chore: improve package data typings

- Implemented App Header with lifecycle and rendering scripts.
- Created Intro Section with rendering logic.
- Developed User Dashboard with profile, comments, and chat functionalities.
- Added Admin Panel for user and content management.
- Introduced Application Builder with schemas and workflows.
- Established Super God panel for tenant management.
- Updated metadata and tests for all new components and functionalities.
- Enhanced UI Pages Bundle to include dependencies for all levels.
- Improved permission checks and constants in the permissions package.

.claude/settings.local.json

@@ -0,0 +1,43 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git mv:*)",
+      "Bash(ls:*)",
+      "Bash(find:*)",
+      "Bash(npm run test:unit:*)",
+      "Bash(npm install:*)",
+      "Bash(xargs:*)",
+      "Bash(npm run db:generate:*)",
+      "Bash(npx prisma generate:*)",
+      "Bash(DATABASE_URL=\"file:./dev.db\" npx prisma generate:*)",
+      "Bash(git rm:*)",
+      "Bash(git log:*)",
+      "Bash(cat:*)",
+      "Bash(xargs git rm:*)",
+      "Bash(bun add:*)",
+      "Bash(bun install:*)",
+      "Bash(test -f:*)",
+      "Bash(bun run typecheck:*)",
+      "Bash(bun run test:unit:*)",
+      "Bash(echo:*)",
+      "Bash(npx prisma validate:*)",
+      "Bash(npm run typecheck:*)",
+      "Bash(npm run lint)",
+      "Bash(npm audit:*)",
+      "Bash(bun run lint)",
+      "Bash(git checkout:*)",
+      "Bash(bun audit:*)",
+      "Bash(git restore:*)",
+      "Bash(bunx playwright:*)",
+      "Bash(timeout 30 bun run build:*)",
+      "Bash(bun run lint:fix:*)",
+      "Bash(bun run format:*)",
+      "Bash(while read file)",
+      "Bash(do eslint:*)",
+      "Bash(done)",
+      "Bash(eslint:*)",
+      "Bash(bunx eslint:*)",
+      "Bash(bun test:*)"
+    ]
+  }
+}

.github/workflows/README.md

@@ -52,6 +52,19 @@ All workflows are designed to work seamlessly with **GitHub Copilot** to assist
 
 ### 🚦 Enterprise Gated Workflows (New)
 
+#### Issue and PR Triage (`triage.yml`) 🆕
+**Triggered on:** Issues (opened/edited/reopened) and Pull Requests (opened/reopened/synchronize/edited)
+
+**Purpose:** Quickly categorize inbound work so reviewers know what to look at first.
+
+- Auto-applies labels for type (bug/enhancement/docs/security/testing/performance) and area (frontend/backend/database/workflows/documentation)
+- Sets a default priority and highlights beginner-friendly issues
+- Flags missing information (repro steps, expected/actual results, versions) with a checklist comment
+- For PRs, labels areas touched, estimates risk based on change size and critical paths, and prompts for test plans/screenshots/linked issues
+- Mentions **@copilot** to sanity-check the triage with GitHub-native AI (no external Codex webhooks)
+
+This workflow runs alongside the existing PR management jobs to keep triage lightweight while preserving the richer checks in the gated pipelines.
+
 #### 1. Enterprise Gated CI/CD Pipeline (`gated-ci.yml`)
 **Triggered on:** Push to main/master/develop branches, Pull requests
 

.github/workflows/ci/cli.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install build dependencies
         run: |

.github/workflows/ci/cpp-build.yml

@@ -28,7 +28,7 @@ jobs:
       has_sources: ${{ steps.check.outputs.has_sources }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       
       - name: Check if C++ sources exist
         id: check
@@ -56,7 +56,7 @@ jobs:
     
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -128,7 +128,7 @@ jobs:
     
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -181,7 +181,7 @@ jobs:
     
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -232,7 +232,7 @@ jobs:
     
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -273,7 +273,7 @@ jobs:
     
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       
       - name: Setup Node.js
         uses: actions/setup-node@v4

.github/workflows/ci/detect-stubs.yml

@@ -24,7 +24,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/development.yml

@@ -22,7 +22,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -180,7 +180,7 @@ jobs:
       contains(github.event.comment.body, '@copilot')
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Parse Copilot request
         uses: actions/github-script@v7
@@ -272,7 +272,7 @@ jobs:
     if: github.event_name == 'pull_request' && !github.event.pull_request.draft
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/gated-ci-atomic.yml

@@ -60,7 +60,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -104,7 +104,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -153,7 +153,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -207,7 +207,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -260,7 +260,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -301,7 +301,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -342,7 +342,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -454,7 +454,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -519,7 +519,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -574,7 +574,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -696,7 +696,7 @@ jobs:
       build-success: ${{ steps.build-step.outcome }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -756,7 +756,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/gated-ci.yml

@@ -45,7 +45,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
@@ -79,7 +79,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
@@ -111,7 +111,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
@@ -143,7 +143,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -206,7 +206,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
@@ -248,7 +248,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
@@ -293,7 +293,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
@@ -371,7 +371,7 @@ jobs:
       build-success: ${{ steps.build-step.outcome }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
@@ -414,7 +414,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/gated-deployment.yml

@@ -48,7 +48,7 @@ jobs:
       deployment-environment: ${{ steps.determine-env.outputs.environment }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -147,7 +147,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -283,7 +283,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -400,7 +400,7 @@ jobs:
     if: always() && (needs.deploy-staging.result == 'success' || needs.deploy-production.result == 'success')
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Determine deployed environment
         id: env
@@ -452,66 +452,166 @@ jobs:
             console.log('Note: Set up actual monitoring alerts in your observability platform');
 
   # ============================================================================
-  # Rollback Procedure (Manual Trigger)
+  # Deployment Failure Handler - Prefer Roll Forward
   # ============================================================================
 
-  rollback-preparation:
-    name: Prepare Rollback (if needed)
+  deployment-failure-handler:
+    name: Handle Deployment Failure
     runs-on: ubuntu-latest
-    needs: [deploy-production]
-    if: failure()
+    needs: [pre-deployment-validation, deploy-production]
+    if: |
+      failure() && 
+      (needs.pre-deployment-validation.result == 'failure' || needs.deploy-production.result == 'failure')
     steps:
-      - name: Rollback instructions
+      - name: Determine failure stage
+        id: failure-stage
         run: |
-          echo "🔄 ROLLBACK PROCEDURE"
-          echo "===================="
-          echo ""
-          echo "Production deployment failed or encountered issues."
-          echo ""
-          echo "Immediate actions:"
-          echo "  1. Assess the severity of the failure"
-          echo "  2. Check application logs and error rates"
-          echo "  3. Determine if immediate rollback is needed"
-          echo ""
-          echo "To rollback:"
-          echo "  1. Re-run this workflow with previous stable commit"
-          echo "  2. Or use manual rollback procedure:"
-          echo "     - Revert database migrations"
-          echo "     - Deploy previous Docker image/build"
-          echo "     - Restore from pre-deployment backup"
-          echo ""
-          echo "Emergency contacts:"
-          echo "  - Check on-call rotation"
-          echo "  - Notify engineering leads"
-          echo "  - Update status page"
+          if [ "${{ needs.pre-deployment-validation.result }}" == "failure" ]; then
+            echo "stage=pre-deployment" >> $GITHUB_OUTPUT
+            echo "severity=low" >> $GITHUB_OUTPUT
+          else
+            echo "stage=production" >> $GITHUB_OUTPUT
+            echo "severity=high" >> $GITHUB_OUTPUT
+          fi
 
-      - name: Create rollback issue
+      - name: Display roll-forward guidance
+        run: |
+          echo "⚡ DEPLOYMENT FAILURE DETECTED"
+          echo "================================"
+          echo ""
+          echo "Failure Stage: ${{ steps.failure-stage.outputs.stage }}"
+          echo "Severity: ${{ steps.failure-stage.outputs.severity }}"
+          echo ""
+          echo "🎯 RECOMMENDED APPROACH: ROLL FORWARD"
+          echo "────────────────────────────────────────"
+          echo ""
+          echo "Rolling forward is preferred because it:"
+          echo "  ✅ Fixes the root cause permanently"
+          echo "  ✅ Maintains forward progress"
+          echo "  ✅ Builds team capability"
+          echo "  ✅ Prevents recurrence"
+          echo ""
+          echo "Steps to roll forward:"
+          echo "  1. Review failure logs (link below)"
+          echo "  2. Identify and fix the root cause"
+          echo "  3. Test the fix locally"
+          echo "  4. Push fix to trigger new deployment"
+          echo ""
+          echo "⚠️  ROLLBACK ONLY IF:"
+          echo "────────────────────────"
+          echo "  • Production is actively broken"
+          echo "  • Users are experiencing outages"
+          echo "  • Critical security vulnerability"
+          echo "  • Data integrity at risk"
+          echo ""
+          if [ "${{ steps.failure-stage.outputs.stage }}" == "pre-deployment" ]; then
+            echo "✅ GOOD NEWS: Failure occurred pre-deployment"
+            echo "   → Production is NOT affected"
+            echo "   → Safe to fix and retry"
+            echo "   → No rollback needed"
+          else
+            echo "🚨 Production deployment failed"
+            echo "   → Assess production impact immediately"
+            echo "   → Check monitoring dashboards"
+            echo "   → Verify user-facing functionality"
+          fi
+
+      - name: Create fix-forward issue
         uses: actions/github-script@v7
         with:
           script: |
+            const stage = '${{ steps.failure-stage.outputs.stage }}';
+            const severity = '${{ steps.failure-stage.outputs.severity }}';
+            const isProd = stage === 'production';
+            
+            const title = isProd 
+              ? '🚨 Production Deployment Failed - Fix Required'
+              : '⚠️ Pre-Deployment Validation Failed';
+            
+            const body = `## Deployment Failure - ${stage === 'production' ? 'Production' : 'Pre-Deployment'}
+            
+            **Time:** ${new Date().toISOString()}
+            **Commit:** ${context.sha.substring(0, 7)}
+            **Workflow Run:** [View Logs](${context.payload.repository.html_url}/actions/runs/${context.runId})
+            **Failure Stage:** ${stage}
+            **Severity:** ${severity}
+            
+            ${!isProd ? '✅ **Good News:** Production is NOT affected. The failure occurred during pre-deployment checks.\n' : '🚨 **Alert:** Production deployment failed. Assess impact immediately.\n'}
+            
+            ### 🎯 Recommended Action: Roll Forward (Fix and Re-deploy)
+            
+            Rolling forward is the preferred approach because it:
+            - ✅ Fixes the root cause permanently
+            - ✅ Maintains development momentum  
+            - ✅ Prevents the same issue from recurring
+            - ✅ Builds team problem-solving skills
+            
+            ### 📋 Fix-Forward Checklist
+            
+            - [ ] **Investigate:** Review [workflow logs](${context.payload.repository.html_url}/actions/runs/${context.runId})
+            - [ ] **Diagnose:** Identify root cause of failure
+            - [ ] **Fix:** Implement fix in a new branch/commit
+            - [ ] **Test:** Verify fix locally (run relevant tests/builds)
+            - [ ] **Deploy:** Push fix to trigger new deployment
+            - [ ] **Verify:** Monitor deployment and confirm success
+            - [ ] **Document:** Update this issue with resolution details
+            
+            ${isProd ? `
+            ### 🚨 Production Impact Assessment
+            
+            **Before proceeding, verify:**
+            - [ ] Check monitoring dashboards for errors/alerts
+            - [ ] Verify critical user flows are working
+            - [ ] Check application logs for issues
+            - [ ] Assess if immediate rollback is needed
+            
+            ` : ''}
+            
+            ### ⚠️ When to Rollback Instead
+            
+            **Only rollback if:**
+            - 🔴 Production is actively broken with user impact
+            - 🔴 Critical security vulnerability exposed
+            - 🔴 Data integrity at risk
+            - 🔴 Cannot fix forward within acceptable timeframe
+            
+            ${isProd ? `
+            ### 🔄 Rollback Procedure (if absolutely necessary)
+            
+            1. **Re-run workflow** with previous stable commit SHA
+            2. **OR use manual rollback:**
+               - Rollback specific migration: \`npx prisma migrate resolve --rolled-back MIGRATION_NAME --schema=prisma/schema.prisma\`
+               - Deploy previous Docker image/build
+               - Restore from pre-deployment backup if needed
+               - ⚠️ Avoid \`prisma migrate reset\` in production (causes data loss)
+            3. **Notify:** Update team and status page
+            4. **Document:** Create post-mortem issue
+            
+            See [Rollback Procedure](docs/deployment/rollback.md) for details.
+            ` : `
+            ### 💡 Common Pre-Deployment Failures
+            
+            - **Prisma Generate:** Check schema.prisma syntax and DATABASE_URL
+            - **Build Failure:** Review TypeScript errors or missing dependencies
+            - **Test Failure:** Fix failing tests or update test snapshots
+            - **Lint Errors:** Run \`npm run lint:fix\` locally
+            `}
+            
+            ### 📚 Resources
+            
+            - [Workflow Run Logs](${context.payload.repository.html_url}/actions/runs/${context.runId})
+            - [Commit Details](${context.payload.repository.html_url}/commit/${context.sha})
+            - [Deployment Documentation](docs/deployment/)
+            `;
+            
+            const labels = isProd
+              ? ['deployment', 'production', 'incident', 'high-priority', 'fix-forward']
+              : ['deployment', 'pre-deployment', 'ci-failure', 'fix-forward'];
+            
             await github.rest.issues.create({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              title: '🚨 Production Deployment Failed - Rollback Required',
-              body: `## Production Deployment Failure
-              
-              **Time:** ${new Date().toISOString()}
-              **Commit:** ${context.sha.substring(0, 7)}
-              **Workflow:** ${context.runId}
-              
-              ### Actions Required
-              - [ ] Assess impact and severity
-              - [ ] Determine rollback necessity
-              - [ ] Execute rollback procedure if needed
-              - [ ] Investigate root cause
-              - [ ] Document incident
-              
-              ### Rollback Options
-              1. Re-deploy previous stable version
-              2. Revert problematic commits
-              3. Restore from backup
-              
-              See [Rollback Procedure](docs/deployment/rollback.md) for details.
-              `,
-              labels: ['deployment', 'production', 'incident', 'high-priority']
+              title: title,
+              body: body,
+              labels: labels
             });

.github/workflows/issue-triage.yml

@@ -109,7 +109,7 @@ jobs:
       (github.event.action == 'labeled' && github.event.label.name == 'auto-fix')
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Analyze issue and suggest fix
         uses: actions/github-script@v7
@@ -147,7 +147,7 @@ jobs:
     if: github.event.action == 'labeled' && github.event.label.name == 'create-pr'
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@v4

.github/workflows/pr/auto-merge.yml

@@ -24,7 +24,7 @@ jobs:
       }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Check PR status and merge
         uses: actions/github-script@v7

.github/workflows/pr/code-review.yml

@@ -18,7 +18,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/pr/merge-conflict-check.yml

@@ -18,7 +18,7 @@ jobs:
     
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
       

.github/workflows/pr/pr-management.yml

@@ -16,7 +16,7 @@ jobs:
     if: github.event.action == 'opened' || github.event.action == 'synchronize'
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/quality/planning.yml

@@ -17,7 +17,7 @@ jobs:
       (github.event.label.name == 'enhancement' || github.event.label.name == 'feature-request')
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Review against architecture principles
         uses: actions/github-script@v7
@@ -100,7 +100,7 @@ jobs:
     if: github.event.action == 'labeled' && github.event.label.name == 'enhancement'
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Check PRD for similar features
         uses: actions/github-script@v7
@@ -150,7 +150,7 @@ jobs:
       github.event.label.name == 'ready-to-implement'
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Generate implementation suggestion
         uses: actions/github-script@v7

.github/workflows/quality/quality-metrics.yml

@@ -23,7 +23,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -98,7 +98,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -168,7 +168,7 @@ jobs:
       security-events: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -237,7 +237,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -307,7 +307,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -379,7 +379,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -443,7 +443,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -505,7 +505,7 @@ jobs:
         working-directory: frontends/nextjs
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -591,7 +591,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2

.github/workflows/quality/size-limits.yml

@@ -20,7 +20,7 @@ jobs:
         working-directory: frontends/nextjs
     
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2

.github/workflows/todo-to-issues.yml

@@ -0,0 +1,162 @@
+name: TODO to Issues Sync
+
+# This workflow can be triggered manually to convert TODO items to GitHub issues
+# or can be run on a schedule to keep issues in sync with TODO files
+
+on:
+  workflow_dispatch:
+    inputs:
+      mode:
+        description: 'Execution mode'
+        required: true
+        type: choice
+        options:
+          - dry-run
+          - export-json
+          - create-issues
+        default: 'dry-run'
+      
+      filter_priority:
+        description: 'Filter by priority (leave empty for all)'
+        required: false
+        type: choice
+        options:
+          - ''
+          - critical
+          - high
+          - medium
+          - low
+      
+      filter_label:
+        description: 'Filter by label (e.g., security, frontend)'
+        required: false
+        type: string
+      
+      exclude_checklist:
+        description: 'Exclude checklist items'
+        required: false
+        type: boolean
+        default: true
+      
+      limit:
+        description: 'Limit number of issues (0 for no limit)'
+        required: false
+        type: number
+        default: 0
+  
+  # Uncomment to run on a schedule (e.g., weekly)
+  # schedule:
+  #   - cron: '0 0 * * 0'  # Every Sunday at midnight
+
+jobs:
+  convert-todos:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      
+      - name: Install GitHub CLI
+        run: |
+          type -p curl >/dev/null || (sudo apt update && sudo apt install curl -y)
+          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+          && sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
+          && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+          && sudo apt update \
+          && sudo apt install gh -y
+      
+      - name: Authenticate GitHub CLI
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "$GH_TOKEN" | gh auth login --with-token
+          gh auth status
+      
+      - name: Build command arguments
+        id: args
+        run: |
+          ARGS=""
+          
+          # Add mode
+          if [ "${{ inputs.mode }}" = "dry-run" ]; then
+            ARGS="$ARGS --dry-run"
+          elif [ "${{ inputs.mode }}" = "export-json" ]; then
+            ARGS="$ARGS --output todos-export.json"
+          elif [ "${{ inputs.mode }}" = "create-issues" ]; then
+            ARGS="$ARGS --create"
+          fi
+          
+          # Add filters
+          if [ -n "${{ inputs.filter_priority }}" ]; then
+            ARGS="$ARGS --filter-priority ${{ inputs.filter_priority }}"
+          fi
+          
+          if [ -n "${{ inputs.filter_label }}" ]; then
+            ARGS="$ARGS --filter-label ${{ inputs.filter_label }}"
+          fi
+          
+          if [ "${{ inputs.exclude_checklist }}" = "true" ]; then
+            ARGS="$ARGS --exclude-checklist"
+          fi
+          
+          # Add limit if specified
+          if [ "${{ inputs.limit }}" != "0" ]; then
+            ARGS="$ARGS --limit ${{ inputs.limit }}"
+          fi
+          
+          echo "args=$ARGS" >> $GITHUB_OUTPUT
+          echo "Command arguments: $ARGS"
+      
+      - name: Run populate-kanban script
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          python3 tools/project-management/populate-kanban.py ${{ steps.args.outputs.args }}
+      
+      - name: Upload JSON export (if applicable)
+        if: inputs.mode == 'export-json'
+        uses: actions/upload-artifact@v4
+        with:
+          name: todos-export
+          path: todos-export.json
+          retention-days: 30
+      
+      - name: Create summary
+        if: always()
+        run: |
+          echo "## TODO to Issues Conversion" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Mode:** ${{ inputs.mode }}" >> $GITHUB_STEP_SUMMARY
+          
+          if [ -n "${{ inputs.filter_priority }}" ]; then
+            echo "**Priority Filter:** ${{ inputs.filter_priority }}" >> $GITHUB_STEP_SUMMARY
+          fi
+          
+          if [ -n "${{ inputs.filter_label }}" ]; then
+            echo "**Label Filter:** ${{ inputs.filter_label }}" >> $GITHUB_STEP_SUMMARY
+          fi
+          
+          if [ "${{ inputs.exclude_checklist }}" = "true" ]; then
+            echo "**Checklist Items:** Excluded" >> $GITHUB_STEP_SUMMARY
+          fi
+          
+          if [ "${{ inputs.limit }}" != "0" ]; then
+            echo "**Limit:** ${{ inputs.limit }} items" >> $GITHUB_STEP_SUMMARY
+          fi
+          
+          echo "" >> $GITHUB_STEP_SUMMARY
+          
+          if [ "${{ inputs.mode }}" = "export-json" ]; then
+            echo "✅ JSON export created successfully" >> $GITHUB_STEP_SUMMARY
+            echo "Download the artifact from the workflow run page" >> $GITHUB_STEP_SUMMARY
+          elif [ "${{ inputs.mode }}" = "create-issues" ]; then
+            echo "✅ GitHub issues created successfully" >> $GITHUB_STEP_SUMMARY
+            echo "View issues: https://github.com/${{ github.repository }}/issues" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "ℹ️ Dry run completed - no issues created" >> $GITHUB_STEP_SUMMARY
+          fi

.github/workflows/triage.yml

@@ -0,0 +1,198 @@
+name: Issue and PR Triage
+
+on:
+  issues:
+    types: [opened, edited, reopened]
+  pull_request:
+    types: [opened, reopened, synchronize, edited]
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
+jobs:
+  triage-issue:
+    name: Triage Issues
+    if: github.event_name == 'issues'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Categorize and label issue
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const issue = context.payload.issue;
+            const title = (issue.title || '').toLowerCase();
+            const body = (issue.body || '').toLowerCase();
+            const text = `${title}\n${body}`;
+
+            const labels = new Set();
+            const missing = [];
+
+            const typeMatchers = [
+              { regex: /bug|error|crash|broken|fail/, label: 'bug' },
+              { regex: /feature|enhancement|add|new|implement/, label: 'enhancement' },
+              { regex: /document|readme|docs|guide/, label: 'documentation' },
+              { regex: /test|testing|spec|e2e/, label: 'testing' },
+              { regex: /security|vulnerability|exploit|xss|sql/, label: 'security' },
+              { regex: /performance|slow|optimize|speed/, label: 'performance' },
+            ];
+
+            for (const match of typeMatchers) {
+              if (text.match(match.regex)) {
+                labels.add(match.label);
+              }
+            }
+
+            const areaMatchers = [
+              { regex: /frontend|react|next|ui|component|browser/, label: 'area: frontend' },
+              { regex: /api|backend|service|server/, label: 'area: backend' },
+              { regex: /database|prisma|schema|sql/, label: 'area: database' },
+              { regex: /workflow|github actions|ci|pipeline/, label: 'area: workflows' },
+              { regex: /docs|readme|guide/, label: 'area: documentation' },
+            ];
+
+            for (const match of areaMatchers) {
+              if (text.match(match.regex)) {
+                labels.add(match.label);
+              }
+            }
+
+            if (text.match(/critical|urgent|asap|blocker/)) {
+              labels.add('priority: high');
+            } else if (text.match(/minor|low|nice to have/)) {
+              labels.add('priority: low');
+            } else {
+              labels.add('priority: medium');
+            }
+
+            if (text.match(/beginner|easy|simple|starter/) || labels.size <= 2) {
+              labels.add('good first issue');
+            }
+
+            const reproductionHints = ['steps to reproduce', 'expected', 'actual'];
+            for (const hint of reproductionHints) {
+              if (!body.includes(hint)) {
+                missing.push(hint);
+              }
+            }
+
+            const supportInfo = body.includes('version') || body.match(/v\d+\.\d+/);
+            if (!supportInfo) {
+              missing.push('version information');
+            }
+
+            if (labels.size > 0) {
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issue.number,
+                labels: Array.from(labels),
+              }).catch(e => console.log('Some labels may not exist:', e.message));
+            }
+
+            const checklist = missing.map(item => `- [ ] Add ${item}`).join('\n') || '- [x] Description includes key details.';
+            const summary = Array.from(labels).map(l => `- ${l}`).join('\n') || '- No labels inferred yet.';
+
+            const comment = [
+              '👋 Thanks for reporting an issue! I ran a quick triage:',
+              '',
+              '**Proposed labels:**',
+              summary,
+              '',
+              '**Missing details:**',
+              checklist,
+              '',
+              'Adding the missing details will help reviewers respond faster. If the proposed labels look wrong, feel free to update them.',
+              '',
+              '@copilot Please review this triage and refine labels or request any additional context needed—no Codex webhooks involved.'
+            ].join('\n');
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issue.number,
+              body: comment,
+            });
+
+  triage-pr:
+    name: Triage Pull Requests
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Analyze PR files and label
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+            const { data: files } = await github.rest.pulls.listFiles({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: pr.number,
+            });
+
+            const labels = new Set();
+
+            const fileFlags = {
+              workflows: files.some(f => f.filename.includes('.github/workflows')),
+              docs: files.some(f => f.filename.match(/\.(md|mdx)$/) || f.filename.startsWith('docs/')),
+              frontend: files.some(f => f.filename.includes('frontends/nextjs')),
+              db: files.some(f => f.filename.includes('prisma/') || f.filename.includes('dbal/')),
+              tests: files.some(f => f.filename.match(/(test|spec)\.[jt]sx?/)),
+            };
+
+            if (fileFlags.workflows) labels.add('area: workflows');
+            if (fileFlags.docs) labels.add('area: documentation');
+            if (fileFlags.frontend) labels.add('area: frontend');
+            if (fileFlags.db) labels.add('area: database');
+            if (fileFlags.tests) labels.add('tests');
+
+            const totalChanges = files.reduce((sum, f) => sum + f.additions + f.deletions, 0);
+            const highRiskPaths = files.filter(f => f.filename.includes('.github/workflows') || f.filename.includes('prisma/'));
+
+            let riskLabel = 'risk: low';
+            if (highRiskPaths.length > 0 || totalChanges >= 400) {
+              riskLabel = 'risk: high';
+            } else if (totalChanges >= 150) {
+              riskLabel = 'risk: medium';
+            }
+            labels.add(riskLabel);
+
+            const missing = [];
+            const body = (pr.body || '').toLowerCase();
+            if (!body.includes('test')) missing.push('Test plan');
+            if (fileFlags.frontend && !body.includes('screenshot')) missing.push('Screenshots for UI changes');
+            if (!body.match(/#\d+|https:\/\/github\.com/)) missing.push('Linked issue reference');
+
+            if (labels.size > 0) {
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pr.number,
+                labels: Array.from(labels),
+              }).catch(e => console.log('Some labels may not exist:', e.message));
+            }
+
+            const labelSummary = Array.from(labels).map(l => `- ${l}`).join('\n');
+            const missingList = missing.length ? missing.map(item => `- [ ] ${item}`).join('\n') : '- [x] Description includes required context.';
+
+            const comment = [
+              '🤖 **Automated PR triage**',
+              '',
+              '**Proposed labels:**',
+              labelSummary,
+              '',
+              '**Description check:**',
+              missingList,
+              '',
+              'If any labels look incorrect, feel free to adjust them. Closing the missing items will help reviewers move faster.',
+              '',
+              '@copilot Please double-check this triage (no Codex webhook) and add any extra labels or questions for the author.'
+            ].join('\n');
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr.number,
+              body: comment,
+            });

