@selvajs/selva 4.3.5 → 4.5.0

package/build/server/chunks/providers.server-C3fQ7ZdV.js

@@ -0,0 +1,4456 @@
+import { p as private_env } from './shared-server-C3WdcJCQ.js';
+import { pathToFileURL } from 'node:url';
+import * as path from 'node:path';
+import { resolve } from 'node:path';
+import { existsSync } from 'node:fs';
+import { D as DEFAULT_ORG_PERMISSIONS, S as SYSTEM_CONTEXT, j as hasPermission, P as PlatformPermissionSchema } from './context-BJnJL8ES.js';
+import * as crypto from 'node:crypto';
+import { createDecipheriv, randomBytes, createCipheriv, randomUUID, createHmac, timingSafeEqual } from 'node:crypto';
+import * as fs from 'node:fs/promises';
+import { createClient } from '@supabase/supabase-js';
+
+function assertSafeKey(value, label) {
+  if (!value || !/^[A-Za-z0-9._-]+$/.test(value) || value === "." || value === "..") {
+    throw new Error(`Unsafe ${label}: ${JSON.stringify(value)}`);
+  }
+}
+const definitionPaths = {
+  version: (guid, versionNumber, ext) => {
+    assertSafeKey(guid, "guid");
+    if (!Number.isInteger(versionNumber) || versionNumber < 1) {
+      throw new Error(`Unsafe versionNumber: ${versionNumber}`);
+    }
+    return `definitions/${guid}/versions/v${versionNumber}.${ext}`;
+  },
+  image: (guid) => {
+    assertSafeKey(guid, "guid");
+    return `definitions/${guid}/cover.webp`;
+  },
+  prefix: (guid) => {
+    assertSafeKey(guid, "guid");
+    return `definitions/${guid}/`;
+  }
+};
+const IMAGE_MAX_WIDTH = 1200;
+const IMAGE_WEBP_QUALITY = 85;
+function isImageUpload(contentType, storagePath) {
+  if (contentType?.startsWith("image/")) return true;
+  return /\.(webp|png|jpe?g|gif|bmp|tif?f)$/i.test(storagePath);
+}
+function toWebpPath(storagePath) {
+  return storagePath.replace(/\.(png|jpe?g|gif|bmp|tif?f)$/i, ".webp");
+}
+async function transcodeImageIfNeeded(data, contentType, storagePath) {
+  if (!isImageUpload(contentType, storagePath)) {
+    return { data, contentType: contentType ?? "application/octet-stream", path: storagePath };
+  }
+  const sharp = await loadSharp();
+  const compressed = await sharp(Buffer.from(data)).resize({ width: IMAGE_MAX_WIDTH, withoutEnlargement: true }).webp({ quality: IMAGE_WEBP_QUALITY }).toBuffer();
+  return {
+    data: new Uint8Array(compressed),
+    contentType: "image/webp",
+    path: toWebpPath(storagePath)
+  };
+}
+let cachedSharp = null;
+async function loadSharp() {
+  if (cachedSharp) return cachedSharp;
+  try {
+    const mod = await import('sharp');
+    cachedSharp = mod.default ?? mod;
+    return cachedSharp;
+  } catch (err) {
+    throw new Error(
+      "Image transcoding requires `sharp` to be installed. Add it as a dependency in your provider package.",
+      { cause: err }
+    );
+  }
+}
+function isPlatformServer(s) {
+  return s.scope === "platform";
+}
+function isOrgServer(s) {
+  return s.scope === "org";
+}
+function actorFrom(ctx) {
+  return ctx.userId || "system";
+}
+class NoopEventSink {
+  async emit(_event) {
+  }
+}
+class NoopSolveMetricSink {
+  async record(_ctx, _metric) {
+  }
+}
+const nowIso = () => (/* @__PURE__ */ new Date()).toISOString();
+function auditUpdate(ctx, fallbackActor) {
+  return {
+    updatedAt: nowIso(),
+    updatedBy: ctx.userId || fallbackActor || ""
+  };
+}
+function auditSoftDelete(ctx, fallbackActor) {
+  const now = nowIso();
+  return {
+    deletedAt: now,
+    updatedAt: now,
+    updatedBy: ctx.userId || fallbackActor || ""
+  };
+}
+const DEFAULT_PAGE_LIMIT = 50;
+const MAX_PAGE_LIMIT = 200;
+function isFlagEnabled(config, flag2) {
+  return Boolean(config.flags?.[flag2]);
+}
+function defineConfig(config) {
+  return config;
+}
+class ProviderError extends Error {
+  statusCode;
+  constructor(message, statusCode = 400) {
+    super(message);
+    this.name = "ProviderError";
+    this.statusCode = statusCode;
+  }
+}
+const DEFAULT_MAX_AGE_MS = 8 * 60 * 60 * 1e3;
+function signHmacToken(secret, userId, maxAgeMs = DEFAULT_MAX_AGE_MS) {
+  const expiry = Date.now() + maxAgeMs;
+  const payload = Buffer.from(`${userId}:${expiry}`).toString("base64url");
+  const sig = createHmac("sha256", secret).update(payload).digest("base64url");
+  return `${payload}.${sig}`;
+}
+function verifyHmacToken(token, secret) {
+  const dot = token.lastIndexOf(".");
+  if (dot === -1) return { userId: "", valid: false };
+  const payload = token.slice(0, dot);
+  const sig = token.slice(dot + 1);
+  const expectedSig = createHmac("sha256", secret).update(payload).digest("base64url");
+  const a = Buffer.from(sig);
+  const b = Buffer.from(expectedSig);
+  if (a.length !== b.length || !timingSafeEqual(a, b)) return { userId: "", valid: false };
+  const decoded = Buffer.from(payload, "base64url").toString();
+  const colon = decoded.lastIndexOf(":");
+  if (colon === -1) return { userId: "", valid: false };
+  const userId = decoded.slice(0, colon);
+  const expiry = parseInt(decoded.slice(colon + 1), 10);
+  if (!Number.isFinite(expiry) || Date.now() >= expiry) return { userId: "", valid: false };
+  return { userId, valid: true };
+}
+async function readJsonFile(filePath, fallback) {
+  try {
+    const raw = await fs.readFile(filePath, "utf-8");
+    return JSON.parse(raw);
+  } catch (err) {
+    if (err.code === "ENOENT") return fallback;
+    throw err;
+  }
+}
+async function writeJsonFile(filePath, data) {
+  await fs.mkdir(path.dirname(filePath), { recursive: true });
+  const tmp = `${filePath}.tmp`;
+  await fs.writeFile(tmp, JSON.stringify(data, null, "	"), "utf-8");
+  await fs.rename(tmp, filePath);
+}
+const LAST_LOGIN_DEBOUNCE_MS$1 = 6e4;
+const PBKDF2_ITERATIONS = 1e5;
+const PBKDF2_KEYLEN = 32;
+const PBKDF2_DIGEST = "sha256";
+async function hashPassword(password) {
+  const salt = crypto.randomBytes(16).toString("base64url");
+  const hash = await new Promise(
+    (resolve2, reject) => crypto.pbkdf2(
+      password,
+      salt,
+      PBKDF2_ITERATIONS,
+      PBKDF2_KEYLEN,
+      PBKDF2_DIGEST,
+      (err, key) => err ? reject(err) : resolve2(key)
+    )
+  );
+  return `pbkdf2:${PBKDF2_DIGEST}:${PBKDF2_ITERATIONS}:${salt}:${hash.toString("base64url")}`;
+}
+async function verifyPasswordHash(password, storedHash) {
+  const parts = storedHash.split(":");
+  if (parts.length !== 5 || parts[0] !== "pbkdf2") return false;
+  const [, digest, iterStr, salt, expectedHashB64] = parts;
+  const iterations = parseInt(iterStr, 10);
+  if (!Number.isFinite(iterations) || iterations <= 0) return false;
+  const expected = Buffer.from(expectedHashB64, "base64url");
+  const actual = await new Promise(
+    (resolve2, reject) => crypto.pbkdf2(
+      password,
+      salt,
+      iterations,
+      PBKDF2_KEYLEN,
+      digest,
+      (err, key) => err ? reject(err) : resolve2(key)
+    )
+  );
+  if (actual.length !== expected.length) return false;
+  return crypto.timingSafeEqual(actual, expected);
+}
+const empty$5 = () => ({ users: [] });
+function createLocalAuthUserStore(usersFilePath) {
+  return {
+    async findByEmail(email) {
+      const { users } = await readJsonFile(usersFilePath, empty$5());
+      return users.find((u) => u.email.toLowerCase() === email.toLowerCase()) ?? null;
+    },
+    async findById(id) {
+      const { users } = await readJsonFile(usersFilePath, empty$5());
+      return users.find((u) => u.id === id) ?? null;
+    },
+    async listUsers() {
+      const { users } = await readJsonFile(usersFilePath, empty$5());
+      return users.map(({ passwordHash: _ph, ...rest }) => rest);
+    },
+    async createUser(email, password) {
+      const file = await readJsonFile(usersFilePath, empty$5());
+      if (file.users.some((u) => u.email.toLowerCase() === email.toLowerCase())) {
+        throw new ProviderError(`User with email "${email}" already exists`, 409);
+      }
+      const user = {
+        id: randomUUID(),
+        email,
+        passwordHash: password !== null ? await hashPassword(password) : null,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      file.users.push(user);
+      await writeJsonFile(usersFilePath, file);
+      return user;
+    },
+    async setDisabled(id, disabled) {
+      const file = await readJsonFile(usersFilePath, empty$5());
+      const user = file.users.find((u) => u.id === id);
+      if (!user) throw new ProviderError(`User "${id}" not found`, 404);
+      user.disabled = disabled;
+      await writeJsonFile(usersFilePath, file);
+    },
+    async touchLastLogin(id) {
+      const file = await readJsonFile(usersFilePath, empty$5());
+      const user = file.users.find((u) => u.id === id);
+      if (!user) return;
+      const now = Date.now();
+      if (user.lastLoginAt) {
+        const prev = Date.parse(user.lastLoginAt);
+        if (Number.isFinite(prev) && now - prev < LAST_LOGIN_DEBOUNCE_MS$1) return;
+      }
+      user.lastLoginAt = new Date(now).toISOString();
+      await writeJsonFile(usersFilePath, file);
+    },
+    async deleteUser(id) {
+      const file = await readJsonFile(usersFilePath, empty$5());
+      const before = file.users.length;
+      file.users = file.users.filter((u) => u.id !== id);
+      if (file.users.length === before) throw new ProviderError(`User "${id}" not found`, 404);
+      await writeJsonFile(usersFilePath, file);
+    }
+  };
+}
+function paginate(items, opts) {
+  const limit = Math.min(Math.max(1, opts?.limit ?? DEFAULT_PAGE_LIMIT), MAX_PAGE_LIMIT);
+  const offset = opts?.cursor ? parseInt(opts.cursor, 10) || 0 : 0;
+  const slice = items.slice(offset, offset + limit);
+  const nextOffset = offset + slice.length;
+  return {
+    items: slice,
+    nextCursor: nextOffset < items.length ? String(nextOffset) : void 0
+  };
+}
+function applyOrder(items, opts, keyFn = (item, field) => item[field]) {
+  const field = opts?.orderBy ?? "createdAt";
+  const dir = opts?.orderDir ?? "desc";
+  const mul = dir === "asc" ? 1 : -1;
+  items.sort((a, b) => {
+    const av = keyFn(a, field) ?? "";
+    const bv = keyFn(b, field) ?? "";
+    if (av < bv) return -1 * mul;
+    if (av > bv) return 1 * mul;
+    return 0;
+  });
+  return items;
+}
+const SESSION_MAX_AGE_MS = 8 * 60 * 60 * 1e3;
+function toAuthUser$1(u) {
+  return {
+    id: u.id,
+    email: u.email,
+    createdAt: u.createdAt,
+    lastLoginAt: u.lastLoginAt,
+    disabled: u.disabled
+  };
+}
+class LocalPasswordAuth {
+  constructor(users, mintToken) {
+    this.users = users;
+    this.mintToken = mintToken;
+  }
+  users;
+  mintToken;
+  async verifyLogin(email, password) {
+    if (!this.users) return { kind: "failed", reason: "invalid_credentials" };
+    const user = await this.users.findByEmail(email);
+    if (!user) return { kind: "failed", reason: "invalid_credentials" };
+    if (user.disabled) return { kind: "failed", reason: "disabled" };
+    if (!user.passwordHash || !await verifyPasswordHash(password, user.passwordHash)) {
+      return { kind: "failed", reason: "invalid_credentials" };
+    }
+    await this.users.touchLastLogin(user.id).catch(() => {
+    });
+    const auth = toAuthUser$1(user);
+    return { kind: "success", user: auth, sessionToken: this.mintToken(auth) };
+  }
+  async createUserWithPassword(email, password) {
+    if (!this.users) {
+      throw new ProviderError(
+        "createUserWithPassword requires a users.json backend (DATA_PATH)",
+        500
+      );
+    }
+    return toAuthUser$1(await this.users.createUser(email, password));
+  }
+  async registerUser(email, password) {
+    if (!this.users) return null;
+    return toAuthUser$1(await this.users.createUser(email, password));
+  }
+}
+class LocalAuthProvider {
+  hmacSecret;
+  users;
+  name = "Local";
+  passwordAuth;
+  constructor(config) {
+    this.hmacSecret = config.hmacSecret;
+    if (config.usersFilePath) {
+      this.users = createLocalAuthUserStore(config.usersFilePath);
+    }
+    this.passwordAuth = new LocalPasswordAuth(
+      this.users,
+      (user) => signHmacToken(this.hmacSecret, user.id, SESSION_MAX_AGE_MS)
+    );
+  }
+  static fromEnv(env) {
+    const hmacSecret = env.SELVA_HMAC_KEY;
+    if (!hmacSecret) throw new Error("Missing required env var: SELVA_HMAC_KEY");
+    return new LocalAuthProvider({
+      hmacSecret,
+      usersFilePath: env.DATA_PATH ? path.join(env.DATA_PATH, "auth-users.json") : void 0
+    });
+  }
+  /** Verify an HMAC session token and return the live user record. */
+  async verifyToken(token) {
+    const { valid, userId } = verifyHmacToken(token, this.hmacSecret);
+    if (!valid) return null;
+    if (!this.users) return null;
+    const u = await this.users.findById(userId);
+    if (!u || u.disabled) return null;
+    await this.users.touchLastLogin(u.id).catch(() => {
+    });
+    return toAuthUser$1(u);
+  }
+  async touchLastLogin(id) {
+    if (!this.users) return;
+    await this.users.touchLastLogin(id);
+  }
+  async getUser(id) {
+    if (!this.users) return null;
+    const u = await this.users.findById(id);
+    return u ? toAuthUser$1(u) : null;
+  }
+  async listUsers(opts) {
+    if (!this.users) return null;
+    const users = await this.users.listUsers();
+    return paginate(users.map(toAuthUser$1), opts);
+  }
+  async deleteUser(id) {
+    if (!this.users) return "not_supported";
+    const target = await this.users.findById(id);
+    if (!target) return "not_found";
+    try {
+      await this.users.deleteUser(id);
+      return "ok";
+    } catch (err) {
+      if (err instanceof ProviderError && err.statusCode === 404) return "not_found";
+      throw err;
+    }
+  }
+  async disableUser(id) {
+    if (!this.users) return "not_supported";
+    const target = await this.users.findById(id);
+    if (!target) return "not_found";
+    try {
+      await this.users.setDisabled(id, true);
+      return "ok";
+    } catch (err) {
+      if (err instanceof ProviderError && err.statusCode === 404) return "not_found";
+      throw err;
+    }
+  }
+}
+const EMPTY$1 = { invites: [] };
+class LocalInviteStore {
+  constructor(dataPath, events = new NoopEventSink()) {
+    this.events = events;
+    this.filePath = path.join(dataPath, "invites.json");
+  }
+  events;
+  filePath;
+  static fromEnv(env, events = new NoopEventSink()) {
+    if (!env.DATA_PATH) throw new Error("Missing required env var: DATA_PATH");
+    return new LocalInviteStore(env.DATA_PATH, events);
+  }
+  async load() {
+    return readJsonFile(this.filePath, EMPTY$1);
+  }
+  async save(file) {
+    await writeJsonFile(this.filePath, file);
+  }
+  async create(ctx, invite) {
+    const file = await this.load();
+    file.invites.push(invite);
+    await this.save(file);
+    await this.events.emit({
+      type: "invite.created",
+      inviteId: invite.id,
+      orgId: invite.orgId,
+      email: invite.email,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async getByTokenHash(_ctx, tokenHash) {
+    const { invites } = await this.load();
+    const invite = invites.find((i) => i.tokenHash === tokenHash);
+    if (!invite) return null;
+    if (invite.acceptedAt) return null;
+    if (Date.parse(invite.expiresAt) <= Date.now()) return null;
+    return invite;
+  }
+  async listByOrg(_ctx, orgId, opts) {
+    const { invites } = await this.load();
+    const filtered = invites.filter((i) => i.orgId === orgId);
+    return paginate(applyOrder(filtered, opts), opts);
+  }
+  async markAccepted(ctx, id, userId) {
+    const file = await this.load();
+    const invite = file.invites.find((i) => i.id === id);
+    if (!invite || invite.acceptedAt) return;
+    invite.acceptedAt = (/* @__PURE__ */ new Date()).toISOString();
+    invite.acceptedByUserId = userId;
+    await this.save(file);
+    await this.events.emit({
+      type: "invite.accepted",
+      inviteId: invite.id,
+      orgId: invite.orgId,
+      userId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async revoke(ctx, id) {
+    const file = await this.load();
+    const target = file.invites.find((i) => i.id === id && !i.acceptedAt);
+    if (!target) return;
+    file.invites = file.invites.filter((i) => i.id !== id || i.acceptedAt);
+    await this.save(file);
+    await this.events.emit({
+      type: "invite.revoked",
+      inviteId: id,
+      orgId: target.orgId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async deleteByOrg(_ctx, orgId) {
+    const file = await this.load();
+    const before = file.invites.length;
+    file.invites = file.invites.filter((i) => i.orgId !== orgId);
+    if (file.invites.length === before) return;
+    await this.save(file);
+  }
+}
+const ALGO = "aes-256-gcm";
+const IV_BYTES = 12;
+const TAG_BYTES = 16;
+const PREFIX = "enc:v1:";
+function isEncryptedSecret(value) {
+  return value.startsWith(PREFIX);
+}
+function encryptSecret(plaintext, key) {
+  if (key.length !== 32) {
+    throw new Error(`Secret key must be 32 bytes; got ${key.length}`);
+  }
+  if (isEncryptedSecret(plaintext)) {
+    throw new Error("Refusing to encrypt a value that is already encrypted");
+  }
+  const iv = randomBytes(IV_BYTES);
+  const cipher = createCipheriv(ALGO, key, iv);
+  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return PREFIX + Buffer.concat([iv, tag, ciphertext]).toString("base64");
+}
+function decryptSecret(envelope, key) {
+  if (key.length !== 32) {
+    throw new Error(`Secret key must be 32 bytes; got ${key.length}`);
+  }
+  if (!isEncryptedSecret(envelope)) {
+    throw new Error("Value is not an encrypted secret envelope");
+  }
+  const buf = Buffer.from(envelope.slice(PREFIX.length), "base64");
+  const iv = buf.subarray(0, IV_BYTES);
+  const tag = buf.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
+  const ciphertext = buf.subarray(IV_BYTES + TAG_BYTES);
+  const decipher = createDecipheriv(ALGO, key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
+}
+function decodeSecretKey(raw) {
+  if (/^[0-9a-fA-F]{64}$/.test(raw)) return Buffer.from(raw, "hex");
+  const buf = Buffer.from(raw, "base64");
+  if (buf.length === 32) return buf;
+  throw new Error(
+    `SELVA_AT_REST_KEY must be 32 bytes encoded as 64-char hex or base64. Generate one with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"`
+  );
+}
+const EMPTY = { servers: [], orgDefaults: {} };
+class LocalComputeServerStore {
+  constructor(configFilePath, secretKey) {
+    this.configFilePath = configFilePath;
+    this.secretKey = secretKey;
+  }
+  configFilePath;
+  secretKey;
+  static fromEnv(env) {
+    if (!env.DATA_PATH) throw new Error("Missing required env var: DATA_PATH");
+    if (!env.SELVA_AT_REST_KEY) {
+      throw new Error(
+        `Missing required env var: SELVA_AT_REST_KEY (32-byte hex or base64). Generate one with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"`
+      );
+    }
+    return new LocalComputeServerStore(
+      path.join(env.DATA_PATH, "compute.config.json"),
+      decodeSecretKey(env.SELVA_AT_REST_KEY)
+    );
+  }
+  async readAll() {
+    const raw = await readJsonFile(this.configFilePath, EMPTY);
+    return {
+      servers: raw.servers ?? [],
+      defaultServerId: raw.defaultServerId,
+      orgDefaults: raw.orgDefaults ?? {}
+    };
+  }
+  /**
+   * Per-row tolerant decrypt. A row whose ciphertext can't be authenticated
+   * under the current `SELVA_AT_REST_KEY` is returned with `apiKey: undefined`
+   * and a warning logged once. The page that loaded the config keeps
+   * rendering; solves against that server will fail later when Rhino.Compute
+   * rejects the missing key.
+   *
+   * Boot-time `verifySecrets()` is the strict counterpart — call that from
+   * the app entrypoint to refuse to start when this state is detected.
+   *
+   * Plaintext-on-disk is still hard-fail. That state is never produced by
+   * the store itself (every write goes through `encryptApiKeys`), so seeing
+   * it means someone hand-edited the file with a real secret in plaintext —
+   * which is a security issue we should surface loudly, not paper over.
