appos 0.2.1 → 0.2.3-0

package/dist/exports/cli/api/storage.d.mts

@@ -0,0 +1,396 @@
+import { StorageBlob, StorageRelationsConfig, StorageTables } from "./storage-schema.mjs";
+import { ImageTransformations, transformationsSchema } from "./workflows/generate-image-variant.mjs";
+import { NodePgDatabase } from "drizzle-orm/node-postgres";
+import { Pool } from "pg";
+import { DriveManager } from "flydrive";
+import { FSDriverOptions } from "flydrive/drivers/fs/types";
+import { S3DriverOptions } from "flydrive/drivers/s3/types";
+
+//#region src/api/storage.d.ts
+
+/**
+ * Database type with storage schema and relations.
+ */
+type DatabaseWithStorage = NodePgDatabase<StorageTables, StorageRelationsConfig> & {
+  $client: Pool;
+};
+/**
+ * Type of the storage service instance.
+ */
+type Storage<TDisks extends Record<string, FSDriverOptions | S3DriverOptions> = Record<string, FSDriverOptions | S3DriverOptions>, TTableNames extends string = string, TAttachments extends Partial<Record<TTableNames, readonly string[]>> = Record<never, never>> = StorageService<Extract<keyof TDisks, string>, TTableNames, TAttachments>;
+/**
+ * Helper type to extract attachment name for a specific table.
+ */
+type AttachmentName<TAttachments extends Partial<Record<string, readonly string[]>>, TTable extends string> = TTable extends keyof TAttachments ? TAttachments[TTable] extends readonly (infer N)[] ? N : string : string;
+/**
+ * Storage service for blob operations.
+ *
+ * This service uses a dual-drive architecture when configured:
+ * - `drive`: For actual file operations (upload, delete, read) using internal endpoints
+ * - `signedUrlDrive`: For generating browser-accessible signed URLs with public endpoints
+ *
+ * This allows containers to use fast internal network for operations while
+ * generating URLs that work in end-user browsers.
+ *
+ * @template TDiskNames - Union of disk names (e.g., "private" | "public")
+ * @template TTableNames - Union of table names for type-safe attachment methods
+ * @template TAttachments - Mapping of table names to valid attachment names
+ */
+declare class StorageService<TDiskNames extends string = string, TTableNames extends string = string, TAttachments extends Partial<Record<TTableNames, readonly string[]>> = Record<never, never>> {
+  /**
+   * The drive manager for file operations.
+   */
+  readonly drive: DriveManager<any>;
+  /**
+   * The database instance with storage schema and relations.
+   */
+  readonly db: DatabaseWithStorage;
+  /**
+   * The default disk name.
+   */
+  readonly defaultDisk: TDiskNames;
+  /**
+   * Cron expression for unattached blob purge schedule.
+   *
+   * @default "0 0 * * *"
+   */
+  readonly purgeCron?: string;
+  /**
+   * Secret key for signing blob IDs.
+   */
+  readonly secret?: string;
+  /**
+   * Drive manager for generating signed URLs (public endpoint).
+   */
+  readonly signedUrlDrive: DriveManager<any>;
+  constructor(drive: DriveManager<any>, db: DatabaseWithStorage, defaultDisk: TDiskNames, signedUrlDrive: DriveManager<any>, purgeCron?: string, secret?: string);
+  /**
+   * Create a blob record and upload file.
+   */
+  createBlob(file: Buffer | Uint8Array, options: {
+    filename: string;
+    contentType?: string;
+    metadata?: Record<string, any>;
+    serviceName?: TDiskNames;
+    prefix?: string;
+  }): Promise<StorageBlob>;
+  /**
+   * Get blob by ID.
+   */
+  getBlob(id: string): Promise<StorageBlob | null>;
+  /**
+   * Download blob content.
+   */
+  downloadBlob(id: string): Promise<Buffer | null>;
+  /**
+   * Delete blob and its content.
+   */
+  deleteBlob(id: string): Promise<boolean>;
+  /**
+   * Get signed URL for blob. If blob is on public service, returns permanent
+   * URL instead.
+   */
+  getSignedUrl(id: string, options?: {
+    expiresIn?: number;
+    disposition?: "inline" | "attachment";
+    filename?: string;
+  }): Promise<string | null>;
+  /**
+   * Get permanent public URL (no expiration).
+   * Works for blobs on public storage service.
+   */
+  getPublicUrl(id: string): Promise<string | null>;
+  /**
+   * Create attachment between a record and blob.
+   *
+   * @param recordType - The table name (e.g., 'users')
+   * @param recordId - The record ID
+   * @param blobId - The blob ID to attach
+   * @param name - The attachment name (e.g., 'avatar')
+   * @param replaceExisting - If true, replaces existing attachment with same name (for one-to-one)
+   */
+  createAttachment(recordType: string, recordId: string, blobId: string, name: string, replaceExisting?: boolean): Promise<{
+    id: string;
+    createdAt: string;
+    name: string;
+    recordType: string;
+    recordId: string;
+    blobId: string;
+  }>;
+  /**
+   * Get attachments for a record with their associated blobs.
+   */
+  getAttachments(recordType: string, recordId: string, name?: string): Promise<{
+    id: string;
+    createdAt: string;
+    name: string;
+    recordType: string;
+    recordId: string;
+    blobId: string;
