appos 0.2.1 → 0.2.3-0

package/dist/exports/api/workflows/storage.d.mts

@@ -0,0 +1,396 @@
+import { StorageBlob, StorageRelationsConfig, StorageTables } from "./storage-schema.mjs";
+import { ImageTransformations, transformationsSchema } from "./generate-image-variant.mjs";
+import { NodePgDatabase } from "drizzle-orm/node-postgres";
+import { Pool } from "pg";
+import { DriveManager } from "flydrive";
+import { FSDriverOptions } from "flydrive/drivers/fs/types";
+import { S3DriverOptions } from "flydrive/drivers/s3/types";
+
+//#region src/api/storage.d.ts
+
+/**
+ * Database type with storage schema and relations.
+ */
+type DatabaseWithStorage = NodePgDatabase<StorageTables, StorageRelationsConfig> & {
+  $client: Pool;
+};
+/**
+ * Type of the storage service instance.
+ */
+type Storage<TDisks extends Record<string, FSDriverOptions | S3DriverOptions> = Record<string, FSDriverOptions | S3DriverOptions>, TTableNames extends string = string, TAttachments extends Partial<Record<TTableNames, readonly string[]>> = Record<never, never>> = StorageService<Extract<keyof TDisks, string>, TTableNames, TAttachments>;
+/**
+ * Helper type to extract attachment name for a specific table.
+ */
+type AttachmentName<TAttachments extends Partial<Record<string, readonly string[]>>, TTable extends string> = TTable extends keyof TAttachments ? TAttachments[TTable] extends readonly (infer N)[] ? N : string : string;
+/**
+ * Storage service for blob operations.
+ *
+ * This service uses a dual-drive architecture when configured:
+ * - `drive`: For actual file operations (upload, delete, read) using internal endpoints
+ * - `signedUrlDrive`: For generating browser-accessible signed URLs with public endpoints
+ *
+ * This allows containers to use fast internal network for operations while
+ * generating URLs that work in end-user browsers.
+ *
+ * @template TDiskNames - Union of disk names (e.g., "private" | "public")
+ * @template TTableNames - Union of table names for type-safe attachment methods
+ * @template TAttachments - Mapping of table names to valid attachment names
+ */
+declare class StorageService<TDiskNames extends string = string, TTableNames extends string = string, TAttachments extends Partial<Record<TTableNames, readonly string[]>> = Record<never, never>> {
+  /**
+   * The drive manager for file operations.
+   */
+  readonly drive: DriveManager<any>;
+  /**
+   * The database instance with storage schema and relations.
+   */
+  readonly db: DatabaseWithStorage;
+  /**
+   * The default disk name.
+   */
+  readonly defaultDisk: TDiskNames;
+  /**
+   * Cron expression for unattached blob purge schedule.
+   *
+   * @default "0 0 * * *"
+   */
+  readonly purgeCron?: string;
+  /**
+   * Secret key for signing blob IDs.
+   */
+  readonly secret?: string;
+  /**
+   * Drive manager for generating signed URLs (public endpoint).
+   */
+  readonly signedUrlDrive: DriveManager<any>;
+  constructor(drive: DriveManager<any>, db: DatabaseWithStorage, defaultDisk: TDiskNames, signedUrlDrive: DriveManager<any>, purgeCron?: string, secret?: string);
+  /**
+   * Create a blob record and upload file.
+   */
+  createBlob(file: Buffer | Uint8Array, options: {
+    filename: string;
+    contentType?: string;
+    metadata?: Record<string, any>;
+    serviceName?: TDiskNames;
+    prefix?: string;
+  }): Promise<StorageBlob>;
+  /**
+   * Get blob by ID.
+   */
+  getBlob(id: string): Promise<StorageBlob | null>;
+  /**
+   * Download blob content.
+   */
+  downloadBlob(id: string): Promise<Buffer | null>;
+  /**
+   * Delete blob and its content.
+   */
+  deleteBlob(id: string): Promise<boolean>;
+  /**
+   * Get signed URL for blob. If blob is on public service, returns permanent
+   * URL instead.