+   */
+  decryptApiKeys(servers) {
+    return servers.map((s) => {
+      if (!s.apiKey) return s;
+      if (!isEncryptedSecret(s.apiKey)) {
+        throw new Error(
+          `compute.config.json contains an unencrypted apiKey for server "${s.label}" (${s.id}). Re-enter the key via /admin/compute so it is stored encrypted.`
+        );
+      }
+      try {
+        return { ...s, apiKey: decryptSecret(s.apiKey, this.secretKey) };
+      } catch (cause) {
+        console.warn(
+          `[selva] Could not decrypt apiKey for compute server "${s.label}" (${s.id}). The stored ciphertext does not match the current SELVA_AT_REST_KEY. This server will be returned without an apiKey; solves against it will fail. Re-enter the key via /admin/compute, or restore the original SELVA_AT_REST_KEY. See docs/Troubleshooting.md.`,
+          cause
+        );
+        return { ...s, apiKey: void 0 };
+      }
+    });
+  }
+  /**
+   * Boot-time integrity check. Reads every server row and attempts to
+   * decrypt each encrypted `apiKey`. Returns a structured report — does NOT
+   * throw. The caller decides what to do (refuse boot, log + degrade, etc.).
+   *
+   * Use this from app startup (`hooks.server.ts`) so a key mismatch fails
+   * loudly at deploy time instead of as a blank page when a user first hits
+   * a route that loads compute config.
+   */
+  async verifySecrets() {
+    const all = await this.readAll();
+    const failures = [];
+    let plaintextFound = false;
+    for (const s of all.servers) {
+      if (!s.apiKey) continue;
+      if (!isEncryptedSecret(s.apiKey)) {
+        plaintextFound = true;
+        failures.push({
+          serverId: s.id,
+          serverLabel: s.label,
+          reason: "plaintext_on_disk"
+        });
+        continue;
+      }
+      try {
+        decryptSecret(s.apiKey, this.secretKey);
+      } catch (cause) {
+        failures.push({
+          serverId: s.id,
+          serverLabel: s.label,
+          reason: "key_mismatch",
+          cause: cause instanceof Error ? cause.message : String(cause)
+        });
+      }
+    }
+    return { ok: failures.length === 0, failures, plaintextFound };
+  }
+  encryptApiKeys(servers) {
+    return servers.map((s) => {
+      if (!s.apiKey) return s;
+      if (isEncryptedSecret(s.apiKey)) return s;
+      return { ...s, apiKey: encryptSecret(s.apiKey, this.secretKey) };
+    });
+  }
+  async getConfig(_ctx) {
+    const all = await this.readAll();
+    return {
+      servers: this.decryptApiKeys(all.servers),
+      defaultServerId: all.defaultServerId,
+      orgDefaults: all.orgDefaults
+    };
+  }
+  async savePlatformServers(_ctx, servers, defaultServerId) {
+    const all = await this.readAll();
+    const orgRows = all.servers.filter(isOrgServer);
+    const platformRows = this.encryptApiKeys(servers.filter(isPlatformServer));
+    await writeJsonFile(this.configFilePath, {
+      servers: [...platformRows, ...orgRows],
+      defaultServerId,
+      orgDefaults: all.orgDefaults
+    });
+  }
+  async saveOrgServers(_ctx, orgId, servers, defaultServerId) {
+    const all = await this.readAll();
+    const platformRows = all.servers.filter(isPlatformServer);
+    const otherOrgRows = all.servers.filter((s) => isOrgServer(s) && s.ownerOrgId !== orgId);
+    const thisOrgRows = this.encryptApiKeys(
+      servers.filter((_s) => true).map(
+        (s) => isOrgServer(s) ? { ...s, ownerOrgId: orgId } : (
+          // Coerce — caller passed something with the wrong/missing scope.
+          { ...s, scope: "org", ownerOrgId: orgId }
+        )
+      )
+    );
+    const orgDefaults = { ...all.orgDefaults ?? {} };
+    if (defaultServerId === null) {
+      delete orgDefaults[orgId];
+    } else if (typeof defaultServerId === "string") {
+      orgDefaults[orgId] = defaultServerId;
+    }
+    await writeJsonFile(this.configFilePath, {
+      servers: [...platformRows, ...otherOrgRows, ...thisOrgRows],
+      defaultServerId: all.defaultServerId,
+      orgDefaults
+    });
+  }
+  async setOrgDefault(_ctx, orgId, serverId) {
+    const all = await this.readAll();
+    const orgDefaults = { ...all.orgDefaults ?? {} };
+    if (serverId === null) {
+      delete orgDefaults[orgId];
+    } else {
+      orgDefaults[orgId] = serverId;
+    }
+    await writeJsonFile(this.configFilePath, { ...all, orgDefaults });
+  }
+  async deleteByOrg(_ctx, orgId) {
+    const all = await this.readAll();
+    const remaining = all.servers.filter((s) => !(isOrgServer(s) && s.ownerOrgId === orgId));
+    const cleaned = remaining.map((s) => {
+      if (!isPlatformServer(s)) return s;
+      if (s.sharedWith === "all") return s;
+      if (!s.sharedWith.includes(orgId)) return s;
+      const next = {
+        ...s,
+        sharedWith: s.sharedWith.filter((id) => id !== orgId)
+      };
+      return next;
+    });
+    const orgDefaults = { ...all.orgDefaults ?? {} };
+    const hadDefault = orgId in orgDefaults;
+    delete orgDefaults[orgId];
+    const changed = cleaned.length !== all.servers.length || hadDefault || cleaned.some((c, i) => c !== all.servers[i]);
+    if (!changed) return;
+    await writeJsonFile(this.configFilePath, {
+      servers: cleaned,
+      defaultServerId: all.defaultServerId,
+      orgDefaults
+    });
+  }
+}
+const empty$4 = () => ({ grants: [] });
+class LocalPlatformProjectGrantStore {
+  filePath;
+  static fromEnv(env) {
+    if (!env.DATA_PATH) throw new Error("Missing required env var: DATA_PATH");
+    return new LocalPlatformProjectGrantStore(
+      path.join(env.DATA_PATH, "platform-project-grants.json")
+    );
+  }
+  constructor(filePath) {
+    this.filePath = filePath;
+  }
+  async read() {
+    return readJsonFile(this.filePath, empty$4());
+  }
+  async write(data) {
+    await writeJsonFile(this.filePath, data);
+  }
+  async listByProject(_ctx, projectId) {
+    const { grants } = await this.read();
+    return grants.filter((g) => g.projectId === projectId);
+  }
+  async create(_ctx, grant) {
+    const data = await this.read();
+    if (data.grants.some((g) => g.id === grant.id)) {
+      throw new ProviderError(`Grant '${grant.id}' already exists`, 409);
+    }
+    const duplicate = data.grants.find(
+      (g) => g.projectId === grant.projectId && g.granteeType === grant.granteeType && g.granteeId === grant.granteeId
+    );
+    if (duplicate) {
+      throw new ProviderError(
+        `A grant for this ${grant.granteeType} already exists on this project`,
+        409
+      );
+    }
+    data.grants.push(grant);
+    await this.write(data);
+  }
+  async delete(_ctx, id) {
+    const data = await this.read();
+    const idx = data.grants.findIndex((g) => g.id === id);
+    if (idx === -1) throw new ProviderError(`Grant '${id}' not found`, 404);
+    data.grants.splice(idx, 1);
+    await this.write(data);
+  }
+  async deleteByProject(_ctx, projectId) {
+    const data = await this.read();
+    const before = data.grants.length;
+    data.grants = data.grants.filter((g) => g.projectId !== projectId);
+    if (data.grants.length !== before) await this.write(data);
+  }
+  async deleteByGranteeOrg(_ctx, orgId) {
+    const data = await this.read();
+    const before = data.grants.length;
+    data.grants = data.grants.filter((g) => !(g.granteeType === "org" && g.granteeId === orgId));
+    if (data.grants.length !== before) await this.write(data);
+  }
+}
+function isLive$1(row) {
+  return row.deletedAt == null;
+}
+class LocalOrgStoreLoader {
+  storePath;
+  store = null;
+  loading = null;
+  constructor(dataPath) {
+    this.storePath = path.join(dataPath, "local-org.json");
+  }
+  async get() {
+    if (this.store) return this.store;
+    this.loading ??= readJsonFile(this.storePath, {
+      orgs: [],
+      projects: [],
+      orgMembers: [],
+      projectMembers: []
+    }).then((data) => {
+      this.store = data;
+      this.loading = null;
+      return data;
+    });
+    return this.loading;
+  }
+  async write(store) {
+    this.store = store;
+    await writeJsonFile(this.storePath, store);
+  }
+}
+class LocalOrgStore {
+  loader;
+  events;
+  invites;
+  computeServer;
+  grants;
+  static fromEnv(env) {
+    if (!env.DATA_PATH) throw new Error("Missing required env var: DATA_PATH");
+    return new LocalOrgStore({
+      loader: new LocalOrgStoreLoader(env.DATA_PATH),
+      invites: LocalInviteStore.fromEnv(env),
+      computeServer: LocalComputeServerStore.fromEnv(env),
+      grants: LocalPlatformProjectGrantStore.fromEnv(env)
+    });
+  }
+  constructor(opts) {
+    this.loader = opts.loader;
+    this.invites = opts.invites;
+    this.computeServer = opts.computeServer;
+    this.grants = opts.grants;
+    this.events = opts.events ?? new NoopEventSink();
+  }
+  async listOrgs(_ctx, opts) {
+    const { orgs } = await this.loader.get();
+    return paginate(applyOrder(orgs.filter(isLive$1), opts), opts);
+  }
+  async getOrg(_ctx, id) {
+    const { orgs } = await this.loader.get();
+    const o = orgs.find((o2) => o2.id === id);
+    return o && isLive$1(o) ? o : null;
+  }
+  async getOrgBySlug(_ctx, slug) {
+    const { orgs } = await this.loader.get();
+    const o = orgs.find((o2) => o2.slug === slug);
+    return o && isLive$1(o) ? o : null;
+  }
+  async createOrg(ctx, org) {
+    const store = await this.loader.get();
+    if (store.orgs.some((o) => o.id === org.id && isLive$1(o))) {
+      throw new ProviderError(`Org '${org.id}' already exists`, 409);
+    }
+    if (store.orgs.some((o) => o.slug === org.slug && isLive$1(o))) {
+      throw new ProviderError(`Org slug '${org.slug}' already in use`, 409);
+    }
+    store.orgs.push({ ...org, deletedAt: null });
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    store.orgMembers.push({
+      orgId: org.id,
+      userId: org.ownerId,
+      role: "owner",
+      permissions: [...DEFAULT_ORG_PERMISSIONS.owner],
+      joinedAt: now,
+      ...auditUpdate(ctx, org.ownerId),
+      deletedAt: null
+    });
+    await this.loader.write(store);
+    await this.events.emit({ type: "org.created", orgId: org.id, actorId: actorFrom(ctx) });
+  }
+  async updateOrg(ctx, id, patch) {
+    const store = await this.loader.get();
+    const idx = store.orgs.findIndex((o) => o.id === id && isLive$1(o));
+    if (idx === -1) throw new ProviderError(`Org '${id}' not found`, 404);
+    if (patch.slug && patch.slug !== store.orgs[idx].slug) {
+      if (store.orgs.some((o) => o.id !== id && o.slug === patch.slug && isLive$1(o))) {
+        throw new ProviderError(`Org slug '${patch.slug}' already in use`, 409);
+      }
+    }
+    store.orgs[idx] = {
+      ...store.orgs[idx],
+      ...patch,
+      ...auditUpdate(ctx, store.orgs[idx].updatedBy ?? store.orgs[idx].ownerId)
+    };
+    await this.loader.write(store);
+  }
+  async deleteOrg(ctx, id) {
+    const store = await this.loader.get();
+    const idx = store.orgs.findIndex((o) => o.id === id && isLive$1(o));
+    if (idx === -1) throw new ProviderError(`Org '${id}' not found`, 404);
+    const stamp = auditSoftDelete(ctx, store.orgs[idx].updatedBy ?? store.orgs[idx].ownerId);
+    store.orgs[idx] = { ...store.orgs[idx], ...stamp };
+    store.orgMembers = store.orgMembers.map(
+      (m) => m.orgId === id && isLive$1(m) ? { ...m, ...stamp } : m
+    );
+    const orgProjectIds = new Set(
+      store.projects.filter((p) => p.orgId === id && isLive$1(p)).map((p) => p.id)
+    );
+    store.projects = store.projects.map(
+      (p) => p.orgId === id && isLive$1(p) ? { ...p, ...stamp } : p
+    );
+    store.projectMembers = store.projectMembers.map(
+      (m) => orgProjectIds.has(m.projectId) && isLive$1(m) ? { ...m, ...stamp } : m
+    );
+    await this.loader.write(store);
+    await this.invites.deleteByOrg(ctx, id);
+    await this.computeServer.deleteByOrg(ctx, id);
+    for (const projectId of orgProjectIds) {
+      await this.grants.deleteByProject(ctx, projectId);
+    }
+    await this.grants.deleteByGranteeOrg(ctx, id);
+    await this.events.emit({ type: "org.deleted", orgId: id, actorId: actorFrom(ctx) });
+  }
+  async listOrgMembers(_ctx, orgId, opts) {
+    const { orgMembers } = await this.loader.get();
+    return paginate(
+      orgMembers.filter((m) => m.orgId === orgId && isLive$1(m)),
+      opts
+    );
+  }
+  async getOrgMember(_ctx, orgId, userId) {
+    const { orgMembers } = await this.loader.get();
+    const m = orgMembers.find((m2) => m2.orgId === orgId && m2.userId === userId);
+    return m && isLive$1(m) ? m : null;
+  }
+  async findUserMembership(_ctx, userId) {
+    const store = await this.loader.get();
+    const member = store.orgMembers.find((m) => m.userId === userId && isLive$1(m));
+    if (!member) return null;
+    const org = store.orgs.find((o) => o.id === member.orgId);
+    if (!org || !isLive$1(org)) return null;
+    return { org, member };
+  }
+  async addOrgMember(ctx, member) {
+    const store = await this.loader.get();
+    const existing = store.orgMembers.find(
+      (m) => m.orgId === member.orgId && m.userId === member.userId
+    );
+    if (existing) {
+      Object.assign(existing, member, {
+        ...auditUpdate(ctx, member.userId),
+        deletedAt: null
+      });
+    } else {
+      store.orgMembers.push({ ...member, deletedAt: null });
+    }
+    await this.loader.write(store);
+    await this.events.emit({
+      type: "org_member.added",
+      orgId: member.orgId,
+      userId: member.userId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async updateOrgMemberRole(ctx, orgId, userId, role) {
+    const store = await this.loader.get();
+    const m = store.orgMembers.find((m2) => m2.orgId === orgId && m2.userId === userId && isLive$1(m2));
+    if (!m) throw new ProviderError(`Org member '${userId}' not found`, 404);
+    m.role = role;
+    m.permissions = [...DEFAULT_ORG_PERMISSIONS[role]];
+    Object.assign(m, auditUpdate(ctx, m.updatedBy));
+    await this.loader.write(store);
+    await this.events.emit({
+      type: "org_member.role_changed",
+      orgId,
+      userId,
+      role,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async updateOrgMemberPermissions(ctx, orgId, userId, permissions) {
+    const store = await this.loader.get();
+    const m = store.orgMembers.find((m2) => m2.orgId === orgId && m2.userId === userId && isLive$1(m2));
+    if (!m) throw new ProviderError(`Org member '${userId}' not found`, 404);
+    m.permissions = [...permissions];
+    Object.assign(m, auditUpdate(ctx, m.updatedBy));
+    await this.loader.write(store);
+    await this.events.emit({
+      type: "org_member.permissions_changed",
+      orgId,
+      userId,
+      permissions: [...permissions],
+      actorId: actorFrom(ctx)
+    });
+  }
+  async removeOrgMember(ctx, orgId, userId) {
+    const store = await this.loader.get();
+    const m = store.orgMembers.find((m2) => m2.orgId === orgId && m2.userId === userId && isLive$1(m2));
+    if (!m) return;
+    const stamp = auditSoftDelete(ctx, m.updatedBy);
+    Object.assign(m, stamp);
+    const projectIdsInOrg = new Set(
+      store.projects.filter((p) => p.orgId === orgId).map((p) => p.id)
+    );
+    store.projectMembers = store.projectMembers.map(
+      (pm) => pm.userId === userId && projectIdsInOrg.has(pm.projectId) && isLive$1(pm) ? { ...pm, ...stamp } : pm
+    );
+    await this.loader.write(store);
+    await this.events.emit({
+      type: "org_member.removed",
+      orgId,
+      userId,
+      actorId: actorFrom(ctx)
+    });
+  }
+}
+function isLive(row) {
+  return row.deletedAt == null;
+}
+class LocalProjectStore {
+  loader;
+  events;
+  grants;
+  constructor(opts) {
+    this.loader = opts.loader;
+    this.grants = opts.grants;
+    this.events = opts.events ?? new NoopEventSink();
+  }
+  async listProjects(_ctx, orgId, opts) {
+    const { projects } = await this.loader.get();
+    return paginate(
+      applyOrder(
+        projects.filter((p) => p.orgId === orgId && isLive(p)),
+        opts
+      ),
+      opts
+    );
+  }
+  async getProject(_ctx, id) {
+    const { projects } = await this.loader.get();
+    const p = projects.find((p2) => p2.id === id);
+    return p && isLive(p) ? p : null;
+  }
+  async getProjectBySlug(_ctx, orgId, slug) {
+    const { projects } = await this.loader.get();
+    const p = projects.find((p2) => p2.orgId === orgId && p2.slug === slug);
+    return p && isLive(p) ? p : null;
+  }
+  async createProject(ctx, project) {
+    const store = await this.loader.get();
+    if (!store.orgs.some((o) => o.id === project.orgId && isLive(o))) {
+      throw new ProviderError(`Org '${project.orgId}' not found`, 404);
+    }
+    if (store.projects.some((p) => p.id === project.id && isLive(p))) {
+      throw new ProviderError(`Project '${project.id}' already exists`, 409);
+    }
+    const nameKey = project.name.toLowerCase();
+    if (store.projects.some(
+      (p) => p.orgId === project.orgId && isLive(p) && p.name.toLowerCase() === nameKey
+    )) {
+      throw new ProviderError("projects_org_name_unique: project name already in use", 409);
+    }
+    if (store.projects.some((p) => p.orgId === project.orgId && isLive(p) && p.slug === project.slug)) {
+      throw new ProviderError("projects_org_id_slug_key: project slug already in use", 409);
+    }
+    store.projects.push({ ...project, deletedAt: null });
+    store.projectMembers.push({
+      projectId: project.id,
+      userId: project.ownerId,
+      role: "owner",
+      joinedAt: project.createdAt,
+      updatedAt: project.createdAt,
+      updatedBy: project.ownerId,
+      deletedAt: null
+    });
+    await this.loader.write(store);
+    await this.events.emit({
+      type: "project.created",
+      projectId: project.id,
+      orgId: project.orgId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async updateProject(ctx, id, patch) {
+    const store = await this.loader.get();
+    const idx = store.projects.findIndex((p) => p.id === id && isLive(p));
+    if (idx === -1) throw new ProviderError(`Project '${id}' not found`, 404);
+    const current = store.projects[idx];
+    if (patch.name && patch.name.toLowerCase() !== current.name.toLowerCase()) {
+      const nameKey = patch.name.toLowerCase();
+      if (store.projects.some(
+        (p) => p.orgId === current.orgId && p.id !== id && isLive(p) && p.name.toLowerCase() === nameKey
+      )) {
+        throw new ProviderError("projects_org_name_unique: project name already in use", 409);
+      }
+    }
+    if (patch.slug && patch.slug !== current.slug) {
+      if (store.projects.some(
+        (p) => p.orgId === current.orgId && p.slug === patch.slug && p.id !== id && isLive(p)
+      )) {
+        throw new ProviderError("projects_org_id_slug_key: project slug already in use", 409);
+      }
+    }
+    store.projects[idx] = {
+      ...current,
+      ...patch,
+      ...auditUpdate(ctx, current.updatedBy ?? current.ownerId)
+    };
+    await this.loader.write(store);
+  }
+  async deleteProject(ctx, id) {
+    const store = await this.loader.get();
+    const idx = store.projects.findIndex((p) => p.id === id && isLive(p));
+    if (idx === -1) throw new ProviderError(`Project '${id}' not found`, 404);
+    const stamp = auditSoftDelete(
+      ctx,
+      store.projects[idx].updatedBy ?? store.projects[idx].ownerId
+    );
+    store.projects[idx] = { ...store.projects[idx], ...stamp };
+    store.projectMembers = store.projectMembers.map(
+      (m) => m.projectId === id && isLive(m) ? { ...m, ...stamp } : m
+    );
+    await this.loader.write(store);
+    await this.grants.deleteByProject(ctx, id);
+    await this.events.emit({ type: "project.deleted", projectId: id, actorId: actorFrom(ctx) });
+  }
+  async reactivateProject(ctx, orgId, slug) {
+    const store = await this.loader.get();
+    const idx = store.projects.findIndex((p) => p.orgId === orgId && p.slug === slug && !isLive(p));
+    if (idx === -1) return null;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    store.projects[idx] = { ...store.projects[idx], deletedAt: null, updatedAt: now };
+    const ownerId = store.projects[idx].ownerId;
+    const pmIdx = store.projectMembers.findIndex(
+      (m) => m.projectId === store.projects[idx].id && m.userId === ownerId && !isLive(m)
+    );
+    if (pmIdx !== -1) {
+      store.projectMembers[pmIdx] = {
+        ...store.projectMembers[pmIdx],
+        deletedAt: null,
+        updatedAt: now
+      };
+    }
+    await this.loader.write(store);
+    const project = { ...store.projects[idx] };
+    await this.events.emit({
+      type: "project.created",
+      projectId: project.id,
+      orgId: project.orgId,
+      actorId: actorFrom(ctx)
+    });
+    return project;
+  }
+  async listProjectMembers(_ctx, projectId, opts) {
+    const { projectMembers } = await this.loader.get();
+    return paginate(
+      projectMembers.filter((m) => m.projectId === projectId && isLive(m)),
+      opts
+    );
+  }
+  async getProjectMember(_ctx, projectId, userId) {
+    const { projectMembers } = await this.loader.get();
+    const m = projectMembers.find((m2) => m2.projectId === projectId && m2.userId === userId);
+    return m && isLive(m) ? m : null;
+  }
+  async addProjectMember(ctx, member) {
+    const store = await this.loader.get();
+    const existing = store.projectMembers.find(
+      (m) => m.projectId === member.projectId && m.userId === member.userId
+    );
+    if (existing) {
+      Object.assign(existing, member, {
+        ...auditUpdate(ctx, member.userId),
+        deletedAt: null
+      });
+    } else {
+      const stamp = auditUpdate(ctx, member.userId);
+      store.projectMembers.push({
+        ...member,
+        updatedAt: member.updatedAt ?? stamp.updatedAt,
+        updatedBy: member.updatedBy ?? stamp.updatedBy,
+        deletedAt: null
+      });
+    }
+    await this.loader.write(store);
+    await this.events.emit({
+      type: "project_member.added",
+      projectId: member.projectId,
+      userId: member.userId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async updateProjectMemberRole(ctx, projectId, userId, role) {
+    const store = await this.loader.get();
+    const m = store.projectMembers.find(
+      (m2) => m2.projectId === projectId && m2.userId === userId && isLive(m2)
+    );
+    if (!m) throw new ProviderError(`Project member '${userId}' not found`, 404);
+    m.role = role;
+    Object.assign(m, auditUpdate(ctx, m.updatedBy));
+    await this.loader.write(store);
+    await this.events.emit({
+      type: "project_member.role_changed",
+      projectId,
+      userId,
+      role,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async removeProjectMember(ctx, projectId, userId) {