.gitignore

@@ -88,8 +88,14 @@ lint-output.txt
 stub-patterns.json
 complexity-report.json
 
+# TODO management
+todos-baseline.json
+todos-export.json
+todos*.json
+
 # Project-specific
 **/agent-eval-report*
 vite.config.ts.bak*
 .cache/
 dist-old/
+.vscode/claudesync.json

.vscode/settings.json

@@ -57,5 +57,7 @@
     "https://docs.github.com/*": true,
     "https://www.npmjs.com/*": true,
     "https://registry.npmjs.org/*": true
-}
+},
+"claudeCode.allowDangerouslySkipPermissions": true,
+"claudeCode.initialPermissionMode": "bypassPermissions"
 }

README.md

@@ -80,6 +80,29 @@ MetaBuilder is a **data-driven, multi-tenant platform** with these core features
 
 ## Refactor Plan
 
+### 🚀 Auto Code Extractor 3000™ - Automated File Splitting
+
+**NEW: One-command solution to split large files (>150 LOC) into modular structure!**
+
+We have 62 files exceeding 150 lines. The Auto Code Extractor 3000™ automatically extracts functions into individual files following the lambda-per-file pattern.
+
+#### Quick Commands
+
+```bash
+# Preview what will be extracted
+npm run extract:preview
+
+# Extract 5 files
+npm run extract:quick
+
+# Extract all high-priority files (automated)
+npm run extract:auto
+```
+
+**📖 [Quick Start Guide](./tools/refactoring/QUICK_START.md)** | **📚 [Full Documentation](./tools/refactoring/AUTO_CODE_EXTRACTOR_3000.md)**
+
+---
+
 ### Next.js to Lua Conversion TODO
 
 #### Table of Contents

dbal/development/src/adapters/acl-adapter.ts

@@ -1,258 +1,3 @@
-/**
- * @file acl-adapter.ts
- * @description ACL adapter that wraps a base adapter with access control
- */
-
-import type { DBALAdapter, AdapterCapabilities } from './adapter'
-import type { ListOptions, ListResult } from '../core/foundation/types'
-import type { User, ACLRule } from './acl/types'
-import { resolvePermissionOperation } from './acl/resolve-permission-operation'
-import { checkPermission } from './acl/check-permission'
-import { checkRowLevelAccess } from './acl/check-row-level-access'
-import { logAudit } from './acl/audit-logger'
-import { defaultACLRules } from './acl/default-rules'
-
-export class ACLAdapter implements DBALAdapter {
-  private baseAdapter: DBALAdapter
-  private user: User
-  private rules: ACLRule[]
-  private auditLog: boolean
-
-  constructor(
-    baseAdapter: DBALAdapter,
-    user: User,
-    options?: {
-      rules?: ACLRule[]
-      auditLog?: boolean
-    }
-  ) {
-    this.baseAdapter = baseAdapter
-    this.user = user
-    this.rules = options?.rules || defaultACLRules
-    this.auditLog = options?.auditLog ?? true
-  }
-
-  private log(entity: string, operation: string, success: boolean, message?: string): void {
-    if (this.auditLog) {
-      logAudit(entity, operation, success, this.user, message)
-    }
-  }
-
-  async create(entity: string, data: Record<string, unknown>): Promise<unknown> {
-    const operation = 'create'
-    checkPermission(entity, operation, this.user, this.rules, this.log.bind(this))
-    
-    try {
-      const result = await this.baseAdapter.create(entity, data)
-      this.log(entity, operation, true)
-      return result
-    } catch (error) {
-      this.log(entity, operation, false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async read(entity: string, id: string): Promise<unknown | null> {
-    const operation = 'read'
-    checkPermission(entity, operation, this.user, this.rules, this.log.bind(this))
-    
-    try {
-      const result = await this.baseAdapter.read(entity, id)
-      if (result) {
-        checkRowLevelAccess(entity, operation, result as Record<string, unknown>, this.user, this.rules, this.log.bind(this))
-      }
-      this.log(entity, operation, true)
-      return result
-    } catch (error) {
-      this.log(entity, operation, false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async update(entity: string, id: string, data: Record<string, unknown>): Promise<unknown> {
-    const operation = 'update'
-    checkPermission(entity, operation, this.user, this.rules, this.log.bind(this))
-    
-    const existing = await this.baseAdapter.read(entity, id)
-    if (existing) {
-      checkRowLevelAccess(entity, operation, existing as Record<string, unknown>, this.user, this.rules, this.log.bind(this))
-    }
-    
-    try {
-      const result = await this.baseAdapter.update(entity, id, data)
-      this.log(entity, operation, true)
-      return result
-    } catch (error) {
-      this.log(entity, operation, false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async delete(entity: string, id: string): Promise<boolean> {
-    const operation = 'delete'
-    checkPermission(entity, operation, this.user, this.rules, this.log.bind(this))
-    
-    const existing = await this.baseAdapter.read(entity, id)
-    if (existing) {
-      checkRowLevelAccess(entity, operation, existing as Record<string, unknown>, this.user, this.rules, this.log.bind(this))
-    }
-    
-    try {
-      const result = await this.baseAdapter.delete(entity, id)
-      this.log(entity, operation, true)
-      return result
-    } catch (error) {
-      this.log(entity, operation, false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async list(entity: string, options?: ListOptions): Promise<ListResult<unknown>> {
-    const operation = 'list'
-    checkPermission(entity, operation, this.user, this.rules, this.log.bind(this))
-    
-    try {
-      const result = await this.baseAdapter.list(entity, options)
-      this.log(entity, operation, true)
-      return result
-    } catch (error) {
-      this.log(entity, operation, false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async findFirst(entity: string, filter?: Record<string, unknown>): Promise<unknown | null> {
-    const resolvedOperation = resolvePermissionOperation('findFirst')
-    checkPermission(entity, resolvedOperation, this.user, this.rules, this.log.bind(this))
-    
-    try {
-      const result = await this.baseAdapter.findFirst(entity, filter)
-      if (result) {
-        checkRowLevelAccess(entity, resolvedOperation, result as Record<string, unknown>, this.user, this.rules, this.log.bind(this))
-      }
-      this.log(entity, 'findFirst', true)
-      return result
-    } catch (error) {
-      this.log(entity, 'findFirst', false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async findByField(entity: string, field: string, value: unknown): Promise<unknown | null> {
-    const resolvedOperation = resolvePermissionOperation('findByField')
-    checkPermission(entity, resolvedOperation, this.user, this.rules, this.log.bind(this))
-    
-    try {
-      const result = await this.baseAdapter.findByField(entity, field, value)
-      if (result) {
-        checkRowLevelAccess(entity, resolvedOperation, result as Record<string, unknown>, this.user, this.rules, this.log.bind(this))
-      }
-      this.log(entity, 'findByField', true)
-      return result
-    } catch (error) {
-      this.log(entity, 'findByField', false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async upsert(
-    entity: string,
-    filter: Record<string, unknown>,
-    createData: Record<string, unknown>,
-    updateData: Record<string, unknown>
-  ): Promise<unknown> {
-    checkPermission(entity, 'create', this.user, this.rules, this.log.bind(this))
-    checkPermission(entity, 'update', this.user, this.rules, this.log.bind(this))
-    
-    try {
-      const result = await this.baseAdapter.upsert(entity, filter, createData, updateData)
-      this.log(entity, 'upsert', true)
-      return result
-    } catch (error) {
-      this.log(entity, 'upsert', false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async updateByField(entity: string, field: string, value: unknown, data: Record<string, unknown>): Promise<unknown> {
-    const resolvedOperation = resolvePermissionOperation('updateByField')
-    checkPermission(entity, resolvedOperation, this.user, this.rules, this.log.bind(this))
-    
-    try {
-      const result = await this.baseAdapter.updateByField(entity, field, value, data)
-      this.log(entity, 'updateByField', true)
-      return result
-    } catch (error) {
-      this.log(entity, 'updateByField', false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async deleteByField(entity: string, field: string, value: unknown): Promise<boolean> {
-    const resolvedOperation = resolvePermissionOperation('deleteByField')
-    checkPermission(entity, resolvedOperation, this.user, this.rules, this.log.bind(this))
-    
-    try {
-      const result = await this.baseAdapter.deleteByField(entity, field, value)
-      this.log(entity, 'deleteByField', true)
-      return result
-    } catch (error) {
-      this.log(entity, 'deleteByField', false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async createMany(entity: string, data: Record<string, unknown>[]): Promise<number> {
-    const resolvedOperation = resolvePermissionOperation('createMany')
-    checkPermission(entity, resolvedOperation, this.user, this.rules, this.log.bind(this))
-    
-    try {
-      const result = await this.baseAdapter.createMany(entity, data)
-      this.log(entity, 'createMany', true)
-      return result
-    } catch (error) {
-      this.log(entity, 'createMany', false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async updateMany(entity: string, filter: Record<string, unknown>, data: Record<string, unknown>): Promise<number> {
-    const resolvedOperation = resolvePermissionOperation('updateMany')
-    checkPermission(entity, resolvedOperation, this.user, this.rules, this.log.bind(this))
-    
-    try {
-      const result = await this.baseAdapter.updateMany(entity, filter, data)
-      this.log(entity, 'updateMany', true)
-      return result
-    } catch (error) {
-      this.log(entity, 'updateMany', false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async deleteMany(entity: string, filter?: Record<string, unknown>): Promise<number> {
-    const resolvedOperation = resolvePermissionOperation('deleteMany')
-    checkPermission(entity, resolvedOperation, this.user, this.rules, this.log.bind(this))
-    
-    try {
-      const result = await this.baseAdapter.deleteMany(entity, filter)
-      this.log(entity, 'deleteMany', true)
-      return result
-    } catch (error) {
-      this.log(entity, 'deleteMany', false, (error as Error).message)
-      throw error
-    }
-  }
-
-  async getCapabilities(): Promise<AdapterCapabilities> {
-    return this.baseAdapter.getCapabilities()
-  }
-
-  async close(): Promise<void> {
-    await this.baseAdapter.close()
-  }
-}
-
-// Re-export types for convenience
-export type { User, ACLRule } from './acl/types'
+export { ACLAdapter } from './acl-adapter'
+export type { ACLAdapterOptions, ACLContext, ACLRule, User } from './acl-adapter/types'
 export { defaultACLRules } from './acl/default-rules'

dbal/development/src/adapters/acl-adapter/acl-adapter.ts

@@ -0,0 +1,86 @@
+import type { AdapterCapabilities, DBALAdapter } from '../adapter'
+import type { ListOptions, ListResult } from '../../core/foundation/types'
+import { createContext } from './context'
+import { createReadStrategy } from './read-strategy'
+import { createWriteStrategy } from './write-strategy'
+import type { ACLAdapterOptions, ACLContext, ACLRule, User } from './types'
+
+export class ACLAdapter implements DBALAdapter {
+  private readonly context: ACLContext
+  private readonly readStrategy: ReturnType<typeof createReadStrategy>
+  private readonly writeStrategy: ReturnType<typeof createWriteStrategy>
+
+  constructor(baseAdapter: DBALAdapter, user: User, options?: ACLAdapterOptions) {
+    this.context = createContext(baseAdapter, user, options)
+    this.readStrategy = createReadStrategy(this.context)
+    this.writeStrategy = createWriteStrategy(this.context)
+  }
+
+  async create(entity: string, data: Record<string, unknown>): Promise<unknown> {
+    return this.writeStrategy.create(entity, data)
+  }
+
+  async read(entity: string, id: string): Promise<unknown | null> {
+    return this.readStrategy.read(entity, id)
+  }
+
+  async update(entity: string, id: string, data: Record<string, unknown>): Promise<unknown> {
+    return this.writeStrategy.update(entity, id, data)
+  }
+
+  async delete(entity: string, id: string): Promise<boolean> {
+    return this.writeStrategy.delete(entity, id)
+  }
+
+  async list(entity: string, options?: ListOptions): Promise<ListResult<unknown>> {
+    return this.readStrategy.list(entity, options)
+  }
+
+  async findFirst(entity: string, filter?: Record<string, unknown>): Promise<unknown | null> {
+    return this.readStrategy.findFirst(entity, filter)
+  }
+
+  async findByField(entity: string, field: string, value: unknown): Promise<unknown | null> {
+    return this.readStrategy.findByField(entity, field, value)
+  }
+
+  async upsert(
+    entity: string,
+    filter: Record<string, unknown>,
+    createData: Record<string, unknown>,
+    updateData: Record<string, unknown>,
+  ): Promise<unknown> {
+    return this.writeStrategy.upsert(entity, filter, createData, updateData)
+  }
+
+  async updateByField(entity: string, field: string, value: unknown, data: Record<string, unknown>): Promise<unknown> {
+    return this.writeStrategy.updateByField(entity, field, value, data)
+  }
+
+  async deleteByField(entity: string, field: string, value: unknown): Promise<boolean> {
+    return this.writeStrategy.deleteByField(entity, field, value)
+  }
+
+  async createMany(entity: string, data: Record<string, unknown>[]): Promise<number> {
+    return this.writeStrategy.createMany(entity, data)
+  }
+
+  async updateMany(entity: string, filter: Record<string, unknown>, data: Record<string, unknown>): Promise<number> {
+    return this.writeStrategy.updateMany(entity, filter, data)
+  }
+
+  async deleteMany(entity: string, filter?: Record<string, unknown>): Promise<number> {
+    return this.writeStrategy.deleteMany(entity, filter)
+  }
+
+  async getCapabilities(): Promise<AdapterCapabilities> {
+    return this.context.baseAdapter.getCapabilities()
+  }
+
+  async close(): Promise<void> {
+    await this.context.baseAdapter.close()
+  }
+}
+
+export type { ACLAdapterOptions, ACLContext, ACLRule, User }
+export { defaultACLRules } from '../acl/default-rules'

dbal/development/src/adapters/acl-adapter/bulk.ts

@@ -0,0 +1,67 @@
+import type { ACLContext } from './context'
+import { enforceRowAccess, resolveOperation, withAudit } from './guards'
+
+export const findFirst = (context: ACLContext) => async (entity: string, filter?: Record<string, unknown>) => {
+  const operation = resolveOperation('findFirst')
+  return withAudit(context, entity, operation, async () => {
+    const result = await context.baseAdapter.findFirst(entity, filter)
+    if (result) {
+      enforceRowAccess(context, entity, operation, result as Record<string, unknown>)
+    }
+    return result
+  })
+}
+
+export const findByField = (context: ACLContext) => async (entity: string, field: string, value: unknown) => {
+  const operation = resolveOperation('findByField')
+  return withAudit(context, entity, operation, async () => {
+    const result = await context.baseAdapter.findByField(entity, field, value)
+    if (result) {
+      enforceRowAccess(context, entity, operation, result as Record<string, unknown>)
+    }
+    return result
+  })
+}
+
+export const upsert = (context: ACLContext) => async (
+  entity: string,
+  filter: Record<string, unknown>,
+  createData: Record<string, unknown>,
+  updateData: Record<string, unknown>,
+) => {
+  return withAudit(context, entity, 'upsert', () => context.baseAdapter.upsert(entity, filter, createData, updateData))
+}
+
+export const updateByField = (context: ACLContext) => async (
+  entity: string,
+  field: string,
+  value: unknown,
+  data: Record<string, unknown>,
+) => {
+  const operation = resolveOperation('updateByField')
+  return withAudit(context, entity, operation, () => context.baseAdapter.updateByField(entity, field, value, data))
+}
+
+export const deleteByField = (context: ACLContext) => async (entity: string, field: string, value: unknown) => {
+  const operation = resolveOperation('deleteByField')
+  return withAudit(context, entity, operation, () => context.baseAdapter.deleteByField(entity, field, value))
+}
+
+export const createMany = (context: ACLContext) => async (entity: string, data: Record<string, unknown>[]) => {
+  const operation = resolveOperation('createMany')
+  return withAudit(context, entity, operation, () => context.baseAdapter.createMany(entity, data))
+}
+
+export const updateMany = (context: ACLContext) => async (
+  entity: string,
+  filter: Record<string, unknown>,
+  data: Record<string, unknown>,
+) => {
+  const operation = resolveOperation('updateMany')
+  return withAudit(context, entity, operation, () => context.baseAdapter.updateMany(entity, filter, data))
+}
+
+export const deleteMany = (context: ACLContext) => async (entity: string, filter?: Record<string, unknown>) => {
+  const operation = resolveOperation('deleteMany')
+  return withAudit(context, entity, operation, () => context.baseAdapter.deleteMany(entity, filter))
+}

dbal/development/src/adapters/acl-adapter/context.ts

@@ -0,0 +1,26 @@
+import type { DBALAdapter } from '../adapter'
+import type { ACLAdapterOptions, ACLContext, ACLRule, User } from './types'
+import { logAudit } from '../acl/audit-logger'
+import { defaultACLRules } from '../acl/default-rules'
+
+export const createContext = (
+  baseAdapter: DBALAdapter,
+  user: User,
+  options?: ACLAdapterOptions,
+): ACLContext => {
+  const auditLog = options?.auditLog ?? true
+  const rules = options?.rules || defaultACLRules
+  const logger = (entity: string, operation: string, success: boolean, message?: string) => {
+    if (auditLog) {
+      logAudit(entity, operation, success, user, message)
+    }
+  }
+
+  return {
+    baseAdapter,
+    user,
+    rules,
+    auditLog,
+    logger,
+  }
+}

dbal/development/src/adapters/acl-adapter/crud.ts

@@ -0,0 +1,41 @@
+import type { ListOptions, ListResult } from '../../core/foundation/types'
+import type { ACLContext } from './context'
+import { enforceRowAccess, withAudit } from './guards'
+
+export const createEntity = (context: ACLContext) => async (entity: string, data: Record<string, unknown>) => {
+  return withAudit(context, entity, 'create', () => context.baseAdapter.create(entity, data))
+}
+
+export const readEntity = (context: ACLContext) => async (entity: string, id: string) => {
+  return withAudit(context, entity, 'read', async () => {
+    const result = await context.baseAdapter.read(entity, id)
+    if (result) {
+      enforceRowAccess(context, entity, 'read', result as Record<string, unknown>)
+    }
+    return result
+  })
+}
+
+export const updateEntity = (context: ACLContext) => async (entity: string, id: string, data: Record<string, unknown>) => {
+  return withAudit(context, entity, 'update', async () => {
+    const existing = await context.baseAdapter.read(entity, id)
+    if (existing) {
+      enforceRowAccess(context, entity, 'update', existing as Record<string, unknown>)
+    }
+    return context.baseAdapter.update(entity, id, data)
+  })
+}
+
+export const deleteEntity = (context: ACLContext) => async (entity: string, id: string) => {
+  return withAudit(context, entity, 'delete', async () => {
+    const existing = await context.baseAdapter.read(entity, id)
+    if (existing) {
+      enforceRowAccess(context, entity, 'delete', existing as Record<string, unknown>)
+    }
+    return context.baseAdapter.delete(entity, id)
+  })
+}
+
+export const listEntities = (context: ACLContext) => async (entity: string, options?: ListOptions): Promise<ListResult<unknown>> => {
+  return withAudit(context, entity, 'list', () => context.baseAdapter.list(entity, options))
+}

dbal/development/src/adapters/acl-adapter/guards.ts

@@ -0,0 +1,37 @@
+import { checkPermission } from '../acl/check-permission'
+import { checkRowLevelAccess } from '../acl/check-row-level-access'
+import { resolvePermissionOperation } from '../acl/resolve-permission-operation'
+import type { ACLContext } from './types'
+
+export const enforcePermission = (context: ACLContext, entity: string, operation: string) => {
+  checkPermission(entity, operation, context.user, context.rules, context.logger)
+}
+
+export const enforceRowAccess = (
+  context: ACLContext,
+  entity: string,
+  operation: string,
+  record: Record<string, unknown>,
+) => {
+  checkRowLevelAccess(entity, operation, record, context.user, context.rules, context.logger)
+}
+
+export const withAudit = async <T>(
+  context: ACLContext,
+  entity: string,
+  operation: string,
+  action: () => Promise<T>,
+) => {
+  enforcePermission(context, entity, operation)
+
+  try {
+    const result = await action()
+    context.logger(entity, operation, true)
+    return result
+  } catch (error) {
+    context.logger(entity, operation, false, (error as Error).message)
+    throw error
+  }
+}
+
+export const resolveOperation = resolvePermissionOperation

dbal/development/src/adapters/acl-adapter/index.ts

@@ -0,0 +1,3 @@
+export { ACLAdapter } from './acl-adapter'
+export type { ACLAdapterOptions, ACLContext, ACLRule, User } from './types'
+export { defaultACLRules } from '../acl/default-rules'

dbal/development/src/adapters/acl-adapter/read-strategy.ts

@@ -0,0 +1,48 @@
+import type { ListOptions, ListResult } from '../../core/foundation/types'
+import { enforceRowAccess, resolveOperation, withAudit } from './guards'
+import type { ACLContext } from './types'
+
+export const createReadStrategy = (context: ACLContext) => {
+  const read = async (entity: string, id: string): Promise<unknown | null> => {
+    return withAudit(context, entity, 'read', async () => {
+      const result = await context.baseAdapter.read(entity, id)
+      if (result) {
+        enforceRowAccess(context, entity, 'read', result as Record<string, unknown>)
+      }
+      return result
+    })
+  }
+
+  const list = async (entity: string, options?: ListOptions): Promise<ListResult<unknown>> => {
+    return withAudit(context, entity, 'list', () => context.baseAdapter.list(entity, options))
+  }
+
+  const findFirst = async (entity: string, filter?: Record<string, unknown>): Promise<unknown | null> => {
+    const operation = resolveOperation('findFirst')
+    return withAudit(context, entity, operation, async () => {
+      const result = await context.baseAdapter.findFirst(entity, filter)
+      if (result) {
+        enforceRowAccess(context, entity, operation, result as Record<string, unknown>)
+      }
+      return result
+    })
+  }
+
+  const findByField = async (entity: string, field: string, value: unknown): Promise<unknown | null> => {
+    const operation = resolveOperation('findByField')
+    return withAudit(context, entity, operation, async () => {
+      const result = await context.baseAdapter.findByField(entity, field, value)
+      if (result) {
+        enforceRowAccess(context, entity, operation, result as Record<string, unknown>)
+      }
+      return result
+    })
+  }
+
+  return {
+    read,
+    list,
+    findFirst,
+    findByField,
+  }
+}

dbal/development/src/adapters/acl-adapter/types.ts

@@ -0,0 +1,27 @@
+import type { DBALAdapter } from '../adapter'
+
+export interface User {
+  id: string
+  username: string
+  role: 'user' | 'admin' | 'god' | 'supergod'
+}
+
+export interface ACLRule {
+  entity: string
+  roles: string[]
+  operations: string[]
+  rowLevelFilter?: (user: User, data: Record<string, unknown>) => boolean
+}
+
+export interface ACLAdapterOptions {
+  rules?: ACLRule[]
+  auditLog?: boolean
+}
+
+export interface ACLContext {
+  baseAdapter: DBALAdapter
+  user: User
+  rules: ACLRule[]
+  auditLog: boolean
+  logger: (entity: string, operation: string, success: boolean, message?: string) => void
+}

dbal/development/src/adapters/acl-adapter/write-strategy.ts

@@ -0,0 +1,83 @@
+import { enforceRowAccess, resolveOperation, withAudit } from './guards'
+import type { ACLContext } from './types'
+
+export const createWriteStrategy = (context: ACLContext) => {
+  const create = async (entity: string, data: Record<string, unknown>): Promise<unknown> => {
+    return withAudit(context, entity, 'create', () => context.baseAdapter.create(entity, data))
+  }
+
+  const update = async (entity: string, id: string, data: Record<string, unknown>): Promise<unknown> => {
+    return withAudit(context, entity, 'update', async () => {
+      const existing = await context.baseAdapter.read(entity, id)
+      if (existing) {
+        enforceRowAccess(context, entity, 'update', existing as Record<string, unknown>)
+      }
+      return context.baseAdapter.update(entity, id, data)
+    })
+  }
+
+  const remove = async (entity: string, id: string): Promise<boolean> => {
+    return withAudit(context, entity, 'delete', async () => {
+      const existing = await context.baseAdapter.read(entity, id)
+      if (existing) {
+        enforceRowAccess(context, entity, 'delete', existing as Record<string, unknown>)
+      }
+      return context.baseAdapter.delete(entity, id)
+    })
+  }
+
+  const upsert = async (
+    entity: string,
+    filter: Record<string, unknown>,
+    createData: Record<string, unknown>,
+    updateData: Record<string, unknown>,
+  ): Promise<unknown> => {
+    return withAudit(context, entity, 'upsert', () => context.baseAdapter.upsert(entity, filter, createData, updateData))
+  }
+
+  const updateByField = async (
+    entity: string,
+    field: string,
+    value: unknown,
+    data: Record<string, unknown>,
+  ): Promise<unknown> => {
+    const operation = resolveOperation('updateByField')
+    return withAudit(context, entity, operation, () => context.baseAdapter.updateByField(entity, field, value, data))
+  }
+
+  const deleteByField = async (entity: string, field: string, value: unknown): Promise<boolean> => {
+    const operation = resolveOperation('deleteByField')
+    return withAudit(context, entity, operation, () => context.baseAdapter.deleteByField(entity, field, value))
+  }
+
+  const createMany = async (entity: string, data: Record<string, unknown>[]): Promise<number> => {
+    const operation = resolveOperation('createMany')
+    return withAudit(context, entity, operation, () => context.baseAdapter.createMany(entity, data))
+  }
+
+  const updateMany = async (
+    entity: string,
+    filter: Record<string, unknown>,
+    data: Record<string, unknown>,
+  ): Promise<number> => {
+    const operation = resolveOperation('updateMany')
+    return withAudit(context, entity, operation, () => context.baseAdapter.updateMany(entity, filter, data))
+  }
+
+  const deleteMany = async (entity: string, filter?: Record<string, unknown>): Promise<number> => {
+    const operation = resolveOperation('deleteMany')
+    return withAudit(context, entity, operation, () => context.baseAdapter.deleteMany(entity, filter))
+  }
+
+  return {
+    create,
+    update,
+    delete: remove,
+    upsert,
+    updateByField,
+    deleteByField,
+    createMany,
+    updateMany,
+    deleteMany,
+  }
+}

dbal/development/src/adapters/acl/audit-logger.ts

@@ -3,7 +3,7 @@
  * @description Audit logging for ACL operations
  */
 
-import type { User } from './types'
+import type { User } from '../acl-adapter/types'
 
