@run402/functions 2.5.1 → 2.6.0

package/dist/auth.d.ts

@@ -12,7 +12,7 @@ export interface User {
  * application role from a declarative `requireRole` gate. For the
  * gate-resolved application role, use {@link getRole}.
  */
-export declare function getUser(req: Request): User | null;
+export declare function getUser(req?: Request): User | null;
 /**
  * Read the gate-resolved user id from the request.
  *
@@ -33,7 +33,7 @@ export declare function getUser(req: Request): User | null;
  * `members` table via gateway-side RLS-bypass; user code does not
  * need to re-decode the JWT.
  */
-export declare function getUserId(req: Request): string | null;
+export declare function getUserId(req?: Request): string | null;
 /**
  * Read the gate-resolved application role from the request.
  *
@@ -53,5 +53,5 @@ export declare function getUserId(req: Request): string | null;
  * {@link getUser}. The two are independent — see the JSDoc on
  * `getUser` for the distinction.
  */
-export declare function getRole(req: Request): string | null;
+export declare function getRole(req?: Request): string | null;
 //# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,OAAO,GAAG,IAAI,GAAG,IAAI,CAmBjD;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAErD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAEnD"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,IAAI,GAAG,IAAI,CAsClD;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,SAAS,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAOtD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,OAAO,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAOpD"}

package/dist/auth.js

@@ -1,5 +1,6 @@
-import jwt from "jsonwebtoken";
+import jwt from "./lib/jwt.js";
 import { config } from "./config.js";
+import { getCurrentContext, taintCacheBypass } from "./runtime-context.js";
 /**
  * Verify the caller's JWT and return user identity.
  * Returns { id, role, email } or null if unauthenticated/invalid.
@@ -10,9 +11,30 @@ import { config } from "./config.js";
  * gate-resolved application role, use {@link getRole}.
  */
 export function getUser(req) {
-    const authHeader = typeof req.headers.get === "function"
-        ? req.headers.get("authorization")
-        : req.headers?.authorization;
+    // Capability `astro-ssr-runtime` (v1.52). Taint the cache-bypass flag
+    // on the active request context, regardless of whether `getUser`
+    // resolves to a user or null — the response now depends on per-request
+    // auth state and MUST NOT be cached publicly.
+    taintCacheBypass();
+    // If no `req` was passed, read auth from the ALS context (the SSR
+    // Lambda runtime's `runWithContext` populates `request.headers`).
+    // This is what makes `await getUser()` work naturally inside Astro
+    // `[slug].astro` frontmatter without any explicit plumbing.
+    let authHeader;
+    if (req !== undefined) {
+        authHeader =
+            typeof req.headers.get === "function"
+                ? req.headers.get("authorization")
+                : req.headers?.authorization;
+    }
+    else {
+        const ctx = getCurrentContext();
+        if (ctx === undefined)
+            return null;
+        const h = ctx.request.headers;
+        const raw = h["authorization"] ?? h["Authorization"];
+        authHeader = Array.isArray(raw) ? raw[0] : raw;
+    }
     if (!authHeader || !authHeader.startsWith("Bearer "))
         return null;
     const token = authHeader.slice(7);
@@ -47,7 +69,15 @@ export function getUser(req) {
  * need to re-decode the JWT.
  */
 export function getUserId(req) {
-    return req.headers.get("x-run402-user-id");
+    if (req !== undefined)
+        return req.headers.get("x-run402-user-id");
+    const ctx = getCurrentContext();
+    if (ctx === undefined)
+        return null;
+    const raw = ctx.request.headers["x-run402-user-id"];
+    if (Array.isArray(raw))
+        return raw[0] ?? null;
+    return raw ?? null;
 }
 /**
  * Read the gate-resolved application role from the request.
@@ -69,6 +99,14 @@ export function getUserId(req) {
  * `getUser` for the distinction.
  */
 export function getRole(req) {
-    return req.headers.get("x-run402-user-role");
+    if (req !== undefined)
+        return req.headers.get("x-run402-user-role");
+    const ctx = getCurrentContext();
+    if (ctx === undefined)
+        return null;
+    const raw = ctx.request.headers["x-run402-user-role"];
+    if (Array.isArray(raw))
+        return raw[0] ?? null;
+    return raw ?? null;
 }
 //# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAC;AAC/B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAQrC;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO,CAAC,GAAY;IAClC,MAAM,UAAU,GACd,OAAQ,GAAG,CAAC,OAA6C,CAAC,GAAG,KAAK,UAAU;QAC1E,CAAC,CAAE,GAAG,CAAC,OAAmB,CAAC,GAAG,CAAC,eAAe,CAAC;QAC/C,CAAC,CAAE,GAAG,CAAC,OAAyD,EAAE,aAAa,CAAC;IACpF,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,UAAU,CAKlD,CAAC;QACF,IAAI,OAAO,CAAC,UAAU,KAAK,MAAM,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAC1D,OAAO,EAAE,EAAE,EAAE,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,SAAS,CAAC,GAAY;IACpC,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;AAC7C,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,OAAO,CAAC,GAAY;IAClC,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AAC/C,CAAC"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAC;AAC/B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAQ3E;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO,CAAC,GAAa;IACnC,sEAAsE;IACtE,iEAAiE;IACjE,uEAAuE;IACvE,8CAA8C;IAC9C,gBAAgB,EAAE,CAAC;IAEnB,kEAAkE;IAClE,kEAAkE;IAClE,mEAAmE;IACnE,4DAA4D;IAC5D,IAAI,UAAqC,CAAC;IAC1C,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,UAAU;YACR,OAAQ,GAAG,CAAC,OAA6C,CAAC,GAAG,KAAK,UAAU;gBAC1E,CAAC,CAAE,GAAG,CAAC,OAAmB,CAAC,GAAG,CAAC,eAAe,CAAC;gBAC/C,CAAC,CAAE,GAAG,CAAC,OAAyD,EAAE,aAAa,CAAC;IACtF,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;QAChC,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC;QACnC,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;QAC9B,MAAM,GAAG,GAAG,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,eAAe,CAAC,CAAC;QACrD,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjD,CAAC;IACD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAKvB,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;QAC7B,IAAI,OAAO,CAAC,UAAU,KAAK,MAAM,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAC1D,OAAO,EAAE,EAAE,EAAE,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,SAAS,CAAC,GAAa;IACrC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACpD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC9C,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,OAAO,CAAC,GAAa;IACnC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IACpE,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACtD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC9C,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC"}

