casualos 3.7.0-alpha.16977445547 → 3.7.0-alpha.17049743052

package/dist/cli.js

@@ -97334,7 +97334,7 @@ var trace = TraceAPI.getInstance();
 function hashLowEntropyPasswordWithSalt2(password, salt) {
   const tracer = trace.getTracer(
     "InstrumentedHashHelpers",
-    false ? void 0 : "v3.7.0-alpha.16977445547"
+    false ? void 0 : "v3.7.0-alpha.17049743052"
   );
   return tracer.startActiveSpan(
     "hashLowEntropyPasswordWithSalt",
@@ -97352,7 +97352,7 @@ function hashLowEntropyPasswordWithSalt2(password, salt) {
 function hashHighEntropyPasswordWithSalt2(password, salt) {
   const tracer = trace.getTracer(
     "InstrumentedHashHelpers",
-    false ? void 0 : "v3.7.0-alpha.16977445547"
+    false ? void 0 : "v3.7.0-alpha.17049743052"
   );
   return tracer.startActiveSpan(
     "hashHighEntropyPasswordWithSalt",
@@ -97370,7 +97370,7 @@ function hashHighEntropyPasswordWithSalt2(password, salt) {
 function verifyPasswordAgainstHashes2(password, salt, hashes) {
   const tracer = trace.getTracer(
     "InstrumentedHashHelpers",
-    false ? void 0 : "v3.7.0-alpha.16977445547"
+    false ? void 0 : "v3.7.0-alpha.17049743052"
   );
   return tracer.startActiveSpan(
     "verifyPasswordAgainstHashes",
@@ -100837,134 +100837,678 @@ function randomCode() {
   return str2;
 }
 
-// ../../node_modules/.pnpm/@simplewebauthn+server@9.0.3_encoding@0.1.13/node_modules/@simplewebauthn/server/esm/helpers/iso/isoBase64URL.js
-var isoBase64URL_exports = {};
-__export(isoBase64URL_exports, {
-  fromBuffer: () => fromBuffer,
-  fromString: () => fromString,
-  isBase64: () => isBase64,
-  isBase64url: () => isBase64url,
-  toBase64: () => toBase64,
-  toBuffer: () => toBuffer,
-  toString: () => toString3
+// ../aux-records/SubscriptionConfiguration.ts
+var webhookFeaturesSchema = z.object({
+  allowed: z.boolean().describe(
+    "Whether webhook features are granted for the subscription."
+  ),
+  maxItems: z.number().describe(
+    "The maximum number of webhook items that are allowed for the subscription. If not specified, then there is no limit."
+  ).int().optional(),
+  tokenLifetimeMs: z.number().describe(
+    "The lifetime of session tokens that are issued to the webhook in miliseconds. Defaults to 5 minutes."
+  ).int().positive().optional().nullable().default(5 * 60 * 1e3),
+  initTimeoutMs: z.number().describe(
+    "The maximum number of miliseconds that the webhook has to initialize. Defaults to 5000ms."
+  ).int().positive().optional().nullable().default(5e3),
+  requestTimeoutMs: z.number().describe(
+    "The maximum number of miliseconds that the webhook has to respond to a request after being initialized. Defaults to 5000ms"
+  ).int().positive().optional().nullable().default(5e3),
+  fetchTimeoutMs: z.number().describe(
+    "The maximum number of miliseconds that the system will take to fetch the AUX state for the webhook. Defaults to 5000ms."
+  ).int().positive().optional().nullable().default(5e3),
+  addStateTimeoutMs: z.number().describe(
+    "The maximum number of miliseconds that the system will take to add the AUX state to the webhook simulation. Defaults to 1000ms."
+  ).int().positive().optional().nullable().default(1e3),
+  maxRunsPerPeriod: z.number().describe(
+    "The maximum number of webhook runs allowed per subscription period. If not specified, then there is no limit."
+  ).int().positive().optional(),
+  maxRunsPerHour: z.number().describe(
+    "The maximum number of webhook runs allowed per hour for the subscription. If not specified, then there is no limit."
+  ).int().positive().optional()
+}).describe(
+  "The configuration for webhook features. Defaults to not allowed."
+).optional().default({
+  allowed: false
 });
-
-// ../../node_modules/.pnpm/@levischuck+tiny-cbor@0.2.11/node_modules/@levischuck/tiny-cbor/esm/index.js
-var esm_exports = {};
-__export(esm_exports, {
-  CBORTag: () => CBORTag,
-  decodeCBOR: () => decodeCBOR,
-  decodePartialCBOR: () => decodePartialCBOR,
-  encodeCBOR: () => encodeCBOR
+var subscriptionFeaturesSchema = z.object({
+  records: z.object({
+    allowed: z.boolean().describe(
+      "Whether records are allowed for the subscription. If false, then every request to create or update a record will be rejected."
+    ),
+    maxRecords: z.number().describe(
+      "The maximum number of records allowed for the subscription."
+    ).int().positive().optional()
+  }).describe("The configuration for record features.").optional(),
+  data: z.object({
+    allowed: z.boolean().describe(
+      "Whether data resources are allowed for the subscription. If false, then every request to create or update a data resource will be rejected."
+    ),
+    maxItems: z.number({}).describe(
+      "The maximum number of data resource items allowed for the subscription. If omitted, then there is no limit."
+    ).int().positive().optional(),
+    maxReadsPerPeriod: z.number().describe(
+      "The maximum number of data item reads allowed per subscription period. If omitted, then there is no limit."
+    ).int().positive().optional(),
+    maxWritesPerPeriod: z.number().describe(
+      "The maximum number of data item writes allowed per subscription period. If omitted, then there is no limit."
+    ).int().positive().optional(),
+    maxItemSizeInBytes: z.number().describe(
+      "The maximum number of bytes that can be stored in a single data item. If set to null, then there is no limit. If omitted, then the limit is 500,000 bytes (500KB)"
+    ).int().positive().nullable().optional().default(5e5)
+  }),
+  files: z.object({
+    allowed: z.boolean().describe(
+      "Whether file resources are allowed for the subscription. If false, then every request to create or update a file resource will be rejected."
+    ),
+    maxFiles: z.number().describe(
+      "The maximum number of files allowed for the subscription. If omitted, then there is no limit."
+    ).int().positive().optional(),
+    maxBytesPerFile: z.number().describe(
+      "The maximum number of bytes per file allowed for the subscription. If omitted, then there is no limit."
+    ).int().positive().optional(),
+    maxBytesTotal: z.number().describe(
+      "The maximum number of file bytes that can be stored for the subscription. If omitted, then there is no limit."
+    ).int().positive().optional()
+  }),
+  events: z.object({
+    allowed: z.boolean().describe(
+      "Whether event resources are allowed for the subscription. If false, then every request to increment or count events will be rejected."
+    ),
+    maxEvents: z.number().describe(
+      "The maximum number of distinct event names that are allowed for the subscription. If omitted, then there is no limit."
+    ).int().positive().optional(),
+    maxUpdatesPerPeriod: z.number().describe("Not currently implemented.").int().positive().optional()
+  }),
+  policies: z.object({
+    allowed: z.boolean().describe(
+      "Whether policy resources are allowed for the subscription. If false, then every request to create or update a policy will be rejected."
+    ),
+    maxPolicies: z.number().describe("Not currently implemented.").int().positive().optional()
+  }),
+  ai: z.object({
+    chat: z.object({
+      allowed: z.boolean().describe(
+        "Whether AI chat requests are allowed for the subscription. If false, then every request to generate AI chat will be rejected."
+      ),
+      maxTokensPerPeriod: z.number().describe(
+        "The maximum number of AI chat tokens allowed per subscription period. If omitted, then there is no limit."
+      ).int().positive().optional(),
+      allowedModels: z.array(z.string()).describe(
+        "The list of model IDs that are allowed for the subscription. If omitted, then all models are allowed."
+      ).optional()
+    }),
+    images: z.object({
+      allowed: z.boolean().describe(
+        "Whether AI image requests are allowed for the subscription. If false, then every request to generate AI images will be rejected."
+      ),
+      maxSquarePixelsPerPeriod: z.number().describe(
+        "The maximum number of square pixels (pixels squared) that are allowed to be generated per subscription period. If omitted, then there is no limit."
+      ).int().positive().optional()
+    }),
+    skyboxes: z.object({
+      allowed: z.boolean().describe(
+        "Whether AI Skybox requests are allowed for the subscription. If false, then every request to generate AI skyboxes will be rejected."
+      ),
+      maxSkyboxesPerPeriod: z.number().describe(
+        "The maximum number of skyboxes that are allowed to be generated per subscription period. If omitted, then there is no limit."
+      ).int().positive().optional()
+    }),
+    hume: z.object({
+      allowed: z.boolean().describe(
+        "Whether Hume AI features are allowed for the subscription. If false, then every request to generate Hume AI will be rejected."
+      )
+    }).describe(
+      "The configuration for Hume AI features for the subscription. Defaults to not allowed if omitted."
+    ).optional().default({
+      allowed: false
+    }),
+    sloyd: z.object({
+      allowed: z.boolean().describe(
+        "Whether Sloyd AI features are allowed for the subscription. If false, then every request to generate Sloyd AI will be rejected."
+      ),
+      maxModelsPerPeriod: z.number().describe(
+        "The maximum number of models that can be generated per subscription period. If omitted, then there is no limit."
+      ).positive().int().optional()
+    }).describe(
+      "The configuration for Sloyd AI features for the subscription. Defaults to not allowed if omitted."
+    ).optional().default({
+      allowed: false
+    }),
+    openai: z.object({
+      realtime: z.object({
+        allowed: z.boolean().describe(
+          "Whether OpenAI realtime API features are allowed."
+        ),
+        maxSessionsPerPeriod: z.number().describe(
+          "The maximum number of realtime sessions that can be initiated per subscription period. If omitted, then there is no limit."
+        ).int().positive().optional(),
+        maxResponseOutputTokens: z.number().describe(
+          "The maximum number of output tokens that can be generated per response per session. If omitted, then there is no limit."
