@rpcbase/server 0.472.0 → 0.474.0

package/dist/handler-CGko2pJM.js

@@ -0,0 +1,500 @@
+import { loadModel, getTenantFilesystemDb } from "@rpcbase/db";
+import { GridFSBucket, ObjectId } from "mongodb";
+import { g as getTenantId, a as getModelCtx, b as getOwnershipSelector, e as ensureUploadIndexes, c as getBucketName, d as getUserId, f as getChunkSizeBytes, h as getSessionTtlMs, i as computeSha256Hex, t as toBufferPayload, n as normalizeSha256Hex, j as getMaxClientUploadBytesPerSecond, k as getRawBodyLimitBytes } from "./shared-8XhCreJo.js";
+import { randomBytes } from "node:crypto";
+import { o as object, n as number, s as string, b as boolean, a as array, _ as _enum } from "./schemas-CyxqObur.js";
+const waitForStreamFinished = async (stream) => new Promise((resolve, reject) => {
+  stream.once("finish", resolve);
+  stream.once("error", reject);
+});
+const writeToStream = async (stream, chunk) => {
+  const ok = stream.write(chunk);
+  if (ok) return;
+  await new Promise((resolve, reject) => {
+    const onDrain = () => {
+      cleanup();
+      resolve();
+    };
+    const onError = (error) => {
+      cleanup();
+      reject(error);
+    };
+    const cleanup = () => {
+      stream.off("drain", onDrain);
+      stream.off("error", onError);
+    };
+    stream.on("drain", onDrain);
+    stream.on("error", onError);
+  });
+};
+const abortUploadStream = async (stream) => {
+  if (!stream) return;
+  if (typeof stream.abort === "function") {
+    try {
+      await stream.abort();
+      return;
+    } catch {
+    }
+  }
+  try {
+    stream.destroy();
+  } catch {
+  }
+};
+const completeUpload = async (_payload, ctx) => {
+  const tenantId = getTenantId(ctx);
+  if (!tenantId) {
+    ctx.res.status(400);
+    return { ok: false, error: "tenant_missing" };
+  }
+  const uploadId = String(ctx.req.params?.uploadId ?? "").trim();
+  if (!uploadId) {
+    ctx.res.status(400);
+    return { ok: false, error: "invalid_upload_id" };
+  }
+  const modelCtx = getModelCtx(ctx, tenantId);
+  const [UploadSession, UploadChunk] = await Promise.all([
+    loadModel("RBUploadSession", modelCtx),
+    loadModel("RBUploadChunk", modelCtx)
+  ]);
+  const existing = await UploadSession.findOne({ _id: uploadId }).lean();
+  if (!existing) {
+    ctx.res.status(404);
+    return { ok: false, error: "not_found" };
+  }
+  const ownershipSelector = getOwnershipSelector(ctx, existing);
+  if (!ownershipSelector) {
+    ctx.res.status(401);
+    return { ok: false, error: "unauthorized" };
+  }
+  if (existing.status === "done" && existing.fileId) {
+    return { ok: true, fileId: existing.fileId };
+  }
+  const locked = await UploadSession.findOneAndUpdate(
+    { _id: uploadId, ...ownershipSelector, status: "uploading" },
+    { $set: { status: "assembling" }, $unset: { error: "" } },
+    { new: true }
+  ).lean();
+  if (!locked) {
+    ctx.res.status(409);
+    return { ok: false, error: "not_uploading" };
+  }
+  await ensureUploadIndexes(UploadSession, UploadChunk);
+  const fsDb = await getTenantFilesystemDb(tenantId);
+  const nativeDb = fsDb.db;
+  if (!nativeDb) {
+    await UploadSession.updateOne(
+      { _id: uploadId, ...ownershipSelector },
+      { $set: { status: "error", error: "filesystem_db_unavailable" } }
+    );
+    ctx.res.status(500);
+    return { ok: false, error: "assembly_failed" };
+  }
+  const bucketName = getBucketName();
+  const bucket = new GridFSBucket(nativeDb, { bucketName });
+  const lockedUserId = typeof locked.userId === "string" ? locked.userId : void 0;
+  const uploadStream = bucket.openUploadStream(locked.filename, {
+    metadata: {
+      uploadId,
+      tenantId,
+      mimeType: locked.mimeType,
+      totalSize: locked.totalSize,
+      ...lockedUserId ? { userId: lockedUserId } : {}
+    }
+  });
+  try {
+    const cursor = UploadChunk.find({ uploadId }).sort({ index: 1 }).cursor();
+    let expectedIndex = 0;
+    try {
+      for await (const doc of cursor) {
+        const chunkDoc = doc;
+        if (chunkDoc.index !== expectedIndex) {
+          throw new Error("missing_chunks");
+        }
+        await writeToStream(uploadStream, chunkDoc.data);
+        expectedIndex += 1;
+      }
+    } finally {
+      try {
+        await cursor.close();
+      } catch {
+      }
+    }
+    if (expectedIndex !== locked.chunksTotal) {
+      throw new Error("missing_chunks");
+    }
+    const finished = waitForStreamFinished(uploadStream);
+    uploadStream.end();
+    await finished;
+    const fileId = String(uploadStream.id ?? "");
+    if (!fileId) {
+      throw new Error("missing_file_id");
+    }
+    await UploadSession.updateOne(
+      { _id: uploadId, ...ownershipSelector },
+      { $set: { status: "done", fileId }, $unset: { error: "" } }
+    );
+    try {
+      await UploadChunk.deleteMany({ uploadId });
+    } catch {
+    }
+    return { ok: true, fileId };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    await abortUploadStream(uploadStream);
+    if (message === "missing_chunks") {
+      await UploadSession.updateOne(
+        { _id: uploadId, ...ownershipSelector },
+        { $set: { status: "uploading" } }
+      );
+      ctx.res.status(409);
+      return { ok: false, error: "missing_chunks" };
+    }
+    await UploadSession.updateOne(
+      { _id: uploadId, ...ownershipSelector },
+      { $set: { status: "error", error: message } }
+    );
+    ctx.res.status(500);
+    return { ok: false, error: "assembly_failed" };
+  }
+};
+const getStatus = async (_payload, ctx) => {
+  const tenantId = getTenantId(ctx);
+  if (!tenantId) {
+    ctx.res.status(400);
+    return { ok: false, error: "tenant_missing" };
+  }
+  const uploadId = String(ctx.req.params?.uploadId ?? "").trim();
+  if (!uploadId) {
+    ctx.res.status(400);
+    return { ok: false, error: "invalid_upload_id" };
+  }
+  const modelCtx = getModelCtx(ctx, tenantId);
+  const [UploadSession, UploadChunk] = await Promise.all([
+    loadModel("RBUploadSession", modelCtx),
+    loadModel("RBUploadChunk", modelCtx)
+  ]);
+  const session = await UploadSession.findOne({ _id: uploadId }).lean();
+  if (!session) {
+    ctx.res.status(404);
+    return { ok: false, error: "not_found" };
+  }
+  const ownershipSelector = getOwnershipSelector(ctx, session);
+  if (!ownershipSelector) {
+    ctx.res.status(401);
+    return { ok: false, error: "unauthorized" };
+  }
+  const receivedDocs = await UploadChunk.find(
+    { uploadId },
+    { index: 1, _id: 0 }
+  ).sort({ index: 1 }).lean();
+  const received = receivedDocs.map((d) => Number(d?.index ?? -1)).filter((n) => Number.isInteger(n) && n >= 0);
+  return {
+    ok: true,
+    status: session.status,
+    chunkSize: session.chunkSize,
+    chunksTotal: session.chunksTotal,
+    received,
+    ...session.fileId ? { fileId: session.fileId } : {}
+  };
+};
+const InitRoute = "/api/rb/file-uploads";
+const ChunkRoute = "/api/rb/file-uploads/:uploadId/chunks/:index";
+const StatusRoute = "/api/rb/file-uploads/:uploadId/status";
+const CompleteRoute = "/api/rb/file-uploads/:uploadId/complete";
+const initRequestSchema = object({
+  filename: string().min(1),
+  mimeType: string().min(1),
+  totalSize: number().int().min(1)
+});
+object({
+  ok: boolean(),
+  error: string().optional(),
+  uploadId: string().optional(),
+  uploadKey: string().optional(),
+  chunkSize: number().int().optional(),
+  chunksTotal: number().int().optional()
+});
+object({
+  ok: boolean(),
+  error: string().optional(),
+  status: _enum(["uploading", "assembling", "done", "error"]).optional(),
+  chunkSize: number().int().optional(),
+  chunksTotal: number().int().optional(),
+  received: array(number().int().min(0)).optional(),
+  fileId: string().optional()
+});
+object({
+  ok: boolean(),
+  error: string().optional(),
+  fileId: string().optional()
+});
+const initUpload = async (payload, ctx) => {
+  const tenantId = getTenantId(ctx);
+  if (!tenantId) {
+    ctx.res.status(400);
+    return { ok: false, error: "tenant_missing" };
+  }
+  const userId = getUserId(ctx);
+  const parsed = initRequestSchema.safeParse(payload ?? {});
+  if (!parsed.success) {
+    ctx.res.status(400);
+    return { ok: false, error: "invalid_payload" };
+  }
