dexie-cloud-addon 4.3.9 → 4.4.0

package/dist/modern/service-worker.js

@@ -8,7 +8,7 @@
  *
  * ==========================================================================
  *
- * Version 4.3.9, Thu Jan 29 2026
+ * Version 4.4.0, Wed Mar 18 2026
  *
  * https://dexie.org
  *
@@ -16,9 +16,9 @@
  * 
  */
 
-import Dexie, { PropModification, cmp, RangeSet, liveQuery } from 'dexie';
-import { Observable, BehaviorSubject, firstValueFrom, Subject, from, filter as filter$1, of, fromEvent, merge, switchMap as switchMap$1, tap as tap$1, mergeMap, Subscription, throwError, combineLatest, map as map$1, share, timer, startWith as startWith$1 } from 'rxjs';
-import { filter, switchMap, delay, distinctUntilChanged, map, tap, take, catchError, debounceTime, startWith, skip } from 'rxjs/operators';
+import Dexie, { PropModification, cmp, liveQuery, RangeSet } from 'dexie';
+import { Observable, BehaviorSubject, firstValueFrom, Subject, from, combineLatest, timer, filter as filter$1, of, fromEvent, merge, switchMap as switchMap$1, tap as tap$1, mergeMap, Subscription, throwError, map as map$1, share as share$1, startWith as startWith$1 } from 'rxjs';
+import { filter, map, share, switchMap, delay, distinctUntilChanged, tap, take, catchError, debounceTime, startWith, skip } from 'rxjs/operators';
 import { Encoder, writeVarString, writeAny, writeVarUint8Array, writeBigUint64, toUint8Array } from 'lib0/encoding';
 import { Decoder, readVarString, readAny, readVarUint8Array, readBigUint64, hasContent, readUint8 } from 'lib0/decoding';
 import * as Y from 'yjs';
@@ -325,6 +325,409 @@ function triggerSync(db, purpose) {
     }
 }
 
+const { toString: toStr } = {};
+function getToStringTag(val) {
+    return toStr.call(val).slice(8, -1);
+}
+function escapeDollarProps(value) {
+    const keys = Object.keys(value);
+    let dollarKeys = null;
+    for (let i = 0, l = keys.length; i < l; ++i) {
+        if (keys[i][0] === "$") {
+            dollarKeys = dollarKeys || [];
+            dollarKeys.push(keys[i]);
+        }
+    }
+    if (!dollarKeys)
+        return value;
+    const clone = { ...value };
+    for (const k of dollarKeys) {
+        delete clone[k];
+    }
+    for (const k of dollarKeys) {
+        clone["$" + k] = value[k];
+    }
+    return clone;
+}
+const ObjectDef = {
+    replace: escapeDollarProps,
+};
+function TypesonSimplified(...typeDefsInputs) {
+    const typeDefs = typeDefsInputs.reduce((p, c) => ({ ...p, ...c }), typeDefsInputs.reduce((p, c) => ({ ...c, ...p }), {}));
+    const protoMap = new WeakMap();
+    return {
+        stringify(value, alternateChannel, space) {
+            const json = JSON.stringify(value, function (key) {
+                const realVal = this[key];
+                const typeDef = getTypeDef(realVal);
+                return typeDef
+                    ? typeDef.replace(realVal, alternateChannel, typeDefs)
+                    : realVal;
+            }, space);
+            return json;
+        },
+        parse(tson, alternateChannel) {
+            const stack = [];
+            return JSON.parse(tson, function (key, value) {
+                //
+                // Parent Part
+                //
+                const type = value?.$t;
+                if (type) {
+                    const typeDef = typeDefs[type];
+                    value = typeDef
+                        ? typeDef.revive(value, alternateChannel, typeDefs)
+                        : value;
+                }
+                let top = stack[stack.length - 1];
+                if (top && top[0] === value) {
+                    // Do what the kid told us to
+                    // Unescape dollar props
+                    value = { ...value };
+                    // Delete keys that children wanted us to delete
+                    for (const k of top[1])
+                        delete value[k];
+                    // Set keys that children wanted us to set
+                    for (const [k, v] of Object.entries(top[2])) {
+                        value[k] = v;
+                    }
+                    stack.pop();
+                }
+                //
+                // Child part
+                //
+                if (value === undefined || (key[0] === "$" && key !== "$t")) {
+                    top = stack[stack.length - 1];
+                    let deletes;
+                    let mods;
+                    if (top && top[0] === this) {
+                        deletes = top[1];
+                        mods = top[2];
+                    }
+                    else {
+                        stack.push([this, (deletes = []), (mods = {})]);
+                    }
+                    if (key[0] === "$" && key !== "$t") {
+                        // Unescape props (also preserves undefined if this is a combo)
+                        deletes.push(key);
+                        mods[key.substr(1)] = value;
+                    }
+                    else {
+                        // Preserve undefined
+                        mods[key] = undefined;
+                    }
+                }
+                return value;
+            });
+        },
+    };
+    function getTypeDef(realVal) {
+        const type = typeof realVal;
+        switch (typeof realVal) {
+            case "object":
+            case "function": {
+                // "object", "function", null
+                if (realVal === null)
+                    return null;
+                const proto = Object.getPrototypeOf(realVal);
+                if (!proto)
+                    return ObjectDef;
+                let typeDef = protoMap.get(proto);
+                if (typeDef !== undefined)
+                    return typeDef; // Null counts to! So the caching of Array.prototype also counts.
+                const toStringTag = getToStringTag(realVal);
+                const entry = Object.entries(typeDefs).find(([typeName, typeDef]) => typeDef?.test?.(realVal, toStringTag) ?? typeName === toStringTag);
+                typeDef = entry?.[1];
+                if (!typeDef) {
+                    typeDef = Array.isArray(realVal)
+                        ? null
+                        : typeof realVal === "function"
+                            ? typeDefs.function || null
+                            : ObjectDef;
+                }
+                protoMap.set(proto, typeDef);
+                return typeDef;
+            }
+            default:
+                return typeDefs[type];
+        }
+    }
+}
+
+class FakeBlob {
+    constructor(buf, type) {
+        this.buf = buf;
+        this.type = type;
+    }
+}
+
+/**
+ * TSONRef - Reference to a blob stored separately from the main data.
+ *
+ * When TSON parses data containing blob references, it creates TSONRef
+ * instances instead of the actual binary data. The client can then
+ * resolve these refs asynchronously.
+ *
+ * @example
+ * ```typescript
+ * // Configure resolver
+ * TSONRef.resolver = async (ref) => {
+ *   const response = await fetch(`/blob/${ref.ref}`);
+ *   return response.arrayBuffer();
+ * };
+ *
+ * // After parsing, resolve all refs in an object
+ * await resolveAllRefs(data);
+ * ```
+ */
+var _a;
+/** Symbol for type checking TSONRef instances */
+const TSON_REF_SYMBOL = Symbol.for('TSONRef');
+/**
+ * TSONRef represents a reference to binary data stored as a blob.
+ */
+class TSONRef {
+    constructor(
+    /** Original TSON type: 'ArrayBuffer', 'Blob', 'Uint8Array', etc */
+    type, 
+    /** Blob reference ID (UUID) */
+    ref, 
+    /** Size in bytes */
+    size, 
+    /** Content-Type (for Blob type) */
+    contentType) {
+        this.type = type;
+        this.ref = ref;
+        this.size = size;
+        this.contentType = contentType;
+        /** Type brand for runtime identification */
+        this[_a] = true;
+        Object.freeze(this);
+    }
+    /**
+     * Resolve this reference to actual data.
+     * Requires TSONRef.resolver to be configured.
+     */
+    async resolve() {
+        if (!TSONRef.resolver) {
+            throw new Error('TSONRef.resolver not configured. ' +
+                'Set TSONRef.resolver to a function that fetches blobs.');
+        }
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const data = await TSONRef.resolver(this);
+        return this.reconstruct(data);
+    }
+    /**
+     * Reconstruct the original type from ArrayBuffer.
+     * Validates byte alignment for TypedArrays that require it.
+     */
+    reconstruct(data) {
+        // Helper to validate alignment for multi-byte TypedArrays
+        const validateAlignment = (bytesPerElement, typeName) => {
+            if (data.byteLength % bytesPerElement !== 0) {
+                throw new RangeError(`Buffer length ${data.byteLength} is not aligned to ${bytesPerElement} bytes for ${typeName}`);
+            }
+        };
+        switch (this.type) {
+            case 'ArrayBuffer':
+                return data;
+            case 'Uint8Array':
+                return new Uint8Array(data);
+            case 'Blob':
+                return new Blob([data], { type: this.contentType });
+            // Handle other TypedArrays with alignment validation
+            case 'Int8Array':
+                return new Int8Array(data);
+            case 'Uint8ClampedArray':
+                return new Uint8ClampedArray(data);
+            case 'Int16Array':
+                validateAlignment(2, 'Int16Array');
+                return new Int16Array(data);
+            case 'Uint16Array':
+                validateAlignment(2, 'Uint16Array');
+                return new Uint16Array(data);
+            case 'Int32Array':
+                validateAlignment(4, 'Int32Array');
+                return new Int32Array(data);
+            case 'Uint32Array':
+                validateAlignment(4, 'Uint32Array');
+                return new Uint32Array(data);
+            case 'Float32Array':
+                validateAlignment(4, 'Float32Array');
+                return new Float32Array(data);
+            case 'Float64Array':
+                validateAlignment(8, 'Float64Array');
+                return new Float64Array(data);
+            case 'BigInt64Array':
+                validateAlignment(8, 'BigInt64Array');
+                return new BigInt64Array(data);
+            case 'BigUint64Array':
+                validateAlignment(8, 'BigUint64Array');
+                return new BigUint64Array(data);
+            default:
+                console.warn(`Unknown TSONRef type: ${this.type}, returning ArrayBuffer`);
+                return data;
+        }
+    }
+    /**
+     * Check if a value is a TSONRef instance.
+     */
+    static isTSONRef(value) {
+        return (value !== null &&
+            typeof value === 'object' &&
+            TSON_REF_SYMBOL in value &&
+            value[TSON_REF_SYMBOL] === true);
+    }
+    /**
+     * Check if a value is TSONRef serialized data (has $ref).
+     */
+    static isTSONRefData(value) {
+        return (value !== null &&
+            typeof value === 'object' &&
+            '$ref' in value &&
+            '$t' in value &&
+            '$size' in value);
+    }
+    /**
+     * Create TSONRef from serialized data.
+     */
+    static fromData(data) {
+        return new TSONRef(data.$t, data.$ref, data.$size, data.$ct);
+    }
+    /**
+     * Serialize to JSON-compatible format.
+     */
+    toJSON() {
+        const result = {
+            $t: this.type,
+            $ref: this.ref,
+            $size: this.size,
+        };
+        if (this.contentType) {
+            result.$ct = this.contentType;
+        }
+        return result;
+    }
+}
+_a = TSON_REF_SYMBOL;
+/** Symbol for type checking */
+TSONRef.TYPE_SYMBOL = TSON_REF_SYMBOL;
+/** Global resolver function - must be configured before resolving */
+TSONRef.resolver = null;
+
+function readBlobSync(b) {
+    const req = new XMLHttpRequest();
+    req.overrideMimeType("text/plain; charset=x-user-defined");
+    const url = URL.createObjectURL(b);
+    try {
+        req.open("GET", url, false); // Sync
+        req.send();
+        if (req.status !== 200 && req.status !== 0) {
+            throw new Error("Bad Blob access: " + req.status);
+        }
+        return req.responseText;
+    }
+    finally {
+        URL.revokeObjectURL(url);
+    }
+}
+
+const numberTypeDef = {
+    number: {
+        replace: (num) => {
+            switch (true) {
+                case isNaN(num):
+                    return { $t: "number", v: "NaN" };
+                case num === Infinity:
+                    return { $t: "number", v: "Infinity" };
+                case num === -Infinity:
+                    return { $t: "number", v: "-Infinity" };
+                default:
+                    return num;
+            }
+        },
+        revive: ({ v }) => Number(v),
+    },
+};
+
+const dateTypeDef = {
+    Date: {
+        replace: (date) => ({
+            $t: "Date",
+            v: isNaN(date.getTime()) ? "NaN" : date.toISOString(),
+        }),
+        revive: ({ v }) => new Date(v === "NaN" ? NaN : Date.parse(v)),
+    },
+};
+
+const setTypeDef = {
+    Set: {
+        replace: (set) => ({
+            $t: "Set",
+            v: Array.from(set),
+        }),
+        revive: ({ v }) => new Set(v),
+    },
+};
+
+const mapTypeDef = {
+    Map: {
+        replace: (map) => ({
+            $t: "Map",
+            v: Array.from(map.entries()),
+        }),
+        revive: ({ v }) => new Map(v),
+    },
+};
+
+const _global = typeof globalThis !== "undefined" // All modern environments (node, bun, deno, browser, workers, webview etc)
+    ? globalThis
+    : typeof self !== "undefined" // Older browsers, workers, webview, window etc
+        ? self
+        : typeof global !== "undefined" // Older versions of node
+            ? global
+            : undefined; // Unsupported environment. No idea to return 'this' since we are in a module or a function scope anyway.
+
+const typedArrayTypeDefs = [
+    "Int8Array",
+    "Uint8Array",
+    "Uint8ClampedArray",
+    "Int16Array",
+    "Uint16Array",
+    "Int32Array",
+    "Uint32Array",
+    "Float32Array",
+    "Float64Array",
+    "DataView",
+    "BigInt64Array",
+    "BigUint64Array",
+].reduce((specs, typeName) => ({
+    ...specs,
+    [typeName]: {
+        // Replace passes the typed array into $t, buffer so that
+        // the ArrayBuffer typedef takes care of further handling of the buffer:
+        // {$t:"Uint8Array",buffer:{$t:"ArrayBuffer",idx:0}}
+        // CHANGED ABOVE! Now shortcutting that for more sparse format of the typed arrays
+        // to contain the b64 property directly.
+        replace: (a, _, typeDefs) => {
+            const buffer = a.buffer;
+            const slicedBuffer = a.byteOffset === 0 && a.byteLength === buffer.byteLength
+                ? buffer
+                : buffer.slice(a.byteOffset, a.byteOffset + a.byteLength);
+            const result = {
+                $t: typeName,
+                v: typeDefs.ArrayBuffer.replace(slicedBuffer, _, typeDefs).v,
+            };
+            return result;
+        },
+        revive: ({ v }, _, typeDefs) => {
+            const TypedArray = _global[typeName];
+            return (TypedArray &&
+                new TypedArray(typeDefs.ArrayBuffer.revive({ v }, _, typeDefs)));
+        },
+    },
+}), {});
+
 const hasArrayBufferFromBase64 = "fromBase64" in Uint8Array; // https://github.com/tc39/proposal-arraybuffer-base64;
 const hasArrayBufferToBase64 = "toBase64" in Uint8Array.prototype; // https://github.com/tc39/proposal-arraybuffer-base64;
 const b64decode = typeof Buffer !== "undefined"
@@ -366,183 +769,261 @@ const b64encode = typeof Buffer !== "undefined"
             const strs = [];
             for (let i = 0, l = u8a.length; i < l; i += CHUNK_SIZE) {
                 const chunk = u8a.subarray(i, i + CHUNK_SIZE);
-                strs.push(String.fromCharCode.apply(null, chunk));
+                strs.push(String.fromCharCode.apply(null, Array.from(chunk)));
             }
             return btoa(strs.join(""));
         };
 
-function computeRealmSetHash(_a) {
-    return __awaiter(this, arguments, void 0, function* ({ realms, inviteRealms, }) {
-        const data = JSON.stringify([
-            ...realms.map((realmId) => ({ realmId, accepted: true })),
-            ...inviteRealms.map((realmId) => ({ realmId, accepted: false })),
-        ].sort((a, b) => a.realmId < b.realmId ? -1 : a.realmId > b.realmId ? 1 : 0));
-        const byteArray = new TextEncoder().encode(data);
-        const digestBytes = yield crypto.subtle.digest('SHA-1', byteArray);
-        const base64 = b64encode(digestBytes);
-        return base64;
-    });
+function b64LexEncode(b) {
+    return b64ToLex(b64encode(b));
 }
-
-function getSyncableTables(db) {
-    return Object.entries(db.cloud.schema || {})
-        .filter(([, { markedForSync }]) => markedForSync)
-        .map(([tbl]) => db.tables.filter(({ name }) => name === tbl)[0])
-        .filter(cloudTableSchema => cloudTableSchema);
+function b64LexDecode(b64Lex) {
+    return b64decode(lexToB64(b64Lex));
 }
-
-function getMutationTable(tableName) {
-    return `$${tableName}_mutations`;
+function b64ToLex(base64) {
+    var encoded = "";
+    for (var i = 0, length = base64.length; i < length; i++) {
+        encoded += ENCODE_TABLE[base64[i]];
+    }
+    return encoded;
 }
-
-function getTableFromMutationTable(mutationTable) {
-    var _a;
-    const tableName = (_a = /^\$(.*)_mutations$/.exec(mutationTable)) === null || _a === void 0 ? void 0 : _a[1];
-    if (!tableName)
-        throw new Error(`Given mutationTable ${mutationTable} is not correct`);
-    return tableName;
+function lexToB64(base64lex) {
+    // only accept string input
+    if (typeof base64lex !== "string") {
+        throw new Error("invalid decoder input: " + base64lex);
+    }
+    var base64 = "";
+    for (var i = 0, length = base64lex.length; i < length; i++) {
+        base64 += DECODE_TABLE[base64lex[i]];
+    }
+    return base64;
 }
-
-const concat = [].concat;
-function flatten(a) {
-    return concat.apply([], a);
+const DECODE_TABLE = {
+    "-": "=",
+    "0": "A",
+    "1": "B",
+    "2": "C",
+    "3": "D",
+    "4": "E",
+    "5": "F",
+    "6": "G",
+    "7": "H",
+    "8": "I",
+    "9": "J",
+    A: "K",
+    B: "L",
+    C: "M",
+    D: "N",
+    E: "O",
+    F: "P",
+    G: "Q",
+    H: "R",
+    I: "S",
+    J: "T",
+    K: "U",
+    L: "V",
+    M: "W",
+    N: "X",
+    O: "Y",
+    P: "Z",
+    Q: "a",
+    R: "b",
+    S: "c",
+    T: "d",
+    U: "e",
+    V: "f",
+    W: "g",
+    X: "h",
+    Y: "i",
+    Z: "j",
+    _: "k",
+    a: "l",
+    b: "m",
+    c: "n",
+    d: "o",
+    e: "p",
+    f: "q",
+    g: "r",
+    h: "s",
+    i: "t",
+    j: "u",
+    k: "v",
+    l: "w",
+    m: "x",
+    n: "y",
+    o: "z",
+    p: "0",
+    q: "1",
+    r: "2",
+    s: "3",
+    t: "4",
+    u: "5",
+    v: "6",
+    w: "7",
+    x: "8",
+    y: "9",
+    z: "+",
+    "|": "/",
+};
+const ENCODE_TABLE = {};
+for (const c of Object.keys(DECODE_TABLE)) {
+    ENCODE_TABLE[DECODE_TABLE[c]] = c;
 }
 
