lazyconvex 0.0.0

package/dist/server/index.mjs

@@ -0,0 +1,2572 @@
+import { cvFileKindOf, elementOf, isArrayType, isStringType, unwrapZod } from "../zod.mjs";
+import { n as getErrorMessage, r as isRecord, t as getErrorCode } from "../error-D4GuI0ot.mjs";
+import { ConvexError, v } from "convex/values";
+import { anyApi, defineTable } from "convex/server";
+import { array, boolean, nullable, number, object, string, z } from "zod/v4";
+import { customCtx } from "convex-helpers/server/customFunctions";
+import { zCustomMutation, zCustomQuery, zid, zodOutputToConvexFields } from "convex-helpers/server/zod4";
+
+//#region src/server/check-schema.ts
+const unsupportedTypes = new Set(["pipe", "transform"]), scan = (schema, path, out) => {
+	const b = unwrapZod(schema);
+	if (b.type && unsupportedTypes.has(b.type)) out.push({
+		path,
+		zodType: b.type
+	});
+	if (isArrayType(b.type)) return scan(elementOf(b.schema), `${path}[]`, out);
+	if (b.type === "object" && b.schema && isRecord(b.schema.shape)) for (const [k, v] of Object.entries(b.schema.shape)) scan(v, path ? `${path}.${k}` : k, out);
+}, checkSchema = (schemas) => {
+	const res = [];
+	for (const [table, schema] of Object.entries(schemas)) scan(schema, table, res);
+	if (res.length) {
+		for (const f of res) process.stderr.write(`${f.path}: unsupported zod type "${f.zodType}"\n`);
+		process.exitCode = 1;
+	}
+};
+
+//#endregion
+//#region src/server/test.ts
+const TEST_EMAIL = "test@playwright.local", BATCH_SIZE = 50, isTestMode = () => process.env.CONVEX_TEST_MODE === "true", generateToken$1 = () => {
+	const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+	let token = "";
+	for (let i = 0; i < 32; i += 1) token += chars.charAt(Math.floor(Math.random() * 62));
+	return token;
+}, getOrgMembership$1 = async (db, orgId, userId) => {
+	const orgDoc = await db.get(orgId);
+	if (!orgDoc) return null;
+	const isOwner = orgDoc.userId === userId, member = await db.query("orgMember").withIndex("by_org_user", ((q) => q.eq("orgId", orgId).eq("userId", userId))).unique();
+	if (!(isOwner || member)) return null;
+	return {
+		isAdmin: isOwner || member?.isAdmin === true,
+		isOwner,
+		member,
+		orgDoc
+	};
+}, makeTestAuth = (config) => {
+	const { mutation: rawMut, query: rawQry } = config, mutation = rawMut, query = rawQry, getAuthUserIdOrTest = async (ctx) => {
+		if (!isTestMode()) return config.getAuthUserId(ctx);
+		const c = ctx, identity = await c.auth.getUserIdentity();
+		if (identity === null) return (await c.db.query("users").filter(((q) => q.eq(q.field("email"), TEST_EMAIL))).first())?._id;
+		return identity.subject.split("|")[0] ?? null;
+	}, ensureTestUser = mutation({
+		args: {},
+		handler: async (ctx) => {
+			if (!isTestMode()) return null;
+			const u = await ctx.db.query("users").filter(((q) => q.eq(q.field("email"), TEST_EMAIL))).first();
+			if (u) return u._id;
+			return ctx.db.insert("users", {
+				email: TEST_EMAIL,
+				emailVerificationTime: Date.now(),
+				name: "Test User"
+			});
+		}
+	}), getTestUser = query({
+		args: {},
+		handler: async (ctx) => {
+			if (!isTestMode()) return null;
+			return (await ctx.db.query("users").filter(((q) => q.eq(q.field("email"), TEST_EMAIL))).first())?._id ?? null;
+		}
+	}), createTestUser = mutation({
+		args: {
+			email: v.string(),
+			name: v.string()
+		},
+		handler: async (ctx, { email, name }) => {
+			if (!isTestMode()) return null;
+			const existing = await ctx.db.query("users").filter(((q) => q.eq(q.field("email"), email))).first();
+			if (existing) return existing._id;
+			return ctx.db.insert("users", {
+				email,
+				emailVerificationTime: Date.now(),
+				name
+			});
+		}
+	}), getTestUserByEmail = query({
+		args: { email: v.string() },
+		handler: async (ctx, { email }) => {
+			if (!isTestMode()) return null;
+			return (await ctx.db.query("users").filter(((q) => q.eq(q.field("email"), email))).first())?._id ?? null;
+		}
+	}), addTestOrgMember = mutation({
+		args: {
+			isAdmin: v.boolean(),
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { isAdmin, orgId, userId }) => {
+			if (!isTestMode()) return null;
+			const existing = await ctx.db.query("orgMember").withIndex("by_org_user", ((q) => q.eq("orgId", orgId).eq("userId", userId))).unique();
+			if (existing) {
+				await ctx.db.patch(existing._id, {
+					isAdmin,
+					updatedAt: Date.now()
+				});
+				return existing._id;
+			}
+			return ctx.db.insert("orgMember", {
+				isAdmin,
+				orgId,
+				updatedAt: Date.now(),
+				userId
+			});
+		}
+	}), removeTestOrgMember = mutation({
+		args: {
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { orgId, userId }) => {
+			if (!isTestMode()) return false;
+			const member = await ctx.db.query("orgMember").withIndex("by_org_user", ((q) => q.eq("orgId", orgId).eq("userId", userId))).unique();
+			if (member) {
+				await ctx.db.delete(member._id);
+				return true;
+			}
+			return false;
+		}
+	}), cleanupTestUsers = mutation({
+		args: { emailPrefix: v.string() },
+		handler: async (ctx, { emailPrefix }) => {
+			if (!isTestMode()) return { count: 0 };
+			const users = await ctx.db.query("users").collect();
+			let count = 0;
+			for (const u of users) if (u.email?.startsWith(emailPrefix) && u.email !== TEST_EMAIL) {
+				await ctx.db.delete(u._id);
+				count += 1;
+			}
+			return { count };
+		}
+	}), cleanupOrgTestData = mutation({
+		args: {
+			slugPrefix: v.string(),
+			tables: v.optional(v.array(v.string()))
+		},
+		handler: async (ctx, { slugPrefix, tables }) => {
+			if (!isTestMode()) return {
+				count: 0,
+				done: true
+			};
+			const allOrgs = await ctx.db.query("org").collect(), orgIds = [];
+			for (const o of allOrgs) if (o.slug.startsWith(slugPrefix)) orgIds.push(o._id);
+			if (orgIds.length === 0) return {
+				count: 0,
+				done: true
+			};
+			let count = 0;
+			for (const orgId of orgIds) {
+				if (tables) for (const table of tables) {
+					const docs = await ctx.db.query(table).take(BATCH_SIZE * 2);
+					for (const d of docs) if (d.orgId === orgId) {
+						await ctx.db.delete(d._id);
+						count += 1;
+					}
+				}
+				const requests = await ctx.db.query("orgJoinRequest").withIndex("by_org", ((q) => q.eq("orgId", orgId))).collect();
+				for (const r of requests) {
+					await ctx.db.delete(r._id);
+					count += 1;
+				}
+				const invites = await ctx.db.query("orgInvite").withIndex("by_org", ((q) => q.eq("orgId", orgId))).collect();
+				for (const i of invites) {
+					await ctx.db.delete(i._id);
+					count += 1;
+				}
+				const members = await ctx.db.query("orgMember").withIndex("by_org", ((q) => q.eq("orgId", orgId))).collect();
+				for (const m of members) {
+					await ctx.db.delete(m._id);
+					count += 1;
+				}
+				await ctx.db.delete(orgId);
+				count += 1;
+			}
+			return {
+				count,
+				done: true
+			};
+		}
+	}), inviteAsUser = mutation({
+		args: {
+			email: v.string(),
+			isAdmin: v.boolean(),
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { email, isAdmin, orgId, userId }) => {
+			if (!isTestMode()) return null;
+			const membership = await getOrgMembership$1(ctx.db, orgId, userId);
+			if (!membership) return { code: "NOT_ORG_MEMBER" };
+			if (!membership.isAdmin) return { code: "INSUFFICIENT_ORG_ROLE" };
+			const token = generateToken$1();
+			return {
+				inviteId: await ctx.db.insert("orgInvite", {
+					email,
+					expiresAt: Date.now() + 10080 * 60 * 1e3,
+					isAdmin,
+					orgId,
+					token
+				}),
+				token
+			};
+		}
+	}), acceptInviteAsUser = mutation({
+		args: {
+			token: v.string(),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { token, userId }) => {
+			if (!isTestMode()) return null;
+			const inviteDoc = await ctx.db.query("orgInvite").withIndex("by_token", ((q) => q.eq("token", token))).unique();
+			if (!inviteDoc) return { code: "INVALID_INVITE" };
+			if (inviteDoc.expiresAt < Date.now()) return { code: "INVITE_EXPIRED" };
+			const orgDoc = await ctx.db.get(inviteDoc.orgId);
+			if (!orgDoc) return { code: "NOT_FOUND" };
+			if (orgDoc.userId === userId) return { code: "ALREADY_ORG_MEMBER" };
+			if (await ctx.db.query("orgMember").withIndex("by_org_user", ((q) => q.eq("orgId", inviteDoc.orgId).eq("userId", userId))).unique()) return { code: "ALREADY_ORG_MEMBER" };
+			const pendingRequest = await ctx.db.query("orgJoinRequest").withIndex("by_org_status", ((q) => q.eq("orgId", inviteDoc.orgId).eq("status", "pending"))).filter(((q) => q.eq(q.field("userId"), userId))).unique();
+			if (pendingRequest) await ctx.db.patch(pendingRequest._id, { status: "approved" });
+			await ctx.db.insert("orgMember", {
+				isAdmin: inviteDoc.isAdmin,
+				orgId: inviteDoc.orgId,
+				updatedAt: Date.now(),
+				userId
+			});
+			await ctx.db.delete(inviteDoc._id);
+			return { orgId: inviteDoc.orgId };
+		}
+	}), setAdminAsUser = mutation({
+		args: {
+			isAdmin: v.boolean(),
+			memberId: v.id("orgMember"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { isAdmin, memberId, userId }) => {
+			if (!isTestMode()) return null;
+			const memberDoc = await ctx.db.get(memberId);
+			if (!memberDoc) return { code: "NOT_FOUND" };
+			const orgDoc = await ctx.db.get(memberDoc.orgId);
+			if (!orgDoc) return { code: "NOT_FOUND" };
+			if (orgDoc.userId !== userId) return { code: "INSUFFICIENT_ORG_ROLE" };
+			if (memberDoc.userId === orgDoc.userId) return { code: "CANNOT_MODIFY_OWNER" };
+			await ctx.db.patch(memberId, {
+				isAdmin,
+				updatedAt: Date.now()
+			});
+			return { success: true };
+		}
+	}), removeMemberAsUser = mutation({
+		args: {
+			memberId: v.id("orgMember"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { memberId, userId }) => {
+			if (!isTestMode()) return null;
+			const memberDoc = await ctx.db.get(memberId);
+			if (!memberDoc) return { code: "NOT_FOUND" };
+			const membership = await getOrgMembership$1(ctx.db, memberDoc.orgId, userId);
+			if (!membership) return { code: "NOT_ORG_MEMBER" };
+			if (memberDoc.userId === membership.orgDoc.userId) return { code: "CANNOT_MODIFY_OWNER" };
+			if (!membership.isAdmin) return { code: "INSUFFICIENT_ORG_ROLE" };
+			if (!membership.isOwner && memberDoc.isAdmin) return { code: "CANNOT_MODIFY_ADMIN" };
+			await ctx.db.delete(memberId);
+			return { success: true };
+		}
+	}), transferOwnershipAsUser = mutation({
+		args: {
+			newOwnerId: v.id("users"),
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { newOwnerId, orgId, userId }) => {
+			if (!isTestMode()) return null;
+			const orgDoc = await ctx.db.get(orgId);
+			if (!orgDoc) return { code: "NOT_FOUND" };
+			if (orgDoc.userId !== userId) return { code: "INSUFFICIENT_ORG_ROLE" };
+			const targetMember = await ctx.db.query("orgMember").withIndex("by_org_user", ((q) => q.eq("orgId", orgId).eq("userId", newOwnerId))).unique();