package/dist/cache.d.ts

@@ -0,0 +1,122 @@
+/**
+ * SSR cache invalidation SDK — capability `ssr-isr-cache`.
+ *
+ * Server-side (function-context) only. Reads the current request's
+ * project_id and host from `getCurrentContext()` (AsyncLocalStorage) to
+ * scope invalidations safely.
+ *
+ * Four operations:
+ *
+ *   - `cache.invalidate(urlOrPath)` — delete cache rows for a specific
+ *     path (or absolute URL). Returns `{ deleted, generation, host, path }`.
+ *   - `cache.invalidatePrefix({ host, prefix })` — delete all rows
+ *     under a path prefix on the given host.
+ *   - `cache.invalidateAll({ host })` — delete all rows on the given
+ *     host. Atomic with a generation bump.
+ *   - `cache.invalidateMany(urls)` — bulk invalidate in one round-trip.
+ *
+ * Host authorization: absolute-URL forms (or explicit `host` in the
+ * options bag) MUST be hosts owned by the caller's authenticated
+ * project. Cross-project hosts throw `R402_CACHE_INVALIDATION_HOST_FORBIDDEN`.
+ *
+ * Path-string form requires an active request context (the SDK reads
+ * the current host from ALS); calling it outside a handler throws
+ * `R402_CACHE_INVALIDATION_HOST_REQUIRED`.
+ *
+ * Tag-based invalidation is NOT in v1; future v1.5 work.
+ *
+ * @see openspec/changes/astro-ssr-runtime/specs/ssr-isr-cache/spec.md
+ */
+/** Result envelope returned by every invalidation API. */
+export interface CacheInvalidateResult {
+    /** Number of `internal.ssr_cache` rows DELETEd by this call. */
+    deleted: number;
+    /** Post-increment generation. Each invalidate bumps the per-(project,
+     *  host) generation counter, which gates in-flight MISS writes from
+     *  populating stale content after the invalidate. */
+    generation: bigint;
+    /** The host the invalidation targeted. */
+    host: string;
+    /** The pathname targeted (single-URL form only); undefined for
+     *  prefix/all/many. */
+    path?: string;
+}
+export interface InvalidatePrefixOptions {
+    host: string;
+    prefix: string;
+}
+export interface InvalidateAllOptions {
+    host: string;
+}
+/**
+ * Structured error thrown when path-string form is called outside an
+ * active request context. The caller has no host to scope against.
+ * Use the absolute-URL form instead OR move the call into a handler.
+ */
+export declare class CacheInvalidationHostRequiredError extends Error {
+    readonly code = "R402_CACHE_INVALIDATION_HOST_REQUIRED";
+    readonly docs = "https://docs.run402.com/cache/errors#invalidation-host-required";
+    readonly suggestedFix = "Pass an absolute URL (e.g., `new URL('https://eagles.kychon.com/the-guys')`) OR move the call into a request handler so the SDK can resolve the current host.";
+    constructor();
+}
+/**
+ * Structured error thrown when an invalidation targets a host that is
+ * not owned by the caller's authenticated project. Prevents project A
+ * from invalidating project B's cache.
+ */
+export declare class CacheInvalidationHostForbiddenError extends Error {
+    readonly code = "R402_CACHE_INVALIDATION_HOST_FORBIDDEN";
+    readonly docs = "https://docs.run402.com/cache/errors#invalidation-host-forbidden";
+    readonly host: string;
+    readonly suggestedFix: string;
+    constructor(host: string);
+}
+/**
+ * Invalidate a single cached SSR response.
+ *
+ * Accepts either:
+ *   - a path string (e.g., `'/the-guys'`) — the SDK reads the current
+ *     host from the active request context (throws
+ *     `CacheInvalidationHostRequiredError` if no context)
+ *   - an absolute URL (e.g., `new URL('https://eagles.kychon.com/the-guys')`)
+ *     — multi-host admin scenarios (host MUST be owned by caller's
+ *     project; throws `CacheInvalidationHostForbiddenError` otherwise)
+ *
+ * Deletes GET and HEAD rows for ALL locales and ALL release ids matching
+ * the exact canonical pathname + normalized search on the target host.
+ *
+ * The DELETE and the per-(project, host) generation increment happen in
+ * the same transaction; the post-increment generation is returned.
+ */
+export declare function invalidate(urlOrPath: string | URL): Promise<CacheInvalidateResult>;
+/**
+ * Invalidate all cache rows under a path prefix on the given host.
+ */
+export declare function invalidatePrefix(opts: InvalidatePrefixOptions): Promise<CacheInvalidateResult>;
+/**
+ * Invalidate all cache rows for the given host (entire-host purge).
+ * Useful for catastrophic content changes (nav restructure, layout
+ * update, etc.) where targeted invalidation would be impractical.
+ */
+export declare function invalidateAll(opts: InvalidateAllOptions): Promise<CacheInvalidateResult>;
+/**
+ * Bulk-invalidate many URLs in a single round-trip. Path-string forms
+ * use the current request context's host; absolute URLs are scoped
+ * individually.
+ *
+ * Returns a SUMMARY envelope with the total deleted count. Per-URL
+ * results are also available on the optional `results` field of the
+ * returned object (not in the result type return for the common case;
+ * use the internal endpoint if you need per-URL precision).
+ */
+export declare function invalidateMany(urls: Array<string | URL>): Promise<CacheInvalidateResult>;
+/** The full cache namespace exported via the `cache` named export from
+ *  `@run402/functions`. */
+export declare const cache: {
+    readonly invalidate: typeof invalidate;
+    readonly invalidatePrefix: typeof invalidatePrefix;
+    readonly invalidateAll: typeof invalidateAll;
+    readonly invalidateMany: typeof invalidateMany;
+};
+export type Cache = typeof cache;
+//# sourceMappingURL=cache.d.ts.map

