npm - @vibes.diy/api-svc - Versions diffs - 2.4.11 → 2.4.13 - Mend

@vibes.diy/api-svc 2.4.11 → 2.4.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (70) hide show

package/README.md +12 -12
package/cf-serve.js +1 -0
package/cf-serve.js.map +1 -1
package/create-handler.d.ts +1 -0
package/create-handler.js +0 -10
package/create-handler.js.map +1 -1
package/intern/process-access-bindings.d.ts +12 -0
package/intern/process-access-bindings.js +225 -0
package/intern/process-access-bindings.js.map +1 -0
package/intern/prompt-streaming.js +5 -4
package/intern/prompt-streaming.js.map +1 -1
package/intern/render-vibe.js +2 -2
package/intern/render-vibe.js.map +1 -1
package/intern/write-apps.js +11 -2
package/intern/write-apps.js.map +1 -1
package/models.json +1 -0
package/package.json +11 -11
package/public/access-function.d.ts +6 -1
package/public/access-function.js +44 -9
package/public/access-function.js.map +1 -1
package/public/access-helpers.d.ts +7 -4
package/public/access-helpers.js +7 -7
package/public/access-helpers.js.map +1 -1
package/public/app-documents-dm-eventos.d.ts +4 -0
package/public/app-documents-dm-eventos.js +121 -0
package/public/app-documents-dm-eventos.js.map +1 -0
package/public/app-documents-query-filter.d.ts +6 -0
package/public/app-documents-query-filter.js +33 -0
package/public/app-documents-query-filter.js.map +1 -0
package/public/app-documents-read-eventos.d.ts +6 -0
package/public/app-documents-read-eventos.js +359 -0
package/public/app-documents-read-eventos.js.map +1 -0
package/public/app-documents-shared.d.ts +11 -0
package/public/app-documents-shared.js +17 -0
package/public/app-documents-shared.js.map +1 -0
package/public/app-documents-write-eventos.d.ts +4 -0
package/public/app-documents-write-eventos.js +405 -0
package/public/app-documents-write-eventos.js.map +1 -0
package/public/app-documents.d.ts +4 -15
package/public/app-documents.js +4 -898
package/public/app-documents.js.map +1 -1
package/public/asset-upload-grant.js +1 -1
package/public/asset-upload-grant.js.map +1 -1
package/public/db-acl-resolver.js +1 -1
package/public/db-acl-resolver.js.map +1 -1
package/public/ensure-app-slug-item.js +9 -225
package/public/ensure-app-slug-item.js.map +1 -1
package/public/files-asset.js +1 -1
package/public/files-asset.js.map +1 -1
package/public/grant-reduce.d.ts +2 -2
package/public/grant-reduce.js +5 -5
package/public/grant-reduce.js.map +1 -1
package/public/list-members.js +2 -2
package/public/list-members.js.map +1 -1
package/public/list-models.d.ts +1 -0
package/public/prompt-chat-section.js +203 -49
package/public/prompt-chat-section.js.map +1 -1
package/public/who-am-i.d.ts +7 -0
package/public/who-am-i.js +79 -6
package/public/who-am-i.js.map +1 -1
package/svc-ws-send-provider.d.ts +1 -0
package/svc-ws-send-provider.js +1 -0
package/svc-ws-send-provider.js.map +1 -1
package/types.d.ts +1 -8
package/types.js.map +1 -1
package/vibes-msg-evento.js +1 -2
package/vibes-msg-evento.js.map +1 -1
package/public/get-fp-cloud-token.d.ts +0 -3
package/public/get-fp-cloud-token.js +0 -140
package/public/get-fp-cloud-token.js.map +0 -1

package/public/app-documents.js CHANGED Viewed

@@ -1,899 +1,5 @@
-import { Result, Option, EventoResult, exception2Result } from "@adviser/cement";
-import { reqPutDoc, reqGetDoc, reqQueryDocs, reqDeleteDoc, reqSubscribeDocs, reqListDbNames, reqListDmThreads, reqMarkDmRead, COMMENTS_DB_NAME, isDirectChannel, directChannelParticipants, } from "@vibes.diy/api-types";
-import { unwrapMsgBase } from "../unwrap-msg-base.js";
-import { checkAuth, optAuth } from "../check-auth.js";
-import { eq, and, sql, inArray, desc } from "drizzle-orm";
-import { max } from "drizzle-orm/sql";
-import { type } from "arktype";
-import { checkDocAccess, canRead, isPublicReadable } from "./access-helpers.js";
-import { enforceAllowAnonymous, ForbiddenError, extractExportSource } from "./access-function.js";
-import { aclAllows, resolveDbAcl, checkDirectChannelAccess } from "./db-acl-resolver.js";
-import { GrantReduce, extractContribution } from "./grant-reduce.js";
-import { filterDocsByChannel } from "./channel-read-filter.js";
-import { mintFilesUrls, isFileMeta } from "./files-url-mint.js";
-async function readAllowed(vctx, acl, access, appSlug, ownerHandle) {
-    if (acl?.read !== undefined)
-        return aclAllows(acl, "read", access);
-    if (canRead(access))
-        return true;
-    return isPublicReadable(vctx, appSlug, ownerHandle);
-}
-function clientWsSend(ctx) {
-    return ctx.send.provider;
-}
-async function validateFilesUploads(vctx, doc, ownerHandle, appSlug) {
-    const files = doc?._files;
-    if (!files || typeof files !== "object")
-        return { ok: true };
-    const uploadIds = [];
-    for (const entry of Object.values(files)) {
-        if (isFileMeta(entry))
-            uploadIds.push(entry.uploadId);
-    }
-    if (uploadIds.length === 0)
-        return { ok: true };
-    const t = vctx.sql.tables.assetUploads;
-    const rows = await vctx.sql.db
-        .select({ uploadId: t.uploadId, ownerHandle: t.ownerHandle, appSlug: t.appSlug })
-        .from(t)
-        .where(inArray(t.uploadId, uploadIds));
-    const found = new Map(rows.map((r) => [r.uploadId, r]));
-    for (const id of uploadIds) {
-        const row = found.get(id);
-        if (!row)
-            return { ok: false, reason: `unknown uploadId: ${id}` };
-        if (row.ownerHandle !== ownerHandle || row.appSlug !== appSlug) {
-            return { ok: false, reason: `uploadId ${id} not minted for this app` };
-        }
-    }
-    return { ok: true };
-}
-export const putDocEvento = {
-    hash: "put-doc",
-    validate: unwrapMsgBase(async (msg) => {
-        const ret = reqPutDoc(msg.payload);
-        if (ret instanceof type.errors) {
-            return Result.Ok(Option.None());
