boltstore 0.5.2 → 0.6.0

package/dist/admin/oauth/handler.d.ts

@@ -0,0 +1,5 @@
+import { DatabasePool } from "../../db/pool";
+import { type AuthConfig, type TokenPair } from "../../auth";
+export declare function getAuthorizationUrl(provider: string, redirectUri: string): string;
+export declare function authenticateWithOAuth(pool: DatabasePool, provider: string, code: string, redirectUri: string, authConfig: AuthConfig): Promise<TokenPair>;
+//# sourceMappingURL=handler.d.ts.map

package/dist/admin/oauth/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/admin/oauth/handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAA0B,KAAK,UAAU,EAAE,KAAK,SAAS,EAAa,MAAM,YAAY,CAAC;AAIhG,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,GAClB,MAAM,CAoBR;AAED,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,YAAY,EAClB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,EACnB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,SAAS,CAAC,CAyCpB"}

package/dist/admin/oauth/handler.js

@@ -0,0 +1,37 @@
+import { createTokenPairForUser } from "../../auth";
+import { getProviders, getProviderEnvConfig } from "./registry";
+import { findOrCreateOAuthUser } from "./user";
+export function getAuthorizationUrl(provider, redirectUri) {
+    const providers = getProviders();
+    const handler = providers.get(provider.toLowerCase());
+    if (!handler) {
+        throw Object.assign(new Error(`OAuth provider "${provider}" is not configured. Supported: ${[...providers.keys()].join(", ") || "none"}`), { status: 400 });
+    }
+    if (!redirectUri || typeof redirectUri !== "string") {
+        throw Object.assign(new Error("Query parameter 'redirect_uri' is required."), { status: 400 });
+    }
+    const providerConfig = getProviderEnvConfig(provider);
+    return handler.getAuthUrl(redirectUri, providerConfig);
+}
+export async function authenticateWithOAuth(pool, provider, code, redirectUri, authConfig) {
+    const providers = getProviders();
+    const handler = providers.get(provider.toLowerCase());
+    if (!handler) {
+        throw Object.assign(new Error(`OAuth provider "${provider}" is not configured.`), { status: 400 });
+    }
+    if (!code || typeof code !== "string") {
+        throw Object.assign(new Error("Field 'code' is required."), { status: 400 });
+    }
+    if (!redirectUri || typeof redirectUri !== "string") {
+        throw Object.assign(new Error("Field 'redirect_uri' is required."), { status: 400 });
+    }
+    const providerConfig = getProviderEnvConfig(provider);
+    const accessToken = await handler.exchangeCode(code, redirectUri, providerConfig);
+    const profile = await handler.fetchProfile(accessToken);
+    const user = await findOrCreateOAuthUser(pool, profile);
+    if (user.oauth_only === 1 && !user.password_set) {
+        throw Object.assign(new Error("OAuth account requires a password reset before first login. Use PATCH /api/:database/auth/me to set a password."), { status: 403, code: "OAUTH_PASSWORD_RESET_REQUIRED" });
+    }
+    return createTokenPairForUser(pool, user, authConfig);
+}
+//# sourceMappingURL=handler.js.map

package/dist/admin/oauth/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/admin/oauth/handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,sBAAsB,EAA8C,MAAM,YAAY,CAAC;AAChG,OAAO,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,QAAQ,CAAC;AAE/C,MAAM,UAAU,mBAAmB,CACjC,QAAgB,EAChB,WAAmB;IAEnB,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;IAEtD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,mBAAmB,QAAQ,mCAAmC,CAAC,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,EAAE,CAAC,EACrH,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;QACpD,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,6CAA6C,CAAC,EACxD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;IACtD,OAAO,OAAO,CAAC,UAAU,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;AACzD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,IAAkB,EAClB,QAAgB,EAChB,IAAY,EACZ,WAAmB,EACnB,UAAsB;IAEtB,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;IAEtD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,mBAAmB,QAAQ,sBAAsB,CAAC,EAC5D,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,2BAA2B,CAAC,EACtC,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;QACpD,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,mCAAmC,CAAC,EAC9C,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;IAEtD,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;IAElF,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;IAExD,MAAM,IAAI,GAAG,MAAM,qBAAqB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAExD,IAAI,IAAI,CAAC,UAAU,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAChD,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,iHAAiH,CAAC,EAC5H,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,+BAA+B,EAAE,CACvD,CAAC;IACJ,CAAC;IAED,OAAO,sBAAsB,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;AACxD,CAAC"}

package/dist/admin/oauth/index.d.ts

@@ -0,0 +1,5 @@
+export * from "./types";
+export * from "./registry";
+export * from "./handler";
+export * from "./user";
+//# sourceMappingURL=index.d.ts.map

