appos 0.2.1 → 0.2.3-0

package/dist/exports/api/storage.d.mts

@@ -0,0 +1,506 @@
+import { StorageBlob, StorageRelationsConfig, StorageTables } from "./storage-schema.mjs";
+import { ImageTransformations, ResizeOptions, resizeSchema, transformationsSchema } from "./workflows/generate-image-variant.mjs";
+import { NodePgDatabase } from "drizzle-orm/node-postgres";
+import { Pool } from "pg";
+import { DriveManager } from "flydrive";
+import { FSDriverOptions } from "flydrive/drivers/fs/types";
+import { S3DriverOptions } from "flydrive/drivers/s3/types";
+
+//#region src/api/storage.d.ts
+
+/**
+ * Options for defining an S3 disk.
+ */
+interface DefineS3DiskOptions {
+  /**
+   * The S3 bucket name.
+   */
+  bucket: string;
+  /**
+   * Optional credentials. If not provided, uses default AWS credential chain.
+   */
+  credentials?: {
+    accessKeyId: string;
+    secretAccessKey: string;
+  };
+  /**
+   * Optional S3 endpoint for S3-compatible services (e.g., MinIO, LocalStack).
+   */
+  endpoint?: string;
+  /**
+   * The AWS region.
+   */
+  region: string;
+  /**
+   * Bucket visibility (private or public).
+   * @default "private"
+   */
+  visibility?: "private" | "public";
+}
+/**
+ * Creates an S3 disk configuration with common boilerplate handled.
+ *
+ * Algorithm:
+ * 1. Build base config with bucket, region, visibility
+ * 2. If endpoint provided, add endpoint + forcePathStyle
+ * 3. If credentials provided, add credentials object
+ *
+ * @example
+ * ```typescript
+ * defineS3Disk({
+ *   bucket: "my-bucket",
+ *   region: "us-east-1",
+ *   endpoint: "http://localhost:4566",
+ *   credentials: {
+ *     accessKeyId: "test",
+ *     secretAccessKey: "test",
+ *   },
+ * })
+ * ```
+ */
+declare function defineS3Disk(opts: DefineS3DiskOptions): S3DriverOptions;
+/**
+ * Database type with storage schema and relations.
+ */
+type DatabaseWithStorage = NodePgDatabase<StorageTables, StorageRelationsConfig> & {
+  $client: Pool;
+};
+/**
+ * Storage service configuration.
+ * @template TDisks - Record of disk configurations keyed by disk name
+ * @template TDb - Database type for table name extraction
+ * @template TAttachments - Mapping of table names to valid attachment names
+ */
+interface DefineStorageOptions<TDisks extends Record<string, FSDriverOptions | S3DriverOptions>, TDb extends NodePgDatabase<any, any> = DatabaseWithStorage, TAttachments extends Partial<Record<ExtractTableNames<TDb>, readonly string[]>> = Record<never, never>> {
+  /**
+   * Type-safe attachment name configuration.
+   * Maps table names to valid attachment names for that table.
+   *
+   * @example
+   * ```typescript
+   * attachments: {
+   *   users: ["avatar", "documents"] as const,
+   *   posts: ["images", "cover"] as const,
+   * }
+   * ```
+   */
+  attachments?: TAttachments;
+  /**
+   * The database instance with storage schema and relations.
+   */
+  database: TDb;
+  /**
+   * The default disk name.
+   */
+  default?: keyof TDisks;
+  /**
+   * The disk configurations.
+   */
+  disks?: TDisks;
+  /**
+   * Optional public endpoint for signed URLs (for S3 disks).
+   *
+   * If provided, signed URLs will use this endpoint to be browser-accessible.
+   */
+  publicEndpoint?: string;
+  /**
+   * Cron expression for unattached blob purge schedule.
+   * @default "0 0 * * *" (midnight daily)
+   */
+  purgeCron?: string;
+  /**
+   * Secret key for signing blob IDs. Required for signedId() / findSigned() methods.
+   */
+  secret?: string;
+}
+/**
+ * Type of the storage service instance.
+ */
+type Storage<TDisks extends Record<string, FSDriverOptions | S3DriverOptions> = Record<string, FSDriverOptions | S3DriverOptions>, TTableNames extends string = string, TAttachments extends Partial<Record<TTableNames, readonly string[]>> = Record<never, never>> = StorageService<Extract<keyof TDisks, string>, TTableNames, TAttachments>;
+/**
+ * Extract table names from a database type.
+ */
+type ExtractTableNames<TDb> = TDb extends NodePgDatabase<infer TTables, any> ? keyof TTables extends string ? keyof TTables : never : never;
+/**
+ * Define storage service with FlyDrive.