+    const store = await this.loader.get();
+    const m = store.projectMembers.find(
+      (m2) => m2.projectId === projectId && m2.userId === userId && isLive(m2)
+    );
+    if (!m) return;
+    Object.assign(m, auditSoftDelete(ctx, m.updatedBy));
+    await this.loader.write(store);
+    await this.events.emit({
+      type: "project_member.removed",
+      projectId,
+      userId,
+      actorId: actorFrom(ctx)
+    });
+  }
+}
+const empty$3 = () => ({ definitions: {}, definitionVersions: {} });
+class LocalDefinitionStore {
+  configPath;
+  events;
+  projectProvider;
+  static fromEnv(env) {
+    if (!env.DATA_PATH) throw new Error("Missing required env var: DATA_PATH");
+    return new LocalDefinitionStore(env.DATA_PATH);
+  }
+  constructor(definitionsPath, projectProvider, events = new NoopEventSink()) {
+    this.configPath = path.join(definitionsPath, "definitions-config.json");
+    this.projectProvider = projectProvider;
+    this.events = events;
+  }
+  setProjectProvider(projectProvider) {
+    this.projectProvider = projectProvider;
+  }
+  async readConfig() {
+    return readJsonFile(this.configPath, empty$3());
+  }
+  live(record) {
+    return Boolean(record && record.deletedAt == null);
+  }
+  async writeConfig(config) {
+    await writeJsonFile(this.configPath, config);
+  }
+  sortedRecords(records, opts) {
+    const defaulted = {
+      ...opts,
+      orderBy: opts?.orderBy ?? "name",
+      orderDir: opts?.orderDir ?? "asc"
+    };
+    return applyOrder([...records], defaulted, (r, field) => {
+      if (field === "name") return r.displayName.toLowerCase();
+      if (field === "solveCount") return r.solveCount ?? 0;
+      return r[field];
+    });
+  }
+  visibleRecords(records, opts) {
+    const filtered = records.filter((r) => r?.displayName && this.live(r));
+    if (opts?.statuses?.length) {
+      const allowed = new Set(opts.statuses);
+      return filtered.filter((r) => allowed.has(r.status));
+    }
+    return filtered.filter((r) => {
+      if (r.status === "pending" && !opts?.includePending) return false;
+      if (r.status === "archived" && !opts?.includeArchived) return false;
+      return true;
+    });
+  }
+  async list(_ctx, opts) {
+    const config = await this.readConfig();
+    const records = this.visibleRecords(Object.values(config.definitions), opts);
+    return paginate(this.sortedRecords(records, opts), opts);
+  }
+  async listByProject(_ctx, projectId, opts) {
+    const config = await this.readConfig();
+    const records = this.visibleRecords(
+      Object.values(config.definitions).filter((r) => r?.projectId === projectId),
+      opts
+    );
+    return paginate(this.sortedRecords(records, opts), opts);
+  }
+  async listPublic(ctx, opts) {
+    if (!this.projectProvider) {
+      return this.list(ctx, opts);
+    }
+    const config = await this.readConfig();
+    const records = Object.values(config.definitions).filter(
+      (r) => Boolean(r?.displayName && this.live(r))
+    );
+    const projectIds = Array.from(new Set(records.map((r) => r.projectId)));
+    const projects = await Promise.all(
+      projectIds.map((id) => this.projectProvider.getProject(ctx, id))
+    );
+    const publicProjectIds = new Set(
+      projects.filter(
+        (p) => p !== null && p.visibility === "public" && (!opts?.orgId || p.orgId === opts.orgId)
+      ).map((p) => p.id)
+    );
+    const publicRecords = this.visibleRecords(
+      records.filter((r) => publicProjectIds.has(r.projectId)),
+      opts
+    );
+    return paginate(this.sortedRecords(publicRecords, opts), opts);
+  }
+  async get(_ctx, guid) {
+    const config = await this.readConfig();
+    const r = config.definitions[guid];
+    return this.live(r) ? r : null;
+  }
+  async create(ctx, record) {
+    const config = await this.readConfig();
+    const actor = ctx.userId || record.ownerId;
+    config.definitions[record.guid] = {
+      ...record,
+      createdBy: record.createdBy || actor,
+      updatedBy: record.updatedBy || actor,
+      liveVersionId: record.liveVersionId ?? null,
+      draftVersionId: record.draftVersionId ?? null,
+      deletedAt: null
+    };
+    await this.writeConfig(config);
+    await this.events.emit({
+      type: "definition.created",
+      definitionId: record.guid,
+      projectId: record.projectId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async update(ctx, guid, patch) {
+    const config = await this.readConfig();
+    const existing = config.definitions[guid];
+    if (!this.live(existing)) throw new ProviderError(`Definition '${guid}' not found`, 404);
+    const clearable = (v) => v === null ? void 0 : v;
+    config.definitions[guid] = {
+      ...existing,
+      ...patch.displayName !== void 0 && { displayName: patch.displayName },
+      ...patch.description !== void 0 && {
+        description: clearable(patch.description)
+      },
+      ...patch.category !== void 0 && {
+        category: clearable(patch.category)
+      },
+      ...patch.tags !== void 0 && { tags: clearable(patch.tags) },
+      ...patch.coverImage !== void 0 && {
+        coverImage: clearable(patch.coverImage)
+      },
+      ...patch.projectId !== void 0 && { projectId: patch.projectId },
+      ...patch.computeServerId !== void 0 && {
+        computeServerId: clearable(patch.computeServerId)
+      },
+      ...patch.status !== void 0 && { status: patch.status },
+      ...patch.ownerId !== void 0 && { ownerId: patch.ownerId },
+      ...auditUpdate(ctx, existing.updatedBy ?? existing.ownerId)
+    };
+    await this.writeConfig(config);
+  }
+  async delete(ctx, guid) {
+    const config = await this.readConfig();
+    const existing = config.definitions[guid];
+    if (!this.live(existing)) return;
+    Object.assign(existing, auditSoftDelete(ctx, existing.updatedBy ?? existing.ownerId));
+    await this.writeConfig(config);
+    await this.events.emit({
+      type: "definition.deleted",
+      definitionId: guid,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async incrementSolveCount(_ctx, guid) {
+    const config = await this.readConfig();
+    const existing = config.definitions[guid];
+    if (!this.live(existing)) return;
+    existing.solveCount = (existing.solveCount ?? 0) + 1;
+    existing.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    await this.writeConfig(config);
+  }
+  // ============================================================================
+  // Versions (spec §6)
+  // ============================================================================
+  async createVersion(ctx, version) {
+    const config = await this.readConfig();
+    const parent = config.definitions[version.definitionId];
+    if (!this.live(parent)) {
+      throw new ProviderError(`Definition '${version.definitionId}' not found`, 404);
+    }
+    if (config.definitionVersions[version.id]) {
+      throw new ProviderError(`Version '${version.id}' already exists`, 409);
+    }
+    config.definitionVersions[version.id] = { ...version };
+    await this.writeConfig(config);
+    await this.events.emit({
+      type: "definition_version.created",
+      versionId: version.id,
+      definitionId: version.definitionId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async listVersions(_ctx, definitionId, opts) {
+    const config = await this.readConfig();
+    const parent = config.definitions[definitionId];
+    if (!this.live(parent)) return paginate([], opts);
+    const rows = Object.values(config.definitionVersions).filter((v) => v.definitionId === definitionId).sort((a, b) => b.versionNumber - a.versionNumber);
+    return paginate(rows, opts);
+  }
+  async getVersion(_ctx, versionId) {
+    const config = await this.readConfig();
+    return config.definitionVersions[versionId] ?? null;
+  }
+  async setVersionSchema(_ctx, versionId, schema) {
+    const config = await this.readConfig();
+    const version = config.definitionVersions[versionId];
+    if (!version) return;
+    version.schema = schema;
+    version.schemaExtractedAt = (/* @__PURE__ */ new Date()).toISOString();
+    await this.writeConfig(config);
+  }
+  async deleteVersion(ctx, versionId) {
+    const config = await this.readConfig();
+    const version = config.definitionVersions[versionId];
+    if (!version) return;
+    const parent = config.definitions[version.definitionId];
+    if (parent && (parent.liveVersionId === versionId || parent.draftVersionId === versionId)) {
+      throw new ProviderError(
+        `Version '${versionId}' is referenced by liveVersionId or draftVersionId`,
+        409
+      );
+    }
+    delete config.definitionVersions[versionId];
+    await this.writeConfig(config);
+    await this.events.emit({
+      type: "definition_version.deleted",
+      versionId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async setLiveVersion(ctx, definitionId, versionId) {
+    await this.repoint("live", ctx, definitionId, versionId);
+  }
+  async setDraftVersion(ctx, definitionId, versionId) {
+    await this.repoint("draft", ctx, definitionId, versionId);
+  }
+  async attachInitialVersion(ctx, definitionId, versionId) {
+    const config = await this.readConfig();
+    const record = config.definitions[definitionId];
+    if (!this.live(record)) throw new ProviderError(`Definition '${definitionId}' not found`, 404);
+    const version = config.definitionVersions[versionId];
+    if (!version || version.definitionId !== definitionId) {
+      throw new ProviderError(`Version '${versionId}' not found for this definition`, 404);
+    }
+    record.liveVersionId = versionId;
+    record.draftVersionId = versionId;
+    record.status = "draft";
+    Object.assign(record, auditUpdate(ctx, record.updatedBy ?? record.ownerId));
+    await this.writeConfig(config);
+  }
+  async repoint(channel, ctx, definitionId, versionId) {
+    const config = await this.readConfig();
+    const record = config.definitions[definitionId];
+    if (!this.live(record)) throw new ProviderError(`Definition '${definitionId}' not found`, 404);
+    const version = config.definitionVersions[versionId];
+    if (!version || version.definitionId !== definitionId) {
+      throw new ProviderError(`Version '${versionId}' not found for this definition`, 404);
+    }
+    if (channel === "live") record.liveVersionId = versionId;
+    else record.draftVersionId = versionId;
+    Object.assign(record, auditUpdate(ctx, record.updatedBy ?? record.ownerId));
+    await this.writeConfig(config);
+    if (channel === "live") {
+      await this.events.emit({
+        type: "definition.published",
+        definitionId,
+        versionId,
+        actorId: actorFrom(ctx)
+      });
+    }
+  }
+}
+const empty$2 = () => ({ links: {} });
+class LocalShareLinkStore {
+  definitionProvider;
+  events;
+  configFilePath;
+  static fromEnv(env) {
+    if (!env.DATA_PATH) throw new Error("Missing required env var: DATA_PATH");
+    return new LocalShareLinkStore({
+      filePath: path.join(env.DATA_PATH, "share-links.json")
+    });
+  }
+  constructor(opts) {
+    this.configFilePath = opts.filePath;
+    this.events = opts.events ?? new NoopEventSink();
+  }
+  /**
+   * Wire the definition store so token resolution can check the parent
+   * definition's `deletedAt` (Permissions.md §7 cascade contract). Mirrors
+   * Supabase, which performs the equivalent JOIN. Optional: when unset, the
+   * store falls back to the local-only revoke check; the route layer in
+   * the selva app does the parent lookup as a safety net either way.
+   */
+  setDefinitionProvider(definitions) {
+    this.definitionProvider = definitions;
+  }
+  async readAll() {
+    return readJsonFile(this.configFilePath, empty$2());
+  }
+  async writeAll(data) {
+    await writeJsonFile(this.configFilePath, data);
+  }
+  isLive(l) {
+    return Boolean(l && l.revokedAt == null);
+  }
+  async create(ctx, link) {
+    const all = await this.readAll();
+    if (all.links[link.id]) {
+      throw new ProviderError(`Share link '${link.id}' already exists`, 409);
+    }
+    all.links[link.id] = { ...link, revokedAt: null };
+    await this.writeAll(all);
+    await this.events.emit({
+      type: "share_link.minted",
+      linkId: link.id,
+      definitionId: link.definitionId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async listByDefinition(_ctx, definitionId, opts) {
+    const all = await this.readAll();
+    const rows = Object.values(all.links).filter((l) => l.definitionId === definitionId && this.isLive(l)).sort((a, b) => b.createdAt.localeCompare(a.createdAt));
+    return paginate(rows, opts);
+  }
+  async getById(_ctx, id) {
+    const all = await this.readAll();
+    return all.links[id] ?? null;
+  }
+  async getByTokenHash(_ctx, tokenHash) {
+    const all = await this.readAll();
+    const found = Object.values(all.links).find((l) => l.tokenHash === tokenHash);
+    if (!this.isLive(found)) return null;
+    if (this.definitionProvider) {
+      const parent = await this.definitionProvider.get(SYSTEM_CONTEXT, found.definitionId);
+      if (!parent) return null;
+    }
+    return found;
+  }
+  async revoke(ctx, id) {
+    const all = await this.readAll();
+    const l = all.links[id];
+    if (!l || !this.isLive(l)) return;
+    l.revokedAt = (/* @__PURE__ */ new Date()).toISOString();
+    await this.writeAll(all);
+    await this.events.emit({ type: "share_link.revoked", linkId: id, actorId: actorFrom(ctx) });
+  }
+  async tryIncrementSolveCount(_ctx, id) {
+    const all = await this.readAll();
+    const l = all.links[id];
+    if (!l || !this.isLive(l)) return null;
+    if (l.maxSolves != null && l.solveCount >= l.maxSolves) return null;
+    l.solveCount += 1;
+    await this.writeAll(all);
+    return l.solveCount;
+  }
+}
+const MAX_RECENT_RUNS$1 = 20;
+const empty$1 = () => ({ users: [] });
+function emptyRow(userId) {
+  return {
+    userId,
+    platformPermissions: [],
+    starredDefinitions: [],
+    recentRuns: []
+  };
+}
+function createLocalUserDataStore(filePath) {
+  async function findOrThrow(userId) {
+    const file = await readJsonFile(filePath, empty$1());
+    const row = file.users.find((u) => u.userId === userId);
+    if (!row) throw new ProviderError(`User-data row "${userId}" not found`, 404);
+    return { file, row };
+  }
+  return {
+    async ensure(userId) {
+      const file = await readJsonFile(filePath, empty$1());
+      if (file.users.some((u) => u.userId === userId)) return;
+      file.users.push(emptyRow(userId));
+      await writeJsonFile(filePath, file);
+    },
+    async findById(userId) {
+      const { users } = await readJsonFile(filePath, empty$1());
+      return users.find((u) => u.userId === userId) ?? null;
+    },
+    async listAll() {
+      const { users } = await readJsonFile(filePath, empty$1());
+      return users;
+    },
+    async updatePermissions(userId, permissions) {
+      const { file, row } = await findOrThrow(userId);
+      row.platformPermissions = permissions;
+      await writeJsonFile(filePath, file);
+    },
+    async updateDisplayName(userId, displayName) {
+      const { file, row } = await findOrThrow(userId);
+      if (displayName === void 0) {
+        delete row.displayName;
+      } else {
+        row.displayName = displayName;
+      }
+      await writeJsonFile(filePath, file);
+    },
+    async starDefinition(userId, definitionId) {
+      const { file, row } = await findOrThrow(userId);
+      if (!row.starredDefinitions.includes(definitionId)) {
+        row.starredDefinitions.push(definitionId);
+        await writeJsonFile(filePath, file);
+      }
+    },
+    async unstarDefinition(userId, definitionId) {
+      const { file, row } = await findOrThrow(userId);
+      row.starredDefinitions = row.starredDefinitions.filter((d) => d !== definitionId);
+      await writeJsonFile(filePath, file);
+    },
+    async recordRun(userId, run) {
+      const { file, row } = await findOrThrow(userId);
+      row.recentRuns = [
+        run,
+        ...row.recentRuns.filter((r) => r.definitionId !== run.definitionId)
+      ].slice(0, MAX_RECENT_RUNS$1);
+      await writeJsonFile(filePath, file);
+    },
+    async deleteUser(userId) {
+      const file = await readJsonFile(filePath, empty$1());
+      const before = file.users.length;
+      file.users = file.users.filter((u) => u.userId !== userId);
+      if (file.users.length === before) {
+        throw new ProviderError(`User-data row "${userId}" not found`, 404);
+      }
+      await writeJsonFile(filePath, file);
+    }
+  };
+}
+function toProfile(u) {
+  return {
+    userId: u.userId,
+    displayName: u.displayName,
+    starredDefinitions: u.starredDefinitions ?? [],
+    recentRuns: u.recentRuns ?? []
+  };
+}
+class LocalUserProfileProvider {
+  data;
+  constructor(userDataFilePath) {
+    this.data = createLocalUserDataStore(userDataFilePath);
+  }
+  static fromEnv(env) {
+    if (!env.DATA_PATH) throw new Error("Missing required env var: DATA_PATH");
+    return new LocalUserProfileProvider(path.join(env.DATA_PATH, "user-data.json"));
+  }
+  async getProfile(ctx, userId) {
+    assertCanAccess$1(ctx, userId);
+    const u = await this.data.findById(userId);
+    return u ? toProfile(u) : null;
+  }
+  async getProfiles(_ctx, userIds) {
+    const all = await this.data.listAll();
+    const wanted = new Set(userIds);
+    return all.filter((u) => wanted.has(u.userId)).map(toProfile);
+  }
+  async updateProfile(ctx, userId, patch) {
+    assertCanAccess$1(ctx, userId);
+    try {
+      if (patch.displayName !== void 0) {
+        await this.data.updateDisplayName(userId, patch.displayName);
+      }
+      return "ok";
+    } catch (err) {
+      if (err instanceof ProviderError && err.statusCode === 404) return "not_found";
+      throw err;
+    }
+  }
+  async starDefinition(ctx, userId, definitionId) {
+    assertCanAccess$1(ctx, userId);
+    try {
+      await this.data.starDefinition(userId, definitionId);
+      return "ok";
+    } catch (err) {
+      if (err instanceof ProviderError && err.statusCode === 404) return "not_found";
+      throw err;
+    }
+  }
+  async unstarDefinition(ctx, userId, definitionId) {
+    assertCanAccess$1(ctx, userId);
+    try {
+      await this.data.unstarDefinition(userId, definitionId);
+      return "ok";
+    } catch (err) {
+      if (err instanceof ProviderError && err.statusCode === 404) return "not_found";
+      throw err;
+    }
+  }
+  async recordRun(ctx, userId, run) {
+    assertCanAccess$1(ctx, userId);
+    try {
+      await this.data.recordRun(userId, run);
+      return "ok";
+    } catch (err) {
+      if (err instanceof ProviderError && err.statusCode === 404) return "not_found";
+      throw err;
+    }
+  }
+}
+function assertCanAccess$1(ctx, userId) {
+  if (ctx.system) return;
+  if (ctx.userId === userId) return;
+  if (hasPermission(ctx, "instance_admin")) return;
+  throw new ProviderError("Forbidden: cannot access another user’s profile", 403);
+}
+class LocalPlatformPermissionStore {
+  data;
+  static fromEnv(env) {
+    if (!env.DATA_PATH) throw new Error("Missing required env var: DATA_PATH");
+    return new LocalPlatformPermissionStore(path.join(env.DATA_PATH, "user-data.json"));
+  }
+  constructor(userDataFilePath) {
+    this.data = createLocalUserDataStore(userDataFilePath);
+  }
+  async getFor(ctx, userId) {
+    assertCanRead$1(ctx, userId);
+    const row = await this.data.findById(userId);
+    return row?.platformPermissions ?? [];
+  }
+  async getForBatch(ctx, userIds) {
+    assertCanReadBatch(ctx);
+    const all = await this.data.listAll();
+    const wanted = new Set(userIds);
+    const out = /* @__PURE__ */ new Map();
+    for (const u of all) {
+      if (wanted.has(u.userId)) out.set(u.userId, u.platformPermissions ?? []);
+    }
+    return out;
+  }
+  async set(ctx, userId, permissions) {
+    assertAdmin$1(ctx);
+    const target = await this.data.findById(userId);
+    if (!target) return "not_found";
+    const wasAdmin = target.platformPermissions.includes("instance_admin");
+    const willBeAdmin = permissions.includes("instance_admin");
+    if (wasAdmin && !willBeAdmin) {
+      const others = await this.countOtherAdmins(userId);
+      if (others === 0) return "last_admin";
+    }
+    try {
+      await this.data.updatePermissions(userId, [...permissions]);
+      return "ok";
+    } catch (err) {
+      if (err instanceof ProviderError && err.statusCode === 404) return "not_found";
+      throw err;
+    }
+  }
+  async hasInstanceAdmin(_ctx) {
+    const all = await this.data.listAll();
+    return all.some((u) => u.platformPermissions.includes("instance_admin"));
+  }
+  async countInstanceAdminsExcluding(_ctx, excludeUserId) {
+    return this.countOtherAdmins(excludeUserId);
+  }
+  async countOtherAdmins(excludeUserId) {
+    const all = await this.data.listAll();
+    return all.filter(
+      (u) => u.userId !== excludeUserId && u.platformPermissions.includes("instance_admin")
+    ).length;
+  }
+}
+function assertCanRead$1(ctx, userId) {
+  if (ctx.system) return;
+  if (ctx.userId === userId) return;
+  if (hasPermission(ctx, "instance_admin")) return;
+  throw new ProviderError("Forbidden: cannot read another user’s permissions", 403);
+}
+function assertAdmin$1(ctx) {
+  if (ctx.system) return;
+  if (hasPermission(ctx, "instance_admin")) return;
+  throw new ProviderError("Forbidden: instance admin required", 403);
+}
+function assertCanReadBatch(ctx) {
+  if (ctx.system) return;
+  if (hasPermission(ctx, "instance_admin")) return;
+  if (hasPermission(ctx, "manage_instance_users")) return;
+  throw new ProviderError("Forbidden: instance admin or manage_instance_users required", 403);
+}
+class LocalDataProvider {
+  orgs;
+  projects;
+  definitions;
+  computeServer;
+  invites;
+  shareLinks;
+  userProfile;
+  permissions;
+  platformProjectGrants;
+  userData;
+  constructor(stores, userData) {
+    this.orgs = stores.orgs;
+    this.projects = stores.projects;
+    this.definitions = stores.definitions;
+    this.computeServer = stores.computeServer;
+    this.invites = stores.invites;
+    this.shareLinks = stores.shareLinks;
+    this.userProfile = stores.userProfile;
+    this.permissions = stores.permissions;
+    this.platformProjectGrants = stores.platformProjectGrants;
+    this.userData = userData;
+  }
+  /**
+   * Idempotently register a user in the data layer. Called from
+   * `hooks.server.ts` on every authed request — the local equivalent of
+   * Supabase's `handle_new_auth_user` trigger. After this completes the
+   * user has an empty row in `user-data.json` that the permissions and
+   * profile stores can read and update.