 /**
  * Log audit entry for ACL operation

dbal/development/src/adapters/acl/check-permission.ts

@@ -4,7 +4,7 @@
  */
 
 import { DBALError } from '../../core/foundation/errors'
-import type { User, ACLRule } from './types'
+import type { ACLRule, User } from '../acl-adapter/types'
 
 /**
  * Check if user has permission to perform operation on entity

dbal/development/src/adapters/acl/check-row-level-access.ts

@@ -4,7 +4,7 @@
  */
 
 import { DBALError } from '../../core/foundation/errors'
-import type { User, ACLRule } from './types'
+import type { ACLRule, User } from '../acl-adapter/types'
 
 /**
  * Check row-level access for specific data

dbal/development/src/adapters/acl/default-rules.ts

@@ -3,7 +3,7 @@
  * @description Default ACL rules for entities
  */
 
-import type { ACLRule } from './types'
+import type { ACLRule } from '../acl-adapter/types'
 
 export const defaultACLRules: ACLRule[] = [
   {

dbal/development/src/adapters/prisma-adapter.ts

@@ -1,350 +0,0 @@
-import { PrismaClient } from '@prisma/client'
-import type { DBALAdapter, AdapterCapabilities } from './adapter'
-import type { ListOptions, ListResult } from '../core/foundation/types'
-import { DBALError } from '../core/foundation/errors'
-
-type PrismaAdapterDialect = 'postgres' | 'mysql' | 'sqlite' | 'generic'
-
-export interface PrismaAdapterOptions {
-  queryTimeout?: number
-  dialect?: PrismaAdapterDialect
-}
-
-export class PrismaAdapter implements DBALAdapter {
-  private prisma: PrismaClient
-  private queryTimeout: number
-  private dialect: PrismaAdapterDialect
-
-  constructor(databaseUrl?: string, options?: PrismaAdapterOptions) {
-    const inferredDialect = options?.dialect ?? PrismaAdapter.inferDialectFromUrl(databaseUrl)
-    this.dialect = inferredDialect ?? 'generic'
-    this.prisma = new PrismaClient({
-      datasources: databaseUrl ? { db: { url: databaseUrl } } : undefined,
-    })
-    this.queryTimeout = options?.queryTimeout ?? 30000
-  }
-
-  async create(entity: string, data: Record<string, unknown>): Promise<unknown> {
-    try {
-      const model = this.getModel(entity)
-      const result = await this.withTimeout(
-        model.create({ data: data as never })
-      )
-      return result
-    } catch (error) {
-      throw this.handleError(error, 'create', entity)
-    }
-  }
-
-  async read(entity: string, id: string): Promise<unknown | null> {
-    try {
-      const model = this.getModel(entity)
-      const result = await this.withTimeout(
-        model.findUnique({ where: { id } as never })
-      )
-      return result
-    } catch (error) {
-      throw this.handleError(error, 'read', entity)
-    }
-  }
-
-  async update(entity: string, id: string, data: Record<string, unknown>): Promise<unknown> {
-    try {
-      const model = this.getModel(entity)
-      const result = await this.withTimeout(
-        model.update({ 
-          where: { id } as never,
-          data: data as never
-        })
-      )
-      return result
-    } catch (error) {
-      throw this.handleError(error, 'update', entity)
-    }
-  }
-
-  async delete(entity: string, id: string): Promise<boolean> {
-    try {
-      const model = this.getModel(entity)
-      await this.withTimeout(
-        model.delete({ where: { id } as never })
-      )
-      return true
-    } catch (error) {
-      if (this.isNotFoundError(error)) {
-        return false
-      }
-      throw this.handleError(error, 'delete', entity)
-    }
-  }
-
-  async list(entity: string, options?: ListOptions): Promise<ListResult<unknown>> {
-    try {
-      const model = this.getModel(entity)
-      const page = options?.page || 1
-      const limit = options?.limit || 50
-      const skip = (page - 1) * limit
-
-      const where = options?.filter ? this.buildWhereClause(options.filter) : undefined
-      const orderBy = options?.sort ? this.buildOrderBy(options.sort) : undefined
-
-      const [data, total] = await Promise.all([
-        this.withTimeout(
-          model.findMany({
-            where: where as never,
-            orderBy: orderBy as never,
-            skip,
-            take: limit,
-          })
-        ),
-        this.withTimeout(
-          model.count({ where: where as never })
-        )
-      ]) as [unknown[], number]
-
-      return {
-        data: data as unknown[],
-        total,
-        page,
-        limit,
-        hasMore: skip + limit < total,
-      }
-    } catch (error) {
-      throw this.handleError(error, 'list', entity)
-    }
-  }
-
-  async findFirst(entity: string, filter?: Record<string, unknown>): Promise<unknown | null> {
-    try {
-      const model = this.getModel(entity)
-      const where = filter ? this.buildWhereClause(filter) : undefined
-      const result = await this.withTimeout(
-        model.findFirst({ where: where as never })
-      )
-      return result
-    } catch (error) {
-      throw this.handleError(error, 'findFirst', entity)
-    }
-  }
-
-  async findByField(entity: string, field: string, value: unknown): Promise<unknown | null> {
-    try {
-      const model = this.getModel(entity)
-      const result = await this.withTimeout(
-        model.findUnique({ where: { [field]: value } as never })
-      )
-      return result
-    } catch (error) {
-      throw this.handleError(error, 'findByField', entity)
-    }
-  }
-
-  async upsert(
-    entity: string, 
-    uniqueField: string, 
-    uniqueValue: unknown, 
-    createData: Record<string, unknown>, 
-    updateData: Record<string, unknown>
-  ): Promise<unknown> {
-    try {
-      const model = this.getModel(entity)
-      const result = await this.withTimeout(
-        model.upsert({
-          where: { [uniqueField]: uniqueValue } as never,
-          create: createData as never,
-          update: updateData as never,
-        })
-      )
-      return result
-    } catch (error) {
-      throw this.handleError(error, 'upsert', entity)
-    }
-  }
-
-  async updateByField(entity: string, field: string, value: unknown, data: Record<string, unknown>): Promise<unknown> {
-    try {
-      const model = this.getModel(entity)
-      const result = await this.withTimeout(
-        model.update({
-          where: { [field]: value } as never,
-          data: data as never,
-        })
-      )
-      return result
-    } catch (error) {
-      throw this.handleError(error, 'updateByField', entity)
-    }
-  }
-
-  async deleteByField(entity: string, field: string, value: unknown): Promise<boolean> {
-    try {
-      const model = this.getModel(entity)
-      await this.withTimeout(
-        model.delete({ where: { [field]: value } as never })
-      )
-      return true
-    } catch (error) {
-      if (this.isNotFoundError(error)) {
-        return false
-      }
-      throw this.handleError(error, 'deleteByField', entity)
-    }
-  }
-
-  async deleteMany(entity: string, filter?: Record<string, unknown>): Promise<number> {
-    try {
-      const model = this.getModel(entity)
-      const where = filter ? this.buildWhereClause(filter) : undefined
-      const result: { count: number } = await this.withTimeout(
-        model.deleteMany({ where: where as never })
-      )
-      return result.count
-    } catch (error) {
-      throw this.handleError(error, 'deleteMany', entity)
-    }
-  }
-
-  async updateMany(entity: string, filter: Record<string, unknown>, data: Record<string, unknown>): Promise<number> {
-    try {
-      const model = this.getModel(entity)
-      const where = this.buildWhereClause(filter)
-      const result: { count: number } = await this.withTimeout(
-        model.updateMany({ where: where as never, data: data as never })
-      )
-      return result.count
-    } catch (error) {
-      throw this.handleError(error, 'updateMany', entity)
-    }
-  }
-
-  async createMany(entity: string, data: Record<string, unknown>[]): Promise<number> {
-    try {
-      const model = this.getModel(entity)
-      const result: { count: number } = await this.withTimeout(
-        model.createMany({ data: data as never })
-      )
-      return result.count
-    } catch (error) {
-      throw this.handleError(error, 'createMany', entity)
-    }
-  }
-
-  async getCapabilities(): Promise<AdapterCapabilities> {
-    return this.buildCapabilities()
-  }
-
-  async close(): Promise<void> {
-    await this.prisma.$disconnect()
-  }
-
-  private getModel(entity: string): any {
-    const modelName = entity.charAt(0).toLowerCase() + entity.slice(1)
-    const model = (this.prisma as any)[modelName]
-    
-    if (!model) {
-      throw DBALError.notFound(`Entity ${entity} not found`)
-    }
-    
-    return model
-  }
-
-  private buildWhereClause(filter: Record<string, unknown>): Record<string, unknown> {
-    const where: Record<string, unknown> = {}
-    
-    for (const [key, value] of Object.entries(filter)) {
-      if (value === null || value === undefined) {
-        where[key] = null
-      } else if (typeof value === 'object' && !Array.isArray(value)) {
-        where[key] = value
-      } else {
-        where[key] = value
-      }
-    }
-    
-    return where
-  }
-
-  private buildOrderBy(sort: Record<string, 'asc' | 'desc'>): Record<string, string> {
-    return sort
-  }
-
-  private async withTimeout<T>(promise: Promise<T>): Promise<T> {
-    return Promise.race([
-      promise,
-      new Promise<T>((_, reject) => 
-        setTimeout(() => reject(DBALError.timeout()), this.queryTimeout)
-      )
-    ])
-  }
-
-  private isNotFoundError(error: unknown): boolean {
-    return error instanceof Error && error.message.includes('not found')
-  }
-
-  private handleError(error: unknown, operation: string, entity: string): DBALError {
-    if (error instanceof DBALError) {
-      return error
-    }
-
-    if (error instanceof Error) {
-      if (error.message.includes('Unique constraint')) {
-        return DBALError.conflict(`${entity} already exists`)
-      }
-      if (error.message.includes('Foreign key constraint')) {
-        return DBALError.validationError('Related resource not found')
-      }
-      if (error.message.includes('not found')) {
-        return DBALError.notFound(`${entity} not found`)
-      }
-      return DBALError.internal(`Database error during ${operation}: ${error.message}`)
-    }
-
-    return DBALError.internal(`Unknown error during ${operation}`)
-  }
-
-  private buildCapabilities(): AdapterCapabilities {
-    const fullTextSearch = this.dialect === 'postgres' || this.dialect === 'mysql'
-
-    return {
-      transactions: true,
-      joins: true,
-      fullTextSearch,
-      ttl: false,
-      jsonQueries: true,
-      aggregations: true,
-      relations: true,
-    }
-  }
-
-  private static inferDialectFromUrl(url?: string): PrismaAdapterDialect | undefined {
-    if (!url) {
-      return undefined
-    }
-
-    if (url.startsWith('postgresql://') || url.startsWith('postgres://')) {
-      return 'postgres'
-    }
-
-    if (url.startsWith('mysql://')) {
-      return 'mysql'
-    }
-
-    if (url.startsWith('file:') || url.startsWith('sqlite://')) {
-      return 'sqlite'
-    }
-
-    return undefined
-  }
-}
-
-export class PostgresAdapter extends PrismaAdapter {
-  constructor(databaseUrl?: string, options?: PrismaAdapterOptions) {
-    super(databaseUrl, { ...options, dialect: 'postgres' })
-  }
-}
-
-export class MySQLAdapter extends PrismaAdapter {
-  constructor(databaseUrl?: string, options?: PrismaAdapterOptions) {
-    super(databaseUrl, { ...options, dialect: 'mysql' })
-  }
-}

dbal/development/src/adapters/prisma/context.ts

@@ -0,0 +1,38 @@
+import { PrismaClient } from '@prisma/client'
+import { PrismaAdapterDialect, type PrismaAdapterOptions, type PrismaContext } from './types'
+
+export function createPrismaContext(
+  databaseUrl?: string,
+  options?: PrismaAdapterOptions
+): PrismaContext {
+  const inferredDialect = options?.dialect ?? inferDialectFromUrl(databaseUrl)
+  const prisma = new PrismaClient({
+    datasources: databaseUrl ? { db: { url: databaseUrl } } : undefined,
+  })
+
+  return {
+    prisma,
+    queryTimeout: options?.queryTimeout ?? 30000,
+    dialect: inferredDialect ?? 'generic'
+  }
+}
+
+export function inferDialectFromUrl(url?: string): PrismaAdapterDialect | undefined {
+  if (!url) {
+    return undefined
+  }
+
+  if (url.startsWith('postgresql://') || url.startsWith('postgres://')) {
+    return 'postgres'
+  }
+
+  if (url.startsWith('mysql://')) {
+    return 'mysql'
+  }
+
+  if (url.startsWith('file:') || url.startsWith('sqlite://')) {
+    return 'sqlite'
+  }
+
+  return undefined
+}

dbal/development/src/adapters/prisma/index.ts

@@ -0,0 +1,121 @@
+import type { DBALAdapter } from '../adapter'
+import type { ListOptions, ListResult } from '../../core/foundation/types'
+import { createPrismaContext } from './context'
+import type { PrismaAdapterOptions, PrismaAdapterDialect, PrismaContext } from './types'
+import {
+  createRecord,
+  deleteRecord,
+  readRecord,
+  updateRecord
+} from './operations/crud'
+import {
+  createMany,
+  deleteByField,
+  deleteMany,
+  updateByField,
+  updateMany,
+  upsertRecord
+} from './operations/bulk'
+import {
+  findByField,
+  findFirstRecord,
+  listRecords
+} from './operations/query'
+import { buildCapabilities } from './operations/capabilities'
+
+export class PrismaAdapter implements DBALAdapter {
+  protected context: PrismaContext
+
+  constructor(databaseUrl?: string, options?: PrismaAdapterOptions) {
+    this.context = createPrismaContext(databaseUrl, options)
+  }
+
+  create(entity: string, data: Record<string, unknown>): Promise<unknown> {
+    return createRecord(this.context, entity, data)
+  }
+
+  read(entity: string, id: string): Promise<unknown | null> {
+    return readRecord(this.context, entity, id)
+  }
+
+  update(entity: string, id: string, data: Record<string, unknown>): Promise<unknown> {
+    return updateRecord(this.context, entity, id, data)
+  }
+
+  delete(entity: string, id: string): Promise<boolean> {
+    return deleteRecord(this.context, entity, id)
+  }
+
+  list(entity: string, options?: ListOptions): Promise<ListResult<unknown>> {
+    return listRecords(this.context, entity, options)
+  }
+
+  findFirst(entity: string, filter?: Record<string, unknown>): Promise<unknown | null> {
+    return findFirstRecord(this.context, entity, filter)
+  }
+
+  findByField(entity: string, field: string, value: unknown): Promise<unknown | null> {
+    return findByField(this.context, entity, field, value)
+  }
+
+  upsert(
+    entity: string,
+    uniqueField: string,
+    uniqueValue: unknown,
+    createData: Record<string, unknown>,
+    updateData: Record<string, unknown>
+  ): Promise<unknown> {
+    return upsertRecord(this.context, entity, uniqueField, uniqueValue, createData, updateData)
+  }
+
+  updateByField(
+    entity: string,
+    field: string,
+    value: unknown,
+    data: Record<string, unknown>
+  ): Promise<unknown> {
+    return updateByField(this.context, entity, field, value, data)
+  }
+
+  deleteByField(entity: string, field: string, value: unknown): Promise<boolean> {
+    return deleteByField(this.context, entity, field, value)
+  }
+
+  deleteMany(entity: string, filter?: Record<string, unknown>): Promise<number> {
+    return deleteMany(this.context, entity, filter)
+  }
+
+  updateMany(
+    entity: string,
+    filter: Record<string, unknown>,
+    data: Record<string, unknown>
+  ): Promise<number> {
+    return updateMany(this.context, entity, filter, data)
+  }
+
+  createMany(entity: string, data: Record<string, unknown>[]): Promise<number> {
+    return createMany(this.context, entity, data)
+  }
+
+  getCapabilities() {
+    return Promise.resolve(buildCapabilities(this.context))
+  }
+
+  async close(): Promise<void> {
+    await this.context.prisma.$disconnect()
+  }
+}
+
+export class PostgresAdapter extends PrismaAdapter {
+  constructor(databaseUrl?: string, options?: PrismaAdapterOptions) {
+    super(databaseUrl, { ...options, dialect: 'postgres' })
+  }
+}
+
+export class MySQLAdapter extends PrismaAdapter {
+  constructor(databaseUrl?: string, options?: PrismaAdapterOptions) {
+    super(databaseUrl, { ...options, dialect: 'mysql' })
+  }
+}
+
+export { PrismaAdapterOptions, PrismaAdapterDialect }

dbal/development/src/adapters/prisma/operations/bulk.ts

@@ -0,0 +1,121 @@
+import type { PrismaContext } from '../types'
+import { handlePrismaError, buildWhereClause, getModel, withTimeout, isNotFoundError } from './utils'
+
+export async function upsertRecord(
+  context: PrismaContext,
+  entity: string,
+  uniqueField: string,
+  uniqueValue: unknown,
+  createData: Record<string, unknown>,
+  updateData: Record<string, unknown>
+): Promise<unknown> {
+  try {
+    const model = getModel(context, entity)
+    return await withTimeout(
+      context,
+      model.upsert({
+        where: { [uniqueField]: uniqueValue } as never,
+        create: createData as never,
+        update: updateData as never,
+      })
+    )
+  } catch (error) {
+    throw handlePrismaError(error, 'upsert', entity)
+  }
+}
+
+export async function updateByField(
+  context: PrismaContext,
+  entity: string,
+  field: string,
+  value: unknown,
+  data: Record<string, unknown>
+): Promise<unknown> {
+  try {
+    const model = getModel(context, entity)
+    return await withTimeout(
+      context,
+      model.update({
+        where: { [field]: value } as never,
+        data: data as never,
+      })
+    )
+  } catch (error) {
+    throw handlePrismaError(error, 'updateByField', entity)
+  }
+}
+
+export async function deleteByField(
+  context: PrismaContext,
+  entity: string,
+  field: string,
+  value: unknown
+): Promise<boolean> {
+  try {
+    const model = getModel(context, entity)
+    await withTimeout(
+      context,
+      model.delete({ where: { [field]: value } as never })
+    )
+    return true
+  } catch (error) {
+    if (isNotFoundError(error)) {
+      return false
+    }
+    throw handlePrismaError(error, 'deleteByField', entity)
+  }
+}
+
+export async function deleteMany(
+  context: PrismaContext,
+  entity: string,
+  filter?: Record<string, unknown>
+): Promise<number> {
+  try {
+    const model = getModel(context, entity)
+    const where = filter ? buildWhereClause(filter) : undefined
+    const result: { count: number } = await withTimeout(
+      context,
+      model.deleteMany({ where: where as never })
+    )
+    return result.count
+  } catch (error) {
+    throw handlePrismaError(error, 'deleteMany', entity)
+  }
+}
+
+export async function updateMany(
+  context: PrismaContext,
+  entity: string,
+  filter: Record<string, unknown>,
+  data: Record<string, unknown>
+): Promise<number> {
+  try {
+    const model = getModel(context, entity)
+    const where = buildWhereClause(filter)
+    const result: { count: number } = await withTimeout(
+      context,
+      model.updateMany({ where: where as never, data: data as never })
+    )
+    return result.count
+  } catch (error) {
+    throw handlePrismaError(error, 'updateMany', entity)
+  }
+}
+
+export async function createMany(
+  context: PrismaContext,
+  entity: string,
+  data: Record<string, unknown>[]
+): Promise<number> {
+  try {
+    const model = getModel(context, entity)
+    const result: { count: number } = await withTimeout(
+      context,
+      model.createMany({ data: data as never })
+    )
+    return result.count
+  } catch (error) {
+    throw handlePrismaError(error, 'createMany', entity)
+  }
+}

dbal/development/src/adapters/prisma/operations/capabilities.ts

@@ -0,0 +1,16 @@
+import type { AdapterCapabilities } from '../adapter'
+import type { PrismaContext } from '../types'
+
+export function buildCapabilities(context: PrismaContext): AdapterCapabilities {
+  const fullTextSearch = context.dialect === 'postgres' || context.dialect === 'mysql'
+
+  return {
+    transactions: true,
+    joins: true,
+    fullTextSearch,
+    ttl: false,
+    jsonQueries: true,
+    aggregations: true,
+    relations: true,
+  }
+}

dbal/development/src/adapters/prisma/operations/crud.ts

@@ -0,0 +1,71 @@
+import type { PrismaContext } from '../types'
+import { handlePrismaError, getModel, withTimeout, isNotFoundError } from './utils'
+
+export async function createRecord(
+  context: PrismaContext,
+  entity: string,
+  data: Record<string, unknown>
+): Promise<unknown> {
+  try {
+    const model = getModel(context, entity)
+    return await withTimeout(context, model.create({ data: data as never }))
+  } catch (error) {
+    throw handlePrismaError(error, 'create', entity)
+  }
+}
+
+export async function readRecord(
+  context: PrismaContext,
+  entity: string,
+  id: string
+): Promise<unknown | null> {
+  try {
+    const model = getModel(context, entity)
+    return await withTimeout(
+      context,
+      model.findUnique({ where: { id } as never })
+    )
+  } catch (error) {
+    throw handlePrismaError(error, 'read', entity)
+  }
+}
+
+export async function updateRecord(
+  context: PrismaContext,
+  entity: string,
+  id: string,
+  data: Record<string, unknown>
+): Promise<unknown> {
+  try {
+    const model = getModel(context, entity)
+    return await withTimeout(
+      context,
+      model.update({
+        where: { id } as never,
+        data: data as never
+      })
+    )
+  } catch (error) {
+    throw handlePrismaError(error, 'update', entity)
+  }
+}
+
+export async function deleteRecord(
+  context: PrismaContext,
+  entity: string,
+  id: string
+): Promise<boolean> {
+  try {
+    const model = getModel(context, entity)
+    await withTimeout(
+      context,
+      model.delete({ where: { id } as never })
+    )
+    return true
+  } catch (error) {
+    if (isNotFoundError(error)) {
+      return false
+    }
+    throw handlePrismaError(error, 'delete', entity)
+  }
+}

dbal/development/src/adapters/prisma/operations/query.ts

@@ -0,0 +1,79 @@
+import type { ListOptions, ListResult } from '../../core/foundation/types'
+import type { PrismaContext } from '../types'
+import { handlePrismaError, buildWhereClause, buildOrderBy, getModel, withTimeout } from './utils'
+
+export async function listRecords(
+  context: PrismaContext,
+  entity: string,
+  options?: ListOptions
+): Promise<ListResult<unknown>> {
+  try {
+    const model = getModel(context, entity)
+    const page = options?.page || 1
+    const limit = options?.limit || 50
+    const skip = (page - 1) * limit
+
+    const where = options?.filter ? buildWhereClause(options.filter) : undefined
+    const orderBy = options?.sort ? buildOrderBy(options.sort) : undefined
+
+    const [data, total] = await Promise.all([
+      withTimeout(
+        context,
+        model.findMany({
+          where: where as never,
+          orderBy: orderBy as never,
+          skip,
+          take: limit,
+        })
+      ),
+      withTimeout(
+        context,
+        model.count({ where: where as never })
+      )
+    ]) as [unknown[], number]
+
+    return {
+      data: data as unknown[],
+      total,
+      page,
+      limit,
+      hasMore: skip + limit < total,
+    }
+  } catch (error) {
+    throw handlePrismaError(error, 'list', entity)
+  }
+}
+
+export async function findFirstRecord(
+  context: PrismaContext,
+  entity: string,
+  filter?: Record<string, unknown>
+): Promise<unknown | null> {
+  try {
+    const model = getModel(context, entity)
+    const where = filter ? buildWhereClause(filter) : undefined
+    return await withTimeout(
+      context,
+      model.findFirst({ where: where as never })
+    )
+  } catch (error) {
+    throw handlePrismaError(error, 'findFirst', entity)
+  }
+}
+
+export async function findByField(
+  context: PrismaContext,
+  entity: string,
+  field: string,
+  value: unknown
+): Promise<unknown | null> {
+  try {
+    const model = getModel(context, entity)
+    return await withTimeout(
+      context,
+      model.findUnique({ where: { [field]: value } as never })
+    )
+  } catch (error) {
+    throw handlePrismaError(error, 'findByField', entity)
+  }
+}

dbal/development/src/adapters/prisma/operations/utils.ts

@@ -0,0 +1,71 @@
+import type { PrismaContext } from '../types'
+import { DBALError } from '../../core/foundation/errors'
+
+export function getModel(context: PrismaContext, entity: string): any {
+  const modelName = entity.charAt(0).toLowerCase() + entity.slice(1)
+  const model = (context.prisma as any)[modelName]
+
+  if (!model) {
+    throw DBALError.notFound(`Entity ${entity} not found`)
+  }
+
+  return model
+}
+
+export function buildWhereClause(filter: Record<string, unknown>): Record<string, unknown> {
+  const where: Record<string, unknown> = {}
+
+  for (const [key, value] of Object.entries(filter)) {
+    if (value === null || value === undefined) {
+      where[key] = null
+    } else if (typeof value === 'object' && !Array.isArray(value)) {
+      where[key] = value
+    } else {
+      where[key] = value
+    }
+  }
+
+  return where
+}
+
+export function buildOrderBy(sort: Record<string, 'asc' | 'desc'>): Record<string, string> {
+  return sort
+}
+
+export async function withTimeout<T>(context: PrismaContext, promise: Promise<T>): Promise<T> {
+  return Promise.race([
+    promise,
+    new Promise<T>((_, reject) =>
+      setTimeout(() => reject(DBALError.timeout()), context.queryTimeout)
+    )
+  ])
+}
+
+export function isNotFoundError(error: unknown): boolean {
+  return error instanceof Error && error.message.includes('not found')
+}
+
+export function handlePrismaError(
+  error: unknown,
+  operation: string,
+  entity: string
+): DBALError {
+  if (error instanceof DBALError) {
+    return error
+  }
+
+  if (error instanceof Error) {
+    if (error.message.includes('Unique constraint')) {
+      return DBALError.conflict(`${entity} already exists`)
+    }
+    if (error.message.includes('Foreign key constraint')) {
+      return DBALError.validationError('Related resource not found')
+    }
+    if (error.message.includes('not found')) {
+      return DBALError.notFound(`${entity} not found`)
+    }
+    return DBALError.internal(`Database error during ${operation}: ${error.message}`)
+  }
+
+  return DBALError.internal(`Unknown error during ${operation}`)
+}

dbal/development/src/adapters/prisma/types.ts

@@ -0,0 +1,38 @@
+import type { AdapterCapabilities } from '../adapter'
+
+export type PrismaAdapterDialect = 'postgres' | 'mysql' | 'sqlite' | 'generic'
+
+export interface PrismaAdapterOptions {
+  queryTimeout?: number
+  dialect?: PrismaAdapterDialect
+}
+
+export interface PrismaContext {
+  prisma: any
+  queryTimeout: number
+  dialect: PrismaAdapterDialect
+}
+
+export interface PrismaOperations {
+  create(entity: string, data: Record<string, unknown>): Promise<unknown>
+  read(entity: string, id: string): Promise<unknown | null>
+  update(entity: string, id: string, data: Record<string, unknown>): Promise<unknown>
+  delete(entity: string, id: string): Promise<boolean>
+  list(entity: string, options?: any): Promise<any>
+  findFirst(entity: string, filter?: Record<string, unknown>): Promise<unknown | null>
+  findByField(entity: string, field: string, value: unknown): Promise<unknown | null>
+  upsert(
+    entity: string,
+    uniqueField: string,
+    uniqueValue: unknown,
+    createData: Record<string, unknown>,
+    updateData: Record<string, unknown>
+  ): Promise<unknown>
+  updateByField(entity: string, field: string, value: unknown, data: Record<string, unknown>): Promise<unknown>
+  deleteByField(entity: string, field: string, value: unknown): Promise<boolean>
+  deleteMany(entity: string, filter?: Record<string, unknown>): Promise<number>
+  createMany(entity: string, data: Record<string, unknown>[]): Promise<number>
+  updateMany(entity: string, filter: Record<string, unknown>, data: Record<string, unknown>): Promise<number>
+  getCapabilities(): Promise<AdapterCapabilities>
+  close(): Promise<void>
+}

dbal/development/src/blob/index.ts

@@ -1,13 +1,13 @@
 export * from './blob-storage'
 export { MemoryStorage } from './providers/memory-storage'
-export { S3Storage } from './providers/s3-storage'
-export { FilesystemStorage } from './providers/filesystem-storage'
+export { S3Storage } from './providers/s3'
+export { FilesystemStorage } from './providers/filesystem'
 export { TenantAwareBlobStorage } from './providers/tenant-aware-storage'
 
 import type { BlobStorage, BlobStorageConfig } from './blob-storage'
 import { MemoryStorage } from './providers/memory-storage'
-import { S3Storage } from './providers/s3-storage'
-import { FilesystemStorage } from './providers/filesystem-storage'
+import { S3Storage } from './providers/s3'
+import { FilesystemStorage } from './providers/filesystem'
 