+ * @template TDisks - Record of disk configurations keyed by disk name
+ * @template TDb - Database type for table name extraction
+ * @template TAttachments - Mapping of table names to valid attachment names
+ */
+declare function defineStorage<TDisks extends Record<string, FSDriverOptions | S3DriverOptions>, TDb extends NodePgDatabase<any, any> = DatabaseWithStorage, TAttachments extends Partial<Record<ExtractTableNames<TDb>, readonly string[]>> = Record<never, never>>(opts: DefineStorageOptions<TDisks, TDb, TAttachments>): StorageService<Extract<keyof TDisks, string>, ExtractTableNames<TDb>, TAttachments>;
+/**
+ * Helper type to extract attachment name for a specific table.
+ */
+type AttachmentName<TAttachments extends Partial<Record<string, readonly string[]>>, TTable extends string> = TTable extends keyof TAttachments ? TAttachments[TTable] extends readonly (infer N)[] ? N : string : string;
+/**
+ * Storage service for blob operations.
+ *
+ * This service uses a dual-drive architecture when configured:
+ * - `drive`: For actual file operations (upload, delete, read) using internal endpoints
+ * - `signedUrlDrive`: For generating browser-accessible signed URLs with public endpoints
+ *
+ * This allows containers to use fast internal network for operations while
+ * generating URLs that work in end-user browsers.
+ *
+ * @template TDiskNames - Union of disk names (e.g., "private" | "public")
+ * @template TTableNames - Union of table names for type-safe attachment methods
+ * @template TAttachments - Mapping of table names to valid attachment names
+ */
+declare class StorageService<TDiskNames extends string = string, TTableNames extends string = string, TAttachments extends Partial<Record<TTableNames, readonly string[]>> = Record<never, never>> {
+  /**
+   * The drive manager for file operations.
+   */
+  readonly drive: DriveManager<any>;
+  /**
+   * The database instance with storage schema and relations.
+   */
+  readonly db: DatabaseWithStorage;
+  /**
+   * The default disk name.
+   */
+  readonly defaultDisk: TDiskNames;
+  /**
+   * Cron expression for unattached blob purge schedule.
+   *
+   * @default "0 0 * * *"
+   */
+  readonly purgeCron?: string;
+  /**
+   * Secret key for signing blob IDs.
+   */
+  readonly secret?: string;
+  /**
+   * Drive manager for generating signed URLs (public endpoint).
+   */
+  readonly signedUrlDrive: DriveManager<any>;
+  constructor(drive: DriveManager<any>, db: DatabaseWithStorage, defaultDisk: TDiskNames, signedUrlDrive: DriveManager<any>, purgeCron?: string, secret?: string);
+  /**
+   * Create a blob record and upload file.
+   */
+  createBlob(file: Buffer | Uint8Array, options: {
+    filename: string;
+    contentType?: string;
+    metadata?: Record<string, any>;
+    serviceName?: TDiskNames;
+    prefix?: string;
+  }): Promise<StorageBlob>;
+  /**
+   * Get blob by ID.
+   */
+  getBlob(id: string): Promise<StorageBlob | null>;
+  /**
+   * Download blob content.
+   */
+  downloadBlob(id: string): Promise<Buffer | null>;
+  /**
+   * Delete blob and its content.
+   */
+  deleteBlob(id: string): Promise<boolean>;
+  /**
+   * Get signed URL for blob. If blob is on public service, returns permanent
+   * URL instead.
+   */
+  getSignedUrl(id: string, options?: {
+    expiresIn?: number;
+    disposition?: "inline" | "attachment";
+    filename?: string;
+  }): Promise<string | null>;
+  /**
+   * Get permanent public URL (no expiration).
+   * Works for blobs on public storage service.
+   */
+  getPublicUrl(id: string): Promise<string | null>;
+  /**
+   * Create attachment between a record and blob.
+   *
+   * @param recordType - The table name (e.g., 'users')
+   * @param recordId - The record ID
+   * @param blobId - The blob ID to attach
+   * @param name - The attachment name (e.g., 'avatar')
+   * @param replaceExisting - If true, replaces existing attachment with same name (for one-to-one)
+   */
+  createAttachment(recordType: string, recordId: string, blobId: string, name: string, replaceExisting?: boolean): Promise<{
+    id: string;
+    createdAt: string;
+    name: string;
+    recordType: string;
+    recordId: string;
+    blobId: string;
+  }>;
+  /**
+   * Get attachments for a record with their associated blobs.
+   */
+  getAttachments(recordType: string, recordId: string, name?: string): Promise<{
+    id: string;
+    createdAt: string;
+    name: string;
+    recordType: string;
+    recordId: string;
+    blobId: string;
+    blob: {
+      id: string;
+      createdAt: string;
+      key: string;
+      metadata: unknown;
+      filename: string;
+      contentType: string | null;
+      serviceName: string;
+      byteSize: number;
+      checksum: string | null;
+    } | null;
+  }[]>;
+  /**
+   * Get attachments by their IDs with associated blobs.