+    blob: {
+      id: string;
+      key: string;
+      filename: string;
+      contentType: string | null;
+      metadata: unknown;
+      serviceName: string;
+      byteSize: number;
+      checksum: string | null;
+      createdAt: string;
+    } | null;
+  }[]>;
+  /**
+   * Get attachments by their IDs with associated blobs.
+   *
+   * @param attachmentIds - Array of attachment IDs to fetch.
+   */
+  getAttachmentsByIds(attachmentIds: string[]): Promise<{
+    id: string;
+    createdAt: string;
+    name: string;
+    recordType: string;
+    recordId: string;
+    blobId: string;
+    blob: {
+      id: string;
+      key: string;
+      filename: string;
+      contentType: string | null;
+      metadata: unknown;
+      serviceName: string;
+      byteSize: number;
+      checksum: string | null;
+      createdAt: string;
+    } | null;
+  }[]>;
+  /**
+   * Delete a single attachment by ID.
+   */
+  deleteAttachment(attachmentId: string): Promise<boolean>;
+  /**
+   * Delete attachments for a record (without deleting the blobs).
+   */
+  deleteAttachments(recordType: string, recordId: string, name?: string): Promise<number>;
+  /**
+   * Get direct upload credentials (for S3). Also creates a pending blob record
+   * that will be finalized after upload.
+   */
+  getDirectUploadUrl(options: {
+    contentType?: string;
+    expiresIn?: number;
+    filename: string;
+    metadata?: Record<string, any>;
+    serviceName?: TDiskNames;
+  }): Promise<{
+    blobId: string;
+    headers?: Record<string, string>;
+    key: string;
+    url: string;
+  } | null>;
+  /**
+   * Finalize a direct upload by updating blob metadata. Call this after the
+   * client has uploaded to S3.
+   */
+  finalizeDirectUpload(blobId: string, actualSize: number): Promise<void>;
+  /**
+   * Update blob metadata (for automatic extraction).
+   */
+  updateBlobMetadata(blobId: string, metadata: Record<string, any>): Promise<void>;
+  /**
+   * Get existing variant or return null.
+   */
+  getVariant(blobId: string, transformations: ImageTransformations): Promise<StorageBlob | null>;
+  /**
+   * Create variant blob and record.
+   */
+  createVariant(blobId: string, transformations: ImageTransformations, variantBuffer: Buffer): Promise<StorageBlob>;
+  /**
+   * Get blobs that have no attachments (orphaned). Useful for cleanup jobs.
+   */
+  getUnattachedBlobs(options?: {
+    olderThan?: string;
+    limit?: number;
+  }): Promise<StorageBlob[]>;
+  /**
+   * Get pending blobs that were never finalized (stuck direct uploads).
+   */
+  getPendingBlobs(olderThan?: string): Promise<StorageBlob[]>;
+  /**
+   * Purge unattached blobs.
+   */
+  purgeUnattached(olderThan?: string): Promise<number>;
+  /**
+   * Create a signed, tamper-proof reference to a blob.
+   * Use findSigned() to resolve back to blob.
+   *
+   * Algorithm:
+   * 1. Create payload with blobId and expiration timestamp
+   * 2. JSON stringify and base64url encode the payload
+   * 3. Create HMAC-SHA256 signature of the encoded payload
+   * 4. Return payload.signature format
+   */
+  signedId(blobId: string, expiresIn?: number): string;
+  /**
+   * Find blob by signed ID. Returns null if invalid or expired.
+   * Uses constant-time comparison to prevent timing attacks.
+   *
+   * Algorithm:
+   * 1. Split signed ID into payload and signature
+   * 2. Decode and recompute expected signature
+   * 3. Use timingSafeEqual for constant-time comparison
+   * 4. Check expiration timestamp
+   * 5. Return blob if valid, null otherwise
+   */
+  findSigned(signedId: string): Promise<StorageBlob | null>;
+  /**
+   * Get a single attachment handle (one-to-one relationship).
+   * Similar to Rails' `has_one_attached :avatar`.
+   *
+   * Algorithm:
+   * Returns an object with methods to manage a single attachment:
+   * - attach(): Replace existing attachment with new blob
+   * - get(): Get attached blob or null
+   * - url(): Get signed URL
+   * - variant(): Get/generate image variant
+   * - purge(): Delete attachment and blob
+   *
+   * @template TTable - The table name (must be in TTableNames)
+   */
+  one<TTable extends TTableNames>(recordType: TTable, recordId: string, name: AttachmentName<TAttachments, TTable>): {
+    /**
+     * Attach a blob to this record (replaces existing).
+     * Auto-triggers extractBlobMetadata workflow.
+     */
+    attach(blobId: string): Promise<{
+      id: string;
+      createdAt: string;
+      name: string;
+      recordType: string;
+      recordId: string;
+      blobId: string;
+    }>;
+    /** Get the attached blob or null. */
+    get(): Promise<StorageBlob | null>;
+    /** Check if a blob is attached. */
+    attached(): Promise<boolean>;
+    /** Get signed URL or null. */
+    url(options?: {
+      expiresIn?: number;
+      disposition?: "inline" | "attachment";
+    }): Promise<string | null>;
+    /** Get permanent public URL or null. */
+    publicUrl(): Promise<string | null>;
+    /** Get blob metadata or null. */
