@standardagents/builder 0.17.2 → 0.18.0

package/dist/runtime.js

@@ -12539,11 +12539,24 @@ async function hashToken(token) {
   const hashArray = new Uint8Array(hashBuffer);
   return Array.from(hashArray, (byte) => byte.toString(16).padStart(2, "0")).join("");
 }
+var SESSION_COOKIE_NAME = "agtuser_session";
+function readSessionCookie(request) {
+  const header = request.headers.get("Cookie");
+  if (!header) return null;
+  for (const part of header.split(";")) {
+    const eq = part.indexOf("=");
+    if (eq === -1) continue;
+    if (part.slice(0, eq).trim() === SESSION_COOKIE_NAME) {
+      return decodeURIComponent(part.slice(eq + 1).trim()) || null;
+    }
+  }
+  return null;
+}
 function isValidUserToken(token) {
   return token.startsWith("agtuser_") && token.length > 10;
 }
 function isValidApiKey(key) {
-  return key.startsWith("agtbldr_") && key.length > 10;
+  return key.startsWith("agtbldr_") && key.length > 10 || key.startsWith("sak_live_") && key.length > 10;
 }
 async function verifySignedToken(signedToken, encryptionKey) {
   try {
@@ -12612,6 +12625,10 @@ function extractBearerToken(request) {
   if (authHeader && authHeader.startsWith("Bearer ")) {
     return authHeader.substring(7);
   }
+  const cookieToken = readSessionCookie(request);
+  if (cookieToken) {
+    return cookieToken;
+  }
   const isWebSocket = request.headers.get("upgrade")?.toLowerCase() === "websocket";
   if (isWebSocket) {
     try {
@@ -12663,7 +12680,11 @@ async function authenticate(request, env) {
           user: {
             id: user.id,
             username: user.username,
-            role: user.role
+            role: user.role,
+            platform_user_id: user.platform_user_id ?? null,
+            email: user.email ?? null,
+            display_name: user.display_name ?? null,
+            avatar_url: user.avatar_url ?? null
           },
           authType: "session"
         };
@@ -12681,7 +12702,11 @@ async function authenticate(request, env) {
           user: {
             id: user.id,
             username: user.username,
-            role: user.role
+            role: user.role,
+            platform_user_id: user.platform_user_id ?? null,
+            email: user.email ?? null,
+            display_name: user.display_name ?? null,
+            avatar_url: user.avatar_url ?? null
           },
           authType: "api_key"
         };
@@ -15471,9 +15496,9 @@ var DurableThread = class extends DurableObject {
    * Each migration is run in order, starting from the current version + 1.
    */
   async runMigrations(fromVersion) {
-    for (const migration37 of migrations) {
-      if (migration37.version > fromVersion) {
-        await migration37.up(this.ctx.storage.sql);
+    for (const migration38 of migrations) {
+      if (migration38.version > fromVersion) {
+        await migration38.up(this.ctx.storage.sql);
       }
     }
   }
@@ -18908,9 +18933,38 @@ var migration36 = {
   }
 };
 
+// src/durable-objects/agentbuilder-migrations/0007_platform_identity_replica.ts
+var migration37 = {
+  version: 7,
+  async up(sql) {
+    sql.exec(`ALTER TABLE users ADD COLUMN platform_user_id TEXT`);
+    sql.exec(`ALTER TABLE users ADD COLUMN email TEXT`);
+    sql.exec(`ALTER TABLE users ADD COLUMN display_name TEXT`);
+    sql.exec(`ALTER TABLE users ADD COLUMN avatar_url TEXT`);
+    sql.exec(`ALTER TABLE users ADD COLUMN instance_role TEXT NOT NULL DEFAULT 'admin' CHECK (instance_role IN ('admin', 'user'))`);
+    sql.exec(`ALTER TABLE users ADD COLUMN source TEXT NOT NULL DEFAULT 'local' CHECK (source IN ('local', 'standard_agents'))`);
+    sql.exec(`ALTER TABLE users ADD COLUMN replica_active INTEGER NOT NULL DEFAULT 1`);