+        ).int().positive().optional(),
+        allowedModels: z.array(z.string()).describe(
+          "The list of models that are allowed to be used with the realtime API. If ommited, then all models are allowed."
+        ).optional()
+      }).describe(
+        "The configuration for OpenAI realtime API features."
+      ).optional().default({
+        allowed: false
+      })
+    }).describe(
+      "The configuration for Open AI-specific features for the subscription. Defaults to not allowed if omitted."
+    ).optional().default({})
+  }),
+  insts: z.object({
+    allowed: z.boolean().describe(
+      "Whether insts are allowed for the subscription. If false, then every request to create or update an inst will be rejected."
+    ),
+    maxInsts: z.number().describe(
+      "The maximum number of private insts that are allowed for the subscription. If omitted, then there is no limit."
+    ).int().positive().optional(),
+    maxBytesPerInst: z.number().describe(
+      "The maximum number of bytes that can be stored in an inst. If omitted, then there is no limit."
+    ).int().positive().optional(),
+    maxActiveConnectionsPerInst: z.number().describe(
+      "The maximum number of active websocket connections that an inst can have. If omitted, then there is no limit."
+    ).int().positive().optional()
+  }),
+  comId: z.object({
+    allowed: z.boolean().describe("Whether comId features are granted to the studio."),
+    // allowCustomComId: z
+    //     .boolean()
+    //     .describe(
+    //         'Whether the studio is allowed to set their own comId. If false, then the user will be able to request changes to their comId, but they will not automatically apply.'
+    //     ),
+    maxStudios: z.number().describe(
+      "The maximum number of studios that can be created in this comId. If omitted, then there is no limit."
+    ).positive().int().optional()
+  }).describe(
+    "The configuration for comId features for studios. Defaults to not allowed."
+  ).optional().default({
+    allowed: false
+    // allowCustomComId: false,
+  }),
+  loom: z.object({
+    allowed: z.boolean().describe("Whether loom features are granted to the studio.")
+  }).describe(
+    "The configuration for loom features for studios. Defaults to not allowed."
+  ).optional().default({
+    allowed: false
+  }),
+  webhooks: webhookFeaturesSchema,
+  notifications: z.object({
+    allowed: z.boolean().describe(
+      "Whether notifications are allowed for the subscription."
+    ),
+    maxItems: z.number().describe(
+      "The maximum number of notification items that are allowed for the subscription. If not specified, then there is no limit."
+    ).int().positive().optional(),
+    maxSubscribersPerItem: z.number().describe(
+      "The maximum number of subscribers that a notification can have in the subscription. If not specified, then there is no limit."
+    ).int().positive().optional(),
+    maxSentNotificationsPerPeriod: z.number().describe(
+      'The maximum number of notifications that can be sent per subscription period. This tracks the number of times the "sendNotification" operation was called. If not specified, then there is no limit.'
+    ).int().positive().optional(),
+    maxSentPushNotificationsPerPeriod: z.number().describe(
+      "The maximum number of push notifications that can be sent per subscription period. This tracks the actual number of push notifications that were sent to users. If not specified, then there is no limit."
+    ).int().positive().optional()
+  }).describe(
+    "The configuration for notification features. Defaults to not allowed."
+  ).optional().default({
+    allowed: false
+  }),
+  packages: z.object({
+    allowed: z.boolean().describe("Whether packages are allowed for the subscription."),
+    maxItems: z.number().describe(
+      "The maximum number of packages that are allowed for the subscription. If not specified, then there is no limit."
+    ).int().positive().optional(),
+    maxPackageVersions: z.number().describe(
+      "The maximum number of package versions that are allowed for the subscription. If not specified, then there is no limit."
+    ).int().positive().optional(),
+    maxPackageVersionSizeInBytes: z.number().describe(
+      "The maximum number of bytes that a single package version can be. If not specified, then there is no limit."
+    ).int().positive().optional(),
+    maxPackageBytesTotal: z.number().describe(
+      "The maximum number of bytes that all package versions in the subscription can be. If not specified, then there is no limit."
+    ).int().positive().optional()
+  }).describe(
+    "The configuration for package features. Defaults to allowed."
+  ).optional().default({
+    allowed: true
+  }),
+  search: z.object({
+    allowed: z.boolean().describe(
+      "Whether search records are allowed for the subscription."
+    ),
+    maxItems: z.number().describe(
+      "The maximum number of search records that can be created for the subscription. If not specified, then there is no limit."
+    ).int().positive().optional()
+  }).describe(
+    "The configuration for search records features. Defaults to allowed."
+  ).optional().default({
+    allowed: true
+  })
 });
-
-// ../../node_modules/.pnpm/@levischuck+tiny-cbor@0.2.11/node_modules/@levischuck/tiny-cbor/esm/cbor/cbor_internal.js
-function decodeLength(data, argument, index) {
-  if (argument < 24) {
-    return [argument, 1];
-  }
-  const remainingDataLength = data.byteLength - index - 1;
-  const view = new DataView(data.buffer, index + 1);
-  let output;
-  let bytes = 0;
-  switch (argument) {
-    case 24: {
-      if (remainingDataLength > 0) {
-        output = view.getUint8(0);
-        bytes = 2;
-      }
-      break;
-    }
-    case 25: {
-      if (remainingDataLength > 1) {
-        output = view.getUint16(0, false);
-        bytes = 3;
-      }
-      break;
-    }
-    case 26: {
-      if (remainingDataLength > 3) {
-        output = view.getUint32(0, false);
-        bytes = 5;
-      }
-      break;
-    }
-    case 27: {
-      if (remainingDataLength > 7) {
-        const bigOutput = view.getBigUint64(0, false);
-        if (bigOutput >= 24n && bigOutput <= Number.MAX_SAFE_INTEGER) {
-          return [Number(bigOutput), 9];
+var subscriptionConfigSchema = z.object({
+  webhookSecret: z.string().describe(
+    "The Stripe Webhook secret. Used to validate that webhooks are actually coming from Stripe."
+  ).nonempty(),
+  successUrl: z.string().describe(
+    "The URL that successful Stripe checkout sessions should be redirected to."
+  ).nonempty(),
+  cancelUrl: z.string().describe(
+    "The URL that canceled Stripe checkout sessions should be redirected to."
+  ).nonempty(),
+  returnUrl: z.string().describe(
+    "The URL that users should be redirected to when exiting the Stripe subscription management customer portal."
+  ).nonempty(),
+  portalConfig: z.object({}).describe(
+    "Additional options that should be passed to stripe.billingPortal.sessions.create()."
+  ).passthrough().optional().nullable(),
+  checkoutConfig: z.object({}).describe(
+    "Additional options that should be passed to stripe.checkout.sessions.create()."
+  ).passthrough().optional().nullable(),
+  subscriptions: z.array(
+    z.object({
+      id: z.string().describe(
+        "The ID of the subscription. Can be anything, but it must be unique to each subscription and never change."
+      ).nonempty(),
+      product: z.string().describe(
+        "The ID of the Stripe product that is being offered by this subscription. If omitted, then this subscription will be shown but not able to be purchased."
+      ).nonempty().optional(),
+      featureList: z.array(z.string().nonempty()).describe(
+        "The list of features that should be shown for this subscription tier."
+      ),
+      eligibleProducts: z.array(z.string().nonempty()).describe(
+        "The list of Stripe product IDs that count as eligible for this subscription. Useful if you want to change the product of this subscription, but grandfather in existing users."
+      ).optional(),
+      defaultSubscription: z.boolean().describe(
+        "Whether this subscription should be granted to users if they don't already have a subscription. The first in the list of subscriptions that is marked as the default will be used. Defaults to false"
+      ).optional(),
+      purchasable: z.boolean().describe(
+        "Whether this subscription is purchasable and should be offered to users who do not already have a subscription. If false, then this subscription will not be shown to users unless they already have an active subscription for it. Defaults to true."
+      ).optional(),
+      name: z.string().describe(
+        "The name of the subscription. Ignored if a Stripe product is specified."
+      ).nonempty().optional(),
+      description: z.string().describe(
+        "The description of the subscription. Ignored if a Stripe product is specified."
+      ).nonempty().optional(),
+      tier: z.string().describe(
+        'The tier of this subscription. Useful for grouping multiple subscriptions into the same set of features. Defaults to "beta"'
+      ).nonempty().optional(),
+      userOnly: z.boolean().describe(
+        "Whether this subscription can only be purchased by individual users. Defaults to false."
+      ).optional(),
+      studioOnly: z.boolean().describe(
+        "Whether this subscription can only be purchased by studios. Defaults to false."
+      ).optional()
+    })
+  ).describe("The list of subscriptions that are in use."),
+  tiers: z.object({}).describe(
+    "The configuration for the subscription tiers. Each key should be a tier."
+  ).catchall(
+    z.object({
+      features: subscriptionFeaturesSchema.optional()
+    }).describe("The configuration for an individual tier.")
+  ).optional(),
+  defaultFeatures: z.object({
+    user: subscriptionFeaturesSchema.describe(
+      "The features that are available for users who either dont have a subscription for have a subscription for a tier that is not listed in the tiers configuration. Defaults to an object that allows all features."
+    ).optional(),
+    studio: subscriptionFeaturesSchema.describe(
+      "The features that are available for studios who either dont have a subscription for have a subscription for a tier that is not listed in the tiers configuration. Defaults to an object that allows all features."
+    ).optional(),
+    defaultPeriodLength: z.object({
+      days: z.number().int().nonnegative().optional(),
+      months: z.number().int().nonnegative().optional()
+    }).describe(
+      "The length of the period for users that do not have a subscription. Defaults to 1 month and 0 days."
+    ).optional().default({
+      days: 0,
+      months: 1
+    }),
+    publicInsts: z.object({
+      allowed: z.boolean().describe(
+        "Whether public (temp) insts are allowed. If false, then every request to create or update a public inst will be rejected."
+      ),
+      maxBytesPerInst: z.number().describe(
+        "The maximum number of bytes that can be stored for a public inst. If omitted, then there is no limit."
+      ).int().positive().optional(),
+      maxActiveConnectionsPerInst: z.number().describe(
+        "The maximum number of active connections that are allowed for a public inst. If omitted, then there is no limit."
