@sorb/juice 0.1.0

package/dist/cli.js

@@ -0,0 +1,1209 @@
+#!/usr/bin/env node
+const __sorbModuleUrl = require('url').pathToFileURL(require('path').join(__dirname, 'migrate.js')).href;
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/store/redis.js
+var redis_exports = {};
+__export(redis_exports, {
+  createRedisStore: () => createRedisStore,
+  default: () => redis_default
+});
+var import_ioredis, PREVIEW_PREFIX, VERIFY_PREFIX, VERIFY_LATEST_KEY, previewKey, verifyKey, scanCount, createRedisStore, redis_default;
+var init_redis = __esm({
+  "src/store/redis.js"() {
+    import_ioredis = __toESM(require("ioredis"));
+    PREVIEW_PREFIX = "preview:";
+    VERIFY_PREFIX = "verify:";
+    VERIFY_LATEST_KEY = "verify:latest";
+    previewKey = (id) => PREVIEW_PREFIX + id;
+    verifyKey = (id) => VERIFY_PREFIX + id;
+    scanCount = async (client, match) => {
+      let cursor = "0";
+      let total = 0;
+      do {
+        const [next, keys] = await client.scan(cursor, "MATCH", match, "COUNT", 100);
+        cursor = next;
+        total += keys.length;
+      } while (cursor !== "0");
+      return total;
+    };
+    createRedisStore = async (config) => {
+      const ttlMs = config.previewTtlMs;
+      const client = new import_ioredis.default(config.redisUrl, {
+        lazyConnect: true,
+        maxRetriesPerRequest: 2
+      });
+      client.on("error", () => {
+      });
+      try {
+        await client.connect();
+      } catch (e) {
+      }
+      const putPreview = async (id, tokens) => {
+        const entry = { tokens, createdAt: Date.now() };
+        await client.set(previewKey(id), JSON.stringify(entry), "PX", ttlMs);
+      };
+      const getPreview = async (id) => {
+        const raw = await client.get(previewKey(id));
+        if (raw == null) return null;
+        return JSON.parse(raw);
+      };
+      const hasPreview = async (id) => {
+        return await client.exists(previewKey(id)) === 1;
+      };
+      const updatePreview = async (id, tokens) => {
+        if (!await hasPreview(id)) return false;
+        const entry = { tokens, createdAt: Date.now() };
+        await client.set(previewKey(id), JSON.stringify(entry), "PX", ttlMs);
+        return true;
+      };
+      const deletePreview = async (id) => {
+        await client.del(previewKey(id));
+      };
+      const countPreviews = async () => {
+        return scanCount(client, PREVIEW_PREFIX + "*");
+      };
+      const putVerification = async (id, { storyId, bbox, meta }) => {
+        const entry = { storyId, bbox, meta, createdAt: Date.now() };
+        const pipeline = client.multi();
+        pipeline.set(verifyKey(id), JSON.stringify(entry), "PX", ttlMs);
+        pipeline.set(VERIFY_LATEST_KEY, id, "PX", ttlMs);
+        await pipeline.exec();
+      };
+      const getVerification = async (id) => {
+        const raw = await client.get(verifyKey(id));
+        if (raw == null) return null;
+        return JSON.parse(raw);
+      };
+      const getLatestVerification = async () => {
+        const id = await client.get(VERIFY_LATEST_KEY);
+        if (id == null) return null;
+        return getVerification(id);
+      };
+      const countVerifications = async () => {
+        const total = await scanCount(client, VERIFY_PREFIX + "*");
+        const hasLatest = await client.exists(VERIFY_LATEST_KEY) === 1;
+        return hasLatest ? Math.max(0, total - 1) : total;
+      };
+      const ping = async () => {
+        try {
+          return await client.ping() === "PONG";
+        } catch (e) {
+          return false;
+        }
+      };
+      const close2 = async () => {
+        try {
+          await client.quit();
+        } catch (e) {
+        }
+      };
+      return {
+        putPreview,
+        getPreview,
+        hasPreview,
+        updatePreview,
+        deletePreview,
+        countPreviews,
+        putVerification,
+        getVerification,
+        getLatestVerification,
+        countVerifications,
+        ping,
+        close: close2
+      };
+    };
+    redis_default = createRedisStore;
+  }
+});
+
+// src/cli.js
+var import_commander = require("commander");
+var import_node_server = require("@hono/node-server");
+var import_fs3 = require("fs");
+var import_path3 = require("path");
+var import_picocolors4 = __toESM(require("picocolors"));
+
+// src/server.js
+var import_hono = require("hono");
+var import_cors = require("hono/cors");
+var import_nanoid = require("nanoid");
+
+// src/auth.js
+var import_node_crypto = require("node:crypto");
+var SCOPE = Object.freeze({ READ: "read", WRITE: "write" });
+function hashKey(raw) {
+  return (0, import_node_crypto.createHash)("sha256").update(raw, "utf8").digest("hex");
+}
+function parseBearer(authHeader) {
+  if (typeof authHeader !== "string") return null;
+  const trimmed = authHeader.trim();
+  if (trimmed === "") return null;
+  const match = /^(\S+)\s+(.*)$/.exec(trimmed);
+  if (!match) return null;
+  const scheme = match[1];
+  if (scheme.toLowerCase() !== "bearer") return null;
+  const token = match[2].trim();