 /**
  * Factory function to create blob storage instances

dbal/development/src/blob/providers/filesystem-storage.ts

@@ -1,410 +0,0 @@
-import type {
-  BlobStorage,
-  BlobMetadata,
-  BlobListResult,
-  UploadOptions,
-  DownloadOptions,
-  BlobListOptions,
-  BlobStorageConfig,
-} from '../blob-storage'
-import { DBALError } from '../../core/foundation/errors'
-import { promises as fs } from 'fs'
-import { createReadStream, createWriteStream } from 'fs'
-import path from 'path'
-import { createHash } from 'crypto'
-import { pipeline } from 'stream/promises'
-
-/**
- * Filesystem blob storage implementation
- * Compatible with local filesystem, Samba/CIFS, NFS
- */
-export class FilesystemStorage implements BlobStorage {
-  private basePath: string
-
-  constructor(config: BlobStorageConfig) {
-    if (!config.filesystem) {
-      throw new Error('Filesystem configuration required')
-    }
-
-    this.basePath = config.filesystem.basePath
-
-    if (config.filesystem.createIfNotExists) {
-      this.ensureBasePath()
-    }
-  }
-
-  private async ensureBasePath() {
-    try {
-      await fs.mkdir(this.basePath, { recursive: true })
-    } catch (error: any) {
-      throw new Error(`Failed to create base path: ${error.message}`)
-    }
-  }
-
-  private getFullPath(key: string): string {
-    // Prevent directory traversal attacks
-    const normalized = path.normalize(key).replace(/^(\.\.(\/|\\|$))+/, '')
-    return path.join(this.basePath, normalized)
-  }
-
-  private getMetadataPath(key: string): string {
-    return this.getFullPath(key) + '.meta.json'
-  }
-
-  async upload(
-    key: string,
-    data: Buffer | Uint8Array,
-    options: UploadOptions = {}
-  ): Promise<BlobMetadata> {
-    const filePath = this.getFullPath(key)
-    const metaPath = this.getMetadataPath(key)
-
-    try {
-      // Create directory if needed
-      await fs.mkdir(path.dirname(filePath), { recursive: true })
-
-      // Check if file exists and overwrite is false
-      if (!options.overwrite) {
-        try {
-          await fs.access(filePath)
-          throw DBALError.conflict(`Blob already exists: ${key}`)
-        } catch (error: any) {
-          if (error.code !== 'ENOENT') {
-            throw error
-          }
-        }
-      }
-
-      // Write file
-      await fs.writeFile(filePath, data)
-
-      // Generate metadata
-      const buffer = Buffer.from(data)
-      const etag = this.generateEtag(buffer)
-      const metadata: BlobMetadata = {
-        key,
-        size: buffer.length,
-        contentType: options.contentType || 'application/octet-stream',
-        etag,
-        lastModified: new Date(),
-        customMetadata: options.metadata,
-      }
-
-      // Write metadata
-      await fs.writeFile(metaPath, JSON.stringify(metadata, null, 2))
-
-      return metadata
-    } catch (error: any) {
-      if (error instanceof DBALError) {
-        throw error
-      }
-      throw DBALError.internal(`Filesystem upload failed: ${error.message}`)
-    }
-  }
-
-  async uploadStream(
-    key: string,
-    stream: ReadableStream | NodeJS.ReadableStream,
-    size: number,
-    options: UploadOptions = {}
-  ): Promise<BlobMetadata> {
-    const filePath = this.getFullPath(key)
-    const metaPath = this.getMetadataPath(key)
-
-    try {
-      // Create directory if needed
-      await fs.mkdir(path.dirname(filePath), { recursive: true })
-
-      // Check if file exists and overwrite is false
-      if (!options.overwrite) {
-        try {
-          await fs.access(filePath)
-          throw DBALError.conflict(`Blob already exists: ${key}`)
-        } catch (error: any) {
-          if (error.code !== 'ENOENT') {
-            throw error
-          }
-        }
-      }
-
-      // Write stream to file
-      const writeStream = createWriteStream(filePath)
-
-      if ('getReader' in stream) {
-        // Web ReadableStream
-        const reader = stream.getReader()
-        while (true) {
-          const { done, value } = await reader.read()
-          if (done) break
-          writeStream.write(Buffer.from(value))
-        }
-        writeStream.end()
-      } else {
-        // Node.js ReadableStream
-        await pipeline(stream, writeStream)
-      }
-
-      // Get file stats for actual size
-      const stats = await fs.stat(filePath)
-      
-      // Generate etag from file
-      const buffer = await fs.readFile(filePath)
-      const etag = this.generateEtag(buffer)
-
-      const metadata: BlobMetadata = {
-        key,
-        size: stats.size,
-        contentType: options.contentType || 'application/octet-stream',
-        etag,
-        lastModified: stats.mtime,
-        customMetadata: options.metadata,
-      }
-
-      // Write metadata
-      await fs.writeFile(metaPath, JSON.stringify(metadata, null, 2))
-
-      return metadata
-    } catch (error: any) {
-      if (error instanceof DBALError) {
-        throw error
-      }
-      throw DBALError.internal(`Filesystem stream upload failed: ${error.message}`)
-    }
-  }
-
-  async download(
-    key: string,
-    options: DownloadOptions = {}
-  ): Promise<Buffer> {
-    const filePath = this.getFullPath(key)
-
-    try {
-      let data = await fs.readFile(filePath)
-
-      if (options.offset !== undefined || options.length !== undefined) {
-        const offset = options.offset || 0
-        const length = options.length || (data.length - offset)
-
-        if (offset >= data.length) {
-          throw DBALError.validationError('Offset exceeds blob size')
-        }
-
-        data = data.subarray(offset, offset + length)
-      }
-
-      return data
-    } catch (error: any) {
-      if (error.code === 'ENOENT') {
-        throw DBALError.notFound(`Blob not found: ${key}`)
-      }
-      if (error instanceof DBALError) {
-        throw error
-      }
-      throw DBALError.internal(`Filesystem download failed: ${error.message}`)
-    }
-  }
-
-  async downloadStream(
-    key: string,
-    options: DownloadOptions = {}
-  ): Promise<NodeJS.ReadableStream> {
-    const filePath = this.getFullPath(key)
-
-    try {
-      await fs.access(filePath)
-
-      const streamOptions: any = {}
-      if (options.offset !== undefined) {
-        streamOptions.start = options.offset
-      }
-      if (options.length !== undefined) {
-        streamOptions.end = (options.offset || 0) + options.length - 1
-      }
-
-      return createReadStream(filePath, streamOptions)
-    } catch (error: any) {
-      if (error.code === 'ENOENT') {
-        throw DBALError.notFound(`Blob not found: ${key}`)
-      }
-      throw DBALError.internal(`Filesystem download stream failed: ${error.message}`)
-    }
-  }
-
-  async delete(key: string): Promise<boolean> {
-    const filePath = this.getFullPath(key)
-    const metaPath = this.getMetadataPath(key)
-
-    try {
-      await fs.unlink(filePath)
-      
-      // Try to delete metadata (ignore if doesn't exist)
-      try {
-        await fs.unlink(metaPath)
-      } catch (error: any) {
-        // Ignore if metadata doesn't exist
-      }
-
-      return true
-    } catch (error: any) {
-      if (error.code === 'ENOENT') {
-        throw DBALError.notFound(`Blob not found: ${key}`)
-      }
-      throw DBALError.internal(`Filesystem delete failed: ${error.message}`)
-    }
-  }
-
-  async exists(key: string): Promise<boolean> {
-    const filePath = this.getFullPath(key)
-
-    try {
-      await fs.access(filePath)
-      return true
-    } catch {
-      return false
-    }
-  }
-
-  async getMetadata(key: string): Promise<BlobMetadata> {
-    const filePath = this.getFullPath(key)
-    const metaPath = this.getMetadataPath(key)
-
-    try {
-      // Check if file exists
-      const stats = await fs.stat(filePath)
-
-      // Try to read metadata file
-      try {
-        const metaContent = await fs.readFile(metaPath, 'utf-8')
-        return JSON.parse(metaContent)
-      } catch {
-        // Generate metadata from file if meta file doesn't exist
-        const data = await fs.readFile(filePath)
-        return {
-          key,
-          size: stats.size,
-          contentType: 'application/octet-stream',
-          etag: this.generateEtag(data),
-          lastModified: stats.mtime,
-        }
-      }
-    } catch (error: any) {
-      if (error.code === 'ENOENT') {
-        throw DBALError.notFound(`Blob not found: ${key}`)
-      }
-      throw DBALError.internal(`Filesystem get metadata failed: ${error.message}`)
-    }
-  }
-
-  async list(options: BlobListOptions = {}): Promise<BlobListResult> {
-    const prefix = options.prefix || ''
-    const maxKeys = options.maxKeys || 1000
-
-    try {
-      const items: BlobMetadata[] = []
-      await this.walkDirectory(this.basePath, prefix, maxKeys, items)
-
-      return {
-        items: items.slice(0, maxKeys),
-        isTruncated: items.length > maxKeys,
-        nextToken: items.length > maxKeys ? items[maxKeys].key : undefined,
-      }
-    } catch (error: any) {
-      throw DBALError.internal(`Filesystem list failed: ${error.message}`)
-    }
-  }
-
-  private async walkDirectory(
-    dir: string,
-    prefix: string,
-    maxKeys: number,
-    items: BlobMetadata[]
-  ) {
-    if (items.length >= maxKeys) return
-
-    const entries = await fs.readdir(dir, { withFileTypes: true })
-
-    for (const entry of entries) {
-      if (items.length >= maxKeys) break
-
-      const fullPath = path.join(dir, entry.name)
-      
-      if (entry.isDirectory()) {
-        await this.walkDirectory(fullPath, prefix, maxKeys, items)
-      } else if (!entry.name.endsWith('.meta.json')) {
-        const relativePath = path.relative(this.basePath, fullPath)
-        const normalizedKey = relativePath.split(path.sep).join('/')
-
-        if (!prefix || normalizedKey.startsWith(prefix)) {
-          try {
-            const metadata = await this.getMetadata(normalizedKey)
-            items.push(metadata)
-          } catch {
-            // Skip files that can't be read
-          }
-        }
-      }
-    }
-  }
-
-  async generatePresignedUrl(
-    key: string,
-    expirationSeconds: number = 3600
-  ): Promise<string> {
-    // Filesystem storage doesn't support presigned URLs
-    return ''
-  }
-
-  async copy(
-    sourceKey: string,
-    destKey: string
-  ): Promise<BlobMetadata> {
-    const sourcePath = this.getFullPath(sourceKey)
-    const destPath = this.getFullPath(destKey)
-    const sourceMetaPath = this.getMetadataPath(sourceKey)
-    const destMetaPath = this.getMetadataPath(destKey)
-
-    try {
-      // Create destination directory if needed
-      await fs.mkdir(path.dirname(destPath), { recursive: true })
-
-      // Copy file
-      await fs.copyFile(sourcePath, destPath)
-
-      // Copy or regenerate metadata
-      try {
-        await fs.copyFile(sourceMetaPath, destMetaPath)
-        
-        // Update lastModified in metadata
-        const metadata = JSON.parse(await fs.readFile(destMetaPath, 'utf-8'))
-        metadata.lastModified = new Date()
-        metadata.key = destKey
-        await fs.writeFile(destMetaPath, JSON.stringify(metadata, null, 2))
-        
-        return metadata
-      } catch {
-        // Regenerate metadata if copy fails
-        return await this.getMetadata(destKey)
-      }
-    } catch (error: any) {
-      if (error.code === 'ENOENT') {
-        throw DBALError.notFound(`Source blob not found: ${sourceKey}`)
-      }
-      throw DBALError.internal(`Filesystem copy failed: ${error.message}`)
-    }
-  }
-
-  async getTotalSize(): Promise<number> {
-    const items = await this.list({ maxKeys: Number.MAX_SAFE_INTEGER })
-    return items.items.reduce((sum, item) => sum + item.size, 0)
-  }
-
-  async getObjectCount(): Promise<number> {
-    const items = await this.list({ maxKeys: Number.MAX_SAFE_INTEGER })
-    return items.items.length
-  }
-
-  private generateEtag(data: Buffer): string {
-    const hash = createHash('md5').update(data).digest('hex')
-    return `"${hash}"`
-  }
-}

dbal/development/src/blob/providers/filesystem/context.ts

@@ -0,0 +1,28 @@
+import type { BlobStorageConfig } from '../../blob-storage'
+import { promises as fs } from 'fs'
+
+export interface FilesystemContext {
+  basePath: string
+}
+
+export function createFilesystemContext(config: BlobStorageConfig): FilesystemContext {
+  if (!config.filesystem) {
+    throw new Error('Filesystem configuration required')
+  }
+
+  const basePath = config.filesystem.basePath
+
+  if (config.filesystem.createIfNotExists) {
+    void ensureBasePath(basePath)
+  }
+
+  return { basePath }
+}
+
+async function ensureBasePath(basePath: string) {
+  try {
+    await fs.mkdir(basePath, { recursive: true })
+  } catch (error: any) {
+    throw new Error(`Failed to create base path: ${error.message}`)
+  }
+}

dbal/development/src/blob/providers/filesystem/index.ts

@@ -0,0 +1,98 @@
+import { promises as fs } from 'fs'
+import type {
+  BlobStorage,
+  BlobMetadata,
+  BlobListResult,
+  UploadOptions,
+  DownloadOptions,
+  BlobListOptions,
+  BlobStorageConfig,
+} from '../../blob-storage'
+import { createFilesystemContext, type FilesystemContext } from './context'
+import { buildFullPath } from './paths'
+import { copyBlob, deleteBlob, objectCount, totalSize } from './operations/maintenance'
+import { downloadBuffer, downloadStream } from './operations/downloads'
+import { readMetadata } from './operations/metadata'
+import { listBlobs } from './operations/listing'
+import { uploadBuffer, uploadStream } from './operations/uploads'
+
+export class FilesystemStorage implements BlobStorage {
+  private readonly context: FilesystemContext
+
+  constructor(config: BlobStorageConfig) {
+    this.context = createFilesystemContext(config)
+  }
+
+  upload(
+    key: string,
+    data: Buffer | Uint8Array,
+    options: UploadOptions = {}
+  ): Promise<BlobMetadata> {
+    return uploadBuffer(this.context, key, data, options)
+  }
+
+  uploadStream(
+    key: string,
+    stream: ReadableStream | NodeJS.ReadableStream,
+    size: number,
+    options: UploadOptions = {}
+  ): Promise<BlobMetadata> {
+    return uploadStream(this.context, key, stream, size, options)
+  }
+
+  download(
+    key: string,
+    options: DownloadOptions = {}
+  ): Promise<Buffer> {
+    return downloadBuffer(this.context, key, options)
+  }
+
+  downloadStream(
+    key: string,
+    options: DownloadOptions = {}
+  ): Promise<NodeJS.ReadableStream> {
+    return downloadStream(this.context, key, options)
+  }
+
+  delete(key: string): Promise<boolean> {
+    return deleteBlob(this.context, key)
+  }
+
+  async exists(key: string): Promise<boolean> {
+    const filePath = buildFullPath(this.context.basePath, key)
+
+    try {
+      await fs.access(filePath)
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  getMetadata(key: string): Promise<BlobMetadata> {
+    return readMetadata(this.context, key)
+  }
+
+  list(options: BlobListOptions = {}): Promise<BlobListResult> {
+    return listBlobs(this.context, options)
+  }
+
+  async generatePresignedUrl(
+    key: string,
+    expirationSeconds: number = 3600
+  ): Promise<string> {
+    return ''
+  }
+
+  copy(sourceKey: string, destKey: string): Promise<BlobMetadata> {
+    return copyBlob(this.context, sourceKey, destKey)
+  }
+
+  getTotalSize(): Promise<number> {
+    return totalSize(this.context)
+  }
+
+  getObjectCount(): Promise<number> {
+    return objectCount(this.context)
+  }
+}

dbal/development/src/blob/providers/filesystem/operations/downloads.ts

@@ -0,0 +1,65 @@
+import { promises as fs, createReadStream } from 'fs'
+import type { DownloadOptions } from '../../../blob-storage'
+import { DBALError } from '../../../core/foundation/errors'
+import type { FilesystemContext } from '../context'
+import { buildFullPath } from '../paths'
+
+export async function downloadBuffer(
+  context: FilesystemContext,
+  key: string,
+  options: DownloadOptions
+): Promise<Buffer> {
+  const filePath = buildFullPath(context.basePath, key)
+
+  try {
+    let data = await fs.readFile(filePath)
+
+    if (options.offset !== undefined || options.length !== undefined) {
+      const offset = options.offset || 0
+      const length = options.length || (data.length - offset)
+
+      if (offset >= data.length) {
+        throw DBALError.validationError('Offset exceeds blob size')
+      }
+
+      data = data.subarray(offset, offset + length)
+    }
+
+    return data
+  } catch (error: any) {
+    if (error.code === 'ENOENT') {
+      throw DBALError.notFound(`Blob not found: ${key}`)
+    }
+    if (error instanceof DBALError) {
+      throw error
+    }
+    throw DBALError.internal(`Filesystem download failed: ${error.message}`)
+  }
+}
+
+export async function downloadStream(
+  context: FilesystemContext,
+  key: string,
+  options: DownloadOptions
+): Promise<NodeJS.ReadableStream> {
+  const filePath = buildFullPath(context.basePath, key)
+
+  try {
+    await fs.access(filePath)
+
+    const streamOptions: any = {}
+    if (options.offset !== undefined) {
+      streamOptions.start = options.offset
+    }
+    if (options.length !== undefined) {
+      streamOptions.end = (options.offset || 0) + options.length - 1
+    }
+
+    return createReadStream(filePath, streamOptions)
+  } catch (error: any) {
+    if (error.code === 'ENOENT') {
+      throw DBALError.notFound(`Blob not found: ${key}`)
+    }
+    throw DBALError.internal(`Filesystem download stream failed: ${error.message}`)
+  }
+}

dbal/development/src/blob/providers/filesystem/operations/listing.ts

@@ -0,0 +1,62 @@
+import { promises as fs } from 'fs'
+import path from 'path'
+import type { BlobListOptions, BlobListResult, BlobMetadata } from '../../../blob-storage'
+import { DBALError } from '../../../core/foundation/errors'
+import type { FilesystemContext } from '../context'
+import { buildFullPath } from '../paths'
+import { readMetadata } from './metadata'
+
+export async function listBlobs(
+  context: FilesystemContext,
+  options: BlobListOptions
+): Promise<BlobListResult> {
+  const prefix = options.prefix || ''
+  const maxKeys = options.maxKeys || 1000
+
+  try {
+    const items: BlobMetadata[] = []
+    await walkDirectory(context, context.basePath, prefix, maxKeys, items)
+
+    return {
+      items: items.slice(0, maxKeys),
+      isTruncated: items.length > maxKeys,
+      nextToken: items.length > maxKeys ? items[maxKeys].key : undefined,
+    }
+  } catch (error: any) {
+    throw DBALError.internal(`Filesystem list failed: ${error.message}`)
+  }
+}
+
+async function walkDirectory(
+  context: FilesystemContext,
+  dir: string,
+  prefix: string,
+  maxKeys: number,
+  items: BlobMetadata[]
+) {
+  if (items.length >= maxKeys) return
+
+  const entries = await fs.readdir(dir, { withFileTypes: true })
+
+  for (const entry of entries) {
+    if (items.length >= maxKeys) break
+
+    const fullPath = path.join(dir, entry.name)
+
+    if (entry.isDirectory()) {
+      await walkDirectory(context, fullPath, prefix, maxKeys, items)
+    } else if (!entry.name.endsWith('.meta.json')) {
+      const relativePath = path.relative(context.basePath, fullPath)
+      const normalizedKey = relativePath.split(path.sep).join('/')
+
+      if (!prefix || normalizedKey.startsWith(prefix)) {
+        try {
+          const metadata = await readMetadata(context, normalizedKey)
+          items.push(metadata)
+        } catch {
+          // Skip files that can't be read
+        }
+      }
+    }
+  }
+}

dbal/development/src/blob/providers/filesystem/operations/maintenance.ts

@@ -0,0 +1,75 @@
+import { promises as fs } from 'fs'
+import path from 'path'
+import type { BlobMetadata } from '../../../blob-storage'
+import { DBALError } from '../../../core/foundation/errors'
+import type { FilesystemContext } from '../context'
+import { buildFullPath, buildMetadataPath } from '../paths'
+import { readMetadata } from './metadata'
+import { listBlobs } from './listing'
+
+export async function deleteBlob(
+  context: FilesystemContext,
+  key: string
+): Promise<boolean> {
+  const filePath = buildFullPath(context.basePath, key)
+  const metaPath = buildMetadataPath(context.basePath, key)
+
+  try {
+    await fs.unlink(filePath)
+
+    try {
+      await fs.unlink(metaPath)
+    } catch {
+      // Ignore missing metadata files
+    }
+
+    return true
+  } catch (error: any) {
+    if (error.code === 'ENOENT') {
+      throw DBALError.notFound(`Blob not found: ${key}`)
+    }
+    throw DBALError.internal(`Filesystem delete failed: ${error.message}`)
+  }
+}
+
+export async function copyBlob(
+  context: FilesystemContext,
+  sourceKey: string,
+  destKey: string
+): Promise<BlobMetadata> {
+  const sourcePath = buildFullPath(context.basePath, sourceKey)
+  const destPath = buildFullPath(context.basePath, destKey)
+  const sourceMetaPath = buildMetadataPath(context.basePath, sourceKey)
+  const destMetaPath = buildMetadataPath(context.basePath, destKey)
+
+  try {
+    await fs.mkdir(path.dirname(destPath), { recursive: true })
+    await fs.copyFile(sourcePath, destPath)
+
+    try {
+      await fs.copyFile(sourceMetaPath, destMetaPath)
+      const metadata = JSON.parse(await fs.readFile(destMetaPath, 'utf-8'))
+      metadata.lastModified = new Date()
+      metadata.key = destKey
+      await fs.writeFile(destMetaPath, JSON.stringify(metadata, null, 2))
+      return metadata
+    } catch {
+      return await readMetadata(context, destKey)
+    }
+  } catch (error: any) {
+    if (error.code === 'ENOENT') {
+      throw DBALError.notFound(`Source blob not found: ${sourceKey}`)
+    }
+    throw DBALError.internal(`Filesystem copy failed: ${error.message}`)
+  }
+}
+
+export async function totalSize(context: FilesystemContext): Promise<number> {
+  const items = await listBlobs(context, { maxKeys: Number.MAX_SAFE_INTEGER })
+  return items.items.reduce((sum, item) => sum + item.size, 0)
+}
+
+export async function objectCount(context: FilesystemContext): Promise<number> {
+  const items = await listBlobs(context, { maxKeys: Number.MAX_SAFE_INTEGER })
+  return items.items.length
+}