-        }
-        return Result.Ok(Option.Some({ ...msg, payload: ret }));
-    }),
-    handle: optAuth(async (ctx) => {
-        const req = ctx.validated.payload;
-        const vctx = ctx.ctx.getOrThrow("vibesApiCtx");
-        const userId = req._auth?.verifiedAuth.claims.userId ?? null;
-        if (isDirectChannel(req.ownerHandle)) {
-            if (!userId) {
-                await ctx.send.send(ctx, { type: "vibes.diy.res-error", error: { message: "Access denied" } });
-                return Result.Ok(EventoResult.Continue);
-            }
-            const rAccess = await checkDirectChannelAccess(vctx, req.ownerHandle, userId);
-            if (rAccess.isErr() || !rAccess.Ok()) {
-                await ctx.send.send(ctx, { type: "vibes.diy.res-error", error: { message: "Access denied" } });
-                return Result.Ok(EventoResult.Continue);
-            }
-        }
-        else if (userId) {
-            const access = await checkDocAccess(vctx, userId, req.appSlug, req.ownerHandle);
-            const rAcl = await resolveDbAcl(vctx, req.ownerHandle, req.appSlug, req.dbName);
-            if (rAcl.isErr()) {
-                await ctx.send.send(ctx, { type: "vibes.diy.res-error", error: { message: "Access denied" } });
-                return Result.Ok(EventoResult.Continue);
-            }
-            const acl = rAcl.Ok();
-            if (!aclAllows(acl, "write", access)) {
-                await ctx.send.send(ctx, { type: "vibes.diy.res-error", error: { message: "Access denied" } });
-                return Result.Ok(EventoResult.Continue);
-            }
-        }
-        const filesCheck = await validateFilesUploads(vctx, req.doc, req.ownerHandle, req.appSlug);
-        if (!filesCheck.ok) {
-            await ctx.send.send(ctx, {
-                type: "vibes.diy.res-error",
-                error: { message: `Invalid file reference: ${filesCheck.reason}` },
-            });
-            return Result.Ok(EventoResult.Continue);
-        }
-        let accessResult;
-        const tAfb = vctx.sql.tables.accessFunctionBindings;
-        const afbRow = await vctx.sql.db
-            .select({ accessFnCid: tAfb.accessFnCid, accessFnAssetUri: tAfb.accessFnAssetUri, dbName: tAfb.dbName })
-            .from(tAfb)
-            .where(and(eq(tAfb.userSlug, req.ownerHandle), eq(tAfb.appSlug, req.appSlug), inArray(tAfb.dbName, [req.dbName, "*"])))
-            .orderBy(sql `CASE WHEN ${tAfb.dbName} = ${req.dbName} THEN 0 ELSE 1 END`)
-            .limit(1)
-            .then((r) => r[0]);
-        if (!userId && !afbRow?.accessFnCid) {
-            await ctx.send.send(ctx, {
-                type: "vibes.diy.res-error",
-                error: { message: "Access denied" },
-            });
-            return Result.Ok(EventoResult.Continue);
-        }
-        const docId = req.docId ?? vctx.sthis.timeOrderedNextId().str;
-        if (afbRow?.accessFnCid && vctx.invokeAccessFn) {
-            const fnCid = afbRow.accessFnCid;
-            const t_usb = vctx.sql.tables.handleBinding;
-            const writerRow = userId
-                ? await vctx.sql.db
-                    .select({ handle: t_usb.handle })
-                    .from(t_usb)
-                    .where(eq(t_usb.userId, userId))
-                    .limit(1)
-                    .then((r) => r[0])
-                : undefined;
-            const userContext = writerRow?.handle ? { userHandle: writerRow.handle } : null;
-            let oldDoc = null;
-            if (req.docId) {
-                const tDocs = vctx.sql.tables.appDocuments;
-                const existing = await vctx.sql.db
-                    .select({ data: tDocs.data })
-                    .from(tDocs)
-                    .where(and(eq(tDocs.ownerHandle, req.ownerHandle), eq(tDocs.appSlug, req.appSlug), eq(tDocs.dbName, req.dbName), eq(tDocs.docId, req.docId)))
-                    .orderBy(desc(tDocs.seq))
-                    .limit(1)
-                    .then((r) => r[0]);
-                oldDoc = existing?.data ?? null;
-            }
-            let accessFnSource;
-            if (afbRow.accessFnAssetUri) {
-                const rFetch = await vctx.storage.fetch(afbRow.accessFnAssetUri);
-                if (rFetch.type === "fetch.ok") {
-                    const reader = rFetch.data.getReader();
-                    const chunks = [];
-                    for (;;) {
-                        const { done, value } = await reader.read();
-                        if (done)
-                            break;
-                        if (value)
-                            chunks.push(value);
-                    }
-                    const totalLength = chunks.reduce((sum, c) => sum + c.length, 0);
-                    const merged = new Uint8Array(totalLength);
-                    let offset = 0;
-                    for (const chunk of chunks) {
-                        merged.set(chunk, offset);
-                        offset += chunk.length;
-                    }
-                    const rawSource = new TextDecoder().decode(merged);
-                    accessFnSource = extractExportSource(rawSource, afbRow.dbName) ?? rawSource;
-                }
-            }
-            const tOutputs = vctx.sql.tables.accessFnOutputs;
-            const storedOutputs = await vctx.sql.db
-                .select({ docId: tOutputs.docId, output: tOutputs.output })
-                .from(tOutputs)
-                .where(and(eq(tOutputs.userSlug, req.ownerHandle), eq(tOutputs.appSlug, req.appSlug), eq(tOutputs.dbName, req.dbName), eq(tOutputs.fnCid, fnCid), eq(tOutputs.hasGrants, 1)));
-            const reduce = new GrantReduce();
-            for (const row of storedOutputs) {
-                reduce.addDoc(row.docId, extractContribution(JSON.parse(row.output)));