+  const chunkSize = getChunkSizeBytes();
+  const { filename, mimeType, totalSize } = parsed.data;
+  const chunksTotal = Math.ceil(totalSize / chunkSize);
+  const modelCtx = getModelCtx(ctx, tenantId);
+  const [UploadSession, UploadChunk] = await Promise.all([
+    loadModel("RBUploadSession", modelCtx),
+    loadModel("RBUploadChunk", modelCtx)
+  ]);
+  await ensureUploadIndexes(UploadSession, UploadChunk);
+  const uploadId = new ObjectId().toString();
+  const now = Date.now();
+  const expiresAt = new Date(now + getSessionTtlMs());
+  const uploadKey = userId ? null : randomBytes(32).toString("base64url");
+  const ownerKeyHash = uploadKey ? computeSha256Hex(Buffer.from(uploadKey)) : void 0;
+  await UploadSession.create({
+    _id: uploadId,
+    ...userId ? { userId } : {},
+    ...ownerKeyHash ? { ownerKeyHash } : {},
+    filename,
+    mimeType,
+    totalSize,
+    chunkSize,
+    chunksTotal,
+    status: "uploading",
+    createdAt: new Date(now),
+    expiresAt
+  });
+  return {
+    ok: true,
+    uploadId,
+    chunkSize,
+    chunksTotal,
+    ...uploadKey ? { uploadKey } : {}
+  };
+};
+const uploadChunk = async (payload, ctx) => {
+  const tenantId = getTenantId(ctx);
+  if (!tenantId) {
+    ctx.res.status(400);
+    return { ok: false, error: "tenant_missing" };
+  }
+  const uploadId = String(ctx.req.params?.uploadId ?? "").trim();
+  const indexRaw = String(ctx.req.params?.index ?? "").trim();
+  const index = Number(indexRaw);
+  if (!uploadId || !Number.isInteger(index) || index < 0) {
+    ctx.res.status(400);
+    return { ok: false, error: "invalid_chunk_ref" };
+  }
+  const modelCtx = getModelCtx(ctx, tenantId);
+  const [UploadSession, UploadChunk] = await Promise.all([
+    loadModel("RBUploadSession", modelCtx),
+    loadModel("RBUploadChunk", modelCtx)
+  ]);
+  const session = await UploadSession.findOne({ _id: uploadId }).lean();
+  if (!session) {
+    ctx.res.status(404);
+    return { ok: false, error: "not_found" };
+  }
+  const ownershipSelector = getOwnershipSelector(ctx, session);
+  if (!ownershipSelector) {
+    ctx.res.status(401);
+    return { ok: false, error: "unauthorized" };
+  }
+  if (session.status !== "uploading") {
+    ctx.res.status(409);
+    return { ok: false, error: "not_uploading" };
+  }
+  if (index >= session.chunksTotal) {
+    ctx.res.status(400);
+    return { ok: false, error: "index_out_of_range" };
+  }
+  const data = toBufferPayload(payload);
+  if (!data) {
+    ctx.res.status(400);
+    return { ok: false, error: "invalid_body" };
+  }
+  const expectedSize = index === session.chunksTotal - 1 ? session.totalSize - session.chunkSize * (session.chunksTotal - 1) : session.chunkSize;
+  if (data.length > expectedSize) {
+    ctx.res.status(413);
+    return { ok: false, error: "chunk_too_large" };
+  }
+  if (data.length !== expectedSize) {
+    ctx.res.status(400);
+    return { ok: false, error: "invalid_chunk_size" };
+  }
+  const checksumHeader = ctx.req.get("X-Chunk-SHA256");
+  const sha256 = checksumHeader ? computeSha256Hex(data) : void 0;
+  if (checksumHeader) {
+    const expectedSha256 = normalizeSha256Hex(checksumHeader);
+    if (sha256 !== expectedSha256) {
+      ctx.res.status(400);
+      return { ok: false, error: "checksum_mismatch" };
+    }
+  }
+  await ensureUploadIndexes(UploadSession, UploadChunk);
+  await UploadChunk.updateOne(
+    { uploadId, index },
+    {
+      $set: {
+        uploadId,
+        index,
+        data,
+        size: data.length,
+        sha256,
+        expiresAt: session.expiresAt
+      },
+      $setOnInsert: {
+        createdAt: /* @__PURE__ */ new Date()
+      }
+    },
+    { upsert: true }
+  );
+  ctx.res.status(204);
+  return { ok: true };
+};
+const rawBodyParser = ({
+  limitBytes,
+  maxClientBytesPerSecond
+}) => {
+  return (req, res, next) => {
+    const contentType = typeof req?.headers?.["content-type"] === "string" ? String(req.headers["content-type"]) : "";
+    if (!contentType.includes("application/octet-stream")) {
+      next();
+      return;
+    }
+    let total = 0;
+    const chunks = [];
+    let done = false;
+    let paused = false;
+    let throttleTimeout = null;
+    const rateBytesPerSecond = typeof maxClientBytesPerSecond === "number" && maxClientBytesPerSecond > 0 ? maxClientBytesPerSecond : null;
+    const cleanup = () => {
+      req.off("data", onData);
+      req.off("end", onEnd);
+      req.off("error", onError);
+      req.off("aborted", onAborted);
+      if (throttleTimeout) {
+        clearTimeout(throttleTimeout);
+        throttleTimeout = null;
+      }
+    };
+    const finish = (error) => {
+      if (done) return;
+      done = true;
+      cleanup();
+      if (error) {
+        next(error);
+        return;
+      }
+      req.body = Buffer.concat(chunks, total);
+      next();
+    };
+    const onData = (chunk) => {
+      if (done) return;
+      const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+      total += buffer.length;
+      if (total > limitBytes) {
+        done = true;
+        cleanup();
+        req.destroy();
+        res.status(413).json({ ok: false, error: "chunk_too_large" });
+        return;
+      }
+      chunks.push(buffer);
+      if (!rateBytesPerSecond) return;
+      const now = Date.now();
+      const clientKey = getClientKey(req);
+      const state = getClientRateState(clientKey, rateBytesPerSecond, now);
+      const waitMs = consumeRateBudget(state, buffer.length, rateBytesPerSecond, now);
+      if (waitMs > 0 && !paused) {
+        paused = true;
+        req.pause();
+        throttleTimeout = setTimeout(() => {
+          throttleTimeout = null;
+          paused = false;
+          if (done) return;
+          try {
+            req.resume();
+          } catch {
+          }
+        }, waitMs);
+      }
+    };
+    const onEnd = () => finish();
+    const onError = (err) => finish(err);
+    const onAborted = () => finish(new Error("request_aborted"));
+    req.on("data", onData);
+    req.on("end", onEnd);
+    req.on("error", onError);
+    req.on("aborted", onAborted);
+  };
+};
+const MAX_BURST_SECONDS = 1;
+const STALE_CLIENT_MS = 15 * 60 * 1e3;
+const clientRateStates = /* @__PURE__ */ new Map();
+let lastCleanupMs = 0;
+const getClientKey = (req) => {
+  const rawClientIp = typeof req?.clientIp === "string" ? req.clientIp : "";
+  if (rawClientIp.trim()) return rawClientIp.trim();
+  const rawIp = typeof req?.ip === "string" ? req.ip : "";
+  return rawIp.trim() || "unknown";
+};
+const maybeCleanupStates = (now) => {
+  if (now - lastCleanupMs < 6e4) return;
+  lastCleanupMs = now;
+  if (clientRateStates.size < 2e3) return;
+  for (const [key, state] of clientRateStates) {
+    if (now - state.lastSeenMs > STALE_CLIENT_MS) {
+      clientRateStates.delete(key);
+    }
+  }
+};
+const getClientRateState = (key, rateBytesPerSecond, now) => {
+  maybeCleanupStates(now);
+  const capacity = rateBytesPerSecond * MAX_BURST_SECONDS;
+  const existing = clientRateStates.get(key);
+  if (existing) {
+    existing.lastSeenMs = now;
+    existing.tokens = Math.min(capacity, existing.tokens);
+    return existing;
+  }
+  const next = {
+    tokens: capacity,
+    lastRefillMs: now,
+    lastSeenMs: now
+  };
+  clientRateStates.set(key, next);
+  return next;
+};
+const consumeRateBudget = (state, bytes, rateBytesPerSecond, now) => {
+  const capacity = rateBytesPerSecond * MAX_BURST_SECONDS;
+  const elapsedMs = Math.max(0, now - state.lastRefillMs);
+  if (elapsedMs > 0) {
+    state.tokens = Math.min(capacity, state.tokens + elapsedMs * rateBytesPerSecond / 1e3);
+    state.lastRefillMs = now;
+  }
+  state.tokens -= bytes;
+  if (state.tokens >= 0) return 0;
+  return Math.ceil(-state.tokens / rateBytesPerSecond * 1e3);
+};
+const handler = (api) => {
+  const chunkSizeBytes = getChunkSizeBytes();
+  api.use(
+    InitRoute,
+    rawBodyParser({
+      limitBytes: getRawBodyLimitBytes(chunkSizeBytes),
+      maxClientBytesPerSecond: getMaxClientUploadBytesPerSecond()
+    })
+  );
+  api.post(InitRoute, initUpload);
+  api.put(ChunkRoute, uploadChunk);
+  api.get(StatusRoute, getStatus);
+  api.post(CompleteRoute, completeUpload);
+};
+export {
+  handler as default
+};