package/dist/admin/oauth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/admin/oauth/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAC1B,cAAc,QAAQ,CAAC"}

package/dist/admin/oauth/index.js

@@ -0,0 +1,5 @@
+export * from "./types";
+export * from "./registry";
+export * from "./handler";
+export * from "./user";
+//# sourceMappingURL=index.js.map

package/dist/admin/oauth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/admin/oauth/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAC1B,cAAc,QAAQ,CAAC"}

package/dist/admin/oauth/registry.d.ts

@@ -0,0 +1,16 @@
+import { OAuthProviderConfig } from "./types";
+type ProviderHandler = {
+    name: string;
+    scopes: string;
+    getAuthUrl(redirectUri: string, config: OAuthProviderConfig): string;
+    exchangeCode(code: string, redirectUri: string, config: OAuthProviderConfig): Promise<string>;
+    fetchProfile(accessToken: string): Promise<{
+        id: string;
+        email: string;
+        name?: string;
+    }>;
+};
+export declare function getProviders(): Map<string, ProviderHandler>;
+export declare function getProviderEnvConfig(provider: string): OAuthProviderConfig;
+export {};
+//# sourceMappingURL=registry.d.ts.map

package/dist/admin/oauth/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../../src/admin/oauth/registry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAI9C,KAAK,eAAe,GAAG;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,mBAAmB,GAAG,MAAM,CAAC;IACrE,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9F,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC1F,CAAC;AAEF,wBAAgB,YAAY,IAAI,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAsB3D;AAED,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,mBAAmB,CA0B1E"}

package/dist/admin/oauth/registry.js

@@ -0,0 +1,37 @@
+import { googleProvider } from "./google";
+import { githubProvider } from "./github";
+export function getProviders() {
+    const providers = new Map();
+    const googleConfig = {
+        clientId: Bun.env.GOOGLE_CLIENT_ID,
+        clientSecret: Bun.env.GOOGLE_CLIENT_SECRET,
+    };
+    if (googleConfig.clientId && googleConfig.clientSecret) {
+        providers.set("google", googleProvider);
+    }
+    const githubConfig = {
+        clientId: Bun.env.GITHUB_CLIENT_ID,
+        clientSecret: Bun.env.GITHUB_CLIENT_SECRET,
+    };
+    if (githubConfig.clientId && githubConfig.clientSecret) {
+        providers.set("github", githubProvider);
+    }
+    return providers;
+}
+export function getProviderEnvConfig(provider) {
+    const lower = provider.toLowerCase();
+    if (lower === "google") {
+        if (!Bun.env.GOOGLE_CLIENT_ID || !Bun.env.GOOGLE_CLIENT_SECRET) {
+            throw Object.assign(new Error("Google OAuth is not configured. Set GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET."), { status: 500 });
+        }
+        return { clientId: Bun.env.GOOGLE_CLIENT_ID, clientSecret: Bun.env.GOOGLE_CLIENT_SECRET };
+    }
+    if (lower === "github") {
+        if (!Bun.env.GITHUB_CLIENT_ID || !Bun.env.GITHUB_CLIENT_SECRET) {
+            throw Object.assign(new Error("GitHub OAuth is not configured. Set GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET."), { status: 500 });
+        }
+        return { clientId: Bun.env.GITHUB_CLIENT_ID, clientSecret: Bun.env.GITHUB_CLIENT_SECRET };
+    }
+    throw Object.assign(new Error(`Unknown provider: ${provider}`), { status: 400 });
+}
+//# sourceMappingURL=registry.js.map

package/dist/admin/oauth/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../../src/admin/oauth/registry.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAU1C,MAAM,UAAU,YAAY;IAC1B,MAAM,SAAS,GAAG,IAAI,GAAG,EAA2B,CAAC;IAErD,MAAM,YAAY,GAAG;QACnB,QAAQ,EAAE,GAAG,CAAC,GAAG,CAAC,gBAAgB;QAClC,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,oBAAoB;KAC3C,CAAC;IAEF,IAAI,YAAY,CAAC,QAAQ,IAAI,YAAY,CAAC,YAAY,EAAE,CAAC;QACvD,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,cAAiC,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,YAAY,GAAG;QACnB,QAAQ,EAAE,GAAG,CAAC,GAAG,CAAC,gBAAgB;QAClC,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,oBAAoB;KAC3C,CAAC;IAEF,IAAI,YAAY,CAAC,QAAQ,IAAI,YAAY,CAAC,YAAY,EAAE,CAAC;QACvD,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,cAAiC,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,QAAgB;IACnD,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;YAC/D,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,gFAAgF,CAAC,EAC3F,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,GAAG,CAAC,GAAG,CAAC,gBAAgB,EAAE,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;IAC5F,CAAC;IAED,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;YAC/D,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,gFAAgF,CAAC,EAC3F,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,GAAG,CAAC,GAAG,CAAC,gBAAgB,EAAE,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;IAC5F,CAAC;IAED,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,qBAAqB,QAAQ,EAAE,CAAC,EAC1C,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;AACJ,CAAC"}