-            }
-            const grantState = {
-                members: Object.fromEntries(Array.from(reduce.effectiveMembers).map(([k, v]) => [k, Array.from(v)])),
-                roleGrants: Object.fromEntries(Array.from(reduce.roleGrants).map(([k, v]) => [k, Array.from(v)])),
-                userGrants: Object.fromEntries(Array.from(reduce.userGrants).map(([k, v]) => [k, Array.from(v)])),
-            };
-            const invokeResult = await vctx.invokeAccessFn({
-                cid: fnCid,
-                doc: { ...req.doc, _id: docId },
-                oldDoc,
-                user: userContext,
-                source: accessFnSource,
-                grantState,
-            });
-            if ("forbidden" in invokeResult) {
-                await ctx.send.send(ctx, {
-                    type: "vibes.diy.res-error",
-                    error: { message: invokeResult.forbidden },
-                });
-                return Result.Ok(EventoResult.Continue);
-            }
-            try {
-                enforceAllowAnonymous(invokeResult, userContext);
-            }
-            catch (err) {
-                const reason = err instanceof ForbiddenError ? err.forbidden : String(err);
-                await ctx.send.send(ctx, {
-                    type: "vibes.diy.res-error",
-                    error: { message: reason },
-                });
-                return Result.Ok(EventoResult.Continue);
-            }
-            accessResult = invokeResult;
-        }
-        const now = new Date().toISOString();
-        const dbName = req.dbName;
-        const t = vctx.sql.tables.appDocuments;
-        const maxSeqResult = await vctx.sql.db
-            .select({ maxSeq: max(t.seq) })
-            .from(t)
-            .where(and(eq(t.ownerHandle, req.ownerHandle), eq(t.appSlug, req.appSlug), eq(t.dbName, dbName), eq(t.docId, docId)))
-            .then((r) => r[0]);
-        const nextSeq = (maxSeqResult?.maxSeq ?? 0) + 1;
-        await vctx.sql.db.insert(t).values({
-            ownerHandle: req.ownerHandle,
-            appSlug: req.appSlug,
-            dbName,
-            docId,
-            seq: nextSeq,
-            userId: userId ?? "unknown",
-            data: req.doc,
-            deleted: 0,
-            created: now,
-        });
-        if (isDirectChannel(req.ownerHandle)) {
-            const participants = directChannelParticipants(req.ownerHandle);
-            if (participants) {
-                const t_idx = vctx.sql.tables.directChannelIndex;
-                await vctx.sql.db
-                    .insert(t_idx)
-                    .values([
-                    { handle: participants[0], channelHandle: req.ownerHandle },
-                    { handle: participants[1], channelHandle: req.ownerHandle },
-                ])
-                    .onConflictDoNothing();
-                const t_usb = vctx.sql.tables.handleBinding;
-                const senderRow = await vctx.sql.db
-                    .select({ handle: t_usb.handle })
-                    .from(t_usb)
-                    .where(and(eq(t_usb.userId, userId ?? ""), inArray(t_usb.handle, participants)))
-                    .then((r) => r[0]);
-                const senderUserSlug = senderRow?.handle ?? "";
-                const recipientUserSlug = participants.find((h) => h !== senderUserSlug) ?? participants[1];
-                await vctx.postQueue({
-                    payload: {
-                        type: "vibes.diy.evt-dm-received",
-                        senderUserId: userId ?? "",
-                        senderUserSlug,
-                        recipientUserSlug,
-                        channelUserSlug: req.ownerHandle,
-                        docId,
-                        created: now,
-                        bodySnippet: typeof req.doc.body === "string"
-                            ? req.doc.body.slice(0, 100)
-                            : undefined,
-                    },
-                    tid: "queue-event",
-                    src: "putDoc",
-                    dst: "vibes-service",
-                    ttl: 1,
-                });
-                if (senderUserSlug) {
-                    const t_reads = vctx.sql.tables.directChannelReads;
-                    await vctx.sql.db
-                        .insert(t_reads)
-                        .values({ channelHandle: req.ownerHandle, handle: senderUserSlug, lastSeenSeq: nextSeq })
-                        .onConflictDoUpdate({
-                        target: [t_reads.channelHandle, t_reads.handle],
-                        set: { lastSeenSeq: sql `MAX(${t_reads.lastSeenSeq}, ${nextSeq})` },
-                    });
-                }
-            }
-        }
-        if (dbName === COMMENTS_DB_NAME && nextSeq === 1) {
-            await vctx.postQueue({
-                payload: {
-                    type: "vibes.diy.evt-comment-posted",
-                    userId: userId ?? "unknown",
-                    ownerHandle: req.ownerHandle,
-                    appSlug: req.appSlug,
-                    docId,
-                    created: now,
-                    email: req._auth?.verifiedAuth.claims.params.email ?? "unknown",
-                },
-                tid: "queue-event",
-                src: "putDoc",
-                dst: "vibes-service",
-                ttl: 1,
-            });
-        }
-        if (vctx.notifyDocChanged) {
-            if (accessResult?.channels?.length) {
-                for (const channel of accessResult.channels) {
-                    vctx
-                        .notifyDocChanged({ ownerHandle: req.ownerHandle, appSlug: req.appSlug, dbName: channel, docId }, clientWsSend(ctx).connId)
-                        .catch((e) => console.error("DocNotify channel error:", e));
