hydrousdb 2.0.1 → 3.0.0

package/dist/index.js

@@ -1,1305 +1,1632 @@
-'use strict';
-
 // src/utils/errors.ts
-var HydrousSDKError = class extends Error {
-  constructor(message, code = "SDK_ERROR", status) {
+var HydrousError = class extends Error {
+  constructor(message, code, status, requestId, details) {
     super(message);
-    this.name = "HydrousSDKError";
+    this.name = "HydrousError";
     this.code = code;
     this.status = status;
+    this.requestId = requestId;
+    this.details = details;
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+  toString() {
+    return `HydrousError [${this.code}]: ${this.message}`;
   }
 };
-function toHydrousError(err) {
-  if (err instanceof HydrousSDKError) {
-    return { message: err.message, code: err.code, status: err.status };
+var AuthError = class extends HydrousError {
+  constructor(message, code, status, requestId, details) {
+    super(message, code, status, requestId, details);
+    this.name = "AuthError";
   }
-  if (err instanceof Error) {
-    return { message: err.message, code: "UNKNOWN_ERROR" };
+};
+var RecordError = class extends HydrousError {
+  constructor(message, code, status, requestId, details) {
+    super(message, code, status, requestId, details);
+    this.name = "RecordError";
   }
-  return { message: String(err), code: "UNKNOWN_ERROR" };
-}
-function isHydrousError(err) {
-  return err instanceof HydrousSDKError;
-}
+};
+var StorageError = class extends HydrousError {
+  constructor(message, code, status, requestId) {
+    super(message, code, status, requestId);
+    this.name = "StorageError";
+  }
+};
+var AnalyticsError = class extends HydrousError {
+  constructor(message, code, status, requestId) {
+    super(message, code, status, requestId);
+    this.name = "AnalyticsError";
+  }
+};
+var ValidationError = class extends HydrousError {
+  constructor(message, details) {
+    super(message, "VALIDATION_ERROR", 400, void 0, details);
+    this.name = "ValidationError";
+  }
+};
+var NetworkError = class extends HydrousError {
+  constructor(message, cause) {
+    super(message, "NETWORK_ERROR");
+    this.name = "NetworkError";
+    this.cause = cause;
+  }
+};
 
 // src/utils/http.ts
-async function parseResponse(res) {
-  let body;
-  try {
-    body = await res.json();
-  } catch (e) {
-    if (!res.ok) {
-      throw new HydrousSDKError(`HTTP ${res.status}`, "HTTP_ERROR", res.status);
-    }
-    return void 0;
-  }
-  if (!res.ok) {
-    const err = body;
-    throw new HydrousSDKError(
-      err.error || err.message || `HTTP ${res.status}`,
-      err.code || "HTTP_ERROR",
-      res.status
-    );
+var DEFAULT_BASE_URL = "https://db-api-82687684612.us-central1.run.app";
+var HttpClient = class {
+  constructor(baseUrl, securityKey) {
+    this.baseUrl = baseUrl.replace(/\/$/, "");
+    this.securityKey = securityKey;
   }
-  return body;
-}
-function buildUrl(base, path, params) {
-  const url = new URL(path, base.endsWith("/") ? base : base + "/");
-  if (params) {
-    for (const [k, v] of Object.entries(params)) {
-      if (v !== void 0 && v !== null) {
-        url.searchParams.set(k, String(v));
-      }
+  async request(path, opts = {}) {
+    const {
+      method = "GET",
+      body,
+      headers = {},
+      rawBody,
+      contentType = "application/json"
+    } = opts;
+    const url = `${this.baseUrl}${path}`;
+    const reqHeaders = {
+      "X-Api-Key": this.securityKey,
+      ...headers
+    };
+    let reqBody = null;
+    if (rawBody !== void 0) {
+      reqBody = rawBody;
+      if (contentType) reqHeaders["Content-Type"] = contentType;
+    } else if (body !== void 0) {
+      reqBody = JSON.stringify(body);
+      reqHeaders["Content-Type"] = "application/json";
     }
-  }
-  return url.toString();
-}
-function mergeHeaders(defaults, overrides) {
-  return { ...defaults, ...overrides };
-}
-async function readSSEStream(response, onEvent) {
-  if (!response.body) return;
-  const reader = response.body.getReader();
-  const decoder = new TextDecoder();
-  let buf = "";
-  const flush = (chunk) => {
-    var _a;
-    buf += chunk;
-    const blocks = buf.split("\n\n");
-    buf = (_a = blocks.pop()) != null ? _a : "";
-    for (const block of blocks) {
-      if (!block.trim()) continue;
-      let eventType = "message";
-      let dataLine = null;
-      for (const line of block.split("\n")) {
-        if (line.startsWith("event:")) eventType = line.slice(6).trim();
-        if (line.startsWith("data:")) dataLine = line.slice(5).trim();
-      }
-      if (dataLine === null) continue;
-      try {
-        onEvent(eventType, JSON.parse(dataLine));
-      } catch (e) {
+    let response;
+    try {
+      response = await fetch(url, {
+        method,
+        headers: reqHeaders,
+        body: reqBody
+      });
+    } catch (err) {
+      throw new NetworkError(
+        `Network request failed: ${err instanceof Error ? err.message : String(err)}`,
+        err
+      );
+    }
+    const ct = response.headers.get("content-type") ?? "";
+    if (!ct.includes("application/json")) {
+      if (!response.ok) {
+        throw new HydrousError(
+          `Request failed with status ${response.status}`,
+          `HTTP_${response.status}`,
+          response.status
+        );
       }
+      const buffer = await response.arrayBuffer();
+      return buffer;
     }
-  };
-  while (true) {
-    const { done, value } = await reader.read();
-    if (done) break;
-    flush(decoder.decode(value, { stream: true }));
-  }
-  if (buf.trim()) flush("");
-}
-function xhrUpload(url, body, headers, onXhrProgress) {
-  return new Promise((resolve, reject) => {
-    const xhr = new XMLHttpRequest();
-    xhr.open("POST", url);
-    for (const [key, val] of Object.entries(headers)) {
-      xhr.setRequestHeader(key, val);
+    let responseData;
+    try {
+      responseData = await response.json();
+    } catch {
+      throw new HydrousError(
+        "Failed to parse server response as JSON",
+        "PARSE_ERROR",
+        response.status
+      );
     }
-    xhr.responseType = "text";
-    if (onXhrProgress) {
-      xhr.upload.onprogress = (e) => {
-        if (e.lengthComputable) onXhrProgress(e.loaded, e.total);
-      };
+    if (!response.ok) {
+      const errData = responseData;
+      throw new HydrousError(
+        errData["error"] ?? `Request failed with status ${response.status}`,
+        errData["code"] ?? `HTTP_${response.status}`,
+        response.status,
+        errData["requestId"],
+        errData["details"]
+      );
     }
-    xhr.onload = () => {
-      var _a;
-      if (xhr.status >= 200 && xhr.status < 300) {
-        resolve(xhr.responseText);
-      } else {
-        try {
-          const d = JSON.parse(xhr.responseText);
-          reject(new HydrousSDKError((_a = d.error) != null ? _a : `HTTP ${xhr.status}`, "HTTP_ERROR", xhr.status));
-        } catch (e) {
-          reject(new HydrousSDKError(`HTTP ${xhr.status}`, "HTTP_ERROR", xhr.status));
-        }
-      }
-    };
-    xhr.onerror = () => reject(new HydrousSDKError("Network error", "NETWORK_ERROR"));
-    xhr.onabort = () => reject(new HydrousSDKError("Upload aborted", "UPLOAD_ABORTED"));
-    xhr.ontimeout = () => reject(new HydrousSDKError("Upload timed out", "UPLOAD_TIMEOUT"));
-    xhr.send(body);
-  });
-}
-function parseSSEText(text, onEvent) {
-  const blocks = text.split("\n\n");
-  for (const block of blocks) {
-    if (!block.trim()) continue;
-    let eventType = "message";
-    let dataLine = null;
-    for (const line of block.split("\n")) {
-      if (line.startsWith("event:")) eventType = line.slice(6).trim();
-      if (line.startsWith("data:")) dataLine = line.slice(5).trim();
+    return responseData;
+  }
+  get(path, headers) {
+    return this.request(path, { method: "GET", headers });
+  }
+  post(path, body, headers) {
+    return this.request(path, { method: "POST", body, headers });
+  }
+  put(path, body, headers) {
+    return this.request(path, { method: "PUT", body, headers });
+  }
+  patch(path, body, headers) {
+    return this.request(path, { method: "PATCH", body, headers });
+  }
+  delete(path, body, headers) {
+    return this.request(path, { method: "DELETE", body, headers });
+  }
+  async putToSignedUrl(signedUrl, data, mimeType, onProgress) {
+    if (typeof XMLHttpRequest !== "undefined" && onProgress) {
+      return new Promise((resolve, reject) => {
+        const xhr = new XMLHttpRequest();
+        xhr.upload.onprogress = (e) => {
+          if (e.lengthComputable) {
+            onProgress(Math.round(e.loaded / e.total * 100));
+          }
+        };
+        xhr.onload = () => {
+          if (xhr.status >= 200 && xhr.status < 300) {
+            resolve();
+          } else {
+            reject(new Error(`Upload failed: ${xhr.status}`));
+          }
+        };
+        xhr.onerror = () => reject(new Error("Upload network error"));
+        xhr.open("PUT", signedUrl);
+        xhr.setRequestHeader("Content-Type", mimeType);
+        const payload = data instanceof Blob ? data : new Blob([data], { type: mimeType });
+        xhr.send(payload);
+      });
     }
-    if (dataLine === null) continue;
-    try {
-      onEvent(eventType, JSON.parse(dataLine));
-    } catch (e) {
+    const fetchBody = data instanceof Blob ? data : new Blob([data], { type: mimeType });
+    const response = await fetch(signedUrl, {
+      method: "PUT",
+      headers: { "Content-Type": mimeType },
+      body: fetchBody
+    });
+    if (!response.ok) {
+      throw new NetworkError(`Signed URL upload failed with status ${response.status}`);
     }
   }
-}
+};
 
 // src/auth/client.ts
 var AuthClient = class {
-  constructor(config) {
-    this.session = null;
-    this.baseUrl = config.url;
-    this.headers = {
-      "Content-Type": "application/json",
-      "Authorization": `Bearer ${config.apiKey}`
-    };
+  constructor(http, bucketKey) {
+    this.http = http;
+    this.bucketKey = bucketKey;
+    this.basePath = `/auth/${bucketKey}`;
   }
-  // ─── SIGN UP ───────────────────────────────────────────────────────────────
+  // ─── Registration & Login ─────────────────────────────────────────────────
   /**
-   * Create a new user account and return a session.
+   * Register a new user in this bucket.
    *
    * @example
-   * const { data, error } = await hydrous.auth.signUp({
-   *   email:    'user@example.com',
-   *   password: 'supersecret',
+   * ```ts
+   * const { user, session } = await auth.signup({
+   *   email: 'alice@example.com',
+   *   password: 'hunter2',
+   *   fullName: 'Alice Wonderland',
+   *   // Any extra fields are stored on the user record:
+   *   plan: 'pro',
    * });
+   * ```
    */
-  async signUp(options) {
-    try {
-      const url = buildUrl(this.baseUrl, "auth/signup");
-      const res = await fetch(url, {
-        method: "POST",
-        headers: this.headers,
-        body: JSON.stringify(options)
-      });
-      const json = await parseResponse(res);
-      this.session = json.data;
-      return { data: json.data, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async signup(options) {
+    const result = await this.http.post(`${this.basePath}/signup`, options);
+    return { user: result.user, session: result.session };
   }
-  // ─── SIGN IN ───────────────────────────────────────────────────────────────
   /**
-   * Sign in with email and password.
+   * Authenticate an existing user and create a session.
+   * Sessions are valid for 24 hours; use `refreshSession` to extend.