+   *
+   * `ctx` is unused — registration runs as a system operation regardless of
+   * the calling user. Argument is kept for interface symmetry with adapters
+   * that need it.
+   */
+  async ensureUser(_ctx, userId) {
+    await this.userData.ensure(userId);
+  }
+  /**
+   * Cascade hook called after the auth provider deletes a user. Removes the
+   * matching `user-data.json` row so the data layer doesn't accumulate
+   * orphans. Tolerates missing rows.
+   */
+  async onUserDeleted(_ctx, userId) {
+    try {
+      await this.userData.deleteUser(userId);
+    } catch {
+    }
+  }
+  static fromEnv(env, events = new NoopEventSink()) {
+    if (!env.DATA_PATH) throw new Error("Missing required env var: DATA_PATH");
+    const dataPath = env.DATA_PATH;
+    const userDataFilePath = path.join(dataPath, "user-data.json");
+    const loader = new LocalOrgStoreLoader(dataPath);
+    const platformProjectGrants = LocalPlatformProjectGrantStore.fromEnv(env);
+    const invites = LocalInviteStore.fromEnv(env, events);
+    const computeServer = LocalComputeServerStore.fromEnv(env);
+    const projects = new LocalProjectStore({ loader, grants: platformProjectGrants, events });
+    const definitions = new LocalDefinitionStore(dataPath, void 0, events);
+    const shareLinks = new LocalShareLinkStore({
+      filePath: path.join(dataPath, "share-links.json"),
+      events
+    });
+    const orgs = new LocalOrgStore({
+      loader,
+      invites,
+      computeServer,
+      grants: platformProjectGrants,
+      events
+    });
+    definitions.setProjectProvider(projects);
+    shareLinks.setDefinitionProvider(definitions);
+    const userData = createLocalUserDataStore(userDataFilePath);
+    return new LocalDataProvider(
+      {
+        orgs,
+        projects,
+        definitions,
+        computeServer,
+        invites,
+        shareLinks,
+        userProfile: new LocalUserProfileProvider(userDataFilePath),
+        permissions: new LocalPlatformPermissionStore(userDataFilePath),
+        platformProjectGrants
+      },
+      userData
+    );
+  }
+}
+class LocalStorageProvider {
+  basePath;
+  publicUrlBase;
+  static fromEnv(env) {
+    if (!env.DATA_PATH) throw new Error("Missing required env var: DATA_PATH");
+    return new LocalStorageProvider(env.DATA_PATH, "/api/files");
+  }
+  constructor(basePath, publicUrlBase = "/api/files") {
+    this.basePath = basePath;
+    this.publicUrlBase = publicUrlBase;
+  }
+  /**
+   * Resolve a caller-provided path under basePath, rejecting anything that
+   * would escape the root. Last line of defense against traversal — while
+   * platform-side helpers (definitionPaths) also assert safe keys, this
+   * adapter is reached by any IStorageProvider caller.
+   */
+  resolvePath(storagePath) {
+    const base = path.resolve(this.basePath);
+    const full = path.resolve(base, storagePath);
+    if (full !== base && !full.startsWith(base + path.sep)) {
+      throw new Error(`Path escapes base: ${storagePath}`);
+    }
+    return full;
+  }
+  async get(storagePath) {
+    try {
+      const buffer = await fs.readFile(this.resolvePath(storagePath));
+      return new Uint8Array(buffer);
+    } catch (err) {
+      if (err.code === "ENOENT") return null;
+      throw err;
+    }
+  }
+  async put(storagePath, data, contentType) {
+    const transcoded = await transcodeImageIfNeeded(data, contentType, storagePath);
+    const fullPath = this.resolvePath(transcoded.path);
+    await fs.mkdir(path.dirname(fullPath), { recursive: true });
+    await fs.writeFile(fullPath, Buffer.from(transcoded.data));
+  }
+  async delete(storagePath) {
+    try {
+      await fs.unlink(this.resolvePath(storagePath));
+    } catch (err) {
+      if (err.code !== "ENOENT") throw err;
+    }
+  }
+  async deletePrefix(prefix) {
+    const fullPath = this.resolvePath(prefix);
+    await fs.rm(fullPath, { recursive: true, force: true });
+  }
+  getPublicUrl(storagePath) {
+    return `${this.publicUrlBase}/${storagePath}`;
+  }
+}
+class SupabaseStorageProvider {
+  client;
+  publicBucket;
+  privateBucket;
+  publicBaseUrl;
+  privateUrlPrefix;
+  static fromEnv(env) {
+    const supabaseUrl = env.SUPABASE_URL;
+    const serviceRoleKey = env.SUPABASE_SERVICE_ROLE_KEY;
+    if (!supabaseUrl) throw new Error("Missing required env var: SUPABASE_URL");
+    if (!serviceRoleKey) throw new Error("Missing required env var: SUPABASE_SERVICE_ROLE_KEY");
+    return new SupabaseStorageProvider({
+      supabaseUrl,
+      serviceRoleKey,
+      publicBucket: env.SUPABASE_PUBLIC_BUCKET,
+      privateBucket: env.SUPABASE_PRIVATE_BUCKET,
+      privateUrlPrefix: env.SUPABASE_PRIVATE_URL_PREFIX
+    });
+  }
+  constructor(config) {
+    this.client = createClient(config.supabaseUrl, config.serviceRoleKey, {
+      auth: { persistSession: false, autoRefreshToken: false }
+    });
+    this.publicBucket = config.publicBucket ?? "selva-public";
+    this.privateBucket = config.privateBucket ?? "selva-private";
+    this.publicBaseUrl = `${config.supabaseUrl.replace(/\/$/, "")}/storage/v1/object/public/${this.publicBucket}`;
+    this.privateUrlPrefix = (config.privateUrlPrefix ?? "/api/files").replace(/\/$/, "");
+  }
+  /**
+   * Route a storage path to a bucket. Any `.gh`/`.ghx` source file is
+   * private — confidentiality is determined by extension, not location, so
+   * a path-scheme rename (e.g. `definition.gh` → `versions/v1.gh`) can't
+   * silently move source files into the public bucket. Everything else
+   * (covers, archives, thumbnails) is public.
+   */
+  bucketFor(storagePath) {
+    return /\.(gh|ghx)$/i.test(storagePath) ? this.privateBucket : this.publicBucket;
+  }
+  async get(storagePath) {
+    const bucket = this.bucketFor(storagePath);
+    const { data, error } = await this.client.storage.from(bucket).download(storagePath);
+    if (error) {
+      const msg = error.message ?? "";
+      if (/not found/i.test(msg) || /no such key/i.test(msg)) return null;
+      throw error;
+    }
+    const buffer = await data.arrayBuffer();
+    return new Uint8Array(buffer);
+  }
+  async put(storagePath, data, contentType) {
+    const transcoded = await transcodeImageIfNeeded(data, contentType, storagePath);
+    const bucket = this.bucketFor(transcoded.path);
+    const { error } = await this.client.storage.from(bucket).upload(transcoded.path, transcoded.data, {
+      contentType: transcoded.contentType,
+      upsert: true
+    });
+    if (error) throw error;
+  }
+  async delete(storagePath) {
+    const bucket = this.bucketFor(storagePath);
+    const { error } = await this.client.storage.from(bucket).remove([storagePath]);
+    if (error) throw error;
+  }
+  async deletePrefix(prefix) {
+    await Promise.all([
+      this.deletePrefixInBucket(this.publicBucket, prefix),
+      this.deletePrefixInBucket(this.privateBucket, prefix)
+    ]);
+  }
+  async deletePrefixInBucket(bucket, prefix) {
+    const normalized = prefix.replace(/\/+$/, "");
+    const keys = await this.listAllKeys(bucket, normalized);
+    if (keys.length === 0) return;
+    for (let i = 0; i < keys.length; i += 1e3) {
+      const slice = keys.slice(i, i + 1e3);
+      const { error } = await this.client.storage.from(bucket).remove(slice);
+      if (error) throw error;
+    }
+  }
+  /**
+   * Recursively list every key under a prefix. `storage-js`'s `list` API
+   * only returns the immediate children of a "folder", so we DFS.
+   */
+  async listAllKeys(bucket, prefix) {
+    const out = [];
+    const stack = [prefix];
+    while (stack.length > 0) {
+      const dir = stack.pop();
+      const { data, error } = await this.client.storage.from(bucket).list(dir, {
+        limit: 1e3,
+        sortBy: { column: "name", order: "asc" }
+      });
+      if (error) throw error;
+      for (const entry of data ?? []) {
+        const full = dir ? `${dir}/${entry.name}` : entry.name;
+        if (entry.id === null) {
+          stack.push(full);
+        } else {
+          out.push(full);
+        }
+      }
+    }
+    return out;
+  }
+  getPublicUrl(storagePath) {
+    if (this.bucketFor(storagePath) === this.publicBucket) {
+      return `${this.publicBaseUrl}/${storagePath}`;
+    }
+    return `${this.privateUrlPrefix}/${storagePath}`;
+  }
+}
+function decodeCursor(cursor) {
+  if (!cursor) return 0;
+  const n = parseInt(cursor, 10);
+  return Number.isFinite(n) && n >= 0 ? n : 0;
+}
+function encodeCursor(offset) {
+  return String(offset);
+}
+function toRange(opts) {
+  const limit = Math.min(Math.max(opts?.limit ?? DEFAULT_PAGE_LIMIT, 1), MAX_PAGE_LIMIT);
+  const from = decodeCursor(opts?.cursor);
+  return { from, to: from + limit - 1, limit };
+}
+function nextCursorFromRange(range, returnedCount, totalCount) {
+  const consumed = range.from + returnedCount;
+  if (totalCount != null) {
+    return consumed < totalCount ? encodeCursor(consumed) : void 0;
+  }
+  return returnedCount >= range.limit ? encodeCursor(consumed) : void 0;
+}
+function orderColumn(orderBy) {
+  switch (orderBy) {
+    case "name":
+      return "name";
+    case "updatedAt":
+      return "updated_at";
+    case "createdAt":
+    default:
+      return "created_at";
+  }
+}
+class SupabaseOrgStore {
+  constructor(clients, events = new NoopEventSink()) {
+    this.clients = clients;
+    this.events = events;
+  }
+  clients;
+  events;
+  async listOrgs(ctx, opts) {
+    const range = toRange(opts);
+    const direction = opts?.orderDir ?? "desc";
+    const { data, error, count } = await this.clients.forRequest(ctx).from("orgs").select("*", { count: "exact" }).is("deleted_at", null).order(orderColumn(opts?.orderBy), { ascending: direction === "asc" }).range(range.from, range.to);
+    if (error) throw mapError$7(error);
+    const items = (data ?? []).map(rowToOrg);
+    return { items, nextCursor: nextCursorFromRange(range, items.length, count) };
+  }
+  async getOrg(ctx, id) {
+    const { data, error } = await this.clients.forRequest(ctx).from("orgs").select("*").eq("id", id).is("deleted_at", null).maybeSingle();
+    if (error) throw mapError$7(error);
+    return data ? rowToOrg(data) : null;
+  }
+  async getOrgBySlug(ctx, slug) {
+    const { data, error } = await this.clients.forRequest(ctx).from("orgs").select("*").eq("slug", slug).is("deleted_at", null).maybeSingle();
+    if (error) throw mapError$7(error);
+    return data ? rowToOrg(data) : null;
+  }
+  async createOrg(ctx, org) {
+    const client = this.clients.forRequest(ctx);
+    const { error } = await client.from("orgs").insert(orgToRow(org));
+    if (error) throw mapError$7(error);
+    const { error: memberError } = await client.from("org_members").upsert(
+      {
+        org_id: org.id,
+        user_id: org.ownerId,
+        role: "owner",
+        permissions: [...DEFAULT_ORG_PERMISSIONS.owner],
+        joined_at: (/* @__PURE__ */ new Date()).toISOString(),
+        deleted_at: null
+      },
+      { onConflict: "org_id,user_id" }
+    );
+    if (memberError) throw mapError$7(memberError);
+    await this.events.emit({ type: "org.created", orgId: org.id, actorId: actorFrom(ctx) });
+  }
+  async updateOrg(ctx, id, patch) {
+    const row = {};
+    if (patch.name !== void 0) row.name = patch.name;
+    if (patch.slug !== void 0) row.slug = patch.slug;
+    if (Object.keys(row).length === 0) return;
+    if (ctx.userId) row.updated_by = ctx.userId;
+    const { error, data } = await this.clients.forRequest(ctx).from("orgs").update(row).eq("id", id).is("deleted_at", null).select("id");
+    if (error) throw mapError$7(error);
+    if (!data || data.length === 0) throw new ProviderError(`Org '${id}' not found`, 404);
+  }
+  async deleteOrg(ctx, id) {
+    const client = this.clients.forRequest(ctx);
+    const stamp = auditSoftDelete(ctx, ctx.userId);
+    const stampRow = stampToRow$1(stamp);
+    const { error: orgErr, data: orgData } = await client.from("orgs").update(stampRow).eq("id", id).is("deleted_at", null).select("id");
+    if (orgErr) throw mapError$7(orgErr);
+    if (!orgData || orgData.length === 0) throw new ProviderError(`Org '${id}' not found`, 404);
+    const { error: omErr } = await client.from("org_members").update(stampRow).eq("org_id", id).is("deleted_at", null);
+    if (omErr) throw mapError$7(omErr);
+    const { data: orgProjects, error: projFetchErr } = await client.from("projects").select("id").eq("org_id", id).is("deleted_at", null);
+    if (projFetchErr) throw mapError$7(projFetchErr);
+    const projectIds = (orgProjects ?? []).map((p) => p.id);
+    const { error: projErr } = await client.from("projects").update(stampRow).eq("org_id", id).is("deleted_at", null);
+    if (projErr) throw mapError$7(projErr);
+    if (projectIds.length > 0) {
+      const { error: pmErr } = await client.from("project_members").update(stampRow).in("project_id", projectIds).is("deleted_at", null);
+      if (pmErr) throw mapError$7(pmErr);
+      const { error: defErr } = await client.from("definitions").update(stampRow).in("project_id", projectIds).is("deleted_at", null);
+      if (defErr) throw mapError$7(defErr);
+    }
+    const { error: invErr } = await client.from("invites").delete().eq("org_id", id);
+    if (invErr) throw mapError$7(invErr);
+    const { error: cdErr } = await client.from("compute_server_org_defaults").delete().eq("org_id", id);
+    if (cdErr) throw mapError$7(cdErr);
+    const { error: shErr } = await client.from("compute_server_shares").delete().eq("org_id", id);
+    if (shErr) throw mapError$7(shErr);
+    const { error: csErr } = await client.from("compute_servers").delete().eq("scope", "org").eq("owner_org_id", id);
+    if (csErr) throw mapError$7(csErr);
+    await this.events.emit({ type: "org.deleted", orgId: id, actorId: actorFrom(ctx) });
+  }
+  // ============================================================================
+  // Org members
+  // ============================================================================
+  async listOrgMembers(ctx, orgId, opts) {
+    const range = toRange(opts);
+    const { data, error, count } = await this.clients.forRequest(ctx).from("org_members").select("*", { count: "exact" }).eq("org_id", orgId).is("deleted_at", null).order("joined_at", { ascending: (opts?.orderDir ?? "desc") === "asc" }).range(range.from, range.to);
+    if (error) throw mapError$7(error);
+    const items = (data ?? []).map(rowToOrgMember);
+    return { items, nextCursor: nextCursorFromRange(range, items.length, count) };
+  }
+  async getOrgMember(ctx, orgId, userId) {
+    const { data, error } = await this.clients.forRequest(ctx).from("org_members").select("*").eq("org_id", orgId).eq("user_id", userId).is("deleted_at", null).maybeSingle();
+    if (error) throw mapError$7(error);
+    return data ? rowToOrgMember(data) : null;
+  }
+  async findUserMembership(ctx, userId) {
+    const { data, error } = await this.clients.forRequest(ctx).from("org_members").select("*, org:orgs!inner(*)").eq("user_id", userId).is("deleted_at", null).is("org.deleted_at", null).order("joined_at", { ascending: true }).limit(1).maybeSingle();
+    if (error) throw mapError$7(error);
+    if (!data) return null;
+    const row = data;
+    const orgRow = Array.isArray(row.org) ? row.org[0] : row.org;
+    if (!orgRow) return null;
+    const { org: _omit, ...memberRow } = row;
+    return {
+      org: rowToOrg(orgRow),
+      member: rowToOrgMember(memberRow)
+    };
+  }
+  async addOrgMember(ctx, member) {
+    const row = {
+      ...memberToRow(member),
+      deleted_at: null
+    };
+    if (ctx.userId) row.updated_by = ctx.userId;
+    const { error } = await this.clients.forRequest(ctx).from("org_members").upsert(row, { onConflict: "org_id,user_id" });
+    if (error) throw mapError$7(error);
+    await this.events.emit({
+      type: "org_member.added",
+      orgId: member.orgId,
+      userId: member.userId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async updateOrgMemberRole(ctx, orgId, userId, role) {
+    const row = {
+      role,
+      permissions: [...DEFAULT_ORG_PERMISSIONS[role]]
+    };
+    if (ctx.userId) row.updated_by = ctx.userId;
+    const { data, error } = await this.clients.forRequest(ctx).from("org_members").update(row).eq("org_id", orgId).eq("user_id", userId).is("deleted_at", null).select("user_id");
+    if (error) throw mapError$7(error);
+    if (!data || data.length === 0)
+      throw new ProviderError(`Org member '${userId}' not found`, 404);
+    await this.events.emit({
+      type: "org_member.role_changed",
+      orgId,
+      userId,
+      role,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async updateOrgMemberPermissions(ctx, orgId, userId, permissions) {
+    const row = { permissions: [...permissions] };
+    if (ctx.userId) row.updated_by = ctx.userId;
+    const { data, error } = await this.clients.forRequest(ctx).from("org_members").update(row).eq("org_id", orgId).eq("user_id", userId).is("deleted_at", null).select("user_id");
+    if (error) throw mapError$7(error);
+    if (!data || data.length === 0)
+      throw new ProviderError(`Org member '${userId}' not found`, 404);
+    await this.events.emit({
+      type: "org_member.permissions_changed",
+      orgId,
+      userId,
+      permissions: [...permissions],
+      actorId: actorFrom(ctx)
+    });
+  }
+  async removeOrgMember(ctx, orgId, userId) {
+    const client = this.clients.forRequest(ctx);
+    const stamp = auditSoftDelete(ctx, ctx.userId);
+    const stampRow = stampToRow$1(stamp);
+    const { data: orgProjects, error: projError } = await client.from("projects").select("id").eq("org_id", orgId).is("deleted_at", null);
+    if (projError) throw mapError$7(projError);
+    const projectIds = (orgProjects ?? []).map((p) => p.id);
+    if (projectIds.length > 0) {
+      const { error: pmError } = await client.from("project_members").update(stampRow).in("project_id", projectIds).eq("user_id", userId).is("deleted_at", null);
+      if (pmError) throw mapError$7(pmError);
+    }
+    const { error } = await client.from("org_members").update(stampRow).eq("org_id", orgId).eq("user_id", userId).is("deleted_at", null);
+    if (error) throw mapError$7(error);
+    await this.events.emit({
+      type: "org_member.removed",
+      orgId,
+      userId,
+      actorId: actorFrom(ctx)
+    });
+  }
+}
+function stampToRow$1(stamp) {
+  const row = {
+    deleted_at: stamp.deletedAt,
+    updated_at: stamp.updatedAt
+  };
+  if (stamp.updatedBy) row.updated_by = stamp.updatedBy;
+  return row;
+}
+function rowToOrg(row) {
+  return {
+    id: row.id,
+    name: row.name,
+    slug: row.slug,
+    ownerId: row.owner_id,
+    createdBy: row.created_by ?? row.owner_id,
+    updatedBy: row.updated_by ?? row.owner_id,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+    deletedAt: row.deleted_at ?? null
+  };
+}
+function orgToRow(org) {
+  return {
+    id: org.id,
+    name: org.name,
+    slug: org.slug,
+    owner_id: org.ownerId,
+    created_by: org.createdBy,
+    updated_by: org.updatedBy,
+    created_at: org.createdAt,
+    updated_at: org.updatedAt,
+    deleted_at: org.deletedAt ?? null
+  };
+}
+function rowToOrgMember(row) {
+  return {
+    orgId: row.org_id,
+    userId: row.user_id,
+    role: row.role,
+    permissions: row.permissions ?? [],
+    joinedAt: row.joined_at,
+    updatedAt: row.updated_at ?? row.joined_at,
+    updatedBy: row.updated_by ?? row.user_id,
+    deletedAt: row.deleted_at ?? null
+  };
+}
+function memberToRow(m) {
+  return {
+    org_id: m.orgId,
+    user_id: m.userId,
+    role: m.role,
+    permissions: m.permissions ?? [],
+    joined_at: m.joinedAt
+  };
+}
+function mapError$7(e) {
+  const pg = e;
+  if (pg?.code === "23505") {
+    return new ProviderError(pg.message ?? "Duplicate record", 409);
+  }
+  if (pg?.code === "23503") {
+    return new ProviderError(pg.message ?? "Foreign key violation", 409);
+  }
+  if (e instanceof Error) return e;
+  if (e && typeof e === "object") {
+    const obj = e;
+    const msg = obj.message ?? obj.details ?? obj.hint ?? "Unknown Postgres error";
+    const err = new Error(obj.code ? `[${obj.code}] ${msg}` : msg);
+    Object.assign(err, obj);
+    return err;
+  }
+  return new Error(String(e));
+}
+class SupabaseProjectStore {
+  constructor(clients, events = new NoopEventSink()) {
+    this.clients = clients;
+    this.events = events;
+  }
+  clients;
+  events;
+  async listProjects(ctx, orgId, opts) {
+    const range = toRange(opts);
+    const direction = opts?.orderDir ?? "desc";
+    const { data, error, count } = await this.clients.forRequest(ctx).from("projects").select("*", { count: "exact" }).eq("org_id", orgId).is("deleted_at", null).order(orderColumn(opts?.orderBy), { ascending: direction === "asc" }).range(range.from, range.to);
+    if (error) throw mapError$6(error);
+    const items = (data ?? []).map(rowToProject);
+    return { items, nextCursor: nextCursorFromRange(range, items.length, count) };
+  }
+  async getProject(ctx, id) {
+    const { data, error } = await this.clients.forRequest(ctx).from("projects").select("*").eq("id", id).is("deleted_at", null).maybeSingle();
+    if (error) throw mapError$6(error);
+    return data ? rowToProject(data) : null;
+  }
+  async getProjectBySlug(ctx, orgId, slug) {
+    const { data, error } = await this.clients.forRequest(ctx).from("projects").select("*").eq("org_id", orgId).eq("slug", slug).is("deleted_at", null).maybeSingle();
+    if (error) throw mapError$6(error);
+    return data ? rowToProject(data) : null;
+  }
+  async createProject(ctx, project) {
+    const client = this.clients.forRequest(ctx);
+    const { error } = await client.from("projects").insert(projectToRow(project));
+    if (error) throw mapError$6(error);
+    const { error: memberError } = await client.from("project_members").upsert(
