
     }
-    console.log("✅ Default roles created: admin, editor, viewer");
+    serverCore.logger.info("✅ Default roles created: admin, editor, viewer");
   }
   function getColumnKey(table, ...keys2) {
     if (!table) return void 0;
@@ -10019,12 +10610,13 @@ ${tableRelations.join(",\n")}
       const emailVerified = row.email_verified ?? row.emailVerified ?? false;
       const emailVerificationToken = row.email_verification_token ?? row.emailVerificationToken ?? null;
       const emailVerificationSentAt = row.email_verification_sent_at ?? row.emailVerificationSentAt ?? null;
+      const isAnonymous = row.is_anonymous ?? row.isAnonymous ?? false;
       const createdAt = row.created_at ?? row.createdAt;
       const updatedAt = row.updated_at ?? row.updatedAt;
       const metadata = {
         ...row.metadata || {}
       };
-      const knownKeys = /* @__PURE__ */ new Set(["id", "uid", "email", "password_hash", "passwordHash", "display_name", "displayName", "photo_url", "photoUrl", "photoURL", "email_verified", "emailVerified", "email_verification_token", "emailVerificationToken", "email_verification_sent_at", "emailVerificationSentAt", "created_at", "createdAt", "updated_at", "updatedAt", "metadata"]);
+      const knownKeys = /* @__PURE__ */ new Set(["id", "uid", "email", "password_hash", "passwordHash", "display_name", "displayName", "photo_url", "photoUrl", "photoURL", "email_verified", "emailVerified", "email_verification_token", "emailVerificationToken", "email_verification_sent_at", "emailVerificationSentAt", "is_anonymous", "isAnonymous", "created_at", "createdAt", "updated_at", "updatedAt", "metadata"]);
       for (const [key, val] of Object.entries(row)) {
         if (!knownKeys.has(key)) {
           const camelKey = camelCase(key);
@@ -10040,6 +10632,7 @@ ${tableRelations.join(",\n")}
         emailVerified,
         emailVerificationToken,
         emailVerificationSentAt: emailVerificationSentAt ? new Date(emailVerificationSentAt) : null,
+        isAnonymous,
         createdAt: createdAt ? new Date(createdAt) : /* @__PURE__ */ new Date(),
         updatedAt: updatedAt ? new Date(updatedAt) : /* @__PURE__ */ new Date(),
         metadata
@@ -10056,6 +10649,7 @@ ${tableRelations.join(",\n")}
       const emailVerifiedKey = getColumnKey(this.usersTable, "emailVerified", "email_verified") || "emailVerified";
       const emailVerificationTokenKey = getColumnKey(this.usersTable, "emailVerificationToken", "email_verification_token") || "emailVerificationToken";
       const emailVerificationSentAtKey = getColumnKey(this.usersTable, "emailVerificationSentAt", "email_verification_sent_at") || "emailVerificationSentAt";
+      const isAnonymousKey = getColumnKey(this.usersTable, "isAnonymous", "is_anonymous") || "isAnonymous";
       const createdAtKey = getColumnKey(this.usersTable, "createdAt", "created_at") || "createdAt";
       const updatedAtKey = getColumnKey(this.usersTable, "updatedAt", "updated_at") || "updatedAt";
       const metadataKey = getColumnKey(this.usersTable, "metadata") || "metadata";
@@ -10067,6 +10661,7 @@ ${tableRelations.join(",\n")}
       if ("emailVerified" in data) payload[emailVerifiedKey] = data.emailVerified;
       if ("emailVerificationToken" in data) payload[emailVerificationTokenKey] = data.emailVerificationToken;
       if ("emailVerificationSentAt" in data) payload[emailVerificationSentAtKey] = data.emailVerificationSentAt;
+      if ("isAnonymous" in data) payload[isAnonymousKey] = data.isAnonymous;
       if ("createdAt" in data) payload[createdAtKey] = data.createdAt;
       if ("updatedAt" in data) payload[updatedAtKey] = data.updatedAt;
       const metadata = {
@@ -10075,7 +10670,7 @@ ${tableRelations.join(",\n")}
       const remainingMetadata = {};
       for (const [key, val] of Object.entries(metadata)) {
         const tableColKey = getColumnKey(this.usersTable, key);
