@sonicjs-cms/core 2.19.0 → 3.0.0-beta.3

package/dist/chunk-2CB4KY7I.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/services/documents.ts","../src/services/rbac.ts"],"names":["DocumentProjection","nanoid"],"mappings":";;;;;AAWA,IAAM,oBAAA,GAAuB,EAAA;AAQtB,SAAS,oBAAoB,EAAA,EAA8C;AAChF,EAAA,OAAO,EAAA,IAAM,IAAA,GAAO,IAAA,GAAO,EAAA,GAAK,GAAA;AAClC;AAEA,SAAS,cAAc,GAAA,EAA4B;AACjD,EAAA,OAAO;AAAA,IACL,IAAI,GAAA,CAAI,EAAA;AAAA,IACR,QAAQ,GAAA,CAAI,OAAA;AAAA,IACZ,QAAQ,GAAA,CAAI,OAAA;AAAA,IACZ,aAAa,GAAA,CAAI,YAAA;AAAA,IACjB,aAAa,GAAA,CAAI,aAAA;AAAA,IACjB,eAAe,GAAA,CAAI,cAAA;AAAA,IACnB,cAAA,EAAgB,IAAI,gBAAA,KAAqB,CAAA;AAAA,IACzC,WAAA,EAAa,IAAI,YAAA,KAAiB,CAAA;AAAA,IAClC,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,cAAc,GAAA,CAAI,cAAA;AAAA,IAClB,MAAM,GAAA,CAAI,IAAA;AAAA,IACV,MAAM,GAAA,CAAI,IAAA;AAAA,IACV,OAAO,GAAA,CAAI,KAAA;AAAA,IACX,MAAM,GAAA,CAAI,IAAA;AAAA,IACV,WAAW,GAAA,CAAI,UAAA;AAAA,IACf,OAAA,EAAS,IAAI,OAAA,KAAY,CAAA;AAAA,IACzB,aAAa,GAAA,CAAI,YAAA;AAAA,IACjB,aAAa,GAAA,CAAI,YAAA;AAAA,IACjB,WAAW,GAAA,CAAI,UAAA;AAAA,IACf,WAAW,GAAA,CAAI,UAAA;AAAA,IACf,UAAU,GAAA,CAAI,SAAA;AAAA,IACd,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,oBAAoB,GAAA,CAAI,oBAAA;AAAA,IACxB,IAAA,EAAM,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,IAAI,CAAA;AAAA,IACzB,QAAA,EAAU,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,QAAQ,CAAA;AAAA,IACjC,SAAS,GAAA,CAAI,QAAA;AAAA,IACb,WAAW,GAAA,CAAI,UAAA;AAAA,IACf,WAAW,GAAA,CAAI,UAAA;AAAA,IACf,WAAW,GAAA,CAAI,UAAA;AAAA,IACf,WAAW,GAAA,CAAI;AAAA,GACjB;AACF;AAYO,IAAM,mBAAN,MAAuB;AAAA,EAK5B,WAAA,CACU,EAAA,EACA,IAAA,GAAgC,EAAC,EACzC;AAFQ,IAAA,IAAA,CAAA,EAAA,GAAA,EAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAER,IAAA,IAAA,CAAK,UAAA,GAAa,IAAIA,oCAAA,CAAmB,EAAE,CAAA;AAC3C,IAAA,IAAA,CAAK,QAAA,GAAW,KAAK,QAAA,IAAY,SAAA;AACjC,IAAA,IAAA,CAAK,UAAA,GAAa,KAAK,UAAA,IAAc,KAAA;AAAA,EACvC;AAAA,EAXQ,UAAA;AAAA,EACA,QAAA;AAAA,EACA,UAAA;AAAA;AAAA,EAaR,MAAM,MAAA,CAAO,KAAA,EAA4B,SAAA,EAAuC;AAG9E,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,KAAKC,wBAAA,EAAO;AAClB,IAAA,MAAM,OAAA,GAAU,MAAM,eAAA,IAAmB,KAAA;AAEzC,IAAA,MAAM,SAAA,GAAY,MAAM,SAAA,IAAa,GAAA;AACrC,IAAA,MAAM,SAAA,GAAY,MAAM,SAAA,IAAa,GAAA;AAErC,IAAA,MAAM,GAAA,GAAgB;AAAA,MACpB,EAAA;AAAA,MACA,MAAA,EAAQ,EAAA;AAAA,MACR,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,WAAA,EAAa,IAAA,CAAK,IAAA,CAAK,iBAAA,IAAqB,CAAA;AAAA,MAC5C,WAAA,EAAa,IAAA;AAAA,MACb,aAAA,EAAe,CAAA;AAAA,MACf,cAAA,EAAgB,IAAA;AAAA,MAChB,WAAA,EAAa,OAAA;AAAA,MACb,MAAA,EAAQ,UAAU,WAAA,GAAc,OAAA;AAAA,MAChC,YAAA,EAAc,MAAM,YAAA,IAAgB,EAAA;AAAA,MACpC,IAAA,EAAM,MAAM,IAAA,IAAQ,IAAA;AAAA,MACpB,IAAA,EAAM,IAAA;AAAA,MACN,KAAA,EAAO,MAAM,KAAA,IAAS,IAAA;AAAA,MACtB,IAAA,EAAM,MAAM,IAAA,IAAQ,IAAA;AAAA,MACpB,SAAA,EAAW,MAAM,SAAA,IAAa,CAAA;AAAA,MAC9B,OAAA,EAAS,MAAM,OAAA,IAAW,IAAA;AAAA,MAC1B,WAAA,EAAa,UAAU,SAAA,GAAY,IAAA;AAAA,MACnC,WAAA,EAAa,MAAM,WAAA,IAAe,IAAA;AAAA,MAClC,SAAA,EAAW,MAAM,SAAA,IAAa,IAAA;AAAA,MAC9B,SAAA,EAAW,IAAA;AAAA;AAAA;AAAA,MAGX,QAAA,EAAU,KAAA,CAAM,QAAA,IAAY,IAAA,CAAK,QAAA;AAAA,MACjC,MAAA,EAAQ,MAAM,MAAA,IAAU,SAAA;AAAA,MACxB,kBAAA,EAAoB,EAAA;AAAA,MACpB,IAAA,EAAM,KAAA,CAAM,IAAA,IAAQ,EAAC;AAAA,MACrB,QAAA,EAAU,KAAA,CAAM,QAAA,IAAY,EAAC;AAAA,MAC7B,OAAA,EAAS,MAAM,OAAA,IAAW,IAAA;AAAA,MAC1B,WAAW,SAAA,IAAa,IAAA;AAAA,MACxB,WAAW,SAAA,IAAa,IAAA;AAAA,MACxB,SAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,SAAA,GAAY,KAAK,EAAA,CAAG,OAAA;AAAA,MACxB,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,2EAAA;AAAA,KAMF,CAAE,IAAA;AAAA,MACA,GAAA,CAAI,EAAA;AAAA,MAAI,GAAA,CAAI,MAAA;AAAA,MAAQ,GAAA,CAAI,MAAA;AAAA,MAAQ,GAAA,CAAI,WAAA;AAAA,MAAa,IAAA;AAAA,MAAM,CAAA;AAAA,MACvD,CAAA;AAAA,MAAG,UAAU,CAAA,GAAI,CAAA;AAAA,MAAG,GAAA,CAAI,MAAA;AAAA,MAAQ,GAAA,CAAI,YAAA;AAAA,MAAc,GAAA,CAAI,IAAA;AAAA,MAAM,IAAA;AAAA,MAAM,GAAA,CAAI,KAAA;AAAA,MAAO,GAAA,CAAI,IAAA;AAAA,MACjF,GAAA,CAAI,SAAA;AAAA,MAAW,GAAA,CAAI,UAAU,CAAA,GAAI,CAAA;AAAA,MAAG,GAAA,CAAI,WAAA;AAAA,MAAa,GAAA,CAAI,WAAA;AAAA,MAAa,GAAA,CAAI,SAAA;AAAA,MAAW,IAAA;AAAA,MACrF,GAAA,CAAI,QAAA;AAAA,MAAU,GAAA,CAAI,MAAA;AAAA,MAAQ,EAAA;AAAA,MAAI,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,IAAI,CAAA;AAAA,MAAG,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,QAAQ,CAAA;AAAA,MACnF,GAAA,CAAI,OAAA;AAAA,MAAS,GAAA,CAAI,SAAA;AAAA,MAAW,GAAA,CAAI,SAAA;AAAA,MAAW,SAAA;AAAA,MAAW;AAAA,KACxD;AAEA,IAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,UAAA,CAAW,4BAAA,CAA6B,GAAA,EAAK,KAAK,IAAA,CAAK,eAAA,IAAmB,EAAC,EAAG,GAAG,CAAA;AAE7G,IAAA,MAAM,KAAK,EAAA,CAAG,KAAA,CAAM,CAAC,SAAA,EAAW,GAAG,cAAc,CAAC,CAAA;AAClD,IAAA,OAAO,GAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,SAAA,CAAU,MAAA,EAAgB,KAAA,EAA4B,SAAA,EAAuC;AACjG,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,QAAQA,wBAAA,EAAO;AAIrB,IAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAK,EAAA,CAC7B,OAAA,CAAQ,sFAAsF,CAAA,CAC9F,IAAA,CAAK,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAC1B,KAAA,EAAmB;AAEtB,IAAA,IAAI,CAAC,YAAA,EAAc,MAAM,IAAI,KAAA,CAAM,CAAA,gCAAA,EAAmC,MAAM,CAAA,CAAE,CAAA;AAE9E,IAAA,MAAM,SAAA,GAAY,cAAc,YAAY,CAAA;AAE5C,IAAA,MAAM,UAAA,GAAa,EAAE,GAAG,SAAA,CAAU,MAAM,GAAI,KAAA,CAAM,IAAA,IAAQ,EAAC,EAAG;AAC9D,IAAA,MAAM,UAAA,GAAa,EAAE,GAAG,SAAA,CAAU,UAAU,GAAI,KAAA,CAAM,QAAA,IAAY,EAAC,EAAG;AAEtE,IAAA,MAAM,MAAA,GAAmB;AAAA,MACvB,GAAG,SAAA;AAAA,MACH,EAAA,EAAI,KAAA;AAAA,MACJ,MAAA;AAAA,MACA,WAAA,EAAa,IAAA,CAAK,IAAA,CAAK,iBAAA,IAAqB,SAAA,CAAU,WAAA;AAAA,MACtD,aAAa,SAAA,CAAU,EAAA;AAAA,MACvB,aAAA,EAAe,CAAA;AAAA;AAAA,MACf,cAAA,EAAgB,IAAA;AAAA,MAChB,WAAA,EAAa,KAAA;AAAA,MACb,MAAA,EAAQ,OAAA;AAAA,MACR,MAAM,KAAA,CAAM,IAAA,KAAS,SAAY,KAAA,CAAM,IAAA,IAAQ,OAAO,SAAA,CAAU,IAAA;AAAA,MAChE,OAAO,KAAA,CAAM,KAAA,KAAU,SAAY,KAAA,CAAM,KAAA,IAAS,OAAO,SAAA,CAAU,KAAA;AAAA,MACnE,MAAM,KAAA,CAAM,IAAA,KAAS,SAAY,KAAA,CAAM,IAAA,IAAQ,OAAO,SAAA,CAAU,IAAA;AAAA,MAChE,SAAA,EAAW,KAAA,CAAM,SAAA,IAAa,SAAA,CAAU,SAAA;AAAA,MACxC,OAAA,EAAS,KAAA,CAAM,OAAA,IAAW,SAAA,CAAU,OAAA;AAAA,MACpC,aAAa,KAAA,CAAM,WAAA,KAAgB,MAAA,GAAY,KAAA,CAAM,cAAc,SAAA,CAAU,WAAA;AAAA,MAC7E,WAAW,KAAA,CAAM,SAAA,KAAc,MAAA,GAAY,KAAA,CAAM,YAAY,SAAA,CAAU,SAAA;AAAA,MACvE,IAAA,EAAM,UAAA;AAAA,MACN,QAAA,EAAU,UAAA;AAAA,MACV,SAAA,EAAW,aAAa,SAAA,CAAU,SAAA;AAAA,MAClC,SAAA,EAAW,GAAA;AAAA,MACX,SAAA,EAAW;AAAA,KACb;AAEA,IAAA,MAAM,eAAA,GAAkB,aAAa,YAAA,KAAiB,CAAA;AAItD,IAAA,IAAI,CAAC,IAAA,CAAK,UAAA,IAAc,CAAC,eAAA,EAAiB;AACxC,MAAA,OAAO,IAAA,CAAK,aAAA,CAAc,SAAA,EAAW,KAAA,EAAO,KAAK,SAAS,CAAA;AAAA,IAC5D;AAEA,IAAA,MAAM,UAAA,GAAoC;AAAA;AAAA,MAExC,IAAA,CAAK,EAAA,CAAG,OAAA,CAAQ,0FAA0F,CAAA,CACvG,KAAK,GAAA,EAAK,SAAA,CAAU,EAAA,EAAI,IAAA,CAAK,QAAQ,CAAA;AAAA;AAAA,MAGxC,GAAI,CAAC,eAAA,GAAkB,IAAA,CAAK,WAAW,4BAAA,CAA6B,SAAA,CAAU,EAAE,CAAA,GAAI,EAAC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOrF,KAAK,EAAA,CAAG,OAAA;AAAA,QACN,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kBAAA;AAAA,OASF,CAAE,IAAA;AAAA,QACA,KAAA;AAAA,QAAO,MAAA;AAAA,QAAQ,MAAA,CAAO,MAAA;AAAA,QAAQ,MAAA,CAAO,WAAA;AAAA,QAAa,SAAA,CAAU,EAAA;AAAA,QAC5D,MAAA;AAAA,QACA,MAAA,CAAO,YAAA;AAAA,QAAc,MAAA,CAAO,IAAA;AAAA,QAAM,IAAA;AAAA,QAAM,MAAA,CAAO,KAAA;AAAA,QAAO,MAAA,CAAO,IAAA;AAAA,QAC7D,MAAA,CAAO,SAAA;AAAA,QAAW,MAAA,CAAO,UAAU,CAAA,GAAI,CAAA;AAAA,QAAG,IAAA;AAAA,QAAM,MAAA,CAAO,WAAA;AAAA,QAAa,MAAA,CAAO,SAAA;AAAA,QAAW,IAAA;AAAA,QACtF,MAAA,CAAO,QAAA;AAAA,QAAU,MAAA,CAAO,MAAA;AAAA,QAAQ,MAAA,CAAO,kBAAA;AAAA,QACvC,IAAA,CAAK,SAAA,CAAU,MAAA,CAAO,IAAI,CAAA;AAAA,QAAG,IAAA,CAAK,SAAA,CAAU,MAAA,CAAO,QAAQ,CAAA;AAAA,QAC3D,MAAA,CAAO,OAAA;AAAA,QAAS,MAAA,CAAO,SAAA;AAAA,QAAW,MAAA,CAAO,SAAA;AAAA,QAAW,GAAA;AAAA,QAAK;AAAA,OAC3D;AAAA;AAAA,MAGA,GAAG,IAAA,CAAK,UAAA,CAAW,4BAAA,CAA6B,MAAA,EAAQ,KAAK,IAAA,CAAK,eAAA,IAAmB,EAAC,EAAG,GAAG;AAAA,KAC9F;AAIA,IAAA,MAAM,WAAA,GAAc,IAAA,CAAK,IAAA,CAAK,kBAAA,IAAsB,oBAAA;AACpD,IAAA,UAAA,CAAW,IAAA;AAAA,MACT,KAAK,EAAA,CAAG,OAAA;AAAA,QACN,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,8HAAA;AAAA,OAMF,CAAE,IAAA,CAAK,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,WAAA,EAAa,MAAA,EAAQ,IAAA,CAAK,QAAQ;AAAA,KACzF;AAEA,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,KAAA,CAAM,UAAU,CAAA;AAG9B,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,EAAA,CACtB,OAAA,CAAQ,sCAAsC,CAAA,CAC9C,IAAA,CAAK,KAAK,CAAA,CACV,KAAA,EAAmB;AACtB,IAAA,OAAO,cAAc,KAAM,CAAA;AAAA,EAC7B;AAAA;AAAA;AAAA,EAIA,MAAc,aAAA,CACZ,SAAA,EACA,KAAA,EACA,KACA,SAAA,EACmB;AACnB,IAAA,MAAM,UAAA,GAAa,EAAE,GAAG,SAAA,CAAU,MAAM,GAAI,KAAA,CAAM,IAAA,IAAQ,EAAC,EAAG;AAC9D,IAAA,MAAM,UAAA,GAAa,EAAE,GAAG,SAAA,CAAU,UAAU,GAAI,KAAA,CAAM,QAAA,IAAY,EAAC,EAAG;AAEtE,IAAA,MAAM,OAAA,GAAoB;AAAA,MACxB,GAAG,SAAA;AAAA,MACH,MAAM,KAAA,CAAM,IAAA,KAAS,SAAY,KAAA,CAAM,IAAA,IAAQ,OAAO,SAAA,CAAU,IAAA;AAAA,MAChE,OAAO,KAAA,CAAM,KAAA,KAAU,SAAY,KAAA,CAAM,KAAA,IAAS,OAAO,SAAA,CAAU,KAAA;AAAA,MACnE,MAAM,KAAA,CAAM,IAAA,KAAS,SAAY,KAAA,CAAM,IAAA,IAAQ,OAAO,SAAA,CAAU,IAAA;AAAA,MAChE,SAAA,EAAW,KAAA,CAAM,SAAA,IAAa,SAAA,CAAU,SAAA;AAAA,MACxC,OAAA,EAAS,KAAA,CAAM,OAAA,IAAW,SAAA,CAAU,OAAA;AAAA,MACpC,aAAa,KAAA,CAAM,WAAA,KAAgB,MAAA,GAAY,KAAA,CAAM,cAAc,SAAA,CAAU,WAAA;AAAA,MAC7E,WAAW,KAAA,CAAM,SAAA,KAAc,MAAA,GAAY,KAAA,CAAM,YAAY,SAAA,CAAU,SAAA;AAAA,MACvE,IAAA,EAAM,UAAA;AAAA,MACN,QAAA,EAAU,UAAA;AAAA,MACV,SAAA,EAAW,aAAa,SAAA,CAAU,SAAA;AAAA,MAClC,SAAA,EAAW;AAAA,KACb;AAEA,IAAA,MAAM,UAAA,GAAoC;AAAA;AAAA,MAExC,KAAK,EAAA,CAAG,OAAA;AAAA,QACN,CAAA;AAAA;AAAA;AAAA,uCAAA;AAAA,OAIF,CAAE,IAAA;AAAA,QACA,OAAA,CAAQ,IAAA;AAAA,QAAM,OAAA,CAAQ,KAAA;AAAA,QAAO,OAAA,CAAQ,IAAA;AAAA,QAAM,OAAA,CAAQ,SAAA;AAAA,QAAW,OAAA,CAAQ,UAAU,CAAA,GAAI,CAAA;AAAA,QACpF,OAAA,CAAQ,WAAA;AAAA,QAAa,OAAA,CAAQ,SAAA;AAAA,QAAW,IAAA,CAAK,SAAA,CAAU,OAAA,CAAQ,IAAI,CAAA;AAAA,QAAG,IAAA,CAAK,SAAA,CAAU,OAAA,CAAQ,QAAQ,CAAA;AAAA,QACrG,OAAA,CAAQ,SAAA;AAAA,QAAW,GAAA;AAAA,QACnB,OAAA,CAAQ,EAAA;AAAA,QAAI,IAAA,CAAK;AAAA,OACnB;AAAA;AAAA,MAEA,GAAG,IAAA,CAAK,UAAA,CAAW,4BAAA,CAA6B,QAAQ,EAAE,CAAA;AAAA,MAC1D,GAAG,IAAA,CAAK,UAAA,CAAW,4BAAA,CAA6B,OAAA,EAAS,KAAK,IAAA,CAAK,eAAA,IAAmB,EAAC,EAAG,GAAG;AAAA,KAC/F;AAEA,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,KAAA,CAAM,UAAU,CAAA;AAE9B,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,EAAA,CAAG,OAAA,CAAQ,sCAAsC,CAAA,CAAE,IAAA,CAAK,OAAA,CAAQ,EAAE,CAAA,CAAE,KAAA,EAAmB;AAChH,IAAA,OAAO,cAAc,KAAM,CAAA;AAAA,EAC7B;AAAA;AAAA,EAIA,MAAM,OAAA,CAAQ,UAAA,EAAoB,WAAA,EAAyC;AACzE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AAExC,IAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,EAAA,CAC1B,OAAA,CAAQ,wDAAwD,CAAA,CAChE,IAAA,CAAK,UAAA,EAAY,IAAA,CAAK,QAAQ,CAAA,CAC9B,KAAA,EAAmB;AAEtB,IAAA,IAAI,CAAC,SAAA,EAAW,MAAM,IAAI,KAAA,CAAM,CAAA,SAAA,EAAY,UAAU,CAAA,UAAA,CAAY,CAAA;AAElE,IAAA,MAAM,gBAAA,GAAmB,MAAM,IAAA,CAAK,EAAA,CACjC,QAAQ,8FAA8F,CAAA,CACtG,IAAA,CAAK,SAAA,CAAU,OAAA,EAAS,IAAA,CAAK,QAAA,EAAU,UAAU,EACjD,KAAA,EAAmB;AAEtB,IAAA,MAAM,aAAoC,EAAC;AAE3C,IAAA,IAAI,gBAAA,EAAkB;AACpB,MAAA,IAAI,CAAC,IAAA,CAAK,UAAA,IAAc,gBAAA,CAAiB,qBAAqB,CAAA,EAAG;AAK/D,QAAA,UAAA,CAAW,IAAA,CAAK,IAAA,CAAK,EAAA,CAAG,OAAA,CAAQ,qFAAqF,CAAA,CAClH,IAAA,CAAK,gBAAA,CAAiB,EAAA,EAAI,IAAA,CAAK,QAAQ,CAAC,CAAA;AAC3C,QAAA,UAAA,CAAW,KAAK,GAAG,IAAA,CAAK,WAAW,4BAAA,CAA6B,gBAAA,CAAiB,EAAE,CAAC,CAAA;AACpF,QAAA,UAAA,CAAW,IAAA,CAAK,IAAA,CAAK,EAAA,CAAG,OAAA,CAAQ,sDAAsD,CAAA,CACnF,IAAA,CAAK,gBAAA,CAAiB,EAAA,EAAI,IAAA,CAAK,QAAQ,CAAC,CAAA;AAAA,MAC7C,CAAA,MAAO;AAEL,QAAA,UAAA,CAAW,IAAA;AAAA,UACT,IAAA,CAAK,GAAG,OAAA,CAAQ,oEAAoE,EACjF,IAAA,CAAK,GAAA,EAAK,iBAAiB,EAAE;AAAA,SAClC;AACA,QAAA,IAAI,gBAAA,CAAiB,qBAAqB,CAAA,EAAG;AAC3C,UAAA,UAAA,CAAW,KAAK,GAAG,IAAA,CAAK,WAAW,4BAAA,CAA6B,gBAAA,CAAiB,EAAE,CAAC,CAAA;AAAA,QACtF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,UAAA,CAAW,IAAA;AAAA,MACT,KAAK,EAAA,CAAG,OAAA;AAAA,QACN,CAAA,0HAAA;AAAA,QACA,IAAA,CAAK,GAAA,EAAK,GAAA,EAAK,WAAA,IAAe,MAAM,UAAU;AAAA,KAClD;AAGA,IAAA,IAAI,SAAA,CAAU,qBAAqB,CAAA,EAAG;AACpC,MAAA,MAAM,SAAA,GAAY,cAAc,SAAS,CAAA;AACzC,MAAA,UAAA,CAAW,IAAA,CAAK,GAAG,IAAA,CAAK,UAAA,CAAW,4BAAA,CAA6B,SAAA,EAAW,IAAA,CAAK,IAAA,CAAK,eAAA,IAAmB,EAAC,EAAG,GAAG,CAAC,CAAA;AAAA,IAClH;AAEA,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,KAAA,CAAM,UAAU,CAAA;AAE9B,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,EAAA,CAAG,OAAA,CAAQ,sCAAsC,CAAA,CAAE,IAAA,CAAK,UAAU,CAAA,CAAE,KAAA,EAAmB;AAChH,IAAA,OAAO,cAAc,KAAM,CAAA;AAAA,EAC7B;AAAA;AAAA,EAIA,MAAM,UAAU,UAAA,EAAuC;AACrD,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AAExC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,EAAA,CACpB,OAAA,CAAQ,wDAAwD,CAAA,CAChE,IAAA,CAAK,UAAA,EAAY,IAAA,CAAK,QAAQ,CAAA,CAC9B,KAAA,EAAmB;AAEtB,IAAA,IAAI,CAAC,GAAA,EAAK,MAAM,IAAI,KAAA,CAAM,CAAA,SAAA,EAAY,UAAU,CAAA,UAAA,CAAY,CAAA;AAC5D,IAAA,IAAI,CAAC,IAAI,YAAA,EAAc,MAAM,IAAI,KAAA,CAAM,CAAA,SAAA,EAAY,UAAU,CAAA,iBAAA,CAAmB,CAAA;AAEhF,IAAA,MAAM,UAAA,GAAoC;AAAA,MACxC,KAAK,EAAA,CAAG,OAAA,CAAQ,sFAAsF,CAAA,CACnG,IAAA,CAAK,KAAK,UAAU;AAAA,KACzB;AAGA,IAAA,IAAI,GAAA,CAAI,qBAAqB,CAAA,EAAG;AAC9B,MAAA,UAAA,CAAW,KAAK,GAAG,IAAA,CAAK,UAAA,CAAW,4BAAA,CAA6B,UAAU,CAAC,CAAA;AAAA,IAC7E;AAEA,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,KAAA,CAAM,UAAU,CAAA;AAE9B,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,EAAA,CAAG,OAAA,CAAQ,sCAAsC,CAAA,CAAE,IAAA,CAAK,UAAU,CAAA,CAAE,KAAA,EAAmB;AAChH,IAAA,OAAO,cAAc,KAAM,CAAA;AAAA,EAC7B;AAAA;AAAA,EAIA,MAAM,WAAW,UAAA,EAAmC;AAClD,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,IAAA,CAAK,EAAA,CACR,OAAA,CAAQ,oFAAoF,CAAA,CAC5F,IAAA,CAAK,GAAA,EAAK,GAAA,EAAK,UAAA,EAAY,IAAA,CAAK,QAAQ,CAAA,CACxC,GAAA,EAAI;AAAA,EACT;AAAA;AAAA;AAAA,EAKA,MAAM,KAAA,CAAM,MAAA,EAAgB,QAAA,EAAiC;AAE3D,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,EAAA,CACvB,OAAA,CAAQ,8DAA8D,CAAA,CACtE,IAAA,CAAK,MAAA,EAAQ,QAAQ,CAAA,CACrB,GAAA,EAAoB;AAEvB,IAAA,MAAM,MAAA,GAAA,CAAU,OAAO,OAAA,IAAW,IAAI,GAAA,CAAI,CAAA,CAAA,KAAK,EAAE,EAAE,CAAA;AACnD,IAAA,IAAI,MAAA,CAAO,WAAW,CAAA,EAAG;AAEzB,IAAA,MAAM,aAAoC,EAAC;AAG3C,IAAA,KAAA,MAAW,MAAM,MAAA,EAAQ;AACvB,MAAA,UAAA,CAAW,IAAA,CAAK,KAAK,EAAA,CAAG,OAAA,CAAQ,mDAAmD,CAAA,CAAE,IAAA,CAAK,EAAE,CAAC,CAAA;AAC7F,MAAA,UAAA,CAAW,IAAA,CAAK,KAAK,EAAA,CAAG,OAAA,CAAQ,4DAA4D,CAAA,CAAE,IAAA,CAAK,EAAE,CAAC,CAAA;AAAA,IACxG;AAEA,IAAA,UAAA,CAAW,IAAA,CAAK,KAAK,EAAA,CAAG,OAAA,CAAQ,sEAAsE,CAAA,CAAE,IAAA,CAAK,MAAA,EAAQ,QAAQ,CAAC,CAAA;AAG9H,IAAA,KAAA,MAAW,MAAM,MAAA,EAAQ;AACvB,MAAA,UAAA,CAAW,IAAA,CAAK,KAAK,EAAA,CAAG,OAAA,CAAQ,oCAAoC,CAAA,CAAE,IAAA,CAAK,EAAE,CAAC,CAAA;AAAA,IAChF;AAEA,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,KAAA,CAAM,UAAU,CAAA;AAAA,EAChC;AACF;;;ACxYA,IAAM,MAAA,GAAS,SAAA;AACf,IAAM,MAAA,GAAS,WAAA;AACf,IAAM,MAAA,GAAS,WAAA;AACf,IAAM,YAAA,GAAe,iBAAA;AAErB,IAAM,gBAAA,GAAmC;AAAA,EACvC,EAAE,GAAA,EAAK,GAAA,EAAK,KAAA,EAAO,eAAA,EAAiB,OAAO,QAAA,EAAS;AAAA,EACpD,EAAE,GAAA,EAAK,QAAA,EAAU,KAAA,EAAO,cAAA,EAAgB,OAAO,QAAA,EAAS;AAAA,EACxD,EAAE,GAAA,EAAK,WAAA,EAAa,KAAA,EAAO,WAAA,EAAa,OAAO,QAAA,EAAS;AAAA,EACxD,EAAE,GAAA,EAAK,MAAA,EAAQ,KAAA,EAAO,qBAAA,EAAuB,OAAO,QAAA,EAAS;AAAA,EAC7D,EAAE,GAAA,EAAK,WAAA,EAAa,KAAA,EAAO,WAAA,EAAa,OAAO,QAAA,EAAkB;AAAA,EACjE,EAAE,GAAA,EAAK,gBAAA,EAAkB,KAAA,EAAO,gBAAA,EAAkB,OAAO,QAAA,EAAkB;AAAA,EAC3E,EAAE,GAAA,EAAK,OAAA,EAAS,KAAA,EAAO,kBAAA,EAAoB,OAAO,QAAA,EAAS;AAAA,EAC3D,EAAE,GAAA,EAAK,OAAA,EAAS,KAAA,EAAO,OAAA,EAAS,OAAO,QAAA,EAAS;AAAA,EAChD,EAAE,GAAA,EAAK,UAAA,EAAY,KAAA,EAAO,UAAA,EAAY,OAAO,QAAA,EAAS;AAAA,EACtD,EAAE,GAAA,EAAK,MAAA,EAAQ,KAAA,EAAO,MAAA,EAAQ,OAAO,QAAA;AACvC,CAAA;AAEO,IAAM,WAAA,GAAN,MAAM,YAAA,CAAY;AAAA,EAUvB,WAAA,CAAoB,IAAwB,EAAA,EAAkB;AAA1C,IAAA,IAAA,CAAA,EAAA,GAAA,EAAA;AAAwB,IAAA,IAAA,CAAA,EAAA,GAAA,EAAA;AAAA,EAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAJ/D,OAAwB,sBAAA,GAAyB,CAAC,OAAA,EAAS,QAAQ,CAAA;AAAA,EAE3D,KAAA;AAAA;AAAA,EAMA,IAAA,GAAyB;AAC/B,IAAA,IAAI,CAAC,KAAK,KAAA,EAAO;AACf,MAAA,IAAA,CAAK,KAAA,GAAQ,IAAI,gBAAA,CAAiB,IAAA,CAAK,EAAA,EAAI,EAAE,QAAA,EAAU,MAAA,EAAQ,kBAAA,EAAoB,CAAA,EAAG,eAAA,EAAiB,IAAI,CAAA;AAAA,IAC7G;AACA,IAAA,OAAO,IAAA,CAAK,KAAA;AAAA,EACd;AAAA,EAEQ,MAAS,GAAA,EAAoE;AACnF,IAAA,IAAI,IAAA;AACJ,IAAA,IAAI;AAAE,MAAA,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,IAAI,CAAA;AAAA,IAAO,CAAA,CAAA,MAAQ;AAAE,MAAA,IAAA,GAAO,EAAC;AAAA,IAAO;AAChE,IAAA,OAAO,EAAE,EAAA,EAAI,GAAA,CAAI,EAAA,EAAI,MAAA,EAAQ,GAAA,CAAI,OAAA,EAAS,IAAA,EAAM,GAAA,CAAI,IAAA,IAAQ,EAAA,EAAI,IAAA,EAAK;AAAA,EACvE;AAAA,EAEA,MAAc,SAAY,MAAA,EAAuF;AAC/G,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,EAAA,CACpB,OAAA;AAAA,MACC,CAAA;AAAA,4FAAA;AAAA,KAEF,CACC,IAAA,CAAK,MAAA,EAAQ,MAAM,EACnB,GAAA,EAAY;AACf,IAAA,OAAA,CAAQ,GAAA,CAAI,OAAA,IAAW,EAAC,EAAG,GAAA,CAAI,CAAC,CAAA,KAAM,IAAA,CAAK,KAAA,CAAS,CAAC,CAAC,CAAA;AAAA,EACxD;AAAA,EAEA,MAAc,MAAA,CAAU,MAAA,EAAgB,IAAA,EAAuE;AAC7G,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,EAAA,CACpB,OAAA;AAAA,MACC,CAAA;AAAA,yGAAA;AAAA,MAGD,IAAA,CAAK,MAAA,EAAQ,MAAA,EAAQ,IAAI,EACzB,KAAA,EAAc;AACjB,IAAA,OAAO,GAAA,GAAM,IAAA,CAAK,KAAA,CAAS,GAAG,CAAA,GAAI,IAAA;AAAA,EACpC;AAAA,EAEA,MAAc,SAAA,CAAU,MAAA,EAAgB,IAAA,EAAc,MAAe,KAAA,EAAqC;AACxG,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,EAAA,CACzB,OAAA;AAAA,MACC,CAAA;AAAA,yGAAA;AAAA,MAGD,IAAA,CAAK,MAAA,EAAQ,MAAA,EAAQ,IAAI,EACzB,KAAA,EAA2B;AAC9B,IAAA,MAAM,OAAA,GAAU,IAAA;AAChB,IAAA,IAAI,UAAU,OAAA,EAAS;AACrB,MAAA,MAAM,IAAA,CAAK,IAAA,EAAK,CAAE,SAAA,CAAU,QAAA,CAAS,SAAS,EAAE,IAAA,EAAM,OAAA,EAAS,KAAA,EAAO,CAAA;AAAA,IACxE,CAAA,MAAO;AACL,MAAA,MAAM,IAAA,CAAK,IAAA,EAAK,CAAE,MAAA,CAAO;AAAA,QACvB,MAAA;AAAA,QACA,QAAA,EAAU,MAAA;AAAA,QACV,MAAA,EAAQ,SAAA;AAAA,QACR,YAAA,EAAc,EAAA;AAAA,QACd,IAAA;AAAA,QACA,KAAA;AAAA,QACA,SAAA,EAAW,CAAA;AAAA,QACX,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM,OAAA;AAAA,QACN,UAAU,EAAC;AAAA,QACX,OAAA,EAAS,IAAA;AAAA,QACT,eAAA,EAAiB;AAAA,OAClB,CAAA;AAAA,IACH;AAAA,EACF;AAAA,EAEA,MAAc,SAAA,CAAU,MAAA,EAAgB,IAAA,EAA6B;AACnE,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,MAAA,CAAO,QAAQ,IAAI,CAAA;AAC1C,IAAA,IAAI,KAAK,MAAM,IAAA,CAAK,MAAK,CAAE,UAAA,CAAW,IAAI,EAAE,CAAA;AAAA,EAC9C;AAAA,EAEQ,UAAU,CAAA,EAA+C;AAC/D,IAAA,OAAO;AAAA,MACL,IAAI,CAAA,CAAE,IAAA;AAAA,MACN,IAAA,EAAM,EAAE,IAAA,CAAK,IAAA;AAAA,MACb,YAAA,EAAc,EAAE,IAAA,CAAK,WAAA;AAAA,MACrB,WAAA,EAAa,CAAA,CAAE,IAAA,CAAK,WAAA,IAAe,IAAA;AAAA,MACnC,SAAA,EAAW,CAAA,CAAE,IAAA,CAAK,QAAA,GAAW,CAAA,GAAI;AAAA,KACnC;AAAA,EACF;AAAA;AAAA,EAIA,MAAM,QAAA,GAAgC;AACpC,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,QAAA,CAAmB,MAAM,CAAA;AACjD,IAAA,OAAO,IAAA,CACJ,IAAI,CAAC,CAAA,KAAM,KAAK,SAAA,CAAU,CAAC,CAAC,CAAA,CAC5B,IAAA,CAAK,CAAC,GAAG,CAAA,KAAM,CAAA,CAAE,YAAY,CAAA,CAAE,SAAA,IAAa,EAAE,IAAA,CAAK,aAAA,CAAc,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC7E;AAAA,EAEA,MAAM,QAAA,GAAgC;AACpC,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,QAAA,CAAmB,MAAM,CAAA;AACjD,IAAA,OAAO,IAAA,CACJ,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MACX,IAAI,CAAA,CAAE,IAAA;AAAA,MACN,IAAA,EAAM,EAAE,IAAA,CAAK,IAAA;AAAA,MACb,WAAA,EAAa,CAAA,CAAE,IAAA,CAAK,WAAA,IAAe,IAAA;AAAA,MACnC,SAAA,EAAW,CAAA,CAAE,IAAA,CAAK,QAAA,GAAW,CAAA,GAAI,CAAA;AAAA,MACjC,UAAA,EAAY,CAAA,CAAE,IAAA,CAAK,SAAA,IAAa;AAAA,KAClC,CAAE,CAAA,CACD,IAAA,CAAK,CAAC,GAAG,CAAA,KAAM,CAAA,CAAE,UAAA,GAAa,CAAA,CAAE,cAAc,CAAA,CAAE,IAAA,CAAK,aAAA,CAAc,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/E;AAAA;AAAA,EAGA,MAAM,YAAA,GAAwC;AAC5C,IAAA,MAAM,KAAA,GAAA,CACJ,MAAM,IAAA,CAAK,EAAA,CACR,QAAQ,iFAAiF,CAAA,CACzF,KAA4C,EAC/C,OAAA;AACF,IAAA,MAAM,qBAAA,GAAwC;AAAA,MAC5C,EAAE,GAAA,EAAK,iBAAA,EAAmB,KAAA,EAAO,oBAAA,EAAsB,OAAO,eAAA,EAAgB;AAAA,MAC9E,GAAG,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,QACnB,GAAA,EAAK,CAAA,cAAA,EAAiB,CAAA,CAAE,IAAI,CAAA,CAAA;AAAA,QAC5B,KAAA,EAAO,CAAA,CAAE,YAAA,IAAgB,CAAA,CAAE,IAAA;AAAA,QAC3B,KAAA,EAAO;AAAA,OACT,CAAE;AAAA,KACJ;AACA,IAAA,OAAO,CAAC,GAAG,gBAAA,EAAkB,GAAG,qBAAqB,CAAA;AAAA,EACvD;AAAA,EAEA,MAAM,SAAA,GAA8B;AAClC,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAmB,MAAM,CAAA;AAClD,IAAA,MAAM,MAAe,EAAC;AACtB,IAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,MAAA,KAAA,MAAW,CAAA,IAAK,CAAA,CAAE,IAAA,CAAK,MAAA,IAAU,EAAC,EAAG;AACnC,QAAA,GAAA,CAAI,KAAK,EAAE,OAAA,EAAS,CAAA,CAAE,IAAA,EAAM,UAAU,CAAA,CAAE,QAAA,EAAU,IAAA,EAAM,CAAA,CAAE,MAAM,KAAA,EAAO,CAAA,CAAE,UAAU,KAAA,GAAQ,KAAA,GAAQ,OAAO,CAAA;AAAA,MAC5G;AAAA,IACF;AACA,IAAA,OAAO,GAAA;AAAA,EACT;AAAA,EAEA,MAAM,gBAAgB,MAAA,EAAqC;AACzD,IAAA,MAAM,EAAA,GAAK,MAAM,IAAA,CAAK,MAAA,CAAsB,cAAc,MAAM,CAAA;AAChE,IAAA,MAAM,UAAU,IAAI,GAAA,CAAI,IAAI,IAAA,CAAK,OAAA,IAAW,EAAE,CAAA;AAC9C,IAAA,IAAI,OAAA,CAAQ,IAAA,KAAS,CAAA,EAAG,OAAO,EAAC;AAChC,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAmB,MAAM,CAAA;AAClD,IAAA,OAAO,MAAM,MAAA,CAAO,CAAC,CAAA,KAAM,OAAA,CAAQ,IAAI,CAAA,CAAE,IAAI,CAAC,CAAA,CAAE,IAAI,CAAC,CAAA,KAAM,IAAA,CAAK,SAAA,CAAU,CAAC,CAAC,CAAA;AAAA,EAC9E;AAAA;AAAA,EAGA,MAAc,iBAAiB,OAAA,EAA+F;AAC5H,IAAA,IAAI,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG,OAAO,EAAC;AAClC,IAAA,MAAM,IAAA,GAAO,IAAI,GAAA,CAAI,OAAO,CAAA;AAC5B,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAmB,MAAM,CAAA;AAClD,IAAA,MAAM,MAAyE,EAAC;AAChF,IAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,MAAA,IAAI,CAAC,IAAA,CAAK,GAAA,CAAI,CAAA,CAAE,IAAI,CAAA,EAAG;AACvB,MAAA,KAAA,MAAW,CAAA,IAAK,CAAA,CAAE,IAAA,CAAK,MAAA,IAAU,EAAC,EAAG;AACnC,QAAA,GAAA,CAAI,IAAA,CAAK,EAAE,QAAA,EAAU,CAAA,CAAE,UAAU,IAAA,EAAM,CAAA,CAAE,IAAA,EAAM,KAAA,EAAO,CAAA,CAAE,KAAA,KAAU,KAAA,GAAQ,KAAA,GAAQ,OAAO,CAAA;AAAA,MAC3F;AAAA,IACF;AACA,IAAA,OAAO,GAAA;AAAA,EACT;AAAA;AAAA,EAGQ,YAAA,CAAa,CAAA,EAAuC,QAAA,EAAkB,IAAA,EAAuB;AACnG,IAAA,MAAM,UAAA,GACJ,CAAA,CAAE,QAAA,KAAa,GAAA,IACf,CAAA,CAAE,QAAA,KAAa,QAAA,IACd,CAAA,CAAE,QAAA,KAAa,iBAAA,IAAqB,QAAA,CAAS,UAAA,CAAW,gBAAgB,CAAA;AAC3E,IAAA,IAAI,CAAC,YAAY,OAAO,KAAA;AACxB,IAAA,OAAO,EAAE,IAAA,KAAS,GAAA,IAAO,EAAE,IAAA,KAAS,IAAA,IAAQ,EAAE,IAAA,KAAS,QAAA;AAAA,EACzD;AAAA,EAEQ,eAAe,MAAA,EAA4C;AACjE,IAAA,IAAI,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,EAAG,OAAO,KAAA;AACnC,IAAA,IAAI,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,EAAG,OAAO,KAAA;AACnC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA,EAGA,MAAM,GAAA,CAAI,MAAA,EAAgB,QAAA,EAAkB,IAAA,EAAgC;AAC1E,IAAA,OAAQ,MAAM,IAAA,CAAK,kBAAA,CAAmB,MAAA,EAAQ,QAAA,EAAU,IAAI,CAAA,KAAO,MAAA;AAAA,EACrE;AAAA;AAAA,EAGA,MAAM,kBAAA,CAAmB,MAAA,EAAgB,QAAA,EAAkB,IAAA,EAAwC;AACjG,IAAA,MAAM,EAAA,GAAK,MAAM,IAAA,CAAK,MAAA,CAAsB,cAAc,MAAM,CAAA;AAChE,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,gBAAA,CAAiB,IAAI,IAAA,CAAK,OAAA,IAAW,EAAE,CAAA;AACjE,IAAA,OAAO,IAAA,CAAK,cAAA;AAAA,MACV,OAAO,MAAA,CAAO,CAAC,MAAM,IAAA,CAAK,YAAA,CAAa,GAAG,QAAA,EAAU,IAAI,CAAC,CAAA,CAAE,IAAI,CAAC,CAAA,KAAO,EAAE,KAAA,KAAU,KAAA,GAAQ,QAAQ,KAAM;AAAA,KAC3G;AAAA,EACF;AAAA;AAAA,EAGA,MAAM,mBAAmB,MAAA,EAAmC;AAC1D,IAAA,IAAI,KAAK,EAAA,EAAI;AACX,MAAA,MAAM,SAAS,MAAM,IAAA,CAAK,GAAG,GAAA,CAAI,CAAA,WAAA,EAAc,MAAM,CAAA,CAAE,CAAA;AACvD,MAAA,IAAI,MAAA,KAAW,IAAA,EAAM,OAAO,IAAA,CAAK,MAAM,MAAM,CAAA;AAAA,IAC/C;AACA,IAAA,MAAM,EAAA,GAAK,MAAM,IAAA,CAAK,MAAA,CAAsB,cAAc,MAAM,CAAA;AAChE,IAAA,MAAM,OAAA,GAAU,EAAA,EAAI,IAAA,CAAK,OAAA,IAAW,EAAC;AACrC,IAAA,IAAI,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG,OAAO,EAAC;AAClC,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,gBAAA,CAAiB,OAAO,CAAA;AAClD,IAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,YAAA,EAAa;AAC1C,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,EAAS;AAClC,IAAA,MAAM,GAAA,uBAAU,GAAA,EAAY;AAC5B,IAAA,KAAA,MAAW,KAAK,SAAA,EAAW;AACzB,MAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,QAAA,IAAI,MAAA,CAAO,KAAK,CAAC,CAAA,KAAM,KAAK,YAAA,CAAa,CAAA,EAAG,EAAE,GAAA,EAAK,CAAA,CAAE,IAAI,CAAC,CAAA,MAAO,GAAA,CAAI,CAAA,EAAG,EAAE,GAAG,CAAA,CAAA,EAAI,CAAA,CAAE,IAAI,CAAA,CAAE,CAAA;AAAA,MAC3F;AAAA,IACF;AACA,IAAA,MAAM,MAAA,GAAS,CAAC,GAAG,GAAG,EAAE,IAAA,EAAK;AAC7B,IAAA,IAAI,KAAK,EAAA,EAAI;AACX,MAAA,MAAM,IAAA,CAAK,EAAA,CAAG,GAAA,CAAI,CAAA,WAAA,EAAc,MAAM,CAAA,CAAA,EAAI,IAAA,CAAK,SAAA,CAAU,MAAM,CAAA,EAAG,EAAE,aAAA,EAAe,IAAI,CAAA;AAAA,IACzF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA,EAIA,MAAM,UAAA,CAAW,IAAA,EAAc,WAAA,EAAqB,cAAc,EAAA,EAAmB;AACnF,IAAA,MAAM,OAAO,IAAA,CAAK,WAAA,EAAY,CAAE,OAAA,CAAQ,eAAe,GAAG,CAAA;AAC1D,IAAA,MAAM,EAAA,GAAK,QAAQ,IAAI,CAAA,CAAA;AACvB,IAAA,MAAM,IAAA,CAAK,SAAA;AAAA,MACT,MAAA;AAAA,MACA,EAAA;AAAA,MACA,EAAE,IAAA,EAAM,IAAA,CAAK,WAAA,EAAY,EAAG,WAAA,EAAa,WAAA,EAAa,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAC,EAAE;AAAA,MAClF;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,WAAW,MAAA,EAA+B;AAC9C,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,MAAA,CAAiB,QAAQ,MAAM,CAAA;AACvD,IAAA,IAAI,CAAC,IAAA,IAAQ,IAAA,CAAK,IAAA,CAAK,QAAA,EAAU;AACjC,IAAA,MAAM,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,MAAM,CAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,UAAA,CAAW,MAAA,EAAgB,WAAA,EAAqB,WAAA,GAAc,IAAI,IAAA,EAA8B;AACpG,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,MAAA,CAAiB,QAAQ,MAAM,CAAA;AACvD,IAAA,IAAI,CAAC,IAAA,EAAM;AACX,IAAA,MAAM,OAAiB,EAAE,GAAG,IAAA,CAAK,IAAA,EAAM,aAAa,WAAA,EAAY;AAChE,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,QAAA,IAAY,IAAA,EAAM;AAC/B,MAAA,IAAA,CAAK,OAAO,IAAA,CAAK,WAAA,EAAY,CAAE,OAAA,CAAQ,eAAe,GAAG,CAAA;AAAA,IAC3D;AACA,IAAA,MAAM,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,MAAA,EAAQ,MAAM,WAAW,CAAA;AAAA,EACxD;AAAA;AAAA,EAGA,MAAM,yBAAA,CACJ,MAAA,EACA,WAAA,EACA,IAAA,EACA,eACA,WAAA,EACe;AACf,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,MAAA,CAAiB,QAAQ,MAAM,CAAA;AACvD,IAAA,IAAI,CAAC,IAAA,EAAM;AACX,IAAA,MAAM,IAAA,GAAiB,EAAE,GAAG,IAAA,CAAK,IAAA,EAAM,WAAA,EAAa,WAAA,EAAa,WAAA,IAAe,IAAA,CAAK,IAAA,CAAK,WAAA,IAAe,EAAA,EAAG;AAC5G,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,QAAA,IAAY,IAAA,EAAM;AAC/B,MAAA,IAAA,CAAK,OAAO,IAAA,CAAK,WAAA,EAAY,CAAE,OAAA,CAAQ,eAAe,GAAG,CAAA;AAAA,IAC3D;AACA,IAAA,MAAM,MAAA,GAAA,CAAU,IAAA,CAAK,MAAA,IAAU,IAAI,MAAA,CAAO,CAAC,CAAA,KAAM,EAAE,CAAA,CAAE,QAAA,KAAa,QAAA,IAAY,CAAA,CAAE,SAAS,QAAA,CAAS,CAAA;AAClG,IAAA,IAAI,aAAA,EAAe,MAAA,CAAO,IAAA,CAAK,EAAE,QAAA,EAAU,UAAU,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AACnF,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,MAAM,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,MAAA,EAAQ,MAAM,WAAW,CAAA;AAAA,EACxD;AAAA,EAEA,MAAM,UAAA,CAAW,IAAA,EAAc,WAAA,GAAc,EAAA,EAAmB;AAC9D,IAAA,MAAM,OAAO,IAAA,CAAK,WAAA,EAAY,CAAE,OAAA,CAAQ,eAAe,GAAG,CAAA;AAC1D,IAAA,MAAM,EAAA,GAAK,QAAQ,IAAI,CAAA,CAAA;AACvB,IAAA,MAAM,IAAA,CAAK,SAAA;AAAA,MACT,MAAA;AAAA,MACA,EAAA;AAAA,MACA,EAAE,MAAM,IAAA,CAAK,WAAA,IAAe,WAAA,EAAa,QAAA,EAAU,KAAA,EAAO,SAAA,EAAW,GAAA,EAAI;AAAA,MACzE;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,WAAW,MAAA,EAA+B;AAC9C,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,MAAA,CAAiB,QAAQ,MAAM,CAAA;AACvD,IAAA,IAAI,CAAC,IAAA,IAAQ,IAAA,CAAK,IAAA,CAAK,QAAA,EAAU;AACjC,IAAA,MAAM,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,MAAM,CAAA;AAAA,EACrC;AAAA;AAAA,EAGA,MAAM,aAAA,CACJ,MAAA,EACA,KAAA,EACe;AACf,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,MAAA,CAAiB,QAAQ,MAAM,CAAA;AACvD,IAAA,IAAI,CAAC,IAAA,EAAM;AACX,IAAA,MAAM,SAAsB,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,MAAO,EAAE,UAAU,CAAA,CAAE,QAAA,EAAU,IAAA,EAAM,CAAA,CAAE,MAAM,KAAA,EAAO,CAAA,CAAE,UAAU,KAAA,GAAQ,KAAA,GAAQ,OAAM,CAAE,CAAA;AAC/H,IAAA,MAAM,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,MAAA,EAAQ,EAAE,GAAG,IAAA,CAAK,IAAA,EAAM,MAAA,EAAO,EAAsB,IAAA,CAAK,IAAA,CAAK,WAAW,CAAA;AAAA,EACzG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,kBAAkB,aAAA,EAAyC;AAC/D,IAAA,MAAM,MAAA,GAAA,CACJ,MAAM,IAAA,CAAK,EAAA,CAAG,QAAQ,8CAA8C,CAAA,CAAE,KAAoB,EAC1F,OAAA;AACF,IAAA,MAAM,SAAA,GAAY,IAAI,GAAA,CAAI,MAAA,CAAO,IAAI,CAAC,CAAA,KAAM,CAAA,CAAE,EAAE,CAAC,CAAA;AAGjD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAmB,MAAM,CAAA;AAClD,IAAA,MAAM,eAAe,IAAI,GAAA,CAAyB,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,KAAM,CAAC,CAAA,CAAE,IAAA,EAAM,EAAE,IAAA,CAAK,MAAA,IAAU,EAAE,CAAC,CAAC,CAAA;AAEjG,IAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,QAAA,CAAwB,YAAY,CAAA;AACjE,IAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,IAAA,KAAA,MAAW,MAAM,SAAA,EAAW;AAC1B,MAAA,MAAM,SAAS,EAAA,CAAG,IAAA;AAClB,MAAA,IAAI,CAAC,SAAA,CAAU,GAAA,CAAI,MAAM,CAAA,EAAG;AAC5B,MAAA,IAAI,aAAA,IAAiB,WAAW,aAAA,EAAe;AAC/C,MAAA,IAAI,MAAA,GAAS,KAAA;AACb,MAAA,IAAI,IAAA,GAAO,KAAA;AACX,MAAA,KAAA,MAAW,GAAA,IAAO,EAAA,CAAG,IAAA,CAAK,OAAA,IAAW,EAAC,EAAG;AACvC,QAAA,KAAA,MAAW,KAAK,YAAA,CAAa,GAAA,CAAI,GAAG,CAAA,IAAK,EAAC,EAAG;AAC3C,UAAA,IAAI,KAAK,YAAA,CAAa,CAAA,EAAG,QAAA,EAAU,QAAQ,GAAG,MAAA,GAAS,IAAA;AACvD,UAAA,IAAI,KAAK,YAAA,CAAa,CAAA,EAAG,MAAA,EAAQ,QAAQ,GAAG,IAAA,GAAO,IAAA;AAAA,QACrD;AAAA,MACF;AACA,MAAA,IAAI,UAAU,IAAA,EAAM,KAAA,EAAA;AAAA,IACtB;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,YAAA,CAAa,MAAA,EAAgB,OAAA,EAAkC;AACnE,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,QAAA,CAAmB,MAAM,CAAA;AACrD,IAAA,MAAM,IAAA,GAAO,IAAI,GAAA,CAAI,QAAA,CAAS,GAAA,CAAI,CAAC,CAAA,KAAM,CAAC,CAAA,CAAE,IAAA,EAAM,CAAA,CAAE,IAAI,CAAC,CAAC,CAAA;AAC1D,IAAA,MAAM,QAAQ,OAAA,CAAQ,GAAA,CAAI,CAAC,EAAA,KAAO,KAAK,GAAA,CAAI,EAAE,CAAA,EAAG,IAAI,EAAE,MAAA,CAAO,CAAC,CAAA,KAAmB,CAAC,CAAC,CAAC,CAAA;AACpF,IAAA,MAAM,WAAA,GAAc,YAAA,CAAY,sBAAA,CAAuB,IAAA,CAAK,CAAC,MAAM,KAAA,CAAM,QAAA,CAAS,CAAC,CAAC,CAAA,IAAK,QAAA;AAIzF,IAAA,MAAM,YAAyB,EAAC;AAChC,IAAA,KAAA,MAAW,EAAA,IAAM,OAAA,EAAS,KAAA,MAAW,CAAA,IAAK,IAAA,CAAK,GAAA,CAAI,EAAE,CAAA,EAAG,MAAA,IAAU,EAAC,EAAG,SAAA,CAAU,KAAK,CAAC,CAAA;AACtF,IAAA,MAAM,eAAA,GACJ,UAAU,IAAA,CAAK,CAAC,MAAM,IAAA,CAAK,YAAA,CAAa,GAAG,QAAA,EAAU,QAAQ,CAAC,CAAA,IAC9D,SAAA,CAAU,KAAK,CAAC,CAAA,KAAM,KAAK,YAAA,CAAa,CAAA,EAAG,MAAA,EAAQ,QAAQ,CAAC,CAAA;AAC9D,IAAA,IAAI,CAAC,eAAA,IAAoB,MAAM,KAAK,iBAAA,CAAkB,MAAM,MAAO,CAAA,EAAG;AACpE,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,KAAK,SAAA,CAAU,YAAA,EAAc,QAAQ,EAAE,OAAA,IAAmC,IAAI,CAAA;AAEpF,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,OAAA,CAAQ,4DAA4D,CAAA,CAAE,IAAA,CAAK,WAAA,EAAa,IAAA,CAAK,GAAA,EAAI,EAAG,MAAM,CAAA,CAAE,GAAA,EAAI;AAC9H,IAAA,IAAI,IAAA,CAAK,IAAI,MAAM,IAAA,CAAK,GAAG,MAAA,CAAO,CAAA,WAAA,EAAc,MAAM,CAAA,CAAE,CAAA;AAAA,EAC1D;AAAA,EAEA,MAAM,mBAAA,CAAoB,MAAA,EAAgB,OAAA,EAAiC;AACzE,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,MAAA,CAAiB,QAAQ,MAAM,CAAA;AACvD,IAAA,IAAI,CAAC,IAAA,EAAM;AACX,IAAA,MAAM,MAAA,GAAA,CAAU,IAAA,CAAK,IAAA,CAAK,MAAA,IAAU,EAAC,EAAG,MAAA,CAAO,CAAC,CAAA,KAAM,EAAE,CAAA,CAAE,QAAA,KAAa,QAAA,IAAY,CAAA,CAAE,SAAS,QAAA,CAAS,CAAA;AACvG,IAAA,IAAI,OAAA,EAAS,MAAA,CAAO,IAAA,CAAK,EAAE,QAAA,EAAU,UAAU,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAC7E,IAAA,MAAM,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,MAAA,EAAQ,EAAE,GAAG,IAAA,CAAK,IAAA,EAAM,MAAA,EAAO,EAAsB,IAAA,CAAK,IAAA,CAAK,WAAW,CAAA;AAAA,EACzG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,oBAAA,GAAsC;AAI1C,IAAA,MAAM,KAAA,GAA0C;AAAA,MAC9C;AAAA,QAAE,EAAA,EAAI,YAAA;AAAA,QAAc,IAAA,EAAM,OAAA;AAAA,QAAS,WAAA,EAAa,eAAA;AAAA,QAAiB,WAAA,EAAa,2BAAA;AAAA,QAA6B,QAAA,EAAU,IAAA;AAAA,QACnH,MAAA,EAAQ;AAAA,UACN,EAAE,QAAA,EAAU,GAAA,EAAK,IAAA,EAAM,QAAA,EAAS;AAAA,UAAG,EAAE,QAAA,EAAU,QAAA,EAAU,IAAA,EAAM,QAAA,EAAS;AAAA,UAAG,EAAE,QAAA,EAAU,MAAA,EAAQ,IAAA,EAAM,QAAA,EAAS;AAAA,UAC9G,EAAE,QAAA,EAAU,gBAAA,EAAkB,IAAA,EAAM,QAAA,EAAS;AAAA,UAAG,EAAE,QAAA,EAAU,OAAA,EAAS,IAAA,EAAM,QAAA,EAAS;AAAA,UAAG,EAAE,QAAA,EAAU,OAAA,EAAS,IAAA,EAAM,QAAA;AAAS;AAC7H,OAAE;AAAA,MACJ;AAAA,QAAE,EAAA,EAAI,aAAA;AAAA,QAAe,IAAA,EAAM,QAAA;AAAA,QAAU,WAAA,EAAa,QAAA;AAAA,QAAU,WAAA,EAAa,mCAAA;AAAA,QAAqC,QAAA,EAAU,KAAA;AAAA,QACtH,MAAA,EAAQ;AAAA,UACN,EAAE,QAAA,EAAU,QAAA,EAAU,IAAA,EAAM,QAAA,EAAS;AAAA,UACrC,EAAE,QAAA,EAAU,WAAA,EAAa,IAAA,EAAM,QAAA,EAAS;AAAA,UACxC,EAAE,QAAA,EAAU,iBAAA,EAAmB,IAAA,EAAM,MAAA,EAAO;AAAA,UAC5C,EAAE,QAAA,EAAU,iBAAA,EAAmB,IAAA,EAAM,QAAA,EAAS;AAAA,UAC9C,EAAE,QAAA,EAAU,iBAAA,EAAmB,IAAA,EAAM,QAAA,EAAS;AAAA,UAC9C,EAAE,QAAA,EAAU,iBAAA,EAAmB,IAAA,EAAM,QAAA,EAAS;AAAA,UAC9C,EAAE,QAAA,EAAU,UAAA,EAAY,IAAA,EAAM,MAAA;AAAO;AACvC;AAAE,KACN;AACA,IAAA,MAAM,KAAA,GAA0C;AAAA,MAC9C,EAAE,EAAA,EAAI,aAAA,EAAe,IAAA,EAAM,QAAA,EAAU,aAAa,gCAAA,EAAkC,QAAA,EAAU,IAAA,EAAM,SAAA,EAAW,CAAA,EAAE;AAAA,MACjH,EAAE,EAAA,EAAI,WAAA,EAAa,IAAA,EAAM,MAAA,EAAQ,aAAa,iBAAA,EAAmB,QAAA,EAAU,IAAA,EAAM,SAAA,EAAW,EAAA,EAAG;AAAA,MAC/F,EAAE,EAAA,EAAI,aAAA,EAAe,IAAA,EAAM,QAAA,EAAU,aAAa,mBAAA,EAAqB,QAAA,EAAU,IAAA,EAAM,SAAA,EAAW,EAAA,EAAG;AAAA,MACrG,EAAE,EAAA,EAAI,aAAA,EAAe,IAAA,EAAM,QAAA,EAAU,aAAa,iBAAA,EAAmB,QAAA,EAAU,IAAA,EAAM,SAAA,EAAW,EAAA,EAAG;AAAA,MACnG,EAAE,EAAA,EAAI,aAAA,EAAe,IAAA,EAAM,QAAA,EAAU,aAAa,mBAAA,EAAqB,QAAA,EAAU,IAAA,EAAM,SAAA,EAAW,EAAA,EAAG;AAAA,MACrG,EAAE,EAAA,EAAI,aAAA,EAAe,IAAA,EAAM,QAAA,EAAU,aAAa,kCAAA,EAAoC,QAAA,EAAU,IAAA,EAAM,SAAA,EAAW,EAAA;AAAG,KACtH;AAEA,IAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,MAAA,IAAI,MAAM,IAAA,CAAK,MAAA,CAAO,MAAA,EAAQ,CAAA,CAAE,EAAE,CAAA,EAAG;AACrC,MAAA,MAAM,EAAE,EAAA,EAAI,GAAG,IAAA,EAAK,GAAI,CAAA;AACxB,MAAA,MAAM,KAAK,SAAA,CAAU,MAAA,EAAQ,EAAA,EAAI,IAAA,EAAM,EAAE,WAAW,CAAA;AAAA,IACtD;AACA,IAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,MAAA,IAAI,MAAM,IAAA,CAAK,MAAA,CAAO,MAAA,EAAQ,CAAA,CAAE,EAAE,CAAA,EAAG;AACrC,MAAA,MAAM,EAAE,EAAA,EAAI,GAAG,IAAA,EAAK,GAAI,CAAA;AACxB,MAAA,MAAM,KAAK,SAAA,CAAU,MAAA,EAAQ,EAAA,EAAI,IAAA,EAAM,EAAE,IAAI,CAAA;AAAA,IAC/C;AAAA,EACF;AAAA;AAAA,EAGA,MAAM,iBAAA,CAAkB,MAAA,EAAgB,QAAA,EAAiC;AACvE,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAmB,MAAM,CAAA;AAClD,IAAA,MAAM,IAAA,GAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,EAAE,IAAA,CAAK,IAAA,KAAS,QAAA,CAAS,WAAA,EAAa,CAAA;AACrE,IAAA,IAAI,CAAC,IAAA,EAAM;AACX,IAAA,MAAM,EAAA,GAAK,MAAM,IAAA,CAAK,MAAA,CAAsB,cAAc,MAAM,CAAA;AAChE,IAAA,MAAM,UAAU,IAAI,GAAA,CAAI,IAAI,IAAA,CAAK,OAAA,IAAW,EAAE,CAAA;AAC9C,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAA,CAAQ,GAAA,CAAI,KAAK,IAAI,CAAA;AACrB,IAAA,MAAM,KAAK,YAAA,CAAa,MAAA,EAAQ,CAAC,GAAG,OAAO,CAAC,CAAA;AAAA,EAC9C;AACF","file":"chunk-2CB4KY7I.cjs","sourcesContent":["import { D1Database } from '@cloudflare/workers-types'\nimport { nanoid } from 'nanoid'\nimport type {\n  Document,\n  DocumentRow,\n  CreateDocumentInput,\n  UpdateDocumentInput,\n  QueryableField,\n} from '../schemas/document'\nimport { DocumentProjection } from './document-projection'\n\nconst DEFAULT_MAX_VERSIONS = 50\n\n/**\n * D29: documents store `created_at`/`updated_at` in SECONDS (see `create`/`saveDraft`), but the legacy\n * `content` table — and therefore the public/CRUD `/api/content` contract — used MILLISECONDS. Any code\n * that shapes a document row into the content response must convert so `new Date(item.created_at)` keeps\n * working for API consumers. Null/undefined pass through unchanged.