-function listClientChanges(mutationTables_1, db_1) {
-    return __awaiter(this, arguments, void 0, function* (mutationTables, db, { since = {}, limit = Infinity } = {}) {
-        const allMutsOnTables = yield Promise.all(mutationTables.map((mutationTable) => __awaiter(this, void 0, void 0, function* () {
-            const tableName = getTableFromMutationTable(mutationTable.name);
-            const lastRevision = since[tableName];
-            let query = lastRevision
-                ? mutationTable.where('rev').above(lastRevision)
-                : mutationTable;
-            if (limit < Infinity)
-                query = query.limit(limit);
-            let muts = yield query.toArray();
-            muts = canonicalizeToUpdateOps(muts);
-            muts = removeRedundantUpdateOps(muts);
-            const rv = muts.map((mut) => ({
-                table: tableName,
-                mut,
-            }));
-            return rv;
-        })));
-        // Sort by time to get a true order of the operations (between tables)
-        const sorted = flatten(allMutsOnTables).sort((a, b) => a.mut.txid === b.mut.txid
-            ? a.mut.opNo - b.mut.opNo // Within same transaction, sort by opNo
-            : a.mut.ts - b.mut.ts // Different transactions - sort by timestamp when mutation resolved
-        );
-        const result = [];
-        let currentEntry = null;
-        let currentTxid = null;
-        for (const { table, mut } of sorted) {
-            if (currentEntry &&
-                currentEntry.table === table &&
-                currentTxid === mut.txid) {
-                currentEntry.muts.push(mut);
-            }
-            else {
-                currentEntry = {
-                    table,
-                    muts: [mut],
-                };
-                currentTxid = mut.txid;
-                result.push(currentEntry);
-            }
-        }
-        // Filter out those tables that doesn't have any mutations:
-        return result;
-    });
-}
-function removeRedundantUpdateOps(muts) {
-    const updateCoverage = new Map();
-    for (const mut of muts) {
-        if (mut.type === 'update') {
-            if (mut.keys.length !== 1 || mut.changeSpecs.length !== 1) {
-                continue; // Don't optimize multi-key updates
-            }
-            const strKey = '' + mut.keys[0];
-            const changeSpecs = mut.changeSpecs[0];
-            if (Object.values(changeSpecs).some(v => typeof v === "object" && v && "@@propmod" in v)) {
-                continue; // Cannot optimize if any PropModification is present
-            }
-            let keyCoverage = updateCoverage.get(strKey);
-            if (keyCoverage) {
-                keyCoverage.push({ txid: mut.txid, updateSpec: changeSpecs });
-            }
-            else {
-                updateCoverage.set(strKey, [{ txid: mut.txid, updateSpec: changeSpecs }]);
-            }
-        }
+const arrayBufferTypeDef = {
+    ArrayBuffer: {
+        replace: (ab) => ({
+            $t: "ArrayBuffer",
+            v: b64LexEncode(ab),
+        }),
+        revive: ({ v }) => {
+            const ba = b64LexDecode(v);
+            const buf = ba.buffer.byteLength === ba.byteLength
+                ? ba.buffer
+                : ba.buffer.slice(ba.byteOffset, ba.byteOffset + ba.byteLength);
+            return buf;
+        },
+    },
+};
+
+function string2ArrayBuffer(str) {
+    const array = new Uint8Array(str.length);
+    for (let i = 0; i < str.length; ++i) {
+        array[i] = str.charCodeAt(i); // & 0xff;
     }
-    muts = muts.filter(mut => {
-        // Only apply optimization to update mutations that are single-key
-        if (mut.type !== 'update')
-            return true;
-        if (mut.keys.length !== 1 || mut.changeSpecs.length !== 1)
-            return true;
-        // Check if this has PropModifications - if so, skip optimization
-        const changeSpecs = mut.changeSpecs[0];
-        if (Object.values(changeSpecs).some(v => typeof v === "object" && v && "@@propmod" in v)) {
-            return true; // Cannot optimize if any PropModification is present
-        }
-        // Keep track of properties that aren't overlapped by later transactions
-        const unoverlappedProps = new Set(Object.keys(mut.changeSpecs[0]));
-        const strKey = '' + mut.keys[0];
-        const keyCoverage = updateCoverage.get(strKey);
-        if (!keyCoverage)
-            return true; // No coverage info - cannot optimize
-        for (let i = keyCoverage.length - 1; i >= 0; --i) {
-            const { txid, updateSpec } = keyCoverage[i];
-            if (txid === mut.txid)
-                break; // Stop when reaching own txid
-            // If all changes in updateSpec are covered by all props on all mut.changeSpecs then
-            // txid is redundant and can be removed.
-            for (const keyPath of Object.keys(updateSpec)) {
-                unoverlappedProps.delete(keyPath);
-            }
-        }
-        if (unoverlappedProps.size === 0) {
-            // This operation is completely overlapped by later operations. It can be removed.
-            return false;
-        }
-        return true;
-    });
-    return muts;
-}
-function canonicalizeToUpdateOps(muts) {
-    muts = muts.map(mut => {
-        if (mut.type === 'modify' && mut.criteria.index === null) {
-            // The criteria is on primary key. Convert to an update operation instead.
-            // It is simpler for the server to handle and also more efficient.
-            const updateMut = Object.assign(Object.assign({}, mut), { criteria: undefined, changeSpec: undefined, type: 'update', keys: mut.keys, changeSpecs: [mut.changeSpec] });
-            delete updateMut.criteria;
-            delete updateMut.changeSpec;
-            return updateMut;
-        }
-        return mut;
-    });
-    return muts;
+    return array.buffer;
 }
 
-function randomString$1(bytes) {
-    const buf = new Uint8Array(bytes);
-    if (typeof crypto !== 'undefined') {
-        crypto.getRandomValues(buf);
-    }
-    else {
-        for (let i = 0; i < bytes; i++)
-            buf[i] = Math.floor(Math.random() * 256);
-    }
-    if (typeof Buffer !== 'undefined' && Buffer.from) {
-        return Buffer.from(buf).toString('base64');
-    }
-    else if (typeof btoa !== 'undefined') {
-        return btoa(String.fromCharCode.apply(null, buf));
+const blobTypeDef = {
+    Blob: {
+        test: (blob, toStringTag) => toStringTag === "Blob" || blob instanceof FakeBlob,
+        replace: (blob) => ({
+            $t: "Blob",
+            v: blob instanceof FakeBlob
+                ? b64encode(blob.buf)
+                : b64encode(string2ArrayBuffer(readBlobSync(blob))),
+            type: blob.type,
+        }),
+        revive: ({ type, v }) => {
+            const ab = b64decode(v);
+            const buf = ab.buffer.byteLength === ab.byteLength
+                ? ab.buffer
+                : ab.buffer.slice(ab.byteOffset, ab.byteOffset + ab.byteLength);
+            return typeof Blob !== "undefined"
+                ? new Blob([new Uint8Array(buf)], { type })
+                : new FakeBlob(buf, type);
+        },
+    },
+};
+
+({
+    ...numberTypeDef,
+    ...dateTypeDef,
+    ...setTypeDef,
+    ...mapTypeDef,
+    ...typedArrayTypeDefs,
+    ...arrayBufferTypeDef,
+    ...blobTypeDef, // Should be moved to another preset for DOM types (or universal? since it supports node as well with FakeBlob)
+});
+
+const fileTypeDef = {
+    File: {
+        test: (file, toStringTag) => toStringTag === "File",
+        replace: (file) => ({
+            $t: "File",
+            v: b64encode(string2ArrayBuffer(readBlobSync(file))),
+            type: file.type,
+            name: file.name,
+            lastModified: new Date(file.lastModified).toISOString(),
+        }),
+        revive: ({ type, v, name, lastModified }) => {
+            const ab = b64decode(v);
+            const buf = ab.buffer.byteLength === ab.byteLength
+                ? ab.buffer
+                : ab.buffer.slice(ab.byteOffset, ab.byteOffset + ab.byteLength);
+            return new File([new Uint8Array(buf)], name, {
+                type,
+                lastModified: new Date(lastModified).getTime(),
+            });
+        },
+    },
+};
+
+/** The undefined type is not part of builtin but can be manually added.
+ * The reason for supporting undefined is if the following object should be revived correctly:
+ *
+ *    {foo: undefined}
+ *
+ * Without including this typedef, the revived object would just be {}.
+ * If including this typedef, the revived object would be {foo: undefined}.
+ */
+const undefinedTypeDef = {
+    undefined: {
+        replace: () => ({
+            $t: "undefined",
+        }),
+        revive: () => undefined,
+    },
+};
+
+const getRandomValues = typeof crypto !== "undefined"
+    ? crypto.getRandomValues.bind(crypto)
+    : (buf) => {
+        for (let i = 0; i < buf.length; ++i) {
+            buf[i] = Math.floor(Math.random() * 256);
+        }
+    };
+let time$1 = 0;
+/**
+ * Generates unique ID where bytes 0-6 represents a timestampish value
+ * instead of random, similary to UUID version 1 but with random istead of MAC address.
+ *
+ * With "timestampish" we mean milliseconds from 1970 approximately, as in bulk-creation
+ * scenarios, milliseconds in future will be used (while creating more than 1 id per
+ * millisecond)
+ *
+ * This is similary UUID version 1 but with random instead of Mac, and with
+ * support for generating unique IDs the same millisecond.
+ *
+ * It's even more similar to the "version 6" proposal at
+ * https://bradleypeabody.github.io/uuidv6/.
+ *
+ * Difference from "version 6" proposal is that we keep the clock-sequence within
+ * the timestamp part to allow 9 more bits for randomness. This is at the cost of
+ * knwoing how exact the time-stamp is. But since we anyway don't expect a perfect
+ * time stamps as many clients may have wrong time settings, what we want is just
+ * a sorted ID, still universially unique.
+ *
+ * Random part is totally 73 bits entropy, which basically means that a collisions would
+ * be likely if 9 444 732 965 739 290 427 392 devices was generating ids during the exact same
+ * millisecond.
+ *
+ */
+function newId() {
+    const a = new Uint8Array(18);
+    const timePart = new Uint8Array(a.buffer, 0, 6);
+    const now = Date.now(); // Will fit into 6 bytes until year 10 895.
+    if (time$1 >= now) {
+        // User is bulk-creating objects the same millisecond.
+        // Increment the time part by one millisecond for each item.
+        // If bulk-creating 1,000,000 rows client-side in 0 seconds,
+        // the last time-stamp will be 1,000 seconds in future, which is no biggie at all.
+        // The point is to create a nice order of the generated IDs instead of
+        // using random ids.
+        ++time$1;
     }
     else {
-        throw new Error('No btoa or Buffer available');
+        time$1 = now;
     }
+    timePart[0] = time$1 / 0x10000000000;
+    timePart[1] = time$1 / 0x100000000;
+    timePart[2] = time$1 / 0x1000000;
+    timePart[3] = time$1 / 0x10000;
+    timePart[4] = time$1 / 0x100;
+    timePart[5] = time$1;
+    const randomPart = new Uint8Array(a.buffer, 6);
+    getRandomValues(randomPart);
+    return b64LexEncode(a);
 }
 
 function assert(b) {
@@ -605,7 +1086,7 @@ function setByKeyPath(obj, keyPath, value) {
         }
     }
 }
-const randomString = typeof self !== 'undefined' && typeof crypto !== 'undefined' ? (bytes, randomFill = crypto.getRandomValues.bind(crypto)) => {
+const randomString$1 = typeof self !== 'undefined' && typeof crypto !== 'undefined' ? (bytes, randomFill = crypto.getRandomValues.bind(crypto)) => {
     // Web
     const buf = new Uint8Array(bytes);
     randomFill(buf);
@@ -1076,9 +1557,183 @@ function getFetchResponseBodyGenerator(res) {
     };
 }
 
