@agentforge-io/core 2.0.24 → 2.1.1

package/dist/domain/agent.d.ts

@@ -1,59 +0,0 @@
-import type { McpServerConfig } from '../types/config.types';
-/**
- * Visual customization shared by every embed of an agent — the public widget
- * (`/widget.js`) and the iframe view both read this. Lives on the agent so a
- * single edit ripples through every site that's embedded it; per-token
- * theming is intentionally NOT supported (was a misfeature). All fields
- * optional — widget falls back to its built-in defaults for anything omitted.
- */
-export interface AgentAppearance {
-    primaryColor?: string;
-    position?: 'bottom-right' | 'bottom-left' | 'top-right' | 'top-left';
-    title?: string;
-    greeting?: string;
-    avatarUrl?: string;
-}
-/**
- * Persisted agent configuration scoped to a Tenant. Created and edited from
- * the admin UI; resolved by the SDK at runtime via `(tenantId, slug)`.
- *
- * Shape is intentionally a superset of `AgentDefinition` (the in-process
- * config object used today) plus DB metadata. The orchestrator/runner only
- * needs the prompt/model/limits/tools — everything else here is for
- * lifecycle: who created it, when, is it still active.
- */
-export interface AgentRecord {
-    id: string;
-    /** Owner tenant — every lookup is scoped to this. */
-    tenantId: string;
-    /** Human-friendly identifier the SDK uses, e.g. `support-bot`.
-     *  Unique within a tenant, not globally. */
-    slug: string;
-    name: string;
-    description?: string;
-    /** Claude model id, e.g. `claude-sonnet-4-6`. */
-    model?: string;
-    systemPrompt: string;
-    /** Optional plain-text knowledge prepended to the system prompt at run-time.
-     *  No retrieval — this is the cheap path before RAG. */
-    context?: string;
-    temperature?: number;
-    topP?: number;
-    maxTokens?: number;
-    /** Tool ids the agent can use. Persisted but not yet exposed in the UI. */
-    tools?: string[];
-    /** MCP servers the agent can connect to. Same caveat as `tools`. */
-    mcpServers?: McpServerConfig[];
-    /** Visual customization for embeds. Single source of truth — applies to
-     *  every chat token issued for this agent. */
-    appearance?: AgentAppearance;
-    /** Soft-delete: keeps history intact while hiding from active use. */
-    isActive: boolean;
-    /** UserId of the platform user who created the agent (audit trail). */
-    createdByUserId?: string;
-    metadata?: Record<string, unknown>;
-    createdAt: Date;
-    updatedAt: Date;
-}
-export type NewAgentRecord = Pick<AgentRecord, 'id' | 'tenantId' | 'slug' | 'name' | 'systemPrompt'> & Partial<Omit<AgentRecord, 'id' | 'tenantId' | 'slug' | 'name' | 'systemPrompt' | 'createdAt' | 'updatedAt'>>;
-export type AgentRecordPatch = Partial<Omit<AgentRecord, 'id' | 'tenantId' | 'createdAt' | 'updatedAt'>>;

package/dist/domain/agent.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/domain/api-key.d.ts

@@ -1,28 +0,0 @@
-/**
- * Long-lived secret a tenant uses to authenticate machine-to-machine. Format:
- *   ak_live_<48 hex chars>     (192 bits of entropy)
- *
- * The full key is shown to the user ONLY at creation time. We store the
- * sha256 hash. The first 16 chars (`ak_live_a1b2c3d4`) are kept in plaintext
- * as a `keyPrefix` so users can identify which key in their dashboard.
- *
- * The `ak_live_` prefix is intentional — GitHub secret-scanning, Datadog and
- * similar tools detect leaked credentials by prefix.
- */
-export interface ApiKey {
-    id: string;
-    tenantId: string;
-    /** When set, the key only authorizes calls to this specific agent. NULL
-     *  means tenant-wide — any agent in the tenant resolves. */
-    agentId?: string;
-    name: string;
-    keyHash: string;
-    keyPrefix: string;
-    scopes?: string[];
-    expiresAt?: Date;
-    revokedAt?: Date;
-    lastUsedAt?: Date;
-    createdAt: Date;
-}
-export type NewApiKey = Omit<ApiKey, 'id' | 'createdAt' | 'lastUsedAt'>;
-export type ApiKeyPatch = Partial<Pick<ApiKey, 'lastUsedAt' | 'revokedAt' | 'expiresAt' | 'name'>>;

package/dist/domain/api-key.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/domain/auth-identity.d.ts