+			if (!targetMember) return { code: "NOT_ORG_MEMBER" };
+			if (!targetMember.isAdmin) return { code: "TARGET_MUST_BE_ADMIN" };
+			await ctx.db.patch(orgId, {
+				updatedAt: Date.now(),
+				userId: newOwnerId
+			});
+			await ctx.db.delete(targetMember._id);
+			await ctx.db.insert("orgMember", {
+				isAdmin: true,
+				orgId,
+				updatedAt: Date.now(),
+				userId
+			});
+			return { success: true };
+		}
+	}), updateOrgAsUser = mutation({
+		args: {
+			data: v.object({
+				name: v.optional(v.string()),
+				slug: v.optional(v.string())
+			}),
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { data, orgId, userId }) => {
+			if (!isTestMode()) return null;
+			const membership = await getOrgMembership$1(ctx.db, orgId, userId);
+			if (!membership) return { code: "NOT_ORG_MEMBER" };
+			if (!membership.isAdmin) return { code: "INSUFFICIENT_ORG_ROLE" };
+			if (data.slug !== void 0) {
+				const existing = await ctx.db.query("org").withIndex("by_slug", ((q) => q.eq("slug", data.slug))).unique();
+				if (existing && existing._id !== orgId) return { code: "ORG_SLUG_TAKEN" };
+			}
+			await ctx.db.patch(orgId, {
+				...data,
+				updatedAt: Date.now()
+			});
+			return { success: true };
+		}
+	}), deleteOrgAsUser = mutation({
+		args: {
+			cascadeTables: v.optional(v.array(v.string())),
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { cascadeTables, orgId, userId }) => {
+			if (!isTestMode()) return null;
+			const orgDoc = await ctx.db.get(orgId);
+			if (!orgDoc) return { code: "NOT_FOUND" };
+			if (orgDoc.userId !== userId) return { code: "INSUFFICIENT_ORG_ROLE" };
+			if (cascadeTables) for (const table of cascadeTables) {
+				const docs = await ctx.db.query(table).filter(((q) => q.eq(q.field("orgId"), orgId))).collect();
+				for (const d of docs) await ctx.db.delete(d._id);
+			}
+			const requests = await ctx.db.query("orgJoinRequest").withIndex("by_org", ((q) => q.eq("orgId", orgId))).collect();
+			for (const r of requests) await ctx.db.delete(r._id);
+			const invites = await ctx.db.query("orgInvite").withIndex("by_org", ((q) => q.eq("orgId", orgId))).collect();
+			for (const i of invites) await ctx.db.delete(i._id);
+			const orgMembers = await ctx.db.query("orgMember").withIndex("by_org", ((q) => q.eq("orgId", orgId))).collect();
+			for (const m of orgMembers) await ctx.db.delete(m._id);
+			await ctx.db.delete(orgId);
+			return { success: true };
+		}
+	}), leaveOrgAsUser = mutation({
+		args: {
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { orgId, userId }) => {
+			if (!isTestMode()) return null;
+			const orgDoc = await ctx.db.get(orgId);
+			if (!orgDoc) return { code: "NOT_FOUND" };
+			if (orgDoc.userId === userId) return { code: "MUST_TRANSFER_OWNERSHIP" };
+			const member = await ctx.db.query("orgMember").withIndex("by_org_user", ((q) => q.eq("orgId", orgId).eq("userId", userId))).unique();
+			if (!member) return { code: "NOT_ORG_MEMBER" };
+			await ctx.db.delete(member._id);
+			return { success: true };
+		}
+	}), requestJoinAsUser = mutation({
+		args: {
+			message: v.optional(v.string()),
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { message, orgId, userId }) => {
+			if (!isTestMode()) return null;
+			const orgDoc = await ctx.db.get(orgId);
+			if (!orgDoc) return { code: "NOT_FOUND" };
+			if (orgDoc.userId === userId) return { code: "ALREADY_ORG_MEMBER" };
+			if (await ctx.db.query("orgMember").withIndex("by_org_user", ((q) => q.eq("orgId", orgId).eq("userId", userId))).unique()) return { code: "ALREADY_ORG_MEMBER" };
+			if (await ctx.db.query("orgJoinRequest").withIndex("by_org_status", ((q) => q.eq("orgId", orgId).eq("status", "pending"))).filter(((q) => q.eq(q.field("userId"), userId))).unique()) return { code: "JOIN_REQUEST_EXISTS" };
+			return { requestId: await ctx.db.insert("orgJoinRequest", {
+				message,
+				orgId,
+				status: "pending",
+				userId
+			}) };
+		}
+	}), approveJoinRequestAsUser = mutation({
+		args: {
+			isAdmin: v.boolean(),
+			requestId: v.id("orgJoinRequest"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { isAdmin, requestId, userId }) => {
+			if (!isTestMode()) return null;
+			const request = await ctx.db.get(requestId);
+			if (request?.status !== "pending") return { code: "NOT_FOUND" };
+			const membership = await getOrgMembership$1(ctx.db, request.orgId, userId);
+			if (!membership) return { code: "NOT_ORG_MEMBER" };
+			if (!membership.isAdmin) return { code: "INSUFFICIENT_ORG_ROLE" };
+			if (await ctx.db.query("orgMember").withIndex("by_org_user", ((q) => q.eq("orgId", request.orgId).eq("userId", request.userId))).unique()) return { code: "ALREADY_ORG_MEMBER" };
+			await ctx.db.patch(requestId, { status: "approved" });
+			await ctx.db.insert("orgMember", {
+				isAdmin,
+				orgId: request.orgId,
+				updatedAt: Date.now(),
+				userId: request.userId
+			});
+			return { success: true };
+		}
+	}), rejectJoinRequestAsUser = mutation({
+		args: {
+			requestId: v.id("orgJoinRequest"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { requestId, userId }) => {
+			if (!isTestMode()) return null;
+			const request = await ctx.db.get(requestId);
+			if (request?.status !== "pending") return { code: "NOT_FOUND" };
+			const membership = await getOrgMembership$1(ctx.db, request.orgId, userId);
+			if (!membership) return { code: "NOT_ORG_MEMBER" };
+			if (!membership.isAdmin) return { code: "INSUFFICIENT_ORG_ROLE" };
+			await ctx.db.patch(requestId, { status: "rejected" });
+			return { success: true };
+		}
+	}), cancelJoinRequestAsUser = mutation({
+		args: {
+			requestId: v.id("orgJoinRequest"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { requestId, userId }) => {
+			if (!isTestMode()) return null;
+			const requestDoc = await ctx.db.get(requestId);
+			if (!requestDoc) return { code: "NOT_FOUND" };
+			if (requestDoc.userId !== userId) return { code: "FORBIDDEN" };
+			if (requestDoc.status !== "pending") return { code: "NOT_FOUND" };
+			await ctx.db.delete(requestId);
+			return { success: true };
+		}
+	}), pendingInvitesAsUser = query({
+		args: {
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { orgId, userId }) => {
+			if (!isTestMode()) return null;
+			const membership = await getOrgMembership$1(ctx.db, orgId, userId);
+			if (!membership) return { code: "NOT_ORG_MEMBER" };
+			if (!membership.isAdmin) return { code: "INSUFFICIENT_ORG_ROLE" };
+			return ctx.db.query("orgInvite").withIndex("by_org", ((q) => q.eq("orgId", orgId))).collect();
+		}
+	}), pendingJoinRequestsAsUser = query({
+		args: {
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { orgId, userId }) => {
+			if (!isTestMode()) return null;
+			const membership = await getOrgMembership$1(ctx.db, orgId, userId);
+			if (!membership) return { code: "NOT_ORG_MEMBER" };
+			if (!membership.isAdmin) return { code: "INSUFFICIENT_ORG_ROLE" };
+			return ctx.db.query("orgJoinRequest").withIndex("by_org_status", ((q) => q.eq("orgId", orgId).eq("status", "pending"))).collect();
+		}
+	});
+	return {
+		acceptInviteAsUser,
+		addTestOrgMember,
+		approveJoinRequestAsUser,
+		cancelJoinRequestAsUser,
+		cleanupOrgTestData,
+		cleanupTestUsers,
+		createExpiredInvite: mutation({
+			args: {
+				email: v.string(),
+				isAdmin: v.boolean(),
+				orgId: v.id("org")
+			},
+			handler: async (ctx, { email, isAdmin, orgId }) => {
+				if (!isTestMode()) return null;
+				const token = generateToken$1();
+				return {
+					inviteId: await ctx.db.insert("orgInvite", {
+						email,
+						expiresAt: Date.now() - 1e3,
+						isAdmin,
+						orgId,
+						token
+					}),
+					token
+				};
+			}
+		}),
+		createTestUser,
+		deleteOrgAsUser,
+		ensureTestUser,
+		getAuthUserIdOrTest,
+		getJoinRequest: query({
+			args: { requestId: v.id("orgJoinRequest") },
+			handler: async (ctx, { requestId }) => {
+				if (!isTestMode()) return null;
+				return ctx.db.get(requestId);
+			}
+		}),
+		getTestUser,
+		getTestUserByEmail,
+		inviteAsUser,
+		isTestMode,
+		leaveOrgAsUser,
+		pendingInvitesAsUser,
+		pendingJoinRequestsAsUser,
+		rejectJoinRequestAsUser,
+		removeMemberAsUser,
+		removeTestOrgMember,
+		requestJoinAsUser,
+		setAdminAsUser,
+		TEST_EMAIL,
+		transferOwnershipAsUser,
+		updateOrgAsUser
+	};
+};
+
+//#endregion
+//#region src/server/file.ts
+const DEFAULT_ALLOWED_TYPES = new Set([
+	"application/json",
+	"application/msword",
+	"application/pdf",
+	"application/vnd.ms-excel",
+	"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+	"application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+	"image/gif",
+	"image/jpeg",
+	"image/png",
+	"image/svg+xml",
+	"image/webp",
+	"text/csv",
+	"text/plain"
+]), DEFAULT_MAX_FILE_SIZE = 10 * 1024 * 1024, CHUNK_SIZE = 5 * 1024 * 1024, RATE_LIMIT_WINDOW = 60 * 1e3, MAX_UPLOADS_PER_WINDOW = 10, cvErr = (code, message) => new ConvexError(message ? {
+	code,
+	message
+} : { code }), makeFileUpload = (config) => {
+	const { action, allowedTypes = DEFAULT_ALLOWED_TYPES, getAuthUserId, internalMutation, internalQuery, maxFileSize = DEFAULT_MAX_FILE_SIZE, mutation, namespace, query } = config, tPath = anyApi[namespace], authUserId = async (ctx) => getAuthUserId(ctx), validateFileType = async (storage, id, contentType) => {
+		if (!allowedTypes.has(contentType ?? "")) {
+			await storage.delete(id);
+			throw cvErr("INVALID_FILE_TYPE", `File type ${contentType} not allowed`);
+		}
+	}, validateFileSize = async (storage, id, size) => {
+		if (size > maxFileSize) {
+			await storage.delete(id);
+			throw cvErr("FILE_TOO_LARGE", `File size ${size} exceeds ${maxFileSize} bytes`);
+		}
+	}, checkRateLimit = async (db, userId) => {
+		const now = Date.now(), cutoff = now - RATE_LIMIT_WINDOW;
+		if ((await db.query("uploadRateLimit").withIndex("by_user", ((q) => q.eq("userId", userId))).filter((q) => q.gte(q.field("timestamp"), cutoff)).collect()).length >= MAX_UPLOADS_PER_WINDOW) throw cvErr("RATE_LIMITED");
+		await db.insert("uploadRateLimit", {
+			timestamp: now,
+			userId
+		});
+		const old = await db.query("uploadRateLimit").withIndex("by_user", ((q) => q.eq("userId", userId))).filter((q) => q.lt(q.field("timestamp"), cutoff)).collect();
+		await Promise.all(old.map(async (r) => db.delete(r._id)));
+	}, upload = mutation({ handler: async (c) => {
+		const userId = await authUserId(c);
+		if (!userId) throw cvErr("NOT_AUTHENTICATED");
+		if (!isTestMode()) await checkRateLimit(c.db, userId);
+		return c.storage.generateUploadUrl();
+	} }), validate = mutation({
+		args: { id: v.id("_storage") },
+		handler: async (c, { id }) => {
+			if (!await authUserId(c)) throw cvErr("NOT_AUTHENTICATED");
+			const meta = await c.db.system.get(id);
+			if (!meta) throw cvErr("FILE_NOT_FOUND");
+			await validateFileType(c.storage, id, meta.contentType);