-                }
-            }
-            else {
-                vctx
-                    .notifyDocChanged({ ownerHandle: req.ownerHandle, appSlug: req.appSlug, dbName, docId }, clientWsSend(ctx).connId)
-                    .catch((e) => console.error("DocNotify error:", e));
-            }
-        }
-        if (accessResult && !("forbidden" in accessResult) && afbRow?.accessFnCid) {
-            const tOutputs = vctx.sql.tables.accessFnOutputs;
-            const outputHasGrants = (accessResult.members && Object.keys(accessResult.members).length > 0) ||
-                (accessResult.grant?.users && Object.keys(accessResult.grant.users).length > 0) ||
-                (accessResult.grant?.roles && Object.keys(accessResult.grant.roles).length > 0) ||
-                (accessResult.grant?.public && accessResult.grant.public.length > 0)
-                ? 1
-                : 0;
-            const rUpsert = await exception2Result(() => vctx.sql.db
-                .insert(tOutputs)
-                .values({
-                userSlug: req.ownerHandle,
-                appSlug: req.appSlug,
-                dbName: req.dbName,
-                docId,
-                fnCid: afbRow.accessFnCid,
-                output: JSON.stringify(accessResult),
-                hasGrants: outputHasGrants,
-            })
-                .onConflictDoUpdate({
-                target: [tOutputs.userSlug, tOutputs.appSlug, tOutputs.dbName, tOutputs.docId],
-                set: {
-                    fnCid: afbRow.accessFnCid,
-                    output: JSON.stringify(accessResult),
-                    hasGrants: outputHasGrants,
-                },
-            }));
-            if (rUpsert.isErr()) {
-                console.error("AccessFnOutputs upsert failed:", rUpsert.Err());
-                if (outputHasGrants === 1) {
-                    await ctx.send.send(ctx, {
-                        type: "vibes.diy.res-error",
-                        error: { message: "grant storage failed — retry the write" },
-                    });
-                    return Result.Ok(EventoResult.Continue);
-                }
-            }
-        }
-        await ctx.send.send(ctx, {
-            type: "vibes.diy.res-put-doc",
-            status: "ok",
-            id: docId,
-        });
-        return Result.Ok(EventoResult.Continue);
-    }),
-};
-export const getDocEvento = {
-    hash: "get-doc",
-    validate: unwrapMsgBase(async (msg) => {
-        const ret = reqGetDoc(msg.payload);
-        if (ret instanceof type.errors) {
-            return Result.Ok(Option.None());
-        }
-        return Result.Ok(Option.Some({ ...msg, payload: ret }));
-    }),
-    handle: optAuth(async (ctx) => {
-        const req = ctx.validated.payload;
-        const vctx = ctx.ctx.getOrThrow("vibesApiCtx");
-        const access = req._auth
-            ? await checkDocAccess(vctx, req._auth.verifiedAuth.claims.userId, req.appSlug, req.ownerHandle)
-            : "none";
-        const rAcl = await resolveDbAcl(vctx, req.ownerHandle, req.appSlug, req.dbName);
-        if (rAcl.isErr() || !(await readAllowed(vctx, rAcl.Ok(), access, req.appSlug, req.ownerHandle))) {
-            await ctx.send.send(ctx, {
-                type: "vibes.diy.res-error",
-                error: { message: "Access denied" },
-            });
-            return Result.Ok(EventoResult.Continue);
-        }
-        const t = vctx.sql.tables.appDocuments;
-        const row = await vctx.sql.db
-            .select()
-            .from(t)
-            .where(and(eq(t.ownerHandle, req.ownerHandle), eq(t.appSlug, req.appSlug), eq(t.dbName, req.dbName), eq(t.docId, req.docId)))
-            .orderBy(sql `${t.seq} desc`)
-            .limit(1)
-            .then((r) => r[0]);
-        if (!row || row.deleted === 1) {
-            await ctx.send.send(ctx, {
-                type: "vibes.diy.res-get-doc",
-                status: "not-found",
-                id: req.docId,
-            });
-            return Result.Ok(EventoResult.Continue);
-        }
-        const tAfbG = vctx.sql.tables.accessFunctionBindings;
-        const afbRowG = await vctx.sql.db
-            .select({ accessFnCid: tAfbG.accessFnCid })
-            .from(tAfbG)
-            .where(and(eq(tAfbG.userSlug, req.ownerHandle), eq(tAfbG.appSlug, req.appSlug), inArray(tAfbG.dbName, [req.dbName, "*"])))
-            .orderBy(sql `CASE WHEN ${tAfbG.dbName} = ${req.dbName} THEN 0 ELSE 1 END`)
-            .limit(1)
-            .then((r) => r[0]);
-        if (afbRowG?.accessFnCid) {
-            const tOutputsG = vctx.sql.tables.accessFnOutputs;
-            const docOutput = await vctx.sql.db
-                .select({ output: tOutputsG.output })
-                .from(tOutputsG)
-                .where(and(eq(tOutputsG.userSlug, req.ownerHandle), eq(tOutputsG.appSlug, req.appSlug), eq(tOutputsG.dbName, req.dbName), eq(tOutputsG.docId, req.docId), eq(tOutputsG.fnCid, afbRowG.accessFnCid)))
-                .limit(1)
-                .then((r) => r[0]);
-            const parsed = docOutput ? JSON.parse(docOutput.output) : undefined;
-            const docChannels = parsed?.channels;
-            if (docChannels === undefined || docChannels.length === 0) {
-                await ctx.send.send(ctx, {
-                    type: "vibes.diy.res-get-doc",
-                    status: "not-found",
-                    id: req.docId,
-                });
-                return Result.Ok(EventoResult.Continue);
-            }
-            const grantOutputs = await vctx.sql.db
-                .select({ docId: tOutputsG.docId, output: tOutputsG.output })
-                .from(tOutputsG)
-                .where(and(eq(tOutputsG.userSlug, req.ownerHandle), eq(tOutputsG.appSlug, req.appSlug), eq(tOutputsG.dbName, req.dbName), eq(tOutputsG.fnCid, afbRowG.accessFnCid), eq(tOutputsG.hasGrants, 1)));