\n */\nexport function documentSecondsToMs(ts: number | null | undefined): number | null {\n  return ts == null ? null : ts * 1000\n}\n\nfunction rowToDocument(row: DocumentRow): Document {\n  return {\n    id: row.id,\n    rootId: row.root_id,\n    typeId: row.type_id,\n    typeVersion: row.type_version,\n    versionOfId: row.version_of_id,\n    versionNumber: row.version_number,\n    isCurrentDraft: row.is_current_draft === 1,\n    isPublished: row.is_published === 1,\n    status: row.status,\n    parentRootId: row.parent_root_id,\n    slug: row.slug,\n    path: row.path,\n    title: row.title,\n    zone: row.zone,\n    sortOrder: row.sort_order,\n    visible: row.visible === 1,\n    publishedAt: row.published_at,\n    scheduledAt: row.scheduled_at,\n    expiresAt: row.expires_at,\n    deletedAt: row.deleted_at,\n    tenantId: row.tenant_id,\n    locale: row.locale,\n    translationGroupId: row.translation_group_id,\n    data: JSON.parse(row.data),\n    metadata: JSON.parse(row.metadata),\n    ownerId: row.owner_id,\n    createdBy: row.created_by,\n    updatedBy: row.updated_by,\n    createdAt: row.created_at,\n    updatedAt: row.updated_at,\n  }\n}\n\nexport interface DocumentsServiceOptions {\n  queryableFields?: QueryableField[]\n  typeSchemaVersion?: number\n  maxVersionsPerRoot?: number\n  /** Tenant this service operates within. Every root-keyed lookup is scoped to it (R3). POC default: 'default'. */\n  tenantId?: string\n  /** Retain version history (new row per saveDraft, supersede-as-history). Default false (in-place). */\n  versioning?: boolean\n}\n\nexport class DocumentsService {\n  private projection: DocumentProjection\n  private tenantId: string\n  private versioning: boolean\n\n  constructor(\n    private db: D1Database,\n    private opts: DocumentsServiceOptions = {},\n  ) {\n    this.projection = new DocumentProjection(db)\n    this.tenantId = opts.tenantId ?? 'default'\n    this.versioning = opts.versioning ?? false\n  }\n\n  // ─── Create ───────────────────────────────────────────────────────────────\n\n  async create(input: CreateDocumentInput, createdBy?: string): Promise<Document> {\n    // D23: document timestamps are stored in SECONDS (legacy `content` rows use milliseconds). Any\n    // Date() rendering of a document timestamp must multiply by 1000.\n    const now = Math.floor(Date.now() / 1000)\n    const id = nanoid()\n    const publish = input.publishOnCreate ?? false\n    // D34: backfill may carry the source row's original timestamps; normal creates default to now.\n    const createdAt = input.createdAt ?? now\n    const updatedAt = input.updatedAt ?? now\n\n    const doc: Document = {\n      id,\n      rootId: id,\n      typeId: input.typeId,\n      typeVersion: this.opts.typeSchemaVersion ?? 1,\n      versionOfId: null,\n      versionNumber: 1,\n      isCurrentDraft: true,\n      isPublished: publish,\n      status: publish ? 'published' : 'draft',\n      parentRootId: input.parentRootId ?? '',\n      slug: input.slug ?? null,\n      path: null,\n      title: input.title ?? null,\n      zone: input.zone ?? null,\n      sortOrder: input.sortOrder ?? 0,\n      visible: input.visible ?? true,\n      publishedAt: publish ? createdAt : null,\n      scheduledAt: input.scheduledAt ?? null,\n      expiresAt: input.expiresAt ?? null,\n      deletedAt: null,\n      // Tenant comes from the service scope unless the caller passes one explicitly. Never trust a\n      // request-body tenant: route handlers must override with the resolved request-context tenant.\n      tenantId: input.tenantId ?? this.tenantId,\n      locale: input.locale ?? 'default',\n      translationGroupId: '',\n      data: input.data ?? {},\n      metadata: input.metadata ?? {},\n      ownerId: input.ownerId ?? null,\n      createdBy: createdBy ?? null,\n      updatedBy: createdBy ?? null,\n      createdAt,\n      updatedAt,\n    }\n\n    const insertDoc = this.db.prepare(\n      `INSERT INTO documents (id, root_id, type_id, type_version, version_of_id, version_number,\n         is_current_draft, is_published, status, parent_root_id, slug, path, title, zone,\n         sort_order, visible, published_at, scheduled_at, expires_at, deleted_at,\n         tenant_id, locale, translation_group_id, data, metadata,\n         owner_id, created_by, updated_by, created_at, updated_at)\n       VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)`,\n    ).bind(\n      doc.id, doc.rootId, doc.typeId, doc.typeVersion, null, 1,\n      1, publish ? 1 : 0, doc.status, doc.parentRootId, doc.slug, null, doc.title, doc.zone,\n      doc.sortOrder, doc.visible ? 1 : 0, doc.publishedAt, doc.scheduledAt, doc.expiresAt, null,\n      doc.tenantId, doc.locale, '', JSON.stringify(doc.data), JSON.stringify(doc.metadata),\n      doc.ownerId, doc.createdBy, doc.updatedBy, createdAt, updatedAt,\n    )\n\n    const derivedInserts = this.projection.buildDerivedInsertStatements(doc, this.opts.queryableFields ?? [], now)\n\n    await this.db.batch([insertDoc, ...derivedInserts])\n    return doc\n  }\n\n  // ─── Save new draft ───────────────────────────────────────────────────────\n  // Atomically: demote previous draft → delete its derived rows (if not published) →\n  // insert new draft → materialize derived rows → prune excess versions.\n\n  async saveDraft(rootId: string, input: UpdateDocumentInput, updatedBy?: string): Promise<Document> {\n    const now = Math.floor(Date.now() / 1000)\n    const newId = nanoid()\n\n    // Fetch current state synchronously before starting the batch. Tenant-scoped (R3): a service\n    // for tenant B must not find or mutate tenant A's root.\n    const prevDraftRow = await this.db\n      .prepare('SELECT * FROM documents WHERE root_id = ? AND tenant_id = ? AND is_current_draft = 1')\n      .bind(rootId, this.tenantId)\n      .first<DocumentRow>()\n\n    if (!prevDraftRow) throw new Error(`No current draft found for root ${rootId}`)\n\n    const prevDraft = rowToDocument(prevDraftRow)\n\n    const mergedData = { ...prevDraft.data, ...(input.data ?? {}) }\n    const mergedMeta = { ...prevDraft.metadata, ...(input.metadata ?? {}) }\n\n    const newDoc: Document = {\n      ...prevDraft,\n      id: newId,\n      rootId,\n      typeVersion: this.opts.typeSchemaVersion ?? prevDraft.typeVersion,\n      versionOfId: prevDraft.id,\n      versionNumber: 0, // computed by SQL below\n      isCurrentDraft: true,\n      isPublished: false,\n      status: 'draft',\n      slug: input.slug !== undefined ? input.slug ?? null : prevDraft.slug,\n      title: input.title !== undefined ? input.title ?? null : prevDraft.title,\n      zone: input.zone !== undefined ? input.zone ?? null : prevDraft.zone,\n      sortOrder: input.sortOrder ?? prevDraft.sortOrder,\n      visible: input.visible ?? prevDraft.visible,\n      scheduledAt: input.scheduledAt !== undefined ? input.scheduledAt : prevDraft.scheduledAt,\n      expiresAt: input.expiresAt !== undefined ? input.expiresAt : prevDraft.expiresAt,\n      data: mergedData,\n      metadata: mergedMeta,\n      updatedBy: updatedBy ?? prevDraft.updatedBy,\n      updatedAt: now,\n      createdAt: now,\n    }\n\n    const prevIsPublished = prevDraftRow.is_published === 1\n\n    // Versioning off + the working draft is a pure draft (not the live published row):\n    // update it in place. No new row, no history accumulation. (R7: rebuild derived rows.)\n    if (!this.versioning && !prevIsPublished) {\n      return this.updateInPlace(prevDraft, input, now, updatedBy)\n    }\n\n    const statements: D1PreparedStatement[] = [\n      // 1. Demote previous current draft FIRST (unique index: never two current drafts mid-batch).\n      this.db.prepare('UPDATE documents SET is_current_draft = 0, updated_at = ? WHERE id = ? AND tenant_id = ?')\n        .bind(now, prevDraft.id, this.tenantId),\n\n      // 2. If the previous draft was not also the published row, delete its derived rows.\n      ...(!prevIsPublished ? this.projection.buildDerivedDeleteStatements(prevDraft.id) : []),\n\n      // 3. Insert new draft. version_number derived in SQL (COALESCE(MAX)+1 from existing rows).\n      // R5 arithmetic — keep balanced: 30 columns = 5 leading '?' + 1 version_number subquery\n      //   + 3 literals (1,0,'draft') + 21 trailing '?'. Total placeholders: 5 + 1 (subquery\n      //   root_id) + 21 = 27, which MUST equal the 27 .bind() args below. Do not change one side\n      //   without recounting the other.\n      this.db.prepare(\n        `INSERT INTO documents (id, root_id, type_id, type_version, version_of_id, version_number,\n           is_current_draft, is_published, status, parent_root_id, slug, path, title, zone,\n           sort_order, visible, published_at, scheduled_at, expires_at, deleted_at,\n           tenant_id, locale, translation_group_id, data, metadata,\n           owner_id, created_by, updated_by, created_at, updated_at)\n         SELECT ?,?,?,?,?,\n           (SELECT COALESCE(MAX(version_number), 0) + 1 FROM documents WHERE root_id = ?),\n           1,0,'draft',?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?\n         WHERE 1=1`,\n      ).bind(\n        newId, rootId, newDoc.typeId, newDoc.typeVersion, prevDraft.id,\n        rootId,\n        newDoc.parentRootId, newDoc.slug, null, newDoc.title, newDoc.zone,\n        newDoc.sortOrder, newDoc.visible ? 1 : 0, null, newDoc.scheduledAt, newDoc.expiresAt, null,\n        newDoc.tenantId, newDoc.locale, newDoc.translationGroupId,\n        JSON.stringify(newDoc.data), JSON.stringify(newDoc.metadata),\n        newDoc.ownerId, newDoc.createdBy, newDoc.updatedBy, now, now,\n      ),\n\n      // 4. Materialize derived rows for new draft.\n      ...this.projection.buildDerivedInsertStatements(newDoc, this.opts.queryableFields ?? [], now),\n    ]\n\n    // 5. Prune excess versions (beyond maxVersionsPerRoot), never the published or current-draft row,\n    //    and never a version still referenced as version_of_id by another row (FK RESTRICT).\n    const maxVersions = this.opts.maxVersionsPerRoot ?? DEFAULT_MAX_VERSIONS\n    statements.push(\n      this.db.prepare(\n        `DELETE FROM documents WHERE root_id = ? AND tenant_id = ? AND is_current_draft = 0 AND is_published = 0\n         AND id NOT IN (\n           SELECT id FROM documents WHERE root_id = ? AND tenant_id = ? AND is_current_draft = 0 AND is_published = 0\n           ORDER BY version_number DESC LIMIT ?\n         )\n         AND id NOT IN (SELECT version_of_id FROM documents WHERE version_of_id IS NOT NULL AND root_id = ? AND tenant_id = ?)`,\n      ).bind(rootId, this.tenantId, rootId, this.tenantId, maxVersions, rootId, this.tenantId),\n    )\n\n    await this.db.batch(statements)\n\n    // Fetch the saved row to get the SQL-computed version_number.\n    const saved = await this.db\n      .prepare('SELECT * FROM documents WHERE id = ?')\n      .bind(newId)\n      .first<DocumentRow>()\n    return rowToDocument(saved!)\n  }\n\n  // In-place draft update (versioning off). Mutates the existing draft row; preserves id/root_id/\n  // version_number/version_of_id and the is_current_draft/is_published flags. Rebuilds derived rows.\n  private async updateInPlace(\n    prevDraft: Document,\n    input: UpdateDocumentInput,\n    now: number,\n    updatedBy?: string,\n  ): Promise<Document> {\n    const mergedData = { ...prevDraft.data, ...(input.data ?? {}) }\n    const mergedMeta = { ...prevDraft.metadata, ...(input.metadata ?? {}) }\n\n    const updated: Document = {\n      ...prevDraft,\n      slug: input.slug !== undefined ? input.slug ?? null : prevDraft.slug,\n      title: input.title !== undefined ? input.title ?? null : prevDraft.title,\n      zone: input.zone !== undefined ? input.zone ?? null : prevDraft.zone,\n      sortOrder: input.sortOrder ?? prevDraft.sortOrder,\n      visible: input.visible ?? prevDraft.visible,\n      scheduledAt: input.scheduledAt !== undefined ? input.scheduledAt : prevDraft.scheduledAt,\n      expiresAt: input.expiresAt !== undefined ? input.expiresAt : prevDraft.expiresAt,\n      data: mergedData,\n      metadata: mergedMeta,\n      updatedBy: updatedBy ?? prevDraft.updatedBy,\n      updatedAt: now,\n    }\n\n    const statements: D1PreparedStatement[] = [\n      // R5: 11 SET '?' + 2 WHERE '?' (id, tenant_id) = 13 binds, matching .bind() below.\n      this.db.prepare(\n        `UPDATE documents SET\n           slug = ?, title = ?, zone = ?, sort_order = ?, visible = ?,\n           scheduled_at = ?, expires_at = ?, data = ?, metadata = ?, updated_by = ?, updated_at = ?\n         WHERE id = ? AND tenant_id = ?`,\n      ).bind(\n        updated.slug, updated.title, updated.zone, updated.sortOrder, updated.visible ? 1 : 0,\n        updated.scheduledAt, updated.expiresAt, JSON.stringify(updated.data), JSON.stringify(updated.metadata),\n        updated.updatedBy, now,\n        updated.id, this.tenantId,\n      ),\n      // R7: derived rows track the new data — delete then reinsert for this row.\n      ...this.projection.buildDerivedDeleteStatements(updated.id),\n      ...this.projection.buildDerivedInsertStatements(updated, this.opts.queryableFields ?? [], now),\n    ]\n\n    await this.db.batch(statements)\n\n    const saved = await this.db.prepare('SELECT * FROM documents WHERE id = ?').bind(updated.id).first<DocumentRow>()\n    return rowToDocument(saved!)\n  }\n\n  // ─── Publish ──────────────────────────────────────────────────────────────\n\n  async publish(documentId: string, publishedBy?: string): Promise<Document> {\n    const now = Math.floor(Date.now() / 1000)\n\n    const targetRow = await this.db\n      .prepare('SELECT * FROM documents WHERE id = ? AND tenant_id = ?')\n      .bind(documentId, this.tenantId)\n      .first<DocumentRow>()\n\n    if (!targetRow) throw new Error(`Document ${documentId} not found`)\n\n    const prevPublishedRow = await this.db\n      .prepare('SELECT * FROM documents WHERE root_id = ? AND tenant_id = ? AND is_published = 1 AND id != ?')\n      .bind(targetRow.root_id, this.tenantId, documentId)\n      .first<DocumentRow>()\n\n    const statements: D1PreparedStatement[] = []\n\n    if (prevPublishedRow) {\n      if (!this.versioning && prevPublishedRow.is_current_draft !== 1) {\n        // Versioning off: old published row is pure history — remove it + its derived rows.\n        // First null any version_of_id pointing at it (the target draft may chain off it) so the\n        // delete can't trip the FK RESTRICT on documents.version_of_id (plan risk #1; the chain is\n        // unused when versioning is off). Tenant-scoped (R3).\n        statements.push(this.db.prepare('UPDATE documents SET version_of_id = NULL WHERE version_of_id = ? AND tenant_id = ?')\n          .bind(prevPublishedRow.id, this.tenantId))\n        statements.push(...this.projection.buildDerivedDeleteStatements(prevPublishedRow.id))\n        statements.push(this.db.prepare('DELETE FROM documents WHERE id = ? AND tenant_id = ?')\n          .bind(prevPublishedRow.id, this.tenantId))\n      } else {\n        // existing behavior: clear is_published, drop derived rows if not the current draft\n        statements.push(\n          this.db.prepare('UPDATE documents SET is_published = 0, updated_at = ? WHERE id = ?')