package/dist/handler-D6oN38vE.js

@@ -0,0 +1,122 @@
+import { getTenantFilesystemDb } from "@rpcbase/db";
+import { ObjectId, GridFSBucket } from "mongodb";
+import { g as getTenantId, c as getBucketName } from "./shared-8XhCreJo.js";
+const deleteFile = async (_payload, ctx) => {
+  const tenantId = getTenantId(ctx);
+  if (!tenantId) {
+    ctx.res.status(400);
+    return { ok: false, error: "tenant_missing" };
+  }
+  const fileIdRaw = String(ctx.req.params?.fileId ?? "").trim();
+  let fileObjectId;
+  try {
+    fileObjectId = new ObjectId(fileIdRaw);
+  } catch {
+    ctx.res.status(400);
+    return { ok: false, error: "invalid_file_id" };
+  }
+  const fsDb = await getTenantFilesystemDb(tenantId);
+  const nativeDb = fsDb.db;
+  if (!nativeDb) {
+    ctx.res.status(500);
+    return { ok: false, error: "filesystem_db_unavailable" };
+  }
+  const bucketName = getBucketName();
+  const bucket = new GridFSBucket(nativeDb, { bucketName });
+  try {
+    await bucket.delete(fileObjectId);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (!message.includes("FileNotFound")) {
+      ctx.res.status(500);
+      return { ok: false, error: "delete_failed" };
+    }
+  }
+  ctx.res.status(204);
+  return { ok: true };
+};
+const resolveHeaderString = (value) => {
+  if (typeof value !== "string") return null;
+  const normalized = value.trim();
+  return normalized ? normalized : null;
+};
+const escapeHeaderFilename = (filename) => filename.replace(/[\\"]/g, "_");
+const getFile = async (_payload, ctx) => {
+  const tenantId = getTenantId(ctx);
+  if (!tenantId) {
+    ctx.res.status(400).end();
+    return {};
+  }
+  const fileIdRaw = String(ctx.req.params?.fileId ?? "").trim();
+  let fileObjectId;
+  try {
+    fileObjectId = new ObjectId(fileIdRaw);
+  } catch {
+    ctx.res.status(400).end();
+    return {};
+  }
+  const fsDb = await getTenantFilesystemDb(tenantId);
+  const nativeDb = fsDb.db;
+  if (!nativeDb) {
+    ctx.res.status(500).end();
+    return {};
+  }
+  const bucketName = getBucketName();
+  const bucket = new GridFSBucket(nativeDb, { bucketName });
+  const [file] = await bucket.find({ _id: fileObjectId }).limit(1).toArray();
+  if (!file) {
+    ctx.res.status(404).end();
+    return {};
+  }
+  const mimeTypeFromMetadata = resolveHeaderString(file?.metadata?.mimeType);
+  const mimeType = mimeTypeFromMetadata ?? "application/octet-stream";
+  const filenameFromDb = resolveHeaderString(file?.filename);
+  const filename = filenameFromDb ?? fileIdRaw;
+  const filenameSafe = escapeHeaderFilename(filename);
+  const cacheControl = "private, max-age=0, must-revalidate";
+  const md5 = resolveHeaderString(file?.md5);
+  const uploadDate = file?.uploadDate instanceof Date ? file.uploadDate : null;
+  const etagValue = md5 ?? `${fileObjectId.toHexString()}-${String(file?.length ?? 0)}-${String(uploadDate?.getTime() ?? 0)}`;
+  const etag = md5 ? `"${etagValue}"` : `W/"${etagValue}"`;
+  const ifNoneMatch = resolveHeaderString(ctx.req.headers?.["if-none-match"]);
+  if (ifNoneMatch) {
+    const candidates = ifNoneMatch.split(",").map((value) => value.trim()).filter(Boolean);
+    if (candidates.includes("*") || candidates.includes(etag)) {
+      ctx.res.status(304);
+      ctx.res.setHeader("Cache-Control", cacheControl);
+      ctx.res.setHeader("ETag", etag);
+      ctx.res.end();
+      return {};
+    }
+  }
+  ctx.res.status(200);
+  ctx.res.setHeader("Content-Type", mimeType);
+  ctx.res.setHeader("Content-Length", String(file?.length ?? 0));
+  ctx.res.setHeader("Content-Disposition", `inline; filename="${filenameSafe}"`);
+  ctx.res.setHeader("Cache-Control", cacheControl);
+  ctx.res.setHeader("ETag", etag);
+  ctx.res.flushHeaders();
+  if (ctx.req.method === "HEAD") {
+    ctx.res.end();
+    return {};
+  }
+  const stream = bucket.openDownloadStream(fileObjectId);
+  stream.on("error", () => {
+    try {
+      ctx.res.destroy();
+    } catch {
+    }
+  });
+  stream.pipe(ctx.res);
+  return {};
+};
+const Route = "/api/rb/files/:fileId";
+const GetRoute = Route;
+const DeleteRoute = Route;
+const handler = (api) => {
+  api.get(GetRoute, getFile);
+  api.delete(DeleteRoute, deleteFile);
+};
+export {
+  handler as default
+};