package/dist/cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.d.ts","sourceRoot":"","sources":["../src/cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAKH,0DAA0D;AAC1D,MAAM,WAAW,qBAAqB;IACpC,gEAAgE;IAChE,OAAO,EAAE,MAAM,CAAC;IAChB;;yDAEqD;IACrD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb;2BACuB;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;;GAIG;AACH,qBAAa,kCAAmC,SAAQ,KAAK;IAC3D,QAAQ,CAAC,IAAI,2CAA2C;IACxD,QAAQ,CAAC,IAAI,qEAAqE;IAClF,QAAQ,CAAC,YAAY,mKAC6I;;CASnK;AAED;;;;GAIG;AACH,qBAAa,mCAAoC,SAAQ,KAAK;IAC5D,QAAQ,CAAC,IAAI,4CAA4C;IACzD,QAAQ,CAAC,IAAI,sEAAsE;IACnF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;gBAElB,IAAI,EAAE,MAAM;CAMzB;AA4DD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAsCxF;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,uBAAuB,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAepG;AAED;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAW9F;AAED;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,GAAG,GAAG,CAAC,GAAG,OAAO,CAAC,qBAAqB,CAAC,CA0B9F;AAED;2BAC2B;AAC3B,eAAO,MAAM,KAAK;;;;;CAKR,CAAC;AAEX,MAAM,MAAM,KAAK,GAAG,OAAO,KAAK,CAAC"}