-        if (tableColKey && tableColKey !== idKey && tableColKey !== emailKey && tableColKey !== passwordHashKey && tableColKey !== displayNameKey && tableColKey !== photoUrlKey && tableColKey !== emailVerifiedKey && tableColKey !== emailVerificationTokenKey && tableColKey !== emailVerificationSentAtKey && tableColKey !== createdAtKey && tableColKey !== updatedAtKey && tableColKey !== metadataKey) {
+        if (tableColKey && tableColKey !== idKey && tableColKey !== emailKey && tableColKey !== passwordHashKey && tableColKey !== displayNameKey && tableColKey !== photoUrlKey && tableColKey !== emailVerifiedKey && tableColKey !== emailVerificationTokenKey && tableColKey !== emailVerificationSentAtKey && tableColKey !== isAnonymousKey && tableColKey !== createdAtKey && tableColKey !== updatedAtKey && tableColKey !== metadataKey) {
           payload[tableColKey] = val;
         } else {
           remainingMetadata[key] = val;
@@ -10263,7 +10858,7 @@ ${tableRelations.join(",\n")}
     async getUserRoles(userId) {
       const rolesSchema = pgCore.getTableConfig(this.rolesTable).schema || "public";
       const result = await this.db.execute(drizzleOrm.sql`
-            SELECT r.id, r.name, r.is_admin, r.default_permissions, r.collection_permissions, r.config
+            SELECT r.id, r.name, r.is_admin, r.default_permissions, r.collection_permissions
             FROM ${drizzleOrm.sql.raw(`"${rolesSchema}"."roles"`)} r
             INNER JOIN ${drizzleOrm.sql.raw(`"${rolesSchema}"."user_roles"`)} ur ON r.id = ur.role_id
             WHERE ur.user_id = ${userId}
@@ -10273,8 +10868,7 @@ ${tableRelations.join(",\n")}
         name: row.name,
         isAdmin: row.is_admin,
         defaultPermissions: row.default_permissions,
-        collectionPermissions: row.collection_permissions,
-        config: row.config
+        collectionPermissions: row.collection_permissions
       }));
     }
     /**
@@ -10340,7 +10934,7 @@ ${tableRelations.join(",\n")}
     async getRoleById(id) {
       const tableName = this.getQualifiedRolesTableName();
       const result = await this.db.execute(drizzleOrm.sql`
-            SELECT id, name, is_admin, default_permissions, collection_permissions, config
+            SELECT id, name, is_admin, default_permissions, collection_permissions
             FROM ${drizzleOrm.sql.raw(tableName)}
             WHERE id = ${id}
         `);
@@ -10351,14 +10945,13 @@ ${tableRelations.join(",\n")}
         name: row.name,
         isAdmin: row.is_admin,
         defaultPermissions: row.default_permissions,
-        collectionPermissions: row.collection_permissions,
-        config: row.config
+        collectionPermissions: row.collection_permissions
       };
     }
     async listRoles() {
       const tableName = this.getQualifiedRolesTableName();
       const result = await this.db.execute(drizzleOrm.sql`
-            SELECT id, name, is_admin, default_permissions, collection_permissions, config
+            SELECT id, name, is_admin, default_permissions, collection_permissions
             FROM ${drizzleOrm.sql.raw(tableName)}
             ORDER BY name
         `);
@@ -10367,23 +10960,21 @@ ${tableRelations.join(",\n")}
         name: row.name,
         isAdmin: row.is_admin,
         defaultPermissions: row.default_permissions,
-        collectionPermissions: row.collection_permissions,
-        config: row.config
+        collectionPermissions: row.collection_permissions
       }));
     }
     async createRole(data) {
       const tableName = this.getQualifiedRolesTableName();
       const result = await this.db.execute(drizzleOrm.sql`
-            INSERT INTO ${drizzleOrm.sql.raw(tableName)} (id, name, is_admin, default_permissions, collection_permissions, config)
+            INSERT INTO ${drizzleOrm.sql.raw(tableName)} (id, name, is_admin, default_permissions, collection_permissions)
             VALUES (
                 ${data.id},
                 ${data.name},
                 ${data.isAdmin ?? false},
                 ${data.defaultPermissions ? JSON.stringify(data.defaultPermissions) : null}::jsonb,