+    sql.exec(`ALTER TABLE users ADD COLUMN replica_updated_at INTEGER`);
+    sql.exec(`ALTER TABLE users ADD COLUMN deleted_at INTEGER`);
+    sql.exec(`CREATE INDEX IF NOT EXISTS idx_users_platform_user_id ON users(platform_user_id)`);
+    sql.exec(`CREATE INDEX IF NOT EXISTS idx_users_replica_active ON users(replica_active)`);
+    sql.exec(`CREATE INDEX IF NOT EXISTS idx_users_instance_role ON users(instance_role)`);
+    sql.exec(`ALTER TABLE api_keys ADD COLUMN platform_key_id TEXT`);
+    sql.exec(`ALTER TABLE api_keys ADD COLUMN scope TEXT`);
+    sql.exec(`ALTER TABLE api_keys ADD COLUMN source TEXT NOT NULL DEFAULT 'local' CHECK (source IN ('local', 'standard_agents'))`);
+    sql.exec(`ALTER TABLE api_keys ADD COLUMN replica_active INTEGER NOT NULL DEFAULT 1`);
+    sql.exec(`ALTER TABLE api_keys ADD COLUMN replica_updated_at INTEGER`);
+    sql.exec(`CREATE INDEX IF NOT EXISTS idx_api_keys_platform_key_id ON api_keys(platform_key_id)`);
+    sql.exec(`CREATE INDEX IF NOT EXISTS idx_api_keys_replica_active ON api_keys(replica_active)`);
+    sql.exec(`
+      INSERT OR REPLACE INTO _metadata (key, value) VALUES ('schema_version', '7')
+    `);
+  }
+};
+
 // src/durable-objects/agentbuilder-migrations/index.ts
-var migrations2 = [migration31, migration32, migration33, migration34, migration35, migration36];
-var LATEST_SCHEMA_VERSION2 = 6;
+var migrations2 = [migration31, migration32, migration33, migration34, migration35, migration36, migration37];
+var LATEST_SCHEMA_VERSION2 = 7;
 
 // src/utils/crypto.ts
 var CryptoUtil = class {
@@ -19534,9 +19588,9 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
     }
   }
   async runMigrations(fromVersion) {
-    for (const migration37 of migrations2) {
-      if (migration37.version > fromVersion) {
-        await migration37.up(this.ctx.storage.sql);
+    for (const migration38 of migrations2) {
+      if (migration38.version > fromVersion) {
+        await migration38.up(this.ctx.storage.sql);
       }
     }
   }
@@ -20569,27 +20623,54 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
   // ============================================================
   // User Authentication Methods
   // ============================================================
+  normalizeReplicaUsername(input, fallback) {
+    const normalized = (input || fallback).trim().toLowerCase().replace(/[^a-z0-9_-]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 50);
+    return normalized || fallback;
+  }
+  async availableReplicaUsername(candidate, platformUserId) {
+    const existing = await this.ctx.storage.sql.exec(
+      `SELECT id, platform_user_id FROM users WHERE username = ? LIMIT 1`,
+      candidate
+    );
+    const row = existing.toArray()[0];
+    if (!row || row.platform_user_id === platformUserId) {
+      return candidate;
+    }
+    const suffix = platformUserId.replace(/[^a-zA-Z0-9]/g, "").slice(0, 8) || "user";
+    const trimmed = candidate.slice(0, Math.max(1, 50 - suffix.length - 1)).replace(/-+$/g, "");
+    return `${trimmed || "sa"}-${suffix}`;
+  }
+  userFromRow(row) {
+    return {
+      id: row.id,
+      username: row.username,
+      password_hash: row.password_hash,
+      role: row.role === "user" ? "user" : "admin",
+      platform_user_id: row.platform_user_id ?? null,
+      email: row.email ?? null,
+      display_name: row.display_name ?? null,
+      avatar_url: row.avatar_url ?? null,
+      source: row.source ?? "local",
+      replica_active: row.replica_active ?? 1,
+      created_at: row.created_at,
+      updated_at: row.updated_at
+    };
+  }
   /**
    * Get a user by username.
    */
   async getUserByUsername(username) {
     await this.ensureMigrated();
     const cursor = await this.ctx.storage.sql.exec(
-      `SELECT id, username, password_hash, role, created_at, updated_at
-       FROM users WHERE username = ?`,
+      `SELECT id, username, password_hash, COALESCE(instance_role, role) AS role,
+        platform_user_id, email, display_name, avatar_url, source, replica_active,
+        created_at, updated_at
+       FROM users WHERE username = ? AND deleted_at IS NULL AND replica_active != 0`,
       username
     );
     const rows = cursor.toArray();
     if (rows.length === 0) return null;
-    const row = rows[0];
-    return {
-      id: row.id,
-      username: row.username,
-      password_hash: row.password_hash,
-      role: row.role,
-      created_at: row.created_at,
-      updated_at: row.updated_at
-    };
+    return this.userFromRow(rows[0]);
   }
   /**
    * Get a user by ID.
@@ -20597,21 +20678,15 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
   async getUserById(id) {
     await this.ensureMigrated();
     const cursor = await this.ctx.storage.sql.exec(
-      `SELECT id, username, password_hash, role, created_at, updated_at
-       FROM users WHERE id = ?`,
+      `SELECT id, username, password_hash, COALESCE(instance_role, role) AS role,
+        platform_user_id, email, display_name, avatar_url, source, replica_active,
+        created_at, updated_at
+       FROM users WHERE id = ? AND deleted_at IS NULL AND replica_active != 0`,
       id
     );
     const rows = cursor.toArray();
     if (rows.length === 0) return null;
-    const row = rows[0];
-    return {
-      id: row.id,
-      username: row.username,
-      password_hash: row.password_hash,
-      role: row.role,
-      created_at: row.created_at,
-      updated_at: row.updated_at
-    };
+    return this.userFromRow(rows[0]);
   }
   /**
    * Create a new user.
@@ -20621,12 +20696,23 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
     const id = crypto.randomUUID();
     const now = Math.floor(Date.now() / 1e3);
     await this.ctx.storage.sql.exec(
-      `INSERT INTO users (id, username, password_hash, role, created_at, updated_at)
-       VALUES (?, ?, ?, ?, ?, ?)`,
+      `INSERT INTO users (
+        id, username, password_hash, role, instance_role, platform_user_id,
+        email, display_name, avatar_url, source, replica_active,
+        replica_updated_at, created_at, updated_at
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
       id,
       params.username,
       params.password_hash,
+      "admin",
       params.role || "admin",
+      params.platform_user_id ?? null,
+      params.email ?? null,
+      params.display_name ?? null,
+      params.avatar_url ?? null,
+      params.source ?? "local",
+      1,
+      params.source === "standard_agents" ? now : null,
       now,
       now
     );
@@ -20635,6 +20721,12 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
       username: params.username,
       password_hash: params.password_hash,
       role: params.role || "admin",
+      platform_user_id: params.platform_user_id ?? null,
+      email: params.email ?? null,
+      display_name: params.display_name ?? null,
+      avatar_url: params.avatar_url ?? null,
+      source: params.source ?? "local",
+      replica_active: 1,
       created_at: now,
       updated_at: now
     };
@@ -20654,11 +20746,24 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
    */
   async listUsers() {
     await this.ensureMigrated();
-    const cursor = await this.ctx.storage.sql.exec(`SELECT id, username, role, created_at, updated_at FROM users ORDER BY created_at DESC`);
+    const cursor = await this.ctx.storage.sql.exec(
+      `SELECT id, username, COALESCE(instance_role, role) AS role,
+        platform_user_id, email, display_name, avatar_url, source, replica_active,
+        created_at, updated_at
+       FROM users
+       WHERE deleted_at IS NULL
+       ORDER BY created_at DESC`
+    );
     return cursor.toArray().map((row) => ({
       id: row.id,
       username: row.username,
-      role: row.role,
+      role: row.role === "user" ? "user" : "admin",
+      platform_user_id: row.platform_user_id ?? null,
+      email: row.email ?? null,
+      display_name: row.display_name ?? null,
+      avatar_url: row.avatar_url ?? null,
+      source: row.source ?? "local",
+      replica_active: row.replica_active ?? 1,
       created_at: row.created_at,
       updated_at: row.updated_at
     }));
@@ -20682,14 +20787,42 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
       values.push(params.password_hash);
     }
     if (params.role !== void 0) {
-      updates.push("role = ?");
+      updates.push("instance_role = ?");
       values.push(params.role);
     }
+    if (params.platform_user_id !== void 0) {
+      updates.push("platform_user_id = ?");
+      values.push(params.platform_user_id);
+    }
+    if (params.email !== void 0) {
+      updates.push("email = ?");
+      values.push(params.email);
+    }
+    if (params.display_name !== void 0) {
+      updates.push("display_name = ?");
+      values.push(params.display_name);
+    }
+    if (params.avatar_url !== void 0) {
+      updates.push("avatar_url = ?");
+      values.push(params.avatar_url);
+    }
+    if (params.source !== void 0) {
+      updates.push("source = ?");
+      values.push(params.source);
+    }
+    if (params.replica_active !== void 0) {
+      updates.push("replica_active = ?");
+      values.push(params.replica_active);
+    }
     if (updates.length === 0) {
       return existing;
     }
     updates.push("updated_at = ?");
     values.push(now);
+    if (params.source === "standard_agents" || params.replica_active !== void 0) {
+      updates.push("replica_updated_at = ?");
+      values.push(now);
+    }
     values.push(id);
     await this.ctx.storage.sql.exec(
       `UPDATE users SET ${updates.join(", ")} WHERE id = ?`,
@@ -20710,9 +20843,223 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
       `DELETE FROM api_keys WHERE user_id = ?`,
       id
     );
-    await this.ctx.storage.sql.exec(`DELETE FROM users WHERE id = ?`, id);
+    await this.ctx.storage.sql.exec(
+      `UPDATE users SET deleted_at = ?, replica_active = 0 WHERE id = ?`,
+      Math.floor(Date.now() / 1e3),
+      id
+    );
     return true;
   }
+  /**
+   * Upsert a platform-replicated identity and return the local user row.
+   */
+  async upsertPlatformReplicaUser(replica) {
+    await this.ensureMigrated();
+    const now = Math.floor(Date.now() / 1e3);
+    const fallback = this.normalizeReplicaUsername(
+      replica.email?.split("@")[0] ?? null,
+      `sa-${replica.platform_user_id.slice(0, 12)}`
+    );
+    const username = this.normalizeReplicaUsername(
+      replica.username ?? replica.display_name ?? replica.email ?? null,
+      fallback
+    );
+    const existingCursor = await this.ctx.storage.sql.exec(
+      `SELECT id FROM users WHERE platform_user_id = ? LIMIT 1`,
+      replica.platform_user_id
+    );
+    const existing = existingCursor.toArray()[0];
+    const availableUsername = await this.availableReplicaUsername(username, replica.platform_user_id);
+    if (existing) {
+      await this.ctx.storage.sql.exec(
+        `UPDATE users SET
+          username = ?,
+          instance_role = ?,
+          email = ?,
+          display_name = ?,
+          avatar_url = ?,
+          source = 'standard_agents',
+          replica_active = 1,
+          replica_updated_at = ?,
+          deleted_at = NULL,
+          updated_at = ?
+        WHERE id = ?`,
+        availableUsername,
+        replica.role,
+        replica.email ?? null,
+        replica.display_name ?? null,
+        replica.avatar_url ?? null,
+        now,
+        now,
+        existing.id
+      );
+      const updated = await this.getUserById(existing.id);
+      if (!updated) {
+        throw new Error("Failed to load replicated user after update");
+      }
+      return updated;
+    }
+    return this.createUser({
+      username: availableUsername,
+      password_hash: `platform-replica:${crypto.randomUUID()}`,
+      role: replica.role,
+      platform_user_id: replica.platform_user_id,
+      email: replica.email ?? null,
+      display_name: replica.display_name ?? null,
+      avatar_url: replica.avatar_url ?? null,
+      source: "standard_agents"
+    });
+  }
+  /**
+   * Apply a full platform read-replica snapshot for this instance.
+   */
+  async applyPlatformReplicaSnapshot(snapshot) {
+    await this.ensureMigrated();
+    const activeUserIds = /* @__PURE__ */ new Set();
+    for (const replicaUser of snapshot.users) {
+      const user = await this.upsertPlatformReplicaUser(replicaUser);
+      activeUserIds.add(user.id);
+    }
+    const activeList = Array.from(activeUserIds);
+    if (activeList.length > 0) {
+      const placeholders = activeList.map(() => "?").join(", ");
+      const inactive = await this.ctx.storage.sql.exec(
+        `SELECT id FROM users
+         WHERE source = 'standard_agents'
+           AND replica_active != 0
+           AND id NOT IN (${placeholders})`,
+        ...activeList
+      );
+      for (const row of inactive.toArray()) {
+        await this.ctx.storage.sql.exec(`DELETE FROM sessions WHERE user_id = ?`, row.id);
+        await this.ctx.storage.sql.exec(
+          `UPDATE users SET replica_active = 0, deleted_at = ?, replica_updated_at = ?, updated_at = ? WHERE id = ?`,
+          Math.floor(Date.now() / 1e3),
+          Math.floor(Date.now() / 1e3),
+          Math.floor(Date.now() / 1e3),
+          row.id
+        );
+      }
+    } else {
+      const inactive = await this.ctx.storage.sql.exec(
+        `SELECT id FROM users WHERE source = 'standard_agents' AND replica_active != 0`
+      );
+      for (const row of inactive.toArray()) {
+        await this.ctx.storage.sql.exec(`DELETE FROM sessions WHERE user_id = ?`, row.id);
+      }
+      const now2 = Math.floor(Date.now() / 1e3);
+      await this.ctx.storage.sql.exec(
+        `UPDATE users SET replica_active = 0, deleted_at = ?, replica_updated_at = ?, updated_at = ?
+         WHERE source = 'standard_agents'`,
+        now2,
+        now2,
+        now2
+      );
+    }
+    const activePlatformKeyIds = /* @__PURE__ */ new Set();
+    const keys = snapshot.api_keys ?? [];
+    for (const key of keys) {
+      const user = key.user_platform_id ? await this.getUserByPlatformUserId(key.user_platform_id) : await this.getFirstReplicaAdminUser();
+      const keyUser = user ?? await this.getFirstReplicaAdminUser();
+      if (!keyUser) continue;
+      activePlatformKeyIds.add(key.id);
+      await this.upsertPlatformReplicaApiKey(key, keyUser.id);
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    if (activePlatformKeyIds.size > 0) {
+      const ids = Array.from(activePlatformKeyIds);
+      const placeholders = ids.map(() => "?").join(", ");
+      await this.ctx.storage.sql.exec(
+        `UPDATE api_keys SET replica_active = 0, replica_updated_at = ?
+         WHERE source = 'standard_agents' AND platform_key_id NOT IN (${placeholders})`,
+        now,
+        ...ids
+      );
+    } else {
+      await this.ctx.storage.sql.exec(
+        `UPDATE api_keys SET replica_active = 0, replica_updated_at = ?
+         WHERE source = 'standard_agents'`,
+        now
+      );
+    }
+    return { users: activeUserIds.size, api_keys: activePlatformKeyIds.size };
+  }
+  async getUserByPlatformUserId(platformUserId) {
+    await this.ensureMigrated();
+    const cursor = await this.ctx.storage.sql.exec(
+      `SELECT id FROM users
+       WHERE platform_user_id = ? AND deleted_at IS NULL AND replica_active != 0
+       LIMIT 1`,
+      platformUserId
+    );
+    const row = cursor.toArray()[0];
+    return row ? this.getUserById(row.id) : null;
+  }
+  async getFirstReplicaAdminUser() {
+    await this.ensureMigrated();
+    const cursor = await this.ctx.storage.sql.exec(
+      `SELECT id FROM users
+       WHERE source = 'standard_agents'
+         AND instance_role = 'admin'
+         AND deleted_at IS NULL
+         AND replica_active != 0
+       ORDER BY created_at ASC
+       LIMIT 1`
+    );
+    const row = cursor.toArray()[0];
+    return row ? this.getUserById(row.id) : null;
+  }
+  async upsertPlatformReplicaApiKey(key, userId) {
+    await this.ensureMigrated();
+    const now = Math.floor(Date.now() / 1e3);
+    const existing = await this.ctx.storage.sql.exec(
+      `SELECT id FROM api_keys WHERE platform_key_id = ? LIMIT 1`,
+      key.id
+    );
+    const row = existing.toArray()[0];
+    const name = key.name || `Standard Agents ${key.key_prefix}`;
+    const lastFive = key.last_five || key.key_prefix.slice(-5);
+    if (row) {
+      await this.ctx.storage.sql.exec(
+        `UPDATE api_keys SET
+          name = ?,
+          key_hash = ?,
+          key_prefix = ?,
+          last_five = ?,
+          user_id = ?,
+          scope = ?,
+          source = 'standard_agents',
+          replica_active = 1,
+          replica_updated_at = ?