+      ).int().positive().optional()
+    }).describe(
+      "The feature limits for public insts (insts that do not belong to a record and will expire after a preset time). Defaults to an object that allows all features."
+    ).optional()
+  }).optional()
+});
+function allowAllFeatures() {
+  return {
+    records: {
+      allowed: true
+    },
+    ai: {
+      chat: {
+        allowed: true
+      },
+      images: {
+        allowed: true
+      },
+      skyboxes: {
+        allowed: true
+      },
+      hume: {
+        allowed: true
+      },
+      sloyd: {
+        allowed: true
+      },
+      openai: {
+        realtime: {
+          allowed: true
         }
       }
-      break;
-    }
-  }
-  if (output && output >= 24) {
-    return [output, bytes];
-  }
-  throw new Error("Length not supported or not well formed");
-}
-var MAJOR_TYPE_UNSIGNED_INTEGER = 0;
-var MAJOR_TYPE_NEGATIVE_INTEGER = 1;
-var MAJOR_TYPE_BYTE_STRING = 2;
-var MAJOR_TYPE_TEXT_STRING = 3;
-var MAJOR_TYPE_ARRAY = 4;
-var MAJOR_TYPE_MAP = 5;
-var MAJOR_TYPE_TAG = 6;
-var MAJOR_TYPE_SIMPLE_OR_FLOAT = 7;
-function encodeLength(major2, argument) {
-  const majorEncoded = major2 << 5;
-  if (argument < 0) {
-    throw new Error("CBOR Data Item argument must not be negative");
-  }
-  let bigintArgument;
-  if (typeof argument == "number") {
-    if (!Number.isInteger(argument)) {
-      throw new Error("CBOR Data Item argument must be an integer");
-    }
-    bigintArgument = BigInt(argument);
-  } else {
-    bigintArgument = argument;
-  }
-  if (major2 == MAJOR_TYPE_NEGATIVE_INTEGER) {
-    if (bigintArgument == 0n) {
-      throw new Error("CBOR Data Item argument cannot be zero when negative");
+    },
+    data: {
+      allowed: true
+    },
+    events: {
+      allowed: true
+    },
+    files: {
+      allowed: true
+    },
+    insts: {
+      allowed: true
+    },
+    notifications: {
+      allowed: true
+    },
+    packages: {
+      allowed: true
+    },
+    search: {
+      allowed: true
     }
-    bigintArgument = bigintArgument - 1n;
-  }
-  if (bigintArgument > 18446744073709551615n) {
-    throw new Error("CBOR number out of range");
-  }
-  const buffer = new Uint8Array(8);
-  const view = new DataView(buffer.buffer);
-  view.setBigUint64(0, bigintArgument, false);
-  if (bigintArgument <= 23) {
-    return [majorEncoded | buffer[7]];
-  } else if (bigintArgument <= 255) {
-    return [majorEncoded | 24, buffer[7]];
-  } else if (bigintArgument <= 65535) {
-    return [majorEncoded | 25, ...buffer.slice(6)];
-  } else if (bigintArgument <= 4294967295) {
-    return [
-      majorEncoded | 26,
-      ...buffer.slice(4)
-    ];
-  } else {
-    return [
-      majorEncoded | 27,
-      ...buffer
-    ];
-  }
+  };
 }
-
-// ../../node_modules/.pnpm/@levischuck+tiny-cbor@0.2.11/node_modules/@levischuck/tiny-cbor/esm/cbor/cbor.js
-var CBORTag = class {
-  /**
-   * Wrap a value with a tag number.
-   * When encoded, this tag will be attached to the value.
-   *
-   * @param tag Tag number
-   * @param value Wrapped value
+function getSearchFeatures(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
+  const features = getSubscriptionFeatures(
+    config2,
+    subscriptionStatus,
+    subscriptionId,
+    type,
+    periodStartMs,
+    periodEndMs,
+    nowMs
+  );
+  return features.search ?? { allowed: true };
+}
+function getPackageFeatures(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
+  const features = getSubscriptionFeatures(
+    config2,
+    subscriptionStatus,
+    subscriptionId,
+    type,
+    periodStartMs,
+    periodEndMs,
+    nowMs
+  );
+  return features.packages ?? { allowed: true };
+}
+function getNotificationFeatures(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
+  const features = getSubscriptionFeatures(
+    config2,
+    subscriptionStatus,
+    subscriptionId,
+    type,
+    periodStartMs,
+    periodEndMs,
+    nowMs
+  );
+  return features.notifications ?? { allowed: false };
+}
+function getWebhookFeatures(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
+  const features = getSubscriptionFeatures(
+    config2,
+    subscriptionStatus,
+    subscriptionId,
+    type,
+    periodStartMs,
+    periodEndMs,
+    nowMs
+  );
+  return features.webhooks ?? webhookFeaturesSchema.parse({ allowed: false });
+}
+function getComIdFeatures(config2, subscriptionStatus, subscriptionId, periodStartMs, periodEndMs, nowMs = Date.now()) {
+  const features = getSubscriptionFeatures(
+    config2,
+    subscriptionStatus,
+    subscriptionId,
+    "studio",
+    periodStartMs,
+    periodEndMs,
+    nowMs
+  );
+  return features.comId ?? {
+    allowed: false
+    // allowCustomComId: false,
+  };
+}
+function getLoomFeatures(config2, subscriptionStatus, subscriptionId, periodStartMs, periodEndMs, nowMs = Date.now()) {
+  const features = getSubscriptionFeatures(
+    config2,
+    subscriptionStatus,
+    subscriptionId,
+    "studio",
+    periodStartMs,
+    periodEndMs,
+    nowMs
+  );
+  return features.loom ?? { allowed: false };
+}
+function getHumeAiFeatures(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
+  const features = getSubscriptionFeatures(
+    config2,
+    subscriptionStatus,
+    subscriptionId,
+    type,
+    periodStartMs,
+    periodEndMs,
+    nowMs
+  );
+  return features.ai.hume ?? { allowed: false };
+}
+function getSubscriptionFeatures(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
+  const sub = getSubscription(
+    config2,
+    subscriptionStatus,
+    subscriptionId,
+    type,
+    periodStartMs,
+    periodEndMs,
+    nowMs
+  );
+  if (typeof sub === "undefined") {
+    return allowAllFeatures();
+  } else if (sub) {
+    const tier = sub?.tier;
+    const features = tier ? config2?.tiers?.[tier]?.features : null;
+    if (features) {
+      return features;
+    }
+  }
+  return config2.defaultFeatures?.[type] ?? allowAllFeatures();
+}
+function getSubscription(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
+  if (!config2) {
+    return void 0;
+  }
+  if (config2.tiers) {
+    const roleSubscriptions = config2.subscriptions.filter(
+      (s3) => subscriptionMatchesRole(s3, type)
+    );
+    if (isActiveSubscription(
+      subscriptionStatus,
+      periodStartMs,
+      periodEndMs,
+      nowMs
+    )) {
+      const sub2 = roleSubscriptions.find((s3) => s3.id === subscriptionId);
+      if (sub2) {
+        return sub2;
+      }
+    }
+    const sub = roleSubscriptions.find((s3) => s3.defaultSubscription);
+    if (sub) {
+      return sub;
+    }
+  }
+  return null;
+}
+function getSubscriptionTier(config2, subscriptionStatus, subId, type) {
+  const sub = getSubscription(config2, subscriptionStatus, subId, type);
+  if (!sub) {
+    return null;
+  }
+  return sub?.tier ?? null;
+}
+function subscriptionMatchesRole(subscription, role) {
+  const isUserOnly = subscription.userOnly ?? false;
+  const isStudioOnly = subscription.studioOnly ?? false;
+  const matchesRole = isUserOnly && role === "user" || isStudioOnly && role === "studio" || !isUserOnly && !isStudioOnly;
+  return matchesRole;
+}
+
+// ../../node_modules/.pnpm/@simplewebauthn+server@9.0.3_encoding@0.1.13/node_modules/@simplewebauthn/server/esm/helpers/iso/isoBase64URL.js
+var isoBase64URL_exports = {};
+__export(isoBase64URL_exports, {
+  fromBuffer: () => fromBuffer,
+  fromString: () => fromString,
+  isBase64: () => isBase64,
+  isBase64url: () => isBase64url,
+  toBase64: () => toBase64,
+  toBuffer: () => toBuffer,
+  toString: () => toString3
+});
+
+// ../../node_modules/.pnpm/@levischuck+tiny-cbor@0.2.11/node_modules/@levischuck/tiny-cbor/esm/index.js
+var esm_exports = {};
+__export(esm_exports, {
+  CBORTag: () => CBORTag,
+  decodeCBOR: () => decodeCBOR,
+  decodePartialCBOR: () => decodePartialCBOR,
+  encodeCBOR: () => encodeCBOR
+});
+
+// ../../node_modules/.pnpm/@levischuck+tiny-cbor@0.2.11/node_modules/@levischuck/tiny-cbor/esm/cbor/cbor_internal.js
+function decodeLength(data, argument, index) {
+  if (argument < 24) {
+    return [argument, 1];
+  }
+  const remainingDataLength = data.byteLength - index - 1;
+  const view = new DataView(data.buffer, index + 1);
+  let output;
+  let bytes = 0;
+  switch (argument) {
+    case 24: {
+      if (remainingDataLength > 0) {
+        output = view.getUint8(0);
+        bytes = 2;
+      }
+      break;
+    }
+    case 25: {
+      if (remainingDataLength > 1) {
+        output = view.getUint16(0, false);
+        bytes = 3;
+      }
+      break;
+    }
+    case 26: {
+      if (remainingDataLength > 3) {
+        output = view.getUint32(0, false);
+        bytes = 5;
+      }
+      break;
+    }
+    case 27: {
+      if (remainingDataLength > 7) {
+        const bigOutput = view.getBigUint64(0, false);
+        if (bigOutput >= 24n && bigOutput <= Number.MAX_SAFE_INTEGER) {
+          return [Number(bigOutput), 9];
+        }
+      }
+      break;
+    }
+  }
+  if (output && output >= 24) {
+    return [output, bytes];
+  }
+  throw new Error("Length not supported or not well formed");
+}
+var MAJOR_TYPE_UNSIGNED_INTEGER = 0;
+var MAJOR_TYPE_NEGATIVE_INTEGER = 1;
+var MAJOR_TYPE_BYTE_STRING = 2;
+var MAJOR_TYPE_TEXT_STRING = 3;
+var MAJOR_TYPE_ARRAY = 4;
+var MAJOR_TYPE_MAP = 5;
+var MAJOR_TYPE_TAG = 6;
+var MAJOR_TYPE_SIMPLE_OR_FLOAT = 7;
+function encodeLength(major2, argument) {
+  const majorEncoded = major2 << 5;
+  if (argument < 0) {
+    throw new Error("CBOR Data Item argument must not be negative");
+  }
+  let bigintArgument;
+  if (typeof argument == "number") {
+    if (!Number.isInteger(argument)) {
+      throw new Error("CBOR Data Item argument must be an integer");
+    }
+    bigintArgument = BigInt(argument);
+  } else {
+    bigintArgument = argument;
+  }
+  if (major2 == MAJOR_TYPE_NEGATIVE_INTEGER) {
+    if (bigintArgument == 0n) {
+      throw new Error("CBOR Data Item argument cannot be zero when negative");
+    }
+    bigintArgument = bigintArgument - 1n;
+  }
+  if (bigintArgument > 18446744073709551615n) {
+    throw new Error("CBOR number out of range");
+  }
+  const buffer = new Uint8Array(8);
+  const view = new DataView(buffer.buffer);
+  view.setBigUint64(0, bigintArgument, false);
+  if (bigintArgument <= 23) {
+    return [majorEncoded | buffer[7]];
+  } else if (bigintArgument <= 255) {
+    return [majorEncoded | 24, buffer[7]];
+  } else if (bigintArgument <= 65535) {
+    return [majorEncoded | 25, ...buffer.slice(6)];
+  } else if (bigintArgument <= 4294967295) {
+    return [
+      majorEncoded | 26,
+      ...buffer.slice(4)
+    ];
+  } else {
+    return [
+      majorEncoded | 27,
+      ...buffer
+    ];
+  }
+}
+
+// ../../node_modules/.pnpm/@levischuck+tiny-cbor@0.2.11/node_modules/@levischuck/tiny-cbor/esm/cbor/cbor.js
+var CBORTag = class {
+  /**
+   * Wrap a value with a tag number.