    *
    * @example
-   * const { data, error } = await hydrous.auth.signIn({
-   *   email:    'user@example.com',
-   *   password: 'supersecret',
+   * ```ts
+   * const { user, session } = await auth.login({
+   *   email: 'alice@example.com',
+   *   password: 'hunter2',
    * });
-   * if (data) console.log('Signed in as', data.user.email);
+   * // Store session.sessionId safely — you'll need it for other calls.
+   * ```
    */
-  async signIn(options) {
-    try {
-      const url = buildUrl(this.baseUrl, "auth/signin");
-      const res = await fetch(url, {
-        method: "POST",
-        headers: this.headers,
-        body: JSON.stringify(options)
-      });
-      const json = await parseResponse(res);
-      this.session = json.data;
-      return { data: json.data, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async login(options) {
+    const result = await this.http.post(`${this.basePath}/login`, options);
+    return { user: result.user, session: result.session };
+  }
+  /**
+   * Invalidate a session (sign out).
+   *
+   * @example
+   * ```ts
+   * await auth.logout({ sessionId: session.sessionId });
+   * ```
+   */
+  async logout({ sessionId }) {
+    await this.http.post(`${this.basePath}/logout`, { sessionId });
   }
-  // ─── SIGN OUT ──────────────────────────────────────────────────────────────
   /**
-   * Sign out the current user and invalidate their session.
+   * Extend a session using its refresh token.
+   * Returns a new session object.
+   *
+   * @example
+   * ```ts
+   * const newSession = await auth.refreshSession({ refreshToken: session.refreshToken });
+   * ```
    */
-  async signOut() {
-    try {
-      const url = buildUrl(this.baseUrl, "auth/signout");
-      const res = await fetch(url, {
-        method: "POST",
-        headers: mergeHeaders(this.headers, this._sessionHeader())
-      });
-      await parseResponse(res);
-      this.session = null;
-      return { data: void 0, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async refreshSession({ refreshToken }) {
+    const result = await this.http.post(
+      `${this.basePath}/session/refresh`,
+      { refreshToken }
+    );
+    return result.session;
   }
-  // ─── GET USER ──────────────────────────────────────────────────────────────
-  /** Return the currently authenticated user, or null if not signed in. */
-  async getUser() {
-    try {
-      const url = buildUrl(this.baseUrl, "auth/user");
-      const res = await fetch(url, {
-        headers: mergeHeaders(this.headers, this._sessionHeader())
-      });
-      const json = await parseResponse(res);
-      return { data: json.data, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  // ─── User Profile ─────────────────────────────────────────────────────────
+  /**
+   * Fetch a user by their ID.
+   *
+   * @example
+   * ```ts
+   * const user = await auth.getUser({ userId: 'usr_abc123' });
+   * ```
+   */
+  async getUser({ userId }) {
+    const result = await this.http.get(`${this.basePath}/user/${userId}`);
+    return result.user;
   }
-  // ─── REFRESH TOKEN ────────────────────────────────────────────────────────
   /**
-   * Refresh the access token using the stored refresh token.
-   * Called automatically by the SDK when a 401 is received.
+   * Update fields on a user record. Requires a valid session.
+   *
+   * @example
+   * ```ts
+   * const updated = await auth.updateUser({
+   *   sessionId: session.sessionId,
+   *   userId: user.id,
+   *   data: { fullName: 'Alice Smith', plan: 'enterprise' },
+   * });
+   * ```
    */
-  async refreshSession() {
-    var _a;
-    if (!((_a = this.session) == null ? void 0 : _a.refreshToken)) {
-      return { data: null, error: { message: "No session", code: "NO_SESSION" } };
-    }
-    try {
-      const url = buildUrl(this.baseUrl, "auth/refresh");
-      const res = await fetch(url, {
-        method: "POST",
-        headers: this.headers,
-        body: JSON.stringify({ refreshToken: this.session.refreshToken })
-      });
-      const json = await parseResponse(res);
-      this.session = json.data;
-      return { data: json.data, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async updateUser(options) {
+    const { sessionId, userId, data } = options;
+    const result = await this.http.patch(
+      `${this.basePath}/user`,
+      { sessionId, userId, ...data }
+    );
+    return result.user;
+  }
+  /**
+   * Soft-delete a user. The record is marked deleted but not removed from storage.
+   * Requires a valid session (the user can delete themselves, or an admin can delete any user).
+   *
+   * @example
+   * ```ts
+   * await auth.deleteUser({ sessionId: session.sessionId, userId: user.id });
+   * ```
+   */
+  async deleteUser({ sessionId, userId }) {
+    await this.http.delete(`${this.basePath}/user`, { sessionId, userId });
+  }
+  // ─── Admin Operations ─────────────────────────────────────────────────────
+  /**
+   * List all users in the bucket. **Admin session required.**
+   *
+   * @example
+   * ```ts
+   * const { users, total } = await auth.listUsers({
+   *   sessionId: adminSession.sessionId,
+   *   limit: 50,
+   *   offset: 0,
+   * });
+   * ```
+   */
+  async listUsers(options) {
+    const { sessionId, limit = 50, offset = 0 } = options;
+    const result = await this.http.post(
+      `${this.basePath}/users/list`,
+      { sessionId, limit, offset }
+    );
+    return { users: result.users, total: result.total, limit: result.limit, offset: result.offset };
+  }
+  /**
+   * Permanently hard-delete a user and all their data. **Admin session required.**
+   * This action is irreversible.
+   *
+   * @example
+   * ```ts
+   * await auth.hardDeleteUser({ sessionId: adminSession.sessionId, userId: user.id });
+   * ```
+   */
+  async hardDeleteUser({ sessionId, userId }) {
+    await this.http.delete(`${this.basePath}/user/hard`, { sessionId, userId });
+  }
+  /**
+   * Bulk delete multiple users. **Admin session required.**
+   *
+   * @example
+   * ```ts
+   * const result = await auth.bulkDeleteUsers({
+   *   sessionId: adminSession.sessionId,
+   *   userIds: ['usr_a', 'usr_b'],
+   * });
+   * ```
+   */
+  async bulkDeleteUsers({
+    sessionId,
+    userIds
+  }) {
+    const result = await this.http.post(
+      `${this.basePath}/users/bulk-delete`,
+      { sessionId, userIds }
+    );
+    return { deleted: result.deleted, failed: result.failed };
+  }
+  /**
+   * Lock a user account, preventing login. **Admin session required.**
+   *
+   * @param options.duration Lock duration in milliseconds. Defaults to 15 minutes.
+   *
+   * @example
+   * ```ts
+   * await auth.lockAccount({
+   *   sessionId: adminSession.sessionId,
+   *   userId: user.id,
+   *   duration: 60 * 60 * 1000, // 1 hour
+   * });
+   * ```
+   */
+  async lockAccount({
+    sessionId,
+    userId,
+    duration
+  }) {
+    const result = await this.http.post(`${this.basePath}/account/lock`, { sessionId, userId, duration });
+    return result.data;
+  }
+  /**
+   * Unlock a previously locked user account. **Admin session required.**
+   *
+   * @example
+   * ```ts
+   * await auth.unlockAccount({ sessionId: adminSession.sessionId, userId: user.id });
+   * ```
+   */
+  async unlockAccount({
+    sessionId,
+    userId
+  }) {
+    await this.http.post(`${this.basePath}/account/unlock`, { sessionId, userId });
   }
-  /** Return the current in-memory session (may be null). */
-  getSession() {
-    return this.session;
+  // ─── Password Management ──────────────────────────────────────────────────
+  /**
+   * Change a user's password. The user must supply their current password.
+   *
+   * @example
+   * ```ts
+   * await auth.changePassword({
+   *   sessionId: session.sessionId,
+   *   userId: user.id,
+   *   currentPassword: 'hunter2',
+   *   newPassword: 'correcthorsebatterystaple',
+   * });
+   * ```
+   */
+  async changePassword(options) {
+    await this.http.post(`${this.basePath}/password/change`, options);
   }
-  _sessionHeader() {
-    var _a;
-    return ((_a = this.session) == null ? void 0 : _a.accessToken) ? { "X-Session-Token": this.session.accessToken } : {};
+  /**
+   * Request a password reset email for a user.
+   * Always returns success to prevent user enumeration.
+   *
+   * @example
+   * ```ts
+   * await auth.requestPasswordReset({ email: 'alice@example.com' });
+   * ```
+   */
+  async requestPasswordReset({ email }) {
+    await this.http.post(`${this.basePath}/password/reset/request`, { email });
+  }
+  /**
+   * Complete a password reset using the token from the reset email.
+   *
+   * @example
+   * ```ts
+   * await auth.confirmPasswordReset({
+   *   resetToken: 'tok_from_email',
+   *   newPassword: 'correcthorsebatterystaple',
+   * });
+   * ```
+   */
+  async confirmPasswordReset({
+    resetToken,
+    newPassword
+  }) {
+    await this.http.post(`${this.basePath}/password/reset/confirm`, {
+      resetToken,
+      newPassword
+    });
+  }
+  // ─── Email Verification ───────────────────────────────────────────────────
+  /**
+   * Send (or resend) an email verification message to a user.
+   *
+   * @example
+   * ```ts
+   * await auth.requestEmailVerification({ userId: user.id });
+   * ```
+   */
+  async requestEmailVerification({ userId }) {
+    await this.http.post(`${this.basePath}/email/verify/request`, { userId });
+  }
+  /**
+   * Confirm an email address using the token from the verification email.
+   *
+   * @example
+   * ```ts
+   * await auth.confirmEmailVerification({ verifyToken: 'tok_from_email' });
+   * ```
+   */
+  async confirmEmailVerification({ verifyToken }) {
+    await this.http.post(`${this.basePath}/email/verify/confirm`, { verifyToken });
   }
 };
 
 // src/utils/query.ts
-function serialiseQuery(opts = {}) {
-  var _a;
-  const params = {};
-  if (opts.limit !== void 0) params["limit"] = String(opts.limit);
-  if (opts.offset !== void 0) params["offset"] = String(opts.offset);
-  if (opts.select && opts.select.length > 0) {
-    params["select"] = opts.select.join(",");
-  }
-  if (opts.orderBy) {
-    params["orderBy"] = opts.orderBy.field;
-    params["direction"] = (_a = opts.orderBy.direction) != null ? _a : "asc";
-  }
-  const filters = opts.where ? Array.isArray(opts.where) ? opts.where : [opts.where] : [];
-  if (filters.length > 0) {
-    params["where"] = JSON.stringify(filters);
-  }
-  return params;
-}
-function eq(field, value) {
-  return { field, operator: "eq", value };
-}
-function neq(field, value) {
-  return { field, operator: "neq", value };
-}
-function gt(field, value) {
-  return { field, operator: "gt", value };
+function buildQueryParams(options = {}) {
+  const params = new URLSearchParams();
+  if (options.limit !== void 0) params.set("limit", String(options.limit));
+  if (options.offset !== void 0) params.set("offset", String(options.offset));
+  if (options.orderBy !== void 0) params.set("orderBy", options.orderBy);
+  if (options.order !== void 0) params.set("order", options.order);
+  if (options.fields !== void 0) params.set("fields", options.fields);
+  if (options.startAfter !== void 0) params.set("startAfter", options.startAfter);
+  if (options.startAt !== void 0) params.set("startAt", options.startAt);
+  if (options.endAt !== void 0) params.set("endAt", options.endAt);
+  if (options.dateRange?.start !== void 0)
+    params.set("startDate", new Date(options.dateRange.start).toISOString().split("T")[0]);
+  if (options.dateRange?.end !== void 0)
+    params.set("endDate", new Date(options.dateRange.end).toISOString().split("T")[0]);
+  if (options.filters && options.filters.length > 0) {
+    params.set("filters", JSON.stringify(options.filters));
+  }
+  const str = params.toString();
+  return str ? `?${str}` : "";
 }
-function lt(field, value) {
-  return { field, operator: "lt", value };
+function guessMimeType(filename) {
+  const ext = filename.split(".").pop()?.toLowerCase();
+  const map = {
+    jpg: "image/jpeg",
+    jpeg: "image/jpeg",
+    png: "image/png",
+    gif: "image/gif",
+    webp: "image/webp",
+    svg: "image/svg+xml",
+    pdf: "application/pdf",
+    mp4: "video/mp4",
+    webm: "video/webm",
+    mp3: "audio/mpeg",
+    wav: "audio/wav",
+    txt: "text/plain",
+    html: "text/html",
+    css: "text/css",
+    js: "application/javascript",
+    json: "application/json",
+    xml: "application/xml",
+    zip: "application/zip",
+    csv: "text/csv"
+  };
+  return map[ext ?? ""] ?? "application/octet-stream";
 }
-function inArray(field, value) {
-  return { field, operator: "in", value };
+function assertSafeName(name, label = "name") {
+  if (!/^[a-zA-Z_][a-zA-Z0-9_.\-]{0,200}$/.test(name)) {
+    throw new Error(
+      `Invalid ${label} "${name}". Must start with a letter or underscore and contain only letters, numbers, underscores, dots, or hyphens.`
+    );
+  }
 }
 
 // src/records/client.ts
 var RecordsClient = class {
-  constructor(config) {
-    this.baseUrl = config.url;
-    this.headers = {
-      "Content-Type": "application/json",
-      "Authorization": `Bearer ${config.apiKey}`
-    };
+  constructor(http, bucketKey) {
+    assertSafeName(bucketKey, "bucketKey");
+    this.http = http;
+    this.bucketKey = bucketKey;
+    this.basePath = `/records/${bucketKey}`;
   }
-  // ─── SELECT ────────────────────────────────────────────────────────────────
+  // ─── Single Record Operations ─────────────────────────────────────────────
   /**
-   * Query records from a collection.