+			await validateFileSize(c.storage, id, meta.size);
+			return {
+				contentType: meta.contentType,
+				size: meta.size,
+				valid: true
+			};
+		}
+	}), info = query({
+		args: { id: v.id("_storage") },
+		handler: async (c, { id }) => {
+			if (!await authUserId(c)) throw cvErr("NOT_AUTHENTICATED");
+			const [meta, url] = await Promise.all([c.db.system.get(id), c.storage.getUrl(id)]);
+			return meta ? {
+				...meta,
+				url
+			} : null;
+		}
+	}), startChunkedUpload = mutation({
+		args: {
+			contentType: v.string(),
+			fileName: v.string(),
+			totalChunks: v.number(),
+			totalSize: v.number()
+		},
+		handler: async (c, { contentType, fileName, totalChunks, totalSize }) => {
+			const userId = await authUserId(c);
+			if (!userId) throw cvErr("NOT_AUTHENTICATED");
+			if (!isTestMode()) await checkRateLimit(c.db, userId);
+			if (!allowedTypes.has(contentType)) throw cvErr("INVALID_FILE_TYPE", `File type ${contentType} not allowed`);
+			if (totalSize > maxFileSize) throw cvErr("FILE_TOO_LARGE", `File size ${totalSize} exceeds ${maxFileSize} bytes`);
+			const uploadId = `${userId}_${Date.now()}_${Math.random().toString(36).slice(2)}`;
+			await c.db.insert("uploadSession", {
+				completedChunks: 0,
+				contentType,
+				fileName,
+				status: "pending",
+				totalChunks,
+				totalSize,
+				uploadId,
+				userId
+			});
+			return { uploadId };
+		}
+	}), uploadChunk = mutation({
+		args: {
+			chunkIndex: v.number(),
+			uploadId: v.string()
+		},
+		handler: async (c, { chunkIndex, uploadId }) => {
+			const userId = await authUserId(c);
+			if (!userId) throw cvErr("NOT_AUTHENTICATED");
+			const session = await c.db.query("uploadSession").withIndex("by_upload_id", ((q) => q.eq("uploadId", uploadId))).unique();
+			if (!session) throw cvErr("SESSION_NOT_FOUND");
+			if (session.userId !== userId) throw cvErr("UNAUTHORIZED");
+			if (session.status !== "pending") throw cvErr("INVALID_SESSION_STATE");
+			if (await c.db.query("uploadChunk").withIndex("by_upload", ((q) => q.eq("uploadId", uploadId))).filter((q) => q.eq(q.field("chunkIndex"), chunkIndex)).unique()) throw cvErr("CHUNK_ALREADY_UPLOADED");
+			return c.storage.generateUploadUrl();
+		}
+	}), confirmChunk = mutation({
+		args: {
+			chunkIndex: v.number(),
+			storageId: v.id("_storage"),
+			uploadId: v.string()
+		},
+		handler: async (c, { chunkIndex, storageId, uploadId }) => {
+			const userId = await authUserId(c);
+			if (!userId) throw cvErr("NOT_AUTHENTICATED");
+			const session = await c.db.query("uploadSession").withIndex("by_upload_id", ((q) => q.eq("uploadId", uploadId))).unique();
+			if (!session) throw cvErr("SESSION_NOT_FOUND");
+			if (session.userId !== userId) throw cvErr("UNAUTHORIZED");
+			await c.db.insert("uploadChunk", {
+				chunkIndex,
+				storageId,
+				totalChunks: session.totalChunks,
+				uploadId,
+				userId
+			});
+			const chunks = await c.db.query("uploadChunk").withIndex("by_upload", ((q) => q.eq("uploadId", uploadId))).collect();
+			await c.db.patch(session._id, { completedChunks: chunks.length });
+			return {
+				allUploaded: chunks.length === session.totalChunks,
+				completedChunks: chunks.length,
+				totalChunks: session.totalChunks
+			};
+		}
+	}), getSessionForAssembly = internalQuery({
+		args: { uploadId: v.string() },
+		handler: async (c, { uploadId }) => {
+			const session = await c.db.query("uploadSession").withIndex("by_upload_id", ((q) => q.eq("uploadId", uploadId))).unique();
+			if (!session) return null;
+			const chunks = await c.db.query("uploadChunk").withIndex("by_upload", ((q) => q.eq("uploadId", uploadId))).collect();
+			if (chunks.length !== session.totalChunks) throw cvErr("INCOMPLETE_UPLOAD");
+			return {
+				...session,
+				chunks
+			};
+		}
+	}), finalizeAssembly = internalMutation({
+		args: {
+			chunkStorageIds: v.array(v.id("_storage")),
+			finalStorageId: v.id("_storage"),
+			uploadId: v.string()
+		},
+		handler: async (c, { chunkStorageIds, finalStorageId, uploadId }) => {
+			const session = await c.db.query("uploadSession").withIndex("by_upload_id", ((q) => q.eq("uploadId", uploadId))).unique();
+			if (!session) throw cvErr("SESSION_NOT_FOUND");
+			await c.db.patch(session._id, {
+				finalStorageId,
+				status: "completed"
+			});
+			const chunks = await c.db.query("uploadChunk").withIndex("by_upload", ((q) => q.eq("uploadId", uploadId))).collect();
+			await Promise.all([...chunkStorageIds.map(async (id) => c.storage.delete(id)), ...chunks.map(async (chunk) => c.db.delete(chunk._id))]);
+		}
+	});
+	return {
+		assembleChunks: action({
+			args: { uploadId: v.string() },
+			handler: async (c, { uploadId }) => {
+				const session = await c.runQuery(tPath.getSessionForAssembly, { uploadId });
+				if (!session) throw cvErr("SESSION_NOT_FOUND");
+				if (session.status !== "pending") throw cvErr("INVALID_SESSION_STATE");
+				const sortedChunks = session.chunks.toSorted((a, b) => a.chunkIndex - b.chunkIndex), chunkBlobs = await Promise.all(sortedChunks.map(async (chunk) => {
+					const blob = await c.storage.get(chunk.storageId);
+					if (!blob) throw cvErr("CHUNK_NOT_FOUND");
+					return blob;
+				})), combinedBlob = new Blob(chunkBlobs, { type: session.contentType }), finalStorageId = await c.storage.store(combinedBlob);
+				await c.runMutation(tPath.finalizeAssembly, {
+					chunkStorageIds: sortedChunks.map((ch) => ch.storageId),
+					finalStorageId,
+					uploadId
+				});
+				return {
+					contentType: session.contentType,
+					size: session.totalSize,
+					storageId: finalStorageId
+				};
+			}
+		}),
+		cancelChunkedUpload: mutation({
+			args: { uploadId: v.string() },
+			handler: async (c, { uploadId }) => {
+				const userId = await authUserId(c);
+				if (!userId) throw cvErr("NOT_AUTHENTICATED");
+				const session = await c.db.query("uploadSession").withIndex("by_upload_id", ((q) => q.eq("uploadId", uploadId))).unique();
+				if (!session) throw cvErr("SESSION_NOT_FOUND");
+				if (session.userId !== userId) throw cvErr("UNAUTHORIZED");
+				const chunks = await c.db.query("uploadChunk").withIndex("by_upload", ((q) => q.eq("uploadId", uploadId))).collect();
+				await Promise.all(chunks.map(async (chunk) => c.storage.delete(chunk.storageId)));
+				await Promise.all(chunks.map(async (chunk) => c.db.delete(chunk._id)));
+				await c.db.patch(session._id, { status: "failed" });
+				return { cancelled: true };
+			}
+		}),
+		CHUNK_SIZE,
+		confirmChunk,
+		finalizeAssembly,
+		getSessionForAssembly,
+		getUploadProgress: query({
+			args: { uploadId: v.string() },
+			handler: async (c, { uploadId }) => {
+				const userId = await authUserId(c);
+				if (!userId) throw cvErr("NOT_AUTHENTICATED");
+				const session = await c.db.query("uploadSession").withIndex("by_upload_id", ((q) => q.eq("uploadId", uploadId))).unique();
+				if (!session) return null;
+				if (session.userId !== userId) throw cvErr("UNAUTHORIZED");
+				return {
+					completedChunks: session.completedChunks,
+					finalStorageId: session.finalStorageId,
+					progress: Math.round(session.completedChunks / session.totalChunks * 100),
+					status: session.status,
+					totalChunks: session.totalChunks
+				};
+			}
+		}),
+		info,
+		startChunkedUpload,
+		upload,
+		uploadChunk,
+		validate
+	};
+};
+
+//#endregion
+//#region src/server/helpers.ts
+const log = (level, msg, data) => {
+	console[level](JSON.stringify({
+		level,
+		msg,
+		ts: Date.now(),
+		...data
+	}));
+}, isRecord$1 = (v) => Boolean(v) && typeof v === "object", isComparisonOp = (val) => typeof val === "object" && val !== null && ("$gt" in val || "$gte" in val || "$lt" in val || "$lte" in val || "$between" in val), pgOpts = object({
+	cursor: nullable(string()),
+	endCursor: nullable(string()).optional(),
+	id: number().optional(),
+	maximumBytesRead: number().optional(),
+	maximumRowsRead: number().optional(),
+	numItems: number()
+}), cascadeFor = (parent, children) => {
+	const result = [];
+	for (const [table, c] of Object.entries(children)) if (c.parent === parent) result.push({
+		foreignKey: c.foreignKey,
+		table
+	});
+	return result;
+}, detectFiles = (s) => Object.keys(s).filter((k) => cvFileKindOf(s[k])), err = (code, debug) => {
+	throw new ConvexError(debug ? {
+		code,
+		debug
+	} : { code });
+}, noFetcher = () => err("NO_FETCHER"), time = () => ({ updatedAt: Date.now() }), getUser = async ({ ctx, db, getAuthUserId }) => {
+	const uid = await getAuthUserId(ctx);
+	if (!uid) return err("NOT_AUTHENTICATED");
+	return await db.get(uid) ?? err("USER_NOT_FOUND");
+}, ownGet = (db, userId) => async (id) => {
+	const d = await db.get(id);
+	return d && d.userId === userId ? d : err("NOT_FOUND");
+}, readCtx = ({ db, storage, viewerId }) => ({
+	db,
+	storage,
+	viewerId,
+	withAuthor: async (docs) => {
+		const ids = [...new Set(docs.map((d) => d.userId))], users = await Promise.all(ids.map(async (id) => db.get(id))), map = new Map(ids.map((id, i) => [id, users[i]]));
+		return docs.map((d) => ({
+			...d,
+			author: map.get(d.userId) ?? null,
+			own: viewerId ? viewerId === d.userId : null
+		}));
+	}
+}), toId = (x) => typeof x === "string" ? x : null, cleanFiles = async (opts) => {
+	const { doc, fileFields, next, storage } = opts;
+	if (!fileFields.length) return;
+	const del = /* @__PURE__ */ new Set();
+	for (const f of fileFields) {
+		const prev = doc[f];
+		if (prev === null) continue;
+		const pArr = Array.isArray(prev) ? prev : [prev];
+		if (!next) {
+			for (const p of pArr) {
+				const id = toId(p);
+				if (id) del.add(id);
+			}
+			continue;
+		}
+		if (!Object.hasOwn(next, f)) continue;
+		const nv = next[f], keep = new Set(Array.isArray(nv) ? nv : nv ? [nv] : []);
+		for (const p of pArr) if (!keep.has(p)) {
+			const id = toId(p);
+			if (id) del.add(id);
+		}
+	}
+	if (del.size) await Promise.all([...del].map(async (id) => storage.delete(id)));
+}, addUrls = async ({ doc, fileFields, storage }) => {
+	if (!fileFields.length) return doc;
+	const o = { ...doc }, getUrl = async (x) => {
+		const id = toId(x);
+		return id ? storage.getUrl(id) : null;
+	};
+	for (const f of fileFields) {
+		const fv = doc[f];
+		if (fv !== null) o[Array.isArray(fv) ? `${f}Urls` : `${f}Url`] = Array.isArray(fv) ? await Promise.all(fv.map(getUrl)) : await getUrl(fv);
+	}
+	return o;
+}, matchField = (docVal, filterVal) => {
+	if (isComparisonOp(filterVal)) {
+		const dv = docVal;
+		if (filterVal.$gt !== void 0 && !(dv > filterVal.$gt)) return false;
+		if (filterVal.$gte !== void 0 && !(dv >= filterVal.$gte)) return false;
+		if (filterVal.$lt !== void 0 && !(dv < filterVal.$lt)) return false;
+		if (filterVal.$lte !== void 0 && !(dv <= filterVal.$lte)) return false;
+		if (filterVal.$between !== void 0) {
+			const [min, max] = filterVal.$between;