-            const reduce = new GrantReduce();
-            for (const r of grantOutputs) {
-                reduce.addDoc(r.docId, extractContribution(JSON.parse(r.output)));
-            }
-            const userHandle = req._auth
-                ? await vctx.sql.db
-                    .select({ handle: vctx.sql.tables.handleBinding.handle })
-                    .from(vctx.sql.tables.handleBinding)
-                    .where(eq(vctx.sql.tables.handleBinding.userId, req._auth.verifiedAuth.claims.userId))
-                    .limit(1)
-                    .then((r) => r[0]?.handle ?? null)
-                : null;
-            const effectiveChannels = userHandle !== null ? reduce.resolveEffectiveChannels(userHandle) : new Set();
-            const hasAccess = docChannels.some((ch) => effectiveChannels.has(ch) || reduce.publicChannels.has(ch));
-            if (!hasAccess) {
-                await ctx.send.send(ctx, {
-                    type: "vibes.diy.res-get-doc",
-                    status: "not-found",
-                    id: req.docId,
-                });
-                return Result.Ok(EventoResult.Continue);
-            }
-        }
-        const doc = mintFilesUrls(row.data, {
-            ownerHandle: req.ownerHandle,
-            appSlug: req.appSlug,
-            dbName: req.dbName,
-            docId: row.docId,
-            svc: vctx.params.vibes.svc,
-        });
-        await ctx.send.send(ctx, {
-            type: "vibes.diy.res-get-doc",
-            status: "ok",
-            id: row.docId,
-            doc,
-        });
-        return Result.Ok(EventoResult.Continue);
-    }),
-};
-function isInInclusiveRange(value, lo, hi) {
-    if (typeof value === "string" && typeof lo === "string" && typeof hi === "string") {
-        return value >= lo && value <= hi;
-    }
-    if (typeof value === "number" && typeof lo === "number" && typeof hi === "number") {
-        return value >= lo && value <= hi;
-    }
-    if (typeof value === "bigint" && typeof lo === "bigint" && typeof hi === "bigint") {
-        return value >= lo && value <= hi;
-    }
-    if (typeof value === "boolean" && typeof lo === "boolean" && typeof hi === "boolean") {
-        return Number(value) >= Number(lo) && Number(value) <= Number(hi);
-    }
-    return false;
-}
-export function applyQueryFilter(docs, filter) {
-    if (!filter)
-        return docs;
-    const { field, key, keys, range } = filter;
-    if (key !== undefined) {
-        return docs.filter((doc) => doc[field] === key);
-    }
-    if (keys !== undefined) {
-        const keySet = new Set(keys);
-        return docs.filter((doc) => keySet.has(doc[field]));
-    }
-    if (range !== undefined) {
-        const [lo, hi] = range;
-        return docs.filter((doc) => isInInclusiveRange(doc[field], lo, hi));
-    }
-    return docs;
-}
-export const queryDocsEvento = {
-    hash: "query-docs",
-    validate: unwrapMsgBase(async (msg) => {
-        const ret = reqQueryDocs(msg.payload);
-        if (ret instanceof type.errors) {
-            return Result.Ok(Option.None());
-        }
-        return Result.Ok(Option.Some({ ...msg, payload: ret }));
-    }),
-    handle: optAuth(async (ctx) => {
-        const req = ctx.validated.payload;
-        const vctx = ctx.ctx.getOrThrow("vibesApiCtx");
-        if (isDirectChannel(req.ownerHandle)) {
-            const userId = req._auth?.verifiedAuth.claims.userId;
-            const rAccess = userId ? await checkDirectChannelAccess(vctx, req.ownerHandle, userId) : Result.Ok(false);
-            if (rAccess.isErr() || !rAccess.Ok()) {
-                await ctx.send.send(ctx, {
-                    type: "vibes.diy.res-error",
-                    error: { message: "Access denied" },
-                });
-                return Result.Ok(EventoResult.Continue);
-            }
-        }
-        else {
-            const access = req._auth
-                ? await checkDocAccess(vctx, req._auth.verifiedAuth.claims.userId, req.appSlug, req.ownerHandle)
-                : "none";
-            const rAcl = await resolveDbAcl(vctx, req.ownerHandle, req.appSlug, req.dbName);
-            if (rAcl.isErr() || !(await readAllowed(vctx, rAcl.Ok(), access, req.appSlug, req.ownerHandle))) {
-                await ctx.send.send(ctx, {
-                    type: "vibes.diy.res-error",
-                    error: { message: "Access denied" },
-                });
-                return Result.Ok(EventoResult.Continue);
-            }
-        }
-        const t = vctx.sql.tables.appDocuments;
-        const rows = await vctx.sql.db
-            .select()
-            .from(t)
-            .where(and(eq(t.ownerHandle, req.ownerHandle), eq(t.appSlug, req.appSlug), eq(t.dbName, req.dbName)))
-            .orderBy(sql `${t.docId}, ${t.seq}`);
-        const latest = new Map();
-        for (const row of rows) {
-            latest.set(row.docId, row);
-        }
-        const docs = [];
-        for (const row of latest.values()) {
-            if (row.deleted === 1)
-                continue;
-            const doc = mintFilesUrls(row.data, {
-                ownerHandle: req.ownerHandle,
-                appSlug: req.appSlug,
-                dbName: req.dbName,
-                docId: row.docId,
-                svc: vctx.params.vibes.svc,
-            });
-            docs.push({
-                _id: row.docId,
-                ...doc,
-            });
-        }
-        const tAfbQ = vctx.sql.tables.accessFunctionBindings;
-        const afbRowQ = await vctx.sql.db
-            .select({ accessFnCid: tAfbQ.accessFnCid })
-            .from(tAfbQ)
-            .where(and(eq(tAfbQ.userSlug, req.ownerHandle), eq(tAfbQ.appSlug, req.appSlug), inArray(tAfbQ.dbName, [req.dbName, "*"])))