+function computeRealmSetHash(_a) {
+    return __awaiter(this, arguments, void 0, function* ({ realms, inviteRealms, }) {
+        const data = JSON.stringify([
+            ...realms.map((realmId) => ({ realmId, accepted: true })),
+            ...inviteRealms.map((realmId) => ({ realmId, accepted: false })),
+        ].sort((a, b) => a.realmId < b.realmId ? -1 : a.realmId > b.realmId ? 1 : 0));
+        const byteArray = new TextEncoder().encode(data);
+        const digestBytes = yield crypto.subtle.digest('SHA-1', byteArray);
+        const base64 = b64encode(digestBytes);
+        return base64;
+    });
+}
+
+function getSyncableTables(db) {
+    return Object.entries(db.cloud.schema || {})
+        .filter(([, { markedForSync }]) => markedForSync)
+        .map(([tbl]) => db.tables.find(({ name }) => name === tbl))
+        .filter((syncableTable) => !!syncableTable);
+}
+
+function getMutationTable(tableName) {
+    return `$${tableName}_mutations`;
+}
+
+function getTableFromMutationTable(mutationTable) {
+    var _a;
+    const tableName = (_a = /^\$(.*)_mutations$/.exec(mutationTable)) === null || _a === void 0 ? void 0 : _a[1];
+    if (!tableName)
+        throw new Error(`Given mutationTable ${mutationTable} is not correct`);
+    return tableName;
+}
+
+const concat = [].concat;
+function flatten(a) {
+    return concat.apply([], a);
+}
+
+function listClientChanges(mutationTables_1, db_1) {
+    return __awaiter(this, arguments, void 0, function* (mutationTables, db, { since = {}, limit = Infinity } = {}) {
+        const allMutsOnTables = yield Promise.all(mutationTables.map((mutationTable) => __awaiter(this, void 0, void 0, function* () {
+            const tableName = getTableFromMutationTable(mutationTable.name);
+            const lastRevision = since[tableName];
+            let query = lastRevision
+                ? mutationTable.where('rev').above(lastRevision)
+                : mutationTable;
+            if (limit < Infinity)
+                query = query.limit(limit);
+            let muts = yield query.toArray();
+            muts = canonicalizeToUpdateOps(muts);
+            muts = removeRedundantUpdateOps(muts);
+            const rv = muts.map((mut) => ({
+                table: tableName,
+                mut,
+            }));
+            return rv;
+        })));
+        // Sort by time to get a true order of the operations (between tables)
+        const sorted = flatten(allMutsOnTables).sort((a, b) => a.mut.txid === b.mut.txid
+            ? a.mut.opNo - b.mut.opNo // Within same transaction, sort by opNo
+            : a.mut.ts - b.mut.ts // Different transactions - sort by timestamp when mutation resolved
+        );
+        const result = [];
+        let currentEntry = null;
+        let currentTxid = null;
+        for (const { table, mut } of sorted) {
+            if (currentEntry &&
+                currentEntry.table === table &&
+                currentTxid === mut.txid) {
+                currentEntry.muts.push(mut);
+            }
+            else {
+                currentEntry = {
+                    table,
+                    muts: [mut],
+                };
+                currentTxid = mut.txid;
+                result.push(currentEntry);
+            }
+        }
+        // Filter out those tables that doesn't have any mutations:
+        return result;
+    });
+}
+function removeRedundantUpdateOps(muts) {
+    const updateCoverage = new Map();
+    for (const mut of muts) {
+        if (mut.type === 'update') {
+            if (mut.keys.length !== 1 || mut.changeSpecs.length !== 1) {
+                continue; // Don't optimize multi-key updates
+            }
+            const strKey = '' + mut.keys[0];
+            const changeSpecs = mut.changeSpecs[0];
+            if (Object.values(changeSpecs).some(v => typeof v === "object" && v && "@@propmod" in v)) {
+                continue; // Cannot optimize if any PropModification is present
+            }
+            let keyCoverage = updateCoverage.get(strKey);
+            if (keyCoverage) {
+                keyCoverage.push({ txid: mut.txid, updateSpec: changeSpecs });
+            }
+            else {
+                updateCoverage.set(strKey, [{ txid: mut.txid, updateSpec: changeSpecs }]);
+            }
+        }
+    }
+    muts = muts.filter(mut => {
+        // Only apply optimization to update mutations that are single-key
+        if (mut.type !== 'update')
+            return true;
+        if (mut.keys.length !== 1 || mut.changeSpecs.length !== 1)
+            return true;
+        // Check if this has PropModifications - if so, skip optimization
+        const changeSpecs = mut.changeSpecs[0];
+        if (Object.values(changeSpecs).some(v => typeof v === "object" && v && "@@propmod" in v)) {
+            return true; // Cannot optimize if any PropModification is present
+        }
+        // Keep track of properties that aren't overlapped by later transactions
+        const unoverlappedProps = new Set(Object.keys(mut.changeSpecs[0]));
+        const strKey = '' + mut.keys[0];
+        const keyCoverage = updateCoverage.get(strKey);
+        if (!keyCoverage)
+            return true; // No coverage info - cannot optimize
+        for (let i = keyCoverage.length - 1; i >= 0; --i) {
+            const { txid, updateSpec } = keyCoverage[i];
+            if (txid === mut.txid)
+                break; // Stop when reaching own txid
+            // If all changes in updateSpec are covered by all props on all mut.changeSpecs then
+            // txid is redundant and can be removed.
+            for (const keyPath of Object.keys(updateSpec)) {
+                unoverlappedProps.delete(keyPath);
+            }
+        }
+        if (unoverlappedProps.size === 0) {
+            // This operation is completely overlapped by later operations. It can be removed.
+            return false;
+        }
+        return true;
+    });
+    return muts;
+}
+function canonicalizeToUpdateOps(muts) {
+    muts = muts.map(mut => {
+        if (mut.type === 'modify' && mut.criteria.index === null) {
+            // The criteria is on primary key. Convert to an update operation instead.
+            // It is simpler for the server to handle and also more efficient.
+            const updateMut = Object.assign(Object.assign({}, mut), { criteria: undefined, changeSpec: undefined, type: 'update', keys: mut.keys, changeSpecs: [mut.changeSpec] });
+            delete updateMut.criteria;
+            delete updateMut.changeSpec;
+            return updateMut;
+        }
+        return mut;
+    });
+    return muts;
+}
+
+function randomString(bytes) {
+    const buf = new Uint8Array(bytes);
+    if (typeof crypto !== 'undefined') {
+        crypto.getRandomValues(buf);
+    }
+    else {
+        for (let i = 0; i < bytes; i++)
+            buf[i] = Math.floor(Math.random() * 256);
+    }
+    if (typeof Buffer !== 'undefined' && Buffer.from) {
+        return Buffer.from(buf).toString('base64');
+    }
+    else if (typeof btoa !== 'undefined') {
+        return btoa(String.fromCharCode.apply(null, buf));
+    }
+    else {
+        throw new Error('No btoa or Buffer available');
+    }
+}
+
 function listSyncifiedChanges(tablesToSyncify, currentUser, schema, alreadySyncedRealms) {
     return __awaiter(this, void 0, void 0, function* () {
-        const txid = `upload-${randomString$1(8)}`;
+        const txid = `upload-${randomString(8)}`;
         if (currentUser.isLoggedIn) {
             if (tablesToSyncify.length > 0) {
                 const ignoredRealms = new Set(alreadySyncedRealms || []);
@@ -1246,861 +1901,360 @@ function promptForOTP(userInteraction, email, alert) {
                 type: 'info',
                 messageCode: 'OTP_SENT',
                 message: `A One-Time password has been sent to {email}`,
-                messageParams: { email },
-            },
-        ];
-        if (alert) {
-            alerts.push(alert);
-        }
-        const { otp } = yield interactWithUser(userInteraction, {
-            type: 'otp',
-            title: 'Enter OTP',
-            alerts,
-            fields: {
-                otp: {
-                    type: 'otp',
-                    label: 'OTP',
-                    placeholder: 'Paste OTP here',
-                },
-            },
-        });
-        return otp;
-    });
-}
-function confirmLogout(userInteraction, currentUserId, numUnsyncedChanges) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const alerts = [
-            {
-                type: 'warning',
-                messageCode: 'LOGOUT_CONFIRMATION',
-                message: `{numUnsyncedChanges} unsynced changes will get lost!
-                Logout anyway?`,
-                messageParams: {
-                    currentUserId,
-                    numUnsyncedChanges: numUnsyncedChanges.toString(),
-                }
-            },
-        ];
-        return yield interactWithUser(userInteraction, {
-            type: 'logout-confirmation',
-            title: 'Confirm Logout',
-            alerts,
-            fields: {},
-            submitLabel: 'Confirm logout',
-            cancelLabel: 'Cancel'
-        })
-            .then(() => true)
-            .catch(() => false);
-    });
-}
-/**
- * Prompts the user to select an authentication method (OAuth provider or OTP).
- *
- * This function converts OAuth providers and OTP option into generic DXCOption[]
- * for the DXCSelect interaction, handling icon fetching and style hints.
- *
- * @param userInteraction - The user interaction BehaviorSubject
- * @param providers - Available OAuth providers
- * @param otpEnabled - Whether OTP is available
- * @param title - Dialog title
- * @param alerts - Optional alerts to display
- * @returns Promise resolving to the user's selection
- */
-function promptForProvider(userInteraction_1, providers_1, otpEnabled_1) {
-    return __awaiter(this, arguments, void 0, function* (userInteraction, providers, otpEnabled, title = 'Choose login method', alerts = []) {
-        // Convert providers to generic options
-        const providerOptions = providers.map(providerToOption);
-        // Build the options array
-        const options = [...providerOptions];
-        // Add OTP option if enabled
-        if (otpEnabled) {
-            options.push({
-                name: 'otp',
-                value: 'email',
-                displayName: 'Continue with email',
-                iconUrl: EmailIcon,
-                styleHint: 'otp',
-            });
-        }
-        return new Promise((resolve, reject) => {
-            const interactionProps = {
-                type: 'generic',
-                title,
-                alerts,
-                options,
-                fields: {},
-                submitLabel: '', // No submit button - just options
-                cancelLabel: 'Cancel',
-                onSubmit: (params) => {
-                    userInteraction.next(undefined);
-                    // Check which option was selected
-                    if ('otp' in params) {
-                        resolve({ type: 'otp' });
-                    }
-                    else if ('provider' in params) {
-                        resolve({ type: 'provider', provider: params.provider });
-                    }
-                    else {
-                        // Unknown - default to OTP
-                        resolve({ type: 'otp' });
-                    }
-                },
-                onCancel: () => {
-                    userInteraction.next(undefined);
-                    reject(new Dexie.AbortError('User cancelled'));
-                },
-            };
-            userInteraction.next(interactionProps);
-        });
-    });
-}
-
-/**
- * Error thrown when initiating an OAuth redirect.
- *
- * This is not a real error - it's used to signal that the page is
- * navigating away to an OAuth provider. It should be caught and
- * silently ignored at the appropriate level.
- */
-class OAuthRedirectError extends Error {
-    constructor(provider) {
-        super(`OAuth redirect initiated for provider: ${provider}`);
-        this.name = 'OAuthRedirectError';
-        this.provider = provider;
-    }
-}
-
-function loadAccessToken(db) {
-    return __awaiter(this, void 0, void 0, function* () {
-        var _a, _b, _c;
-        const currentUser = yield db.getCurrentUser();
-        const { accessToken, accessTokenExpiration, refreshToken, refreshTokenExpiration, claims, } = currentUser;
-        if (!accessToken)
-            return null;
-        const expTime = (_a = accessTokenExpiration === null || accessTokenExpiration === void 0 ? void 0 : accessTokenExpiration.getTime()) !== null && _a !== void 0 ? _a : Infinity;
-        if (expTime > Date.now() && (((_b = currentUser.license) === null || _b === void 0 ? void 0 : _b.status) || 'ok') === 'ok') {
-            return currentUser;
-        }
-        if (!refreshToken) {
-            throw new Error(`Refresh token missing`);
-        }
-        const refreshExpTime = (_c = refreshTokenExpiration === null || refreshTokenExpiration === void 0 ? void 0 : refreshTokenExpiration.getTime()) !== null && _c !== void 0 ? _c : Infinity;
-        if (refreshExpTime <= Date.now()) {
-            throw new Error(`Refresh token has expired`);
-        }
-        const refreshedLogin = yield refreshAccessToken(db.cloud.options.databaseUrl, currentUser);
-        yield db.table('$logins').update(claims.sub, {
-            accessToken: refreshedLogin.accessToken,
-            accessTokenExpiration: refreshedLogin.accessTokenExpiration,
-            claims: refreshedLogin.claims,
-            license: refreshedLogin.license,
-            data: refreshedLogin.data,
-        });
-        return refreshedLogin;
-    });
-}
-function authenticate(url, context, fetchToken, userInteraction, hints) {
-    return __awaiter(this, void 0, void 0, function* () {
-        if (context.accessToken &&
-            context.accessTokenExpiration.getTime() > Date.now()) {
-            return context;
-        }
-        else if (context.refreshToken &&
-            (!context.refreshTokenExpiration ||
-                context.refreshTokenExpiration.getTime() > Date.now())) {
-            return yield refreshAccessToken(url, context);
-        }
-        else {
-            return yield userAuthenticate(context, fetchToken, userInteraction, hints);
-        }
-    });
-}
-function refreshAccessToken(url, login) {
-    return __awaiter(this, void 0, void 0, function* () {
-        if (!login.refreshToken)
-            throw new Error(`Cannot refresh token - refresh token is missing.`);
-        if (!login.nonExportablePrivateKey)
-            throw new Error(`login.nonExportablePrivateKey is missing - cannot sign refresh token without a private key.`);
-        const time_stamp = Date.now();
-        const signing_algorithm = 'RSASSA-PKCS1-v1_5';
-        const textEncoder = new TextEncoder();
-        const data = textEncoder.encode(login.refreshToken + time_stamp);
-        const binarySignature = yield crypto.subtle.sign(signing_algorithm, login.nonExportablePrivateKey, data);
-        const signature = b64encode(binarySignature);
-        const tokenRequest = {
-            grant_type: 'refresh_token',
-            refresh_token: login.refreshToken,
-            scopes: ['ACCESS_DB'],
-            signature,
-            signing_algorithm,
-            time_stamp,
-        };
-        const res = yield fetch(`${url}/token`, {
-            body: JSON.stringify(tokenRequest),
-            method: 'post',
-            headers: { 'Content-Type': 'application/json' },
-            mode: 'cors',
-        });
-        if (res.status !== 200)
-            throw new Error(`RefreshToken: Status ${res.status} from ${url}/token`);
-        const response = yield res.json();
-        if (response.type === 'error') {
-            throw new TokenErrorResponseError(response);
-        }
-        login.accessToken = response.accessToken;
-        login.accessTokenExpiration = response.accessTokenExpiration
-            ? new Date(response.accessTokenExpiration)
-            : undefined;
-        login.claims = response.claims;
-        login.license = {
-            type: response.userType,
-            status: response.claims.license || 'ok',
-        };
-        if (response.evalDaysLeft != null) {
-            login.license.evalDaysLeft = response.evalDaysLeft;
-        }
-        if (response.userValidUntil != null) {
-            login.license.validUntil = new Date(response.userValidUntil);
-        }
-        if (response.data) {
-            login.data = response.data;
-        }
-        return login;
-    });
-}
-function userAuthenticate(context, fetchToken, userInteraction, hints) {
-    return __awaiter(this, void 0, void 0, function* () {
-        if (!crypto.subtle) {
-            if (typeof location !== 'undefined' && location.protocol === 'http:') {
-                throw new Error(`Dexie Cloud Addon needs to use WebCrypto, but your browser has disabled it due to being served from an insecure location. Please serve it from https or http://localhost:<port> (See https://stackoverflow.com/questions/46670556/how-to-enable-crypto-subtle-for-unsecure-origins-in-chrome/46671627#46671627)`);
-            }
-            else {
-                throw new Error(`This browser does not support WebCrypto.`);
-            }
-        }
-        const { privateKey, publicKey } = yield crypto.subtle.generateKey({
-            name: 'RSASSA-PKCS1-v1_5',
-            modulusLength: 2048,
-            publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-            hash: { name: 'SHA-256' },
-        }, false, // Non-exportable...
-        ['sign', 'verify']);
-        if (!privateKey || !publicKey)
-            throw new Error(`Could not generate RSA keypair`); // Typings suggest these can be undefined...
-        context.nonExportablePrivateKey = privateKey; //...but storable!
-        const publicKeySPKI = yield crypto.subtle.exportKey('spki', publicKey);
-        const publicKeyPEM = spkiToPEM(publicKeySPKI);
-        context.publicKey = publicKey;
-        try {
-            const response2 = yield fetchToken({
-                public_key: publicKeyPEM,
-                hints,
-            });
-            if (response2.type === 'error') {
-                throw new TokenErrorResponseError(response2);
-            }
-            if (response2.type !== 'tokens')
-                throw new Error(`Unexpected response type from token endpoint: ${response2.type}`);
-            /*const licenseStatus = response2.claims.license || 'ok';
-            if (licenseStatus !== 'ok') {
-              throw new InvalidLicenseError(licenseStatus);
-            }*/
-            context.accessToken = response2.accessToken;
-            context.accessTokenExpiration = new Date(response2.accessTokenExpiration);
-            context.refreshToken = response2.refreshToken;
-            if (response2.refreshTokenExpiration) {
-                context.refreshTokenExpiration = new Date(response2.refreshTokenExpiration);
-            }
-            context.userId = response2.claims.sub;
-            context.email = response2.claims.email;
-            context.name = response2.claims.name;
-            context.claims = response2.claims;
-            context.license = {
-                type: response2.userType,
-                status: response2.claims.license || 'ok',
-            };
-            context.data = response2.data;
-            if (response2.evalDaysLeft != null) {
-                context.license.evalDaysLeft = response2.evalDaysLeft;
-            }
-            if (response2.userValidUntil != null) {
-                context.license.validUntil = new Date(response2.userValidUntil);
-            }
-            if (response2.alerts && response2.alerts.length > 0) {
-                yield interactWithUser(userInteraction, {
-                    type: 'message-alert',
-                    title: 'Authentication Alert',
-                    fields: {},
-                    alerts: response2.alerts,
-                });
-            }
-            return context;
-        }
-        catch (error) {
-            // OAuth redirect is not an error - page is navigating away
-            if (error instanceof OAuthRedirectError || (error === null || error === void 0 ? void 0 : error.name) === 'OAuthRedirectError') {
-                throw error; // Re-throw without logging
-            }
-            if (error instanceof TokenErrorResponseError) {
-                yield alertUser(userInteraction, error.title, {
-                    type: 'error',
-                    messageCode: error.messageCode,
-                    message: error.message,
-                    messageParams: {},
-                });
-                throw error;
-            }
-            let message = `We're having a problem authenticating right now.`;
-            console.error(`Error authenticating`, error);
-            if (error instanceof TypeError) {
-                const isOffline = typeof navigator !== undefined && !navigator.onLine;
-                if (isOffline) {
-                    message = `You seem to be offline. Please connect to the internet and try again.`;
-                }
-                else if (Dexie.debug || (typeof location !== 'undefined' && (location.hostname === 'localhost' || location.hostname === '127.0.0.1'))) {
-                    // The audience is most likely the developer. Suggest to whitelist the localhost origin:
-                    message = `Could not connect to server. Please verify that your origin '${location.origin}' is whitelisted using \`npx dexie-cloud whitelist\``;
-                }
-                else {
-                    message = `Could not connect to server. Please verify the connection.`;
-                }
-                yield alertUser(userInteraction, 'Authentication Failed', {
-                    type: 'error',
-                    messageCode: 'GENERIC_ERROR',
-                    message,
-                    messageParams: {},
-                }).catch(() => { });
-            }
-            throw error;
-        }
-    });
-}
-function spkiToPEM(keydata) {
-    const keydataB64 = b64encode(keydata);
-    const keydataB64Pem = formatAsPem(keydataB64);
-    return keydataB64Pem;
-}
-function formatAsPem(str) {
-    let finalString = '-----BEGIN PUBLIC KEY-----\n';
-    while (str.length > 0) {
-        finalString += str.substring(0, 64) + '\n';
-        str = str.substring(64);
-    }
-    finalString = finalString + '-----END PUBLIC KEY-----';
-    return finalString;
-}
-
-const { toString: toStr } = {};
-function getToStringTag(val) {
-    return toStr.call(val).slice(8, -1);
-}
-function escapeDollarProps(value) {
-    const keys = Object.keys(value);
-    let dollarKeys = null;
-    for (let i = 0, l = keys.length; i < l; ++i) {
-        if (keys[i][0] === "$") {
-            dollarKeys = dollarKeys || [];
-            dollarKeys.push(keys[i]);
-        }
-    }
-    if (!dollarKeys)
-        return value;
-    const clone = { ...value };
-    for (const k of dollarKeys) {
-        delete clone[k];
-    }
-    for (const k of dollarKeys) {
-        clone["$" + k] = value[k];
-    }
-    return clone;
-}
-const ObjectDef = {
-    replace: escapeDollarProps,
-};
-function TypesonSimplified(...typeDefsInputs) {
-    const typeDefs = typeDefsInputs.reduce((p, c) => ({ ...p, ...c }), typeDefsInputs.reduce((p, c) => ({ ...c, ...p }), {}));
-    const protoMap = new WeakMap();
-    return {
-        stringify(value, alternateChannel, space) {
-            const json = JSON.stringify(value, function (key) {
-                const realVal = this[key];
-                const typeDef = getTypeDef(realVal);
-                return typeDef
-                    ? typeDef.replace(realVal, alternateChannel, typeDefs)
-                    : realVal;
-            }, space);
-            return json;
-        },
-        parse(tson, alternateChannel) {
-            const stack = [];
-            return JSON.parse(tson, function (key, value) {
-                //
-                // Parent Part
-                //
-                const type = value === null || value === void 0 ? void 0 : value.$t;
-                if (type) {
-                    const typeDef = typeDefs[type];
-                    value = typeDef
-                        ? typeDef.revive(value, alternateChannel, typeDefs)
-                        : value;
-                }
-                let top = stack[stack.length - 1];
-                if (top && top[0] === value) {
-                    // Do what the kid told us to
-                    // Unescape dollar props
-                    value = { ...value };
-                    // Delete keys that children wanted us to delete
-                    for (const k of top[1])
-                        delete value[k];
-                    // Set keys that children wanted us to set
-                    for (const [k, v] of Object.entries(top[2])) {
-                        value[k] = v;
-                    }
-                    stack.pop();
-                }
-                //
-                // Child part
-                //
-                if (value === undefined || (key[0] === "$" && key !== "$t")) {
-                    top = stack[stack.length - 1];
-                    let deletes;
-                    let mods;
-                    if (top && top[0] === this) {
-                        deletes = top[1];
-                        mods = top[2];
-                    }
-                    else {
-                        stack.push([this, (deletes = []), (mods = {})]);
-                    }
-                    if (key[0] === "$" && key !== "$t") {
-                        // Unescape props (also preserves undefined if this is a combo)
-                        deletes.push(key);
-                        mods[key.substr(1)] = value;
-                    }
-                    else {
-                        // Preserve undefined
-                        mods[key] = undefined;
-                    }
-                }
-                return value;
-            });
-        },
-    };
-    function getTypeDef(realVal) {
-        const type = typeof realVal;
-        switch (typeof realVal) {
-            case "object":
-            case "function": {
-                // "object", "function", null
-                if (realVal === null)
-                    return null;
-                const proto = Object.getPrototypeOf(realVal);
-                if (!proto)
-                    return ObjectDef;
-                let typeDef = protoMap.get(proto);
-                if (typeDef !== undefined)
-                    return typeDef; // Null counts to! So the caching of Array.prototype also counts.
-                const toStringTag = getToStringTag(realVal);
-                const entry = Object.entries(typeDefs).find(([typeName, typeDef]) => { var _a, _b; return (_b = (_a = typeDef === null || typeDef === void 0 ? void 0 : typeDef.test) === null || _a === void 0 ? void 0 : _a.call(typeDef, realVal, toStringTag)) !== null && _b !== void 0 ? _b : typeName === toStringTag; });
-                typeDef = entry === null || entry === void 0 ? void 0 : entry[1];
-                if (!typeDef) {
-                    typeDef = Array.isArray(realVal)
-                        ? null
-                        : typeof realVal === "function"
-                            ? typeDefs.function || null
-                            : ObjectDef;
-                }
-                protoMap.set(proto, typeDef);
-                return typeDef;
-            }
-            default:
-                return typeDefs[type];
-        }
-    }
-}
-
-const BisonBinaryTypes = {
-    Blob: {
-        test: (blob, toStringTag) => toStringTag === "Blob",
-        replace: (blob, altChannel) => {
-            const i = altChannel.length;
-            altChannel.push(blob);
-            return {
-                $t: "Blob",
-                mimeType: blob.type,
-                i,
-            };
-        },
-        revive: ({ i, mimeType }, altChannel) => new Blob([altChannel[i]], { type: mimeType }),
-    },
-};
-
-var numberDef = {
-    number: {
-        replace: (num) => {
-            switch (true) {
-                case isNaN(num):
-                    return { $t: "number", v: "NaN" };
-                case num === Infinity:
-                    return { $t: "number", v: "Infinity" };
-                case num === -Infinity:
-                    return { $t: "number", v: "-Infinity" };
-                default:
-                    return num;
-            }
-        },
-        revive: ({ v }) => Number(v),
-    },
-};
-
-const bigIntDef$1 = {
-    bigint: {
-        replace: (realVal) => {
-            return { $t: "bigint", v: "" + realVal };
-        },
-        revive: (obj) => BigInt(obj.v),
-    },
-};
-
-var DateDef = {
-    Date: {
-        replace: (date) => ({
-            $t: "Date",
-            v: isNaN(date.getTime()) ? "NaN" : date.toISOString(),
-        }),
-        revive: ({ v }) => new Date(v === "NaN" ? NaN : Date.parse(v)),
-    },
-};
-
-var SetDef = {
-    Set: {
-        replace: (set) => ({
-            $t: "Set",
-            v: Array.from(set.entries()),
-        }),
-        revive: ({ v }) => new Set(v),
-    },
-};
-
-var MapDef = {
-    Map: {
-        replace: (map) => ({
-            $t: "Map",
-            v: Array.from(map.entries()),
-        }),
-        revive: ({ v }) => new Map(v),
-    },
-};
-
-const _global = typeof globalThis !== "undefined" // All modern environments (node, bun, deno, browser, workers, webview etc)
-    ? globalThis
-    : typeof self !== "undefined" // Older browsers, workers, webview, window etc
-        ? self
-        : typeof global !== "undefined" // Older versions of node
-            ? global
-            : undefined; // Unsupported environment. No idea to return 'this' since we are in a module or a function scope anyway.
-
-var TypedArraysDefs = [
-    "Int8Array",
-    "Uint8Array",
-    "Uint8ClampedArray",
-    "Int16Array",
-    "Uint16Array",
-    "Int32Array",
-    "Uint32Array",
-    "Float32Array",
-    "Float64Array",
-    "DataView",
-    "BigInt64Array",
-    "BigUint64Array",
-].reduce((specs, typeName) => ({
-    ...specs,
-    [typeName]: {
-        // Replace passes the the typed array into $t, buffer so that
-        // the ArrayBuffer typedef takes care of further handling of the buffer:
-        // {$t:"Uint8Array",buffer:{$t:"ArrayBuffer",idx:0}}
-        // CHANGED ABOVE! Now shortcutting that for more sparse format of the typed arrays
-        // to contain the b64 property directly.
-        replace: (a, _, typeDefs) => {
-            const result = {
-                $t: typeName,
-                v: typeDefs.ArrayBuffer.replace(a.byteOffset === 0 && a.byteLength === a.buffer.byteLength
-                    ? a.buffer
-                    : a.buffer.slice(a.byteOffset, a.byteOffset + a.byteLength), _, typeDefs).v,
-            };
-            return result;
-        },
-        revive: ({ v }, _, typeDefs) => {
-            const TypedArray = _global[typeName];
-            return (TypedArray &&
-                new TypedArray(typeDefs.ArrayBuffer.revive({ v }, _, typeDefs)));
-        },
-    },
-}), {});
-
-function b64LexEncode(b) {
-    return b64ToLex(b64encode(b));
-}
-function b64LexDecode(b64Lex) {
-    return b64decode(lexToB64(b64Lex));
-}
-function b64ToLex(base64) {
-    var encoded = "";
-    for (var i = 0, length = base64.length; i < length; i++) {
-        encoded += ENCODE_TABLE[base64[i]];
-    }
-    return encoded;
-}
-function lexToB64(base64lex) {
-    // only accept string input
-    if (typeof base64lex !== "string") {
-        throw new Error("invalid decoder input: " + base64lex);
-    }
-    var base64 = "";
-    for (var i = 0, length = base64lex.length; i < length; i++) {
-        base64 += DECODE_TABLE[base64lex[i]];
-    }
-    return base64;
-}
-const DECODE_TABLE = {
-    "-": "=",
-    "0": "A",
-    "1": "B",
-    "2": "C",
-    "3": "D",
-    "4": "E",
-    "5": "F",
-    "6": "G",
-    "7": "H",
-    "8": "I",
-    "9": "J",
-    A: "K",
-    B: "L",
-    C: "M",
-    D: "N",
-    E: "O",
-    F: "P",
-    G: "Q",
-    H: "R",
-    I: "S",
-    J: "T",
-    K: "U",
-    L: "V",
-    M: "W",
-    N: "X",
-    O: "Y",
-    P: "Z",
-    Q: "a",
-    R: "b",
-    S: "c",
-    T: "d",
-    U: "e",
-    V: "f",
-    W: "g",
-    X: "h",
-    Y: "i",
-    Z: "j",
-    _: "k",
-    a: "l",
-    b: "m",
-    c: "n",
-    d: "o",
-    e: "p",
-    f: "q",
-    g: "r",
-    h: "s",
-    i: "t",
-    j: "u",
-    k: "v",
-    l: "w",
-    m: "x",
-    n: "y",
-    o: "z",
-    p: "0",
-    q: "1",
-    r: "2",
-    s: "3",
-    t: "4",
-    u: "5",
-    v: "6",
-    w: "7",
-    x: "8",
-    y: "9",
-    z: "+",
-    "|": "/",
-};
-const ENCODE_TABLE = {};
-for (const c of Object.keys(DECODE_TABLE)) {
-    ENCODE_TABLE[DECODE_TABLE[c]] = c;
+                messageParams: { email },
+            },
+        ];
+        if (alert) {
+            alerts.push(alert);
+        }
+        const { otp } = yield interactWithUser(userInteraction, {
+            type: 'otp',
+            title: 'Enter OTP',
+            alerts,
+            fields: {
+                otp: {
+                    type: 'otp',
+                    label: 'OTP',
+                    placeholder: 'Paste OTP here',
+                },
+            },
+        });
+        return otp;
+    });
 }
-
-var ArrayBufferDef = {
-    ArrayBuffer: {
-        replace: (ab) => ({
-            $t: "ArrayBuffer",
-            v: b64LexEncode(ab),
-        }),
-        revive: ({ v }) => {
-            const ba = b64LexDecode(v);
-            return ba.buffer.byteLength === ba.byteLength
-                ? ba.buffer
-                : ba.buffer.slice(ba.byteOffset, ba.byteOffset + ba.byteLength);
-        },
-    },
-};
-
-class FakeBlob {
-    constructor(buf, type) {
-        this.buf = buf;
-        this.type = type;
-    }
+function confirmLogout(userInteraction, currentUserId, numUnsyncedChanges) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const alerts = [
+            {
+                type: 'warning',
+                messageCode: 'LOGOUT_CONFIRMATION',
+                message: `{numUnsyncedChanges} unsynced changes will get lost!
+                Logout anyway?`,
+                messageParams: {
+                    currentUserId,
+                    numUnsyncedChanges: numUnsyncedChanges.toString(),
+                }
+            },
+        ];
+        return yield interactWithUser(userInteraction, {
+            type: 'logout-confirmation',
+            title: 'Confirm Logout',
+            alerts,
+            fields: {},
+            submitLabel: 'Confirm logout',
+            cancelLabel: 'Cancel'
+        })
+            .then(() => true)
+            .catch(() => false);
+    });
 }
-
-function readBlobSync(b) {
-    const req = new XMLHttpRequest();
-    req.overrideMimeType("text/plain; charset=x-user-defined");
-    req.open("GET", URL.createObjectURL(b), false); // Sync
-    req.send();
-    if (req.status !== 200 && req.status !== 0) {
-        throw new Error("Bad Blob access: " + req.status);
-    }
-    return req.responseText;
+/**
+ * Prompts the user to select an authentication method (OAuth provider or OTP).
+ *
+ * This function converts OAuth providers and OTP option into generic DXCOption[]
+ * for the DXCSelect interaction, handling icon fetching and style hints.
+ *
+ * @param userInteraction - The user interaction BehaviorSubject
+ * @param providers - Available OAuth providers
+ * @param otpEnabled - Whether OTP is available
+ * @param title - Dialog title
+ * @param alerts - Optional alerts to display
+ * @returns Promise resolving to the user's selection
+ */
+function promptForProvider(userInteraction_1, providers_1, otpEnabled_1) {
+    return __awaiter(this, arguments, void 0, function* (userInteraction, providers, otpEnabled, title = 'Choose login method', alerts = []) {
+        // Convert providers to generic options
+        const providerOptions = providers.map(providerToOption);
+        // Build the options array
+        const options = [...providerOptions];
+        // Add OTP option if enabled
+        if (otpEnabled) {
+            options.push({
+                name: 'otp',
+                value: 'email',
+                displayName: 'Continue with email',
+                iconUrl: EmailIcon,
+                styleHint: 'otp',
+            });
+        }
+        return new Promise((resolve, reject) => {
+            const interactionProps = {
+                type: 'generic',
+                title,
+                alerts,
+                options,
+                fields: {},
+                submitLabel: '', // No submit button - just options
+                cancelLabel: 'Cancel',
+                onSubmit: (params) => {
+                    userInteraction.next(undefined);
+                    // Check which option was selected
+                    if ('otp' in params) {
+                        resolve({ type: 'otp' });
+                    }
+                    else if ('provider' in params) {
+                        resolve({ type: 'provider', provider: params.provider });
+                    }
+                    else {
+                        // Unknown - default to OTP
+                        resolve({ type: 'otp' });
+                    }
+                },
+                onCancel: () => {
+                    userInteraction.next(undefined);
+                    reject(new Dexie.AbortError('User cancelled'));
+                },
+            };
+            userInteraction.next(interactionProps);
+        });
+    });
 }
 