-                ${data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null}::jsonb,
-                ${data.config ? JSON.stringify(data.config) : null}::jsonb
+                ${data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null}::jsonb
             )
-            RETURNING id, name, is_admin, default_permissions, collection_permissions, config
+            RETURNING id, name, is_admin, default_permissions, collection_permissions
         `);
       const row = result.rows[0];
       return {
@@ -10391,8 +10982,7 @@ ${tableRelations.join(",\n")}
         name: row.name,
         isAdmin: row.is_admin,
         defaultPermissions: row.default_permissions,
-        collectionPermissions: row.collection_permissions,
-        config: row.config
+        collectionPermissions: row.collection_permissions
       };
     }
     async updateRole(id, data) {
@@ -10405,8 +10995,7 @@ ${tableRelations.join(",\n")}
                 name = ${data.name ?? existing.name},
                 is_admin = ${data.isAdmin ?? existing.isAdmin},
                 default_permissions = ${data.defaultPermissions ? JSON.stringify(data.defaultPermissions) : JSON.stringify(existing.defaultPermissions)}::jsonb,
-                collection_permissions = ${data.collectionPermissions !== void 0 ? data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null : existing.collectionPermissions ? JSON.stringify(existing.collectionPermissions) : null}::jsonb,
-                config = ${data.config ? JSON.stringify(data.config) : existing.config ? JSON.stringify(existing.config) : null}::jsonb
+                collection_permissions = ${data.collectionPermissions !== void 0 ? data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null : existing.collectionPermissions ? JSON.stringify(existing.collectionPermissions) : null}::jsonb
             WHERE id = ${id}
         `);
       return this.getRoleById(id);
@@ -10685,8 +11274,7 @@ ${tableRelations.join(",\n")}
       return this.roleService.createRole({
         ...data,
         defaultPermissions: data.defaultPermissions ?? null,
-        collectionPermissions: data.collectionPermissions ?? null,
-        config: data.config ?? null
+        collectionPermissions: data.collectionPermissions ?? null
       });
     }
     async updateRole(id, data) {
@@ -10729,6 +11317,219 @@ ${tableRelations.join(",\n")}
     async deleteExpiredTokens() {
       await this.tokenRepository.deleteExpiredTokens();
     }
+    // MFA operations (delegate to MfaService)
+    _mfaService = null;
+    getMfaService() {
+      if (!this._mfaService) {
+        this._mfaService = new MfaService(this.db);
+      }
+      return this._mfaService;
+    }
+    async createMfaFactor(userId, factorType, secretEncrypted, friendlyName) {
+      return this.getMfaService().createMfaFactor(userId, factorType, secretEncrypted, friendlyName);
+    }
+    async getMfaFactors(userId) {
+      return this.getMfaService().getMfaFactors(userId);
+    }
+    async getMfaFactorById(factorId) {
+      return this.getMfaService().getMfaFactorById(factorId);
+    }
+    async verifyMfaFactor(factorId) {
+      return this.getMfaService().verifyMfaFactor(factorId);
+    }
+    async deleteMfaFactor(factorId, userId) {
+      return this.getMfaService().deleteMfaFactor(factorId, userId);
+    }
+    async createMfaChallenge(factorId, ipAddress) {
+      return this.getMfaService().createMfaChallenge(factorId, ipAddress);
+    }
+    async getMfaChallengeById(challengeId) {
+      return this.getMfaService().getMfaChallengeById(challengeId);
+    }
+    async verifyMfaChallenge(challengeId) {
+      return this.getMfaService().verifyMfaChallenge(challengeId);
+    }
+    async createRecoveryCodes(userId, codeHashes) {
+      return this.getMfaService().createRecoveryCodes(userId, codeHashes);
+    }
+    async useRecoveryCode(userId, codeHash) {
+      return this.getMfaService().useRecoveryCode(userId, codeHash);
