@valbuild/server 0.60.27 → 0.62.0

package/dist/valbuild-server.cjs.dev.js

@@ -7,15 +7,16 @@ var ts = require('typescript');
 var fp = require('@valbuild/core/fp');
 var core = require('@valbuild/core');
 var patch = require('@valbuild/core/patch');
-var path = require('path');
+var fsPath = require('path');
 var fs = require('fs');
 var sucrase = require('sucrase');
 var ui = require('@valbuild/ui');
-var z = require('zod');
+var server = require('@valbuild/ui/server');
 var internal = require('@valbuild/shared/internal');
+var crypto$1 = require('crypto');
+var z = require('zod');
 var sizeOf = require('image-size');
-var crypto = require('crypto');
-var server = require('@valbuild/ui/server');
+var zodValidationError = require('zod-validation-error');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { 'default': e }; }
 
@@ -38,11 +39,11 @@ function _interopNamespace(e) {
 }
 
 var ts__default = /*#__PURE__*/_interopDefault(ts);
-var path__namespace = /*#__PURE__*/_interopNamespace(path);
+var fsPath__namespace = /*#__PURE__*/_interopNamespace(fsPath);
 var fs__default = /*#__PURE__*/_interopDefault(fs);
+var crypto__default = /*#__PURE__*/_interopDefault(crypto$1);
 var z__default = /*#__PURE__*/_interopDefault(z);
 var sizeOf__default = /*#__PURE__*/_interopDefault(sizeOf);
-var crypto__default = /*#__PURE__*/_interopDefault(crypto);
 
 class ValSyntaxError {
   constructor(message, node) {
@@ -634,10 +635,10 @@ class TSOps {
 }
 
 function getSyntheticContainingPath(rootDir) {
-  return path__namespace["default"].join(rootDir, "<val>"); // TODO: this is the synthetic path used when evaluating / patching modules. I am not sure <val> is the best choice: val.ts / js better? But that is weird too. At least now it is clear(er) that it is indeed a synthetic file (i.e. not an actual file)
+  return fsPath__namespace["default"].join(rootDir, "<val>"); // TODO: this is the synthetic path used when evaluating / patching modules. I am not sure <val> is the best choice: val.ts / js better? But that is weird too. At least now it is clear(er) that it is indeed a synthetic file (i.e. not an actual file)
 }
 
-const ops$1 = new TSOps(document => {
+const ops = new TSOps(document => {
   return fp.pipe(analyzeValModule(document), fp.result.map(({
     source
   }) => source));
@@ -647,12 +648,12 @@ const ops$1 = new TSOps(document => {
 const patchValFile = async (id, rootDir, patch$1, sourceFileHandler, runtime) => {
   // const timeId = randomUUID();
   // console.time("patchValFile" + timeId);
-  const filePath = sourceFileHandler.resolveSourceModulePath(getSyntheticContainingPath(rootDir), `.${id}.val`);
+  const filePath = sourceFileHandler.resolveSourceModulePath(getSyntheticContainingPath(rootDir), `.${id.replace(".val.ts", ".val").replace(".val.js", ".val").replace(".val.jsx", ".val").replace(".val.tsx", ".val")}`);
   const sourceFile = sourceFileHandler.getSourceFile(filePath);
   if (!sourceFile) {
     throw Error(`Source file ${filePath} not found`);
   }
-  const derefRes = core.derefPatch(patch$1, sourceFile, ops$1);
+  const derefRes = core.derefPatch(patch$1, sourceFile, ops);
   if (fp.result.isErr(derefRes)) {
     throw derefRes.error;
   }
@@ -690,12 +691,12 @@ function convertDataUrlToBase64(dataUrl) {
 }
 const patchSourceFile = (sourceFile, patch$1) => {
   if (typeof sourceFile === "string") {
-    return patch.applyPatch(ts__default["default"].createSourceFile("<val>", sourceFile, ts__default["default"].ScriptTarget.ES2015), ops$1, patch$1);
+    return patch.applyPatch(ts__default["default"].createSourceFile("<val>", sourceFile, ts__default["default"].ScriptTarget.ES2015), ops, patch$1);
   }
-  return patch.applyPatch(sourceFile, ops$1, patch$1);
+  return patch.applyPatch(sourceFile, ops, patch$1);
 };
 
-const readValFile = async (id, rootDirPath, runtime, options) => {
+const readValFile = async (moduleFilePath, rootDirPath, runtime, options) => {
   const context = runtime.newContext();
 
   // avoid failures when console.log is called
@@ -730,12 +731,12 @@ const readValFile = async (id, rootDirPath, runtime, options) => {
   processHandle.dispose();
   optionsHandle.dispose();
   try {
-    const modulePath = `.${id}.val`;
+    const modulePath = `.${moduleFilePath.replace(".val.js", ".val").replace(".val.ts", ".val").replace(".val.tsx", ".val").replace(".val.jsx", ".val")}`;
     const code = `import * as valModule from ${JSON.stringify(modulePath)};
 import { Internal } from "@valbuild/core";
 
 globalThis.valModule = { 
-  id: valModule?.default && Internal.getValPath(valModule?.default),
+  path: valModule?.default && Internal.getValPath(valModule?.default),
   schema: !!globalThis['__VAL_OPTIONS__'].schema ? valModule?.default && Internal.getSchema(valModule?.default)?.serialize() : undefined,
   source: !!globalThis['__VAL_OPTIONS__'].source ? valModule?.default && Internal.getSource(valModule?.default) : undefined,
   validation: !!globalThis['__VAL_OPTIONS__'].validate ? valModule?.default && Internal.getSchema(valModule?.default)?.validate(
@@ -749,11 +750,11 @@ globalThis.valModule = {
     const fatalErrors = [];
     if (result.error) {
       const error = result.error.consume(context.dump);
-      console.error(`Fatal error reading val file: ${id}. Error: ${error.message}\n`, error.stack);
+      console.error(`Fatal error reading val file: ${moduleFilePath}. Error: ${error.message}\n`, error.stack);
       return {
-        path: id,
+        path: moduleFilePath,
         errors: {
-          invalidModuleId: id,
+          invalidModulePath: moduleFilePath,
           fatal: [{
             message: `${error.name || "Unknown error"}: ${error.message || "<no message>"}`,
             stack: error.stack
@@ -765,21 +766,21 @@ globalThis.valModule = {
       const valModule = context.getProp(context.global, "valModule").consume(context.dump);
       if (
       // if one of these are set it is a Val module, so must validate
-      (valModule === null || valModule === void 0 ? void 0 : valModule.id) !== undefined || (valModule === null || valModule === void 0 ? void 0 : valModule.schema) !== undefined || (valModule === null || valModule === void 0 ? void 0 : valModule.source) !== undefined) {
-        if (valModule.id !== id) {
-          fatalErrors.push(`Wrong c.define id! Expected: '${id}', found: '${valModule.id}'`);
+      (valModule === null || valModule === void 0 ? void 0 : valModule.path) !== undefined || (valModule === null || valModule === void 0 ? void 0 : valModule.schema) !== undefined || (valModule === null || valModule === void 0 ? void 0 : valModule.source) !== undefined) {
+        if (valModule.path !== moduleFilePath) {
+          fatalErrors.push(`Wrong c.define id! Expected: '${moduleFilePath}', found: '${valModule.path}'`);
         } else if (encodeURIComponent(valModule.id).replace(/%2F/g, "/") !== valModule.id) {
           fatalErrors.push(`Invalid c.define id! Must be a web-safe path without escape characters, found: '${valModule.id}', which was encoded as: '${encodeURIComponent(valModule.id).replace("%2F", "/")}'`);
         } else if ((valModule === null || valModule === void 0 ? void 0 : valModule.schema) === undefined && options.schema) {
-          fatalErrors.push(`Expected val id: '${id}' to have a schema`);
+          fatalErrors.push(`Expected val id: '${moduleFilePath}' to have a schema`);
         } else if ((valModule === null || valModule === void 0 ? void 0 : valModule.source) === undefined && options.source) {
-          fatalErrors.push(`Expected val id: '${id}' to have a source`);
+          fatalErrors.push(`Expected val id: '${moduleFilePath}' to have a source`);
         }
       }
       let errors = false;
       if (fatalErrors.length > 0) {
         errors = {
-          invalidModuleId: valModule.id !== id ? id : undefined,
+          invalidModulePath: valModule.path !== moduleFilePath ? moduleFilePath : undefined,
           fatal: fatalErrors.map(message => ({
             message
           }))
@@ -792,7 +793,7 @@ globalThis.valModule = {
         };
       }
       return {
-        path: valModule.id || id,
+        path: valModule.id || moduleFilePath,
         // NOTE: we use path here, since SerializedModuleContent (maybe bad name?) can be used for whole modules as well as subparts of modules
         source: valModule.source,
         schema: valModule.schema,
@@ -805,8 +806,8 @@ globalThis.valModule = {
 };
 
 const getCompilerOptions = (rootDir, parseConfigHost) => {
-  const tsConfigPath = path__namespace["default"].resolve(rootDir, "tsconfig.json");
-  const jsConfigPath = path__namespace["default"].resolve(rootDir, "jsconfig.json");
+  const tsConfigPath = fsPath__namespace["default"].resolve(rootDir, "tsconfig.json");
+  const jsConfigPath = fsPath__namespace["default"].resolve(rootDir, "jsconfig.json");
   let configFilePath;
   if (parseConfigHost.fileExists(jsConfigPath)) {
     configFilePath = jsConfigPath;
@@ -837,7 +838,7 @@ class ValSourceFileHandler {
   constructor(projectRoot, compilerOptions, host = {
     ...ts__default["default"].sys,
     writeFile: (fileName, data, encoding) => {
-      fs__default["default"].mkdirSync(path__namespace["default"].dirname(fileName), {
+      fs__default["default"].mkdirSync(fsPath__namespace["default"].dirname(fileName), {
         recursive: true
       });
       fs__default["default"].writeFileSync(fileName, data, encoding);
@@ -864,7 +865,7 @@ class ValSourceFileHandler {
     this.host.writeFile(filePath, content, encoding);
   }
   resolveSourceModulePath(containingFilePath, requestedModuleName) {
-    const resolutionRes = ts__default["default"].resolveModuleName(requestedModuleName, path__namespace["default"].isAbsolute(containingFilePath) ? containingFilePath : path__namespace["default"].resolve(this.projectRoot, containingFilePath), this.compilerOptions, this.host, undefined, undefined, ts__default["default"].ModuleKind.ESNext);
+    const resolutionRes = ts__default["default"].resolveModuleName(requestedModuleName, fsPath__namespace["default"].isAbsolute(containingFilePath) ? containingFilePath : fsPath__namespace["default"].resolve(this.projectRoot, containingFilePath), this.compilerOptions, this.host, undefined, undefined, ts__default["default"].ModuleKind.ESNext);
     const resolvedModule = resolutionRes.resolvedModule;
     if (!resolvedModule) {
       throw Error(`Could not resolve module "${requestedModuleName}", base: "${containingFilePath}": No resolved modules returned: ${JSON.stringify(resolutionRes)}`);
@@ -887,7 +888,7 @@ class ValModuleLoader {
   sourceFileHandler, host = {
     ...ts__default["default"].sys,
     writeFile: (fileName, data, encoding) => {
-      fs__default["default"].mkdirSync(path__namespace["default"].dirname(fileName), {
+      fs__default["default"].mkdirSync(fsPath__namespace["default"].dirname(fileName), {
         recursive: true
       });
       fs__default["default"].writeFileSync(fileName, data, encoding);
@@ -1179,7 +1180,7 @@ export default new Proxy({}, {
 async function createService(projectRoot, opts, host = {
   ...ts__default["default"].sys,
   writeFile: (fileName, data, encoding) => {
-    fs__default["default"].mkdirSync(path__namespace["default"].dirname(fileName), {
+    fs__default["default"].mkdirSync(fsPath__namespace["default"].dirname(fileName), {
       recursive: true
     });
     fs__default["default"].writeFileSync(fileName, data, encoding);
@@ -1198,15 +1199,15 @@ class Service {
     this.runtime = runtime;
     this.projectRoot = projectRoot;
   }
-  async get(moduleId, modulePath, options) {
-    const valModule = await readValFile(moduleId, this.projectRoot, this.runtime, options ?? {
+  async get(moduleFilePath, modulePath, options) {
+    const valModule = await readValFile(moduleFilePath, this.projectRoot, this.runtime, options ?? {
       validate: true,
       source: true,
       schema: true
     });
     if (valModule.source && valModule.schema) {
       const resolved = core.Internal.resolvePath(modulePath, valModule.source, valModule.schema);
-      const sourcePath = resolved.path ? [moduleId, resolved.path].join(".") : moduleId;
+      const sourcePath = resolved.path ? [moduleFilePath, resolved.path].join(".") : moduleFilePath;
       return {
         path: sourcePath,
         schema: resolved.schema instanceof core.Schema ? resolved.schema.serialize() : resolved.schema,
@@ -1222,101 +1223,73 @@ class Service {
       return valModule;
     }
   }
-  async patch(moduleId, patch) {
-    await patchValFile(moduleId, this.projectRoot, patch, this.sourceFileHandler, this.runtime);
+  async patch(moduleFilePath, patch) {
+    await patchValFile(moduleFilePath, this.projectRoot, patch, this.sourceFileHandler, this.runtime);
   }
   dispose() {
     this.runtime.dispose();
   }
 }
 
-const JSONValueT = z__default["default"].lazy(() => z__default["default"].union([z__default["default"].string(), z__default["default"].number(), z__default["default"].boolean(), z__default["default"].null(), z__default["default"].array(JSONValueT), z__default["default"].record(JSONValueT)]));
-
-/**
- * Raw JSON patch operation.
- */
-const OperationJSONT = z__default["default"].discriminatedUnion("op", [z__default["default"].object({
-  op: z__default["default"].literal("add"),
-  path: z__default["default"].string(),
-  value: JSONValueT
-}).strict(), z__default["default"].object({
-  op: z__default["default"].literal("remove"),
-  /**
-   * Must be non-root
-   */
-  path: z__default["default"].string()
-}).strict(), z__default["default"].object({
-  op: z__default["default"].literal("replace"),
-  path: z__default["default"].string(),
-  value: JSONValueT
-}).strict(), z__default["default"].object({
-  op: z__default["default"].literal("move"),
-  /**
-   * Must be non-root and not a proper prefix of "path".
-   */
-  from: z__default["default"].string(),
-  path: z__default["default"].string()
-}).strict(), z__default["default"].object({
-  op: z__default["default"].literal("copy"),
-  from: z__default["default"].string(),
-  path: z__default["default"].string()
-}).strict(), z__default["default"].object({
-  op: z__default["default"].literal("test"),
-  path: z__default["default"].string(),
-  value: JSONValueT
-}).strict(), z__default["default"].object({
-  op: z__default["default"].literal("file"),
-  path: z__default["default"].string(),
-  filePath: z__default["default"].string(),
-  value: z__default["default"].string()
-}).strict()]);
-const PatchJSON = z__default["default"].array(OperationJSONT);
-/**
- * Raw JSON patch operation.
- */
-const OperationT = z__default["default"].discriminatedUnion("op", [z__default["default"].object({
-  op: z__default["default"].literal("add"),
-  path: z__default["default"].array(z__default["default"].string()),
-  value: JSONValueT
-}).strict(), z__default["default"].object({
-  op: z__default["default"].literal("remove"),
-  path: z__default["default"].array(z__default["default"].string()).nonempty()
-}).strict(), z__default["default"].object({
-  op: z__default["default"].literal("replace"),
-  path: z__default["default"].array(z__default["default"].string()),
-  value: JSONValueT
-}).strict(), z__default["default"].object({
-  op: z__default["default"].literal("move"),
-  from: z__default["default"].array(z__default["default"].string()).nonempty(),
-  path: z__default["default"].array(z__default["default"].string())
-}).strict(), z__default["default"].object({
-  op: z__default["default"].literal("copy"),
-  from: z__default["default"].array(z__default["default"].string()),
-  path: z__default["default"].array(z__default["default"].string())
-}).strict(), z__default["default"].object({
-  op: z__default["default"].literal("test"),
-  path: z__default["default"].array(z__default["default"].string()),
-  value: JSONValueT
-}).strict(), z__default["default"].object({
-  op: z__default["default"].literal("file"),
-  path: z__default["default"].array(z__default["default"].string()),
-  filePath: z__default["default"].string(),
-  value: z__default["default"].union([z__default["default"].string(), z__default["default"].object({
-    sha256: z__default["default"].string(),
-    mimeType: z__default["default"].string()
-  })])
-}).strict()]);
-const Patch = z__default["default"].array(OperationT);
-
-function getValidationErrorFileRef(validationError) {
-  const maybeRef = validationError.value && typeof validationError.value === "object" && core.FILE_REF_PROP in validationError.value && typeof validationError.value[core.FILE_REF_PROP] === "string" ? validationError.value[core.FILE_REF_PROP] : undefined;
-  if (!maybeRef) {
+function decodeJwt(token, secretKey) {
+  const [headerBase64, payloadBase64, signatureBase64, ...rest] = token.split(".");
+  if (!headerBase64 || !payloadBase64 || !signatureBase64 || rest.length > 0) {
+    console.debug("Invalid JWT: format is not exactly {header}.{payload}.{signature}", token);
     return null;
   }
-  return maybeRef;
+  try {
+    const parsedHeader = JSON.parse(Buffer.from(headerBase64, "base64").toString("utf8"));
+    const headerVerification = JwtHeaderSchema.safeParse(parsedHeader);
+    if (!headerVerification.success) {
+      console.debug("Invalid JWT: invalid header", parsedHeader);
+      return null;
+    }
+    if (headerVerification.data.typ !== jwtHeader.typ) {
+      console.debug("Invalid JWT: invalid header typ", parsedHeader);
+      return null;
+    }
+    if (headerVerification.data.alg !== jwtHeader.alg) {
+      console.debug("Invalid JWT: invalid header alg", parsedHeader);
+      return null;
+    }
+  } catch (err) {
+    console.debug("Invalid JWT: could not parse header", err);
+    return null;
+  }
+  if (secretKey) {
+    const signature = crypto__default["default"].createHmac("sha256", secretKey).update(`${headerBase64}.${payloadBase64}`).digest("base64");
+    if (signature !== signatureBase64) {
+      console.debug("Invalid JWT: invalid signature");
+      return null;
+    }
+  }
+  try {
+    const parsedPayload = JSON.parse(Buffer.from(payloadBase64, "base64").toString("utf8"));
+    return parsedPayload;
+  } catch (err) {
+    console.debug("Invalid JWT: could not parse payload", err);
+    return null;
+  }
+}
+function getExpire() {
+  return Math.floor(Date.now() / 1000) + 60 * 60 * 24 * 4; // 4 days
+}
+const JwtHeaderSchema = z.z.object({
+  alg: z.z.literal("HS256"),
+  typ: z.z.literal("JWT")
+});
+const jwtHeader = {
+  alg: "HS256",
+  typ: "JWT"
+};
+const jwtHeaderBase64 = Buffer.from(JSON.stringify(jwtHeader)).toString("base64");
+function encodeJwt(payload, sessionKey) {
+  // NOTE: this is only used for authentication, not for authorization (i.e. what a user can do) - this is handled when actually doing operations
+  const payloadBase64 = Buffer.from(JSON.stringify(payload)).toString("base64");
+  return `${jwtHeaderBase64}.${payloadBase64}.${crypto__default["default"].createHmac("sha256", sessionKey).update(`${jwtHeaderBase64}.${payloadBase64}`).digest("base64")}`;
 }
 
-const textEncoder$1 = new TextEncoder();
+const textEncoder$2 = new TextEncoder();
 async function extractImageMetadata(filename, input) {
   const imageSize = sizeOf__default["default"](input);
   let mimeType = null;
@@ -1350,7 +1323,7 @@ async function extractImageMetadata(filename, input) {
   };
 }
 function getSha256(mimeType, input) {
-  return core.Internal.getSHA256Hash(textEncoder$1.encode(
+  return core.Internal.getSHA256Hash(textEncoder$2.encode(
   // TODO: we should probably store the mimetype in the metadata and reuse it here
   `data:${mimeType};base64,${input.toString("base64")}`));
 }
@@ -1366,1218 +1339,2004 @@ async function extractFileMetadata(filename, input) {
   };
 }
 
-function validateMetadata(actualMetadata, expectedMetadata) {
-  const missingMetadata = [];
-  const erroneousMetadata = {};
-  if (typeof actualMetadata !== "object" || actualMetadata === null) {
-    return {
-      globalErrors: ["Metadata is wrong type: must be an object."]
-    };
-  }
-  if (Array.isArray(actualMetadata)) {
-    return {
-      globalErrors: ["Metadata is wrong type: cannot be an array."]
-    };
-  }
-  const recordMetadata = actualMetadata;
-  const globalErrors = [];
-  for (const anyKey in expectedMetadata) {
-    if (typeof anyKey !== "string") {
-      globalErrors.push(`Expected metadata has key '${anyKey}' that is not typeof 'string', but: '${typeof anyKey}'. This is most likely a Val bug.`);
-    } else {
-      if (anyKey in actualMetadata) {
-        const key = anyKey;
-        if (expectedMetadata[key] !== recordMetadata[key]) {
-          erroneousMetadata[key] = `Expected metadata '${key}' to be ${JSON.stringify(expectedMetadata[key])}, but got ${JSON.stringify(recordMetadata[key])}.`;
-        }
-      } else {
-        missingMetadata.push(anyKey);
-      }
-    }
-  }
-  if (globalErrors.length === 0 && missingMetadata.length === 0 && Object.keys(erroneousMetadata).length === 0) {
-    return false;
-  }
-  return {
-    missingMetadata,
-    erroneousMetadata
-  };
-}
+/* eslint-disable @typescript-eslint/no-unused-vars */
+const textEncoder$1 = new TextEncoder();
+const jsonOps = new patch.JSONOps();
+const tsOps = new TSOps(document => {
+  return fp.pipe(analyzeValModule(document), fp.result.map(({
+    source
+  }) => source));
+});
+// #region ValOps
+class ValOps {
+  /** Sources from val modules, immutable (without patches or anything)  */
 
-function getValidationErrorMetadata(validationError) {
-  const maybeMetadata = validationError.value && typeof validationError.value === "object" && "metadata" in validationError.value && validationError.value.metadata && validationError.value.metadata;
-  if (!maybeMetadata) {
-    return null;
-  }
-  return maybeMetadata;
-}
+  /** The sha265 / hash of sources + schema + config */
 
-const ops = new patch.JSONOps();
-class ValServer {
-  constructor(cwd, options, callbacks) {
-    this.cwd = cwd;
+  /** Schema from val modules, immutable  */
+
+  /** The sha265 / hash of schema + config - if this changes users needs to reload */
+
+  constructor(valModules, options) {
+    this.valModules = valModules;
     this.options = options;
-    this.callbacks = callbacks;
+    this.sources = null;
+    this.baseSha = null;
+    this.schemas = null;
+    this.schemaSha = null;
+    this.modulesErrors = null;
+  }
+  hash(input) {
+    let str;
+    if (typeof input === "string") {
+      str = input;
+    } else {
+      str = JSON.stringify(input);
+    }
+    return core.Internal.getSHA256Hash(textEncoder$1.encode(str));
   }
 
-  /* Auth endpoints: */
-  async enable(query) {
-    const redirectToRes = getRedirectUrl(query, this.options.valEnableRedirectUrl);
-    if (typeof redirectToRes !== "string") {
-      return redirectToRes;
+  // #region initTree
+  async initTree() {
+    if (this.baseSha === null || this.schemaSha === null || this.sources === null || this.schemas === null || this.modulesErrors === null) {
+      const currentModulesErrors = [];
+      const addModuleError = (message, index, path) => {
+        currentModulesErrors[index] = {
+          message,
+          path: path
+        };
+      };
+      const currentSources = {};
+      const currentSchemas = {};
+      let baseSha = this.hash(JSON.stringify(this.valModules.config));
+      let schemaSha = baseSha;
+      for (let moduleIdx = 0; moduleIdx < this.valModules.modules.length; moduleIdx++) {
+        const module = this.valModules.modules[moduleIdx];
+        if (!module.def) {
+          addModuleError("val.modules is missing 'def' property", moduleIdx);
+          continue;
+        }
+        if (typeof module.def !== "function") {
+          addModuleError("val.modules 'def' property is not a function", moduleIdx);
+          continue;
+        }
+        await module.def().then(value => {
+          if (!value) {
+            addModuleError(`val.modules 'def' did not return a value`, moduleIdx);
+            return;
+          }
+          if (!value.default) {
+            addModuleError(`val.modules 'def' did not return a default export`, moduleIdx);
+            return;
+          }
+          const path = core.Internal.getValPath(value.default);
+          if (path === undefined) {
+            addModuleError(`path is undefined`, moduleIdx);
+            return;
+          }
+          const schema = core.Internal.getSchema(value.default);
+          if (schema === undefined) {
+            addModuleError(`schema in path '${path}' is undefined`, moduleIdx, path);
+            return;
+          }
+          if (!(schema instanceof core.Schema)) {
+            addModuleError(`schema in path '${path}' is not an instance of Schema`, moduleIdx, path);
+            return;
+          }
+          if (typeof schema.serialize !== "function") {
+            addModuleError(`schema.serialize in path '${path}' is not a function`, moduleIdx, path);
+            return;
+          }
+          const source = core.Internal.getSource(value.default);
+          if (source === undefined) {
+            addModuleError(`source in ${path} is undefined`, moduleIdx, path);
+            return;
+          }
+          const pathM = path;
+          currentSources[pathM] = source;
+          currentSchemas[pathM] = schema;
+          // make sure the checks above is enough that this does not fail - even if val modules are not set up correctly
+          baseSha += this.hash({
+            path,
+            schema: schema.serialize(),
+            source,
+            modulesErrors: currentModulesErrors
+          });
+          schemaSha += this.hash(schema.serialize());
+        });
+      }
+      this.sources = currentSources;
+      this.schemas = currentSchemas;
+      this.baseSha = baseSha;
+      this.schemaSha = schemaSha;
+      this.modulesErrors = currentModulesErrors;
     }
-    await this.callbacks.onEnable(true);
     return {
-      cookies: {
-        [internal.VAL_ENABLE_COOKIE_NAME]: ENABLE_COOKIE_VALUE
-      },
-      status: 302,
-      redirectTo: redirectToRes
+      baseSha: this.baseSha,
+      schemaSha: this.schemaSha,
+      sources: this.sources,
+      schemas: this.schemas,
+      moduleErrors: this.modulesErrors
     };
   }
-  async disable(query) {
-    const redirectToRes = getRedirectUrl(query, this.options.valDisableRedirectUrl);
-    if (typeof redirectToRes !== "string") {
-      return redirectToRes;
-    }
-    await this.callbacks.onDisable(true);
-    return {
-      cookies: {
-        [internal.VAL_ENABLE_COOKIE_NAME]: {
-          value: "false"
-        }
-      },
-      status: 302,
-      redirectTo: redirectToRes
-    };
+  async init() {
+    const {
+      baseSha,
+      schemaSha
+    } = await this.initTree();
+    await this.onInit(baseSha, schemaSha);
   }
-  async getTree(treePath,
-  // TODO: use the params: patch, schema, source now we return everything, every time
-  query, cookies, requestHeaders) {
-    const ensureRes = await debugTiming("ensureInitialized", () => this.ensureInitialized("getTree", cookies));
-    if (fp.result.isErr(ensureRes)) {
-      return ensureRes.error;
-    }
-    const applyPatches = query.patch === "true";
-    const includeSource = query.source === "true";
-    const includeSchema = query.schema === "true";
-    const moduleIds = await debugTiming("getAllModules", () => this.getAllModules(treePath));
-    let {
-      patchIdsByModuleId,
-      patchesById,
-      fileUpdates
-    } = {
-      patchIdsByModuleId: {},
-      patchesById: {},
-      fileUpdates: {}
-    };
-    if (applyPatches) {
-      const res = await debugTiming("readPatches", () => this.readPatches(cookies));
-      if (fp.result.isErr(res)) {
-        return res.error;
-      }
-      patchIdsByModuleId = res.value.patchIdsByModuleId;
-      patchesById = res.value.patchesById;
-      fileUpdates = res.value.fileUpdates;
-    }
-    const validate = false;
-    const possiblyPatchedContent = await debugTiming("applyAllPatchesThenValidate", () => Promise.all(moduleIds.map(async moduleId => {
-      return this.applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, cookies, requestHeaders, applyPatches, validate, includeSource, includeSchema);
-    })));
-    const modules = Object.fromEntries(possiblyPatchedContent.map(serializedModuleContent => {
-      const module = {
-        schema: serializedModuleContent.schema,
-        source: serializedModuleContent.source,
-        errors: serializedModuleContent.errors
-      };
-      return [serializedModuleContent.path, module];
-    }));
-    const apiTreeResponse = {
-      modules,
-      git: this.options.git
-    };
-    return {
-      status: 200,
-      json: apiTreeResponse
-    };
+  async getBaseSources() {
+    return this.initTree().then(result => result.sources);
   }
-  async postValidate(rawBody, cookies, requestHeaders) {
-    const ensureRes = await this.ensureInitialized("postValidate", cookies);
-    if (fp.result.isErr(ensureRes)) {
-      return ensureRes.error;
-    }
-    return this.validateThenMaybeCommit(rawBody, false, cookies, requestHeaders);
+  async getSchemas() {
+    return this.initTree().then(result => result.schemas);
   }
-  async postCommit(rawBody, cookies, requestHeaders) {
-    const ensureRes = await this.ensureInitialized("postCommit", cookies);
-    if (fp.result.isErr(ensureRes)) {
-      return ensureRes.error;
-    }
-    const res = await this.validateThenMaybeCommit(rawBody, true, cookies, requestHeaders);
-    if (res.status === 200) {
-      if (res.json.validationErrors) {
-        return {
-          status: 400,
-          json: {
-            ...res.json
-          }
-        };
-      }
-      return {
-        status: 200,
-        json: {
-          ...res.json,
-          git: this.options.git
-        }
-      };
-    }
-    return res;
+  async getModuleErrors() {
+    return this.initTree().then(result => result.moduleErrors);
+  }
+  async getBaseSha() {
+    return this.initTree().then(result => result.baseSha);
+  }
+  async getSchemaSha() {
+    return this.initTree().then(result => result.schemaSha);
   }
 
-  /* */
-  async applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, cookies, requestHeaders, applyPatches, validate, includeSource, includeSchema) {
-    const serializedModuleContent = await this.getModule(moduleId, {
-      source: includeSource,
-      schema: includeSchema
-    });
-    if (!applyPatches) {
-      return serializedModuleContent;
-    }
-    const schema = serializedModuleContent.schema;
-    const maybeSource = serializedModuleContent.source;
-    if (serializedModuleContent.errors && (serializedModuleContent.errors.fatal || serializedModuleContent.errors.invalidModuleId)) {
-      return serializedModuleContent;
-    }
-    if (!maybeSource || !schema) {
-      return serializedModuleContent;
-    }
-    let source = maybeSource;
-    await debugTiming("applyPatches:" + moduleId, async () => {
-      for (const patchId of patchIdsByModuleId[moduleId] ?? []) {
-        const patch$1 = patchesById[patchId];
-        if (!patch$1) {
-          continue;
-        }
-        const patchRes = patch.applyPatch(source, ops, patch$1.filter(core.Internal.notFileOp));
-        if (fp.result.isOk(patchRes)) {
-          source = patchRes.value;
-        } else {
-          console.error("Val: got an unexpected error while applying patch. Is there a mismatch in Val versions? Perhaps Val is misconfigured?", {
-            patchId,
-            moduleId,
-            patch: JSON.stringify(patch$1, null, 2),
-            error: patchRes.error
-          });
-          return {
-            path: moduleId,
-            schema,
-            source,
-            errors: {
-              fatal: [{
-                message: "Unexpected error applying patch",
-                type: "invalid-patch"
-              }]
-            }
-          };
+  // #region analyzePatches
+  analyzePatches(patchesById) {
+    const patchesByModule = {};
+    const fileLastUpdatedByPatchId = {};
+    for (const [patchIdS, {
+      path,
+      patch,
+      createdAt: created_at
+    }] of Object.entries(patchesById)) {
+      const patchId = patchIdS;
+      for (const op of patch) {
+        if (op.op === "file") {
+          fileLastUpdatedByPatchId[op.filePath] = patchId;
         }
       }
-    });
-    if (validate) {
-      const validationErrors = await debugTiming("validate:" + moduleId, async () => core.deserializeSchema(schema).validate(moduleId, source));
-      if (validationErrors) {
-        const revalidated = await debugTiming("revalidate image/file:" + moduleId, async () => this.revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies, requestHeaders));
-        return {
-          path: moduleId,
-          schema,
-          source,
-          errors: revalidated && {
-            validation: revalidated
-          }
-        };
+      if (!patchesByModule[path]) {
+        patchesByModule[path] = [];
       }
+      patchesByModule[path].push({
+        patchId,
+        createdAt: created_at
+      });
+    }
+    for (const path in patchesByModule) {
+      patchesByModule[path].sort((a, b) => a.createdAt.localeCompare(b.createdAt));
     }
     return {
-      path: moduleId,
-      schema,
-      source,
-      errors: false
+      patchesByModule,
+      fileLastUpdatedByPatchId
     };
   }
-  // TODO: name this better: we need to check for image and file validation errors
-  // since they cannot be handled directly inside the validation function.
-  // The reason is that validate will be called inside QuickJS (in the future, hopefully),
-  // which does not have access to the filesystem, at least not at the time of writing this comment.
-  // If you are reading this, and we still are not using QuickJS to validate, this assumption might be wrong.
-  async revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies, reqHeaders) {
-    const revalidatedValidationErrors = {};
-    for (const pathStr in validationErrors) {
-      const errorSourcePath = pathStr;
-      const errors = validationErrors[errorSourcePath];
-      revalidatedValidationErrors[errorSourcePath] = [];
-      for (const error of errors) {
-        var _error$fixes;
-        if ((_error$fixes = error.fixes) !== null && _error$fixes !== void 0 && _error$fixes.every(fix => fix === "file:check-metadata" || fix === "image:replace-metadata" // TODO: rename fix to: image:check-metadata
-        )) {
-          const fileRef = getValidationErrorFileRef(error);
-          if (fileRef) {
-            var _fileUpdates$fileRef;
-            const filePath = path__namespace["default"].join(this.cwd, fileRef);
-            let expectedMetadata = await this.getMetadata(fileRef, (_fileUpdates$fileRef = fileUpdates[fileRef]) === null || _fileUpdates$fileRef === void 0 ? void 0 : _fileUpdates$fileRef.sha256);
-
-            // if this is a new file or we have an actual FS, we read the file and get the metadata
-            if (!expectedMetadata) {
-              let fileBuffer = undefined;
-              const updatedFileMetadata = fileUpdates[fileRef];
-              if (updatedFileMetadata) {
-                const fileRes = await this.getFiles(fileRef, {
-                  sha256: updatedFileMetadata.sha256
-                }, cookies, reqHeaders);
-                if (fileRes.status === 200 && fileRes.body) {
-                  const res = new Response(fileRes.body);
-                  fileBuffer = Buffer.from(await res.arrayBuffer());
-                } else {
-                  console.error("Val: unexpected error while fetching image / file:", fileRef, {
-                    error: fileRes
-                  });
-                }
-              }
-              // try fetch file directly via http
-              if (fileRef.startsWith("/public")) {
-                const host = `${reqHeaders["x-forwarded-proto"]}://${reqHeaders["host"]}`;
-                const fileUrl = fileRef.slice("/public".length);
-                const fetchRes = await fetch(new URL(fileUrl, host));
-                if (fetchRes.status === 200) {
-                  fileBuffer = Buffer.from(await fetchRes.arrayBuffer());
-                } else {
-                  console.error("Val: unexpected error while fetching image / file:", fileRef, {
-                    error: {
-                      status: fetchRes.status,
-                      url: fetchRes.url
-                    }
-                  });
-                }
-              } else {
-                console.error("Val: unexpected while getting public image / file (file reference did not start with /public)", fileRef);
-              }
-              if (!fileBuffer) {
-                revalidatedValidationErrors[errorSourcePath].push({
-                  message: `Could not read file: ${filePath}`
-                });
-                continue;
-              }
-              if (error.fixes.some(fix => fix === "image:replace-metadata")) {
-                expectedMetadata = await extractImageMetadata(filePath, fileBuffer);
-              } else {
-                expectedMetadata = await extractFileMetadata(filePath, fileBuffer);
-              }
-            }
-            if (!expectedMetadata) {
-              revalidatedValidationErrors[errorSourcePath].push({
-                message: `Could not read file metadata. Is the reference to the file: ${fileRef} correct?`
-              });
+
+  // #region getTree
+  async getTree(analysis) {
+    if (!analysis) {
+      const {
+        sources
+      } = await this.initTree();
+      return {
+        sources,
+        errors: {}
+      };
+    }
+    const {
+      sources
+    } = await this.initTree();
+    const patchedSources = {};
+    const errors = {};
+    for (const [pathS, patches] of Object.entries(analysis.patchesByModule)) {
+      const path = pathS;
+      if (!sources[path]) {
+        if (!errors[path]) {
+          errors[path] = [];
+        }
+        errors[path].push({
+          invalidPath: true,
+          error: new patch.PatchError(`Module at path: '${path}' not found`)
+        });
+      }
+      const source = sources[path];
+      for (const {
+        patchId
+      } of patches) {
+        if (errors[path]) {
+          errors[path].push({
+            patchId: patchId,
+            error: new patch.PatchError(`Cannot apply patch: previous errors exists`)
+          });
+        } else {
+          const patchData = analysis.patches[patchId];
+          if (!patchData) {
+            errors[path].push({
+              patchId: patchId,
+              error: new patch.PatchError(`Patch not found`)
+            });
+            continue;
+          }
+          const applicableOps = [];
+          const fileFixOps = {};
+          for (const op of patchData.patch) {
+            if (op.op === "file") {
+              // NOTE: We insert the last patch_id that modify a file
+              // when constructing the url we use the patch id (and the file path)
+              // to fetch the right file
+              // NOTE: overwrite and use last patch_id if multiple patches modify the same file
+              fileFixOps[op.path.join("/")] = [{
+                op: "add",
+                path: op.path.concat("patch_id"),
+                value: patchId
+              }];
             } else {
-              const actualMetadata = getValidationErrorMetadata(error);
-              const revalidatedError = validateMetadata(actualMetadata, expectedMetadata);
-              if (!revalidatedError) {
-                // no errors anymore:
-                continue;
-              }
-              const errorMsgs = (revalidatedError.globalErrors || []).concat(Object.values(revalidatedError.erroneousMetadata || {})).concat(Object.values(revalidatedError.missingMetadata || []).map(missingKey => {
-                var _expectedMetadata;
-                return `Required key: '${missingKey}' is not defined. Should be: '${JSON.stringify((_expectedMetadata = expectedMetadata) === null || _expectedMetadata === void 0 ? void 0 : _expectedMetadata[missingKey])}'`;
-              }));
-              revalidatedValidationErrors[errorSourcePath].push(...errorMsgs.map(message => ({
-                message
-              })));
+              applicableOps.push(op);
             }
-          } else {
-            revalidatedValidationErrors[errorSourcePath].push(error);
           }
-        } else {
-          revalidatedValidationErrors[errorSourcePath].push(error);
-        }
-      }
-    }
-    const hasErrors = Object.values(revalidatedValidationErrors).some(errors => errors.length > 0);
-    if (hasErrors) {
-      return revalidatedValidationErrors;
-    }
-    return hasErrors;
-  }
-  sortPatchIds(patchesByModule) {
-    return Object.values(patchesByModule).flatMap(modulePatches => modulePatches).sort((a, b) => {
-      return a.created_at.localeCompare(b.created_at);
-    }).map(patchData => patchData.patch_id);
-  }
-
-  // can be overridden if FS cannot read from static assets / public folder (because of bundlers or what not)
-  async readStaticBinaryFile(filePath) {
-    return fs__default["default"].promises.readFile(filePath);
-  }
-  async readPatches(cookies) {
-    const res = await this.getPatches({},
-    // {} means no ids, so get all patches
-    cookies);
-    if (res.status === 400 || res.status === 401 || res.status === 403 || res.status === 404 || res.status === 500 || res.status === 501) {
-      return fp.result.err(res);
-    } else if (res.status === 200 || res.status === 201) {
-      const patchesByModule = res.json;
-      const patches = [];
-      const patchIdsByModuleId = {};
-      const patchesById = {};
-      for (const [moduleIdS, modulePatchData] of Object.entries(patchesByModule)) {
-        const moduleId = moduleIdS;
-        patchIdsByModuleId[moduleId] = modulePatchData.map(patch => patch.patch_id);
-        for (const patchData of modulePatchData) {
-          patches.push([patchData.patch_id, moduleId, patchData.patch]);
-          patchesById[patchData.patch_id] = patchData.patch;
-        }
-      }
-      const fileUpdates = {};
-      const sortedPatchIds = this.sortPatchIds(patchesByModule);
-      for (const sortedPatchId of sortedPatchIds) {
-        const patchId = sortedPatchId;
-        for (const op of patchesById[patchId] || []) {
-          if (op.op === "file") {
-            const parsedFileOp = z.z.object({
-              sha256: z.z.string(),
-              mimeType: z.z.string()
-            }).safeParse(op.value);
-            if (!parsedFileOp.success) {
-              return fp.result.err({
-                status: 500,
-                json: {
-                  message: "Unexpected error: file op value must be transformed into object",
-                  details: {
-                    value: "First 200 chars: " + JSON.stringify(op.value).slice(0, 200),
-                    patchId
-                  }
-                }
-              });
+          const patchRes = patch.applyPatch(source, jsonOps, applicableOps.concat(...Object.values(fileFixOps)));
+          if (fp.result.isErr(patchRes)) {
+            if (!errors[path]) {
+              errors[path] = [];
             }
-            fileUpdates[op.filePath] = {
-              ...parsedFileOp.data
-            };
+            errors[path].push({
+              patchId: patchId,
+              error: patchRes.error
+            });
+          } else {
+            patchedSources[path] = patchRes.value;
           }
         }
       }
-      return fp.result.ok({
-        patches,
-        patchIdsByModuleId,
-        patchesById,
-        fileUpdates
-      });
-    } else {
-      return fp.result.err({
-        status: 500,
-        json: {
-          message: "Unknown error"
-        }
-      });
     }
+    return {
+      sources: patchedSources,
+      errors
+    };
   }
-  async validateThenMaybeCommit(rawBody, commit, cookies, requestHeaders) {
-    const filterPatchesByModuleIdRes = z.z.object({
-      patches: z.z.record(z.z.array(z.z.string())).optional()
-    }).safeParse(rawBody);
-    if (!filterPatchesByModuleIdRes.success) {
-      return {
-        status: 404,
-        json: {
-          message: "Could not parse body",
-          details: filterPatchesByModuleIdRes.error
-        }
-      };
-    }
-    const res = await this.readPatches(cookies);
-    if (fp.result.isErr(res)) {
-      return res.error;
-    }
-    const {
-      patchIdsByModuleId,
-      patchesById,
-      patches,
-      fileUpdates
-    } = res.value;
-    const validationErrorsByModuleId = {};
-    for (const moduleIdStr of await this.getAllModules("/")) {
-      const moduleId = moduleIdStr;
-      const serializedModuleContent = await this.applyAllPatchesThenValidate(moduleId, filterPatchesByModuleIdRes.data.patches ||
-      // TODO: refine to ModuleId and PatchId when parsing
-      patchIdsByModuleId, patchesById, fileUpdates, cookies, requestHeaders, true, true, true, commit);
-      if (serializedModuleContent.errors) {
-        validationErrorsByModuleId[moduleId] = serializedModuleContent;
-      }
-    }
-    if (Object.keys(validationErrorsByModuleId).length > 0) {
-      const modules = {};
-      for (const [patchId, moduleId] of patches) {
-        if (!modules[moduleId]) {
-          modules[moduleId] = {
-            patches: {
-              applied: []
-            }
+
+  // #region validateSources
+  async validateSources(schemas, sources, patchesByModule) {
+    const errors = {};
+    const files = {};
+    const entries = Object.entries(schemas);
+    const modulePathsToValidate = patchesByModule && Object.keys(patchesByModule);
+    for (const [pathS, schema] of entries) {
+      if (modulePathsToValidate && !modulePathsToValidate.includes(pathS)) {
+        continue;
+      }
+      const path = pathS;
+      const source = sources[path];
+      if (source === undefined) {
+        if (!errors[path]) {
+          errors[path] = {
+            validations: {}
           };
         }
-        if (validationErrorsByModuleId[moduleId]) {
-          var _modules$moduleId$pat;
-          if (!modules[moduleId].patches.failed) {
-            modules[moduleId].patches.failed = [];
+        errors[path] = {
+          ...errors[path],
+          invalidSource: {
+            message: `Module at path: '${path}' does not exist`
           }
-          (_modules$moduleId$pat = modules[moduleId].patches.failed) === null || _modules$moduleId$pat === void 0 || _modules$moduleId$pat.push(patchId);
-        } else {
-          modules[moduleId].patches.applied.push(patchId);
-        }
+        };
+        continue;
       }
-      return {
-        status: 200,
-        json: {
-          modules,
-          validationErrors: validationErrorsByModuleId
+      const res = schema.validate(path, source);
+      if (res === false) {
+        continue;
+      }
+      for (const [sourcePathS, validationErrors] of Object.entries(res)) {
+        const sourcePath = sourcePathS;
+        for (const validationError of validationErrors) {
+          if (isOnlyFileCheckValidationError(validationError)) {
+            if (files[sourcePath]) {
+              throw new Error("Cannot have multiple files with same path. Path: " + sourcePath + "; Module: " + path);
+            }
+            const value = validationError.value;
+            if (isFileSource(value)) {
+              files[sourcePath] = value;
+            }
+          } else {
+            if (!errors[path]) {
+              errors[path] = {
+                validations: {}
+              };
+            }
+            if (!errors[path].validations[sourcePath]) {
+              errors[path].validations[sourcePath] = [];
+            }
+            errors[path].validations[sourcePath].push(validationError);
+          }
         }
-      };
-    }
-    let modules;
-    if (commit) {
-      const commitRes = await this.execCommit(patches, cookies);
-      if (commitRes.status !== 200) {
-        return commitRes;
       }
-      modules = commitRes.json;
-    } else {
-      modules = await this.getPatchedModules(patches);
     }
     return {
-      status: 200,
-      json: {
-        modules,
-        validationErrors: false
+      errors,
+      files
+    };
+  }
+
+  // #region validateFiles
+  async validateFiles(schemas, sources, files, fileLastUpdatedByPatchId) {
+    const validateFileAtSourcePath = async (sourcePath, value) => {
+      const [fullModulePath, modulePath] = core.Internal.splitModuleFilePathAndModulePath(sourcePath);
+      const schema = schemas[fullModulePath];
+      if (!schema) {
+        return {
+          [sourcePath]: [{
+            message: `Schema not found for path: '${fullModulePath}'`,
+            value
+          }]
+        };
+      }
+      const source = sources[fullModulePath];
+      if (!source) {
+        return {
+          [sourcePath]: [{
+            message: `Source not found for path: '${fullModulePath}'`,
+            value
+          }]
+        };
+      }
+      let schemaAtPath;
+      try {
+        const {
+          schema: resolvedSchema
+        } = core.Internal.resolvePath(modulePath, sources[fullModulePath], schemas[fullModulePath]);
+        schemaAtPath = resolvedSchema;
+      } catch (e) {
+        if (e instanceof Error) {
+          return {
+            [sourcePath]: [{
+              message: `Could not resolve schema at path: ${modulePath}. Error: ${e.message}`,
+              value
+            }]
+          };
+        }
+        return {
+          [sourcePath]: [{
+            message: `Could not resolve schema at path: ${modulePath}. Unknown error.`,
+            value
+          }]
+        };
+      }
+      const type = schemaAtPath instanceof core.ImageSchema ? "image" : "file";
+      const filePath = value[core.FILE_REF_PROP];
+      const patchId = (fileLastUpdatedByPatchId === null || fileLastUpdatedByPatchId === void 0 ? void 0 : fileLastUpdatedByPatchId[filePath]) || null;
+      let metadata;
+      let metadataErrors;
+
+      // TODO: refactor so we call get metadata once instead of iterating like this. Reason: should be a lot faster
+      if (patchId) {
+        const patchFileMetadata = await this.getBase64EncodedBinaryFileMetadataFromPatch(filePath, type, patchId);
+        if (patchFileMetadata.errors) {
+          metadataErrors = patchFileMetadata.errors;
+        } else {
+          metadata = patchFileMetadata.metadata;
+        }
+      } else {
+        const patchFileMetadata = await this.getBinaryFileMetadata(filePath, type);
+        if (patchFileMetadata.errors) {
+          metadataErrors = patchFileMetadata.errors;
+        } else {
+          metadata = patchFileMetadata.metadata;
+        }
+      }
+      if (metadataErrors && metadataErrors.length > 0) {
+        return {
+          [sourcePath]: metadataErrors.map(e => ({
+            message: e.message,
+            value: {
+              filePath,
+              patchId
+            }
+          }))
+        };
+      }
+      if (!metadata) {
+        return {
+          [sourcePath]: [{
+            message: "Unexpectedly got no metadata",
+            value: {
+              filePath
+            }
+          }]
+        };
+      }
+      const metadataSourcePath = core.Internal.createValPathOfItem(sourcePath, "metadata");
+      if (!metadataSourcePath) {
+        throw new Error("Could not create metadata path");
+      }
+      const currentValueMetadata = value.metadata;
+      if (!currentValueMetadata) {
+        return {
+          [metadataSourcePath]: [{
+            message: "Missing metadata field: 'metadata'",
+            value
+          }]
+        };
       }
+      const fieldErrors = {};
+      for (const field of getFieldsForType(type)) {
+        const fieldMetadata = metadata[field];
+        const fieldSourcePath = core.Internal.createValPathOfItem(metadataSourcePath, field);
+        if (!fieldSourcePath) {
+          throw new Error("Could not create field path");
+        }
+        if (!(field in currentValueMetadata)) {
+          return {
+            [fieldSourcePath]: [{
+              message: `Missing metadata field: '${field}'`,
+              value
+            }]
+          };
+        }
+        if (fieldMetadata !== currentValueMetadata[field]) {
+          fieldErrors[fieldSourcePath] = [{
+            message: `Metadata field '${field}' of value: ${JSON.stringify(currentValueMetadata[field])} does not match expected value: ${JSON.stringify(fieldMetadata)}`,
+            value: {
+              actual: currentValueMetadata[field],
+              expected: fieldMetadata
+            },
+            fixes: ["image:replace-metadata"]
+          }];
+        }
+      }
+      return fieldErrors;
     };
+    const allErrors = (await Promise.all(Object.entries(files).map(([sourcePathS, value]) => validateFileAtSourcePath(sourcePathS, value).then(res => {
+      if (res) {
+        return Object.entries(res);
+      } else {
+        return [];
+      }
+    })))).flat();
+    return Object.fromEntries(allErrors);
   }
-  async getPatchedModules(patches) {
-    const modules = {};
-    for (const [patchId, moduleId] of patches) {
-      if (!modules[moduleId]) {
-        modules[moduleId] = {
-          patches: {
-            applied: []
+
+  // #region prepareCommit
+  async prepare(patchAnalysis) {
+    const {
+      patchesByModule,
+      fileLastUpdatedByPatchId
+    } = patchAnalysis;
+    const applySourceFilePatches = async (path, patches) => {
+      const sourceFileRes = await this.getSourceFile(path);
+      const errors = [];
+      if (sourceFileRes.error) {
+        errors.push({
+          message: sourceFileRes.error.message,
+          filePath: path
+        });
+        return {
+          path,
+          errors,
+          skippedPatches: patches.map(p => p.patchId)
+        };
+      }
+      const sourceFile = sourceFileRes.data;
+      let tsSourceFile = ts__default["default"].createSourceFile("<val>", sourceFile, ts__default["default"].ScriptTarget.ES2015);
+      const appliedPatches = [];
+      const triedPatches = [];
+      for (const {
+        patchId
+      } of patches) {
+        var _patchAnalysis$patche;
+        const patch$1 = (_patchAnalysis$patche = patchAnalysis.patches) === null || _patchAnalysis$patche === void 0 || (_patchAnalysis$patche = _patchAnalysis$patche[patchId]) === null || _patchAnalysis$patche === void 0 ? void 0 : _patchAnalysis$patche.patch;
+        if (!patch$1) {
+          errors.push({
+            message: `Analysis required non-existing patch: ${patchId}`
+          });
+          break;
+        }
+        const sourceFileOps = patch$1.filter(op => op.op !== "file"); // file is not a valid source file op
+        const patchRes = patch.applyPatch(tsSourceFile, tsOps, sourceFileOps);
+        if (fp.result.isErr(patchRes)) {
+          if (Array.isArray(patchRes.error)) {
+            errors.push(...patchRes.error);
+          } else {
+            errors.push(patchRes.error);
+          }
+          triedPatches.push(patchId);
+          break;
+        }
+        appliedPatches.push(patchId);
+        tsSourceFile = patchRes.value;
+      }
+      if (errors.length === 0) {
+        var _this$options;
+        let sourceFileText = tsSourceFile.getText(tsSourceFile);
+        if ((_this$options = this.options) !== null && _this$options !== void 0 && _this$options.formatter) {
+          try {
+            sourceFileText = this.options.formatter(sourceFileText, path);
+          } catch (err) {
+            errors.push({
+              message: "Could not format source file: " + (err instanceof Error ? err.message : "Unknown error")
+            });
           }
+        }
+        return {
+          path,
+          appliedPatches,
+          result: sourceFileText
+        };
+      } else {
+        const skippedPatches = patches.slice(appliedPatches.length + triedPatches.length).map(p => p.patchId);
+        return {
+          path,
+          appliedPatches,
+          triedPatches,
+          skippedPatches,
+          errors
         };
       }
-      modules[moduleId].patches.applied.push(patchId);
+    };
+    const allResults = await Promise.all(Object.entries(patchesByModule).map(([path, patches]) => applySourceFilePatches(path, patches)));
+    let hasErrors = false;
+    const sourceFilePatchErrors = {};
+    const appliedPatches = {};
+    const triedPatches = {};
+    const skippedPatches = {};
+    const patchedSourceFiles = {};
+
+    //
+    const globalAppliedPatches = [];
+    for (const res of allResults) {
+      if (res.errors) {
+        hasErrors = true;
+        sourceFilePatchErrors[res.path] = res.errors;
+        appliedPatches[res.path] = res.appliedPatches ?? [];
+        triedPatches[res.path] = res.triedPatches ?? [];
+        skippedPatches[res.path] = res.skippedPatches ?? [];
+      } else {
+        patchedSourceFiles[res.path] = res.result;
+        appliedPatches[res.path] = res.appliedPatches ?? [];
+      }
+      for (const patchId of res.appliedPatches ?? []) {
+        globalAppliedPatches.push(patchId);
+      }
     }
-    return modules;
+    const patchedBinaryFilesDescriptors = {};
+    const binaryFilePatchErrors = {};
+    await Promise.all(Object.entries(fileLastUpdatedByPatchId).map(async ([filePath, patchId]) => {
+      if (globalAppliedPatches.includes(patchId)) {
+        // TODO: do we want to make sure the file is there? Then again, it should be rare that it happens (unless there's a Val bug) so it might be enough to fail later (at commit)
+        // TODO: include sha256? This way we can make sure we pick the right file since theoretically there could be multiple files with the same path in the same patch
+        // or is that the case? We are picking the latest file by path so, that should be enough?
+        patchedBinaryFilesDescriptors[filePath] = {
+          patchId
+        };
+      } else {
+        hasErrors = true;
+        binaryFilePatchErrors[filePath] = {
+          message: "Patch not applied"
+        };
+      }
+    }));
+    const res = {
+      hasErrors,
+      sourceFilePatchErrors,
+      binaryFilePatchErrors,
+      patchedSourceFiles,
+      patchedBinaryFilesDescriptors,
+      appliedPatches,
+      skippedPatches,
+      triedPatches
+    };
+    return res;
   }
 
