Internals
Service map
A pointer-only inventory of the route + service files behind every major feature, so an agent can find them without grep.
This page is a pointer-only inventory. Each line: feature → primary route / service paths → gotcha or deep-dive pointer. The four major subsystems (Auth, Realtime, Query API, Hybrid schema) have their own guides; this list is everything else.
Data plane
- Full-text & hybrid search (
services/fts.ts, DDL inpackages/db/schema-applier.ts::ensureFtsObjects) — keyword index maintained by the item-write hooks (services/items/write.ts); thePOST /:slug/searchroute +?q=upgrade live inroutes/items.ts, the backfill inroutes/collections.ts. Hybrid fuses FTS + vector with RRF. Managed collections only. Deep dive:docs/full-text-search.md. - Revisions (
routes/revisions.ts,services/revisions.ts) — change history per item.routes/items.tsalready snapshots before mutating, don’t double-write. - Comments (
routes/comments.ts) — item-scoped threads, permission-checked via the parent collection (no separate permission row). - Activity log (
routes/activity.ts,services/activity.ts) — central audit trail. Mutating routes calllogActivity(...)after success. Add it when introducing new write endpoints. - Storage + folders (
routes/storage.ts,routes/folders.ts,services/storage/*) — uploads, folder tree, signed serves, on-the-fly image transforms. Seedocs/storage.md.
Query surfaces
- GraphQL (
routes/graphql.ts,routes/graphql.openapi.ts,services/graphql.ts) — schema auto-generated from collections. Uses the L1 permission cache so deep queries don’t N+1 the resolver. Seedocs/graphql.md. - OpenAPI (
routes/openapi.ts,routes/openapi-metadata.ts,services/openapi-dynamic.ts) — spec generated dynamically from collection schemas + per-route.openapi(...)decorators (@hono/zod-openapi); a new route shows up automatically if you decorate it. - Public surfaces (
routes/i18n-public.ts,routes/shared-public.ts,routes/shared-links.ts,services/shared-links.ts) — unauthenticated endpoints used by signed share-link URLs and the public i18n bundle. Never applyrequirePermissionhere; gate via the share-link token instead. - i18n strings (
routes/i18n.ts,services/i18n.ts,services/i18n-translate.ts) — content-translation system (multilingual values for user-managed collections), distinct from the admin SPA’s Lingui chrome translations.
Automation
- Webhooks (
routes/webhooks.ts,routes/webhook-trigger.ts,services/webhooks.ts) — outbound delivery with retry. Each delivery is signed three ways: legacyX-Backlex-Signature(HMAC of body) plus the replay-safeX-Backlex-Signature-V2over{timestamp}.{body}withX-Backlex-Timestamp.applyDeliveryOutcomeis the auto-disable circuit breaker (15 consecutive failures →active=false+disabled_reason+ broadcast notification; reset on success or manual resume). SDK receiver helper:verifyWebhookfrombacklex/webhook. The trigger route is the inbound side that flows/functions hook into. Seedocs/webhooks.md. - Flows (
routes/flows.ts,services/flows.ts) — visual workflow builder. Trigger keys areevent/cron/webhook/manual; operations are a serialized DSL evaluated server-side. Admin-scoped CRUD + run is mirrored across REST, the SDK (client.flows.*), GraphQL (runFlowet al.), MCP (flows.*), and the CLI. Seedocs/flows.md. - AI agents (
routes/agents.ts,services/agents/{store,runner,memory}.ts) — reason→act AI agents over the MCP tool registry. An agent definition + threads + persisted message transcripts; a turn runs synchronously, executes allow-listed tools via an identity-carrying in-process sub-fetch, and streams steps overagent:thread:<id>. Optional per-thread vector memory. Admin-scoped CRUD + run is mirrored across REST, the SDK (client.agents.*), GraphQL (runAgentet al.), MCP (agents.*), and the CLI. Seedocs/agents.md. - Functions (
routes/functions.ts,services/functions.ts,services/sandbox/*,routes/sandbox-rpc.ts) — sandboxed JS execution. Provider picked by runtime: QuickJS on Workers, Bun Worker on self-host, optional HTTP executor. The sandbox calls back into the host (e.g.email.send,db.query) throughsandbox-rpc.ts— RPC surface, not direct imports. Seedocs/sandbox.md. - Scheduler (
services/scheduler.ts,services/scheduled-tasks.ts) — cron expression parsing + delayed-task ledger. Driven by thescheduledWorker entry and the Vercel/Netlify cron routes. - Job queue (
routes/jobs.ts,services/jobs.ts) — durable background jobs (function/webhook.deliver) with exponential backoff, dead-letter, andrunAtscheduling.processJobsdrains thejobstable inside the samecronTick; webhook dispatch enqueues here for retry. Seedocs/jobs.md. - Resumable uploads (