-function string2ArrayBuffer(str) {
-    const array = new Uint8Array(str.length);
-    for (let i = 0; i < str.length; ++i) {
-        array[i] = str.charCodeAt(i); // & 0xff;
+/**
+ * Error thrown when initiating an OAuth redirect.
+ *
+ * This is not a real error - it's used to signal that the page is
+ * navigating away to an OAuth provider. It should be caught and
+ * silently ignored at the appropriate level.
+ */
+class OAuthRedirectError extends Error {
+    constructor(provider) {
+        super(`OAuth redirect initiated for provider: ${provider}`);
+        this.name = 'OAuthRedirectError';
+        this.provider = provider;
     }
-    return array.buffer;
 }
 
-var BlobDef = {
-    Blob: {
-        test: (blob, toStringTag) => toStringTag === "Blob" || blob instanceof FakeBlob,
-        replace: (blob) => ({
-            $t: "Blob",
-            v: blob instanceof FakeBlob
-                ? b64encode(blob.buf)
-                : b64encode(string2ArrayBuffer(readBlobSync(blob))),
-            type: blob.type,
-        }),
-        revive: ({ type, v }) => {
-            const ab = b64decode(v);
-            return typeof Blob !== undefined
-                ? new Blob([ab])
-                : new FakeBlob(ab.buffer, type);
-        },
-    },
-};
-
-const builtin = {
-    ...numberDef,
-    ...bigIntDef$1,
-    ...DateDef,
-    ...SetDef,
-    ...MapDef,
-    ...TypedArraysDefs,
-    ...ArrayBufferDef,
-    ...BlobDef, // Should be moved to another preset for DOM types (or universal? since it supports node as well with FakeBlob)
-};
+const SECONDS = 1000;
+const MINUTES = 60 * SECONDS;
 