+    }
+    async getUnusedRecoveryCodeCount(userId) {
+      return this.getMfaService().getUnusedRecoveryCodeCount(userId);
+    }
+    async deleteAllRecoveryCodes(userId) {
+      return this.getMfaService().deleteAllRecoveryCodes(userId);
+    }
+    async hasVerifiedMfaFactors(userId) {
+      return this.getMfaService().hasVerifiedMfaFactors(userId);
+    }
+  }
+  class MfaService {
+    constructor(db, schemaName = "rebase") {
+      this.db = db;
+      this.schemaName = schemaName;
+    }
+    qualify(tableName) {
+      return `"${this.schemaName}"."${tableName}"`;
+    }
+    async createMfaFactor(userId, factorType, secretEncrypted, friendlyName) {
+      const tableName = this.qualify("mfa_factors");
+      const result = await this.db.execute(drizzleOrm.sql`
+            INSERT INTO ${drizzleOrm.sql.raw(tableName)} (user_id, factor_type, secret_encrypted, friendly_name)
+            VALUES (${userId}, ${factorType}, ${secretEncrypted}, ${friendlyName ?? null})
+            RETURNING id, user_id, factor_type, friendly_name, verified, created_at, updated_at
+        `);
+      const row = result.rows[0];
+      return {
+        id: row.id,
+        userId: row.user_id,
+        factorType: row.factor_type,
+        friendlyName: row.friendly_name ?? void 0,
+        verified: row.verified,
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at)
+      };
+    }
+    async getMfaFactors(userId) {
+      const tableName = this.qualify("mfa_factors");
+      const result = await this.db.execute(drizzleOrm.sql`
+            SELECT id, user_id, factor_type, friendly_name, verified, created_at, updated_at
+            FROM ${drizzleOrm.sql.raw(tableName)}
+            WHERE user_id = ${userId}
+            ORDER BY created_at
+        `);
+      return result.rows.map((row) => ({
+        id: row.id,
+        userId: row.user_id,
+        factorType: row.factor_type,
+        friendlyName: row.friendly_name ?? void 0,
+        verified: row.verified,
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at)
+      }));
+    }
+    async getMfaFactorById(factorId) {
+      const tableName = this.qualify("mfa_factors");
+      const result = await this.db.execute(drizzleOrm.sql`
+            SELECT id, user_id, factor_type, secret_encrypted, friendly_name, verified, created_at, updated_at
+            FROM ${drizzleOrm.sql.raw(tableName)}
+            WHERE id = ${factorId}
+        `);
+      if (result.rows.length === 0) return null;
+      const row = result.rows[0];
+      return {
+        id: row.id,
+        userId: row.user_id,
+        factorType: row.factor_type,
+        secretEncrypted: row.secret_encrypted,
+        friendlyName: row.friendly_name ?? void 0,
+        verified: row.verified,
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at)
+      };
+    }
+    async verifyMfaFactor(factorId) {
+      const tableName = this.qualify("mfa_factors");
+      await this.db.execute(drizzleOrm.sql`
+            UPDATE ${drizzleOrm.sql.raw(tableName)}
+            SET verified = TRUE, updated_at = NOW()
+            WHERE id = ${factorId}
+        `);
+    }
+    async deleteMfaFactor(factorId, userId) {
+      const tableName = this.qualify("mfa_factors");
+      await this.db.execute(drizzleOrm.sql`
+            DELETE FROM ${drizzleOrm.sql.raw(tableName)}
+            WHERE id = ${factorId} AND user_id = ${userId}
+        `);
+    }
+    async createMfaChallenge(factorId, ipAddress) {
+      const tableName = this.qualify("mfa_challenges");
+      const expiresAt = new Date(Date.now() + 5 * 60 * 1e3);
+      const result = await this.db.execute(drizzleOrm.sql`
+            INSERT INTO ${drizzleOrm.sql.raw(tableName)} (factor_id, ip_address, expires_at)
+            VALUES (${factorId}, ${ipAddress ?? null}, ${expiresAt})
+            RETURNING id, factor_id, created_at, verified_at, ip_address
+        `);
+      const row = result.rows[0];
+      return {
+        id: row.id,
+        factorId: row.factor_id,