+  if (token === "") return null;
+  return token;
+}
+async function resolveApiKey(db, authHeader) {
+  const raw = parseBearer(authHeader);
+  if (raw === null) return null;
+  const hash = hashKey(raw);
+  const result = await db.query(
+    `SELECT k.id AS key_id, k.type, k.project_id, p.org_id, p.namespace, p.allowed_origins
+       FROM api_keys k
+       JOIN projects p ON p.id = k.project_id
+      WHERE k.hash = $1 AND k.revoked_at IS NULL
+      LIMIT 1`,
+    [hash]
+  );
+  const rows = result && result.rows || [];
+  if (rows.length === 0) return null;
+  const row = rows[0];
+  const type = row.type;
+  const scope = type === "publishable" ? SCOPE.READ : SCOPE.WRITE;
+  const allowedOrigins = Array.isArray(row.allowed_origins) ? row.allowed_origins : [];
+  return Object.freeze({
+    keyId: row.key_id,
+    type,
+    projectId: row.project_id,
+    orgId: row.org_id,
+    namespace: row.namespace,
+    allowedOrigins,
+    scope
+  });
+}
+
+// src/entitlements.js
+var FREE = Object.freeze({
+  plan: "free",
+  status: "active",
+  seats: 1,
+  previewPersistence: false,
+  previewSharing: false,
+  maxProjects: 1,
+  maxActivePreviews: -1,
+  captureEnabled: false
+});
+var numOr = (v, fallback) => {
+  const n = Number(v);
+  return Number.isFinite(n) ? n : fallback;
+};
+function normalizeEntitlements(row) {
+  const r = row || {};
+  let data = r.data;
+  if (typeof data === "string") {
+    try {
+      data = JSON.parse(data);
+    } catch (e) {
+      data = null;
+    }
+  }
+  if (data === null || data === void 0 || typeof data !== "object") data = {};
+  const out = {
+    plan: FREE.plan,
+    status: FREE.status,
+    seats: "seats" in data ? Math.max(1, numOr(data.seats, FREE.seats)) : FREE.seats,
+    previewPersistence: "previewPersistence" in data ? Boolean(data.previewPersistence) : FREE.previewPersistence,
+    previewSharing: "previewSharing" in data ? Boolean(data.previewSharing) : FREE.previewSharing,
+    maxProjects: "maxProjects" in data ? numOr(data.maxProjects, FREE.maxProjects) : FREE.maxProjects,
+    maxActivePreviews: "maxActivePreviews" in data ? numOr(data.maxActivePreviews, FREE.maxActivePreviews) : FREE.maxActivePreviews,
+    captureEnabled: "captureEnabled" in data ? Boolean(data.captureEnabled) : FREE.captureEnabled
+  };
+  if (r.plan !== void 0 && r.plan !== null && String(r.plan).trim() !== "") {
+    out.plan = /** @type {Entitlements['plan']} */
+    String(r.plan);
+  }
+  if (r.status !== void 0 && r.status !== null && String(r.status).trim() !== "") {
+    out.status = /** @type {Entitlements['status']} */
+    String(r.status);
+  }
+  return Object.freeze(out);
+}
+async function getEntitlements(db, orgId) {
+  const { rows } = await db.query(
+    "SELECT plan, status, data FROM entitlements WHERE org_id = $1 LIMIT 1",
+    [orgId]
+  );
+  if (!rows || rows.length === 0) return FREE;
+  return normalizeEntitlements(rows[0]);
+}
+function effectiveEntitlements(ent) {
+  if (ent && (ent.status === "past_due" || ent.status === "canceled")) {
+    return Object.freeze({
+      ...ent,
+      // Overlay FREE's gate fields; keep plan + status from ent.
+      seats: FREE.seats,
+      previewPersistence: FREE.previewPersistence,
+      previewSharing: FREE.previewSharing,
+      maxProjects: FREE.maxProjects,
+      maxActivePreviews: FREE.maxActivePreviews,
+      captureEnabled: FREE.captureEnabled,
+      plan: ent.plan,
+      status: ent.status
+    });
+  }
+  return ent;
+}
+
+// src/server.js
+var createServer = ({
+  store,
+  config,
+  db = null,
+  getLatestTokens = () => ({}),
+  getResolvedTokens = () => null,
+  getArtifactIndex = () => null,
+  getArtifact = () => null,
+  onError = () => {
+  }
+}) => {
+  const namespace = config.namespace;
+  const corsOrigin = config.corsOrigins && config.corsOrigins !== "*" ? config.corsOrigins : "*";
+  const hosted = Boolean(config.databaseUrl);
+  const upgradeUrl = process.env.SORB_UPGRADE_URL || "/billing";
+  const previewTtlMs = config.previewTtlMs || 864e5;
+  const app = new import_hono.Hono();
+  if (hosted) {
+    app.use("*", async (c, next) => {
+      const path = c.req.path;
+      if (path === "/health" || path === "/ready") return next();
+      if (c.req.method === "OPTIONS") return next();
+      let ctx;
+      try {
+        ctx = await resolveApiKey(db, c.req.header("Authorization"));
+      } catch (e) {
+        onError(e, { at: "auth" });
+        return c.json({ error: "Service unavailable", code: "db_unavailable" }, 503);
+      }
+      if (!ctx) {
+        return c.json({ error: "Unauthorized", code: "unauthorized" }, 401);
+      }
+      c.set("auth", ctx);
+      let ent;
+      try {
+        ent = effectiveEntitlements(await getEntitlements(db, ctx.orgId));
+      } catch (e) {
+        onError(e, { at: "entitlements" });
+        return c.json({ error: "Service unavailable", code: "db_unavailable" }, 503);
+      }
+      c.set("ent", ent);
+      return next();
+    });
+    app.use(
+      "*",
+      (0, import_cors.cors)({
+        origin: (origin, c) => {