+   * When encoded, this tag will be attached to the value.
+   *
+   * @param tag Tag number
+   * @param value Wrapped value
    */
   constructor(tag, value) {
     Object.defineProperty(this, "tagId", {
@@ -104202,7 +104746,7 @@ var import_semantic_conventions = __toESM(require_src3());
 function traced(tracerName, options = {}, metricOptions = {}) {
   const tracer = trace.getTracer(
     tracerName,
-    false ? void 0 : "v3.7.0-alpha.16977445547"
+    false ? void 0 : "v3.7.0-alpha.17049743052"
   );
   return function(target, propertyKey, descriptor) {
     const originalMethod = descriptor.value;
@@ -104284,7 +104828,7 @@ function getHistogram(meter) {
   }
   return metrics.getMeter(
     meter.meter,
-    false ? void 0 : "v3.7.0-alpha.16977445547"
+    false ? void 0 : "v3.7.0-alpha.17049743052"
   ).createHistogram(meter.name, meter.options);
 }
 function getCounter(meter) {
@@ -104293,7 +104837,7 @@ function getCounter(meter) {
   }
   return metrics.getMeter(
     meter.meter,
-    false ? void 0 : "v3.7.0-alpha.16977445547"
+    false ? void 0 : "v3.7.0-alpha.17049743052"
   ).createCounter(meter.name, meter.options);
 }
 function traceHttpResponse(options = {}) {
@@ -104335,12 +104879,11 @@ var MAX_EMAIL_ADDRESS_LENGTH = 200;
 var MAX_SMS_ADDRESS_LENGTH = 30;
 var PRIVO_OPEN_ID_PROVIDER = "privo";
 var AuthController = class {
-  constructor(authStore, messenger, configStore, forceAllowSubscriptionFeatures = false, privoClient = null, relyingParties = []) {
+  constructor(authStore, messenger, configStore, privoClient = null, relyingParties = []) {
     this._privoClient = null;
     this._store = authStore;
     this._messenger = messenger;
     this._config = configStore;
-    this._forceAllowSubscriptionFeatures = forceAllowSubscriptionFeatures;
     this._privoClient = privoClient;
     this._webAuthNRelyingParties = relyingParties;
     this._privoEnabled = this._privoClient !== null;
@@ -106340,41 +106883,25 @@ var AuthController = class {
     }
   }
   async _getSubscriptionInfo(user) {
-    const hasActiveSubscription = this._forceAllowSubscriptionFeatures || isActiveSubscription(user.subscriptionStatus);
     let tier = null;
-    let sub = null;
     const subscriptionConfig = await this._config.getSubscriptionConfiguration();
-    if (hasActiveSubscription) {
-      if (user.subscriptionId) {
-        sub = subscriptionConfig?.subscriptions.find(
-          (s3) => s3.id === user.subscriptionId
-        );
-      }
-      if (!sub) {
-        sub = subscriptionConfig?.subscriptions[0];
-        if (sub) {
-          console.log(
-            "[AuthController] [getUserInfo] Using first subscription for user."
-          );
-        }
-      }
-      tier = "beta";
-    }
-    if (!sub) {
-      sub = subscriptionConfig?.subscriptions.find(
-        (s3) => s3.defaultSubscription
-      );
-      if (sub) {
-        console.log(
-          "[AuthController] [getUserInfo] Using default subscription for user."
-        );
-      }
-    }
+    const sub = getSubscription(
+      subscriptionConfig,
+      user.subscriptionStatus,
+      user.subscriptionId,
+      "user",
+      user.subscriptionPeriodStartMs,
+      user.subscriptionPeriodEndMs
+    );
     if (sub) {
       tier = sub.tier || "beta";
     }
     return {
-      hasActiveSubscription,
+      hasActiveSubscription: !!sub && isActiveSubscription(
+        user.subscriptionStatus,
+        user.subscriptionPeriodStartMs,
+        user.subscriptionPeriodEndMs
+      ),
       subscriptionId: sub?.id,
       subscriptionTier: tier
     };
@@ -106511,926 +107038,395 @@ var AuthController = class {
       span?.setStatus({ code: SpanStatusCode.ERROR });
       console.error(
         "[AuthController] Error ocurred while requesting a change in privacy features",
-        err
-      );
-      return {
-        success: false,
-        errorCode: "server_error",
-        errorMessage: "A server error occurred."
-      };
-    }
-  }
-  async listEmailRules() {
-    try {
-      const rules = await this._store.listEmailRules();
-      return {
-        success: true,
-        rules
-      };
-    } catch (err) {
-      const span = trace.getActiveSpan();
-      span?.recordException(err);
-      span?.setStatus({ code: SpanStatusCode.ERROR });
-      console.error(
-        "[AuthController] Error ocurred while listing email rules",
-        err
-      );
-      return {
-        success: false,
-        errorCode: "server_error",
-        errorMessage: "A server error occurred."
-      };
-    }
-  }
-  async listSmsRules() {
-    try {
-      const rules = await this._store.listSmsRules();
-      return {
-        success: true,
-        rules
-      };
-    } catch (err) {
-      const span = trace.getActiveSpan();
-      span?.recordException(err);
-      span?.setStatus({ code: SpanStatusCode.ERROR });
-      console.error(
-        "[AuthController] Error ocurred while listing email rules",
-        err
-      );
-      return {
-        success: false,
-        errorCode: "server_error",
-        errorMessage: "A server error occurred."
-      };
-    }
-  }
-  async isValidEmailAddress(email) {
-    try {
-      const valid = await this._validateAddress(email, "email");
-      if (!valid) {
-        return {
-          success: true,
-          allowed: false
-        };
-      }
-      if (this._privoClient) {
-        const config2 = await this._config.getPrivoConfiguration();
-        if (config2) {
-          const result = await this._privoClient.checkEmail(email);
-          const allowed = result.available && !result.profanity;
-          return {
-            success: true,
-            allowed,
-            suggestions: result.suggestions,
-            profanity: result.profanity
-          };
-        }
-      }
-      return {
-        success: true,
-        allowed: true
-      };
-    } catch (err) {
-      const span = trace.getActiveSpan();
-      span?.recordException(err);
-      span?.setStatus({ code: SpanStatusCode.ERROR });
-      console.error(
-        "[AuthController] Error ocurred while checking if email address is valid",
-        err
-      );
-      return {
-        success: false,
-        errorCode: "server_error",
-        errorMessage: "A server error occurred."
-      };
-    }
-  }
-  async isValidDisplayName(displayName, name) {
-    try {
-      if (this._privoClient) {
-        if (name) {
-          const lowercaseName = name.trim().toLowerCase();
-          const lowercaseDisplayName = displayName.trim().toLowerCase();
-          if (lowercaseDisplayName.includes(lowercaseName)) {
-            return {
-              success: true,
-              allowed: false,
-              containsName: true
-            };
-          }
-        }
-        const config2 = await this._config.getPrivoConfiguration();
-        if (config2) {
-          const result = await this._privoClient.checkDisplayName(
-            displayName
-          );
-          const allowed = result.available && !result.profanity;
-          return {
-            success: true,
-            allowed,
-            suggestions: result.suggestions,
-            profanity: result.profanity
-          };
-        }
-      }
-      return {
-        success: true,
-        allowed: true
-      };
-    } catch (err) {
-      const span = trace.getActiveSpan();
-      span?.recordException(err);
-      span?.setStatus({ code: SpanStatusCode.ERROR });
-      console.error(
-        "[AuthController] Error ocurred while checking if display name is valid",
-        err
-      );
-      return {
-        success: false,
-        errorCode: "server_error",
-        errorMessage: "A server error occurred."