+   *
+   * @param attachmentIds - Array of attachment IDs to fetch.
+   */
+  getAttachmentsByIds(attachmentIds: string[]): Promise<{
+    id: string;
+    createdAt: string;
+    name: string;
+    recordType: string;
+    recordId: string;
+    blobId: string;
+    blob: {
+      id: string;
+      createdAt: string;
+      key: string;
+      metadata: unknown;
+      filename: string;
+      contentType: string | null;
+      serviceName: string;
+      byteSize: number;
+      checksum: string | null;
+    } | null;
+  }[]>;
+  /**
+   * Delete a single attachment by ID.
+   */
+  deleteAttachment(attachmentId: string): Promise<boolean>;
+  /**
+   * Delete attachments for a record (without deleting the blobs).
+   */
+  deleteAttachments(recordType: string, recordId: string, name?: string): Promise<number>;
+  /**
+   * Get direct upload credentials (for S3). Also creates a pending blob record
+   * that will be finalized after upload.
+   */
+  getDirectUploadUrl(options: {
+    contentType?: string;
+    expiresIn?: number;
+    filename: string;
+    metadata?: Record<string, any>;
+    serviceName?: TDiskNames;
+  }): Promise<{
+    blobId: string;
+    headers?: Record<string, string>;
+    key: string;
+    url: string;
+  } | null>;
+  /**
+   * Finalize a direct upload by updating blob metadata. Call this after the
+   * client has uploaded to S3.
+   */
+  finalizeDirectUpload(blobId: string, actualSize: number): Promise<void>;
+  /**
+   * Update blob metadata (for automatic extraction).
+   */
+  updateBlobMetadata(blobId: string, metadata: Record<string, any>): Promise<void>;
+  /**
+   * Get existing variant or return null.
+   */
+  getVariant(blobId: string, transformations: ImageTransformations): Promise<StorageBlob | null>;
+  /**
+   * Create variant blob and record.
+   */
+  createVariant(blobId: string, transformations: ImageTransformations, variantBuffer: Buffer): Promise<StorageBlob>;
+  /**
+   * Get blobs that have no attachments (orphaned). Useful for cleanup jobs.
+   */
+  getUnattachedBlobs(options?: {
+    olderThan?: string;
+    limit?: number;
+  }): Promise<StorageBlob[]>;
+  /**
+   * Get pending blobs that were never finalized (stuck direct uploads).
+   */
+  getPendingBlobs(olderThan?: string): Promise<StorageBlob[]>;
+  /**
+   * Purge unattached blobs.
+   */
+  purgeUnattached(olderThan?: string): Promise<number>;
+  /**
+   * Create a signed, tamper-proof reference to a blob.
+   * Use findSigned() to resolve back to blob.
+   *
+   * Algorithm:
+   * 1. Create payload with blobId and expiration timestamp
+   * 2. JSON stringify and base64url encode the payload
+   * 3. Create HMAC-SHA256 signature of the encoded payload
+   * 4. Return payload.signature format
+   */
+  signedId(blobId: string, expiresIn?: number): string;
+  /**
+   * Find blob by signed ID. Returns null if invalid or expired.
+   * Uses constant-time comparison to prevent timing attacks.
+   *
+   * Algorithm:
+   * 1. Split signed ID into payload and signature
+   * 2. Decode and recompute expected signature
+   * 3. Use timingSafeEqual for constant-time comparison
+   * 4. Check expiration timestamp
+   * 5. Return blob if valid, null otherwise
+   */
+  findSigned(signedId: string): Promise<StorageBlob | null>;
+  /**
+   * Get a single attachment handle (one-to-one relationship).
+   * Similar to Rails' `has_one_attached :avatar`.
+   *
+   * Algorithm:
+   * Returns an object with methods to manage a single attachment:
+   * - attach(): Replace existing attachment with new blob
+   * - get(): Get attached blob or null
+   * - url(): Get signed URL
+   * - variant(): Get/generate image variant
+   * - purge(): Delete attachment and blob
+   *
+   * @template TTable - The table name (must be in TTableNames)
+   */
+  one<TTable extends TTableNames>(recordType: TTable, recordId: string, name: AttachmentName<TAttachments, TTable>): {
+    /**
+     * Attach a blob to this record (replaces existing).
+     * Auto-triggers extractBlobMetadata workflow.