+			if (!(dv >= min && dv <= max)) return false;
+		}
+		return true;
+	}
+	return Object.is(docVal, filterVal);
+}, groupList = (w) => w ? [{
+	...w,
+	or: void 0
+}, ...w.or ?? []].filter((g) => g.own ?? Object.keys(g).some((k) => k !== "own" && g[k] !== void 0)) : [], matchW = (doc, w, vid) => {
+	const gs = groupList(w);
+	if (!gs.length) return true;
+	for (const g of gs) if (Object.entries(g).every(([k, vl]) => k === "own" || vl === void 0 || matchField(doc[k], vl)) && (!g.own || vid === doc.userId)) return true;
+	return false;
+}, pickFields = (data, keys) => {
+	const result = {};
+	for (const k of keys) if (k in data) result[k] = data[k];
+	return result;
+}, errValidation = (code, zodError) => {
+	const { fieldErrors } = zodError.flatten(), fields = Object.keys(fieldErrors);
+	throw new ConvexError({
+		code,
+		fields,
+		message: fields.length ? `Invalid: ${fields.join(", ")}` : "Validation failed"
+	});
+};
+
+//#endregion
+//#region src/server/org-helpers.ts
+const ROLE_LEVEL = {
+	admin: 2,
+	member: 1,
+	owner: 3
+}, getOrgRole = ({ member, org, userId }) => {
+	if (org.userId === userId) return "owner";
+	if (!member) return null;
+	return member.isAdmin ? "admin" : "member";
+}, getOrgMember = async ({ db, orgId, userId }) => db.query("orgMember").withIndex("by_org_user", ((q) => q.eq("orgId", orgId))).filter((f) => f.eq(f.field("userId"), userId)).unique(), requireOrgMember = async ({ db, orgId, userId }) => {
+	const org = await db.get(orgId);
+	if (!org) return err("NOT_FOUND");
+	const member = await getOrgMember({
+		db,
+		orgId,
+		userId
+	}), role = getOrgRole({
+		member,
+		org,
+		userId
+	});
+	if (!role) return err("NOT_ORG_MEMBER");
+	return {
+		member,
+		org,
+		role
+	};
+};
+const requireOrgRole = async ({ db, minRole, orgId, userId }) => {
+	const result = await requireOrgMember({
+		db,
+		orgId,
+		userId
+	});
+	if (ROLE_LEVEL[result.role] < ROLE_LEVEL[minRole]) return err("INSUFFICIENT_ORG_ROLE");
+	return result;
+}, canEdit = ({ acl, doc, role, userId }) => {
+	if (role === "owner" || role === "admin") return true;
+	if (doc.userId === userId) return true;
+	if (acl && doc.editors?.includes(userId)) return true;
+	return false;
+};
+
+//#endregion
+//#region src/server/org.ts
+const generateToken = () => {
+	const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+	let token = "";
+	for (let i = 0; i < 32; i += 1) token += chars.charAt(Math.floor(Math.random() * 62));
+	return token;
+}, SEVEN_DAYS_MS = 10080 * 60 * 1e3, makeOrg = ({ cascadeTables, getAuthUserId, mutation, query, schema: orgSchema }) => {
+	const mb = zCustomMutation(mutation, customCtx(async (c) => ({ user: await getUser({
+		ctx: c,
+		db: c.db,
+		getAuthUserId
+	}) }))), qb = zCustomQuery(query, customCtx(async (c) => ({ user: await getUser({
+		ctx: c,
+		db: c.db,
+		getAuthUserId
+	}) }))), pqb = zCustomQuery(query, customCtx(() => ({}))), m = mb, q = qb, pq = pqb, create = m({
+		args: { data: orgSchema },
+		handler: async (c, { data }) => {
+			if (await c.db.query("org").withIndex("by_slug", ((o) => o.eq("slug", data.slug))).unique()) return err("ORG_SLUG_TAKEN");
+			return { orgId: await c.db.insert("org", {
+				avatarId: data.avatarId ?? void 0,
+				name: data.name,
+				slug: data.slug,
+				userId: c.user._id,
+				...time()
+			}) };
+		}
+	}), update = m({
+		args: {
+			data: orgSchema.partial(),
+			orgId: zid("org")
+		},
+		handler: async (c, { data, orgId }) => {
+			await requireOrgRole({
+				db: c.db,
+				minRole: "admin",
+				orgId,
+				userId: c.user._id
+			});
+			const newSlug = data.slug;
+			if (newSlug !== void 0) {
+				const existing = await c.db.query("org").withIndex("by_slug", ((o) => o.eq("slug", newSlug))).unique();
+				if (existing && existing._id !== orgId) return err("ORG_SLUG_TAKEN");
+			}
+			const patchData = {};
+			if (data.name !== void 0) patchData.name = data.name;
+			if (newSlug !== void 0) patchData.slug = newSlug;
+			if (data.avatarId !== void 0 && data.avatarId !== null) patchData.avatarId = data.avatarId;
+			await c.db.patch(orgId, {
+				...patchData,
+				...time()
+			});
+		}
+	}), get = q({
+		args: { orgId: zid("org") },
+		handler: async (c, { orgId }) => {
+			await requireOrgMember({
+				db: c.db,
+				orgId,
+				userId: c.user._id
+			});
+			return c.db.get(orgId);
+		}
+	}), getBySlug = pq({
+		args: { slug: z.string() },
+		handler: async (c, { slug }) => c.db.query("org").withIndex("by_slug", ((o) => o.eq("slug", slug))).unique()
+	}), getPublic = pq({
+		args: { slug: z.string() },
+		handler: async (c, { slug }) => {
+			const orgDoc = await c.db.query("org").withIndex("by_slug", ((o) => o.eq("slug", slug))).unique();
+			if (!orgDoc) return null;
+			return {
+				_id: orgDoc._id,
+				avatarId: orgDoc.avatarId,
+				name: orgDoc.name,
+				slug: orgDoc.slug
+			};
+		}
+	}), myOrgs = q({
+		args: {},
+		handler: async (c) => {
+			const uid = c.user._id, db = c.db, ownedOrgs = await db.query("org").withIndex("by_user", ((o) => o.eq("userId", uid))).collect(), memberships = await db.query("orgMember").withIndex("by_user", ((o) => o.eq("userId", uid))).collect(), memberOrgIds = memberships.map((x) => x.orgId), memberOrgResults = await Promise.all(memberOrgIds.map(async (id) => db.get(id))), memberOrgs = [];
+			for (const orgDoc of memberOrgResults) if (orgDoc) memberOrgs.push(orgDoc);
+			const ownedIds = new Set(ownedOrgs.map((o) => o._id)), result = [];
+			for (const o of ownedOrgs) result.push({
+				org: o,
+				role: "owner"
+			});
+			for (const o of memberOrgs) if (!ownedIds.has(o._id)) {
+				const role = memberships.find((x) => x.orgId === o._id)?.isAdmin ? "admin" : "member";
+				result.push({
+					org: o,
+					role
+				});
+			}
+			return result;
+		}
+	}), remove = m({
+		args: { orgId: zid("org") },
+		handler: async (c, { orgId }) => {
+			const db = c.db, orgDoc = await db.get(orgId);
+			if (!orgDoc) return err("NOT_FOUND");
+			if (orgDoc.userId !== c.user._id) return err("FORBIDDEN");
+			if (cascadeTables) for (const table of cascadeTables) {
+				const docs = await db.query(table).filter((o) => o.eq(o.field("orgId"), orgId)).collect();
+				await Promise.all(docs.map(async (d) => db.delete(d._id)));
+			}
+			const joinRequests = await db.query("orgJoinRequest").withIndex("by_org", ((o) => o.eq("orgId", orgId))).collect();
+			await Promise.all(joinRequests.map(async (r) => db.delete(r._id)));
+			const invites = await db.query("orgInvite").withIndex("by_org", ((o) => o.eq("orgId", orgId))).collect();
+			await Promise.all(invites.map(async (i) => db.delete(i._id)));
+			const orgMembers = await db.query("orgMember").withIndex("by_org", ((o) => o.eq("orgId", orgId))).collect();
+			await Promise.all(orgMembers.map(async (x) => db.delete(x._id)));
+			await db.delete(orgId);
+		}
+	}), isSlugAvailable = pq({
+		args: { slug: z.string() },
+		handler: async (c, { slug }) => {
+			return { available: !await c.db.query("org").withIndex("by_slug", ((o) => o.eq("slug", slug))).unique() };
+		}
+	}), membership = q({
+		args: { orgId: zid("org") },
+		handler: async (c, { orgId }) => {
+			const db = c.db, orgDoc = await db.get(orgId);
+			if (!orgDoc) return err("NOT_FOUND");
+			const userId = c.user._id, member = await getOrgMember({
+				db,
+				orgId,
+				userId
+			}), role = getOrgRole({
+				member,
+				org: orgDoc,
+				userId
+			});
+			if (!role) return null;
+			return {
+				memberId: member?._id ?? null,
+				role
+			};
+		}
+	}), members = q({
+		args: { orgId: zid("org") },
+		handler: async (c, { orgId }) => {
+			const db = c.db, userId = c.user._id;
+			await requireOrgMember({
+				db,
+				orgId,
+				userId
+			});
+			const orgDoc = await db.get(orgId);
+			if (!orgDoc) return err("NOT_FOUND");
+			const result = [], ownerUser = await db.get(orgDoc.userId);
+			result.push({
+				role: "owner",
+				user: ownerUser,
+				userId: orgDoc.userId
+			});
+			const memberDocs = await db.query("orgMember").withIndex("by_org", ((o) => o.eq("orgId", orgId))).collect(), userDocs = await Promise.all(memberDocs.map(async (x) => db.get(x.userId)));
+			for (let i = 0; i < memberDocs.length; i += 1) {
+				const memberDoc = memberDocs[i], userDoc = userDocs[i];
+				if (memberDoc) result.push({
+					memberId: memberDoc._id,
+					role: memberDoc.isAdmin ? "admin" : "member",
+					user: userDoc ?? null,
+					userId: memberDoc.userId
+				});
+			}
+			return result;
+		}
+	}), setAdmin = m({
+		args: {
+			isAdmin: z.boolean(),
+			memberId: zid("orgMember")
+		},
+		handler: async (c, { isAdmin, memberId }) => {
+			const db = c.db, memberDoc = await db.get(memberId);
+			if (!memberDoc) return err("NOT_FOUND");
+			const orgDoc = await db.get(memberDoc.orgId);
+			if (!orgDoc) return err("NOT_FOUND");
+			if (orgDoc.userId !== c.user._id) return err("FORBIDDEN");
+			if (memberDoc.userId === orgDoc.userId) return err("CANNOT_MODIFY_OWNER");
+			await db.patch(memberId, {
+				isAdmin,
+				...time()
+			});
+		}
+	}), removeMember = m({
+		args: { memberId: zid("orgMember") },
+		handler: async (c, { memberId }) => {
+			const db = c.db, memberDoc = await db.get(memberId);
+			if (!memberDoc) return err("NOT_FOUND");
+			const orgDoc = await db.get(memberDoc.orgId);
+			if (!orgDoc) return err("NOT_FOUND");
+			if (memberDoc.userId === orgDoc.userId) return err("CANNOT_MODIFY_OWNER");
+			const { role } = await requireOrgRole({
+				db,
+				minRole: "admin",
+				orgId: memberDoc.orgId,
+				userId: c.user._id
+			});
+			if (role === "admin" && memberDoc.isAdmin) return err("CANNOT_MODIFY_ADMIN");
+			await db.delete(memberId);
+		}
+	}), leave = m({
+		args: { orgId: zid("org") },
+		handler: async (c, { orgId }) => {
+			const db = c.db, orgDoc = await db.get(orgId);
+			if (!orgDoc) return err("NOT_FOUND");
+			const userId = c.user._id;
+			if (orgDoc.userId === userId) return err("MUST_TRANSFER_OWNERSHIP");
+			const member = await getOrgMember({
+				db,
+				orgId,
+				userId
+			});
+			if (!member) return err("NOT_ORG_MEMBER");
+			await db.delete(member._id);
+		}
+	}), transferOwnership = m({
+		args: {
+			newOwnerId: zid("users"),
+			orgId: zid("org")
+		},
+		handler: async (c, { newOwnerId, orgId }) => {
+			const db = c.db, orgDoc = await db.get(orgId);
+			if (!orgDoc) return err("NOT_FOUND");
+			if (orgDoc.userId !== c.user._id) return err("FORBIDDEN");
+			const targetMember = await getOrgMember({
+				db,
+				orgId,
+				userId: newOwnerId
+			});
+			if (!targetMember) return err("NOT_ORG_MEMBER");
+			if (!targetMember.isAdmin) return err("TARGET_MUST_BE_ADMIN");
+			await db.patch(orgId, {
+				userId: newOwnerId,
+				...time()
+			});
+			await db.delete(targetMember._id);
+			await db.insert("orgMember", {
+				isAdmin: true,
+				orgId,
+				userId: c.user._id,