-      };
-    }
-  }
-  /**
-   * Issues a new session for the given user.
-   * @param userId The ID of the user to issue the session for.
-   * @param lifetimeMs The lifetime of the session in milliseconds. If null, then the session will not expire.
-   * @param previousSession The previous session that this session is replacing. If null, then this session is not related to another session.
-   * @param ipAddress The IP address that the session is being issued to. Should be null if the ip address is not known.
-   */
-  async _issueSession({
-    userId,
-    lifetimeMs,
-    previousSession,
-    ipAddress,
-    requestId,
-    ...rest
-  }) {
-    const now2 = Date.now();
-    const newSessionId = (0, import_base64_js10.fromByteArray)((0, import_tweetnacl4.randomBytes)(SESSION_ID_BYTE_LENGTH));
-    const newSessionSecret = (0, import_base64_js10.fromByteArray)(
-      (0, import_tweetnacl4.randomBytes)(SESSION_SECRET_BYTE_LENGTH)
-    );
-    const newConnectionSecret = (0, import_base64_js10.fromByteArray)(
-      (0, import_tweetnacl4.randomBytes)(SESSION_SECRET_BYTE_LENGTH)
-    );
-    const newSession = {
-      ...rest,
-      userId,
-      sessionId: newSessionId,
-      requestId: requestId ?? null,
-      secretHash: this._hashHighEntropyPasswordWithSalt(
-        newSessionSecret,
-        newSessionId
-      ),
-      connectionSecret: newConnectionSecret,
-      grantedTimeMs: now2,
-      revokeTimeMs: null,
-      expireTimeMs: lifetimeMs ? now2 + lifetimeMs : null,
-      previousSessionId: previousSession?.sessionId ?? null,
-      nextSessionId: null,
-      ipAddress
-    };
-    if (requestId) {
-      await this._store.markLoginRequestComplete(userId, requestId, now2);
-    }
-    if (rest.webauthnRequestId) {
-      await this._store.markWebAuthnLoginRequestComplete(
-        rest.webauthnRequestId,
-        userId,
-        now2
-      );
-    }
-    if (rest.oidRequestId) {
-      await this._store.markOpenIDLoginRequestComplete(
-        rest.oidRequestId,
-        now2
-      );
-    }
-    if (previousSession) {
-      await this._store.replaceSession(previousSession, newSession, now2);
-    } else {
-      await this._store.saveSession(newSession);
-    }
-    const metadata = await this._store.findUserLoginMetadata(userId);
-    const info = {
-      userId,
-      sessionKey: formatV1SessionKey(
-        userId,
-        newSessionId,
-        newSessionSecret,
-        newSession.expireTimeMs
-      ),
-      connectionKey: formatV1ConnectionKey(
-        userId,
-        newSessionId,
-        newConnectionSecret,
-        newSession.expireTimeMs
-      ),
-      expireTimeMs: newSession.expireTimeMs,
-      metadata: {
-        hasUserAuthenticator: metadata?.hasUserAuthenticator ?? false,
-        userAuthenticatorCredentialIds: metadata?.userAuthenticatorCredentialIds ?? [],
-        hasPushSubscription: metadata?.hasPushSubscription ?? false,
-        pushSubscriptionIds: metadata?.pushSubscriptionIds ?? []
-      }
-    };
-    console.log(
-      `[AuthController] [issueSession userId: ${userId} newSessionId: ${newSessionId} expiresAt: ${newSession.expireTimeMs}] Issued session.`
-    );
-    return {
-      newSession,
-      info
-    };
-  }
-};
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "createAccount", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "issueSession", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "_hashHighEntropyPasswordWithSalt", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "requestLogin", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "completeLogin", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "requestOpenIDLogin", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "processOpenIDAuthorizationCode", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "completeOpenIDLogin", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "requestPrivoSignUp", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "requestWebAuthnRegistration", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "completeWebAuthnRegistration", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "requestWebAuthnLogin", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "completeWebAuthnLogin", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "listUserAuthenticators", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "deleteUserAuthenticator", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "validateSessionKey", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "verifyPasswordAgainstHashes", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "validateConnectionToken", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "revokeSession", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "revokeAllSessions", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "replaceSession", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "listSessions", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "getUserInfo", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "getPublicUserInfo", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "updateUserInfo", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "requestPrivacyFeaturesChange", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "listEmailRules", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "listSmsRules", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "isValidEmailAddress", 1);
-__decorateClass([
-  traced(TRACE_NAME)
-], AuthController.prototype, "isValidDisplayName", 1);
-async function validateSessionKey(auth7, sessionKey) {
-  if (!sessionKey) {
-    return {
-      success: false,
-      userId: null,
-      role: null,
-      errorCode: "no_session_key",
-      errorMessage: "A session key was not provided, but it is required for this operation."
-    };
-  }
-  const result = await auth7.validateSessionKey(sessionKey);
-  if (result.success === true) {
-    const span = trace.getActiveSpan();
-    if (span) {
-      span.setAttributes({
-        [import_semantic_conventions2.SEMATTRS_ENDUSER_ID]: result.userId,
-        ["request.userId"]: result.userId,
-        ["request.userRole"]: result.role,
-        ["request.sessionId"]: result.sessionId,
-        ["request.subscriptionId"]: result.subscriptionId,
-        ["request.subscriptionTier"]: result.subscriptionTier
-      });
-    }
-  }
-  return result;
-}
-function getPrivacyFeaturesFromPermissions(featureIds, permissions) {
-  const publishData = permissions.some(
-    (p2) => p2.on && p2.featureId === featureIds.projectDevelopment
-  );
-  const allowPublicData = publishData && permissions.some(
-    (p2) => p2.on && p2.featureId === featureIds.publishProjects
-  );
-  const allowAI = permissions.some(
-    (p2) => p2.on && p2.featureId === featureIds.buildAIEggs
-  );
-  const allowPublicInsts = publishData && permissions.some(
-    (p2) => p2.on && p2.featureId === featureIds.joinAndCollaborate
-  );
-  return {
-    publishData,
-    allowPublicData,
-    allowAI,
-    allowPublicInsts
-  };
-}
-function findRelyingPartyForOrigin(relyingParties, originOrHost) {
-  if (!originOrHost) {
-    return relyingParties[0];
-  }
-  return relyingParties.find((rp) => {
-    const matchesOrigin = rp.origin === originOrHost;
-    if (matchesOrigin) {
-      return true;
-    }
-    const originUrl = new URL(rp.origin);
-    const host = originUrl.host;
-    return originOrHost === host;
-  });
-}
-
-// ../aux-records/RecordsController.ts
-var import_tweetnacl5 = __toESM(require_nacl_fast());
-var import_base64_js11 = __toESM(require_base64_js());
-
-// ../aux-records/SubscriptionConfiguration.ts
-var webhookFeaturesSchema = z.object({
-  allowed: z.boolean().describe(
-    "Whether webhook features are granted for the subscription."
-  ),
-  maxItems: z.number().describe(
-    "The maximum number of webhook items that are allowed for the subscription. If not specified, then there is no limit."
-  ).int().optional(),
-  tokenLifetimeMs: z.number().describe(
-    "The lifetime of session tokens that are issued to the webhook in miliseconds. Defaults to 5 minutes."
-  ).int().positive().optional().nullable().default(5 * 60 * 1e3),
-  initTimeoutMs: z.number().describe(
-    "The maximum number of miliseconds that the webhook has to initialize. Defaults to 5000ms."
-  ).int().positive().optional().nullable().default(5e3),
-  requestTimeoutMs: z.number().describe(
-    "The maximum number of miliseconds that the webhook has to respond to a request after being initialized. Defaults to 5000ms"
-  ).int().positive().optional().nullable().default(5e3),
-  fetchTimeoutMs: z.number().describe(
-    "The maximum number of miliseconds that the system will take to fetch the AUX state for the webhook. Defaults to 5000ms."
-  ).int().positive().optional().nullable().default(5e3),
-  addStateTimeoutMs: z.number().describe(
-    "The maximum number of miliseconds that the system will take to add the AUX state to the webhook simulation. Defaults to 1000ms."
-  ).int().positive().optional().nullable().default(1e3),
-  maxRunsPerPeriod: z.number().describe(
-    "The maximum number of webhook runs allowed per subscription period. If not specified, then there is no limit."
-  ).int().positive().optional(),
-  maxRunsPerHour: z.number().describe(
-    "The maximum number of webhook runs allowed per hour for the subscription. If not specified, then there is no limit."
-  ).int().positive().optional()
-}).describe(
-  "The configuration for webhook features. Defaults to not allowed."
-).optional().default({
-  allowed: false
-});
-var subscriptionFeaturesSchema = z.object({
-  records: z.object({
-    allowed: z.boolean().describe(
-      "Whether records are allowed for the subscription. If false, then every request to create or update a record will be rejected."
-    ),
-    maxRecords: z.number().describe(
-      "The maximum number of records allowed for the subscription."
-    ).int().positive().optional()
-  }).describe("The configuration for record features.").optional(),
-  data: z.object({
-    allowed: z.boolean().describe(
-      "Whether data resources are allowed for the subscription. If false, then every request to create or update a data resource will be rejected."
-    ),
-    maxItems: z.number({}).describe(
-      "The maximum number of data resource items allowed for the subscription. If omitted, then there is no limit."
-    ).int().positive().optional(),
-    maxReadsPerPeriod: z.number().describe(
-      "The maximum number of data item reads allowed per subscription period. If omitted, then there is no limit."
-    ).int().positive().optional(),
-    maxWritesPerPeriod: z.number().describe(
-      "The maximum number of data item writes allowed per subscription period. If omitted, then there is no limit."
-    ).int().positive().optional(),
-    maxItemSizeInBytes: z.number().describe(
-      "The maximum number of bytes that can be stored in a single data item. If set to null, then there is no limit. If omitted, then the limit is 500,000 bytes (500KB)"
-    ).int().positive().nullable().optional().default(5e5)
-  }),
-  files: z.object({
-    allowed: z.boolean().describe(
-      "Whether file resources are allowed for the subscription. If false, then every request to create or update a file resource will be rejected."