\n            .bind(now, prevPublishedRow.id),\n        )\n        if (prevPublishedRow.is_current_draft !== 1) {\n          statements.push(...this.projection.buildDerivedDeleteStatements(prevPublishedRow.id))\n        }\n      }\n    }\n\n    // Set published on target row.\n    statements.push(\n      this.db.prepare(\n        `UPDATE documents SET is_published = 1, status = 'published', published_at = ?, updated_at = ?, updated_by = ? WHERE id = ?`,\n      ).bind(now, now, publishedBy ?? null, documentId),\n    )\n\n    // Ensure derived rows exist for the target (they do if it was current draft; materialize if not).\n    if (targetRow.is_current_draft !== 1) {\n      const targetDoc = rowToDocument(targetRow)\n      statements.push(...this.projection.buildDerivedInsertStatements(targetDoc, this.opts.queryableFields ?? [], now))\n    }\n\n    await this.db.batch(statements)\n\n    const saved = await this.db.prepare('SELECT * FROM documents WHERE id = ?').bind(documentId).first<DocumentRow>()\n    return rowToDocument(saved!)\n  }\n\n  // ─── Unpublish ────────────────────────────────────────────────────────────\n\n  async unpublish(documentId: string): Promise<Document> {\n    const now = Math.floor(Date.now() / 1000)\n\n    const row = await this.db\n      .prepare('SELECT * FROM documents WHERE id = ? AND tenant_id = ?')\n      .bind(documentId, this.tenantId)\n      .first<DocumentRow>()\n\n    if (!row) throw new Error(`Document ${documentId} not found`)\n    if (!row.is_published) throw new Error(`Document ${documentId} is not published`)\n\n    const statements: D1PreparedStatement[] = [\n      this.db.prepare(`UPDATE documents SET is_published = 0, status = 'draft', updated_at = ? WHERE id = ?`)\n        .bind(now, documentId),\n    ]\n\n    // If the unpublished row is not the current draft, remove its derived rows.\n    if (row.is_current_draft !== 1) {\n      statements.push(...this.projection.buildDerivedDeleteStatements(documentId))\n    }\n\n    await this.db.batch(statements)\n\n    const saved = await this.db.prepare('SELECT * FROM documents WHERE id = ?').bind(documentId).first<DocumentRow>()\n    return rowToDocument(saved!)\n  }\n\n  // ─── Soft delete ──────────────────────────────────────────────────────────\n\n  async softDelete(documentId: string): Promise<void> {\n    const now = Math.floor(Date.now() / 1000)\n    await this.db\n      .prepare('UPDATE documents SET deleted_at = ?, updated_at = ? WHERE id = ? AND tenant_id = ?')\n      .bind(now, now, documentId, this.tenantId)\n      .run()\n  }\n\n  // ─── Hard erase (PII types) ───────────────────────────────────────────────\n  // Deletes every version row for a root plus all derived data, in dependency order.\n\n  async erase(rootId: string, tenantId: string): Promise<void> {\n    // Get all document IDs for this root.\n    const result = await this.db\n      .prepare('SELECT id FROM documents WHERE root_id = ? AND tenant_id = ?')\n      .bind(rootId, tenantId)\n      .all<{ id: string }>()\n\n    const docIds = (result.results ?? []).map(r => r.id)\n    if (docIds.length === 0) return\n\n    const statements: D1PreparedStatement[] = []\n\n    // Delete derived tables first (explicit; don't rely on FK cascade).\n    for (const id of docIds) {\n      statements.push(this.db.prepare('DELETE FROM document_facets WHERE document_id = ?').bind(id))\n      statements.push(this.db.prepare('DELETE FROM document_references WHERE from_document_id = ?').bind(id))\n    }\n\n    statements.push(this.db.prepare('DELETE FROM document_permissions WHERE root_id = ? AND tenant_id = ?').bind(rootId, tenantId))\n\n    // Delete all version rows.\n    for (const id of docIds) {\n      statements.push(this.db.prepare('DELETE FROM documents WHERE id = ?').bind(id))\n    }\n\n    await this.db.batch(statements)\n  }\n}\n","/**\n * Dynamic RBAC service — document-backed.\n *\n * Roles, verbs, and user-role assignments are stored as `is_auth` documents\n * (slug-addressed) instead of relational tables:\n *   rbac_role        slug = roleId,  data = { name, displayName, description, isSystem, grants:[{resource,verb,scope}] }\n *   rbac_verb        slug = verbId,  data = { name, description, isSystem, sortOrder }\n *   rbac_user_roles  slug = userId,  data = { roleIds:[] }\n * Grants are embedded in the role document (no separate join type); user-role\n * assignments are embedded in a per-user document. Resources are still computed:\n * a fixed set of system resources plus one `document_type:<name>` per type.\n *\n * Wildcards: resource '*' / 'document_type:*', verb '*' / 'manage' (implies all).\n * Scope: 'any' beats 'own' beats 'none'.\n *\n * The public API is unchanged from the relational implementation, so callers\n * (admin-rbac routes, permission checks) need no changes.\n */\nimport { DocumentsService } from './documents'\n\nexport interface RbacRole {\n  id: string\n  name: string\n  display_name: string\n  description: string | null\n  is_system: number\n}\nexport interface RbacVerb {\n  id: string\n  name: string\n  description: string | null\n  is_system: number\n  sort_order: number\n}\nexport interface RbacResource {\n  key: string // e.g. 'content' or 'collection:blog_posts'\n  label: string\n  group: 'system' | 'document_type'\n}\nexport type PermissionScope = 'none' | 'own' | 'any'\nexport interface Grant {\n  role_id: string\n  resource: string\n  verb: string\n  scope: Exclude<PermissionScope, 'none'>\n}\n\ninterface GrantData { resource: string; verb: string; scope?: PermissionScope }\ninterface RoleData { name: string; displayName: string; description?: string | null; isSystem?: boolean; grants?: GrantData[] }\ninterface VerbData { name: string; description?: string | null; isSystem?: boolean; sortOrder?: number }\ninterface UserRolesData { roleIds?: string[] }\ninterface DocRow { id: string; root_id: string; slug: string | null; data: string }\n\nconst TENANT = 'default'\nconst T_ROLE = 'rbac_role'\nconst T_VERB = 'rbac_verb'\nconst T_USER_ROLES = 'rbac_user_roles'\n\nconst SYSTEM_RESOURCES: RbacResource[] = [\n  { key: '*', label: 'All resources', group: 'system' },\n  { key: 'portal', label: 'Admin Portal', group: 'system' },\n  { key: 'dashboard', label: 'Dashboard', group: 'system' },\n  { key: 'rbac', label: 'Roles & Permissions', group: 'system' },\n  { key: 'documents', label: 'Documents', group: 'system' as const },\n  { key: 'document_types', label: 'Document Types', group: 'system' as const },\n  { key: 'email', label: 'Email Management', group: 'system' },\n  { key: 'users', label: 'Users', group: 'system' },\n  { key: 'settings', label: 'Settings', group: 'system' },\n  { key: 'logs', label: 'Logs', group: 'system' },\n]\n\nexport class RbacService {\n  // Precedence for projecting the user's RBAC roles back onto the legacy\n  // users.role compat column (highest privilege first). Only `admin` is\n  // hardcoded as a seeded role — `editor` is listed here purely so that if an\n  // administrator chooses to recreate a role named `editor`, legacy code that\n  // still gates on the `editor` label keeps working.\n  private static readonly LEGACY_ROLE_PRECEDENCE = ['admin', 'editor']\n\n  private _docs?: DocumentsService\n\n  constructor(private db: D1Database, private kv?: KVNamespace) {}\n\n  // ── Document access helpers ──────────────────────────────────────────────────\n\n  private docs(): DocumentsService {\n    if (!this._docs) {\n      this._docs = new DocumentsService(this.db, { tenantId: TENANT, maxVersionsPerRoot: 1, queryableFields: [] })\n    }\n    return this._docs\n  }\n\n  private parse<T>(row: DocRow): { id: string; rootId: string; slug: string; data: T } {\n    let data: T\n    try { data = JSON.parse(row.data) as T } catch { data = {} as T }\n    return { id: row.id, rootId: row.root_id, slug: row.slug ?? '', data }\n  }\n\n  private async listDocs<T>(typeId: string): Promise<Array<{ id: string; rootId: string; slug: string; data: T }>> {\n    const res = await this.db\n      .prepare(\n        `SELECT id, root_id, slug, data FROM documents\n         WHERE type_id = ? AND tenant_id = ? AND is_current_draft = 1 AND deleted_at IS NULL`,\n      )\n      .bind(typeId, TENANT)\n      .all<DocRow>()\n    return (res.results ?? []).map((r) => this.parse<T>(r))\n  }\n\n  private async getDoc<T>(typeId: string, slug: string): Promise<{ id: string; rootId: string; data: T } | null> {\n    const row = await this.db\n      .prepare(\n        `SELECT id, root_id, slug, data FROM documents\n         WHERE type_id = ? AND tenant_id = ? AND slug = ? AND is_current_draft = 1 AND deleted_at IS NULL`,\n      )\n      .bind(typeId, TENANT, slug)\n      .first<DocRow>()\n    return row ? this.parse<T>(row) : null\n  }\n\n  private async upsertDoc(typeId: string, slug: string, data: unknown, title: string | null): Promise<void> {\n    const existing = await this.db\n      .prepare(\n        `SELECT root_id FROM documents\n         WHERE type_id = ? AND tenant_id = ? AND slug = ? AND is_current_draft = 1 AND deleted_at IS NULL`,\n      )\n      .bind(typeId, TENANT, slug)\n      .first<{ root_id: string }>()\n    const payload = data as Record<string, unknown>\n    if (existing?.root_id) {\n      await this.docs().saveDraft(existing.root_id, { data: payload, title })\n    } else {\n      await this.docs().create({\n        typeId,\n        tenantId: TENANT,\n        locale: 'default',\n        parentRootId: '',\n        slug,\n        title,\n        sortOrder: 0,\n        visible: true,\n        data: payload,\n        metadata: {},\n        ownerId: null,\n        publishOnCreate: false,\n      })\n    }\n  }\n\n  private async deleteDoc(typeId: string, slug: string): Promise<void> {\n    const doc = await this.getDoc(typeId, slug)\n    if (doc) await this.docs().softDelete(doc.id)\n  }\n\n  private roleToRow(d: { slug: string; data: RoleData }): RbacRole {\n    return {\n      id: d.slug,\n      name: d.data.name,\n      display_name: d.data.displayName,\n      description: d.data.description ?? null,\n      is_system: d.data.isSystem ? 1 : 0,\n    }\n  }\n\n  // ── Reads ────────────────────────────────────────────────────────────────────\n\n  async getRoles(): Promise<RbacRole[]> {\n    const docs = await this.listDocs<RoleData>(T_ROLE)\n    return docs\n      .map((d) => this.roleToRow(d))\n      .sort((a, b) => b.is_system - a.is_system || a.name.localeCompare(b.name))\n  }\n\n  async getVerbs(): Promise<RbacVerb[]> {\n    const docs = await this.listDocs<VerbData>(T_VERB)\n    return docs\n      .map((d) => ({\n        id: d.slug,\n        name: d.data.name,\n        description: d.data.description ?? null,\n        is_system: d.data.isSystem ? 1 : 0,\n        sort_order: d.data.sortOrder ?? 100,\n      }))\n      .sort((a, b) => a.sort_order - b.sort_order || a.name.localeCompare(b.name))\n  }\n\n  /** System resources + one `document_type:<name>` per active document type. */\n  async getResources(): Promise<RbacResource[]> {\n    const types = (\n      await this.db\n        .prepare('SELECT name, display_name FROM document_types WHERE is_active = 1 ORDER BY name')\n        .all<{ name: string; display_name: string }>()\n    ).results as Array<{ name: string; display_name: string }>\n    const documentTypeResources: RbacResource[] = [\n      { key: 'document_type:*', label: 'All document types', group: 'document_type' },\n      ...types.map((t) => ({\n        key: `document_type:${t.name}`,\n        label: t.display_name || t.name,\n        group: 'document_type' as const,\n      })),\n    ]\n    return [...SYSTEM_RESOURCES, ...documentTypeResources]\n  }\n\n  async getGrants(): Promise<Grant[]> {\n    const roles = await this.listDocs<RoleData>(T_ROLE)\n    const out: Grant[] = []\n    for (const r of roles) {\n      for (const g of r.data.grants ?? []) {\n        out.push({ role_id: r.slug, resource: g.resource, verb: g.verb, scope: g.scope === 'own' ? 'own' : 'any' })\n      }\n    }\n    return out\n  }\n\n  async getRolesForUser(userId: string): Promise<RbacRole[]> {\n    const ur = await this.getDoc<UserRolesData>(T_USER_ROLES, userId)\n    const roleIds = new Set(ur?.data.roleIds ?? [])\n    if (roleIds.size === 0) return []\n    const roles = await this.listDocs<RoleData>(T_ROLE)\n    return roles.filter((r) => roleIds.has(r.slug)).map((d) => this.roleToRow(d))\n  }\n\n  /** Grants attached to a set of role ids (from the embedded role grants). */\n  private async grantsForRoleIds(roleIds: string[]): Promise<Array<{ resource: string; verb: string; scope: PermissionScope }>> {\n    if (roleIds.length === 0) return []\n    const want = new Set(roleIds)\n    const roles = await this.listDocs<RoleData>(T_ROLE)\n    const out: Array<{ resource: string; verb: string; scope: PermissionScope }> = []\n    for (const r of roles) {\n      if (!want.has(r.slug)) continue\n      for (const g of r.data.grants ?? []) {\n        out.push({ resource: g.resource, verb: g.verb, scope: g.scope === 'own' ? 'own' : 'any' })\n      }\n    }\n    return out\n  }\n\n  /** Does a single grant row satisfy the requested (resource, verb)? */\n  private grantMatches(g: { resource: string; verb: string }, resource: string, verb: string): boolean {\n    const resourceOk =\n      g.resource === '*' ||\n      g.resource === resource ||\n      (g.resource === 'document_type:*' && resource.startsWith('document_type:'))\n    if (!resourceOk) return false\n    return g.verb === '*' || g.verb === verb || g.verb === 'manage'\n  }\n\n  private strongestScope(scopes: PermissionScope[]): PermissionScope {\n    if (scopes.includes('any')) return 'any'\n    if (scopes.includes('own')) return 'own'\n    return 'none'\n  }\n\n  /** Can the user perform `verb` on `resource`? Reads the live grant matrix. */\n  async can(userId: string, resource: string, verb: string): Promise<boolean> {\n    return (await this.getPermissionScope(userId, resource, verb)) !== 'none'\n  }\n\n  /** Highest scope granted to the user for `resource:verb`. */\n  async getPermissionScope(userId: string, resource: string, verb: string): Promise<PermissionScope> {\n    const ur = await this.getDoc<UserRolesData>(T_USER_ROLES, userId)\n    const grants = await this.grantsForRoleIds(ur?.data.roleIds ?? [])\n    return this.strongestScope(\n      grants.filter((g) => this.grantMatches(g, resource, verb)).map((g) => (g.scope === 'own' ? 'own' : 'any')),\n    )\n  }\n\n  /** Flattened, human-readable permission list for a user. Cached in KV for 60 s. */\n  async permissionsForUser(userId: string): Promise<string[]> {\n    if (this.kv) {\n      const cached = await this.kv.get(`rbac:perms:${userId}`)\n      if (cached !== null) return JSON.parse(cached) as string[]\n    }\n    const ur = await this.getDoc<UserRolesData>(T_USER_ROLES, userId)\n    const roleIds = ur?.data.roleIds ?? []\n    if (roleIds.length === 0) return []\n    const grants = await this.grantsForRoleIds(roleIds)\n    const resources = await this.getResources()\n    const verbs = await this.getVerbs()\n    const out = new Set<string>()\n    for (const r of resources) {\n      for (const v of verbs) {\n        if (grants.some((g) => this.grantMatches(g, r.key, v.name))) out.add(`${r.key}:${v.name}`)\n      }\n    }\n    const result = [...out].sort()\n    if (this.kv) {\n      await this.kv.put(`rbac:perms:${userId}`, JSON.stringify(result), { expirationTtl: 60 })\n    }\n    return result\n  }\n\n  // ── Mutations ──────────────────────────────────────────────────────────────\n\n  async createRole(name: string, displayName: string, description = ''): Promise<void> {\n    const slug = name.toLowerCase().replace(/[^a-z0-9]+/g, '-')\n    const id = `role-${slug}`\n    await this.upsertDoc(\n      T_ROLE,\n      id,\n      { name: name.toLowerCase(), displayName, description, isSystem: false, grants: [] } satisfies RoleData,\n      displayName,\n    )\n  }\n\n  async deleteRole(roleId: string): Promise<void> {\n    const role = await this.getDoc<RoleData>(T_ROLE, roleId)\n    if (!role || role.data.isSystem) return // System roles cannot be deleted.