+    metadata(): Promise<Record<string, unknown> | null>;
+    /** Check if metadata has been extracted. */
+    analyzed(): Promise<boolean>;
+    /** Check if blob supports preview/variant generation. */
+    representable(): Promise<boolean>;
+    /**
+     * Get variant URL. Auto-enqueues generation if not ready.
+     * Returns URL if variant exists, null if generating.
+     */
+    variant(transformations: ImageTransformations, expiresIn?: number): Promise<string | null>;
+    /**
+     * Get preview URL. Auto-enqueues generation if not ready.
+     * Returns URL if preview exists, null if generating.
+     */
+    preview(expiresIn?: number, timeInSeconds?: number): Promise<string | null>;
+    /** Detach blob from record (keeps blob for reuse). */
+    detach(): Promise<boolean>;
+    /** Delete attachment AND blob immediately. */
+    purge(): Promise<boolean>;
+    /** Enqueue attachment and blob deletion in background. */
+    purgeLater(): Promise<boolean>;
+    /** Download blob content as Buffer. */
+    download(): Promise<Buffer | null>;
+    /** Download to temp file, run callback, auto-cleanup. */
+    open<T>(callback: (filePath: string) => Promise<T> | T): Promise<T | null>;
+    /**
+     * Smart representation - variant for images, preview for videos/PDFs.
+     * Auto-enqueues generation if not ready.
+     */
+    representation(transformations: ImageTransformations, expiresIn?: number): Promise<string | null>;
+    /** Get blob's byte size. */
+    byteSize(): Promise<number | null>;
+    /** Get blob's content type. */
+    contentType(): Promise<string | null>;
+    /** Get blob's filename. */
+    filename(): Promise<string | null>;
+    /** Get signed, tamper-proof ID for the blob. */
+    signedId(expiresIn?: number): Promise<string | null>;
+  };
+  /**
+   * Get a multiple attachment handle (one-to-many relationship).
+   * Similar to Rails' `has_many_attached :images`.
+   *
+   * Algorithm:
+   * Returns an object with methods to manage multiple attachments:
+   * - attach(): Add blobs (doesn't replace existing)
+   * - list(): Get all attached blobs
+   * - urls(): Get signed URLs for all
+   * - variants(): Get/generate variants for all
+   * - purge(): Delete all or specific attachment
+   *
+   * @template TTable - The table name (must be in TTableNames)
+   */
+  many<TTable extends TTableNames>(recordType: TTable, recordId: string, name: AttachmentName<TAttachments, TTable>): {
+    /**
+     * Attach one or more blobs (adds to existing, doesn't replace).
+     * Auto-triggers extractBlobMetadata for each blob.
+     */
+    attach(blobIds: string | string[]): Promise<{
+      id: string;
+      createdAt: string;
+      name: string;
+      recordType: string;
+      recordId: string;
+      blobId: string;
+    }[]>;
+    /** Get all attached blobs. */
+    list(): Promise<StorageBlob[]>;
+    /** Count attached blobs. */
+    count(): Promise<number>;
+    /** Get signed URLs for all blobs. */
+    urls(options?: {
+      expiresIn?: number;
+    }): Promise<string[]>;
+    /** Get public URLs for all blobs. */
+    publicUrls(): Promise<(string | null)[]>;
+    /** Get metadata for all blobs. */
+    metadata(): Promise<(Record<string, unknown> | null)[]>;
+    /** Check which blobs have been analyzed. */
+    analyzed(): Promise<boolean[]>;
+    /** Check which blobs support preview/variants. */
+    representable(): Promise<boolean[]>;
+    /** Get variant URLs for all blobs. Auto-enqueues if not ready. */
+    variants(transformations: ImageTransformations, expiresIn?: number): Promise<(string | null)[]>;
+    /** Get preview URLs for all blobs. Auto-enqueues if not ready. */
+    previews(expiresIn?: number, timeInSeconds?: number): Promise<(string | null)[]>;
+    /** Detach specific blob or all blobs (keeps blobs for reuse). */
+    detach(blobId?: string): Promise<number>;
+    /** Delete specific or all attachments AND blobs immediately. */
+    purge(blobId?: string): Promise<number>;
+    /** Enqueue specific or all attachments for background deletion. */
+    purgeLater(blobId?: string): Promise<number>;
+    /** Download all blobs as Buffers. */
+    download(): Promise<Buffer[]>;
+    /** Download each blob to temp file, run callback for each. */
+    open<T>(callback: (filePath: string, blob: StorageBlob) => Promise<T> | T): Promise<T[]>;
+    /**
+     * Smart representations - variant for images, preview for videos/PDFs.
+     * Auto-enqueues generation if not ready.
+     */
+    representations(transformations: ImageTransformations, expiresIn?: number): Promise<(string | null)[]>;
+    /** Get byte sizes for all blobs. */
+    byteSizes(): Promise<number[]>;
+    /** Get content types for all blobs. */
+    contentTypes(): Promise<(string | null)[]>;
+    /** Get filenames for all blobs. */
+    filenames(): Promise<string[]>;
+    /** Get signed IDs for all blobs. */
+    signedIds(expiresIn?: number): Promise<string[]>;
+  };
+}
+//#endregion
+export { Storage };