-            .orderBy(sql `CASE WHEN ${tAfbQ.dbName} = ${req.dbName} THEN 0 ELSE 1 END`)
-            .limit(1)
-            .then((r) => r[0]);
-        let channelFilteredDocs = docs;
-        if (afbRowQ?.accessFnCid) {
-            const tOutputsQ = vctx.sql.tables.accessFnOutputs;
-            const allOutputs = await vctx.sql.db
-                .select({ docId: tOutputsQ.docId, output: tOutputsQ.output })
-                .from(tOutputsQ)
-                .where(and(eq(tOutputsQ.userSlug, req.ownerHandle), eq(tOutputsQ.appSlug, req.appSlug), eq(tOutputsQ.dbName, req.dbName), eq(tOutputsQ.fnCid, afbRowQ.accessFnCid)));
-            const grantOutputs = allOutputs.filter((r) => {
-                const parsed = JSON.parse(r.output);
-                return ((parsed.members !== undefined && Object.keys(parsed.members).length > 0) ||
-                    (parsed.grant?.users !== undefined && Object.keys(parsed.grant.users).length > 0) ||
-                    (parsed.grant?.roles !== undefined && Object.keys(parsed.grant.roles).length > 0) ||
-                    (parsed.grant?.public !== undefined && parsed.grant.public.length > 0));
-            });
-            const reduce = new GrantReduce();
-            for (const row of grantOutputs) {
-                reduce.addDoc(row.docId, extractContribution(JSON.parse(row.output)));
-            }
-            const userHandle = req._auth
-                ? await vctx.sql.db
-                    .select({ handle: vctx.sql.tables.handleBinding.handle })
-                    .from(vctx.sql.tables.handleBinding)
-                    .where(eq(vctx.sql.tables.handleBinding.userId, req._auth.verifiedAuth.claims.userId))
-                    .limit(1)
-                    .then((r) => r[0]?.handle ?? null)
-                : null;
-            const effectiveChannels = userHandle !== null ? reduce.resolveEffectiveChannels(userHandle) : new Set();
-            channelFilteredDocs = filterDocsByChannel(docs, allOutputs, userHandle, effectiveChannels, reduce.publicChannels);
-        }
-        const filteredDocs = applyQueryFilter(channelFilteredDocs, req.filter);
-        await ctx.send.send(ctx, {
-            type: "vibes.diy.res-query-docs",
-            status: "ok",
-            docs: filteredDocs,
-        });
-        return Result.Ok(EventoResult.Continue);
-    }),
-};
-export const deleteDocEvento = {
-    hash: "delete-doc",
-    validate: unwrapMsgBase(async (msg) => {
-        const ret = reqDeleteDoc(msg.payload);
-        if (ret instanceof type.errors) {
-            return Result.Ok(Option.None());
-        }
-        return Result.Ok(Option.Some({ ...msg, payload: ret }));
-    }),
-    handle: checkAuth(async (ctx) => {
-        const req = ctx.validated.payload;
-        const vctx = ctx.ctx.getOrThrow("vibesApiCtx");
-        const userId = req._auth.verifiedAuth.claims.userId;
-        if (isDirectChannel(req.ownerHandle)) {
-            const rAccess = await checkDirectChannelAccess(vctx, req.ownerHandle, userId);
-            if (rAccess.isErr() || !rAccess.Ok()) {
-                await ctx.send.send(ctx, { type: "vibes.diy.res-error", error: { message: "Access denied" } });
-                return Result.Ok(EventoResult.Continue);
-            }
-        }
-        else {
-            const access = await checkDocAccess(vctx, userId, req.appSlug, req.ownerHandle);
-            const rAcl = await resolveDbAcl(vctx, req.ownerHandle, req.appSlug, req.dbName);
-            if (rAcl.isErr() || !aclAllows(rAcl.Ok(), "delete", access)) {
-                await ctx.send.send(ctx, { type: "vibes.diy.res-error", error: { message: "Access denied" } });
-                return Result.Ok(EventoResult.Continue);
-            }
-        }
-        const now = new Date().toISOString();
-        const t = vctx.sql.tables.appDocuments;
-        const dbName = req.dbName;
-        const maxSeqResult = await vctx.sql.db
-            .select({ maxSeq: max(t.seq) })
-            .from(t)
-            .where(and(eq(t.ownerHandle, req.ownerHandle), eq(t.appSlug, req.appSlug), eq(t.dbName, dbName), eq(t.docId, req.docId)))
-            .then((r) => r[0]);
-        const nextSeq = (maxSeqResult?.maxSeq ?? 0) + 1;
-        await vctx.sql.db.insert(t).values({
-            ownerHandle: req.ownerHandle,
-            appSlug: req.appSlug,
-            dbName,
-            docId: req.docId,
-            seq: nextSeq,
-            userId: req._auth.verifiedAuth.claims.userId,
-            data: {},
-            deleted: 1,
-            created: now,
-        });
-        if (vctx.notifyDocChanged) {
-            vctx
-                .notifyDocChanged({ ownerHandle: req.ownerHandle, appSlug: req.appSlug, dbName, docId: req.docId }, clientWsSend(ctx).connId)
-                .catch((e) => console.error("DocNotify error:", e));
-        }
-        await ctx.send.send(ctx, {
-            type: "vibes.diy.res-delete-doc",
-            status: "ok",
-            id: req.docId,
-        });
-        return Result.Ok(EventoResult.Continue);
-    }),
-};
-export const subscribeDocsEvento = {
-    hash: "subscribe-docs",
-    validate: unwrapMsgBase(async (msg) => {
-        const ret = reqSubscribeDocs(msg.payload);
-        if (ret instanceof type.errors) {
-            return Result.Ok(Option.None());
-        }
-        return Result.Ok(Option.Some({ ...msg, payload: ret }));
-    }),
-    handle: optAuth(async (ctx) => {
-        const req = ctx.validated.payload;
-        const vctx = ctx.ctx.getOrThrow("vibesApiCtx");
-        if (isDirectChannel(req.ownerHandle)) {
-            const userId = req._auth?.verifiedAuth.claims.userId;
-            const rAccess = userId ? await checkDirectChannelAccess(vctx, req.ownerHandle, userId) : Result.Ok(false);