-    ),
-    maxFiles: z.number().describe(
-      "The maximum number of files allowed for the subscription. If omitted, then there is no limit."
-    ).int().positive().optional(),
-    maxBytesPerFile: z.number().describe(
-      "The maximum number of bytes per file allowed for the subscription. If omitted, then there is no limit."
-    ).int().positive().optional(),
-    maxBytesTotal: z.number().describe(
-      "The maximum number of file bytes that can be stored for the subscription. If omitted, then there is no limit."
-    ).int().positive().optional()
-  }),
-  events: z.object({
-    allowed: z.boolean().describe(
-      "Whether event resources are allowed for the subscription. If false, then every request to increment or count events will be rejected."
-    ),
-    maxEvents: z.number().describe(
-      "The maximum number of distinct event names that are allowed for the subscription. If omitted, then there is no limit."
-    ).int().positive().optional(),
-    maxUpdatesPerPeriod: z.number().describe("Not currently implemented.").int().positive().optional()
-  }),
-  policies: z.object({
-    allowed: z.boolean().describe(
-      "Whether policy resources are allowed for the subscription. If false, then every request to create or update a policy will be rejected."
-    ),
-    maxPolicies: z.number().describe("Not currently implemented.").int().positive().optional()
-  }),
-  ai: z.object({
-    chat: z.object({
-      allowed: z.boolean().describe(
-        "Whether AI chat requests are allowed for the subscription. If false, then every request to generate AI chat will be rejected."
-      ),
-      maxTokensPerPeriod: z.number().describe(
-        "The maximum number of AI chat tokens allowed per subscription period. If omitted, then there is no limit."
-      ).int().positive().optional(),
-      allowedModels: z.array(z.string()).describe(
-        "The list of model IDs that are allowed for the subscription. If omitted, then all models are allowed."
-      ).optional()
-    }),
-    images: z.object({
-      allowed: z.boolean().describe(
-        "Whether AI image requests are allowed for the subscription. If false, then every request to generate AI images will be rejected."
-      ),
-      maxSquarePixelsPerPeriod: z.number().describe(
-        "The maximum number of square pixels (pixels squared) that are allowed to be generated per subscription period. If omitted, then there is no limit."
-      ).int().positive().optional()
-    }),
-    skyboxes: z.object({
-      allowed: z.boolean().describe(
-        "Whether AI Skybox requests are allowed for the subscription. If false, then every request to generate AI skyboxes will be rejected."
-      ),
-      maxSkyboxesPerPeriod: z.number().describe(
-        "The maximum number of skyboxes that are allowed to be generated per subscription period. If omitted, then there is no limit."
-      ).int().positive().optional()
-    }),
-    hume: z.object({
-      allowed: z.boolean().describe(
-        "Whether Hume AI features are allowed for the subscription. If false, then every request to generate Hume AI will be rejected."
-      )
-    }).describe(
-      "The configuration for Hume AI features for the subscription. Defaults to not allowed if omitted."
-    ).optional().default({
-      allowed: false
-    }),
-    sloyd: z.object({
-      allowed: z.boolean().describe(
-        "Whether Sloyd AI features are allowed for the subscription. If false, then every request to generate Sloyd AI will be rejected."
-      ),
-      maxModelsPerPeriod: z.number().describe(
-        "The maximum number of models that can be generated per subscription period. If omitted, then there is no limit."
-      ).positive().int().optional()
-    }).describe(
-      "The configuration for Sloyd AI features for the subscription. Defaults to not allowed if omitted."
-    ).optional().default({
-      allowed: false
-    }),
-    openai: z.object({
-      realtime: z.object({
-        allowed: z.boolean().describe(
-          "Whether OpenAI realtime API features are allowed."
-        ),
-        maxSessionsPerPeriod: z.number().describe(
-          "The maximum number of realtime sessions that can be initiated per subscription period. If omitted, then there is no limit."
-        ).int().positive().optional(),
-        maxResponseOutputTokens: z.number().describe(
-          "The maximum number of output tokens that can be generated per response per session. If omitted, then there is no limit."
-        ).int().positive().optional(),
-        allowedModels: z.array(z.string()).describe(
-          "The list of models that are allowed to be used with the realtime API. If ommited, then all models are allowed."
-        ).optional()
-      }).describe(
-        "The configuration for OpenAI realtime API features."
-      ).optional().default({
-        allowed: false
-      })
-    }).describe(
-      "The configuration for Open AI-specific features for the subscription. Defaults to not allowed if omitted."
-    ).optional().default({})
-  }),
-  insts: z.object({
-    allowed: z.boolean().describe(
-      "Whether insts are allowed for the subscription. If false, then every request to create or update an inst will be rejected."
-    ),
-    maxInsts: z.number().describe(
-      "The maximum number of private insts that are allowed for the subscription. If omitted, then there is no limit."
-    ).int().positive().optional(),
-    maxBytesPerInst: z.number().describe(
-      "The maximum number of bytes that can be stored in an inst. If omitted, then there is no limit."
-    ).int().positive().optional(),
-    maxActiveConnectionsPerInst: z.number().describe(
-      "The maximum number of active websocket connections that an inst can have. If omitted, then there is no limit."
-    ).int().positive().optional()
-  }),
-  comId: z.object({
-    allowed: z.boolean().describe("Whether comId features are granted to the studio."),
-    // allowCustomComId: z
-    //     .boolean()
-    //     .describe(
-    //         'Whether the studio is allowed to set their own comId. If false, then the user will be able to request changes to their comId, but they will not automatically apply.'
-    //     ),
-    maxStudios: z.number().describe(
-      "The maximum number of studios that can be created in this comId. If omitted, then there is no limit."
-    ).positive().int().optional()
-  }).describe(
-    "The configuration for comId features for studios. Defaults to not allowed."
-  ).optional().default({
-    allowed: false
-    // allowCustomComId: false,
-  }),
-  loom: z.object({
-    allowed: z.boolean().describe("Whether loom features are granted to the studio.")
-  }).describe(
-    "The configuration for loom features for studios. Defaults to not allowed."
-  ).optional().default({
-    allowed: false
-  }),
-  webhooks: webhookFeaturesSchema,
-  notifications: z.object({
-    allowed: z.boolean().describe(
-      "Whether notifications are allowed for the subscription."
-    ),
-    maxItems: z.number().describe(
-      "The maximum number of notification items that are allowed for the subscription. If not specified, then there is no limit."
-    ).int().positive().optional(),
-    maxSubscribersPerItem: z.number().describe(
-      "The maximum number of subscribers that a notification can have in the subscription. If not specified, then there is no limit."
-    ).int().positive().optional(),
-    maxSentNotificationsPerPeriod: z.number().describe(
-      'The maximum number of notifications that can be sent per subscription period. This tracks the number of times the "sendNotification" operation was called. If not specified, then there is no limit.'
-    ).int().positive().optional(),
-    maxSentPushNotificationsPerPeriod: z.number().describe(
-      "The maximum number of push notifications that can be sent per subscription period. This tracks the actual number of push notifications that were sent to users. If not specified, then there is no limit."
-    ).int().positive().optional()
-  }).describe(
-    "The configuration for notification features. Defaults to not allowed."
-  ).optional().default({
-    allowed: false
-  }),
-  packages: z.object({
-    allowed: z.boolean().describe("Whether packages are allowed for the subscription."),
-    maxItems: z.number().describe(
-      "The maximum number of packages that are allowed for the subscription. If not specified, then there is no limit."
-    ).int().positive().optional(),
-    maxPackageVersions: z.number().describe(
-      "The maximum number of package versions that are allowed for the subscription. If not specified, then there is no limit."
-    ).int().positive().optional(),
-    maxPackageVersionSizeInBytes: z.number().describe(
-      "The maximum number of bytes that a single package version can be. If not specified, then there is no limit."
-    ).int().positive().optional(),
-    maxPackageBytesTotal: z.number().describe(
-      "The maximum number of bytes that all package versions in the subscription can be. If not specified, then there is no limit."
-    ).int().positive().optional()
-  }).describe(
-    "The configuration for package features. Defaults to allowed."
-  ).optional().default({
-    allowed: true
-  }),
-  search: z.object({
-    allowed: z.boolean().describe(
-      "Whether search records are allowed for the subscription."
-    ),
-    maxItems: z.number().describe(
-      "The maximum number of search records that can be created for the subscription. If not specified, then there is no limit."
-    ).int().positive().optional()
-  }).describe(
-    "The configuration for search records features. Defaults to allowed."
-  ).optional().default({
-    allowed: true
-  })
-});
-var subscriptionConfigSchema = z.object({
-  webhookSecret: z.string().describe(
-    "The Stripe Webhook secret. Used to validate that webhooks are actually coming from Stripe."
-  ).nonempty(),
-  successUrl: z.string().describe(
-    "The URL that successful Stripe checkout sessions should be redirected to."
-  ).nonempty(),
-  cancelUrl: z.string().describe(
-    "The URL that canceled Stripe checkout sessions should be redirected to."
-  ).nonempty(),
-  returnUrl: z.string().describe(
-    "The URL that users should be redirected to when exiting the Stripe subscription management customer portal."
-  ).nonempty(),
-  portalConfig: z.object({}).describe(
-    "Additional options that should be passed to stripe.billingPortal.sessions.create()."
-  ).passthrough().optional().nullable(),
-  checkoutConfig: z.object({}).describe(
-    "Additional options that should be passed to stripe.checkout.sessions.create()."
-  ).passthrough().optional().nullable(),
-  subscriptions: z.array(
-    z.object({
-      id: z.string().describe(
-        "The ID of the subscription. Can be anything, but it must be unique to each subscription and never change."
-      ).nonempty(),
-      product: z.string().describe(
-        "The ID of the Stripe product that is being offered by this subscription. If omitted, then this subscription will be shown but not able to be purchased."
-      ).nonempty().optional(),
-      featureList: z.array(z.string().nonempty()).describe(
-        "The list of features that should be shown for this subscription tier."
-      ),
-      eligibleProducts: z.array(z.string().nonempty()).describe(
-        "The list of Stripe product IDs that count as eligible for this subscription. Useful if you want to change the product of this subscription, but grandfather in existing users."