package/dist/cache.js

@@ -0,0 +1,243 @@
+/**
+ * SSR cache invalidation SDK — capability `ssr-isr-cache`.
+ *
+ * Server-side (function-context) only. Reads the current request's
+ * project_id and host from `getCurrentContext()` (AsyncLocalStorage) to
+ * scope invalidations safely.
+ *
+ * Four operations:
+ *
+ *   - `cache.invalidate(urlOrPath)` — delete cache rows for a specific
+ *     path (or absolute URL). Returns `{ deleted, generation, host, path }`.
+ *   - `cache.invalidatePrefix({ host, prefix })` — delete all rows
+ *     under a path prefix on the given host.
+ *   - `cache.invalidateAll({ host })` — delete all rows on the given
+ *     host. Atomic with a generation bump.
+ *   - `cache.invalidateMany(urls)` — bulk invalidate in one round-trip.
+ *
+ * Host authorization: absolute-URL forms (or explicit `host` in the
+ * options bag) MUST be hosts owned by the caller's authenticated
+ * project. Cross-project hosts throw `R402_CACHE_INVALIDATION_HOST_FORBIDDEN`.
+ *
+ * Path-string form requires an active request context (the SDK reads
+ * the current host from ALS); calling it outside a handler throws
+ * `R402_CACHE_INVALIDATION_HOST_REQUIRED`.
+ *
+ * Tag-based invalidation is NOT in v1; future v1.5 work.
+ *
+ * @see openspec/changes/astro-ssr-runtime/specs/ssr-isr-cache/spec.md
+ */
+import { config } from "./config.js";
+import { getCurrentContext } from "./runtime-context.js";
+/**
+ * Structured error thrown when path-string form is called outside an
+ * active request context. The caller has no host to scope against.
+ * Use the absolute-URL form instead OR move the call into a handler.
+ */
+export class CacheInvalidationHostRequiredError extends Error {
+    code = "R402_CACHE_INVALIDATION_HOST_REQUIRED";
+    docs = "https://docs.run402.com/cache/errors#invalidation-host-required";
+    suggestedFix = "Pass an absolute URL (e.g., `new URL('https://eagles.kychon.com/the-guys')`) OR move the call into a request handler so the SDK can resolve the current host.";
+    constructor() {
+        super("cache.invalidate(path) called outside a request context. " +
+            "Path-string form needs the current host from request scope.");
+        this.name = "CacheInvalidationHostRequiredError";
+    }
+}
+/**
+ * Structured error thrown when an invalidation targets a host that is
+ * not owned by the caller's authenticated project. Prevents project A
+ * from invalidating project B's cache.
+ */
+export class CacheInvalidationHostForbiddenError extends Error {
+    code = "R402_CACHE_INVALIDATION_HOST_FORBIDDEN";
+    docs = "https://docs.run402.com/cache/errors#invalidation-host-forbidden";
+    host;
+    suggestedFix;
+    constructor(host) {
+        super(`host ${host} is not owned by the current project`);
+        this.name = "CacheInvalidationHostForbiddenError";
+        this.host = host;
+        this.suggestedFix = `Use a host attached to your project. List your project's hosts with \`r.domains.list()\` or check Run402 dashboard. The cache layer rejects cross-project invalidations to preserve tenant isolation.`;
+    }
+}
+/**
+ * Internal: call the gateway's cache invalidation endpoint with the
+ * resolved scope. The gateway enforces project ownership of the host
+ * server-side; this function relies on that enforcement but ALSO
+ * validates the response shape.
+ */
+async function callCacheInvalidate(body) {
+    const url = `${config.API_BASE}/cache/v1/invalidate`;
+    const response = await fetch(url, {
+        method: "POST",
+        headers: {
+            "content-type": "application/json",
+            // The gateway resolves the caller's project from the service key.
+            // Cache invalidation is server-side only; the SDK is bundled into
+            // user functions and runs with RUN402_SERVICE_KEY in scope.
+            Authorization: "Bearer " + config.SERVICE_KEY,
+        },
+        body: JSON.stringify(body),
+    });
+    if (response.status === 403) {
+        const errBody = (await response.json().catch(() => ({})));
+        const host = typeof errBody.host === "string" ? errBody.host : (body.host ?? "");
+        throw new CacheInvalidationHostForbiddenError(host);
+    }
+    if (!response.ok) {
+        const errBody = await response.text().catch(() => "");
+        throw new Error(`cache.invalidate(${body.kind}) failed: HTTP ${response.status} ${errBody.slice(0, 200)}`);
+    }
+    const json = (await response.json());
+    return {
+        deleted: json.deleted,
+        generation: BigInt(json.generation),
+        host: json.host,
+        path: json.path,
+        results: json.results?.map((r) => ({
+            ...r,
+            generation: BigInt(r.generation),
+        })),
+    };
+}
+/**
+ * Invalidate a single cached SSR response.
+ *
+ * Accepts either:
+ *   - a path string (e.g., `'/the-guys'`) — the SDK reads the current
+ *     host from the active request context (throws
+ *     `CacheInvalidationHostRequiredError` if no context)
+ *   - an absolute URL (e.g., `new URL('https://eagles.kychon.com/the-guys')`)
+ *     — multi-host admin scenarios (host MUST be owned by caller's
+ *     project; throws `CacheInvalidationHostForbiddenError` otherwise)
+ *
+ * Deletes GET and HEAD rows for ALL locales and ALL release ids matching
+ * the exact canonical pathname + normalized search on the target host.
+ *
+ * The DELETE and the per-(project, host) generation increment happen in
+ * the same transaction; the post-increment generation is returned.
+ */
+export async function invalidate(urlOrPath) {
+    let host;
+    let path;
+    if (urlOrPath instanceof URL) {
+        host = urlOrPath.host.toLowerCase();
+        path = urlOrPath.pathname + urlOrPath.search;
+    }
+    else if (typeof urlOrPath === "string" && urlOrPath.startsWith("http://")) {
+        // Allow http:// only for local-dev parity, but the gateway will
+        // typically reject it.
+        const u = new URL(urlOrPath);
+        host = u.host.toLowerCase();
+        path = u.pathname + u.search;
+    }
+    else if (typeof urlOrPath === "string" && urlOrPath.startsWith("https://")) {
+        const u = new URL(urlOrPath);
+        host = u.host.toLowerCase();
+        path = u.pathname + u.search;
+    }
+    else if (typeof urlOrPath === "string" && urlOrPath.startsWith("/")) {
+        // Path-string form: requires active request context to resolve host.
+        const ctx = getCurrentContext();
+        if (ctx === undefined || !ctx.active.value) {
+            throw new CacheInvalidationHostRequiredError();
+        }
+        host = ctx.host.toLowerCase();
+        path = urlOrPath;
+    }
+    else {
+        throw new Error(`cache.invalidate: argument must be a URL, an "https://" URL string, or a path starting with "/". Got: ${typeof urlOrPath === "string" ? `"${urlOrPath}"` : typeof urlOrPath}`);
+    }
+    const result = await callCacheInvalidate({ kind: "exact", host, path });
+    return {
+        deleted: result.deleted,
+        generation: result.generation,
+        host: result.host,
+        path: result.path ?? path,
+    };
+}
+/**
+ * Invalidate all cache rows under a path prefix on the given host.
+ */
+export async function invalidatePrefix(opts) {
+    if (!opts.host)
+        throw new Error("cache.invalidatePrefix: host is required");
+    if (!opts.prefix || !opts.prefix.startsWith("/")) {
+        throw new Error("cache.invalidatePrefix: prefix must start with '/'");
+    }
+    const result = await callCacheInvalidate({
+        kind: "prefix",
+        host: opts.host.toLowerCase(),
+        prefix: opts.prefix,
+    });
+    return {
+        deleted: result.deleted,
+        generation: result.generation,
+        host: result.host,
+    };
+}
+/**
+ * Invalidate all cache rows for the given host (entire-host purge).
+ * Useful for catastrophic content changes (nav restructure, layout
+ * update, etc.) where targeted invalidation would be impractical.
+ */
+export async function invalidateAll(opts) {
+    if (!opts.host)
+        throw new Error("cache.invalidateAll: host is required");
+    const result = await callCacheInvalidate({
+        kind: "all",
+        host: opts.host.toLowerCase(),
+    });
+    return {
+        deleted: result.deleted,
+        generation: result.generation,
+        host: result.host,
+    };
+}
+/**
+ * Bulk-invalidate many URLs in a single round-trip. Path-string forms
+ * use the current request context's host; absolute URLs are scoped
+ * individually.
+ *
+ * Returns a SUMMARY envelope with the total deleted count. Per-URL
+ * results are also available on the optional `results` field of the
+ * returned object (not in the result type return for the common case;
+ * use the internal endpoint if you need per-URL precision).
+ */
+export async function invalidateMany(urls) {
+    if (!Array.isArray(urls) || urls.length === 0) {
+        return { deleted: 0, generation: 0n, host: "" };
+    }
+    // Resolve each URL to its absolute form, using the current context
+    // for path-only entries.
+    const ctx = getCurrentContext();
+    const resolved = urls.map((u) => {
+        if (u instanceof URL)
+            return u.toString();
+        if (u.startsWith("https://") || u.startsWith("http://"))
+            return u;
+        if (u.startsWith("/")) {
+            if (ctx === undefined || !ctx.active.value) {
+                throw new CacheInvalidationHostRequiredError();
+            }
+            return `https://${ctx.host}${u}`;
+        }
+        throw new Error(`cache.invalidateMany: invalid entry "${u}"`);
+    });
+    const result = await callCacheInvalidate({ kind: "many", urls: resolved });
+    return {
+        deleted: result.deleted,
+        generation: result.generation,
+        host: result.host ?? "",
+    };
+}
+/** The full cache namespace exported via the `cache` named export from
+ *  `@run402/functions`. */
+export const cache = {
+    invalidate,
+    invalidatePrefix,
+    invalidateAll,
+    invalidateMany,
+};
+//# sourceMappingURL=cache.js.map

