Activate a user by wrapping the data key with their KEK

Add a new event link for an existing attendee with atomic capacity check. Does NOT create a new attendee or touch PII — just inserts an event_attendees row.

Record a query (no-op when logging is disabled)

Assign events to a group by updating their group_id.

Build an INSERT statement for the attendees table from encrypted fields.

Build a capacity-checked INSERT into event_attendees.

Build input key mapping from DB columns snake_case DB column → camelCase input key

Build a PII blob JSON from contact fields

Wrapper for test mocking - delegates to attendeesApi at runtime

Check a capacity-guarded write result and invalidate cache on success

Clear login attempts for an IP (on successful login)

Clear stored ticket tokens for a session (after redirect has consumed them)

Compute slug index from slug for blind index lookup

Compute slug index from slug for blind index lookup

Extract ContactInfo fields from an object

Wrapper for test mocking - delegates to attendeesApi at runtime

Create an invited user (no password yet, has invite code)

Create a new session with CSRF token, wrapped data key, and user ID Token is hashed before storage for security

Create a new user with encrypted fields

Convert nullable date to start_at/end_at (null-safe wrapper around dateToRange)

Decrypt a user's admin level

Decrypt attendee fields from the PII blob. Requires migration to be complete (admin is gated behind migration). When paidEvent is false, payment_id and refunded are skipped.

Decrypt a single raw attendee, handling null input. Used when attendee is fetched via batch query.

Decrypt a list of raw attendees (all fields). Used when attendees are fetched via batch query.

Decrypt a PII blob and extract all contact fields

Decrypt the ticket_tokens field from a processed payment record. Returns the plaintext token string (e.g. "tok1+tok2") or empty string.

Decrypt a user's username

Helper for tables whose primary key column is id.

Define a table with CRUD operations

Delete all sessions (used when password is changed)

Delete all stale reservations (unfinalized and older than STALE_RESERVATION_MS). Called from admin event views to clean up abandoned checkouts.

Delete an attendee and all its event links, payments, and answers.

Delete rows matching a field value

Delete rows from multiple tables in a single batch transaction

Delete an event and all its attendees in a single database round-trip. Uses write batch to cascade: processed_payments → attendees → event. Reduces 3 sequential HTTP round-trips to 1.

Delete all sessions except the current one Token is hashed before database comparison

Delete a session by token Token is hashed before database lookup

Delete a stale reservation to allow retry

Delete a user and all their sessions and API keys

Enable query logging and clear previous entries

Encrypt attendee fields into a PII blob, returning null if key not configured

Shared encrypted name column for tables that store a display name.

Encrypt a PII blob JSON string with the public key

Execute multiple write statements, discarding results.

Finalize a reserved session with the created attendee ID (second phase)

Get active events in a group with attendee counts.

Get aggregated statistics for active events. Filters active events from the provided list, computes attendees (sum of quantities) from cached EventWithCount data, and queries ticket count and income (sum of price_paid) via a single aggregate.

Get active holidays (end_date >= today) for date computation (from cache). "today" is computed in the configured timezone.

Get all activity log entries (most recent first)

Get all daily events with attendee counts (from cache).

Get all events with attendee counts (from cache)

Get all groups, decrypted, ordered by id (from cache)

Get all holidays, decrypted, ordered by start_date (from cache)

Get all sessions ordered by expiration (newest first)

Get all standard events with attendee counts (from cache). Used by the calendar view to include one-time events on their scheduled date.

Get all users (for admin user management page, from cache)

Get an attendee by ID (decrypted) Requires private key for decryption - only available to authenticated sessions

Get an attendee by ID without decrypting PII Used for payment callbacks and webhooks where decryption is not needed Returns the attendee with encrypted fields (id, event_id, quantity are plaintext)

Get raw attendees for a set of event IDs. Used by the calendar to load attendees for standard events whose decrypted date matches the selected calendar date.

Look up attendees by plaintext tokens, returning full booking data. Two queries: attendees by token index, then all event_attendees for those attendees. Returns results in the same order as input tokens (deduped). Bookings sorted by start_at then event_id for deterministic ordering.

Get attendees for an event without decrypting PII Used for tests and operations that don't need decrypted data

Get distinct attendee dates for daily events. Used for the calendar date picker (lightweight, no attendee data).

Get raw attendees for daily events on a specific date. Bounded query: only returns attendees matching the given date.

Get the total attendee quantity for a specific event + date

Get or create database client

Get a single event by ID (from cache)

Get activity log entries for an event (most recent first)

Get all events in a group with attendee counts (including inactive).

Get multiple events by slugs (from cache). Returns events in the same order as the input slugs. Missing or inactive events are returned as null.

Get event and its activity log in a single database round-trip. Uses batch API to reduce latency for remote databases.

Get event and a single attendee in a single database round-trip. Used for attendee management pages where we need both the event context and the specific attendee data.

Get event and all attendees in a single database round-trip. Uses batch API to execute both queries together, reducing latency for remote databases like Turso from 2 RTTs to 1. Computes attendee_count from the attendees array.

Get event with attendee count (from cache)

Get event with attendee count by slug (from cache)

Get a single group by slug_index (from cache)

Per-event view of group remaining capacity. Daily events are dropped when date is null — their cap is per-date, so a cumulative count would misreport spots that other dates still have.

Per-group remaining capacity. Groups with max_attendees <= 0 (no cap) are omitted from the map. With date = null, daily-event attendees count cumulatively — correct for booking-time enforcement after upstream date validation, misleading for display.

Returns undefined when no group cap applies: ungrouped, uncapped group, or daily event without a date.

Get the newest attendees across all events without decrypting PII. Used for the admin dashboard to show recent registrations.