+      {
+        project_id: project.id,
+        user_id: project.ownerId,
+        role: "owner",
+        joined_at: (/* @__PURE__ */ new Date()).toISOString(),
+        deleted_at: null
+      },
+      { onConflict: "project_id,user_id" }
+    );
+    if (memberError) throw mapError$6(memberError);
+    await this.events.emit({
+      type: "project.created",
+      projectId: project.id,
+      orgId: project.orgId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async updateProject(ctx, id, patch) {
+    const row = {};
+    if (patch.name !== void 0) row.name = patch.name;
+    if (patch.slug !== void 0) row.slug = patch.slug;
+    if (patch.description !== void 0) row.description = patch.description;
+    if (patch.visibility !== void 0) row.visibility = patch.visibility;
+    if (patch.autoJoinOnUpload !== void 0) row.auto_join_on_upload = patch.autoJoinOnUpload;
+    if (Object.keys(row).length === 0) return;
+    if (ctx.userId) row.updated_by = ctx.userId;
+    const { data, error } = await this.clients.forRequest(ctx).from("projects").update(row).eq("id", id).is("deleted_at", null).select("id");
+    if (error) throw mapError$6(error);
+    if (!data || data.length === 0) throw new ProviderError(`Project '${id}' not found`, 404);
+  }
+  async deleteProject(ctx, id) {
+    const client = this.clients.forRequest(ctx);
+    const stamp = auditSoftDelete(ctx, ctx.userId);
+    const stampRow = stampToRow(stamp);
+    const { data, error } = await client.from("projects").update(stampRow).eq("id", id).is("deleted_at", null).select("id");
+    if (error) throw mapError$6(error);
+    if (!data || data.length === 0) throw new ProviderError(`Project '${id}' not found`, 404);
+    const { error: pmErr } = await client.from("project_members").update(stampRow).eq("project_id", id).is("deleted_at", null);
+    if (pmErr) throw mapError$6(pmErr);
+    const { error: defErr } = await client.from("definitions").update(stampRow).eq("project_id", id).is("deleted_at", null);
+    if (defErr) throw mapError$6(defErr);
+    await this.events.emit({ type: "project.deleted", projectId: id, actorId: actorFrom(ctx) });
+  }
+  async reactivateProject(ctx, orgId, slug) {
+    const client = this.clients.forRequest(ctx);
+    const { data, error } = await client.from("projects").update({ deleted_at: null }).eq("org_id", orgId).eq("slug", slug).not("deleted_at", "is", null).select("*").maybeSingle();
+    if (error) throw mapError$6(error);
+    if (!data) return null;
+    const { error: pmErr } = await client.from("project_members").update({ deleted_at: null }).eq("project_id", data.id).eq("user_id", data.owner_id).not("deleted_at", "is", null);
+    if (pmErr) throw mapError$6(pmErr);
+    const project = rowToProject(data);
+    await this.events.emit({
+      type: "project.created",
+      projectId: project.id,
+      orgId: project.orgId,
+      actorId: actorFrom(ctx)
+    });
+    return project;
+  }
+  // ============================================================================
+  // Project members
+  // ============================================================================
+  async listProjectMembers(ctx, projectId, opts) {
+    const range = toRange(opts);
+    const { data, error, count } = await this.clients.forRequest(ctx).from("project_members").select("*", { count: "exact" }).eq("project_id", projectId).is("deleted_at", null).order("joined_at", { ascending: (opts?.orderDir ?? "desc") === "asc" }).range(range.from, range.to);
+    if (error) throw mapError$6(error);
+    const items = (data ?? []).map(rowToProjectMember);
+    return { items, nextCursor: nextCursorFromRange(range, items.length, count) };
+  }
+  async getProjectMember(ctx, projectId, userId) {
+    const { data, error } = await this.clients.forRequest(ctx).from("project_members").select("*").eq("project_id", projectId).eq("user_id", userId).is("deleted_at", null).maybeSingle();
+    if (error) throw mapError$6(error);
+    return data ? rowToProjectMember(data) : null;
+  }
+  async addProjectMember(ctx, member) {
+    const row = {
+      ...projectMemberToRow(member),
+      deleted_at: null
+    };
+    if (ctx.userId) row.updated_by = ctx.userId;
+    const { error } = await this.clients.forRequest(ctx).from("project_members").upsert(row, { onConflict: "project_id,user_id" });
+    if (error) throw mapError$6(error);
+    await this.events.emit({
+      type: "project_member.added",
+      projectId: member.projectId,
+      userId: member.userId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async updateProjectMemberRole(ctx, projectId, userId, role) {
+    const row = { role };
+    if (ctx.userId) row.updated_by = ctx.userId;
+    const { data, error } = await this.clients.forRequest(ctx).from("project_members").update(row).eq("project_id", projectId).eq("user_id", userId).is("deleted_at", null).select("user_id");
+    if (error) throw mapError$6(error);
+    if (!data || data.length === 0)
+      throw new ProviderError(`Project member '${userId}' not found`, 404);
+    await this.events.emit({
+      type: "project_member.role_changed",
+      projectId,
+      userId,
+      role,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async removeProjectMember(ctx, projectId, userId) {
+    const stamp = auditSoftDelete(ctx, ctx.userId);
+    const { error } = await this.clients.forRequest(ctx).from("project_members").update(stampToRow(stamp)).eq("project_id", projectId).eq("user_id", userId).is("deleted_at", null);
+    if (error) throw mapError$6(error);
+    await this.events.emit({
+      type: "project_member.removed",
+      projectId,
+      userId,
+      actorId: actorFrom(ctx)
+    });
+  }
+}
+function rowToProject(row) {
+  return {
+    id: row.id,
+    orgId: row.org_id,
+    name: row.name,
+    slug: row.slug,
+    description: row.description ?? void 0,
+    visibility: row.visibility,
+    ownerId: row.owner_id,
+    createdBy: row.created_by ?? row.owner_id,
+    updatedBy: row.updated_by ?? row.owner_id,
+    autoJoinOnUpload: row.auto_join_on_upload ?? false,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+    deletedAt: row.deleted_at ?? null
+  };
+}
+function projectToRow(p) {
+  return {
+    id: p.id,
+    org_id: p.orgId,
+    name: p.name,
+    slug: p.slug,
+    description: p.description ?? null,
+    visibility: p.visibility,
+    owner_id: p.ownerId,
+    created_by: p.createdBy,
+    updated_by: p.updatedBy,
+    auto_join_on_upload: p.autoJoinOnUpload,
+    created_at: p.createdAt,
+    updated_at: p.updatedAt,
+    deleted_at: p.deletedAt ?? null
+  };
+}
+function rowToProjectMember(row) {
+  return {
+    projectId: row.project_id,
+    userId: row.user_id,
+    role: row.role,
+    joinedAt: row.joined_at,
+    updatedAt: row.updated_at ?? row.joined_at,
+    updatedBy: row.updated_by ?? row.user_id,
+    deletedAt: row.deleted_at ?? null
+  };
+}
+function projectMemberToRow(m) {
+  return {
+    project_id: m.projectId,
+    user_id: m.userId,
+    role: m.role,
+    joined_at: m.joinedAt
+  };
+}
+function stampToRow(stamp) {
+  const row = {
+    deleted_at: stamp.deletedAt,
+    updated_at: stamp.updatedAt
+  };
+  if (stamp.updatedBy) row.updated_by = stamp.updatedBy;
+  return row;
+}
+function mapError$6(e) {
+  const pg = e;
+  if (pg?.code === "23505") return new ProviderError(pg.message ?? "Duplicate record", 409);
+  if (pg?.code === "23503") return new ProviderError(pg.message ?? "Foreign key violation", 409);
+  if (e instanceof Error) return e;
+  if (e && typeof e === "object") {
+    const obj = e;
+    const msg = obj.message ?? obj.details ?? obj.hint ?? "Unknown Postgres error";
+    const err = new Error(obj.code ? `[${obj.code}] ${msg}` : msg);
+    Object.assign(err, obj);
+    return err;
+  }
+  return new Error(String(e));
+}
+class SupabaseDefinitionStore {
+  constructor(clients, events = new NoopEventSink()) {
+    this.clients = clients;
+    this.events = events;
+  }
+  clients;
+  events;
+  // ============================================================================
+  // Definitions
+  // ============================================================================
+  async list(ctx, opts) {
+    return this.runList(ctx, void 0, opts);
+  }
+  async listByProject(ctx, projectId, opts) {
+    return this.runList(ctx, { projectId }, opts);
+  }
+  async listPublic(ctx, opts) {
+    return this.runList(ctx, { publicOnly: true, orgId: opts?.orgId }, opts);
+  }
+  async runList(ctx, filter, opts) {
+    const range = toRange(opts);
+    const direction = opts?.orderDir ?? "desc";
+    let query = this.clients.forRequest(ctx).from("definitions").select("*", { count: "exact" }).is("deleted_at", null);
+    if (filter?.projectId) query = query.eq("project_id", filter.projectId);
+    if (filter?.publicOnly) {
+      query = this.clients.forRequest(ctx).from("definitions").select("*, project:projects!inner(visibility, org_id)", {
+        count: "exact"
+      }).is("deleted_at", null).eq("project.visibility", "public");
+      if (filter.orgId) query = query.eq("project.org_id", filter.orgId);
+      if (filter.projectId) query = query.eq("project_id", filter.projectId);
+    }
+    if (opts?.statuses?.length) {
+      query = query.in("status", opts.statuses);
+    } else {
+      const excluded = [];
+      if (!opts?.includePending) excluded.push("pending");
+      if (!opts?.includeArchived) excluded.push("archived");
+      if (excluded.length) {
+        query = query.not("status", "in", `(${excluded.join(",")})`);
+      }
+    }
+    query = query.order(definitionOrderColumn(opts?.orderBy), { ascending: direction === "asc" }).range(range.from, range.to);
+    const { data, error, count } = await query;
+    if (error) throw mapError$5(error);
+    const items = (data ?? []).map(rowToRecord);
+    return { items, nextCursor: nextCursorFromRange(range, items.length, count) };
+  }
+  async get(ctx, guid) {
+    const { data, error } = await this.clients.forRequest(ctx).from("definitions").select("*").eq("guid", guid).is("deleted_at", null).maybeSingle();
+    if (error) throw mapError$5(error);
+    return data ? rowToRecord(data) : null;
+  }
+  async create(ctx, record) {
+    const { error } = await this.clients.forRequest(ctx).from("definitions").insert(recordToRow(record));
+    if (error) throw mapError$5(error);
+    await this.events.emit({
+      type: "definition.created",
+      definitionId: record.guid,
+      projectId: record.projectId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async update(ctx, guid, patch) {
+    const row = patchToRow(patch);
+    if (Object.keys(row).length === 0) return;
+    if (ctx.userId) row.updated_by = ctx.userId;
+    const { data, error } = await this.clients.forRequest(ctx).from("definitions").update(row).eq("guid", guid).is("deleted_at", null).select("guid");
+    if (error) throw mapError$5(error);
+    if (!data || data.length === 0) throw new ProviderError(`Definition '${guid}' not found`, 404);
+  }
+  async delete(ctx, guid) {
+    const stamp = auditSoftDelete(ctx, ctx.userId);
+    const row = {
+      deleted_at: stamp.deletedAt,
+      updated_at: stamp.updatedAt
+    };
+    if (stamp.updatedBy) row.updated_by = stamp.updatedBy;
+    const { error } = await this.clients.forRequest(ctx).from("definitions").update(row).eq("guid", guid).is("deleted_at", null);
+    if (error) throw mapError$5(error);
+    await this.events.emit({
+      type: "definition.deleted",
+      definitionId: guid,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async incrementSolveCount(ctx, guid) {
+    const { error } = await this.clients.forRequest(ctx).rpc("increment_run_count", { g: guid });
+    if (error) throw mapError$5(error);
+  }
+  // ============================================================================
+  // Versions (spec §6)
+  // ============================================================================
+  async createVersion(ctx, version) {
+    const { error } = await this.clients.forRequest(ctx).from("definition_versions").insert(versionToRow(version));
+    if (error) throw mapError$5(error);
+    await this.events.emit({
+      type: "definition_version.created",
+      versionId: version.id,
+      definitionId: version.definitionId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async listVersions(ctx, definitionId, opts) {
+    const range = toRange(opts);
+    const { data, error, count } = await this.clients.forRequest(ctx).from("definition_versions").select("*", { count: "exact" }).eq("definition_guid", definitionId).order("version_number", { ascending: false }).range(range.from, range.to);
+    if (error) throw mapError$5(error);
+    const items = (data ?? []).map(rowToVersion);
+    return { items, nextCursor: nextCursorFromRange(range, items.length, count) };
+  }
+  async getVersion(ctx, versionId) {
+    const { data, error } = await this.clients.forRequest(ctx).from("definition_versions").select("*").eq("id", versionId).maybeSingle();
+    if (error) throw mapError$5(error);
+    return data ? rowToVersion(data) : null;
+  }
+  async setVersionSchema(ctx, versionId, schema) {
+    const { error } = await this.clients.forRequest(ctx).from("definition_versions").update({ schema, schema_extracted_at: (/* @__PURE__ */ new Date()).toISOString() }).eq("id", versionId);
+    if (error) throw mapError$5(error);
+  }
+  async deleteVersion(ctx, versionId) {
+    const { error } = await this.clients.forRequest(ctx).from("definition_versions").delete().eq("id", versionId);
+    if (error) throw mapError$5(error);
+    await this.events.emit({
+      type: "definition_version.deleted",
+      versionId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async setLiveVersion(ctx, definitionId, versionId) {
+    await this.repointChannel(ctx, definitionId, versionId, "live_version_id");
+    await this.events.emit({
+      type: "definition.published",
+      definitionId,
+      versionId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async setDraftVersion(ctx, definitionId, versionId) {
+    await this.repointChannel(ctx, definitionId, versionId, "draft_version_id");
+  }
+  async attachInitialVersion(ctx, definitionId, versionId) {
+    const client = this.clients.forRequest(ctx);
+    const { data: version, error: vError } = await client.from("definition_versions").select("id, definition_guid").eq("id", versionId).maybeSingle();
+    if (vError) throw mapError$5(vError);
+    if (!version || version.definition_guid !== definitionId) {
+      throw new ProviderError(`Version '${versionId}' not found for this definition`, 404);
+    }
+    const row = {
+      live_version_id: versionId,
+      draft_version_id: versionId,
+      status: "draft"
+    };
+    if (ctx.userId) row.updated_by = ctx.userId;
+    const { data, error } = await client.from("definitions").update(row).eq("guid", definitionId).is("deleted_at", null).select("guid");
+    if (error) throw mapError$5(error);
+    if (!data || data.length === 0) {
+      throw new ProviderError(`Definition '${definitionId}' not found`, 404);
+    }
+  }
+  async repointChannel(ctx, definitionId, versionId, column) {
+    const client = this.clients.forRequest(ctx);
+    const { data: version, error: vError } = await client.from("definition_versions").select("id, definition_guid").eq("id", versionId).maybeSingle();
+    if (vError) throw mapError$5(vError);
+    if (!version || version.definition_guid !== definitionId) {
+      throw new ProviderError(`Version '${versionId}' not found for this definition`, 404);
+    }
+    const row = { [column]: versionId };
+    if (ctx.userId) row.updated_by = ctx.userId;
+    const { data, error } = await client.from("definitions").update(row).eq("guid", definitionId).is("deleted_at", null).select("guid");
+    if (error) throw mapError$5(error);
+    if (!data || data.length === 0) {
+      throw new ProviderError(`Definition '${definitionId}' not found`, 404);
+    }
+  }
+}
+function rowToRecord(row) {
+  return {
+    guid: row.guid,
+    projectId: row.project_id,
+    ownerId: row.owner_id,
+    createdBy: row.created_by ?? row.owner_id,
+    updatedBy: row.updated_by ?? row.owner_id,
+    liveVersionId: row.live_version_id,
+    draftVersionId: row.draft_version_id,
+    computeServerId: row.compute_server_id ?? void 0,
+    displayName: row.display_name,
+    description: row.description ?? void 0,
+    category: row.category ?? void 0,
+    tags: row.tags ?? void 0,
+    coverImage: row.cover_image ?? void 0,
+    status: row.status,
+    solveCount: typeof row.run_count === "string" ? Number(row.run_count) : row.run_count,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+    deletedAt: row.deleted_at ?? null
+  };
+}
+function recordToRow(r) {
+  const row = {
+    guid: r.guid,
+    project_id: r.projectId,
+    owner_id: r.ownerId,
+    created_by: r.createdBy,
+    updated_by: r.updatedBy,
+    live_version_id: r.liveVersionId,
+    draft_version_id: r.draftVersionId,
+    compute_server_id: r.computeServerId ?? null,
+    display_name: r.displayName,
+    description: r.description ?? null,
+    category: r.category ?? null,
+    cover_image: r.coverImage ?? null,
+    status: r.status,
+    run_count: r.solveCount,
+    created_at: r.createdAt,
+    updated_at: r.updatedAt,
+    deleted_at: r.deletedAt ?? null
+  };
+  if (r.tags !== void 0) row.tags = r.tags;
+  return row;
+}
+function patchToRow(patch) {
+  const row = {};
+  if (patch.displayName !== void 0) row.display_name = patch.displayName;
+  if (patch.description !== void 0) row.description = patch.description;
+  if (patch.category !== void 0) row.category = patch.category;
+  if (patch.tags !== void 0) row.tags = patch.tags;
+  if (patch.coverImage !== void 0) row.cover_image = patch.coverImage;
+  if (patch.projectId !== void 0) row.project_id = patch.projectId;
+  if (patch.computeServerId !== void 0) row.compute_server_id = patch.computeServerId;
+  if (patch.status !== void 0) row.status = patch.status;
+  if (patch.ownerId !== void 0) row.owner_id = patch.ownerId;
+  return row;
+}
+function rowToVersion(row) {
+  return {
+    id: row.id,
+    definitionId: row.definition_guid,
+    versionNumber: row.version_number,
+    fileExt: row.file_ext,
+    fileKey: row.file_key,
+    originalFilename: row.original_filename ?? void 0,
+    uploadedBy: row.uploaded_by,
+    uploadedAt: row.uploaded_at,
+    changeNote: row.change_note ?? void 0,
+    schema: row.schema ?? void 0,
+    schemaExtractedAt: row.schema_extracted_at ?? void 0
+  };
+}
+function versionToRow(v) {
+  const row = {
+    id: v.id,
+    definition_guid: v.definitionId,
+    version_number: v.versionNumber,
+    file_ext: v.fileExt,
+    file_key: v.fileKey,
+    original_filename: v.originalFilename ?? null,
+    uploaded_by: v.uploadedBy,
+    uploaded_at: v.uploadedAt
+  };
+  if (v.changeNote !== void 0) row.change_note = v.changeNote;
+  if (v.schema !== void 0) row.schema = v.schema;
+  if (v.schemaExtractedAt !== void 0) row.schema_extracted_at = v.schemaExtractedAt;
+  return row;
+}
+function definitionOrderColumn(orderBy) {
+  switch (orderBy) {
+    case "name":
+      return "display_name";
+    case "solveCount":
+      return "run_count";
+    case "updatedAt":
+      return "updated_at";
+    case "createdAt":
+    default:
+      return "created_at";
+  }
+}
+function mapError$5(e) {
+  const pg = e;
+  if (pg?.code === "23505") return new ProviderError(pg.message ?? "Duplicate record", 409);
+  if (pg?.code === "23503") return new ProviderError(pg.message ?? "Foreign key violation", 409);
+  if (e instanceof Error) return e;
+  if (e && typeof e === "object") {
+    const obj = e;
+    const msg = obj.message ?? obj.details ?? obj.hint ?? "Unknown Postgres error";
+    const err = new Error(obj.code ? `[${obj.code}] ${msg}` : msg);
+    Object.assign(err, obj);
+    return err;
+  }
+  return new Error(String(e));
+}
+class SupabaseInviteStore {
+  constructor(clients, events = new NoopEventSink()) {
+    this.clients = clients;
+    this.events = events;
+  }
+  clients;
+  events;
+  async create(ctx, invite) {
+    const { error } = await this.clients.forRequest(ctx).from("invites").insert(inviteToRow(invite));
+    if (error) throw mapError$4(error);
+    await this.events.emit({
+      type: "invite.created",
+      inviteId: invite.id,
+      orgId: invite.orgId,
+      email: invite.email,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async getByTokenHash(ctx, tokenHash) {
+    const { data, error } = await this.clients.forRequest(ctx).rpc("get_invite_by_token_hash", { h: tokenHash });
+    if (error) throw mapError$4(error);
+    const row = Array.isArray(data) ? data[0] : data;
+    return row ? rowToInvite(row) : null;
+  }
+  async listByOrg(ctx, orgId, opts) {
+    const range = toRange(opts);
+    const { data, error, count } = await this.clients.forRequest(ctx).from("invites").select("*", { count: "exact" }).eq("org_id", orgId).order("created_at", { ascending: (opts?.orderDir ?? "desc") === "asc" }).range(range.from, range.to);
+    if (error) throw mapError$4(error);
+    const items = (data ?? []).map(rowToInvite);
+    return { items, nextCursor: nextCursorFromRange(range, items.length, count) };
+  }
+  async markAccepted(ctx, id, userId) {
+    const { data, error } = await this.clients.forRequest(ctx).from("invites").update({ accepted_at: (/* @__PURE__ */ new Date()).toISOString(), accepted_by_user_id: userId }).eq("id", id).is("accepted_at", null).select("org_id");
+    if (error) throw mapError$4(error);
+    const row = data?.[0];
+    if (!row) return;
+    await this.events.emit({
+      type: "invite.accepted",
+      inviteId: id,
+      orgId: row.org_id,
+      userId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async revoke(ctx, id) {
