refactor: enhance manual chunking in Vite config for better code splitting

src/services/storage-admin-repo.ts

@@ -0,0 +1,84 @@
+import type { AuditLog, Invite } from '../types';
+
+export async function createInvite(db: D1Database, invite: Invite): Promise<void> {
+  await db
+    .prepare(
+      'INSERT INTO invites(code, created_by, used_by, expires_at, status, created_at, updated_at) VALUES(?, ?, ?, ?, ?, ?, ?)'
+    )
+    .bind(invite.code, invite.createdBy, invite.usedBy, invite.expiresAt, invite.status, invite.createdAt, invite.updatedAt)
+    .run();
+}
+
+export async function getInvite(db: D1Database, code: string): Promise<Invite | null> {
+  const row = await db
+    .prepare('SELECT code, created_by, used_by, expires_at, status, created_at, updated_at FROM invites WHERE code = ?')
+    .bind(code)
+    .first<any>();
+  if (!row) return null;
+  return {
+    code: row.code,
+    createdBy: row.created_by,
+    usedBy: row.used_by ?? null,
+    expiresAt: row.expires_at,
+    status: row.status,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  };
+}
+
+export async function listInvites(db: D1Database, includeInactive: boolean = false): Promise<Invite[]> {
+  const now = new Date().toISOString();
+  const predicate = includeInactive
+    ? '1 = 1'
+    : "(status = 'active' AND expires_at > ?)";
+  const query =
+    'SELECT code, created_by, used_by, expires_at, status, created_at, updated_at FROM invites ' +
+    `WHERE ${predicate} ORDER BY created_at DESC`;
+  const res = includeInactive
+    ? await db.prepare(query).all<any>()
+    : await db.prepare(query).bind(now).all<any>();
+
+  return (res.results || []).map((row) => ({
+    code: row.code,
+    createdBy: row.created_by,
+    usedBy: row.used_by ?? null,
+    expiresAt: row.expires_at,
+    status: row.status,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  }));
+}
+
+export async function markInviteUsed(db: D1Database, code: string, userId: string): Promise<boolean> {
+  const now = new Date().toISOString();
+  const result = await db
+    .prepare(
+      "UPDATE invites SET status = 'used', used_by = ?, updated_at = ? WHERE code = ? AND status = 'active' AND expires_at > ?"
+    )
+    .bind(userId, now, code, now)
+    .run();
+  return (result.meta.changes ?? 0) > 0;
+}
+
+export async function revokeInvite(db: D1Database, code: string): Promise<boolean> {
+  const now = new Date().toISOString();
+  const result = await db
+    .prepare("UPDATE invites SET status = 'revoked', updated_at = ? WHERE code = ? AND status = 'active'")
+    .bind(now, code)
+    .run();
+  return (result.meta.changes ?? 0) > 0;
+}
+
+export async function deleteAllInvites(db: D1Database): Promise<number> {
+  const result = await db.prepare('DELETE FROM invites').run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function createAuditLog(db: D1Database, log: AuditLog): Promise<void> {
+  await db
+    .prepare(
+      'INSERT INTO audit_logs(id, actor_user_id, action, target_type, target_id, metadata, created_at) VALUES(?, ?, ?, ?, ?, ?, ?)'
+    )
+    .bind(log.id, log.actorUserId, log.action, log.targetType, log.targetId, log.metadata, log.createdAt)
+    .run();
+}