+   */
+  getSignedUrl(id: string, options?: {
+    expiresIn?: number;
+    disposition?: "inline" | "attachment";
+    filename?: string;
+  }): Promise<string | null>;
+  /**
+   * Get permanent public URL (no expiration).
+   * Works for blobs on public storage service.
+   */
+  getPublicUrl(id: string): Promise<string | null>;
+  /**
+   * Create attachment between a record and blob.
+   *
+   * @param recordType - The table name (e.g., 'users')
+   * @param recordId - The record ID
+   * @param blobId - The blob ID to attach
+   * @param name - The attachment name (e.g., 'avatar')
+   * @param replaceExisting - If true, replaces existing attachment with same name (for one-to-one)
+   */
+  createAttachment(recordType: string, recordId: string, blobId: string, name: string, replaceExisting?: boolean): Promise<{
+    id: string;
+    createdAt: string;
+    name: string;
+    recordType: string;
+    recordId: string;
+    blobId: string;
+  }>;
+  /**
+   * Get attachments for a record with their associated blobs.
+   */
+  getAttachments(recordType: string, recordId: string, name?: string): Promise<{
+    id: string;
+    createdAt: string;
+    name: string;
+    recordType: string;
+    recordId: string;
+    blobId: string;
+    blob: {
+      metadata: unknown;
+      id: string;
+      key: string;
+      filename: string;
+      contentType: string | null;
+      serviceName: string;
+      byteSize: number;
+      checksum: string | null;
+      createdAt: string;
+    } | null;
+  }[]>;
+  /**
+   * Get attachments by their IDs with associated blobs.
+   *
+   * @param attachmentIds - Array of attachment IDs to fetch.
+   */
+  getAttachmentsByIds(attachmentIds: string[]): Promise<{
+    id: string;
+    createdAt: string;
+    name: string;
+    recordType: string;
+    recordId: string;
+    blobId: string;
+    blob: {
+      metadata: unknown;
+      id: string;
+      key: string;
+      filename: string;
+      contentType: string | null;
+      serviceName: string;
+      byteSize: number;
+      checksum: string | null;
+      createdAt: string;
+    } | null;
+  }[]>;
+  /**
+   * Delete a single attachment by ID.
+   */
+  deleteAttachment(attachmentId: string): Promise<boolean>;
+  /**
+   * Delete attachments for a record (without deleting the blobs).
+   */
+  deleteAttachments(recordType: string, recordId: string, name?: string): Promise<number>;
+  /**
+   * Get direct upload credentials (for S3). Also creates a pending blob record
+   * that will be finalized after upload.
+   */
+  getDirectUploadUrl(options: {
+    contentType?: string;
+    expiresIn?: number;
+    filename: string;
+    metadata?: Record<string, any>;
+    serviceName?: TDiskNames;
+  }): Promise<{
+    blobId: string;
+    headers?: Record<string, string>;
+    key: string;
+    url: string;
+  } | null>;
+  /**
+   * Finalize a direct upload by updating blob metadata. Call this after the
+   * client has uploaded to S3.
+   */
+  finalizeDirectUpload(blobId: string, actualSize: number): Promise<void>;
+  /**
+   * Update blob metadata (for automatic extraction).
+   */
+  updateBlobMetadata(blobId: string, metadata: Record<string, any>): Promise<void>;
+  /**
+   * Get existing variant or return null.
+   */
+  getVariant(blobId: string, transformations: ImageTransformations): Promise<StorageBlob | null>;
+  /**
+   * Create variant blob and record.
+   */
+  createVariant(blobId: string, transformations: ImageTransformations, variantBuffer: Buffer): Promise<StorageBlob>;
+  /**
+   * Get blobs that have no attachments (orphaned). Useful for cleanup jobs.
+   */
+  getUnattachedBlobs(options?: {
+    olderThan?: string;
+    limit?: number;
+  }): Promise<StorageBlob[]>;
+  /**
+   * Get pending blobs that were never finalized (stuck direct uploads).
+   */
+  getPendingBlobs(olderThan?: string): Promise<StorageBlob[]>;
+  /**
+   * Purge unattached blobs.