-function Bison(...typeDefsInputs) {
-    const tson = TypesonSimplified(builtin, BisonBinaryTypes, ...typeDefsInputs);
-    return {
-        toBinary(value) {
-            const [blob, json] = this.stringify(value);
-            const lenBuf = new ArrayBuffer(4);
-            new DataView(lenBuf).setUint32(0, blob.size);
-            return new Blob([lenBuf, blob, json]);
-        },
-        stringify(value) {
-            const binaries = [];
-            const json = tson.stringify(value, binaries);
-            const blob = new Blob(binaries.map((b) => {
-                const lenBuf = new ArrayBuffer(4);
-                new DataView(lenBuf).setUint32(0, "byteLength" in b ? b.byteLength : b.size);
-                return new Blob([lenBuf, b]);
-            }));
-            return [blob, json];
-        },
-        async parse(json, binData) {
-            let pos = 0;
-            const arrayBuffers = [];
-            const buf = await readBlobBinary(binData);
-            const view = new DataView(buf);
-            while (pos < buf.byteLength) {
-                const len = view.getUint32(pos);
-                pos += 4;
-                const ab = buf.slice(pos, pos + len);
-                pos += len;
-                arrayBuffers.push(ab);
-            }
-            return tson.parse(json, arrayBuffers);
-        },
-        async fromBinary(blob) {
-            const len = new DataView(await readBlobBinary(blob.slice(0, 4))).getUint32(0);
-            const binData = blob.slice(4, len + 4);
-            const json = await readBlob(blob.slice(len + 4));
-            return await this.parse(json, binData);
-        },
-    };
+function loadAccessToken(db) {
+    return __awaiter(this, void 0, void 0, function* () {
+        var _a, _b, _c;
+        const currentUser = yield db.getCurrentUser();
+        const { accessToken, accessTokenExpiration, refreshToken, refreshTokenExpiration, claims, } = currentUser;
+        if (!accessToken)
+            return null;
+        const expTime = (_a = accessTokenExpiration === null || accessTokenExpiration === void 0 ? void 0 : accessTokenExpiration.getTime()) !== null && _a !== void 0 ? _a : Infinity;
+        if (expTime > (Date.now() + 5 * MINUTES) && (((_b = currentUser.license) === null || _b === void 0 ? void 0 : _b.status) || 'ok') === 'ok') {
+            return currentUser;
+        }
+        if (!refreshToken) {
+            throw new Error(`Refresh token missing`);
+        }
+        const refreshExpTime = (_c = refreshTokenExpiration === null || refreshTokenExpiration === void 0 ? void 0 : refreshTokenExpiration.getTime()) !== null && _c !== void 0 ? _c : Infinity;
+        if (refreshExpTime <= Date.now()) {
+            throw new Error(`Refresh token has expired`);
+        }
+        const refreshedLogin = yield refreshAccessToken(db.cloud.options.databaseUrl, currentUser);
+        yield db.table('$logins').update(claims.sub, {
+            accessToken: refreshedLogin.accessToken,
+            accessTokenExpiration: refreshedLogin.accessTokenExpiration,
+            claims: refreshedLogin.claims,
+            license: refreshedLogin.license,
+            data: refreshedLogin.data,
+        });
+        return refreshedLogin;
+    });
 }
-function readBlob(blob) {
-    return new Promise((resolve, reject) => {
-        const reader = new FileReader();
-        reader.onabort = (ev) => reject(new Error("file read aborted"));
-        reader.onerror = (ev) => reject(ev.target.error);
-        reader.onload = (ev) => resolve(ev.target.result);
-        reader.readAsText(blob);
+function authenticate(url, context, fetchToken, userInteraction, hints) {
+    return __awaiter(this, void 0, void 0, function* () {
+        if (context.accessToken &&
+            context.accessTokenExpiration.getTime() > Date.now()) {
+            return context;
+        }
+        else if (context.refreshToken &&
+            (!context.refreshTokenExpiration ||
+                context.refreshTokenExpiration.getTime() > Date.now())) {
+            return yield refreshAccessToken(url, context);
+        }
+        else {
+            return yield userAuthenticate(context, fetchToken, userInteraction, hints);
+        }
+    });
+}
+function refreshAccessToken(url, login) {
+    return __awaiter(this, void 0, void 0, function* () {
+        if (!login.refreshToken)
+            throw new Error(`Cannot refresh token - refresh token is missing.`);
+        if (!login.nonExportablePrivateKey)
+            throw new Error(`login.nonExportablePrivateKey is missing - cannot sign refresh token without a private key.`);
+        const time_stamp = Date.now();
+        const signing_algorithm = 'RSASSA-PKCS1-v1_5';
+        const textEncoder = new TextEncoder();
+        const data = textEncoder.encode(login.refreshToken + time_stamp);
+        const binarySignature = yield crypto.subtle.sign(signing_algorithm, login.nonExportablePrivateKey, data);
+        const signature = b64encode(binarySignature);
+        const tokenRequest = {
+            grant_type: 'refresh_token',
+            refresh_token: login.refreshToken,
+            scopes: ['ACCESS_DB'],
+            signature,
+            signing_algorithm,
+            time_stamp,
+        };
+        const res = yield fetch(`${url}/token`, {
+            body: JSON.stringify(tokenRequest),
+            method: 'post',
+            headers: { 'Content-Type': 'application/json' },
+            mode: 'cors',
+        });
+        if (res.status !== 200)
+            throw new Error(`RefreshToken: Status ${res.status} from ${url}/token`);
+        const response = yield res.json();
+        if (response.type === 'error') {
+            throw new TokenErrorResponseError(response);
+        }
+        login.accessToken = response.accessToken;
+        login.accessTokenExpiration = response.accessTokenExpiration
+            ? new Date(response.accessTokenExpiration)
+            : undefined;
+        login.claims = response.claims;
+        login.license = {
+            type: response.userType,
+            status: response.claims.license || 'ok',
+        };
+        if (response.evalDaysLeft != null) {
+            login.license.evalDaysLeft = response.evalDaysLeft;
+        }
+        if (response.userValidUntil != null) {
+            login.license.validUntil = new Date(response.userValidUntil);
+        }
+        if (response.data) {
+            login.data = response.data;
+        }
+        return login;
     });
 }
-function readBlobBinary(blob) {
-    return new Promise((resolve, reject) => {
-        const reader = new FileReader();
-        reader.onabort = (ev) => reject(new Error("file read aborted"));
-        reader.onerror = (ev) => reject(ev.target.error);
-        reader.onload = (ev) => resolve(ev.target.result);
-        reader.readAsArrayBuffer(blob);
+function userAuthenticate(context, fetchToken, userInteraction, hints) {
+    return __awaiter(this, void 0, void 0, function* () {
+        if (!crypto.subtle) {
+            if (typeof location !== 'undefined' && location.protocol === 'http:') {
+                throw new Error(`Dexie Cloud Addon needs to use WebCrypto, but your browser has disabled it due to being served from an insecure location. Please serve it from https or http://localhost:<port> (See https://stackoverflow.com/questions/46670556/how-to-enable-crypto-subtle-for-unsecure-origins-in-chrome/46671627#46671627)`);
+            }
+            else {
+                throw new Error(`This browser does not support WebCrypto.`);
+            }
+        }
+        const { privateKey, publicKey } = yield crypto.subtle.generateKey({
+            name: 'RSASSA-PKCS1-v1_5',
+            modulusLength: 2048,
+            publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+            hash: { name: 'SHA-256' },
+        }, false, // Non-exportable...
+        ['sign', 'verify']);
+        if (!privateKey || !publicKey)
+            throw new Error(`Could not generate RSA keypair`); // Typings suggest these can be undefined...
+        context.nonExportablePrivateKey = privateKey; //...but storable!
+        const publicKeySPKI = yield crypto.subtle.exportKey('spki', publicKey);
+        const publicKeyPEM = spkiToPEM(publicKeySPKI);
+        context.publicKey = publicKey;
+        try {
+            const response2 = yield fetchToken({
+                public_key: publicKeyPEM,
+                hints,
+            });
+            if (response2.type === 'error') {
+                throw new TokenErrorResponseError(response2);
+            }
+            if (response2.type !== 'tokens')
+                throw new Error(`Unexpected response type from token endpoint: ${response2.type}`);
+            /*const licenseStatus = response2.claims.license || 'ok';
+            if (licenseStatus !== 'ok') {
+              throw new InvalidLicenseError(licenseStatus);
+            }*/
+            context.accessToken = response2.accessToken;
+            context.accessTokenExpiration = new Date(response2.accessTokenExpiration);
+            context.refreshToken = response2.refreshToken;
+            if (response2.refreshTokenExpiration) {
+                context.refreshTokenExpiration = new Date(response2.refreshTokenExpiration);
+            }
+            context.userId = response2.claims.sub;
+            context.email = response2.claims.email;
+            context.name = response2.claims.name;
+            context.claims = response2.claims;
+            context.license = {
+                type: response2.userType,
+                status: response2.claims.license || 'ok',
+            };
+            context.data = response2.data;
+            if (response2.evalDaysLeft != null) {
+                context.license.evalDaysLeft = response2.evalDaysLeft;
+            }
+            if (response2.userValidUntil != null) {
+                context.license.validUntil = new Date(response2.userValidUntil);
+            }
+            if (response2.alerts && response2.alerts.length > 0) {
+                yield interactWithUser(userInteraction, {
+                    type: 'message-alert',
+                    title: 'Authentication Alert',
+                    fields: {},
+                    alerts: response2.alerts,
+                });
+            }
+            return context;
+        }
+        catch (error) {
+            // OAuth redirect is not an error - page is navigating away
+            if (error instanceof OAuthRedirectError || (error === null || error === void 0 ? void 0 : error.name) === 'OAuthRedirectError') {
+                throw error; // Re-throw without logging
+            }
+            if (error instanceof TokenErrorResponseError) {
+                yield alertUser(userInteraction, error.title, {
+                    type: 'error',
+                    messageCode: error.messageCode,
+                    message: error.message,
+                    messageParams: {},
+                });
+                throw error;
+            }
+            let message = `We're having a problem authenticating right now.`;
+            console.error(`Error authenticating`, error);
+            if (error instanceof TypeError) {
+                const isOffline = typeof navigator !== 'undefined' && !navigator.onLine;
+                if (isOffline) {
+                    message = `You seem to be offline. Please connect to the internet and try again.`;
+                }
+                else if (typeof location !== 'undefined' && (Dexie.debug || location.hostname === 'localhost' || location.hostname === '127.0.0.1')) {
+                    // The audience is most likely the developer. Suggest to whitelist the localhost origin:
+                    const whitelistCommand = `npx dexie-cloud whitelist ${location.origin}`;
+                    message = `Could not connect to server. Please verify that your origin '${location.origin}' is whitelisted using \`npx dexie-cloud whitelist\``;
+                    yield alertUser(userInteraction, 'Authentication Failed', {
+                        type: 'error',
+                        messageCode: 'GENERIC_ERROR',
+                        message,
+                        messageParams: {},
+                        copyText: whitelistCommand,
+                    }).catch(() => { });
+                }
+                else {
+                    message = `Could not connect to server. Please verify the connection.`;
+                    yield alertUser(userInteraction, 'Authentication Failed', {
+                        type: 'error',
+                        messageCode: 'GENERIC_ERROR',
+                        message,
+                        messageParams: {},
+                    }).catch(() => { });
+                }
+            }
+            throw error;
+        }
     });
 }
-
-/** The undefined type is not part of builtin but can be manually added.
- * The reason for supporting undefined is if the following object should be revived correctly:
- *
- *    {foo: undefined}
- *
- * Without including this typedef, the revived object would just be {}.
- * If including this typedef, the revived object would be {foo: undefined}.
- */
-var undefinedDef = {
-    undefined: {
-        replace: () => ({
-            $t: "undefined"
-        }),
-        revive: () => undefined,
-    },
-};
-
-var FileDef = {
-    File: {
-        test: (file, toStringTag) => toStringTag === "File",
-        replace: (file) => ({
-            $t: "File",
-            v: b64encode(string2ArrayBuffer(readBlobSync(file))),
-            type: file.type,
-            name: file.name,
-            lastModified: new Date(file.lastModified).toISOString(),
-        }),
-        revive: ({ type, v, name, lastModified }) => {
-            const ab = b64decode(v);
-            return new File([ab], name, {
-                type,
-                lastModified: new Date(lastModified).getTime(),
-            });
-        },
-    },
-};
+function spkiToPEM(keydata) {
+    const keydataB64 = b64encode(keydata);
+    const keydataB64Pem = formatAsPem(keydataB64);
+    return keydataB64Pem;
+}
+function formatAsPem(str) {
+    let finalString = '-----BEGIN PUBLIC KEY-----\n';
+    while (str.length > 0) {
+        finalString += str.substring(0, 64) + '\n';
+        str = str.substring(64);
+    }
+    finalString = finalString + '-----END PUBLIC KEY-----';
+    return finalString;
+}
 
 // Since server revisions are stored in bigints, we need to handle clients without
 // bigint support to not fail when serverRevision is passed over to client.
@@ -2137,7 +2291,7 @@ const bigIntDef = hasBigIntSupport
             revive: ({ v }) => new FakeBigInt(v),
         },
     };
-const defs = Object.assign(Object.assign(Object.assign(Object.assign({}, undefinedDef), bigIntDef), FileDef), { PropModification: {
+const defs = Object.assign(Object.assign(Object.assign(Object.assign({}, undefinedTypeDef), bigIntDef), fileTypeDef), { PropModification: {
         test: (val) => val instanceof PropModification,
         replace: (propModification) => {
             return Object.assign({ $t: 'PropModification' }, propModification['@@propmod']);
@@ -2149,8 +2303,14 @@ const defs = Object.assign(Object.assign(Object.assign(Object.assign({}, undefin
             return new PropModification(propModSpec);
         },
     } });
-const TSON = TypesonSimplified(builtin, defs);
-const BISON = Bison(defs);
+const TSON = TypesonSimplified(
+// Standard type definitions - TSON is transparent to BlobRefs
+// BlobRefs use _bt convention and are handled by blobResolveMiddleware, not TSON
+typedArrayTypeDefs, arrayBufferTypeDef, blobTypeDef, 
+// Non-binary built-in types
+numberTypeDef, dateTypeDef, setTypeDef, mapTypeDef, 
+// Custom type definitions
+defs);
 