-            if (rAccess.isErr() || !rAccess.Ok()) {
-                await ctx.send.send(ctx, {
-                    type: "vibes.diy.res-error",
-                    error: { message: "Access denied" },
-                });
-                return Result.Ok(EventoResult.Continue);
-            }
-        }
-        else {
-            const access = req._auth
-                ? await checkDocAccess(vctx, req._auth.verifiedAuth.claims.userId, req.appSlug, req.ownerHandle)
-                : "none";
-            const rAcl = await resolveDbAcl(vctx, req.ownerHandle, req.appSlug, req.dbName);
-            if (rAcl.isErr() || !(await readAllowed(vctx, rAcl.Ok(), access, req.appSlug, req.ownerHandle))) {
-                await ctx.send.send(ctx, {
-                    type: "vibes.diy.res-error",
-                    error: { message: "Access denied" },
-                });
-                return Result.Ok(EventoResult.Continue);
-            }
-        }
-        const wsSend = clientWsSend(ctx);
-        const subscriptionKey = `${req.ownerHandle}/${req.appSlug}/${req.dbName}`;
-        const tAfbS = vctx.sql.tables.accessFunctionBindings;
-        const afbRowS = await vctx.sql.db
-            .select({ accessFnCid: tAfbS.accessFnCid })
-            .from(tAfbS)
-            .where(and(eq(tAfbS.userSlug, req.ownerHandle), eq(tAfbS.appSlug, req.appSlug), inArray(tAfbS.dbName, [req.dbName, "*"])))
-            .orderBy(sql `CASE WHEN ${tAfbS.dbName} = ${req.dbName} THEN 0 ELSE 1 END`)
-            .limit(1)
-            .then((r) => r[0]);
-        const channelKeys = [];
-        if (afbRowS?.accessFnCid) {
-            const tOutputsS = vctx.sql.tables.accessFnOutputs;
-            const grantOutputs = await vctx.sql.db
-                .select({ docId: tOutputsS.docId, output: tOutputsS.output })
-                .from(tOutputsS)
-                .where(and(eq(tOutputsS.userSlug, req.ownerHandle), eq(tOutputsS.appSlug, req.appSlug), eq(tOutputsS.dbName, req.dbName), eq(tOutputsS.fnCid, afbRowS.accessFnCid), eq(tOutputsS.hasGrants, 1)));
-            const reduce = new GrantReduce();
-            for (const row of grantOutputs) {
-                reduce.addDoc(row.docId, extractContribution(JSON.parse(row.output)));
-            }
-            const userHandle = req._auth
-                ? await vctx.sql.db
-                    .select({ handle: vctx.sql.tables.handleBinding.handle })
-                    .from(vctx.sql.tables.handleBinding)
-                    .where(eq(vctx.sql.tables.handleBinding.userId, req._auth.verifiedAuth.claims.userId))
-                    .limit(1)
-                    .then((r) => r[0]?.handle ?? null)
-                : null;
-            const effectiveChannels = userHandle !== null ? reduce.resolveEffectiveChannels(userHandle) : new Set();
-            for (const ch of effectiveChannels) {
-                channelKeys.push(`${req.ownerHandle}/${req.appSlug}/${ch}`);
-            }
-            for (const ch of reduce.publicChannels) {
-                channelKeys.push(`${req.ownerHandle}/${req.appSlug}/${ch}`);
-            }
-        }
-        if (channelKeys.length > 0) {
-            for (const key of channelKeys) {
-                wsSend.subscribedDocKeys.add(key);
-            }
-        }
-        else {
-            wsSend.subscribedDocKeys.add(subscriptionKey);
-        }
-        if (vctx.registerDocSubscription) {
-            if (channelKeys.length > 0) {
-                for (const key of channelKeys) {
-                    vctx.registerDocSubscription(key).catch((e) => console.error("DocNotify error:", e));
-                }
-            }
-            else {
-                vctx.registerDocSubscription(subscriptionKey).catch((e) => console.error("DocNotify error:", e));
-            }
-        }
-        await ctx.send.send(ctx, {
-            type: "vibes.diy.res-subscribe-docs",
-            status: "ok",
-        });
-        return Result.Ok(EventoResult.Continue);
-    }),
-};
-export const listDbNamesEvento = {
-    hash: "list-db-names",
-    validate: unwrapMsgBase(async (msg) => {
-        const ret = reqListDbNames(msg.payload);
-        if (ret instanceof type.errors) {
-            return Result.Ok(Option.None());
-        }
-        return Result.Ok(Option.Some({ ...msg, payload: ret }));
-    }),
-    handle: checkAuth(async (ctx) => {
-        const req = ctx.validated.payload;
-        const vctx = ctx.ctx.getOrThrow("vibesApiCtx");
-        const userId = req._auth.verifiedAuth.claims.userId;
-        const access = await checkDocAccess(vctx, userId, req.appSlug, req.ownerHandle);
-        if (access !== "owner") {
-            await ctx.send.send(ctx, { type: "vibes.diy.res-error", error: { message: "Access denied" } });
-            return Result.Ok(EventoResult.Continue);
-        }
-        const t = vctx.sql.tables.appDocuments;
-        const rows = await vctx.sql.db
-            .selectDistinct({ dbName: t.dbName })
-            .from(t)
-            .where(and(eq(t.ownerHandle, req.ownerHandle), eq(t.appSlug, req.appSlug)));
-        await ctx.send.send(ctx, {
-            type: "vibes.diy.res-list-db-names",
-            status: "ok",
-            dbNames: rows.map((r) => r.dbName),
-        });
-        return Result.Ok(EventoResult.Continue);
-    }),
-};
-export const listDmThreadsEvento = {
-    hash: "list-dm-threads",
-    validate: unwrapMsgBase(async (msg) => {
-        const ret = reqListDmThreads(msg.payload);
-        if (ret instanceof type.errors)
-            return Result.Ok(Option.None());
-        return Result.Ok(Option.Some({ ...msg, payload: ret }));
-    }),
-    handle: checkAuth(async (ctx) => {
-        const req = ctx.validated.payload;
-        const vctx = ctx.ctx.getOrThrow("vibesApiCtx");
-        const userId = req._auth.verifiedAuth.claims.userId;