+        createdAt: new Date(row.created_at),
+        verifiedAt: row.verified_at ? new Date(row.verified_at) : void 0,
+        ipAddress: row.ip_address ?? void 0
+      };
+    }
+    async getMfaChallengeById(challengeId) {
+      const tableName = this.qualify("mfa_challenges");
+      const result = await this.db.execute(drizzleOrm.sql`
+            SELECT id, factor_id, created_at, verified_at, ip_address, expires_at
+            FROM ${drizzleOrm.sql.raw(tableName)}
+            WHERE id = ${challengeId} AND expires_at > NOW() AND verified_at IS NULL
+        `);
+      if (result.rows.length === 0) return null;
+      const row = result.rows[0];
+      return {
+        id: row.id,
+        factorId: row.factor_id,
+        createdAt: new Date(row.created_at),
+        verifiedAt: row.verified_at ? new Date(row.verified_at) : void 0,
+        ipAddress: row.ip_address ?? void 0
+      };
+    }
+    async verifyMfaChallenge(challengeId) {
+      const tableName = this.qualify("mfa_challenges");
+      await this.db.execute(drizzleOrm.sql`
+            UPDATE ${drizzleOrm.sql.raw(tableName)}
+            SET verified_at = NOW()
+            WHERE id = ${challengeId}
+        `);
+    }
+    async createRecoveryCodes(userId, codeHashes) {
+      const tableName = this.qualify("recovery_codes");
+      await this.db.execute(drizzleOrm.sql`
+            DELETE FROM ${drizzleOrm.sql.raw(tableName)} WHERE user_id = ${userId}
+        `);
+      for (const hash of codeHashes) {
+        await this.db.execute(drizzleOrm.sql`
+                INSERT INTO ${drizzleOrm.sql.raw(tableName)} (user_id, code_hash)
+                VALUES (${userId}, ${hash})
+            `);
+      }
+    }
+    async useRecoveryCode(userId, codeHash) {
+      const tableName = this.qualify("recovery_codes");
+      const result = await this.db.execute(drizzleOrm.sql`
+            UPDATE ${drizzleOrm.sql.raw(tableName)}
+            SET used_at = NOW()
+            WHERE user_id = ${userId} AND code_hash = ${codeHash} AND used_at IS NULL
+            RETURNING id
+        `);
+      return result.rows.length > 0;
+    }
+    async getUnusedRecoveryCodeCount(userId) {
+      const tableName = this.qualify("recovery_codes");
+      const result = await this.db.execute(drizzleOrm.sql`
+            SELECT COUNT(*)::int as count FROM ${drizzleOrm.sql.raw(tableName)}
+            WHERE user_id = ${userId} AND used_at IS NULL
+        `);
+      return result.rows[0].count;
+    }
+    async deleteAllRecoveryCodes(userId) {
+      const tableName = this.qualify("recovery_codes");
+      await this.db.execute(drizzleOrm.sql`
+            DELETE FROM ${drizzleOrm.sql.raw(tableName)} WHERE user_id = ${userId}
+        `);
+    }
+    async hasVerifiedMfaFactors(userId) {
+      const tableName = this.qualify("mfa_factors");
+      const result = await this.db.execute(drizzleOrm.sql`
+            SELECT COUNT(*)::int as count FROM ${drizzleOrm.sql.raw(tableName)}
+            WHERE user_id = ${userId} AND verified = TRUE
+        `);
+      return result.rows[0].count > 0;
+    }
   }
   const DEFAULT_RETENTION = {
     maxEntries: 200,
@@ -10939,7 +11740,7 @@ ${tableRelations.join(",\n")}
         const registry = new PostgresCollectionRegistry();
         if (collections) {
           registry.registerMultiple(collections);
-          console.log(`📋 [PostgresRegistry] Registered ${registry.getCollections().length} collections: [${registry.getCollections().map((c) => c.slug).join(", ")}]`);
+          serverCore.logger.info(`📋 [PostgresRegistry] Registered ${registry.getCollections().length} collections: [${registry.getCollections().map((c) => c.slug).join(", ")}]`);
         }
         if (pgConfig.schema?.tables) {
           Object.values(pgConfig.schema.tables).forEach((table) => {
@@ -10965,10 +11766,28 @@ ${tableRelations.join(",\n")}
         try {
           await schemaAwareDb.execute(drizzleOrm.sql`SELECT 1`);
         } catch (err) {