dbal/development/src/blob/providers/filesystem/operations/metadata.ts

@@ -0,0 +1,51 @@
+import { promises as fs } from 'fs'
+import { createHash } from 'crypto'
+import type { BlobMetadata } from '../../../blob-storage'
+import { DBALError } from '../../../core/foundation/errors'
+import type { FilesystemContext } from '../context'
+import { buildFullPath, buildMetadataPath } from '../paths'
+
+export async function readMetadata(
+  context: FilesystemContext,
+  key: string
+): Promise<BlobMetadata> {
+  const filePath = buildFullPath(context.basePath, key)
+  const metaPath = buildMetadataPath(context.basePath, key)
+
+  try {
+    const stats = await fs.stat(filePath)
+
+    try {
+      const metaContent = await fs.readFile(metaPath, 'utf-8')
+      return JSON.parse(metaContent)
+    } catch {
+      const data = await fs.readFile(filePath)
+      return {
+        key,
+        size: stats.size,
+        contentType: 'application/octet-stream',
+        etag: generateEtag(data),
+        lastModified: stats.mtime,
+      }
+    }
+  } catch (error: any) {
+    if (error.code === 'ENOENT') {
+      throw DBALError.notFound(`Blob not found: ${key}`)
+    }
+    throw DBALError.internal(`Filesystem get metadata failed: ${error.message}`)
+  }
+}
+
+export async function writeMetadata(
+  context: FilesystemContext,
+  key: string,
+  metadata: BlobMetadata
+) {
+  const metaPath = buildMetadataPath(context.basePath, key)
+  await fs.writeFile(metaPath, JSON.stringify(metadata, null, 2))
+}
+
+export function generateEtag(data: Buffer): string {
+  const hash = createHash('md5').update(data).digest('hex')
+  return `"${hash}"`
+}

dbal/development/src/blob/providers/filesystem/operations/uploads.ts

@@ -0,0 +1,109 @@
+import { promises as fs, createWriteStream } from 'fs'
+import path from 'path'
+import { pipeline } from 'stream/promises'
+import type { BlobMetadata, UploadOptions } from '../../../blob-storage'
+import { DBALError } from '../../../core/foundation/errors'
+import type { FilesystemContext } from '../context'
+import { buildFullPath, buildMetadataPath } from '../paths'
+import { generateEtag, writeMetadata } from './metadata'
+
+async function ensureWritableDestination(
+  filePath: string,
+  overwrite?: boolean
+) {
+  await fs.mkdir(path.dirname(filePath), { recursive: true })
+
+  if (!overwrite) {
+    try {
+      await fs.access(filePath)
+      throw DBALError.conflict(`Blob already exists: ${filePath}`)
+    } catch (error: any) {
+      if (error.code !== 'ENOENT') {
+        throw error
+      }
+    }
+  }
+}
+
+export async function uploadBuffer(
+  context: FilesystemContext,
+  key: string,
+  data: Buffer | Uint8Array,
+  options: UploadOptions
+): Promise<BlobMetadata> {
+  const filePath = buildFullPath(context.basePath, key)
+  const metaPath = buildMetadataPath(context.basePath, key)
+
+  try {
+    await ensureWritableDestination(filePath, options.overwrite)
+
+    await fs.writeFile(filePath, data)
+
+    const buffer = Buffer.from(data)
+    const metadata: BlobMetadata = {
+      key,
+      size: buffer.length,
+      contentType: options.contentType || 'application/octet-stream',
+      etag: generateEtag(buffer),
+      lastModified: new Date(),
+      customMetadata: options.metadata,
+    }
+
+    await fs.writeFile(metaPath, JSON.stringify(metadata, null, 2))
+
+    return metadata
+  } catch (error: any) {
+    if (error instanceof DBALError) {
+      throw error
+    }
+    throw DBALError.internal(`Filesystem upload failed: ${error.message}`)
+  }
+}
+
+export async function uploadStream(
+  context: FilesystemContext,
+  key: string,
+  stream: ReadableStream | NodeJS.ReadableStream,
+  size: number,
+  options: UploadOptions
+): Promise<BlobMetadata> {
+  const filePath = buildFullPath(context.basePath, key)
+
+  try {
+    await ensureWritableDestination(filePath, options.overwrite)
+
+    const writeStream = createWriteStream(filePath)
+
+    if ('getReader' in stream) {
+      const reader = stream.getReader()
+      while (true) {
+        const { done, value } = await reader.read()
+        if (done) break
+        writeStream.write(Buffer.from(value))
+      }
+      writeStream.end()
+    } else {
+      await pipeline(stream, writeStream)
+    }
+
+    const stats = await fs.stat(filePath)
+    const buffer = await fs.readFile(filePath)
+    const metadata: BlobMetadata = {
+      key,
+      size: stats.size,
+      contentType: options.contentType || 'application/octet-stream',
+      etag: generateEtag(buffer),
+      lastModified: stats.mtime,
+      customMetadata: options.metadata,
+    }
+
+    await writeMetadata(context, key, metadata)
+
+    return metadata
+  } catch (error: any) {
+    if (error instanceof DBALError) {
+      throw error
+    }
+    throw DBALError.internal(`Filesystem stream upload failed: ${error.message}`)
+  }
+}

dbal/development/src/blob/providers/filesystem/paths.ts

@@ -0,0 +1,11 @@
+import path from 'path'
+import { sanitizeKey } from './sanitize-key'
+
+export function buildFullPath(basePath: string, key: string): string {
+  const normalized = sanitizeKey(key)
+  return path.join(basePath, normalized)
+}
+
+export function buildMetadataPath(basePath: string, key: string): string {
+  return buildFullPath(basePath, key) + '.meta.json'
+}

dbal/development/src/blob/providers/filesystem/sanitize-key.ts

@@ -0,0 +1,3 @@
+export function sanitizeKey(key: string): string {
+  return key.replace(/^(\.\.(\/|\\|$))+/, '')
+}

dbal/development/src/blob/providers/memory-storage.ts

@@ -1,230 +1 @@
-import type {
-  BlobStorage,
-  BlobMetadata,
-  BlobListResult,
-  UploadOptions,
-  DownloadOptions,
-  BlobListOptions,
-} from '../blob-storage'
-import { DBALError } from '../../core/foundation/errors'
-import { createHash } from 'crypto'
-
-interface BlobData {
-  data: Buffer
-  contentType: string
-  etag: string
-  lastModified: Date
-  metadata: Record<string, string>
-}
-
-/**
- * In-memory blob storage implementation
- * Useful for testing and development
- */
-export class MemoryStorage implements BlobStorage {
-  private store: Map<string, BlobData> = new Map()
-
-  async upload(
-    key: string,
-    data: Buffer | Uint8Array,
-    options: UploadOptions = {}
-  ): Promise<BlobMetadata> {
-    const buffer = Buffer.from(data)
-
-    if (!options.overwrite && this.store.has(key)) {
-      throw DBALError.conflict(`Blob already exists: ${key}`)
-    }
-
-    const blob: BlobData = {
-      data: buffer,
-      contentType: options.contentType || 'application/octet-stream',
-      etag: this.generateEtag(buffer),
-      lastModified: new Date(),
-      metadata: options.metadata || {},
-    }
-
-    this.store.set(key, blob)
-
-    return this.makeBlobMetadata(key, blob)
-  }
-
-  async uploadStream(
-    key: string,
-    stream: ReadableStream | NodeJS.ReadableStream,
-    size: number,
-    options: UploadOptions = {}
-  ): Promise<BlobMetadata> {
-    // Collect stream data into buffer
-    const chunks: Buffer[] = []
-
-    if ('getReader' in stream) {
-      // Web ReadableStream
-      const reader = stream.getReader()
-      while (true) {
-        const { done, value } = await reader.read()
-        if (done) break
-        chunks.push(Buffer.from(value))
-      }
-    } else {
-      // Node.js ReadableStream
-      for await (const chunk of stream) {
-        chunks.push(Buffer.from(chunk))
-      }
-    }
-
-    const buffer = Buffer.concat(chunks)
-    return this.upload(key, buffer, options)
-  }
-
-  async download(
-    key: string,
-    options: DownloadOptions = {}
-  ): Promise<Buffer> {
-    const blob = this.store.get(key)
-
-    if (!blob) {
-      throw DBALError.notFound(`Blob not found: ${key}`)
-    }
-
-    let data = blob.data
-
-    if (options.offset !== undefined || options.length !== undefined) {
-      const offset = options.offset || 0
-      const length = options.length || (data.length - offset)
-
-      if (offset >= data.length) {
-        throw DBALError.validationError('Offset exceeds blob size')
-      }
-
-      data = data.subarray(offset, offset + length)
-    }
-
-    return data
-  }
-
-  async downloadStream(
-    key: string,
-    options: DownloadOptions = {}
-  ): Promise<ReadableStream | NodeJS.ReadableStream> {
-    const data = await this.download(key, options)
-
-    // Return a readable stream
-    if (typeof ReadableStream !== 'undefined') {
-      // Web ReadableStream
-      return new ReadableStream({
-        start(controller) {
-          controller.enqueue(data)
-          controller.close()
-        },
-      })
-    } else {
-      // Node.js ReadableStream
-      const { Readable } = await import('stream')
-      return Readable.from(data)
-    }
-  }
-
-  async delete(key: string): Promise<boolean> {
-    if (!this.store.has(key)) {
-      throw DBALError.notFound(`Blob not found: ${key}`)
-    }
-
-    this.store.delete(key)
-    return true
-  }
-
-  async exists(key: string): Promise<boolean> {
-    return this.store.has(key)
-  }
-
-  async getMetadata(key: string): Promise<BlobMetadata> {
-    const blob = this.store.get(key)
-
-    if (!blob) {
-      throw DBALError.notFound(`Blob not found: ${key}`)
-    }
-
-    return this.makeBlobMetadata(key, blob)
-  }
-
-  async list(options: BlobListOptions = {}): Promise<BlobListResult> {
-    const prefix = options.prefix || ''
-    const maxKeys = options.maxKeys || 1000
-
-    const items: BlobMetadata[] = []
-    let nextToken: string | undefined
-
-    for (const [key, blob] of this.store.entries()) {
-      if (!prefix || key.startsWith(prefix)) {
-        if (items.length >= maxKeys) {
-          nextToken = key
-          break
-        }
-        items.push(this.makeBlobMetadata(key, blob))
-      }
-    }
-
-    return {
-      items,
-      nextToken,
-      isTruncated: nextToken !== undefined,
-    }
-  }
-
-  async generatePresignedUrl(
-    key: string,
-    expirationSeconds: number = 3600
-  ): Promise<string> {
-    // Memory storage doesn't support presigned URLs
-    return ''
-  }
-
-  async copy(
-    sourceKey: string,
-    destKey: string
-  ): Promise<BlobMetadata> {
-    const sourceBlob = this.store.get(sourceKey)
-
-    if (!sourceBlob) {
-      throw DBALError.notFound(`Source blob not found: ${sourceKey}`)
-    }
-
-    const destBlob: BlobData = {
-      ...sourceBlob,
-      data: Buffer.from(sourceBlob.data),
-      lastModified: new Date(),
-    }
-
-    this.store.set(destKey, destBlob)
-
-    return this.makeBlobMetadata(destKey, destBlob)
-  }
-
-  async getTotalSize(): Promise<number> {
-    let total = 0
-    for (const blob of this.store.values()) {
-      total += blob.data.length
-    }
-    return total
-  }
-
-  async getObjectCount(): Promise<number> {
-    return this.store.size
-  }
-
-  private generateEtag(data: Buffer): string {
-    const hash = createHash('md5').update(data).digest('hex')
-    return `"${hash}"`
-  }
-
-  private makeBlobMetadata(key: string, blob: BlobData): BlobMetadata {
-    return {
-      key,
-      size: blob.data.length,
-      contentType: blob.contentType,
-      etag: blob.etag,
-      lastModified: blob.lastModified,
-      customMetadata: blob.metadata,
-    }
-  }
-}
+export { MemoryStorage } from './memory-storage/index'

dbal/development/src/blob/providers/memory-storage/downloads.ts

@@ -0,0 +1,48 @@
+import { DBALError } from '../../core/foundation/errors'
+import type { DownloadOptions } from '../blob-storage'
+import type { MemoryStore } from './store'
+import { getBlobOrThrow, normalizeKey } from './utils'
+
+export const downloadBuffer = (
+  store: MemoryStore,
+  key: string,
+  options: DownloadOptions = {},
+): Buffer => {
+  const normalizedKey = normalizeKey(key)
+  const blob = getBlobOrThrow(store, normalizedKey)
+
+  let data = blob.data
+
+  if (options.offset !== undefined || options.length !== undefined) {
+    const offset = options.offset || 0
+    const length = options.length || (data.length - offset)
+
+    if (offset >= data.length) {
+      throw DBALError.validationError('Offset exceeds blob size')
+    }
+
+    data = data.subarray(offset, offset + length)
+  }
+
+  return data
+}
+
+export const downloadStream = async (
+  store: MemoryStore,
+  key: string,
+  options?: DownloadOptions,
+) => {
+  const data = downloadBuffer(store, key, options)
+
+  if (typeof ReadableStream !== 'undefined') {
+    return new ReadableStream({
+      start(controller) {
+        controller.enqueue(data)
+        controller.close()
+      },
+    })
+  }
+
+  const { Readable } = await import('stream')
+  return Readable.from(data)
+}

dbal/development/src/blob/providers/memory-storage/index.ts

@@ -0,0 +1,73 @@
+import type {
+  BlobStorage,
+  BlobMetadata,
+  BlobListResult,
+  UploadOptions,
+  DownloadOptions,
+  BlobListOptions,
+} from '../blob-storage'
+import { createStore } from './store'
+import { uploadBuffer, uploadFromStream } from './uploads'
+import { downloadBuffer, downloadStream } from './downloads'
+import { copyBlob, deleteBlob, getMetadata, listBlobs, getObjectCount, getTotalSize } from './management'
+import { normalizeKey } from './utils'
+
+export class MemoryStorage implements BlobStorage {
+  private store = createStore()
+
+  async upload(key: string, data: Buffer | Uint8Array, options: UploadOptions = {}): Promise<BlobMetadata> {
+    return uploadBuffer(this.store, key, data, options)
+  }
+
+  async uploadStream(
+    key: string,
+    stream: ReadableStream | NodeJS.ReadableStream,
+    _size: number,
+    options: UploadOptions = {},
+  ): Promise<BlobMetadata> {
+    return uploadFromStream(this.store, key, stream, options)
+  }
+
+  async download(key: string, options: DownloadOptions = {}): Promise<Buffer> {
+    return downloadBuffer(this.store, key, options)
+  }
+
+  async downloadStream(
+    key: string,
+    options: DownloadOptions = {},
+  ): Promise<ReadableStream | NodeJS.ReadableStream> {
+    return downloadStream(this.store, key, options)
+  }
+
+  async delete(key: string): Promise<boolean> {
+    return deleteBlob(this.store, key)
+  }
+
+  async exists(key: string): Promise<boolean> {
+    return this.store.has(normalizeKey(key))
+  }
+
+  async getMetadata(key: string): Promise<BlobMetadata> {
+    return getMetadata(this.store, key)
+  }
+
+  async list(options: BlobListOptions = {}): Promise<BlobListResult> {
+    return listBlobs(this.store, options)
+  }
+
+  async generatePresignedUrl(_key: string, _expirationSeconds: number = 3600): Promise<string> {
+    return ''
+  }
+
+  async copy(sourceKey: string, destKey: string): Promise<BlobMetadata> {
+    return copyBlob(this.store, sourceKey, destKey)
+  }
+
+  async getTotalSize(): Promise<number> {
+    return getTotalSize(this.store)
+  }
+
+  async getObjectCount(): Promise<number> {
+    return getObjectCount(this.store)
+  }
+}

dbal/development/src/blob/providers/memory-storage/management.ts

@@ -0,0 +1,72 @@
+import { DBALError } from '../../core/foundation/errors'
+import type { BlobListOptions, BlobListResult, BlobMetadata } from '../blob-storage'
+import type { MemoryStore } from './store'
+import { toBlobMetadata } from './serialization'
+import { cleanupStoreEntry, getBlobOrThrow, normalizeKey } from './utils'
+
+export const deleteBlob = async (store: MemoryStore, key: string): Promise<boolean> => {
+  const normalizedKey = normalizeKey(key)
+
+  if (!store.has(normalizedKey)) {
+    throw DBALError.notFound(`Blob not found: ${normalizedKey}`)
+  }
+
+  cleanupStoreEntry(store, normalizedKey)
+  return true
+}
+
+export const getMetadata = (store: MemoryStore, key: string): BlobMetadata => {
+  const normalizedKey = normalizeKey(key)
+  const blob = getBlobOrThrow(store, normalizedKey)
+
+  return toBlobMetadata(normalizedKey, blob)
+}
+
+export const listBlobs = (store: MemoryStore, options: BlobListOptions = {}): BlobListResult => {
+  const prefix = options.prefix ? normalizeKey(options.prefix) : ''
+  const maxKeys = options.maxKeys || 1000
+
+  const items: BlobMetadata[] = []
+  let nextToken: string | undefined
+
+  for (const [key, blob] of store.entries()) {
+    if (!prefix || key.startsWith(prefix)) {
+      if (items.length >= maxKeys) {
+        nextToken = key
+        break
+      }
+      items.push(toBlobMetadata(key, blob))
+    }
+  }
+
+  return {
+    items,
+    nextToken,
+    isTruncated: nextToken !== undefined,
+  }
+}
+
+export const copyBlob = (store: MemoryStore, sourceKey: string, destKey: string): BlobMetadata => {
+  const normalizedSourceKey = normalizeKey(sourceKey)
+  const normalizedDestKey = normalizeKey(destKey)
+  const sourceBlob = getBlobOrThrow(store, normalizedSourceKey)
+
+  const destBlob = {
+    ...sourceBlob,
+    data: Buffer.from(sourceBlob.data),
+    lastModified: new Date(),
+  }
+
+  store.set(normalizedDestKey, destBlob)
+  return toBlobMetadata(normalizedDestKey, destBlob)
+}
+
+export const getTotalSize = (store: MemoryStore): number => {
+  let total = 0
+  for (const blob of store.values()) {
+    total += blob.data.length
+  }
+  return total
+}
+
+export const getObjectCount = (store: MemoryStore): number => store.size

dbal/development/src/blob/providers/memory-storage/serialization.ts

@@ -0,0 +1,43 @@
+import { createHash } from 'crypto'
+import type { UploadOptions, BlobMetadata } from '../blob-storage'
+import type { BlobData } from './store'
+
+export const generateEtag = (data: Buffer): string => `"${createHash('md5').update(data).digest('hex')}"`
+
+export const toBlobData = (data: Buffer, options: UploadOptions = {}): BlobData => ({
+  data,
+  contentType: options.contentType || 'application/octet-stream',
+  etag: generateEtag(data),
+  lastModified: new Date(),
+  metadata: options.metadata || {},
+})
+
+export const toBlobMetadata = (key: string, blob: BlobData): BlobMetadata => ({
+  key,
+  size: blob.data.length,
+  contentType: blob.contentType,
+  etag: blob.etag,
+  lastModified: blob.lastModified,
+  customMetadata: blob.metadata,
+})
+
+export const collectStream = async (
+  stream: ReadableStream | NodeJS.ReadableStream,
+): Promise<Buffer> => {
+  const chunks: Buffer[] = []
+
+  if ('getReader' in stream) {
+    const reader = stream.getReader()
+    while (true) {
+      const { done, value } = await reader.read()
+      if (done) break
+      chunks.push(Buffer.from(value))
+    }
+  } else {
+    for await (const chunk of stream) {
+      chunks.push(Buffer.from(chunk))
+    }
+  }
+
+  return Buffer.concat(chunks)
+}

dbal/development/src/blob/providers/memory-storage/store.ts

@@ -0,0 +1,11 @@
+export interface BlobData {
+  data: Buffer
+  contentType: string
+  etag: string
+  lastModified: Date
+  metadata: Record<string, string>
+}
+
+export type MemoryStore = Map<string, BlobData>
+
+export const createStore = (): MemoryStore => new Map()

dbal/development/src/blob/providers/memory-storage/uploads.ts

@@ -0,0 +1,34 @@
+import { DBALError } from '../../core/foundation/errors'
+import type { UploadOptions } from '../blob-storage'
+import type { MemoryStore } from './store'
+import { collectStream, toBlobData, toBlobMetadata } from './serialization'
+import { normalizeKey } from './utils'
+
+export const uploadBuffer = (
+  store: MemoryStore,
+  key: string,
+  data: Buffer | Uint8Array,
+  options: UploadOptions = {},
+) => {
+  const normalizedKey = normalizeKey(key)
+  const buffer = Buffer.from(data)
+
+  if (!options.overwrite && store.has(normalizedKey)) {
+    throw DBALError.conflict(`Blob already exists: ${normalizedKey}`)
+  }
+
+  const blob = toBlobData(buffer, options)
+
+  store.set(normalizedKey, blob)
+  return toBlobMetadata(normalizedKey, blob)
+}
+
+export const uploadFromStream = async (
+  store: MemoryStore,
+  key: string,
+  stream: ReadableStream | NodeJS.ReadableStream,
+  options?: UploadOptions,
+) => {
+  const buffer = await collectStream(stream)
+  return uploadBuffer(store, key, buffer, options)
+}

dbal/development/src/blob/providers/memory-storage/utils.ts

@@ -0,0 +1,18 @@
+import { DBALError } from '../../core/foundation/errors'
+import type { BlobData, MemoryStore } from './store'
+
+export const normalizeKey = (key: string): string => key.replace(/^\/+/, '').trim()
+
+export const getBlobOrThrow = (store: MemoryStore, key: string): BlobData => {
+  const blob = store.get(key)
+
+  if (!blob) {
+    throw DBALError.notFound(`Blob not found: ${key}`)
+  }
+
+  return blob
+}
+
+export const cleanupStoreEntry = (store: MemoryStore, key: string): void => {
+  store.delete(key)
+}