+          if (!origin) return origin;
+          if (c.req.method === "OPTIONS") return origin;
+          const ctx = c.get("auth");
+          if (ctx && Array.isArray(ctx.allowedOrigins) && ctx.allowedOrigins.includes(origin)) {
+            return origin;
+          }
+          return void 0;
+        }
+      })
+    );
+  } else {
+    app.use("*", (0, import_cors.cors)({ origin: corsOrigin }));
+  }
+  const requireWrite = (c) => {
+    if (!hosted) return null;
+    const ctx = c.get("auth");
+    if (ctx.scope !== SCOPE.WRITE) {
+      return c.json({ error: "Publishable keys are read-only", code: "read_only" }, 403);
+    }
+    return null;
+  };
+  const activePreviewCount = async (projectId) => {
+    const res = await db.query(
+      "SELECT count(*)::int AS n FROM previews WHERE project_id = $1 AND (expires_at IS NULL OR expires_at > now())",
+      [projectId]
+    );
+    const row = res && res.rows && res.rows[0];
+    return row ? Number(row.n) || 0 : 0;
+  };
+  const requireSharing = (c) => {
+    const ent = c.get("ent");
+    if (!ent || ent.previewSharing !== true) {
+      return c.json({ error: "Preview sharing is not available on your plan", code: "sharing_locked", upgradeUrl }, 402);
+    }
+    return null;
+  };
+  app.post("/preview", async (c) => {
+    if (hosted) {
+      const denied = requireWrite(c);
+      if (denied) return denied;
+      const ctx = c.get("auth");
+      const ent = c.get("ent");
+      if (c.req.query("share") === "1") {
+        const locked = requireSharing(c);
+        if (locked) return locked;
+      }
+      if (ent.maxActivePreviews !== -1) {
+        let active;
+        try {
+          active = await activePreviewCount(ctx.projectId);
+        } catch (e) {
+          onError(e, { at: "preview.count" });
+          return c.json({ error: "Service unavailable", code: "db_unavailable" }, 503);
+        }
+        if (active >= ent.maxActivePreviews) {
+          return c.json(
+            {
+              error: `Active preview limit reached (${ent.maxActivePreviews}). Upgrade for more concurrent previews.`,
+              code: "preview_limit",
+              upgradeUrl
+            },
+            402
+          );
+        }
+      }
+      const tokens2 = await c.req.json();
+      const id2 = (0, import_nanoid.nanoid)(8);
+      const ttlMs = ent.previewPersistence ? null : previewTtlMs;
+      await store.putPreview(id2, tokens2, ttlMs);
+      const expiresAt = ttlMs == null ? null : new Date(Date.now() + ttlMs);
+      try {
+        await db.query(
+          "INSERT INTO previews (id, project_id, expires_at) VALUES ($1, $2, $3)",
+          [id2, ctx.projectId, expiresAt]
+        );
+      } catch (e) {
+        onError(e, { at: "preview.bookkeeping.insert", id: id2 });
+      }
+      const url2 = `?preview=${id2}`;
+      return c.json({ id: id2, url: url2 });
+    }
+    const tokens = await c.req.json();
+    const id = (0, import_nanoid.nanoid)(8);
+    await store.putPreview(id, tokens);
+    const url = `?preview=${id}`;
+    return c.json({ id, url });
+  });
+  app.get("/preview/:id", async (c) => {
+    const id = c.req.param("id");
+    const entry = await store.getPreview(id);
+    if (!entry) {
+      return c.json({ error: "Preview not found or expired" }, 404);
+    }
+    if (hosted) {
+      const ctx = c.get("auth");
+      let owned = false;
+      try {
+        const res = await db.query(
+          "SELECT 1 FROM previews WHERE id = $1 AND project_id = $2 LIMIT 1",
+          [id, ctx.projectId]
+        );
+        owned = Boolean(res && res.rows && res.rows.length);
+      } catch (e) {
+        onError(e, { at: "preview.owner", method: "GET", id });
+        return c.json({ error: "Service unavailable", code: "db_unavailable" }, 503);
+      }
+      if (!owned) {
+        return c.json({ error: "Preview not found or expired" }, 404);
+      }
+    }
+    return c.json(entry.tokens);
+  });
+  app.put("/preview/:id", async (c) => {
+    const id = c.req.param("id");
+    if (hosted) {
+      const denied = requireWrite(c);
+      if (denied) return denied;
+      const ctx = c.get("auth");
+      let owned = false;
+      try {
+        const res = await db.query(
+          "SELECT 1 FROM previews WHERE id = $1 AND project_id = $2 LIMIT 1",
+          [id, ctx.projectId]
+        );
+        owned = Boolean(res && res.rows && res.rows.length);
+      } catch (e) {
+        onError(e, { at: "preview.owner", method: "PUT", id });
+        return c.json({ error: "Service unavailable", code: "db_unavailable" }, 503);
+      }
+      if (!owned) {
+        return c.json({ error: "Preview not found" }, 404);
+      }
+    }
+    const tokens = await c.req.json();
+    const updated = await store.updatePreview(id, tokens);
+    if (!updated) {
+      return c.json({ error: "Preview not found" }, 404);
+    }
+    return c.json({ id, updated: true });
+  });
+  app.delete("/preview/:id", async (c) => {
+    const id = c.req.param("id");
+    if (hosted) {
+      const denied = requireWrite(c);
+      if (denied) return denied;