+    const { data, error } = await this.clients.forRequest(ctx).from("invites").delete().eq("id", id).is("accepted_at", null).select("org_id");
+    if (error) throw mapError$4(error);
+    const row = data?.[0];
+    if (!row) return;
+    await this.events.emit({
+      type: "invite.revoked",
+      inviteId: id,
+      orgId: row.org_id,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async deleteByOrg(ctx, orgId) {
+    const { error } = await this.clients.forRequest(ctx).from("invites").delete().eq("org_id", orgId);
+    if (error) throw mapError$4(error);
+  }
+}
+function rowToInvite(row) {
+  return {
+    id: row.id,
+    tokenHash: row.token_hash,
+    email: row.email,
+    orgId: row.org_id,
+    orgRole: row.org_role,
+    orgPermissions: row.org_permissions,
+    invitedBy: row.invited_by,
+    createdAt: row.created_at,
+    expiresAt: row.expires_at,
+    acceptedAt: row.accepted_at ?? void 0,
+    acceptedByUserId: row.accepted_by_user_id ?? void 0
+  };
+}
+function inviteToRow(i) {
+  return {
+    id: i.id,
+    token_hash: i.tokenHash,
+    email: i.email,
+    org_id: i.orgId,
+    org_role: i.orgRole,
+    org_permissions: i.orgPermissions,
+    invited_by: i.invitedBy,
+    created_at: i.createdAt,
+    expires_at: i.expiresAt,
+    accepted_at: i.acceptedAt ?? null,
+    accepted_by_user_id: i.acceptedByUserId ?? null
+  };
+}
+function mapError$4(e) {
+  const pg = e;
+  if (pg?.code === "23505") return new ProviderError(pg.message ?? "Duplicate record", 409);
+  if (pg?.code === "23503") return new ProviderError(pg.message ?? "Foreign key violation", 409);
+  if (e instanceof Error) return e;
+  if (e && typeof e === "object") {
+    const obj = e;
+    return new Error(obj.code ? `[${obj.code}] ${obj.message ?? ""}` : obj.message ?? String(e));
+  }
+  return new Error(String(e));
+}
+class SupabaseComputeServerStore {
+  constructor(clients) {
+    this.clients = clients;
+  }
+  clients;
+  async getConfig(ctx) {
+    const client = this.clients.forRequest(ctx);
+    const [serversRes, sharesRes, orgDefRes, platDefRes] = await Promise.all([
+      client.from("compute_servers").select("*"),
+      client.from("compute_server_shares").select("*"),
+      client.from("compute_server_org_defaults").select("*"),
+      client.from("compute_server_platform_default").select("default_server_id").eq("singleton", true).maybeSingle()
+    ]);
+    if (serversRes.error) throw mapError$3(serversRes.error);
+    if (sharesRes.error) throw mapError$3(sharesRes.error);
+    if (orgDefRes.error) throw mapError$3(orgDefRes.error);
+    if (platDefRes.error) throw mapError$3(platDefRes.error);
+    const sharedByServer = /* @__PURE__ */ new Map();
+    for (const row of sharesRes.data ?? []) {
+      const list = sharedByServer.get(row.server_id) ?? [];
+      list.push(row.org_id);
+      sharedByServer.set(row.server_id, list);
+    }
+    const servers = (serversRes.data ?? []).map((row) => rowToServer(row, sharedByServer));
+    const orgDefaults = {};
+    for (const row of orgDefRes.data ?? []) {
+      if (row.default_server_id) orgDefaults[row.org_id] = row.default_server_id;
+    }
+    return {
+      servers,
+      defaultServerId: platDefRes.data?.default_server_id ?? void 0,
+      orgDefaults
+    };
+  }
+  async savePlatformServers(ctx, servers, defaultServerId) {
+    const client = this.clients.forRequest(ctx);
+    const platformOnly = servers.filter(isPlatformServer);
+    const { error: delErr } = await client.from("compute_servers").delete().eq("scope", "platform");
+    if (delErr) throw mapError$3(delErr);
+    if (platformOnly.length > 0) {
+      const { error: insErr } = await client.from("compute_servers").insert(platformOnly.map(serverToRow));
+      if (insErr) throw mapError$3(insErr);
+      const shareRows = platformOnly.flatMap(
+        (s) => s.sharedWith === "all" ? [] : s.sharedWith.map((orgId) => ({ server_id: s.id, org_id: orgId }))
+      );
+      if (shareRows.length > 0) {
+        const { error: shErr } = await client.from("compute_server_shares").insert(shareRows);
+        if (shErr) throw mapError$3(shErr);
+      }
+    }
+    const { error: defErr } = await client.from("compute_server_platform_default").update({ default_server_id: defaultServerId ?? null }).eq("singleton", true);
+    if (defErr) throw mapError$3(defErr);
+  }
+  async saveOrgServers(ctx, orgId, servers, defaultServerId) {
+    const client = this.clients.forRequest(ctx);
+    const orgOnly = servers.filter(isOrgServer).map((s) => ({ ...s, ownerOrgId: orgId }));
+    const { error: delErr } = await client.from("compute_servers").delete().eq("scope", "org").eq("owner_org_id", orgId);
+    if (delErr) throw mapError$3(delErr);
+    if (orgOnly.length > 0) {
+      const { error: insErr } = await client.from("compute_servers").insert(orgOnly.map(serverToRow));
+      if (insErr) throw mapError$3(insErr);
+    }
+    if (defaultServerId === null) {
+      const { error } = await client.from("compute_server_org_defaults").delete().eq("org_id", orgId);
+      if (error) throw mapError$3(error);
+    } else if (typeof defaultServerId === "string") {
+      const { error } = await client.from("compute_server_org_defaults").upsert({ org_id: orgId, default_server_id: defaultServerId });
+      if (error) throw mapError$3(error);
+    }
+  }
+  async setOrgDefault(ctx, orgId, serverId) {
+    const client = this.clients.forRequest(ctx);
+    if (serverId === null) {
+      const { error: error2 } = await client.from("compute_server_org_defaults").delete().eq("org_id", orgId);
+      if (error2) throw mapError$3(error2);
+      return;
+    }
+    const { error } = await client.from("compute_server_org_defaults").upsert({ org_id: orgId, default_server_id: serverId });
+    if (error) throw mapError$3(error);
+  }
+  async deleteByOrg(ctx, orgId) {
+    const client = this.clients.forRequest(ctx);
+    const { error: defErr } = await client.from("compute_server_org_defaults").delete().eq("org_id", orgId);
+    if (defErr) throw mapError$3(defErr);
+    const { error: srvErr } = await client.from("compute_servers").delete().eq("scope", "org").eq("owner_org_id", orgId);
+    if (srvErr) throw mapError$3(srvErr);
+    const { error: shErr } = await client.from("compute_server_shares").delete().eq("org_id", orgId);
+    if (shErr) throw mapError$3(shErr);
+  }
+}
+function rowToServer(row, sharedByServer) {
+  const common = {
+    id: row.id,
+    label: row.label,
+    serverUrl: row.server_url,
+    apiKey: row.api_key ?? void 0,
+    timeoutMs: row.timeout_ms ?? void 0,
+    retryCount: row.retry_count ?? void 0
+  };
+  if (row.scope === "platform") {
+    return {
+      ...common,
+      scope: "platform",
+      sharedWith: row.shared_with_all ? "all" : sharedByServer.get(row.id) ?? []
+    };
+  }
+  if (!row.owner_org_id) {
+    throw new Error(`compute_servers row ${row.id} has scope='org' but null owner_org_id`);
+  }
+  return { ...common, scope: "org", ownerOrgId: row.owner_org_id };
+}
+function serverToRow(s) {
+  const base = {
+    id: s.id,
+    label: s.label,
+    server_url: s.serverUrl,
+    api_key: s.apiKey ?? null,
+    timeout_ms: s.timeoutMs ?? null,
+    retry_count: s.retryCount ?? null
+  };
+  if (isPlatformServer(s)) {
+    return {
+      ...base,
+      scope: "platform",
+      owner_org_id: null,
+      shared_with_all: s.sharedWith === "all"
+    };
+  }
+  return {
+    ...base,
+    scope: "org",
+    owner_org_id: s.ownerOrgId,
+    shared_with_all: false
+  };
+}
+function mapError$3(e) {
+  const pg = e;
+  if (pg?.code === "23505") return new ProviderError(pg.message ?? "Duplicate record", 409);
+  if (pg?.code === "23503") return new ProviderError(pg.message ?? "Foreign key violation", 409);
+  if (e instanceof Error) return e;
+  if (e && typeof e === "object") {
+    const obj = e;
+    return new Error(obj.code ? `[${obj.code}] ${obj.message ?? ""}` : obj.message ?? String(e));
+  }
+  return new Error(String(e));
+}
+class SupabaseShareLinkStore {
+  constructor(clients, events = new NoopEventSink()) {
+    this.clients = clients;
+    this.events = events;
+  }
+  clients;
+  events;
+  async create(ctx, link) {
+    const { error } = await this.clients.forRequest(ctx).from("share_links").insert(linkToRow(link));
+    if (error) throw mapError$2(error);
+    await this.events.emit({
+      type: "share_link.minted",
+      linkId: link.id,
+      definitionId: link.definitionId,
+      actorId: actorFrom(ctx)
+    });
+  }
+  async listByDefinition(ctx, definitionId, opts) {
+    const range = toRange(opts);
+    const { data, error, count } = await this.clients.forRequest(ctx).from("share_links").select("*", { count: "exact" }).eq("definition_guid", definitionId).is("revoked_at", null).order("created_at", { ascending: false }).range(range.from, range.to);
+    if (error) throw mapError$2(error);
+    const items = (data ?? []).map(rowToLink);
+    return { items, nextCursor: nextCursorFromRange(range, items.length, count) };
+  }
+  async getById(ctx, id) {
+    const { data, error } = await this.clients.forRequest(ctx).from("share_links").select("*").eq("id", id).maybeSingle();
+    if (error) throw mapError$2(error);
+    return data ? rowToLink(data) : null;
+  }
+  async getByTokenHash(_ctx, tokenHash) {
+    const { data, error } = await this.clients.serviceClient.from("share_links").select("*, definitions!inner(deleted_at)").eq("token_hash", tokenHash).is("revoked_at", null).is("definitions.deleted_at", null).maybeSingle();
+    if (error) throw mapError$2(error);
+    return data ? rowToLink(data) : null;
+  }
+  async revoke(ctx, id) {
+    const { error } = await this.clients.forRequest(ctx).from("share_links").update({ revoked_at: (/* @__PURE__ */ new Date()).toISOString() }).eq("id", id).is("revoked_at", null);
+    if (error) throw mapError$2(error);
+    await this.events.emit({ type: "share_link.revoked", linkId: id, actorId: actorFrom(ctx) });
+  }
+  async tryIncrementSolveCount(_ctx, id) {
+    const { data, error } = await this.clients.serviceClient.rpc(
+      "try_increment_share_link_solve_count",
+      { link_id: id }
+    );
+    if (error) throw mapError$2(error);
+    return typeof data === "number" ? data : null;
+  }
+}
+function rowToLink(row) {
+  return {
+    id: row.id,
+    definitionId: row.definition_guid,
+    channel: row.channel,
+    tokenHash: row.token_hash,
+    name: row.name ?? void 0,
+    createdBy: row.created_by,
+    createdAt: row.created_at,
+    expiresAt: row.expires_at,
+    revokedAt: row.revoked_at,
+    allowSolve: row.allow_solve,
+    maxSolves: row.max_solves,
+    solveCount: row.solve_count
+  };
+}
+function linkToRow(l) {
+  return {
+    id: l.id,
+    definition_guid: l.definitionId,
+    channel: l.channel,
+    token_hash: l.tokenHash,
+    name: l.name ?? null,
+    created_by: l.createdBy,
+    created_at: l.createdAt,
+    expires_at: l.expiresAt ?? null,
+    revoked_at: l.revokedAt ?? null,
+    allow_solve: l.allowSolve,
+    max_solves: l.maxSolves ?? null,
+    solve_count: l.solveCount
+  };
+}
+function mapError$2(e) {
+  const pg = e;
+  if (pg?.code === "23505") return new ProviderError(pg.message ?? "Duplicate record", 409);
+  if (pg?.code === "23503") return new ProviderError(pg.message ?? "Foreign key violation", 409);
+  if (e instanceof Error) return e;
+  if (e && typeof e === "object") {
+    const obj = e;
+    const msg = obj.message ?? obj.details ?? obj.hint ?? "Unknown Postgres error";
+    const err = new Error(obj.code ? `[${obj.code}] ${msg}` : msg);
+    Object.assign(err, obj);
+    return err;
+  }
+  return new Error(String(e));
+}
+function buildClientBundle(opts) {
+  const serviceClient = createClient(opts.supabaseUrl, opts.serviceRoleKey, {
+    db: { schema: "selva" },
+    auth: { persistSession: false, autoRefreshToken: false }
+  });
+  const anonClient = createClient(opts.supabaseUrl, opts.anonKey, {
+    db: { schema: "selva" },
+    auth: { persistSession: false, autoRefreshToken: false }
+  });
+  const perRequestCache = /* @__PURE__ */ new WeakMap();
+  return {
+    serviceClient,
+    forRequest(ctx) {
+      if (ctx.system) return serviceClient;
+      const token = extractSessionToken(ctx.adapterContext);
+      if (!token) return anonClient;
+      const cached = perRequestCache.get(ctx);
+      if (cached) return cached;
+      const client = createClient(opts.supabaseUrl, opts.anonKey, {
+        db: { schema: "selva" },
+        auth: { persistSession: false, autoRefreshToken: false },
+        global: {
+          headers: { Authorization: `Bearer ${token}` }
+        }
+      });
+      perRequestCache.set(ctx, client);
+      return client;
+    }
+  };
+}
+function extractSessionToken(adapterContext) {
+  if (!adapterContext || typeof adapterContext !== "object") return void 0;
+  const maybe = adapterContext.sessionToken;
+  return typeof maybe === "string" && maybe.length > 0 ? maybe : void 0;
+}
+class SupabaseEventSink {
+  constructor(clients) {
+    this.clients = clients;
+  }
+  clients;
+  async emit(event) {
+    try {
+      const { error } = await this.clients.serviceClient.from("audit_events").insert({
+        type: event.type,
+        actor_id: event.actorId,
+        data: event
+      });
+      if (error) {
+        console.error("[SupabaseEventSink] insert failed:", error.message, { event });
+      }
+    } catch (err) {
+      console.error("[SupabaseEventSink] unexpected error:", err, { event });
+    }
+  }
+}
+class SupabaseSolveMetricSink {
+  constructor(clients) {
+    this.clients = clients;
+  }
+  clients;
+  async record(_ctx, metric) {
+    try {
+      const { error } = await this.clients.serviceClient.from("solve_metrics").insert({
+        actor_id: _ctx.userId || "system",
+        definition_url: metric.definitionUrl,
+        definition_id: metric.definitionId,
+        version_id: metric.versionId,
+        channel: metric.channel,
+        org_id: metric.orgId,
+        duration_ms: metric.durationMs,
+        ok: metric.ok,
+        failure_kind: metric.failureKind,
+        error_count: metric.errorCount,
+        warning_count: metric.warningCount
+      });
+      if (error) {
+        console.error("[SupabaseSolveMetricSink] insert failed:", error.message, { metric });
+      }
+    } catch (err) {
+      console.error("[SupabaseSolveMetricSink] unexpected error:", err, { metric });
+    }
+  }
+}
+const MAX_LIMIT = 200;
+const DEFAULT_LIMIT = 100;
+const ISO_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})$/;
+const UUID_RE = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/;
+class SupabaseAuditQuery {
+  constructor(clients) {
+    this.clients = clients;
+  }
+  clients;
+  async list(_ctx, filters) {
+    const limit = clampLimit(filters.limit);
+    let q = this.clients.serviceClient.from("audit_events").select("id, type, actor_id, occurred_at, data").order("occurred_at", { ascending: false }).order("id", { ascending: false }).limit(limit + 1);
+    if (filters.types && filters.types.length > 0) {
+      q = q.in("type", [...filters.types]);
+    }
+    if (filters.actorId) {
+      q = q.eq("actor_id", filters.actorId);
+    }
+    if (filters.sinceIso) {
+      q = q.gte("occurred_at", filters.sinceIso);
+    }
+    if (filters.untilIso) {
+      q = q.lte("occurred_at", filters.untilIso);
+    }
+    if (filters.cursor) {
+      const ts = filters.cursor.occurredAt;
+      const id = filters.cursor.id;
+      if (!ISO_RE.test(ts) || !UUID_RE.test(id)) {
+        throw new Error("audit_events query: malformed cursor");
+      }
+      q = q.or(`occurred_at.lt.${ts},and(occurred_at.eq.${ts},id.lt.${id})`);
+    }
+    const { data, error } = await q;
+    if (error) {
+      throw new Error(`audit_events query failed: ${error.message}`);
+    }
+    const fetched = data ?? [];
+    const hasMore = fetched.length > limit;
+    const page = hasMore ? fetched.slice(0, limit) : fetched;
+    const last = page[page.length - 1];
+    return {
+      rows: page.map((r) => ({
+        id: r.id,
+        type: r.type,
+        actorId: r.actor_id,
+        occurredAt: r.occurred_at,
+        data: r.data
+      })),
+      nextCursor: hasMore && last ? { occurredAt: last.occurred_at, id: last.id } : null
+    };
+  }
+}
+function clampLimit(requested) {
+  if (!requested || requested <= 0) return DEFAULT_LIMIT;
+  if (requested > MAX_LIMIT) return MAX_LIMIT;
+  return Math.floor(requested);
+}
+const MAX_RECENT_RUNS = 20;
+class SupabaseUserProfileProvider {
+  constructor(clients) {
+    this.clients = clients;
+  }
+  clients;
+  client() {
+    return this.clients.serviceClient;
+  }
+  async getProfile(ctx, userId) {
+    assertCanAccess(ctx, userId);
+    const { data, error } = await this.client().from("user_profiles").select("user_id, display_name, starred_definitions, recent_runs").eq("user_id", userId).maybeSingle();
+    if (error) throw mapError$1(error);
+    return data ? rowToProfile(data) : null;
+  }
+  async getProfiles(_ctx, userIds) {
+    if (userIds.length === 0) return [];
+    const { data, error } = await this.client().from("user_profiles").select("user_id, display_name, starred_definitions, recent_runs").in("user_id", [...userIds]);
+    if (error) throw mapError$1(error);
+    return (data ?? []).map(rowToProfile);
+  }
+  async updateProfile(ctx, userId, patch) {
+    assertCanAccess(ctx, userId);
+    const row = {};
+    if (patch.displayName !== void 0) row.display_name = patch.displayName;
+    if (Object.keys(row).length === 0) return "ok";
+    const { data, error } = await this.client().from("user_profiles").update(row).eq("user_id", userId).select("user_id");
+    if (error) throw mapError$1(error);
+    return data && data.length > 0 ? "ok" : "not_found";
+  }
+  async starDefinition(ctx, userId, definitionId) {
+    assertCanAccess(ctx, userId);
+    const existing = await this.getProfile(ctx, userId);
+    if (!existing) return "not_found";
+    if (existing.starredDefinitions.includes(definitionId)) return "ok";
+    const next = [...existing.starredDefinitions, definitionId];
+    const { data, error } = await this.client().from("user_profiles").update({ starred_definitions: next }).eq("user_id", userId).select("user_id");
+    if (error) throw mapError$1(error);
+    return data && data.length > 0 ? "ok" : "not_found";
+  }
+  async unstarDefinition(ctx, userId, definitionId) {
+    assertCanAccess(ctx, userId);
+    const existing = await this.getProfile(ctx, userId);
+    if (!existing) return "not_found";
+    if (!existing.starredDefinitions.includes(definitionId)) return "ok";
+    const next = existing.starredDefinitions.filter((id) => id !== definitionId);
+    const { data, error } = await this.client().from("user_profiles").update({ starred_definitions: next }).eq("user_id", userId).select("user_id");
+    if (error) throw mapError$1(error);
+    return data && data.length > 0 ? "ok" : "not_found";
+  }
+  async recordRun(ctx, userId, run) {
+    assertCanAccess(ctx, userId);
+    const existing = await this.getProfile(ctx, userId);
+    if (!existing) return "not_found";
+    const filtered = existing.recentRuns.filter((r) => r.definitionId !== run.definitionId);
+    const next = [run, ...filtered].slice(0, MAX_RECENT_RUNS);
+    const { data, error } = await this.client().from("user_profiles").update({ recent_runs: next }).eq("user_id", userId).select("user_id");
+    if (error) throw mapError$1(error);
+    return data && data.length > 0 ? "ok" : "not_found";
+  }
+}
+function assertCanAccess(ctx, userId) {
+  if (ctx.system) return;
+  if (ctx.userId === userId) return;
+  if (hasPermission(ctx, "instance_admin")) return;
+  throw new ProviderError("Forbidden: cannot access another user’s profile", 403);
+}
+function rowToProfile(row) {
+  return {
+    userId: row.user_id,
+    displayName: row.display_name ?? void 0,
+    starredDefinitions: row.starred_definitions ?? [],
+    recentRuns: row.recent_runs ?? []
+  };
+}
+function mapError$1(e) {
+  const pg = e;
+  if (pg?.code === "23505") return new ProviderError(pg.message ?? "Duplicate record", 409);
+  if (pg?.code === "23503") return new ProviderError(pg.message ?? "Foreign key violation", 409);
+  if (e instanceof Error) return e;
+  if (e && typeof e === "object") {
+    const obj = e;
+    return new Error(obj.code ? `[${obj.code}] ${obj.message ?? ""}` : obj.message ?? String(e));
+  }
+  return new Error(String(e));
+}
+class SupabasePlatformPermissionStore {
+  constructor(clients) {
+    this.clients = clients;
+  }
+  clients;
+  client() {
+    return this.clients.serviceClient;
+  }
+  async getFor(ctx, userId) {
+    assertCanRead(ctx, userId);
+    const { data, error } = await this.client().from("user_profiles").select("platform_permissions").eq("user_id", userId).maybeSingle();
+    if (error) throw mapError(error);
+    return filterValid(data?.platform_permissions ?? []);
+  }
+  async getForBatch(ctx, userIds) {
+    assertAdmin(ctx);
+    const out = /* @__PURE__ */ new Map();
+    if (userIds.length === 0) return out;
+    const { data, error } = await this.client().from("user_profiles").select("user_id, platform_permissions").in("user_id", [...userIds]);
+    if (error) throw mapError(error);
+    for (const row of data ?? []) {
+      out.set(row.user_id, filterValid(row.platform_permissions ?? []));
+    }
+    return out;
+  }
+  async set(ctx, userId, permissions) {
+    assertAdmin(ctx);
+    const { data: existing, error: fetchError } = await this.client().from("user_profiles").select("platform_permissions").eq("user_id", userId).maybeSingle();
+    if (fetchError) throw mapError(fetchError);
+    if (!existing) return "not_found";
+    const wasAdmin = (existing.platform_permissions ?? []).includes("instance_admin");