dbal/development/src/blob/providers/s3-storage.ts

@@ -1,361 +0,0 @@
-import type {
-  BlobStorage,
-  BlobMetadata,
-  BlobListResult,
-  UploadOptions,
-  DownloadOptions,
-  BlobListOptions,
-  BlobStorageConfig,
-} from '../blob-storage'
-import { DBALError } from '../../core/foundation/errors'
-
-/**
- * S3-compatible blob storage implementation
- * Uses AWS SDK v3 for S3 operations
- * Compatible with MinIO and other S3-compatible services
- */
-export class S3Storage implements BlobStorage {
-  private s3Client: any
-  private bucket: string
-
-  constructor(config: BlobStorageConfig) {
-    if (!config.s3) {
-      throw new Error('S3 configuration required')
-    }
-
-    this.bucket = config.s3.bucket
-
-    // Lazy-load AWS SDK to avoid bundling if not used
-    this.initializeS3Client(config.s3)
-  }
-
-  private async initializeS3Client(s3Config: NonNullable<BlobStorageConfig['s3']>) {
-    try {
-      // Dynamic import to avoid bundling AWS SDK if not installed
-      // @ts-ignore - Optional dependency
-      const s3Module = await import('@aws-sdk/client-s3').catch(() => null)
-      if (!s3Module) {
-        throw new Error('@aws-sdk/client-s3 is not installed. Install it with: npm install @aws-sdk/client-s3')
-      }
-      const { S3Client } = s3Module
-      
-      this.s3Client = new S3Client({
-        region: s3Config.region,
-        credentials: s3Config.accessKeyId && s3Config.secretAccessKey ? {
-          accessKeyId: s3Config.accessKeyId,
-          secretAccessKey: s3Config.secretAccessKey,
-        } : undefined,
-        endpoint: s3Config.endpoint,
-        forcePathStyle: s3Config.forcePathStyle,
-      })
-    } catch (error) {
-      throw new Error('AWS SDK @aws-sdk/client-s3 not installed. Install with: npm install @aws-sdk/client-s3')
-    }
-  }
-
-  async upload(
-    key: string,
-    data: Buffer | Uint8Array,
-    options: UploadOptions = {}
-  ): Promise<BlobMetadata> {
-    try {
-      const { PutObjectCommand } = await import('@aws-sdk/client-s3')
-      
-      const command = new PutObjectCommand({
-        Bucket: this.bucket,
-        Key: key,
-        Body: data,
-        ContentType: options.contentType,
-        Metadata: options.metadata,
-      })
-
-      const response = await this.s3Client.send(command)
-
-      return {
-        key,
-        size: data.length,
-        contentType: options.contentType || 'application/octet-stream',
-        etag: response.ETag || '',
-        lastModified: new Date(),
-        customMetadata: options.metadata,
-      }
-    } catch (error: any) {
-      if (error.name === 'NoSuchBucket') {
-        throw DBALError.notFound(`Bucket not found: ${this.bucket}`)
-      }
-      throw DBALError.internal(`S3 upload failed: ${error.message}`)
-    }
-  }
-
-  async uploadStream(
-    key: string,
-    stream: ReadableStream | NodeJS.ReadableStream,
-    size: number,
-    options: UploadOptions = {}
-  ): Promise<BlobMetadata> {
-    try {
-      const { Upload } = await import('@aws-sdk/lib-storage')
-      
-      const upload = new Upload({
-        client: this.s3Client,
-        params: {
-          Bucket: this.bucket,
-          Key: key,
-          Body: stream as any, // Type compatibility between Node.js and Web streams
-          ContentType: options.contentType,
-          Metadata: options.metadata,
-        },
-      })
-
-      const response = await upload.done()
-
-      return {
-        key,
-        size,
-        contentType: options.contentType || 'application/octet-stream',
-        etag: response.ETag || '',
-        lastModified: new Date(),
-        customMetadata: options.metadata,
-      }
-    } catch (error: any) {
-      throw DBALError.internal(`S3 stream upload failed: ${error.message}`)
-    }
-  }
-
-  async download(
-    key: string,
-    options: DownloadOptions = {}
-  ): Promise<Buffer> {
-    try {
-      const { GetObjectCommand } = await import('@aws-sdk/client-s3')
-      
-      const range = this.buildRangeHeader(options)
-      
-      const command = new GetObjectCommand({
-        Bucket: this.bucket,
-        Key: key,
-        Range: range,
-      })
-
-      const response = await this.s3Client.send(command)
-
-      // Convert stream to buffer
-      const chunks: Uint8Array[] = []
-      for await (const chunk of response.Body as any) {
-        chunks.push(chunk)
-      }
-
-      return Buffer.concat(chunks)
-    } catch (error: any) {
-      if (error.name === 'NoSuchKey') {
-        throw DBALError.notFound(`Blob not found: ${key}`)
-      }
-      throw DBALError.internal(`S3 download failed: ${error.message}`)
-    }
-  }
-
-  async downloadStream(
-    key: string,
-    options: DownloadOptions = {}
-  ): Promise<ReadableStream | NodeJS.ReadableStream> {
-    try {
-      const { GetObjectCommand } = await import('@aws-sdk/client-s3')
-      
-      const range = this.buildRangeHeader(options)
-      
-      const command = new GetObjectCommand({
-        Bucket: this.bucket,
-        Key: key,
-        Range: range,
-      })
-
-      const response = await this.s3Client.send(command)
-      return response.Body as any
-    } catch (error: any) {
-      if (error.name === 'NoSuchKey') {
-        throw DBALError.notFound(`Blob not found: ${key}`)
-      }
-      throw DBALError.internal(`S3 download stream failed: ${error.message}`)
-    }
-  }
-
-  async delete(key: string): Promise<boolean> {
-    try {
-      const { DeleteObjectCommand } = await import('@aws-sdk/client-s3')
-      
-      const command = new DeleteObjectCommand({
-        Bucket: this.bucket,
-        Key: key,
-      })
-
-      await this.s3Client.send(command)
-      return true
-    } catch (error: any) {
-      throw DBALError.internal(`S3 delete failed: ${error.message}`)
-    }
-  }
-
-  async exists(key: string): Promise<boolean> {
-    try {
-      await this.getMetadata(key)
-      return true
-    } catch (error) {
-      if (error instanceof DBALError && error.code === 404) {
-        return false
-      }
-      throw error
-    }
-  }
-
-  async getMetadata(key: string): Promise<BlobMetadata> {
-    try {
-      const { HeadObjectCommand } = await import('@aws-sdk/client-s3')
-      
-      const command = new HeadObjectCommand({
-        Bucket: this.bucket,
-        Key: key,
-      })
-
-      const response = await this.s3Client.send(command)
-
-      return {
-        key,
-        size: response.ContentLength || 0,
-        contentType: response.ContentType || 'application/octet-stream',
-        etag: response.ETag || '',
-        lastModified: response.LastModified || new Date(),
-        customMetadata: response.Metadata,
-      }
-    } catch (error: any) {
-      if (error.name === 'NotFound') {
-        throw DBALError.notFound(`Blob not found: ${key}`)
-      }
-      throw DBALError.internal(`S3 head object failed: ${error.message}`)
-    }
-  }
-
-  async list(options: BlobListOptions = {}): Promise<BlobListResult> {
-    try {
-      const { ListObjectsV2Command } = await import('@aws-sdk/client-s3')
-      
-      const command = new ListObjectsV2Command({
-        Bucket: this.bucket,
-        Prefix: options.prefix,
-        ContinuationToken: options.continuationToken,
-        MaxKeys: options.maxKeys || 1000,
-      })
-
-      const response = await this.s3Client.send(command)
-
-      const items: BlobMetadata[] = (response.Contents || []).map(obj => ({
-        key: obj.Key || '',
-        size: obj.Size || 0,
-        contentType: 'application/octet-stream', // S3 list doesn't return content type
-        etag: obj.ETag || '',
-        lastModified: obj.LastModified || new Date(),
-      }))
-
-      return {
-        items,
-        nextToken: response.NextContinuationToken,
-        isTruncated: response.IsTruncated || false,
-      }
-    } catch (error: any) {
-      throw DBALError.internal(`S3 list failed: ${error.message}`)
-    }
-  }
-
-  async generatePresignedUrl(
-    key: string,
-    expirationSeconds: number = 3600
-  ): Promise<string> {
-    try {
-      const { GetObjectCommand } = await import('@aws-sdk/client-s3')
-      const { getSignedUrl } = await import('@aws-sdk/s3-request-presigner')
-      
-      const command = new GetObjectCommand({
-        Bucket: this.bucket,
-        Key: key,
-      })
-
-      return await getSignedUrl(this.s3Client, command, {
-        expiresIn: expirationSeconds,
-      })
-    } catch (error: any) {
-      throw DBALError.internal(`S3 presigned URL generation failed: ${error.message}`)
-    }
-  }
-
-  async copy(
-    sourceKey: string,
-    destKey: string
-  ): Promise<BlobMetadata> {
-    try {
-      const { CopyObjectCommand } = await import('@aws-sdk/client-s3')
-      
-      const command = new CopyObjectCommand({
-        Bucket: this.bucket,
-        CopySource: `${this.bucket}/${sourceKey}`,
-        Key: destKey,
-      })
-
-      const response = await this.s3Client.send(command)
-
-      return await this.getMetadata(destKey)
-    } catch (error: any) {
-      if (error.name === 'NoSuchKey') {
-        throw DBALError.notFound(`Source blob not found: ${sourceKey}`)
-      }
-      throw DBALError.internal(`S3 copy failed: ${error.message}`)
-    }
-  }
-
-  async getTotalSize(): Promise<number> {
-    // Note: This requires listing all objects and summing sizes
-    // For large buckets, this can be expensive
-    const result = await this.list({ maxKeys: 1000 })
-    let total = result.items.reduce((sum, item) => sum + item.size, 0)
-
-    // Handle pagination if needed
-    let nextToken = result.nextToken
-    while (nextToken) {
-      const pageResult = await this.list({ 
-        maxKeys: 1000, 
-        continuationToken: nextToken 
-      })
-      total += pageResult.items.reduce((sum, item) => sum + item.size, 0)
-      nextToken = pageResult.nextToken
-    }
-
-    return total
-  }
-
-  async getObjectCount(): Promise<number> {
-    // Similar to getTotalSize, requires listing
-    const result = await this.list({ maxKeys: 1000 })
-    let count = result.items.length
-
-    let nextToken = result.nextToken
-    while (nextToken) {
-      const pageResult = await this.list({ 
-        maxKeys: 1000, 
-        continuationToken: nextToken 
-      })
-      count += pageResult.items.length
-      nextToken = pageResult.nextToken
-    }
-
-    return count
-  }
-
-  private buildRangeHeader(options: DownloadOptions): string | undefined {
-    if (options.offset === undefined && options.length === undefined) {
-      return undefined
-    }
-
-    const offset = options.offset || 0
-    const end = options.length !== undefined ? offset + options.length - 1 : undefined
-
-    return end !== undefined ? `bytes=${offset}-${end}` : `bytes=${offset}-`
-  }
-}

dbal/development/src/blob/providers/s3/client.ts

@@ -0,0 +1,39 @@
+import type { BlobStorageConfig } from '../../blob-storage'
+
+export interface S3Context {
+  bucket: string
+  s3Client: any
+}
+
+export async function createS3Context(config: BlobStorageConfig): Promise<S3Context> {
+  if (!config.s3) {
+    throw new Error('S3 configuration required')
+  }
+
+  const { bucket, ...s3Config } = config.s3
+
+  try {
+    // @ts-ignore - optional dependency
+    const s3Module = await import('@aws-sdk/client-s3').catch(() => null)
+    if (!s3Module) {
+      throw new Error('@aws-sdk/client-s3 is not installed. Install it with: npm install @aws-sdk/client-s3')
+    }
+
+    const { S3Client } = s3Module
+
+    return {
+      bucket,
+      s3Client: new S3Client({
+        region: s3Config.region,
+        credentials: s3Config.accessKeyId && s3Config.secretAccessKey ? {
+          accessKeyId: s3Config.accessKeyId,
+          secretAccessKey: s3Config.secretAccessKey,
+        } : undefined,
+        endpoint: s3Config.endpoint,
+        forcePathStyle: s3Config.forcePathStyle,
+      })
+    }
+  } catch (error) {
+    throw new Error('AWS SDK @aws-sdk/client-s3 not installed. Install with: npm install @aws-sdk/client-s3')
+  }
+}

dbal/development/src/blob/providers/s3/index.ts

@@ -0,0 +1,114 @@
+import type {
+  BlobStorage,
+  BlobMetadata,
+  BlobListResult,
+  UploadOptions,
+  DownloadOptions,
+  BlobListOptions,
+  BlobStorageConfig,
+} from '../../blob-storage'
+import { DBALError } from '../../core/foundation/errors'
+import type { S3Context } from './client'
+import { createS3Context } from './client'
+import { downloadBuffer, downloadStream } from './operations/downloads'
+import { listBlobs, sumSizes, countObjects } from './operations/listing'
+import { getMetadata, generatePresignedUrl } from './operations/metadata'
+import { uploadBuffer, uploadStream } from './operations/uploads'
+import { copyObject, deleteObject } from './operations/maintenance'
+
+export class S3Storage implements BlobStorage {
+  private contextPromise: Promise<S3Context>
+
+  constructor(config: BlobStorageConfig) {
+    this.contextPromise = createS3Context(config)
+  }
+
+  private async context(): Promise<S3Context> {
+    return this.contextPromise
+  }
+
+  async upload(
+    key: string,
+    data: Buffer | Uint8Array,
+    options: UploadOptions = {}
+  ): Promise<BlobMetadata> {
+    const context = await this.context()
+    return uploadBuffer(context, key, data, options)
+  }
+
+  async uploadStream(
+    key: string,
+    stream: ReadableStream | NodeJS.ReadableStream,
+    size: number,
+    options: UploadOptions = {}
+  ): Promise<BlobMetadata> {
+    const context = await this.context()
+    return uploadStream(context, key, stream, size, options)
+  }
+
+  async download(
+    key: string,
+    options: DownloadOptions = {}
+  ): Promise<Buffer> {
+    const context = await this.context()
+    return downloadBuffer(context, key, options)
+  }
+
+  async downloadStream(
+    key: string,
+    options: DownloadOptions = {}
+  ): Promise<ReadableStream | NodeJS.ReadableStream> {
+    const context = await this.context()
+    return downloadStream(context, key, options)
+  }
+
+  async delete(key: string): Promise<boolean> {
+    const context = await this.context()
+    return deleteObject(context, key)
+  }
+
+  async exists(key: string): Promise<boolean> {
+    try {
+      await this.getMetadata(key)
+      return true
+    } catch (error) {
+      if (error instanceof DBALError && error.code === 404) {
+        return false
+      }
+      throw error
+    }
+  }
+
+  async getMetadata(key: string): Promise<BlobMetadata> {
+    const context = await this.context()
+    return getMetadata(context, key)
+  }
+
+  async list(options: BlobListOptions = {}): Promise<BlobListResult> {
+    const context = await this.context()
+    return listBlobs(context, options)
+  }
+
+  async generatePresignedUrl(
+    key: string,
+    expirationSeconds: number = 3600
+  ): Promise<string> {
+    const context = await this.context()
+    return generatePresignedUrl(context, key, expirationSeconds)
+  }
+
+  async copy(sourceKey: string, destKey: string): Promise<BlobMetadata> {
+    const context = await this.context()
+    return copyObject(context, sourceKey, destKey)
+  }
+
+  async getTotalSize(): Promise<number> {
+    const context = await this.context()
+    return sumSizes(context)
+  }
+
+  async getObjectCount(): Promise<number> {
+    const context = await this.context()
+    return countObjects(context)
+  }
+}

dbal/development/src/blob/providers/s3/operations/downloads.ts

@@ -0,0 +1,58 @@
+import type { DownloadOptions } from '../../../blob-storage'
+import { DBALError } from '../../../core/foundation/errors'
+import { buildRangeHeader } from '../range'
+import type { S3Context } from '../client'
+
+export async function downloadBuffer(
+  context: S3Context,
+  key: string,
+  options: DownloadOptions
+): Promise<Buffer> {
+  try {
+    const { GetObjectCommand } = await import('@aws-sdk/client-s3')
+
+    const command = new GetObjectCommand({
+      Bucket: context.bucket,
+      Key: key,
+      Range: buildRangeHeader(options),
+    })
+
+    const response = await context.s3Client.send(command)
+
+    const chunks: Uint8Array[] = []
+    for await (const chunk of response.Body as any) {
+      chunks.push(chunk)
+    }
+
+    return Buffer.concat(chunks)
+  } catch (error: any) {
+    if (error.name === 'NoSuchKey') {
+      throw DBALError.notFound(`Blob not found: ${key}`)
+    }
+    throw DBALError.internal(`S3 download failed: ${error.message}`)
+  }
+}
+
+export async function downloadStream(
+  context: S3Context,
+  key: string,
+  options: DownloadOptions
+): Promise<ReadableStream | NodeJS.ReadableStream> {
+  try {
+    const { GetObjectCommand } = await import('@aws-sdk/client-s3')
+
+    const command = new GetObjectCommand({
+      Bucket: context.bucket,
+      Key: key,
+      Range: buildRangeHeader(options),
+    })
+
+    const response = await context.s3Client.send(command)
+    return response.Body as any
+  } catch (error: any) {
+    if (error.name === 'NoSuchKey') {
+      throw DBALError.notFound(`Blob not found: ${key}`)
+    }
+    throw DBALError.internal(`S3 download stream failed: ${error.message}`)
+  }
+}

dbal/development/src/blob/providers/s3/operations/listing.ts

@@ -0,0 +1,71 @@
+import type { BlobListOptions, BlobListResult, BlobMetadata } from '../../../blob-storage'
+import { DBALError } from '../../../core/foundation/errors'
+import type { S3Context } from '../client'
+
+export async function listBlobs(
+  context: S3Context,
+  options: BlobListOptions
+): Promise<BlobListResult> {
+  try {
+    const { ListObjectsV2Command } = await import('@aws-sdk/client-s3')
+
+    const command = new ListObjectsV2Command({
+      Bucket: context.bucket,
+      Prefix: options.prefix,
+      ContinuationToken: options.continuationToken,
+      MaxKeys: options.maxKeys || 1000,
+    })
+
+    const response = await context.s3Client.send(command)
+
+    const items: BlobMetadata[] = (response.Contents || []).map(obj => ({
+      key: obj.Key || '',
+      size: obj.Size || 0,
+      contentType: 'application/octet-stream',
+      etag: obj.ETag || '',
+      lastModified: obj.LastModified || new Date(),
+    }))
+
+    return {
+      items,
+      nextToken: response.NextContinuationToken,
+      isTruncated: response.IsTruncated || false,
+    }
+  } catch (error: any) {
+    throw DBALError.internal(`S3 list failed: ${error.message}`)
+  }
+}
+
+export async function sumSizes(context: S3Context): Promise<number> {
+  const result = await listBlobs(context, { maxKeys: 1000 })
+  let total = result.items.reduce((sum, item) => sum + item.size, 0)
+
+  let nextToken = result.nextToken
+  while (nextToken) {
+    const pageResult = await listBlobs(context, {
+      maxKeys: 1000,
+      continuationToken: nextToken
+    })
+    total += pageResult.items.reduce((sum, item) => sum + item.size, 0)
+    nextToken = pageResult.nextToken
+  }
+
+  return total
+}
+
+export async function countObjects(context: S3Context): Promise<number> {
+  const result = await listBlobs(context, { maxKeys: 1000 })
+  let count = result.items.length
+
+  let nextToken = result.nextToken
+  while (nextToken) {
+    const pageResult = await listBlobs(context, {
+      maxKeys: 1000,
+      continuationToken: nextToken
+    })
+    count += pageResult.items.length
+    nextToken = pageResult.nextToken
+  }
+
+  return count
+}

dbal/development/src/blob/providers/s3/operations/maintenance.ts

@@ -0,0 +1,48 @@
+import type { BlobMetadata } from '../../../blob-storage'
+import { DBALError } from '../../../core/foundation/errors'
+import type { S3Context } from '../client'
+import { getMetadata } from './metadata'
+
+export async function deleteObject(
+  context: S3Context,
+  key: string
+): Promise<boolean> {
+  try {
+    const { DeleteObjectCommand } = await import('@aws-sdk/client-s3')
+
+    const command = new DeleteObjectCommand({
+      Bucket: context.bucket,
+      Key: key,
+    })
+
+    await context.s3Client.send(command)
+    return true
+  } catch (error: any) {
+    throw DBALError.internal(`S3 delete failed: ${error.message}`)
+  }
+}
+
+export async function copyObject(
+  context: S3Context,
+  sourceKey: string,
+  destKey: string
+): Promise<BlobMetadata> {
+  try {
+    const { CopyObjectCommand } = await import('@aws-sdk/client-s3')
+
+    const command = new CopyObjectCommand({
+      Bucket: context.bucket,
+      CopySource: `${context.bucket}/${sourceKey}`,
+      Key: destKey,
+    })
+
+    await context.s3Client.send(command)
+
+    return await getMetadata(context, destKey)
+  } catch (error: any) {
+    if (error.name === 'NoSuchKey') {
+      throw DBALError.notFound(`Source blob not found: ${sourceKey}`)
+    }
+    throw DBALError.internal(`S3 copy failed: ${error.message}`)
+  }
+}

dbal/development/src/blob/providers/s3/operations/metadata.ts

@@ -0,0 +1,55 @@
+import type { BlobMetadata } from '../../../blob-storage'
+import { DBALError } from '../../../core/foundation/errors'
+import type { S3Context } from '../client'
+
+export async function getMetadata(
+  context: S3Context,
+  key: string
+): Promise<BlobMetadata> {
+  try {
+    const { HeadObjectCommand } = await import('@aws-sdk/client-s3')
+
+    const command = new HeadObjectCommand({
+      Bucket: context.bucket,
+      Key: key,
+    })
+
+    const response = await context.s3Client.send(command)
+
+    return {
+      key,
+      size: response.ContentLength || 0,
+      contentType: response.ContentType || 'application/octet-stream',
+      etag: response.ETag || '',
+      lastModified: response.LastModified || new Date(),
+      customMetadata: response.Metadata,
+    }
+  } catch (error: any) {
+    if (error.name === 'NotFound') {
+      throw DBALError.notFound(`Blob not found: ${key}`)
+    }
+    throw DBALError.internal(`S3 head object failed: ${error.message}`)
+  }
+}
+
+export async function generatePresignedUrl(
+  context: S3Context,
+  key: string,
+  expirationSeconds: number
+): Promise<string> {
+  try {
+    const { GetObjectCommand } = await import('@aws-sdk/client-s3')
+    const { getSignedUrl } = await import('@aws-sdk/s3-request-presigner')
+
+    const command = new GetObjectCommand({
+      Bucket: context.bucket,
+      Key: key,
+    })
+
+    return await getSignedUrl(context.s3Client, command, {
+      expiresIn: expirationSeconds,
+    })
+  } catch (error: any) {
+    throw DBALError.internal(`S3 presigned URL generation failed: ${error.message}`)
+  }
+}

dbal/development/src/blob/providers/s3/operations/uploads.ts

@@ -0,0 +1,74 @@
+import type { BlobMetadata, UploadOptions } from '../../../blob-storage'
+import { DBALError } from '../../../core/foundation/errors'
+import type { S3Context } from '../client'
+
+export async function uploadBuffer(
+  context: S3Context,
+  key: string,
+  data: Buffer | Uint8Array,
+  options: UploadOptions
+): Promise<BlobMetadata> {
+  try {
+    const { PutObjectCommand } = await import('@aws-sdk/client-s3')
+
+    const command = new PutObjectCommand({
+      Bucket: context.bucket,
+      Key: key,
+      Body: data,
+      ContentType: options.contentType,
+      Metadata: options.metadata,
+    })
+
+    const response = await context.s3Client.send(command)
+
+    return {
+      key,
+      size: data.length,
+      contentType: options.contentType || 'application/octet-stream',
+      etag: response.ETag || '',
+      lastModified: new Date(),
+      customMetadata: options.metadata,
+    }
+  } catch (error: any) {
+    if (error.name === 'NoSuchBucket') {
+      throw DBALError.notFound(`Bucket not found: ${context.bucket}`)
+    }
+    throw DBALError.internal(`S3 upload failed: ${error.message}`)
+  }
+}
+
+export async function uploadStream(
+  context: S3Context,
+  key: string,
+  stream: ReadableStream | NodeJS.ReadableStream,
+  size: number,
+  options: UploadOptions
+): Promise<BlobMetadata> {
+  try {
+    const { Upload } = await import('@aws-sdk/lib-storage')
+
+    const upload = new Upload({
+      client: context.s3Client,
+      params: {
+        Bucket: context.bucket,
+        Key: key,
+        Body: stream as any,
+        ContentType: options.contentType,
+        Metadata: options.metadata,
+      },
+    })
+
+    const response = await upload.done()
+
+    return {
+      key,
+      size,
+      contentType: options.contentType || 'application/octet-stream',
+      etag: response.ETag || '',
+      lastModified: new Date(),
+      customMetadata: options.metadata,
+    }
+  } catch (error: any) {
+    throw DBALError.internal(`S3 stream upload failed: ${error.message}`)
+  }
+}

dbal/development/src/blob/providers/s3/range.ts

@@ -0,0 +1,12 @@
+import type { DownloadOptions } from '../../blob-storage'
+
+export function buildRangeHeader(options: DownloadOptions): string | undefined {
+  if (options.offset === undefined && options.length === undefined) {
+    return undefined
+  }
+
+  const offset = options.offset || 0
+  const end = options.length !== undefined ? offset + options.length - 1 : undefined
+
+  return end !== undefined ? `bytes=${offset}-${end}` : `bytes=${offset}-`
+}

dbal/development/src/blob/providers/tenant-aware-storage.ts

@@ -1,260 +1,5 @@
-/**
- * Tenant-Aware Blob Storage
- * 
- * Wraps BlobStorage with multi-tenant support including:
- * - Namespace isolation
- * - Access control
- * - Quota management
- * - Virtual root directories
- */
-
-import { BlobStorage, BlobMetadata, UploadOptions, DownloadOptions, BlobListOptions, BlobListResult } from '../blob-storage'
-import { TenantContext, TenantManager } from '../core/tenant-context'
-import { DBALError } from '../../core/foundation/errors'
-import { Readable } from 'stream'
-
-export class TenantAwareBlobStorage implements BlobStorage {
-  constructor(
-    private readonly baseStorage: BlobStorage,
-    private readonly tenantManager: TenantManager,
-    private readonly tenantId: string,
-    private readonly userId: string
-  ) {}
-  
-  private async getContext(): Promise<TenantContext> {
-    return this.tenantManager.getTenantContext(this.tenantId, this.userId)
-  }
-  
-  private getScopedKey(key: string, namespace: string): string {
-    // Remove leading slash if present
-    const cleanKey = key.startsWith('/') ? key.substring(1) : key
-    return `${namespace}${cleanKey}`
-  }
-  
-  private unscopeKey(scopedKey: string, namespace: string): string {
-    if (scopedKey.startsWith(namespace)) {
-      return scopedKey.substring(namespace.length)
-    }
-    return scopedKey
-  }
-  
-  async upload(key: string, data: Buffer, options?: UploadOptions): Promise<BlobMetadata> {
-    const context = await this.getContext()
-    
-    // Check permissions
-    if (!context.canWrite('blob')) {
-      throw DBALError.forbidden('Permission denied: cannot upload blobs')
-    }
-    
-    // Check quota
-    const size = data.length
-    if (!context.canUploadBlob(size)) {
-      throw DBALError.rateLimitExceeded()
-    }
-    
-    const scopedKey = this.getScopedKey(key, context.namespace)
-    const metadata = await this.baseStorage.upload(scopedKey, data, options)
-    
-    // Update quota
-    await this.tenantManager.updateBlobUsage(this.tenantId, size, 1)
-    
-    // Return metadata with unscoped key
-    return {
-      ...metadata,
-      key
-    }
-  }
-  
-  async uploadStream(key: string, stream: Readable, size: number, options?: UploadOptions): Promise<BlobMetadata> {
-    const context = await this.getContext()
-    
-    // Check permissions
-    if (!context.canWrite('blob')) {
-      throw DBALError.forbidden('Permission denied: cannot upload blobs')
-    }
-    
-    // Check quota
-    if (!context.canUploadBlob(size)) {
-      throw DBALError.rateLimitExceeded()
-    }
-    
-    const scopedKey = this.getScopedKey(key, context.namespace)
-    const metadata = await this.baseStorage.uploadStream(scopedKey, stream, size, options)
-    
-    // Update quota
-    await this.tenantManager.updateBlobUsage(this.tenantId, size, 1)
-    
-    // Return metadata with unscoped key
-    return {
-      ...metadata,
-      key
-    }
-  }
-  
-  async download(key: string): Promise<Buffer> {
-    const context = await this.getContext()
-    
-    // Check permissions
-    if (!context.canRead('blob')) {
-      throw DBALError.forbidden('Permission denied: cannot download blobs')
-    }
-    
-    const scopedKey = this.getScopedKey(key, context.namespace)
-    return this.baseStorage.download(scopedKey)
-  }
-  
-  async downloadStream(key: string, options?: DownloadOptions): Promise<ReadableStream | NodeJS.ReadableStream> {
-    const context = await this.getContext()
-    
-    // Check permissions
-    if (!context.canRead('blob')) {
-      throw DBALError.forbidden('Permission denied: cannot download blobs')
-    }
-    
-    const scopedKey = this.getScopedKey(key, context.namespace)
-    return this.baseStorage.downloadStream(scopedKey, options)
-  }
-  
-  async delete(key: string): Promise<boolean> {
-    const context = await this.getContext()
-    
-    // Check permissions
-    if (!context.canDelete('blob')) {
-      throw DBALError.forbidden('Permission denied: cannot delete blobs')
-    }
-    
-    const scopedKey = this.getScopedKey(key, context.namespace)
-    
-    // Get metadata before deletion to update quota
-    try {
-      const metadata = await this.baseStorage.getMetadata(scopedKey)
-      const deleted = await this.baseStorage.delete(scopedKey)
-      
-      if (deleted) {
-        // Update quota
-        await this.tenantManager.updateBlobUsage(this.tenantId, -metadata.size, -1)
-      }
-      
-      return deleted
-    } catch (error) {
-      // If metadata fetch fails, try delete anyway
-      return this.baseStorage.delete(scopedKey)
-    }
-  }
-  
-  async exists(key: string): Promise<boolean> {
-    const context = await this.getContext()
-    
-    // Check permissions
-    if (!context.canRead('blob')) {
-      throw DBALError.forbidden('Permission denied: cannot check blob existence')
-    }
-    
-    const scopedKey = this.getScopedKey(key, context.namespace)
-    return this.baseStorage.exists(scopedKey)
-  }
-  
-  async copy(sourceKey: string, destKey: string): Promise<BlobMetadata> {
-    const context = await this.getContext()
-    
-    // Check permissions
-    if (!context.canRead('blob') || !context.canWrite('blob')) {
-      throw DBALError.forbidden('Permission denied: cannot copy blobs')
-    }
-    
-    // Get source metadata to check quota
-    const sourceScoped = this.getScopedKey(sourceKey, context.namespace)
-    const sourceMetadata = await this.baseStorage.getMetadata(sourceScoped)
-    
-    // Check quota for destination
-    if (!context.canUploadBlob(sourceMetadata.size)) {
-      throw DBALError.rateLimitExceeded()
-    }
-    
-    const destScoped = this.getScopedKey(destKey, context.namespace)
-    const metadata = await this.baseStorage.copy(sourceScoped, destScoped)
-    
-    // Update quota
-    await this.tenantManager.updateBlobUsage(this.tenantId, sourceMetadata.size, 1)
-    
-    return {
-      ...metadata,
-      key: destKey
-    }
-  }
-  
-  async list(options?: BlobListOptions): Promise<BlobListResult> {
-    const context = await this.getContext()
-    
-    // Check permissions
-    if (!context.canRead('blob')) {
-      throw DBALError.forbidden('Permission denied: cannot list blobs')
-    }
-    
-    // Add namespace prefix to options
-    const scopedOptions: BlobListOptions = {
-      ...options,
-      prefix: options?.prefix 
-        ? this.getScopedKey(options.prefix, context.namespace)
-        : context.namespace
-    }
-    
-    const result = await this.baseStorage.list(scopedOptions)
-    
-    // Unscope keys in results
-    return {
-      ...result,
-      items: result.items.map(item => ({
-        ...item,
-        key: this.unscopeKey(item.key, context.namespace)
-      }))
-    }
-  }
-  
-  async getMetadata(key: string): Promise<BlobMetadata> {
-    const context = await this.getContext()
-    
-    // Check permissions
-    if (!context.canRead('blob')) {
-      throw DBALError.forbidden('Permission denied: cannot get blob metadata')
-    }
-    
-    const scopedKey = this.getScopedKey(key, context.namespace)
-    const metadata = await this.baseStorage.getMetadata(scopedKey)
-    
-    return {
-      ...metadata,
-      key
-    }
-  }
-  
-  async getStats(): Promise<{ count: number; totalSize: number }> {
-    const context = await this.getContext()
-    
-    // Return tenant's current usage from quota
-    return {
-      count: context.quota.currentBlobCount,
-      totalSize: context.quota.currentBlobStorageBytes
-    }
-  }
-  
-  async generatePresignedUrl(key: string, expiresIn: number): Promise<string> {
-    const context = await this.getContext()
-    
-    // Check permissions
-    if (!context.canRead('blob')) {
-      throw DBALError.forbidden('Permission denied: cannot generate presigned URL')
-    }
-    
-    const scopedKey = this.getScopedKey(key, context.namespace)
-    return this.baseStorage.generatePresignedUrl(scopedKey, expiresIn)
-  }
-  
-  async getTotalSize(): Promise<number> {
-    return this.baseStorage.getTotalSize()
-  }
-  
-  async getObjectCount(): Promise<number> {
-    return this.baseStorage.getObjectCount()
-  }
-}
+export { TenantAwareBlobStorage } from './tenant-aware-storage/index'
+export type { TenantAwareDeps } from './tenant-aware-storage/context'
+export { scopeKey, unscopeKey } from './tenant-aware-storage/context'
+export { ensurePermission, resolveTenantContext } from './tenant-aware-storage/tenant-context'
+export { auditCopy, auditDeletion, auditUpload } from './tenant-aware-storage/audit-hooks'