-      ).optional(),
-      defaultSubscription: z.boolean().describe(
-        "Whether this subscription should be granted to users if they don't already have a subscription. The first in the list of subscriptions that is marked as the default will be used. Defaults to false"
-      ).optional(),
-      purchasable: z.boolean().describe(
-        "Whether this subscription is purchasable and should be offered to users who do not already have a subscription. If false, then this subscription will not be shown to users unless they already have an active subscription for it. Defaults to true."
-      ).optional(),
-      name: z.string().describe(
-        "The name of the subscription. Ignored if a Stripe product is specified."
-      ).nonempty().optional(),
-      description: z.string().describe(
-        "The description of the subscription. Ignored if a Stripe product is specified."
-      ).nonempty().optional(),
-      tier: z.string().describe(
-        'The tier of this subscription. Useful for grouping multiple subscriptions into the same set of features. Defaults to "beta"'
-      ).nonempty().optional(),
-      userOnly: z.boolean().describe(
-        "Whether this subscription can only be purchased by individual users. Defaults to false."
-      ).optional(),
-      studioOnly: z.boolean().describe(
-        "Whether this subscription can only be purchased by studios. Defaults to false."
-      ).optional()
-    })
-  ).describe("The list of subscriptions that are in use."),
-  tiers: z.object({}).describe(
-    "The configuration for the subscription tiers. Each key should be a tier."
-  ).catchall(
-    z.object({
-      features: subscriptionFeaturesSchema.optional()
-    }).describe("The configuration for an individual tier.")
-  ).optional(),
-  defaultFeatures: z.object({
-    user: subscriptionFeaturesSchema.describe(
-      "The features that are available for users who either dont have a subscription for have a subscription for a tier that is not listed in the tiers configuration. Defaults to an object that allows all features."
-    ).optional(),
-    studio: subscriptionFeaturesSchema.describe(
-      "The features that are available for studios who either dont have a subscription for have a subscription for a tier that is not listed in the tiers configuration. Defaults to an object that allows all features."
-    ).optional(),
-    defaultPeriodLength: z.object({
-      days: z.number().int().nonnegative().optional(),
-      months: z.number().int().nonnegative().optional()
-    }).describe(
-      "The length of the period for users that do not have a subscription. Defaults to 1 month and 0 days."
-    ).optional().default({
-      days: 0,
-      months: 1
-    }),
-    publicInsts: z.object({
-      allowed: z.boolean().describe(
-        "Whether public (temp) insts are allowed. If false, then every request to create or update a public inst will be rejected."
-      ),
-      maxBytesPerInst: z.number().describe(
-        "The maximum number of bytes that can be stored for a public inst. If omitted, then there is no limit."
-      ).int().positive().optional(),
-      maxActiveConnectionsPerInst: z.number().describe(
-        "The maximum number of active connections that are allowed for a public inst. If omitted, then there is no limit."
-      ).int().positive().optional()
-    }).describe(
-      "The feature limits for public insts (insts that do not belong to a record and will expire after a preset time). Defaults to an object that allows all features."
-    ).optional()
-  }).optional()
-});
-function allowAllFeatures() {
-  return {
-    records: {
-      allowed: true
-    },
-    ai: {
-      chat: {
-        allowed: true
-      },
-      images: {
-        allowed: true
-      },
-      skyboxes: {
-        allowed: true
-      },
-      hume: {
-        allowed: true
-      },
-      sloyd: {
+        err
+      );
+      return {
+        success: false,
+        errorCode: "server_error",
+        errorMessage: "A server error occurred."
+      };
+    }
+  }
+  async listEmailRules() {
+    try {
+      const rules = await this._store.listEmailRules();
+      return {
+        success: true,
+        rules
+      };
+    } catch (err) {
+      const span = trace.getActiveSpan();
+      span?.recordException(err);
+      span?.setStatus({ code: SpanStatusCode.ERROR });
+      console.error(
+        "[AuthController] Error ocurred while listing email rules",
+        err
+      );
+      return {
+        success: false,
+        errorCode: "server_error",
+        errorMessage: "A server error occurred."
+      };
+    }
+  }
+  async listSmsRules() {
+    try {
+      const rules = await this._store.listSmsRules();
+      return {
+        success: true,
+        rules
+      };
+    } catch (err) {
+      const span = trace.getActiveSpan();
+      span?.recordException(err);
+      span?.setStatus({ code: SpanStatusCode.ERROR });
+      console.error(
+        "[AuthController] Error ocurred while listing email rules",
+        err
+      );
+      return {
+        success: false,
+        errorCode: "server_error",
+        errorMessage: "A server error occurred."
+      };
+    }
+  }
+  async isValidEmailAddress(email) {
+    try {
+      const valid = await this._validateAddress(email, "email");
+      if (!valid) {
+        return {
+          success: true,
+          allowed: false
+        };
+      }
+      if (this._privoClient) {
+        const config2 = await this._config.getPrivoConfiguration();
+        if (config2) {
+          const result = await this._privoClient.checkEmail(email);
+          const allowed = result.available && !result.profanity;
+          return {
+            success: true,
+            allowed,
+            suggestions: result.suggestions,
+            profanity: result.profanity
+          };
+        }
+      }
+      return {
+        success: true,
         allowed: true
-      },
-      openai: {
-        realtime: {
-          allowed: true
+      };
+    } catch (err) {
+      const span = trace.getActiveSpan();
+      span?.recordException(err);
+      span?.setStatus({ code: SpanStatusCode.ERROR });
+      console.error(
+        "[AuthController] Error ocurred while checking if email address is valid",
+        err
+      );
+      return {
+        success: false,
+        errorCode: "server_error",
+        errorMessage: "A server error occurred."
+      };
+    }
+  }
+  async isValidDisplayName(displayName, name) {
+    try {
+      if (this._privoClient) {
+        if (name) {
+          const lowercaseName = name.trim().toLowerCase();
+          const lowercaseDisplayName = displayName.trim().toLowerCase();
+          if (lowercaseDisplayName.includes(lowercaseName)) {
+            return {
+              success: true,
+              allowed: false,
+              containsName: true
+            };
+          }
+        }
+        const config2 = await this._config.getPrivoConfiguration();
+        if (config2) {
+          const result = await this._privoClient.checkDisplayName(
+            displayName
+          );
+          const allowed = result.available && !result.profanity;
+          return {
+            success: true,
+            allowed,
+            suggestions: result.suggestions,
+            profanity: result.profanity
+          };
         }
       }
-    },
-    data: {
-      allowed: true
-    },
-    events: {
-      allowed: true
-    },
-    files: {
-      allowed: true
-    },
-    insts: {
-      allowed: true
-    },
-    notifications: {
-      allowed: true
-    },
-    packages: {
-      allowed: true
-    },
-    search: {
-      allowed: true
+      return {
+        success: true,
+        allowed: true
+      };
+    } catch (err) {
+      const span = trace.getActiveSpan();
+      span?.recordException(err);
+      span?.setStatus({ code: SpanStatusCode.ERROR });
+      console.error(
+        "[AuthController] Error ocurred while checking if display name is valid",
+        err
+      );
+      return {
+        success: false,
+        errorCode: "server_error",
+        errorMessage: "A server error occurred."
+      };
     }
-  };
-}
-function getSearchFeatures(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
-  const features = getSubscriptionFeatures(
-    config2,
-    subscriptionStatus,
-    subscriptionId,
-    type,
-    periodStartMs,
-    periodEndMs,
-    nowMs
-  );
-  return features.search ?? { allowed: true };
+  }
+  /**
+   * Issues a new session for the given user.
+   * @param userId The ID of the user to issue the session for.
+   * @param lifetimeMs The lifetime of the session in milliseconds. If null, then the session will not expire.
+   * @param previousSession The previous session that this session is replacing. If null, then this session is not related to another session.
+   * @param ipAddress The IP address that the session is being issued to. Should be null if the ip address is not known.