-        const t_usb = vctx.sql.tables.handleBinding;
-        const mySlugRows = await vctx.sql.db.select({ handle: t_usb.handle }).from(t_usb).where(eq(t_usb.userId, userId));
-        const myUserSlugs = mySlugRows.map((r) => r.handle);
-        if (myUserSlugs.length === 0) {
-            await ctx.send.send(ctx, { type: "vibes.diy.res-list-dm-threads", status: "ok", items: [] });
-            return Result.Ok(EventoResult.Continue);
-        }
-        const t_idx = vctx.sql.tables.directChannelIndex;
-        const channelRows = await vctx.sql.db
-            .select({ channelUserSlug: t_idx.channelHandle, ownerHandle: t_idx.handle })
-            .from(t_idx)
-            .where(inArray(t_idx.handle, myUserSlugs));
-        const t_docs = vctx.sql.tables.appDocuments;
-        const t_reads = vctx.sql.tables.directChannelReads;
-        const limit = req.pager?.limit ?? 50;
-        const channelSlugs = channelRows.map((r) => r.channelUserSlug);
-        const subq = vctx.sql.db
-            .select({ ownerHandle: t_docs.ownerHandle, maxSeq: max(t_docs.seq).as("maxSeq") })
-            .from(t_docs)
-            .where(and(inArray(t_docs.ownerHandle, channelSlugs), eq(t_docs.appSlug, "dm"), eq(t_docs.dbName, "messages"), eq(t_docs.deleted, 0)))
-            .groupBy(t_docs.ownerHandle)
-            .as("latest");
-        const latestDocs = await vctx.sql.db
-            .select()
-            .from(t_docs)
-            .innerJoin(subq, and(eq(t_docs.ownerHandle, subq.ownerHandle), eq(t_docs.seq, subq.maxSeq)));
-        const latestDocByChannel = new Map(latestDocs.map((row) => [row.AppDocuments.ownerHandle, row.AppDocuments]));
-        const readRows = await vctx.sql.db
-            .select({ channelUserSlug: t_reads.channelHandle, lastSeenSeq: t_reads.lastSeenSeq })
-            .from(t_reads)
-            .where(and(inArray(t_reads.channelHandle, channelSlugs), inArray(t_reads.handle, myUserSlugs)));
-        const lastSeenByChannel = new Map(readRows.map((r) => [r.channelUserSlug, r.lastSeenSeq]));
-        const items = channelRows.map(({ channelUserSlug, ownerHandle: mySlug }) => {
-            const otherUserSlug = (directChannelParticipants(channelUserSlug) ?? []).find((h) => h !== mySlug) ?? "";
-            const latestDoc = latestDocByChannel.get(channelUserSlug);
-            const latestSeq = latestDoc?.seq ?? 0;
-            const lastSeen = lastSeenByChannel.get(channelUserSlug) ?? 0;
-            const unreadCount = Math.max(0, latestSeq - lastSeen);
-            return {
-                channelUserSlug,
-                otherUserSlug,
-                latestSeq,
-                unreadCount,
-                latestMessage: latestDoc
-                    ? {
-                        body: String(latestDoc.data.body ?? ""),
-                        createdAt: latestDoc.created,
-                        authorUserSlug: String(latestDoc.data.authorUserSlug ?? ""),
-                    }
-                    : undefined,
-            };
-        });
-        const sorted = items
-            .sort((a, b) => ((b.latestMessage?.createdAt ?? "") > (a.latestMessage?.createdAt ?? "") ? 1 : -1))
-            .slice(0, limit);
-        await ctx.send.send(ctx, { type: "vibes.diy.res-list-dm-threads", status: "ok", items: sorted });
-        return Result.Ok(EventoResult.Continue);
-    }),
-};
-export const markDmReadEvento = {
-    hash: "mark-dm-read",
-    validate: unwrapMsgBase(async (msg) => {
-        const ret = reqMarkDmRead(msg.payload);
-        if (ret instanceof type.errors)
-            return Result.Ok(Option.None());
-        return Result.Ok(Option.Some({ ...msg, payload: ret }));
-    }),
-    handle: checkAuth(async (ctx) => {
-        const req = ctx.validated.payload;
-        const vctx = ctx.ctx.getOrThrow("vibesApiCtx");
-        const userId = req._auth.verifiedAuth.claims.userId;
-        const rAccess = await checkDirectChannelAccess(vctx, req.channelUserSlug, userId);
-        if (rAccess.isErr() || !rAccess.Ok()) {
-            await ctx.send.send(ctx, { type: "vibes.diy.res-error", error: { message: "Access denied" } });
-            return Result.Ok(EventoResult.Continue);
-        }
-        const participants = directChannelParticipants(req.channelUserSlug) ?? ["", ""];
-        const t_usb = vctx.sql.tables.handleBinding;
-        const slugRow = await vctx.sql.db
-            .select({ handle: t_usb.handle })
-            .from(t_usb)
-            .where(and(eq(t_usb.userId, userId), inArray(t_usb.handle, participants)))
-            .then((r) => r[0]);
-        if (!slugRow) {
-            await ctx.send.send(ctx, { type: "vibes.diy.res-error", error: { message: "Access denied" } });
-            return Result.Ok(EventoResult.Continue);
-        }
-        const myUserSlug = slugRow.handle;
-        const t_reads = vctx.sql.tables.directChannelReads;
-        await vctx.sql.db
-            .insert(t_reads)
-            .values({ channelHandle: req.channelUserSlug, handle: myUserSlug, lastSeenSeq: req.lastSeenSeq })
-            .onConflictDoUpdate({
-            target: [t_reads.channelHandle, t_reads.handle],
-            set: { lastSeenSeq: sql `MAX(${t_reads.lastSeenSeq}, ${req.lastSeenSeq})` },
-        });
-        await ctx.send.send(ctx, { type: "vibes.diy.res-mark-dm-read", status: "ok" });
-        return Result.Ok(EventoResult.Continue);
-    }),
-};
+export { putDocEvento, deleteDocEvento } from "./app-documents-write-eventos.js";
+export { getDocEvento, queryDocsEvento, subscribeDocsEvento, listDbNamesEvento } from "./app-documents-read-eventos.js";
+export { listDmThreadsEvento, markDmReadEvento } from "./app-documents-dm-eventos.js";
+export { applyQueryFilter } from "./app-documents-query-filter.js";
 //# sourceMappingURL=app-documents.js.map