+     */
+    attach(blobId: string): Promise<{
+      id: string;
+      createdAt: string;
+      name: string;
+      recordType: string;
+      recordId: string;
+      blobId: string;
+    }>;
+    /** Get the attached blob or null. */
+    get(): Promise<StorageBlob | null>;
+    /** Check if a blob is attached. */
+    attached(): Promise<boolean>;
+    /** Get signed URL or null. */
+    url(options?: {
+      expiresIn?: number;
+      disposition?: "inline" | "attachment";
+    }): Promise<string | null>;
+    /** Get permanent public URL or null. */
+    publicUrl(): Promise<string | null>;
+    /** Get blob metadata or null. */
+    metadata(): Promise<Record<string, unknown> | null>;
+    /** Check if metadata has been extracted. */
+    analyzed(): Promise<boolean>;
+    /** Check if blob supports preview/variant generation. */
+    representable(): Promise<boolean>;
+    /**
+     * Get variant URL. Auto-enqueues generation if not ready.
+     * Returns URL if variant exists, null if generating.
+     */
+    variant(transformations: ImageTransformations, expiresIn?: number): Promise<string | null>;
+    /**
+     * Get preview URL. Auto-enqueues generation if not ready.
+     * Returns URL if preview exists, null if generating.
+     */
+    preview(expiresIn?: number, timeInSeconds?: number): Promise<string | null>;
+    /** Detach blob from record (keeps blob for reuse). */
+    detach(): Promise<boolean>;
+    /** Delete attachment AND blob immediately. */
+    purge(): Promise<boolean>;
+    /** Enqueue attachment and blob deletion in background. */
+    purgeLater(): Promise<boolean>;
+    /** Download blob content as Buffer. */
+    download(): Promise<Buffer | null>;
+    /** Download to temp file, run callback, auto-cleanup. */
+    open<T>(callback: (filePath: string) => Promise<T> | T): Promise<T | null>;
+    /**
+     * Smart representation - variant for images, preview for videos/PDFs.
+     * Auto-enqueues generation if not ready.
+     */
+    representation(transformations: ImageTransformations, expiresIn?: number): Promise<string | null>;
+    /** Get blob's byte size. */
+    byteSize(): Promise<number | null>;
+    /** Get blob's content type. */
+    contentType(): Promise<string | null>;
+    /** Get blob's filename. */
+    filename(): Promise<string | null>;
+    /** Get signed, tamper-proof ID for the blob. */
+    signedId(expiresIn?: number): Promise<string | null>;
+  };
+  /**
+   * Get a multiple attachment handle (one-to-many relationship).
+   * Similar to Rails' `has_many_attached :images`.
+   *
+   * Algorithm:
+   * Returns an object with methods to manage multiple attachments:
+   * - attach(): Add blobs (doesn't replace existing)
+   * - list(): Get all attached blobs
+   * - urls(): Get signed URLs for all
+   * - variants(): Get/generate variants for all
+   * - purge(): Delete all or specific attachment
+   *
+   * @template TTable - The table name (must be in TTableNames)
+   */
+  many<TTable extends TTableNames>(recordType: TTable, recordId: string, name: AttachmentName<TAttachments, TTable>): {
+    /**
+     * Attach one or more blobs (adds to existing, doesn't replace).
+     * Auto-triggers extractBlobMetadata for each blob.
+     */
+    attach(blobIds: string | string[]): Promise<{
+      id: string;
+      createdAt: string;
+      name: string;
+      recordType: string;
+      recordId: string;
+      blobId: string;
+    }[]>;
+    /** Get all attached blobs. */
+    list(): Promise<StorageBlob[]>;
+    /** Count attached blobs. */
+    count(): Promise<number>;
+    /** Get signed URLs for all blobs. */
+    urls(options?: {
+      expiresIn?: number;
+    }): Promise<string[]>;
+    /** Get public URLs for all blobs. */
+    publicUrls(): Promise<(string | null)[]>;
+    /** Get metadata for all blobs. */
+    metadata(): Promise<(Record<string, unknown> | null)[]>;
+    /** Check which blobs have been analyzed. */
+    analyzed(): Promise<boolean[]>;
+    /** Check which blobs support preview/variants. */
+    representable(): Promise<boolean[]>;
+    /** Get variant URLs for all blobs. Auto-enqueues if not ready. */
+    variants(transformations: ImageTransformations, expiresIn?: number): Promise<(string | null)[]>;
+    /** Get preview URLs for all blobs. Auto-enqueues if not ready. */
+    previews(expiresIn?: number, timeInSeconds?: number): Promise<(string | null)[]>;
+    /** Detach specific blob or all blobs (keeps blobs for reuse). */
+    detach(blobId?: string): Promise<number>;
+    /** Delete specific or all attachments AND blobs immediately. */
+    purge(blobId?: string): Promise<number>;
+    /** Enqueue specific or all attachments for background deletion. */
+    purgeLater(blobId?: string): Promise<number>;
+    /** Download all blobs as Buffers. */
+    download(): Promise<Buffer[]>;
+    /** Download each blob to temp file, run callback for each. */
+    open<T>(callback: (filePath: string, blob: StorageBlob) => Promise<T> | T): Promise<T[]>;
+    /**
+     * Smart representations - variant for images, preview for videos/PDFs.