Get the attendee ID for an already-processed session Used to return success for idempotent webhook retries

Return a snapshot of all logged queries

Return the start time recorded by enableQueryLog()

Get a session by token (with 10s TTL cache) Token is hashed for database lookup

Get ungrouped events (group_id = 0) with attendee counts.

Get a user by ID (from cache)

Find a user by invite code hash Scans all users, decrypts invite_code_hash, and compares

Look up a user by username (using blind index, from cache)

Wrapper for test mocking - delegates to attendeesApi at runtime

Hash an invite code using SHA-256

Check if a user has set their password (password_hash is non-empty encrypted value)

Shared columns for tables with encrypted slug + blind-index slug_index.

Increment the attachment download counter for an attendee. Uses atomic SQL increment to avoid race conditions.

Initialize database tables — idempotent, safe to call on every startup. Uses an advisory lock to prevent concurrent migrations.

Build SQL placeholders for an IN clause, e.g. "?, ?, ?"

Build an INSERT statement from a table name and column→value record.

Invalidate the events cache (for testing or after writes).

Invalidate the groups cache (for testing or after writes).

Invalidate the holidays cache (for testing or after writes).

Invalidate the users cache (for testing or after writes).

Check if a group slug is already in use. Checks both events and groups for cross-table uniqueness.

Check if a user's invite has expired. Callers should skip this for users who have already set a password.

Check if a user's invite is still valid (not expired, has invite code)

Check if IP is rate limited for login

Whether query logging is currently active

Check if a reservation is stale (abandoned by a crashed process)

Check if a payment session has already been processed

Check if a slug is already in use (optionally excluding a specific event ID) Uses slug_index for lookup (blind index)

Check if a username is already taken

Log an activity

Mark an attendee as refunded for a specific event. Keeps payment_id intact so payment details can still be viewed.

Parse a PII blob JSON back into contact fields (defaults v to 1 for pre-versioned blobs)

Query all rows, returning a typed array

Execute a SQL query and map result rows through an async transformer.

Query single row, returning null if not found

Embed a raw SQL expression (e.g. last_insert_rowid())

Record a failed login attempt Returns true if the account is now locked

Register a cache stat provider (called at module load time)

Reserve a payment session for processing (first phase of two-phase lock) Inserts with NULL attendee_id to claim the session. Returns { reserved: true } if we claimed it, or { reserved: false, existing } if already claimed.

Reset the database by dropping all tables (reverse order for FK safety)

Reset group assignment on all events in a group.

Clear session cache (exported for testing)

Cast libsql ResultSet rows to a typed array (single centralized assertion)

Set database client (for testing)

Set the active flag on every event in a group. Returns the number of events affected.

Set a user's password (for invite flow)

Convert snake_case to camelCase

Convert camelCase to snake_case

Run an async DB operation and log it when tracking is active

Remove a single event link for an attendee. If the attendee has no remaining event links, deletes the attendee entirely. Returns whether the attendee was fully deleted.

Update an attendee's PII (name, email, phone, etc.) — shared across all event links. Caller must be authenticated admin (public key always exists after setup).

Update an attendee's checked_in status for a specific event. Caller must be authenticated admin (public key always exists after setup)

Update a single event link's quantity and date with atomic capacity check. Excludes this attendee's current row from the capacity calculation.

Validate that an event type is compatible with a group's existing events. Returns an error message if mismatched, null if OK. Pass excludeEventId to skip a specific event (for edit-self case).

Verify a user's password (decrypt stored hash, then verify) Returns the decrypted password hash if valid (needed for KEK derivation)

Wrap a table so that insert, update, and deleteById automatically call an invalidation callback (e.g. cache invalidation). Eliminates the repeated spread-and-override pattern in groups/holidays/events.

Encrypt closes_at for DB storage (null/empty → encrypted empty)

Encrypt event date for DB storage

Activity log entry

Table definition with CRUD operations

Aggregated statistics for active events

Activity log input for create

Input for creating an attendee atomically (one or more events)

An attendee with all their event bookings (for token resolution)

Item for batch availability check

Column definition for a table

Result of atomic attendee creation

Valid email template formats

Valid email template types

Row from event_attendees — per-event booking data

A single event booking within a multi-event attendee creation

Event input fields for create/update (camelCase)

Result type for event + activity log batch query

Result type for event + single attendee query

Result type for combined event + attendees query

Group input fields for create/update (camelCase)

Holiday input fields for create/update (camelCase)

Derive Input type from Row type and Schema

Processed payment record

A single logged query

Result of session reservation attempt

Full settings snapshot type.

Union of all string-setting snapshot keys.

Table schema definition Keys are DB column names (snake_case), values are column definitions

Input for updating attendee PII (shared across events)

Input for updating a single event link

Result of updating an event link

Activity log table definition message is encrypted - decrypted only for admin view

SELECT clause for attendee + event_attendees JOINs (INNER JOIN context). Derives date from start_at for backward compatibility with the Attendee type.

SELECT clause for LEFT JOIN context — COALESCEs nullable join columns so attendees with broken/missing event_attendees linkage still appear in results (with event_id=0 as an obvious corruption indicator).

Stubbable API for testing atomic operations

Shared failure result for capacity-exceeded

Helper to create column definitions

Default bookable days (all days of the week)

Execute multiple write statements and return their ResultSets. Statements run in order within a single transaction (Turso batch API). Ideal for cascading deletes and multi-step writes.

Groups table with CRUD operations — writes auto-invalidate the cache

Holidays table with CRUD operations — writes auto-invalidate the cache

Current PII blob schema version

Execute multiple read queries in a single round-trip using Turso batch API.

Ordered table names — matches FK dependency order (parents before children)

Threshold for abandoned payment reservations in ms (default: 300000 = 5 min)

Stubbable API for testing