src/services/storage-attachment-repo.ts

@@ -0,0 +1,143 @@
+import type { Attachment, Cipher } from '../types';
+
+type SafeBind = (stmt: D1PreparedStatement, ...values: any[]) => D1PreparedStatement;
+type SqlChunkSize = (fixedBindCount: number) => number;
+type GetCipher = (id: string) => Promise<Cipher | null>;
+type SaveCipher = (cipher: Cipher) => Promise<void>;
+type UpdateRevisionDate = (userId: string) => Promise<string>;
+
+export async function getAttachment(db: D1Database, id: string): Promise<Attachment | null> {
+  const row = await db
+    .prepare('SELECT id, cipher_id, file_name, size, size_name, key FROM attachments WHERE id = ?')
+    .bind(id)
+    .first<any>();
+  if (!row) return null;
+  return {
+    id: row.id,
+    cipherId: row.cipher_id,
+    fileName: row.file_name,
+    size: row.size,
+    sizeName: row.size_name,
+    key: row.key,
+  };
+}
+
+export async function saveAttachment(db: D1Database, safeBind: SafeBind, attachment: Attachment): Promise<void> {
+  const stmt = db.prepare(
+    'INSERT INTO attachments(id, cipher_id, file_name, size, size_name, key) VALUES(?, ?, ?, ?, ?, ?) ' +
+    'ON CONFLICT(id) DO UPDATE SET cipher_id=excluded.cipher_id, file_name=excluded.file_name, size=excluded.size, size_name=excluded.size_name, key=excluded.key'
+  );
+  await safeBind(stmt, attachment.id, attachment.cipherId, attachment.fileName, attachment.size, attachment.sizeName, attachment.key).run();
+}
+
+export async function deleteAttachment(db: D1Database, id: string): Promise<void> {
+  await db.prepare('DELETE FROM attachments WHERE id = ?').bind(id).run();
+}
+
+export async function getAttachmentsByCipher(db: D1Database, cipherId: string): Promise<Attachment[]> {
+  const res = await db
+    .prepare('SELECT id, cipher_id, file_name, size, size_name, key FROM attachments WHERE cipher_id = ?')
+    .bind(cipherId)
+    .all<any>();
+  return (res.results || []).map((r) => ({
+    id: r.id,
+    cipherId: r.cipher_id,
+    fileName: r.file_name,
+    size: r.size,
+    sizeName: r.size_name,
+    key: r.key,
+  }));
+}
+
+export async function getAttachmentsByCipherIds(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  cipherIds: string[]
+): Promise<Map<string, Attachment[]>> {
+  const grouped = new Map<string, Attachment[]>();
+  if (cipherIds.length === 0) return grouped;
+
+  const uniqueCipherIds = [...new Set(cipherIds)];
+  const chunkSize = sqlChunkSize(0);
+
+  for (let i = 0; i < uniqueCipherIds.length; i += chunkSize) {
+    const chunk = uniqueCipherIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    const res = await db
+      .prepare(`SELECT id, cipher_id, file_name, size, size_name, key FROM attachments WHERE cipher_id IN (${placeholders})`)
+      .bind(...chunk)
+      .all<any>();
+
+    for (const row of res.results || []) {
+      const item: Attachment = {
+        id: row.id,
+        cipherId: row.cipher_id,
+        fileName: row.file_name,
+        size: row.size,
+        sizeName: row.size_name,
+        key: row.key,
+      };
+      const list = grouped.get(item.cipherId);
+      if (list) list.push(item);
+      else grouped.set(item.cipherId, [item]);
+    }
+  }
+
+  return grouped;
+}
+
+export async function getAttachmentsByUserId(db: D1Database, userId: string): Promise<Map<string, Attachment[]>> {
+  const grouped = new Map<string, Attachment[]>();
+  const res = await db
+    .prepare(
+      `SELECT a.id, a.cipher_id, a.file_name, a.size, a.size_name, a.key
+       FROM attachments a
+       INNER JOIN ciphers c ON c.id = a.cipher_id
+       WHERE c.user_id = ?`
+    )
+    .bind(userId)
+    .all<any>();
+
+  for (const row of res.results || []) {
+    const item: Attachment = {
+      id: row.id,
+      cipherId: row.cipher_id,
+      fileName: row.file_name,
+      size: row.size,
+      sizeName: row.size_name,
+      key: row.key,
+    };
+    const list = grouped.get(item.cipherId);
+    if (list) list.push(item);
+    else grouped.set(item.cipherId, [item]);
+  }
+
+  return grouped;
+}
+
+export async function addAttachmentToCipher(db: D1Database, cipherId: string, attachmentId: string): Promise<void> {
+  await db.prepare('UPDATE attachments SET cipher_id = ? WHERE id = ?').bind(cipherId, attachmentId).run();
+}
+
+export async function removeAttachmentFromCipher(cipherId: string, attachmentId: string): Promise<void> {
+  void cipherId;
+  void attachmentId;
+}
+
+export async function deleteAllAttachmentsByCipher(db: D1Database, cipherId: string): Promise<void> {
+  await db.prepare('DELETE FROM attachments WHERE cipher_id = ?').bind(cipherId).run();
+}
+
+export async function updateCipherRevisionDate(
+  getCipherById: GetCipher,
+  saveCipherRecord: SaveCipher,
+  updateRevisionDate: UpdateRevisionDate,
+  cipherId: string
+): Promise<{ userId: string; revisionDate: string } | null> {
+  const cipher = await getCipherById(cipherId);
+  if (!cipher) return null;
+  cipher.updatedAt = new Date().toISOString();
+  await saveCipherRecord(cipher);
+  const revisionDate = await updateRevisionDate(cipher.userId);
+  return { userId: cipher.userId, revisionDate };
+}

src/services/storage-attachment-token-repo.ts

@@ -0,0 +1,46 @@
+type ShouldRunPeriodicCleanup = (lastRunAt: number, intervalMs: number) => boolean;
+
+export async function ensureUsedAttachmentDownloadTokenTable(db: D1Database): Promise<void> {
+  await db
+    .prepare(
+      'CREATE TABLE IF NOT EXISTS used_attachment_download_tokens (' +
+        'jti TEXT PRIMARY KEY, ' +
+        'expires_at INTEGER NOT NULL' +
+        ')'
+    )
+    .run();
+}
+
+export async function consumeAttachmentDownloadToken(
+  db: D1Database,
+  shouldRunPeriodicCleanup: ShouldRunPeriodicCleanup,
+  lastCleanupAt: number,
+  cleanupIntervalMs: number,
+  jti: string,
+  expUnixSeconds: number
+): Promise<{ consumed: boolean; cleanedUpAt: number | null }> {
+  const nowMs = Date.now();
+  let cleanedUpAt: number | null = null;
+
+  if (shouldRunPeriodicCleanup(lastCleanupAt, cleanupIntervalMs)) {
+    await db
+      .prepare('DELETE FROM used_attachment_download_tokens WHERE expires_at < ?')
+      .bind(nowMs)
+      .run();
+    cleanedUpAt = nowMs;
+  }
+
+  const expiresAtMs = expUnixSeconds * 1000;
+  const result = await db
+    .prepare(
+      'INSERT INTO used_attachment_download_tokens(jti, expires_at) VALUES(?, ?) ' +
+        'ON CONFLICT(jti) DO NOTHING'
+    )
+    .bind(jti, expiresAtMs)
+    .run();
+
+  return {
+    consumed: (result.meta.changes ?? 0) > 0,
+    cleanedUpAt,
+  };
+}

src/services/storage-cipher-repo.ts

@@ -0,0 +1,227 @@
+import type { Cipher } from '../types';
+
+type SafeBind = (stmt: D1PreparedStatement, ...values: any[]) => D1PreparedStatement;
+type SqlChunkSize = (fixedBindCount: number) => number;
+type UpdateRevisionDate = (userId: string) => Promise<string>;
+
+export async function getCipher(db: D1Database, id: string): Promise<Cipher | null> {
+  const row = await db.prepare('SELECT data FROM ciphers WHERE id = ?').bind(id).first<{ data: string }>();
+  if (!row?.data) return null;
+  try {
+    return JSON.parse(row.data) as Cipher;
+  } catch {
+    console.error('Corrupted cipher data, id:', id);
+    return null;
+  }
+}
+
+export async function saveCipher(db: D1Database, safeBind: SafeBind, cipher: Cipher): Promise<void> {
+  const data = JSON.stringify(cipher);
+  const stmt = db.prepare(
+    'INSERT INTO ciphers(id, user_id, type, folder_id, name, notes, favorite, data, reprompt, key, created_at, updated_at, deleted_at) ' +
+    'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
+    'ON CONFLICT(id) DO UPDATE SET ' +
+    'user_id=excluded.user_id, type=excluded.type, folder_id=excluded.folder_id, name=excluded.name, notes=excluded.notes, favorite=excluded.favorite, data=excluded.data, reprompt=excluded.reprompt, key=excluded.key, updated_at=excluded.updated_at, deleted_at=excluded.deleted_at'
+  );
+  await safeBind(
+    stmt,
+    cipher.id,
+    cipher.userId,
+    Number(cipher.type) || 1,
+    cipher.folderId,
+    cipher.name,
+    cipher.notes,
+    cipher.favorite ? 1 : 0,
+    data,
+    cipher.reprompt ?? 0,
+    cipher.key,
+    cipher.createdAt,
+    cipher.updatedAt,
+    cipher.deletedAt
+  ).run();
+}
+
+export async function deleteCipher(db: D1Database, id: string, userId: string): Promise<void> {
+  await db.prepare('DELETE FROM ciphers WHERE id = ? AND user_id = ?').bind(id, userId).run();
+}
+
+export async function bulkSoftDeleteCiphers(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  updateRevisionDate: UpdateRevisionDate,
+  ids: string[],
+  userId: string
+): Promise<string | null> {
+  if (ids.length === 0) return null;
+  const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
+  if (!uniqueIds.length) return null;
+
+  const now = new Date().toISOString();
+  const patch = JSON.stringify({ deletedAt: now, updatedAt: now });
+  const chunkSize = sqlChunkSize(4);
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db
+      .prepare(
+        `UPDATE ciphers
+         SET deleted_at = ?, updated_at = ?, data = json_patch(data, ?)
+         WHERE user_id = ? AND id IN (${placeholders})`
+      )
+      .bind(now, now, patch, userId, ...chunk)
+      .run();
+  }
+
+  return updateRevisionDate(userId);
+}
+
+export async function bulkRestoreCiphers(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  updateRevisionDate: UpdateRevisionDate,
+  ids: string[],
+  userId: string
+): Promise<string | null> {
+  if (ids.length === 0) return null;
+  const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
+  if (!uniqueIds.length) return null;
+
+  const now = new Date().toISOString();
+  const patch = JSON.stringify({ deletedAt: null, updatedAt: now });
+  const chunkSize = sqlChunkSize(3);
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db
+      .prepare(
+        `UPDATE ciphers
+         SET deleted_at = NULL, updated_at = ?, data = json_patch(data, ?)
+         WHERE user_id = ? AND id IN (${placeholders})`
+      )
+      .bind(now, patch, userId, ...chunk)
+      .run();
+  }
+
+  return updateRevisionDate(userId);
+}
+
+export async function bulkDeleteCiphers(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  updateRevisionDate: UpdateRevisionDate,
+  ids: string[],
+  userId: string
+): Promise<string | null> {
+  if (ids.length === 0) return null;
+  const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
+  if (!uniqueIds.length) return null;
+
+  const chunkSize = sqlChunkSize(1);
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db.prepare(`DELETE FROM ciphers WHERE user_id = ? AND id IN (${placeholders})`).bind(userId, ...chunk).run();
+  }
+
+  return updateRevisionDate(userId);
+}
+
+export async function getAllCiphers(db: D1Database, userId: string): Promise<Cipher[]> {
+  const res = await db.prepare('SELECT data FROM ciphers WHERE user_id = ? ORDER BY updated_at DESC').bind(userId).all<{ data: string }>();
+  return (res.results || []).flatMap((r) => {
+    try {
+      return [JSON.parse(r.data) as Cipher];
+    } catch {
+      return [];
+    }
+  });
+}
+
+export async function getCiphersPage(
+  db: D1Database,
+  userId: string,
+  includeDeleted: boolean,
+  limit: number,
+  offset: number
+): Promise<Cipher[]> {
+  const whereDeleted = includeDeleted ? '' : 'AND deleted_at IS NULL';
+  const res = await db
+    .prepare(
+      `SELECT data FROM ciphers
+       WHERE user_id = ?
+       ${whereDeleted}
+       ORDER BY updated_at DESC
+       LIMIT ? OFFSET ?`
+    )
+    .bind(userId, limit, offset)
+    .all<{ data: string }>();
+  return (res.results || []).flatMap((r) => {
+    try {
+      return [JSON.parse(r.data) as Cipher];
+    } catch {
+      return [];
+    }
+  });
+}
+
+export async function getCiphersByIds(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  ids: string[],
+  userId: string
+): Promise<Cipher[]> {
+  if (ids.length === 0) return [];
+  const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
+  if (!uniqueIds.length) return [];
+
+  const chunkSize = sqlChunkSize(1);
+  const out: Cipher[] = [];
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    const stmt = db.prepare(`SELECT data FROM ciphers WHERE user_id = ? AND id IN (${placeholders})`);
+    const res = await stmt.bind(userId, ...chunk).all<{ data: string }>();
+    out.push(
+      ...(res.results || []).flatMap((r) => {
+        try {
+          return [JSON.parse(r.data) as Cipher];
+        } catch {
+          return [];
+        }
+      })
+    );
+  }
+  return out;
+}
+
+export async function bulkMoveCiphers(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  updateRevisionDate: UpdateRevisionDate,
+  ids: string[],
+  folderId: string | null,
+  userId: string
+): Promise<string | null> {
+  if (ids.length === 0) return null;
+  const now = new Date().toISOString();
+  const uniqueIds = Array.from(new Set(ids));
+  const patch = JSON.stringify({ folderId, updatedAt: now });
+  const chunkSize = sqlChunkSize(4);
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db
+      .prepare(
+        `UPDATE ciphers
+         SET folder_id = ?, updated_at = ?, data = json_patch(data, ?)
+         WHERE user_id = ? AND id IN (${placeholders})`
+      )
+      .bind(folderId, now, patch, userId, ...chunk)
+      .run();
+  }
+
+  return updateRevisionDate(userId);
+}

src/services/storage-config-repo.ts

@@ -0,0 +1,22 @@
+export async function isRegistered(db: D1Database): Promise<boolean> {
+  const row = await db.prepare('SELECT value FROM config WHERE key = ?').bind('registered').first<{ value: string }>();
+  return row?.value === 'true';
+}
+
+export async function getConfigValue(db: D1Database, key: string): Promise<string | null> {
+  const row = await db.prepare('SELECT value FROM config WHERE key = ?').bind(key).first<{ value: string }>();
+  return typeof row?.value === 'string' ? row.value : null;
+}
+
+export async function setConfigValue(db: D1Database, key: string, value: string): Promise<void> {
+  await db
+    .prepare('INSERT INTO config(key, value) VALUES(?, ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value')
+    .bind(key, value)
+    .run();
+}
+
+export async function setRegistered(db: D1Database): Promise<void> {
+  await db.prepare('INSERT INTO config(key, value) VALUES(?, ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value')
+    .bind('registered', 'true')
+    .run();
+}

src/services/storage-device-repo.ts

@@ -0,0 +1,165 @@
+import type { Device, TrustedDeviceTokenSummary, User } from '../types';
+
+type GetUserByEmail = (email: string) => Promise<User | null>;
+type TrustedTokenKeyFn = (token: string) => Promise<string>;
+
+function mapDeviceRow(row: any): Device {
+  return {
+    userId: row.user_id,
+    deviceIdentifier: row.device_identifier,
+    name: row.name,
+    type: row.type,
+    sessionStamp: row.session_stamp || '',
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  };
+}
+
+export async function upsertDevice(
+  db: D1Database,
+  getDeviceById: (userId: string, deviceIdentifier: string) => Promise<Device | null>,
+  userId: string,
+  deviceIdentifier: string,
+  name: string,
+  type: number,
+  sessionStamp?: string
+): Promise<void> {
+  const now = new Date().toISOString();
+  const effectiveSessionStamp = String(sessionStamp || '').trim() || (await getDeviceById(userId, deviceIdentifier))?.sessionStamp || '';
+  await db
+    .prepare(
+      'INSERT INTO devices(user_id, device_identifier, name, type, session_stamp, banned, banned_at, created_at, updated_at) VALUES(?, ?, ?, ?, ?, 0, NULL, ?, ?) ' +
+        'ON CONFLICT(user_id, device_identifier) DO UPDATE SET name=excluded.name, type=excluded.type, session_stamp=excluded.session_stamp, updated_at=excluded.updated_at'
+    )
+    .bind(userId, deviceIdentifier, name, type, effectiveSessionStamp, now, now)
+    .run();
+}
+
+export async function isKnownDevice(db: D1Database, userId: string, deviceIdentifier: string): Promise<boolean> {
+  const row = await db
+    .prepare('SELECT 1 FROM devices WHERE user_id = ? AND device_identifier = ? LIMIT 1')
+    .bind(userId, deviceIdentifier)
+    .first<{ '1': number }>();
+  return !!row;
+}
+
+export async function isKnownDeviceByEmail(
+  getUserByEmail: GetUserByEmail,
+  isKnownDeviceForUser: (userId: string, deviceIdentifier: string) => Promise<boolean>,
+  email: string,
+  deviceIdentifier: string
+): Promise<boolean> {
+  const user = await getUserByEmail(email);
+  if (!user) return false;
+  return isKnownDeviceForUser(user.id, deviceIdentifier);
+}
+
+export async function getDevicesByUserId(db: D1Database, userId: string): Promise<Device[]> {
+  const res = await db
+    .prepare(
+      'SELECT user_id, device_identifier, name, type, session_stamp, banned, banned_at, created_at, updated_at ' +
+        'FROM devices WHERE user_id = ? ORDER BY updated_at DESC'
+    )
+    .bind(userId)
+    .all<any>();
+  return (res.results || []).map(mapDeviceRow);
+}
+
+export async function getDevice(db: D1Database, userId: string, deviceIdentifier: string): Promise<Device | null> {
+  const row = await db
+    .prepare(
+      'SELECT user_id, device_identifier, name, type, session_stamp, banned, banned_at, created_at, updated_at ' +
+        'FROM devices WHERE user_id = ? AND device_identifier = ? LIMIT 1'
+    )
+    .bind(userId, deviceIdentifier)
+    .first<any>();
+  return row ? mapDeviceRow(row) : null;
+}
+
+export async function deleteDevice(db: D1Database, userId: string, deviceIdentifier: string): Promise<boolean> {
+  const result = await db
+    .prepare('DELETE FROM devices WHERE user_id = ? AND device_identifier = ?')
+    .bind(userId, deviceIdentifier)
+    .run();
+  return Number(result.meta.changes ?? 0) > 0;
+}
+
+export async function deleteDevicesByUserId(db: D1Database, userId: string): Promise<number> {
+  const result = await db.prepare('DELETE FROM devices WHERE user_id = ?').bind(userId).run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function getTrustedDeviceTokenSummariesByUserId(db: D1Database, userId: string): Promise<TrustedDeviceTokenSummary[]> {
+  const now = Date.now();
+  await db.prepare('DELETE FROM trusted_two_factor_device_tokens WHERE expires_at < ?').bind(now).run();
+
+  const res = await db
+    .prepare(
+      'SELECT device_identifier, MAX(expires_at) AS expires_at, COUNT(*) AS token_count ' +
+        'FROM trusted_two_factor_device_tokens WHERE user_id = ? GROUP BY device_identifier ORDER BY expires_at DESC'
+    )
+    .bind(userId)
+    .all<any>();
+
+  return (res.results || []).map((row) => ({
+    deviceIdentifier: row.device_identifier,
+    expiresAt: Number(row.expires_at || 0),
+    tokenCount: Number(row.token_count || 0),
+  }));
+}
+
+export async function deleteTrustedTwoFactorTokensByDevice(db: D1Database, userId: string, deviceIdentifier: string): Promise<number> {
+  const result = await db
+    .prepare('DELETE FROM trusted_two_factor_device_tokens WHERE user_id = ? AND device_identifier = ?')
+    .bind(userId, deviceIdentifier)
+    .run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function deleteTrustedTwoFactorTokensByUserId(db: D1Database, userId: string): Promise<number> {
+  const result = await db
+    .prepare('DELETE FROM trusted_two_factor_device_tokens WHERE user_id = ?')
+    .bind(userId)
+    .run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function saveTrustedTwoFactorDeviceToken(
+  db: D1Database,
+  trustedTokenKey: TrustedTokenKeyFn,
+  token: string,
+  userId: string,
+  deviceIdentifier: string,
+  expiresAtMs: number
+): Promise<void> {
+  const tokenKey = await trustedTokenKey(token);
+  await db.prepare('DELETE FROM trusted_two_factor_device_tokens WHERE expires_at < ?').bind(Date.now()).run();
+  await db
+    .prepare(
+      'INSERT INTO trusted_two_factor_device_tokens(token, user_id, device_identifier, expires_at) VALUES(?, ?, ?, ?) ' +
+        'ON CONFLICT(token) DO UPDATE SET user_id=excluded.user_id, device_identifier=excluded.device_identifier, expires_at=excluded.expires_at'
+    )
+    .bind(tokenKey, userId, deviceIdentifier, expiresAtMs)
+    .run();
+}
+
+export async function getTrustedTwoFactorDeviceTokenUserId(
+  db: D1Database,
+  trustedTokenKey: TrustedTokenKeyFn,
+  token: string,
+  deviceIdentifier: string
+): Promise<string | null> {
+  const now = Date.now();
+  const tokenKey = await trustedTokenKey(token);
+  const row = await db
+    .prepare('SELECT user_id, expires_at FROM trusted_two_factor_device_tokens WHERE token = ? AND device_identifier = ?')
+    .bind(tokenKey, deviceIdentifier)
+    .first<{ user_id: string; expires_at: number }>();
+
+  if (!row) return null;
+  if (row.expires_at && row.expires_at < now) {
+    await db.prepare('DELETE FROM trusted_two_factor_device_tokens WHERE token = ?').bind(tokenKey).run();
+    return null;
+  }
+  return row.user_id;
+}