-  /* Abstract methods */
-
-  /**
-   * Runs before remoteFS dependent methods (e.g.getModule, ...) are called to make sure that:
-   * 1) The remote FS, if applicable, is initialized
-   * 2) The error is returned via API if the remote FS could not be initialized
-   * */
-
-  /* Abstract endpoints */
-
-  /* Abstract auth endpoints: */
-
-  /* Abstract patch endpoints: */
-}
-const chunkSize = 1024 * 1024;
-function bufferToReadableStream(buffer) {
-  const stream = new ReadableStream({
-    start(controller) {
-      let offset = 0;
-      while (offset < buffer.length) {
-        const chunk = buffer.subarray(offset, offset + chunkSize);
-        controller.enqueue(chunk);
-        offset += chunkSize;
+  // #region createPatch
+  async createPatch(path, patch$1, authorId) {
+    const {
+      sources,
+      schemas,
+      moduleErrors
+    } = await this.initTree();
+    const source = sources[path];
+    const schema = schemas[path];
+    const moduleError = moduleErrors.find(e => e.path === path);
+    if (moduleError) {
+      return {
+        error: {
+          message: `Cannot patch. Module at path: '${path}' has fatal errors: ` + moduleErrors.map(m => `"${m.message}"`).join(" and ")
+        }
+      };
+    }
+    if (!source) {
+      return {
+        error: {
+          message: `Cannot patch. Module source at path: '${path}' does not exist`
+        }
+      };
+    }
+    if (!schema) {
+      return {
+        error: {
+          message: `Cannot patch. Module schema at path: '${path}' does not exist`
+        }
+      };
+    }
+    const sourceFileOps = [];
+    const files = {};
+    for (const op of patch$1) {
+      if (op.op !== "file") {
+        sourceFileOps.push(op);
+      } else {
+        const {
+          value,
+          filePath
+        } = op;
+        if (files[filePath]) {
+          files[filePath] = {
+            error: new patch.PatchError("Cannot have multiple files with same path in same patch")
+          };
+        } else if (typeof value !== "string") {
+          files[filePath] = {
+            error: new patch.PatchError("Value is not a string")
+          };
+        } else {
+          const sha256 = core.Internal.getSHA256Hash(textEncoder$1.encode(value));
+          files[filePath] = {
+            value,
+            sha256,
+            path: op.path
+          };
+          sourceFileOps.push({
+            op: "file",
+            path: op.path,
+            filePath,
+            value: {
+              sha256
+            }
+          });
+        }
       }
-      controller.close();
     }
-  });
-  return stream;
-}
-const ENABLE_COOKIE_VALUE = {
-  value: "true",
-  options: {
-    httpOnly: false,
-    sameSite: "lax"
-  }
-};
-function getRedirectUrl(query, overrideHost) {
-  if (typeof query.redirect_to !== "string") {
-    return {
-      status: 400,
-      json: {
-        message: "Missing redirect_to query param"
+    const saveRes = await this.saveSourceFilePatch(path, sourceFileOps, authorId);
+    if (saveRes.error) {
+      return {
+        error: saveRes.error
+      };
+    }
+    const patchId = saveRes.patchId;
+    const saveFileRes = await Promise.all(Object.entries(files).map(async ([filePath, data]) => {
+      if (data.error) {
+        return {
+          filePath,
+          error: data.error
+        };
+      } else {
+        var _lastRes;
+        let type;
+        const modulePath = core.Internal.patchPathToModulePath(data.path);
+        try {
+          const {
+            schema: schemaAtPath
+          } = core.Internal.resolvePath(modulePath, source, schema);
+          type = schemaAtPath instanceof core.ImageSchema ? "image" : schemaAtPath instanceof core.FileSchema ? "file" : schema.serialize().type;
+        } catch (e) {
+          if (e instanceof Error) {
+            return {
+              filePath,
+              error: new patch.PatchError(`Could not resolve file type at: ${modulePath}. Error: ${e.message}`)
+            };
+          }
+          return {
+            filePath,
+            error: new patch.PatchError(`Could not resolve file type at: ${modulePath}. Unknown error.`)
+          };
+        }
+        if (type !== "image" && type !== "file") {
+          return {
+            filePath,
+            error: new patch.PatchError("Unknown file type (resolved from schema): " + type)
+          };
+        }
+        const mimeType = getMimeTypeFromBase64(data.value);
+        if (!mimeType) {
+          return {
+            filePath,
+            error: new patch.PatchError("Could not get mimeType from base 64 encoded value. First chars were: " + data.value.slice(0, 20))
+          };
+        }
+        const buffer = bufferFromDataUrl(data.value);
+        if (!buffer) {
+          return {
+            filePath,
+            error: new patch.PatchError("Could not create buffer from base 64 encoded value")
+          };
+        }
+        const metadataOps = createMetadataFromBuffer(type, mimeType, buffer);
+        if (metadataOps.errors) {
+          return {
+            filePath,
+            error: new patch.PatchError(`Could not get metadata. Errors: ${metadataOps.errors.map(error => error.message).join(", ")}`)
+          };
+        }
+        const MaxRetries = 3;
+        let lastRes;
+        for (let i = 0; i < MaxRetries; i++) {
+          lastRes = await this.saveBase64EncodedBinaryFileFromPatch(filePath, patchId, data.value, type, metadataOps.metadata);
+          if (!lastRes.error) {
+            return {
+              filePath
+            };
+          }
+        }
+        return {
+          filePath,
+          error: new patch.PatchError(((_lastRes = lastRes) === null || _lastRes === void 0 || (_lastRes = _lastRes.error) === null || _lastRes === void 0 ? void 0 : _lastRes.message) || "Unexpectedly could not save patch file")
+        };
       }
+    }));
+    return {
+      patchId,
+      files: saveFileRes,
+      createdAt: new Date().toISOString()
     };
   }
-  if (overrideHost) {
-    return overrideHost + "?redirect_to=" + encodeURIComponent(query.redirect_to);
+
+  // #region abstract ops
+}
+function isOnlyFileCheckValidationError(validationError) {
+  var _validationError$fixe;
+  if ((_validationError$fixe = validationError.fixes) !== null && _validationError$fixe !== void 0 && _validationError$fixe.every(f => f === "file:check-metadata" || f === "image:replace-metadata")) {
+    return true;
   }
-  return query.redirect_to;
+  return false;
 }
-const base64DataAttr = "data:";
-function getMimeTypeFromBase64(content) {
-  const dataIndex = content.indexOf(base64DataAttr);
-  const base64Index = content.indexOf(";base64,");
-  if (dataIndex > -1 || base64Index > -1) {
-    const mimeType = content.slice(dataIndex + base64DataAttr.length, base64Index);
-    return mimeType;
+function isFileSource(value) {
+  if (typeof value === "object" && value !== null && core.FILE_REF_PROP in value && core.VAL_EXTENSION in value && value[core.VAL_EXTENSION] === "file" && core.FILE_REF_PROP) {
+    return true;
   }
-  return null;
+  return false;
 }
-function bufferFromDataUrl(dataUrl, contentType) {
-  let base64Data;
-  if (!contentType) {
-    const base64Index = dataUrl.indexOf(";base64,");
-    if (base64Index > -1) {
-      base64Data = dataUrl.slice(base64Index + ";base64,".length);
-    }
-  } else {
-    const dataUrlEncodingHeader = `${base64DataAttr}${contentType};base64,`;
-    if (dataUrl.slice(0, dataUrlEncodingHeader.length) === dataUrlEncodingHeader) {
-      base64Data = dataUrl.slice(dataUrlEncodingHeader.length);
-    }
+function getFieldsForType(type) {
+  if (type === "file") {
+    return ["sha256", "mimeType"];
+  } else if (type === "image") {
+    return ["sha256", "mimeType", "height", "width"];
   }
-  if (base64Data) {
-    return Buffer.from(base64Data, "base64" // TODO: why does it not work with base64url?
-    );
+  throw new Error("Unknown type: " + type);
+}
+function createMetadataFromBuffer(type, mimeType, buffer) {
+  const sha256 = getSha256(mimeType, buffer);
+  const errors = [];
+  let availableMetadata;
+  if (type === "image") {
+    const {
+      width,
+      height,
+      type
+    } = sizeOf__default["default"](buffer);
+    const normalizedType = type === "jpg" ? "jpeg" : type;
+    if (type !== undefined && `image/${normalizedType}` !== mimeType) {
+      return {
+        errors: [{
+          message: `Mime type does not match image type: ${mimeType} vs ${type}`
+        }]
+      };
+    }
+    availableMetadata = {
+      sha256: sha256,
+      mimeType,
+      height,
+      width
+    };
+  } else {
+    availableMetadata = {
+      sha256: sha256,
+      mimeType
+    };
   }
+  const metadata = {};
+  for (const field of getFieldsForType(type)) {
+    const foundFieldData = field in availableMetadata ? availableMetadata[field] : null;
+    if (foundFieldData !== undefined && foundFieldData !== null) {
+      metadata[field] = foundFieldData;
+    } else {
+      errors.push({
+        message: `Field not found: '${field}'`,
+        field
+      });
+    }
+  }
+  if (errors.length > 0) {
+    return {
+      errors
+    };
+  }
+  return {
+    metadata
+  };
 }
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types
-const COMMON_MIME_TYPES = {
-  aac: "audio/aac",
-  abw: "application/x-abiword",
-  arc: "application/x-freearc",
-  avif: "image/avif",
-  avi: "video/x-msvideo",
-  azw: "application/vnd.amazon.ebook",
-  bin: "application/octet-stream",
-  bmp: "image/bmp",
-  bz: "application/x-bzip",
-  bz2: "application/x-bzip2",
-  cda: "application/x-cdf",
-  csh: "application/x-csh",
-  css: "text/css",
-  csv: "text/csv",
-  doc: "application/msword",
-  docx: "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
-  eot: "application/vnd.ms-fontobject",
-  epub: "application/epub+zip",
-  gz: "application/gzip",
-  gif: "image/gif",
-  htm: "text/html",
-  html: "text/html",
-  ico: "image/vnd.microsoft.icon",
-  ics: "text/calendar",
-  jar: "application/java-archive",
-  jpeg: "image/jpeg",
-  jpg: "image/jpeg",
-  js: "text/javascript",
-  json: "application/json",
-  jsonld: "application/ld+json",
-  mid: "audio/midi",
-  midi: "audio/midi",
-  mjs: "text/javascript",
-  mp3: "audio/mpeg",
-  mp4: "video/mp4",
-  mpeg: "video/mpeg",
-  mpkg: "application/vnd.apple.installer+xml",
-  odp: "application/vnd.oasis.opendocument.presentation",
-  ods: "application/vnd.oasis.opendocument.spreadsheet",
-  odt: "application/vnd.oasis.opendocument.text",
-  oga: "audio/ogg",
-  ogv: "video/ogg",
-  ogx: "application/ogg",
-  opus: "audio/opus",
-  otf: "font/otf",
-  png: "image/png",
-  pdf: "application/pdf",
-  php: "application/x-httpd-php",
-  ppt: "application/vnd.ms-powerpoint",
-  pptx: "application/vnd.openxmlformats-officedocument.presentationml.presentation",
-  rar: "application/vnd.rar",
-  rtf: "application/rtf",
-  sh: "application/x-sh",
-  svg: "image/svg+xml",
-  tar: "application/x-tar",
-  tif: "image/tiff",
-  tiff: "image/tiff",
-  ts: "video/mp2t",
-  ttf: "font/ttf",
-  txt: "text/plain",
-  vsd: "application/vnd.visio",
-  wav: "audio/wav",
-  weba: "audio/webm",
-  webm: "video/webm",
-  webp: "image/webp",
-  woff: "font/woff",
-  woff2: "font/woff2",
-  xhtml: "application/xhtml+xml",
-  xls: "application/vnd.ms-excel",
-  xlsx: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
-  xml: "application/xml",
-  xul: "application/vnd.mozilla.xul+xml",
-  zip: "application/zip",
-  "3gp": "video/3gpp; audio/3gpp if it doesn't contain video",
-  "3g2": "video/3gpp2; audio/3gpp2 if it doesn't contain video",
-  "7z": "application/x-7z-compressed"
-};
-function guessMimeTypeFromPath(filePath) {
-  const fileExt = filePath.split(".").pop();
-  if (fileExt) {
-    return COMMON_MIME_TYPES[fileExt.toLowerCase()] || null;
+const base64DataAttr = "data:";
+function getMimeTypeFromBase64(content) {
+  const dataIndex = content.indexOf(base64DataAttr);
+  const base64Index = content.indexOf(";base64,");
+  if (dataIndex > -1 || base64Index > -1) {
+    const mimeType = content.slice(dataIndex + base64DataAttr.length, base64Index);
+    const normalizedMimeType = mimeType === "image/jpg" ? "image/jpeg" : mimeType;
+    return normalizedMimeType;
   }
   return null;
 }
-function isCachedPatchFileOp(op) {
-  return !!(op.op === "file" && typeof op.filePath === "string" && op.value && typeof op.value === "object" && !Array.isArray(op.value) && "sha256" in op.value && typeof op.value.sha256 === "string");
-}
-async function debugTiming(id, fn) {
-  if (process.env["VAL_DEBUG_TIMING"] === "true") {
-    const start = Date.now();
-    const r = await fn();
-    console.log(`Timing: ${id} took: ${Date.now() - start}ms (${new Date().toISOString()})`);
-    return r;
-  } else {
-    return fn();
+function bufferFromDataUrl(dataUrl) {
+  let base64Data;
+  const base64Index = dataUrl.indexOf(";base64,");
+  if (base64Index > -1) {
+    base64Data = dataUrl.slice(base64Index + ";base64,".length);
+  }
+  if (base64Data) {
+    return Buffer.from(base64Data, "base64" // TODO: why does it not work with base64url?
+    );
   }
 }
 