routes/uploads.ts,services/uploads.ts) — TUS 1.0.0 chunked uploads at/api/uploads, backed by native object-store multipart (R2/S3) or fs offset-append. Theuploadstable tracks session offset + parts;sweepExpiredUploadsaborts stale sessions insidecronTick. Seedocs/resumable-uploads.md. - Offline sync (
routes/items.ts/changes+/revisions,packages/client/src/sync.ts) — incremental changefeed (keyset onupdated_at,id, tombstones via_deleted) + revisions endpoint; the clientsyncmodule pulls into a pluggable local store (memory / IndexedDB), stays live over SSE, and queues offline writes (LWW). Soft- delete bumpsupdated_atso deletes reach the feed. Seedocs/offline-sync.md. - Feature flags (
routes/feature-flags.ts,services/feature-flags.ts) — per-workspace/global flags + remote config in thefeature_flagstable;evaluateFlagsresolves rollout % + permission-DSL targeting per caller; public read at/api/flags, admin CRUD at/api/admin/feature-flags. Seedocs/feature-flags.md. - Draft / publish (
routes/items.tspublish handler,services/items/scheduled-publish.ts,draftFilterinservices/items/sql-helpers.ts) — versioned collections get_status/_published_at/_publish_at; reads hide drafts from callers without thepublish/updatepermission;publishDueItemsapplies scheduled publishes insidecronTick. Seedocs/draft-publish.md. - Notifications (
routes/notifications.ts) — in-app notification feed; activity/flows write into it. - Email templates (
routes/email-templates.ts) — per-tenant overrides for transactional templates; pairs with the per-workspace email config indocs/api-keys-and-email.md.
Workspace admin
- App users + tenants (
routes/app-users.ts,routes/tenants.ts,routes/tenant-auth.ts) — multi-tenant end-user pool (distinct from the control-plane admin pool): invite flow, tenant switching, per-tenant sign-in routes. - Settings + workspace config (
routes/settings.ts,services/settings.ts,routes/workspace-config.ts,services/workspace-config.ts) —settingsis theapp_settingswhitelist (i18n defaults, timezone, …);workspace-configis per-tenant overrides for runtime knobs. - Roles admin + collection rename (
routes/roles.ts,services/collection-rename.ts) — roles admin is the editor for the permission DSL.collection-renameis the only safe path to rename a collection (renames the physical table + updates permission rows in one transaction). - Advisor (
routes/advisor.ts,services/advisor.ts) — security / performance / config rule checks surfaced in the admin UI with fix recommendations. Seedocs/advisor.md. - Panels (
routes/panels.ts) — dashboard widget definitions. - Metrics (
routes/metrics.ts) — request / error counters + time-series rollups for the admin dashboard. - Realtime admin + DB admin (
routes/realtime-admin.ts,routes/db-admin.ts) — subscriber counts + test-publish, and schema introspection + diagnostics. Both admin-only. - Backup / restore (
services/backup.ts) — logical JSONL dumps (runBackup), additiverestoreBackup(ON CONFLICT DO NOTHING, recreates missingc_*tables), and the scheduled-backup sweep + retention (maybeRunScheduledBackups, hooked intoservices/scheduler.ts). Routes inroutes/db-admin.ts:/backups,/backups/now,/backups/{id}/download,/backups/{id}/restore(confirm-gated),/backups/config(GET/PUT schedule). Seedocs/backup-restore.md. - Per-collection export / import (
routes/items.ts+services/items/csv.ts) —GET /:slug/export?format=json|csv(reuses the list read-filter stack) andPOST /:slug/import(per-rowperformCreate, system columns stripped, errors captured). SDKexportItems/importItems. - External-DB migration (
routes/migrate.ts+services/migrate.ts+services/migrate-ingest.ts) —POST /api/admin/migrate/ingest/:slug(bulk, PK-preserving, idempotent, side-effect-free row copy; D1 param-budget chunking; the CLI pump’s write path) + the server-side connector:/sourcesCRUD (URL encrypted at rest + SSRF guard),/sources/:id/tables|plan,/runslifecycle. Runs advance on the scheduler tick in lease-reclaimed, cursor-resumable slices. Full parity: SDKclient.migrate.*, GraphQLmigrate*, MCPmigrate.*, CLIbacklex import-db, admin Data → Database import. Seedocs/migrating-in.md.
Cross-cutting helpers worth knowing
services/permissions-cache.ts— per-request L1 cache on top of the permissions resolver. Bulk loops hit it for free, no opt-in needed.services/cors-origins.ts— per-tenant allow-list reused by SAML relayState validation as the open-redirect guard.