package/dist/handler-ybYk2VTq.js

@@ -0,0 +1,109 @@
+import { loadModel, ZRBRtsChangeOp } from "@rpcbase/db";
+import { o as object, a as array, s as string, n as number, b as boolean, _ as _enum } from "./schemas-CyxqObur.js";
+const Route = "/api/rb/rts/changes";
+const requestSchema = object({
+  sinceSeq: number().int().min(0).default(0),
+  limit: number().int().min(1).max(5e3).default(2e3),
+  modelNames: array(string().min(1)).optional()
+});
+object({
+  ok: boolean(),
+  needsFullResync: boolean().optional(),
+  earliestSeq: number().int().min(0).optional(),
+  latestSeq: number().int().min(0),
+  changes: array(object({
+    seq: number().int().min(1),
+    modelName: string().min(1),
+    op: _enum(["delete", "reset_model"]),
+    docId: string().optional()
+  }))
+});
+const getTenantId = (ctx) => {
+  const raw = ctx.req.query?.["rb-tenant-id"];
+  const queryTenantId = Array.isArray(raw) ? raw[0] : raw;
+  if (typeof queryTenantId === "string" && queryTenantId.trim()) return queryTenantId.trim();
+  const sessionTenantId = ctx.req.session?.user?.current_tenant_id;
+  if (typeof sessionTenantId === "string" && sessionTenantId.trim()) return sessionTenantId.trim();
+  return null;
+};
+const ensureAuthorized = (ctx, tenantId) => {
+  const userId = ctx.req.session?.user?.id;
+  if (!userId) return null;
+  const signedInTenants = ctx.req.session?.user?.signed_in_tenants;
+  const currentTenantId = ctx.req.session?.user?.current_tenant_id;
+  const hasTenantAccessFromList = Array.isArray(signedInTenants) && signedInTenants.includes(tenantId);
+  const normalizedCurrentTenantId = typeof currentTenantId === "string" ? currentTenantId.trim() : "";
+  const hasTenantAccessFromCurrent = Boolean(normalizedCurrentTenantId) && normalizedCurrentTenantId === tenantId;
+  if (!hasTenantAccessFromList && !hasTenantAccessFromCurrent) return null;
+  return userId;
+};
+const getModelCtx = (_ctx, tenantId) => ({
+  req: {
+    session: {
+      user: {
+        current_tenant_id: tenantId
+      }
+    }
+  }
+});
+const isRtsChangeRecord = (value) => {
+  if (!value || typeof value !== "object") return false;
+  const obj = value;
+  const isOp = ZRBRtsChangeOp.safeParse(obj.op).success;
+  return typeof obj.seq === "number" && typeof obj.modelName === "string" && isOp;
+};
+const changesHandler = async (payload, ctx) => {
+  const parsed = requestSchema.safeParse(payload ?? {});
+  if (!parsed.success) {
+    ctx.res.status(400);
+    return { ok: false, latestSeq: 0, changes: [] };
+  }
+  const tenantId = getTenantId(ctx);
+  if (!tenantId) {
+    ctx.res.status(400);
+    return { ok: false, latestSeq: 0, changes: [] };
+  }
+  const userId = ensureAuthorized(ctx, tenantId);
+  if (!userId) {
+    ctx.res.status(401);
+    return { ok: false, latestSeq: 0, changes: [] };
+  }
+  const modelCtx = getModelCtx(ctx, tenantId);
+  const [RtsChange, RtsCounter] = await Promise.all([
+    loadModel("RBRtsChange", modelCtx),
+    loadModel("RBRtsCounter", modelCtx)
+  ]);
+  const counter = await RtsCounter.findOne({ _id: "rts" }, { seq: 1 }).lean();
+  const latestSeq = Number(counter?.seq ?? 0) || 0;
+  const { sinceSeq, limit, modelNames } = parsed.data;
+  const earliestSelector = {};
+  if (Array.isArray(modelNames) && modelNames.length) {
+    earliestSelector.modelName = { $in: modelNames };
+  }
+  const earliest = await RtsChange.findOne(earliestSelector, { seq: 1 }).sort({ seq: 1 }).lean();
+  const earliestSeq = earliest?.seq ? Number(earliest.seq) : void 0;
+  const needsFullResync = typeof earliestSeq === "number" && sinceSeq < earliestSeq - 1;
+  const selector = { seq: { $gt: sinceSeq } };
+  if (Array.isArray(modelNames) && modelNames.length) {
+    selector.modelName = { $in: modelNames };
+  }
+  const changes = await RtsChange.find(selector, { _id: 0, seq: 1, modelName: 1, op: 1, docId: 1 }).sort({ seq: 1 }).limit(limit).lean();
+  return {
+    ok: true,
+    needsFullResync: needsFullResync || void 0,
+    earliestSeq,
+    latestSeq,
+    changes: Array.isArray(changes) ? changes.filter(isRtsChangeRecord).map((c) => ({
+      seq: Number(c.seq),
+      modelName: String(c.modelName),
+      op: c.op,
+      docId: c.docId ? String(c.docId) : void 0
+    })) : []
+  };
+};
+const handler = (api) => {
+  api.post(Route, changesHandler);
+};
+export {
+  handler as default
+};

package/dist/{index-BSIupjlE.js → index-dlSIqvl2.js}

@@ -5,7 +5,7 @@ const TENANT_ID_QUERY_PARAM = "rb-tenant-id";
 const USER_ID_HEADER = "rb-user-id";
 const QUERY_KEY_MAX_LEN = 4096;
 const QUERY_MAX_LIMIT = 4096;
-const INTERNAL_MODEL_NAMES = /* @__PURE__ */ new Set(["RtsChange", "RtsCounter"]);
+const INTERNAL_MODEL_NAMES = /* @__PURE__ */ new Set(["RBRtsChange", "RBRtsCounter"]);
 const DEFAULT_MAX_PAYLOAD_BYTES = 1024 * 1024;
 const DEFAULT_MAX_SUBSCRIPTIONS_PER_SOCKET = 256;
 const DEFAULT_DISPATCH_DEBOUNCE_MS = 25;

package/dist/index.js

@@ -18,7 +18,7 @@ import { StrictMode, createElement } from "react";
 import { renderToPipeableStream, renderToStaticMarkup } from "react-dom/server";
 import { jsx } from "react/jsx-runtime";
 import { createPath, matchRoutes, parsePath, createStaticRouter, StaticRouterProvider } from "@rpcbase/router";
-import { i, n, r } from "./index-BSIupjlE.js";
+import { i, n, r } from "./index-dlSIqvl2.js";
 function getDefaultExportFromCjs(x) {
   return x && x.__esModule && Object.prototype.hasOwnProperty.call(x, "default") ? x["default"] : x;
 }