package/dist/exports/cli/api/workflow.d.mts

@@ -0,0 +1,2 @@
+import "./container.mjs";
+import { z } from "zod";

package/dist/exports/cli/api/workflow.mjs

@@ -0,0 +1 @@
+import{join as e}from"node:path";import"es-toolkit";function t(e){let t=null,n=null,r=null,i=null,a=async i=>{if(!t||!r)throw Error(`Workflow "${n}" not registered`);let a=r,o=a.workflowID;if(!o)throw Error(`DBOS.workflowID is not available in this context`);let s={container:t,workflowId:o,input:i,step:(e,t)=>a.runStep(t,{name:e})};return e.run(s)};return{inputSchema:e.input,get name(){return n},register(o,s,c){t=o,n=s,r=c,i=c.registerWorkflow(a,{name:s,...e.config})},async start(t){if(!i||!n||!r)throw Error(`Workflow not registered. Ensure the worker is started before triggering workflows.`);let a=e.input.parse(t),o=await r.startWorkflow(i)(a);return{workflowId:o.workflowID,getStatus:()=>o.getStatus(),getResult:()=>o.getResult()}}}}function n(e){let t=null,n=null,r=null,i=async(i,a)=>{if(!t||!r)throw Error(`Workflow "${n}" not registered`);let o=r,s=o.workflowID;if(!s)throw Error(`DBOS.workflowID is not available in this context`);let c={container:t,workflowId:s,scheduledTime:i,step:(e,t)=>o.runStep(t,{name:e})};return e.run(c)};return{crontab:e.crontab,get name(){return n},register(a,o,s){t=a,n=o,r=s,s.registerScheduled(s.registerWorkflow(i,{name:o}),{crontab:e.crontab})}}}export{n as defineScheduledWorkflow,t as defineWorkflow};