\n    await this.deleteDoc(T_ROLE, roleId)\n  }\n\n  /**\n   * Update a role's display name and description. The `name` (slug) can only be\n   * changed for custom roles — system role names are referenced by the legacy\n   * mapping, so they stay fixed.\n   */\n  async updateRole(roleId: string, displayName: string, description = '', name?: string): Promise<void> {\n    const role = await this.getDoc<RoleData>(T_ROLE, roleId)\n    if (!role) return\n    const next: RoleData = { ...role.data, displayName, description }\n    if (!role.data.isSystem && name) {\n      next.name = name.toLowerCase().replace(/[^a-z0-9]+/g, '-')\n    }\n    await this.upsertDoc(T_ROLE, roleId, next, displayName)\n  }\n\n  /** Update displayName + portal access in a single write to avoid double-saveDraft FK issues. */\n  async updateRoleAndPortalAccess(\n    roleId: string,\n    displayName: string,\n    name: string | undefined,\n    portalEnabled: boolean,\n    description?: string,\n  ): Promise<void> {\n    const role = await this.getDoc<RoleData>(T_ROLE, roleId)\n    if (!role) return\n    const next: RoleData = { ...role.data, displayName, description: description ?? role.data.description ?? '' }\n    if (!role.data.isSystem && name) {\n      next.name = name.toLowerCase().replace(/[^a-z0-9]+/g, '-')\n    }\n    const grants = (next.grants ?? []).filter((g) => !(g.resource === 'portal' && g.verb === 'access'))\n    if (portalEnabled) grants.push({ resource: 'portal', verb: 'access', scope: 'any' })\n    next.grants = grants\n    await this.upsertDoc(T_ROLE, roleId, next, displayName)\n  }\n\n  async createVerb(name: string, description = ''): Promise<void> {\n    const slug = name.toLowerCase().replace(/[^a-z0-9]+/g, '-')\n    const id = `verb-${slug}`\n    await this.upsertDoc(\n      T_VERB,\n      id,\n      { name: name.toLowerCase(), description, isSystem: false, sortOrder: 100 } satisfies VerbData,\n      name,\n    )\n  }\n\n  async deleteVerb(verbId: string): Promise<void> {\n    const verb = await this.getDoc<VerbData>(T_VERB, verbId)\n    if (!verb || verb.data.isSystem) return\n    await this.deleteDoc(T_VERB, verbId)\n  }\n\n  /** Replace all grants for one role with the supplied (resource, verb, scope) rows. */\n  async setRoleGrants(\n    roleId: string,\n    pairs: Array<{ resource: string; verb: string; scope?: Exclude<PermissionScope, 'none'> }>,\n  ): Promise<void> {\n    const role = await this.getDoc<RoleData>(T_ROLE, roleId)\n    if (!role) return\n    const grants: GrantData[] = pairs.map((p) => ({ resource: p.resource, verb: p.verb, scope: p.scope === 'own' ? 'own' : 'any' }))\n    await this.upsertDoc(T_ROLE, roleId, { ...role.data, grants } satisfies RoleData, role.data.displayName)\n  }\n\n  /**\n   * Count active users (optionally excluding one) who hold BOTH an effective\n   * portal:access grant and an effective rbac:manage grant — the users who could\n   * recover from a permission lockout. Powers the self-lockout guard.\n   */\n  async countPortalAdmins(excludeUserId?: string): Promise<number> {\n    const active = (\n      await this.db.prepare('SELECT id FROM auth_user WHERE is_active = 1').all<{ id: string }>()\n    ).results as Array<{ id: string }>\n    const activeIds = new Set(active.map((u) => u.id))\n\n    // role id -> its grants\n    const roles = await this.listDocs<RoleData>(T_ROLE)\n    const grantsByRole = new Map<string, GrantData[]>(roles.map((r) => [r.slug, r.data.grants ?? []]))\n\n    const userRoles = await this.listDocs<UserRolesData>(T_USER_ROLES)\n    let count = 0\n    for (const ur of userRoles) {\n      const userId = ur.slug\n      if (!activeIds.has(userId)) continue\n      if (excludeUserId && userId === excludeUserId) continue\n      let portal = false\n      let rbac = false\n      for (const rid of ur.data.roleIds ?? []) {\n        for (const g of grantsByRole.get(rid) ?? []) {\n          if (this.grantMatches(g, 'portal', 'access')) portal = true\n          if (this.grantMatches(g, 'rbac', 'manage')) rbac = true\n        }\n      }\n      if (portal && rbac) count++\n    }\n    return count\n  }\n\n  /**\n   * Replace a user's RBAC role assignments. The `rbac_user_roles` document is the\n   * single source of truth for authorization; the legacy `auth_user.role` column\n   * is kept as a derived projection (highest-precedence system role, else\n   * 'viewer') so the two never diverge.\n   */\n  async setUserRoles(userId: string, roleIds: string[]): Promise<void> {\n    const allRoles = await this.listDocs<RoleData>(T_ROLE)\n    const byId = new Map(allRoles.map((r) => [r.slug, r.data]))\n    const names = roleIds.map((id) => byId.get(id)?.name).filter((n): n is string => !!n)\n    const primaryRole = RbacService.LEGACY_ROLE_PRECEDENCE.find((r) => names.includes(r)) || 'viewer'\n\n    // Self-lockout guard: never leave zero active users who can BOTH enter the\n    // portal and manage RBAC (the minimum needed to recover).\n    const newGrants: GrantData[] = []\n    for (const id of roleIds) for (const g of byId.get(id)?.grants ?? []) newGrants.push(g)\n    const userWillBeAdmin =\n      newGrants.some((g) => this.grantMatches(g, 'portal', 'access')) &&\n      newGrants.some((g) => this.grantMatches(g, 'rbac', 'manage'))\n    if (!userWillBeAdmin && (await this.countPortalAdmins(userId)) === 0) {\n      throw new Error(\n        'Refusing to update roles: this would leave no user able to manage Roles & Permissions and access the portal. Grant another user portal access + Roles & Permissions first.',\n      )\n    }\n\n    await this.upsertDoc(T_USER_ROLES, userId, { roleIds } satisfies UserRolesData, null)\n    // Keep the legacy auth_user.role column in lockstep as a projection of RBAC.\n    await this.db.prepare('UPDATE auth_user SET role = ?, updated_at = ? WHERE id = ?').bind(primaryRole, Date.now(), userId).run()\n    if (this.kv) await this.kv.delete(`rbac:perms:${userId}`)\n  }\n\n  async setRolePortalAccess(roleId: string, enabled: boolean): Promise<void> {\n    const role = await this.getDoc<RoleData>(T_ROLE, roleId)\n    if (!role) return\n    const grants = (role.data.grants ?? []).filter((g) => !(g.resource === 'portal' && g.verb === 'access'))\n    if (enabled) grants.push({ resource: 'portal', verb: 'access', scope: 'any' })\n    await this.upsertDoc(T_ROLE, roleId, { ...role.data, grants } satisfies RoleData, role.data.displayName)\n  }\n\n  // ── Bootstrap helpers ────────────────────────────────────────────────────────\n\n  /**\n   * Seed the system roles, verbs, and their grants as documents. Idempotent —\n   * existing roles/verbs (by slug) are left untouched. Replaces the INSERT OR\n   * IGNORE seeds that lived in migration 0001. Call at bootstrap, after the rbac\n   * document types are registered.\n   */\n  async ensureSystemRbacSeed(): Promise<void> {\n    // `admin` is the only hardcoded SYSTEM role (locked, undeletable). `editor`\n    // is seeded as a non-system example so a fresh install has a usable second\n    // role out of the box, but an administrator can edit, rename, or delete it.\n    const roles: Array<RoleData & { id: string }> = [\n      { id: 'role-admin', name: 'admin', displayName: 'Administrator', description: 'Full access to everything', isSystem: true,\n        grants: [\n          { resource: '*', verb: 'manage' }, { resource: 'portal', verb: 'access' }, { resource: 'rbac', verb: 'manage' },\n          { resource: 'document_types', verb: 'manage' }, { resource: 'email', verb: 'manage' }, { resource: 'users', verb: 'manage' },\n        ] },\n      { id: 'role-editor', name: 'editor', displayName: 'Editor', description: 'Manage documents across all types', isSystem: false,\n        grants: [\n          { resource: 'portal', verb: 'access' },\n          { resource: 'documents', verb: 'manage' },\n          { resource: 'document_type:*', verb: 'read' },\n          { resource: 'document_type:*', verb: 'create' },\n          { resource: 'document_type:*', verb: 'update' },\n          { resource: 'document_type:*', verb: 'delete' },\n          { resource: 'settings', verb: 'read' },\n        ] },\n    ]\n    const verbs: Array<VerbData & { id: string }> = [\n      { id: 'verb-access', name: 'access', description: 'Enter or use a portal/resource', isSystem: true, sortOrder: 5 },\n      { id: 'verb-read', name: 'read', description: 'View a resource', isSystem: true, sortOrder: 10 },\n      { id: 'verb-create', name: 'create', description: 'Create a resource', isSystem: true, sortOrder: 20 },\n      { id: 'verb-update', name: 'update', description: 'Edit a resource', isSystem: true, sortOrder: 30 },\n      { id: 'verb-delete', name: 'delete', description: 'Remove a resource', isSystem: true, sortOrder: 40 },\n      { id: 'verb-manage', name: 'manage', description: 'Full control (implies all verbs)', isSystem: true, sortOrder: 50 },\n    ]\n\n    for (const r of roles) {\n      if (await this.getDoc(T_ROLE, r.id)) continue\n      const { id, ...data } = r\n      await this.upsertDoc(T_ROLE, id, data, r.displayName)\n    }\n    for (const v of verbs) {\n      if (await this.getDoc(T_VERB, v.id)) continue\n      const { id, ...data } = v\n      await this.upsertDoc(T_VERB, id, data, v.name)\n    }\n  }\n\n  /** Assign a role to a user by role name (e.g. 'admin'), preserving existing roles. */\n  async addUserRoleByName(userId: string, roleName: string): Promise<void> {\n    const roles = await this.listDocs<RoleData>(T_ROLE)\n    const role = roles.find((r) => r.data.name === roleName.toLowerCase())\n    if (!role) return\n    const ur = await this.getDoc<UserRolesData>(T_USER_ROLES, userId)\n    const roleIds = new Set(ur?.data.roleIds ?? [])\n    if (roleIds.has(role.slug)) return\n    roleIds.add(role.slug)\n    await this.setUserRoles(userId, [...roleIds])\n  }\n}\n"]}

package/dist/chunk-2JTWQZHG.cjs

@@ -0,0 +1,276 @@
+'use strict';
+
+// src/db/migrations-bundle.ts
+var bundledMigrations = [
+  {
+    id: "0001",
+    name: "Core",
+    filename: "0001_core.sql",
+    description: "Migration 0001: Core",
+    sql: "-- Migration 0001: Auth tables\n-- auth_user, auth_session, auth_account, auth_verification + BA plugin tables + RBAC + auth support.\n-- Only auth_* prefixed tables live here. All content lives in document_* tables (0002_documents.sql).\n\n-- \u2500\u2500 auth_user \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n-- BA user model + SonicJS domain columns as BA additionalFields.\nCREATE TABLE IF NOT EXISTS auth_user (\n  id TEXT PRIMARY KEY,\n  name TEXT,\n  email TEXT NOT NULL UNIQUE,\n  email_verified INTEGER NOT NULL DEFAULT 0,\n  image TEXT,\n  created_at INTEGER NOT NULL,\n  updated_at INTEGER NOT NULL,\n  -- SonicJS additionalFields\n  first_name TEXT NOT NULL,\n  last_name TEXT NOT NULL,\n  role TEXT NOT NULL DEFAULT 'viewer',\n  -- Platform super-admin: bypasses the multi-tenant membership gate, uses global roles in every\n  -- tenant. Opt-in (default 0); intentionally NOT derived from the 'admin' role.\n  is_super_admin INTEGER NOT NULL DEFAULT 0,\n  avatar TEXT,\n  password_hash TEXT,\n  is_active INTEGER NOT NULL DEFAULT 1,\n  last_login_at INTEGER,\n  phone TEXT,\n  bio TEXT,\n  timezone TEXT DEFAULT 'UTC',\n  language TEXT DEFAULT 'en',\n  email_notifications INTEGER DEFAULT 1,\n  theme TEXT DEFAULT 'dark',\n  invitation_token TEXT,\n  invited_by TEXT,\n  invited_at INTEGER,\n  accepted_invitation_at INTEGER,\n  failed_login_count INTEGER NOT NULL DEFAULT 0,\n  locked_until INTEGER\n);\n\nCREATE INDEX IF NOT EXISTS idx_auth_user_email ON auth_user(email);\nCREATE INDEX IF NOT EXISTS idx_auth_user_role ON auth_user(role);\nCREATE INDEX IF NOT EXISTS idx_auth_user_invitation_token ON auth_user(invitation_token);\nCREATE INDEX IF NOT EXISTS idx_auth_user_locked_until ON auth_user(locked_until) WHERE locked_until IS NOT NULL;\n\n-- \u2500\u2500 auth_session \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nCREATE TABLE IF NOT EXISTS auth_session (\n  id TEXT PRIMARY KEY,\n  user_id TEXT NOT NULL REFERENCES auth_user(id) ON DELETE CASCADE,\n  token TEXT NOT NULL UNIQUE,\n  expires_at INTEGER NOT NULL,\n  ip_address TEXT,\n  user_agent TEXT,\n  created_at INTEGER NOT NULL,\n  updated_at INTEGER NOT NULL\n);\nCREATE INDEX IF NOT EXISTS idx_auth_session_user_id ON auth_session(user_id);\nCREATE INDEX IF NOT EXISTS idx_auth_session_token ON auth_session(token);\nCREATE INDEX IF NOT EXISTS idx_auth_session_expires_at ON auth_session(expires_at);\n\n-- \u2500\u2500 auth_account \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nCREATE TABLE IF NOT EXISTS auth_account (\n  id TEXT PRIMARY KEY,\n  user_id TEXT NOT NULL REFERENCES auth_user(id) ON DELETE CASCADE,\n  account_id TEXT NOT NULL,\n  provider_id TEXT NOT NULL,\n  access_token TEXT,\n  refresh_token TEXT,\n  access_token_expires_at INTEGER,\n  refresh_token_expires_at INTEGER,\n  scope TEXT,\n  id_token TEXT,\n  password TEXT,\n  created_at INTEGER NOT NULL,\n  updated_at INTEGER NOT NULL\n);\nCREATE INDEX IF NOT EXISTS idx_auth_account_user_id ON auth_account(user_id);\nCREATE INDEX IF NOT EXISTS idx_auth_account_provider ON auth_account(provider_id, account_id);\n\n-- \u2500\u2500 auth_verification \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n-- Covers email verification, password reset, magic-link tokens, OTP codes.\nCREATE TABLE IF NOT EXISTS auth_verification (\n  id TEXT PRIMARY KEY,\n  identifier TEXT NOT NULL,\n  value TEXT NOT NULL,\n  expires_at INTEGER NOT NULL,\n  created_at INTEGER NOT NULL,\n  updated_at INTEGER NOT NULL\n);\nCREATE INDEX IF NOT EXISTS idx_auth_verification_identifier ON auth_verification(identifier);\n\n-- \u2500\u2500 BA plugin tables \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\nCREATE TABLE IF NOT EXISTS auth_two_factor (\n  id           TEXT PRIMARY KEY,\n  secret       TEXT NOT NULL,\n  backup_codes TEXT NOT NULL,\n  user_id      TEXT NOT NULL REFERENCES auth_user(id) ON DELETE CASCADE,\n  verified     INTEGER NOT NULL DEFAULT 1,\n  created_at   INTEGER NOT NULL,\n  updated_at   INTEGER NOT NULL\n);\nCREATE INDEX IF NOT EXISTS idx_auth_two_factor_user_id ON auth_two_factor(user_id);\n\nCREATE TABLE IF NOT EXISTS auth_tenant (\n  id         TEXT PRIMARY KEY,\n  name       TEXT NOT NULL,\n  slug       TEXT NOT NULL UNIQUE,\n  logo       TEXT,\n  metadata   TEXT,\n  -- SonicJS tenant-resolution fields (BA organization additionalFields):\n  status     TEXT NOT NULL DEFAULT 'active',\n  domain     TEXT,\n  notes      TEXT NOT NULL DEFAULT '',\n  created_at INTEGER NOT NULL,\n  updated_at INTEGER NOT NULL\n);\nCREATE INDEX IF NOT EXISTS idx_auth_tenant_domain ON auth_tenant(domain);\n\nCREATE TABLE IF NOT EXISTS auth_tenant_member (\n  id        TEXT PRIMARY KEY,\n  tenant_id TEXT NOT NULL REFERENCES auth_tenant(id) ON DELETE CASCADE,\n  user_id   TEXT NOT NULL REFERENCES auth_user(id)   ON DELETE CASCADE,\n  role      TEXT NOT NULL DEFAULT 'member',\n  email     TEXT,\n  created_at INTEGER NOT NULL,\n  updated_at INTEGER NOT NULL,\n  UNIQUE(tenant_id, user_id)\n);\nCREATE INDEX IF NOT EXISTS idx_auth_tenant_member_tenant ON auth_tenant_member(tenant_id);\nCREATE INDEX IF NOT EXISTS idx_auth_tenant_member_user   ON auth_tenant_member(user_id);\n\nCREATE TABLE IF NOT EXISTS auth_tenant_invitation (\n  id         TEXT PRIMARY KEY,\n  tenant_id  TEXT NOT NULL REFERENCES auth_tenant(id) ON DELETE CASCADE,\n  email      TEXT NOT NULL,\n  role       TEXT NOT NULL DEFAULT 'member',\n  status     TEXT NOT NULL DEFAULT 'pending',\n  expires_at INTEGER NOT NULL,\n  inviter_id TEXT REFERENCES auth_user(id) ON DELETE SET NULL,\n  created_at INTEGER NOT NULL,\n  updated_at INTEGER NOT NULL\n);\nCREATE INDEX IF NOT EXISTS idx_auth_tenant_invitation_tenant ON auth_tenant_invitation(tenant_id);\nCREATE INDEX IF NOT EXISTS idx_auth_tenant_invitation_email  ON auth_tenant_invitation(email);\n\nCREATE TABLE IF NOT EXISTS auth_tenant_team (\n  id        TEXT PRIMARY KEY,\n  name      TEXT NOT NULL,\n  tenant_id TEXT NOT NULL REFERENCES auth_tenant(id) ON DELETE CASCADE,\n  created_at INTEGER NOT NULL,\n  updated_at INTEGER NOT NULL\n);\n\n-- \u2500\u2500 RBAC \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n-- RBAC roles, verbs, and user-role assignments are document-backed (is_auth doc\n-- types rbac_role / rbac_verb / rbac_user_roles \u2014 see services/rbac.ts). The\n-- system roles/verbs/grants are seeded at bootstrap by RbacService.ensureSystemRbacSeed().\n-- No auth_rbac_* tables.\n\n-- \u2500\u2500 Auth support tables \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nCREATE TABLE IF NOT EXISTS auth_password_history (\n  id TEXT PRIMARY KEY,\n  user_id TEXT NOT NULL REFERENCES auth_user(id) ON DELETE CASCADE,\n  password_hash TEXT NOT NULL,\n  created_at INTEGER NOT NULL\n);\nCREATE INDEX IF NOT EXISTS idx_auth_password_history_user_id ON auth_password_history(user_id);\n\nCREATE TABLE IF NOT EXISTS auth_api_tokens (\n  id TEXT PRIMARY KEY,\n  name TEXT NOT NULL,\n  token TEXT NOT NULL UNIQUE,\n  user_id TEXT NOT NULL REFERENCES auth_user(id),\n  permissions TEXT NOT NULL,\n  expires_at INTEGER,\n  last_used_at INTEGER,\n  created_at INTEGER NOT NULL\n);\nCREATE INDEX IF NOT EXISTS idx_auth_api_tokens_user ON auth_api_tokens(user_id);\nCREATE INDEX IF NOT EXISTS idx_auth_api_tokens_token ON auth_api_tokens(token);\n\n-- User profiles moved to the document model: a `user_profile` document (is_auth type),\n-- one per user, addressed by slug = userId. See services/document-types-seed.ts and\n-- plugins/core-plugins/user-profiles/user-profile-document.ts. No auth_user_profiles table.\n"