+				...time()
+			});
+		}
+	}), invite = m({
+		args: {
+			email: z.email(),
+			isAdmin: z.boolean(),
+			orgId: zid("org")
+		},
+		handler: async (c, { email, isAdmin, orgId }) => {
+			await requireOrgRole({
+				db: c.db,
+				minRole: "admin",
+				orgId,
+				userId: c.user._id
+			});
+			const token = generateToken(), expiresAt = Date.now() + SEVEN_DAYS_MS;
+			return {
+				inviteId: await c.db.insert("orgInvite", {
+					email,
+					expiresAt,
+					isAdmin,
+					orgId,
+					token
+				}),
+				token
+			};
+		}
+	}), acceptInvite = m({
+		args: { token: z.string() },
+		handler: async (c, { token }) => {
+			const db = c.db, userId = c.user._id, inviteDoc = await db.query("orgInvite").withIndex("by_token", ((o) => o.eq("token", token))).unique();
+			if (!inviteDoc) return err("INVALID_INVITE");
+			if (inviteDoc.expiresAt < Date.now()) return err("INVITE_EXPIRED");
+			const existingMember = await getOrgMember({
+				db,
+				orgId: inviteDoc.orgId,
+				userId
+			}), orgDoc = await db.get(inviteDoc.orgId);
+			if (!orgDoc) return err("NOT_FOUND");
+			if (existingMember || orgDoc.userId === userId) return err("ALREADY_ORG_MEMBER");
+			const pendingRequest = await db.query("orgJoinRequest").withIndex("by_org_status", ((o) => o.eq("orgId", inviteDoc.orgId).eq("status", "pending"))).filter((o) => o.eq(o.field("userId"), userId)).unique();
+			if (pendingRequest) await db.patch(pendingRequest._id, {
+				status: "approved",
+				...time()
+			});
+			await db.insert("orgMember", {
+				isAdmin: inviteDoc.isAdmin,
+				orgId: inviteDoc.orgId,
+				userId,
+				...time()
+			});
+			await db.delete(inviteDoc._id);
+			return { orgId: inviteDoc.orgId };
+		}
+	}), revokeInvite = m({
+		args: { inviteId: zid("orgInvite") },
+		handler: async (c, { inviteId }) => {
+			const db = c.db, inviteDoc = await db.get(inviteId);
+			if (!inviteDoc) return err("NOT_FOUND");
+			await requireOrgRole({
+				db,
+				minRole: "admin",
+				orgId: inviteDoc.orgId,
+				userId: c.user._id
+			});
+			await db.delete(inviteId);
+		}
+	}), pendingInvites = q({
+		args: { orgId: zid("org") },
+		handler: async (c, { orgId }) => {
+			await requireOrgRole({
+				db: c.db,
+				minRole: "admin",
+				orgId,
+				userId: c.user._id
+			});
+			return c.db.query("orgInvite").withIndex("by_org", ((o) => o.eq("orgId", orgId))).collect();
+		}
+	}), requestJoin = m({
+		args: {
+			message: z.string().optional(),
+			orgId: zid("org")
+		},
+		handler: async (c, { message, orgId }) => {
+			const db = c.db, userId = c.user._id, orgDoc = await db.get(orgId);
+			if (!orgDoc) return err("NOT_FOUND");
+			if (await getOrgMember({
+				db,
+				orgId,
+				userId
+			}) || orgDoc.userId === userId) return err("ALREADY_ORG_MEMBER");
+			if (await db.query("orgJoinRequest").withIndex("by_org_status", ((o) => o.eq("orgId", orgId).eq("status", "pending"))).filter((o) => o.eq(o.field("userId"), userId)).unique()) return err("JOIN_REQUEST_EXISTS");
+			return { requestId: await db.insert("orgJoinRequest", {
+				message,
+				orgId,
+				status: "pending",
+				userId
+			}) };
+		}
+	}), approveJoinRequest = m({
+		args: {
+			isAdmin: z.boolean().optional(),
+			requestId: zid("orgJoinRequest")
+		},
+		handler: async (c, { isAdmin, requestId }) => {
+			const db = c.db, requestDoc = await db.get(requestId);
+			if (!requestDoc) return err("NOT_FOUND");
+			await requireOrgRole({
+				db,
+				minRole: "admin",
+				orgId: requestDoc.orgId,
+				userId: c.user._id
+			});
+			await db.insert("orgMember", {
+				isAdmin: isAdmin ?? false,
+				orgId: requestDoc.orgId,
+				userId: requestDoc.userId,
+				...time()
+			});
+			await db.patch(requestId, { status: "approved" });
+		}
+	}), rejectJoinRequest = m({
+		args: { requestId: zid("orgJoinRequest") },
+		handler: async (c, { requestId }) => {
+			const db = c.db, requestDoc = await db.get(requestId);
+			if (!requestDoc) return err("NOT_FOUND");
+			await requireOrgRole({
+				db,
+				minRole: "admin",
+				orgId: requestDoc.orgId,
+				userId: c.user._id
+			});
+			await db.patch(requestId, { status: "rejected" });
+		}
+	}), cancelJoinRequest = m({
+		args: { requestId: zid("orgJoinRequest") },
+		handler: async (c, { requestId }) => {
+			const db = c.db, requestDoc = await db.get(requestId);
+			if (!requestDoc) return err("NOT_FOUND");
+			if (requestDoc.userId !== c.user._id) return err("FORBIDDEN");
+			if (requestDoc.status !== "pending") return err("NOT_FOUND");
+			await db.delete(requestId);
+		}
+	}), pendingJoinRequests = q({
+		args: { orgId: zid("org") },
+		handler: async (c, { orgId }) => {
+			const db = c.db;
+			await requireOrgRole({
+				db,
+				minRole: "admin",
+				orgId,
+				userId: c.user._id
+			});
+			const requests = await db.query("orgJoinRequest").withIndex("by_org_status", ((o) => o.eq("orgId", orgId).eq("status", "pending"))).collect(), users = await Promise.all(requests.map(async (r) => db.get(r.userId))), result = [];
+			for (let i = 0; i < requests.length; i += 1) {
+				const req = requests[i], usr = users[i];
+				if (req) result.push({
+					request: req,
+					user: usr ?? null
+				});
+			}
+			return result;
+		}
+	});
+	return {
+		acceptInvite,
+		approveJoinRequest,
+		cancelJoinRequest,
+		create,
+		get,
+		getBySlug,
+		getPublic,
+		invite,
+		isSlugAvailable,
+		leave,
+		members,
+		membership,
+		myJoinRequest: q({
+			args: { orgId: zid("org") },
+			handler: async (c, { orgId }) => c.db.query("orgJoinRequest").withIndex("by_org_status", ((o) => o.eq("orgId", orgId).eq("status", "pending"))).filter((o) => o.eq(o.field("userId"), c.user._id)).unique()
+		}),
+		myOrgs,
+		pendingInvites,
+		pendingJoinRequests,
+		rejectJoinRequest,
+		remove,
+		removeMember,
+		requestJoin,
+		revokeInvite,
+		setAdmin,
+		transferOwnership,
+		update
+	};
+};
+
+//#endregion
+//#region src/server/db.ts
+const dbInsert = async (db, table, data) => db.insert(table, data), dbPatch = async (db, id, data) => db.patch(id, data), dbDelete = async (db, id) => db.delete(id);
+
+//#endregion
+//#region src/server/org-crud.ts
+const getEditors = (doc) => doc.editors ?? [], requireOrgDoc = (doc, orgId, debug) => {
+	if (doc?.orgId !== orgId) return err("NOT_FOUND", debug);
+	return doc;
+}, resolveAclDoc = async (db, doc, opt) => {
+	if (opt?.aclFrom) {
+		const parentId = doc[opt.aclFrom.field], parent = parentId ? await db.get(parentId) : null;
+		return {
+			editors: parent ? getEditors(parent) : [],
+			userId: doc.userId
+		};
+	}
+	return doc;
+}, makeOrgCrud = ({ builders, options: opt, schema, table }) => {
+	const { m, q } = builders, partial = schema.partial(), bulkIdsSchema = array(zid(table)).max(100), fileFs = detectFiles(schema.shape), idArgs = { id: zid(table) }, orgIdArg = { orgId: zid("org") }, useAcl = Boolean(opt?.acl) || Boolean(opt?.aclFrom), enrich = async (c, docs) => Promise.all((await c.withAuthor(docs)).map(async (d) => addUrls({
+		doc: d,
+		fileFields: fileFs,
+		storage: c.storage
+	}))), cascadeDelete = async (db, id) => {
+		if (!opt?.cascade) return;
+		const { foreignKey, table: tbl } = opt.cascade, kids = await db.query(tbl).filter((f) => f.eq(f.field(foreignKey), id)).collect();
+		for (const kid of kids) await dbDelete(db, kid._id);
+	}, create = m({
+		args: {
+			...orgIdArg,
+			...schema.shape
+		},
+		handler: (async (c, a) => {
+			const { orgId, ...data } = a;
+			await requireOrgMember({
+				db: c.db,
+				orgId,
+				userId: c.user._id
+			});
+			return dbInsert(c.db, table, {
+				...data,
+				orgId,
+				userId: c.user._id,
+				...time()
+			});
+		})
+	}), list = q({
+		args: {
+			...orgIdArg,
+			paginationOpts: pgOpts
+		},
+		handler: (async (c, { orgId, paginationOpts }) => {
+			await requireOrgMember({
+				db: c.db,
+				orgId,
+				userId: c.user._id
+			});
+			const { page, ...rest } = await c.db.query(table).withIndex("by_org", ((o) => o.eq("orgId", orgId))).order("desc").paginate(paginationOpts);
+			return {
+				...rest,
+				page: await enrich(c, page)
+			};
+		})
+	}), all = q({
+		args: { ...orgIdArg },
+		handler: (async (c, { orgId }) => {
+			await requireOrgMember({
+				db: c.db,
+				orgId,
+				userId: c.user._id
+			});
+			return enrich(c, await c.db.query(table).withIndex("by_org", ((o) => o.eq("orgId", orgId))).order("desc").collect());
+		})
+	}), count = q({
+		args: { ...orgIdArg },
+		handler: (async (c, { orgId }) => {
+			await requireOrgMember({
+				db: c.db,
+				orgId,
+				userId: c.user._id
+			});
+			const docs = await c.db.query(table).withIndex("by_org", ((o) => o.eq("orgId", orgId))).collect();
+			if (docs.length > 1e3) log("warn", "crud:large_count", {
+				count: docs.length,
+				table,
+				tip: "Use indexed queries for large tables"
+			});
+			return docs.length;
+		})
+	}), read = q({
+		args: {
+			...orgIdArg,
+			...idArgs
+		},
+		handler: (async (c, { id, orgId }) => {
+			await requireOrgMember({
+				db: c.db,
+				orgId,
+				userId: c.user._id
+			});
+			return (await enrich(c, [requireOrgDoc(await c.db.get(id), orgId)]))[0];
+		})
+	}), update = m({
+		args: {
+			...orgIdArg,
+			...idArgs,
+			...partial.shape,
+			expectedUpdatedAt: number().optional()
+		},
+		handler: (async (c, a) => {
+			const { expectedUpdatedAt, id, orgId, ...patch } = a, { role } = await requireOrgMember({
+				db: c.db,
+				orgId,
+				userId: c.user._id
+			}), doc = requireOrgDoc(await c.db.get(id), orgId);
+			if (!canEdit({
+				acl: useAcl,
+				doc: await resolveAclDoc(c.db, doc, opt),
+				role,
+				userId: c.user._id
+			})) return err("FORBIDDEN", `${table}:update`);
+			if (expectedUpdatedAt !== void 0 && doc.updatedAt !== expectedUpdatedAt) return err("CONFLICT", `${table}:update`);
+			await dbPatch(c.db, id, {
+				...patch,
+				...time()
+			});
+			return c.db.get(id);
+		})
+	}), rm = m({
+		args: {
+			...orgIdArg,
+			...idArgs
+		},
+		handler: (async (c, { id, orgId }) => {
+			const { role } = await requireOrgMember({
+				db: c.db,
+				orgId,
+				userId: c.user._id
+			}), doc = requireOrgDoc(await c.db.get(id), orgId);
+			if (!canEdit({
+				acl: useAcl,
+				doc: await resolveAclDoc(c.db, doc, opt),
+				role,
+				userId: c.user._id
+			})) return err("FORBIDDEN", `${table}:rm`);
+			await cascadeDelete(c.db, id);
+			await dbDelete(c.db, id);
+			await cleanFiles({
+				doc,
+				fileFields: fileFs,
+				storage: c.storage
+			});
+			return doc;
+		})
+	}), bulkUpdate = m({
+		args: {
+			...orgIdArg,
+			data: partial,
+			ids: bulkIdsSchema
+		},
+		handler: (async (c, a) => {
+			const { data, ids, orgId } = a;
+			if (ids.length > 100) return err("LIMIT_EXCEEDED", `${table}:bulkUpdate`);
+			await requireOrgRole({
+				db: c.db,
+				minRole: "admin",
+				orgId,
+				userId: c.user._id
+			});
+			const results = [];