-          console.error("❌ Failed to connect to PostgreSQL:", err);
-          console.warn("⚠️ Continuing without initial database verification. Drizzle/PG will attempt to connect on subsequent queries.");
+          serverCore.logger.error("❌ Failed to connect to PostgreSQL", {
+            error: err
+          });
+          serverCore.logger.warn("⚠️ Continuing without initial database verification. Drizzle/PG will attempt to connect on subsequent queries.");
         }
         const realtimeService = new RealtimeService(schemaAwareDb, registry);
+        let readDb;
+        const readUrl = process.env.DATABASE_READ_URL;
+        if (readUrl && readUrl !== pgConfig.connectionString) {
+          try {
+            const {
+              createReadReplicaConnection: createReadReplicaConnection2
+            } = await Promise.resolve().then(() => connection);
+            const readResources = createReadReplicaConnection2(readUrl, mergedSchema);
+            readDb = readResources.db;
+            serverCore.logger.info("📖 [PostgresBootstrapper] Read replica connection established");
+          } catch (err) {
+            serverCore.logger.warn("⚠️ Could not connect to read replica, falling back to primary for all queries", {
+              error: err
+            });
+          }
+        }
         const poolManager = pgConfig.adminConnectionString ? new DatabasePoolManager(pgConfig.adminConnectionString) : void 0;
         const driver = new PostgresBackendDriver(schemaAwareDb, realtimeService, registry, void 0, poolManager);
         realtimeService.setDataDriver(driver);
@@ -10976,18 +11795,24 @@ ${tableRelations.join(",\n")}
           try {
             await driver.branchService.ensureBranchMetadataTable();
           } catch (err) {
-            console.warn("⚠️ Could not initialize branch metadata table:", err);
+            serverCore.logger.warn("⚠️ Could not initialize branch metadata table", {
+              error: err
+            });
           }
         }
-        if (pgConfig.connectionString) {
+        const directUrl = process.env.DATABASE_DIRECT_URL || pgConfig.connectionString;
+        if (directUrl) {
           try {
-            await realtimeService.startListening(pgConfig.connectionString);
+            await realtimeService.startListening(directUrl);
           } catch (err) {
-            console.warn("⚠️ Cross-instance realtime could not be started:", err);
+            serverCore.logger.warn("⚠️ Cross-instance realtime could not be started", {
+              error: err
+            });
           }
         }
         const internals = {
           db: schemaAwareDb,
+          readDb,
           registry,
           realtimeService,
           driver,
@@ -11124,14 +11949,22 @@ ${tableRelations.join(",\n")}
   exports2.RealtimeService = RealtimeService;
   exports2.appConfig = appConfig;
   exports2.createAuthSchema = createAuthSchema;
+  exports2.createDirectDatabaseConnection = createDirectDatabaseConnection;
   exports2.createPostgresAdapter = createPostgresAdapter;
   exports2.createPostgresBootstrapper = createPostgresBootstrapper;
   exports2.createPostgresDatabaseConnection = createPostgresDatabaseConnection;
   exports2.createPostgresWebSocket = createPostgresWebSocket;
+  exports2.createReadReplicaConnection = createReadReplicaConnection;
   exports2.generateSchema = generateSchema;
+  exports2.mfaChallenges = mfaChallenges;
+  exports2.mfaChallengesRelations = mfaChallengesRelations;
+  exports2.mfaFactors = mfaFactors;
+  exports2.mfaFactorsRelations = mfaFactorsRelations;
   exports2.passwordResetTokens = passwordResetTokens;
   exports2.passwordResetTokensRelations = passwordResetTokensRelations;
   exports2.rebaseSchema = rebaseSchema;
+  exports2.recoveryCodes = recoveryCodes;
+  exports2.recoveryCodesRelations = recoveryCodesRelations;
   exports2.refreshTokens = refreshTokens;
   exports2.refreshTokensRelations = refreshTokensRelations;
   exports2.roles = roles;