+  },
+  {
+    id: "0002",
+    name: "Documents",
+    filename: "0002_documents.sql",
+    description: "Migration 0002: Documents",
+    sql: "-- Migration 0002: Document Schema (v3 greenfield)\n-- Contains only the new document data model tables, generated columns, and indexes.\n\n-- Document type registry\nCREATE TABLE IF NOT EXISTS document_types (\n  id TEXT PRIMARY KEY,\n  name TEXT NOT NULL UNIQUE,\n  display_name TEXT NOT NULL,\n  description TEXT,\n  schema TEXT NOT NULL DEFAULT '{}',\n  queryable_fields TEXT NOT NULL DEFAULT '[]',\n  settings TEXT NOT NULL DEFAULT '{}',\n  plugin_id TEXT,\n  source TEXT NOT NULL DEFAULT 'code' CHECK (source IN ('code', 'plugin', 'system')),\n  schema_version INTEGER NOT NULL DEFAULT 1,\n  is_system INTEGER NOT NULL DEFAULT 0,\n  is_active INTEGER NOT NULL DEFAULT 1,\n  is_auth INTEGER NOT NULL DEFAULT 0,\n  created_at INTEGER NOT NULL DEFAULT (unixepoch()),\n  updated_at INTEGER NOT NULL DEFAULT (unixepoch())\n);\n\nCREATE INDEX IF NOT EXISTS idx_document_types_plugin ON document_types(plugin_id);\nCREATE INDEX IF NOT EXISTS idx_document_types_active ON document_types(is_active);\n\n-- Documents: canonical document rows and historical versions.\nCREATE TABLE IF NOT EXISTS documents (\n  id TEXT PRIMARY KEY,\n  root_id TEXT NOT NULL,\n  type_id TEXT NOT NULL REFERENCES document_types(id),\n  type_version INTEGER NOT NULL DEFAULT 1,\n\n  version_of_id TEXT REFERENCES documents(id),\n  version_number INTEGER NOT NULL DEFAULT 1,\n\n  is_current_draft INTEGER NOT NULL DEFAULT 1,\n  is_published INTEGER NOT NULL DEFAULT 0,\n  status TEXT NOT NULL DEFAULT 'draft' CHECK (status IN ('draft', 'published', 'archived')),\n\n  parent_root_id TEXT NOT NULL DEFAULT '',\n  slug TEXT,\n  path TEXT,\n  title TEXT,\n  zone TEXT,\n  sort_order INTEGER NOT NULL DEFAULT 0,\n  visible INTEGER NOT NULL DEFAULT 1,\n\n  published_at INTEGER,\n  scheduled_at INTEGER,\n  expires_at INTEGER,\n  deleted_at INTEGER,\n\n  tenant_id TEXT NOT NULL DEFAULT 'default',\n  locale TEXT NOT NULL DEFAULT 'default',\n  translation_group_id TEXT NOT NULL DEFAULT '',\n\n  data TEXT NOT NULL DEFAULT '{}',\n  metadata TEXT NOT NULL DEFAULT '{}',\n\n  owner_id TEXT,\n  created_by TEXT,\n  updated_by TEXT,\n  created_at INTEGER NOT NULL DEFAULT (unixepoch()),\n  updated_at INTEGER NOT NULL DEFAULT (unixepoch())\n);\n\n-- Queryable scalar fields (VIRTUAL generated columns) and their q_* filter indexes\n-- are AUTO-GENERATED at runtime from each document type's queryableFields config \u2014\n-- see DocumentTypeRegistry.register() -> ensureScalarSchema() (document-scalar-schema.ts).\n-- Do not hand-add q_* columns/indexes here; declare the field in the type instead.\n\n-- Revision chain\nCREATE INDEX IF NOT EXISTS idx_documents_root ON documents(root_id, version_number DESC);\n\n-- List / lifecycle\nCREATE INDEX IF NOT EXISTS idx_documents_published ON documents(tenant_id, type_id, locale, is_published)\n  WHERE is_published = 1 AND deleted_at IS NULL;\nCREATE INDEX IF NOT EXISTS idx_documents_drafts ON documents(tenant_id, type_id, status, is_current_draft)\n  WHERE is_current_draft = 1;\nCREATE INDEX IF NOT EXISTS idx_documents_parent ON documents(tenant_id, parent_root_id, sort_order, is_published);\nCREATE INDEX IF NOT EXISTS idx_documents_path ON documents(tenant_id, path);\nCREATE INDEX IF NOT EXISTS idx_documents_translation ON documents(translation_group_id, locale);\nCREATE INDEX IF NOT EXISTS idx_documents_deleted ON documents(deleted_at);\nCREATE INDEX IF NOT EXISTS idx_documents_scheduled ON documents(scheduled_at) WHERE scheduled_at IS NOT NULL;\nCREATE INDEX IF NOT EXISTS idx_documents_expires ON documents(expires_at) WHERE expires_at IS NOT NULL;\n\n-- Stable keyset/cursor pagination for published lists\nCREATE INDEX IF NOT EXISTS idx_documents_published_cursor\n  ON documents(tenant_id, type_id, updated_at DESC, id DESC)\n  WHERE is_published = 1 AND deleted_at IS NULL;\n\n-- (q_* generated-column filter indexes are auto-created at runtime \u2014 see note above.)\n\n-- Partial unique indexes: the hard concurrency guarantees for draft/publish invariants.\nCREATE UNIQUE INDEX IF NOT EXISTS idx_documents_one_current_draft\n  ON documents(root_id) WHERE is_current_draft = 1;\nCREATE UNIQUE INDEX IF NOT EXISTS idx_documents_one_published\n  ON documents(root_id) WHERE is_published = 1;\nCREATE UNIQUE INDEX IF NOT EXISTS idx_documents_unique_version\n  ON documents(root_id, version_number);\nCREATE UNIQUE INDEX IF NOT EXISTS idx_documents_unique_slug\n  ON documents(tenant_id, locale, type_id, parent_root_id, slug)\n  WHERE is_current_draft = 1 AND deleted_at IS NULL AND slug IS NOT NULL;\nCREATE UNIQUE INDEX IF NOT EXISTS idx_documents_one_translation_per_locale\n  ON documents(tenant_id, translation_group_id, locale)\n  WHERE is_current_draft = 1 AND translation_group_id <> '';\n\n-- Document references: typed document-to-document edges.\nCREATE TABLE IF NOT EXISTS document_references (\n  id TEXT PRIMARY KEY,\n  tenant_id TEXT NOT NULL,\n  from_root_id TEXT NOT NULL,\n  from_document_id TEXT NOT NULL REFERENCES documents(id) ON DELETE CASCADE,\n  field_name TEXT NOT NULL,\n  ordinal INTEGER NOT NULL DEFAULT 0,\n  to_root_id TEXT NOT NULL,\n  ref_strength TEXT NOT NULL DEFAULT 'weak' CHECK (ref_strength IN ('strong', 'weak')),\n  created_at INTEGER NOT NULL DEFAULT (unixepoch())\n);\n\nCREATE INDEX IF NOT EXISTS idx_docref_to   ON document_references(tenant_id, to_root_id);\nCREATE INDEX IF NOT EXISTS idx_docref_from ON document_references(from_document_id);\nCREATE UNIQUE INDEX IF NOT EXISTS idx_docref_unique\n  ON document_references(from_document_id, field_name, ordinal);\n\n-- Document facets: indexed rows for multi-valued scalar fields (e.g. tags arrays).\nCREATE TABLE IF NOT EXISTS document_facets (\n  id TEXT PRIMARY KEY,\n  tenant_id TEXT NOT NULL,\n  document_id TEXT NOT NULL REFERENCES documents(id) ON DELETE CASCADE,\n  root_id TEXT NOT NULL,\n  type_id TEXT NOT NULL,\n  field_name TEXT NOT NULL,\n  ordinal INTEGER NOT NULL DEFAULT 0,\n  value_text TEXT,\n  value_number REAL,\n  created_at INTEGER NOT NULL DEFAULT (unixepoch())\n);\n\nCREATE INDEX IF NOT EXISTS idx_facets_lookup ON document_facets(tenant_id, type_id, field_name, value_text);\nCREATE INDEX IF NOT EXISTS idx_facets_doc    ON document_facets(document_id);\nCREATE UNIQUE INDEX IF NOT EXISTS idx_facets_unique\n  ON document_facets(document_id, field_name, ordinal);\n\n-- Document permissions: per-document ACL overrides.\nCREATE TABLE IF NOT EXISTS document_permissions (\n  id TEXT PRIMARY KEY,\n  tenant_id TEXT NOT NULL,\n  root_id TEXT NOT NULL,\n  principal_type TEXT NOT NULL CHECK (principal_type IN ('user', 'role', 'group', 'public', 'token')),\n  principal_id TEXT NOT NULL,\n  permission TEXT NOT NULL CHECK (permission IN ('read', 'create', 'update', 'delete', 'publish', 'manage')),\n  effect TEXT NOT NULL DEFAULT 'allow' CHECK (effect IN ('allow', 'deny')),\n  inherited INTEGER NOT NULL DEFAULT 0,\n  created_at INTEGER NOT NULL DEFAULT (unixepoch()),\n  created_by TEXT\n);\n\nCREATE INDEX IF NOT EXISTS idx_document_permissions_root ON document_permissions(tenant_id, root_id);\nCREATE INDEX IF NOT EXISTS idx_document_permissions_principal\n  ON document_permissions(tenant_id, principal_type, principal_id, permission);\nCREATE UNIQUE INDEX IF NOT EXISTS idx_document_permissions_unique\n  ON document_permissions(root_id, principal_type, principal_id, permission);\n"
+  }
+];
+new Map(
+  bundledMigrations.map((m) => [m.id, m])
+);
+
+// src/services/document-scalar-schema.ts
+var SAFE_IDENTIFIER = /^[a-z_][a-z0-9_]*$/;
+function affinity(type) {
+  if (type === "number") return "REAL";
+  if (type === "integer" || type === "boolean" || type === "date") return "INTEGER";
+  return "TEXT";
+}
+var slug = (s) => s.toLowerCase().replace(/[^a-z0-9]+/g, "_").replace(/^_+|_+$/g, "");
+function resolveColumn(typeId, f) {
+  if (f.column) return f.column;
+  const name = `q_${slug(typeId)}_${slug(f.name)}`;
+  return name.length <= 60 ? name : `q_${slug(typeId).slice(0, 20)}_${slug(f.name).slice(0, 20)}`;
+}
+async function ensureScalarSchema(db, typeId, fields) {
+  const scalars = fields.filter((f) => f.kind === "scalar");
+  if (scalars.length === 0) return [];
+  let existing = /* @__PURE__ */ new Set();
+  try {
+    const info = await db.prepare("SELECT name FROM pragma_table_xinfo('documents')").all();
+    existing = new Set((info?.results ?? []).map((r) => r.name));
+  } catch {
+  }
+  const added = [];
+  for (const f of scalars) {
+    const col = resolveColumn(typeId, f);
+    if (!SAFE_IDENTIFIER.test(col)) {
+      console.error(`[scalar-schema] unsafe column name '${col}' for ${typeId}.${f.name} \u2014 skipped`);
+      continue;
+    }
+    const path = f.path ?? `$.${f.name}`;
+    if (path.includes("'")) {
+      console.error(`[scalar-schema] unsafe json path for ${col} (${typeId}.${f.name}) \u2014 skipped`);
+      continue;
+    }
+    if (!existing.has(col)) {
+      try {
+        await db.prepare(`ALTER TABLE documents ADD COLUMN ${col} ${affinity(f.type)} AS (json_extract(data, '${path}')) VIRTUAL`).run();
+        added.push(col);
+        console.log(`[scalar-schema] added documents.${col} for type '${typeId}'`);
+      } catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        if (!msg.includes("duplicate column name")) {
+          console.error(`[scalar-schema] failed to add documents.${col}:`, msg);
+          continue;
+        }
+      }
+    }
+    try {
+      await db.prepare(`CREATE INDEX IF NOT EXISTS idx_${col} ON documents(tenant_id, type_id, ${col}, updated_at DESC, id DESC)`).run();
+    } catch (error) {
+      console.error(`[scalar-schema] failed to create idx_${col}:`, error instanceof Error ? error.message : String(error));
+    }
+  }
+  return added;
+}
+
+// src/services/migrations.ts
+var MigrationService = class {
+  constructor(db) {
+    this.db = db;
+  }
+  /**
+   * Cloudflare D1 owns migration bookkeeping through `d1_migrations`.
+   * SonicJS intentionally does not create its own tracking table.
+   */
+  async initializeMigrationsTable() {
+  }
+  /**
+   * Get all available migrations from the bundled migrations
+   */
+  async getAvailableMigrations() {
+    const migrations = [];
+    const appliedMigrations = await this.getD1AppliedMigrations();
+    await this.ensureSchemaCompatibility();
+    for (const bundled of bundledMigrations) {
+      const applied = appliedMigrations.has(bundled.id);
+      const appliedData = appliedMigrations.get(bundled.id);
+      migrations.push({
+        id: bundled.id,
+        name: bundled.name,
+        filename: bundled.filename,
+        description: bundled.description,
+        applied,
+        appliedAt: applied ? appliedData?.applied_at : void 0,
+        size: bundled.sql.length
+      });
+    }
+    return migrations;
+  }
+  /**
+   * Read Wrangler/D1's canonical migration table. If the table is absent, no
+   * migrations have been applied by the supported migration runner yet.
+   */
+  async getD1AppliedMigrations() {
+    try {
+      const appliedResult = await this.db.prepare(
+        "SELECT name, applied_at FROM d1_migrations ORDER BY applied_at ASC"
+      ).all();
+      return new Map(
+        (appliedResult.results ?? []).map((row) => {
+          const filename = String(row.name ?? "");
+          const id = filename.match(/^(\d+)/)?.[1];
+          if (!id) return null;
+          return [id, {
+            id,
+            name: filename,
+            filename,
+            applied_at: row.applied_at
+          }];
+        }).filter((entry) => entry !== null)
+      );
+    } catch (error) {
+      return /* @__PURE__ */ new Map();
+    }
+  }
+  /**
+   * Run idempotent compatibility repairs that are safe outside migration state.
+   */
+  async ensureSchemaCompatibility() {
+    if (await this.checkTablesExist(["documents"])) {
+      await this.ensureDocumentGeneratedColumns();
+    }
+  }
+  /**
+   * Ensure the `documents` table exposes every queryable VIRTUAL generated column + index (D45).
+   * Data-driven repair: reconciles from each active type's `queryable_fields` rather than a hardcoded
+   * list, so it stays in sync with whatever types are registered. Generation of these columns is owned
+   * by DocumentTypeRegistry.register() (via ensureScalarSchema); this pass is a bootstrap safety net for
+   * a DB that has document_types rows but lost columns (e.g. table rebuilt). Idempotent.
+   */
+  async ensureDocumentGeneratedColumns() {
+    if (!await this.checkTablesExist(["document_types"])) return;
+    const rows = await this.db.prepare("SELECT id, queryable_fields FROM document_types WHERE is_active = 1").all();
+    for (const row of rows.results ?? []) {
+      let fields;
+      try {
+        fields = JSON.parse(row.queryable_fields);
+      } catch {
+        continue;
+      }
+      await ensureScalarSchema(this.db, row.id, fields);
+    }
+  }
+  /**
+   * Check if specific tables exist in the database
+   */
+  async checkTablesExist(tableNames) {
+    try {
+      for (const tableName of tableNames) {
+        const result = await this.db.prepare(
+          `SELECT name FROM sqlite_master WHERE type='table' AND name=?`
+        ).bind(tableName).first();
+        if (!result) {
+          return false;
+        }
+      }
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+  /**
+   * Check if a specific column exists in a table
+   */
+  async checkColumnExists(tableName, columnName) {
+    try {
+      const result = await this.db.prepare(
+        `SELECT * FROM pragma_table_info(?) WHERE name = ?`
+      ).bind(tableName, columnName).first();
+      return !!result;
+    } catch (error) {
+      return false;
+    }
+  }
+  /**
+   * Get migration status summary
+   */
+  async getMigrationStatus() {
+    const migrations = await this.getAvailableMigrations();
+    const appliedMigrations = migrations.filter((m) => m.applied);
+    const pendingMigrations = migrations.filter((m) => !m.applied);
+    const lastApplied = appliedMigrations.length > 0 ? appliedMigrations[appliedMigrations.length - 1]?.appliedAt : void 0;
+    return {
+      totalMigrations: migrations.length,
+      appliedMigrations: appliedMigrations.length,
+      pendingMigrations: pendingMigrations.length,
+      lastApplied,
+      migrations
+    };
+  }
+  /**
+   * D1 migration state is managed by Wrangler.
+   */
+  async markMigrationApplied(migrationId, name, filename) {
+  }
+  /**
+   * D1 migration state is managed by Wrangler.