+   */
+  purgeUnattached(olderThan?: string): Promise<number>;
+  /**
+   * Create a signed, tamper-proof reference to a blob.
+   * Use findSigned() to resolve back to blob.
+   *
+   * Algorithm:
+   * 1. Create payload with blobId and expiration timestamp
+   * 2. JSON stringify and base64url encode the payload
+   * 3. Create HMAC-SHA256 signature of the encoded payload
+   * 4. Return payload.signature format
+   */
+  signedId(blobId: string, expiresIn?: number): string;
+  /**
+   * Find blob by signed ID. Returns null if invalid or expired.
+   * Uses constant-time comparison to prevent timing attacks.
+   *
+   * Algorithm:
+   * 1. Split signed ID into payload and signature
+   * 2. Decode and recompute expected signature
+   * 3. Use timingSafeEqual for constant-time comparison
+   * 4. Check expiration timestamp
+   * 5. Return blob if valid, null otherwise
+   */
+  findSigned(signedId: string): Promise<StorageBlob | null>;
+  /**
+   * Get a single attachment handle (one-to-one relationship).
+   * Similar to Rails' `has_one_attached :avatar`.
+   *
+   * Algorithm:
+   * Returns an object with methods to manage a single attachment:
+   * - attach(): Replace existing attachment with new blob
+   * - get(): Get attached blob or null
+   * - url(): Get signed URL
+   * - variant(): Get/generate image variant
+   * - purge(): Delete attachment and blob
+   *
+   * @template TTable - The table name (must be in TTableNames)
+   */
+  one<TTable extends TTableNames>(recordType: TTable, recordId: string, name: AttachmentName<TAttachments, TTable>): {
+    /**
+     * Attach a blob to this record (replaces existing).
+     * Auto-triggers extractBlobMetadata workflow.
+     */
+    attach(blobId: string): Promise<{
+      id: string;
+      createdAt: string;
+      name: string;
+      recordType: string;
+      recordId: string;
+      blobId: string;
+    }>;
+    /** Get the attached blob or null. */
+    get(): Promise<StorageBlob | null>;
+    /** Check if a blob is attached. */
+    attached(): Promise<boolean>;
+    /** Get signed URL or null. */
+    url(options?: {
+      expiresIn?: number;
+      disposition?: "inline" | "attachment";
+    }): Promise<string | null>;
+    /** Get permanent public URL or null. */
+    publicUrl(): Promise<string | null>;
+    /** Get blob metadata or null. */
+    metadata(): Promise<Record<string, unknown> | null>;
+    /** Check if metadata has been extracted. */
+    analyzed(): Promise<boolean>;
+    /** Check if blob supports preview/variant generation. */
+    representable(): Promise<boolean>;
+    /**
+     * Get variant URL. Auto-enqueues generation if not ready.
+     * Returns URL if variant exists, null if generating.
+     */
+    variant(transformations: ImageTransformations, expiresIn?: number): Promise<string | null>;
+    /**
+     * Get preview URL. Auto-enqueues generation if not ready.
+     * Returns URL if preview exists, null if generating.
+     */
+    preview(expiresIn?: number, timeInSeconds?: number): Promise<string | null>;
+    /** Detach blob from record (keeps blob for reuse). */
+    detach(): Promise<boolean>;
+    /** Delete attachment AND blob immediately. */
+    purge(): Promise<boolean>;
+    /** Enqueue attachment and blob deletion in background. */
+    purgeLater(): Promise<boolean>;
+    /** Download blob content as Buffer. */
+    download(): Promise<Buffer | null>;
+    /** Download to temp file, run callback, auto-cleanup. */
+    open<T>(callback: (filePath: string) => Promise<T> | T): Promise<T | null>;
+    /**
+     * Smart representation - variant for images, preview for videos/PDFs.
+     * Auto-enqueues generation if not ready.
+     */
+    representation(transformations: ImageTransformations, expiresIn?: number): Promise<string | null>;
+    /** Get blob's byte size. */
+    byteSize(): Promise<number | null>;
+    /** Get blob's content type. */
+    contentType(): Promise<string | null>;
+    /** Get blob's filename. */
+    filename(): Promise<string | null>;
+    /** Get signed, tamper-proof ID for the blob. */
+    signedId(expiresIn?: number): Promise<string | null>;
+  };
+  /**
+   * Get a multiple attachment handle (one-to-many relationship).