package/dist/rts/api/changes/handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../../src/rts/api/changes/handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAmB,MAAM,cAAc,CAAA;AAOnD,KAAK,WAAW,GAAG;IACjB,EAAE,CAAC,EAAE,MAAM,CAAA;IACX,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC7B,CAAA;yBAqIe,KAAK,GAAG,CAAC,WAAW,CAAC;AAArC,wBAEC"}
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../../src/rts/api/changes/handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAmB,MAAM,cAAc,CAAA;AAOnD,KAAK,WAAW,GAAG;IACjB,EAAE,CAAC,EAAE,MAAM,CAAA;IACX,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC7B,CAAA;yBA0He,KAAK,GAAG,CAAC,WAAW,CAAC;AAArC,wBAEC"}

package/dist/rts.js

@@ -1,6 +1,6 @@
-import { i, n, r } from "./index-BSIupjlE.js";
+import { i, n, r } from "./index-dlSIqvl2.js";
 const routes = Object.entries({
-  .../* @__PURE__ */ Object.assign({ "./api/changes/handler.ts": () => import("./handler-DHunTqwt.js") })
+  .../* @__PURE__ */ Object.assign({ "./api/changes/handler.ts": () => import("./handler-ybYk2VTq.js") })
 }).reduce((acc, [path, mod]) => {
   acc[path.replace("./api/", "@rpcbase/server/rts/api/")] = mod;
   return acc;

package/dist/{handler-DHunTqwt.js → schemas-CyxqObur.js}

@@ -1,4 +1,3 @@
-import { loadModel } from "@rpcbase/db";
 function $constructor(name, initializer2, params) {
   function init(inst, def) {
     if (!inst._zod) {
@@ -3275,110 +3274,11 @@ function refine(fn, _params = {}) {
 function superRefine(fn) {
   return _superRefine(fn);
 }
-const Route = "/api/rb/rts/changes";
-const requestSchema = object({
-  sinceSeq: number().int().min(0).default(0),
-  limit: number().int().min(1).max(5e3).default(2e3),
-  modelNames: array(string().min(1)).optional()
-});
-object({
-  ok: boolean(),
-  needsFullResync: boolean().optional(),
-  earliestSeq: number().int().min(0).optional(),
-  latestSeq: number().int().min(0),
-  changes: array(object({
-    seq: number().int().min(1),
-    modelName: string().min(1),
-    op: _enum(["delete", "reset_model"]),
-    docId: string().optional()
-  }))
-});
-const getTenantId = (ctx) => {
-  const raw = ctx.req.query?.["rb-tenant-id"];
-  const queryTenantId = Array.isArray(raw) ? raw[0] : raw;
-  if (typeof queryTenantId === "string" && queryTenantId.trim()) return queryTenantId.trim();
-  const sessionTenantId = ctx.req.session?.user?.current_tenant_id;
-  if (typeof sessionTenantId === "string" && sessionTenantId.trim()) return sessionTenantId.trim();
-  return null;
-};
-const ensureAuthorized = (ctx, tenantId) => {
-  const userId = ctx.req.session?.user?.id;
-  if (!userId) return null;
-  const signedInTenants = ctx.req.session?.user?.signed_in_tenants;
-  const currentTenantId = ctx.req.session?.user?.current_tenant_id;
-  const hasTenantAccessFromList = Array.isArray(signedInTenants) && signedInTenants.includes(tenantId);
-  const normalizedCurrentTenantId = typeof currentTenantId === "string" ? currentTenantId.trim() : "";
-  const hasTenantAccessFromCurrent = Boolean(normalizedCurrentTenantId) && normalizedCurrentTenantId === tenantId;
-  if (!hasTenantAccessFromList && !hasTenantAccessFromCurrent) return null;
-  return userId;
-};
-const getModelCtx = (_ctx, tenantId) => ({
-  req: {
-    session: {
-      user: {
-        current_tenant_id: tenantId
-      }
-    }
-  }
-});
-const isRtsChangeRecord = (value) => {
-  if (!value || typeof value !== "object") return false;
-  const obj = value;
-  const isOp = obj.op === "delete" || obj.op === "reset_model";
-  return typeof obj.seq === "number" && typeof obj.modelName === "string" && isOp;
-};
-const changesHandler = async (payload, ctx) => {
-  const parsed = requestSchema.safeParse(payload ?? {});
-  if (!parsed.success) {
-    ctx.res.status(400);
-    return { ok: false, latestSeq: 0, changes: [] };
-  }
-  const tenantId = getTenantId(ctx);
-  if (!tenantId) {
-    ctx.res.status(400);
-    return { ok: false, latestSeq: 0, changes: [] };
-  }
-  const userId = ensureAuthorized(ctx, tenantId);
-  if (!userId) {
-    ctx.res.status(401);
-    return { ok: false, latestSeq: 0, changes: [] };
-  }
-  const modelCtx = getModelCtx(ctx, tenantId);
-  const [RtsChange, RtsCounter] = await Promise.all([
-    loadModel("RtsChange", modelCtx),
-    loadModel("RtsCounter", modelCtx)
-  ]);
-  const counter = await RtsCounter.findOne({ _id: "rts" }, { seq: 1 }).lean();
-  const latestSeq = Number(counter?.seq ?? 0) || 0;
-  const { sinceSeq, limit, modelNames } = parsed.data;
-  const earliestSelector = {};
-  if (Array.isArray(modelNames) && modelNames.length) {
-    earliestSelector.modelName = { $in: modelNames };
-  }
-  const earliest = await RtsChange.findOne(earliestSelector, { seq: 1 }).sort({ seq: 1 }).lean();
-  const earliestSeq = earliest?.seq ? Number(earliest.seq) : void 0;
-  const needsFullResync = typeof earliestSeq === "number" && sinceSeq < earliestSeq - 1;
-  const selector = { seq: { $gt: sinceSeq } };
-  if (Array.isArray(modelNames) && modelNames.length) {
-    selector.modelName = { $in: modelNames };
-  }
-  const changes = await RtsChange.find(selector, { _id: 0, seq: 1, modelName: 1, op: 1, docId: 1 }).sort({ seq: 1 }).limit(limit).lean();
-  return {
-    ok: true,
-    needsFullResync: needsFullResync || void 0,
-    earliestSeq,
-    latestSeq,
-    changes: Array.isArray(changes) ? changes.filter(isRtsChangeRecord).map((c) => ({
-      seq: Number(c.seq),
-      modelName: String(c.modelName),
-      op: c.op,
-      docId: c.docId ? String(c.docId) : void 0
-    })) : []
-  };
-};
-const handler = (api) => {
-  api.post(Route, changesHandler);
-};
 export {
-  handler as default
+  _enum as _,
+  array as a,
+  boolean as b,
+  number as n,
+  object as o,
+  string as s
 };