+			for (const id of ids) {
+				if ((await c.db.get(id))?.orgId !== orgId) continue;
+				await dbPatch(c.db, id, {
+					...data,
+					...time()
+				});
+				const updated = await c.db.get(id);
+				if (updated) results.push(updated);
+			}
+			return results;
+		})
+	}), base = {
+		all,
+		bulkRm: m({
+			args: {
+				...orgIdArg,
+				ids: bulkIdsSchema
+			},
+			handler: (async (c, a) => {
+				const { ids, orgId } = a;
+				if (ids.length > 100) return err("LIMIT_EXCEEDED", `${table}:bulkRm`);
+				await requireOrgRole({
+					db: c.db,
+					minRole: "admin",
+					orgId,
+					userId: c.user._id
+				});
+				let deleted = 0;
+				for (const id of ids) {
+					const doc = await c.db.get(id);
+					if (doc?.orgId !== orgId) continue;
+					await cascadeDelete(c.db, id);
+					await dbDelete(c.db, id);
+					await cleanFiles({
+						doc,
+						fileFields: fileFs,
+						storage: c.storage
+					});
+					deleted += 1;
+				}
+				return deleted;
+			})
+		}),
+		bulkUpdate,
+		count,
+		create,
+		list,
+		read,
+		rm,
+		update
+	}, itemIdKey = `${table}Id`, itemIdArg = { [itemIdKey]: zid(table) }, aclArgs = (a) => {
+		const args = a;
+		return {
+			editorId: args.editorId,
+			editorIds: args.editorIds,
+			itemId: args[itemIdKey],
+			orgId: args.orgId
+		};
+	}, addEditor = m({
+		args: {
+			editorId: zid("users"),
+			...orgIdArg,
+			...itemIdArg
+		},
+		handler: (async (c, a) => {
+			const { editorId, itemId, orgId } = aclArgs(a);
+			await requireOrgRole({
+				db: c.db,
+				minRole: "admin",
+				orgId,
+				userId: c.user._id
+			});
+			const doc = requireOrgDoc(await c.db.get(itemId), orgId), editorIsOwner = (await c.db.get(orgId))?.userId === editorId, editorMember = await getOrgMember({
+				db: c.db,
+				orgId,
+				userId: editorId
+			});
+			if (!(editorIsOwner || editorMember)) return err("NOT_ORG_MEMBER");
+			const eds = getEditors(doc);
+			if (eds.some((eid) => eid === editorId)) return doc;
+			if (eds.length >= 100) return err("LIMIT_EXCEEDED");
+			await dbPatch(c.db, itemId, {
+				editors: [...eds, editorId],
+				...time()
+			});
+			return c.db.get(itemId);
+		})
+	}), removeEditor = m({
+		args: {
+			editorId: zid("users"),
+			...orgIdArg,
+			...itemIdArg
+		},
+		handler: (async (c, a) => {
+			const { editorId, itemId, orgId } = aclArgs(a);
+			await requireOrgRole({
+				db: c.db,
+				minRole: "admin",
+				orgId,
+				userId: c.user._id
+			});
+			const filtered = getEditors(requireOrgDoc(await c.db.get(itemId), orgId)).filter((eid) => eid !== editorId);
+			await dbPatch(c.db, itemId, {
+				editors: filtered,
+				...time()
+			});
+			return c.db.get(itemId);
+		})
+	}), editors = q({
+		args: {
+			...orgIdArg,
+			...itemIdArg
+		},
+		handler: (async (c, a) => {
+			const { itemId, orgId } = aclArgs(a);
+			await requireOrgMember({
+				db: c.db,
+				orgId,
+				userId: c.user._id
+			});
+			const editorIds = getEditors(requireOrgDoc(await c.db.get(itemId), orgId)), users = await Promise.all(editorIds.map(async (eid) => c.db.get(eid))), result = [];
+			for (let i = 0; i < editorIds.length; i += 1) {
+				const u = users[i], eid = editorIds[i];
+				if (u && eid) result.push({
+					email: u.email ?? "",
+					name: u.name ?? "",
+					userId: eid
+				});
+			}
+			return result;
+		})
+	}), setEditors = m({
+		args: {
+			editorIds: array(zid("users")).max(100),
+			...orgIdArg,
+			...itemIdArg
+		},
+		handler: (async (c, a) => {
+			const { editorIds, itemId, orgId } = aclArgs(a);
+			await requireOrgRole({
+				db: c.db,
+				minRole: "admin",
+				orgId,
+				userId: c.user._id
+			});
+			requireOrgDoc(await c.db.get(itemId), orgId);
+			if (editorIds) for (const editorId of editorIds) {
+				const isOwner = (await c.db.get(orgId))?.userId === editorId, member = await getOrgMember({
+					db: c.db,
+					orgId,
+					userId: editorId
+				});
+				if (!(isOwner || member)) return err("NOT_ORG_MEMBER");
+			}
+			await dbPatch(c.db, itemId, {
+				editors: editorIds ?? [],
+				...time()
+			});
+			return c.db.get(itemId);
+		})
+	});
+	return {
+		...base,
+		addEditor,
+		editors,
+		removeEditor,
+		setEditors
+	};
+}, orgCascade = (config) => config;
+
+//#endregion
+//#region src/server/schema-helpers.ts
+const baseTable = (s) => defineTable({
+	...zodOutputToConvexFields(s.shape),
+	updatedAt: v.optional(v.number())
+}), ownedTable = (s) => defineTable({
+	...zodOutputToConvexFields(s.shape),
+	updatedAt: v.number(),
+	userId: v.id("users")
+}).index("by_user", ["userId"]), orgTable = (s) => defineTable({
+	...zodOutputToConvexFields(s.shape),
+	orgId: v.id("org"),
+	updatedAt: v.number(),
+	userId: v.id("users")
+}).index("by_org", ["orgId"]).index("by_org_user", ["orgId", "userId"]), orgChildTable = (s, parent) => defineTable({
+	...zodOutputToConvexFields(s.shape),
+	orgId: v.id("org"),
+	updatedAt: v.number(),
+	userId: v.id("users")
+}).index("by_org", ["orgId"]).index("by_parent", [parent.foreignKey]), childTable = (s, indexField, indexName) => defineTable({
+	...zodOutputToConvexFields(s.shape),
+	updatedAt: v.number()
+}).index(indexName ?? `by_${indexField}`, [indexField]), orgTables = () => ({
+	org: defineTable({
+		avatarId: v.optional(v.id("_storage")),
+		name: v.string(),
+		slug: v.string(),
+		updatedAt: v.number(),
+		userId: v.id("users")
+	}).index("by_slug", ["slug"]).index("by_user", ["userId"]),
+	orgInvite: defineTable({
+		email: v.string(),
+		expiresAt: v.number(),
+		isAdmin: v.boolean(),
+		orgId: v.id("org"),
+		token: v.string()
+	}).index("by_org", ["orgId"]).index("by_token", ["token"]),
+	orgJoinRequest: defineTable({
+		message: v.optional(v.string()),
+		orgId: v.id("org"),
+		status: v.union(v.literal("pending"), v.literal("approved"), v.literal("rejected")),
+		userId: v.id("users")
+	}).index("by_org", ["orgId"]).index("by_org_status", ["orgId", "status"]).index("by_user", ["userId"]),
+	orgMember: defineTable({
+		isAdmin: v.boolean(),
+		orgId: v.id("org"),
+		updatedAt: v.number(),
+		userId: v.id("users")
+	}).index("by_org", ["orgId"]).index("by_org_user", ["orgId", "userId"]).index("by_user", ["userId"])
+}), uploadTables = () => ({
+	uploadChunk: defineTable({
+		chunkIndex: v.number(),
+		storageId: v.id("_storage"),
+		totalChunks: v.number(),
+		uploadId: v.string(),
+		userId: v.id("users")
+	}).index("by_upload", ["uploadId"]).index("by_user", ["userId"]),
+	uploadRateLimit: defineTable({
+		timestamp: v.number(),
+		userId: v.id("users")
+	}).index("by_user", ["userId"]),
+	uploadSession: defineTable({
+		completedChunks: v.number(),
+		contentType: v.string(),
+		fileName: v.string(),
+		finalStorageId: v.optional(v.id("_storage")),
+		status: v.union(v.literal("pending"), v.literal("assembling"), v.literal("completed"), v.literal("failed")),
+		totalChunks: v.number(),
+		totalSize: v.number(),
+		uploadId: v.string(),
+		userId: v.id("users")
+	}).index("by_upload_id", ["uploadId"]).index("by_user", ["userId"])
+});
+
+//#endregion
+//#region src/server/cache-crud.ts
+const makeCacheCrud = ({ builders: b, fetcher, key, schema, table, ttl = 10080 * 60 * 1e3 }) => {
+	const keys = Object.keys(schema.shape), pick = (d) => pickFields(d, keys), valid = (d) => (d.updatedAt ?? d._creationTime) + ttl > Date.now(), partial = schema.partial(), idx = `by_${key}`, kArgs = zodOutputToConvexFields({ [key]: schema.shape[key] }), idArgs = { id: zid(table) }, expArgs = { includeExpired: boolean().optional() }, listArgs = {
+		includeExpired: boolean().optional(),
+		paginationOpts: pgOpts
+	}, retFields = zodOutputToConvexFields(schema.extend({ cacheHit: boolean() }).shape), kVal = kArgs[key] ?? err("INVALID_WHERE"), byK = (x) => ((i) => i.eq(key, x)), getInt = b.internalQuery({
+		args: kArgs,
+		handler: (async (c, a) => c.db.query(table).withIndex(idx, byK(a[key])).first())
+	}), get = b.query({
+		args: kArgs,
+		handler: (async (c, a) => {
+			const d = await c.db.query(table).withIndex(idx, byK(a[key])).first();
+			return d && valid(d) ? {
+				...d,
+				cacheHit: true
+			} : null;
+		})
+	}), read = b.cq({
+		args: idArgs,
+		handler: (async (c, { id }) => c.db.get(id))
+	}), all = b.cq({
+		args: expArgs,
+		handler: (async (c, { includeExpired: ie }) => {
+			const d = await c.db.query(table).order("desc").collect();
+			return ie ? d : d.filter(valid);
+		})
+	}), list = b.cq({
+		args: listArgs,
+		handler: (async (c, { includeExpired: ie, paginationOpts: op }) => {
+			const qr = c.db.query(table).order("desc");
+			if (ie) return qr.paginate(op);
+			const { page, ...rest } = await qr.paginate({
+				...op,
+				numItems: op.numItems * 2
+			});
+			return {
+				...rest,
+				page: page.filter(valid).slice(0, op.numItems)
+			};
+		})
+	}), upsert = async (c, data) => {
+		const ex = await c.db.query(table).withIndex(idx, byK(data[key])).first(), wt = {
+			...data,
+			...time()
+		};
+		if (ex) {
+			await dbPatch(c.db, ex._id, wt);
+			return ex._id;
+		}
+		return dbInsert(c.db, table, wt);
+	}, set = b.internalMutation({
+		args: { data: v.object(zodOutputToConvexFields(schema.shape)) },
+		handler: (async (c, { data }) => {
+			await upsert(c, pick(data));
+		})
+	}), create = b.cm({
+		args: schema.shape,
+		handler: (async (c, d) => upsert(c, d))
+	}), update = b.cm({
+		args: {
+			...idArgs,
+			...partial.shape
+		},
+		handler: (async (c, a) => {
+			const { id, ...d } = a, ex = await c.db.get(id), t = time();
+			if (!ex) return err("NOT_FOUND");
+			await dbPatch(c.db, id, {
+				...d,
+				...t
+			});
+			return {
+				...ex,
+				...d,
+				...t
+			};
+		})
+	}), rm = b.cm({
+		args: idArgs,
+		handler: (async (c, { id }) => {
+			const d = await c.db.get(id);
+			if (d) await c.db.delete(id);
+			return d;
+		})
+	}), invalidate = b.mutation({
+		args: kArgs,
+		handler: (async (c, a) => {
+			const d = await c.db.query(table).withIndex(idx, byK(a[key])).first();
+			if (d) await dbDelete(c.db, d._id);
+			return d;
+		})
+	}), purge = b.cm({
+		args: {},
+		handler: (async (c) => {
+			const cut = Date.now() - ttl, exp = await c.db.query(table).filter((qr) => qr.lt(qr.field("_creationTime"), cut)).collect();
+			for (const d of exp) await dbDelete(c.db, d._id);
+			return exp.length;
+		})
+	}), tPath = anyApi[table], tKArgs = { [key]: kVal }, doFetch = async (c, kv) => {
+		const d = pick(await fetcher?.(c, kv));
+		await c.runMutation(tPath.set, { data: d });
+		return {
+			...d,
+			cacheHit: false
+		};
+	};
+	return {
+		all,
+		create,
+		get,
+		getInternal: getInt,
+		invalidate,
+		list,
+		load: fetcher ? b.action({
+			args: tKArgs,
+			handler: (async (c, a) => {
+				const kv = a[key], d = await c.runQuery(tPath.getInternal, { [key]: kv });
+				return d && valid(d) ? {
+					...pick(d),
+					cacheHit: true
+				} : doFetch(c, kv);