 class HttpError extends Error {
     constructor(res, message) {
@@ -2266,7 +2426,7 @@ function syncWithServer(changes, y, syncState, baseRevs, db, databaseUrl, schema
         // Push changes to server using fetch
         //
         const headers = {
-            Accept: 'application/json, application/x-bison, application/x-bison-stream',
+            Accept: 'application/json',
             'Content-Type': 'application/tson',
         };
         const updatedUser = yield loadAccessToken(db);
@@ -2285,7 +2445,7 @@ function syncWithServer(changes, y, syncState, baseRevs, db, databaseUrl, schema
             headers.Authorization = `Bearer ${accessToken}`;
         }
         const syncRequest = {
-            v: 2,
+            v: 3, // v3 = supports BlobRef
             dbID: syncState === null || syncState === void 0 ? void 0 : syncState.remoteDbId,
             clientIdentity,
             schema: schema || {},
@@ -2323,8 +2483,9 @@ function syncWithServer(changes, y, syncState, baseRevs, db, databaseUrl, schema
         }
         switch (res.headers.get('content-type')) {
             case 'application/x-bison':
-                return BISON.fromBinary(yield res.blob());
-            case 'application/x-bison-stream': //return BisonWebStreamReader(BISON, res);
+            case 'application/x-bison-stream':
+                // BISON format deprecated - throw error if server sends it
+                throw new Error('BISON format no longer supported. Server should send application/json.');
             default:
             case 'application/json': {
                 const text = yield res.text();
@@ -2728,13 +2889,462 @@ function applyYServerMessages(yMessages, db) {
                 console.error(`Failed to apply YMessage`, m, e);
             }
         }
-        return {
-            receivedUntils,
-            resyncNeeded,
-            yServerRevision,
-        };
+        return {
+            receivedUntils,
+            resyncNeeded,
+            yServerRevision,
+        };
+    });
+}
+
+/**
+ * Check if a value is a BlobRef (offloaded binary data)
+ * A BlobRef has _bt (type), ref (blob ID), but no v (inline data)
+ */
+function isBlobRef(value) {
+    if (typeof value !== 'object' || value === null)
+        return false;
+    const obj = value;
+    return (typeof obj._bt === 'string' &&
+        typeof obj.ref === 'string' &&
+        obj.v === undefined // No inline data = it's a reference
+    );
+}
+/**
+ * Check if a value is a serialized TSONRef (after IndexedDB storage)
+ * Has 'type' instead of '$t', and no Symbol marker
+ */
+function isSerializedTSONRef(value) {
+    if (typeof value !== 'object' || value === null)
+        return false;
+    const obj = value;
+    return (typeof obj.type === 'string' &&
+        typeof obj.ref === 'string' &&
+        typeof obj.size === 'number' &&
+        obj._bt === undefined // Not a raw BlobRef
+    );
+}
+/**
+ * Convert downloaded Uint8Array to the original type specified in BlobRef
+ */
+function convertToOriginalType(data, ref) {
+    // Get the underlying ArrayBuffer (handle shared buffer case)
+    const buffer = data.buffer.byteLength === data.byteLength
+        ? data.buffer
+        : data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength);
+    switch (ref._bt) {
+        case 'Blob':
+            return new Blob([new Uint8Array(buffer)], { type: ref.ct || '' });
+        case 'ArrayBuffer':
+            return buffer;
+        case 'Uint8Array':
+            return data;
+        case 'Int8Array':
+            return new Int8Array(buffer);
+        case 'Uint8ClampedArray':
+            return new Uint8ClampedArray(buffer);
+        case 'Int16Array':
+            return new Int16Array(buffer);
+        case 'Uint16Array':
+            return new Uint16Array(buffer);
+        case 'Int32Array':
+            return new Int32Array(buffer);
+        case 'Uint32Array':
+            return new Uint32Array(buffer);
+        case 'Float32Array':
+            return new Float32Array(buffer);
+        case 'Float64Array':
+            return new Float64Array(buffer);
+        case 'BigInt64Array':
+            return new BigInt64Array(buffer);
+        case 'BigUint64Array':
+            return new BigUint64Array(buffer);
+        case 'DataView':
+            return new DataView(buffer);
+        default:
+            // Fallback to Uint8Array for unknown types
+            return data;
+    }
+}
+/**
+ * Recursively resolve all BlobRefs in an object and collect them for queueing.
+ * Returns a new object with BlobRefs replaced by their original type data,
+ * and populates the resolvedBlobs array with keyPath info for each blob.
+ *
+ * @param obj - Object to resolve
+ * @param dbUrl - Base URL for the database
+ * @param accessToken - Access token for blob downloads
+ * @param resolvedBlobs - Array to collect resolved blob info
+ * @param currentPath - Current property path (for tracking)
+ * @param visited - WeakMap for circular reference detection
+ */
+function resolveAllBlobRefs(obj_1, dbUrl_1) {
+    return __awaiter(this, arguments, void 0, function* (obj, dbUrl, resolvedBlobs = [], currentPath = '', visited = new WeakMap(), tracker) {
+        if (obj == null) { // null or undefined
+            return obj;
+        }
+        // Check if this is a BlobRef - resolve it and track it
+        if (isBlobRef(obj)) {
+            const rawData = yield tracker.download(obj, dbUrl);
+            const data = convertToOriginalType(rawData, obj);
+            resolvedBlobs.push({ keyPath: currentPath, data, ref: obj.ref });
+            return data;
+        }
+        // Handle arrays
+        if (Array.isArray(obj)) {
+            // Avoid circular references - check and set BEFORE iterating
+            if (visited.has(obj)) {
+                return visited.get(obj);
+            }
+            const result = [];
+            visited.set(obj, result); // Set before iterating to handle self-references
+            for (let i = 0; i < obj.length; i++) {
+                const itemPath = currentPath ? `${currentPath}.${i}` : `${i}`;
+                result.push(yield resolveAllBlobRefs(obj[i], dbUrl, resolvedBlobs, itemPath, visited, tracker));
+            }
+            return result;
+        }
+        // Handle POJO objects only (not Date, RegExp, Blob, ArrayBuffer, etc.)
+        if (typeof obj === 'object' && obj.constructor === Object) {
+            // Avoid circular references
+            if (visited.has(obj)) {
+                return visited.get(obj);
+            }
+            const result = {};
+            visited.set(obj, result);
+            for (const [propName, value] of Object.entries(obj)) {
+                // Skip the _hasBlobRefs marker itself
+                if (propName === '_hasBlobRefs') {
+                    continue;
+                }
+                const propPath = currentPath ? `${currentPath}.${propName}` : propName;
+                result[propName] = yield resolveAllBlobRefs(value, dbUrl, resolvedBlobs, propPath, visited, tracker);
+            }
+            return result;
+        }
+        return obj;
+    });
+}
+/**
+ * Check if an object has unresolved BlobRefs
+ */
+function hasUnresolvedBlobRefs(obj) {
+    return (typeof obj === 'object' &&
+        obj !== null &&
+        obj._hasBlobRefs === 1);
+}
+
+/**
+ * Blob Offloading for Dexie Cloud
+ *
+ * Handles uploading large blobs to blob storage before sync,
+ * and resolving BlobRefs when reading from the database.
+ */
+// Blobs >= 4KB are offloaded to blob storage
+const BLOB_OFFLOAD_THRESHOLD = 4096;
+// Cache: once we know the server doesn't support blob storage, skip future uploads.
+// Maps databaseUrl → boolean (true = supported, false = not supported).
+const blobEndpointSupported = new Map();
+/**
+ * Cross-realm type detection helpers (performance-optimized)
+ *
+ * When code runs in different JavaScript realms (e.g., Service Worker context),
+ * `instanceof` checks can fail because each realm has its own global constructors.
+ * We use Object.prototype.toString which works reliably across realms.
+ *
+ * Performance considerations (this is a hot path - every property is checked):
+ * - Early return for primitives via typeof
+ * - Static Set for O(1) TypedArray tag lookup
+ * - Single typeTag call per check
+ */
+// TypedArray/DataView tags for size check
+const ARRAYBUFFER_VIEW_TAGS = new Set([
+    'Int8Array', 'Uint8Array', 'Uint8ClampedArray',
+    'Int16Array', 'Uint16Array', 'Int32Array', 'Uint32Array',
+    'Float32Array', 'Float64Array', 'BigInt64Array', 'BigUint64Array',
+    'DataView'
+]);
+// Static Set for O(1) lookup of binary type tags
+const BINARY_TYPE_TAGS = new Set([
+    'Blob',
+    'File',
+    'ArrayBuffer',
+    ...ARRAYBUFFER_VIEW_TAGS,
+]);
+/**
+ * Get the [[Class]] internal property via Object.prototype.toString
+ */
+function getTypeTag(value) {
+    return Object.prototype.toString.call(value).slice(8, -1);
+}
+/**
+ * Get the original type name for a value
+ */
+function getOrigType(value) {
+    const tag = getTypeTag(value);
+    if (tag === 'Blob' || tag === 'File')
+        return 'Blob';
+    if (tag === 'ArrayBuffer')
+        return 'ArrayBuffer';
+    return tag;
+}
+/**
+ * Check if a value should be offloaded to blob storage
+ * Performance-optimized for hot path traversal.
+ */
+function shouldOffloadBlob(value) {
+    // Fast path: primitives (most common case)
+    // typeof returns: "string", "number", "boolean", "undefined", "symbol", "bigint", "function", "object"
+    const t = typeof value;
+    if (t !== 'object' || value === null)
+        return false;
+    // Get type tag once (cross-realm safe)
+    const tag = getTypeTag(value);
+    // Quick check: is this even a binary type?
+    if (!BINARY_TYPE_TAGS.has(tag))
+        return false;
+    // Blob/File: always offload regardless of size.
+    // This ensures blobs are never stored inline in IndexedDB, which avoids
+    // issues with synchronous blob reading (e.g. in service workers where
+    // XMLHttpRequest is unavailable — see #2182).
+    if (tag === 'Blob' || tag === 'File') {
+        return true;
+    }
+    // ArrayBuffer/TypedArray/DataView: only offload above threshold
+    if (tag === 'ArrayBuffer') {
+        return value.byteLength >= BLOB_OFFLOAD_THRESHOLD;
+    }
+    // TypedArray or DataView
+    return value.byteLength >= BLOB_OFFLOAD_THRESHOLD;
+}
+/**
+ * Upload a blob to the blob storage endpoint
+ */
+function uploadBlob(databaseUrl, getCachedAccessToken, blob) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const accessToken = yield getCachedAccessToken();
+        if (!accessToken) {
+            throw new Error('Failed to load access token for blob upload');
+        }
+        const blobId = newId();
+        // URL format: {databaseUrl}/blob/{blobId}
+        const url = `${databaseUrl}/blob/${blobId}`;
+        let body;
+        let contentType;
+        let size;
+        const origType = getOrigType(blob);
+        // Use type tag for cross-realm compatible checks
+        const tag = getTypeTag(blob);
+        if (tag === 'Blob' || tag === 'File') {
+            body = blob;
+            contentType = blob.type || 'application/octet-stream';
+            size = blob.size;
+        }
+        else if (tag === 'ArrayBuffer') {
+            body = blob;
+            contentType = 'application/octet-stream';
+            size = blob.byteLength;
+        }
+        else if (ARRAYBUFFER_VIEW_TAGS.has(tag)) {
+            // ArrayBufferView (TypedArray or DataView) - create a proper ArrayBuffer copy
+            const view = blob;
+            const arrayBuffer = new ArrayBuffer(view.byteLength);
+            new Uint8Array(arrayBuffer).set(new Uint8Array(view.buffer, view.byteOffset, view.byteLength));
+            body = arrayBuffer;
+            contentType = 'application/octet-stream';
+            size = view.byteLength;
+        }
+        else {
+            throw new Error(`Unsupported blob type: ${tag}`);
+        }
+        // Add content type as query param for the server to store
+        const uploadUrl = `${url}?ct=${encodeURIComponent(contentType)}`;
+        const response = yield fetch(uploadUrl, {
+            method: 'PUT',
+            headers: {
+                'Authorization': `Bearer ${accessToken}`,
+                'Content-Type': contentType,
+            },
+            body,
+        });
+        if (!response.ok) {
+            if (response.status === 404 || response.status === 405) {
+                // Server doesn't support blob storage endpoint — fall back to inline storage.
+                // This happens when a new client connects to an older server (pre-3.0).
+                return null;
+            }
+            throw new Error(`Failed to upload blob: ${response.status} ${response.statusText}`);
+        }
+        // The server returns the ref with version prefix (e.g., "1:blobId")
+        const result = yield response.json();
+        // Return BlobRef with server's ref (includes version) and original type preserved in _bt
+        return Object.assign({ _bt: origType, ref: result.ref, size: size }, (origType === 'Blob' ? { ct: contentType } : {}) // Only include content type for Blobs
+        );
+    });
+}
+function offloadBlobsAndMarkDirty(obj, databaseUrl, getCachedAccessToken) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const dirtyFlag = { dirty: false };
+        const result = yield offloadBlobs(obj, databaseUrl, getCachedAccessToken, dirtyFlag);
+        // Mark the object as dirty for sync if any blobs were offloaded
+        if (dirtyFlag.dirty && typeof result === 'object' && result !== null && result.constructor === Object) {
+            result._hasBlobRefs = 1;
+        }
+        return result;
+    });
+}
+/**
+ * Recursively scan an object for large blobs and upload them
+ * Returns a new object with blobs replaced by BlobRefs
+ */
+function offloadBlobs(obj_1, databaseUrl_1, getCachedAccessToken_1) {
+    return __awaiter(this, arguments, void 0, function* (obj, databaseUrl, getCachedAccessToken, dirtyFlag = { dirty: false }, visited = new WeakSet()) {
+        if (obj === null || obj === undefined) {
+            return obj;
+        }
+        // Check if this is a blob that should be offloaded
+        if (shouldOffloadBlob(obj)) {
+            if (blobEndpointSupported.get(databaseUrl) === false) {
+                // Server known to not support blob storage — keep inline
+                return obj;
+            }
+            const blobRef = yield uploadBlob(databaseUrl, getCachedAccessToken, obj);
+            if (blobRef === null) {
+                // Server doesn't support blob storage — keep original inline
+                blobEndpointSupported.set(databaseUrl, false);
+                return obj;
+            }
+            blobEndpointSupported.set(databaseUrl, true);
+            dirtyFlag.dirty = true;
+            return blobRef;
+        }
+        if (typeof obj !== 'object') {
+            return obj;
+        }
+        // Avoid circular references - check BEFORE processing
+        if (visited.has(obj)) {
+            return obj;
+        }
+        visited.add(obj);
+        // Handle arrays
+        if (Array.isArray(obj)) {
+            const result = [];
+            for (const item of obj) {
+                result.push(yield offloadBlobs(item, databaseUrl, getCachedAccessToken, dirtyFlag, visited));
+            }
+            return result;
+        }
+        // Traverse plain objects (POJO-like) - use prototype check since IndexedDB
+        // may return objects where constructor !== Object
+        const proto = Object.getPrototypeOf(obj);
+        if (proto !== Object.prototype && proto !== null) {
+            return obj;
+        }
+        const result = {};
+        for (const [key, value] of Object.entries(obj)) {
+            result[key] = yield offloadBlobs(value, databaseUrl, getCachedAccessToken, dirtyFlag, visited);
+        }
+        return result;
+    });
+}
+/**
+ * Process a DBOperationsSet and offload any large blobs
+ * Returns a new DBOperationsSet with blobs replaced by BlobRefs
+ */
+function offloadBlobsInOperations(operations, databaseUrl, getCachedAccessToken) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const result = [];
+        for (const tableOps of operations) {
+            const processedMuts = [];
+            for (const mut of tableOps.muts) {
+                const processedMut = yield offloadBlobsInOperation(mut, databaseUrl, getCachedAccessToken);
+                processedMuts.push(processedMut);
+            }
+            result.push({
+                table: tableOps.table,
+                muts: processedMuts,
+            });
+        }
+        return result;
+    });
+}
+function offloadBlobsInOperation(op, databaseUrl, getCachedAccessToken) {
+    return __awaiter(this, void 0, void 0, function* () {
+        switch (op.type) {
+            case 'insert':
+            case 'upsert': {
+                const processedValues = yield Promise.all(op.values.map(value => offloadBlobsAndMarkDirty(value, databaseUrl, getCachedAccessToken)));
+                return Object.assign(Object.assign({}, op), { values: processedValues });
+            }
+            case 'update': {
+                const processedChangeSpecs = yield Promise.all(op.changeSpecs.map(spec => offloadBlobsAndMarkDirty(spec, databaseUrl, getCachedAccessToken)));
+                return Object.assign(Object.assign({}, op), { changeSpecs: processedChangeSpecs });
+            }
+            case 'modify': {
+                const processedChangeSpec = yield offloadBlobsAndMarkDirty(op.changeSpec, databaseUrl, getCachedAccessToken);
+                return Object.assign(Object.assign({}, op), { changeSpec: processedChangeSpec });
+            }
+            case 'delete':
+                // No blobs in delete operations
+                return op;
+            default:
+                return op;
+        }
     });
 }
+/**
+ * Check if there are any large blobs in the operations that need offloading
+ * This is a quick check to avoid unnecessary processing
+ */
+function hasLargeBlobsInOperations(operations) {
+    for (const tableOps of operations) {
+        for (const mut of tableOps.muts) {
+            if (hasLargeBlobsInOperation(mut)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+function hasLargeBlobsInOperation(op) {
+    switch (op.type) {
+        case 'insert':
+        case 'upsert':
+            return op.values.some(value => hasLargeBlobs(value));
+        case 'update':
+            return op.changeSpecs.some(spec => hasLargeBlobs(spec));
+        case 'modify':
+            return hasLargeBlobs(op.changeSpec);
+        default:
+            return false;
+    }
+}
+function hasLargeBlobs(obj, visited = new WeakSet()) {
+    if (obj === null || obj === undefined) {
+        return false;
+    }
+    if (shouldOffloadBlob(obj)) {
+        return true;
+    }
+    if (typeof obj !== 'object') {
+        return false;
+    }
+    // Avoid circular references - check BEFORE processing
+    if (visited.has(obj)) {
+        return false;
+    }
+    visited.add(obj);
+    if (Array.isArray(obj)) {
+        return obj.some(item => hasLargeBlobs(item, visited));
+    }
+    // Traverse plain objects (POJO-like) - use duck typing since IndexedDB
+    // may return objects where constructor !== Object
+    const proto = Object.getPrototypeOf(obj);
+    if (proto === Object.prototype || proto === null) {
+        return Object.values(obj).some(value => hasLargeBlobs(value, visited));
+    }
+    return false;
+}
 
 function updateYSyncStates(lastUpdateIdsBeforeSync, receivedUntilsAfterSync, db) {
     return __awaiter(this, void 0, void 0, function* () {
@@ -2917,6 +3527,33 @@ function downloadYDocsFromServer(db_1, databaseUrl_1, _a) {
     });
 }
 
+const wm$3 = new WeakMap();
+function loadCachedAccessToken(db) {
+    var _a, _b, _c, _d;
+    let cached = wm$3.get(db);
+    if (cached && cached.expiration > Date.now() + 5 * MINUTES) {
+        return Promise.resolve(cached.accessToken);
+    }
+    const currentUser = db.cloud.currentUser.value;
+    if (currentUser && currentUser.accessToken && ((_b = (_a = currentUser.accessTokenExpiration) === null || _a === void 0 ? void 0 : _a.getTime()) !== null && _b !== void 0 ? _b : Infinity) > Date.now() + 5 * MINUTES) {
+        wm$3.set(db, {
+            accessToken: currentUser.accessToken,
+            expiration: (_d = (_c = currentUser.accessTokenExpiration) === null || _c === void 0 ? void 0 : _c.getTime()) !== null && _d !== void 0 ? _d : Infinity
+        });
+        return Promise.resolve(currentUser.accessToken);
+    }
+    return Dexie.ignoreTransaction(() => loadAccessToken(db).then(user => {
+        var _a, _b;
+        if (user === null || user === void 0 ? void 0 : user.accessToken) {
+            wm$3.set(db, {
+                accessToken: user.accessToken,
+                expiration: (_b = (_a = user.accessTokenExpiration) === null || _a === void 0 ? void 0 : _a.getTime()) !== null && _b !== void 0 ? _b : Infinity
+            });
+        }
+        return (user === null || user === void 0 ? void 0 : user.accessToken) || null;
+    }));
+}
+
 const CURRENT_SYNC_WORKER = 'currentSyncWorker';
 function sync(db, options, schema, syncOptions) {
     return _sync(db, options, schema, syncOptions)
@@ -3034,12 +3671,20 @@ function _sync(db_1, options_1, schema_1) {
             return false;
         }
         const latestRevisions = getLatestRevisionsPerTable(clientChangeSet, syncState === null || syncState === void 0 ? void 0 : syncState.latestRevisions);
-        const clientIdentity = (syncState === null || syncState === void 0 ? void 0 : syncState.clientIdentity) || randomString(16);
+        const clientIdentity = (syncState === null || syncState === void 0 ? void 0 : syncState.clientIdentity) || randomString$1(16);
+        //
+        // Offload large blobs to blob storage before sync
+        //
+        let processedChangeSet = clientChangeSet;
+        const hasLargeBlobs = hasLargeBlobsInOperations(clientChangeSet);
+        if (hasLargeBlobs) {
+            processedChangeSet = yield offloadBlobsInOperations(clientChangeSet, databaseUrl, () => loadCachedAccessToken(db));
+        }
         //
         // Push changes to server
         //
         throwIfCancelled(cancelToken);
-        const res = yield syncWithServer(clientChangeSet, yMessages, syncState, baseRevs, db, databaseUrl, schema, clientIdentity, currentUser);
+        const res = yield syncWithServer(processedChangeSet, yMessages, syncState, baseRevs, db, databaseUrl, schema, clientIdentity, currentUser);
         console.debug('Sync response', res);
         //
         // Apply changes locally and clear old change entries:
@@ -3442,6 +4087,65 @@ function MessagesFromServerConsumer(db) {
     };
 }
 
+/**
+ * Deduplicates in-flight blob downloads.
+ *
+ * Both the blob-resolve middleware and the eager blob downloader may
+ * try to fetch the same blob concurrently. This tracker ensures each
+ * unique blob ref is only downloaded once — subsequent requests for
+ * the same ref piggyback on the existing promise.
+ *
+ * Instantiate once per DexieCloudDB.
+ */
+class BlobDownloadTracker {
+    constructor(db) {
+        this.inFlight = new Map();
+        this.db = db;
+    }
+    /**
+     * Download a blob, deduplicating concurrent requests for the same ref.
+     *
+     * @param blobRef - The BlobRef to download
+     * @param dbUrl - Base URL for the database (e.g., 'https://mydb.dexie.cloud')
+     */
+    download(blobRef, dbUrl) {
+        let promise = this.inFlight.get(blobRef.ref);
+        if (!promise) {
+            promise = loadCachedAccessToken(this.db).then(accessToken => {
+                if (!accessToken)
+                    throw new Error("No access token available for blob download");
+                return downloadBlob(blobRef, dbUrl, accessToken);
+            }).finally(() => this.inFlight.delete(blobRef.ref));
+            // When the promise settles (either fulfilled or rejected), remove it from the in-flight map
+            this.inFlight.set(blobRef.ref, promise);
+        }
+        return promise;
+    }
+}
+/**
+ * Download blob data from server via proxy endpoint.
+ * Uses auth header for authentication (same as sync).
+ *
+ * @param blobRef - The BlobRef to download
+ * @param dbUrl - Base URL for the database (e.g., 'https://mydb.dexie.cloud')
+ * @param accessToken - Access token for authentication
+ */
+function downloadBlob(blobRef, dbUrl, accessToken) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const downloadUrl = `${dbUrl}/blob/${blobRef.ref}`;
+        const response = yield fetch(downloadUrl, {
+            headers: {
+                'Authorization': `Bearer ${accessToken}`
+            }
+        });
+        if (!response.ok) {
+            throw new Error(`Failed to download blob ${blobRef.ref}: ${response.status} ${response.statusText}`);
+        }
+        const arrayBuffer = yield response.arrayBuffer();
+        return new Uint8Array(arrayBuffer);
+    });
+}
+
 const wm$2 = new WeakMap();
 const DEXIE_CLOUD_SCHEMA = {
     members: '@id, [userId+realmId], [email+realmId], realmId',
@@ -3456,7 +4160,7 @@ let static_counter = 0;
 function DexieCloudDB(dx) {
     if ('vip' in dx)
         dx = dx['vip']; // Avoid race condition. Always map to a vipped dexie that don't block during db.on.ready().
-    let db = wm$2.get(dx.cloud);
+    let db = wm$2.get(dx);
     if (!db) {
         const localSyncEvent = new Subject();
         let syncStateChangedEvent = new BroadcastedAndLocalEvent(`syncstatechanged-${dx.name}`);
@@ -3475,7 +4179,9 @@ function DexieCloudDB(dx) {
             get tables() {
                 return dx.tables;
             },
-            cloud: dx.cloud,
+            get cloud() {
+                return dx.cloud;
+            },
             get $jobs() {
                 return dx.table('$jobs');
             },
@@ -3544,7 +4250,8 @@ function DexieCloudDB(dx) {
         Object.assign(db, helperMethods);
         db.messageConsumer = MessagesFromServerConsumer(db);
         db.messageProducer = new Subject();
-        wm$2.set(dx.cloud, db);
+        db.blobDownloadTracker = new BlobDownloadTracker(db);
+        wm$2.set(dx, db);
     }
     return db;
 }
@@ -3554,6 +4261,221 @@ function nameFromKeyPath(keyPath) {
         keyPath ? ('[' + [].join.call(keyPath, '+') + ']') : "";
 }
 