src/services/storage-folder-repo.ts

@@ -0,0 +1,120 @@
+import type { Cipher, Folder } from '../types';
+
+function mapFolderRow(row: any): Folder {
+  return {
+    id: row.id,
+    userId: row.user_id,
+    name: row.name,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  };
+}
+
+export async function getFolder(db: D1Database, id: string): Promise<Folder | null> {
+  const row = await db
+    .prepare('SELECT id, user_id, name, created_at, updated_at FROM folders WHERE id = ?')
+    .bind(id)
+    .first<any>();
+  if (!row) return null;
+  return mapFolderRow(row);
+}
+
+export async function saveFolder(db: D1Database, folder: Folder): Promise<void> {
+  await db
+    .prepare(
+      'INSERT INTO folders(id, user_id, name, created_at, updated_at) VALUES(?, ?, ?, ?, ?) ' +
+      'ON CONFLICT(id) DO UPDATE SET user_id=excluded.user_id, name=excluded.name, updated_at=excluded.updated_at'
+    )
+    .bind(folder.id, folder.userId, folder.name, folder.createdAt, folder.updatedAt)
+    .run();
+}
+
+export async function deleteFolder(db: D1Database, id: string, userId: string): Promise<void> {
+  await db.prepare('DELETE FROM folders WHERE id = ? AND user_id = ?').bind(id, userId).run();
+}
+
+export async function clearFolderFromCiphers(
+  db: D1Database,
+  userId: string,
+  folderId: string,
+  saveCipher: (cipher: Cipher) => Promise<void>
+): Promise<void> {
+  const now = new Date().toISOString();
+  const res = await db
+    .prepare('SELECT data FROM ciphers WHERE user_id = ? AND folder_id = ?')
+    .bind(userId, folderId)
+    .all<{ data: string }>();
+
+  for (const row of (res.results || [])) {
+    let cipher: Cipher;
+    try {
+      cipher = JSON.parse(row.data) as Cipher;
+    } catch {
+      continue;
+    }
+    cipher.folderId = null;
+    cipher.updatedAt = now;
+    await saveCipher(cipher);
+  }
+}
+
+export async function bulkDeleteFolders(
+  db: D1Database,
+  userId: string,
+  ids: string[],
+  sqlChunkSize: (fixedBindCount: number) => number,
+  saveCipher: (cipher: Cipher) => Promise<void>,
+  updateRevisionDate: (userId: string) => Promise<string>
+): Promise<string | null> {
+  const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
+  if (!uniqueIds.length) return null;
+
+  const chunkSize = sqlChunkSize(1);
+  const now = new Date().toISOString();
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    const res = await db
+      .prepare(`SELECT data FROM ciphers WHERE user_id = ? AND folder_id IN (${placeholders})`)
+      .bind(userId, ...chunk)
+      .all<{ data: string }>();
+
+    for (const row of res.results || []) {
+      let cipher: Cipher;
+      try {
+        cipher = JSON.parse(row.data) as Cipher;
+      } catch {
+        continue;
+      }
+      cipher.folderId = null;
+      cipher.updatedAt = now;
+      await saveCipher(cipher);
+    }
+
+    await db
+      .prepare(`DELETE FROM folders WHERE user_id = ? AND id IN (${placeholders})`)
+      .bind(userId, ...chunk)
+      .run();
+  }
+
+  return updateRevisionDate(userId);
+}
+
+export async function getAllFolders(db: D1Database, userId: string): Promise<Folder[]> {
+  const res = await db
+    .prepare('SELECT id, user_id, name, created_at, updated_at FROM folders WHERE user_id = ? ORDER BY updated_at DESC')
+    .bind(userId)
+    .all<any>();
+  return (res.results || []).map((row) => mapFolderRow(row));
+}
+
+export async function getFoldersPage(db: D1Database, userId: string, limit: number, offset: number): Promise<Folder[]> {
+  const res = await db
+    .prepare(
+      'SELECT id, user_id, name, created_at, updated_at FROM folders WHERE user_id = ? ORDER BY updated_at DESC LIMIT ? OFFSET ?'
+    )
+    .bind(userId, limit, offset)
+    .all<any>();
+  return (res.results || []).map((row) => mapFolderRow(row));
+}