+    const willBeAdmin = permissions.includes("instance_admin");
+    if (wasAdmin && !willBeAdmin) {
+      const others = await this.countOtherEnabledAdmins(userId);
+      if (others === 0) return "last_admin";
+    }
+    const { error } = await this.client().from("user_profiles").update({ platform_permissions: [...permissions] }).eq("user_id", userId);
+    if (error) throw mapError(error);
+    return "ok";
+  }
+  async hasInstanceAdmin(_ctx) {
+    const { data, error } = await this.client().from("user_profiles").select("user_id").contains("platform_permissions", ["instance_admin"]);
+    if (error) throw mapError(error);
+    const candidates = (data ?? []).map((r) => r.user_id);
+    if (candidates.length === 0) return false;
+    for (const id of candidates) {
+      const { data: authData } = await this.clients.serviceClient.auth.admin.getUserById(id);
+      if (authData.user && authData.user.user_metadata?.disabled !== true) return true;
+    }
+    return false;
+  }
+  async countInstanceAdminsExcluding(_ctx, excludeUserId) {
+    return this.countOtherEnabledAdmins(excludeUserId);
+  }
+  async countOtherEnabledAdmins(excludeUserId) {
+    const { data, error } = await this.client().from("user_profiles").select("user_id").contains("platform_permissions", ["instance_admin"]).neq("user_id", excludeUserId);
+    if (error) throw mapError(error);
+    const candidates = (data ?? []).map((r) => r.user_id);
+    if (candidates.length === 0) return 0;
+    let count = 0;
+    for (const id of candidates) {
+      const { data: authData } = await this.clients.serviceClient.auth.admin.getUserById(id);
+      if (authData.user && authData.user.user_metadata?.disabled !== true) count += 1;
+    }
+    return count;
+  }
+}
+function filterValid(raw) {
+  return raw.filter((p) => PlatformPermissionSchema.safeParse(p).success);
+}
+function assertCanRead(ctx, userId) {
+  if (ctx.system) return;
+  if (ctx.userId === userId) return;
+  if (hasPermission(ctx, "instance_admin")) return;
+  throw new ProviderError("Forbidden: cannot read another user’s permissions", 403);
+}
+function assertAdmin(ctx) {
+  if (ctx.system) return;
+  if (hasPermission(ctx, "instance_admin")) return;
+  throw new ProviderError("Forbidden: instance admin required", 403);
+}
+function mapError(e) {
+  const pg = e;
+  if (pg?.code === "23505") return new ProviderError(pg.message ?? "Duplicate record", 409);
+  if (pg?.code === "23503") return new ProviderError(pg.message ?? "Foreign key violation", 409);
+  if (e instanceof Error) return e;
+  if (e && typeof e === "object") {
+    const obj = e;
+    return new Error(obj.code ? `[${obj.code}] ${obj.message ?? ""}` : obj.message ?? String(e));
+  }
+  return new Error(String(e));
+}
+const NOT_IMPLEMENTED_MSG = "Platform projects are not supported on this deployment yet.";
+const notImplementedGrantStore = {
+  listByProject: async () => {
+    throw new ProviderError(NOT_IMPLEMENTED_MSG, 501);
+  },
+  create: async () => {
+    throw new ProviderError(NOT_IMPLEMENTED_MSG, 501);
+  },
+  delete: async () => {
+    throw new ProviderError(NOT_IMPLEMENTED_MSG, 501);
+  },
+  deleteByProject: async () => {
+  },
+  deleteByGranteeOrg: async () => {
+  }
+};
+class SupabaseDataProvider {
+  constructor(clients, events) {
+    this.clients = clients;
+    this.solveMetrics = new SupabaseSolveMetricSink(clients);
+    this.orgs = new SupabaseOrgStore(clients, events);
+    this.projects = new SupabaseProjectStore(clients, events);
+    this.definitions = new SupabaseDefinitionStore(clients, events);
+    this.invites = new SupabaseInviteStore(clients, events);
+    this.computeServer = new SupabaseComputeServerStore(clients);
+    this.shareLinks = new SupabaseShareLinkStore(clients, events);
+    this.userProfile = new SupabaseUserProfileProvider(clients);
+    this.permissions = new SupabasePlatformPermissionStore(clients);
+    this.platformProjectGrants = notImplementedGrantStore;
+    this.auditQuery = new SupabaseAuditQuery(clients);
+  }
+  clients;
+  orgs;
+  projects;
+  definitions;
+  invites;
+  computeServer;
+  shareLinks;
+  userProfile;
+  permissions;
+  platformProjectGrants;
+  auditQuery;
+  /**
+   * Per-solve timing sink, built from the same client bundle. Exposed so the
+   * app's provider wiring can hand it to `SelvaConfig.solveMetrics` without
+   * constructing a second Supabase client.
+   */
+  solveMetrics;
+  static fromEnv(env, events) {
+    const supabaseUrl = env.SUPABASE_URL;
+    const anonKey = env.SUPABASE_ANON_KEY;
+    const serviceRoleKey = env.SUPABASE_SERVICE_ROLE_KEY;
+    if (!supabaseUrl) throw new Error("Missing required env var: SUPABASE_URL");
+    if (!anonKey) throw new Error("Missing required env var: SUPABASE_ANON_KEY");
+    if (!serviceRoleKey) throw new Error("Missing required env var: SUPABASE_SERVICE_ROLE_KEY");
+    const bundle = buildClientBundle({ supabaseUrl, anonKey, serviceRoleKey });
+    return new SupabaseDataProvider(bundle, events ?? new SupabaseEventSink(bundle));
+  }
+  static create(opts, events) {
+    const bundle = buildClientBundle(opts);
+    return new SupabaseDataProvider(bundle, events ?? new SupabaseEventSink(bundle));
+  }
+  /**
+   * Build from a pre-existing `ClientBundle`. Useful for tests or advanced
+   * cases that need to inject a custom event sink or share a bundle externally.
+   */
+  static fromBundle(bundle, events) {
+    return new SupabaseDataProvider(bundle, events ?? new SupabaseEventSink(bundle));
+  }
+  /**
+   * Expose the underlying bundle so other providers in the same package
+   * (storage, user profile, auth) can share one set of clients per process.
+   */
+  getClientBundle() {
+    return this.clients;
+  }
+  /**
+   * No-op: `public.user_profiles` is auto-seeded by the `handle_new_auth_user`
+   * trigger on every `auth.users` insert (see `0001_initial.sql`). The data
+   * layer always has a row for any authenticated user without per-request work.
+   */
+  async ensureUser() {
+  }
+  /**
+   * No-op: `public.user_profiles.user_id` references `auth.users(id)` with
+   * `on delete cascade`. Deleting the auth user removes the profile row
+   * automatically.
+   */
+  async onUserDeleted() {
+  }
+}
+class SupabaseAuthProvider {
+  name = "Supabase Auth";
+  passwordAuth;
+  oauth;
+  emailLink;
+  admin;
+  anon;
+  anonKey;
+  supabaseUrl;
+  constructor(config) {
+    this.supabaseUrl = config.supabaseUrl;
+    this.anonKey = config.anonKey;
+    this.admin = createClient(config.supabaseUrl, config.serviceRoleKey, {
+      auth: { persistSession: false, autoRefreshToken: false }
+    });
+    this.anon = createClient(config.supabaseUrl, config.anonKey, {
+      auth: { persistSession: false, autoRefreshToken: false }
+    });
+    this.passwordAuth = new SupabasePasswordAuth(
+      this.admin,
+      this.anon,
+      (email, password) => this.signIn(email, password),
+      config.enableSelfSignup ?? false,
+      (user) => this.hydrate(user)
+    );
+    this.oauth = new SupabaseOAuthAuth(
+      this.anon,
+      (user) => this.hydrate(user),
+      config.oauthProviders ?? []
+    );
+    this.emailLink = new SupabaseEmailLinkAuth(
+      this.anon,
+      (user) => this.hydrate(user),
+      config.allowEmailLinkSignup ?? true
+    );
+  }
+  static fromEnv(env) {
+    const supabaseUrl = env.SUPABASE_URL;
+    const anonKey = env.SUPABASE_ANON_KEY;
+    const serviceRoleKey = env.SUPABASE_SERVICE_ROLE_KEY;
+    if (!supabaseUrl) throw new Error("Missing required env var: SUPABASE_URL");
+    if (!anonKey) throw new Error("Missing required env var: SUPABASE_ANON_KEY");
+    if (!serviceRoleKey) throw new Error("Missing required env var: SUPABASE_SERVICE_ROLE_KEY");
+    const oauthProviders = (env.SUPABASE_OAUTH_PROVIDERS ?? "").split(",").map((p) => p.trim().toLowerCase()).filter((p) => p.length > 0);
+    return new SupabaseAuthProvider({
+      supabaseUrl,
+      anonKey,
+      serviceRoleKey,
+      enableSelfSignup: env.SUPABASE_ENABLE_SELF_SIGNUP === "true",
+      oauthProviders,
+      // Default true; set SUPABASE_ALLOW_EMAIL_LINK_SIGNUP=false to lock down
+      // to invite-only and reject magic-link signups for new addresses.
+      allowEmailLinkSignup: env.SUPABASE_ALLOW_EMAIL_LINK_SIGNUP !== "false"
+    });
+  }
+  async verifyToken(token) {
+    if (!token) return null;
+    const { data, error } = await this.anon.auth.getUser(token);
+    if (error || !data.user) return null;
+    if (data.user.user_metadata?.disabled === true) return null;
+    return this.hydrate(data.user);
+  }
+  async getUser(id) {
+    const { data, error } = await this.admin.auth.admin.getUserById(id);
+    if (error || !data.user) return null;
+    return this.hydrate(data.user);
+  }
+  async listUsers(opts) {
+    const perPage = opts?.limit ?? 50;
+    const page = opts?.cursor ? parseInt(opts.cursor, 10) : 1;
+    const { data, error } = await this.admin.auth.admin.listUsers({
+      page: Number.isFinite(page) && page >= 1 ? page : 1,
+      perPage
+    });
+    if (error) throw error;
+    const users = data.users;
+    const hydrated = users.map((u) => this.hydrate(u));
+    const nextCursor = users.length >= perPage ? String(page + 1) : void 0;
+    return { items: hydrated, nextCursor };
+  }
+  async createUser(email) {
+    const { data, error } = await this.admin.auth.admin.createUser({
+      email,
+      email_confirm: true
+    });
+    if (error) throw error;
+    if (!data.user) throw new Error("createUser returned no user");
+    return this.hydrate(data.user);
+  }
+  async deleteUser(id) {
+    const { error } = await this.admin.auth.admin.deleteUser(id);
+    if (error) {
+      const e = error;
+      if (e.status === 404 || /not.?found/i.test(e.message ?? "")) return "not_found";
+      throw error;
+    }
+    return "ok";
+  }
+  async disableUser(id) {
+    const { data: existing, error: fetchError } = await this.admin.auth.admin.getUserById(id);
+    if (fetchError || !existing.user) return "not_found";
+    const mergedMetadata = {
+      ...existing.user.user_metadata ?? {},
+      disabled: true
+    };
+    const { error } = await this.admin.auth.admin.updateUserById(id, {
+      user_metadata: mergedMetadata
+    });
+    if (error) {
+      const e = error;
+      if (e.status === 404 || /not.?found/i.test(e.message ?? "")) return "not_found";
+      throw error;
+    }
+    return "ok";
+  }
+  async touchLastLogin(id) {
+    const { data, error } = await this.admin.from("user_profiles").select("last_login_at").eq("user_id", id).maybeSingle();
+    if (error) return;
+    if (data?.last_login_at) {
+      const prev = Date.parse(data.last_login_at);
+      if (Number.isFinite(prev) && Date.now() - prev < 6e4) return;
+    }
+    await this.admin.from("user_profiles").update({ last_login_at: (/* @__PURE__ */ new Date()).toISOString() }).eq("user_id", id);
+  }
+  // OAuth lives on `this.oauth` (typed `IOAuthAuth`); see `SupabaseOAuthAuth`
+  // below. Mirrors the `passwordAuth` capability split.
+  // ============================================================================
+  // Internals
+  // ============================================================================
+  /**
+   * Sign in via GoTrue. Returns the access token string and the hydrated
+   * user. Called by `SupabasePasswordAuth.verifyLogin` — kept on the
+   * provider class so it has access to the hydrate helper without plumbing.
+   */
+  async signIn(email, password) {
+    const { data, error } = await this.anon.auth.signInWithPassword({ email, password });
+    if (error || !data.user || !data.session) return null;
+    if (data.user.user_metadata?.disabled === true) return null;
+    return { user: this.hydrate(data.user), sessionToken: data.session.access_token };
+  }
+  /**
+   * Map a GoTrue `User` to our identity-only `AuthUser`. Platform permissions
+   * live on `IPlatformPermissionStore` and profile fields (displayName,
+   * starred, recentRuns) on `IUserProfileStore` — neither is in AuthUser.
+   */
+  hydrate(user) {
+    return {
+      id: user.id,
+      email: user.email ?? void 0,
+      createdAt: user.created_at ?? void 0,
+      lastLoginAt: user.last_sign_in_at ?? void 0,
+      disabled: user.user_metadata?.disabled === true,
+      metadata: user.user_metadata
+    };
+  }
+  /**
+   * Expose the anon URL + key so other code (e.g. the same process's
+   * storage provider or per-request client factories) can build user-scoped
+   * clients without requiring a second config read.
+   */
+  getAnonClientConfig() {
+    return { supabaseUrl: this.supabaseUrl, anonKey: this.anonKey };
+  }
+}
+class SupabasePasswordAuth {
+  constructor(admin, anon, signIn, enableSelfSignup, hydrate) {
+    this.admin = admin;
+    this.anon = anon;
+    this.signIn = signIn;
+    this.enableSelfSignup = enableSelfSignup;
+    this.hydrate = hydrate;
+  }
+  admin;
+  anon;
+  signIn;
+  enableSelfSignup;
+  hydrate;
+  async verifyLogin(email, password) {
+    const result = await this.signIn(email, password);
+    if (!result) return { kind: "failed", reason: "invalid_credentials" };
+    return { kind: "success", user: result.user, sessionToken: result.sessionToken };
+  }
+  async createUserWithPassword(email, password) {
+    const { data, error } = await this.admin.auth.admin.createUser({
+      email,
+      password,
+      email_confirm: true
+    });
+    if (error) throw error;
+    if (!data.user) throw new Error("createUserWithPassword returned no user");
+    return this.hydrate(data.user);
+  }
+  async registerUser(email, password) {
+    if (!this.enableSelfSignup) return null;
+    const { data, error } = await this.anon.auth.signUp({ email, password });
+    if (error || !data.user) return null;
+    return this.hydrate(data.user);
+  }
+}
+class SupabaseOAuthAuth {
+  constructor(anon, hydrate, providers2) {
+    this.anon = anon;
+    this.hydrate = hydrate;
+    this.providers = providers2;
+  }
+  anon;
+  hydrate;
+  providers;
+  listProviders() {
+    return this.providers;
+  }
+  async getOAuthAuthorizationUrl(provider, redirectTo) {
+    const { data, error } = await this.anon.auth.signInWithOAuth({
+      provider,
+      options: { redirectTo, skipBrowserRedirect: true }
+    });
+    if (error || !data.url) throw error ?? new Error("signInWithOAuth returned no URL");
+    return data.url;
+  }
+  async exchangeOAuthCode(code) {
+    const { data, error } = await this.anon.auth.exchangeCodeForSession(code);
+    if (error || !data.user || !data.session) return null;
+    if (data.user.user_metadata?.disabled === true) return null;
+    return {
+      user: this.hydrate(data.user),
+      sessionToken: data.session.access_token,
+      refreshToken: data.session.refresh_token
+    };
+  }
+  async refreshSession(refreshToken) {
+    const { data, error } = await this.anon.auth.refreshSession({ refresh_token: refreshToken });
+    if (error || !data.session) return null;
+    return {
+      sessionToken: data.session.access_token,
+      refreshToken: data.session.refresh_token
+    };
+  }
+}
+class SupabaseEmailLinkAuth {
+  constructor(anon, hydrate, allowSignup) {
+    this.anon = anon;
+    this.hydrate = hydrate;
+    this.allowSignup = allowSignup;
+  }
+  anon;
+  hydrate;
+  allowSignup;
+  async sendMagicLink(email, callbackUrl) {
+    const { error } = await this.anon.auth.signInWithOtp({
+      email,
+      options: {
+        emailRedirectTo: callbackUrl,
+        shouldCreateUser: this.allowSignup
+      }
+    });
+    if (!error) return { ok: true };
+    const status = error.status;
+    const code = error.code;
+    const message = error.message ?? "";
+    if (status === 429 || /rate.?limit/i.test(message))
+      return { ok: false, reason: "rate_limited" };
+    if (code === "otp_disabled" || code === "signup_disabled" || /signup.*disabled/i.test(message)) {
+      return { ok: false, reason: "signup_disabled" };
+    }
+    if (code === "validation_failed" || /invalid.*email|email.*invalid/i.test(message)) {
+      return { ok: false, reason: "invalid_email" };
+    }
+    throw error;
+  }
+  async verifyMagicLink(rawCallbackUrl) {
+    const params = parseCallbackParams(rawCallbackUrl);
+    if (!params) return null;
+    const { tokenHash, type } = params;
+    const { data, error } = await this.anon.auth.verifyOtp({
+      token_hash: tokenHash,
+      type
+    });
+    if (error || !data.user || !data.session) return null;
+    if (data.user.user_metadata?.disabled === true) return null;
+    return {
+      user: this.hydrate(data.user),
+      sessionToken: data.session.access_token,
+      refreshToken: data.session.refresh_token
+    };
+  }
+}
+function parseCallbackParams(raw) {
+  let search;
+  try {
+    search = new URL(raw).searchParams;
+  } catch {
+    search = new URLSearchParams(raw.startsWith("?") ? raw.slice(1) : raw);
+  }
+  const tokenHash = search.get("token_hash");
+  const type = search.get("type");
+  if (!tokenHash) return null;
+  const allowed = /* @__PURE__ */ new Set(["magiclink", "email", "signup", "invite", "recovery"]);
+  if (!type || !allowed.has(type)) return null;
+  return {
+    tokenHash,
+    type
+  };
+}
+const empty = () => ({ users: [] });
+const LAST_LOGIN_DEBOUNCE_MS = 6e4;
+async function readFile(filePath) {
+  try {
+    const raw = await fs.readFile(filePath, "utf-8");
+    return JSON.parse(raw);
+  } catch (err) {
+    if (err.code === "ENOENT") return empty();
+    throw err;
+  }
+}
+async function writeFile(filePath, data) {
+  await fs.mkdir(path.dirname(filePath), { recursive: true });
+  const tmp = `${filePath}.tmp`;
+  await fs.writeFile(tmp, JSON.stringify(data, null, "	"), "utf-8");
+  await fs.rename(tmp, filePath);
+}
+function createAllowlistStore(filePath) {
+  const norm = (upn) => upn.trim().toLowerCase();
+  return {
+    async findByUpn(upn) {
+      const { users } = await readFile(filePath);
+      const key = norm(upn);
+      return users.find((u) => u.upn === key) ?? null;
+    },
+    async findByEmail(email) {
+      const { users } = await readFile(filePath);
+      const key = norm(email);
+      return users.find((u) => norm(u.email ?? "") === key || u.upn === key) ?? null;
+    },
+    async findById(id) {
+      const { users } = await readFile(filePath);
+      return users.find((u) => u.id === id) ?? null;
+    },
+    async listUsers() {
+      const { users } = await readFile(filePath);
+      return users;
+    },
+    async createUser(upn) {
+      const file = await readFile(filePath);
+      const key = norm(upn);
+      if (file.users.some((u) => u.upn === key)) {
+        throw new ProviderError(`User with UPN "${upn}" already exists`, 409);
+      }
+      const entry = {
+        id: randomUUID(),
+        upn: key,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      file.users.push(entry);
+      await writeFile(filePath, file);
+      return entry;
+    },
+    async materializeFromHeaders(id, fields) {
+      const file = await readFile(filePath);
+      const user = file.users.find((u) => u.id === id);
+      if (!user) return;
+      let dirty = false;
+      if (!user.email && fields.email) {
+        user.email = fields.email;
+        dirty = true;
+      }
+      if (!user.displayName && fields.displayName) {
+        user.displayName = fields.displayName;
+        dirty = true;
+      }
+      if (dirty) await writeFile(filePath, file);
+    },
+    async rebindUpn(id, upn) {
+      const file = await readFile(filePath);
+      const key = norm(upn);
+      const user = file.users.find((u) => u.id === id);
+      if (!user || user.upn === key) return;
+      if (file.users.some((u) => u.id !== id && u.upn === key)) return;
+      user.upn = key;
+      await writeFile(filePath, file);
+    },
+    async setDisabled(id, disabled) {
+      const file = await readFile(filePath);
+      const user = file.users.find((u) => u.id === id);
+      if (!user) throw new ProviderError(`User "${id}" not found`, 404);
+      user.disabled = disabled;
+      await writeFile(filePath, file);
+    },
+    async touchLastLogin(id) {
+      const file = await readFile(filePath);
+      const user = file.users.find((u) => u.id === id);
+      if (!user) return;
+      const now = Date.now();
+      if (user.lastLoginAt) {
+        const prev = Date.parse(user.lastLoginAt);
+        if (Number.isFinite(prev) && now - prev < LAST_LOGIN_DEBOUNCE_MS) return;
+      }
+      user.lastLoginAt = new Date(now).toISOString();
+      await writeFile(filePath, file);
+    },
+    async deleteUser(id) {
+      const file = await readFile(filePath);
+      const before = file.users.length;
+      file.users = file.users.filter((u) => u.id !== id);
+      if (file.users.length === before) throw new ProviderError(`User "${id}" not found`, 404);
+      await writeFile(filePath, file);
+    }
+  };
+}
+const DEFAULT_HEADERS = {
+  upn: "SELVA-UserPrincipalName",
+  email: "SELVA-Email",
+  displayName: "SELVA-DisplayName"
+};
+function toAuthUser(u) {
+  return {
+    id: u.id,
+    email: u.email,
+    metadata: { upn: u.upn, displayName: u.displayName },
+    createdAt: u.createdAt,
+    lastLoginAt: u.lastLoginAt,
+    disabled: u.disabled
+  };
+}
+class HeaderProxyAuth {
+  constructor(users, headers, bootstrapPolicy) {
+    this.users = users;
+    this.headers = headers;
+    this.bootstrapPolicy = bootstrapPolicy;
+  }
+  users;
+  headers;
+  bootstrapPolicy;
+  // One-shot diagnostic flag. Flipped the first time we see a request that
+  // carries none of the configured SELVA-* headers, so deploys with a
+  // misconfigured proxy get a single loud warning in the logs without
+  // spamming on every anonymous request. Reset is intentional — the
+  // process restarts and you see the warning again next deploy.