package/dist/cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.js","sourceRoot":"","sources":["../src/cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAwB,MAAM,sBAAsB,CAAC;AA0B/E;;;;GAIG;AACH,MAAM,OAAO,kCAAmC,SAAQ,KAAK;IAClD,IAAI,GAAG,uCAAuC,CAAC;IAC/C,IAAI,GAAG,iEAAiE,CAAC;IACzE,YAAY,GACnB,+JAA+J,CAAC;IAElK;QACE,KAAK,CACH,2DAA2D;YACzD,6DAA6D,CAChE,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,oCAAoC,CAAC;IACnD,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,mCAAoC,SAAQ,KAAK;IACnD,IAAI,GAAG,wCAAwC,CAAC;IAChD,IAAI,GAAG,kEAAkE,CAAC;IAC1E,IAAI,CAAS;IACb,YAAY,CAAS;IAE9B,YAAY,IAAY;QACtB,KAAK,CAAC,QAAQ,IAAI,sCAAsC,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,GAAG,qCAAqC,CAAC;QAClD,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,YAAY,GAAG,uMAAuM,CAAC;IAC9N,CAAC;CACF;AAED;;;;;GAKG;AACH,KAAK,UAAU,mBAAmB,CAAC,IAMlC;IACC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,sBAAsB,CAAC;IACrD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,kEAAkE;YAClE,kEAAkE;YAClE,4DAA4D;YAC5D,aAAa,EAAE,SAAS,GAAG,MAAM,CAAC,WAAW;SAC9C;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAA4B,CAAC;QACrF,MAAM,IAAI,GAAG,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACjF,MAAM,IAAI,mCAAmC,CAAC,IAAI,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,oBAAoB,IAAI,CAAC,IAAI,kBAAkB,QAAQ,CAAC,MAAM,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAC1F,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAMlC,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACnC,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACjC,GAAG,CAAC;YACJ,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;SACjC,CAAC,CAAC;KACJ,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,SAAuB;IACtD,IAAI,IAAY,CAAC;IACjB,IAAI,IAAY,CAAC;IAEjB,IAAI,SAAS,YAAY,GAAG,EAAE,CAAC;QAC7B,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QACpC,IAAI,GAAG,SAAS,CAAC,QAAQ,GAAG,SAAS,CAAC,MAAM,CAAC;IAC/C,CAAC;SAAM,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5E,gEAAgE;QAChE,uBAAuB;QACvB,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7B,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC5B,IAAI,GAAG,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;SAAM,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7E,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7B,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC5B,IAAI,GAAG,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;SAAM,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACtE,qEAAqE;QACrE,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;QAChC,IAAI,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAC3C,MAAM,IAAI,kCAAkC,EAAE,CAAC;QACjD,CAAC;QACD,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC9B,IAAI,GAAG,SAAS,CAAC;IACnB,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CACb,yGAAyG,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,SAAS,GAAG,CAAC,CAAC,CAAC,OAAO,SAAS,EAAE,CAC/K,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;IACxE,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,IAAI;KAC1B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAA6B;IAClE,IAAI,CAAC,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC5E,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC;QACvC,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE;QAC7B,MAAM,EAAE,IAAI,CAAC,MAAM;KACpB,CAAC,CAAC;IACH,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAA0B;IAC5D,IAAI,CAAC,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IACzE,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC;QACvC,IAAI,EAAE,KAAK;QACX,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE;KAC9B,CAAC,CAAC;IACH,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,IAAyB;IAC5D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IAClD,CAAC;IAED,mEAAmE;IACnE,yBAAyB;IACzB,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC9B,IAAI,CAAC,YAAY,GAAG;YAAE,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC1C,IAAI,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,CAAC,CAAC;QAClE,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACtB,IAAI,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBAC3C,MAAM,IAAI,kCAAkC,EAAE,CAAC;YACjD,CAAC;YACD,OAAO,WAAW,GAAG,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACnC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,GAAG,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC3E,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE;KACxB,CAAC;AACJ,CAAC;AAED;2BAC2B;AAC3B,MAAM,CAAC,MAAM,KAAK,GAAG;IACnB,UAAU;IACV,gBAAgB;IAChB,aAAa;IACb,cAAc;CACN,CAAC"}