package/dist/exports/cli/api/workflows/extract-blob-metadata.mjs

@@ -0,0 +1 @@
+import{defineWorkflow as e}from"../workflow.mjs";import{join as t}from"node:path";import{ALL_FORMATS as n,BlobSource as r,Input as i}from"mediabunny";import a from"sharp";import o from"zod";const s=e({input:o.object({blobId:o.string()}),async run({container:e,input:{blobId:o},step:s}){let c=await s(`fetch-blob`,async()=>e.storage.primary.getBlob(o));if(!c)throw Error(`Blob ${o} not found`);let l=await s(`download-blob`,async()=>e.storage.primary.downloadBlob(o));if(!l)throw Error(`Failed to download blob ${o}`);let u={};return c.contentType?.startsWith(`image/`)?u=await s(`extract-image-metadata`,async()=>{let e=await a(l).metadata();return{width:e.width,height:e.height,format:e.format,hasAlpha:e.hasAlpha,space:e.space}}):c.contentType?.startsWith(`video/`)||c.contentType?.startsWith(`audio/`)?u=await s(`extract-media-metadata`,async()=>{let e=new Uint8Array(l),t=new i({source:new r(new Blob([e],{type:c.contentType||`video/mp4`})),formats:n}),a=await t.computeDuration(),o=await t.getMetadataTags(),s={},u={},d=!1,f=!1;try{let e=await t.getPrimaryVideoTrack();if(e){d=!0;let t=e.displayWidth&&e.displayHeight?e.displayWidth/e.displayHeight:null;s={width:e.displayWidth,height:e.displayHeight,rotation:e.rotation,angle:e.rotation,displayAspectRatio:t}}}catch{}try{let e=await t.getPrimaryAudioTrack();e&&(f=!0,u={sampleRate:e.sampleRate,channels:e.numberOfChannels})}catch{}return{duration:a,video:d,audio:f,...s,...u,tags:o}}):c.contentType===`application/pdf`&&(u=await s(`extract-pdf-metadata`,async()=>{try{let e=await import(`pdfjs-dist/legacy/build/pdf.mjs`),n=`${t(process.cwd(),`node_modules/pdfjs-dist/standard_fonts`)}/`,r=await e.getDocument({data:new Uint8Array(l),standardFontDataUrl:n}).promise,i=await r.getMetadata(),a=(await r.getPage(1)).getViewport({scale:1}),o=i.info;return{pageCount:r.numPages,width:a.width,height:a.height,title:o?.Title||null,author:o?.Author||null,subject:o?.Subject||null,keywords:o?.Keywords||null,creator:o?.Creator||null,producer:o?.Producer||null,creationDate:o?.CreationDate||null,modificationDate:o?.ModDate||null,pdfVersion:o?.PDFFormatVersion||null}}catch(t){return e.logger.error({error:t,errorMessage:t instanceof Error?t.message:String(t),errorStack:t instanceof Error?t.stack:void 0,errorCode:t?.code,blobId:o},`Failed to extract PDF metadata`),{error:`Failed to extract PDF metadata`,errorMessage:t instanceof Error?t.message:String(t)}}})),await s(`save-metadata`,async()=>{await e.storage.primary.updateBlobMetadata(o,{...u,analyzed:!0})}),e.logger.info({blobId:o,metadata:u},`Metadata extracted`),{...u,analyzed:!0}}});export{s as extractBlobMetadata};

package/dist/exports/cli/api/workflows/generate-image-variant.d.mts

@@ -0,0 +1,63 @@
+import "../workflow.mjs";
+import "../container.mjs";
+import { z } from "zod";
+
+//#region src/api/workflows/generate-image-variant.d.ts
+
+/**
+ * Image transformations schema.
+ * Supports resize, rotate, flip, flop, sharpen, blur, grayscale, format conversion.
+ */
+declare const transformationsSchema: z.ZodObject<{
+  resize: z.ZodOptional<z.ZodObject<{
+    width: z.ZodOptional<z.ZodNumber>;
+    height: z.ZodOptional<z.ZodNumber>;
+    fit: z.ZodOptional<z.ZodEnum<{
+      fill: "fill";
+      cover: "cover";
+      contain: "contain";
+      inside: "inside";
+      outside: "outside";
+    }>>;
+    position: z.ZodOptional<z.ZodEnum<{
+      left: "left";
+      right: "right";
+      top: "top";
+      "right top": "right top";
+      "right bottom": "right bottom";
+      bottom: "bottom";
+      "left bottom": "left bottom";
+      "left top": "left top";
+      centre: "centre";
+    }>>;
+    kernel: z.ZodOptional<z.ZodEnum<{
+      nearest: "nearest";
+      linear: "linear";
+      cubic: "cubic";
+      mitchell: "mitchell";
+      lanczos2: "lanczos2";
+      lanczos3: "lanczos3";
+    }>>;
+  }, z.core.$strip>>;
+  rotate: z.ZodOptional<z.ZodNumber>;
+  flip: z.ZodOptional<z.ZodBoolean>;
+  flop: z.ZodOptional<z.ZodBoolean>;
+  sharpen: z.ZodOptional<z.ZodBoolean>;
+  blur: z.ZodOptional<z.ZodNumber>;
+  grayscale: z.ZodOptional<z.ZodBoolean>;
+  format: z.ZodOptional<z.ZodEnum<{
+    jpeg: "jpeg";
+    png: "png";
+    webp: "webp";
+    avif: "avif";
+    gif: "gif";
+  }>>;
+  quality: z.ZodOptional<z.ZodNumber>;
+  preview: z.ZodOptional<z.ZodLiteral<true>>;
+}, z.core.$strip>;
+/**
+ * Types for image transformations.
+ */
+type ImageTransformations = z.infer<typeof transformationsSchema>;
+//#endregion
+export { ImageTransformations, transformationsSchema };