package/dist/shared-8XhCreJo.js

@@ -0,0 +1,119 @@
+import { createHash, timingSafeEqual } from "node:crypto";
+const DEFAULT_CHUNK_SIZE_BYTES = 5 * 1024 * 1024;
+const MAX_CHUNK_SIZE_BYTES = 15 * 1024 * 1024;
+const DEFAULT_MAX_CLIENT_BYTES_PER_SECOND = 10 * 1024 * 1024;
+const DEFAULT_SESSION_TTL_S = 60 * 60 * 24;
+const ensuredIndexDbNames = /* @__PURE__ */ new Set();
+const parseOptionalPositiveInt = (rawValue) => {
+  if (typeof rawValue !== "string") return null;
+  const normalized = rawValue.trim();
+  if (!normalized) return null;
+  const parsed = Number(normalized);
+  if (!Number.isFinite(parsed) || parsed <= 0) return null;
+  return Math.floor(parsed);
+};
+const getChunkSizeBytes = () => {
+  const configured = parseOptionalPositiveInt(process.env.RB_UPLOAD_CHUNK_SIZE_BYTES);
+  const resolved = configured ?? DEFAULT_CHUNK_SIZE_BYTES;
+  return Math.min(MAX_CHUNK_SIZE_BYTES, resolved);
+};
+const getMaxClientUploadBytesPerSecond = () => {
+  const configured = parseOptionalPositiveInt(process.env.RB_UPLOAD_MAX_CLIENT_BYTES_PER_SECOND);
+  return configured ?? DEFAULT_MAX_CLIENT_BYTES_PER_SECOND;
+};
+const getSessionTtlMs = () => {
+  const ttlSeconds = parseOptionalPositiveInt(process.env.RB_UPLOAD_SESSION_TTL_S) ?? DEFAULT_SESSION_TTL_S;
+  return ttlSeconds * 1e3;
+};
+const getRawBodyLimitBytes = (chunkSizeBytes) => chunkSizeBytes + 1024 * 1024;
+const getBucketName = () => (process.env.RB_FILESYSTEM_BUCKET_NAME ?? "").trim() || "fs";
+const getUserId = (ctx) => {
+  const raw = ctx.req.session?.user?.id;
+  if (typeof raw !== "string") return null;
+  const normalized = raw.trim();
+  return normalized ? normalized : null;
+};
+const getTenantId = (ctx) => {
+  const rawSession = ctx.req.session?.user?.current_tenant_id;
+  const sessionTenantId = typeof rawSession === "string" ? rawSession.trim() : "";
+  const userId = getUserId(ctx);
+  const rawQuery = ctx.req.query?.["rb-tenant-id"];
+  const queryTenantId = Array.isArray(rawQuery) ? rawQuery[0] : rawQuery;
+  const queryValue = typeof queryTenantId === "string" && queryTenantId.trim() ? queryTenantId.trim() : null;
+  if (!userId && queryValue) return queryValue;
+  if (userId) return sessionTenantId || null;
+  if (sessionTenantId) return sessionTenantId;
+  return queryValue;
+};
+const computeSha256Hex = (data) => createHash("sha256").update(data).digest("hex");
+const normalizeSha256Hex = (value) => value.trim().toLowerCase();
+const getModelCtx = (_ctx, tenantId) => ({
+  req: {
+    session: {
+      user: {
+        current_tenant_id: tenantId
+      }
+    }
+  }
+});
+const toBufferPayload = (payload) => {
+  if (Buffer.isBuffer(payload)) return payload;
+  if (payload instanceof Uint8Array) return Buffer.from(payload);
+  return null;
+};
+const ensureUploadIndexes = async (UploadSession, UploadChunk) => {
+  const dbName = String(UploadSession?.db?.name ?? "");
+  if (dbName && ensuredIndexDbNames.has(dbName)) return;
+  await Promise.all([
+    UploadSession.createIndexes(),
+    UploadChunk.createIndexes()
+  ]);
+  if (dbName) ensuredIndexDbNames.add(dbName);
+};
+const normalizeUploadKey = (raw) => {
+  if (typeof raw !== "string") return null;
+  const normalized = raw.trim();
+  return normalized ? normalized : null;
+};
+const getUploadKeyHash = (ctx) => {
+  const uploadKey = normalizeUploadKey(ctx.req.get("X-Upload-Key"));
+  if (!uploadKey) return null;
+  return computeSha256Hex(Buffer.from(uploadKey));
+};
+const timingSafeEqualHex = (left, right) => {
+  if (left.length !== right.length) return false;
+  try {
+    return timingSafeEqual(Buffer.from(left, "hex"), Buffer.from(right, "hex"));
+  } catch {
+    return false;
+  }
+};
+const getOwnershipSelector = (ctx, session) => {
+  if (session.userId) {
+    const userId = getUserId(ctx);
+    if (!userId || userId !== session.userId) return null;
+    return { userId: session.userId };
+  }
+  if (session.ownerKeyHash) {
+    const uploadKeyHash = getUploadKeyHash(ctx);
+    if (!uploadKeyHash) return null;
+    if (!timingSafeEqualHex(session.ownerKeyHash, uploadKeyHash)) return null;
+    return { ownerKeyHash: session.ownerKeyHash };
+  }
+  return null;
+};
+export {
+  getModelCtx as a,
+  getOwnershipSelector as b,
+  getBucketName as c,
+  getUserId as d,
+  ensureUploadIndexes as e,
+  getChunkSizeBytes as f,
+  getTenantId as g,
+  getSessionTtlMs as h,
+  computeSha256Hex as i,
+  getMaxClientUploadBytesPerSecond as j,
+  getRawBodyLimitBytes as k,
+  normalizeSha256Hex as n,
+  toBufferPayload as t
+};

package/dist/uploads/api/file-uploads/handler.d.ts

@@ -0,0 +1,5 @@
+import { Api } from '../../../../../api/src';
+import { SessionUser } from './shared';
+declare const _default: (api: Api<SessionUser>) => void;
+export default _default;
+//# sourceMappingURL=handler.d.ts.map

package/dist/uploads/api/file-uploads/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../../src/uploads/api/file-uploads/handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAOlC,OAAO,EAA6E,KAAK,WAAW,EAAE,MAAM,UAAU,CAAA;yBAKtG,KAAK,GAAG,CAAC,WAAW,CAAC;AAArC,wBAcC"}

package/dist/uploads/api/file-uploads/handlers/completeUpload.d.ts

@@ -0,0 +1,5 @@
+import { ApiHandler } from '../../../../../../api/src';
+import { SessionUser } from '../shared';
+import * as Uploads from "../index";
+export declare const completeUpload: ApiHandler<Record<string, never>, Uploads.CompleteResponsePayload, SessionUser>;
+//# sourceMappingURL=completeUpload.d.ts.map

package/dist/uploads/api/file-uploads/handlers/completeUpload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"completeUpload.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/file-uploads/handlers/completeUpload.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAKzC,OAAO,KAAK,OAAO,MAAM,UAAU,CAAA;AACnC,OAAO,EACL,KAAK,WAAW,EAQjB,MAAM,WAAW,CAAA;AAiDlB,eAAO,MAAM,cAAc,EAAE,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,CAAC,uBAAuB,EAAE,WAAW,CAmJ1G,CAAA"}

package/dist/uploads/api/file-uploads/handlers/getStatus.d.ts

@@ -0,0 +1,5 @@
+import { ApiHandler } from '../../../../../../api/src';
+import { SessionUser } from '../shared';
+import * as Uploads from "../index";
+export declare const getStatus: ApiHandler<Record<string, never>, Uploads.StatusResponsePayload, SessionUser>;
+//# sourceMappingURL=getStatus.d.ts.map

package/dist/uploads/api/file-uploads/handlers/getStatus.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getStatus.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/file-uploads/handlers/getStatus.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAIzC,OAAO,KAAK,OAAO,MAAM,UAAU,CAAA;AACnC,OAAO,EACL,KAAK,WAAW,EAMjB,MAAM,WAAW,CAAA;AAGlB,eAAO,MAAM,SAAS,EAAE,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,CAAC,qBAAqB,EAAE,WAAW,CAkDnG,CAAA"}