+  missingHeadersWarned = false;
+  setBootstrapPolicy(policy) {
+    this.bootstrapPolicy = policy ?? void 0;
+  }
+  /**
+   * Names of the configured identity headers, in priority order. Exposed so
+   * the hook layer can emit per-page diagnostics ("you hit /login without
+   * these headers") without having to know provider internals.
+   */
+  get configuredHeaderNames() {
+    return [this.headers.upn, this.headers.email, this.headers.displayName];
+  }
+  /** True iff none of the configured identity headers are present. */
+  hasNoIdentityHeaders(headers) {
+    return !headers.get(this.headers.upn) && !headers.get(this.headers.email) && !headers.get(this.headers.displayName);
+  }
+  async identifyFromHeaders(headers) {
+    const upn = headers.get(this.headers.upn);
+    if (!upn || !upn.trim()) {
+      if (!this.missingHeadersWarned && this.hasNoIdentityHeaders(headers)) {
+        this.missingHeadersWarned = true;
+        console.warn(
+          `[HeaderAuth] No identity headers received on the first non-authed request. Expected one of: ${this.headers.upn}, ${this.headers.email}, ${this.headers.displayName}. If you reach the app through your forward-auth proxy, this means the proxy is not forwarding the configured headers — check your forward_auth / copy_headers config. If you're hitting the app directly (bypassing the proxy), bind the process to 127.0.0.1 and only reach it through the proxy. See @selvajs/header-auth-provider README.`
+        );
+      }
+      return null;
+    }
+    const email = headers.get(this.headers.email)?.trim() || void 0;
+    const displayName = headers.get(this.headers.displayName)?.trim() || void 0;
+    let entry = await this.users.findByUpn(upn);
+    if (!entry && email) {
+      const byEmail = await this.users.findByEmail(email);
+      if (byEmail) {
+        entry = byEmail;
+        if (byEmail.upn !== upn.trim().toLowerCase()) {
+          await this.users.rebindUpn(byEmail.id, upn).catch(() => {
+          });
+        }
+      }
+    }
+    if (!entry && this.bootstrapPolicy) {
+      const allowed = await this.bootstrapPolicy({ upn, email });
+      if (allowed) {
+        try {
+          entry = await this.users.createUser(upn);
+        } catch {
+          entry = await this.users.findByUpn(upn);
+        }
+      }
+    }
+    if (!entry || entry.disabled) {
+      return null;
+    }
+    if (!entry.email && email || !entry.displayName && displayName) {
+      await this.users.materializeFromHeaders(entry.id, { email, displayName }).catch(() => {
+      });
+      if (email && !entry.email) entry.email = email;
+      if (displayName && !entry.displayName) entry.displayName = displayName;
+    }
+    await this.users.touchLastLogin(entry.id).catch(() => {
+    });
+    return toAuthUser(entry);
+  }
+}
+class HeaderAuthProvider {
+  users;
+  headers;
+  name = "Header (Forward Auth)";
+  proxyAuth;
+  constructor(config) {
+    this.users = createAllowlistStore(config.allowlistFilePath);
+    this.headers = { ...DEFAULT_HEADERS, ...config.headers };
+    this.proxyAuth = new HeaderProxyAuth(this.users, this.headers, config.bootstrapAllowlistPolicy);
+  }
+  /**
+   * Late-bind a bootstrap-allowlist policy. Useful when the policy needs
+   * runtime state the platform layer owns (e.g. `hasInstanceAdmin`) and
+   * therefore can't be wired up at provider construction time. Pass `null`
+   * to clear.
+   */
+  setBootstrapAllowlistPolicy(policy) {
+    this.proxyAuth.setBootstrapPolicy(policy);
+  }
+  static fromEnv(env) {
+    const dir = env.HEADER_AUTH_DATA_DIR ?? env.DATA_PATH;
+    if (!dir) {
+      throw new Error(
+        "Missing required env var: HEADER_AUTH_DATA_DIR (or DATA_PATH as fallback). This directory holds header-allowlist.json — the pre-provisioned UPN list."
+      );
+    }
+    return new HeaderAuthProvider({
+      allowlistFilePath: path.join(dir, "header-allowlist.json"),
+      headers: {
+        upn: env.HEADER_AUTH_UPN_HEADER ?? DEFAULT_HEADERS.upn,
+        email: env.HEADER_AUTH_EMAIL_HEADER ?? DEFAULT_HEADERS.email,
+        displayName: env.HEADER_AUTH_DISPLAY_NAME_HEADER ?? DEFAULT_HEADERS.displayName
+      }
+    });
+  }
+  /**
+   * No tokens are issued by this provider — identity rides on every request
+   * via the trusted-proxy headers. Always returns null; the hook layer
+   * falls through to `proxyAuth.identifyFromHeaders`.
+   */
+  async verifyToken(_token) {
+    return null;
+  }
+  async getUser(id) {
+    const u = await this.users.findById(id);
+    return u ? toAuthUser(u) : null;
+  }
+  async listUsers(opts) {
+    const all = await this.users.listUsers();
+    const limit = Math.min(Math.max(1, opts?.limit ?? 25), 200);
+    const offset = opts?.cursor ? parseInt(opts.cursor, 10) || 0 : 0;
+    const slice = all.slice(offset, offset + limit).map(toAuthUser);
+    const nextOffset = offset + slice.length;
+    return {
+      items: slice,
+      nextCursor: nextOffset < all.length ? String(nextOffset) : void 0
+    };
+  }
+  /**
+   * Allowlist a UPN. Admin POST `/admin/api/users` with `{ email }`; the
+   * email IS the UPN for M365 / Entra deployments where they match. For
+   * other IdPs, document the UPN format in your README/onboarding.
+   */
+  async createUser(upn) {
+    return toAuthUser(await this.users.createUser(upn));
+  }
+  async deleteUser(id) {
+    const target = await this.users.findById(id);
+    if (!target) return "not_found";
+    try {
+      await this.users.deleteUser(id);
+      return "ok";
+    } catch (err) {
+      if (err instanceof ProviderError && err.statusCode === 404) return "not_found";
+      throw err;
+    }
+  }
+  async disableUser(id) {
+    const target = await this.users.findById(id);
+    if (!target) return "not_found";
+    try {
+      await this.users.setDisabled(id, true);
+      return "ok";
+    } catch (err) {
+      if (err instanceof ProviderError && err.statusCode === 404) return "not_found";
+      throw err;
+    }
+  }
+  async touchLastLogin(id) {
+    await this.users.touchLastLogin(id);
+  }
+}
+class DefinitionService {
+  constructor(data, storage) {
+    this.data = data;
+    this.storage = storage;
+  }
+  data;
+  storage;
+  async create(ctx, input, file, schema) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const actor = ctx.userId || input.ownerId;
+    const record = {
+      guid: input.guid,
+      projectId: input.projectId,
+      ownerId: input.ownerId,
+      createdBy: actor,
+      updatedBy: actor,
+      displayName: input.displayName,
+      description: input.description,
+      category: input.category,
+      tags: input.tags,
+      coverImage: input.coverImage,
+      computeServerId: input.computeServerId,
+      status: "pending",
+      solveCount: 0,
+      liveVersionId: null,
+      draftVersionId: null,
+      createdAt: now,
+      updatedAt: now,
+      deletedAt: null
+    };
+    await this.data.definitions.create(ctx, record);
+    const versionId = randomUUID();
+    const fileKey = definitionPaths.version(input.guid, 1, input.fileExt);
+    await this.storage.put(fileKey, file, "application/octet-stream");
+    const version = {
+      id: versionId,
+      definitionId: input.guid,
+      versionNumber: 1,
+      fileExt: input.fileExt,
+      fileKey,
+      originalFilename: input.originalFilename,
+      uploadedBy: actor,
+      uploadedAt: now,
+      schema,
+      schemaExtractedAt: now
+    };
+    await this.data.definitions.createVersion(ctx, version);
+    await this.data.definitions.attachInitialVersion(ctx, input.guid, versionId);
+    return {
+      record: { ...record, status: "draft", liveVersionId: versionId, draftVersionId: versionId },
+      version
+    };
+  }
+  /**
+   * Upload a new version of an existing definition. Writes the blob, inserts
+   * the version row, and advances the draft pointer. `live` is unchanged —
+   * use `publish` to promote.
+   */
+  async uploadVersion(ctx, guid, file, ext, originalName, schema, changeNote) {
+    const existing = await this.data.definitions.get(ctx, guid);
+    if (!existing) throw new ProviderError(`Definition not found: ${guid}`, 404);
+    const versions = await this.data.definitions.listVersions(ctx, guid, { limit: 1 });
+    const next = (versions.items[0]?.versionNumber ?? 0) + 1;
+    const versionId = randomUUID();
+    const fileKey = definitionPaths.version(guid, next, ext);
+    await this.storage.put(fileKey, file, "application/octet-stream");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const actor = ctx.userId || existing.ownerId;
+    const version = {
+      id: versionId,
+      definitionId: guid,
+      versionNumber: next,
+      fileExt: ext,
+      fileKey,
+      originalFilename: originalName,
+      uploadedBy: actor,
+      uploadedAt: now,
+      changeNote: changeNote?.trim() || void 0,
+      schema,
+      schemaExtractedAt: now
+    };
+    await this.data.definitions.createVersion(ctx, version);
+    await this.data.definitions.setDraftVersion(ctx, guid, versionId);
+    return version;
+  }
+  /**
+   * Advance the live channel. If `versionId` is omitted, promotes the
+   * current draft. Pass an arbitrary version id to roll forward/back —
+   * spec §6 makes rollback a first-class operation.
+   */
+  async publish(ctx, guid, versionId) {
+    const existing = await this.data.definitions.get(ctx, guid);
+    if (!existing) throw new ProviderError(`Definition not found: ${guid}`, 404);
+    const target = versionId ?? existing.draftVersionId;
+    if (!target) throw new ProviderError("No version to publish", 400);
+    const version = await this.data.definitions.getVersion(ctx, target);
+    if (!version || version.definitionId !== guid) {
+      throw new ProviderError(`Version '${target}' not found for this definition`, 404);
+    }
+    await this.data.definitions.setLiveVersion(ctx, guid, target);
+    if (existing.status === "draft" || existing.status === "pending") {
+      await this.data.definitions.update(ctx, guid, { status: "published" });
+    }
+    return version;
+  }
+  async deleteVersion(ctx, guid, versionId) {
+    const version = await this.data.definitions.getVersion(ctx, versionId);
+    if (!version || version.definitionId !== guid) {
+      throw new ProviderError(`Version '${versionId}' not found for this definition`, 404);
+    }
+    await this.data.definitions.deleteVersion(ctx, versionId);
+    await this.storage.delete(version.fileKey);
+  }
+  async updateMeta(ctx, guid, patch) {
+    await this.data.definitions.update(ctx, guid, patch);
+  }
+  async saveCoverImage(ctx, guid, imageData) {
+    const path2 = definitionPaths.image(guid);
+    await this.storage.put(path2, imageData, "image/webp");
+    const url = this.storage.getPublicUrl(path2);
+    await this.data.definitions.update(ctx, guid, { coverImage: url });
+    return url;
+  }
+  async delete(ctx, guid) {
+    await this.data.definitions.delete(ctx, guid);
+    await this.storage.deletePrefix(definitionPaths.prefix(guid));
+  }
+}
+function envBool(e, key) {
+  const v = e[key]?.toLowerCase();
+  return v === "true" || v === "1" || v === "yes";
+}
+function pickAuth(e) {
+  const choice = (e.SELVA_AUTH_PROVIDER ?? "local").toLowerCase();
+  switch (choice) {
+    case "local":
+      return LocalAuthProvider.fromEnv(e);
+    case "supabase":
+      return SupabaseAuthProvider.fromEnv(e);
+    case "header":
+      return HeaderAuthProvider.fromEnv(e);
+    default:
+      throw new Error(
+        `Unknown SELVA_AUTH_PROVIDER="${choice}". Expected: local | supabase | header.`
+      );
+  }
+}
+function pickData(e) {
+  const choice = (e.SELVA_DATA_PROVIDER ?? "local").toLowerCase();
+  switch (choice) {
+    case "local":
+      return LocalDataProvider.fromEnv(e);
+    case "supabase":
+      return SupabaseDataProvider.fromEnv(e);
+    default:
+      throw new Error(`Unknown SELVA_DATA_PROVIDER="${choice}". Expected: local | supabase.`);
+  }
+}
+function pickStorage(e) {
+  const choice = (e.SELVA_STORAGE_PROVIDER ?? "local").toLowerCase();
+  switch (choice) {
+    case "local":
+      return LocalStorageProvider.fromEnv(e);
+    case "supabase":
+      return SupabaseStorageProvider.fromEnv(e);
+    default:
+      throw new Error(`Unknown SELVA_STORAGE_PROVIDER="${choice}". Expected: local | supabase.`);
+  }
+}
+function pickSolveMetrics(data) {
+  const candidate = data.solveMetrics;
+  if (candidate && typeof candidate.record === "function") {
+    return candidate;
+  }
+  return void 0;
+}
+function pickTenancy(e) {
+  const choice = (e.SELVA_TENANCY ?? "single").toLowerCase();
+  if (choice !== "single" && choice !== "multi") {
+    throw new Error(`Unknown SELVA_TENANCY="${choice}". Expected: single | multi.`);
+  }
+  return choice;
+}
+const defaultConfig = defineConfig((e) => {
+  const data = pickData(e);
+  return {
+    tenancy: pickTenancy(e),
+    flags: {
+      ALLOW_CROSS_ORG_PUBLIC: envBool(e, "SELVA_FLAG_ALLOW_CROSS_ORG_PUBLIC"),
+      ALLOW_ORG_COMPUTE_OVERRIDE: envBool(e, "SELVA_FLAG_ALLOW_ORG_COMPUTE_OVERRIDE"),
+      ALLOW_ORG_CREATION: envBool(e, "SELVA_FLAG_ALLOW_ORG_CREATION"),
+      ENABLE_PLATFORM_PROJECTS: envBool(e, "SELVA_FLAG_ENABLE_PLATFORM_PROJECTS"),
+      ENABLE_SHARING: envBool(e, "SELVA_FLAG_ENABLE_SHARING")
+    },
+    branding: {
+      name: e.SELVA_BRAND_NAME,
+      copyrightName: e.SELVA_BRAND_COPYRIGHT_NAME,
+      tagline: e.SELVA_BRAND_TAGLINE,
+      description: e.SELVA_BRAND_DESCRIPTION
+    },
+    auth: pickAuth(e),
+    data,
+    storage: pickStorage(e),
+    solveMetrics: pickSolveMetrics(data)
+  };
+});
+async function loadRawConfig() {
+  const override = private_env.SELVA_CONFIG_PATH;
+  if (!override) {
+    return defaultConfig;
+  }
+  const abs = resolve(process.cwd(), override);
+  if (!existsSync(abs)) {
+    throw new Error(`SELVA_CONFIG_PATH=${override} resolved to ${abs} which does not exist.`);
+  }
+  const mod = await import(
+    /* @vite-ignore */
+    pathToFileURL(abs).href
+  );
+  return mod.default;
+}
+const _raw = await loadRawConfig();
+let _providers;
+function resolveProviders() {
+  if (_providers) return _providers;
+  _providers = typeof _raw === "function" ? _raw(private_env) : _raw;
+  console.info(
+    `[selva] providers wired: auth=${_providers.auth.name} data=${_providers.data.constructor.name} storage=${_providers.storage.constructor.name} tenancy=${_providers.tenancy ?? "single"}` + (private_env.SELVA_CONFIG_PATH ? ` config=${private_env.SELVA_CONFIG_PATH}` : "")
+  );
+  return _providers;
+}
+const providers = new Proxy({}, {
+  get(_t, prop) {
+    return Reflect.get(resolveProviders(), prop);
+  }
+});
+function getTenancy() {
+  return resolveProviders().tenancy ?? "single";
+}
+function getBranding() {
+  const brand = resolveProviders().branding ?? {};
+  const name = brand.name?.trim() || "Selva";
+  return {
+    name,
+    copyrightName: brand.copyrightName?.trim() || name,
+    tagline: brand.tagline?.trim() || "Turn Grasshopper definitions into tools anyone can use.",
+    description: brand.description?.trim() || `Build and deploy interactive web applications powered by Grasshopper definitions with ${name}.`
+  };
+}
+function flag(name) {
+  return isFlagEnabled(resolveProviders(), name);
+}
+let _definitionService;
+function getDefinitionService() {
+  if (!_definitionService) {
+    const p = resolveProviders();
+    _definitionService = new DefinitionService(p.data, p.storage);
+  }
+  return _definitionService;
+}
+function getAuthProvider() {
+  return resolveProviders().auth;
+}
+function getStorageProvider() {
+  return resolveProviders().storage;
+}
+function getDataProvider() {
+  return resolveProviders().data;
+}
+function getOrganizationProvider() {
+  return resolveProviders().data.orgs;
+}
+function getProjectProvider() {
+  return resolveProviders().data.projects;
+}
+function getDefinitionMeta() {
+  return resolveProviders().data.definitions;
+}
+function getComputeServerConfigStore() {
+  return resolveProviders().data.computeServer;
+}
+function getUserProfileStore() {
+  return resolveProviders().data.userProfile;
+}
+function getInviteStore() {
+  return resolveProviders().data.invites;
+}
+function getPermissionStore() {
+  return resolveProviders().data.permissions;
+}
+function getPlatformProjectGrantStore() {
+  return resolveProviders().data.platformProjectGrants;
+}
+let _solveMetricSink;
+function getSolveMetricSink() {
+  if (!_solveMetricSink) {
+    _solveMetricSink = resolveProviders().solveMetrics ?? new NoopSolveMetricSink();
+  }
+  return _solveMetricSink;
+}
+function getAuditQuery() {
+  return providers.data.auditQuery ?? null;
+}
+
+export { LocalComputeServerStore as L, MAX_PAGE_LIMIT as M, ProviderError as P, getAuthProvider as a, getBranding as b, getComputeServerConfigStore as c, definitionPaths as d, getDataProvider as e, flag as f, getAuditQuery as g, getDefinitionMeta as h, getDefinitionService as i, getInviteStore as j, getOrganizationProvider as k, getPermissionStore as l, getPlatformProjectGrantStore as m, getProjectProvider as n, getSolveMetricSink as o, getStorageProvider as p, getTenancy as q, getUserProfileStore as r, isOrgServer as s, isPlatformServer as t, providers as u };
+//# sourceMappingURL=providers.server-C3fQ7ZdV.js.map