package/dist/exports/cli/api/workflows/generate-image-variant.mjs

@@ -0,0 +1 @@
+import{defineWorkflow as e}from"../workflow.mjs";import t from"sharp";import{z as n}from"zod";const r=n.object({width:n.number().optional(),height:n.number().optional(),fit:n.enum([`cover`,`contain`,`fill`,`inside`,`outside`]).optional(),position:n.enum([`top`,`right top`,`right`,`right bottom`,`bottom`,`left bottom`,`left`,`left top`,`centre`]).optional(),kernel:n.enum([`nearest`,`linear`,`cubic`,`mitchell`,`lanczos2`,`lanczos3`]).optional()}),i=n.object({resize:r.optional(),rotate:n.number().optional(),flip:n.boolean().optional(),flop:n.boolean().optional(),sharpen:n.boolean().optional(),blur:n.number().optional(),grayscale:n.boolean().optional(),format:n.enum([`jpeg`,`png`,`webp`,`avif`,`gif`]).optional(),quality:n.number().min(1).max(100).optional(),preview:n.literal(!0).optional()}),a=e({input:n.object({blobId:n.string(),transformations:i}),async run({container:e,input:{blobId:n,transformations:r},step:i}){if(!await i(`fetch-blob`,async()=>e.storage.primary.getBlob(n)))throw Error(`Blob ${n} not found`);let a=await i(`download-blob`,async()=>e.storage.primary.downloadBlob(n));if(!a)throw Error(`Failed to download blob ${n}`);let o=await i(`apply-transformations`,async()=>{let e=t(a);return r.resize&&(e=e.resize({width:r.resize.width,height:r.resize.height,fit:r.resize.fit,position:r.resize.position,kernel:r.resize.kernel})),r.rotate!==void 0&&(e=e.rotate(r.rotate)),r.flip&&(e=e.flip()),r.flop&&(e=e.flop()),r.sharpen&&(e=e.sharpen()),r.blur!==void 0&&(e=e.blur(r.blur)),r.grayscale&&(e=e.grayscale()),r.format&&(e=e.toFormat(r.format,{quality:r.quality})),e.toBuffer()}),s=await i(`store-variant`,async()=>e.storage.primary.createVariant(n,r,o));return e.logger.info({blobId:n,variantId:s.id},`Image variant generated`),s}});export{a as generateImageVariant};