+   */
+  async _issueSession({
+    userId,
+    lifetimeMs,
+    previousSession,
+    ipAddress,
+    requestId,
+    ...rest
+  }) {
+    const now2 = Date.now();
+    const newSessionId = (0, import_base64_js10.fromByteArray)((0, import_tweetnacl4.randomBytes)(SESSION_ID_BYTE_LENGTH));
+    const newSessionSecret = (0, import_base64_js10.fromByteArray)(
+      (0, import_tweetnacl4.randomBytes)(SESSION_SECRET_BYTE_LENGTH)
+    );
+    const newConnectionSecret = (0, import_base64_js10.fromByteArray)(
+      (0, import_tweetnacl4.randomBytes)(SESSION_SECRET_BYTE_LENGTH)
+    );
+    const newSession = {
+      ...rest,
+      userId,
+      sessionId: newSessionId,
+      requestId: requestId ?? null,
+      secretHash: this._hashHighEntropyPasswordWithSalt(
+        newSessionSecret,
+        newSessionId
+      ),
+      connectionSecret: newConnectionSecret,
+      grantedTimeMs: now2,
+      revokeTimeMs: null,
+      expireTimeMs: lifetimeMs ? now2 + lifetimeMs : null,
+      previousSessionId: previousSession?.sessionId ?? null,
+      nextSessionId: null,
+      ipAddress
+    };
+    if (requestId) {
+      await this._store.markLoginRequestComplete(userId, requestId, now2);
+    }
+    if (rest.webauthnRequestId) {
+      await this._store.markWebAuthnLoginRequestComplete(
+        rest.webauthnRequestId,
+        userId,
+        now2
+      );
+    }
+    if (rest.oidRequestId) {
+      await this._store.markOpenIDLoginRequestComplete(
+        rest.oidRequestId,
+        now2
+      );
+    }
+    if (previousSession) {
+      await this._store.replaceSession(previousSession, newSession, now2);
+    } else {
+      await this._store.saveSession(newSession);
+    }
+    const metadata = await this._store.findUserLoginMetadata(userId);
+    const info = {
+      userId,
+      sessionKey: formatV1SessionKey(
+        userId,
+        newSessionId,
+        newSessionSecret,
+        newSession.expireTimeMs
+      ),
+      connectionKey: formatV1ConnectionKey(
+        userId,
+        newSessionId,
+        newConnectionSecret,
+        newSession.expireTimeMs
+      ),
+      expireTimeMs: newSession.expireTimeMs,
+      metadata: {
+        hasUserAuthenticator: metadata?.hasUserAuthenticator ?? false,
+        userAuthenticatorCredentialIds: metadata?.userAuthenticatorCredentialIds ?? [],
+        hasPushSubscription: metadata?.hasPushSubscription ?? false,
+        pushSubscriptionIds: metadata?.pushSubscriptionIds ?? []
+      }
+    };
+    console.log(
+      `[AuthController] [issueSession userId: ${userId} newSessionId: ${newSessionId} expiresAt: ${newSession.expireTimeMs}] Issued session.`
+    );
+    return {
+      newSession,
+      info
+    };
+  }
+};
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "createAccount", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "issueSession", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "_hashHighEntropyPasswordWithSalt", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "requestLogin", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "completeLogin", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "requestOpenIDLogin", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "processOpenIDAuthorizationCode", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "completeOpenIDLogin", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "requestPrivoSignUp", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "requestWebAuthnRegistration", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "completeWebAuthnRegistration", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "requestWebAuthnLogin", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "completeWebAuthnLogin", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "listUserAuthenticators", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "deleteUserAuthenticator", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "validateSessionKey", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "verifyPasswordAgainstHashes", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "validateConnectionToken", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "revokeSession", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "revokeAllSessions", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "replaceSession", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "listSessions", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "getUserInfo", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "getPublicUserInfo", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "updateUserInfo", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "requestPrivacyFeaturesChange", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "listEmailRules", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "listSmsRules", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "isValidEmailAddress", 1);
+__decorateClass([
+  traced(TRACE_NAME)
+], AuthController.prototype, "isValidDisplayName", 1);
+async function validateSessionKey(auth7, sessionKey) {
+  if (!sessionKey) {
+    return {
+      success: false,
+      userId: null,
+      role: null,
+      errorCode: "no_session_key",
+      errorMessage: "A session key was not provided, but it is required for this operation."
+    };
+  }
+  const result = await auth7.validateSessionKey(sessionKey);
+  if (result.success === true) {
+    const span = trace.getActiveSpan();
+    if (span) {
+      span.setAttributes({
+        [import_semantic_conventions2.SEMATTRS_ENDUSER_ID]: result.userId,
+        ["request.userId"]: result.userId,
+        ["request.userRole"]: result.role,
+        ["request.sessionId"]: result.sessionId,
+        ["request.subscriptionId"]: result.subscriptionId,
+        ["request.subscriptionTier"]: result.subscriptionTier
+      });
+    }
+  }
+  return result;
 }
-function getPackageFeatures(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
-  const features = getSubscriptionFeatures(
-    config2,
-    subscriptionStatus,
-    subscriptionId,
-    type,
-    periodStartMs,
-    periodEndMs,
-    nowMs
+function getPrivacyFeaturesFromPermissions(featureIds, permissions) {
+  const publishData = permissions.some(
+    (p2) => p2.on && p2.featureId === featureIds.projectDevelopment
   );
-  return features.packages ?? { allowed: true };
-}
-function getNotificationFeatures(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
-  const features = getSubscriptionFeatures(
-    config2,
-    subscriptionStatus,
-    subscriptionId,
-    type,
-    periodStartMs,
-    periodEndMs,
-    nowMs
+  const allowPublicData = publishData && permissions.some(
+    (p2) => p2.on && p2.featureId === featureIds.publishProjects
   );
-  return features.notifications ?? { allowed: false };
-}
-function getWebhookFeatures(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
-  const features = getSubscriptionFeatures(
-    config2,
-    subscriptionStatus,
-    subscriptionId,
-    type,
-    periodStartMs,
-    periodEndMs,
-    nowMs
+  const allowAI = permissions.some(
+    (p2) => p2.on && p2.featureId === featureIds.buildAIEggs
   );
-  return features.webhooks ?? webhookFeaturesSchema.parse({ allowed: false });
-}
-function getComIdFeatures(config2, subscriptionStatus, subscriptionId, periodStartMs, periodEndMs, nowMs = Date.now()) {
-  const features = getSubscriptionFeatures(
-    config2,
-    subscriptionStatus,
-    subscriptionId,
-    "studio",
-    periodStartMs,
-    periodEndMs,
-    nowMs
+  const allowPublicInsts = publishData && permissions.some(
+    (p2) => p2.on && p2.featureId === featureIds.joinAndCollaborate
   );
-  return features.comId ?? {
-    allowed: false
-    // allowCustomComId: false,
+  return {
+    publishData,
+    allowPublicData,
+    allowAI,
+    allowPublicInsts
   };
 }
-function getLoomFeatures(config2, subscriptionStatus, subscriptionId, periodStartMs, periodEndMs, nowMs = Date.now()) {
-  const features = getSubscriptionFeatures(
-    config2,
-    subscriptionStatus,
-    subscriptionId,
-    "studio",
-    periodStartMs,
-    periodEndMs,
-    nowMs
-  );
-  return features.loom ?? { allowed: false };
-}
-function getHumeAiFeatures(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
-  const features = getSubscriptionFeatures(
-    config2,
-    subscriptionStatus,
-    subscriptionId,
-    type,
-    periodStartMs,
-    periodEndMs,
-    nowMs
-  );
-  return features.ai.hume ?? { allowed: false };
-}
-function getSubscriptionFeatures(config2, subscriptionStatus, subscriptionId, type, periodStartMs, periodEndMs, nowMs = Date.now()) {
-  if (!config2) {
-    return allowAllFeatures();
+function findRelyingPartyForOrigin(relyingParties, originOrHost) {
+  if (!originOrHost) {
+    return relyingParties[0];
   }
-  if (config2.tiers) {
-    const roleSubscriptions = config2.subscriptions.filter(
-      (s3) => subscriptionMatchesRole(s3, type)
-    );
-    if (isActiveSubscription(
-      subscriptionStatus,
-      periodStartMs,
-      periodEndMs,
-      nowMs
-    )) {
-      const sub = roleSubscriptions.find((s3) => s3.id === subscriptionId);
-      const tier = sub?.tier;
-      const features = tier ? config2.tiers[tier]?.features : null;
-      if (features) {
-        return features;
-      }
-    } else {
-      const sub = roleSubscriptions.find((s3) => s3.defaultSubscription);
-      const tier = sub?.tier;
-      const features = tier ? config2.tiers[tier]?.features : null;
-      if (features) {
-        return features;
-      }
+  return relyingParties.find((rp) => {
+    const matchesOrigin = rp.origin === originOrHost;
+    if (matchesOrigin) {
+      return true;
     }
-  }
-  return config2.defaultFeatures?.[type] ?? allowAllFeatures();
-}
-function getSubscriptionTier(config2, subscriptionStatus, subId) {
-  if (!config2) {
-    return null;
-  }
-  if (!isActiveSubscription(subscriptionStatus)) {
-    return null;
-  }
-  const sub = config2.subscriptions.find((s3) => s3.id === subId);
-  return sub?.tier ?? null;
-}
-function subscriptionMatchesRole(subscription, role) {
-  const isUserOnly = subscription.userOnly ?? false;
-  const isStudioOnly = subscription.studioOnly ?? false;
-  const matchesRole = isUserOnly && role === "user" || isStudioOnly && role === "studio" || !isUserOnly && !isStudioOnly;
-  return matchesRole;
+    const originUrl = new URL(rp.origin);
+    const host = originUrl.host;
+    return originOrHost === host;
+  });
 }
 
+// ../aux-records/RecordsController.ts
+var import_tweetnacl5 = __toESM(require_nacl_fast());
+var import_base64_js11 = __toESM(require_base64_js());
+
 // ../aux-common/records/RecordKeys.js
 var DEFAULT_RECORD_KEY_POLICY2 = "subjectfull";
 function formatV2RecordKey(recordName, recordSecret, keyPolicy) {
@@ -108466,7 +108462,8 @@ var RecordsController = class {
             subscriptionTier: getSubscriptionTier(
               config2,
               s3.subscriptionStatus,
-              s3.subscriptionId
+              s3.subscriptionId,
+              "studio"
             ),
             ownerStudioComId: s3.ownerStudioComId,
             comId: s3.comId
@@ -108506,7 +108503,8 @@ var RecordsController = class {
             subscriptionTier: getSubscriptionTier(
               config2,
               s3.subscriptionStatus,
-              s3.subscriptionId
+              s3.subscriptionId,
+              "studio"
             ),
             ownerStudioComId: s3.ownerStudioComId,
             comId: s3.comId
@@ -115310,7 +115308,7 @@ var RecordsServer = class {
     this._searchRecordsController = searchRecordsController;
     this._tracer = trace.getTracer(
       "RecordsServer",
-      false ? void 0 : "v3.7.0-alpha.16977445547"
+      false ? void 0 : "v3.7.0-alpha.17049743052"
     );
     this._procedures = this._createProcedures();
     this._setupRoutes();
@@ -118347,8 +118345,8 @@ var RecordsServer = class {
         return {
           success: true,
           ...metadata,
-          version: true ? "v3.7.0-alpha.16977445547" : void 0,
-          versionHash: true ? "d22abb62ddde636eefe58909962668df3d6c9566" : void 0
+          version: true ? "v3.7.0-alpha.17049743052" : void 0,
+          versionHash: true ? "6b04efe09edd321556d2dfcc7d56a8f7d25336c1" : void 0
         };
       })
     };
@@ -150057,7 +150055,7 @@ var config = new Conf({
   projectName: "casualos-cli"
 });
 var program2 = new Command();
-program2.name("casualos").description("A CLI for CasualOS").version("v3.7.0-alpha.16977445547").option(
+program2.name("casualos").description("A CLI for CasualOS").version("v3.7.0-alpha.17049743052").option(
   "-e, --endpoint <url>",
   "The endpoint to use for queries. Can be used to override the current endpoint."
 );