+   */
+  async removeMigrationApplied(migrationId) {
+  }
+  /**
+   * Check if a specific migration has been applied
+   */
+  async isMigrationApplied(migrationId) {
+    const appliedMigrations = await this.getD1AppliedMigrations();
+    return appliedMigrations.has(migrationId);
+  }
+  /**
+   * Get the last applied migration
+   */
+  async getLastAppliedMigration() {
+    const migrations = await this.getAvailableMigrations();
+    return migrations.filter((m) => m.applied).at(-1) ?? null;
+  }
+  /**
+   * Run pending migrations
+   */
+  async runPendingMigrations() {
+    return {
+      success: false,
+      message: "Migrations are managed by Cloudflare D1. Run `wrangler d1 migrations apply DB --local` or `wrangler d1 migrations apply DB --remote`.",
+      applied: [],
+      errors: []
+    };
+  }
+  /**
+   * Validate database schema
+   */
+  async validateSchema() {
+    const issues = [];
+    const requiredTables = [
+      "users",
+      "documents",
+      "document_types"
+    ];
+    for (const table of requiredTables) {
+      try {
+        await this.db.prepare(`SELECT COUNT(*) FROM ${table} LIMIT 1`).first();
+      } catch (error) {
+        issues.push(`Missing table: ${table}`);
+      }
+    }
+    return {
+      valid: issues.length === 0,
+      issues
+    };
+  }
+};
+
+exports.MigrationService = MigrationService;
+exports.ensureScalarSchema = ensureScalarSchema;
+//# sourceMappingURL=chunk-2JTWQZHG.cjs.map
+//# sourceMappingURL=chunk-2JTWQZHG.cjs.map

package/dist/chunk-2JTWQZHG.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/db/migrations-bundle.ts","../src/services/document-scalar-schema.ts","../src/services/migrations.ts"],"names":[],"mappings":";;;AAiBO,IAAM,iBAAA,GAAwC;AAAA,EACnD;AAAA,IACE,EAAA,EAAI,MAAA;AAAA,IACJ,IAAA,EAAM,MAAA;AAAA,IACN,QAAA,EAAU,eAAA;AAAA,IACV,WAAA,EAAa,sBAAA;AAAA,IACb,GAAA,EAAK;AAAA,GACP;AAAA,EACA;AAAA,IACE,EAAA,EAAI,MAAA;AAAA,IACJ,IAAA,EAAM,WAAA;AAAA,IACN,QAAA,EAAU,oBAAA;AAAA,IACV,WAAA,EAAa,2BAAA;AAAA,IACb,GAAA,EAAK;AAAA;AAET,CAAA;AAGiC,IAAI,GAAA;AAAA,EACnC,kBAAkB,GAAA,CAAI,CAAA,CAAA,KAAK,CAAC,CAAA,CAAE,EAAA,EAAI,CAAC,CAAC;AACtC;;;AC/BA,IAAM,eAAA,GAAkB,oBAAA;AAGxB,SAAS,SAAS,IAAA,EAA4D;AAC5E,EAAA,IAAI,IAAA,KAAS,UAAU,OAAO,MAAA;AAC9B,EAAA,IAAI,SAAS,SAAA,IAAa,IAAA,KAAS,SAAA,IAAa,IAAA,KAAS,QAAQ,OAAO,SAAA;AACxE,EAAA,OAAO,MAAA;AACT;AAEA,IAAM,IAAA,GAAO,CAAC,CAAA,KAAc,CAAA,CAAE,WAAA,EAAY,CAAE,OAAA,CAAQ,aAAA,EAAe,GAAG,CAAA,CAAE,OAAA,CAAQ,UAAA,EAAY,EAAE,CAAA;AAQvF,SAAS,aAAA,CAAc,QAAgB,CAAA,EAA2B;AACvE,EAAA,IAAI,CAAA,CAAE,MAAA,EAAQ,OAAO,CAAA,CAAE,MAAA;AACvB,EAAA,MAAM,IAAA,GAAO,KAAK,IAAA,CAAK,MAAM,CAAC,CAAA,CAAA,EAAI,IAAA,CAAK,CAAA,CAAE,IAAI,CAAC,CAAA,CAAA;AAC9C,EAAA,OAAO,IAAA,CAAK,UAAU,EAAA,GAAK,IAAA,GAAO,KAAK,IAAA,CAAK,MAAM,EAAE,KAAA,CAAM,CAAA,EAAG,EAAE,CAAC,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,IAAI,EAAE,KAAA,CAAM,CAAA,EAAG,EAAE,CAAC,CAAA,CAAA;AAC/F;AAaA,eAAsB,kBAAA,CACpB,EAAA,EACA,MAAA,EACA,MAAA,EACmB;AACnB,EAAA,MAAM,UAAU,MAAA,CAAO,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,SAAS,QAAQ,CAAA;AACxD,EAAA,IAAI,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG,OAAO,EAAC;AAGlC,EAAA,IAAI,QAAA,uBAAe,GAAA,EAAY;AAC/B,EAAA,IAAI;AACF,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,OAAA,CAAQ,kDAAkD,EAAE,GAAA,EAAI;AACtF,IAAA,QAAA,GAAW,IAAI,GAAA,CAAA,CAAK,IAAA,EAAM,OAAA,IAAW,EAAC,EAAG,GAAA,CAAI,CAAC,CAAA,KAAW,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAClE,CAAA,CAAA,MAAQ;AAAA,EAER;AAEA,EAAA,MAAM,QAAkB,EAAC;AACzB,EAAA,KAAA,MAAW,KAAK,OAAA,EAAS;AACvB,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,MAAA,EAAQ,CAAC,CAAA;AACnC,IAAA,IAAI,CAAC,eAAA,CAAgB,IAAA,CAAK,GAAG,CAAA,EAAG;AAC9B,MAAA,OAAA,CAAQ,KAAA,CAAM,uCAAuC,GAAG,CAAA,MAAA,EAAS,MAAM,CAAA,CAAA,EAAI,CAAA,CAAE,IAAI,CAAA,eAAA,CAAY,CAAA;AAC7F,MAAA;AAAA,IACF;AACA,IAAA,MAAM,IAAA,GAAO,CAAA,CAAE,IAAA,IAAQ,CAAA,EAAA,EAAK,EAAE,IAAI,CAAA,CAAA;AAClC,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,GAAG,CAAA,EAAG;AACtB,MAAA,OAAA,CAAQ,KAAA,CAAM,wCAAwC,GAAG,CAAA,EAAA,EAAK,MAAM,CAAA,CAAA,EAAI,CAAA,CAAE,IAAI,CAAA,gBAAA,CAAa,CAAA;AAC3F,MAAA;AAAA,IACF;AAEA,IAAA,IAAI,CAAC,QAAA,CAAS,GAAA,CAAI,GAAG,CAAA,EAAG;AACtB,MAAA,IAAI;AACF,QAAA,MAAM,EAAA,CACH,OAAA,CAAQ,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAA,EAAI,QAAA,CAAS,CAAA,CAAE,IAAI,CAAC,CAAA,yBAAA,EAA4B,IAAI,CAAA,WAAA,CAAa,EAChH,GAAA,EAAI;AACP,QAAA,KAAA,CAAM,KAAK,GAAG,CAAA;AACd,QAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,gCAAA,EAAmC,GAAG,CAAA,WAAA,EAAc,MAAM,CAAA,CAAA,CAAG,CAAA;AAAA,MAC3E,SAAS,KAAA,EAAO;AACd,QAAA,MAAM,MAAM,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU,OAAO,KAAK,CAAA;AACjE,QAAA,IAAI,CAAC,GAAA,CAAI,QAAA,CAAS,uBAAuB,CAAA,EAAG;AAC1C,UAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,wCAAA,EAA2C,GAAG,CAAA,CAAA,CAAA,EAAK,GAAG,CAAA;AACpE,UAAA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAMA,IAAA,IAAI;AACF,MAAA,MAAM,EAAA,CACH,QAAQ,CAAA,+BAAA,EAAkC,GAAG,qCAAqC,GAAG,CAAA,2BAAA,CAA6B,EAClH,GAAA,EAAI;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,qCAAA,EAAwC,GAAG,CAAA,CAAA,CAAA,EAAK,KAAA,YAAiB,QAAQ,KAAA,CAAM,OAAA,GAAU,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,IACtH;AAAA,EACF;AACA,EAAA,OAAO,KAAA;AACT;;;AC5EO,IAAM,mBAAN,MAAuB;AAAA,EAC5B,YAAoB,EAAA,EAAgB;AAAhB,IAAA,IAAA,CAAA,EAAA,GAAA,EAAA;AAAA,EAAiB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMrC,MAAM,yBAAA,GAA2C;AAAA,EAEjD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,sBAAA,GAA+C;AACnD,IAAA,MAAM,aAA0B,EAAC;AACjC,IAAA,MAAM,iBAAA,GAAoB,MAAM,IAAA,CAAK,sBAAA,EAAuB;AAC5D,IAAA,MAAM,KAAK,yBAAA,EAA0B;AAGrC,IAAA,KAAA,MAAW,WAAW,iBAAA,EAAmB;AACvC,MAAA,MAAM,OAAA,GAAU,iBAAA,CAAkB,GAAA,CAAI,OAAA,CAAQ,EAAE,CAAA;AAChD,MAAA,MAAM,WAAA,GAAc,iBAAA,CAAkB,GAAA,CAAI,OAAA,CAAQ,EAAE,CAAA;AAEpD,MAAA,UAAA,CAAW,IAAA,CAAK;AAAA,QACd,IAAI,OAAA,CAAQ,EAAA;AAAA,QACZ,MAAM,OAAA,CAAQ,IAAA;AAAA,QACd,UAAU,OAAA,CAAQ,QAAA;AAAA,QAClB,aAAa,OAAA,CAAQ,WAAA;AAAA,QACrB,OAAA;AAAA,QACA,SAAA,EAAW,OAAA,GAAU,WAAA,EAAa,UAAA,GAAa,MAAA;AAAA,QAC/C,IAAA,EAAM,QAAQ,GAAA,CAAI;AAAA,OACnB,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,UAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,sBAAA,GAAoD;AAChE,IAAA,IAAI;AACF,MAAA,MAAM,aAAA,GAAgB,MAAM,IAAA,CAAK,EAAA,CAAG,OAAA;AAAA,QAClC;AAAA,QACA,GAAA,EAAI;AAEN,MAAA,OAAO,IAAI,GAAA;AAAA,QAAA,CACR,cAAc,OAAA,IAAW,EAAC,EACxB,GAAA,CAAI,CAAC,GAAA,KAAa;AACjB,UAAA,MAAM,QAAA,GAAW,MAAA,CAAO,GAAA,CAAI,IAAA,IAAQ,EAAE,CAAA;AACtC,UAAA,MAAM,EAAA,GAAK,QAAA,CAAS,KAAA,CAAM,QAAQ,IAAI,CAAC,CAAA;AACvC,UAAA,IAAI,CAAC,IAAI,OAAO,IAAA;AAChB,UAAA,OAAO,CAAC,EAAA,EAAI;AAAA,YACV,EAAA;AAAA,YACA,IAAA,EAAM,QAAA;AAAA,YACN,QAAA;AAAA,YACA,YAAY,GAAA,CAAI;AAAA,WACjB,CAAA;AAAA,QACH,CAAC,CAAA,CACA,MAAA,CAAO,CAAC,KAAA,KAAkC,UAAU,IAAI;AAAA,OAC7D;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,2BAAW,GAAA,EAAI;AAAA,IACjB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,yBAAA,GAA2C;AAC/C,IAAA,IAAI,MAAM,IAAA,CAAK,gBAAA,CAAiB,CAAC,WAAW,CAAC,CAAA,EAAG;AAC9C,MAAA,MAAM,KAAK,8BAAA,EAA+B;AAAA,IAC5C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,8BAAA,GAAgD;AAC5D,IAAA,IAAI,CAAE,MAAM,IAAA,CAAK,iBAAiB,CAAC,gBAAgB,CAAC,CAAA,EAAI;AACxD,IAAA,MAAM,OAAO,MAAM,IAAA,CAAK,GACrB,OAAA,CAAQ,qEAAqE,EAC7E,GAAA,EAA8C;AACjD,IAAA,KAAA,MAAW,GAAA,IAAO,IAAA,CAAK,OAAA,IAAW,EAAC,EAAG;AACpC,MAAA,IAAI,MAAA;AACJ,MAAA,IAAI;AACF,QAAA,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,gBAAgB,CAAA;AAAA,MAC1C,CAAA,CAAA,MAAQ;AACN,QAAA;AAAA,MACF;AACA,MAAA,MAAM,kBAAA,CAAmB,IAAA,CAAK,EAAA,EAAI,GAAA,CAAI,IAAI,MAAM,CAAA;AAAA,IAClD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,iBAAiB,UAAA,EAAwC;AACrE,IAAA,IAAI;AACF,MAAA,KAAA,MAAW,aAAa,UAAA,EAAY;AAClC,QAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,EAAA,CAAG,OAAA;AAAA,UAC3B,CAAA,4DAAA;AAAA,SACF,CAAE,IAAA,CAAK,SAAS,CAAA,CAAE,KAAA,EAAM;AAExB,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,KAAA;AAAA,QACT;AAAA,MACF;AACA,MAAA,OAAO,IAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,iBAAA,CAAkB,SAAA,EAAmB,UAAA,EAAsC;AACvF,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,EAAA,CAAG,OAAA;AAAA,QAC3B,CAAA,iDAAA;AAAA,OACF,CAAE,IAAA,CAAK,SAAA,EAAW,UAAU,EAAE,KAAA,EAAM;AAEpC,MAAA,OAAO,CAAC,CAAC,MAAA;AAAA,IACX,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,kBAAA,GAA+C;AACnD,IAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,sBAAA,EAAuB;AACrD,IAAA,MAAM,iBAAA,GAAoB,UAAA,CAAW,MAAA,CAAO,CAAA,CAAA,KAAK,EAAE,OAAO,CAAA;AAC1D,IAAA,MAAM,oBAAoB,UAAA,CAAW,MAAA,CAAO,CAAA,CAAA,KAAK,CAAC,EAAE,OAAO,CAAA;AAE3D,IAAA,MAAM,WAAA,GAAc,kBAAkB,MAAA,GAAS,CAAA,GAC3C,kBAAkB,iBAAA,CAAkB,MAAA,GAAS,CAAC,CAAA,EAAG,SAAA,GACjD,MAAA;AAEJ,IAAA,OAAO;AAAA,MACL,iBAAiB,UAAA,CAAW,MAAA;AAAA,MAC5B,mBAAmB,iBAAA,CAAkB,MAAA;AAAA,MACrC,mBAAmB,iBAAA,CAAkB,MAAA;AAAA,MACrC,WAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAAA,CAAqB,WAAA,EAAqB,IAAA,EAAc,QAAA,EAAiC;AAGxF,EACP;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,uBAAuB,WAAA,EAAoC;AAC1D,EACP;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBAAmB,WAAA,EAAuC;AAC9D,IAAA,MAAM,iBAAA,GAAoB,MAAM,IAAA,CAAK,sBAAA,EAAuB;AAC5D,IAAA,OAAO,iBAAA,CAAkB,IAAI,WAAW,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,uBAAA,GAAqD;AACzD,IAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,sBAAA,EAAuB;AACrD,IAAA,OAAO,UAAA,CAAW,OAAO,CAAA,CAAA,KAAK,CAAA,CAAE,OAAO,CAAA,CAAE,EAAA,CAAG,EAAE,CAAA,IAAK,IAAA;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAAA,GAA4G;AAChH,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,OAAA,EAAS,uIAAA;AAAA,MACT,SAAS,EAAC;AAAA,MACV,QAAQ;AAAC,KACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAAA,GAAgE;AACpE,IAAA,MAAM,SAAmB,EAAC;AAG1B,IAAA,MAAM,cAAA,GAAiB;AAAA,MACrB,OAAA;AAAA,MAAS,WAAA;AAAA,MAAa;AAAA,KACxB;AAEA,IAAA,KAAA,MAAW,SAAS,cAAA,EAAgB;AAClC,MAAA,IAAI;AACF,QAAA,MAAM,KAAK,EAAA,CAAG,OAAA,CAAQ,wBAAwB,KAAK,CAAA,QAAA,CAAU,EAAE,KAAA,EAAM;AAAA,MACvE,SAAS,KAAA,EAAO;AACd,QAAA,MAAA,CAAO,IAAA,CAAK,CAAA,eAAA,EAAkB,KAAK,CAAA,CAAE,CAAA;AAAA,MACvC;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,OAAO,MAAA,KAAW,CAAA;AAAA,MACzB;AAAA,KACF;AAAA,EACF;AACF","file":"chunk-2JTWQZHG.cjs","sourcesContent":["/**\n * AUTO-GENERATED FILE - DO NOT EDIT\n * Generated by: scripts/generate-migrations.ts\n * Generated at: 2026-06-18T22:53:44.759Z\n *\n * This file contains all migration SQL bundled for use in Cloudflare Workers\n * where filesystem access is not available at runtime.\n */\n\nexport interface BundledMigration {\n  id: string\n  name: string\n  filename: string\n  description: string\n  sql: string\n}\n\nexport const bundledMigrations: BundledMigration[] = [\n  {\n    id: '0001',\n    name: 'Core',\n    filename: '0001_core.sql',\n    description: 'Migration 0001: Core',\n    sql: \"-- Migration 0001: Auth tables\\n-- auth_user, auth_session, auth_account, auth_verification + BA plugin tables + RBAC + auth support.\\n-- Only auth_* prefixed tables live here. All content lives in document_* tables (0002_documents.sql).\\n\\n-- ── auth_user ────────────────────────────────────────────────────────────────\\n-- BA user model + SonicJS domain columns as BA additionalFields.\\nCREATE TABLE IF NOT EXISTS auth_user (\\n  id TEXT PRIMARY KEY,\\n  name TEXT,\\n  email TEXT NOT NULL UNIQUE,\\n  email_verified INTEGER NOT NULL DEFAULT 0,\\n  image TEXT,\\n  created_at INTEGER NOT NULL,\\n  updated_at INTEGER NOT NULL,\\n  -- SonicJS additionalFields\\n  first_name TEXT NOT NULL,\\n  last_name TEXT NOT NULL,\\n  role TEXT NOT NULL DEFAULT 'viewer',\\n  -- Platform super-admin: bypasses the multi-tenant membership gate, uses global roles in every\\n  -- tenant. Opt-in (default 0); intentionally NOT derived from the 'admin' role.\\n  is_super_admin INTEGER NOT NULL DEFAULT 0,\\n  avatar TEXT,\\n  password_hash TEXT,\\n  is_active INTEGER NOT NULL DEFAULT 1,\\n  last_login_at INTEGER,\\n  phone TEXT,\\n  bio TEXT,\\n  timezone TEXT DEFAULT 'UTC',\\n  language TEXT DEFAULT 'en',\\n  email_notifications INTEGER DEFAULT 1,\\n  theme TEXT DEFAULT 'dark',\\n  invitation_token TEXT,\\n  invited_by TEXT,\\n  invited_at INTEGER,\\n  accepted_invitation_at INTEGER,\\n  failed_login_count INTEGER NOT NULL DEFAULT 0,\\n  locked_until INTEGER\\n);\\n\\nCREATE INDEX IF NOT EXISTS idx_auth_user_email ON auth_user(email);\\nCREATE INDEX IF NOT EXISTS idx_auth_user_role ON auth_user(role);\\nCREATE INDEX IF NOT EXISTS idx_auth_user_invitation_token ON auth_user(invitation_token);\\nCREATE INDEX IF NOT EXISTS idx_auth_user_locked_until ON auth_user(locked_until) WHERE locked_until IS NOT NULL;\\n\\n-- ── auth_session ─────────────────────────────────────────────────────────────\\nCREATE TABLE IF NOT EXISTS auth_session (\\n  id TEXT PRIMARY KEY,\\n  user_id TEXT NOT NULL REFERENCES auth_user(id) ON DELETE CASCADE,\\n  token TEXT NOT NULL UNIQUE,\\n  expires_at INTEGER NOT NULL,\\n  ip_address TEXT,\\n  user_agent TEXT,\\n  created_at INTEGER NOT NULL,\\n  updated_at INTEGER NOT NULL\\n);\\nCREATE INDEX IF NOT EXISTS idx_auth_session_user_id ON auth_session(user_id);\\nCREATE INDEX IF NOT EXISTS idx_auth_session_token ON auth_session(token);\\nCREATE INDEX IF NOT EXISTS idx_auth_session_expires_at ON auth_session(expires_at);\\n\\n-- ── auth_account ─────────────────────────────────────────────────────────────\\nCREATE TABLE IF NOT EXISTS auth_account (\\n  id TEXT PRIMARY KEY,\\n  user_id TEXT NOT NULL REFERENCES auth_user(id) ON DELETE CASCADE,\\n  account_id TEXT NOT NULL,\\n  provider_id TEXT NOT NULL,\\n  access_token TEXT,\\n  refresh_token TEXT,\\n  access_token_expires_at INTEGER,\\n  refresh_token_expires_at INTEGER,\\n  scope TEXT,\\n  id_token TEXT,\\n  password TEXT,\\n  created_at INTEGER NOT NULL,\\n  updated_at INTEGER NOT NULL\\n);\\nCREATE INDEX IF NOT EXISTS idx_auth_account_user_id ON auth_account(user_id);\\nCREATE INDEX IF NOT EXISTS idx_auth_account_provider ON auth_account(provider_id, account_id);\\n\\n-- ── auth_verification ────────────────────────────────────────────────────────\\n-- Covers email verification, password reset, magic-link tokens, OTP codes.\\nCREATE TABLE IF NOT EXISTS auth_verification (\\n  id TEXT PRIMARY KEY,\\n  identifier TEXT NOT NULL,\\n  value TEXT NOT NULL,\\n  expires_at INTEGER NOT NULL,\\n  created_at INTEGER NOT NULL,\\n  updated_at INTEGER NOT NULL\\n);\\nCREATE INDEX IF NOT EXISTS idx_auth_verification_identifier ON auth_verification(identifier);\\n\\n-- ── BA plugin tables ──────────────────────────────────────────────────────────\\n\\nCREATE TABLE IF NOT EXISTS auth_two_factor (\\n  id           TEXT PRIMARY KEY,\\n  secret       TEXT NOT NULL,\\n  backup_codes TEXT NOT NULL,\\n  user_id      TEXT NOT NULL REFERENCES auth_user(id) ON DELETE CASCADE,\\n  verified     INTEGER NOT NULL DEFAULT 1,\\n  created_at   INTEGER NOT NULL,\\n  updated_at   INTEGER NOT NULL\\n);\\nCREATE INDEX IF NOT EXISTS idx_auth_two_factor_user_id ON auth_two_factor(user_id);\\n\\nCREATE TABLE IF NOT EXISTS auth_tenant (\\n  id         TEXT PRIMARY KEY,\\n  name       TEXT NOT NULL,\\n  slug       TEXT NOT NULL UNIQUE,\\n  logo       TEXT,\\n  metadata   TEXT,\\n  -- SonicJS tenant-resolution fields (BA organization additionalFields):\\n  status     TEXT NOT NULL DEFAULT 'active',\\n  domain     TEXT,\\n  notes      TEXT NOT NULL DEFAULT '',\\n  created_at INTEGER NOT NULL,\\n  updated_at INTEGER NOT NULL\\n);\\nCREATE INDEX IF NOT EXISTS idx_auth_tenant_domain ON auth_tenant(domain);\\n\\nCREATE TABLE IF NOT EXISTS auth_tenant_member (\\n  id        TEXT PRIMARY KEY,\\n  tenant_id TEXT NOT NULL REFERENCES auth_tenant(id) ON DELETE CASCADE,\\n  user_id   TEXT NOT NULL REFERENCES auth_user(id)   ON DELETE CASCADE,\\n  role      TEXT NOT NULL DEFAULT 'member',\\n  email     TEXT,\\n  created_at INTEGER NOT NULL,\\n  updated_at INTEGER NOT NULL,\\n  UNIQUE(tenant_id, user_id)\\n);\\nCREATE INDEX IF NOT EXISTS idx_auth_tenant_member_tenant ON auth_tenant_member(tenant_id);\\nCREATE INDEX IF NOT EXISTS idx_auth_tenant_member_user   ON auth_tenant_member(user_id);\\n\\nCREATE TABLE IF NOT EXISTS auth_tenant_invitation (\\n  id         TEXT PRIMARY KEY,\\n  tenant_id  TEXT NOT NULL REFERENCES auth_tenant(id) ON DELETE CASCADE,\\n  email      TEXT NOT NULL,\\n  role       TEXT NOT NULL DEFAULT 'member',\\n  status     TEXT NOT NULL DEFAULT 'pending',\\n  expires_at INTEGER NOT NULL,\\n  inviter_id TEXT REFERENCES auth_user(id) ON DELETE SET NULL,\\n  created_at INTEGER NOT NULL,\\n  updated_at INTEGER NOT NULL\\n);\\nCREATE INDEX IF NOT EXISTS idx_auth_tenant_invitation_tenant ON auth_tenant_invitation(tenant_id);\\nCREATE INDEX IF NOT EXISTS idx_auth_tenant_invitation_email  ON auth_tenant_invitation(email);\\n\\nCREATE TABLE IF NOT EXISTS auth_tenant_team (\\n  id        TEXT PRIMARY KEY,\\n  name      TEXT NOT NULL,\\n  tenant_id TEXT NOT NULL REFERENCES auth_tenant(id) ON DELETE CASCADE,\\n  created_at INTEGER NOT NULL,\\n  updated_at INTEGER NOT NULL\\n);\\n\\n-- ── RBAC ─────────────────────────────────────────────────────────────────────\\n-- RBAC roles, verbs, and user-role assignments are document-backed (is_auth doc\\n-- types rbac_role / rbac_verb / rbac_user_roles — see services/rbac.ts). The\\n-- system roles/verbs/grants are seeded at bootstrap by RbacService.ensureSystemRbacSeed().\\n-- No auth_rbac_* tables.\\n\\n-- ── Auth support tables ───────────────────────────────────────────────────────\\nCREATE TABLE IF NOT EXISTS auth_password_history (\\n  id TEXT PRIMARY KEY,\\n  user_id TEXT NOT NULL REFERENCES auth_user(id) ON DELETE CASCADE,\\n  password_hash TEXT NOT NULL,\\n  created_at INTEGER NOT NULL\\n);\\nCREATE INDEX IF NOT EXISTS idx_auth_password_history_user_id ON auth_password_history(user_id);\\n\\nCREATE TABLE IF NOT EXISTS auth_api_tokens (\\n  id TEXT PRIMARY KEY,\\n  name TEXT NOT NULL,\\n  token TEXT NOT NULL UNIQUE,\\n  user_id TEXT NOT NULL REFERENCES auth_user(id),\\n  permissions TEXT NOT NULL,\\n  expires_at INTEGER,\\n  last_used_at INTEGER,\\n  created_at INTEGER NOT NULL\\n);\\nCREATE INDEX IF NOT EXISTS idx_auth_api_tokens_user ON auth_api_tokens(user_id);\\nCREATE INDEX IF NOT EXISTS idx_auth_api_tokens_token ON auth_api_tokens(token);\\n\\n-- User profiles moved to the document model: a `user_profile` document (is_auth type),\\n-- one per user, addressed by slug = userId. See services/document-types-seed.ts and\\n-- plugins/core-plugins/user-profiles/user-profile-document.ts. No auth_user_profiles table.\\n\"\n  },\n  {\n    id: '0002',\n    name: 'Documents',\n    filename: '0002_documents.sql',\n    description: 'Migration 0002: Documents',\n    sql: \"-- Migration 0002: Document Schema (v3 greenfield)\\n-- Contains only the new document data model tables, generated columns, and indexes.\\n\\n-- Document type registry\\nCREATE TABLE IF NOT EXISTS document_types (\\n  id TEXT PRIMARY KEY,\\n  name TEXT NOT NULL UNIQUE,\\n  display_name TEXT NOT NULL,\\n  description TEXT,\\n  schema TEXT NOT NULL DEFAULT '{}',\\n  queryable_fields TEXT NOT NULL DEFAULT '[]',\\n  settings TEXT NOT NULL DEFAULT '{}',\\n  plugin_id TEXT,\\n  source TEXT NOT NULL DEFAULT 'code' CHECK (source IN ('code', 'plugin', 'system')),\\n  schema_version INTEGER NOT NULL DEFAULT 1,\\n  is_system INTEGER NOT NULL DEFAULT 0,\\n  is_active INTEGER NOT NULL DEFAULT 1,\\n  is_auth INTEGER NOT NULL DEFAULT 0,\\n  created_at INTEGER NOT NULL DEFAULT (unixepoch()),\\n  updated_at INTEGER NOT NULL DEFAULT (unixepoch())\\n);\\n\\nCREATE INDEX IF NOT EXISTS idx_document_types_plugin ON document_types(plugin_id);\\nCREATE INDEX IF NOT EXISTS idx_document_types_active ON document_types(is_active);\\n\\n-- Documents: canonical document rows and historical versions.\\nCREATE TABLE IF NOT EXISTS documents (\\n  id TEXT PRIMARY KEY,\\n  root_id TEXT NOT NULL,\\n  type_id TEXT NOT NULL REFERENCES document_types(id),\\n  type_version INTEGER NOT NULL DEFAULT 1,\\n\\n  version_of_id TEXT REFERENCES documents(id),\\n  version_number INTEGER NOT NULL DEFAULT 1,\\n\\n  is_current_draft INTEGER NOT NULL DEFAULT 1,\\n  is_published INTEGER NOT NULL DEFAULT 0,\\n  status TEXT NOT NULL DEFAULT 'draft' CHECK (status IN ('draft', 'published', 'archived')),\\n\\n  parent_root_id TEXT NOT NULL DEFAULT '',\\n  slug TEXT,\\n  path TEXT,\\n  title TEXT,\\n  zone TEXT,\\n  sort_order INTEGER NOT NULL DEFAULT 0,\\n  visible INTEGER NOT NULL DEFAULT 1,\\n\\n  published_at INTEGER,\\n  scheduled_at INTEGER,\\n  expires_at INTEGER,\\n  deleted_at INTEGER,\\n\\n  tenant_id TEXT NOT NULL DEFAULT 'default',\\n  locale TEXT NOT NULL DEFAULT 'default',\\n  translation_group_id TEXT NOT NULL DEFAULT '',\\n\\n  data TEXT NOT NULL DEFAULT '{}',\\n  metadata TEXT NOT NULL DEFAULT '{}',\\n\\n  owner_id TEXT,\\n  created_by TEXT,\\n  updated_by TEXT,\\n  created_at INTEGER NOT NULL DEFAULT (unixepoch()),\\n  updated_at INTEGER NOT NULL DEFAULT (unixepoch())\\n);\\n\\n-- Queryable scalar fields (VIRTUAL generated columns) and their q_* filter indexes\\n-- are AUTO-GENERATED at runtime from each document type's queryableFields config —\\n-- see DocumentTypeRegistry.register() -> ensureScalarSchema() (document-scalar-schema.ts).\\n-- Do not hand-add q_* columns/indexes here; declare the field in the type instead.\\n\\n-- Revision chain\\nCREATE INDEX IF NOT EXISTS idx_documents_root ON documents(root_id, version_number DESC);\\n\\n-- List / lifecycle\\nCREATE INDEX IF NOT EXISTS idx_documents_published ON documents(tenant_id, type_id, locale, is_published)\\n  WHERE is_published = 1 AND deleted_at IS NULL;\\nCREATE INDEX IF NOT EXISTS idx_documents_drafts ON documents(tenant_id, type_id, status, is_current_draft)\\n  WHERE is_current_draft = 1;\\nCREATE INDEX IF NOT EXISTS idx_documents_parent ON documents(tenant_id, parent_root_id, sort_order, is_published);\\nCREATE INDEX IF NOT EXISTS idx_documents_path ON documents(tenant_id, path);\\nCREATE INDEX IF NOT EXISTS idx_documents_translation ON documents(translation_group_id, locale);\\nCREATE INDEX IF NOT EXISTS idx_documents_deleted ON documents(deleted_at);\\nCREATE INDEX IF NOT EXISTS idx_documents_scheduled ON documents(scheduled_at) WHERE scheduled_at IS NOT NULL;\\nCREATE INDEX IF NOT EXISTS idx_documents_expires ON documents(expires_at) WHERE expires_at IS NOT NULL;\\n\\n-- Stable keyset/cursor pagination for published lists\\nCREATE INDEX IF NOT EXISTS idx_documents_published_cursor\\n  ON documents(tenant_id, type_id, updated_at DESC, id DESC)\\n  WHERE is_published = 1 AND deleted_at IS NULL;\\n\\n-- (q_* generated-column filter indexes are auto-created at runtime — see note above.)\\n\\n-- Partial unique indexes: the hard concurrency guarantees for draft/publish invariants.\\nCREATE UNIQUE INDEX IF NOT EXISTS idx_documents_one_current_draft\\n  ON documents(root_id) WHERE is_current_draft = 1;\\nCREATE UNIQUE INDEX IF NOT EXISTS idx_documents_one_published\\n  ON documents(root_id) WHERE is_published = 1;\\nCREATE UNIQUE INDEX IF NOT EXISTS idx_documents_unique_version\\n  ON documents(root_id, version_number);\\nCREATE UNIQUE INDEX IF NOT EXISTS idx_documents_unique_slug\\n  ON documents(tenant_id, locale, type_id, parent_root_id, slug)\\n  WHERE is_current_draft = 1 AND deleted_at IS NULL AND slug IS NOT NULL;\\nCREATE UNIQUE INDEX IF NOT EXISTS idx_documents_one_translation_per_locale\\n  ON documents(tenant_id, translation_group_id, locale)\\n  WHERE is_current_draft = 1 AND translation_group_id <> '';\\n\\n-- Document references: typed document-to-document edges.\\nCREATE TABLE IF NOT EXISTS document_references (\\n  id TEXT PRIMARY KEY,\\n  tenant_id TEXT NOT NULL,\\n  from_root_id TEXT NOT NULL,\\n  from_document_id TEXT NOT NULL REFERENCES documents(id) ON DELETE CASCADE,\\n  field_name TEXT NOT NULL,\\n  ordinal INTEGER NOT NULL DEFAULT 0,\\n  to_root_id TEXT NOT NULL,\\n  ref_strength TEXT NOT NULL DEFAULT 'weak' CHECK (ref_strength IN ('strong', 'weak')),\\n  created_at INTEGER NOT NULL DEFAULT (unixepoch())\\n);\\n\\nCREATE INDEX IF NOT EXISTS idx_docref_to   ON document_references(tenant_id, to_root_id);\\nCREATE INDEX IF NOT EXISTS idx_docref_from ON document_references(from_document_id);\\nCREATE UNIQUE INDEX IF NOT EXISTS idx_docref_unique\\n  ON document_references(from_document_id, field_name, ordinal);\\n\\n-- Document facets: indexed rows for multi-valued scalar fields (e.g. tags arrays).\\nCREATE TABLE IF NOT EXISTS document_facets (\\n  id TEXT PRIMARY KEY,\\n  tenant_id TEXT NOT NULL,\\n  document_id TEXT NOT NULL REFERENCES documents(id) ON DELETE CASCADE,\\n  root_id TEXT NOT NULL,\\n  type_id TEXT NOT NULL,\\n  field_name TEXT NOT NULL,\\n  ordinal INTEGER NOT NULL DEFAULT 0,\\n  value_text TEXT,\\n  value_number REAL,\\n  created_at INTEGER NOT NULL DEFAULT (unixepoch())\\n);\\n\\nCREATE INDEX IF NOT EXISTS idx_facets_lookup ON document_facets(tenant_id, type_id, field_name, value_text);\\nCREATE INDEX IF NOT EXISTS idx_facets_doc    ON document_facets(document_id);\\nCREATE UNIQUE INDEX IF NOT EXISTS idx_facets_unique\\n  ON document_facets(document_id, field_name, ordinal);\\n\\n-- Document permissions: per-document ACL overrides.\\nCREATE TABLE IF NOT EXISTS document_permissions (\\n  id TEXT PRIMARY KEY,\\n  tenant_id TEXT NOT NULL,\\n  root_id TEXT NOT NULL,\\n  principal_type TEXT NOT NULL CHECK (principal_type IN ('user', 'role', 'group', 'public', 'token')),\\n  principal_id TEXT NOT NULL,\\n  permission TEXT NOT NULL CHECK (permission IN ('read', 'create', 'update', 'delete', 'publish', 'manage')),\\n  effect TEXT NOT NULL DEFAULT 'allow' CHECK (effect IN ('allow', 'deny')),\\n  inherited INTEGER NOT NULL DEFAULT 0,\\n  created_at INTEGER NOT NULL DEFAULT (unixepoch()),\\n  created_by TEXT\\n);\\n\\nCREATE INDEX IF NOT EXISTS idx_document_permissions_root ON document_permissions(tenant_id, root_id);\\nCREATE INDEX IF NOT EXISTS idx_document_permissions_principal\\n  ON document_permissions(tenant_id, principal_type, principal_id, permission);\\nCREATE UNIQUE INDEX IF NOT EXISTS idx_document_permissions_unique\\n  ON document_permissions(root_id, principal_type, principal_id, permission);\\n\"\n  }\n]\n\n// Map for quick lookup by ID\nexport const migrationsByIdMap = new Map<string, BundledMigration>(\n  bundledMigrations.map(m => [m.id, m])\n)\n\n// Get migration SQL by ID\nexport function getMigrationSQLById(id: string): string | null {\n  return migrationsByIdMap.get(id)?.sql ?? null\n}\n\n// Get all migration info (without SQL for lighter payloads)\nexport function getMigrationList(): Array<Omit<BundledMigration, 'sql'>> {\n  return bundledMigrations.map(({ sql, ...rest }) => rest)\n}\n","import { D1Database } from '@cloudflare/workers-types'\nimport type { QueryableField } from '../schemas/document'\n\n// Identifiers and JSON paths are interpolated into DDL (they cannot be bound), so\n// they are format-guarded here. Source is trusted code config, not user input —\n// this is defense-in-depth, mirroring document-repository.ts.\nconst SAFE_IDENTIFIER = /^[a-z_][a-z0-9_]*$/\n\n/** Map a queryable field's logical type to a SQLite column affinity. */\nfunction affinity(type?: QueryableField['type']): 'TEXT' | 'INTEGER' | 'REAL' {\n  if (type === 'number') return 'REAL'\n  if (type === 'integer' || type === 'boolean' || type === 'date') return 'INTEGER'\n  return 'TEXT'\n}\n\nconst slug = (s: string) => s.toLowerCase().replace(/[^a-z0-9]+/g, '_').replace(/^_+|_+$/g, '')\n\n/**\n * Authoritative generated-column name for a scalar field. An explicit `column`\n * always wins (back-compat with every existing type definition); otherwise it is\n * derived deterministically from the type id + field name. The repository reads\n * the same `column`/derivation when building filter SQL, so the two never drift.\n */\nexport function resolveColumn(typeId: string, f: QueryableField): string {\n  if (f.column) return f.column\n  const name = `q_${slug(typeId)}_${slug(f.name)}`\n  return name.length <= 60 ? name : `q_${slug(typeId).slice(0, 20)}_${slug(f.name).slice(0, 20)}`\n}\n\n/**\n * Idempotently ensure the `documents` table has a VIRTUAL generated column and a\n * filter/sort index for each of a type's scalar queryable fields. Safe to call on\n * every registration and every bootstrap: existing columns/indexes are skipped,\n * and a concurrent add surfaces as a swallowed \"duplicate column name\".\n *\n * Facet and reference fields need no DDL (generic document_facets /\n * document_references tables), so they are ignored here.\n *\n * Returns the columns it actually created (empty when all already existed).\n */\nexport async function ensureScalarSchema(\n  db: D1Database,\n  typeId: string,\n  fields: QueryableField[],\n): Promise<string[]> {\n  const scalars = fields.filter((f) => f.kind === 'scalar')\n  if (scalars.length === 0) return []\n\n  // pragma_table_info does NOT list VIRTUAL generated columns — use table_xinfo, which does.\n  let existing = new Set<string>()\n  try {\n    const info = await db.prepare(\"SELECT name FROM pragma_table_xinfo('documents')\").all()\n    existing = new Set((info?.results ?? []).map((r: any) => r.name))\n  } catch {\n    // table_xinfo unavailable — fall back to attempting every ALTER (duplicate errors swallowed).\n  }\n\n  const added: string[] = []\n  for (const f of scalars) {\n    const col = resolveColumn(typeId, f)\n    if (!SAFE_IDENTIFIER.test(col)) {\n      console.error(`[scalar-schema] unsafe column name '${col}' for ${typeId}.${f.name} — skipped`)\n      continue\n    }\n    const path = f.path ?? `$.${f.name}`\n    if (path.includes(\"'\")) {\n      console.error(`[scalar-schema] unsafe json path for ${col} (${typeId}.${f.name}) — skipped`)\n      continue\n    }\n\n    if (!existing.has(col)) {\n      try {\n        await db\n          .prepare(`ALTER TABLE documents ADD COLUMN ${col} ${affinity(f.type)} AS (json_extract(data, '${path}')) VIRTUAL`)\n          .run()\n        added.push(col)\n        console.log(`[scalar-schema] added documents.${col} for type '${typeId}'`)\n      } catch (error) {\n        const msg = error instanceof Error ? error.message : String(error)\n        if (!msg.includes('duplicate column name')) {\n          console.error(`[scalar-schema] failed to add documents.${col}:`, msg)\n          continue\n        }\n      }\n    }\n\n    // One general index per column: the leading (tenant_id, type_id, col) prefix\n    // serves every equality filter the repository builds; the trailing\n    // (updated_at DESC, id DESC) matches the default keyset sort/cursor. Non-partial\n    // so a single index covers both draft and published lists.\n    try {\n      await db\n        .prepare(`CREATE INDEX IF NOT EXISTS idx_${col} ON documents(tenant_id, type_id, ${col}, updated_at DESC, id DESC)`)\n        .run()\n    } catch (error) {\n      console.error(`[scalar-schema] failed to create idx_${col}:`, error instanceof Error ? error.message : String(error))\n    }\n  }\n  return added\n}\n","import { D1Database } from '@cloudflare/workers-types'\nimport { bundledMigrations } from '../db/migrations-bundle'\nimport { ensureScalarSchema } from './document-scalar-schema'\nimport type { QueryableField } from '../schemas/document'\n\nexport interface Migration {\n  id: string\n  name: string\n  filename: string\n  description?: string\n  applied: boolean\n  appliedAt?: string\n  size?: number\n}\n\nexport interface MigrationStatus {\n  totalMigrations: number\n  appliedMigrations: number\n  pendingMigrations: number\n  lastApplied?: string\n  migrations: Migration[]\n}\n\nexport class MigrationService {\n  constructor(private db: D1Database) {}\n\n  /**\n   * Cloudflare D1 owns migration bookkeeping through `d1_migrations`.\n   * SonicJS intentionally does not create its own tracking table.\n   */\n  async initializeMigrationsTable(): Promise<void> {\n    // Kept as a no-op for compatibility with older callers.\n  }\n\n  /**\n   * Get all available migrations from the bundled migrations\n   */\n  async getAvailableMigrations(): Promise<Migration[]> {\n    const migrations: Migration[] = []\n    const appliedMigrations = await this.getD1AppliedMigrations()\n    await this.ensureSchemaCompatibility()\n\n    // Use bundled migrations as the source of truth\n    for (const bundled of bundledMigrations) {\n      const applied = appliedMigrations.has(bundled.id)\n      const appliedData = appliedMigrations.get(bundled.id)\n\n      migrations.push({\n        id: bundled.id,\n        name: bundled.name,\n        filename: bundled.filename,\n        description: bundled.description,\n        applied,\n        appliedAt: applied ? appliedData?.applied_at : undefined,\n        size: bundled.sql.length\n      })\n    }\n\n    return migrations\n  }\n\n  /**\n   * Read Wrangler/D1's canonical migration table. If the table is absent, no\n   * migrations have been applied by the supported migration runner yet.\n   */\n  private async getD1AppliedMigrations(): Promise<Map<string, any>> {\n    try {\n      const appliedResult = await this.db.prepare(\n        'SELECT name, applied_at FROM d1_migrations ORDER BY applied_at ASC'\n      ).all()\n\n      return new Map(\n        (appliedResult.results ?? [])\n          .map((row: any) => {\n            const filename = String(row.name ?? '')\n            const id = filename.match(/^(\\d+)/)?.[1]\n            if (!id) return null\n            return [id, {\n              id,\n              name: filename,\n              filename,\n              applied_at: row.applied_at\n            }]\n          })\n          .filter((entry): entry is [string, any] => entry !== null)\n      )\n    } catch (error) {\n      return new Map()\n    }\n  }\n\n  /**\n   * Run idempotent compatibility repairs that are safe outside migration state.\n   */\n  async ensureSchemaCompatibility(): Promise<void> {\n    if (await this.checkTablesExist(['documents'])) {\n      await this.ensureDocumentGeneratedColumns()\n    }\n  }\n\n  /**\n   * Ensure the `documents` table exposes every queryable VIRTUAL generated column + index (D45).\n   * Data-driven repair: reconciles from each active type's `queryable_fields` rather than a hardcoded\n   * list, so it stays in sync with whatever types are registered. Generation of these columns is owned\n   * by DocumentTypeRegistry.register() (via ensureScalarSchema); this pass is a bootstrap safety net for\n   * a DB that has document_types rows but lost columns (e.g. table rebuilt). Idempotent.\n   */\n  private async ensureDocumentGeneratedColumns(): Promise<void> {\n    if (!(await this.checkTablesExist(['document_types']))) return\n    const rows = await this.db\n      .prepare('SELECT id, queryable_fields FROM document_types WHERE is_active = 1')\n      .all<{ id: string; queryable_fields: string }>()\n    for (const row of rows.results ?? []) {\n      let fields: QueryableField[]\n      try {\n        fields = JSON.parse(row.queryable_fields)\n      } catch {\n        continue\n      }\n      await ensureScalarSchema(this.db, row.id, fields)\n    }\n  }\n\n  /**\n   * Check if specific tables exist in the database\n   */\n  private async checkTablesExist(tableNames: string[]): Promise<boolean> {\n    try {\n      for (const tableName of tableNames) {\n        const result = await this.db.prepare(\n          `SELECT name FROM sqlite_master WHERE type='table' AND name=?`\n        ).bind(tableName).first()\n\n        if (!result) {\n          return false\n        }\n      }\n      return true\n    } catch (error) {\n      return false\n    }\n  }\n\n  /**\n   * Check if a specific column exists in a table\n   */\n  private async checkColumnExists(tableName: string, columnName: string): Promise<boolean> {\n    try {\n      const result = await this.db.prepare(\n        `SELECT * FROM pragma_table_info(?) WHERE name = ?`\n      ).bind(tableName, columnName).first()\n\n      return !!result\n    } catch (error) {\n      return false\n    }\n  }\n\n  /**\n   * Get migration status summary\n   */\n  async getMigrationStatus(): Promise<MigrationStatus> {\n    const migrations = await this.getAvailableMigrations()\n    const appliedMigrations = migrations.filter(m => m.applied)\n    const pendingMigrations = migrations.filter(m => !m.applied)\n\n    const lastApplied = appliedMigrations.length > 0\n      ? appliedMigrations[appliedMigrations.length - 1]?.appliedAt\n      : undefined\n\n    return {\n      totalMigrations: migrations.length,\n      appliedMigrations: appliedMigrations.length,\n      pendingMigrations: pendingMigrations.length,\n      lastApplied,\n      migrations\n    }\n  }\n\n  /**\n   * D1 migration state is managed by Wrangler.\n   */\n  async markMigrationApplied(migrationId: string, name: string, filename: string): Promise<void> {\n    void migrationId\n    void name\n    void filename\n  }\n\n  /**\n   * D1 migration state is managed by Wrangler.\n   */\n  async removeMigrationApplied(migrationId: string): Promise<void> {\n    void migrationId\n  }\n\n  /**\n   * Check if a specific migration has been applied\n   */\n  async isMigrationApplied(migrationId: string): Promise<boolean> {\n    const appliedMigrations = await this.getD1AppliedMigrations()\n    return appliedMigrations.has(migrationId)\n  }\n\n  /**\n   * Get the last applied migration\n   */\n  async getLastAppliedMigration(): Promise<Migration | null> {\n    const migrations = await this.getAvailableMigrations()\n    return migrations.filter(m => m.applied).at(-1) ?? null\n  }\n\n  /**\n   * Run pending migrations\n   */\n  async runPendingMigrations(): Promise<{ success: boolean; message: string; applied: string[]; errors: string[] }> {\n    return {\n      success: false,\n      message: 'Migrations are managed by Cloudflare D1. Run `wrangler d1 migrations apply DB --local` or `wrangler d1 migrations apply DB --remote`.',\n      applied: [],\n      errors: []\n    }\n  }\n\n  /**\n   * Validate database schema\n   */\n  async validateSchema(): Promise<{ valid: boolean; issues: string[] }> {\n    const issues: string[] = []\n\n    // Basic table existence checks\n    const requiredTables = [\n      'users', 'documents', 'document_types'\n    ]\n\n    for (const table of requiredTables) {\n      try {\n        await this.db.prepare(`SELECT COUNT(*) FROM ${table} LIMIT 1`).first()\n      } catch (error) {\n        issues.push(`Missing table: ${table}`)\n      }\n    }\n\n    return {\n      valid: issues.length === 0,\n      issues\n    }\n  }\n}\n"]}