+   * Similar to Rails' `has_many_attached :images`.
+   *
+   * Algorithm:
+   * Returns an object with methods to manage multiple attachments:
+   * - attach(): Add blobs (doesn't replace existing)
+   * - list(): Get all attached blobs
+   * - urls(): Get signed URLs for all
+   * - variants(): Get/generate variants for all
+   * - purge(): Delete all or specific attachment
+   *
+   * @template TTable - The table name (must be in TTableNames)
+   */
+  many<TTable extends TTableNames>(recordType: TTable, recordId: string, name: AttachmentName<TAttachments, TTable>): {
+    /**
+     * Attach one or more blobs (adds to existing, doesn't replace).
+     * Auto-triggers extractBlobMetadata for each blob.
+     */
+    attach(blobIds: string | string[]): Promise<{
+      id: string;
+      createdAt: string;
+      name: string;
+      recordType: string;
+      recordId: string;
+      blobId: string;
+    }[]>;
+    /** Get all attached blobs. */
+    list(): Promise<StorageBlob[]>;
+    /** Count attached blobs. */
+    count(): Promise<number>;
+    /** Get signed URLs for all blobs. */
+    urls(options?: {
+      expiresIn?: number;
+    }): Promise<string[]>;
+    /** Get public URLs for all blobs. */
+    publicUrls(): Promise<(string | null)[]>;
+    /** Get metadata for all blobs. */
+    metadata(): Promise<(Record<string, unknown> | null)[]>;
+    /** Check which blobs have been analyzed. */
+    analyzed(): Promise<boolean[]>;
+    /** Check which blobs support preview/variants. */
+    representable(): Promise<boolean[]>;
+    /** Get variant URLs for all blobs. Auto-enqueues if not ready. */
+    variants(transformations: ImageTransformations, expiresIn?: number): Promise<(string | null)[]>;
+    /** Get preview URLs for all blobs. Auto-enqueues if not ready. */
+    previews(expiresIn?: number, timeInSeconds?: number): Promise<(string | null)[]>;
+    /** Detach specific blob or all blobs (keeps blobs for reuse). */
+    detach(blobId?: string): Promise<number>;
+    /** Delete specific or all attachments AND blobs immediately. */
+    purge(blobId?: string): Promise<number>;
+    /** Enqueue specific or all attachments for background deletion. */
+    purgeLater(blobId?: string): Promise<number>;
+    /** Download all blobs as Buffers. */
+    download(): Promise<Buffer[]>;
+    /** Download each blob to temp file, run callback for each. */
+    open<T>(callback: (filePath: string, blob: StorageBlob) => Promise<T> | T): Promise<T[]>;
+    /**
+     * Smart representations - variant for images, preview for videos/PDFs.
+     * Auto-enqueues generation if not ready.
+     */
+    representations(transformations: ImageTransformations, expiresIn?: number): Promise<(string | null)[]>;
+    /** Get byte sizes for all blobs. */
+    byteSizes(): Promise<number[]>;
+    /** Get content types for all blobs. */
+    contentTypes(): Promise<(string | null)[]>;
+    /** Get filenames for all blobs. */
+    filenames(): Promise<string[]>;
+    /** Get signed IDs for all blobs. */
+    signedIds(expiresIn?: number): Promise<string[]>;
+  };
+}
+//#endregion
+export { Storage };

package/dist/exports/api/workflows/track-db-changes.d.mts

@@ -0,0 +1,72 @@
+import { WorkflowHandle } from "./workflow.mjs";
+import { Container } from "./container.mjs";
+import { z } from "zod";
+import * as _dbos_inc_dbos_sdk0 from "@dbos-inc/dbos-sdk";
+
+//#region src/api/workflows/track-db-changes.d.ts
+/**
+ * Input schema for trackDbChanges workflow.
+ * Accepts dbChanges() output directly from .returning() clause.