dbal/development/src/blob/providers/tenant-aware-storage/audit-hooks.ts

@@ -0,0 +1,17 @@
+import type { TenantAwareDeps } from './context'
+
+const recordUsageChange = async (deps: TenantAwareDeps, bytesChange: number, countChange: number): Promise<void> => {
+  await deps.tenantManager.updateBlobUsage(deps.tenantId, bytesChange, countChange)
+}
+
+export const auditUpload = async (deps: TenantAwareDeps, sizeBytes: number): Promise<void> => {
+  await recordUsageChange(deps, sizeBytes, 1)
+}
+
+export const auditDeletion = async (deps: TenantAwareDeps, sizeBytes: number): Promise<void> => {
+  await recordUsageChange(deps, -sizeBytes, -1)
+}
+
+export const auditCopy = async (deps: TenantAwareDeps, sizeBytes: number): Promise<void> => {
+  await recordUsageChange(deps, sizeBytes, 1)
+}

dbal/development/src/blob/providers/tenant-aware-storage/context.ts

@@ -0,0 +1,21 @@
+import type { TenantManager } from '../../core/foundation/tenant-context'
+import type { BlobStorage } from '../blob-storage'
+
+export interface TenantAwareDeps {
+  baseStorage: BlobStorage
+  tenantManager: TenantManager
+  tenantId: string
+  userId: string
+}
+
+export const scopeKey = (key: string, namespace: string): string => {
+  const cleanKey = key.startsWith('/') ? key.substring(1) : key
+  return `${namespace}${cleanKey}`
+}
+
+export const unscopeKey = (scopedKey: string, namespace: string): string => {
+  if (scopedKey.startsWith(namespace)) {
+    return scopedKey.substring(namespace.length)
+  }
+  return scopedKey
+}

dbal/development/src/blob/providers/tenant-aware-storage/index.ts

@@ -0,0 +1,66 @@
+import type { BlobListOptions, BlobListResult, BlobMetadata, BlobStorage, DownloadOptions, UploadOptions } from '../blob-storage'
+import type { TenantManager } from '../../core/foundation/tenant-context'
+import type { TenantAwareDeps } from './context'
+import { deleteBlob, exists, copyBlob, getStats } from './mutations'
+import { downloadBuffer, downloadStream, generatePresignedUrl, getMetadata, listBlobs } from './reads'
+import { uploadBuffer, uploadStream } from './uploads'
+
+export class TenantAwareBlobStorage implements BlobStorage {
+  private readonly deps: TenantAwareDeps
+
+  constructor(baseStorage: BlobStorage, tenantManager: TenantManager, tenantId: string, userId: string) {
+    this.deps = { baseStorage, tenantManager, tenantId, userId }
+  }
+
+  async upload(key: string, data: Buffer, options?: UploadOptions): Promise<BlobMetadata> {
+    return uploadBuffer(this.deps, key, data, options)
+  }
+
+  async uploadStream(key: string, stream: NodeJS.ReadableStream, size: number, options?: UploadOptions): Promise<BlobMetadata> {
+    return uploadStream(this.deps, key, stream, size, options)
+  }
+
+  async download(key: string): Promise<Buffer> {
+    return downloadBuffer(this.deps, key)
+  }
+
+  async downloadStream(key: string, options?: DownloadOptions): Promise<ReadableStream | NodeJS.ReadableStream> {
+    return downloadStream(this.deps, key, options)
+  }
+
+  async delete(key: string): Promise<boolean> {
+    return deleteBlob(this.deps, key)
+  }
+
+  async exists(key: string): Promise<boolean> {
+    return exists(this.deps, key)
+  }
+
+  async copy(sourceKey: string, destKey: string): Promise<BlobMetadata> {
+    return copyBlob(this.deps, sourceKey, destKey)
+  }
+
+  async list(options?: BlobListOptions): Promise<BlobListResult> {
+    return listBlobs(this.deps, options)
+  }
+
+  async getMetadata(key: string): Promise<BlobMetadata> {
+    return getMetadata(this.deps, key)
+  }
+
+  async getStats(): Promise<{ count: number; totalSize: number }> {
+    return getStats(this.deps)
+  }
+
+  async generatePresignedUrl(key: string, expiresIn: number): Promise<string> {
+    return generatePresignedUrl(this.deps, key, expiresIn)
+  }
+
+  async getTotalSize(): Promise<number> {
+    return this.deps.baseStorage.getTotalSize()
+  }
+
+  async getObjectCount(): Promise<number> {
+    return this.deps.baseStorage.getObjectCount()
+  }
+}

dbal/development/src/blob/providers/tenant-aware-storage/mutations.ts

@@ -0,0 +1,69 @@
+import { DBALError } from '../../core/foundation/errors'
+import type { BlobMetadata } from '../blob-storage'
+import { auditCopy, auditDeletion } from './audit-hooks'
+import type { TenantAwareDeps } from './context'
+import { scopeKey } from './context'
+import { ensurePermission, resolveTenantContext } from './tenant-context'
+
+export const deleteBlob = async (deps: TenantAwareDeps, key: string): Promise<boolean> => {
+  const context = await resolveTenantContext(deps)
+  ensurePermission(context, 'delete')
+
+  const scopedKey = scopeKey(key, context.namespace)
+
+  try {
+    const metadata = await deps.baseStorage.getMetadata(scopedKey)
+    const deleted = await deps.baseStorage.delete(scopedKey)
+
+    if (deleted) {
+      await auditDeletion(deps, metadata.size)
+    }
+
+    return deleted
+  } catch {
+    return deps.baseStorage.delete(scopedKey)
+  }
+}
+
+export const exists = async (deps: TenantAwareDeps, key: string): Promise<boolean> => {
+  const context = await resolveTenantContext(deps)
+  ensurePermission(context, 'read')
+
+  const scopedKey = scopeKey(key, context.namespace)
+  return deps.baseStorage.exists(scopedKey)
+}
+
+export const copyBlob = async (
+  deps: TenantAwareDeps,
+  sourceKey: string,
+  destKey: string,
+): Promise<BlobMetadata> => {
+  const context = await resolveTenantContext(deps)
+  ensurePermission(context, 'read')
+  ensurePermission(context, 'write')
+
+  const sourceScoped = scopeKey(sourceKey, context.namespace)
+  const sourceMetadata = await deps.baseStorage.getMetadata(sourceScoped)
+
+  if (!context.canUploadBlob(sourceMetadata.size)) {
+    throw DBALError.rateLimitExceeded()
+  }
+
+  const destScoped = scopeKey(destKey, context.namespace)
+  const metadata = await deps.baseStorage.copy(sourceScoped, destScoped)
+
+  await auditCopy(deps, sourceMetadata.size)
+
+  return {
+    ...metadata,
+    key: destKey,
+  }
+}
+
+export const getStats = async (deps: TenantAwareDeps) => {
+  const context = await resolveTenantContext(deps)
+  return {
+    count: context.quota.currentBlobCount,
+    totalSize: context.quota.currentBlobStorageBytes,
+  }
+}

dbal/development/src/blob/providers/tenant-aware-storage/reads.ts

@@ -0,0 +1,72 @@
+import type { DownloadOptions, BlobMetadata, BlobListOptions, BlobListResult } from '../blob-storage'
+import type { TenantAwareDeps } from './context'
+import { scopeKey, unscopeKey } from './context'
+import { ensurePermission, resolveTenantContext } from './tenant-context'
+
+export const downloadBuffer = async (deps: TenantAwareDeps, key: string): Promise<Buffer> => {
+  const context = await resolveTenantContext(deps)
+  ensurePermission(context, 'read')
+
+  const scopedKey = scopeKey(key, context.namespace)
+  return deps.baseStorage.download(scopedKey)
+}
+
+export const downloadStream = async (
+  deps: TenantAwareDeps,
+  key: string,
+  options?: DownloadOptions,
+): Promise<ReadableStream | NodeJS.ReadableStream> => {
+  const context = await resolveTenantContext(deps)
+  ensurePermission(context, 'read')
+
+  const scopedKey = scopeKey(key, context.namespace)
+  return deps.baseStorage.downloadStream(scopedKey, options)
+}
+
+export const listBlobs = async (
+  deps: TenantAwareDeps,
+  options: BlobListOptions = {},
+): Promise<BlobListResult> => {
+  const context = await resolveTenantContext(deps)
+  ensurePermission(context, 'read')
+
+  const scopedOptions: BlobListOptions = {
+    ...options,
+    prefix: options.prefix ? scopeKey(options.prefix, context.namespace) : context.namespace,
+  }
+
+  const result = await deps.baseStorage.list(scopedOptions)
+
+  return {
+    ...result,
+    items: result.items.map(item => ({
+      ...item,
+      key: unscopeKey(item.key, context.namespace),
+    })),
+  }
+}
+
+export const getMetadata = async (deps: TenantAwareDeps, key: string): Promise<BlobMetadata> => {
+  const context = await resolveTenantContext(deps)
+  ensurePermission(context, 'read')
+
+  const scopedKey = scopeKey(key, context.namespace)
+  const metadata = await deps.baseStorage.getMetadata(scopedKey)
+
+  return {
+    ...metadata,
+    key,
+  }
+}
+
+export const generatePresignedUrl = async (
+  deps: TenantAwareDeps,
+  key: string,
+  expiresIn: number,
+): Promise<string> => {
+  const context = await resolveTenantContext(deps)
+  ensurePermission(context, 'read')
+
+  const scopedKey = scopeKey(key, context.namespace)
+  return deps.baseStorage.generatePresignedUrl(scopedKey, expiresIn)
+}

dbal/development/src/blob/providers/tenant-aware-storage/tenant-context.ts

@@ -0,0 +1,21 @@
+import { DBALError } from '../../core/foundation/errors'
+import type { TenantContext } from '../../core/foundation/tenant-context'
+import type { TenantAwareDeps } from './context'
+
+export const resolveTenantContext = async ({ tenantManager, tenantId, userId }: TenantAwareDeps): Promise<TenantContext> => {
+  return tenantManager.getTenantContext(tenantId, userId)
+}
+
+export const ensurePermission = (context: TenantContext, action: 'read' | 'write' | 'delete'): void => {
+  const accessCheck =
+    action === 'read' ? context.canRead('blob') : action === 'write' ? context.canWrite('blob') : context.canDelete('blob')
+
+  if (!accessCheck) {
+    const verbs: Record<typeof action, string> = {
+      read: 'read',
+      write: 'write',
+      delete: 'delete',
+    }
+    throw DBALError.forbidden(`Permission denied: cannot ${verbs[action]} blobs`)
+  }
+}

dbal/development/src/blob/providers/tenant-aware-storage/uploads.ts

@@ -0,0 +1,53 @@
+import { DBALError } from '../../core/foundation/errors'
+import { auditUpload } from './audit-hooks'
+import type { TenantAwareDeps } from './context'
+import { scopeKey } from './context'
+import { ensurePermission, resolveTenantContext } from './tenant-context'
+import type { UploadOptions, BlobMetadata } from '../blob-storage'
+
+export const uploadBuffer = async (
+  deps: TenantAwareDeps,
+  key: string,
+  data: Buffer,
+  options?: UploadOptions,
+): Promise<BlobMetadata> => {
+  const context = await resolveTenantContext(deps)
+  ensurePermission(context, 'write')
+
+  if (!context.canUploadBlob(data.length)) {
+    throw DBALError.rateLimitExceeded()
+  }
+
+  const scopedKey = scopeKey(key, context.namespace)
+  const metadata = await deps.baseStorage.upload(scopedKey, data, options)
+  await auditUpload(deps, data.length)
+
+  return {
+    ...metadata,
+    key,
+  }
+}
+
+export const uploadStream = async (
+  deps: TenantAwareDeps,
+  key: string,
+  stream: NodeJS.ReadableStream,
+  size: number,
+  options?: UploadOptions,
+): Promise<BlobMetadata> => {
+  const context = await resolveTenantContext(deps)
+  ensurePermission(context, 'write')
+
+  if (!context.canUploadBlob(size)) {
+    throw DBALError.rateLimitExceeded()
+  }
+
+  const scopedKey = scopeKey(key, context.namespace)
+  const metadata = await deps.baseStorage.uploadStream(scopedKey, stream, size, options)
+  await auditUpload(deps, size)
+
+  return {
+    ...metadata,
+    key,
+  }
+}

dbal/development/src/bridges/websocket-bridge.ts

@@ -1,168 +1 @@
-/**
- * @file websocket-bridge.ts
- * @description WebSocket bridge adapter for remote DBAL daemon
- */
-
-import type { DBALAdapter, AdapterCapabilities } from '../adapters/adapter'
-import type { ListOptions, ListResult } from '../core/types'
-import { DBALError } from '../core/foundation/errors'
-import { generateRequestId } from './utils/generate-request-id'
-import type { RPCMessage, RPCResponse, PendingRequest } from './utils/rpc-types'
-
-export class WebSocketBridge implements DBALAdapter {
-  private ws: WebSocket | null = null
-  private endpoint: string
-  private auth?: { user: unknown, session: unknown }
-  private pendingRequests = new Map<string, PendingRequest>()
-
-  constructor(endpoint: string, auth?: { user: unknown, session: unknown }) {
-    this.endpoint = endpoint
-    this.auth = auth
-  }
-
-  private async connect(): Promise<void> {
-    if (this.ws?.readyState === WebSocket.OPEN) {
-      return
-    }
-
-    return new Promise((resolve, reject) => {
-      this.ws = new WebSocket(this.endpoint)
-
-      this.ws.onopen = () => {
-        resolve()
-      }
-
-      this.ws.onerror = (error) => {
-        reject(DBALError.internal(`WebSocket connection failed: ${error}`))
-      }
-
-      this.ws.onmessage = (event) => {
-        this.handleMessage(event.data)
-      }
-
-      this.ws.onclose = () => {
-        this.ws = null
-      }
-    })
-  }
-
-  private handleMessage(data: string): void {
-    try {
-      const response: RPCResponse = JSON.parse(data)
-      const pending = this.pendingRequests.get(response.id)
-
-      if (!pending) {
-        return
-      }
-
-      this.pendingRequests.delete(response.id)
-
-      if (response.error) {
-        const error = new DBALError(
-          response.error.message,
-          response.error.code,
-          response.error.details
-        )
-        pending.reject(error)
-      } else {
-        pending.resolve(response.result)
-      }
-    } catch (error) {
-      console.error('Failed to parse WebSocket message:', error)
-    }
-  }
-
-  private async call(method: string, ...params: unknown[]): Promise<unknown> {
-    await this.connect()
-
-    const id = generateRequestId()
-    const message: RPCMessage = { id, method, params }
-
-    return new Promise((resolve, reject) => {
-      this.pendingRequests.set(id, { resolve, reject })
-
-      if (this.ws?.readyState === WebSocket.OPEN) {
-        this.ws.send(JSON.stringify(message))
-      } else {
-        this.pendingRequests.delete(id)
-        reject(DBALError.internal('WebSocket connection not open'))
-      }
-
-      setTimeout(() => {
-        if (this.pendingRequests.has(id)) {
-          this.pendingRequests.delete(id)
-          reject(DBALError.timeout('Request timed out'))
-        }
-      }, 30000)
-    })
-  }
-
-  async create(entity: string, data: Record<string, unknown>): Promise<unknown> {
-    return this.call('create', entity, data)
-  }
-
-  async read(entity: string, id: string): Promise<unknown | null> {
-    return this.call('read', entity, id)
-  }
-
-  async update(entity: string, id: string, data: Record<string, unknown>): Promise<unknown> {
-    return this.call('update', entity, id, data)
-  }
-
-  async delete(entity: string, id: string): Promise<boolean> {
-    return this.call('delete', entity, id) as Promise<boolean>
-  }
-
-  async list(entity: string, options?: ListOptions): Promise<ListResult<unknown>> {
-    return this.call('list', entity, options) as Promise<ListResult<unknown>>
-  }
-
-  async findFirst(entity: string, filter?: Record<string, unknown>): Promise<unknown | null> {
-    return this.call('findFirst', entity, filter)
-  }
-
-  async findByField(entity: string, field: string, value: unknown): Promise<unknown | null> {
-    return this.call('findByField', entity, field, value)
-  }
-
-  async upsert(
-    entity: string,
-    filter: Record<string, unknown>,
-    createData: Record<string, unknown>,
-    updateData: Record<string, unknown>
-  ): Promise<unknown> {
-    return this.call('upsert', entity, filter, createData, updateData)
-  }
-
-  async updateByField(entity: string, field: string, value: unknown, data: Record<string, unknown>): Promise<unknown> {
-    return this.call('updateByField', entity, field, value, data)
-  }
-
-  async deleteByField(entity: string, field: string, value: unknown): Promise<boolean> {
-    return this.call('deleteByField', entity, field, value) as Promise<boolean>
-  }
-
-  async deleteMany(entity: string, filter?: Record<string, unknown>): Promise<number> {
-    return this.call('deleteMany', entity, filter) as Promise<number>
-  }
-
-  async createMany(entity: string, data: Record<string, unknown>[]): Promise<number> {
-    return this.call('createMany', entity, data) as Promise<number>
-  }
-
-  async updateMany(entity: string, filter: Record<string, unknown>, data: Record<string, unknown>): Promise<number> {
-    return this.call('updateMany', entity, filter, data) as Promise<number>
-  }
-
-  async getCapabilities(): Promise<AdapterCapabilities> {
-    return this.call('getCapabilities') as Promise<AdapterCapabilities>
-  }
-
-  async close(): Promise<void> {
-    if (this.ws) {
-      this.ws.close()
-      this.ws = null
-    }
-    this.pendingRequests.clear()
-  }
-}
+export { WebSocketBridge } from './websocket-bridge/index'

dbal/development/src/bridges/websocket-bridge/connection-manager.ts

@@ -0,0 +1,90 @@
+import { DBALError } from '../../core/foundation/errors'
+import type { RPCMessage } from '../utils/rpc-types'
+import type { BridgeState } from './state'
+import type { MessageRouter } from './message-router'
+
+export interface ConnectionManager {
+  ensureConnection: () => Promise<void>
+  send: (message: RPCMessage) => Promise<void>
+  close: () => Promise<void>
+}
+
+export const createConnectionManager = (
+  state: BridgeState,
+  messageRouter: MessageRouter,
+): ConnectionManager => {
+  let connectionPromise: Promise<void> | null = null
+
+  const resetConnection = () => {
+    connectionPromise = null
+    state.ws = null
+  }
+
+  const rejectPendingRequests = (error: DBALError) => {
+    state.pendingRequests.forEach(({ reject }) => reject(error))
+    state.pendingRequests.clear()
+  }
+
+  const ensureConnection = async (): Promise<void> => {
+    if (state.ws?.readyState === WebSocket.OPEN) {
+      return
+    }
+
+    if (connectionPromise) {
+      return connectionPromise
+    }
+
+    connectionPromise = new Promise((resolve, reject) => {
+      try {
+        const ws = new WebSocket(state.endpoint)
+        state.ws = ws
+
+        ws.onopen = () => resolve()
+        ws.onerror = error => {
+          const connectionError = DBALError.internal(`WebSocket connection failed: ${error}`)
+          rejectPendingRequests(connectionError)
+          resetConnection()
+          reject(connectionError)
+        }
+        ws.onclose = () => {
+          rejectPendingRequests(DBALError.internal('WebSocket connection closed'))
+          resetConnection()
+        }
+        ws.onmessage = event => messageRouter.handle(event.data)
+      } catch (error) {
+        resetConnection()
+        const connectionError =
+          error instanceof DBALError ? error : DBALError.internal('Failed to establish WebSocket connection')
+        reject(connectionError)
+      }
+    })
+
+    return connectionPromise
+  }
+
+  const send = async (message: RPCMessage): Promise<void> => {
+    await ensureConnection()
+
+    if (!state.ws || state.ws.readyState !== WebSocket.OPEN) {
+      throw DBALError.internal('WebSocket connection not open')
+    }
+
+    state.ws.send(JSON.stringify(message))
+  }
+
+  const close = async (): Promise<void> => {
+    rejectPendingRequests(DBALError.internal('WebSocket connection closed'))
+
+    if (state.ws) {
+      state.ws.close()
+    }
+
+    resetConnection()
+  }
+
+  return {
+    ensureConnection,
+    send,
+    close,
+  }
+}

dbal/development/src/bridges/websocket-bridge/index.ts

@@ -0,0 +1,84 @@
+import type { DBALAdapter, AdapterCapabilities } from '../../adapters/adapter'
+import type { ListOptions, ListResult } from '../../core/types'
+import { createConnectionManager } from './connection-manager'
+import { createMessageRouter } from './message-router'
+import { createOperations } from './operations'
+import { createBridgeState } from './state'
+
+export class WebSocketBridge implements DBALAdapter {
+  private readonly state: ReturnType<typeof createBridgeState>
+  private readonly connectionManager: ReturnType<typeof createConnectionManager>
+  private readonly operations: ReturnType<typeof createOperations>
+
+  constructor(endpoint: string, auth?: { user: unknown; session: unknown }) {
+    this.state = createBridgeState(endpoint, auth)
+    const messageRouter = createMessageRouter(this.state)
+    this.connectionManager = createConnectionManager(this.state, messageRouter)
+    this.operations = createOperations(this.state, this.connectionManager)
+  }
+
+  create(entity: string, data: Record<string, unknown>): Promise<unknown> {
+    return this.operations.create(entity, data)
+  }
+
+  read(entity: string, id: string): Promise<unknown | null> {
+    return this.operations.read(entity, id) as Promise<unknown | null>
+  }
+
+  update(entity: string, id: string, data: Record<string, unknown>): Promise<unknown> {
+    return this.operations.update(entity, id, data)
+  }
+
+  delete(entity: string, id: string): Promise<boolean> {
+    return this.operations.delete(entity, id)
+  }
+
+  list(entity: string, options?: ListOptions): Promise<ListResult<unknown>> {
+    return this.operations.list(entity, options)
+  }
+
+  findFirst(entity: string, filter?: Record<string, unknown>): Promise<unknown | null> {
+    return this.operations.findFirst(entity, filter) as Promise<unknown | null>
+  }
+
+  findByField(entity: string, field: string, value: unknown): Promise<unknown | null> {
+    return this.operations.findByField(entity, field, value) as Promise<unknown | null>
+  }
+
+  upsert(
+    entity: string,
+    filter: Record<string, unknown>,
+    createData: Record<string, unknown>,
+    updateData: Record<string, unknown>,
+  ): Promise<unknown> {
+    return this.operations.upsert(entity, filter, createData, updateData)
+  }
+
+  updateByField(entity: string, field: string, value: unknown, data: Record<string, unknown>): Promise<unknown> {
+    return this.operations.updateByField(entity, field, value, data)
+  }
+
+  deleteByField(entity: string, field: string, value: unknown): Promise<boolean> {
+    return this.operations.deleteByField(entity, field, value)
+  }
+
+  deleteMany(entity: string, filter?: Record<string, unknown>): Promise<number> {
+    return this.operations.deleteMany(entity, filter)
+  }
+
+  createMany(entity: string, data: Record<string, unknown>[]): Promise<number> {
+    return this.operations.createMany(entity, data)
+  }
+
+  updateMany(entity: string, filter: Record<string, unknown>, data: Record<string, unknown>): Promise<number> {
+    return this.operations.updateMany(entity, filter, data)
+  }
+
+  getCapabilities(): Promise<AdapterCapabilities> {
+    return this.operations.getCapabilities()
+  }
+
+  async close(): Promise<void> {
+    await this.connectionManager.close()
+  }
+}