-const textEncoder = new TextEncoder();
-class LocalValServer extends ValServer {
-  static PATCHES_DIR = "patches";
-  static FILES_DIR = "files";
-  constructor(options, callbacks) {
-    super(options.service.sourceFileHandler.projectRoot, options, callbacks);
-    this.options = options;
-    this.callbacks = callbacks;
-    this.patchesRootPath = options.cacheDir || path__namespace["default"].join(options.service.sourceFileHandler.projectRoot, ".val");
-    this.host = this.options.service.sourceFileHandler.host;
+const JSONValueT = z__default["default"].lazy(() => z__default["default"].union([z__default["default"].string(), z__default["default"].number(), z__default["default"].boolean(), z__default["default"].null(), z__default["default"].array(JSONValueT), z__default["default"].record(JSONValueT)]));
+
+/**
+ * Raw JSON patch operation.
+ */
+const OperationJSONT = z__default["default"].discriminatedUnion("op", [z__default["default"].object({
+  op: z__default["default"].literal("add"),
+  path: z__default["default"].string(),
+  value: JSONValueT
+}).strict(), z__default["default"].object({
+  op: z__default["default"].literal("remove"),
+  /**
+   * Must be non-root
+   */
+  path: z__default["default"].string()
+}).strict(), z__default["default"].object({
+  op: z__default["default"].literal("replace"),
+  path: z__default["default"].string(),
+  value: JSONValueT
+}).strict(), z__default["default"].object({
+  op: z__default["default"].literal("move"),
+  /**
+   * Must be non-root and not a proper prefix of "path".
+   */
+  from: z__default["default"].string(),
+  path: z__default["default"].string()
+}).strict(), z__default["default"].object({
+  op: z__default["default"].literal("copy"),
+  from: z__default["default"].string(),
+  path: z__default["default"].string()
+}).strict(), z__default["default"].object({
+  op: z__default["default"].literal("test"),
+  path: z__default["default"].string(),
+  value: JSONValueT
+}).strict(), z__default["default"].object({
+  op: z__default["default"].literal("file"),
+  path: z__default["default"].string(),
+  filePath: z__default["default"].string(),
+  value: z__default["default"].string()
+}).strict()]);
+const PatchJSON = z__default["default"].array(OperationJSONT);
+/**
+ * Raw JSON patch operation.
+ */
+const OperationT = z__default["default"].discriminatedUnion("op", [z__default["default"].object({
+  op: z__default["default"].literal("add"),
+  path: z__default["default"].array(z__default["default"].string()),
+  value: JSONValueT
+}).strict(), z__default["default"].object({
+  op: z__default["default"].literal("remove"),
+  path: z__default["default"].array(z__default["default"].string()).nonempty()
+}).strict(), z__default["default"].object({
+  op: z__default["default"].literal("replace"),
+  path: z__default["default"].array(z__default["default"].string()),
+  value: JSONValueT
+}).strict(), z__default["default"].object({
+  op: z__default["default"].literal("move"),
+  from: z__default["default"].array(z__default["default"].string()).nonempty(),
+  path: z__default["default"].array(z__default["default"].string())
+}).strict(), z__default["default"].object({
+  op: z__default["default"].literal("copy"),
+  from: z__default["default"].array(z__default["default"].string()),
+  path: z__default["default"].array(z__default["default"].string())
+}).strict(), z__default["default"].object({
+  op: z__default["default"].literal("test"),
+  path: z__default["default"].array(z__default["default"].string()),
+  value: JSONValueT
+}).strict(), z__default["default"].object({
+  op: z__default["default"].literal("file"),
+  path: z__default["default"].array(z__default["default"].string()),
+  filePath: z__default["default"].string(),
+  value: z__default["default"].union([z__default["default"].string(), z__default["default"].object({
+    sha256: z__default["default"].string()
+  })])
+}).strict()]);
+const Patch = z__default["default"].array(OperationT);
+
+class ValOpsFS extends ValOps {
+  static VAL_DIR = ".val";
+  constructor(rootDir, valModules, options) {
+    super(valModules, options);
+    this.rootDir = rootDir;
+    this.host = new FSOpsHost();
+  }
+  async onInit() {
+    // do nothing
   }
-  async session() {
-    return {
-      status: 200,
-      json: {
-        mode: "local",
-        enabled: await this.callbacks.isEnabled()
+  async readPatches(includes) {
+    const patchesCacheDir = this.getPatchesDir();
+    let patchJsonFiles = [];
+    if (!this.host.directoryExists || this.host.directoryExists && this.host.directoryExists(patchesCacheDir)) {
+      patchJsonFiles = this.host.readDirectory(patchesCacheDir, ["patch.json"], [], []);
+    }
+    const patches = {};
+    const errors = {};
+    const sortedPatchIds = patchJsonFiles.map(file => parseInt(fsPath__namespace["default"].basename(fsPath__namespace["default"].dirname(file)), 10)).sort();
+    for (const patchIdNum of sortedPatchIds) {
+      if (Number.isNaN(patchIdNum)) {
+        throw new Error("Could not parse patch id from file name. Files found: " + patchJsonFiles.join(", "));
       }
-    };
-  }
-  async deletePatches(query) {
-    const deletedPatches = [];
-    for (const patchId of query.id ?? []) {
-      const rawPatchFileContent = this.host.readFile(this.getPatchFilePath(patchId));
-      if (!rawPatchFileContent) {
-        console.warn("Val: Patch not found", patchId);
+      const patchId = patchIdNum.toString();
+      if (includes && !includes.includes(patchId)) {
         continue;
       }
-      const parsedPatchesRes = z.z.record(Patch).safeParse(JSON.parse(rawPatchFileContent));
-      if (!parsedPatchesRes.success) {
-        console.warn("Val: Could not parse patch file", patchId, parsedPatchesRes.error);
+      const parsedFSPatchRes = this.parseJsonFile(this.getPatchFilePath(patchId), FSPatch);
+      let parsedFSPatchBaseRes = undefined;
+      if (this.host.fileExists(this.getPatchBaseFile(patchId))) {
+        parsedFSPatchBaseRes = this.parseJsonFile(this.getPatchBaseFile(patchId), FSPatchBase);
+      }
+      if (parsedFSPatchRes.error) {
+        errors[patchId] = parsedFSPatchRes.error;
+      } else if (parsedFSPatchBaseRes && parsedFSPatchBaseRes.error) {
+        errors[patchId] = parsedFSPatchBaseRes.error;
+      } else {
+        patches[patchId] = {
+          ...parsedFSPatchRes.data,
+          appliedAt: parsedFSPatchBaseRes ? parsedFSPatchBaseRes.data : null
+        };
+      }
+    }
+    if (Object.keys(errors).length > 0) {
+      return {
+        patches,
+        errors
+      };
+    }
+    return {
+      patches
+    };
+  }
+  async getPatchOpsById(patchIds) {
+    return this.readPatches(patchIds);
+  }
+  async findPatches(filters) {
+    const patches = {};
+    const errors = {};
+    const {
+      errors: allErrors,
+      patches: allPatches
+    } = await this.readPatches();
+    for (const [patchIdS, patch] of Object.entries(allPatches)) {
+      const patchId = patchIdS;
+      if (filters.authors && !(patch.authorId === null || filters.authors.includes(patch.authorId))) {
         continue;
       }
-      const files = Object.values(parsedPatchesRes.data).flatMap(ops => ops.filter(isCachedPatchFileOp).map(op => ({
-        filePath: op.filePath,
-        sha256: op.value.sha256
-      })));
-      for (const file of files) {
-        this.host.rmFile(this.getFilePath(file.filePath, file.sha256));
-        this.host.rmFile(this.getFileMetadataPath(file.filePath, file.sha256));
+      patches[patchId] = {
+        path: patch.path,
+        createdAt: patch.createdAt,
+        authorId: patch.authorId,
+        appliedAt: patch.appliedAt
+      };
+      const error = allErrors && allErrors[patchId];
+      if (error) {
+        errors[patchId] = error;
       }
-      this.host.rmFile(path__namespace["default"].join(this.patchesRootPath, LocalValServer.PATCHES_DIR, patchId));
-      deletedPatches.push(patchId);
+    }
+    if (errors && Object.keys(errors).length > 0) {
+      return {
+        patches,
+        errors
+      };
     }
     return {
-      status: 200,
-      json: deletedPatches
+      patches
     };
   }
-  async postPatches(body) {
-    const patches = z.z.record(Patch).safeParse(body);
-    if (!patches.success) {
+
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  parseJsonFile(filePath, parser) {
+    if (!this.host.fileExists(filePath)) {
       return {
-        status: 404,
-        json: {
-          message: `Invalid patch: ${patches.error.message}`,
-          details: patches.error.issues
+        error: {
+          message: `File not found: ${filePath}`,
+          filePath
         }
       };
     }
+    const data = this.host.readUtf8File(filePath);
+    if (!data) {
+      return {
+        error: {
+          message: `File is empty: ${filePath}`,
+          filePath
+        }
+      };
+    }
+    let jsonData;
+    try {
+      jsonData = JSON.parse(data);
+    } catch (err) {
+      if (typeof err === "object" && err && "message" in err && typeof err.message === "string") {
+        return {
+          error: {
+            message: `Could not parse JSON of file: ${filePath}. Message: ${err.message}`,
+            filePath
+          }
+        };
+      }
+      return {
+        error: {
+          message: "Unknown error",
+          filePath
+        }
+      };
+    }
+    if (!parser) {
+      return {
+        data: jsonData
+      };
+    }
+    try {
+      const parsed = parser.safeParse(jsonData);
+      if (!parsed.success) {
+        return {
+          error: {
+            message: `Could not parse file: ${filePath}. Details: ${JSON.stringify(zodValidationError.fromError(parsed.error).toString())}`,
+            details: parsed.error,
+            filePath
+          }
+        };
+      }
+      return {
+        data: parsed.data
+      };
+    } catch (err) {
+      if (typeof err === "object" && err && "message" in err && typeof err.message === "string") {
+        return {
+          error: {
+            message: `Could not parse JSON of file: ${filePath}. Message: ${err.message}`,
+            filePath
+          }
+        };
+      }
+      return {
+        error: {
+          message: "Unknown error",
+          filePath
+        }
+      };
+    }
+  }
+  async saveSourceFilePatch(path, patch, authorId) {
     let fileId = Date.now();
-    while (this.host.fileExists(this.getPatchFilePath(fileId.toString()))) {
-      // ensure unique file / patch id
-      fileId++;
+    try {
+      while (this.host.fileExists(this.getPatchFilePath(fileId.toString()))) {
+        // ensure unique file / patch id
+        fileId++;
+      }
+      const patchId = fileId.toString();
+      const data = {
+        patch,
+        path,
+        authorId,
+        coreVersion: core.Internal.VERSION.core,
+        createdAt: new Date().toISOString()
+      };
+      this.host.writeUf8File(this.getPatchFilePath(patchId), JSON.stringify(data));
+      return {
+        patchId
+      };
+    } catch (err) {
+      if (err instanceof Error) {
+        return {
+          error: {
+            message: err.message
+          }
+        };
+      }
+      return {
+        error: {
+          message: "Unknown error"
+        }
+      };
     }
-    const patchId = fileId.toString();
-    const res = {};
-    const parsedPatches = {};
-    for (const moduleIdStr in patches.data) {
-      const moduleId = moduleIdStr; // TODO: validate that this is a valid module id
-      res[moduleId] = {
-        patch_id: patchId
-      };
-      parsedPatches[moduleId] = [];
-      for (const op of patches.data[moduleId]) {
-        // We do not want to include value of a file op in the patch as they potentially contain a lot of data,
-        // therefore we store the file in a separate file and only store the sha256 hash in the patch.
-        // I.e. the patch that frontend sends is not the same as the one stored.
-        // Large amount of text is one thing, but one could easily imagine a lot of patches being accumulated over time with a lot of images which would then consume a non-negligible amount of memory.
-        //
-        // This is potentially confusing for us working on Val internals, however, the alternative was expected to cause a lot of issues down the line: low performance, a lot of data moved, etc
-        // In the worst scenario we imagine this being potentially crashing the server runtime, especially on smaller edge runtimes.
-        // Potential crashes are bad enough to warrant this workaround.
-        if (core.Internal.isFileOp(op)) {
-          const sha256 = core.Internal.getSHA256Hash(textEncoder.encode(op.value));
-          const mimeType = getMimeTypeFromBase64(op.value);
-          if (!mimeType) {
-            console.error("Val: Cannot determine mimeType from base64 data", op);
-            throw Error("Cannot determine mimeType from base64 data: " + op.filePath);
+  }
+  async getSourceFile(path) {
+    const filePath = fsPath__namespace["default"].join(this.rootDir, path);
+    if (!this.host.fileExists(filePath)) {
+      return {
+        error: {
+          message: `File not found: ${filePath}`
+        }
+      };
+    }
+    return {
+      data: this.host.readUtf8File(filePath)
+    };
+  }
+  async saveSourceFile(path, data) {
+    const filePath = fsPath__namespace["default"].join(this.rootDir, ...path.split("/"));
+    try {
+      this.host.writeUf8File(filePath, data);
+      return {
+        path
+      };
+    } catch (err) {
+      if (err instanceof Error) {
+        return {
+          error: {
+            message: err.message
           }
-          const buffer = bufferFromDataUrl(op.value, mimeType);
-          if (!buffer) {
-            console.error("Val: Cannot parse base64 data", op);
-            throw Error("Cannot parse base64 data: " + op.filePath);
+        };
+      }
+      return {
+        error: {
+          message: "Unknown error"
+        }
+      };
+    }
+  }
+  async saveBase64EncodedBinaryFileFromPatch(filePath, patchId, data, _type, metadata) {
+    const patchFilePath = this.getBinaryFilePath(filePath, patchId);
+    const metadataFilePath = this.getBinaryFileMetadataPath(filePath, patchId);
+    try {
+      const buffer = bufferFromDataUrl(data);
+      if (!buffer) {
+        return {
+          error: {
+            message: "Could not create buffer from data url. Not a data url? First chars were: " + data.slice(0, 20)
           }
-          this.host.writeFile(this.getFilePath(op.filePath, sha256), buffer, "binary");
-          this.host.writeFile(this.getFileMetadataPath(op.filePath, sha256), JSON.stringify({
-            mimeType,
-            sha256,
-            // useful for debugging / manual inspection
-            patchId,
-            createdAt: new Date().toISOString()
-          }, null, 2), "utf8");
-          parsedPatches[moduleId].push({
-            ...op,
-            value: {
-              sha256,
-              mimeType
-            }
-          });
-        } else {
-          parsedPatches[moduleId].push(op);
+        };
+      }
+      this.host.writeUf8File(metadataFilePath, JSON.stringify(metadata));
+      this.host.writeBinaryFile(patchFilePath, buffer);
+      return {
+        patchId,
+        filePath
+      };
+    } catch (err) {
+      if (err instanceof Error) {
+        return {
+          error: {
+            message: err.message
+          }
+        };
+      }
+      return {
+        error: {
+          message: "Unknown error"
         }
+      };
+    }
+  }
+  async getBase64EncodedBinaryFileMetadataFromPatch(filePath, type, patchId) {
+    const metadataFilePath = this.getBinaryFileMetadataPath(filePath, patchId);
+    if (!this.host.fileExists(metadataFilePath)) {
+      return {
+        errors: [{
+          message: "Metadata file not found",
+          filePath
+        }]
+      };
+    }
+    const metadataParseRes = this.parseJsonFile(metadataFilePath, z.z.record(z.z.union([z.z.string(), z.z.number()])));
+    if (metadataParseRes.error) {
+      return {
+        errors: [metadataParseRes.error]
+      };
+    }
+    const parsed = metadataParseRes.data;
+    const expectedFields = getFieldsForType(type);
+    const fieldErrors = [];
+    for (const field of expectedFields) {
+      if (!(field in parsed)) {
+        fieldErrors.push({
+          message: `Expected fields for type: ${type}. Field not found: '${field}'`,
+          field
+        });
       }
     }
-    this.host.writeFile(this.getPatchFilePath(patchId), JSON.stringify(parsedPatches), "utf8");
+    if (fieldErrors.length > 0) {
+      return {
+        errors: fieldErrors
+      };
+    }
     return {
-      status: 200,
-      json: res
+      metadata: parsed
+    };
+  }
+  async getBase64EncodedBinaryFileFromPatch(filePath, patchId) {
+    const absPath = this.getBinaryFilePath(filePath, patchId);
+    if (!this.host.fileExists(absPath)) {
+      return null;
+    }
+    return this.host.readBinaryFile(absPath);
+  }
+  async deletePatches(patchIds) {
+    const deleted = [];
+    let errors = null;
+    for (const patchId of patchIds) {
+      try {
+        this.host.deleteDir(this.getPatchDir(patchId));
+        deleted.push(patchId);
+      } catch (err) {
+        if (!errors) {
+          errors = {};
+        }
+        errors[patchId] = {
+          message: err instanceof Error ? err.message : "Unknown error"
+        };
+      }
+    }
+    if (errors) {
+      return {
+        deleted,
+        errors
+      };
+    }
+    return {
+      deleted
+    };
+  }
+  async saveFiles(preparedCommit) {
+    const updatedFiles = [];
+    const errors = {};
+    for (const [filePath, data] of Object.entries(preparedCommit.patchedSourceFiles)) {
+      const absPath = fsPath__namespace["default"].join(this.rootDir, ...filePath.split("/"));
+      try {
+        this.host.writeUf8File(absPath, data);
+        updatedFiles.push(absPath);
+      } catch (err) {
+        errors[absPath] = {
+          message: err instanceof Error ? err.message : "Unknown error",
+          filePath
+        };
+      }
+    }
+    for (const [filePath, {
+      patchId
+    }] of Object.entries(preparedCommit.patchedBinaryFilesDescriptors)) {
+      const absPath = fsPath__namespace["default"].join(this.rootDir, ...filePath.split("/"));
+      try {
+        this.host.copyFile(this.getBinaryFilePath(filePath, patchId), absPath);
+        updatedFiles.push(absPath);
+      } catch (err) {
+        errors[absPath] = {
+          message: err instanceof Error ? err.message : "Unknown error",
+          filePath
+        };
+      }
+    }
+    for (const patchId of Object.values(preparedCommit.appliedPatches).flat()) {
+      const appliedAt = {
+        baseSha: await this.getBaseSha(),
+        timestamp: new Date().toISOString()
+      };
+      const absPath = this.getPatchBaseFile(patchId);
+      try {
+        this.host.writeUf8File(absPath, JSON.stringify(appliedAt));
+      } catch (err) {
+        errors[absPath] = {
+          message: err instanceof Error ? err.message : "Unknown error",
+          filePath: absPath
+        };
+      }
+    }
+    return {
+      updatedFiles,
+      errors
+    };
+  }
+  async getBinaryFile(filePath) {
+    const absPath = fsPath__namespace["default"].join(this.rootDir, ...filePath.split("/"));
+    if (!this.host.fileExists(absPath)) {
+      return null;
+    }
+    const buffer = this.host.readBinaryFile(absPath);
+    return buffer;
+  }
+  async getBinaryFileMetadata(filePath, type) {
+    const buffer = await this.getBinaryFile(filePath);
+    if (!buffer) {
+      return {
+        errors: [{
+          message: "File not found",
+          filePath
+        }]
+      };
+    }
+    const mimeType = guessMimeTypeFromPath(filePath);
+    if (!mimeType) {
+      return {
+        errors: [{
+          message: `Could not guess mime type of file ext: ${fsPath__namespace["default"].extname(filePath)}`,
+          filePath
+        }]
+      };
+    }
+    return createMetadataFromBuffer(type, mimeType, buffer);
+  }
+
+  // #region fs file path helpers
+  getPatchesDir() {
+    return fsPath__namespace["default"].join(this.rootDir, ValOpsFS.VAL_DIR, "patches");
+  }
+  getPatchDir(patchId) {
+    return fsPath__namespace["default"].join(this.getPatchesDir(), patchId);
+  }
+  getBinaryFilePath(filename, patchId) {
+    return fsPath__namespace["default"].join(this.getPatchDir(patchId), "files", filename, fsPath__namespace["default"].basename(filename));
+  }
+  getBinaryFileMetadataPath(filename, patchId) {
+    return fsPath__namespace["default"].join(this.getPatchDir(patchId), "files", filename, "metadata.json");
+  }
+  getPatchFilePath(patchId) {
+    return fsPath__namespace["default"].join(this.getPatchDir(patchId), "patch.json");
+  }
+  getPatchBaseFile(patchId) {
+    return fsPath__namespace["default"].join(this.getPatchDir(patchId), "base.json");
+  }
+}
+class FSOpsHost {
+  constructor() {}
+
+  // TODO: do we want async operations here?
+  deleteDir(dir) {
+    if (this.directoryExists(dir)) {
+      fs__default["default"].rmdirSync(dir, {
+        recursive: true
+      });
+    }
+  }
+  directoryExists(path) {
+    return ts__default["default"].sys.directoryExists(path);
+  }
+  readDirectory(path, extensions, exclude, include) {
+    return ts__default["default"].sys.readDirectory(path, extensions, exclude, include);
+  }
+  fileExists(path) {
+    return ts__default["default"].sys.fileExists(path);
+  }
+  readBinaryFile(path) {
+    return fs__default["default"].readFileSync(path);
+  }
+  readUtf8File(path) {
+    return fs__default["default"].readFileSync(path, "utf-8");
+  }
+  writeUf8File(path, data) {
+    fs__default["default"].mkdirSync(fsPath__namespace["default"].dirname(path), {
+      recursive: true
+    });
+    fs__default["default"].writeFileSync(path, data, "utf-8");
+  }
+  writeBinaryFile(path, data) {
+    fs__default["default"].mkdirSync(fsPath__namespace["default"].dirname(path), {
+      recursive: true
+    });
+    fs__default["default"].writeFileSync(path, data, "base64url");
+  }
+  copyFile(from, to) {
+    fs__default["default"].mkdirSync(fsPath__namespace["default"].dirname(to), {
+      recursive: true
+    });
+    fs__default["default"].copyFileSync(from, to);
+  }
+}
+const FSPatch = z.z.object({
+  path: z.z.string().refine(p => p.startsWith("/") && p.includes(".val."), "Path is not valid. Must start with '/' and include '.val.'"),
+  patch: Patch,
+  authorId: z.z.string().refine(p => true).nullable(),
+  createdAt: z.z.string().datetime(),
+  coreVersion: z.z.string().nullable() // TODO: use this to check if patch is compatible with current core version?
+});
+const FSPatchBase = z.z.object({
+  baseSha: z.z.string().refine(p => true),
+  timestamp: z.z.string().datetime()
+});
+
+const textEncoder = new TextEncoder();
+const PatchId = z.z.string().refine(s => !!s); // TODO: validate
+const CommitSha = z.z.string().refine(s => !!s); // TODO: validate
+const BaseSha = z.z.string().refine(s => !!s); // TODO: validate
+const AuthorId = z.z.string().refine(s => !!s); // TODO: validate
+const ModuleFilePath = z.z.string().refine(s => !!s); // TODO: validate
+const Metadata = z.z.union([z.z.object({
+  sha256: z.z.string(),
+  mimeType: z.z.string(),
+  width: z.z.number(),
+  height: z.z.number()
+}), z.z.object({
+  sha256: z.z.string(),
+  mimeType: z.z.string()
+})]);
+const MetadataRes = z.z.object({
+  filePath: ModuleFilePath,
+  metadata: Metadata,
+  type: z.z.union([z.z.literal("file"), z.z.literal("image")]).nullable()
+});
+const BasePatchResponse = z.z.object({
+  path: ModuleFilePath,
+  patchId: PatchId,
+  authorId: AuthorId.nullable(),
+  createdAt: z.z.string().datetime(),
+  applied: z.z.object({
+    baseSha: BaseSha,
+    commitSha: CommitSha,
+    appliedAt: z.z.string().datetime()
+  }).nullable()
+});
+const GetPatches = z.z.object({
+  patches: z.z.array(z.z.intersection(z.z.object({
+    patch: Patch
+  }), BasePatchResponse)),
+  errors: z.z.array(z.z.object({
+    patchId: PatchId.optional(),
+    message: z.z.string()
+  })).optional()
+});
+const SearchPatches = z.z.object({
+  patches: z.z.array(BasePatchResponse)
+});
+const FilesResponse = z.z.object({
+  files: z.z.array(z.z.union([z.z.object({
+    filePath: z.z.string(),
+    location: z.z.literal("patch"),
+    patchId: PatchId,
+    value: z.z.string()
+  }), z.z.object({
+    filePath: z.z.string(),
+    location: z.z.literal("repo"),
+    commitSha: CommitSha,
+    value: z.z.string()
+  })])),
+  errors: z.z.array(z.z.union([z.z.object({
+    filePath: z.z.string(),
+    location: z.z.literal("patch"),
+    patchId: PatchId,
+    message: z.z.string()
+  }), z.z.object({
+    filePath: z.z.string(),
+    location: z.z.literal("repo"),
+    commitSha: CommitSha,
+    message: z.z.string()
+  })])).optional()
+});
+const SavePatchResponse = z.z.object({
+  patchId: PatchId
+});
+const DeletePatchesResponse = z.z.object({
+  deleted: z.z.array(PatchId),
+  errors: z.z.array(z.z.object({
+    message: z.z.string(),
+    patchId: PatchId
+  })).optional()
+});
+const SavePatchFileResponse = z.z.object({
+  patchId: PatchId,
+  filePath: ModuleFilePath
+});
+const CommitResponse = z.z.object({
+  updatedFiles: z.z.array(z.z.string()),
+  commit: CommitSha,
+  branch: z.z.string()
+});
+class ValOpsHttp extends ValOps {
+  constructor(hostUrl, project, commitSha, branch, apiKey, valModules, options) {
+    super(valModules, options);
+    this.hostUrl = hostUrl;
+    this.project = project;
+    this.commitSha = commitSha;
+    this.branch = branch;
+    this.authHeaders = {
+      Authorization: `Bearer ${apiKey}`
     };
+    this.root = (options === null || options === void 0 ? void 0 : options.root) ?? "";
   }
-  async getMetadata() {
-    return undefined;
+  async onInit() {
+    // TODO: unused for now. Implement or remove
   }
-  async getFiles(filePath, query) {
-    if (query.sha256) {
-      const fileExists = this.host.fileExists(this.getFilePath(filePath, query.sha256));
-      if (fileExists) {
-        const metadataFileContent = this.host.readFile(this.getFileMetadataPath(filePath, query.sha256));
-        const fileContent = await this.readStaticBinaryFile(this.getFilePath(filePath, query.sha256));
-        if (!fileContent) {
-          throw Error("Could not read cached patch file / asset. Cache corrupted?");
-        }
-        if (!metadataFileContent) {
-          throw Error("Missing metadata of cached patch file / asset. Cache corrupted?");
+  async getPatchOpsById(patchIds) {
+    const params = new URLSearchParams();
+    params.set("branch", this.branch);
+    if (patchIds.length > 0) {
+      params.set("patch_ids", encodeURIComponent(patchIds.join(",")));
+    }
+    return fetch(`${this.hostUrl}/v1/${this.project}/patches${params.size > 0 ? "?" + params : ""}`, {
+      headers: {
+        ...this.authHeaders,
+        "Content-Type": "application/json"
+      }
+    }).then(async res => {
+      const patches = {};
+      if (res.ok) {
+        const json = await res.json();
+        const parsed = GetPatches.safeParse(json);
+        if (parsed.success) {
+          const data = parsed.data;
+          const errors = {};
+          for (const patchesRes of data.patches) {
+            patches[patchesRes.patchId] = {
+              path: patchesRes.path,
+              authorId: patchesRes.authorId,
+              createdAt: patchesRes.createdAt,
+              appliedAt: patchesRes.applied && {
+                baseSha: patchesRes.applied.baseSha,
+                timestamp: patchesRes.applied.appliedAt,
+                git: {
+                  commitSha: patchesRes.applied.commitSha
+                }
+              },
+              patch: patchesRes.patch
+            };
+          }
+          return {
+            patches,
+            errors
+          };
         }
-        const metadata = JSON.parse(metadataFileContent);
         return {
-          status: 200,
-          headers: {
-            "Content-Type": metadata.mimeType,
-            "Content-Length": fileContent.byteLength.toString(),
-            "Cache-Control": "public, max-age=31536000, immutable"
-          },
-          body: bufferToReadableStream(fileContent)
+          patches,
+          error: {
+            message: `Could not parse get patches response. Error: ${zodValidationError.fromError(parsed.error)}`
+          }
         };
       }
-    }
-    const buffer = await this.readStaticBinaryFile(path__namespace["default"].join(this.cwd, filePath));
-    const mimeType = guessMimeTypeFromPath(filePath) || "application/octet-stream";
-    if (!buffer) {
       return {
-        status: 404,
-        json: {
-          message: "File not found"
+        patches,
+        error: {
+          message: "Could not get patches. HTTP error: " + res.status + " " + res.statusText
         }
       };
+    });
+  }
+  async findPatches(filters) {
+    const params = new URLSearchParams();
+    params.set("branch", this.branch);
+    if (filters.authors && filters.authors.length > 0) {
+      params.set("author_ids", encodeURIComponent(filters.authors.join(",")));
     }
-    if (query.sha256) {
-      const sha256 = getSha256(mimeType, buffer);
-      if (sha256 === query.sha256) {
+    return fetch(`${this.hostUrl}/v1/${this.project}/search/patches${params.size > 0 ? "?" + params : ""}`, {
+      headers: {
+        ...this.authHeaders,
+        "Content-Type": "application/json"
+      }
+    }).then(async res => {
+      const patches = {};
+      if (res.ok) {
+        const parsed = SearchPatches.safeParse(await res.json());
+        if (parsed.success) {
+          for (const patchesRes of parsed.data.patches) {
+            patches[patchesRes.patchId] = {
+              path: patchesRes.path,
+              authorId: patchesRes.authorId,
+              createdAt: patchesRes.createdAt,
+              appliedAt: patchesRes.applied && {
+                baseSha: patchesRes.applied.baseSha,
+                timestamp: patchesRes.applied.appliedAt,
+                git: {
+                  commitSha: patchesRes.applied.commitSha
+                }
+              }
+            };
+          }
+          return {
+            patches
+          };
+        }
         return {
-          status: 200,
-          headers: {
-            "Content-Type": mimeType,
-            "Content-Length": buffer.byteLength.toString(),
-            "Cache-Control": "public, max-age=31536000, immutable"
-          },
-          body: bufferToReadableStream(buffer)
+          patches,
+          error: {
+            message: `Could not parse search patches response. Error: ${zodValidationError.fromError(parsed.error)}`
+          }
         };
       }
-    }
-    return {
-      status: 200,
+      return {
+        patches,
+        error: {
+          message: "Could not find patches. HTTP error: " + res.status + " " + res.statusText
+        }
+      };
+    });
+  }
+  async saveSourceFilePatch(path, patch, authorId) {
+    return fetch(`${this.hostUrl}/v1/${this.project}/patches`, {
+      method: "POST",
       headers: {
-        "Content-Type": mimeType,
-        "Content-Length": buffer.byteLength.toString()
+        ...this.authHeaders,
+        "Content-Type": "application/json"
       },
-      body: bufferToReadableStream(buffer)
-    };
-  }
-  async getPatches(query) {
-    const patchesCacheDir = path__namespace["default"].join(this.patchesRootPath, LocalValServer.PATCHES_DIR);
-    let files = [];
-    try {
-      if (!this.host.directoryExists || this.host.directoryExists && this.host.directoryExists(patchesCacheDir)) {
-        files = this.host.readDirectory(patchesCacheDir, [""], [], []);
-      }
-    } catch (e) {
-      console.debug("Failed to read directory (no patches yet?)", e);
-    }
-    const res = {};
-    const sortedPatchIds = files.map(file => parseInt(path__namespace["default"].basename(file), 10)).sort();
-    for (const patchIdStr of sortedPatchIds) {
-      const patchId = patchIdStr.toString();
-      if (query.id && query.id.length > 0 && !query.id.includes(patchId)) {
-        continue;
-      }
-      try {
-        const currentParsedPatches = z.z.record(Patch).safeParse(JSON.parse(this.host.readFile(path__namespace["default"].join(this.patchesRootPath, LocalValServer.PATCHES_DIR, `${patchId}`)) || ""));
-        if (!currentParsedPatches.success) {
-          const msg = "Unexpected error reading patch. Patch did not parse correctly. Is there a mismatch in Val versions? Perhaps Val is misconfigured?";
-          console.error(`Val: ${msg}`, {
-            patchId,
-            error: currentParsedPatches.error
-          });
+      body: JSON.stringify({
+        path,
+        patch,
+        authorId,
+        commit: this.commitSha,
+        branch: this.branch,
+        coreVersion: core.Internal.VERSION.core
+      })
+    }).then(async res => {
+      if (res.ok) {
+        const parsed = SavePatchResponse.safeParse(await res.json());
+        if (parsed.success) {
           return {
-            status: 500,
-            json: {
-              message: msg,
-              details: {
-                patchId,
-                error: currentParsedPatches.error
-              }
-            }
+            patchId: parsed.data.patchId
           };
         }
-        const createdAt = patchId;
-        for (const moduleIdStr in currentParsedPatches.data) {
-          const moduleId = moduleIdStr;
-          if (!res[moduleId]) {
-            res[moduleId] = [];
-          }
-          res[moduleId].push({
-            patch: currentParsedPatches.data[moduleId],
-            patch_id: patchId,
-            created_at: new Date(Number(createdAt)).toISOString()
-          });
-        }
-      } catch (err) {
-        const msg = `Unexpected error while reading patch file. The cache may be corrupted or Val may be misconfigured. Try deleting the cache directory.`;
-        console.error(`Val: ${msg}`, {
-          patchId,
-          error: err,
-          dir: this.patchesRootPath
-        });
         return {
-          status: 500,
-          json: {
-            message: msg,
-            details: {
-              patchId,
-              error: err === null || err === void 0 ? void 0 : err.toString()
-            }
+          error: {
+            message: `Could not parse save patch response. Error: ${zodValidationError.fromError(parsed.error)}`
           }
         };
       }
-    }
-    return {
-      status: 200,
-      json: res
-    };
-  }
-  getFilePath(filename, sha256) {
-    return path__namespace["default"].join(this.patchesRootPath, LocalValServer.FILES_DIR, filename, sha256, "file");
-  }
-  getFileMetadataPath(filename, sha256) {
-    return path__namespace["default"].join(this.patchesRootPath, LocalValServer.FILES_DIR, filename, sha256, "metadata.json");
-  }
-  getPatchFilePath(patchId) {
-    return path__namespace["default"].join(this.patchesRootPath, LocalValServer.PATCHES_DIR, patchId.toString());
+      return {
+        error: {
+          message: "Could not save patch. HTTP error: " + res.status + " " + res.statusText
+        }
+      };
+    }).catch(e => {
+      return {
+        error: {
+          message: `Could save source file patch (connection error?): ${e instanceof Error ? e.message : e.toString()}`
+        }
+      };
+    });
   }
-  badRequest() {
-    return {
-      status: 400,
-      json: {
-        message: "Local server does not handle this request"
+  async saveBase64EncodedBinaryFileFromPatch(filePath, patchId, data, type, metadata) {
+    return fetch(`${this.hostUrl}/v1/${this.project}/patches/${patchId}/files`, {
+      method: "POST",
+      headers: {
+        ...this.authHeaders,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        filePath: filePath,
+        data,
+        type,
+        metadata
+      })
+    }).then(async res => {
+      if (res.ok) {
+        const parsed = SavePatchFileResponse.safeParse(await res.json());
+        if (parsed.success) {
+          return {
+            patchId: parsed.data.patchId,
+            filePath: parsed.data.filePath
+          };
+        }
+        return {
+          error: {
+            message: `Could not parse save patch file response. Error: ${zodValidationError.fromError(parsed.error)}`
+          }
+        };
       }
-    };
-  }
-  async ensureInitialized() {
-    // No RemoteFS so nothing to ensure
-    return fp.result.ok(undefined);
-  }
-  getModule(moduleId, options) {
-    return this.options.service.get(moduleId, "", {
-      ...options,
-      validate: false
+      return {
+        error: {
+          message: "Could not save patch file. HTTP error: " + res.status + " " + res.statusText
+        }
+      };
+    }).catch(e => {
+      return {
+        error: {
+          message: `Could save source binary file in patch (connection error?): ${e.toString()}`
+        }
+      };
     });
   }
-  async getAllModules(treePath) {
-    const moduleIds = this.host.readDirectory(this.cwd, ["ts", "js"], ["node_modules", ".*"], ["**/*.val.ts", "**/*.val.js"]).filter(file => {
-      if (treePath) {
-        return file.replace(this.cwd, "").startsWith(treePath);
+  async getHttpFiles(files) {
+    const params = new URLSearchParams();
+    const stringifiedFiles = JSON.stringify({
+      files,
+      root: this.root
+    });
+    params.set("body_sha",
+    // We use this for cache invalidation
+    core.Internal.getSHA256Hash(textEncoder.encode(stringifiedFiles)));
+    return fetch(`${this.hostUrl}/v1/${this.project}/files?${params}`, {
+      method: "PUT",
+      // Yes, PUT is weird. Weirder to have a body in a GET request.
+      headers: {
+        ...this.authHeaders,
+        "Content-Type": "application/json"
+      },
+      body: stringifiedFiles
+    }).then(async res => {
+      if (res.ok) {
+        const json = await res.json();
+        // TODO: Check that all requested paths are in the response
+        const parsedFileResponse = FilesResponse.safeParse(json);
+        if (parsedFileResponse.success) {
+          return parsedFileResponse.data;
+        }
+        return {
+          error: {
+            message: `Could not parse file response. Error: ${zodValidationError.fromError(parsedFileResponse.error)}`
+          }
+        };
       }
-      return true;
-    }).map(file => file.replace(this.cwd, "").replace(".val.js", "").replace(".val.ts", "").split(path__namespace["default"].sep).join("/"));
-    return moduleIds;
+      return {
+        error: {
+          message: "Could not get files. HTTP error: " + res.status + " " + res.statusText
+        }
+      };
+    }).catch(e => {
+      return {
+        error: {
+          message: `Could not get file (connection error?): ${e instanceof Error ? e.message : e.toString()}`
+        }
+      };
+    });
   }
-  async execCommit(patches) {
-    for (const [patchId, moduleId, patch] of patches) {
-      // TODO: patch the entire module content directly by using a { path: "", op: "replace", value: patchedData }?
-      // Reason: that would be more atomic? Not doing it now, because there are currently already too many moving pieces.
-      // Other things we could do would be to patch in a temp directory and ONLY when all patches are applied we move back in.
-      // This would improve reliability
-      this.host.rmFile(this.getPatchFilePath(patchId));
-      await this.options.service.patch(moduleId, patch);
+  async getSourceFile(path) {
+    const filesRes = await this.getHttpFiles([{
+      filePath: path,
+      location: "repo",
+      root: this.root,
+      commitSha: this.commitSha
+    }]);
+    if (filesRes.error) {
+      return filesRes;
+    }
+    const file = filesRes.files.find(f => f.filePath === path);
+    if (!file) {
+      return {
+        error: {
+          message: `Could not find file ${path} in response`
+        }
+      };
     }
     return {
-      status: 200,
-      json: await this.getPatchedModules(patches)
+      data: Buffer.from(file.value, "base64").toString("utf-8")
     };
   }
-
-  /* Bad requests on Local Server: */
-
-  async authorize() {
-    return this.badRequest();
-  }
-  async callback() {
-    return this.badRequest();
-  }
-  async logout() {
-    return this.badRequest();
-  }
-}
-
-function decodeJwt(token, secretKey) {
-  const [headerBase64, payloadBase64, signatureBase64, ...rest] = token.split(".");
-  if (!headerBase64 || !payloadBase64 || !signatureBase64 || rest.length > 0) {
-    console.debug("Invalid JWT: format is not exactly {header}.{payload}.{signature}", token);
-    return null;
-  }
-  try {
-    const parsedHeader = JSON.parse(Buffer.from(headerBase64, "base64").toString("utf8"));
-    const headerVerification = JwtHeaderSchema.safeParse(parsedHeader);
-    if (!headerVerification.success) {
-      console.debug("Invalid JWT: invalid header", parsedHeader);
+  async getBinaryFile(filePath) {
+    // We could also just get this from public/ on the running server. Current approach feels more clean, but will be slower / puts more server load... We might want to change this
+    const filesRes = await this.getHttpFiles([{
+      filePath: filePath,
+      location: "repo",
+      root: this.root,
+      commitSha: this.commitSha
+    }]);
+    if (filesRes.error) {
       return null;
     }
-    if (headerVerification.data.typ !== jwtHeader.typ) {
-      console.debug("Invalid JWT: invalid header typ", parsedHeader);
+    const file = filesRes.files.find(f => f.filePath === filePath);
+    if (!file) {
       return null;
     }
-    if (headerVerification.data.alg !== jwtHeader.alg) {
-      console.debug("Invalid JWT: invalid header alg", parsedHeader);
+    return Buffer.from(file.value, "base64");
+  }
+  async getBase64EncodedBinaryFileFromPatch(filePath, patchId) {
+    const filesRes = await this.getHttpFiles([{
+      filePath: filePath,
+      location: "patch",
+      patchId
+    }]);
+    if (filesRes.error) {
       return null;
     }
-  } catch (err) {
-    console.debug("Invalid JWT: could not parse header", err);
-    return null;
-  }
-  if (secretKey) {
-    const signature = crypto__default["default"].createHmac("sha256", secretKey).update(`${headerBase64}.${payloadBase64}`).digest("base64");
-    if (signature !== signatureBase64) {
-      console.debug("Invalid JWT: invalid signature");
+    const file = filesRes.files.find(f => f.filePath === filePath);
+    if (!file) {
       return null;
     }
+    return Buffer.from(file.value, "base64");
   }
-  try {
-    const parsedPayload = JSON.parse(Buffer.from(payloadBase64, "base64").toString("utf8"));
-    return parsedPayload;
-  } catch (err) {
-    console.debug("Invalid JWT: could not parse payload", err);
-    return null;
-  }
-}
-function getExpire() {
-  return Math.floor(Date.now() / 1000) + 60 * 60 * 24 * 4; // 4 days
-}
-const JwtHeaderSchema = z.z.object({
-  alg: z.z.literal("HS256"),
-  typ: z.z.literal("JWT")
-});
-const jwtHeader = {
-  alg: "HS256",
-  typ: "JWT"
-};
-const jwtHeaderBase64 = Buffer.from(JSON.stringify(jwtHeader)).toString("base64");
-function encodeJwt(payload, sessionKey) {
-  // NOTE: this is only used for authentication, not for authorization (i.e. what a user can do) - this is handled when actually doing operations
-  const payloadBase64 = Buffer.from(JSON.stringify(payload)).toString("base64");
-  return `${jwtHeaderBase64}.${payloadBase64}.${crypto__default["default"].createHmac("sha256", sessionKey).update(`${jwtHeaderBase64}.${payloadBase64}`).digest("base64")}`;
-}
-
-class ProxyValServer extends ValServer {
-  moduleCache = null;
-  constructor(cwd, options, apiOptions, callbacks) {
-    super(cwd, options, callbacks);
-    this.cwd = cwd;
-    this.options = options;
-    this.apiOptions = apiOptions;
-    this.callbacks = callbacks;
-    this.moduleCache = null;
-  }
-
-  /** Remote FS dependent methods: */
-
-  async getModule(moduleId,
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  _options) {
-    if (this.moduleCache) {
-      return this.moduleCache[moduleId];
+  async getBase64EncodedBinaryFileMetadataFromPatch(filePath, type, patchId) {
+    const params = new URLSearchParams();
+    params.set("file_path", filePath);
+    try {
+      const metadataRes = await fetch(`${this.hostUrl}/v1/${this.project}/patches/${patchId}/metadata?${params}`, {
+        headers: {
+          ...this.authHeaders,
+          "Content-Type": "application/json"
+        }
+      });
+      if (metadataRes.ok) {
+        const json = await metadataRes.json();
+        const parsed = MetadataRes.safeParse(json);
+        if (parsed.success) {
+          return {
+            metadata: parsed.data.metadata
+          };
+        }
+        return {
+          errors: [{
+            message: `Could not parse metadata response. Error: ${zodValidationError.fromError(parsed.error)}`,
+            filePath
+          }]
+        };
+      }
+      return {
+        errors: [{
+          message: "Could not get metadata. HTTP error: " + metadataRes.status + " " + metadataRes.statusText,
+          filePath
+        }]
+      };
+    } catch (err) {
+      return {
+        errors: [{
+          message: "Could not get metadata (connection error?): " + (err instanceof Error ? err.message : (err === null || err === void 0 ? void 0 : err.toString()) || "unknown error")
+        }]
+      };
     }
-    throw new Error("Module cache not initialized");
   }
-  async getAllModules(treePath) {
-    if (!this.moduleCache) {
-      throw new Error("Module cache not initialized");
-    }
-    return Object.keys(this.moduleCache).filter(moduleId => moduleId.startsWith(treePath));
+  async getBinaryFileMetadata(filePath, type) {
+    // TODO: call get metadata on this instance which caches + returns the metadata for this filepath / commit
+    // something like this:
+    // const params = new URLSearchParams();
+    // params.set("path", filePath);
+    // params.set("type", type);
+    // return fetch(new URL(`${this.route}/files/metadata?${params}`, baseUrl)).then(
+    //   (res) => {
+    //     return res.json();
+    //   }
+    // );
+    return {
+      errors: [{
+        message: "Not implemented: " + type,
+        filePath
+      }]
+    };
   }
-  execCommit(patches, cookies) {
-    return withAuth(this.options.valSecret, cookies, "execCommit", async ({
-      token
-    }) => {
-      const commit = this.options.git.commit;
-      if (!commit) {
-        return {
-          status: 400,
-          json: {
-            message: "Could not detect the git commit. Check if env is missing VAL_GIT_COMMIT."
+  async deletePatches(patchIds) {
+    return fetch(`${this.hostUrl}/v1/${this.project}/patches`, {
+      method: "DELETE",
+      headers: {
+        ...this.authHeaders,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        patchIds
+      })
+    }).then(async res => {
+      if (res.ok) {
+        const parsed = DeletePatchesResponse.safeParse(await res.json());
+        if (parsed.success) {
+          const errors = {};
+          for (const err of parsed.data.errors || []) {
+            errors[err.patchId] = err;
           }
-        };
-      }
-      const params = createParams({
-        root: this.apiOptions.root,
-        commit,
-        ext: ["ts", "js", "json"],
-        package: ["@valbuild/core@" + this.options.versions.core, "@valbuild/next@" + this.options.versions.next],
-        include: ["**/*.val.{js,ts},package.json,tsconfig.json,jsconfig.json"]
-      });
-      const url = new URL(`/v1/commit/${this.options.remote}/heads/${this.options.git.branch}/~?${params}`, this.options.valContentUrl);
-      const patchIds = patches.map(([patchId]) => patchId);
-      const fetchRes = await fetch(url, {
-        method: "POST",
-        headers: getAuthHeaders(token, "application/json"),
-        body: JSON.stringify({
-          patchIds
-        })
-      });
-      if (fetchRes.status === 200) {
+          if (Object.keys(errors).length === 0) {
+            return {
+              deleted: parsed.data.deleted
+            };
+          }
+          return {
+            deleted: parsed.data.deleted,
+            errors
+          };
+        }
         return {
-          status: fetchRes.status,
-          json: await fetchRes.json()
+          error: {
+            message: `Could not parse delete patches response. Error: ${zodValidationError.fromError(parsed.error)}`
+          }
         };
-      } else {
-        return createJsonError(fetchRes);
       }
+      return {
+        error: {
+          message: "Could not delete patches. HTTP error: " + res.status + " " + res.statusText
+        }
+      };
+    }).catch(e => {
+      return {
+        error: {
+          message: `Could not delete patches (connection error?): ${e instanceof Error ? e.message : e.toString()}`
+        }
+      };
     });
   }
-  async init(commit, token) {
-    const params = createParams({
-      root: this.apiOptions.root,
-      commit,
-      ext: ["ts", "js", "json"],
-      package: ["@valbuild/core@" + this.options.versions.core, "@valbuild/next@" + this.options.versions.next],
-      include: ["**/*.val.{js,ts},package.json,tsconfig.json,jsconfig.json"]
-    });
-    const url = new URL(`/v1/eval/${this.options.remote}/heads/${this.options.git.branch}/~?${params}`, this.options.valContentUrl);
+  async commit(prepared, message, committer, newBranch) {
     try {
-      const fetchRes = await fetch(url, {
-        headers: getAuthHeaders(token, "application/json")
-      });
-      if (fetchRes.status === 200) {
-        const json = await fetchRes.json();
-        let error = false;
-        if (typeof json !== "object") {
-          error = {
-            details: "Invalid response: not an object"
-          };
-        }
-        if (typeof json.git !== "object") {
-          error = {
-            details: "Invalid response: missing git"
-          };
-        }
-        if (typeof json.git.commit !== "string") {
-          error = {
-            details: "Invalid response: missing git.commit"
-          };
-        }
-        if (typeof json.modules !== "object" || json.modules === null) {
-          error = {
-            details: "Invalid response: missing modules"
-          };
-        }
-        if (error) {
-          console.error("Could not initialize remote modules", error);
+      const existingBranch = this.branch;
+      const res = await fetch(`${this.hostUrl}/v1/${this.project}/commit`, {
+        method: "POST",
+        headers: {
+          ...this.authHeaders,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          patchedSourceFiles: prepared.patchedSourceFiles,
+          patchedBinaryFilesDescriptors: prepared.patchedBinaryFilesDescriptors,
+          appliedPatches: prepared.appliedPatches,
+          commit: this.commitSha,
+          root: this.root,
+          baseSha: await this.getBaseSha(),
+          committer,
+          message,
+          existingBranch,
+          newBranch
+        })
+      });
+      if (res.ok) {
+        const parsed = CommitResponse.safeParse(await res.json());
+        if (parsed.success) {
           return {
-            status: 500,
-            json: {
-              message: "Failed to fetch remote modules",
-              ...error
-            }
+            updatedFiles: parsed.data.updatedFiles,
+            commit: parsed.data.commit,
+            branch: parsed.data.branch
           };
         }
-        this.moduleCache = json.modules;
         return {
-          status: 200
+          error: {
+            message: `Could not parse commit response. Error: ${zodValidationError.fromError(parsed.error)}`
+          }
         };
-      } else {
-        return createJsonError(fetchRes);
       }
+      return {
+        error: {
+          message: "Could not commit. HTTP error: " + res.status + " " + res.statusText
+        }
+      };
     } catch (err) {
       return {
-        status: 500,
-        json: {
-          message: "Failed to fetch: check network connection"
+        error: {
+          message: `Could not commit (connection error?): ${err instanceof Error ? err.message : (err === null || err === void 0 ? void 0 : err.toString()) || "unknown error"}`
         }
       };
     }
   }
-  async ensureInitialized(errorMessageType, cookies) {
-    const commit = this.options.git.commit;
-    if (!commit) {
-      return fp.result.err({
-        status: 400,
-        json: {
-          message: "Could not detect the git commit. Check if env is missing VAL_GIT_COMMIT."
-        }
+}
+
+/* eslint-disable @typescript-eslint/no-unused-vars */
+class ValServer {
+  constructor(valModules, options, callbacks) {
+    this.valModules = valModules;
+    this.options = options;
+    this.callbacks = callbacks;
+    if (options.mode === "fs") {
+      this.serverOps = new ValOpsFS(options.cwd, valModules, {
+        formatter: options.formatter
+      });
+    } else if (options.mode === "http") {
+      this.serverOps = new ValOpsHttp(options.valContentUrl, options.project, options.commit, options.branch, options.apiKey, valModules, {
+        formatter: options.formatter,
+        root: options.root
       });
-    }
-    const res = await withAuth(this.options.valSecret, cookies, errorMessageType, async data => {
-      if (!this.moduleCache) {
-        return this.init(commit, data.token);
-      } else {
-        return {
-          status: 200
-        };
-      }
-    });
-    if (res.status === 200) {
-      return fp.result.ok(undefined);
     } else {
-      return fp.result.err(res);
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      throw new Error("Invalid mode: " + (options === null || options === void 0 ? void 0 : options.mode));
     }
   }
-  /* Auth endpoints */
 