package/dist/exports/cli/api/workflows/generate-preview.mjs

@@ -0,0 +1 @@
+import{defineWorkflow as e}from"../workflow.mjs";import{join as t}from"node:path";import n from"sharp";import r from"zod";import{spawn as i}from"node:child_process";import{createCanvas as a}from"canvas";const o=e({input:r.object({blobId:r.string(),timeInSeconds:r.number().optional()}),async run({container:e,input:{blobId:r,timeInSeconds:o=1},step:s}){let c=await s(`fetch-blob`,async()=>e.storage.primary.getBlob(r));if(!c)throw Error(`Blob ${r} not found`);let l=await s(`download-blob`,async()=>e.storage.primary.downloadBlob(r));if(!l)throw Error(`Failed to download blob ${r}`);let u=null;if(c.contentType?.startsWith(`video/`))u=await s(`generate-video-preview`,async()=>new Promise((t,a)=>{try{let s=i(`ffmpeg`,[`-i`,`pipe:0`,`-ss`,o.toString(),`-frames:v`,`1`,`-f`,`image2pipe`,`-c:v`,`png`,`pipe:1`]),c=[],u=[];s.stdout.on(`data`,e=>{c.push(e)}),s.stderr.on(`data`,e=>{u.push(e)}),s.on(`close`,async i=>{if(i===0)try{t(await n(Buffer.concat(c)).jpeg({quality:80}).toBuffer())}catch(t){e.logger.error({error:t,blobId:r},`Failed to convert video frame to JPEG`),a(t)}else{let t=Buffer.concat(u).toString(),n=Error(`FFmpeg exited with code ${i}: ${t}`);e.logger.error({error:n,blobId:r,code:i,stderr:t},`Failed to generate video preview`),a(n)}}),s.on(`error`,t=>{e.logger.error({error:t,blobId:r},`Failed to spawn FFmpeg process`),a(t)}),s.stdin.on(`error`,t=>{t.code!==`EPIPE`&&e.logger.error({error:t,blobId:r},`Failed to write to FFmpeg stdin`)}),s.stdin.write(l),s.stdin.end()}catch(t){e.logger.error({error:t,blobId:r},`Failed to generate video preview`),a(t)}}));else if(c.contentType===`application/pdf`)u=await s(`generate-pdf-preview`,async()=>{try{let e=await import(`pdfjs-dist/legacy/build/pdf.mjs`),r=`${t(process.cwd(),`node_modules/pdfjs-dist/standard_fonts`)}/`,i=await(await e.getDocument({data:new Uint8Array(l),standardFontDataUrl:r}).promise).getPage(1),o=i.getViewport({scale:2}),s=a(o.width,o.height),c=s.getContext(`2d`);return await i.render({canvasContext:c,viewport:o,canvas:s}).promise,await n(s.toBuffer(`image/png`)).resize(800,800,{fit:`inside`,withoutEnlargement:!0}).jpeg({quality:85}).toBuffer()}catch(t){throw e.logger.error({error:t,errorMessage:t instanceof Error?t.message:String(t),errorStack:t instanceof Error?t.stack:void 0,errorCode:t?.code,blobId:r},`Failed to generate PDF preview`),t}});else if(c.contentType?.startsWith(`image/`))u=await s(`generate-image-preview`,async()=>await n(l).resize(800,800,{fit:`inside`,withoutEnlargement:!0}).jpeg({quality:85}).toBuffer());else throw Error(`Preview generation not supported for content type: ${c.contentType}`);let d=await s(`store-preview`,async()=>await e.storage.primary.createVariant(r,{preview:!0},u));return e.logger.info({blobId:r,previewId:d.id,contentType:c.contentType},`Preview generated`),d}});export{o as generatePreview};

package/dist/exports/cli/api/workflows/purge-attachment.mjs

@@ -0,0 +1 @@
+import{defineWorkflow as e}from"../workflow.mjs";import t from"zod";const n=e({input:t.object({attachmentIds:t.array(t.string()).min(1)}),async run({container:e,input:{attachmentIds:t},step:n}){let r=await n(`fetch-attachments`,async()=>(await e.storage.primary.getAttachmentsByIds(t)).filter(e=>e.blob!==null).map(e=>({attachmentId:e.id,blobId:e.blob.id})));return await n(`delete-attachments`,async()=>{for(let{attachmentId:t}of r)await e.storage.primary.deleteAttachment(t)}),await n(`delete-blobs`,async()=>{for(let{blobId:t}of r)await e.storage.primary.deleteBlob(t)}),e.logger.info({attachmentIds:t,blobCount:r.length},`Attachments and blobs purged`),{purgedCount:r.length}}});export{n as purgeAttachment};

package/dist/exports/cli/api/workflows/purge-audit-logs.mjs

@@ -0,0 +1 @@
+import{defineScheduledWorkflow as e}from"../workflow.mjs";import{defineAuthSchema as t}from"../auth-schema.mjs";import{lt as n}from"drizzle-orm";const r=t();function i(t=`0 0 * * *`){return e({crontab:t,async run({container:e,step:t,scheduledTime:i}){let a=e.auth.auditLog?.retentionDays??90,o=new Date(i);o.setDate(o.getDate()-a);let s=o.toISOString(),c=await t(`delete-old-logs`,async()=>{let{auditLogs:t}=r.tables;return(await e.db.primary.delete(t).where(n(t.createdAt,s)).returning({id:t.id})).length});e.logger.info({deletedCount:c,retentionDays:a,cutoffDate:s},`Audit log purge completed`)}})}export{i as definePurgeAuditLogs};

package/dist/exports/cli/api/workflows/purge-unattached-blobs.mjs

@@ -0,0 +1 @@
+import{defineScheduledWorkflow as e}from"../workflow.mjs";function t(t=`0 0 * * *`){return e({crontab:t,async run({container:e,step:t}){let n=new Date(Date.now()-2880*60*1e3).toISOString(),r=await t(`fetch-unattached-blobs`,async()=>e.storage.primary.getUnattachedBlobs({olderThan:n})),i=await t(`fetch-pending-blobs`,async()=>e.storage.primary.getPendingBlobs(n)),a=[...r,...i],o=0;for(let n of a)await t(`delete-blob`,async()=>{await e.storage.primary.deleteBlob(n.id),o++});e.logger.info({purgedCount:o,unattachedCount:r.length,pendingCount:i.length},`Orphaned blobs purged`)}})}export{t as definePurgeUnattachedBlobs};