src/services/storage-refresh-token-repo.ts

@@ -0,0 +1,135 @@
+import type { RefreshTokenRecord } from '../types';
+
+type RefreshTokenKeyFn = (token: string) => Promise<string>;
+type CleanupExpiredFn = (nowMs: number) => Promise<void>;
+
+export async function saveRefreshToken(
+  db: D1Database,
+  refreshTokenKey: RefreshTokenKeyFn,
+  maybeCleanupExpiredRefreshTokens: CleanupExpiredFn,
+  token: string,
+  userId: string,
+  expiresAtMs: number,
+  deviceIdentifier?: string | null,
+  deviceSessionStamp?: string | null
+): Promise<void> {
+  await maybeCleanupExpiredRefreshTokens(Date.now());
+  const tokenKey = await refreshTokenKey(token);
+  await db
+    .prepare(
+      'INSERT INTO refresh_tokens(token, user_id, expires_at, device_identifier, device_session_stamp) VALUES(?, ?, ?, ?, ?) ' +
+        'ON CONFLICT(token) DO UPDATE SET user_id=excluded.user_id, expires_at=excluded.expires_at, device_identifier=excluded.device_identifier, device_session_stamp=excluded.device_session_stamp'
+    )
+    .bind(tokenKey, userId, expiresAtMs, deviceIdentifier ?? null, deviceSessionStamp ?? null)
+    .run();
+}
+
+export async function getRefreshTokenRecord(
+  db: D1Database,
+  refreshTokenKey: RefreshTokenKeyFn,
+  maybeCleanupExpiredRefreshTokens: CleanupExpiredFn,
+  saveRefreshTokenRecord: (
+    token: string,
+    userId: string,
+    expiresAtMs?: number,
+    deviceIdentifier?: string | null,
+    deviceSessionStamp?: string | null
+  ) => Promise<void>,
+  deleteRefreshTokenRecord: (token: string) => Promise<void>,
+  token: string
+): Promise<RefreshTokenRecord | null> {
+  const now = Date.now();
+  await maybeCleanupExpiredRefreshTokens(now);
+  const tokenKey = await refreshTokenKey(token);
+
+  let row = await db
+    .prepare('SELECT user_id, expires_at, device_identifier, device_session_stamp FROM refresh_tokens WHERE token = ?')
+    .bind(tokenKey)
+    .first<{ user_id: string; expires_at: number; device_identifier: string | null; device_session_stamp: string | null }>();
+
+  if (!row) {
+    const legacyRow = await db
+      .prepare('SELECT user_id, expires_at, device_identifier, device_session_stamp FROM refresh_tokens WHERE token = ?')
+      .bind(token)
+      .first<{ user_id: string; expires_at: number; device_identifier: string | null; device_session_stamp: string | null }>();
+
+    if (legacyRow) {
+      if (legacyRow.expires_at && legacyRow.expires_at < now) {
+        await deleteRefreshTokenRecord(token);
+        return null;
+      }
+      await saveRefreshTokenRecord(
+        token,
+        legacyRow.user_id,
+        legacyRow.expires_at,
+        legacyRow.device_identifier ?? null,
+        legacyRow.device_session_stamp ?? null
+      );
+      await db.prepare('DELETE FROM refresh_tokens WHERE token = ?').bind(token).run();
+      return {
+        userId: legacyRow.user_id,
+        expiresAt: legacyRow.expires_at,
+        deviceIdentifier: legacyRow.device_identifier ?? null,
+        deviceSessionStamp: legacyRow.device_session_stamp ?? null,
+      };
+    }
+  }
+
+  if (!row) return null;
+  if (row.expires_at && row.expires_at < now) {
+    await deleteRefreshTokenRecord(token);
+    return null;
+  }
+  return {
+    userId: row.user_id,
+    expiresAt: row.expires_at,
+    deviceIdentifier: row.device_identifier ?? null,
+    deviceSessionStamp: row.device_session_stamp ?? null,
+  };
+}
+
+export async function deleteRefreshToken(db: D1Database, refreshTokenKey: RefreshTokenKeyFn, token: string): Promise<void> {
+  const tokenKey = await refreshTokenKey(token);
+  await db.prepare('DELETE FROM refresh_tokens WHERE token = ?').bind(token).run();
+  await db.prepare('DELETE FROM refresh_tokens WHERE token = ?').bind(tokenKey).run();
+}
+
+export async function deleteRefreshTokensByUserId(db: D1Database, userId: string): Promise<number> {
+  const result = await db.prepare('DELETE FROM refresh_tokens WHERE user_id = ?').bind(userId).run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function deleteRefreshTokensByDevice(db: D1Database, userId: string, deviceIdentifier: string): Promise<number> {
+  const result = await db
+    .prepare('DELETE FROM refresh_tokens WHERE user_id = ? AND device_identifier = ?')
+    .bind(userId, deviceIdentifier)
+    .run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function constrainRefreshTokenExpiry(
+  db: D1Database,
+  refreshTokenKey: RefreshTokenKeyFn,
+  token: string,
+  maxExpiresAtMs: number
+): Promise<void> {
+  const tokenKey = await refreshTokenKey(token);
+
+  await db
+    .prepare(
+      'UPDATE refresh_tokens ' +
+        'SET expires_at = CASE WHEN expires_at > ? THEN ? ELSE expires_at END ' +
+        'WHERE token = ?'
+    )
+    .bind(maxExpiresAtMs, maxExpiresAtMs, tokenKey)
+    .run();
+
+  await db
+    .prepare(
+      'UPDATE refresh_tokens ' +
+        'SET expires_at = CASE WHEN expires_at > ? THEN ? ELSE expires_at END ' +
+        'WHERE token = ?'
+    )
+    .bind(maxExpiresAtMs, maxExpiresAtMs, token)
+    .run();
+}

src/services/storage-revision-repo.ts

@@ -0,0 +1,31 @@
+export async function getRevisionDate(db: D1Database, userId: string): Promise<string> {
+  const row = await db
+    .prepare('SELECT revision_date FROM user_revisions WHERE user_id = ?')
+    .bind(userId)
+    .first<{ revision_date: string }>();
+
+  if (row?.revision_date) return row.revision_date;
+
+  const date = new Date().toISOString();
+  await db
+    .prepare(
+      'INSERT INTO user_revisions(user_id, revision_date) VALUES(?, ?) ' +
+        'ON CONFLICT(user_id) DO NOTHING'
+    )
+    .bind(userId, date)
+    .run();
+
+  return date;
+}
+
+export async function updateRevisionDate(db: D1Database, userId: string): Promise<string> {
+  const date = new Date().toISOString();
+  await db
+    .prepare(
+      'INSERT INTO user_revisions(user_id, revision_date) VALUES(?, ?) ' +
+        'ON CONFLICT(user_id) DO UPDATE SET revision_date = excluded.revision_date'
+    )
+    .bind(userId, date)
+    .run();
+  return date;
+}