package/dist/db.d.ts

@@ -30,15 +30,34 @@ interface CallerDbClient {
     from(table: string): QueryBuilder;
 }
 /**
- * Caller-context DB client. Forwards the incoming Request's Authorization
- * header to PostgREST so RLS policies evaluate against the caller's role.
- * `apikey` is the project's anon key (routing only — does not grant bypass).
+ * Caller-context DB client. Forwards the caller's Authorization header
+ * to PostgREST so RLS policies evaluate against the caller's role.
  *
- * If the incoming Request has no Authorization, the request is sent with
- * just the anon apikey; PostgREST resolves role=anon and RLS decides whether
- * the query succeeds or returns 401/403.
+ * Capability `astro-ssr-runtime` (v1.52): `db()` now accepts the request
+ * via either path:
+ *
+ *   1. **Explicit `db(req)`** — pass a Web `Request` (or Express
+ *      `req.raw` equivalent). The existing v0.x call shape.
+ *
+ *   2. **Implicit `db()`** — when called with no argument, reads the
+ *      Authorization header from the active AsyncLocalStorage request
+ *      context (populated by the SSR Lambda runtime in `@run402/astro`).
+ *      This is what makes `await db().from(...)` work naturally inside
+ *      Astro `[slug].astro` frontmatter without explicit plumbing.
+ *
+ * `apikey` is the project's anon key (routing only — does not grant
+ * bypass). If no Authorization is present (in either form), the request
+ * is sent with just the anon apikey; PostgREST resolves role=anon and
+ * RLS decides whether the query succeeds or returns 401/403.
+ *
+ * Outside an active request context (module scope, background timer
+ * past response materialization), `db()` (no arg) still works — it
+ * sends with no Authorization, exactly as the v0.x behavior with a
+ * Request that has no auth header. SDK functions that REQUIRE a context
+ * (like `cache.invalidate` path-form) throw `R402_SDK_OUTSIDE_REQUEST_CONTEXT`
+ * separately.
  */
-export declare function db(req: Request): CallerDbClient;
+export declare function db(req?: Request): CallerDbClient;
 interface AdminDbClient {
     from(table: string): QueryBuilder;
     sql(query: string, params?: unknown[]): Promise<Record<string, unknown>[]>;