package/dist/uploads/api/file-uploads/handlers/initUpload.d.ts

@@ -0,0 +1,5 @@
+import { ApiHandler } from '../../../../../../api/src';
+import { SessionUser } from '../shared';
+import * as Uploads from "../index";
+export declare const initUpload: ApiHandler<Uploads.InitRequestPayload, Uploads.InitResponsePayload, SessionUser>;
+//# sourceMappingURL=initUpload.d.ts.map

package/dist/uploads/api/file-uploads/handlers/initUpload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"initUpload.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/file-uploads/handlers/initUpload.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAKzC,OAAO,KAAK,OAAO,MAAM,UAAU,CAAA;AACnC,OAAO,EACL,KAAK,WAAW,EAUjB,MAAM,WAAW,CAAA;AAGlB,eAAO,MAAM,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC,kBAAkB,EAAE,OAAO,CAAC,mBAAmB,EAAE,WAAW,CA2DvG,CAAA"}

package/dist/uploads/api/file-uploads/handlers/uploadChunk.d.ts

@@ -0,0 +1,9 @@
+import { ApiHandler } from '../../../../../../api/src';
+import { SessionUser } from '../shared';
+type ChunkResponsePayload = {
+    ok: boolean;
+    error?: string;
+};
+export declare const uploadChunk: ApiHandler<Buffer, ChunkResponsePayload, SessionUser>;
+export {};
+//# sourceMappingURL=uploadChunk.d.ts.map

package/dist/uploads/api/file-uploads/handlers/uploadChunk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"uploadChunk.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/file-uploads/handlers/uploadChunk.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAIzC,OAAO,EACL,KAAK,WAAW,EAUjB,MAAM,WAAW,CAAA;AAGlB,KAAK,oBAAoB,GAAG;IAC1B,EAAE,EAAE,OAAO,CAAA;IACX,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,CAAA;AAED,eAAO,MAAM,WAAW,EAAE,UAAU,CAAC,MAAM,EAAE,oBAAoB,EAAE,WAAW,CAqG7E,CAAA"}

package/dist/uploads/api/file-uploads/index.d.ts

@@ -0,0 +1,42 @@
+import { z } from '../../../../../vite/node_modules/zod';
+export declare const InitRoute = "/api/rb/file-uploads";
+export declare const ChunkRoute = "/api/rb/file-uploads/:uploadId/chunks/:index";
+export declare const StatusRoute = "/api/rb/file-uploads/:uploadId/status";
+export declare const CompleteRoute = "/api/rb/file-uploads/:uploadId/complete";
+export declare const initRequestSchema: z.ZodObject<{
+    filename: z.ZodString;
+    mimeType: z.ZodString;
+    totalSize: z.ZodNumber;
+}, z.core.$strip>;
+export type InitRequestPayload = z.infer<typeof initRequestSchema>;
+export declare const initResponseSchema: z.ZodObject<{
+    ok: z.ZodBoolean;
+    error: z.ZodOptional<z.ZodString>;
+    uploadId: z.ZodOptional<z.ZodString>;
+    uploadKey: z.ZodOptional<z.ZodString>;
+    chunkSize: z.ZodOptional<z.ZodNumber>;
+    chunksTotal: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>;
+export type InitResponsePayload = z.infer<typeof initResponseSchema>;
+export declare const statusResponseSchema: z.ZodObject<{
+    ok: z.ZodBoolean;
+    error: z.ZodOptional<z.ZodString>;
+    status: z.ZodOptional<z.ZodEnum<{
+        error: "error";
+        done: "done";
+        uploading: "uploading";
+        assembling: "assembling";
+    }>>;
+    chunkSize: z.ZodOptional<z.ZodNumber>;
+    chunksTotal: z.ZodOptional<z.ZodNumber>;
+    received: z.ZodOptional<z.ZodArray<z.ZodNumber>>;
+    fileId: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type StatusResponsePayload = z.infer<typeof statusResponseSchema>;
+export declare const completeResponseSchema: z.ZodObject<{
+    ok: z.ZodBoolean;
+    error: z.ZodOptional<z.ZodString>;
+    fileId: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type CompleteResponsePayload = z.infer<typeof completeResponseSchema>;
+//# sourceMappingURL=index.d.ts.map

package/dist/uploads/api/file-uploads/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/uploads/api/file-uploads/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,eAAO,MAAM,SAAS,yBAAyB,CAAA;AAC/C,eAAO,MAAM,UAAU,iDAAiD,CAAA;AACxE,eAAO,MAAM,WAAW,0CAA0C,CAAA;AAClE,eAAO,MAAM,aAAa,4CAA4C,CAAA;AAEtE,eAAO,MAAM,iBAAiB;;;;iBAI5B,CAAA;AAEF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAElE,eAAO,MAAM,kBAAkB;;;;;;;iBAO7B,CAAA;AAEF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAEpE,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;iBAQ/B,CAAA;AAEF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAExE,eAAO,MAAM,sBAAsB;;;;iBAIjC,CAAA;AAEF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA"}

package/dist/uploads/api/file-uploads/middleware/rawBodyParser.d.ts

@@ -0,0 +1,5 @@
+export declare const rawBodyParser: ({ limitBytes, maxClientBytesPerSecond, }: {
+    limitBytes: number;
+    maxClientBytesPerSecond?: number | null;
+}) => (req: any, res: any, next: any) => void;
+//# sourceMappingURL=rawBodyParser.d.ts.map

package/dist/uploads/api/file-uploads/middleware/rawBodyParser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rawBodyParser.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/file-uploads/middleware/rawBodyParser.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,aAAa,GAAI,0CAG3B;IACD,UAAU,EAAE,MAAM,CAAA;IAClB,uBAAuB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CACxC,MACS,KAAK,GAAG,EAAE,KAAK,GAAG,EAAE,MAAM,GAAG,SA6FtC,CAAA"}

package/dist/uploads/api/file-uploads/shared.d.ts

@@ -0,0 +1,29 @@
+import { Ctx } from '../../../../../api/src';
+import { IRBUploadChunk, IRBUploadSession, LoadModelCtx } from '../../../../../db/src';
+import { Model } from '../../../../../vite/node_modules/mongoose';
+export type SessionUser = {
+    id?: string;
+    current_tenant_id?: string;
+};
+export type UploadSessionDoc = IRBUploadSession;
+export type UploadChunkDoc = Omit<IRBUploadChunk, "data"> & {
+    data: Buffer;
+};
+export declare const getChunkSizeBytes: () => number;
+export declare const getMaxClientUploadBytesPerSecond: () => number | null;
+export declare const getSessionTtlMs: () => number;
+export declare const getRawBodyLimitBytes: (chunkSizeBytes: number) => number;
+export declare const getBucketName: () => string;
+export declare const getUserId: (ctx: Ctx<SessionUser>) => string | null;
+export declare const getTenantId: (ctx: Ctx<SessionUser>) => string | null;
+export declare const computeSha256Hex: (data: Buffer) => string;
+export declare const normalizeSha256Hex: (value: string) => string;
+export declare const getModelCtx: (_ctx: Ctx<SessionUser>, tenantId: string) => LoadModelCtx;
+export declare const toBufferPayload: (payload: unknown) => Buffer | null;
+export declare const ensureUploadIndexes: (UploadSession: Model<UploadSessionDoc>, UploadChunk: Model<UploadChunkDoc>) => Promise<void>;
+export declare const getUploadKeyHash: (ctx: Ctx<SessionUser>) => string | null;
+export declare const getOwnershipSelector: (ctx: Ctx<SessionUser>, session: Pick<UploadSessionDoc, "userId" | "ownerKeyHash">) => {
+    userId?: string;
+    ownerKeyHash?: string;
+} | null;
+//# sourceMappingURL=shared.d.ts.map