+      const ctx = c.get("auth");
+      let owned = false;
+      try {
+        const res = await db.query(
+          "SELECT 1 FROM previews WHERE id = $1 AND project_id = $2 LIMIT 1",
+          [id, ctx.projectId]
+        );
+        owned = Boolean(res && res.rows && res.rows.length);
+      } catch (e) {
+        onError(e, { at: "preview.owner", method: "DELETE", id });
+        return c.json({ error: "Service unavailable", code: "db_unavailable" }, 503);
+      }
+      if (!owned) {
+        return c.json({ error: "Preview not found" }, 404);
+      }
+      await store.deletePreview(id);
+      try {
+        await db.query("DELETE FROM previews WHERE id = $1 AND project_id = $2", [id, ctx.projectId]);
+      } catch (e) {
+        onError(e, { at: "preview.bookkeeping.delete", id });
+      }
+      return c.json({ deleted: true });
+    }
+    await store.deletePreview(id);
+    return c.json({ deleted: true });
+  });
+  app.post("/verify", async (c) => {
+    if (hosted) {
+      const denied = requireWrite(c);
+      if (denied) return denied;
+    }
+    const { storyId, bbox, meta } = await c.req.json();
+    const id = (0, import_nanoid.nanoid)(8);
+    await store.putVerification(id, { storyId, bbox, meta });
+    return c.json({ id });
+  });
+  app.get("/verify/latest", async (c) => {
+    const entry = await store.getLatestVerification();
+    if (!entry) {
+      return c.json({ error: "No verification reported yet" }, 404);
+    }
+    return c.json(entry);
+  });
+  app.get("/verify/:id", async (c) => {
+    const entry = await store.getVerification(c.req.param("id"));
+    if (!entry) {
+      return c.json({ error: "Verification not found or expired" }, 404);
+    }
+    return c.json(entry);
+  });
+  app.get("/tokens/latest", (c) => {
+    return c.json(getLatestTokens());
+  });
+  app.get("/tokens/resolved", (c) => {
+    const resolved = getResolvedTokens();
+    if (!resolved) {
+      return c.json(
+        { error: "No resolved token map. Run `sorb-seed resolve` (Style Dictionary build)." },
+        404
+      );
+    }
+    return c.json(resolved);
+  });
+  app.get("/artifacts", (c) => {
+    const idx = getArtifactIndex();
+    if (!idx) {
+      return c.json(
+        { error: "No artifact index. Run `sorb-seed capture`." },
+        404
+      );
+    }
+    return c.json(idx);
+  });
+  app.get("/artifact", (c) => {
+    const storyId = c.req.query("id");
+    if (!storyId) return c.json({ error: "Missing ?id=" }, 400);
+    const art = getArtifact(storyId);
+    if (!art) return c.json({ error: "Artifact not found for id: " + storyId }, 404);
+    return c.json(art);
+  });
+  app.get("/health", async (c) => {
+    return c.json({
+      ok: true,
+      namespace,
+      activePreviews: await store.countPreviews(),
+      verifications: await store.countVerifications()
+    });
+  });
+  app.get("/ready", async (c) => {
+    const checks = {};
+    try {
+      checks.store = await store.ping();
+    } catch (e) {
+      checks.store = false;
+    }
+    if (db) {
+      try {
+        checks.db = await db.ping();
+      } catch (e) {
+        checks.db = false;
+      }
+    }
+    const ok = Object.values(checks).every(Boolean);
+    return c.json({ ok, checks }, ok ? 200 : 503);
+  });
+  return app;
+};
+
+// src/config.js
+var DEFAULTS = Object.freeze({
+  PORT: 7777,
+  SORB_NAMESPACE: "sorb-local",
+  REDIS_URL: void 0,
+  DATABASE_URL: void 0,
+  CORS_ORIGINS: "*",
+  // open by default = free local mode
+  PREVIEW_TTL_MS: 864e5,
+  // 24h — preserves today's preview/verify lifetime
+  PRUNE_INTERVAL_MS: 36e5,
+  // 1h — preserves today's in-memory prune cadence
+  NODE_ENV: "development"
+});
+var intOr = (raw, fallback) => {
+  if (raw === void 0 || raw === null || String(raw).trim() === "") return fallback;
+  const n = Number.parseInt(String(raw), 10);
+  return Number.isFinite(n) && n > 0 ? n : fallback;
+};
+var strOrUndef = (raw) => {
+  if (raw === void 0 || raw === null) return void 0;
+  const s = String(raw).trim();
+  return s === "" ? void 0 : s;
+};
+var parseCorsOrigins = (raw) => {
+  const s = strOrUndef(raw);
+  if (s === void 0) return "*";
+  const parts = s.split(",").map((o) => o.trim()).filter((o) => o !== "");
+  if (parts.length === 0 || parts.includes("*")) return "*";
+  return Array.from(new Set(parts));
+};
+var loadConfig = (env = process.env) => {
+  const redisUrl = strOrUndef(env.REDIS_URL);
+  const databaseUrl = strOrUndef(env.DATABASE_URL);
+  const config = {
+    port: intOr(env.PORT, DEFAULTS.PORT),
+    namespace: strOrUndef(env.SORB_NAMESPACE) ?? DEFAULTS.SORB_NAMESPACE,
+    // Presence of these URLs is the switch that activates each hosted backend.
+    redisUrl,
+    databaseUrl,
+    corsOrigins: parseCorsOrigins(env.CORS_ORIGINS),
+    previewTtlMs: intOr(env.PREVIEW_TTL_MS, DEFAULTS.PREVIEW_TTL_MS),
+    pruneIntervalMs: intOr(env.PRUNE_INTERVAL_MS, DEFAULTS.PRUNE_INTERVAL_MS),
+    nodeEnv: strOrUndef(env.NODE_ENV) ?? DEFAULTS.NODE_ENV,
+    // Convenience flags so the store factory + /ready don't re-derive presence.