+     * Auto-enqueues generation if not ready.
+     */
+    representations(transformations: ImageTransformations, expiresIn?: number): Promise<(string | null)[]>;
+    /** Get byte sizes for all blobs. */
+    byteSizes(): Promise<number[]>;
+    /** Get content types for all blobs. */
+    contentTypes(): Promise<(string | null)[]>;
+    /** Get filenames for all blobs. */
+    filenames(): Promise<string[]>;
+    /** Get signed IDs for all blobs. */
+    signedIds(expiresIn?: number): Promise<string[]>;
+  };
+}
+//#endregion
+export { DatabaseWithStorage, DefineS3DiskOptions, DefineStorageOptions, Storage, StorageService, defineS3Disk, defineStorage };

package/dist/exports/api/storage.mjs

@@ -0,0 +1 @@
+import{orm_exports as e}from"./orm.mjs";import{extractBlobMetadata as t}from"./workflows/extract-blob-metadata.mjs";import{generateImageVariant as n,resizeSchema as r,transformationsSchema as i}from"./workflows/generate-image-variant.mjs";import{generatePreview as a}from"./workflows/generate-preview.mjs";import{purgeAttachment as o}from"./workflows/purge-attachment.mjs";import{join as s}from"node:path";import{mkdtemp as c,rm as l,writeFile as u}from"node:fs/promises";import{createHash as d,createHmac as f,randomBytes as p,timingSafeEqual as m}from"node:crypto";import{tmpdir as h}from"node:os";import{DriveManager as g}from"flydrive";import{FSDriver as _}from"flydrive/drivers/fs";import{S3Driver as v}from"flydrive/drivers/s3";function y(e){return{bucket:e.bucket,region:e.region,visibility:e.visibility??`private`,...e.endpoint&&{endpoint:e.endpoint,forcePathStyle:!0},...e.credentials&&{credentials:e.credentials}}}function b(e){return d(`md5`).update(e).digest(`hex`)}function x(e,t){return`variants/${e}/${d(`sha256`).update(JSON.stringify({blobId:e,transformations:t})).digest(`hex`)}`}function S(e){let t=`${Date.now()}-${p(16).toString(`hex`)}`;return e?`${e}/${t}`:t}function C(e){if(!e.default)throw Error(`Storage: 'default' disk must be specified`);if(!e.disks||Object.keys(e.disks).length===0)throw Error(`Storage: At least one disk must be configured`);let t=e.default,n={},r={};for(let[t,i]of Object.entries(e.disks)){let a=i;if(`driver`in a)if(a.driver===`fs`){let e=()=>new _(a);n[t]=e,r[t]=e}else a.driver===`s3`&&(n[t]=()=>new v(a),e.publicEndpoint?r[t]=()=>new v({...a,endpoint:e.publicEndpoint}):r[t]=()=>new v(a));else if(`location`in a){let e=()=>new _(a);n[t]=e,r[t]=e}else if(`bucket`in a)if(n[t]=()=>new v(a),e.publicEndpoint){let n={...a,endpoint:e.publicEndpoint};r[t]=()=>new v(n)}else r[t]=()=>new v(a)}let i=new g({default:t,services:n}),a=new g({default:t,services:r});return new w(i,e.database,t,a,e.purgeCron,e.secret)}var w=class{drive;db;defaultDisk;purgeCron;secret;signedUrlDrive;constructor(e,t,n,r,i,a){this.drive=e,this.db=t,this.defaultDisk=n,this.signedUrlDrive=r,this.purgeCron=i,this.secret=a}async createBlob(e,t){let n=S(t.prefix),r=Buffer.from(e),i=b(r),a=t.serviceName||this.defaultDisk;await(t.serviceName?this.drive.use(t.serviceName):this.drive.use()).put(n,r,{contentType:t.contentType});let[o]=await this.db.insert(this.db._.fullSchema.storageBlobs).values({key:n,filename:t.filename,contentType:t.contentType,metadata:t.metadata,serviceName:a,byteSize:r.byteLength,checksum:i}).returning();return o}async getBlob(t){let[n]=await this.db.select().from(this.db._.fullSchema.storageBlobs).where((0,e.eq)(this.db._.fullSchema.storageBlobs.id,t));return n||null}async downloadBlob(e){let t=await this.getBlob(e);if(!t)return null;let n=await this.drive.use(t.serviceName).getBytes(t.key);return Buffer.from(n)}async deleteBlob(t){let n=await this.getBlob(t);return n?(await this.drive.use(n.serviceName).delete(n.key),await this.db.delete(this.db._.fullSchema.storageBlobs).where((0,e.eq)(this.db._.fullSchema.storageBlobs.id,t)),!0):!1}async getSignedUrl(e,t={}){let n=await this.getBlob(e);if(!n)return null;if(n.serviceName===`public`)return this.getPublicUrl(e);let r=this.signedUrlDrive.use(n.serviceName);try{let e={expiresIn:t.expiresIn||3600};if(t.disposition){let r=t.filename||n.filename;e.contentDisposition=t.disposition===`attachment`?`attachment; filename="${r}"`:`inline; filename="${r}"`}return await r.getSignedUrl(n.key,e)}catch{let e=`/storage/${n.id}`;return t.disposition?`${e}?${new URLSearchParams({disposition:t.disposition,...t.filename&&{filename:t.filename}}).toString()}`:e}}async getPublicUrl(e){let t=await this.getBlob(e);if(!t)return null;let n=this.drive.use(t.serviceName);if(t.serviceName===`public`)try{if(`getUrl`in n&&typeof n.getUrl==`function`)return await n.getUrl(t.key)}catch{}return`/storage/${t.id}`}async createAttachment(t,n,r,i,a=!1){if(a){let a=`${t}:${n}:${i}`,o=Array.from(a).reduce((e,t)=>(e<<5)-e+t.charCodeAt(0)|0,0);return await this.db.transaction(async a=>{await a.execute(e.sql`SELECT pg_advisory_xact_lock(${o})`),await a.delete(this.db._.fullSchema.storageAttachments).where((0,e.and)((0,e.eq)(this.db._.fullSchema.storageAttachments.recordType,t),(0,e.eq)(this.db._.fullSchema.storageAttachments.recordId,n),(0,e.eq)(this.db._.fullSchema.storageAttachments.name,i)));let[s]=await a.insert(this.db._.fullSchema.storageAttachments).values({recordType:t,recordId:n,blobId:r,name:i}).returning();return s})}let[o]=await this.db.insert(this.db._.fullSchema.storageAttachments).values({recordType:t,recordId:n,blobId:r,name:i}).returning();return o}async getAttachments(e,t,n){return this.db.query.storageAttachments.findMany({where:{recordType:e,recordId:t,...n&&{name:n}},with:{blob:!0}})}async getAttachmentsByIds(e){return e.length===0?[]:this.db.query.storageAttachments.findMany({where:{id:{in:e}},with:{blob:!0}})}async deleteAttachment(t){return((await this.db.delete(this.db._.fullSchema.storageAttachments).where((0,e.eq)(this.db._.fullSchema.storageAttachments.id,t))).rowCount??0)>0}async deleteAttachments(t,n,r){let i=r?(0,e.and)((0,e.eq)(this.db._.fullSchema.storageAttachments.recordType,t),(0,e.eq)(this.db._.fullSchema.storageAttachments.recordId,n),(0,e.eq)(this.db._.fullSchema.storageAttachments.name,r)):(0,e.and)((0,e.eq)(this.db._.fullSchema.storageAttachments.recordType,t),(0,e.eq)(this.db._.fullSchema.storageAttachments.recordId,n));return(await this.db.delete(this.db._.fullSchema.storageAttachments).where(i)).rowCount??0}async getDirectUploadUrl(e){let t=e.serviceName||this.defaultDisk,n=this.drive.use(t);try{let r=S();if(`putSignedUrl`in n){let i=await n.putSignedUrl(r,{expiresIn:e.expiresIn||3600,contentType:e.contentType}),[a]=await this.db.insert(this.db._.fullSchema.storageBlobs).values({key:r,filename:e.filename,contentType:e.contentType,metadata:{...e.metadata,pending:!0},serviceName:t,byteSize:0,checksum:``}).returning();return{url:i,key:r,blobId:a.id,headers:{"Content-Type":e.contentType||`application/octet-stream`}}}}catch{}return null}async finalizeDirectUpload(t,n){let r=await this.getBlob(t);if(!r)throw Error(`Blob ${t} not found`);let i=r.metadata&&typeof r.metadata==`object`?{...r.metadata}:{};delete i.pending,await this.db.update(this.db._.fullSchema.storageBlobs).set({byteSize:n,metadata:i}).where((0,e.eq)(this.db._.fullSchema.storageBlobs.id,t))}async updateBlobMetadata(t,n){let r=await this.getBlob(t);if(!r)throw Error(`Blob ${t} not found`);let i={...r.metadata&&typeof r.metadata==`object`?r.metadata:{},...n};await this.db.update(this.db._.fullSchema.storageBlobs).set({metadata:i}).where((0,e.eq)(this.db._.fullSchema.storageBlobs.id,t))}async getVariant(e,t){let n=d(`sha256`).update(JSON.stringify(t)).digest(`hex`),[r]=await this.db.query.storageVariantRecords.findMany({where:{blobId:e,variationDigest:n},with:{blob:!0},limit:1});return r?.blob||null}async createVariant(e,t,n){let r=await this.getBlob(e);if(!r)throw Error(`Blob ${e} not found`);let i=x(e,t),a=b(n);await this.drive.use(r.serviceName).put(i,n,{contentType:r.contentType||`application/octet-stream`});let[o]=await this.db.insert(this.db._.fullSchema.storageBlobs).values({key:i,filename:r.filename,contentType:r.contentType,metadata:{sourceBlob:e,transformations:t},serviceName:r.serviceName,byteSize:n.byteLength,checksum:a}).returning(),s=d(`sha256`).update(JSON.stringify(t)).digest(`hex`);return await this.db.insert(this.db._.fullSchema.storageVariantRecords).values({blobId:e,variationDigest:s,id:o.id}),o}async getUnattachedBlobs(t={}){let n=t.olderThan||new Date(Date.now()-2880*60*1e3).toISOString(),r=t.limit||1e3;return(await this.db.select({blob:this.db._.fullSchema.storageBlobs}).from(this.db._.fullSchema.storageBlobs).leftJoin(this.db._.fullSchema.storageAttachments,(0,e.eq)(this.db._.fullSchema.storageBlobs.id,this.db._.fullSchema.storageAttachments.blobId)).where((0,e.and)((0,e.isNull)(this.db._.fullSchema.storageAttachments.id),(0,e.lt)(this.db._.fullSchema.storageBlobs.createdAt,n))).limit(r)).map(e=>e.blob)}async getPendingBlobs(t=new Date(Date.now()-1440*60*1e3).toISOString()){return await this.db.select().from(this.db._.fullSchema.storageBlobs).where((0,e.and)((0,e.lt)(this.db._.fullSchema.storageBlobs.createdAt,t),e.sql`${this.db._.fullSchema.storageBlobs.metadata}->>'pending' = 'true'`))}async purgeUnattached(e){let t=await this.getUnattachedBlobs({olderThan:e}),n=0;for(let e of t)try{await this.deleteBlob(e.id),n++}catch(t){console.error(`Failed to purge blob ${e.id}:`,t)}return n}signedId(e,t=3600){if(!this.secret)throw Error(`Storage secret not configured`);let n={blobId:e,exp:Math.floor(Date.now()/1e3)+t},r=JSON.stringify(n),i=f(`sha256`,this.secret).update(r).digest(`base64url`);return`${Buffer.from(r).toString(`base64url`)}.${i}`}async findSigned(e){if(!this.secret)throw Error(`Storage secret not configured`);try{let[t,n]=e.split(`.`);if(!t||!n)return null;let r=Buffer.from(t,`base64url`).toString(),i=f(`sha256`,this.secret).update(r).digest(`base64url`),a=Buffer.from(n,`base64url`),o=Buffer.from(i,`base64url`);if(a.length!==o.length||!m(a,o))return null;let s=JSON.parse(r);return s.exp&&s.exp<Math.floor(Date.now()/1e3)?null:this.getBlob(s.blobId)}catch{return null}}one(e,r,i){let d=this,f=i;return{async attach(n){if(!await d.getBlob(n))throw Error(`Blob ${n} not found`);let i=await d.createAttachment(e,r,n,f,!0);return await t.start({blobId:n}),i},async get(){return(await d.getAttachments(e,r,f))[0]?.blob??null},async attached(){return await this.get()!==null},async url(e){let t=await this.get();return t?d.getSignedUrl(t.id,e):null},async publicUrl(){let e=await this.get();return e?d.getPublicUrl(e.id):null},async metadata(){return(await this.get())?.metadata??null},async analyzed(){return(await this.metadata())?.analyzed===!0},async representable(){let e=await this.get();return e?.contentType?[`image/`,`video/`,`application/pdf`].some(t=>e.contentType?.startsWith(t)):!1},async variant(e,t=3600){let r=await this.get();if(!r)return null;let i=await d.getVariant(r.id,e);return i?d.getSignedUrl(i.id,{expiresIn:t}):(await n.start({blobId:r.id,transformations:e}),null)},async preview(e=3600,t=1){let n=await this.get();if(!n)return null;let r=await d.getVariant(n.id,{preview:!0});return r?d.getSignedUrl(r.id,{expiresIn:e}):(await a.start({blobId:n.id,timeInSeconds:t}),null)},async detach(){return await d.deleteAttachments(e,r,f)>0},async purge(){let t=await d.getAttachments(e,r,f);if(t.length===0)return!1;let n=t[0].blob;return n?(await d.deleteAttachments(e,r,f),await d.deleteBlob(n.id),!0):!1},async purgeLater(){let t=await d.getAttachments(e,r,f);return t.length===0?!1:(await o.start({attachmentIds:[t[0].id]}),!0)},async download(){let e=await this.get();return e?d.downloadBlob(e.id):null},async open(e){let t=await this.get();if(!t)return null;let n=await d.downloadBlob(t.id);if(!n)return null;let r=await c(s(h(),`attachment-`)),i=s(r,t.filename);try{return await u(i,n),await e(i)}finally{await l(r,{recursive:!0,force:!0})}},async representation(e,t=3600){let n=await this.get();return n?n.contentType?.startsWith(`image/`)?this.variant(e,t):this.preview(t):null},async byteSize(){return(await this.get())?.byteSize??null},async contentType(){return(await this.get())?.contentType??null},async filename(){return(await this.get())?.filename??null},async signedId(e=3600){let t=await this.get();return t?d.signedId(t.id,e):null}}}many(e,r,i){let d=this,f=i;return{async attach(n){let i=Array.isArray(n)?n:[n],a=await Promise.all(i.map(e=>d.getBlob(e))),o=i.filter((e,t)=>!a[t]);if(o.length>0)throw Error(`Blobs not found: ${o.join(`, `)}`);let s=await Promise.all(i.map(t=>d.createAttachment(e,r,t,f)));return await Promise.all(i.map(e=>t.start({blobId:e}))),s},async list(){return(await d.getAttachments(e,r,f)).map(e=>e.blob).filter(e=>e!==null)},async count(){return(await this.list()).length},async urls(e){let t=await this.list();return(await Promise.all(t.map(t=>d.getSignedUrl(t.id,e)))).filter(e=>e!==null)},async publicUrls(){let e=await this.list();return Promise.all(e.map(e=>d.getPublicUrl(e.id)))},async metadata(){return(await this.list()).map(e=>e.metadata??null)},async analyzed(){return(await this.metadata()).map(e=>e?.analyzed===!0)},async representable(){return(await this.list()).map(e=>e.contentType?[`image/`,`video/`,`application/pdf`].some(t=>e.contentType?.startsWith(t)):!1)},async variants(e,t=3600){let r=await this.list();return Promise.all(r.map(async r=>{let i=await d.getVariant(r.id,e);return i?d.getSignedUrl(i.id,{expiresIn:t}):(await n.start({blobId:r.id,transformations:e}),null)}))},async previews(e=3600,t=1){let n=await this.list();return Promise.all(n.map(async n=>{let r=await d.getVariant(n.id,{preview:!0});return r?d.getSignedUrl(r.id,{expiresIn:e}):(await a.start({blobId:n.id,timeInSeconds:t}),null)}))},async detach(t){if(t){let n=(await d.getAttachments(e,r,f)).find(e=>e.blob?.id===t);return n?(await d.deleteAttachment(n.id),1):0}return d.deleteAttachments(e,r,f)},async purge(t){let n=await d.getAttachments(e,r,f);if(t){let e=n.find(e=>e.blob?.id===t);return e?(await d.deleteAttachment(e.id),await d.deleteBlob(t),1):0}let i=0;for(let e of n)await d.deleteAttachment(e.id),e.blob&&(await d.deleteBlob(e.blob.id),i++);return i},async purgeLater(t){let n=await d.getAttachments(e,r,f);if(t){let e=n.find(e=>e.blob?.id===t);return e?(await o.start({attachmentIds:[e.id]}),1):0}return n.length>0&&await o.start({attachmentIds:n.map(e=>e.id)}),n.length},async download(){let e=await this.list(),t=[];for(let n of e){let e=await d.downloadBlob(n.id);e&&t.push(e)}return t},async open(e){let t=await this.list(),n=[];for(let r of t){let t=await d.downloadBlob(r.id);if(!t)continue;let i=await c(s(h(),`attachment-`)),a=s(i,r.filename);try{await u(a,t),n.push(await e(a,r))}finally{await l(i,{recursive:!0,force:!0})}}return n},async representations(e,t=3600){let r=await this.list();return Promise.all(r.map(async r=>{if(r.contentType?.startsWith(`image/`)){let i=await d.getVariant(r.id,e);return i?d.getSignedUrl(i.id,{expiresIn:t}):(await n.start({blobId:r.id,transformations:e}),null)}let i=await d.getVariant(r.id,{preview:!0});return i?d.getSignedUrl(i.id,{expiresIn:t}):(await a.start({blobId:r.id}),null)}))},async byteSizes(){return(await this.list()).map(e=>e.byteSize)},async contentTypes(){return(await this.list()).map(e=>e.contentType)},async filenames(){return(await this.list()).map(e=>e.filename)},async signedIds(e=3600){return(await this.list()).map(t=>d.signedId(t.id,e))}}}};export{w as StorageService,y as defineS3Disk,C as defineStorage};