package/dist/admin/oauth/types.d.ts

@@ -0,0 +1,14 @@
+export interface OAuthProviderConfig {
+    clientId: string;
+    clientSecret: string;
+}
+export interface OAuthConfig {
+    google?: OAuthProviderConfig;
+    github?: OAuthProviderConfig;
+}
+export interface OAuthProfile {
+    id: string;
+    email: string;
+    name?: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/admin/oauth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/admin/oauth/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,EAAE,mBAAmB,CAAC;IAC7B,MAAM,CAAC,EAAE,mBAAmB,CAAC;CAC9B;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf"}

package/dist/admin/oauth/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/admin/oauth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/admin/oauth/types.ts"],"names":[],"mappings":""}

package/dist/admin/oauth/user.d.ts

@@ -0,0 +1,12 @@
+import { DatabasePool } from "../../db/pool";
+import { type User } from "../../auth";
+export declare function findOrCreateOAuthUser(pool: DatabasePool, profile: {
+    id: string;
+    email: string;
+    name?: string;
+}): Promise<User & {
+    oauth_only: number;
+    password_set: number;
+}>;
+export declare function markPasswordSet(pool: DatabasePool, userId: string): void;
+//# sourceMappingURL=user.d.ts.map

package/dist/admin/oauth/user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../../src/admin/oauth/user.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAiE,KAAK,IAAI,EAAE,MAAM,YAAY,CAAC;AAEtG,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,YAAY,EAClB,OAAO,EAAE;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GACpD,OAAO,CAAC,IAAI,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CAAC,CA6B9D;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAGxE"}

package/dist/admin/oauth/user.js

@@ -0,0 +1,28 @@
+import { bootstrapAuthTables, generateSecureId, generateRandomPassword } from "../../auth";
+export async function findOrCreateOAuthUser(pool, profile) {
+    bootstrapAuthTables(pool);
+    const db = pool.read();
+    const existing = db
+        .query("SELECT id, email, role, oauth_only, password_set, created_at, updated_at FROM _users WHERE email=?")
+        .get(profile.email);
+    if (existing) {
+        const passwordSet = existing.password_set ?? (existing.oauth_only === 1 ? 0 : 1);
+        if (existing.oauth_only === 1 && passwordSet === 0) {
+            return { ...existing, oauth_only: 1, password_set: 0 };
+        }
+        return { ...existing, oauth_only: existing.oauth_only ?? 0, password_set: passwordSet };
+    }
+    const id = generateSecureId("usr");
+    const ts = new Date().toISOString();
+    const randomPassword = await generateRandomPassword();
+    return pool.writeTransaction(() => {
+        const writeDb = pool.write();
+        writeDb.run("INSERT INTO _users (id, email, password_hash, role, oauth_only, password_set, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", [id, profile.email, randomPassword, "user", 1, 0, ts, ts]);
+        return { id, email: profile.email, role: "user", oauth_only: 1, password_set: 0, created_at: ts, updated_at: ts };
+    });
+}
+export function markPasswordSet(pool, userId) {
+    bootstrapAuthTables(pool);
+    pool.write().run("UPDATE _users SET password_set=1, oauth_only=0 WHERE id=?", [userId]);
+}
+//# sourceMappingURL=user.js.map

package/dist/admin/oauth/user.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.js","sourceRoot":"","sources":["../../../src/admin/oauth/user.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,sBAAsB,EAAa,MAAM,YAAY,CAAC;AAEtG,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,IAAkB,EAClB,OAAqD;IAErD,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAC1B,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAEvB,MAAM,QAAQ,GAAG,EAAE;SAChB,KAAK,CAAC,oGAAoG,CAAC;SAC3G,GAAG,CAAC,OAAO,CAAC,KAAK,CAAmE,CAAC;IAExF,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,WAAW,GAAG,QAAQ,CAAC,YAAY,IAAI,CAAC,QAAQ,CAAC,UAAU,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACjF,IAAI,QAAQ,CAAC,UAAU,KAAK,CAAC,IAAI,WAAW,KAAK,CAAC,EAAE,CAAC;YACnD,OAAO,EAAE,GAAG,QAAQ,EAAE,UAAU,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;QACzD,CAAC;QACD,OAAO,EAAE,GAAG,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,CAAC,EAAE,YAAY,EAAE,WAAW,EAAE,CAAC;IAC1F,CAAC;IAED,MAAM,EAAE,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACnC,MAAM,EAAE,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACpC,MAAM,cAAc,GAAG,MAAM,sBAAsB,EAAE,CAAC;IAEtD,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QAC7B,OAAO,CAAC,GAAG,CACT,uIAAuI,EACvI,CAAC,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAC1D,CAAC;QAEF,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,MAAe,EAAE,UAAU,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC7H,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,IAAkB,EAAE,MAAc;IAChE,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAC1B,IAAI,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,2DAA2D,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;AAC1F,CAAC"}