package/dist/db.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAEA,UAAU,gBAAgB;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,YAAY;;gBASX,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB;IAOjD,MAAM,CAAC,OAAO,SAAM,GAAG,IAAI;IAK3B,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK3C,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK5C,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,GAAG,IAAI;IAKrD,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,SAAgB,EAAE;;KAAK,GAAG,IAAI;IAKtD,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK1B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK3B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;IAMvE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAM3C,MAAM,IAAI,IAAI;IAKd,IAAI,CACF,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,IAAI,EACnD,MAAM,EAAE,CAAC,MAAM,EAAE,KAAK,KAAK,IAAI,GAC9B,IAAI;CA6BR;AAOD,UAAU,cAAc;IACtB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;CACnC;AAED;;;;;;;;GAQG;AACH,wBAAgB,EAAE,CAAC,GAAG,EAAE,OAAO,GAAG,cAAc,CAkB/C;AAED,UAAU,aAAa;IACrB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IAClC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;CAC5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA+BvC"}
+{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAGA,UAAU,gBAAgB;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,YAAY;;gBASX,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB;IAOjD,MAAM,CAAC,OAAO,SAAM,GAAG,IAAI;IAK3B,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK3C,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK5C,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,GAAG,IAAI;IAKrD,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,SAAgB,EAAE;;KAAK,GAAG,IAAI;IAKtD,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK1B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK3B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;IAMvE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAM3C,MAAM,IAAI,IAAI;IAKd,IAAI,CACF,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,IAAI,EACnD,MAAM,EAAE,CAAC,MAAM,EAAE,KAAK,KAAK,IAAI,GAC9B,IAAI;CA6BR;AAgBD,UAAU,cAAc;IACtB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,cAAc,CAkBhD;AAED,UAAU,aAAa;IACrB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IAClC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;CAC5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA+BvC"}

package/dist/db.js

@@ -1,4 +1,5 @@
 import { config } from "./config.js";
+import { getCurrentContext } from "./runtime-context.js";
 export class QueryBuilder {
     #table;
     #params = new URLSearchParams();
@@ -111,21 +112,50 @@ function extractAuth(req) {
     const auth = req.headers.get("authorization") ?? req.headers.get("Authorization");
     return auth ?? undefined;
 }
+function extractAuthFromAls() {
+    const ctx = getCurrentContext();
+    if (ctx === undefined)
+        return undefined;
+    const headers = ctx.request.headers;
+    const raw = headers["authorization"] ?? headers["Authorization"];
+    if (Array.isArray(raw))
+        return raw[0];
+    return raw ?? undefined;
+}
 /**
- * Caller-context DB client. Forwards the incoming Request's Authorization
- * header to PostgREST so RLS policies evaluate against the caller's role.
- * `apikey` is the project's anon key (routing only — does not grant bypass).
+ * Caller-context DB client. Forwards the caller's Authorization header
+ * to PostgREST so RLS policies evaluate against the caller's role.
+ *
+ * Capability `astro-ssr-runtime` (v1.52): `db()` now accepts the request
+ * via either path:
+ *
+ *   1. **Explicit `db(req)`** — pass a Web `Request` (or Express
+ *      `req.raw` equivalent). The existing v0.x call shape.
+ *
+ *   2. **Implicit `db()`** — when called with no argument, reads the
+ *      Authorization header from the active AsyncLocalStorage request
+ *      context (populated by the SSR Lambda runtime in `@run402/astro`).
+ *      This is what makes `await db().from(...)` work naturally inside
+ *      Astro `[slug].astro` frontmatter without explicit plumbing.
+ *
+ * `apikey` is the project's anon key (routing only — does not grant
+ * bypass). If no Authorization is present (in either form), the request
+ * is sent with just the anon apikey; PostgREST resolves role=anon and
+ * RLS decides whether the query succeeds or returns 401/403.
  *
- * If the incoming Request has no Authorization, the request is sent with
- * just the anon apikey; PostgREST resolves role=anon and RLS decides whether
- * the query succeeds or returns 401/403.
+ * Outside an active request context (module scope, background timer
+ * past response materialization), `db()` (no arg) still works — it
+ * sends with no Authorization, exactly as the v0.x behavior with a
+ * Request that has no auth header. SDK functions that REQUIRE a context
+ * (like `cache.invalidate` path-form) throw `R402_SDK_OUTSIDE_REQUEST_CONTEXT`
+ * separately.
  */
 export function db(req) {
     if (!config.ANON_KEY) {
-        throw new Error("db(req) requires RUN402_ANON_KEY in the Lambda environment. " +
+        throw new Error("db() requires RUN402_ANON_KEY in the Lambda environment. " +
             "Redeploy this function via the gateway to pick up the new env var.");
     }
-    const authorization = extractAuth(req);
+    const authorization = req !== undefined ? extractAuth(req) : extractAuthFromAls();
     const anonKey = config.ANON_KEY;
     return {
         from(table) {