+  //#region auth
+  async enable(query) {
+    const redirectToRes = getRedirectUrl(query, this.options.valEnableRedirectUrl);
+    if (typeof redirectToRes !== "string") {
+      return redirectToRes;
+    }
+    await this.callbacks.onEnable(true);
+    return {
+      cookies: {
+        [internal.VAL_ENABLE_COOKIE_NAME]: ENABLE_COOKIE_VALUE
+      },
+      status: 302,
+      redirectTo: redirectToRes
+    };
+  }
+  async disable(query) {
+    const redirectToRes = getRedirectUrl(query, this.options.valDisableRedirectUrl);
+    if (typeof redirectToRes !== "string") {
+      return redirectToRes;
+    }
+    await this.callbacks.onDisable(true);
+    return {
+      cookies: {
+        [internal.VAL_ENABLE_COOKIE_NAME]: {
+          value: "false"
+        }
+      },
+      status: 302,
+      redirectTo: redirectToRes
+    };
+  }
   async authorize(query) {
     if (typeof query.redirect_to !== "string") {
       return {
@@ -2587,7 +3346,7 @@ class ProxyValServer extends ValServer {
         }
       };
     }
-    const token = crypto__default["default"].randomUUID();
+    const token = crypto.randomUUID();
     const redirectUrl = new URL(query.redirect_to);
     const appAuthorizeUrl = this.getAuthorizeUrl(`${redirectUrl.origin}/${this.options.route}`, token);
     return {
@@ -2609,6 +3368,28 @@ class ProxyValServer extends ValServer {
     };
   }
   async callback(query, cookies) {
+    if (!this.options.project) {
+      return {
+        status: 302,
+        cookies: {
+          [internal.VAL_STATE_COOKIE]: {
+            value: null
+          }
+        },
+        redirectTo: this.getAppErrorUrl("Project is not set")
+      };
+    }
+    if (!this.options.valSecret) {
+      return {
+        status: 302,
+        cookies: {
+          [internal.VAL_STATE_COOKIE]: {
+            value: null
+          }
+        },
+        redirectTo: this.getAppErrorUrl("Secret is not set")
+      };
+    }
     const {
       success: callbackReqSuccess,
       error: callbackReqError
@@ -2637,10 +3418,22 @@ class ProxyValServer extends ValServer {
       };
     }
     const exp = getExpire();
+    const valSecret = this.options.valSecret;
+    if (!valSecret) {
+      return {
+        status: 302,
+        cookies: {
+          [internal.VAL_STATE_COOKIE]: {
+            value: null
+          }
+        },
+        redirectTo: this.getAppErrorUrl("Setup is not correct: secret is missing")
+      };
+    }
     const cookie = encodeJwt({
       ...data,
       exp // this is the client side exp
-    }, this.options.valSecret);
+    }, valSecret);
     return {
       status: 302,
       cookies: {
@@ -2662,7 +3455,7 @@ class ProxyValServer extends ValServer {
       redirectTo: callbackReqSuccess.redirect_uri || "/"
     };
   }
-  async logout() {
+  async log() {
     return {
       status: 200,
       cookies: {
@@ -2676,8 +3469,41 @@ class ProxyValServer extends ValServer {
     };
   }
   async session(cookies) {
+    if (this.serverOps instanceof ValOpsFS) {
+      return {
+        status: 200,
+        json: {
+          mode: "local",
+          enabled: await this.callbacks.isEnabled()
+        }
+      };
+    }
+    if (!this.options.project) {
+      return {
+        status: 500,
+        json: {
+          message: "Project is not set"
+        }
+      };
+    }
+    if (!this.options.valSecret) {
+      return {
+        status: 500,
+        json: {
+          message: "Secret is not set"
+        }
+      };
+    }
     return withAuth(this.options.valSecret, cookies, "session", async data => {
-      const url = new URL(`/api/val/${this.options.remote}/auth/session`, this.options.valBuildUrl);
+      if (!this.options.valBuildUrl) {
+        return {
+          status: 500,
+          json: {
+            message: "Val is not correctly setup. Build url is missing"
+          }
+        };
+      }
+      const url = new URL(`/api/val/${this.options.project}/auth/session`, this.options.valBuildUrl);
       const fetchRes = await fetch(url, {
         headers: getAuthHeaders(data.token, "application/json")
       });
@@ -2686,7 +3512,7 @@ class ProxyValServer extends ValServer {
           status: fetchRes.status,
           json: {
             mode: "proxy",
-            enabled: await this.callbacks.isEnabled(),
+            d: await this.callbacks.isEnabled(),
             ...(await fetchRes.json())
           }
         };
@@ -2702,8 +3528,17 @@ class ProxyValServer extends ValServer {
     });
   }
   async consumeCode(code) {
-    const url = new URL(`/api/val/${this.options.remote}/auth/token`, this.options.valBuildUrl);
+    if (!this.options.project) {
+      throw new Error("Project is not set");
+    }
+    if (!this.options.valBuildUrl) {
+      throw new Error("Val build url is not set");
+    }
+    const url = new URL(`/api/val/${this.options.project}/auth/token`, this.options.valBuildUrl);
     url.searchParams.set("code", encodeURIComponent(code));
+    if (!this.options.apiKey) {
+      return null;
+    }
     return fetch(url, {
       method: "POST",
       headers: getAuthHeaders(this.options.apiKey, "application/json") // NOTE: we use apiKey as auth on this endpoint (we do not have a token yet)
@@ -2727,186 +3562,453 @@ class ProxyValServer extends ValServer {
       return null;
     });
   }
-  getAuthorizeUrl(publicValApiRoute, token) {
-    const url = new URL(`/auth/${this.options.remote}/authorize`, this.options.valBuildUrl);
-    url.searchParams.set("redirect_uri", encodeURIComponent(`${publicValApiRoute}/callback`));
+  getAuthorizeUrl(publicValApiRe, token) {
+    if (!this.options.project) {
+      throw new Error("Project is not set");
+    }
+    if (!this.options.valBuildUrl) {
+      throw new Error("Val build url is not set");
+    }
+    const url = new URL(`/auth/${this.options.project}/authorize`, this.options.valBuildUrl);
+    url.searchParams.set("redirect_uri", encodeURIComponent(`${publicValApiRe}/callback`));
     url.searchParams.set("state", token);
     return url.toString();
   }
   getAppErrorUrl(error) {
-    const url = new URL(`/auth/${this.options.remote}/authorize`, this.options.valBuildUrl);
+    if (!this.options.project) {
+      throw new Error("Project is not set");
+    }
+    if (!this.options.valBuildUrl) {
+      throw new Error("Val build url is not set");
+    }
+    const url = new URL(`/auth/${this.options.project}/authorize`, this.options.valBuildUrl);
     url.searchParams.set("error", encodeURIComponent(error));
     return url.toString();
   }
+  getAuth(cookies) {
+    const cookie = cookies[internal.VAL_SESSION_COOKIE];
+    if (!this.options.valSecret) {
+      if (this.serverOps instanceof ValOpsFS) {
+        return {
+          error: null,
+          id: null
+        };
+      } else {
+        return {
+          error: "Setup is not correct: secret is missing"
+        };
+      }
+    }
+    if (typeof cookie === "string") {
+      const decodedToken = decodeJwt(cookie, this.options.valSecret);
+      if (!decodedToken) {
+        if (this.serverOps instanceof ValOpsFS) {
+          return {
+            error: null,
+            id: null
+          };
+        }
+        return {
+          error: "Could not verify session (invalid token). You will need to login again."
+        };
+      }
+      const verification = IntegratedServerJwtPayload.safeParse(decodedToken);
+      if (!verification.success) {
+        if (this.serverOps instanceof ValOpsFS) {
+          return {
+            error: null,
+            id: null
+          };
+        }
+        return {
+          error: "Session invalid or, most likely, expired. You will need to login again."
+        };
+      }
+      return {
+        id: verification.data.sub
+      };
+    } else {
+      if (this.serverOps instanceof ValOpsFS) {
+        return {
+          error: null,
+          id: null
+        };
+      }
+      return {
+        error: "Login required: cookie not found"
+      };
+    }
+  }
+  async logout() {
+    return {
+      status: 200,
+      cookies: {
+        [internal.VAL_SESSION_COOKIE]: {
+          value: null
+        },
+        [internal.VAL_STATE_COOKIE]: {
+          value: null
+        }
+      }
+    };
+  }
 