+ */
+declare const trackDbChangesInputSchema: z.ZodObject<{
+  changes: z.ZodArray<z.ZodObject<{
+    _table: z.ZodString;
+    old: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    new: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+  }, z.core.$strip>>;
+  dbName: z.ZodString;
+  organizationId: z.ZodNullable<z.ZodString>;
+  requestId: z.ZodString;
+  sessionId: z.ZodNullable<z.ZodString>;
+  userId: z.ZodNullable<z.ZodString>;
+}, z.core.$strip>;
+type TrackDbChangesInput = z.infer<typeof trackDbChangesInputSchema>;
+/**
+ * Built-in workflow for processing database changes.
+ * Handles audit logging and pub/sub notifications with type-safe table filtering.
+ *
+ * Algorithm:
+ * 1. For each change in input, infer the action (INSERT/UPDATE/DELETE)
+ * 2. If table is not excluded from audit logging:
+ *    - Insert into audit_logs table with full context
+ * 3. Emit to dbChangesEvent (publishes via Redis if subscribed handlers exist)
+ *
+ * Filtering is configured via:
+ * - `container.auth.shouldAudit()` - Check if table should be audited
+ *
+ * @returns Object with counts: processed (total changes), audited (logged to audit_logs), published (emitted to event)
+ */
+declare const trackDbChanges: {
+  inputSchema: z.ZodObject<{
+    changes: z.ZodArray<z.ZodObject<{
+      _table: z.ZodString;
+      old: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+      new: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strip>>;
+    dbName: z.ZodString;
+    organizationId: z.ZodNullable<z.ZodString>;
+    requestId: z.ZodString;
+    sessionId: z.ZodNullable<z.ZodString>;
+    userId: z.ZodNullable<z.ZodString>;
+  }, z.core.$strip>;
+  readonly name: string | null;
+  register(c: Container, name: string, dbos: typeof _dbos_inc_dbos_sdk0.DBOS): void;
+  start(input: {
+    changes: {
+      _table: string;
+      old: Record<string, unknown> | null;
+      new: Record<string, unknown> | null;
+    }[];
+    dbName: string;
+    organizationId: string | null;
+    requestId: string;
+    sessionId: string | null;
+    userId: string | null;
+  }): Promise<WorkflowHandle<{
+    processed: number;
+    audited: number;
+    published: number;
+  }>>;
+};
+//#endregion
+export { TrackDbChangesInput, trackDbChanges };

package/dist/exports/api/workflows/track-db-changes.mjs

@@ -0,0 +1 @@
+import{defineAuthSchema as e}from"./auth-schema.mjs";import{dbChangesEvent as t}from"./event.mjs";import{defineWorkflow as n}from"./workflow.mjs";import{z as r}from"zod";const i=e(),a=r.object({changes:r.array(r.object({_table:r.string(),old:r.record(r.string(),r.unknown()).nullable(),new:r.record(r.string(),r.unknown()).nullable()})),dbName:r.string(),organizationId:r.string().nullable(),requestId:r.string(),sessionId:r.string().nullable(),userId:r.string().nullable()});function o(e){return e.old===null?`INSERT`:e.new===null?`DELETE`:`UPDATE`}const s=n({input:a,async run({container:e,step:n,input:r}){let{dbName:a,changes:s,organizationId:c,userId:l,sessionId:u,requestId:d}=r;if(s.length===0)return{processed:0,audited:0,published:0};let f=new Date().toISOString(),p=0,m=0;for(let r of s){let s=r._table,h=o(r),g=`${a}.${s}`;e.auth.shouldAudit(g)&&(await n(`audit:${g}`,async()=>{await e.db.primary.insert(i.tables.auditLogs).values({tableName:g,action:h,oldData:r.old,newData:r.new,organizationId:c,userId:l,sessionId:u,requestId:d,createdAt:f})}),p++),await n(`event:${g}`,async()=>{await t.emit({action:h,oldData:r.old,newData:r.new,organizationId:c,tableName:g,timestamp:f,userId:l})}),m++}return{processed:s.length,audited:p,published:m}}});export{s as trackDbChanges};

package/dist/exports/api/workflows/workflow.d.mts

@@ -0,0 +1,24 @@
+import "./container.mjs";
+import { z } from "zod";
+
+//#region src/api/workflow.d.ts
+
+/**
+ * Handle to a running or completed workflow.