+    redisEnabled: redisUrl !== void 0,
+    databaseEnabled: databaseUrl !== void 0,
+    hosted: redisUrl !== void 0 || databaseUrl !== void 0
+  };
+  return Object.freeze(config);
+};
+
+// src/store/memory.js
+var createMemoryStore = (config) => {
+  const ttlMs = config.previewTtlMs;
+  const pruneIntervalMs = config.pruneIntervalMs;
+  const previews = /* @__PURE__ */ new Map();
+  const verifications = /* @__PURE__ */ new Map();
+  let latestVerifyId = null;
+  const isExpired = (entry, now) => now - entry.createdAt > ttlMs;
+  const pruneTimer = setInterval(() => {
+    const now = Date.now();
+    for (const [id, entry] of previews) {
+      if (isExpired(entry, now)) previews.delete(id);
+    }
+    for (const [id, entry] of verifications) {
+      if (isExpired(entry, now)) {
+        verifications.delete(id);
+        if (id === latestVerifyId) latestVerifyId = null;
+      }
+    }
+  }, pruneIntervalMs);
+  if (typeof pruneTimer.unref === "function") pruneTimer.unref();
+  const putPreview = async (id, tokens) => {
+    previews.set(id, { tokens, createdAt: Date.now() });
+  };
+  const getPreview = async (id) => {
+    const entry = previews.get(id);
+    if (!entry) return null;
+    if (isExpired(entry, Date.now())) {
+      previews.delete(id);
+      return null;
+    }
+    return entry;
+  };
+  const hasPreview = async (id) => {
+    return await getPreview(id) !== null;
+  };
+  const updatePreview = async (id, tokens) => {
+    if (!await hasPreview(id)) return false;
+    previews.set(id, { tokens, createdAt: Date.now() });
+    return true;
+  };
+  const deletePreview = async (id) => {
+    previews.delete(id);
+  };
+  const countPreviews = async () => {
+    const now = Date.now();
+    let n = 0;
+    for (const entry of previews.values()) {
+      if (!isExpired(entry, now)) n++;
+    }
+    return n;
+  };
+  const putVerification = async (id, { storyId, bbox, meta }) => {
+    verifications.set(id, { storyId, bbox, meta, createdAt: Date.now() });
+    latestVerifyId = id;
+  };
+  const getVerification = async (id) => {
+    const entry = verifications.get(id);
+    if (!entry) return null;
+    if (isExpired(entry, Date.now())) {
+      verifications.delete(id);
+      if (id === latestVerifyId) latestVerifyId = null;
+      return null;
+    }
+    return entry;
+  };
+  const getLatestVerification = async () => {
+    if (!latestVerifyId) return null;
+    return getVerification(latestVerifyId);
+  };
+  const countVerifications = async () => {
+    const now = Date.now();
+    let n = 0;
+    for (const entry of verifications.values()) {
+      if (!isExpired(entry, now)) n++;
+    }
+    return n;
+  };
+  const ping = async () => true;
+  const close2 = async () => {
+    clearInterval(pruneTimer);
+  };
+  return {
+    putPreview,
+    getPreview,
+    hasPreview,
+    updatePreview,
+    deletePreview,
+    countPreviews,
+    putVerification,
+    getVerification,
+    getLatestVerification,
+    countVerifications,
+    ping,
+    close: close2
+  };
+};
+
+// src/store/index.js
+var createStore = async (config) => {
+  if (config.redisUrl) {
+    const { createRedisStore: createRedisStore2 } = await Promise.resolve().then(() => (init_redis(), redis_exports));
+    return createRedisStore2(config);
+  }
+  return createMemoryStore(config);
+};
+
+// src/db/migrate.js
+var import_promises = require("node:fs/promises");
+var import_node_path = require("node:path");
+var import_node_url = require("node:url");
+var SELF_URL = __sorbModuleUrl;
+var MIGRATIONS_DIR = (0, import_node_path.join)((0, import_node_path.dirname)((0, import_node_url.fileURLToPath)(SELF_URL)), "migrations");
+var SCHEMA_MIGRATIONS_DDL = `
+CREATE TABLE IF NOT EXISTS schema_migrations (
+  filename    text PRIMARY KEY,
+  applied_at  timestamptz NOT NULL DEFAULT now()
+)
+`;
+async function runMigrations(db, opts) {
+  if (!db) {
+    throw new Error("runMigrations: no DbHandle (DATABASE_URL not configured?)");
+  }
+  const dir = opts && opts.dir || MIGRATIONS_DIR;
+  await db.query(SCHEMA_MIGRATIONS_DDL);
+  let entries;
+  try {
+    entries = await (0, import_promises.readdir)(dir);
+  } catch (e) {
+    if (e && e.code === "ENOENT") return [];
+    throw e;
+  }
+  const files = entries.filter((f) => f.toLowerCase().endsWith(".sql")).sort((a, b) => a < b ? -1 : a > b ? 1 : 0);
+  const appliedRes = await db.query("SELECT filename FROM schema_migrations");
+  const already = new Set((appliedRes.rows || []).map((r) => r.filename));
+  const applied = [];
+  for (const file of files) {
+    if (already.has(file)) continue;
+    const sql = await (0, import_promises.readFile)((0, import_node_path.join)(dir, file), "utf8");
+    await db.tx(async (client) => {
+      await client.query(sql);
+      await client.query("INSERT INTO schema_migrations (filename) VALUES ($1)", [file]);
+    });
+    applied.push(file);
+    console.log(`[db] applied migration ${file}`);
+  }
+  return applied;
+}
+
+// src/db/index.js
+async function createDb(config) {
+  const databaseUrl = config && config.databaseUrl;
+  if (!databaseUrl) {
+    return null;
+  }
+  const pgModule = await import("pg");
+  const pg = pgModule.default || pgModule;
+  const { Pool } = pg;
+  const pool = new Pool({
+    connectionString: databaseUrl,
+    // Keep the pool conservative; the bridge is mostly Redis-bound. These can
+    // be tuned later via config if needed.