-   *
-   * @param collection - Collection name (e.g. "users")
-   * @param options    - Filters, ordering, pagination
+   * Create a new record.
    *
    * @example
-   * const { data, error } = await hydrous.records.select('users', {
-   *   where:   { field: 'role', operator: 'eq', value: 'admin' },
-   *   orderBy: { field: 'createdAt', direction: 'desc' },
-   *   limit:   20,
+   * ```ts
+   * const user = await records.create({
+   *   name: 'Alice',
+   *   email: 'alice@example.com',
+   *   score: 100,
    * });
+   * console.log(user.id); // "rec_xxxxxxxx"
+   * ```
    */
-  async select(collection, options = {}) {
-    try {
-      const params = serialiseQuery(options);
-      const url = buildUrl(this.baseUrl, `records/${collection}`, params);
-      const res = await fetch(url, { headers: this.headers });
-      const json = await parseResponse(res);
-      return { data: json.data, count: json.count, error: null };
-    } catch (err) {
-      return { data: [], count: 0, error: toHydrousError(err) };
-    }
+  async create(data) {
+    const result = await this.http.post(this.basePath, data);
+    return result.record ?? result.data;
   }
-  // ─── GET ONE ───────────────────────────────────────────────────────────────
   /**
-   * Fetch a single record by its ID.
+   * Fetch a single record by ID.
    *
    * @example
-   * const { data, error } = await hydrous.records.get('users', 'user_abc123');
+   * ```ts
+   * const post = await records.get('rec_abc123');
+   * ```
    */
-  async get(collection, id) {
-    try {
-      const url = buildUrl(this.baseUrl, `records/${collection}/${id}`);
-      const res = await fetch(url, { headers: this.headers });
-      const json = await parseResponse(res);
-      return { data: json.data, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async get(id) {
+    const result = await this.http.get(`${this.basePath}/${id}`);
+    return result.record ?? result.data;
   }
-  // ─── INSERT ────────────────────────────────────────────────────────────────
   /**
-   * Insert one or more records into a collection.
-   *
-   * @param collection - Collection name
-   * @param payload    - A single record object or an array of record objects
+   * Overwrite a record entirely (full replace).
    *
    * @example
-   * // Single insert
-   * const { data, error } = await hydrous.records.insert('users', {
-   *   name: 'Alice', email: 'alice@example.com'
+   * ```ts
+   * const updated = await records.set('rec_abc123', {
+   *   name: 'Alice Updated',
+   *   email: 'alice2@example.com',
    * });
+   * ```
+   */
+  async set(id, data) {
+    const result = await this.http.put(`${this.basePath}/${id}`, data);
+    return result.record ?? result.data;
+  }
+  /**
+   * Partially update a record (merge by default).
    *
-   * // Bulk insert
-   * const { data, error } = await hydrous.records.insert('users', [
-   *   { name: 'Alice' }, { name: 'Bob' }
+   * @example
+   * ```ts
+   * // Merge: only the provided fields are updated
+   * const updated = await records.patch('rec_abc123', { score: 200 });
+   *
+   * // Replace: equivalent to set()
+   * const replaced = await records.patch('rec_abc123', { score: 200 }, { merge: false });
+   * ```
+   */
+  async patch(id, data, options = {}) {
+    const { merge = true } = options;
+    const result = await this.http.patch(
+      `${this.basePath}/${id}`,
+      { ...data, _merge: merge }
+    );
+    return result.record ?? result.data;
+  }
+  /**
+   * Delete a record permanently.
+   *
+   * @example
+   * ```ts
+   * await records.delete('rec_abc123');
+   * ```
+   */
+  async delete(id) {
+    await this.http.delete(`${this.basePath}/${id}`);
+  }
+  // ─── Batch Operations ─────────────────────────────────────────────────────
+  /**
+   * Create multiple records in one request.
+   *
+   * @example
+   * ```ts
+   * const created = await records.batchCreate([
+   *   { name: 'Alice', score: 100 },
+   *   { name: 'Bob',   score: 200 },
    * ]);
+   * ```
    */
-  async insert(collection, payload) {
-    try {
-      const url = buildUrl(this.baseUrl, `records/${collection}`);
-      const res = await fetch(url, {
-        method: "POST",
-        headers: this.headers,
-        body: JSON.stringify(payload)
-      });
-      const json = await parseResponse(res);
-      return { data: json.data, count: json.count, error: null };
-    } catch (err) {
-      return { data: [], count: 0, error: toHydrousError(err) };
-    }
+  async batchCreate(items) {
+    const result = await this.http.post(
+      `${this.basePath}/batch`,
+      { records: items }
+    );
+    return result.records;
+  }
+  /**
+   * Delete multiple records by ID in one request.
+   *
+   * @example
+   * ```ts
+   * await records.batchDelete(['rec_a', 'rec_b', 'rec_c']);
+   * ```
+   */
+  async batchDelete(ids) {
+    const result = await this.http.post(`${this.basePath}/batch/delete`, { ids });
+    return { deleted: result.deleted, failed: result.failed };
   }
-  // ─── UPDATE ────────────────────────────────────────────────────────────────
+  // ─── Querying ─────────────────────────────────────────────────────────────
   /**
-   * Update a record by ID.
+   * Query records with optional filters, sorting, and pagination.
    *
    * @example
-   * const { data, error } = await hydrous.records.update('users', 'user_abc123', {
-   *   name: 'Alice Smith'
+   * ```ts
+   * // Simple query
+   * const { records } = await posts.query({ limit: 10 });
+   *
+   * // Filtered query with cursor pagination
+   * const page1 = await posts.query({
+   *   filters: [
+   *     { field: 'status',    op: '==', value: 'published' },
+   *     { field: 'views',     op: '>',  value: 1000 },
+   *   ],
+   *   orderBy: 'createdAt',
+   *   order: 'desc',
+   *   limit: 20,
+   * });
+   *
+   * const page2 = await posts.query({
+   *   filters: [{ field: 'status', op: '==', value: 'published' }],
+   *   limit: 20,
+   *   startAfter: page1.nextCursor,
    * });
+   * ```
    */
-  async update(collection, id, payload) {
-    try {
-      const url = buildUrl(this.baseUrl, `records/${collection}/${id}`);
-      const res = await fetch(url, {
-        method: "PATCH",
-        headers: this.headers,
-        body: JSON.stringify(payload)
-      });
-      const json = await parseResponse(res);
-      return { data: json.data, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async query(options = {}) {
+    const qs = buildQueryParams(options);
+    const result = await this.http.get(`${this.basePath}${qs}`);
+    return {
+      records: result.records,
+      total: result.total,
+      hasMore: result.hasMore,
+      nextCursor: result.nextCursor
+    };
   }
-  // ─── DELETE ────────────────────────────────────────────────────────────────
   /**
-   * Delete a record by ID.
+   * Convenience alias: get all records up to `limit` (default 100).
    *
    * @example
-   * const { error } = await hydrous.records.delete('users', 'user_abc123');
+   * ```ts
+   * const allPosts = await posts.getAll({ limit: 500 });
+   * ```
    */
-  async delete(collection, id) {
-    try {
-      const url = buildUrl(this.baseUrl, `records/${collection}/${id}`);
-      const res = await fetch(url, { method: "DELETE", headers: this.headers });
-      await parseResponse(res);
-      return { data: void 0, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async getAll(options = {}) {
+    const { records } = await this.query(options);
+    return records;
+  }
+  /**
+   * Count records matching optional filters.
+   *
+   * @example
+   * ```ts
+   * const total = await posts.count([{ field: 'status', op: '==', value: 'published' }]);
+   * ```
+   */
+  async count(filters = []) {
+    const result = await this.http.post(
+      `${this.basePath}/count`,
+      { filters }
+    );
+    return result.count;
+  }
+  // ─── Version History ──────────────────────────────────────────────────────
+  /**
+   * Retrieve the full version history of a record.
+   * Each write creates a new version stored in GCS.
+   *
+   * @example
+   * ```ts
+   * const history = await records.getHistory('rec_abc123');
+   * console.log(history[0].data); // latest version
+   * ```
+   */
+  async getHistory(id) {
+    const result = await this.http.get(`${this.basePath}/${id}/history`);
+    return result.history;
+  }
+  /**
+   * Restore a record to a specific historical version.
+   *
+   * @example
+   * ```ts
+   * const history = await records.getHistory('rec_abc123');
+   * const restored = await records.restoreVersion('rec_abc123', history[2].version);
+   * ```
+   */
+  async restoreVersion(id, version) {
+    const result = await this.http.post(
+      `${this.basePath}/${id}/restore`,
+      { version }
+    );
+    return result.record ?? result.data;
   }
 };
 
 // src/analytics/client.ts
 var AnalyticsClient = class {
-  constructor(config) {
-    this.baseUrl = config.url;
-    this.headers = {
-      "Content-Type": "application/json",
-      "Authorization": `Bearer ${config.apiKey}`
-    };
+  constructor(http, bucketKey) {
+    assertSafeName(bucketKey, "bucketKey");
+    this.http = http;
+    this.bucketKey = bucketKey;
+    this.basePath = `/analytics/${bucketKey}`;
   }
-  // ─── TRACK ────────────────────────────────────────────────────────────────
+  /** Internal dispatcher — all queries POST to the same endpoint. */
+  async run(query) {
+    const result = await this.http.post(this.basePath, query);
+    return result.data;
+  }
+  // ─── Count ────────────────────────────────────────────────────────────────
   /**
-   * Track an analytics event.
+   * Count the total number of records in the bucket, with optional date filter.
    *
    * @example
-   * await hydrous.analytics.track({
-   *   event:      'page_view',
-   *   properties: { page: '/home', referrer: 'google.com' },
-   *   userId:     'user_abc123',
+   * ```ts
+   * const { count } = await analytics.count();
+   * // → { count: 4821 }
+   *
+   * // Count only this month's records
+   * const { count } = await analytics.count({
+   *   dateRange: { start: new Date('2025-01-01').getTime(), end: Date.now() },
    * });
+   * ```
    */
-  async track(options) {
-    var _a;
-    try {
-      const url = buildUrl(this.baseUrl, "analytics/track");
-      const res = await fetch(url, {
-        method: "POST",
-        headers: this.headers,
-        body: JSON.stringify({
-          ...options,
-          timestamp: (_a = options.timestamp) != null ? _a : Date.now()
-        })
-      });
-      await parseResponse(res);
-      return { data: void 0, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async count(opts = {}) {
+    return this.run({ queryType: "count", ...opts });
   }
-  // ─── QUERY ────────────────────────────────────────────────────────────────
+  // ─── Distribution ─────────────────────────────────────────────────────────
   /**
-   * Query recorded analytics events.