+			}),
+			returns: v.object(retFields)
+		}) : b.action(noFetcher),
+		purge,
+		read,
+		refresh: fetcher ? b.action({
+			args: tKArgs,
+			handler: (async (c, a) => {
+				const kv = a[key];
+				await c.runMutation(tPath.invalidate, { [key]: kv });
+				return doFetch(c, kv);
+			}),
+			returns: v.object(retFields)
+		}) : b.action(noFetcher),
+		rm,
+		set,
+		update
+	};
+};
+
+//#endregion
+//#region src/server/child.ts
+const makeChildCrud = ({ builders, meta, table }) => {
+	const { m, q } = builders, { foreignKey, index, parent, schema } = meta, getFK = (doc) => doc[foreignKey], schemaKeys = Object.keys(schema.shape), partial = schema.partial(), idArgs = { id: zid(table) }, verifyParentOwnership = async (ctx, parentId) => {
+		const p = await ctx.db.get(parentId);
+		return p && p.userId === ctx.user._id ? p : null;
+	}, create = m({
+		args: {
+			...schema.shape,
+			[foreignKey]: zid(parent)
+		},
+		handler: (async (ctx, a) => {
+			const args = a, parentId = args[foreignKey], data = schema.parse(pickFields(args, schemaKeys));
+			if (!await verifyParentOwnership(ctx, parentId)) return err("NOT_FOUND", `${table}:create`);
+			return dbInsert(ctx.db, table, {
+				...data,
+				[foreignKey]: parentId,
+				...time()
+			});
+		})
+	}), update = m({
+		args: {
+			...idArgs,
+			...partial.shape
+		},
+		handler: (async (ctx, a) => {
+			const { id, ...rest } = a, data = partial.parse(pickFields(rest, schemaKeys)), doc = await ctx.db.get(id);
+			if (!doc) return err("NOT_FOUND", `${table}:update`);
+			if (!await verifyParentOwnership(ctx, getFK(doc))) return err("NOT_FOUND", `${table}:update`);
+			await dbPatch(ctx.db, id, {
+				...data,
+				...time()
+			});
+			return ctx.db.get(id);
+		})
+	}), rm = m({
+		args: idArgs,
+		handler: (async (ctx, { id }) => {
+			const doc = await ctx.db.get(id);
+			if (!doc) return err("NOT_FOUND", `${table}:rm`);
+			if (!await verifyParentOwnership(ctx, getFK(doc))) return err("NOT_FOUND", `${table}:rm`);
+			await dbDelete(ctx.db, id);
+			return doc;
+		})
+	}), list = q({
+		args: { [foreignKey]: zid(parent) },
+		handler: (async (ctx, a) => {
+			const parentId = a[foreignKey];
+			if (!await verifyParentOwnership(ctx, parentId)) return err("NOT_AUTHORIZED", `${table}:list`);
+			return ctx.db.query(table).withIndex(index, ((i) => i.eq(foreignKey, parentId))).order("asc").collect();
+		})
+	});
+	return {
+		create,
+		get: q({
+			args: idArgs,
+			handler: (async (ctx, { id }) => {
+				const doc = await ctx.db.get(id);
+				if (!doc) return null;
+				if (!await verifyParentOwnership(ctx, getFK(doc))) return err("NOT_AUTHORIZED", `${table}:get`);
+				return doc;
+			})
+		}),
+		list,
+		rm,
+		update
+	};
+};
+
+//#endregion
+//#region src/server/crud.ts
+const makeCrud = ({ builders, options: opt, schema, table }) => {
+	const { m, pq, q } = builders, stringFields = [];
+	for (const k in schema.shape) if (Object.hasOwn(schema.shape, k) && isStringType(unwrapZod(schema.shape[k]).type)) stringFields.push(k);
+	const partial = schema.partial(), bulkIdsSchema = array(zid(table)).max(100), fileFs = detectFiles(schema.shape), wgSchema = partial.extend({ own: boolean().optional() }), wSchema = wgSchema.extend({ or: array(wgSchema).optional() }), wArgs = { where: wSchema.optional() }, ownArg = { own: boolean().optional() }, idArgs = { id: zid(table) }, parseW = (i, fb) => {
+		if (i === void 0) return fb;
+		const r = wSchema.safeParse(i);
+		return r.success ? r.data : errValidation("INVALID_WHERE", r.error);
+	}, defaults = {
+		auth: parseW(opt?.auth?.where),
+		pub: parseW(opt?.pub?.where)
+	}, enrich = async (c, docs) => Promise.all((await c.withAuthor(docs)).map(async (d) => addUrls({
+		doc: d,
+		fileFields: fileFs,
+		storage: c.storage
+	}))), buildExpr = (fb, w, vid) => {
+		let e = null;
+		const and = (x) => {
+			e = e ? fb.and(e, x) : x;
+		};
+		for (const k in w) {
+			if (k === "own") continue;
+			const fv = w[k];
+			if (fv === void 0) continue;
+			const field = fb.field(k);
+			if (isComparisonOp(fv)) {
+				if (fv.$gt !== void 0) and(fb.gt(field, fv.$gt));
+				if (fv.$gte !== void 0) and(fb.gte(field, fv.$gte));
+				if (fv.$lt !== void 0) and(fb.lt(field, fv.$lt));
+				if (fv.$lte !== void 0) and(fb.lte(field, fv.$lte));
+				if (fv.$between !== void 0) {
+					and(fb.gte(field, fv.$between[0]));
+					and(fb.lte(field, fv.$between[1]));
+				}
+			} else and(fb.eq(field, fv));
+		}
+		if (w.own) and(vid ? fb.eq(fb.field("userId"), vid) : fb.eq(true, false));
+		return e;
+	}, canUseOwnIndex = (w) => {
+		if (!w || w.or?.length) return false;
+		const gs = groupList(w);
+		return gs.length === 1 && gs[0]?.own === true;
+	}, startQ = (c, w) => canUseOwnIndex(w) && c.viewerId ? c.db.query(table).withIndex("by_user", ((o) => o.eq("userId", c.viewerId))) : c.db.query(table), applyW = (qr, w, vid) => {
+		let qry = qr;
+		if (opt?.softDelete) qry = qry.filter((fb) => fb.eq(fb.field("deletedAt"), null));
+		const gs = groupList(w);
+		if (!gs.length) return qry;
+		return qry.filter((f) => {
+			let e = null;
+			for (const g of gs) {
+				const ge = buildExpr(f, g, vid);
+				if (ge) e = e ? f.or(e, ge) : ge;
+			}
+			return e ?? true;
+		});
+	}, allH = (fb) => async (c, { where }) => {
+		const w = parseW(where, fb), docs = await applyW(startQ(c, w), w, c.viewerId).order("desc").collect();
+		if (docs.length > 1e3) log("warn", "crud:large_result", {
+			count: docs.length,
+			table,
+			tip: "Use pagination or indexed queries"
+		});
+		return enrich(c, docs);
+	}, listH = (fb) => async (c, { paginationOpts: op, where }) => {
+		const w = parseW(where, fb), { page, ...rest } = await applyW(startQ(c, w), w, c.viewerId).order("desc").paginate(op);
+		return {
+			...rest,
+			page: await enrich(c, page)
+		};
+	}, readH = (fb) => async (c, { id, own, where }) => {
+		const doc = await c.db.get(id), w = parseW(where, fb);
+		if (!doc) return null;
+		if (!matchW(doc, w, c.viewerId)) return null;
+		if (own) {
+			if (!c.viewerId) return null;
+			if (doc.userId !== c.viewerId) return null;
+		}
+		return (await enrich(c, [doc]))[0] ?? null;
+	}, countH = (fb) => async (c, { where }) => {
+		const w = parseW(where, fb), docs = await applyW(startQ(c, w), w, c.viewerId).collect();
+		if (docs.length > 1e3) log("warn", "crud:large_count", {
+			count: docs.length,
+			table,
+			tip: "Use indexed queries for large tables"
+		});
+		return docs.length;
+	}, searchIndexed = async (c, qry, w) => {
+		const filtered = (await c.db.query(table).withSearchIndex("search_field", ((sb) => sb.search("text", qry))).collect()).filter((d) => matchW(d, w, c.viewerId));
+		if (opt?.softDelete) return enrich(c, filtered.filter((d) => !d.deletedAt));
+		return enrich(c, filtered);
+	}, searchH = (fb) => async (c, { fields: fs, query: qry, where }) => {
+		const w = parseW(where, fb);
+		if (opt?.search === "index") return searchIndexed(c, qry, w);
+		const searchFs = fs?.length ? fs : stringFields, lower = qry.toLowerCase(), docs = await applyW(startQ(c, w), w, c.viewerId).order("desc").collect(), matches = docs.filter((d) => {
+			const rec = d;
+			return searchFs.some((f) => {
+				const val = rec[f];
+				if (typeof val !== "string") return false;
+				return val.toLowerCase().includes(lower);
+			});
+		});
+		if (docs.length > 1e3) log("warn", "crud:search_scan", {
+			count: docs.length,
+			table,
+			tip: "Add search: \"index\" for large tables"
+		});
+		return enrich(c, matches);
+	}, readApi = (wrap, fb) => ({
+		all: wrap({
+			args: wArgs,
+			handler: allH(fb)
+		}),
+		count: wrap({
+			args: wArgs,
+			handler: countH(fb)
+		}),
+		list: wrap({
+			args: {
+				paginationOpts: pgOpts,
+				...wArgs
+			},
+			handler: listH(fb)
+		}),
+		read: wrap({
+			args: {
+				...idArgs,
+				...ownArg,
+				...wArgs
+			},
+			handler: readH(fb)
+		}),
+		search: wrap({
+			args: {
+				fields: array(string()).optional(),
+				query: string(),
+				...wArgs
+			},
+			handler: searchH(fb)
+		})
+	}), indexedH = (fb) => async (c, { index, key, value, where }) => {
+		const w = parseW(where, fb);
+		return enrich(c, await applyW(c.db.query(table).withIndex(index, ((i) => i.eq(key, value))), w, c.viewerId).order("desc").collect());
+	}, rmHandler = async (c, { id }) => {
+		if (opt?.cascade !== false) for (const { foreignKey: fk, table: tbl } of cascadeFor(table, builders.children)) for (const r of await c.db.query(tbl).filter((f) => f.eq(f.field(fk), id)).collect()) await dbDelete(c.db, r._id);
+		if (opt?.softDelete) {
+			const doc = await c.db.get(id);
+			if (!doc) {
+				log("warn", "crud:not_found", {
+					id,
+					table
+				});
+				return err("NOT_FOUND", `${table}:rm`);
+			}
+			await dbPatch(c.db, id, { deletedAt: Date.now() });
+			log("info", "crud:delete", {
+				id,
+				soft: true,
+				table
+			});
+			return doc;
+		}
+		const d = await c.delete(id);
+		await cleanFiles({
+			doc: d,
+			fileFields: fileFs,
+			storage: c.storage
+		});
+		log("info", "crud:delete", {
+			id,
+			table
+		});
+		return d;
+	};
+	return {
+		auth: readApi(q, defaults.auth),
+		authIndexed: q({
+			args: {
+				index: string(),
+				key: string(),
+				value: string(),
+				...wArgs
+			},
+			handler: indexedH(defaults.auth)
+		}),
+		bulkRm: m({
+			args: { ids: bulkIdsSchema },
+			handler: (async (c, { ids }) => {
+				if (ids.length > 100) return err("LIMIT_EXCEEDED", `${table}:bulkRm`);
+				let deleted = 0;
+				for (const id of ids) {
+					await rmHandler(c, { id });
+					deleted += 1;
+				}
+				return deleted;
+			})
+		}),
+		bulkUpdate: m({
+			args: {
+				data: partial,
+				ids: bulkIdsSchema
+			},
+			handler: (async (c, args) => {
+				const { data, ids } = args;
+				if (ids.length > 100) return err("LIMIT_EXCEEDED", `${table}:bulkUpdate`);
+				const results = [];
+				for (const id of ids) {
+					const prev = await c.get(id), ret = await c.patch(id, data);
+					await cleanFiles({
+						doc: prev,
+						fileFields: fileFs,
+						next: data,
+						storage: c.storage
+					});
+					results.push(ret);
+				}
+				return results;
+			})
+		}),
+		create: m({
+			args: schema.shape,
+			handler: (async (c, a) => {
+				const id = await c.create(table, a);
+				log("info", "crud:create", {
+					table,
+					userId: c.user._id
+				});
+				return id;
+			})
+		}),
+		pub: readApi(pq, defaults.pub),
+		pubIndexed: pq({
+			args: {
+				index: string(),
+				key: string(),
+				value: string(),
+				...wArgs
+			},
+			handler: indexedH(defaults.pub)
+		}),
+		restore: opt?.softDelete ? m({
+			args: idArgs,
+			handler: (async (c, { id }) => {
+				const doc = await c.get(id);
+				await dbPatch(c.db, id, { deletedAt: null });
+				return {
+					...doc,
+					deletedAt: null
+				};
+			})
+		}) : void 0,
+		rm: m({