-  /* Patch endpoints */
-  async deletePatches(
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  query,
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  cookies) {
-    return withAuth(this.options.valSecret, cookies, "deletePatches", async ({
-      token
-    }) => {
-      const patchIds = query.id || [];
-      const url = new URL(`/v1/patches/${this.options.remote}/heads/${this.options.git.branch}/~`, this.options.valContentUrl);
-      const fetchRes = await fetch(url, {
-        method: "DELETE",
-        headers: getAuthHeaders(token, "application/json"),
-        body: JSON.stringify({
-          patches: patchIds
-        })
+  //#region patches
+  async getPatches(query, cookies) {
+    const auth = this.getAuth(cookies);
+    if (auth.error) {
+      return {
+        status: 401,
+        json: {
+          message: auth.error
+        }
+      };
+    }
+    const authors = query.authors;
+    const patches = await this.serverOps.findPatches({
+      authors
+    });
+    if (patches.errors && Object.keys(patches.errors).length > 0) {
+      console.error("Val: Failed to get patches", patches.errors);
+      return {
+        status: 500,
+        json: {
+          message: "Failed to get patches",
+          details: patches.errors
+        }
+      };
+    }
+    const res = {};
+    for (const [patchIdS, patchData] of Object.entries(patches.patches)) {
+      var _patchData$appliedAt;
+      const patchId = patchIdS;
+      if (!res[patchData.path]) {
+        res[patchData.path] = [];
+      }
+      res[patchData.path].push({
+        patch_id: patchId,
+        created_at: patchData.createdAt,
+        applied_at_base_sha: ((_patchData$appliedAt = patchData.appliedAt) === null || _patchData$appliedAt === void 0 ? void 0 : _patchData$appliedAt.baseSha) || null,
+        author: patchData.authorId ?? undefined
       });
-      if (fetchRes.status === 200) {
-        return {
-          status: fetchRes.status,
-          json: await fetchRes.json()
+    }
+    return {
+      status: 200,
+      json: res
+    };
+  }
+  async deletePatches(query, cookies) {
+    const auth = this.getAuth(cookies);
+    if (auth.error) {
+      return {
+        status: 401,
+        json: {
+          message: auth.error
+        }
+      };
+    }
+    if (this.options.mode === "http" && !("id" in auth)) {
+      return {
+        status: 401,
+        json: {
+          message: "Unauthorized"
+        }
+      };
+    }
+    const ids = query.id;
+    const deleteRes = await this.serverOps.deletePatches(ids);
+    if (deleteRes.errors && Object.keys(deleteRes.errors).length > 0) {
+      console.error("Val: Failed to delete patches", deleteRes.errors);
+      return {
+        status: 500,
+        json: {
+          message: "Failed to delete patches",
+          details: deleteRes.errors
+        }
+      };
+    }
+    return {
+      status: 200,
+      json: ids
+    };
+  }
+
+  //#region tree ops
+  async getSchema(cookies) {
+    const auth = this.getAuth(cookies);
+    if (auth.error) {
+      return {
+        status: 401,
+        json: {
+          message: auth.error
+        }
+      };
+    }
+    const moduleErrors = await this.serverOps.getModuleErrors();
+    if ((moduleErrors === null || moduleErrors === void 0 ? void 0 : moduleErrors.length) > 0) {
+      console.error("Val: Module errors", moduleErrors);
+      return {
+        status: 500,
+        json: {
+          message: "Val is not correctly setup. Check the val.modules file",
+          details: moduleErrors
+        }
+      };
+    }
+    const schemaSha = await this.serverOps.getSchemaSha();
+    const schemas = await this.serverOps.getSchemas();
+    const serializedSchemas = {};
+    for (const [moduleFilePathS, schema] of Object.entries(schemas)) {
+      const moduleFilePath = moduleFilePathS;
+      serializedSchemas[moduleFilePath] = schema.serialize();
+    }
+    return {
+      status: 200,
+      json: {
+        schemaSha,
+        schemas: serializedSchemas
+      }
+    };
+  }
+  async putTree(body, treePath, query, cookies) {
+    var _bodyRes$data, _bodyRes$data2, _bodyRes$data3;
+    const auth = this.getAuth(cookies);
+    if (auth.error) {
+      return {
+        status: 401,
+        json: {
+          message: auth.error
+        }
+      };
+    }
+    // TODO: move
+    const PutTreeBody = z.z.object({
+      patchIds: z.z.array(z.z.string().refine(id => true // TODO:
+      )).optional(),
+      addPatch: z.z.object({
+        path: z.z.string().refine(path => true // TODO:
+        ),
+        patch: Patch
+      }).optional()
+    }).optional();
+    const moduleErrors = await this.serverOps.getModuleErrors();
+    if ((moduleErrors === null || moduleErrors === void 0 ? void 0 : moduleErrors.length) > 0) {
+      console.error("Val: Module errors", moduleErrors);
+      return {
+        status: 500,
+        json: {
+          message: "Val is not correctly setup. Check the val.modules file",
+          details: moduleErrors
+        }
+      };
+    }
+    const bodyRes = PutTreeBody.safeParse(body);
+    if (!bodyRes.success) {
+      return {
+        status: 400,
+        json: {
+          message: "Invalid body: " + zodValidationError.fromError(bodyRes.error).toString(),
+          details: bodyRes.error.errors
+        }
+      };
+    }
+    let tree;
+    let patchAnalysis = null;
+    if ((_bodyRes$data = bodyRes.data) !== null && _bodyRes$data !== void 0 && _bodyRes$data.patchIds && ((_bodyRes$data2 = bodyRes.data) === null || _bodyRes$data2 === void 0 || (_bodyRes$data2 = _bodyRes$data2.patchIds) === null || _bodyRes$data2 === void 0 ? void 0 : _bodyRes$data2.length) > 0 || (_bodyRes$data3 = bodyRes.data) !== null && _bodyRes$data3 !== void 0 && _bodyRes$data3.addPatch) {
+      var _bodyRes$data4, _bodyRes$data5;
+      // TODO: validate patches_sha
+      const patchIds = (_bodyRes$data4 = bodyRes.data) === null || _bodyRes$data4 === void 0 ? void 0 : _bodyRes$data4.patchIds;
+      const patchOps = patchIds && patchIds.length > 0 ? await this.serverOps.getPatchOpsById(patchIds) : {
+        patches: {}
+      };
+      let patchErrors = undefined;
+      for (const [patchIdS, error] of Object.entries(patchOps.errors || {})) {
+        const patchId = patchIdS;
+        if (!patchErrors) {
+          patchErrors = {};
+        }
+        patchErrors[patchId] = {
+          message: error.message
+        };
+      }
+      if ((_bodyRes$data5 = bodyRes.data) !== null && _bodyRes$data5 !== void 0 && _bodyRes$data5.addPatch) {
+        const newPatchModuleFilePath = bodyRes.data.addPatch.path;
+        const newPatchOps = bodyRes.data.addPatch.patch;
+        const authorId = null; // TODO:
+        const createPatchRes = await this.serverOps.createPatch(newPatchModuleFilePath, newPatchOps, authorId);
+        if (createPatchRes.error) {
+          return {
+            status: 500,
+            json: {
+              message: "Failed to create patch: " + createPatchRes.error.message,
+              details: createPatchRes.error
+            }
+          };
+        }
+        for (const fileRes of createPatchRes.files) {
+          if (fileRes.error) {
+            // clean up broken patch:
+            await this.serverOps.deletePatches([createPatchRes.patchId]);
+            return {
+              status: 500,
+              json: {
+                message: "Failed to create patch",
+                details: fileRes.error
+              }
+            };
+          }
+        }
+        patchOps.patches[createPatchRes.patchId] = {
+          path: newPatchModuleFilePath,
+          patch: newPatchOps,
+          authorId,
+          createdAt: createPatchRes.createdAt,
+          appliedAt: null
         };
-      } else {
-        return createJsonError(fetchRes);
       }
-    });
-  }
-  async getPatches(query, cookies) {
-    return withAuth(this.options.valSecret, cookies, "getPatches", async ({
-      token
-    }) => {
-      const commit = this.options.git.commit;
-      if (!commit) {
-        return {
-          status: 400,
-          json: {
-            message: "Could not detect the git commit. Check if env is missing VAL_GIT_COMMIT."
+      // TODO: errors
+      patchAnalysis = this.serverOps.analyzePatches(patchOps.patches);
+      tree = {
+        ...(await this.serverOps.getTree({
+          ...patchAnalysis,
+          ...patchOps
+        }))
+      };
+      if (query.validate_all === "true") {
+        const allTree = await this.serverOps.getTree();
+        tree = {
+          sources: {
+            ...allTree.sources,
+            ...tree.sources
+          },
+          errors: {
+            ...allTree.errors,
+            ...tree.errors
           }
         };
       }
-      const patchIds = query.id || [];
-      const params = patchIds.length > 0 ? `commit=${encodeURIComponent(commit)}&${patchIds.map(id => `id=${encodeURIComponent(id)}`).join("&")}` : `commit=${encodeURIComponent(commit)}`;
-      const url = new URL(`/v1/patches/${this.options.remote}/heads/${this.options.git.branch}/~?${params}`, this.options.valContentUrl);
-      // Proxy patch to val.build
-      const fetchRes = await fetch(url, {
-        method: "GET",
-        headers: getAuthHeaders(token, "application/json")
-      });
-      if (fetchRes.status === 200) {
-        return {
-          status: fetchRes.status,
-          json: await fetchRes.json()
+    } else {
+      tree = await this.serverOps.getTree();
+    }
+    if (tree.errors && Object.keys(tree.errors).length > 0) {
+      console.error("Val: Failed to get tree", JSON.stringify(tree.errors));
+    }
+    if (query.validate_sources === "true" || query.validate_binary_files === "true") {
+      const schemas = await this.serverOps.getSchemas();
+      const sourcesValidation = await this.serverOps.validateSources(schemas, tree.sources);
+
+      // TODO: send validation errors
+      if (query.validate_binary_files === "true") {
+        await this.serverOps.validateFiles(schemas, tree.sources, sourcesValidation.files);
+      }
+    }
+    const schemaSha = await this.serverOps.getSchemaSha();
+    const modules = {};
+    for (const [moduleFilePathS, module] of Object.entries(tree.sources)) {
+      const moduleFilePath = moduleFilePathS;
+      if (moduleFilePath.startsWith(treePath)) {
+        modules[moduleFilePath] = {
+          source: module,
+          patches: patchAnalysis ? {
+            applied: patchAnalysis.patchesByModule[moduleFilePath].map(p => p.patchId)
+          } : undefined
         };
-      } else {
-        return createJsonError(fetchRes);
       }
-    });
+    }
+    return {
+      status: 200,
+      json: {
+        schemaSha,
+        modules
+      }
+    };
   }
-  async postPatches(body, cookies) {
-    const commit = this.options.git.commit;
-    if (!commit) {
+  async postSave(body, cookies) {
+    const auth = this.getAuth(cookies);
+    if (auth.error) {
       return {
         status: 401,
         json: {
-          message: "Could not detect the git commit. Check if env is missing VAL_GIT_COMMIT."
+          message: auth.error
         }
       };
     }
-    const params = new URLSearchParams({
-      commit
+    const PostSaveBody = z.z.object({
+      patchIds: z.z.array(z.z.string().refine(id => true // TODO:
+      ))
     });
-    return withAuth(this.options.valSecret, cookies, "postPatches", async ({
-      token
-    }) => {
-      // First validate that the body has the right structure
-      const parsedPatches = z.z.record(Patch).safeParse(body);
-      if (!parsedPatches.success) {
-        return {
-          status: 400,
-          json: {
-            message: "Invalid patch(es)",
-            details: parsedPatches.error.issues
-          }
-        };
-      }
-      const patches = parsedPatches.data;
-      const url = new URL(`/v1/patches/${this.options.remote}/heads/${this.options.git.branch}/~?${params}`, this.options.valContentUrl);
-      // Proxy patch to val.build
-      const fetchRes = await fetch(url, {
-        method: "POST",
-        headers: getAuthHeaders(token, "application/json"),
-        body: JSON.stringify(patches)
-      });
-      if (fetchRes.status === 200) {
+    const bodyRes = PostSaveBody.safeParse(body);
+    if (!bodyRes.success) {
+      return {
+        status: 400,
+        json: {
+          message: "Invalid body: " + zodValidationError.fromError(bodyRes.error).toString(),
+          details: bodyRes.error.errors
+        }
+      };
+    }
+    const {
+      patchIds
+    } = bodyRes.data;
+    const patches = await this.serverOps.getPatchOpsById(patchIds);
+    const analysis = this.serverOps.analyzePatches(patches.patches);
+    const preparedCommit = await this.serverOps.prepare({
+      ...analysis,
+      ...patches
+    });
+    if (this.serverOps instanceof ValOpsFS) {
+      await this.serverOps.saveFiles(preparedCommit);
+      return {
+        status: 200,
+        json: {} // TODO:
+      };
+    } else if (this.serverOps instanceof ValOpsHttp) {
+      if (auth.error === undefined && auth.id) {
+        await this.serverOps.commit(preparedCommit, "Update content: " + Object.keys(analysis.patchesByModule) + " modules changed", auth.id);
         return {
-          status: fetchRes.status,
-          json: await fetchRes.json()
+          status: 200,
+          json: {} // TODO:
         };
-      } else {
-        return createJsonError(fetchRes);
-      }
-    });
-  }
-  async getMetadata(filePath, sha256) {
-    const url = new URL(`/v1/metadata/${this.options.remote}${filePath}?commit=${this.options.git.commit}${sha256 ? `&sha256=${sha256}` : ""}`, this.options.valContentUrl);
-    const fetchRes = await fetch(url, {
-      headers: {
-        Authorization: `Bearer ${this.options.apiKey}`
-      }
-    });
-    if (fetchRes.status === 200) {
-      const json = await fetchRes.json();
-      if (json.type === "file") {
-        return json;
-      } else if (json.type === "image") {
-        return json;
       }
+      return {
+        status: 401,
+        json: {
+          message: "Unauthorized"
+        }
+      };
+    } else {
+      throw new Error("Invalid server ops");
     }
-    return undefined;
   }
-  async getFiles(filePath, query, _cookies, reqHeaders) {
-    const url = new URL(`/v1/files/${this.options.remote}${filePath}`, this.options.valContentUrl);
-    if (typeof query.sha256 === "string") {
-      url.searchParams.append("sha256", query.sha256);
+
+  //#region files
+  async getFiles(filePath, query) {
+    // NOTE: no auth here since you would need the patch_id to get something that is not published.
+    // For everything that is published, well they are already public so no auth required there...
+    // We could imagine adding auth just to be a 200% certain,
+    // However that won't work since images are requested by the nextjs backend as a part of image optimization (again: as an example) which is a backend-to-backend op (no cookies, ...).
+    // So: 1) patch ids are not possible to guess (but possible to brute force)
+    //     2) the process of shimming a patch into the frontend would be quite challenging (so just trying out this attack would require a lot of effort)
+    //     3) the benefit an attacker would get is an image that is not yet published (i.e. most cases: not very interesting)
+    // Thus: attack surface + ease of attack + benefit = low probability of attack
+    // If we couldn't argue that patch ids are secret enough, then this would be a problem.
+    let fileBuffer;
+    if (query.patch_id) {
+      fileBuffer = await this.serverOps.getBase64EncodedBinaryFileFromPatch(filePath, query.patch_id);
+    } else {
+      fileBuffer = await this.serverOps.getBinaryFile(filePath);
     }
-    const fetchRes = await fetch(url, {
-      headers: {
-        Authorization: `Bearer ${this.options.apiKey}`
-      }
-    });
-    if (fetchRes.status === 200) {
-      // TODO: does this stream data?
-      if (fetchRes.body) {
-        return {
-          status: fetchRes.status,
-          headers: {
-            "Content-Type": fetchRes.headers.get("Content-Type") || "",
-            "Content-Length": fetchRes.headers.get("Content-Length") || "0",
-            "Cache-Control": fetchRes.headers.get("Cache-Control") || ""
-          },
-          body: fetchRes.body
-        };
-      } else {
-        return {
-          status: 500,
-          json: {
-            message: "No body in response"
-          }
-        };
-      }
+    if (fileBuffer) {
+      return {
+        status: 200,
+        body: bufferToReadableStream(fileBuffer)
+      };
     } else {
-      if (!(reqHeaders.host && reqHeaders["x-forwarded-proto"])) {
-        return {
-          status: 500,
-          json: {
-            message: "Missing host or x-forwarded-proto header"
-          }
-        };
-      }
-      const host = `${reqHeaders["x-forwarded-proto"]}://${reqHeaders["host"]}`;
-      const staticPublicUrl = new URL(filePath.slice("/public".length), host).toString();
-      const fetchRes = await fetch(staticPublicUrl);
       return {
-        status: fetchRes.status,
-        // forward headers from static public url
-        headers: Object.fromEntries(fetchRes.headers.entries()),
-        body: fetchRes.body
+        status: 404,
+        json: {
+          message: "File not found"
+        }
       };
     }
   }
@@ -3011,22 +4113,6 @@ function getStateFromCookie(stateCookie) {
     };
   }
 }
-async function createJsonError(fetchRes) {
-  var _fetchRes$headers$get;
-  if ((_fetchRes$headers$get = fetchRes.headers.get("Content-Type")) !== null && _fetchRes$headers$get !== void 0 && _fetchRes$headers$get.includes("application/json")) {
-    return {
-      status: fetchRes.status,
-      json: await fetchRes.json()
-    };
-  }
-  console.error("Unexpected failure (did not get a json) - Val down?", fetchRes.status, await fetchRes.text());
-  return {
-    status: fetchRes.status,
-    json: {
-      message: "Unexpected failure (did not get a json) - Val down?"
-    }
-  };
-}
 function createStateCookie(state) {
   return Buffer.from(JSON.stringify(state), "utf8").toString("base64");
 }
@@ -3098,42 +4184,147 @@ function getAuthHeaders(token, type) {
     Authorization: `Bearer ${token}`
   };
 }
-function createParams(params) {
-  let paramIdx = 0;
-  let paramsString = "";
-  for (const key in params) {
-    const param = params[key];
-    if (Array.isArray(param)) {
-      for (const value of param) {
-        paramsString += `${key}=${encodeURIComponent(value)}&`;
+const ENABLE_COOKIE_VALUE = {
+  value: "true",
+  options: {
+    httpOnly: false,
+    sameSite: "lax"
+  }
+};
+const chunkSize = 1024 * 1024;
+function bufferToReadableStream(buffer) {
+  const stream = new ReadableStream({
+    start(controller) {
+      let offset = 0;
+      while (offset < buffer.length) {
+        const chunk = buffer.subarray(offset, offset + chunkSize);
+        controller.enqueue(chunk);
+        offset += chunkSize;
       }
-    } else if (param) {
-      paramsString += `${key}=${encodeURIComponent(param)}`;
-    }
-    if (paramIdx < Object.keys(params).length - 1) {
-      paramsString += "&";
+      controller.close();
     }
-    paramIdx++;
+  });
+  return stream;
+}
+function getRedirectUrl(query, overrideHost) {
+  if (typeof query.redirect_to !== "string") {
+    return {
+      status: 400,
+      json: {
+        message: "Missing redirect_to query param"
+      }
+    };
   }
-  return paramsString;
+  if (overrideHost) {
+    return overrideHost + "?redirect_to=" + encodeURIComponent(query.redirect_to);
+  }
+  return query.redirect_to;
 }
 