+   * Count how many records have each unique value for a given field.
+   * Great for pie charts and bar charts.
    *
    * @example
-   * const { data } = await hydrous.analytics.query({
-   *   event: 'page_view',
-   *   from:  '2024-01-01',
-   *   to:    '2024-01-31',
-   *   limit: 100,
+   * ```ts
+   * const rows = await analytics.distribution({
+   *   field: 'status',
+   *   limit: 10,
+   *   order: 'desc',
    * });
+   * // → [{ value: 'completed', count: 312 }, { value: 'pending', count: 88 }, ...]
+   * ```
    */
-  async query(options = {}) {
-    try {
-      const params = {};
-      if (options.event) params["event"] = options.event;
-      if (options.from) params["from"] = options.from;
-      if (options.to) params["to"] = options.to;
-      if (options.limit) params["limit"] = String(options.limit);
-      if (options.groupBy) params["groupBy"] = options.groupBy;
-      const url = buildUrl(this.baseUrl, "analytics/events", params);
-      const res = await fetch(url, { headers: this.headers });
-      const json = await parseResponse(res);
-      return { data: json.data, count: json.count, error: null };
-    } catch (err) {
-      return { data: [], count: 0, error: toHydrousError(err) };
-    }
+  async distribution(opts) {
+    assertSafeName(opts.field, "field");
+    return this.run({ queryType: "distribution", ...opts });
   }
-  // ─── BATCH TRACK ─────────────────────────────────────────────────────────
+  // ─── Sum ──────────────────────────────────────────────────────────────────
   /**
-   * Track multiple events in a single request (more efficient than
-   * calling `track` in a loop).
+   * Sum a numeric field, optionally grouped by another field.
    *
    * @example
-   * await hydrous.analytics.trackBatch([
-   *   { event: 'signup',   userId: 'u1' },
-   *   { event: 'onboarded', userId: 'u1' },
-   * ]);
+   * ```ts
+   * // Total revenue
+   * const rows = await analytics.sum({ field: 'amount' });
+   * // → [{ sum: 198432.50 }]
+   *
+   * // Revenue by country
+   * const rows = await analytics.sum({ field: 'amount', groupBy: 'country', limit: 10 });
+   * // → [{ group: 'US', sum: 120000 }, { group: 'UK', sum: 45000 }, ...]
+   * ```
    */
-  async trackBatch(events) {
-    try {
-      const url = buildUrl(this.baseUrl, "analytics/track/batch");
-      const stamped = events.map((e) => {
-        var _a;
-        return {
-          ...e,
-          timestamp: (_a = e.timestamp) != null ? _a : Date.now()
-        };
-      });
-      const res = await fetch(url, {
-        method: "POST",
-        headers: this.headers,
-        body: JSON.stringify({ events: stamped })
-      });
-      await parseResponse(res);
-      return { data: void 0, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async sum(opts) {
+    assertSafeName(opts.field, "field");
+    if (opts.groupBy) assertSafeName(opts.groupBy, "groupBy");
+    return this.run({ queryType: "sum", ...opts });
   }
-};
-
-// src/storage/client.ts
-var isBrowser = typeof window !== "undefined" && typeof XMLHttpRequest !== "undefined";
-function bucketFromKey(key) {
-  return encodeURIComponent(key);
-}
-function storageUrl(base, bucketKey, path) {
-  const bucket = bucketFromKey(bucketKey);
-  return `${base.replace(/\/$/, "")}/storage/${bucket}/${path.replace(/^\//, "")}`;
-}
-function storageHeaders(bucketKey) {
-  return { "X-Storage-Key": bucketKey };
-}
-function drainSSEProgress(rawText, onProgress) {
-  const results = [];
-  const errors = [];
-  parseSSEText(rawText, (eventType, data) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l;
-    const d = data;
-    if (eventType === "progress" && onProgress) {
-      onProgress({
-        index: (_a = d["index"]) != null ? _a : 0,
-        total: (_b = d["total"]) != null ? _b : 1,
-        path: (_c = d["path"]) != null ? _c : "",
-        stage: (_d = d["stage"]) != null ? _d : "uploading",
-        bytesUploaded: (_e = d["bytesUploaded"]) != null ? _e : 0,
-        totalBytes: (_f = d["totalBytes"]) != null ? _f : 0,
-        percent: (_g = d["percent"]) != null ? _g : 0,
-        bytesPerSecond: (_h = d["bytesPerSecond"]) != null ? _h : null,
-        eta: (_i = d["eta"]) != null ? _i : null,
-        result: d["result"],
-        error: d["error"],
-        code: d["code"]
-      });
-    }
-    if (eventType === "done") {
-      if (d["path"]) {
-        results.push(d);
-      } else if (Array.isArray(d["errors"])) {
-        const succeeded = (_j = d["succeeded"]) != null ? _j : [];
-        const errs = d["errors"];
-        results.push(...succeeded);
-        errors.push(...errs);
-      }
-    }
-    if (eventType === "error") {
-      errors.push({
-        path: "",
-        error: (_k = d["error"]) != null ? _k : "Unknown error",
-        code: (_l = d["code"]) != null ? _l : "UNKNOWN"
-      });
-    }
-  });
-  return { results, errors };
-}
-var StorageClient = class {
-  constructor(config) {
-    this.baseUrl = config.url;
-  }
-  // ══════════════════════════════════════════════════════════════════════════
-  // UPLOAD
-  // ══════════════════════════════════════════════════════════════════════════
-  /**
-   * Upload a single file to a bucket.
-   *
-   * The bucket key **always comes first**.
-   * Supply an `onProgress` callback to receive live upload progress including
-   * bytes transferred, speed (bytes/sec), ETA, and lifecycle stage.
-   *
-   * ### Stages fired via `onProgress`
-   * | Stage        | Meaning                                 |
-   * |-------------|------------------------------------------|
-   * | `pending`   | Queued, not yet started                 |
-   * | `compressing` | Server is compressing the file         |
-   * | `uploading` | Bytes flowing to cloud storage           |
-   * | `done`      | Confirmed written to cloud storage       |
-   * | `error`     | Something went wrong                    |
-   *
-   * @param bucketKey  Your storage bucket key (`ssk_…`)
-   * @param file       A `File`, `Blob`, or `Buffer` (Node)
-   * @param options    Path, overwrite flag, progress callback
-   *
-   * @example
-   * const { data, error } = await hydrous.storage.upload(
-   *   'ssk_my_bucket_key',
-   *   file,
-   *   {
-   *     path:       'avatars/alice.jpg',
-   *     overwrite:  true,
-   *     onProgress: (p) => {
-   *       console.log(`${p.stage} — ${p.percent}%  ${p.bytesPerSecond} B/s  ETA ${p.eta}s`);
-   *     },
-   *   }
-   * );
+  // ─── Time Series ──────────────────────────────────────────────────────────
+  /**
+   * Count records created over time, grouped by a time granularity.
+   * Perfect for line charts and activity graphs.
+   *
+   * @example
+   * ```ts
+   * const rows = await analytics.timeSeries({
+   *   granularity: 'day',
+   *   dateRange: { start: Date.now() - 7 * 86400000, end: Date.now() },
+   * });
+   * // → [{ date: '2025-06-01', count: 42 }, { date: '2025-06-02', count: 67 }, ...]
+   * ```
    */
-  async upload(bucketKey, file, options = {}) {
-    var _a, _b;
-    const { path, overwrite = false, onProgress } = options;
-    try {
-      const url = storageUrl(this.baseUrl, bucketKey, "upload");
-      const form = new FormData();
-      if (file instanceof Uint8Array) {
-        form.append("file", new Blob([file.buffer]), path != null ? path : "file");
-      } else if (file instanceof ArrayBuffer) {
-        form.append("file", new Blob([file]), path != null ? path : "file");
-      } else {
-        form.append("file", file, path != null ? path : file instanceof File ? file.name : "file");
-      }
-      if (path) form.append("path", path);
-      if (overwrite) form.append("overwrite", "true");
-      const headers = storageHeaders(bucketKey);
-      if (isBrowser) {
-        const totalBytes = file instanceof Blob ? file.size : file instanceof Uint8Array ? file.byteLength : file.byteLength;
-        const rawBody = await xhrUpload(url, form, headers, (loaded, total) => {
-          if (onProgress) {
-            onProgress({
-              index: 0,
-              total: 1,
-              path: path != null ? path : "",
-              stage: "uploading",
-              bytesUploaded: loaded,
-              totalBytes: total || totalBytes,
-              percent: Math.min(99, Math.round(loaded / (total || totalBytes) * 100)),
-              bytesPerSecond: null,
-              eta: null
-            });
-          }
-        });
-        const { results, errors } = drainSSEProgress(rawBody, onProgress);
-        if (errors.length > 0 && results.length === 0) {
-          return { data: null, error: { message: errors[0].error, code: errors[0].code } };
-        }
-        const result = (_a = results[0]) != null ? _a : null;
-        if (result && onProgress) {
-          onProgress({
-            index: 0,
-            total: 1,
-            path: result.path,
-            stage: "done",
-            bytesUploaded: totalBytes,
-            totalBytes,
-            percent: 100,
-            bytesPerSecond: null,
-            eta: 0,
-            result
-          });
-        }
-        return { data: result, error: null };
-      }
-      const res = await fetch(url, { method: "POST", headers, body: form });
-      if (!res.ok) {
-        const err = await res.json().catch(() => ({}));
-        throw new HydrousSDKError((_b = err.error) != null ? _b : `HTTP ${res.status}`, "HTTP_ERROR", res.status);
-      }
-      let finalResult = null;
-      await readSSEStream(res, (eventType, data) => {
-        var _a2, _b2, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l;
-        const d = data;
-        if (eventType === "progress" && onProgress) {
-          onProgress({
-            index: (_a2 = d["index"]) != null ? _a2 : 0,
-            total: (_b2 = d["total"]) != null ? _b2 : 1,
-            path: (_d = (_c = d["path"]) != null ? _c : path) != null ? _d : "",
-            stage: (_e = d["stage"]) != null ? _e : "uploading",
-            bytesUploaded: (_f = d["bytesUploaded"]) != null ? _f : 0,
-            totalBytes: (_g = d["totalBytes"]) != null ? _g : 0,
-            percent: (_h = d["percent"]) != null ? _h : 0,
-            bytesPerSecond: (_i = d["bytesPerSecond"]) != null ? _i : null,
-            eta: (_j = d["eta"]) != null ? _j : null,
-            result: d["result"],
-            error: d["error"]
-          });
-        }
-        if (eventType === "done") finalResult = data;
-        if (eventType === "error") {
-          throw new HydrousSDKError(
-            (_k = d["error"]) != null ? _k : "Upload failed",
-            (_l = d["code"]) != null ? _l : "UPLOAD_ERROR"
-          );
-        }
-      });
-      return { data: finalResult, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async timeSeries(opts = {}) {
+    return this.run({ queryType: "timeSeries", granularity: "day", ...opts });
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // UPLOAD RAW (text / JSON / binary from string)
-  // ══════════════════════════════════════════════════════════════════════════
+  // ─── Field Time Series ────────────────────────────────────────────────────
   /**
-   * Upload raw text or JSON content directly — no `File` object needed.
-   * Great for saving generated content, config files, or JSON records.
+   * Aggregate a numeric field over time (e.g. daily revenue, hourly signups).
    *
-   * @param bucketKey  Your storage bucket key (`ssk_…`)
-   * @param path       Destination path (e.g. `"configs/settings.json"`)
-   * @param content    String content to store
-   * @param options    `mimeType`, `overwrite`, `onProgress`
+   * @example
+   * ```ts
+   * const rows = await analytics.fieldTimeSeries({
+   *   field: 'amount',
+   *   aggregation: 'sum',
+   *   granularity: 'week',
+   * });
+   * // → [{ date: '2025-W22', value: 14230.50 }, ...]