+			args: idArgs,
+			handler: (async (c, { id }) => rmHandler(c, { id }))
+		}),
+		update: m({
+			args: {
+				...idArgs,
+				...partial.shape,
+				expectedUpdatedAt: number().optional()
+			},
+			handler: (async (c, a) => {
+				const { expectedUpdatedAt, id, ...rest } = a, patch = rest, prev = await c.get(id), ret = await c.patch(id, patch, expectedUpdatedAt);
+				await cleanFiles({
+					doc: prev,
+					fileFields: fileFs,
+					next: patch,
+					storage: c.storage
+				});
+				log("info", "crud:update", {
+					id,
+					table
+				});
+				return ret;
+			})
+		})
+	};
+};
+
+//#endregion
+//#region src/server/unique.ts
+const makeUnique = ({ field, pq, table }) => pq({
+	args: {
+		exclude: zid(table).optional(),
+		value: string()
+	},
+	handler: (async (c, { exclude, value }) => {
+		const existing = await c.db.query(table).filter((f) => f.eq(f.field(field), value)).first();
+		return !existing || existing._id === exclude;
+	})
+});
+
+//#endregion
+//#region src/server/setup.ts
+const setup = (config) => {
+	const { getAuthUserId } = config, authId = async (c) => getAuthUserId(c), asDb = (c) => c.db, pq = zCustomQuery(config.query, customCtx(async (c) => {
+		const vid = await authId(c), { withAuthor } = readCtx({
+			db: asDb(c),
+			storage: c.storage,
+			viewerId: vid
+		});
+		return {
+			viewerId: vid,
+			withAuthor
+		};
+	})), q = zCustomQuery(config.query, customCtx(async (c) => {
+		const db = asDb(c), user = await getUser({
+			ctx: c,
+			db,
+			getAuthUserId
+		}), { viewerId, withAuthor } = readCtx({
+			db,
+			storage: c.storage,
+			viewerId: user._id
+		});
+		return {
+			get: ownGet(db, user._id),
+			user,
+			viewerId,
+			withAuthor
+		};
+	})), m = zCustomMutation(config.mutation, customCtx(async (c) => {
+		const db = asDb(c), now = time(), user = await getUser({
+			ctx: c,
+			db,
+			getAuthUserId
+		}), get = ownGet(db, user._id);
+		return {
+			create: async (t, d) => dbInsert(db, t, {
+				...d,
+				...now,
+				userId: user._id
+			}),
+			delete: async (id) => {
+				const d = await get(id);
+				await db.delete(id);
+				return d;
+			},
+			get,
+			patch: async (id, data, expectedUpdatedAt) => {
+				const doc = await get(id);
+				if (expectedUpdatedAt !== void 0 && doc.updatedAt !== expectedUpdatedAt) return err("CONFLICT");
+				const up = typeof data === "function" ? await data(doc) : data;
+				await dbPatch(db, id, {
+					...up,
+					...now
+				});
+				return {
+					...doc,
+					...up,
+					...now
+				};
+			},
+			user
+		};
+	})), cq = zCustomQuery(config.query, customCtx(() => ({}))), cm = zCustomMutation(config.mutation, customCtx(() => ({}))), children = config.children ?? {}, crud = (table, schema, opt) => makeCrud({
+		builders: {
+			children,
+			cm,
+			cq,
+			m,
+			pq,
+			q
+		},
+		options: opt,
+		schema,
+		table
+	}), childCrud = (table, meta) => makeChildCrud({
+		builders: {
+			m,
+			q
+		},
+		meta,
+		table
+	}), orgCrud = (table, schema, opt) => makeOrgCrud({
+		builders: {
+			m,
+			q
+		},
+		options: opt,
+		schema,
+		table
+	}), cacheCrud = (opts) => makeCacheCrud({
+		...opts,
+		builders: {
+			action: config.action,
+			cm,
+			cq,
+			internalMutation: config.internalMutation,
+			internalQuery: config.internalQuery,
+			mutation: config.mutation,
+			query: config.query
+		}
+	}), uniqueCheck = (table, field) => makeUnique({
+		field,
+		pq,
+		table
+	});
+	return {
+		cacheCrud,
+		childCrud,
+		cm,
+		cq,
+		crud,
+		m,
+		org: config.orgSchema ? makeOrg({
+			cascadeTables: config.orgCascadeTables,
+			getAuthUserId: config.getAuthUserId,
+			mutation: config.mutation,
+			query: config.query,
+			schema: config.orgSchema
+		}) : void 0,
+		orgCrud,
+		pq,
+		q,
+		uniqueCheck,
+		user: { me: q({ handler: (c) => c.user }) }
+	};
+};
+
+//#endregion
+//#region src/server/test-crud.ts
+const getOrgMembership = async (db, orgId, userId) => {
+	const orgDoc = await db.get(orgId);
+	if (!orgDoc) return null;
+	const isOwner = orgDoc.userId === userId, member = await db.query("orgMember").withIndex("by_org_user", ((q) => q.eq("orgId", orgId).eq("userId", userId))).unique();
+	if (!(isOwner || member)) return null;
+	return {
+		isAdmin: isOwner || member?.isAdmin === true,
+		isOwner,
+		member,
+		orgDoc
+	};
+}, checkAclPermission = (doc, userId, membership) => {
+	const isCreator = doc.userId === userId, isEditor = (doc.editors ?? []).includes(userId);
+	return isCreator || membership.isAdmin || isEditor;
+}, checkChildAclPermission = async (db, doc, parentField, userId, membership) => {
+	if (doc.userId === userId || membership.isAdmin) return true;
+	const parentId = doc[parentField], parent = parentId ? await db.get(parentId) : null;
+	return (parent ? parent.editors ?? [] : []).some((eid) => eid === userId);
+}, addEditorToDoc = async (db, itemId, editorId, orgId) => {
+	const doc = await db.get(itemId);
+	if (doc?.orgId !== orgId) return { code: "NOT_FOUND" };
+	const editors = doc.editors ?? [];
+	if (editors.some((id) => id === editorId)) return doc;
+	await db.patch(itemId, {
+		editors: [...editors, editorId],
+		updatedAt: Date.now()
+	});
+	return db.get(itemId);
+}, removeEditorFromDoc = async (db, itemId, editorId, orgId) => {
+	const doc = await db.get(itemId);
+	if (doc?.orgId !== orgId) return { code: "NOT_FOUND" };
+	const editors = doc.editors ?? [], filtered = [];
+	for (const id of editors) if (id !== editorId) filtered.push(id);
+	await db.patch(itemId, {
+		editors: filtered,
+		updatedAt: Date.now()
+	});
+	return db.get(itemId);
+}, makeOrgTestCrud = (config) => {
+	const { acl, aclFrom, cascade, mutation: rawMut, query: rawQry, table } = config, mutation = rawMut, query = rawQry, hasAcl = acl || Boolean(aclFrom), createAsUser = mutation({
+		args: {
+			data: v.any(),
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { data, orgId, userId }) => {
+			if (!isTestMode()) return null;
+			if (!await getOrgMembership(ctx.db, orgId, userId)) return { code: "NOT_ORG_MEMBER" };
+			return ctx.db.insert(table, {
+				...data,
+				orgId,
+				updatedAt: Date.now(),
+				userId
+			});
+		}
+	}), updateAsUser = mutation({
+		args: {
+			data: v.any(),
+			id: v.string(),
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { data, id, orgId, userId }) => {
+			if (!isTestMode()) return null;
+			const doc = await ctx.db.get(id);
+			if (doc?.orgId !== orgId) return { code: "NOT_FOUND" };
+			const membership = await getOrgMembership(ctx.db, orgId, userId);
+			if (!membership) return { code: "NOT_ORG_MEMBER" };
+			if (hasAcl) {
+				if (!(aclFrom ? await checkChildAclPermission(ctx.db, doc, aclFrom.field, userId, membership) : checkAclPermission(doc, userId, membership))) return { code: "FORBIDDEN" };
+			}
+			await ctx.db.patch(id, {
+				...data,
+				updatedAt: Date.now()
+			});
+			return { success: true };
+		}
+	}), rmAsUser = mutation({
+		args: {
+			id: v.string(),
+			orgId: v.id("org"),
+			userId: v.id("users")
+		},
+		handler: async (ctx, { id, orgId, userId }) => {
+			if (!isTestMode()) return null;
+			const doc = await ctx.db.get(id);
+			if (doc?.orgId !== orgId) return { code: "NOT_FOUND" };
+			const membership = await getOrgMembership(ctx.db, orgId, userId);
+			if (!membership) return { code: "NOT_ORG_MEMBER" };
+			if (hasAcl) {
+				if (!(aclFrom ? await checkChildAclPermission(ctx.db, doc, aclFrom.field, userId, membership) : checkAclPermission(doc, userId, membership))) return { code: "FORBIDDEN" };
+			}
+			if (cascade) for (const { foreignKey, table: childTable } of cascade) {
+				const children = await ctx.db.query(childTable).withIndex("by_parent", ((q) => q.eq(foreignKey, id))).collect();
+				for (const c of children) await ctx.db.delete(c._id);
+			}
+			await ctx.db.delete(id);
+			return { success: true };
+		}
+	}), result = {
+		bulkRmAsUser: mutation({
+			args: {
+				ids: v.array(v.string()),
+				orgId: v.id("org"),
+				userId: v.id("users")
+			},
+			handler: async (ctx, { ids, orgId, userId }) => {
+				if (!isTestMode()) return null;
+				const orgDoc = await ctx.db.get(orgId);
+				if (!orgDoc) return { code: "NOT_FOUND" };
+				const isOwner = orgDoc.userId === userId, member = await ctx.db.query("orgMember").withIndex("by_org_user", ((q) => q.eq("orgId", orgId).eq("userId", userId))).unique();
+				if (!(isOwner || member)) return { code: "NOT_ORG_MEMBER" };
+				if (!(isOwner || member?.isAdmin)) return { code: "INSUFFICIENT_ORG_ROLE" };
+				let count = 0;
+				for (const id of ids) if ((await ctx.db.get(id))?.orgId === orgId) {
+					if (cascade) for (const { foreignKey, table: childTable } of cascade) {
+						const children = await ctx.db.query(childTable).withIndex("by_parent", ((q) => q.eq(foreignKey, id))).collect();
+						for (const c of children) await ctx.db.delete(c._id);
+					}
+					await ctx.db.delete(id);
+					count += 1;
+				}
+				return { count };
+			}
+		}),
+		createAsUser,
+		listAsUser: query({
+			args: {
+				orgId: v.id("org"),
+				userId: v.id("users")
+			},
+			handler: async (ctx, { orgId, userId }) => {
+				if (!isTestMode()) return null;
+				if (!await getOrgMembership(ctx.db, orgId, userId)) return { code: "NOT_ORG_MEMBER" };
+				return ctx.db.query(table).withIndex("by_org", ((q) => q.eq("orgId", orgId))).collect();
+			}
+		}),
+		rmAsUser,
+		updateAsUser
+	};
+	if (hasAcl) {
+		result.addEditorAsUser = mutation({
+			args: {
+				editorId: v.id("users"),
+				itemId: v.string(),
+				orgId: v.id("org"),
+				userId: v.id("users")
+			},
+			handler: async (ctx, { editorId, itemId, orgId, userId }) => {
+				if (!isTestMode()) return null;
+				const membership = await getOrgMembership(ctx.db, orgId, userId);
+				if (!membership) return { code: "NOT_ORG_MEMBER" };
+				if (!membership.isAdmin) return { code: "INSUFFICIENT_ORG_ROLE" };
+				return addEditorToDoc(ctx.db, itemId, editorId, orgId);
+			}
+		});
+		result.removeEditorAsUser = mutation({
+			args: {
+				editorId: v.id("users"),
+				itemId: v.string(),
+				orgId: v.id("org"),
+				userId: v.id("users")
+			},
+			handler: async (ctx, { editorId, itemId, orgId, userId }) => {
+				if (!isTestMode()) return null;
+				const membership = await getOrgMembership(ctx.db, orgId, userId);
+				if (!membership) return { code: "NOT_ORG_MEMBER" };
+				if (!membership.isAdmin) return { code: "INSUFFICIENT_ORG_ROLE" };
+				return removeEditorFromDoc(ctx.db, itemId, editorId, orgId);
+			}
+		});
+	}
+	return result;
+};
+
+//#endregion
+export { baseTable, canEdit, checkSchema, err, getErrorCode, getErrorMessage, getOrgMember, getOrgMembership, getOrgRole, isRecord, makeFileUpload, makeOrg, makeOrgTestCrud, makeTestAuth, orgCascade, orgChildTable, orgTable, orgTables, ownedTable, requireOrgMember, requireOrgRole, setup, time, uploadTables };