package/dist/db.js.map

@@ -1 +1 @@
-{"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAQrC,MAAM,OAAO,YAAY;IACvB,MAAM,CAAS;IACf,OAAO,GAAG,IAAI,eAAe,EAAE,CAAC;IAChC,OAAO,GAAG,KAAK,CAAC;IAChB,KAAK,GAAY,SAAS,CAAC;IAC3B,OAAO,CAAS;IAChB,cAAc,CAAqB;IACnC,SAAS,CAAS;IAElB,YAAY,KAAa,EAAE,IAAsB;QAC/C,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,GAAG;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,MAAc,EAAE,OAAe;QAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,OAAO,EAAE,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,OAAe;QACnC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,MAA2B;QAC5C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE;QAC7C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAa;QACjB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAAyD;QAC9D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAA6B;QAClC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM;QACJ,IAAI,CAAC,OAAO,GAAG,QAAQ,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CACF,OAAmD,EACnD,MAA+B;QAE/B,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAEtF,MAAM,OAAO,GAA2B;YACtC,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,uBAAuB;SAChC,CAAC;QACF,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,cAAc,CAAC;QAC9C,CAAC;QAED,KAAK,CAAC,GAAG,EAAE;YACT,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1D,CAAC;aACC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YAClB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC,CAAC;gBACjE,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAiC,CAAC,CAAC;QAC7C,CAAC,CAAC;aACD,KAAK,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC;CACF;AAED,SAAS,WAAW,CAAC,GAAY;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClF,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAMD;;;;;;;;GAQG;AACH,MAAM,UAAU,EAAE,CAAC,GAAY;IAC7B,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,8DAA8D;YAC5D,oEAAoE,CACvE,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,OAAO;gBACf,aAAa;gBACb,QAAQ,EAAE,UAAU;aACrB,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAOD;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO;IACrB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC;IACtC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,UAAU;gBAClB,aAAa,EAAE,UAAU,UAAU,EAAE;gBACrC,QAAQ,EAAE,gBAAgB;aAC3B,CAAC,CAAC;QACL,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,KAAa,EAAE,MAAkB;YACzC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,sBAAsB,MAAM,CAAC,UAAU,MAAM,CAAC;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;YAC7D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,UAAU,EAAE;oBACrC,cAAc,EAAE,SAAS,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,YAAY;iBAC9D;gBACD,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK;aACjE,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,cAAc,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,GAAG,CAAC,IAAI,EAAwC,CAAC;QAC1D,CAAC;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAQzD,MAAM,OAAO,YAAY;IACvB,MAAM,CAAS;IACf,OAAO,GAAG,IAAI,eAAe,EAAE,CAAC;IAChC,OAAO,GAAG,KAAK,CAAC;IAChB,KAAK,GAAY,SAAS,CAAC;IAC3B,OAAO,CAAS;IAChB,cAAc,CAAqB;IACnC,SAAS,CAAS;IAElB,YAAY,KAAa,EAAE,IAAsB;QAC/C,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,GAAG;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,MAAc,EAAE,OAAe;QAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,OAAO,EAAE,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,OAAe;QACnC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,MAA2B;QAC5C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE;QAC7C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAa;QACjB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAAyD;QAC9D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAA6B;QAClC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM;QACJ,IAAI,CAAC,OAAO,GAAG,QAAQ,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CACF,OAAmD,EACnD,MAA+B;QAE/B,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAEtF,MAAM,OAAO,GAA2B;YACtC,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,uBAAuB;SAChC,CAAC;QACF,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,cAAc,CAAC;QAC9C,CAAC;QAED,KAAK,CAAC,GAAG,EAAE;YACT,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1D,CAAC;aACC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YAClB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC,CAAC;gBACjE,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAiC,CAAC,CAAC;QAC7C,CAAC,CAAC;aACD,KAAK,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC;CACF;AAED,SAAS,WAAW,CAAC,GAAY;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClF,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,kBAAkB;IACzB,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACxC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;IACtC,OAAO,GAAG,IAAI,SAAS,CAAC;AAC1B,CAAC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,EAAE,CAAC,GAAa;IAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,2DAA2D;YACzD,oEAAoE,CACvE,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,EAAE,CAAC;IAClF,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,OAAO;gBACf,aAAa;gBACb,QAAQ,EAAE,UAAU;aACrB,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAOD;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO;IACrB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC;IACtC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,UAAU;gBAClB,aAAa,EAAE,UAAU,UAAU,EAAE;gBACrC,QAAQ,EAAE,gBAAgB;aAC3B,CAAC,CAAC;QACL,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,KAAa,EAAE,MAAkB;YACzC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,sBAAsB,MAAM,CAAC,UAAU,MAAM,CAAC;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;YAC7D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,UAAU,EAAE;oBACrC,cAAc,EAAE,SAAS,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,YAAY;iBAC9D;gBACD,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK;aACjE,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,cAAc,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,GAAG,CAAC,IAAI,EAAwC,CAAC;QAC1D,CAAC;KACF,CAAC;AACJ,CAAC"}