+         WHERE id = ?`,
+        name,
+        key.key_hash,
+        key.key_prefix,
+        lastFive,
+        userId,
+        key.scope ?? null,
+        now,
+        row.id
+      );
+      return;
+    }
+    await this.ctx.storage.sql.exec(
+      `INSERT INTO api_keys (
+        id, name, key_hash, key_prefix, last_five, user_id, created_at,
+        platform_key_id, scope, source, replica_active, replica_updated_at
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, 'standard_agents', 1, ?)`,
+      `platform:${key.id}`,
+      name,
+      key.key_hash,
+      key.key_prefix,
+      lastFive,
+      userId,
+      key.created_at ?? now,
+      key.id,
+      key.scope ?? null,
+      now
+    );
+  }
   // ============================================================
   // Session Methods
   // ============================================================
@@ -20741,8 +21088,13 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
     await this.ensureMigrated();
     const now = Math.floor(Date.now() / 1e3);
     const cursor = await this.ctx.storage.sql.exec(
-      `SELECT user_id, expires_at FROM sessions
-       WHERE token_hash = ? AND expires_at > ?`,
+      `SELECT sessions.user_id, sessions.expires_at
+       FROM sessions
+       JOIN users ON users.id = sessions.user_id
+       WHERE sessions.token_hash = ?
+         AND sessions.expires_at > ?
+         AND users.deleted_at IS NULL
+         AND users.replica_active != 0`,
       tokenHash,
       now
     );
@@ -20799,14 +21151,23 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
    */
   async validateApiKey(keyHash) {
     await this.ensureMigrated();
-    const cursor = await this.ctx.storage.sql.exec(`SELECT id, user_id FROM api_keys WHERE key_hash = ?`, keyHash);
+    const cursor = await this.ctx.storage.sql.exec(
+      `SELECT api_keys.id, api_keys.user_id
+       FROM api_keys
+       JOIN users ON users.id = api_keys.user_id
+       WHERE api_keys.key_hash = ?
+         AND api_keys.replica_active != 0
+         AND users.deleted_at IS NULL
+         AND users.replica_active != 0`,
+      keyHash
+    );
     const rows = cursor.toArray();
     if (rows.length === 0) {
       return null;
     }
     const now = Math.floor(Date.now() / 1e3);
     await this.ctx.storage.sql.exec(
-      `UPDATE api_keys SET last_used_at = ? WHERE key_hash = ?`,
+      `UPDATE api_keys SET last_used_at = ? WHERE key_hash = ? AND replica_active != 0`,
       now,
       keyHash
     );
@@ -20818,8 +21179,10 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
   async listApiKeys(userId) {
     await this.ensureMigrated();
     const cursor = await this.ctx.storage.sql.exec(
-      `SELECT id, name, key_prefix, last_five, created_at, last_used_at
-       FROM api_keys WHERE user_id = ? ORDER BY created_at DESC`,
+      `SELECT id, name, key_prefix, last_five, source, created_at, last_used_at
+       FROM api_keys
+       WHERE user_id = ? AND replica_active != 0
+       ORDER BY created_at DESC`,
       userId
     );
     return cursor.toArray();