package/dist/admin/query.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Raw SQL query execution for admin users.
+ *
+ * Allows executing arbitrary SQL against a database with safety guards:
+ * - Read-only queries via a separate endpoint
+ * - Write queries with system table protection
+ * - EXPLAIN QUERY PLAN for debugging
+ * - All queries use parameterized prepared statements
+ *
+ * @module boltstore/admin/query
+ */
+import { DatabasePool } from "../db/pool";
+/** Context for a raw SQL execution. */
+export interface QueryContext {
+    principalId?: string;
+    principalType?: "user" | "api_key";
+    ip?: string;
+    userAgent?: string;
+    database: string;
+}
+/**
+ * Execute a read-only SQL query.
+ *
+ * Only SELECT, EXPLAIN, PRAGMA (read-only), and WITH (CTE) statements are allowed.
+ *
+ * `POST /api/admin/:database/query`
+ */
+export declare function executeReadQuery(pool: DatabasePool, sql: string, params?: unknown[]): {
+    columns: string[];
+    rows: Record<string, unknown>[];
+    rowCount: number;
+};
+/**
+ * Execute a write SQL query (INSERT, UPDATE, DELETE, CREATE, etc.).
+ *
+ * Destructive operations on system tables are blocked.
+ *
+ * `POST /api/admin/:database/query/write`
+ */
+export declare function executeWriteQuery(pool: DatabasePool, sql: string, params?: unknown[], ctx?: QueryContext): {
+    changes: number;
+    lastInsertRowid: number | bigint;
+};
+/**
+ * Execute EXPLAIN QUERY PLAN on a SQL statement.
+ *
+ * Returns the query plan rows for debugging slow queries.
+ *
+ * `POST /api/admin/:database/query/explain`
+ */
+export declare function explainQuery(pool: DatabasePool, sql: string, params?: unknown[]): {
+    rows: Record<string, unknown>[];
+};
+//# sourceMappingURL=query.d.ts.map

package/dist/admin/query.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"query.d.ts","sourceRoot":"","sources":["../../src/admin/query.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAgD1C,uCAAuC;AACvC,MAAM,WAAW,YAAY;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACnC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AA0BD;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,YAAY,EAClB,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,OAAO,EAAO,GACrB;IAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAwB1E;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,YAAY,EAClB,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,OAAO,EAAO,EACtB,GAAG,CAAC,EAAE,YAAY,GACjB;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,GAAG,MAAM,CAAA;CAAE,CAoDvD;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAC1B,IAAI,EAAE,YAAY,EAClB,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,OAAO,EAAO,GACrB;IAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAA;CAAE,CAcrC"}