+ */
+interface WorkflowHandle<TOutput> {
+  /**
+   * Get the current status of the workflow.
+   */
+  getStatus(): Promise<unknown>;
+  /**
+   * Wait for the workflow to complete and return its result.
+   */
+  getResult(): Promise<TOutput>;
+  /**
+   * The unique ID of this workflow execution.
+   */
+  workflowId: string;
+}
+//#endregion
+export { WorkflowHandle };

package/dist/exports/api/workflows/workflow.mjs

@@ -0,0 +1 @@
+import{join as e}from"node:path";import"es-toolkit";function t(e){let t=null,n=null,r=null,i=null,a=async i=>{if(!t||!r)throw Error(`Workflow "${n}" not registered`);let a=r,o=a.workflowID;if(!o)throw Error(`DBOS.workflowID is not available in this context`);let s={container:t,workflowId:o,input:i,step:(e,t)=>a.runStep(t,{name:e})};return e.run(s)};return{inputSchema:e.input,get name(){return n},register(o,s,c){t=o,n=s,r=c,i=c.registerWorkflow(a,{name:s,...e.config})},async start(t){if(!i||!n||!r)throw Error(`Workflow not registered. Ensure the worker is started before triggering workflows.`);let a=e.input.parse(t),o=await r.startWorkflow(i)(a);return{workflowId:o.workflowID,getStatus:()=>o.getStatus(),getResult:()=>o.getResult()}}}}function n(e){let t=null,n=null,r=null,i=async(i,a)=>{if(!t||!r)throw Error(`Workflow "${n}" not registered`);let o=r,s=o.workflowID;if(!s)throw Error(`DBOS.workflowID is not available in this context`);let c={container:t,workflowId:s,scheduledTime:i,step:(e,t)=>o.runStep(t,{name:e})};return e.run(c)};return{crontab:e.crontab,get name(){return n},register(a,o,s){t=a,n=o,r=s,s.registerScheduled(s.registerWorkflow(i,{name:o}),{crontab:e.crontab})}}}export{n as defineScheduledWorkflow,t as defineWorkflow};

package/dist/exports/cli/_virtual/rolldown_runtime.mjs

@@ -0,0 +1 @@
+var e=Object.defineProperty,t=Object.getOwnPropertyDescriptor,n=Object.getOwnPropertyNames,r=Object.prototype.hasOwnProperty,i=(t,n)=>{let r={};for(var i in t)e(r,i,{get:t[i],enumerable:!0});return n&&e(r,Symbol.toStringTag,{value:`Module`}),r},a=(i,a,o,s)=>{if(a&&typeof a==`object`||typeof a==`function`)for(var c=n(a),l=0,u=c.length,d;l<u;l++)d=c[l],!r.call(i,d)&&d!==o&&e(i,d,{get:(e=>a[e]).bind(null,d),enumerable:!(s=t(a,d))||s.enumerable});return i},o=(e,t,n)=>(a(e,t,`default`),n&&a(n,t,`default`));export{i as __export,o as __reExport};

package/dist/exports/cli/api/auth-schema.mjs

@@ -0,0 +1 @@
+import{sql as e}from"drizzle-orm";import{pgTable as t}from"drizzle-orm/pg-core";function n(){let n=t(`accounts`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),accessToken:t.text(`access_token`),accessTokenExpiresAt:t.timestamp(`access_token_expires_at`,{mode:`string`,withTimezone:!0}),accountId:t.text(`account_id`).notNull(),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),idToken:t.text(`id_token`),providerId:t.text(`provider_id`).notNull(),password:t.text(`password`),userId:t.text(`user_id`).notNull().references(()=>l.id,{onDelete:`cascade`}),refreshToken:t.text(`refresh_token`),refreshTokenExpiresAt:t.timestamp(`refresh_token_expires_at`,{mode:`string`,withTimezone:!0}),scope:t.text(`scope`),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),r=t(`api_keys`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),name:t.text(`name`),enabled:t.boolean(`enabled`).default(!0),expiresAt:t.timestamp(`expires_at`,{mode:`string`,withTimezone:!0}),key:t.text(`key`).notNull(),lastRefillAt:t.timestamp(`last_refill_at`,{mode:`string`,withTimezone:!0}),lastRequest:t.timestamp(`last_request`,{mode:`string`,withTimezone:!0}),lastUsedAt:t.timestamp(`last_used_at`,{mode:`string`,withTimezone:!0}),metadata:t.text(`metadata`),permissions:t.text(`permissions`),prefix:t.text(`prefix`),rateLimitEnabled:t.boolean(`rate_limit_enabled`).default(!0),rateLimitTimeWindow:t.integer(`rate_limit_time_window`).default(864e5),rateLimitMax:t.integer(`rate_limit_max`).default(10),refillInterval:t.integer(`refill_interval`),refillAmount:t.integer(`refill_amount`),requestCount:t.integer(`request_count`),remaining:t.integer(`remaining`),start:t.text(`start`),userId:t.text(`user_id`).notNull().references(()=>l.id,{onDelete:`cascade`}),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),i=t(`invitations`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),email:t.text(`email`).notNull(),expiresAt:t.timestamp(`expires_at`,{mode:`string`,withTimezone:!0}).notNull(),inviterId:t.text(`inviter_id`).notNull().references(()=>l.id,{onDelete:`cascade`}),organizationId:t.text(`organization_id`).notNull().references(()=>o.id,{onDelete:`cascade`}),role:t.text(`role`),status:t.text(`status`).default(`pending`).notNull(),teamId:t.text(`team_id`),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),a=t(`members`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),organizationId:t.text(`organization_id`).notNull().references(()=>o.id,{onDelete:`cascade`}),role:t.text(`role`).default(`member`).notNull(),userId:t.text(`user_id`).notNull().references(()=>l.id,{onDelete:`cascade`}),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),o=t(`organizations`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),name:t.text(`name`).notNull(),slug:t.text(`slug`).unique(),logo:t.text(`logo`),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),metadata:t.text(`metadata`)}),e=>[]),s=t(`sessions`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),activeOrganizationId:t.text(`active_organization_id`).references(()=>o.id,{onDelete:`set null`}),activeTeamId:t.text(`active_team_id`),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),expiresAt:t.timestamp(`expires_at`,{mode:`string`,withTimezone:!0}).notNull(),impersonatedBy:t.text(`impersonated_by`).references(()=>l.id,{onDelete:`set null`}),ipAddress:t.text(`ip_address`),token:t.text(`token`).notNull().unique(),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),userAgent:t.text(`user_agent`),userId:t.text(`user_id`).notNull().references(()=>l.id,{onDelete:`cascade`})}),e=>[]),c=t(`sso_providers`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),domain:t.text(`domain`).notNull(),issuer:t.text(`issuer`).notNull(),oidcConfig:t.text(`oidc_config`),organizationId:t.text(`organization_id`).references(()=>o.id,{onDelete:`cascade`}),providerId:t.text(`provider_id`).notNull().unique(),samlConfig:t.text(`saml_config`),userId:t.text(`user_id`).references(()=>l.id,{onDelete:`cascade`})}),e=>[]),l=t(`users`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),banExpires:t.timestamp(`ban_expires`,{mode:`string`,withTimezone:!0}),banReason:t.text(`ban_reason`),banned:t.boolean(`banned`).default(!1),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),displayUsername:t.text(`display_username`),email:t.text(`email`).notNull().unique(),emailVerified:t.boolean(`email_verified`).default(!1).notNull(),image:t.text(`image`),isAnonymous:t.boolean(`is_anonymous`),lastLoginMethod:t.text(`last_login_method`),name:t.text(`name`).notNull(),phoneNumber:t.text(`phone_number`).unique(),phoneNumberVerified:t.boolean(`phone_number_verified`),role:t.text(`role`),twoFactorEnabled:t.boolean(`two_factor_enabled`).default(!1),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),username:t.text(`username`).unique()}),e=>[]),u=t(`teams`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),