+   * ```
+   */
+  async fieldTimeSeries(opts) {
+    assertSafeName(opts.field, "field");
+    return this.run({
+      queryType: "fieldTimeSeries",
+      aggregation: "sum",
+      granularity: "day",
+      ...opts
+    });
+  }
+  // ─── Top N ────────────────────────────────────────────────────────────────
+  /**
+   * Get the top N values by frequency for a field.
+   * Optionally pair with a `labelField` for human-readable labels.
    *
    * @example
-   * await hydrous.storage.uploadText(
-   *   'ssk_my_bucket_key',
-   *   'reports/summary.txt',
-   *   'Hello from Hydrous!',
-   *   { mimeType: 'text/plain' }
-   * );
+   * ```ts
+   * // Top 5 most purchased products
+   * const rows = await analytics.topN({
+   *   field: 'productId',
+   *   labelField: 'productName',
+   *   n: 5,
+   * });
+   * // → [{ value: 'prod_123', label: 'Widget Pro', count: 892 }, ...]
+   * ```
    */
-  async uploadText(bucketKey, path, content, options = {}) {
-    var _a;
-    const { mimeType = "text/plain", overwrite = false, onProgress } = options;
-    try {
-      const url = storageUrl(this.baseUrl, bucketKey, "upload-raw");
-      const headers = { ...storageHeaders(bucketKey), "Content-Type": "application/json" };
-      const res = await fetch(url, {
-        method: "POST",
-        headers,
-        body: JSON.stringify({ path, content, mimeType, overwrite })
-      });
-      if (!res.ok) {
-        const e = await res.json().catch(() => ({}));
-        throw new HydrousSDKError((_a = e.error) != null ? _a : `HTTP ${res.status}`, "HTTP_ERROR", res.status);
-      }
-      let finalResult = null;
-      await readSSEStream(res, (eventType, data) => {
-        var _a2, _b, _c, _d, _e, _f;
-        const d = data;
-        if (eventType === "progress" && onProgress) {
-          onProgress({
-            index: 0,
-            total: 1,
-            path,
-            stage: (_a2 = d["stage"]) != null ? _a2 : "uploading",
-            bytesUploaded: (_b = d["bytesUploaded"]) != null ? _b : 0,
-            totalBytes: (_c = d["totalBytes"]) != null ? _c : 0,
-            percent: (_d = d["percent"]) != null ? _d : 0,
-            bytesPerSecond: (_e = d["bytesPerSecond"]) != null ? _e : null,
-            eta: (_f = d["eta"]) != null ? _f : null
-          });
-        }
-        if (eventType === "done") finalResult = data;
-      });
-      return { data: finalResult, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async topN(opts) {
+    assertSafeName(opts.field, "field");
+    if (opts.labelField) assertSafeName(opts.labelField, "labelField");
+    return this.run({ queryType: "topN", n: 10, order: "desc", ...opts });
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // BATCH UPLOAD
-  // ══════════════════════════════════════════════════════════════════════════
+  // ─── Field Stats ──────────────────────────────────────────────────────────
   /**
-   * Upload multiple files in one request.
+   * Get statistical summary (min, max, avg, sum, count, stddev) for a numeric field.
    *
-   * `onProgress` fires for **every file individually** — the `index` field
-   * tells you which file the event belongs to (0-based, same order as `files`).
-   * All files receive a `pending` event upfront before any uploads start,
-   * so you can render all progress bars immediately.
+   * @example
+   * ```ts
+   * const stats = await analytics.stats({ field: 'orderValue' });
+   * // → { min: 4.99, max: 9999.99, avg: 87.23, sum: 420948.27, count: 4823, stddev: 143.2 }
+   * ```
+   */
+  async stats(opts) {
+    assertSafeName(opts.field, "field");
+    return this.run({ queryType: "stats", ...opts });
+  }
+  // ─── Filtered Records ─────────────────────────────────────────────────────
+  /**
+   * Query raw records with filters, field selection, and pagination.
+   * This is the analytics version of `records.query()` but powered by BigQuery.
    *
-   * @param bucketKey  Your storage bucket key (`ssk_…`)
-   * @param files      Array of `File` objects (browser) or `{ name, data }` objects (Node)
-   * @param options    Prefix, per-file paths, overwrite, concurrency, onProgress
+   * @example
+   * ```ts
+   * const { records } = await analytics.records({
+   *   filters: [{ field: 'status', op: '==', value: 'refunded' }],
+   *   selectFields: ['orderId', 'amount', 'createdAt'],
+   *   limit: 50,
+   *   orderBy: 'amount',
+   *   order: 'desc',
+   * });
+   * ```
+   */
+  async records(opts = {}) {
+    if (opts.orderBy) assertSafeName(opts.orderBy, "orderBy");
+    if (opts.selectFields) opts.selectFields.forEach((f) => assertSafeName(f, "selectField"));
+    return this.run({ queryType: "records", limit: 100, order: "desc", ...opts });
+  }
+  // ─── Multi Metric ─────────────────────────────────────────────────────────
+  /**
+   * Calculate multiple aggregations in a single query.
+   * Ideal for dashboards that need several numbers at once.
    *
    * @example
-   * await hydrous.storage.batchUpload(
-   *   'ssk_my_bucket_key',
-   *   fileArray,
-   *   {
-   *     prefix:     'uploads/2024/',
-   *     onProgress: (p) => {
-   *       console.log(`File ${p.index}: ${p.stage} ${p.percent}%`);
-   *     },
-   *   }
-   * );
+   * ```ts
+   * const result = await analytics.multiMetric({
+   *   metrics: [
+   *     { field: 'amount',   name: 'totalRevenue', aggregation: 'sum' },
+   *     { field: 'amount',   name: 'avgOrderValue', aggregation: 'avg' },
+   *     { field: 'userId',   name: 'uniqueCustomers', aggregation: 'count' },
+   *   ],
+   * });
+   * // → { totalRevenue: 198432.50, avgOrderValue: 87.23, uniqueCustomers: 2275 }
+   * ```
    */
-  async batchUpload(bucketKey, files, options = {}) {
-    var _a;
-    const { prefix = "", paths, overwrite = false, onProgress } = options;
-    try {
-      const url = storageUrl(this.baseUrl, bucketKey, "batch-upload");
-      const form = new FormData();
-      const resolvedPaths = files.map(
-        (f, i) => {
-          var _a2;
-          return (_a2 = paths == null ? void 0 : paths[i]) != null ? _a2 : `${prefix}${f.name}`;
-        }
-      );
-      files.forEach((f) => form.append("files", f, f.name));
-      form.append("paths", JSON.stringify(resolvedPaths));
-      if (overwrite) form.append("overwrite", "true");
-      const headers = storageHeaders(bucketKey);
-      if (isBrowser) {
-        const totalBytes = files.reduce((s, f) => s + f.size, 0);
-        const rawBody = await xhrUpload(url, form, headers, (loaded, total) => {
-          if (onProgress) {
-            let cursor = 0;
-            for (let i = 0; i < files.length; i++) {
-              const share = files[i].size / (totalBytes || 1);
-              const myStart = cursor;
-              const myEnd = cursor + share;
-              const fileLoaded = Math.max(0, Math.min(
-                files[i].size,
-                (loaded / (total || totalBytes) - myStart) / share * files[i].size
-              ));
-              onProgress({
-                index: i,
-                total: files.length,
-                path: resolvedPaths[i],
-                stage: "uploading",
-                bytesUploaded: Math.round(fileLoaded),
-                totalBytes: files[i].size,
-                percent: Math.min(99, Math.round(fileLoaded / files[i].size * 100)),
-                bytesPerSecond: null,
-                eta: null
-              });
-              cursor = myEnd;
-            }
-          }
-        });
-        const { results, errors } = drainSSEProgress(rawBody, onProgress);
-        return {
-          data: {
-            succeeded: results,
-            failed: errors
-          },
-          error: null
-        };
-      }
-      const res = await fetch(url, { method: "POST", headers, body: form });
-      if (!res.ok) {
-        const e = await res.json().catch(() => ({}));
-        throw new HydrousSDKError((_a = e.error) != null ? _a : `HTTP ${res.status}`, "HTTP_ERROR", res.status);
-      }
-      const succeeded = [];
-      const failed = [];
-      await readSSEStream(res, (eventType, data) => {
-        var _a2, _b, _c, _d, _e, _f, _g, _h, _i, _j;
-        const d = data;
-        if (eventType === "progress" && onProgress) {
-          onProgress({
-            index: (_a2 = d["index"]) != null ? _a2 : 0,
-            total: (_b = d["total"]) != null ? _b : files.length,
-            path: (_c = d["path"]) != null ? _c : "",
-            stage: (_d = d["stage"]) != null ? _d : "uploading",
-            bytesUploaded: (_e = d["bytesUploaded"]) != null ? _e : 0,
-            totalBytes: (_f = d["totalBytes"]) != null ? _f : 0,
-            percent: (_g = d["percent"]) != null ? _g : 0,
-            bytesPerSecond: (_h = d["bytesPerSecond"]) != null ? _h : null,
-            eta: (_i = d["eta"]) != null ? _i : null,
-            result: d["result"],
-            error: d["error"],
-            code: d["code"]
-          });
-        }
-        if (eventType === "done" && d["succeeded"]) {
-          succeeded.push(...d["succeeded"]);
-          failed.push(...(_j = d["errors"]) != null ? _j : []);
-        }
-      });
-      return { data: { succeeded, failed }, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async multiMetric(opts) {
+    opts.metrics.forEach((m) => {
+      assertSafeName(m.field, "metric.field");
+      assertSafeName(m.name, "metric.name");
+    });
+    return this.run({ queryType: "multiMetric", ...opts });
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // DOWNLOAD
-  // ══════════════════════════════════════════════════════════════════════════
+  // ─── Storage Stats ────────────────────────────────────────────────────────
   /**
-   * Download a single file and return its content as an `ArrayBuffer`.
+   * Get storage statistics for this bucket: record counts, byte sizes.
    *
-   * @param bucketKey  Your storage bucket key (`ssk_…`)
-   * @param filePath   Path of the file within your bucket
+   * @example
+   * ```ts
+   * const stats = await analytics.storageStats();
+   * // → { totalRecords: 4821, totalBytes: 48293820, avgBytes: 10015, ... }
+   * ```
+   */
+  async storageStats(opts = {}) {
+    return this.run({ queryType: "storageStats", ...opts });
+  }
+  // ─── Cross-Bucket Comparison ──────────────────────────────────────────────
+  /**
+   * Compare the same field aggregation across multiple buckets in one query.
+   * Your security key must have read access to ALL listed buckets.
    *
    * @example
-   * const { data, error } = await hydrous.storage.download(
-   *   'ssk_my_bucket_key',
-   *   'avatars/alice.jpg'
-   * );
-   * if (data) {
-   *   const blob = new Blob([data]);
-   *   const url  = URL.createObjectURL(blob);
-   * }
+   * ```ts
+   * const rows = await analytics.crossBucket({
+   *   bucketKeys: ['orders-us', 'orders-eu', 'orders-apac'],
+   *   field: 'amount',
+   *   aggregation: 'sum',
+   * });
+   * // → [
+   * //   { bucket: 'orders-us',   value: 120000 },
+   * //   { bucket: 'orders-eu',   value: 45000 },
+   * //   { bucket: 'orders-apac', value: 33000 },
+   * // ]
+   * ```
    */
-  async download(bucketKey, filePath) {
-    var _a;
-    try {
-      const url = storageUrl(this.baseUrl, bucketKey, `download/${filePath}`);
-      const res = await fetch(url, { headers: storageHeaders(bucketKey) });
-      if (!res.ok) {
-        const e = await res.json().catch(() => ({}));
-        throw new HydrousSDKError((_a = e.error) != null ? _a : `HTTP ${res.status}`, "HTTP_ERROR", res.status);
-      }
-      const buffer = await res.arrayBuffer();
-      return { data: buffer, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async crossBucket(opts) {
+    assertSafeName(opts.field, "field");
+    opts.bucketKeys.forEach((k) => assertSafeName(k, "bucketKey"));
+    return this.run({ queryType: "crossBucket", aggregation: "sum", ...opts });
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // BATCH DOWNLOAD
-  // ══════════════════════════════════════════════════════════════════════════
+  // ─── Raw Query ────────────────────────────────────────────────────────────
   /**
-   * Download multiple files in one request.