+/**
+ * Blob Progress Tracking
+ *
+ * Uses liveQuery to reactively track unresolved blob refs.
+ * Any change to _hasBlobRefs in any syncable table automatically
+ * triggers a re-scan — no manual updateBlobProgress() needed.
+ */
+/**
+ * BehaviorSubject for the isDownloading flag, controlled by eagerBlobDownloader.
+ */
+function createDownloadingState() {
+    return new BehaviorSubject(false);
+}
+/**
+ * Set downloading state.
+ */
+function setDownloadingState(downloading$, isDownloading) {
+    if (downloading$.value !== isDownloading) {
+        downloading$.next(isDownloading);
+    }
+}
+/**
+ * Create a liveQuery-based Observable<BlobProgress>.
+ *
+ * Combines a liveQuery (blobsRemaining, bytesRemaining) with an external
+ * isDownloading flag controlled by the eager downloader.
+ */
+function observeBlobProgress(db, downloading$) {
+    const blobStats$ = from(liveQuery(() => __awaiter(this, void 0, void 0, function* () {
+        let blobsRemaining = 0;
+        let bytesRemaining = 0;
+        const syncedTables = getSyncableTables(db);
+        yield db.dx.transaction('r', syncedTables, (tx) => __awaiter(this, void 0, void 0, function* () {
+            tx.idbtrans.disableBlobResolve = true;
+            for (const table of syncedTables) {
+                const hasIndex = !!table.schema.idxByName['_hasBlobRefs'];
+                if (!hasIndex)
+                    continue;
+                const unresolvedObjects = yield table
+                    .where('_hasBlobRefs')
+                    .equals(1)
+                    .toArray();
+                for (const obj of unresolvedObjects) {
+                    const blobs = findBlobRefs(obj);
+                    blobsRemaining += blobs.length;
+                    bytesRemaining += blobs.reduce((sum, blob) => sum + (blob.size || 0), 0);
+                }
+            }
+        }));
+        return { blobsRemaining, bytesRemaining };
+    })));
+    return combineLatest([blobStats$, downloading$]).pipe(map(([stats, isDownloading]) => ({
+        isDownloading: isDownloading && stats.blobsRemaining > 0,
+        blobsRemaining: stats.blobsRemaining,
+        bytesRemaining: stats.bytesRemaining,
+    })), share({ resetOnRefCountZero: () => timer(2000) }) // Keep alive for 2s after last unsubscription to avoid rapid re-subscriptions during UI updates  
+    );
+}
+/**
+ * Find all unresolved refs (BlobRef or TSONRef) in an object (recursive).
+ * Handles both live TSONRef instances and serialized TSONRefs (after IndexedDB).
+ */
+function findBlobRefs(obj) {
+    const refs = [];
+    function scan(value) {
+        if (value === null || value === undefined)
+            return;
+        if (typeof value !== 'object')
+            return;
+        if (TSONRef.isTSONRef(value)) {
+            refs.push({ ref: value.ref, size: value.size });
+            return;
+        }
+        if (isSerializedTSONRef(value)) {
+            const obj = value;
+            refs.push({ ref: obj.ref, size: obj.size });
+            return;
+        }
+        if (isBlobRef(value)) {
+            refs.push({ ref: value.ref, size: value.size || 0 });
+            return;
+        }
+        if (Array.isArray(value)) {
+            value.forEach(scan);
+        }
+        else if (value.constructor === Object) {
+            Object.values(value).forEach(scan);
+        }
+    }
+    scan(obj);
+    return refs;
+}
+
+/**
+ * Eager Blob Downloader
+ *
+ * Downloads unresolved blobs in the background when blobMode='eager'.
+ * Called after sync completes to prefetch blobs for offline access.
+ *
+ * Progress is tracked automatically via liveQuery in blobProgress.ts —
+ * no manual progress reporting needed here.
+ */
+/**
+ * Download all unresolved blobs in the background.
+ *
+ * This is called when blobMode='eager' (default) after sync completes.
+ * BlobRef URLs are signed (SAS tokens) so no auth header needed.
+ *
+ * Each blob is saved atomically using Table.update() to avoid race conditions.
+ */
+function downloadUnresolvedBlobs(db, downloading$, signal) {
+    return __awaiter(this, void 0, void 0, function* () {
+        var _a;
+        const debugLog = (msg) => console.debug(`[dexie-cloud] ${msg}`);
+        debugLog('Eager download: Starting...');
+        // Scan for unresolved blobs
+        const syncedTables = getSyncableTables(db);
+        let hasWork = false;
+        for (const table of syncedTables) {
+            try {
+                const hasIndex = !!table.schema.idxByName['_hasBlobRefs'];
+                if (!hasIndex)
+                    continue;
+                const count = yield table.where('_hasBlobRefs').equals(1).count();
+                if (count > 0) {
+                    hasWork = true;
+                    break;
+                }
+            }
+            catch (_b) {
+                // skip
+            }
+        }
+        if (!hasWork) {
+            debugLog('Eager download: No blobs remaining, exiting');
+            return;
+        }
+        setDownloadingState(downloading$, true);
+        try {
+            debugLog(`Eager download: Found ${syncedTables.length} syncable tables: ${syncedTables.map(t => t.name).join(', ')}`);
+            for (const table of syncedTables) {
+                if (signal === null || signal === void 0 ? void 0 : signal.aborted)
+                    ;
+                try {
+                    // Check if table has _hasBlobRefs index
+                    const hasIndex = table.schema.indexes.some(idx => idx.name === '_hasBlobRefs');
+                    if (!hasIndex)
+                        continue;
+                    // Query objects with _hasBlobRefs marker
+                    const unresolvedObjects = yield table
+                        .where('_hasBlobRefs')
+                        .equals(1)
+                        .toArray();
+                    debugLog(`Eager download: Table ${table.name} has ${unresolvedObjects.length} unresolved objects`);
+                    const databaseUrl = (_a = db.cloud.options) === null || _a === void 0 ? void 0 : _a.databaseUrl;
+                    if (!databaseUrl)
+                        throw new Error('Database URL is required to download blobs');
+                    // Download up to MAX_CONCURRENT blobs in parallel
+                    const MAX_CONCURRENT = 6;
+                    const primaryKey = table.schema.primKey;
+                    // Filter to actionable objects first
+                    const pending = unresolvedObjects.filter(obj => {
+                        if (!hasUnresolvedBlobRefs(obj))
+                            return false;
+                        const key = primaryKey.keyPath
+                            ? Dexie.getByKeyPath(obj, primaryKey.keyPath)
+                            : undefined;
+                        return key !== undefined;
+                    });
+                    // Process in parallel with concurrency limit
+                    let i = 0;
+                    const runNext = () => __awaiter(this, void 0, void 0, function* () {
+                        while (i < pending.length) {
+                            if (signal === null || signal === void 0 ? void 0 : signal.aborted)
+                                ;
+                            const obj = pending[i++];
+                            const key = Dexie.getByKeyPath(obj, primaryKey.keyPath);
+                            try {
+                                // Refresh token per object — cheap (returns cached) but ensures
+                                // we pick up renewed tokens during long download sessions.
+                                const resolvedBlobs = [];
+                                yield resolveAllBlobRefs(obj, databaseUrl, resolvedBlobs, '', new WeakMap(), db.blobDownloadTracker);
+                                const updateSpec = {
+                                    _hasBlobRefs: undefined,
+                                };
+                                for (const blob of resolvedBlobs) {
+                                    updateSpec[blob.keyPath] = blob.data;
+                                }
+                                debugLog(`Eager download: Updating ${table.name}:${key} with ${resolvedBlobs.length} blobs`);
+                                yield table.update(key, updateSpec);
+                                // liveQuery in blobProgress.ts auto-detects this change
+                            }
+                            catch (err) {
+                                console.error(`Failed to download blobs for ${table.name}:${key}:`, err);
+                            }
+                        }
+                    });
+                    // Launch up to MAX_CONCURRENT workers
+                    const workers = [];
+                    for (let w = 0; w < Math.min(MAX_CONCURRENT, pending.length); w++) {
+                        workers.push(runNext());
+                    }
+                    yield Promise.all(workers);
+                }
+                catch (err) {
+                    // Table might not have _hasBlobRefs index or other issues - skip silently
+                }
+            }
+        }
+        finally {
+            setDownloadingState(downloading$, false);
+        }
+    });
+}
+
 // Emulate true-private property db. Why? So it's not stored in DB.
 const wm$1 = new WeakMap();
 class AuthPersistedContext {
@@ -4512,7 +5434,7 @@ function createMutationTrackingMiddleware({ currentUserObservable, db, }) {
                     }
                     if (mode === 'readwrite') {
                         // Give each transaction a globally unique id.
-                        tx.txid = randomString$1(16);
+                        tx.txid = randomString(16);
                         tx.opCount = 0;
                         // Introduce the concept of current user that lasts through the entire transaction.
                         // This is important because the tracked mutations must be connected to the user.
@@ -4810,6 +5732,318 @@ function createMutationTrackingMiddleware({ currentUserObservable, db, }) {
     };
 }
 
+/**
+ * BlobSavingQueue - Queues resolved blobs for saving back to IndexedDB
+ *
+ * Uses setTimeout(fn, 0) instead of queueMicrotask to completely isolate
+ * from Dexie's Promise.PSD context. This prevents the save operation
+ * from inheriting any ongoing transaction.
+ *
+ * Each blob is saved atomically using downCore transaction with the specific
+ * keyPath to avoid race conditions with other property changes.
+ */
+class BlobSavingQueue {
+    constructor(db) {
+        this.queue = [];
+        this.isProcessing = false;
+        this.db = db;
+    }
+    /**
+     * Queue a resolved blob for saving.
+     * Only the specific blob property will be updated atomically.
+     */
+    saveBlobs(tableName, primaryKey, resolvedBlobs) {
+        this.queue.push({ tableName, primaryKey, resolvedBlobs });
+        this.startConsumer();
+    }
+    /**
+     * Start the consumer if not already processing.
+     * Uses setTimeout(fn, 0) to completely break out of any
+     * Dexie transaction context (Promise.PSD).
+     */
+    startConsumer() {
+        if (this.isProcessing)
+            return;
+        this.isProcessing = true;
+        // Use setTimeout to completely isolate from Dexie's PSD context
+        // queueMicrotask would risk inheriting the current transaction
+        setTimeout(() => {
+            this.processQueue();
+        }, 0);
+    }
+    /**
+     * Process all queued blobs.
+     * Runs in a completely isolated context (no inherited transaction).
+     * Uses atomic updates to avoid race conditions.
+     */
+    processQueue() {
+        const item = this.queue.shift();
+        if (!item) {
+            this.isProcessing = false;
+            return;
+        }
+        // Atomic update of just the blob property
+        this.db.transaction('rw', item.tableName, (tx) => {
+            const trans = tx.idbtrans;
+            trans.disableChangeTracking = true; // Don't regard this as a change for sync purposes
+            trans.disableAccessControl = true; // Bypass any access control checks since this is an internal operation
+            trans.disableBlobResolve = true; // Custom flag to skip blob resolve middleware during this transaction
+            const updateSpec = {};
+            for (const blob of item.resolvedBlobs) {
+                updateSpec[blob.keyPath] = blob.data;
+            }
+            tx.table(item.tableName).update(item.primaryKey, obj => {
+                // Check that object still has the same unresolved blob refs before applying update (i.e. it hasn't been modified since we read it)
+                for (const blob of item.resolvedBlobs) {
+                    // Verify atomicity - none of the blob properties has been modified since we read it. If any of them was modified, skip updating this item to avoid overwriting user changes.
+                    const currentValue = Dexie.getByKeyPath(obj, blob.keyPath);
+                    if (currentValue === undefined) {
+                        // Blob property was removed - skip updating this blob
+                        continue;
+                    }
+                    if (!isBlobRef(currentValue)) {
+                        // Blob property was modified to a non-blob-ref value - skip updating this blob
+                        continue;
+                    }
+                    if (currentValue.ref !== blob.ref) {
+                        // Blob property was modified - skip updating this blob
+                        return; // Stop. Another items has been queued to fully fix the object.
+                    }
+                    Dexie.setByKeyPath(obj, blob.keyPath, blob.data);
+                }
+                delete obj._hasBlobRefs; // Clear the _hasBlobRefs marker if all refs was resolved.
+            });
+        }).catch((error) => {
+            console.error(`Error saving resolved blobs on ${item.tableName}:${item.primaryKey}:`, error);
+        }).finally(() => {
+            // Process next item in the queue
+            return this.processQueue();
+        });
+    }
+}
+
+/**
+ * DBCore Middleware for resolving BlobRefs on read
+ *
+ * This middleware intercepts read operations and resolves any BlobRefs
+ * found in objects marked with _hasBlobRefs.
+ *
+ * Important: Avoids async/await to preserve Dexie's Promise.PSD context.
+ * Uses Dexie.waitFor() only for explicit rw transactions to keep them alive.
+ * For readonly or implicit transactions, resolves directly (no waitFor needed).
+ *
+ * Resolved blobs are queued for saving via BlobSavingQueue, which uses
+ * setTimeout(fn, 0) to completely isolate from Dexie's transaction context.
+ * Each blob is saved atomically using Table.update() with its keyPath to
+ * avoid race conditions with other property changes.
+ *
+ * Blob downloads use Authorization header (same as sync) via the server
+ * proxy endpoint: GET /blob/{ref}
+ */
+function createBlobResolveMiddleware(db) {
+    return {
+        stack: 'dbcore',
+        name: 'blobResolve',
+        level: -2, // Run below other middlewares and after sync and caching middlewares
+        create(downlevelDatabase) {
+            // Create a single queue instance for this database
+            const blobSavingQueue = new BlobSavingQueue(db);
+            return Object.assign(Object.assign({}, downlevelDatabase), { table(tableName) {
+                    var _a;
+                    if (!db.cloud) {
+                        // db.cloud not yet initialized - skip blob resolution
+                        // Fall through to downlevel table to avoid crash
+                        return downlevelDatabase.table(tableName);
+                    }
+                    const dbUrl = (_a = db.cloud.options) === null || _a === void 0 ? void 0 : _a.databaseUrl;
+                    const downlevelTable = downlevelDatabase.table(tableName);
+                    // Skip internal tables
+                    if (tableName.startsWith('$')) {
+                        return downlevelTable;
+                    }
+                    return Object.assign(Object.assign({}, downlevelTable), { get(req) {
+                            var _a;
+                            if ((_a = req.trans) === null || _a === void 0 ? void 0 : _a.disableBlobResolve) {
+                                return downlevelTable.get(req);
+                            }
+                            return downlevelTable.get(req).then(result => {
+                                if (result && hasUnresolvedBlobRefs(result)) {
+                                    return resolveAndSave(downlevelTable, req.trans, req.key, result, blobSavingQueue, db);
+                                }
+                                return result;
+                            });
+                        },
+                        getMany(req) {
+                            var _a;
+                            if ((_a = req.trans) === null || _a === void 0 ? void 0 : _a.disableBlobResolve) {
+                                return downlevelTable.getMany(req);
+                            }
+                            return downlevelTable.getMany(req).then(results => {
+                                // Check if any results need resolution
+                                const needsResolution = results.some(r => r && hasUnresolvedBlobRefs(r));
+                                if (!needsResolution)
+                                    return results;
+                                return Dexie.Promise.all(results.map((result, index) => {
+                                    if (result && hasUnresolvedBlobRefs(result)) {
+                                        return resolveAndSave(downlevelTable, req.trans, req.keys[index], result, blobSavingQueue, db);
+                                    }
+                                    return result;
+                                }));
+                            });
+                        },
+                        query(req) {
+                            var _a;
+                            if ((_a = req.trans) === null || _a === void 0 ? void 0 : _a.disableBlobResolve) {
+                                return downlevelTable.query(req);
+                            }
+                            return downlevelTable.query(req).then(result => {
+                                if (!result.result || !Array.isArray(result.result))
+                                    return result;
+                                // Check if any results need resolution
+                                const needsResolution = result.result.some(r => r && hasUnresolvedBlobRefs(r));
+                                if (!needsResolution)
+                                    return result;
+                                return Dexie.Promise.all(result.result.map(item => {
+                                    if (item && hasUnresolvedBlobRefs(item)) {
+                                        return resolveAndSave(downlevelTable, req.trans, undefined, item, blobSavingQueue, db);
+                                    }
+                                    return item;
+                                })).then(resolved => (Object.assign(Object.assign({}, result), { result: resolved })));
+                            });
+                        },
+                        openCursor(req) {
+                            var _a;
+                            if ((_a = req.trans) === null || _a === void 0 ? void 0 : _a.disableBlobResolve) {
+                                return downlevelTable.openCursor(req);
+                            }
+                            return downlevelTable.openCursor(req).then(cursor => {
+                                if (!cursor)
+                                    return cursor; // No results, so no resolution needed
+                                if (!req.values)
+                                    return cursor; // No values requested, so no resolution needed
+                                if (!dbUrl)
+                                    return cursor; // No database URL configured, can't resolve blobs
+                                return createBlobResolvingCursor(cursor, downlevelTable, blobSavingQueue, db);
+                            });
+                        } });
+                } });
+        },
+    };
+}
+/**
+ * Create a cursor wrapper that resolves BlobRefs in values synchronously.
+ *
+ * Uses Object.create() to inherit all cursor methods, only overriding:
+ * - start(): Resolves BlobRefs before calling the callback
+ * - value: Getter that returns the resolved value
+ *
+ * Returns the cursor synchronously. Resolution happens in start() before
+ * each onNext callback, ensuring cursor.value is always available.
+ */
+function createBlobResolvingCursor(cursor, table, blobSavingQueue, db) {
+    // Create wrapped cursor using Object.create() - inherits everything
+    const wrappedCursor = Object.create(cursor, {
+        value: {
+            value: cursor.value,
+            enumerable: true,
+            writable: true
+        },
+        start: {
+            value(onNext) {
+                // Override start to resolve BlobRefs before each callback
+                return cursor.start(() => {
+                    const rawValue = cursor.value;
+                    if (!rawValue || !hasUnresolvedBlobRefs(rawValue)) {
+                        onNext();
+                        return;
+                    }
+                    resolveAndSave(table, cursor.trans, cursor.primaryKey, rawValue, blobSavingQueue, db, true).then(resolved => {
+                        wrappedCursor.value = resolved;
+                        onNext();
+                    }, err => {
+                        console.error('Failed to resolve BlobRefs for cursor value:', err);
+                        onNext();
+                    });
+                });
+            }
+        }
+    });
+    return wrappedCursor;
+}
+/**
+ * Resolve BlobRefs in an object and queue each blob for atomic saving.
+ *
+ * Uses Dexie.waitFor() only when needed:
+ * - Skip waitFor for readonly ('r') transactions
+ * - Skip waitFor for implicit transactions (most common in liveQuery)
+ * - Use waitFor only for explicit rw transactions that need to stay alive
+ *
+ * Each resolved blob is queued individually with its keyPath for atomic
+ * update using downCore transaction with the specific keyPath - this avoids race conditions.
+ *
+ * Returns Dexie.Promise to preserve PSD context.
+ */
+function resolveAndSave(table, trans, pKey, // optional. If missing, tries to extract from object using primary key path
+obj, blobSavingQueue, db, isCursorValue = false // Flag to indicate if we're resolving a cursor value (which may not have a primary key)
+) {
+    var _a;
+    try {
+        // Determine if we need waitFor:
+        // Skip waitFor ONLY if BOTH conditions are met:
+        //   1. readonly transaction
+        //   2. implicit (non-explicit) transaction
+        //
+        // Transaction.explicit is true when user called db.transaction() explicitly.
+        // For implicit transactions (auto-created for single operations),
+        // Dexie handles async automatically so no waitFor needed.
+        const currentTx = Dexie.currentTransaction;
+        const isReadonly = (currentTx === null || currentTx === void 0 ? void 0 : currentTx.mode) === 'readonly';
+        const isExplicit = (currentTx === null || currentTx === void 0 ? void 0 : currentTx.explicit) === true;
+        // Skip waitFor only for implicit readonly (most common case: liveQuery)
+        const skipWaitFor = isReadonly && !isExplicit && !isCursorValue;
+        const needsWaitFor = currentTx && !skipWaitFor;
+        const dbUrl = ((_a = db.cloud.options) === null || _a === void 0 ? void 0 : _a.databaseUrl) || '';
+        // Collect resolved blobs with their keyPaths
+        const resolvedBlobs = [];
+        // Create the resolution promise with auth info
+        const resolutionPromise = resolveAllBlobRefs(obj, dbUrl, resolvedBlobs, '', new WeakMap(), db.blobDownloadTracker);
+        // Wrap with waitFor to keep transaction alive during fetch
+        const resolvePromise = needsWaitFor
+            ? Dexie.waitFor(resolutionPromise)
+            : Dexie.Promise.resolve(resolutionPromise);
+        return resolvePromise.then(resolved => {
+            // Get primary key from the object
+            const primaryKey = table.schema.primaryKey;
+            const key = pKey !== undefined ? pKey : primaryKey.keyPath
+                ? Dexie.getByKeyPath(obj, primaryKey.keyPath)
+                : undefined;
+            if (key !== undefined) {
+                // Queue each resolved blob individually for atomic update
+                // This uses setTimeout(fn, 0) to completely isolate from
+                // Dexie's transaction context (avoids inheriting PSD)
+                if (isReadonly) {
+                    blobSavingQueue.saveBlobs(table.name, key, resolvedBlobs);
+                }
+                else {
+                    // For rw transactions, we can save directly without queueing
+                    // since we're still in the same transaction context
+                    table.mutate({ type: 'put', keys: [key], values: [resolved], trans }).catch(err => {
+                        console.error(`Failed to save resolved blob on ${table.name}:${key}:`, err);
+                    });
+                }
+            }
+            return resolved;
+        }).catch(err => {
+            console.error(`[dexie-cloud:blobResolve] Failed to resolve BlobRefs on ${table.name}:`, err);
+            return obj; // Return original object on error - never block the read pipeline
+        });
+    }
+    catch (err) {
+        console.error(`[dexie-cloud:blobResolve] Sync error in resolveAndSave on ${table.name}:`, err);
+        return Dexie.Promise.resolve(obj); // Never block reads
+    }
+}
+
 function overrideParseStoresSpec(origFunc, dexie) {
     return function (stores, dbSchema) {
         var _a;
@@ -4862,6 +6096,11 @@ function overrideParseStoresSpec(origFunc, dexie) {
                 if (!/^\$/.test(tableName)) {
                     storesClone[`$${tableName}_mutations`] = '++rev';
                     cloudTableSchema.markedForSync = true;
+                    // Add sparse index for _hasBlobRefs (for BlobRef resolution tracking)
+                    // IndexedDB sparse indexes have zero overhead when the property doesn't exist
+                    if (!storesClone[tableName].includes('_hasBlobRefs')) {
+                        storesClone[tableName] += ',_hasBlobRefs';
+                    }
                 }
                 if (cloudTableSchema.deleted) {
                     cloudTableSchema.deleted = false;
@@ -5501,7 +6740,6 @@ function syncIfPossible(db, cloudOptions, cloudSchema, options) {
                 yield checkSyncRateLimitDelay(db);
                 yield performGuardedJob(db, CURRENT_SYNC_WORKER, () => sync(db, cloudOptions, cloudSchema, options));
                 ongoingSyncs.delete(db);
-                console.debug('Done sync');
             }
             catch (error) {
                 ongoingSyncs.delete(db);
@@ -5516,8 +6754,6 @@ function syncIfPossible(db, cloudOptions, cloudSchema, options) {
     }
 }
 