name:t.text(`name`).notNull(),organizationId:t.text(`organization_id`).notNull().references(()=>o.id,{onDelete:`cascade`}),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),d=t(`team_members`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),teamId:t.text(`team_id`).notNull().references(()=>u.id,{onDelete:`cascade`}),userId:t.text(`user_id`).notNull().references(()=>l.id,{onDelete:`cascade`}),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),f=t(`two_factors`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),secret:t.text(`secret`).notNull(),backupCodes:t.text(`backup_codes`).notNull(),userId:t.text(`user_id`).notNull().references(()=>l.id,{onDelete:`cascade`})}),e=>[]),p=t(`verifications`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),expiresAt:t.timestamp(`expires_at`,{mode:`string`,withTimezone:!0}).notNull(),identifier:t.text(`identifier`).notNull(),updatedAt:t.timestamp(`updated_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull(),value:t.text(`value`).notNull()}),e=>[]);return{tables:{accounts:n,apiKeys:r,auditLogs:t(`audit_logs`,t=>({id:t.text(`id`).primaryKey().default(e`uuidv7()`),tableName:t.text(`table_name`),action:t.text(`action`).notNull(),customAction:t.text(`custom_action`),oldData:t.jsonb(`old_data`),newData:t.jsonb(`new_data`),metadata:t.jsonb(`metadata`),organizationId:t.text(`organization_id`).references(()=>o.id,{onDelete:`set null`}),userId:t.text(`user_id`).references(()=>l.id,{onDelete:`set null`}),sessionId:t.text(`session_id`).references(()=>s.id,{onDelete:`set null`}),requestId:t.text(`request_id`),createdAt:t.timestamp(`created_at`,{mode:`string`,withTimezone:!0}).default(e`NOW()`).notNull()}),e=>[]),invitations:i,members:a,organizations:o,sessions:s,ssoProviders:c,teams:u,teamMembers:d,twoFactors:f,users:l,verifications:p},relations:e=>({users:{sessions:e.many.sessions({from:e.users.id,to:e.sessions.userId}),accounts:e.many.accounts({from:e.users.id,to:e.accounts.userId}),apiKeys:e.many.apiKeys({from:e.users.id,to:e.apiKeys.userId}),memberships:e.many.members({from:e.users.id,to:e.members.userId}),invitations:e.many.invitations({from:e.users.id,to:e.invitations.inviterId}),ssoProvider:e.one.ssoProviders({from:e.users.id,to:e.ssoProviders.userId}),twoFactor:e.one.twoFactors({from:e.users.id,to:e.twoFactors.userId})},sessions:{user:e.one.users({from:e.sessions.userId,to:e.users.id})},accounts:{user:e.one.users({from:e.accounts.userId,to:e.users.id})},apiKeys:{user:e.one.users({from:e.apiKeys.userId,to:e.users.id})},organizations:{members:e.many.members({from:e.organizations.id,to:e.members.organizationId}),invitations:e.many.invitations({from:e.organizations.id,to:e.invitations.organizationId}),teams:e.many.teams({from:e.organizations.id,to:e.teams.organizationId})},members:{organization:e.one.organizations({from:e.members.organizationId,to:e.organizations.id}),user:e.one.users({from:e.members.userId,to:e.users.id})},invitations:{organization:e.one.organizations({from:e.invitations.organizationId,to:e.organizations.id}),inviter:e.one.users({from:e.invitations.inviterId,to:e.users.id})},teams:{organization:e.one.organizations({from:e.teams.organizationId,to:e.organizations.id})},ssoProviders:{user:e.one.users({from:e.ssoProviders.userId,to:e.users.id})},verifications:{},twoFactors:{user:e.one.users({from:e.twoFactors.userId,to:e.users.id})},auditLogs:{organization:e.one.organizations({from:e.auditLogs.organizationId,to:e.organizations.id}),user:e.one.users({from:e.auditLogs.userId,to:e.users.id}),session:e.one.sessions({from:e.auditLogs.sessionId,to:e.sessions.id})}})}}export{n as defineAuthSchema};