+   * Send a raw analytics query object. Use this when you need full control
+   * over the query shape or want to use a queryType not covered by the helpers.
    *
-   * When `autoSave: true` (browser only) each file is automatically saved
-   * to the user's Downloads folder as it arrives.
+   * @example
+   * ```ts
+   * const result = await analytics.query({
+   *   queryType: 'topN',
+   *   field: 'category',
+   *   n: 3,
+   *   order: 'asc',
+   * });
+   * ```
+   */
+  async query(query) {
+    const data = await this.run(query);
+    return { queryType: query.queryType, data };
+  }
+};
+
+// src/storage/manager.ts
+var StorageManager = class {
+  constructor(http, storageKey) {
+    this.basePath = "/storage";
+    this.http = http;
+    this.storageKey = storageKey;
+  }
+  /** Headers for all storage requests — uses X-Storage-Key, not X-Api-Key. */
+  get authHeaders() {
+    return { "X-Storage-Key": this.storageKey };
+  }
+  // ─── Upload: Simple (server-buffered) ────────────────────────────────────
+  /**
+   * Upload a file to storage in one step (server-buffered, up to 500 MB).
+   * For files >10 MB or when you need upload progress, use `getUploadUrl()` instead.
    *
-   * @param bucketKey  Your storage bucket key (`ssk_…`)
-   * @param filePaths  Array of file paths within your bucket
-   * @param options    Concurrency, onProgress, autoSave
+   * @param data     File data as a Blob, Buffer, Uint8Array, or ArrayBuffer.
+   * @param path     Destination path in your storage (e.g. `"avatars/alice.jpg"`).
+   * @param options  Upload options: isPublic, overwrite, mimeType.
    *
    * @example
-   * const { data } = await hydrous.storage.batchDownload(
-   *   'ssk_my_bucket_key',
-   *   ['reports/jan.pdf', 'reports/feb.pdf'],
-   *   {
-   *     onProgress: (p) => console.log(p.path, p.status),
-   *     autoSave:   true,  // triggers browser file-save dialog per file
-   *   }
+   * ```ts
+   * // Upload a public avatar
+   * const result = await storage.upload(file, 'avatars/alice.jpg', { isPublic: true });
+   * console.log(result.publicUrl); // → https://...
+   *
+   * // Upload a private document
+   * const result = await storage.upload(pdfBuffer, 'docs/contract.pdf');
+   * console.log(result.downloadUrl); // → /storage/download/docs/contract.pdf
+   * ```
+   */
+  async upload(data, path, options = {}) {
+    const { isPublic = false, overwrite = false, mimeType } = options;
+    const mime = mimeType ?? guessMimeType(path);
+    const formData = new FormData();
+    const blob = data instanceof Blob ? data : new Blob([data], { type: mime });
+    formData.append("file", blob, path.split("/").pop() ?? "file");
+    formData.append("path", path);
+    formData.append("mimeType", mime);
+    formData.append("isPublic", String(isPublic));
+    formData.append("overwrite", String(overwrite));
+    const result = await this.http.request(`${this.basePath}/upload`, {
+      method: "POST",
+      rawBody: formData,
+      headers: this.authHeaders
+    });
+    return {
+      path: result.path,
+      mimeType: result.mimeType,
+      size: result.size,
+      isPublic: result.isPublic,
+      publicUrl: result.publicUrl,
+      downloadUrl: result.downloadUrl
+    };
+  }
+  /**
+   * Upload raw JSON or plain text data as a file.
+   *
+   * @example
+   * ```ts
+   * const result = await storage.uploadRaw(
+   *   { config: { theme: 'dark' } },
+   *   'settings/user-config.json',
+   *   { isPublic: false },
    * );
+   * ```
    */
-  async batchDownload(bucketKey, filePaths, options = {}) {
-    var _a;
-    const { concurrency = 5, onProgress, autoSave = false } = options;
-    try {
-      const url = storageUrl(this.baseUrl, bucketKey, "batch-download");
-      const res = await fetch(url, {
-        method: "POST",
-        headers: { ...storageHeaders(bucketKey), "Content-Type": "application/json" },
-        body: JSON.stringify({ paths: filePaths, concurrency })
-      });
-      if (!res.ok) {
-        const e = await res.json().catch(() => ({}));
-        throw new HydrousSDKError((_a = e.error) != null ? _a : `HTTP ${res.status}`, "HTTP_ERROR", res.status);
-      }
-      const downloadedFiles = [];
-      await readSSEStream(res, (eventType, data) => {
-        var _a2, _b, _c, _d, _e, _f, _g, _h;
-        const d = data;
-        if (eventType === "file") {
-          const base64 = d["content"];
-          const mimeType = (_a2 = d["mimeType"]) != null ? _a2 : "application/octet-stream";
-          const path = (_b = d["path"]) != null ? _b : "";
-          const size = (_c = d["size"]) != null ? _c : 0;
-          const index = (_d = d["index"]) != null ? _d : 0;
-          const binary = atob(base64);
-          const bytes = new Uint8Array(binary.length);
-          for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
-          const content = bytes.buffer;
-          downloadedFiles.push({ path, content, mimeType, size });
-          if (onProgress) {
-            onProgress({
-              index,
-              total: filePaths.length,
-              path,
-              status: "success",
-              size,
-              mimeType
-            });
-          }
-          if (autoSave && isBrowser) {
-            const blob = new Blob([content], { type: mimeType });
-            const blobUrl = URL.createObjectURL(blob);
-            const a = document.createElement("a");
-            a.href = blobUrl;
-            a.download = (_e = path.split("/").pop()) != null ? _e : "download";
-            a.click();
-            setTimeout(() => URL.revokeObjectURL(blobUrl), 5e3);
-          }
-        }
-        if (eventType === "error" && onProgress) {
-          const index = (_f = d["index"]) != null ? _f : 0;
-          onProgress({
-            index,
-            total: filePaths.length,
-            path: (_g = filePaths[index]) != null ? _g : "",
-            status: "error",
-            error: (_h = d["error"]) != null ? _h : "Download failed"
-          });
-        }
-      });
-      return { data: downloadedFiles, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async uploadRaw(data, path, options = {}) {
+    const { isPublic = false, overwrite = false, mimeType = "application/json" } = options;
+    const body = typeof data === "string" ? data : JSON.stringify(data);
+    const result = await this.http.request(`${this.basePath}/upload-raw`, {
+      method: "POST",
+      body: { path, data: body, mimeType, isPublic, overwrite },
+      headers: this.authHeaders
+    });
+    return {
+      path: result.path,
+      mimeType: result.mimeType,
+      size: result.size,
+      isPublic: result.isPublic,
+      publicUrl: result.publicUrl,
+      downloadUrl: result.downloadUrl
+    };
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // LIST
-  // ══════════════════════════════════════════════════════════════════════════
+  // ─── Upload: Direct-to-GCS (recommended for large files) ─────────────────
   /**
-   * List files and folders inside a bucket (or a folder within it).
+   * Step 1 of the recommended upload flow.
+   * Get a signed URL to upload directly to GCS from the client (supports progress).
+   *
+   * @example
+   * ```ts
+   * const { uploadUrl, path: confirmedPath } = await storage.getUploadUrl({
+   *   path: 'videos/intro.mp4',
+   *   mimeType: 'video/mp4',
+   *   size: file.size,
+   *   isPublic: true,
+   * });
    *
-   * Results are paginated — use `pagination.nextCursor` to fetch the next page.
+   * // Upload using XHR for progress tracking
+   * await storage.uploadToSignedUrl(uploadUrl, file, 'video/mp4', (pct) => {
+   *   console.log(`${pct}% uploaded`);
+   * });
+   *
+   * // Step 3: confirm
+   * const result = await storage.confirmUpload({ path: confirmedPath, mimeType: 'video/mp4', isPublic: true });
+   * ```
+   */
+  async getUploadUrl(opts) {
+    const result = await this.http.request(`${this.basePath}/upload-url`, {
+      method: "POST",
+      body: { isPublic: false, overwrite: false, expiresInSeconds: 900, ...opts },
+      headers: this.authHeaders
+    });
+    return result;
+  }
+  /**
+   * Upload data directly to a signed GCS URL (no auth headers needed).
+   * Optionally tracks progress via a callback.
    *
-   * @param bucketKey  Your storage bucket key (`ssk_…`)
-   * @param options    `prefix`, `limit`, `cursor`
+   * @param signedUrl  The URL returned by `getUploadUrl()`.
+   * @param data       File data.
+   * @param mimeType   Must match what was used in `getUploadUrl()`.
+   * @param onProgress Optional callback called with 0–100 progress percentage.
+   */
+  async uploadToSignedUrl(signedUrl, data, mimeType, onProgress) {
+    await this.http.putToSignedUrl(signedUrl, data, mimeType, onProgress);
+  }
+  /**
+   * Step 3 of the recommended upload flow.
+   * Confirm a direct upload and register metadata on the server.
    *
    * @example
-   * const { data } = await hydrous.storage.list('ssk_my_bucket_key', {
-   *   prefix: 'avatars/',
-   *   limit:  50,
+   * ```ts
+   * const result = await storage.confirmUpload({
+   *   path: 'videos/intro.mp4',
+   *   mimeType: 'video/mp4',
+   *   isPublic: true,
    * });
-   * for (const item of data.items) {
-   *   console.log(item.type, item.path);
+   * console.log(result.publicUrl);
+   * ```
+   */
+  async confirmUpload(opts) {
+    const result = await this.http.request(`${this.basePath}/confirm`, {
+      method: "POST",
+      body: { isPublic: false, ...opts },
+      headers: this.authHeaders
+    });
+    return {
+      path: result.path,
+      mimeType: result.mimeType,
+      size: result.size,
+      isPublic: result.isPublic,
+      publicUrl: result.publicUrl,
+      downloadUrl: result.downloadUrl
+    };
+  }
+  // ─── Batch Upload ─────────────────────────────────────────────────────────
+  /**
+   * Get signed upload URLs for multiple files at once.
+   *
+   * @example
+   * ```ts
+   * const { files } = await storage.getBatchUploadUrls([
+   *   { path: 'images/photo1.jpg', mimeType: 'image/jpeg', size: 204800 },
+   *   { path: 'images/photo2.jpg', mimeType: 'image/jpeg', size: 153600 },
+   * ]);
+   *
+   * // Upload each file and confirm
+   * for (const f of files) {
+   *   await storage.uploadToSignedUrl(f.uploadUrl, blobs[f.index], f.mimeType);
+   *   await storage.confirmUpload({ path: f.path, mimeType: f.mimeType });
    * }
+   * ```
    */
-  async list(bucketKey, options = {}) {
-    const { prefix = "", limit = 50, cursor } = options;
-    try {
-      const params = {
-        prefix: prefix || void 0,
-        limit,
-        cursor: cursor || void 0
-      };
-      const url = buildUrl(
-        this.baseUrl,
-        `storage/${bucketFromKey(bucketKey)}/list`,
-        params
-      );
-      const res = await fetch(url, { headers: storageHeaders(bucketKey) });
-      const json = await parseResponse(res);
-      return { data: json, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async getBatchUploadUrls(files) {
+    const result = await this.http.request(
+      `${this.basePath}/batch-upload-urls`,
+      { method: "POST", body: { files }, headers: this.authHeaders }
+    );
+    return { files: result.files };
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // METADATA
-  // ══════════════════════════════════════════════════════════════════════════
   /**
-   * Get metadata for a specific file (size, MIME type, compression info, etc.)