src/services/storage-send-repo.ts

@@ -0,0 +1,163 @@
+import type { Send } from '../types';
+
+type SafeBind = (stmt: D1PreparedStatement, ...values: any[]) => D1PreparedStatement;
+type SqlChunkSize = (fixedBindCount: number) => number;
+type UpdateRevisionDate = (userId: string) => Promise<string>;
+
+function mapSendRow(row: any): Send {
+  return {
+    id: row.id,
+    userId: row.user_id,
+    type: row.type,
+    name: row.name,
+    notes: row.notes,
+    data: row.data,
+    key: row.key,
+    passwordHash: row.password_hash,
+    passwordSalt: row.password_salt,
+    passwordIterations: row.password_iterations,
+    authType: row.auth_type ?? 0,
+    emails: row.emails ?? null,
+    maxAccessCount: row.max_access_count,
+    accessCount: row.access_count,
+    disabled: !!row.disabled,
+    hideEmail: row.hide_email === null || row.hide_email === undefined ? null : !!row.hide_email,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+    expirationDate: row.expiration_date,
+    deletionDate: row.deletion_date,
+  };
+}
+
+export async function getSend(db: D1Database, id: string): Promise<Send | null> {
+  const row = await db
+    .prepare(
+      'SELECT id, user_id, type, name, notes, data, key, password_hash, password_salt, password_iterations, auth_type, emails, max_access_count, access_count, disabled, hide_email, created_at, updated_at, expiration_date, deletion_date FROM sends WHERE id = ?'
+    )
+    .bind(id)
+    .first<any>();
+  if (!row) return null;
+  return mapSendRow(row);
+}
+
+export async function saveSend(db: D1Database, safeBind: SafeBind, send: Send): Promise<void> {
+  const stmt = db.prepare(
+    'INSERT INTO sends(id, user_id, type, name, notes, data, key, password_hash, password_salt, password_iterations, auth_type, emails, max_access_count, access_count, disabled, hide_email, created_at, updated_at, expiration_date, deletion_date) ' +
+    'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
+    'ON CONFLICT(id) DO UPDATE SET ' +
+    'user_id=excluded.user_id, type=excluded.type, name=excluded.name, notes=excluded.notes, data=excluded.data, key=excluded.key, ' +
+    'password_hash=excluded.password_hash, password_salt=excluded.password_salt, password_iterations=excluded.password_iterations, auth_type=excluded.auth_type, emails=excluded.emails, ' +
+    'max_access_count=excluded.max_access_count, access_count=excluded.access_count, disabled=excluded.disabled, hide_email=excluded.hide_email, ' +
+    'updated_at=excluded.updated_at, expiration_date=excluded.expiration_date, deletion_date=excluded.deletion_date'
+  );
+
+  await safeBind(
+    stmt,
+    send.id,
+    send.userId,
+    Number(send.type) || 0,
+    send.name,
+    send.notes,
+    send.data,
+    send.key,
+    send.passwordHash,
+    send.passwordSalt,
+    send.passwordIterations,
+    send.authType,
+    send.emails,
+    send.maxAccessCount,
+    send.accessCount,
+    send.disabled ? 1 : 0,
+    send.hideEmail === null || send.hideEmail === undefined ? null : send.hideEmail ? 1 : 0,
+    send.createdAt,
+    send.updatedAt,
+    send.expirationDate,
+    send.deletionDate
+  ).run();
+}
+
+export async function incrementSendAccessCount(db: D1Database, sendId: string): Promise<boolean> {
+  const now = new Date().toISOString();
+  const result = await db
+    .prepare(
+      'UPDATE sends SET access_count = access_count + 1, updated_at = ? ' +
+      'WHERE id = ? AND (max_access_count IS NULL OR access_count < max_access_count)'
+    )
+    .bind(now, sendId)
+    .run();
+  return (result.meta.changes ?? 0) > 0;
+}
+
+export async function deleteSend(db: D1Database, id: string, userId: string): Promise<void> {
+  await db.prepare('DELETE FROM sends WHERE id = ? AND user_id = ?').bind(id, userId).run();
+}
+
+export async function getSendsByIds(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  ids: string[],
+  userId: string
+): Promise<Send[]> {
+  if (ids.length === 0) return [];
+  const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
+  if (!uniqueIds.length) return [];
+  const chunkSize = sqlChunkSize(1);
+  const out: Send[] = [];
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    const res = await db
+      .prepare(
+        `SELECT id, user_id, type, name, notes, data, key, password_hash, password_salt, password_iterations, auth_type, emails, max_access_count, access_count, disabled, hide_email, created_at, updated_at, expiration_date, deletion_date
+         FROM sends
+         WHERE user_id = ? AND id IN (${placeholders})`
+      )
+      .bind(userId, ...chunk)
+      .all<any>();
+    out.push(...(res.results || []).map((row) => mapSendRow(row)));
+  }
+
+  return out;
+}
+
+export async function bulkDeleteSends(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  updateRevisionDate: UpdateRevisionDate,
+  ids: string[],
+  userId: string
+): Promise<string | null> {
+  if (ids.length === 0) return null;
+  const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
+  if (!uniqueIds.length) return null;
+  const chunkSize = sqlChunkSize(1);
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db.prepare(`DELETE FROM sends WHERE user_id = ? AND id IN (${placeholders})`).bind(userId, ...chunk).run();
+  }
+
+  return updateRevisionDate(userId);
+}
+
+export async function getAllSends(db: D1Database, userId: string): Promise<Send[]> {
+  const res = await db
+    .prepare(
+      'SELECT id, user_id, type, name, notes, data, key, password_hash, password_salt, password_iterations, auth_type, emails, max_access_count, access_count, disabled, hide_email, created_at, updated_at, expiration_date, deletion_date FROM sends WHERE user_id = ? ORDER BY updated_at DESC'
+    )
+    .bind(userId)
+    .all<any>();
+  return (res.results || []).map((row) => mapSendRow(row));
+}
+
+export async function getSendsPage(db: D1Database, userId: string, limit: number, offset: number): Promise<Send[]> {
+  const res = await db
+    .prepare(
+      'SELECT id, user_id, type, name, notes, data, key, password_hash, password_salt, password_iterations, auth_type, emails, max_access_count, access_count, disabled, hide_email, created_at, updated_at, expiration_date, deletion_date FROM sends WHERE user_id = ? ORDER BY updated_at DESC LIMIT ? OFFSET ?'
+    )
+    .bind(userId, limit, offset)
+    .all<any>();
+  return (res.results || []).map((row) => mapSendRow(row));
+}