package/dist/admin/query.js

@@ -0,0 +1,168 @@
+/**
+ * Raw SQL query execution for admin users.
+ *
+ * Allows executing arbitrary SQL against a database with safety guards:
+ * - Read-only queries via a separate endpoint
+ * - Write queries with system table protection
+ * - EXPLAIN QUERY PLAN for debugging
+ * - All queries use parameterized prepared statements
+ *
+ * @module boltstore/admin/query
+ */
+import { toBindings } from "../db/cast";
+import { logAuditEvent, sanitizeSqlForAudit } from "../audit";
+/** System tables that must not be dropped or altered via raw SQL. */
+const PROTECTED_TABLES = [
+    "_collections",
+    "_databases",
+    "_migrations",
+    "_users",
+    "_tokens",
+    "_api_keys",
+    "_webhooks",
+    "_jobs",
+    "sqlite_master",
+    "sqlite_sequence",
+    "sqlite_stat1",
+];
+/** Destructive SQL patterns that are blocked. */
+const BLOCKED_PATTERNS = [
+    /\bDROP\s+TABLE\s+/i,
+    /\bALTER\s+TABLE\s+/i,
+    /\bDROP\s+INDEX\s+/i,
+    /\bDROP\s+VIEW\s+/i,
+    /\bDROP\s+TRIGGER\s+/i,
+];
+/** Dangerous statements that are never allowed via the raw write endpoint. */
+const DANGEROUS_KEYWORDS = [
+    "ATTACH",
+    "DETACH",
+    "REINDEX",
+    "VACUUM",
+    "PRAGMA",
+    "CREATE TRIGGER",
+    "CREATE VIRTUAL TABLE",
+];
+function hasDangerousKeyword(sql) {
+    const upper = sql.toUpperCase();
+    for (const kw of DANGEROUS_KEYWORDS) {
+        if (upper.includes(kw))
+            return kw;
+    }
+    return null;
+}
+/** Maximum length of a raw SQL statement accepted by the write endpoint. */
+const MAX_SQL_LENGTH = 10000;
+function auditRawWrite(pool, ctx, sql, success, error) {
+    const event = {
+        type: "raw_sql.write",
+        principalId: ctx.principalId,
+        principalType: ctx.principalType,
+        database: ctx.database,
+        ip: ctx.ip,
+        userAgent: ctx.userAgent,
+        success,
+        details: { sql: sanitizeSqlForAudit(sql) },
+        error,
+    };
+    logAuditEvent(event, pool);
+}
+/**
+ * Execute a read-only SQL query.
+ *
+ * Only SELECT, EXPLAIN, PRAGMA (read-only), and WITH (CTE) statements are allowed.
+ *
+ * `POST /api/admin/:database/query`
+ */
+export function executeReadQuery(pool, sql, params = []) {
+    const trimmed = sql.trim().toUpperCase();
+    // Allow SELECT, EXPLAIN, PRAGMA (read-only), and WITH (CTE)
+    const isReadOnly = trimmed.startsWith("SELECT") ||
+        trimmed.startsWith("EXPLAIN") ||
+        trimmed.startsWith("PRAGMA") ||
+        trimmed.startsWith("WITH") ||
+        trimmed.startsWith("DESCRIBE");
+    if (!isReadOnly) {
+        throw Object.assign(new Error("Only SELECT, EXPLAIN, PRAGMA, WITH, and DESCRIBE queries are allowed on this endpoint. Use /api/admin/query/write for mutations."), { status: 400 });
+    }
+    const db = pool.read();
+    const rows = db.query(sql).all(...toBindings(params));
+    const columns = rows.length > 0 ? Object.keys(rows[0]) : [];
+    return { columns, rows, rowCount: rows.length };
+}
+/**
+ * Execute a write SQL query (INSERT, UPDATE, DELETE, CREATE, etc.).
+ *
+ * Destructive operations on system tables are blocked.
+ *
+ * `POST /api/admin/:database/query/write`
+ */
+export function executeWriteQuery(pool, sql, params = [], ctx) {
+    if (sql.length > MAX_SQL_LENGTH) {
+        const err = `SQL statement exceeds maximum length of ${MAX_SQL_LENGTH} characters.`;
+        if (ctx)
+            auditRawWrite(pool, ctx, sql, false, err);
+        throw Object.assign(new Error(err), { status: 413 });
+    }
+    const dangerous = hasDangerousKeyword(sql);
+    if (dangerous) {
+        const err = `Dangerous statement "${dangerous}" is not allowed via the raw SQL write endpoint.`;
+        if (ctx)
+            auditRawWrite(pool, ctx, sql, false, err);
+        throw Object.assign(new Error(err), { status: 403 });
+    }
+    // Validate system table protection
+    for (const pattern of BLOCKED_PATTERNS) {
+        const match = sql.match(pattern);
+        if (match) {
+            const tableMatch = sql.match(/(?:DROP\s+TABLE|ALTER\s+TABLE|DROP\s+INDEX|DROP\s+VIEW|DROP\s+TRIGGER)\s+(?:IF\s+EXISTS\s+)?['"]?(\w+)['"]?/i);
+            if (tableMatch) {
+                const tableName = tableMatch[1].toLowerCase();
+                if (PROTECTED_TABLES.includes(tableName) || tableName.startsWith("sqlite_") || tableName.startsWith("_")) {
+                    const err = `Cannot perform destructive operation on system table "${tableName}".`;
+                    if (ctx)
+                        auditRawWrite(pool, ctx, sql, false, err);
+                    throw Object.assign(new Error(err), { status: 403 });
+                }
+            }
+        }
+    }
+    try {
+        return pool.writeTransaction(() => {
+            const db = pool.write();
+            db.run(sql, toBindings(params));
+            // Use db.query() for SELECT-based introspection (run() doesn't support .values())
+            const changesQuery = db.query("SELECT changes() as cnt").get();
+            const rowIdQuery = db.query("SELECT last_insert_rowid() as id").get();
+            if (ctx)
+                auditRawWrite(pool, ctx, sql, true);
+            return {
+                changes: changesQuery?.cnt ?? 0,
+                lastInsertRowid: rowIdQuery?.id ?? 0,
+            };
+        });
+    }
+    catch (err) {
+        if (ctx)
+            auditRawWrite(pool, ctx, sql, false, err.message);
+        throw Object.assign(err, { status: err.status || 500 });
+    }
+}
+/**
+ * Execute EXPLAIN QUERY PLAN on a SQL statement.
+ *
+ * Returns the query plan rows for debugging slow queries.
+ *
+ * `POST /api/admin/:database/query/explain`
+ */
+export function explainQuery(pool, sql, params = []) {
+    const trimmed = sql.trim().toUpperCase();
+    // EXPLAIN QUERY PLAN only works on SELECT, INSERT, UPDATE, DELETE
+    if (trimmed.startsWith("EXPLAIN") || trimmed.startsWith("PRAGMA")) {
+        throw Object.assign(new Error("Cannot explain an EXPLAIN or PRAGMA statement."), { status: 400 });
+    }
+    const db = pool.read();
+    const rows = db.query(`EXPLAIN QUERY PLAN ${sql}`).all(...toBindings(params));
+    return { rows };
+}
+//# sourceMappingURL=query.js.map