+   * Confirm multiple direct uploads at once.
+   */
+  async batchConfirmUploads(items) {
+    const result = await this.http.request(
+      `${this.basePath}/batch-confirm`,
+      { method: "POST", body: { files: items }, headers: this.authHeaders }
+    );
+    return result.files.map((r) => ({
+      path: r.path,
+      mimeType: r.mimeType,
+      size: r.size,
+      isPublic: r.isPublic,
+      publicUrl: r.publicUrl,
+      downloadUrl: r.downloadUrl
+    }));
+  }
+  // ─── Download ─────────────────────────────────────────────────────────────
+  /**
+   * Download a private file as an ArrayBuffer.
+   * For public files, use the `publicUrl` directly — no SDK needed.
    *
-   * @param bucketKey  Your storage bucket key (`ssk_…`)
-   * @param filePath   Path of the file within your bucket
+   * @example
+   * ```ts
+   * const buffer = await storage.download('docs/contract.pdf');
+   * const blob = new Blob([buffer], { type: 'application/pdf' });
+   * // Open in browser:
+   * window.open(URL.createObjectURL(blob));
+   * ```
+   */
+  async download(path) {
+    const encoded = path.split("/").map(encodeURIComponent).join("/");
+    return this.http.request(`${this.basePath}/download/${encoded}`, {
+      method: "GET",
+      headers: this.authHeaders
+    });
+  }
+  /**
+   * Download multiple files at once, returned as a JSON map of `{ path: base64 }`.
    *
    * @example
-   * const { data } = await hydrous.storage.metadata(
-   *   'ssk_my_bucket_key',
-   *   'avatars/alice.jpg'
-   * );
-   * console.log(data.size, data.mimeType);
+   * ```ts
+   * const files = await storage.batchDownload(['docs/a.pdf', 'docs/b.pdf']);
+   * ```
    */
-  async metadata(bucketKey, filePath) {
-    try {
-      const url = storageUrl(this.baseUrl, bucketKey, `metadata/${filePath}`);
-      const res = await fetch(url, { headers: storageHeaders(bucketKey) });
-      const json = await parseResponse(res);
-      return { data: json.data, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async batchDownload(paths) {
+    const result = await this.http.request(
+      `${this.basePath}/batch-download`,
+      { method: "POST", body: { paths }, headers: this.authHeaders }
+    );
+    return result.files;
+  }
+  // ─── List ─────────────────────────────────────────────────────────────────
+  /**
+   * List files and folders at a given path prefix.
+   *
+   * @example
+   * ```ts
+   * // List everything in the root
+   * const { files, folders } = await storage.list();
+   *
+   * // List a specific folder
+   * const { files, folders, hasMore, nextCursor } = await storage.list({
+   *   prefix: 'avatars/',
+   *   limit: 20,
+   * });
+   *
+   * // Next page
+   * const page2 = await storage.list({ prefix: 'avatars/', cursor: nextCursor });
+   * ```
+   */
+  async list(opts = {}) {
+    const params = new URLSearchParams();
+    if (opts.prefix) params.set("prefix", opts.prefix);
+    if (opts.limit) params.set("limit", String(opts.limit));
+    if (opts.cursor) params.set("cursor", opts.cursor);
+    if (opts.recursive) params.set("recursive", "true");
+    const qs = params.toString() ? `?${params}` : "";
+    const result = await this.http.request(`${this.basePath}/list${qs}`, {
+      method: "GET",
+      headers: this.authHeaders
+    });
+    return {
+      files: result.files,
+      folders: result.folders,
+      hasMore: result.hasMore,
+      nextCursor: result.nextCursor
+    };
+  }
+  // ─── Metadata ─────────────────────────────────────────────────────────────
+  /**
+   * Get metadata for a file (size, MIME type, visibility, URLs).
+   *
+   * @example
+   * ```ts
+   * const meta = await storage.getMetadata('avatars/alice.jpg');
+   * console.log(meta.size, meta.isPublic, meta.publicUrl);
+   * ```
+   */
+  async getMetadata(path) {
+    const encoded = path.split("/").map(encodeURIComponent).join("/");
+    const result = await this.http.request(
+      `${this.basePath}/metadata/${encoded}`,
+      { method: "GET", headers: this.authHeaders }
+    );
+    return {
+      path: result.path,
+      size: result.size,
+      mimeType: result.mimeType,
+      isPublic: result.isPublic,
+      publicUrl: result.publicUrl,
+      downloadUrl: result.downloadUrl,
+      createdAt: result.createdAt,
+      updatedAt: result.updatedAt
+    };
+  }
+  // ─── Signed URL (time-limited share) ─────────────────────────────────────
+  /**
+   * Generate a time-limited download URL for a private file.
+   * The URL can be shared externally without requiring an `X-Storage-Key`.
+   *
+   * > **Note:** Downloads via signed URLs bypass the server, so download stats
+   * > are NOT tracked. Use `downloadUrl` for tracked downloads.
+   *
+   * @param path       Path to the file.
+   * @param expiresIn  URL lifetime in seconds (default 3600 = 1 hour).
+   *
+   * @example
+   * ```ts
+   * const { signedUrl, expiresAt } = await storage.getSignedUrl('docs/invoice.pdf', 1800);
+   * // Share signedUrl with the recipient — it expires in 30 minutes.
+   * ```
+   */
+  async getSignedUrl(path, expiresIn = 3600) {
+    const result = await this.http.request(`${this.basePath}/signed-url`, {
+      method: "POST",
+      body: { path, expiresIn },
+      headers: this.authHeaders
+    });
+    return {
+      signedUrl: result.signedUrl,
+      expiresAt: result.expiresAt,
+      expiresIn: result.expiresIn,
+      path: result.path
+    };
+  }
+  // ─── Visibility ───────────────────────────────────────────────────────────
+  /**
+   * Change a file's visibility between public and private after upload.
+   *
+   * @example
+   * ```ts
+   * // Make a file public
+   * const result = await storage.setVisibility('avatars/alice.jpg', true);
+   * console.log(result.publicUrl); // CDN URL
+   *
+   * // Make a file private
+   * const result = await storage.setVisibility('avatars/alice.jpg', false);
+   * console.log(result.downloadUrl); // Auth-required URL
+   * ```
+   */
+  async setVisibility(path, isPublic) {
+    const result = await this.http.request(`${this.basePath}/visibility`, {
+      method: "PATCH",
+      body: { path, isPublic },
+      headers: this.authHeaders
+    });
+    return {
+      path: result.path,
+      isPublic: result.isPublic,
+      publicUrl: result.publicUrl,
+      downloadUrl: result.downloadUrl
+    };
+  }
+  // ─── Folder Operations ────────────────────────────────────────────────────
+  /**
+   * Create a folder (a GCS prefix placeholder).
+   *
+   * @example
+   * ```ts
+   * await storage.createFolder('uploads/2025/');
+   * ```
+   */
+  async createFolder(path) {
+    const result = await this.http.request(
+      `${this.basePath}/folder`,
+      { method: "POST", body: { path }, headers: this.authHeaders }
+    );
+    return { path: result.path };
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // DELETE FILE
-  // ══════════════════════════════════════════════════════════════════════════
+  // ─── File Operations ──────────────────────────────────────────────────────
   /**
    * Delete a single file.
    *
-   * @param bucketKey  Your storage bucket key (`ssk_…`)
-   * @param filePath   Path of the file to delete
+   * @example
+   * ```ts
+   * await storage.deleteFile('avatars/old-avatar.jpg');
+   * ```
+   */
+  async deleteFile(path) {
+    await this.http.request(`${this.basePath}/file`, {
+      method: "DELETE",
+      body: { path },
+      headers: this.authHeaders
+    });
+  }
+  /**
+   * Delete a folder and all its contents recursively.
    *
    * @example
-   * await hydrous.storage.deleteFile('ssk_my_bucket_key', 'avatars/old.jpg');
+   * ```ts
+   * await storage.deleteFolder('temp/');
+   * ```
    */
-  async deleteFile(bucketKey, filePath) {
-    try {
-      const url = storageUrl(this.baseUrl, bucketKey, "file");
-      const res = await fetch(url, {
-        method: "DELETE",
-        headers: { ...storageHeaders(bucketKey), "Content-Type": "application/json" },
-        body: JSON.stringify({ path: filePath })
-      });
-      await parseResponse(res);
-      return { data: void 0, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async deleteFolder(path) {
+    await this.http.request(`${this.basePath}/folder`, {
+      method: "DELETE",
+      body: { path },
+      headers: this.authHeaders
+    });
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // DELETE FOLDER
-  // ══════════════════════════════════════════════════════════════════════════
   /**
-   * Recursively delete a folder and all of its contents.
+   * Move or rename a file.
    *
-   * @param bucketKey   Your storage bucket key (`ssk_…`)
-   * @param folderPath  Folder path to delete (e.g. `"old-uploads/"`)
+   * @example
+   * ```ts
+   * // Rename
+   * await storage.move('docs/draft.pdf', 'docs/final.pdf');
+   * // Move to a different folder
+   * await storage.move('inbox/report.xlsx', 'archive/2025/report.xlsx');
+   * ```
+   */
+  async move(from, to) {
+    const result = await this.http.request(
+      `${this.basePath}/move`,
+      { method: "POST", body: { from, to }, headers: this.authHeaders }
+    );
+    return { from: result.from, to: result.to };
+  }
+  /**
+   * Copy a file to a new path.
    *
    * @example
-   * await hydrous.storage.deleteFolder('ssk_my_bucket_key', 'temp/');
+   * ```ts
+   * await storage.copy('templates/base.html', 'sites/my-site/index.html');
+   * ```
    */
-  async deleteFolder(bucketKey, folderPath) {
-    try {
-      const url = storageUrl(this.baseUrl, bucketKey, "folder");
-      const res = await fetch(url, {
-        method: "DELETE",
-        headers: { ...storageHeaders(bucketKey), "Content-Type": "application/json" },
-        body: JSON.stringify({ path: folderPath })
-      });
-      await parseResponse(res);
-      return { data: void 0, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
-    }
+  async copy(from, to) {
+    const result = await this.http.request(
+      `${this.basePath}/copy`,
+      { method: "POST", body: { from, to }, headers: this.authHeaders }
+    );
+    return { from: result.from, to: result.to };
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // CREATE FOLDER
-  // ══════════════════════════════════════════════════════════════════════════
+  // ─── Stats ────────────────────────────────────────────────────────────────
   /**
-   * Create an empty folder.
+   * Get storage statistics for your key: total files, bytes, operation counts.
    *
-   * @param bucketKey   Your storage bucket key (`ssk_…`)
-   * @param folderPath  Path for the new folder (e.g. `"avatars/2024/"`)
+   * @example
+   * ```ts
+   * const stats = await storage.getStats();
+   * console.log(`${stats.totalFiles} files, ${(stats.totalBytes / 1e6).toFixed(1)} MB`);
+   * ```
+   */
+  async getStats() {
+    const result = await this.http.request(`${this.basePath}/stats`, {
+      method: "GET",
+      headers: this.authHeaders
+    });
+    return result.stats;
+  }
+  // ─── Info (no auth) ───────────────────────────────────────────────────────
+  /**
+   * Ping the storage service. No authentication required.