package/dist/exports/cli/api/workflows/track-db-changes.mjs

@@ -0,0 +1 @@
+import{defineWorkflow as e}from"../workflow.mjs";import{defineAuthSchema as t}from"../auth-schema.mjs";import{dbChangesEvent as n}from"../event.mjs";import{z as r}from"zod";const i=t(),a=r.object({changes:r.array(r.object({_table:r.string(),old:r.record(r.string(),r.unknown()).nullable(),new:r.record(r.string(),r.unknown()).nullable()})),dbName:r.string(),organizationId:r.string().nullable(),requestId:r.string(),sessionId:r.string().nullable(),userId:r.string().nullable()});function o(e){return e.old===null?`INSERT`:e.new===null?`DELETE`:`UPDATE`}const s=e({input:a,async run({container:e,step:t,input:r}){let{dbName:a,changes:s,organizationId:c,userId:l,sessionId:u,requestId:d}=r;if(s.length===0)return{processed:0,audited:0,published:0};let f=new Date().toISOString(),p=0,m=0;for(let r of s){let s=r._table,h=o(r),g=`${a}.${s}`;e.auth.shouldAudit(g)&&(await t(`audit:${g}`,async()=>{await e.db.primary.insert(i.tables.auditLogs).values({tableName:g,action:h,oldData:r.old,newData:r.new,organizationId:c,userId:l,sessionId:u,requestId:d,createdAt:f})}),p++),await t(`event:${g}`,async()=>{await n.emit({action:h,oldData:r.old,newData:r.new,organizationId:c,tableName:g,timestamp:f,userId:l})}),m++}return{processed:s.length,audited:p,published:m}}});export{s as trackDbChanges};

package/dist/exports/cli/command.d.mts

@@ -0,0 +1,54 @@
+import { Container } from "./api/container.mjs";
+import { CommandContext } from "./context.mjs";
+import { z } from "zod";
+
+//#region src/cli/command.d.ts
+
+/**
+ * The command interface.
+ */
+interface Command<C extends Container, A = readonly unknown[], O = Record<string, unknown>> {
+  aliases: string[];
+  description: string;
+  args: z.ZodTuple<readonly [z.ZodTypeAny, ...z.ZodTypeAny[]], z.ZodTypeAny | null> | z.ZodArray<z.ZodTypeAny>;
+  opts: z.ZodObject<z.ZodRawShape>;
+  run: (ctx: CommandContext<C, A, O>) => Promise<void>;
+}
+/**
+ * Define a CLI command with type-safe arguments and options.
+ *
+ * The command name is automatically derived from the filename relative to the commands directory:
+ * - `<APPOS_DIR>/<COMMANDS_DIR>/db/push.ts` → `db:push`
+ * - `<APPOS_DIR>/<COMMANDS_DIR>/dev.ts` → `dev`
+ *
+ * Where:
+ * - `APPOS_DIR` defaults to "appos" (see constants.ts)
+ * - `COMMANDS_DIR` defaults to "commands" (see constants.ts)
+ *
+ * @example
+ * ```typescript
+ * // appos/commands/db/migrate.ts
+ * import { defineCommand } from "appos/cli";
+ * import { z } from "appos/zod";
+ *
+ * export default defineCommand({
+ *   description: "Run database migrations",
+ *   args: z.tuple([]),
+ *   opts: z.object({
+ *     dry: z.boolean().default(false)
+ *   }),
+ *   async run(args, opts, container) {
+ *     await container.db.primary.migrate({ dryRun: opts.dry });
+ *   }
+ * });
+ * ```
+ */
+declare function defineCommand<C extends Container = Container, ASchema extends z.ZodSchema<unknown> | undefined = undefined, OSchema extends z.ZodSchema<unknown> | undefined = undefined>(def: {
+  aliases?: string[];
+  description: string;
+  args: ASchema;
+  opts: OSchema;
+  run: (ctx: CommandContext<C, ASchema extends z.ZodSchema<infer A> ? A : readonly unknown[], OSchema extends z.ZodSchema<infer O> ? O : Record<string, unknown>>) => Promise<void>;
+}): Command<C, ASchema extends z.ZodSchema<infer A> ? A : readonly unknown[], OSchema extends z.ZodSchema<infer O> ? O : Record<string, unknown>>;
+//#endregion
+export { Command, defineCommand };

package/dist/exports/cli/command.mjs

@@ -0,0 +1 @@
+function e(e){return{aliases:e.aliases||[],description:e.description,args:e.args||[],opts:e.opts||{},run:e.run}}export{e as defineCommand};