src/services/storage-user-repo.ts

@@ -0,0 +1,135 @@
+import type { User } from '../types';
+
+type SafeBind = (stmt: D1PreparedStatement, ...values: any[]) => D1PreparedStatement;
+
+function mapUserRow(row: any): User {
+  return {
+    id: row.id,
+    email: row.email,
+    name: row.name,
+    masterPasswordHash: row.master_password_hash,
+    key: row.key,
+    privateKey: row.private_key,
+    publicKey: row.public_key,
+    kdfType: row.kdf_type,
+    kdfIterations: row.kdf_iterations,
+    kdfMemory: row.kdf_memory ?? undefined,
+    kdfParallelism: row.kdf_parallelism ?? undefined,
+    securityStamp: row.security_stamp,
+    role: row.role === 'admin' ? 'admin' : 'user',
+    status: row.status === 'banned' ? 'banned' : 'active',
+    totpSecret: row.totp_secret ?? null,
+    totpRecoveryCode: row.totp_recovery_code ?? null,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  };
+}
+
+export async function getUser(db: D1Database, email: string): Promise<User | null> {
+  const row = await db
+    .prepare(
+      'SELECT id, email, name, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, totp_secret, totp_recovery_code, created_at, updated_at FROM users WHERE email = ?'
+    )
+    .bind(email.toLowerCase())
+    .first<any>();
+  if (!row) return null;
+  return mapUserRow(row);
+}
+
+export async function getUserById(db: D1Database, id: string): Promise<User | null> {
+  const row = await db
+    .prepare(
+      'SELECT id, email, name, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, totp_secret, totp_recovery_code, created_at, updated_at FROM users WHERE id = ?'
+    )
+    .bind(id)
+    .first<any>();
+  if (!row) return null;
+  return mapUserRow(row);
+}
+
+export async function getUserCount(db: D1Database): Promise<number> {
+  const row = await db.prepare('SELECT COUNT(*) AS count FROM users').first<{ count: number }>();
+  return Number(row?.count || 0);
+}
+
+export async function getAllUsers(db: D1Database): Promise<User[]> {
+  const res = await db
+    .prepare(
+      'SELECT id, email, name, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, totp_secret, totp_recovery_code, created_at, updated_at FROM users ORDER BY created_at ASC'
+    )
+    .all<any>();
+  return (res.results || []).map((row) => mapUserRow(row));
+}
+
+export async function saveUser(db: D1Database, safeBind: SafeBind, user: User): Promise<void> {
+  const email = user.email.toLowerCase();
+  const stmt = db.prepare(
+    'INSERT INTO users(id, email, name, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, totp_secret, totp_recovery_code, created_at, updated_at) ' +
+    'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
+    'ON CONFLICT(id) DO UPDATE SET ' +
+    'email=excluded.email, name=excluded.name, master_password_hash=excluded.master_password_hash, key=excluded.key, private_key=excluded.private_key, public_key=excluded.public_key, ' +
+    'kdf_type=excluded.kdf_type, kdf_iterations=excluded.kdf_iterations, kdf_memory=excluded.kdf_memory, kdf_parallelism=excluded.kdf_parallelism, security_stamp=excluded.security_stamp, role=excluded.role, status=excluded.status, totp_secret=excluded.totp_secret, totp_recovery_code=excluded.totp_recovery_code, updated_at=excluded.updated_at'
+  );
+  await safeBind(
+    stmt,
+    user.id,
+    email,
+    user.name,
+    user.masterPasswordHash,
+    user.key,
+    user.privateKey,
+    user.publicKey,
+    user.kdfType,
+    user.kdfIterations,
+    user.kdfMemory,
+    user.kdfParallelism,
+    user.securityStamp,
+    user.role,
+    user.status,
+    user.totpSecret,
+    user.totpRecoveryCode,
+    user.createdAt,
+    user.updatedAt
+  ).run();
+}
+
+export async function createUser(db: D1Database, safeBind: SafeBind, user: User): Promise<void> {
+  await saveUser(db, safeBind, user);
+}
+
+export async function createFirstUser(db: D1Database, safeBind: SafeBind, user: User): Promise<boolean> {
+  const email = user.email.toLowerCase();
+  const stmt = db.prepare(
+    'INSERT INTO users(id, email, name, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, totp_secret, totp_recovery_code, created_at, updated_at) ' +
+    'SELECT ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ' +
+    'WHERE NOT EXISTS (SELECT 1 FROM users LIMIT 1)'
+  );
+  const result = await safeBind(
+    stmt,
+    user.id,
+    email,
+    user.name,
+    user.masterPasswordHash,
+    user.key,
+    user.privateKey,
+    user.publicKey,
+    user.kdfType,
+    user.kdfIterations,
+    user.kdfMemory,
+    user.kdfParallelism,
+    user.securityStamp,
+    user.role,
+    user.status,
+    user.totpSecret,
+    user.totpRecoveryCode,
+    user.createdAt,
+    user.updatedAt
+  ).run();
+
+  return (result.meta.changes ?? 0) > 0;
+}
+
+export async function deleteUserById(db: D1Database, id: string): Promise<boolean> {
+  const result = await db.prepare('DELETE FROM users WHERE id = ?').bind(id).run();
+  return (result.meta.changes ?? 0) > 0;
+}