+    max: 10,
+    idleTimeoutMillis: 3e4,
+    connectionTimeoutMillis: 1e4
+  });
+  pool.on("error", (err) => {
+    console.error("[db] idle pool client error:", err && err.message ? err.message : err);
+  });
+  async function query(text, params) {
+    return pool.query(text, params);
+  }
+  async function getClient() {
+    return pool.connect();
+  }
+  async function tx(fn) {
+    const client = await pool.connect();
+    try {
+      await client.query("BEGIN");
+      const result = await fn(client);
+      await client.query("COMMIT");
+      return result;
+    } catch (e) {
+      try {
+        await client.query("ROLLBACK");
+      } catch (rollbackErr) {
+        console.error("[db] rollback failed:", rollbackErr && rollbackErr.message ? rollbackErr.message : rollbackErr);
+      }
+      throw e;
+    } finally {
+      client.release();
+    }
+  }
+  async function ping() {
+    try {
+      const res = await pool.query("SELECT 1 AS ok");
+      return Boolean(res && res.rows && res.rows.length === 1);
+    } catch (e) {
+      console.error("[db] ping failed:", e && e.message ? e.message : e);
+      return false;
+    }
+  }
+  let closed = false;
+  async function close2() {
+    if (closed) return;
+    closed = true;
+    try {
+      await pool.end();
+    } catch (e) {
+      console.error("[db] close failed:", e && e.message ? e.message : e);
+    }
+  }
+  const handle = {
+    pool,
+    query,
+    getClient,
+    tx,
+    ping,
+    close: close2,
+    /** Apply pending SQL migrations in order. @returns {Promise<string[]>} */
+    runMigrations: () => runMigrations(handle)
+  };
+  return handle;
+}
+
+// src/watch.js
+var import_chokidar = __toESM(require("chokidar"));
+var import_fs = require("fs");
+var import_path = require("path");
+var import_picocolors = __toESM(require("picocolors"));
+var watchSources = (paths, onChange) => {
+  const abs = (paths || []).map((p) => (0, import_path.resolve)(process.cwd(), p)).filter((p) => (0, import_fs.existsSync)(p));
+  if (!abs.length) {
+    console.warn(import_picocolors.default.yellow("  \u26A0 No token sources found to watch."));
+    return { stop: () => {
+    } };
+  }
+  const watcher = import_chokidar.default.watch(abs, {
+    ignoreInitial: true,
+    awaitWriteFinish: { stabilityThreshold: 100 }
+  });
+  watcher.on("change", (p) => {
+    console.log(import_picocolors.default.cyan("  \u2192 Token source changed") + import_picocolors.default.dim(` (${p})`));
+    onChange(p);
+  });
+  watcher.on("error", (err) => console.error(import_picocolors.default.red("  \u2717 Watcher error:"), err));
+  return { stop: () => watcher.close() };
+};
+
+// src/transform.js
+var import_child_process = require("child_process");
+var import_fs2 = require("fs");
+var import_path2 = require("path");
+var import_picocolors2 = __toESM(require("picocolors"));
+var runStyleDictionary = (configPath) => {
+  const abs = (0, import_path2.resolve)(process.cwd(), configPath);
+  if (!(0, import_fs2.existsSync)(abs)) {
+    console.warn(
+      import_picocolors2.default.yellow(`  \u26A0 style-dictionary config not found at ${configPath}, skipping`)
+    );
+    return false;
+  }
+  try {
+    console.log(import_picocolors2.default.dim("  \u2192 Running Style Dictionary..."));
+    (0, import_child_process.execSync)(`npx style-dictionary build --config ${abs}`, {
+      stdio: "inherit",
+      cwd: process.cwd()
+    });
+    console.log(import_picocolors2.default.green("  \u2713 Style Dictionary build complete"));
+    return true;
+  } catch (e) {
+    console.error(import_picocolors2.default.red("  \u2717 Style Dictionary build failed"));
+    return false;
+  }
+};
+
+// src/github.js
+var import_picocolors3 = __toESM(require("picocolors"));
+var openTokenPR = async (opts) => {
+  const base = `https://api.github.com/repos/${opts.owner}/${opts.repo}`;
+  const headers = {
+    Authorization: `Bearer ${opts.pat}`,
+    "Content-Type": "application/json",
+    Accept: "application/vnd.github+json"
+  };
+  const mainRef = await fetch(`${base}/git/ref/heads/main`, { headers }).then((r) => r.json());
+  const sha = mainRef.object.sha;
+  const branchName = `tokens/update-${Date.now()}`;
+  await fetch(`${base}/git/refs`, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({
+      ref: `refs/heads/${branchName}`,
+      sha
+    })
+  });
+  const fileRes = await fetch(`${base}/contents/${opts.tokenPath}`, {
+    headers
+  });
+  const fileData = fileRes.ok ? await fileRes.json() : null;
+  await fetch(`${base}/contents/${opts.tokenPath}`, {
+    method: "PUT",
+    headers,
+    body: JSON.stringify({
+      message: opts.message,
+      content: Buffer.from(opts.content).toString("base64"),
+      branch: branchName,
+      ...fileData?.sha ? { sha: fileData.sha } : {}
+    })
+  });
+  const pr = await fetch(`${base}/pulls`, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({
+      title: opts.message,
+      head: branchName,
+      base: "main",
+      body: [
+        "> \u{1F3A8} Created by **Sorb**",
+        "",
+        "This PR was generated from the Sorb Figma plugin.",
+        "Review the token diff and merge to apply changes to the app."