package/dist/uploads/api/file-uploads/shared.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shared.d.ts","sourceRoot":"","sources":["../../../../src/uploads/api/file-uploads/shared.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAClC,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,KAAK,YAAY,EAClB,MAAM,aAAa,CAAA;AACpB,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,UAAU,CAAA;AAGrC,MAAM,MAAM,WAAW,GAAG;IACxB,EAAE,CAAC,EAAE,MAAM,CAAA;IACX,iBAAiB,CAAC,EAAE,MAAM,CAAA;CAC3B,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG,gBAAgB,CAAA;AAC/C,MAAM,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,GAAG;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,CAAA;AAoB5E,eAAO,MAAM,iBAAiB,QAAO,MAIpC,CAAA;AAED,eAAO,MAAM,gCAAgC,QAAO,MAAM,GAAG,IAG5D,CAAA;AAED,eAAO,MAAM,eAAe,QAAO,MAGlC,CAAA;AAED,eAAO,MAAM,oBAAoB,GAAI,gBAAgB,MAAM,KAAG,MAAsC,CAAA;AAEpG,eAAO,MAAM,aAAa,QAAO,MAAsE,CAAA;AAEvG,eAAO,MAAM,SAAS,GAAI,KAAK,GAAG,CAAC,WAAW,CAAC,KAAG,MAAM,GAAG,IAK1D,CAAA;AAED,eAAO,MAAM,WAAW,GAAI,KAAK,GAAG,CAAC,WAAW,CAAC,KAAG,MAAM,GAAG,IAgB5D,CAAA;AAED,eAAO,MAAM,gBAAgB,GAAI,MAAM,MAAM,KAAG,MAAyD,CAAA;AAEzG,eAAO,MAAM,kBAAkB,GAAI,OAAO,MAAM,KAAG,MAAoC,CAAA;AAEvF,eAAO,MAAM,WAAW,GAAI,MAAM,GAAG,CAAC,WAAW,CAAC,EAAE,UAAU,MAAM,KAAG,YAQrE,CAAA;AAEF,eAAO,MAAM,eAAe,GAAI,SAAS,OAAO,KAAG,MAAM,GAAG,IAI3D,CAAA;AAED,eAAO,MAAM,mBAAmB,GAC9B,eAAe,KAAK,CAAC,gBAAgB,CAAC,EACtC,aAAa,KAAK,CAAC,cAAc,CAAC,KACjC,OAAO,CAAC,IAAI,CAUd,CAAA;AAQD,eAAO,MAAM,gBAAgB,GAAI,KAAK,GAAG,CAAC,WAAW,CAAC,KAAG,MAAM,GAAG,IAIjE,CAAA;AAWD,eAAO,MAAM,oBAAoB,GAC/B,KAAK,GAAG,CAAC,WAAW,CAAC,EACrB,SAAS,IAAI,CAAC,gBAAgB,EAAE,QAAQ,GAAG,cAAc,CAAC,KACzD;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAe/C,CAAA"}

package/dist/uploads/api/files/handler.d.ts

@@ -0,0 +1,4 @@
+import { Api } from '../../../../../api/src';
+declare const _default: (api: Api) => void;
+export default _default;
+//# sourceMappingURL=handler.d.ts.map

package/dist/uploads/api/files/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../../src/uploads/api/files/handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;yBAQlB,KAAK,GAAG;AAAxB,wBAGC"}

package/dist/uploads/api/files/handlers/deleteFile.d.ts

@@ -0,0 +1,9 @@
+import { ApiHandler } from '../../../../../../api/src';
+import { SessionUser } from '../../file-uploads/shared';
+type DeleteResponsePayload = {
+    ok: boolean;
+    error?: string;
+};
+export declare const deleteFile: ApiHandler<Record<string, never>, DeleteResponsePayload, SessionUser>;
+export {};
+//# sourceMappingURL=deleteFile.d.ts.map

package/dist/uploads/api/files/handlers/deleteFile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deleteFile.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/files/handlers/deleteFile.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAIzC,OAAO,EAA8B,KAAK,WAAW,EAAE,MAAM,2BAA2B,CAAA;AAGxF,KAAK,qBAAqB,GAAG;IAC3B,EAAE,EAAE,OAAO,CAAA;IACX,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,CAAA;AAED,eAAO,MAAM,UAAU,EAAE,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,qBAAqB,EAAE,WAAW,CAyC5F,CAAA"}

package/dist/uploads/api/files/handlers/getFile.d.ts

@@ -0,0 +1,3 @@
+import { ApiHandler } from '../../../../../../api/src';
+export declare const getFile: ApiHandler<Record<string, never>, Record<string, never>>;
+//# sourceMappingURL=getFile.d.ts.map

package/dist/uploads/api/files/handlers/getFile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getFile.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/files/handlers/getFile.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAezC,eAAO,MAAM,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAmF5E,CAAA"}

package/dist/uploads/api/files/handlers/getFile.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=getFile.test.d.ts.map

package/dist/uploads/api/files/handlers/getFile.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getFile.test.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/files/handlers/getFile.test.ts"],"names":[],"mappings":""}

package/dist/uploads/api/files/index.d.ts

@@ -0,0 +1,4 @@
+export declare const Route = "/api/rb/files/:fileId";
+export declare const GetRoute = "/api/rb/files/:fileId";
+export declare const DeleteRoute = "/api/rb/files/:fileId";
+//# sourceMappingURL=index.d.ts.map

package/dist/uploads/api/files/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/uploads/api/files/index.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,KAAK,0BAA0B,CAAA;AAE5C,eAAO,MAAM,QAAQ,0BAAQ,CAAA;AAC7B,eAAO,MAAM,WAAW,0BAAQ,CAAA"}

package/dist/uploads/routes.d.ts

@@ -0,0 +1,2 @@
+export declare const routes: Record<string, unknown>;
+//# sourceMappingURL=routes.d.ts.map

package/dist/uploads/routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../../src/uploads/routes.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,MAAM,yBAKb,CAAA"}

package/dist/uploads.d.ts

@@ -0,0 +1,2 @@
+export * from './uploads/routes';
+//# sourceMappingURL=uploads.d.ts.map

package/dist/uploads.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"uploads.d.ts","sourceRoot":"","sources":["../src/uploads.ts"],"names":[],"mappings":"AAAA,cAAc,kBAAkB,CAAA"}

package/dist/uploads.js

@@ -0,0 +1,9 @@
+const routes = Object.entries({
+  .../* @__PURE__ */ Object.assign({ "./api/file-uploads/handler.ts": () => import("./handler-CGko2pJM.js"), "./api/files/handler.ts": () => import("./handler-D6oN38vE.js") })
+}).reduce((acc, [path, mod]) => {
+  acc[path.replace("./api/", "@rpcbase/server/uploads/api/")] = mod;
+  return acc;
+}, {});
+export {
+  routes
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rpcbase/server",
-  "version": "0.472.0",
+  "version": "0.474.0",
   "type": "module",
   "files": [
     "dist"
@@ -17,6 +17,11 @@
       "types": "./dist/rts.d.ts",
       "import": "./dist/rts.js",
       "default": "./dist/rts.js"
+    },
+    "./uploads": {
+      "types": "./dist/uploads.d.ts",
+      "import": "./dist/uploads.js",
+      "default": "./dist/uploads.js"
     }
   },
   "scripts": {