dbal/development/src/bridges/websocket-bridge/message-router.ts

@@ -0,0 +1,68 @@
+import { DBALError } from '../../core/foundation/errors'
+import type { RPCResponse } from '../utils/rpc-types'
+import type { BridgeState } from './state'
+
+export interface MessageRouter {
+  handle: (rawMessage: unknown) => void
+}
+
+const isRecord = (value: unknown): value is Record<string, unknown> =>
+  typeof value === 'object' && value !== null && !Array.isArray(value)
+
+const isRPCError = (value: unknown): value is NonNullable<RPCResponse['error']> =>
+  isRecord(value) &&
+  typeof value.code === 'number' &&
+  typeof value.message === 'string' &&
+  (value.details === undefined || isRecord(value.details))
+
+const isRPCResponse = (value: unknown): value is RPCResponse => {
+  if (!isRecord(value)) {
+    return false
+  }
+
+  const hasId = typeof value.id === 'string'
+  const hasResult = Object.prototype.hasOwnProperty.call(value, 'result')
+  const hasError = isRPCError(value.error) || value.error === undefined
+
+  return hasId && (hasResult || isRPCError(value.error)) && hasError
+}
+
+const parseResponse = (rawMessage: string): RPCResponse => {
+  const parsed = JSON.parse(rawMessage) as unknown
+
+  if (!isRPCResponse(parsed)) {
+    throw new Error('Invalid RPC response shape')
+  }
+
+  return parsed
+}
+
+export const createMessageRouter = (state: BridgeState): MessageRouter => ({
+  handle: (rawMessage: unknown) => {
+    if (typeof rawMessage !== 'string') {
+      console.warn('Ignoring non-string WebSocket message')
+      return
+    }
+
+    try {
+      const response = parseResponse(rawMessage)
+      const pending = state.pendingRequests.get(response.id)
+
+      if (!pending) {
+        console.warn(`No pending request for response ${response.id}`)
+        return
+      }
+
+      state.pendingRequests.delete(response.id)
+
+      if (response.error) {
+        const error = new DBALError(response.error.message, response.error.code, response.error.details)
+        pending.reject(error)
+      } else {
+        pending.resolve(response.result)
+      }
+    } catch (error) {
+      console.error('Failed to process WebSocket message', error)
+    }
+  },
+})

dbal/development/src/bridges/websocket-bridge/operations.ts

@@ -0,0 +1,36 @@
+import type { AdapterCapabilities } from '../../adapters/adapter'
+import type { ListOptions, ListResult } from '../../core/types'
+import type { ConnectionManager } from './connection-manager'
+import type { BridgeState } from './state'
+import { rpcCall } from './rpc'
+
+export const createOperations = (state: BridgeState, connectionManager: ConnectionManager) => ({
+  create: (entity: string, data: Record<string, unknown>) => rpcCall(state, connectionManager, 'create', entity, data),
+  read: (entity: string, id: string) => rpcCall(state, connectionManager, 'read', entity, id),
+  update: (entity: string, id: string, data: Record<string, unknown>) =>
+    rpcCall(state, connectionManager, 'update', entity, id, data),
+  delete: (entity: string, id: string) => rpcCall(state, connectionManager, 'delete', entity, id) as Promise<boolean>,
+  list: (entity: string, options?: ListOptions) =>
+    rpcCall(state, connectionManager, 'list', entity, options) as Promise<ListResult<unknown>>,
+  findFirst: (entity: string, filter?: Record<string, unknown>) =>
+    rpcCall(state, connectionManager, 'findFirst', entity, filter),
+  findByField: (entity: string, field: string, value: unknown) =>
+    rpcCall(state, connectionManager, 'findByField', entity, field, value),
+  upsert: (
+    entity: string,
+    filter: Record<string, unknown>,
+    createData: Record<string, unknown>,
+    updateData: Record<string, unknown>,
+  ) => rpcCall(state, connectionManager, 'upsert', entity, filter, createData, updateData),
+  updateByField: (entity: string, field: string, value: unknown, data: Record<string, unknown>) =>
+    rpcCall(state, connectionManager, 'updateByField', entity, field, value, data),
+  deleteByField: (entity: string, field: string, value: unknown) =>
+    rpcCall(state, connectionManager, 'deleteByField', entity, field, value) as Promise<boolean>,
+  deleteMany: (entity: string, filter?: Record<string, unknown>) =>
+    rpcCall(state, connectionManager, 'deleteMany', entity, filter) as Promise<number>,
+  createMany: (entity: string, data: Record<string, unknown>[]) =>
+    rpcCall(state, connectionManager, 'createMany', entity, data) as Promise<number>,
+  updateMany: (entity: string, filter: Record<string, unknown>, data: Record<string, unknown>) =>
+    rpcCall(state, connectionManager, 'updateMany', entity, filter, data) as Promise<number>,
+  getCapabilities: () => rpcCall(state, connectionManager, 'getCapabilities') as Promise<AdapterCapabilities>,
+})

dbal/development/src/bridges/websocket-bridge/rpc.ts

@@ -0,0 +1,34 @@
+import { DBALError } from '../../core/foundation/errors'
+import { generateRequestId } from '../utils/generate-request-id'
+import type { RPCMessage } from '../utils/rpc-types'
+import type { ConnectionManager } from './connection-manager'
+import type { BridgeState } from './state'
+
+export const rpcCall = async (
+  state: BridgeState,
+  connectionManager: ConnectionManager,
+  method: string,
+  ...params: unknown[]
+): Promise<unknown> => {
+  const id = generateRequestId()
+  const message: RPCMessage = { id, method, params }
+
+  return new Promise((resolve, reject) => {
+    state.pendingRequests.set(id, { resolve, reject })
+
+    connectionManager
+      .send(message)
+      .catch(error => {
+        state.pendingRequests.delete(id)
+        reject(error)
+        return
+      })
+
+    setTimeout(() => {
+      if (state.pendingRequests.has(id)) {
+        state.pendingRequests.delete(id)
+        reject(DBALError.timeout('Request timed out'))
+      }
+    }, 30000)
+  })
+}

dbal/development/src/bridges/websocket-bridge/state.ts

@@ -0,0 +1,18 @@
+import type { PendingRequest } from '../utils/rpc-types'
+
+export interface BridgeState {
+  ws: WebSocket | null
+  endpoint: string
+  auth?: { user: unknown; session: unknown }
+  pendingRequests: Map<string, PendingRequest>
+}
+
+export const createBridgeState = (
+  endpoint: string,
+  auth?: { user: unknown; session: unknown },
+): BridgeState => ({
+  ws: null,
+  endpoint,
+  auth,
+  pendingRequests: new Map<string, PendingRequest>(),
+})

dbal/development/src/core/client.ts

@@ -0,0 +1,8 @@
+import type { DBALConfig } from '../runtime/config'
+import { DBALClient } from './client/client'
+export { buildAdapter, buildEntityOperations } from './client/builders'
+export { normalizeClientConfig, validateClientConfig } from './client/mappers'
+
+export const createDBALClient = (config: DBALConfig) => new DBALClient(config)
+
+export { DBALClient }

dbal/development/src/core/client/adapter-factory.ts

@@ -6,7 +6,7 @@
 import type { DBALConfig } from '../../runtime/config'
 import type { DBALAdapter } from '../../adapters/adapter'
 import { DBALError } from '../foundation/errors'
-import { PrismaAdapter, PostgresAdapter, MySQLAdapter } from '../../adapters/prisma-adapter'
+import { PrismaAdapter, PostgresAdapter, MySQLAdapter } from '../../adapters/prisma'
 import { ACLAdapter } from '../../adapters/acl-adapter'
 import { WebSocketBridge } from '../../bridges/websocket-bridge'
 

dbal/development/src/core/client/builders.ts

@@ -0,0 +1,24 @@
+import type { DBALAdapter } from '../../adapters/adapter'
+import type { DBALConfig } from '../../runtime/config'
+import { createAdapter } from './adapter-factory'
+import {
+  createComponentOperations,
+  createLuaScriptOperations,
+  createPackageOperations,
+  createPageOperations,
+  createSessionOperations,
+  createUserOperations,
+  createWorkflowOperations
+} from '../entities'
+
+export const buildAdapter = (config: DBALConfig): DBALAdapter => createAdapter(config)
+
+export const buildEntityOperations = (adapter: DBALAdapter) => ({
+  users: createUserOperations(adapter),
+  pages: createPageOperations(adapter),
+  components: createComponentOperations(adapter),
+  workflows: createWorkflowOperations(adapter),
+  luaScripts: createLuaScriptOperations(adapter),
+  packages: createPackageOperations(adapter),
+  sessions: createSessionOperations(adapter)
+})

dbal/development/src/core/client/client.ts

@@ -1,7 +1,7 @@
 /**
  * @file client.ts
  * @description DBAL Client - Main interface for database operations
- * 
+ *
  * Provides CRUD operations for all entities through modular operation handlers.
  * Each entity type has its own dedicated operations module following the
  * single-responsibility pattern.
@@ -9,82 +9,67 @@
 
 import type { DBALConfig } from '../../runtime/config'
 import type { DBALAdapter } from '../../adapters/adapter'
-import { createAdapter } from './adapter-factory'
-import {
-  createUserOperations,
-  createPageOperations,
-  createComponentOperations,
-  createWorkflowOperations,
-  createLuaScriptOperations,
-  createPackageOperations,
-  createSessionOperations,
-} from '../entities'
+import { buildAdapter, buildEntityOperations } from './builders'
+import { normalizeClientConfig, validateClientConfig } from './mappers'
 
 export class DBALClient {
   private adapter: DBALAdapter
   private config: DBALConfig
+  private operations: ReturnType<typeof buildEntityOperations>
 
   constructor(config: DBALConfig) {
-    this.config = config
-    
-    // Validate configuration
-    if (!config.adapter) {
-      throw new Error('Adapter type must be specified')
-    }
-    if (config.mode !== 'production' && !config.database?.url) {
-      throw new Error('Database URL must be specified for non-production mode')
-    }
-    
-    this.adapter = createAdapter(config)
+    this.config = normalizeClientConfig(validateClientConfig(config))
+    this.adapter = buildAdapter(this.config)
+    this.operations = buildEntityOperations(this.adapter)
   }
 
   /**
    * User entity operations
    */
   get users() {
-    return createUserOperations(this.adapter)
+    return this.operations.users
   }
 
   /**
    * Page entity operations
    */
   get pages() {
-    return createPageOperations(this.adapter)
+    return this.operations.pages
   }
 
   /**
    * Component hierarchy entity operations
    */
   get components() {
-    return createComponentOperations(this.adapter)
+    return this.operations.components
   }
 
   /**
    * Workflow entity operations
    */
   get workflows() {
-    return createWorkflowOperations(this.adapter)
+    return this.operations.workflows
   }
 
   /**
    * Lua script entity operations
    */
   get luaScripts() {
-    return createLuaScriptOperations(this.adapter)
+    return this.operations.luaScripts
   }
 
   /**
    * Package entity operations
    */
   get packages() {
-    return createPackageOperations(this.adapter)
+    return this.operations.packages
   }
 
   /**
    * Session entity operations
    */
   get sessions() {
-    return createSessionOperations(this.adapter)
+    return this.operations.sessions
   }
 
   /**

dbal/development/src/core/client/mappers.ts

@@ -0,0 +1,25 @@
+import type { DBALConfig } from '../../runtime/config'
+import { DBALError } from '../foundation/errors'
+
+export const validateClientConfig = (config: DBALConfig): DBALConfig => {
+  if (!config.adapter) {
+    throw DBALError.validationError('Adapter type must be specified', [])
+  }
+
+  if (config.mode !== 'production' && !config.database?.url) {
+    throw DBALError.validationError('Database URL must be specified for non-production mode', [])
+  }
+
+  return config
+}
+
+export const normalizeClientConfig = (config: DBALConfig): DBALConfig => ({
+  ...config,
+  security: {
+    sandbox: config.security?.sandbox ?? 'strict',
+    enableAuditLog: config.security?.enableAuditLog ?? true
+  },
+  performance: {
+    ...config.performance
+  }
+})

dbal/development/src/core/entities/index.ts

@@ -12,13 +12,13 @@ export * as luaScript from './lua-script';
 export * as pkg from './package';
 
 // Legacy factory exports (for backward compatibility)
-export { createUserOperations } from './user-operations';
-export { createPageOperations } from './page-operations';
-export { createComponentOperations } from './component-operations';
-export { createWorkflowOperations } from './workflow-operations';
-export { createLuaScriptOperations } from './lua-script-operations';
-export { createPackageOperations } from './package-operations';
-export { createSessionOperations } from './session-operations';
+export { createUserOperations } from './operations/core/user-operations';
+export { createPageOperations } from './operations/system/page-operations';
+export { createComponentOperations } from './operations/system/component-operations';
+export { createWorkflowOperations } from './operations/core/workflow-operations';
+export { createLuaScriptOperations } from './operations/core/lua-script-operations';
+export { createPackageOperations } from './operations/system/package-operations';
+export { createSessionOperations } from './operations/core/session-operations';
 
 // Validation utilities
 export * from '../validation';

dbal/development/src/core/entities/operations/core/user-operations.ts

@@ -1,185 +1,11 @@
-/**
- * @file user-operations.ts
- * @description User entity CRUD operations for DBAL client
- * 
- * Single-responsibility module following the small-function-file pattern.
- */
+export { createUserOperations } from './user'
+export type { UserOperations } from './user'
 
-import type { DBALAdapter } from '../../adapters/adapter'
-import type { User, ListOptions, ListResult } from '../types'
-import { DBALError } from '../errors'
-import { validateUserCreate, validateUserUpdate, validateId } from '../validation'
-
-/**
- * Create user operations object for the DBAL client
- */
-export const createUserOperations = (adapter: DBALAdapter) => ({
-  /**
-   * Create a new user
-   */
-  create: async (data: Omit<User, 'id' | 'createdAt' | 'updatedAt'>): Promise<User> => {
-    const validationErrors = validateUserCreate(data)
-    if (validationErrors.length > 0) {
-      throw DBALError.validationError(
-        'Invalid user data',
-        validationErrors.map(error => ({ field: 'user', error }))
-      )
-    }
-
-    try {
-      return adapter.create('User', data) as Promise<User>
-    } catch (error) {
-      if (error instanceof DBALError && error.code === 409) {
-        throw DBALError.conflict(`User with username or email already exists`)
-      }
-      throw error
-    }
-  },
-
-  /**
-   * Read a user by ID
-   */
-  read: async (id: string): Promise<User | null> => {
-    const validationErrors = validateId(id)
-    if (validationErrors.length > 0) {
-      throw DBALError.validationError(
-        'Invalid user ID',
-        validationErrors.map(error => ({ field: 'id', error }))
-      )
-    }
-
-    const result = await adapter.read('User', id) as User | null
-    if (!result) {
-      throw DBALError.notFound(`User not found: ${id}`)
-    }
-    return result
-  },
-
-  /**
-   * Update an existing user
-   */
-  update: async (id: string, data: Partial<User>): Promise<User> => {
-    const idErrors = validateId(id)
-    if (idErrors.length > 0) {
-      throw DBALError.validationError(
-        'Invalid user ID',
-        idErrors.map(error => ({ field: 'id', error }))
-      )
-    }
-
-    const validationErrors = validateUserUpdate(data)
-    if (validationErrors.length > 0) {
-      throw DBALError.validationError(
-        'Invalid user update data',
-        validationErrors.map(error => ({ field: 'user', error }))
-      )
-    }
-
-    try {
-      return adapter.update('User', id, data) as Promise<User>
-    } catch (error) {
-      if (error instanceof DBALError && error.code === 409) {
-        throw DBALError.conflict(`Username or email already exists`)
-      }
-      throw error
-    }
-  },
-
-  /**
-   * Delete a user by ID
-   */
-  delete: async (id: string): Promise<boolean> => {
-    const validationErrors = validateId(id)
-    if (validationErrors.length > 0) {
-      throw DBALError.validationError(
-        'Invalid user ID',
-        validationErrors.map(error => ({ field: 'id', error }))
-      )
-    }
-
-    const result = await adapter.delete('User', id)
-    if (!result) {
-      throw DBALError.notFound(`User not found: ${id}`)
-    }
-    return result
-  },
-
-  /**
-   * List users with filtering and pagination
-   */
-  list: async (options?: ListOptions): Promise<ListResult<User>> => {
-    return adapter.list('User', options) as Promise<ListResult<User>>
-  },
-
-  /**
-   * Batch create multiple users
-   */
-  createMany: async (data: Array<Omit<User, 'id' | 'createdAt' | 'updatedAt'>>): Promise<number> => {
-    if (!data || data.length === 0) {
-      return 0
-    }
-
-    const validationErrors = data.flatMap((item, index) =>
-      validateUserCreate(item).map(error => ({ field: `users[${index}]`, error }))
-    )
-    if (validationErrors.length > 0) {
-      throw DBALError.validationError('Invalid user batch', validationErrors)
-    }
-
-    try {
-      return adapter.createMany('User', data as Record<string, unknown>[])
-    } catch (error) {
-      if (error instanceof DBALError && error.code === 409) {
-        throw DBALError.conflict('Username or email already exists')
-      }
-      throw error
-    }
-  },
-
-  /**
-   * Bulk update users matching a filter
-   */
-  updateMany: async (filter: Record<string, unknown>, data: Partial<User>): Promise<number> => {
-    if (!filter || Object.keys(filter).length === 0) {
-      throw DBALError.validationError('Bulk update requires a filter', [
-        { field: 'filter', error: 'Filter is required' },
-      ])
-    }
-
-    if (!data || Object.keys(data).length === 0) {
-      throw DBALError.validationError('Bulk update requires data', [
-        { field: 'data', error: 'Update data is required' },
-      ])
-    }
-
-    const validationErrors = validateUserUpdate(data)
-    if (validationErrors.length > 0) {
-      throw DBALError.validationError(
-        'Invalid user update data',
-        validationErrors.map(error => ({ field: 'user', error }))
-      )
-    }
-
-    try {
-      return adapter.updateMany('User', filter, data as Record<string, unknown>)
-    } catch (error) {
-      if (error instanceof DBALError && error.code === 409) {
-        throw DBALError.conflict('Username or email already exists')
-      }
-      throw error
-    }
-  },
-
-  /**
-   * Bulk delete users matching a filter
-   */
-  deleteMany: async (filter: Record<string, unknown>): Promise<number> => {
-    if (!filter || Object.keys(filter).length === 0) {
-      throw DBALError.validationError('Bulk delete requires a filter', [
-        { field: 'filter', error: 'Filter is required' },
-      ])
-    }
-
-    return adapter.deleteMany('User', filter)
-  },
-})
+export { createUser } from './user/create'
+export { deleteUser } from './user/delete'
+export { updateUser } from './user/update'
+export {
+  assertValidUserCreate,
+  assertValidUserId,
+  assertValidUserUpdate,
+} from './user/validation'

dbal/development/src/core/entities/operations/core/user/batch.ts

@@ -0,0 +1,71 @@
+import type { DBALAdapter } from '../../../../adapters/adapter'
+import type { User } from '../../../../foundation/types'
+import { DBALError } from '../../../../foundation/errors'
+import { validateUserCreate, validateUserUpdate } from '../../../../foundation/validation'
+
+export const createManyUsers = async (
+  adapter: DBALAdapter,
+  data: Array<Omit<User, 'id' | 'createdAt' | 'updatedAt'>>,
+): Promise<number> => {
+  if (!data || data.length === 0) {
+    return 0
+  }
+
+  const validationErrors = data.flatMap((item, index) =>
+    validateUserCreate(item).map(error => ({ field: `users[${index}]`, error })),
+  )
+  if (validationErrors.length > 0) {
+    throw DBALError.validationError('Invalid user batch', validationErrors)
+  }
+
+  try {
+    return adapter.createMany('User', data as Record<string, unknown>[])
+  } catch (error) {
+    if (error instanceof DBALError && error.code === 409) {
+      throw DBALError.conflict('Username or email already exists')
+    }
+    throw error
+  }
+}
+
+export const updateManyUsers = async (
+  adapter: DBALAdapter,
+  filter: Record<string, unknown>,
+  data: Partial<User>,
+): Promise<number> => {
+  if (!filter || Object.keys(filter).length === 0) {
+    throw DBALError.validationError('Bulk update requires a filter', [
+      { field: 'filter', error: 'Filter is required' },
+    ])
+  }
+
+  if (!data || Object.keys(data).length === 0) {
+    throw DBALError.validationError('Bulk update requires data', [
+      { field: 'data', error: 'Update data is required' },
+    ])
+  }
+
+  const validationErrors = validateUserUpdate(data)
+  if (validationErrors.length > 0) {
+    throw DBALError.validationError('Invalid user update data', validationErrors.map(error => ({ field: 'user', error })))
+  }
+
+  try {
+    return adapter.updateMany('User', filter, data as Record<string, unknown>)
+  } catch (error) {
+    if (error instanceof DBALError && error.code === 409) {
+      throw DBALError.conflict('Username or email already exists')
+    }
+    throw error
+  }
+}
+
+export const deleteManyUsers = async (adapter: DBALAdapter, filter: Record<string, unknown>): Promise<number> => {
+  if (!filter || Object.keys(filter).length === 0) {
+    throw DBALError.validationError('Bulk delete requires a filter', [
+      { field: 'filter', error: 'Filter is required' },
+    ])
+  }
+
+  return adapter.deleteMany('User', filter)
+}

dbal/development/src/core/entities/operations/core/user/create.ts

@@ -0,0 +1,20 @@
+import type { DBALAdapter } from '../../../../adapters/adapter'
+import { DBALError } from '../../../../foundation/errors'
+import type { User } from '../../../../foundation/types'
+import { assertValidUserCreate } from './validation'
+
+export const createUser = async (
+  adapter: DBALAdapter,
+  data: Omit<User, 'id' | 'createdAt' | 'updatedAt'>,
+): Promise<User> => {
+  assertValidUserCreate(data)
+
+  try {
+    return adapter.create('User', data) as Promise<User>
+  } catch (error) {
+    if (error instanceof DBALError && error.code === 409) {
+      throw DBALError.conflict('User with username or email already exists')
+    }
+    throw error
+  }
+}

dbal/development/src/core/entities/operations/core/user/delete.ts

@@ -0,0 +1,13 @@
+import type { DBALAdapter } from '../../../../adapters/adapter'
+import { DBALError } from '../../../../foundation/errors'
+import { assertValidUserId } from './validation'
+
+export const deleteUser = async (adapter: DBALAdapter, id: string): Promise<boolean> => {
+  assertValidUserId(id)
+
+  const result = await adapter.delete('User', id)
+  if (!result) {
+    throw DBALError.notFound(`User not found: ${id}`)
+  }
+  return result
+}

dbal/development/src/core/entities/operations/core/user/index.ts

@@ -0,0 +1,29 @@
+import type { DBALAdapter } from '../../../../adapters/adapter'
+import type { User, ListOptions, ListResult } from '../../../../foundation/types'
+import { createUser } from './create'
+import { deleteUser } from './delete'
+import { updateUser } from './update'
+import { createManyUsers, deleteManyUsers, updateManyUsers } from './batch'
+import { listUsers, readUser } from './reads'
+
+export interface UserOperations {
+  create: (data: Omit<User, 'id' | 'createdAt' | 'updatedAt'>) => Promise<User>
+  read: (id: string) => Promise<User | null>
+  update: (id: string, data: Partial<User>) => Promise<User>
+  delete: (id: string) => Promise<boolean>
+  list: (options?: ListOptions) => Promise<ListResult<User>>
+  createMany: (data: Array<Omit<User, 'id' | 'createdAt' | 'updatedAt'>>) => Promise<number>
+  updateMany: (filter: Record<string, unknown>, data: Partial<User>) => Promise<number>
+  deleteMany: (filter: Record<string, unknown>) => Promise<number>
+}
+
+export const createUserOperations = (adapter: DBALAdapter): UserOperations => ({
+  create: data => createUser(adapter, data),
+  read: id => readUser(adapter, id),
+  update: (id, data) => updateUser(adapter, id, data),
+  delete: id => deleteUser(adapter, id),
+  list: options => listUsers(adapter, options),
+  createMany: data => createManyUsers(adapter, data),
+  updateMany: (filter, data) => updateManyUsers(adapter, filter, data),
+  deleteMany: filter => deleteManyUsers(adapter, filter),
+})

dbal/development/src/core/entities/operations/core/user/reads.ts

@@ -0,0 +1,21 @@
+import type { DBALAdapter } from '../../../../adapters/adapter'
+import type { User, ListOptions, ListResult } from '../../../../foundation/types'
+import { DBALError } from '../../../../foundation/errors'
+import { validateId } from '../../../../foundation/validation'
+
+export const readUser = async (adapter: DBALAdapter, id: string): Promise<User | null> => {
+  const validationErrors = validateId(id)
+  if (validationErrors.length > 0) {
+    throw DBALError.validationError('Invalid user ID', validationErrors.map(error => ({ field: 'id', error })))
+  }
+
+  const result = await adapter.read('User', id) as User | null
+  if (!result) {
+    throw DBALError.notFound(`User not found: ${id}`)
+  }
+  return result
+}
+
+export const listUsers = (adapter: DBALAdapter, options?: ListOptions): Promise<ListResult<User>> => {
+  return adapter.list('User', options) as Promise<ListResult<User>>
+}