-const SECONDS = 1000;
-
 function LocalSyncWorker(db, cloudOptions, cloudSchema) {
     let localSyncEventSubscription = null;
     let cancelToken = { cancelled: false };
@@ -5854,6 +7090,38 @@ const Styles = {
         color: "#374151",
         transition: "all 0.2s ease",
         gap: "12px"
+    },
+    // Copy button for alerts with copyText
+    CopyButton: {
+        display: "inline-flex",
+        alignItems: "center",
+        gap: "4px",
+        padding: "4px 10px",
+        marginTop: "8px",
+        border: "1px solid #d1d5db",
+        borderRadius: "4px",
+        backgroundColor: "#f9fafb",
+        cursor: "pointer",
+        fontSize: "12px",
+        fontWeight: "500",
+        color: "#374151",
+        transition: "all 0.15s ease",
+        fontFamily: "monospace"
+    },
+    CopyButtonCopied: {
+        display: "inline-flex",
+        alignItems: "center",
+        gap: "4px",
+        padding: "4px 10px",
+        marginTop: "8px",
+        border: "1px solid #22c55e",
+        borderRadius: "4px",
+        backgroundColor: "#f0fdf4",
+        cursor: "default",
+        fontSize: "12px",
+        fontWeight: "500",
+        color: "#16a34a",
+        fontFamily: "monospace"
     }};
 
 function Dialog({ children, className }) {
@@ -5964,7 +7232,9 @@ function LoginDialog({ title, alerts, fields, options, submitLabel, cancelLabel,
     return (_$1(Dialog, { className: "dxc-login-dlg" },
         _$1(k$1, null,
             _$1("h3", { style: Styles.WindowHeader }, title),
-            alerts.map((alert, idx) => (_$1("p", { key: idx, style: Styles.Alert[alert.type] }, resolveText(alert)))),
+            alerts.map((alert, idx) => (_$1("div", { key: idx },
+                _$1("p", { style: Styles.Alert[alert.type] }, resolveText(alert)),
+                alert.copyText && _$1(CopyButton, { text: alert.copyText })))),
             hasOptions && (_$1("div", { class: "dxc-options" }, hasMultipleGroups ? (
             // Render with dividers between groups
             Array.from(optionGroups.entries()).map(([groupName, groupOptions], groupIdx) => (_$1(k$1, { key: groupName },
@@ -6003,6 +7273,50 @@ function valueTransformer(type, value) {
             return value;
     }
 }
+function CopyButton({ text }) {
+    const [copied, setCopied] = d(false);
+    const timeoutRef = A(null);
+    // Cleanup timeout on unmount
+    _(() => {
+        return () => {
+            if (timeoutRef.current !== null)
+                clearTimeout(timeoutRef.current);
+        };
+    }, []);
+    const scheduleCopiedReset = () => {
+        if (timeoutRef.current !== null)
+            clearTimeout(timeoutRef.current);
+        setCopied(true);
+        timeoutRef.current = setTimeout(() => {
+            timeoutRef.current = null;
+            setCopied(false);
+        }, 2000);
+    };
+    const handleClick = () => {
+        var _a;
+        if (typeof navigator !== 'undefined' && ((_a = navigator.clipboard) === null || _a === void 0 ? void 0 : _a.writeText)) {
+            navigator.clipboard.writeText(text).then(scheduleCopiedReset).catch(() => {
+                fallbackCopy(text, scheduleCopiedReset);
+            });
+        }
+        else {
+            fallbackCopy(text, scheduleCopiedReset);
+        }
+    };
+    return (_$1("button", { type: "button", style: copied ? Styles.CopyButtonCopied : Styles.CopyButton, onClick: handleClick, title: "Copy to clipboard" }, copied ? '✓ Copied!' : `📋 ${text}`));
+}
+function fallbackCopy(text, onSuccess) {
+    const textarea = document.createElement('textarea');
+    textarea.value = text;
+    textarea.style.position = 'fixed';
+    textarea.style.opacity = '0';
+    document.body.appendChild(textarea);
+    textarea.select();
+    const success = document.execCommand('copy');
+    document.body.removeChild(textarea);
+    if (success)
+        onSuccess();
+}
 
 class LoginGui extends x {
     constructor(props) {
@@ -6147,7 +7461,7 @@ function computeSyncState(db) {
 
 function createSharedValueObservable(o, defaultValue) {
     let currentValue = defaultValue;
-    let shared = from(o).pipe(map$1((x) => (currentValue = x)), share({ resetOnRefCountZero: () => timer(1000) }));
+    let shared = from(o).pipe(map$1((x) => (currentValue = x)), share$1({ resetOnRefCountZero: () => timer(1000) }));
     const rv = new Observable((observer) => {
         let didEmit = false;
         const subscription = shared.subscribe({
@@ -6701,9 +8015,10 @@ function dexieCloud(dexie) {
         currentUserEmitter.next(UNAUTHORIZED_USER);
     });
     const syncComplete = new Subject();
+    const downloading$ = createDownloadingState();
     dexie.cloud = {
         // @ts-ignore
-        version: "4.3.9",
+        version: "4.4.0",
         options: Object.assign({}, DEFAULT_OPTIONS),
         schema: null,
         get currentUserId() {
@@ -6718,6 +8033,7 @@ function dexieCloud(dexie) {
             syncComplete,
         },
         persistedSyncState: new BehaviorSubject(undefined),
+        blobProgress: observeBlobProgress(DexieCloudDB(dexie), downloading$),
         userInteraction: new BehaviorSubject(undefined),
         webSocketStatus: new BehaviorSubject('not-started'),
         login(hint) {
@@ -6831,6 +8147,7 @@ function dexieCloud(dexie) {
         var _a, _b;
         return ((_b = (_a = this.db.cloud.schema) === null || _a === void 0 ? void 0 : _a[this.name]) === null || _b === void 0 ? void 0 : _b.idPrefix) || '';
     };
+    dexie.use(createBlobResolveMiddleware(DexieCloudDB(dexie)));
     dexie.use(createMutationTrackingMiddleware({
         currentUserObservable: dexie.cloud.currentUser,
         db: DexieCloudDB(dexie),
@@ -6839,7 +8156,7 @@ function dexieCloud(dexie) {
     dexie.use(createIdGenerationMiddleware(DexieCloudDB(dexie)));
     function onDbReady(dexie) {
         return __awaiter(this, void 0, void 0, function* () {
-            var _a, _b, _c, _d, _e, _f, _g;
+            var _a, _b, _c, _d, _e, _f, _g, _h, _j;
             closed = false; // As Dexie calls us, we are not closed anymore. Maybe reopened? Remember db.ready event is registered with sticky flag!
             const db = DexieCloudDB(dexie);
             // Setup default GUI:
@@ -6853,6 +8170,25 @@ function dexieCloud(dexie) {
             }
             // Forward db.syncCompleteEvent to be publicly consumable via db.cloud.events.syncComplete:
             subscriptions.push(db.syncCompleteEvent.subscribe(syncComplete));
+            // Eager blob download: When blobMode='eager' (default), download unresolved blobs after sync
+            const blobMode = (_c = (_b = db.cloud.options) === null || _b === void 0 ? void 0 : _b.blobMode) !== null && _c !== void 0 ? _c : 'eager';
+            if (blobMode === 'eager') {
+                let eagerBlobDownloadInFlight = null;
+                const downloadBlobs = () => {
+                    if (eagerBlobDownloadInFlight)
+                        return;
+                    eagerBlobDownloadInFlight = Dexie.ignoreTransaction(() => downloadUnresolvedBlobs(db, downloading$))
+                        .catch(err => {
+                        console.error('[dexie-cloud] Eager blob download failed:', err);
+                    })
+                        .finally(() => {
+                        eagerBlobDownloadInFlight = null;
+                    });
+                };
+                setTimeout(downloadBlobs, 0); // Don't block ready event. Start downloading blobs in the background right after.
+                // And also after every sync completes:
+                subscriptions.push(db.syncCompleteEvent.subscribe(downloadBlobs));
+            }
             //verifyConfig(db.cloud.options); Not needed (yet at least!)
             // Verify the user has allowed version increment.
             if (!db.tables.every((table) => table.core)) {
@@ -7008,7 +8344,7 @@ function dexieCloud(dexie) {
                     // Continue with normal flow - user can try again
                 }
             }
-            const requireAuth = (_b = db.cloud.options) === null || _b === void 0 ? void 0 : _b.requireAuth;
+            const requireAuth = (_d = db.cloud.options) === null || _d === void 0 ? void 0 : _d.requireAuth;
             if (requireAuth) {
                 if (db.cloud.isServiceWorkerDB) {
                     // If this is a service worker DB, we can't do authentication here,
@@ -7045,20 +8381,20 @@ function dexieCloud(dexie) {
                 localSyncWorker.stop();
             localSyncWorker = null;
             throwIfClosed();
-            const doInitialSync = ((_c = db.cloud.options) === null || _c === void 0 ? void 0 : _c.databaseUrl) && (!initiallySynced || changedUser);
+            const doInitialSync = ((_e = db.cloud.options) === null || _e === void 0 ? void 0 : _e.databaseUrl) && (!initiallySynced || changedUser);
             if (doInitialSync) {
                 // Do the initial sync directly in the browser thread no matter if we are using service worker or not.
                 yield performInitialSync(db, db.cloud.options, db.cloud.schema);
                 db.setInitiallySynced(true);
             }
             throwIfClosed();
-            if (db.cloud.usingServiceWorker && ((_d = db.cloud.options) === null || _d === void 0 ? void 0 : _d.databaseUrl)) {
+            if (db.cloud.usingServiceWorker && ((_f = db.cloud.options) === null || _f === void 0 ? void 0 : _f.databaseUrl)) {
                 if (!doInitialSync) {
                     registerSyncEvent(db, 'push').catch(() => { });
                 }
                 registerPeriodicSyncEvent(db).catch(() => { });
             }
-            else if (((_e = db.cloud.options) === null || _e === void 0 ? void 0 : _e.databaseUrl) &&
+            else if (((_g = db.cloud.options) === null || _g === void 0 ? void 0 : _g.databaseUrl) &&
                 db.cloud.schema &&
                 !db.cloud.isServiceWorkerDB) {
                 // There's no SW. Start SyncWorker instead.
@@ -7087,8 +8423,8 @@ function dexieCloud(dexie) {
                 }));
             }
             // Connect WebSocket unless we are in a service worker or websocket is disabled.
-            if (((_f = db.cloud.options) === null || _f === void 0 ? void 0 : _f.databaseUrl) &&
-                !((_g = db.cloud.options) === null || _g === void 0 ? void 0 : _g.disableWebSocket) &&
+            if (((_h = db.cloud.options) === null || _h === void 0 ? void 0 : _h.databaseUrl) &&
+                !((_j = db.cloud.options) === null || _j === void 0 ? void 0 : _j.disableWebSocket) &&
                 !IS_SERVICE_WORKER) {
                 subscriptions.push(connectWebSocket(db));
             }
@@ -7096,7 +8432,7 @@ function dexieCloud(dexie) {
     }
 }
 // @ts-ignore
-dexieCloud.version = "4.3.9";
+dexieCloud.version = "4.4.0";
 Dexie.Cloud = dexieCloud;
 
 // In case the SW lives for a while, let it reuse already opened connections: