npm - or3-provider-sqlite - Versions diffs - 0.0.1 - Mend

or3-provider-sqlite 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/README.md +109 -0
package/dist/module.d.mts +5 -0
package/dist/module.json +9 -0
package/dist/module.mjs +11 -0
package/dist/runtime/server/admin/adapters/sync-sqlite.d.ts +2 -0
package/dist/runtime/server/admin/adapters/sync-sqlite.js +72 -0
package/dist/runtime/server/admin/stores/sqlite-store.d.ts +4 -0
package/dist/runtime/server/admin/stores/sqlite-store.js +336 -0
package/dist/runtime/server/auth/sqlite-auth-workspace-store.d.ts +111 -0
package/dist/runtime/server/auth/sqlite-auth-workspace-store.js +349 -0
package/dist/runtime/server/db/kysely.d.ts +32 -0
package/dist/runtime/server/db/kysely.js +62 -0
package/dist/runtime/server/db/migrate.d.ts +10 -0
package/dist/runtime/server/db/migrate.js +38 -0
package/dist/runtime/server/db/migrations/001_init.d.ts +6 -0
package/dist/runtime/server/db/migrations/001_init.js +31 -0
package/dist/runtime/server/db/migrations/002_sync_tables.d.ts +6 -0
package/dist/runtime/server/db/migrations/002_sync_tables.js +55 -0
package/dist/runtime/server/db/migrations/003_sync_hardening.d.ts +9 -0
package/dist/runtime/server/db/migrations/003_sync_hardening.js +67 -0
package/dist/runtime/server/db/migrations/004_auth_invites.d.ts +3 -0
package/dist/runtime/server/db/migrations/004_auth_invites.js +18 -0
package/dist/runtime/server/db/migrations/005_admin_stores.d.ts +7 -0
package/dist/runtime/server/db/migrations/005_admin_stores.js +12 -0
package/dist/runtime/server/db/schema.d.ts +138 -0
package/dist/runtime/server/db/schema.js +10 -0
package/dist/runtime/server/plugins/register.d.ts +2 -0
package/dist/runtime/server/plugins/register.js +48 -0
package/dist/runtime/server/sync/sqlite-sync-gateway-adapter.d.ts +36 -0
package/dist/runtime/server/sync/sqlite-sync-gateway-adapter.js +366 -0
package/dist/types.d.mts +7 -0
package/package.json +54 -0

package/dist/runtime/server/auth/sqlite-auth-workspace-store.js ADDED Viewed

@@ -0,0 +1,349 @@
+import { getRawDb, getSqliteDb } from "../db/kysely.js";
+import { randomUUID } from "node:crypto";
+function uid() {
+  return randomUUID();
+}
+function nowEpoch() {
+  return Math.floor(Date.now() / 1e3);
+}
+function normalizeEmail(email) {
+  return email.trim().toLowerCase();
+}
+export class SqliteAuthWorkspaceStore {
+  get db() {
+    return getSqliteDb();
+  }
+  async getOrCreateUser(input) {
+    this.db;
+    const raw = getRawDb();
+    const userId = raw.transaction(() => {
+      const existing = raw.prepare(
+        `SELECT user_id
+                         FROM auth_accounts
+                         WHERE provider = ? AND provider_user_id = ?`
+      ).get(input.provider, input.providerUserId);
+      if (existing) {
+        return existing.user_id;
+      }
+      const candidateUserId = uid();
+      const now = nowEpoch();
+      raw.prepare(
+        `INSERT OR IGNORE INTO users (id, email, display_name, active_workspace_id, created_at)
+                     VALUES (?, ?, ?, NULL, ?)`
+      ).run(
+        candidateUserId,
+        input.email ?? null,
+        input.displayName ?? null,
+        now
+      );
+      raw.prepare(
+        `INSERT OR IGNORE INTO auth_accounts (id, user_id, provider, provider_user_id, created_at)
+                     VALUES (?, ?, ?, ?, ?)`
+      ).run(
+        uid(),
+        candidateUserId,
+        input.provider,
+        input.providerUserId,
+        now
+      );
+      const winner = raw.prepare(
+        `SELECT user_id
+                         FROM auth_accounts
+                         WHERE provider = ? AND provider_user_id = ?`
+      ).get(input.provider, input.providerUserId);
+      if (!winner) {
+        throw new Error("Failed to resolve auth account after get-or-create attempt");
+      }
+      if (winner.user_id !== candidateUserId) {
+        raw.prepare(
+          `DELETE FROM users
+                         WHERE id = ?
+                           AND NOT EXISTS (
+                               SELECT 1 FROM auth_accounts WHERE user_id = ?
+                           )`
+        ).run(candidateUserId, candidateUserId);
+      }
+      return winner.user_id;
+    }).immediate();
+    return { userId };
+  }
+  async getUser(input) {
+    const db = this.db;
+    const row = await db.selectFrom("auth_accounts").innerJoin("users", "users.id", "auth_accounts.user_id").select([
+      "users.id as user_id",
+      "users.email as email",
+      "users.display_name as display_name"
+    ]).where("auth_accounts.provider", "=", input.provider).where("auth_accounts.provider_user_id", "=", input.providerUserId).executeTakeFirst();
+    if (!row) return null;
+    return {
+      userId: row.user_id,
+      email: row.email ?? void 0,
+      displayName: row.display_name ?? void 0
+    };
+  }
+  async getOrCreateDefaultWorkspace(userId) {
+    const db = this.db;
+    const activeMembership = await db.selectFrom("users").innerJoin("workspaces", "workspaces.id", "users.active_workspace_id").innerJoin(
+      "workspace_members",
+      (join) => join.onRef(
+        "workspace_members.workspace_id",
+        "=",
+        "workspaces.id"
+      ).onRef("workspace_members.user_id", "=", "users.id")
+    ).select(["workspaces.id", "workspaces.name"]).where("users.id", "=", userId).where("workspaces.deleted", "=", 0).executeTakeFirst();
+    if (activeMembership) {
+      return {
+        workspaceId: activeMembership.id,
+        workspaceName: activeMembership.name
+      };
+    }
+    const membership = await db.selectFrom("workspace_members").innerJoin("workspaces", "workspaces.id", "workspace_members.workspace_id").select([
+      "workspaces.id",
+      "workspaces.name"
+    ]).where("workspace_members.user_id", "=", userId).where("workspaces.deleted", "=", 0).orderBy("workspace_members.created_at", "asc").executeTakeFirst();
+    if (membership) {
+      await db.updateTable("users").set({ active_workspace_id: membership.id }).where("id", "=", userId).execute();
+      return { workspaceId: membership.id, workspaceName: membership.name };
+    }
+    const workspaceId = uid();
+    const memberId = uid();
+    const now = nowEpoch();
+    const name = "My Workspace";
+    await db.transaction().execute(async (tx) => {
+      await tx.insertInto("workspaces").values({
+        id: workspaceId,
+        name,
+        description: null,
+        owner_user_id: userId,
+        created_at: now,
+        deleted: 0,
+        deleted_at: null
+      }).execute();
+      await tx.insertInto("workspace_members").values({
+        id: memberId,
+        workspace_id: workspaceId,
+        user_id: userId,
+        role: "owner",
+        created_at: now
+      }).execute();
+      await tx.updateTable("users").set({ active_workspace_id: workspaceId }).where("id", "=", userId).execute();
+    });
+    return { workspaceId, workspaceName: name };
+  }
+  async getWorkspaceRole(input) {
+    const db = this.db;
+    const member = await db.selectFrom("workspace_members").select("role").where("workspace_id", "=", input.workspaceId).where("user_id", "=", input.userId).executeTakeFirst();
+    if (!member) return null;
+    return member.role;
+  }
+  async listUserWorkspaces(userId) {
+    const db = this.db;
+    const user = await db.selectFrom("users").select("active_workspace_id").where("id", "=", userId).executeTakeFirst();
+    const activeId = user?.active_workspace_id ?? null;
+    const rows = await db.selectFrom("workspace_members").innerJoin("workspaces", "workspaces.id", "workspace_members.workspace_id").select([
+      "workspaces.id",
+      "workspaces.name",
+      "workspaces.description",
+      "workspaces.created_at",
+      "workspace_members.role"
+    ]).where("workspace_members.user_id", "=", userId).where("workspaces.deleted", "=", 0).execute();
+    return rows.map((r) => ({
+      id: r.id,
+      name: r.name,
+      description: r.description,
+      role: r.role,
+      createdAt: r.created_at,
+      isActive: r.id === activeId
+    }));
+  }
+  async createWorkspace(input) {
+    const db = this.db;
+    const workspaceId = uid();
+    const memberId = uid();
+    const now = nowEpoch();
+    await db.transaction().execute(async (tx) => {
+      await tx.insertInto("workspaces").values({
+        id: workspaceId,
+        name: input.name,
+        description: input.description ?? null,
+        owner_user_id: input.userId,
+        created_at: now,
+        deleted: 0,
+        deleted_at: null
+      }).execute();
+      await tx.insertInto("workspace_members").values({
+        id: memberId,
+        workspace_id: workspaceId,
+        user_id: input.userId,
+        role: "owner",
+        created_at: now
+      }).execute();
+    });
+    return { workspaceId };
+  }
+  async updateWorkspace(input) {
+    const db = this.db;
+    const member = await db.selectFrom("workspace_members").select("role").where("workspace_id", "=", input.workspaceId).where("user_id", "=", input.userId).executeTakeFirst();
+    if (!member || member.role === "viewer") {
+      throw new Error("Forbidden: insufficient workspace role");
+    }
+    await db.updateTable("workspaces").set({
+      name: input.name,
+      description: input.description ?? null
+    }).where("id", "=", input.workspaceId).where("deleted", "=", 0).execute();
+  }
+  async removeWorkspace(input) {
+    const db = this.db;
+    const member = await db.selectFrom("workspace_members").select("role").where("workspace_id", "=", input.workspaceId).where("user_id", "=", input.userId).executeTakeFirst();
+    if (!member || member.role !== "owner") {
+      throw new Error("Forbidden: only owner can remove workspace");
+    }
+    const now = nowEpoch();
+    await db.transaction().execute(async (tx) => {
+      await tx.updateTable("workspaces").set({ deleted: 1, deleted_at: now }).where("id", "=", input.workspaceId).execute();
+      const affectedUsers = await tx.selectFrom("users").select("id").where("active_workspace_id", "=", input.workspaceId).execute();
+      for (const affectedUser of affectedUsers) {
+        const next = await tx.selectFrom("workspace_members").innerJoin("workspaces", "workspaces.id", "workspace_members.workspace_id").select("workspaces.id").where("workspace_members.user_id", "=", affectedUser.id).where("workspaces.deleted", "=", 0).where("workspaces.id", "!=", input.workspaceId).executeTakeFirst();
+        await tx.updateTable("users").set({ active_workspace_id: next?.id ?? null }).where("id", "=", affectedUser.id).execute();
+      }
+    });
+  }
+  async setActiveWorkspace(input) {
+    const db = this.db;
+    const member = await db.selectFrom("workspace_members").innerJoin("workspaces", "workspaces.id", "workspace_members.workspace_id").select("workspace_members.id").where("workspace_members.workspace_id", "=", input.workspaceId).where("workspace_members.user_id", "=", input.userId).where("workspaces.deleted", "=", 0).executeTakeFirst();
+    if (!member) {
+      throw new Error("Forbidden: not a member of this workspace");
+    }
+    await db.updateTable("users").set({ active_workspace_id: input.workspaceId }).where("id", "=", input.userId).execute();
+  }
+  async createInvite(input) {
+    const db = this.db;
+    const inviteId = uid();
+    const now = nowEpoch();
+    await db.insertInto("auth_invites").values({
+      id: inviteId,
+      workspace_id: input.workspaceId,