+      ].join("\n")
+    })
+  }).then((r) => r.json());
+  return pr.html_url;
+};
+
+// src/sentry.js
+var Sentry = __toESM(require("@sentry/node"));
+var enabled = false;
+var initSentry = () => {
+  if (enabled) return true;
+  const dsn = process.env.SENTRY_DSN;
+  if (!dsn) return false;
+  try {
+    Sentry.init({
+      dsn,
+      environment: process.env.SENTRY_ENVIRONMENT || process.env.NODE_ENV || "production",
+      tracesSampleRate: 0
+    });
+    enabled = true;
+  } catch (e) {
+    enabled = false;
+  }
+  return enabled;
+};
+var captureError = (err, context) => {
+  if (!enabled) return;
+  try {
+    Sentry.captureException(err, context ? { extra: context } : void 0);
+  } catch (e) {
+  }
+};
+var flushSentry = async (ms) => {
+  if (!enabled) return;
+  try {
+    await Sentry.close(ms);
+  } catch (e) {
+  }
+};
+
+// src/cli.js
+var loadFileConfig = () => {
+  const configPath = (0, import_path3.resolve)(process.cwd(), "sorb.config.json");
+  if (!(0, import_fs3.existsSync)(configPath)) {
+    console.error(import_picocolors4.default.red("\n\u2717 No sorb.config.json found.\n"));
+    console.error(
+      import_picocolors4.default.dim("  Run ") + import_picocolors4.default.cyan("sorb init") + import_picocolors4.default.dim(" to create one, or see the docs.\n")
+    );
+    process.exit(1);
+  }
+  return JSON.parse((0, import_fs3.readFileSync)(configPath, "utf-8"));
+};
+import_commander.program.name("sorb").description("Sorb design token bridge").version("1.2.0");
+import_commander.program.command("dev", { isDefault: true }).description("Start the local token bridge server").option("-p, --port <port>", "port to listen on", "7777").action(async (opts) => {
+  const fileConfig = loadFileConfig();
+  const envConfig = loadConfig();
+  const config = {
+    ...envConfig,
+    namespace: fileConfig.namespace ?? envConfig.namespace,
+    port: fileConfig.port ?? parseInt(opts.port) ?? envConfig.port
+  };
+  const port = config.port;
+  const sources = fileConfig.tokenSources || (fileConfig.tokenPath ? [fileConfig.tokenPath] : []);
+  console.log(import_picocolors4.default.bold("\nSorb"));
+  console.log(import_picocolors4.default.dim("  Namespace :") + ` ${config.namespace}`);
+  console.log(import_picocolors4.default.dim("  Sources   :") + ` ${sources.join(", ") || "(none)"}`);
+  console.log(import_picocolors4.default.dim("  Port      :") + ` ${port}`);
+  const sorbDir = (0, import_path3.resolve)(process.cwd(), ".sorb");
+  const resolvedPath = (0, import_path3.resolve)(sorbDir, "resolved.json");
+  const indexPath = (0, import_path3.resolve)(sorbDir, "index.json");
+  const readJson = (p) => {
+    if (!(0, import_fs3.existsSync)(p)) return null;
+    try {
+      return JSON.parse((0, import_fs3.readFileSync)(p, "utf-8"));
+    } catch (e) {
+      return null;
+    }
+  };
+  const readResolvedArray = () => {
+    const data = readJson(resolvedPath);
+    return data && (Array.isArray(data) ? data : data.tokens);
+  };
+  const readResolved = () => readResolvedArray();
+  const readIndex = () => readJson(indexPath);
+  const buildTokens = () => {
+    if (fileConfig.styleDictionaryConfig) runStyleDictionary(fileConfig.styleDictionaryConfig);
+  };
+  buildTokens();
+  const { stop } = watchSources(sources, buildTokens);
+  const legacyTokenAbs = fileConfig.tokenPath ? (0, import_path3.resolve)(process.cwd(), fileConfig.tokenPath) : null;
+  const read = () => {
+    if (legacyTokenAbs && (0, import_fs3.existsSync)(legacyTokenAbs)) {
+      try {
+        return JSON.parse((0, import_fs3.readFileSync)(legacyTokenAbs, "utf-8"));
+      } catch (e) {
+        return {};
+      }
+    }
+    const arr = readResolvedArray();
+    if (!arr) return {};
+    const flat = {};
+    for (const t of arr) if (t.cssVar) flat[t.cssVar.replace(/^--/, "")] = t.value;
+    return flat;
+  };
+  const readArtifact = (storyId) => {
+    const idx = readIndex();
+    const entry = idx && idx.stories && idx.stories[storyId];
+    if (!entry) return null;
+    const artPath = (0, import_path3.resolve)(process.cwd(), entry.artifact);
+    if (!artPath.startsWith(process.cwd() + "/")) return null;
+    return readJson(artPath);
+  };
+  const store = await createStore(config);
+  const db = await createDb(config);
+  if (db && db.runMigrations) await db.runMigrations();
+  const app = createServer({
+    store,
+    config,
+    db,
+    getLatestTokens: read,
+    getResolvedTokens: readResolved,
+    getArtifactIndex: readIndex,
+    getArtifact: readArtifact
+  });
+  (0, import_node_server.serve)({ fetch: app.fetch, port }, () => {
+    console.log(
+      import_picocolors4.default.dim("\n  Preview URL :") + import_picocolors4.default.cyan(` http://localhost:${port}/preview`)
+    );
+    console.log(