    *
    * @example
-   * await hydrous.storage.createFolder('ssk_my_bucket_key', 'avatars/2024/');
+   * ```ts
+   * const info = await storage.info();
+   * // → { ok: true, storageRoot: 'hydrous-storage' }
+   * ```
    */
-  async createFolder(bucketKey, folderPath) {
-    try {
-      const url = storageUrl(this.baseUrl, bucketKey, "folder");
-      const res = await fetch(url, {
-        method: "POST",
-        headers: { ...storageHeaders(bucketKey), "Content-Type": "application/json" },
-        body: JSON.stringify({ path: folderPath })
-      });
-      await parseResponse(res);
-      return { data: void 0, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
+  async info() {
+    return this.http.get(`${this.basePath}/info`);
+  }
+};
+
+// src/storage/scoped.ts
+var ScopedStorage = class _ScopedStorage {
+  constructor(manager, prefix) {
+    this.manager = manager;
+    this.prefix = prefix.replace(/\/+$/, "") + "/";
+  }
+  scopedPath(userPath) {
+    return `${this.prefix}${userPath.replace(/^\/+/, "")}`;
+  }
+  /** Upload a file within the scoped folder. */
+  upload(data, path, options) {
+    return this.manager.upload(data, this.scopedPath(path), options);
+  }
+  /** Upload raw JSON or text within the scoped folder. */
+  uploadRaw(data, path, options) {
+    return this.manager.uploadRaw(data, this.scopedPath(path), options);
+  }
+  /** Get a signed upload URL for a file within the scoped folder. */
+  getUploadUrl(opts) {
+    return this.manager.getUploadUrl({ ...opts, path: this.scopedPath(opts.path) });
+  }
+  /** Upload data directly to a signed GCS URL with optional progress tracking. */
+  uploadToSignedUrl(signedUrl, data, mimeType, onProgress) {
+    return this.manager.uploadToSignedUrl(signedUrl, data, mimeType, onProgress);
+  }
+  /** Confirm a direct upload within the scoped folder. */
+  confirmUpload(opts) {
+    return this.manager.confirmUpload({ ...opts, path: this.scopedPath(opts.path) });
+  }
+  /** Download a file within the scoped folder. */
+  download(path) {
+    return this.manager.download(this.scopedPath(path));
+  }
+  /** List files within the scoped folder. */
+  list(opts = {}) {
+    return this.manager.list({ ...opts, prefix: this.scopedPath(opts.prefix ?? "") });
+  }
+  /** Get metadata for a file within the scoped folder. */
+  getMetadata(path) {
+    return this.manager.getMetadata(this.scopedPath(path));
+  }
+  /** Get a time-limited signed URL for a file within the scoped folder. */
+  getSignedUrl(path, expiresIn) {
+    return this.manager.getSignedUrl(this.scopedPath(path), expiresIn);
+  }
+  /** Change visibility of a file within the scoped folder. */
+  setVisibility(path, isPublic) {
+    return this.manager.setVisibility(this.scopedPath(path), isPublic);
+  }
+  /** Delete a file within the scoped folder. */
+  deleteFile(path) {
+    return this.manager.deleteFile(this.scopedPath(path));
+  }
+  /** Delete a sub-folder within the scoped folder. */
+  deleteFolder(path) {
+    return this.manager.deleteFolder(this.scopedPath(path));
+  }
+  /** Move a file within the scoped folder. */
+  move(from, to) {
+    return this.manager.move(this.scopedPath(from), this.scopedPath(to));
+  }
+  /** Copy a file within the scoped folder. */
+  copy(from, to) {
+    return this.manager.copy(this.scopedPath(from), this.scopedPath(to));
+  }
+  /** Create a sub-folder within the scoped folder. */
+  createFolder(path) {
+    return this.manager.createFolder(this.scopedPath(path));
+  }
+  /**
+   * Create a further-scoped instance nested within this scope.
+   *
+   * @example
+   * ```ts
+   * const uploads = db.storage.scope('user-uploads');
+   * const images  = uploads.scope('images'); // → "user-uploads/images/"
+   * ```
+   */
+  scope(subPrefix) {
+    return new _ScopedStorage(this.manager, this.scopedPath(subPrefix));
+  }
+};
+
+// src/client.ts
+var HydrousClient = class {
+  constructor(config) {
+    this._storage = null;
+    this._recordsCache = /* @__PURE__ */ new Map();
+    this._authCache = /* @__PURE__ */ new Map();
+    this._analyticsCache = /* @__PURE__ */ new Map();
+    if (!config.securityKey) {
+      throw new Error(
+        "[HydrousDB] securityKey is required. Get yours from https://hydrousdb.com/dashboard."
+      );
     }
+    const baseUrl = config.baseUrl ?? DEFAULT_BASE_URL;
+    this.http = new HttpClient(baseUrl, config.securityKey);
+    this._storageKey = config.securityKey;
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // MOVE
-  // ══════════════════════════════════════════════════════════════════════════
+  // ─── Records ─────────────────────────────────────────────────────────────
   /**
-   * Move (rename) a file to a new path.
+   * Get a typed records client for the given bucket.
+   *
+   * The generic type parameter `T` describes the shape of records in this
+   * bucket. Leave it unset for a generic `Record<string, unknown>` shape.
    *
-   * @param bucketKey  Your storage bucket key (`ssk_…`)
-   * @param fromPath   Current path of the file
-   * @param toPath     New path for the file
+   * @param bucketKey  The name of your bucket (must match what you created in the dashboard).
    *
    * @example
-   * await hydrous.storage.move(
-   *   'ssk_my_bucket_key',
-   *   'drafts/report.pdf',
-   *   'published/report.pdf'
-   * );
+   * ```ts
+   * interface Post { title: string; body: string; published: boolean }
+   * const posts = db.records<Post>('blog-posts');
+   *
+   * const post = await posts.create({ title: 'Hello', body: '...', published: false });
+   * // post.id, post.createdAt, post.updatedAt are added automatically
+   * ```
    */
-  async move(bucketKey, fromPath, toPath) {
-    try {
-      const url = storageUrl(this.baseUrl, bucketKey, "move");
-      const res = await fetch(url, {
-        method: "POST",
-        headers: { ...storageHeaders(bucketKey), "Content-Type": "application/json" },
-        body: JSON.stringify({ from: fromPath, to: toPath })
-      });
-      await parseResponse(res);
-      return { data: void 0, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
+  records(bucketKey) {
+    if (!this._recordsCache.has(bucketKey)) {
+      this._recordsCache.set(bucketKey, new RecordsClient(this.http, bucketKey));
     }
+    return this._recordsCache.get(bucketKey);
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // COPY
-  // ══════════════════════════════════════════════════════════════════════════
+  // ─── Auth ─────────────────────────────────────────────────────────────────
   /**
-   * Copy a file to a new path (original is kept).
+   * Get an auth client for the given user bucket.
    *
-   * @param bucketKey  Your storage bucket key (`ssk_…`)
-   * @param fromPath   Source path
-   * @param toPath     Destination path
+   * @param bucketKey  The name of your user bucket (e.g. `"app-users"`).
    *
    * @example
-   * await hydrous.storage.copy(
-   *   'ssk_my_bucket_key',
-   *   'templates/invoice.pdf',
-   *   'invoices/invoice-001.pdf'
-   * );
+   * ```ts
+   * const auth = db.auth('app-users');
+   * const { user, session } = await auth.login({ email: '...', password: '...' });
+   * ```
    */
-  async copy(bucketKey, fromPath, toPath) {
-    try {
-      const url = storageUrl(this.baseUrl, bucketKey, "copy");
-      const res = await fetch(url, {
-        method: "POST",
-        headers: { ...storageHeaders(bucketKey), "Content-Type": "application/json" },
-        body: JSON.stringify({ from: fromPath, to: toPath })
-      });
-      await parseResponse(res);
-      return { data: void 0, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
+  auth(bucketKey) {
+    if (!this._authCache.has(bucketKey)) {
+      this._authCache.set(bucketKey, new AuthClient(this.http, bucketKey));
     }
+    return this._authCache.get(bucketKey);
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // SIGNED URL
-  // ══════════════════════════════════════════════════════════════════════════
+  // ─── Analytics ────────────────────────────────────────────────────────────
   /**
-   * Generate a time-limited public URL for a private file.
+   * Get an analytics client for the given bucket.
    *
-   * @param bucketKey  Your storage bucket key (`ssk_…`)
-   * @param filePath   Path of the file
-   * @param options    `expiresIn` seconds (default: 3600)
+   * @param bucketKey  The name of the bucket to analyse.
    *
    * @example
-   * const { data } = await hydrous.storage.signedUrl(
-   *   'ssk_my_bucket_key',
-   *   'private/contract.pdf',
-   *   { expiresIn: 300 }   // 5 minutes
-   * );
-   * console.log(data.signedUrl);  // share this URL
+   * ```ts
+   * const analytics = db.analytics('orders');
+   * const { count } = await analytics.count();
+   * ```
    */
-  async signedUrl(bucketKey, filePath, options = {}) {
-    const { expiresIn = 3600 } = options;
-    try {
-      const url = storageUrl(this.baseUrl, bucketKey, "signed-url");
-      const res = await fetch(url, {
-        method: "POST",
-        headers: { ...storageHeaders(bucketKey), "Content-Type": "application/json" },
-        body: JSON.stringify({ path: filePath, expiresInSeconds: expiresIn })
-      });
-      const json = await parseResponse(res);
-      return { data: json, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
+  analytics(bucketKey) {
+    if (!this._analyticsCache.has(bucketKey)) {
+      this._analyticsCache.set(bucketKey, new AnalyticsClient(this.http, bucketKey));
     }
+    return this._analyticsCache.get(bucketKey);
   }
-  // ══════════════════════════════════════════════════════════════════════════
-  // STATS
-  // ══════════════════════════════════════════════════════════════════════════
+  // ─── Storage ──────────────────────────────────────────────────────────────
   /**
-   * Get usage and billing statistics for this bucket key.
+   * The storage manager for uploading, downloading, listing, and managing files.
    *
-   * @param bucketKey  Your storage bucket key (`ssk_…`)
+   * Scoped to your project — you can never access another project's files.
    *
    * @example
-   * const { data } = await hydrous.storage.stats('ssk_my_bucket_key');
-   * console.log(`${data.totalFiles} files, ${data.totalSizeBytes} bytes stored`);
+   * ```ts
+   * // Upload a file
+   * const result = await db.storage.upload(file, 'images/photo.jpg', { isPublic: true });
+   *
+   * // Scope to a folder
+   * const avatars = db.storage.scope('user-avatars');
+   * await avatars.upload(blob, `${userId}.jpg`, { isPublic: true });
+   * ```
    */
-  async stats(bucketKey) {
-    try {
-      const url = buildUrl(this.baseUrl, `storage/${bucketFromKey(bucketKey)}/stats`);
-      const res = await fetch(url, { headers: storageHeaders(bucketKey) });
-      const json = await parseResponse(res);
-      return { data: json.data, error: null };
-    } catch (err) {
-      return { data: null, error: toHydrousError(err) };
+  get storage() {
+    if (!this._storage) {
+      this._storage = new StorageManager(this.http, this._storageKey);
     }
+    const mgr = this._storage;
+    const extended = mgr;
+    if (!extended.scope) {
+      extended.scope = (prefix) => new ScopedStorage(mgr, prefix);
+    }
+    return extended;
   }
 };
-
-// src/client.ts
-var HydrousClient = class {
-  constructor(config) {
-    if (!config.url) throw new Error("[Hydrous] config.url is required");
-    if (!config.apiKey) throw new Error("[Hydrous] config.apiKey is required");
-    this.auth = new AuthClient(config);
-    this.records = new RecordsClient(config);
-    this.analytics = new AnalyticsClient(config);
-    this.storage = new StorageClient(config);
-  }
-};
-
-// src/index.ts
 function createClient(config) {
   return new HydrousClient(config);
 }
 
-exports.AnalyticsClient = AnalyticsClient;
-exports.AuthClient = AuthClient;
-exports.HydrousClient = HydrousClient;
-exports.HydrousSDKError = HydrousSDKError;
-exports.RecordsClient = RecordsClient;
-exports.StorageClient = StorageClient;
-exports.createClient = createClient;
-exports.eq = eq;
-exports.gt = gt;
-exports.inArray = inArray;
-exports.isHydrousError = isHydrousError;
-exports.lt = lt;
-exports.neq = neq;
+export { AnalyticsClient, AnalyticsError, AuthClient, AuthError, HydrousClient, HydrousError, NetworkError, RecordError, RecordsClient, ScopedStorage, StorageError, StorageManager, ValidationError, createClient };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map