package/dist/admin/query.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"query.js","sourceRoot":"","sources":["../../src/admin/query.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAExC,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAmB,MAAM,UAAU,CAAC;AAE/E,qEAAqE;AACrE,MAAM,gBAAgB,GAAG;IACvB,cAAc;IACd,YAAY;IACZ,aAAa;IACb,QAAQ;IACR,SAAS;IACT,WAAW;IACX,WAAW;IACX,OAAO;IACP,eAAe;IACf,iBAAiB;IACjB,cAAc;CACf,CAAC;AAEF,iDAAiD;AACjD,MAAM,gBAAgB,GAAG;IACvB,oBAAoB;IACpB,qBAAqB;IACrB,oBAAoB;IACpB,mBAAmB;IACnB,sBAAsB;CACvB,CAAC;AAEF,8EAA8E;AAC9E,MAAM,kBAAkB,GAAG;IACzB,QAAQ;IACR,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,gBAAgB;IAChB,sBAAsB;CACvB,CAAC;AAEF,SAAS,mBAAmB,CAAC,GAAW;IACtC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IAChC,KAAK,MAAM,EAAE,IAAI,kBAAkB,EAAE,CAAC;QACpC,IAAI,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;YAAE,OAAO,EAAE,CAAC;IACpC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAWD,4EAA4E;AAC5E,MAAM,cAAc,GAAG,KAAK,CAAC;AAE7B,SAAS,aAAa,CACpB,IAAkB,EAClB,GAAiB,EACjB,GAAW,EACX,OAAgB,EAChB,KAAc;IAEd,MAAM,KAAK,GAAe;QACxB,IAAI,EAAE,eAAe;QACrB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,aAAa,EAAE,GAAG,CAAC,aAAa;QAChC,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,OAAO;QACP,OAAO,EAAE,EAAE,GAAG,EAAE,mBAAmB,CAAC,GAAG,CAAC,EAAE;QAC1C,KAAK;KACN,CAAC;IACF,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAC9B,IAAkB,EAClB,GAAW,EACX,SAAoB,EAAE;IAEtB,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAEzC,4DAA4D;IAC5D,MAAM,UAAU,GACd,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;QAC5B,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC;QAC7B,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;QAC5B,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;QAC1B,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAEjC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,kIAAkI,CAAC,EAC7I,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IACvB,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,MAAM,CAAC,CAA8B,CAAC;IAEnF,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAE5D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC;AAClD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAC/B,IAAkB,EAClB,GAAW,EACX,SAAoB,EAAE,EACtB,GAAkB;IAElB,IAAI,GAAG,CAAC,MAAM,GAAG,cAAc,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,2CAA2C,cAAc,cAAc,CAAC;QACpF,IAAI,GAAG;YAAE,aAAa,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QACnD,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,SAAS,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,GAAG,GAAG,wBAAwB,SAAS,kDAAkD,CAAC;QAChG,IAAI,GAAG;YAAE,aAAa,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QACnD,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,mCAAmC;IACnC,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACjC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAC1B,8GAA8G,CAC/G,CAAC;YACF,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC9C,IAAI,gBAAgB,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBACzG,MAAM,GAAG,GAAG,yDAAyD,SAAS,IAAI,CAAC;oBACnF,IAAI,GAAG;wBAAE,aAAa,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;oBACnD,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBACvD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;YACxB,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;YAEhC,kFAAkF;YAClF,MAAM,YAAY,GAAG,EAAE,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC,GAAG,EAA4B,CAAC;YACzF,MAAM,UAAU,GAAG,EAAE,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC,GAAG,EAA2B,CAAC;YAE/F,IAAI,GAAG;gBAAE,aAAa,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;YAE7C,OAAO;gBACL,OAAO,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;gBAC/B,eAAe,EAAE,UAAU,EAAE,EAAE,IAAI,CAAC;aACrC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG;YAAE,aAAa,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,MAAM,CAAC,MAAM,CAAC,GAAY,EAAE,EAAE,MAAM,EAAG,GAA2B,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;IAC5F,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAC1B,IAAkB,EAClB,GAAW,EACX,SAAoB,EAAE;IAEtB,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAEzC,kEAAkE;IAClE,IAAI,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClE,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,gDAAgD,CAAC,EAC3D,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IACvB,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,MAAM,CAAC,CAA8B,CAAC;IAC3G,OAAO,EAAE,IAAI,EAAE,CAAC;AAClB,CAAC"}

package/dist/admin/transaction.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Transaction API — execute multiple SQL operations atomically.
+ *
+ * All operations in a transaction either succeed together or fail together.
+ * Supports a mix of read (SELECT) and write (INSERT, UPDATE, DELETE) operations.
+ *
+ * @module boltstore/admin/transaction
+ */
+import { DatabasePool } from "../db/pool";
+/** A single operation within a transaction. */
+export interface TransactionOperation {
+    /** SQL statement to execute (parameterized). */
+    sql: string;
+    /** Parameters to bind (positional). */
+    params?: unknown[];
+}
+/** Result of a single operation within a transaction. */
+export interface OperationResult {
+    /** 0-based index of the operation in the batch. */
+    index: number;
+    /** For SELECT operations: the returned rows. */
+    rows?: Record<string, unknown>[];
+    /** Number of columns in SELECT results. */
+    columns?: string[];
+    /** For write operations: number of rows changed. */
+    changes?: number;
+    /** For INSERT operations: the last inserted row ID. */
+    lastInsertRowid?: number | bigint;
+}
+/** Result of an entire batch transaction. */
+export interface TransactionResult {
+    /** Whether all operations succeeded. */
+    success: boolean;
+    /** Per-operation results. */
+    results: OperationResult[];
+}
+/**
+ * Execute multiple SQL operations within a single write transaction.
+ *
+ * If any operation fails, the entire batch is rolled back and an error is thrown.
+ * SELECT results are captured; write operations return change counts and row IDs.
+ *
+ * `POST /api/admin/:database/transactions`
+ */
+export declare function executeTransaction(pool: DatabasePool, operations: TransactionOperation[]): TransactionResult;
+//# sourceMappingURL=transaction.d.ts.map

package/dist/admin/transaction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"transaction.d.ts","sourceRoot":"","sources":["../../src/admin/transaction.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG1C,+CAA+C;AAC/C,MAAM,WAAW,oBAAoB;IACnC,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,uCAAuC;IACvC,MAAM,CAAC,EAAE,OAAO,EAAE,CAAC;CACpB;AAED,yDAAyD;AACzD,MAAM,WAAW,eAAe;IAC9B,mDAAmD;IACnD,KAAK,EAAE,MAAM,CAAC;IACd,gDAAgD;IAChD,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;IACjC,2CAA2C;IAC3C,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,oDAAoD;IACpD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,eAAe,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;CACnC;AAED,6CAA6C;AAC7C,MAAM,WAAW,iBAAiB;IAChC,wCAAwC;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,6BAA6B;IAC7B,OAAO,EAAE,eAAe,EAAE,CAAC;CAC5B;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,YAAY,EAClB,UAAU,EAAE,oBAAoB,EAAE,GACjC,iBAAiB,CAyCnB"}

package/dist/admin/transaction.js

@@ -0,0 +1,52 @@
+/**
+ * Transaction API — execute multiple SQL operations atomically.
+ *
+ * All operations in a transaction either succeed together or fail together.
+ * Supports a mix of read (SELECT) and write (INSERT, UPDATE, DELETE) operations.
+ *
+ * @module boltstore/admin/transaction
+ */
+import { toBindings } from "../db/cast";
+/**
+ * Execute multiple SQL operations within a single write transaction.
+ *
+ * If any operation fails, the entire batch is rolled back and an error is thrown.
+ * SELECT results are captured; write operations return change counts and row IDs.
+ *
+ * `POST /api/admin/:database/transactions`
+ */
+export function executeTransaction(pool, operations) {
+    if (!Array.isArray(operations) || operations.length === 0) {
+        throw Object.assign(new Error("At least one operation is required."), { status: 400 });
+    }
+    return pool.writeTransaction(() => {
+        const db = pool.write();
+        const results = [];
+        for (let i = 0; i < operations.length; i++) {
+            const op = operations[i];
+            const params = Array.isArray(op.params) ? op.params : [];
+            const trimmed = op.sql.trim().toUpperCase();
+            const isSelect = trimmed.startsWith("SELECT") ||
+                trimmed.startsWith("PRAGMA") ||
+                trimmed.startsWith("EXPLAIN") ||
+                trimmed.startsWith("WITH");
+            if (isSelect) {
+                const rows = db.query(op.sql).all(...toBindings(params));
+                const columns = rows.length > 0 ? Object.keys(rows[0]) : [];
+                results.push({ index: i, rows, columns });
+            }
+            else {
+                db.run(op.sql, toBindings(params));
+                const changesQuery = db.query("SELECT changes() as cnt").get();
+                const rowIdQuery = db.query("SELECT last_insert_rowid() as id").get();
+                results.push({
+                    index: i,
+                    changes: changesQuery?.cnt ?? 0,
+                    lastInsertRowid: rowIdQuery?.id ?? 0,
+                });
+            }
+        }
+        return { success: true, results };
+    });
+}
+//# sourceMappingURL=transaction.js.map

package/dist/admin/transaction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"transaction.js","sourceRoot":"","sources":["../../src/admin/transaction.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAgCxC;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAChC,IAAkB,EAClB,UAAkC;IAElC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1D,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,qCAAqC,CAAC,EAChD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACxB,MAAM,OAAO,GAAsB,EAAE,CAAC;QAEtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3C,MAAM,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;YACzB,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;YAEzD,MAAM,OAAO,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YAC5C,MAAM,QAAQ,GACZ,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;gBAC5B,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;gBAC5B,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC;gBAC7B,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAE7B,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,MAAM,CAAC,CAA8B,CAAC;gBACtF,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5D,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YAC5C,CAAC;iBAAM,CAAC;gBACN,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;gBACnC,MAAM,YAAY,GAAG,EAAE,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC,GAAG,EAA4B,CAAC;gBACzF,MAAM,UAAU,GAAG,EAAE,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC,GAAG,EAA2B,CAAC;gBAC/F,OAAO,CAAC,IAAI,CAAC;oBACX,KAAK,EAAE,CAAC;oBACR,OAAO,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;oBAC/B,eAAe,EAAE,UAAU,EAAE,EAAE,IAAI,CAAC;iBACrC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/admin/views.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Views management module for Boltstore.
+ *
+ * SQLite views are saved SELECT queries presented as virtual tables.
+ * They provide read-only access to pre-defined queries — useful for
+ * denormalized data, reporting, and access control.
+ *
+ * All routes are admin-only (`/api/admin/:database/views`).
+ *
+ * @module boltstore/admin/views
+ */
+import { DatabasePool } from "../db/pool";
+export interface ViewInfo {
+    /** View name. */
+    name: string;
+    /** The SQL definition (CREATE VIEW ... AS ...). */
+    sql: string;
+}
+/**
+ * Create a new view.
+ *
+ * The SQL must be a SELECT or WITH statement. Write operations,
+ * schema changes, and references to system tables are rejected.
+ *
+ * `POST /api/admin/:database/views`
+ */
+export declare function createView(pool: DatabasePool, name: string, sql: string): ViewInfo;
+/**
+ * List all user-created views in the database.
+ *
+ * Excludes SQLite internal views (sqlite_*).
+ *
+ * `GET /api/admin/:database/views`
+ */
+export declare function listViews(pool: DatabasePool): ViewInfo[];
+/**
+ * Get metadata for a single view, including its SQL definition.
+ *
+ * `GET /api/admin/:database/views/:name`
+ */
+export declare function getView(pool: DatabasePool, name: string): ViewInfo;
+/**
+ * Query data from a view.
+ *
+ * Supports the same filtering, sorting, and pagination options as
+ * `listRecords` on regular collections. The view is treated as a
+ * read-only virtual table.
+ *
+ * `GET /api/admin/:database/views/:name?sort=field&direction=desc&limit=10`
+ */
+export declare function queryView(pool: DatabasePool, name: string, options?: {
+    filter?: Record<string, unknown>;
+    sort?: string;
+    direction?: "asc" | "desc";
+    limit?: number;
+    offset?: number;
+}): Record<string, unknown>[];
+/**
+ * Delete (drop) a view.
+ *
+ * `DELETE /api/admin/:database/views/:name`
+ */
+export declare function dropView(pool: DatabasePool, name: string): void;
+//# sourceMappingURL=views.d.ts.map

package/dist/admin/views.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"views.d.ts","sourceRoot":"","sources":["../../src/admin/views.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAS1C,MAAM,WAAW,QAAQ;IACvB,iBAAiB;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,mDAAmD;IACnD,GAAG,EAAE,MAAM,CAAC;CACb;AA8DD;;;;;;;GAOG;AACH,wBAAgB,UAAU,CACxB,IAAI,EAAE,YAAY,EAClB,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,GACV,QAAQ,CAuCV;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,YAAY,GAAG,QAAQ,EAAE,CAWxD;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,QAAQ,CAmBlE;AAED;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CACvB,IAAI,EAAE,YAAY,EAClB,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE;IACR,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GACA,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAgD3B;AAED;;;;GAIG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAyB/D"}