+      import_picocolors4.default.dim("  Latest      :") + import_picocolors4.default.cyan(` http://localhost:${port}/tokens/latest`)
+    );
+    console.log(
+      import_picocolors4.default.dim("  Health      :") + import_picocolors4.default.cyan(` http://localhost:${port}/health`)
+    );
+    console.log(import_picocolors4.default.dim("\n  Watching for token file changes...\n"));
+  });
+  process.on("SIGINT", async () => {
+    stop();
+    try {
+      await store.close();
+    } catch (e) {
+    }
+    if (db) {
+      try {
+        await db.close();
+      } catch (e) {
+      }
+    }
+    console.log(import_picocolors4.default.dim("\n  Stopped.\n"));
+    process.exit(0);
+  });
+});
+import_commander.program.command("serve").description("Run the hosted bridge server (config from env; no sorb.config.json)").action(async () => {
+  initSentry();
+  process.on("unhandledRejection", (reason) => {
+    captureError(reason, { at: "unhandledRejection" });
+  });
+  process.on("uncaughtException", (err) => {
+    captureError(err, { at: "uncaughtException" });
+  });
+  const config = loadConfig();
+  const port = config.port;
+  console.log(import_picocolors4.default.bold("\nSorb (hosted bridge)"));
+  console.log(import_picocolors4.default.dim("  Namespace :") + ` ${config.namespace}`);
+  console.log(import_picocolors4.default.dim("  Port      :") + ` ${port}`);
+  console.log(import_picocolors4.default.dim("  Redis     :") + ` ${config.redisUrl ? "on" : "off (in-memory)"}`);
+  console.log(import_picocolors4.default.dim("  Postgres  :") + ` ${config.databaseUrl ? "on" : "off"}`);
+  const store = await createStore(config);
+  let db = null;
+  try {
+    db = await createDb(config);
+    if (db && db.runMigrations) await db.runMigrations();
+  } catch (e) {
+    console.error(import_picocolors4.default.yellow("  \u26A0 Postgres init failed; continuing without DB: ") + e.message);
+    db = null;
+  }
+  const app = createServer({
+    store,
+    config,
+    db,
+    getLatestTokens: () => ({}),
+    getResolvedTokens: () => null,
+    getArtifactIndex: () => null,
+    getArtifact: () => null,
+    // Route server-side DB-error / bookkeeping catches to Sentry. NO-OP when
+    // SENTRY_DSN is unset (captureError gates on the enabled flag).
+    onError: captureError
+  });
+  (0, import_node_server.serve)({ fetch: app.fetch, port, hostname: "0.0.0.0" }, () => {
+    console.log(import_picocolors4.default.dim(`
+  Listening on 0.0.0.0:${port}  \xB7  /health  /ready
+`));
+  });
+  const shutdown = async () => {
+    try {
+      await store.close();
+    } catch (e) {
+    }
+    if (db) {
+      try {
+        await db.close();
+      } catch (e) {
+      }
+    }
+    try {
+      await flushSentry(2e3);
+    } catch (e) {
+    }
+    process.exit(0);
+  };
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+});
+import_commander.program.command("init").description("Create a sorb.config.json in the current directory").action(() => {
+  const configPath = (0, import_path3.resolve)(process.cwd(), "sorb.config.json");
+  if ((0, import_fs3.existsSync)(configPath)) {
+    console.log(import_picocolors4.default.yellow("  sorb.config.json already exists"));
+    return;
+  }
+  const defaults = {
+    namespace: "my-app",
+    tokenSources: [
+      "tokens/primitive.json",
+      "tokens/semantic.json",
+      "tokens/component.json"
+    ],
+    styleDictionaryConfig: "sd.config.js",
+    port: 7777
+  };
+  (0, import_fs3.writeFileSync)(configPath, JSON.stringify(defaults, null, 2) + "\n");
+  console.log(import_picocolors4.default.green("  \u2713 Created sorb.config.json"));
+});
+import_commander.program.command("commit").description("Open a GitHub PR with the current token file").requiredOption("--owner <owner>", "GitHub org or user").requiredOption("--repo <repo>", "GitHub repo name").requiredOption("--pat <pat>", "GitHub personal access token").option("--message <message>", "PR / commit title", "Update design tokens").action(async (opts) => {
+  const config = loadFileConfig();
+  const content = (0, import_fs3.readFileSync)(
+    (0, import_path3.resolve)(process.cwd(), config.tokenPath),
+    "utf-8"
+  );
+  console.log(import_picocolors4.default.dim("\n  Opening PR..."));
+  try {
+    const url = await openTokenPR({
+      owner: opts.owner,
+      repo: opts.repo,
+      tokenPath: config.tokenPath,
+      content,
+      message: opts.message,
+      pat: opts.pat
+    });
+    console.log(import_picocolors4.default.green(`  \u2713 PR opened: `) + import_picocolors4.default.cyan(url) + "\n");
+  } catch (err) {
+    console.error(import_picocolors4.default.red("  \u2717 Failed to open PR:"), err);
+    process.exit(1);
+  }
+});
+import_commander.program.parse();
+//# sourceMappingURL=cli.js.map