+      email: normalizeEmail(input.email),
+      role: input.role,
+      status: "pending",
+      invited_by_user_id: input.invitedByUserId,
+      token_hash: input.tokenHash,
+      expires_at: input.expiresAt,
+      accepted_at: null,
+      accepted_user_id: null,
+      revoked_at: null,
+      created_at: now,
+      updated_at: now
+    }).execute();
+    return { inviteId };
+  }
+  async listInvites(input) {
+    const db = this.db;
+    const now = nowEpoch();
+    await db.updateTable("auth_invites").set({ status: "expired", updated_at: now }).where("workspace_id", "=", input.workspaceId).where("status", "=", "pending").where("expires_at", "<=", now).execute();
+    let query = db.selectFrom("auth_invites").selectAll().where("workspace_id", "=", input.workspaceId).orderBy("created_at", "desc");
+    if (input.status) {
+      query = query.where("status", "=", input.status);
+    }
+    const rows = await query.limit(Math.max(1, Math.min(input.limit ?? 100, 500))).execute();
+    return rows.map((row) => ({
+      id: row.id,
+      workspaceId: row.workspace_id,
+      email: row.email,
+      role: row.role,
+      status: row.status,
+      invitedByUserId: row.invited_by_user_id,
+      expiresAt: row.expires_at,
+      tokenHash: row.token_hash,
+      acceptedAt: row.accepted_at,
+      acceptedUserId: row.accepted_user_id,
+      revokedAt: row.revoked_at,
+      createdAt: row.created_at,
+      updatedAt: row.updated_at
+    }));
+  }
+  async revokeInvite(input) {
+    const db = this.db;
+    const now = nowEpoch();
+    const row = await db.selectFrom("auth_invites").select(["id", "status"]).where("workspace_id", "=", input.workspaceId).where("id", "=", input.inviteId).executeTakeFirst();
+    if (!row) {
+      throw new Error("Invite not found");
+    }
+    if (row.status !== "pending") return;
+    await db.updateTable("auth_invites").set({
+      status: "revoked",
+      revoked_at: now,
+      updated_at: now
+    }).where("workspace_id", "=", input.workspaceId).where("id", "=", input.inviteId).execute();
+    void input.revokedByUserId;
+  }
+  async consumeInvite(input) {
+    this.db;
+    const raw = getRawDb();
+    const now = nowEpoch();
+    const normalized = normalizeEmail(input.email);
+    return raw.transaction(() => {
+      raw.prepare(
+        `UPDATE auth_invites
+                     SET status = 'expired', updated_at = ?
+                     WHERE workspace_id = ?
+                       AND status = 'pending'
+                       AND expires_at <= ?`
+      ).run(now, input.workspaceId, now);
+      const invite = raw.prepare(
+        `SELECT *
+                         FROM auth_invites
+                         WHERE workspace_id = ?
+                           AND email = ?
+                         ORDER BY created_at ASC
+                         LIMIT 1`
+      ).get(input.workspaceId, normalized);
+      if (!invite) {
+        return { ok: false, reason: "not_found" };
+      }
+      if (invite.status === "revoked") {
+        return { ok: false, reason: "revoked" };
+      }
+      if (invite.status === "accepted") {
+        return { ok: false, reason: "already_used" };
+      }
+      if (invite.status === "expired" || invite.expires_at <= now) {
+        return { ok: false, reason: "expired" };
+      }
+      if (invite.token_hash !== input.tokenHash) {
+        return { ok: false, reason: "token_mismatch" };
+      }
+      raw.prepare(
+        `UPDATE auth_invites
+                     SET status = 'accepted', accepted_at = ?, accepted_user_id = ?, updated_at = ?
+                     WHERE id = ?`
+      ).run(now, input.acceptedUserId, now, invite.id);
+      const existingMember = raw.prepare(
+        `SELECT id FROM workspace_members
+                         WHERE workspace_id = ? AND user_id = ?
+                         LIMIT 1`
+      ).get(input.workspaceId, input.acceptedUserId);
+      if (existingMember) {
+        raw.prepare(
+          `UPDATE workspace_members
+                         SET role = ?
+                         WHERE id = ?`
+        ).run(invite.role, existingMember.id);
+      } else {
+        raw.prepare(
+          `INSERT INTO workspace_members (id, workspace_id, user_id, role, created_at)
+                         VALUES (?, ?, ?, ?, ?)`
+        ).run(uid(), input.workspaceId, input.acceptedUserId, invite.role, now);
+      }
+      raw.prepare(
+        `UPDATE users
+                     SET active_workspace_id = ?
+                     WHERE id = ?`
+      ).run(input.workspaceId, input.acceptedUserId);
+      return { ok: true, role: invite.role };
+    }).immediate();
+  }
+}
+export function createSqliteAuthWorkspaceStore() {
+  return new SqliteAuthWorkspaceStore();
+}

package/dist/runtime/server/db/kysely.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * Kysely singleton for the SQLite provider.
+ *
+ * Creates a single Kysely instance backed by better-sqlite3.
+ * Applies WAL + NORMAL pragmas for safe concurrent reads.
+ */
+import { Kysely } from 'kysely';
+import Database from 'better-sqlite3';
+import type { Or3SqliteDb } from './schema.js';
+export interface SqliteDbOptions {
+    path: string;
+    journalMode?: string;
+    synchronous?: string;
+}
+/**
+ * Get or create the singleton Kysely DB.
+ * First call initializes the connection and sets pragmas.
+ */
+export declare function getSqliteDb(options?: SqliteDbOptions): Kysely<Or3SqliteDb>;
+/**
+ * Get the underlying better-sqlite3 instance for raw transactions.
+ * Only available after getSqliteDb() has been called.
+ */
+export declare function getRawDb(): InstanceType<typeof Database>;
+/**
+ * Destroy the connection (for tests/cleanup).
+ */
+export declare function destroySqliteDb(): Promise<void>;
+/**
+ * Reset the module-level singleton (for tests only).
+ */
+export declare function _resetForTest(): void;

package/dist/runtime/server/db/kysely.js ADDED Viewed

@@ -0,0 +1,62 @@
+import { Kysely, SqliteDialect } from "kysely";
+import Database from "better-sqlite3";
+let instance = null;
+let rawDb = null;
+function envFlag(value) {
+  if (!value) return false;
+  const normalized = value.trim().toLowerCase();
+  return normalized === "1" || normalized === "true" || normalized === "yes";
+}
+export function getSqliteDb(options) {
+  if (instance) return instance;
+  const isTestEnv = process.env.NODE_ENV === "test" || envFlag(process.env.VITEST);
+  const allowInMemory = envFlag(process.env.OR3_SQLITE_ALLOW_IN_MEMORY);
+  const strictMode = envFlag(process.env.OR3_SQLITE_STRICT);
+  const configuredPath = options?.path ?? process.env.OR3_SQLITE_DB_PATH;
+  const path = configuredPath ?? ":memory:";
+  if (!configuredPath && !isTestEnv && !allowInMemory) {
+    throw new Error(
+      "OR3_SQLITE_DB_PATH is required in non-test environments. Set OR3_SQLITE_ALLOW_IN_MEMORY=true only if you intentionally want ephemeral storage."
+    );
+  }
+  if (strictMode && path === ":memory:") {
+    throw new Error(
+      "OR3_SQLITE_STRICT=true forbids in-memory SQLite. Set OR3_SQLITE_DB_PATH to a persistent file path."
+    );
+  }
+  if (!isTestEnv && path === ":memory:" && !allowInMemory) {
+    throw new Error(
+      "Using :memory: in non-test environments requires OR3_SQLITE_ALLOW_IN_MEMORY=true."
+    );
+  }
+  if (!isTestEnv && path === ":memory:" && allowInMemory) {
+    console.warn(
+      "[or3-sqlite] OR3_SQLITE_ALLOW_IN_MEMORY=true enabled. Data will be lost on process restart."
+    );
+  }
+  const journalMode = options?.journalMode ?? process.env.OR3_SQLITE_PRAGMA_JOURNAL_MODE ?? "WAL";
+  const synchronous = options?.synchronous ?? process.env.OR3_SQLITE_PRAGMA_SYNCHRONOUS ?? "NORMAL";
+  rawDb = new Database(path);
+  rawDb.pragma(`journal_mode = ${journalMode}`);
+  rawDb.pragma(`synchronous = ${synchronous}`);
+  rawDb.pragma("foreign_keys = ON");
+  instance = new Kysely({
+    dialect: new SqliteDialect({ database: rawDb })
+  });
+  return instance;
+}
+export function getRawDb() {
+  if (!rawDb) throw new Error("SQLite DB not initialized \u2014 call getSqliteDb() first");
+  return rawDb;
+}
+export async function destroySqliteDb() {
+  if (instance) {
+    await instance.destroy();
+    instance = null;
+    rawDb = null;
+  }
+}
+export function _resetForTest() {
+  instance = null;
+  rawDb = null;
+}

package/dist/runtime/server/db/migrate.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * Migration runner for the SQLite provider.
+ * Runs all migrations in order on module init.
+ */
+import { type Kysely } from 'kysely';
+import type { Or3SqliteDb } from './schema.js';
+/**
+ * Run all pending migrations. Safe to call repeatedly.
+ */
+export declare function runMigrations(db: Kysely<Or3SqliteDb>): Promise<void>;

package/dist/runtime/server/db/migrate.js ADDED Viewed

@@ -0,0 +1,38 @@
+import { Migrator } from "kysely";
+import * as m001 from "./migrations/001_init.js";
+import * as m002 from "./migrations/002_sync_tables.js";
+import * as m003 from "./migrations/003_sync_hardening.js";
+import * as m004 from "./migrations/004_auth_invites.js";
+import * as m005 from "./migrations/005_admin_stores.js";
+const migrations = {
+  "001_init": m001,
+  "002_sync_tables": m002,
+  "003_sync_hardening": m003,
+  "004_auth_invites": m004,
+  "005_admin_stores": m005
+};
+class StaticMigrationProvider {
+  async getMigrations() {
+    return migrations;
+  }
+}
+export async function runMigrations(db) {
+  const migrator = new Migrator({
+    db,
+    provider: new StaticMigrationProvider()
+  });
+  const { error, results } = await migrator.migrateToLatest();
+  if (results?.length) {
+    for (const r of results) {
+      if (r.status === "Success") {
+        console.log(`[or3-sqlite] migration "${r.migrationName}" applied`);
+      } else if (r.status === "Error") {
+        console.error(`[or3-sqlite] migration "${r.migrationName}" failed`);
+      }
+    }
+  }
+  if (error) {
+    console.error("[or3-sqlite] migration error:", error);
+    throw error;
+  }
+}

package/dist/runtime/server/db/migrations/001_init.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Migration 001: Auth and workspace tables.
+ */
+import type { Kysely } from 'kysely';
+export declare function up(db: Kysely<unknown>): Promise<void>;
+export declare function down(db: Kysely<unknown>): Promise<void>;

package/dist/runtime/server/db/migrations/001_init.js ADDED Viewed

@@ -0,0 +1,31 @@
+import { sql } from "kysely";
+export async function up(db) {
+  await db.schema.createTable("users").ifNotExists().addColumn("id", "text", (col) => col.primaryKey()).addColumn("email", "text").addColumn("display_name", "text").addColumn("active_workspace_id", "text").addColumn(
+    "created_at",
+    "integer",
+    (col) => col.notNull().defaultTo(sql`(unixepoch())`)
+  ).execute();
+  await db.schema.createTable("auth_accounts").ifNotExists().addColumn("id", "text", (col) => col.primaryKey()).addColumn("user_id", "text", (col) => col.notNull()).addColumn("provider", "text", (col) => col.notNull()).addColumn("provider_user_id", "text", (col) => col.notNull()).addColumn(
+    "created_at",
+    "integer",
+    (col) => col.notNull().defaultTo(sql`(unixepoch())`)
+  ).execute();
+  await db.schema.createIndex("idx_auth_accounts_provider_uid").ifNotExists().on("auth_accounts").columns(["provider", "provider_user_id"]).unique().execute();
+  await db.schema.createTable("workspaces").ifNotExists().addColumn("id", "text", (col) => col.primaryKey()).addColumn("name", "text", (col) => col.notNull()).addColumn("description", "text").addColumn("owner_user_id", "text", (col) => col.notNull()).addColumn(
+    "created_at",
+    "integer",
+    (col) => col.notNull().defaultTo(sql`(unixepoch())`)
+  ).addColumn("deleted", "integer", (col) => col.notNull().defaultTo(0)).addColumn("deleted_at", "integer").execute();
+  await db.schema.createTable("workspace_members").ifNotExists().addColumn("id", "text", (col) => col.primaryKey()).addColumn("workspace_id", "text", (col) => col.notNull()).addColumn("user_id", "text", (col) => col.notNull()).addColumn("role", "text", (col) => col.notNull().defaultTo("editor")).addColumn(
+    "created_at",
+    "integer",
+    (col) => col.notNull().defaultTo(sql`(unixepoch())`)
+  ).execute();
+  await db.schema.createIndex("idx_workspace_members_ws_user").ifNotExists().on("workspace_members").columns(["workspace_id", "user_id"]).unique().execute();
+}
+export async function down(db) {
+  await db.schema.dropTable("workspace_members").ifExists().execute();
+  await db.schema.dropTable("workspaces").ifExists().execute();
+  await db.schema.dropTable("auth_accounts").ifExists().execute();
+  await db.schema.dropTable("users").ifExists().execute();
+}

package/dist/runtime/server/db/migrations/002_sync_tables.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Migration 002: Sync infrastructure + synced entity tables.
+ */
+import type { Kysely } from 'kysely';
+export declare function up(db: Kysely<unknown>): Promise<void>;
+export declare function down(db: Kysely<unknown>): Promise<void>;

package/dist/runtime/server/db/migrations/002_sync_tables.js ADDED Viewed

@@ -0,0 +1,55 @@
+import { sql } from "kysely";
+const SYNCED_TABLES = [
+  "s_threads",
+  "s_messages",
+  "s_projects",
+  "s_posts",
+  "s_kv",
+  "s_file_meta",
+  "s_notifications"
+];
+export async function up(db) {
+  await db.schema.createTable("server_version_counter").ifNotExists().addColumn("workspace_id", "text", (col) => col.primaryKey()).addColumn("value", "integer", (col) => col.notNull().defaultTo(0)).execute();
+  await db.schema.createTable("change_log").ifNotExists().addColumn("id", "text", (col) => col.primaryKey()).addColumn("workspace_id", "text", (col) => col.notNull()).addColumn("server_version", "integer", (col) => col.notNull()).addColumn("table_name", "text", (col) => col.notNull()).addColumn("pk", "text", (col) => col.notNull()).addColumn("op", "text", (col) => col.notNull()).addColumn("payload_json", "text").addColumn("clock", "integer", (col) => col.notNull()).addColumn("hlc", "text", (col) => col.notNull()).addColumn("device_id", "text", (col) => col.notNull()).addColumn("op_id", "text", (col) => col.notNull()).addColumn(
+    "created_at",
+    "integer",
+    (col) => col.notNull().defaultTo(sql`(unixepoch())`)
+  ).execute();
+  await db.schema.createIndex("idx_change_log_ws_sv").ifNotExists().on("change_log").columns(["workspace_id", "server_version"]).execute();
+  await db.schema.createIndex("idx_change_log_op_id").ifNotExists().on("change_log").columns(["op_id"]).unique().execute();
+  await db.schema.createTable("device_cursors").ifNotExists().addColumn("id", "text", (col) => col.primaryKey()).addColumn("workspace_id", "text", (col) => col.notNull()).addColumn("device_id", "text", (col) => col.notNull()).addColumn("last_seen_version", "integer", (col) => col.notNull().defaultTo(0)).addColumn(
+    "updated_at",
+    "integer",
+    (col) => col.notNull().defaultTo(sql`(unixepoch())`)
+  ).execute();
+  await db.schema.createIndex("idx_device_cursors_ws_device").ifNotExists().on("device_cursors").columns(["workspace_id", "device_id"]).unique().execute();
+  await db.schema.createIndex("idx_device_cursors_ws_version").ifNotExists().on("device_cursors").columns(["workspace_id", "last_seen_version"]).execute();
+  await db.schema.createTable("tombstones").ifNotExists().addColumn("id", "text", (col) => col.primaryKey()).addColumn("workspace_id", "text", (col) => col.notNull()).addColumn("table_name", "text", (col) => col.notNull()).addColumn("pk", "text", (col) => col.notNull()).addColumn("deleted_at", "integer", (col) => col.notNull()).addColumn("clock", "integer", (col) => col.notNull()).addColumn("server_version", "integer", (col) => col.notNull()).addColumn(
+    "created_at",
+    "integer",
+    (col) => col.notNull().defaultTo(sql`(unixepoch())`)
+  ).execute();
+  await db.schema.createIndex("idx_tombstones_ws_sv").ifNotExists().on("tombstones").columns(["workspace_id", "server_version"]).execute();
+  await db.schema.createIndex("idx_tombstones_ws_table_pk").ifNotExists().on("tombstones").columns(["workspace_id", "table_name", "pk"]).unique().execute();
+  for (const tableName of SYNCED_TABLES) {
+    await db.schema.createTable(tableName).ifNotExists().addColumn("id", "text", (col) => col.notNull()).addColumn("workspace_id", "text", (col) => col.notNull()).addColumn("data_json", "text", (col) => col.notNull()).addColumn("clock", "integer", (col) => col.notNull().defaultTo(0)).addColumn("hlc", "text", (col) => col.notNull().defaultTo("")).addColumn("device_id", "text", (col) => col.notNull().defaultTo("")).addColumn("deleted", "integer", (col) => col.notNull().defaultTo(0)).addColumn(
+      "created_at",
+      "integer",
+      (col) => col.notNull().defaultTo(sql`(unixepoch())`)
+    ).addColumn(
+      "updated_at",
+      "integer",
+      (col) => col.notNull().defaultTo(sql`(unixepoch())`)
+    ).addPrimaryKeyConstraint(`${tableName}_pk`, ["workspace_id", "id"]).execute();
+    await db.schema.createIndex(`idx_${tableName}_ws`).ifNotExists().on(tableName).columns(["workspace_id"]).execute();
+  }
+}
+export async function down(db) {
+  for (const tableName of [...SYNCED_TABLES].reverse()) {
+    await db.schema.dropTable(tableName).ifExists().execute();
+  }
+  await db.schema.dropTable("tombstones").ifExists().execute();
+  await db.schema.dropTable("device_cursors").ifExists().execute();
+  await db.schema.dropTable("change_log").ifExists().execute();
+  await db.schema.dropTable("server_version_counter").ifExists().execute();
+}

package/dist/runtime/server/db/migrations/003_sync_hardening.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Migration 003: Harden sync storage keys and tombstone uniqueness.
+ *
+ * - Materialized sync tables move to composite PK (workspace_id, id)
+ * - Tombstones enforce one row per (workspace_id, table_name, pk)
+ */
+import type { Kysely } from 'kysely';
+export declare function up(db: Kysely<unknown>): Promise<void>;
+export declare function down(_db: Kysely<unknown>): Promise<void>;