-async function createValServer(route, opts, callbacks) {
-  const serverOpts = await initHandlerOptions(route, opts);
-  if (serverOpts.mode === "proxy") {
-    const projectRoot = process.cwd(); //[process.cwd(), opts.root || ""]      .filter((seg) => seg)      .join("/");
-    return new ProxyValServer(projectRoot, serverOpts, opts, callbacks);
-  } else {
-    return new LocalValServer(serverOpts, callbacks);
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types
+const COMMON_MIME_TYPES = {
+  aac: "audio/aac",
+  abw: "application/x-abiword",
+  arc: "application/x-freearc",
+  avif: "image/avif",
+  avi: "video/x-msvideo",
+  azw: "application/vnd.amazon.ebook",
+  bin: "application/octet-stream",
+  bmp: "image/bmp",
+  bz: "application/x-bzip",
+  bz2: "application/x-bzip2",
+  cda: "application/x-cdf",
+  csh: "application/x-csh",
+  css: "text/css",
+  csv: "text/csv",
+  doc: "application/msword",
+  docx: "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  eot: "application/vnd.ms-fontobject",
+  epub: "application/epub+zip",
+  gz: "application/gzip",
+  gif: "image/gif",
+  htm: "text/html",
+  html: "text/html",
+  ico: "image/vnd.microsoft.icon",
+  ics: "text/calendar",
+  jar: "application/java-archive",
+  jpeg: "image/jpeg",
+  jpg: "image/jpeg",
+  js: "text/javascript",
+  json: "application/json",
+  jsonld: "application/ld+json",
+  mid: "audio/midi",
+  midi: "audio/midi",
+  mjs: "text/javascript",
+  mp3: "audio/mpeg",
+  mp4: "video/mp4",
+  mpeg: "video/mpeg",
+  mpkg: "application/vnd.apple.installer+xml",
+  odp: "application/vnd.oasis.opendocument.presentation",
+  ods: "application/vnd.oasis.opendocument.spreadsheet",
+  odt: "application/vnd.oasis.opendocument.text",
+  oga: "audio/ogg",
+  ogv: "video/ogg",
+  ogx: "application/ogg",
+  opus: "audio/opus",
+  otf: "font/otf",
+  png: "image/png",
+  pdf: "application/pdf",
+  php: "application/x-httpd-php",
+  ppt: "application/vnd.ms-powerpoint",
+  pptx: "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+  rar: "application/vnd.rar",
+  rtf: "application/rtf",
+  sh: "application/x-sh",
+  svg: "image/svg+xml",
+  tar: "application/x-tar",
+  tif: "image/tiff",
+  tiff: "image/tiff",
+  ts: "video/mp2t",
+  ttf: "font/ttf",
+  txt: "text/plain",
+  vsd: "application/vnd.visio",
+  wav: "audio/wav",
+  weba: "audio/webm",
+  webm: "video/webm",
+  webp: "image/webp",
+  woff: "font/woff",
+  woff2: "font/woff2",
+  xhtml: "application/xhtml+xml",
+  xls: "application/vnd.ms-excel",
+  xlsx: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  xml: "application/xml",
+  xul: "application/vnd.mozilla.xul+xml",
+  zip: "application/zip",
+  "3gp": "video/3gpp; audio/3gpp if it doesn't contain video",
+  "3g2": "video/3gpp2; audio/3gpp2 if it doesn't contain video",
+  "7z": "application/x-7z-compressed"
+};
+function guessMimeTypeFromPath(filePath) {
+  const fileExt = filePath.split(".").pop();
+  if (fileExt) {
+    return COMMON_MIME_TYPES[fileExt.toLowerCase()] || null;
   }
+  return null;
+}
+
+async function createValServer(valModules, route, opts, callbacks, formatter) {
+  const valServerConfig = await initHandlerOptions(route, opts);
+  return new ValServer(valModules, {
+    formatter,
+    ...valServerConfig
+  }, callbacks);
 }
 async function initHandlerOptions(route, opts) {
   const maybeApiKey = opts.apiKey || process.env.VAL_API_KEY;
   const maybeValSecret = opts.valSecret || process.env.VAL_SECRET;
   const isProxyMode = opts.mode === "proxy" || opts.mode === undefined && (maybeApiKey || maybeValSecret);
+  const valEnableRedirectUrl = opts.valEnableRedirectUrl || process.env.VAL_ENABLE_REDIRECT_URL;
+  const valDisableRedirectUrl = opts.valDisableRedirectUrl || process.env.VAL_DISABLE_REDIRECT_URL;
+  const maybeValProject = opts.project || process.env.VAL_PROJECT;
+  const valBuildUrl = opts.valBuildUrl || process.env.VAL_BUILD_URL || "https://app.val.build";
   if (isProxyMode) {
     var _opts$versions, _opts$versions2;
-    const valBuildUrl = opts.valBuildUrl || process.env.VAL_BUILD_URL || "https://app.val.build";
     if (!maybeApiKey || !maybeValSecret) {
       throw new Error("VAL_API_KEY and VAL_SECRET env vars must both be set in proxy mode");
     }
@@ -3146,9 +4337,8 @@ async function initHandlerOptions(route, opts) {
     if (!maybeGitBranch) {
       throw new Error("VAL_GIT_BRANCH env var must be set in proxy mode");
     }
-    const maybeValRemote = opts.remote || process.env.VAL_REMOTE;
-    if (!maybeValRemote) {
-      throw new Error("Proxy mode does not work unless the 'remote' option in val.config is defined or the VAL_REMOTE env var is set.");
+    if (!maybeValProject) {
+      throw new Error("Proxy mode does not work unless the 'project' option in val.config is defined or the VAL_PROJECT env var is set.");
     }
     const coreVersion = (_opts$versions = opts.versions) === null || _opts$versions === void 0 ? void 0 : _opts$versions.core;
     if (!coreVersion) {
@@ -3159,43 +4349,40 @@ async function initHandlerOptions(route, opts) {
       throw new Error("Could not determine version of @valbuild/next");
     }
     return {
-      mode: "proxy",
+      mode: "http",
       route,
       apiKey: maybeApiKey,
       valSecret: maybeValSecret,
-      valBuildUrl,
+      commit: maybeGitCommit,
+      branch: maybeGitBranch,
+      root: opts.root,
+      project: maybeValProject,
+      valEnableRedirectUrl,
+      valDisableRedirectUrl,
       valContentUrl,
-      versions: {
-        core: coreVersion,
-        next: nextVersion
-      },
-      git: {
-        commit: maybeGitCommit,
-        branch: maybeGitBranch
-      },
-      remote: maybeValRemote,
-      valEnableRedirectUrl: opts.valEnableRedirectUrl || process.env.VAL_ENABLE_REDIRECT_URL,
-      valDisableRedirectUrl: opts.valDisableRedirectUrl || process.env.VAL_DISABLE_REDIRECT_URL
+      valBuildUrl
     };
   } else {
     const cwd = process.cwd();
-    const service = await createService(cwd, opts);
-    const git = await safeReadGit(cwd);
+    const valBuildUrl = opts.valBuildUrl || process.env.VAL_BUILD_URL || "https://app.val.build";
     return {
-      mode: "local",
-      service,
-      valEnableRedirectUrl: opts.valEnableRedirectUrl || process.env.VAL_ENABLE_REDIRECT_URL,
-      valDisableRedirectUrl: opts.valDisableRedirectUrl || process.env.VAL_DISABLE_REDIRECT_URL,
-      git: {
-        commit: process.env.VAL_GIT_COMMIT || git.commit,
-        branch: process.env.VAL_GIT_BRANCH || git.branch
-      }
+      mode: "fs",
+      cwd,
+      route,
+      valDisableRedirectUrl,
+      valEnableRedirectUrl,
+      valBuildUrl,
+      apiKey: maybeApiKey,
+      valSecret: maybeValSecret,
+      project: maybeValProject
     };
   }
 }
+
+// TODO: remove
 async function safeReadGit(cwd) {
   async function findGitHead(currentDir, depth) {
-    const gitHeadPath = path__namespace.join(currentDir, ".git", "HEAD");
+    const gitHeadPath = fsPath__namespace.join(currentDir, ".git", "HEAD");
     if (depth > 1000) {
       console.error(`Reached max depth while scanning for .git folder. Current working dir: ${cwd}.`);
       return {
@@ -3219,7 +4406,7 @@ async function safeReadGit(cwd) {
         };
       }
     } catch (error) {
-      const parentDir = path__namespace.dirname(currentDir);
+      const parentDir = fsPath__namespace.dirname(currentDir);
 
       // We've reached the root directory
       if (parentDir === currentDir) {
@@ -3243,7 +4430,7 @@ async function safeReadGit(cwd) {
 }
 async function readCommit(gitDir, branchName) {
   try {
-    return (await fs.promises.readFile(path__namespace.join(gitDir, ".git", "refs", "heads", branchName), "utf-8")).trim();
+    return (await fs.promises.readFile(fsPath__namespace.join(gitDir, ".git", "refs", "heads", branchName), "utf-8")).trim();
   } catch (err) {
     return undefined;
   }
@@ -3260,10 +4447,6 @@ function createValApiRouter(route, valServerPromise, convert) {
   return async req => {
     var _req$method;
     const valServer = await valServerPromise;
-    const requestHeaders = {
-      host: req.headers.get("host"),
-      "x-forwarded-proto": req.headers.get("x-forwarded-proto")
-    };
     const url = new URL(req.url);
     if (!url.pathname.startsWith(route)) {
       const error = {
@@ -3324,35 +4507,40 @@ function createValApiRouter(route, valServerPromise, convert) {
       return convert(await valServer.disable({
         redirect_to: url.searchParams.get("redirect_to") || undefined
       }));
-    } else if (method === "POST" && path === "/commit") {
-      const body = await req.json();
-      return convert(await valServer.postCommit(body, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders));
-    } else if (method === "POST" && path === "/validate") {
+    } else if (method === "POST" && path === "/save") {
       const body = await req.json();
-      return convert(await valServer.postValidate(body, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders));
-    } else if (method === "GET" && path.startsWith(TREE_PATH_PREFIX)) {
-      return withTreePath(path, TREE_PATH_PREFIX)(async treePath => convert(await valServer.getTree(treePath, {
-        patch: url.searchParams.get("patch") || undefined,
-        schema: url.searchParams.get("schema") || undefined,
-        source: url.searchParams.get("source") || undefined,
-        validate: url.searchParams.get("validate") || undefined
-      }, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders)));
+      return convert(await valServer.postSave(body, getCookies(req, [VAL_SESSION_COOKIE])));
+      // } else if (method === "POST" && path === "/validate") {
+      //   const body = (await req.json()) as unknown;
+      //   return convert(
+      //     await valServer.postValidate(
+      //       body,
+      //       getCookies(req, [VAL_SESSION_COOKIE]),
+      //       requestHeaders
+      //     )
+      //   );
+    } else if (method === "GET" && path === "/schema") {
+      return convert(await valServer.getSchema(getCookies(req, [VAL_SESSION_COOKIE])));
+    } else if (method === "PUT" && path.startsWith(TREE_PATH_PREFIX)) {
+      return withTreePath(path, TREE_PATH_PREFIX)(async treePath => convert(await valServer.putTree(await req.json(), treePath, {
+        patches_sha: url.searchParams.get("patches_sha") || undefined,
+        validate_all: url.searchParams.get("validate_all") || undefined,
+        validate_binary_files: url.searchParams.get("validate_binary_files") || undefined,
+        validate_sources: url.searchParams.get("validate_sources") || undefined
+      }, getCookies(req, [VAL_SESSION_COOKIE]))));
     } else if (method === "GET" && path.startsWith(PATCHES_PATH_PREFIX)) {
       return withTreePath(path, PATCHES_PATH_PREFIX)(async () => convert(await valServer.getPatches({
-        id: url.searchParams.getAll("id")
+        authors: url.searchParams.getAll("author")
       }, getCookies(req, [VAL_SESSION_COOKIE]))));
-    } else if (method === "POST" && path.startsWith(PATCHES_PATH_PREFIX)) {
-      const body = await req.json();
-      return withTreePath(path, PATCHES_PATH_PREFIX)(async () => convert(await valServer.postPatches(body, getCookies(req, [VAL_SESSION_COOKIE]))));
     } else if (method === "DELETE" && path.startsWith(PATCHES_PATH_PREFIX)) {
       return withTreePath(path, PATCHES_PATH_PREFIX)(async () => convert(await valServer.deletePatches({
         id: url.searchParams.getAll("id")
       }, getCookies(req, [VAL_SESSION_COOKIE]))));
-    } else if (path.startsWith(FILES_PATH_PREFIX)) {
+    } else if (method === "GET" && path.startsWith(FILES_PATH_PREFIX)) {
       const treePath = path.slice(FILES_PATH_PREFIX.length);
       return convert(await valServer.getFiles(treePath, {
-        sha256: url.searchParams.get("sha256") || undefined
-      }, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders));
+        patch_id: url.searchParams.get("patch_id") || undefined
+      }));
     } else {
       return convert({
         status: 404,
@@ -3404,10 +4592,10 @@ class ValFSHost {
     return this.currentDirectory;
   }
   getCanonicalFileName(fileName) {
-    if (path__namespace["default"].isAbsolute(fileName)) {
-      return path__namespace["default"].normalize(fileName);
+    if (fsPath__namespace["default"].isAbsolute(fileName)) {
+      return fsPath__namespace["default"].normalize(fileName);
     }
-    return path__namespace["default"].resolve(this.getCurrentDirectory(), fileName);
+    return fsPath__namespace["default"].resolve(this.getCurrentDirectory(), fileName);
   }
   fileExists(fileName) {
     return this.valFS.fileExists(fileName);
@@ -3420,6 +4608,14 @@ class ValFSHost {
   }
 }
 
+function getValidationErrorFileRef(validationError) {
+  const maybeRef = validationError.value && typeof validationError.value === "object" && core.FILE_REF_PROP in validationError.value && typeof validationError.value[core.FILE_REF_PROP] === "string" ? validationError.value[core.FILE_REF_PROP] : undefined;
+  if (!maybeRef) {
+    return null;
+  }
+  return maybeRef;
+}
+
 // TODO: find a better name? transformFixesToPatch?
 async function createFixPatch(config, apply, sourcePath, validationError) {
   async function getImageMetadata() {
@@ -3428,7 +4624,7 @@ async function createFixPatch(config, apply, sourcePath, validationError) {
       // TODO:
       throw Error("Cannot fix image without a file reference");
     }
-    const filename = path__namespace["default"].join(config.projectRoot, fileRef);
+    const filename = fsPath__namespace["default"].join(config.projectRoot, fileRef);
     const buffer = fs__default["default"].readFileSync(filename);
     return extractImageMetadata(filename, buffer);
   }
@@ -3438,7 +4634,7 @@ async function createFixPatch(config, apply, sourcePath, validationError) {
       // TODO:
       throw Error("Cannot fix file without a file reference");
     }
-    const filename = path__namespace["default"].join(config.projectRoot, fileRef);
+    const filename = fsPath__namespace["default"].join(config.projectRoot, fileRef);
     const buffer = fs__default["default"].readFileSync(filename);
     return extractFileMetadata(fileRef, buffer);
   }
@@ -3604,7 +4800,6 @@ async function createFixPatch(config, apply, sourcePath, validationError) {
   };
 }
 
-exports.LocalValServer = LocalValServer;
 exports.Patch = Patch;
 exports.PatchJSON = PatchJSON;
 exports.Service = Service;