@@ -1,10 +0,0 @@
-export interface AuthIdentity {
-    id: string;
-    userId: string;
-    provider: string;
-    providerId: string;
-    email?: string;
-    metadata?: Record<string, unknown>;
-    createdAt: Date;
-}
-export type NewAuthIdentity = Omit<AuthIdentity, 'id' | 'createdAt'>;

package/dist/domain/auth-identity.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/domain/email-token.d.ts

@@ -1,11 +0,0 @@
-export type EmailTokenPurpose = 'verify_email' | 'reset_password';
-export interface EmailToken {
-    id: string;
-    userId: string;
-    tokenHash: string;
-    purpose: EmailTokenPurpose;
-    expiresAt: Date;
-    consumedAt?: Date;
-    createdAt: Date;
-}
-export type NewEmailToken = Omit<EmailToken, 'id' | 'createdAt'>;

package/dist/domain/email-token.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/domain/external-user.d.ts

@@ -1,23 +0,0 @@
-/**
- * Map of (tenantId, externalId) → internal AgentForge userId.
- *
- * In B2B mode, the consumer service has its own user system. When it calls
- * AgentForge with `X-On-Behalf-Of: <theirUserId>`, we look up (or create) an
- * `ExternalUser` row. The internal `id` is what we store on conversations,
- * messages, usage records — so the rest of the system runs unchanged.
- *
- * Two consumers using "user_42" as an externalId get DIFFERENT internal ids,
- * because the (tenantId, externalId) tuple is unique.
- */
-export interface ExternalUser {
-    /** Internal AgentForge UUID (the userId for everything downstream). */
-    id: string;
-    tenantId: string;
-    /** The consumer's own user identifier — opaque to AgentForge. */
-    externalId: string;
-    email?: string;
-    metadata?: Record<string, unknown>;
-    createdAt: Date;
-    updatedAt: Date;
-}
-export type NewExternalUser = Pick<ExternalUser, 'id' | 'tenantId' | 'externalId'> & Partial<Pick<ExternalUser, 'email' | 'metadata'>>;

package/dist/domain/external-user.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/domain/plan.d.ts

@@ -1,20 +0,0 @@
-import type { PlanDefinition, UsageLimits } from '../types/config.types';
-/**
- * A persisted plan row. Plans live in the DB so admins can edit
- * limits/features/prices at runtime. The container seeds the table from
- * `config.billing.plans` on first boot (when the table is empty), so existing
- * deployments don't break; after that, the DB is the source of truth.
- */
-export interface Plan extends PlanDefinition {
-    /** Soft delete flag — keeps the row for historical subscriptions. */
-    isActive: boolean;
-    createdAt: Date;
-    updatedAt: Date;
-}
-export type NewPlan = Pick<PlanDefinition, 'id' | 'name' | 'limits'> & Partial<Omit<PlanDefinition, 'id' | 'name' | 'limits'>> & {
-    isActive?: boolean;
-};
-export type PlanPatch = Partial<Omit<PlanDefinition, 'id'> & {
-    isActive: boolean;
-}>;
-export type { UsageLimits };

package/dist/domain/plan.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/domain/platform-secret.d.ts

@@ -1,24 +0,0 @@
-export interface PlatformSecret {
-    id: string;
-    /** Stable identifier matching the canonical env-var name. */
-    key: string;
-    /** Encrypted blob: AES-GCM `iv | ciphertext | tag`. Persisted as bytea. */
-    valueEncrypted: Buffer;
-    /** Last 4 chars of the plaintext (or "••••" when too short). UI display. */
-    valueHint: string;
-    /** Free-form description shown next to the field in the admin UI. */
-    description?: string;
-    /** User who last wrote this row. Optional because the first import from
-     *  .env may have no user attached. */
-    updatedByUserId?: string;
-    createdAt: Date;
-    updatedAt: Date;
-}
-export interface NewPlatformSecret {
-    key: string;
-    valueEncrypted: Buffer;
-    valueHint: string;
-    description?: string;
-    updatedByUserId?: string;
-}
-export type PlatformSecretPatch = Partial<Pick<PlatformSecret, 'valueEncrypted' | 'valueHint' | 'description' | 'updatedByUserId'>>;

package/dist/domain/platform-secret.js

@@ -1,8 +0,0 @@
-"use strict";
-// Domain type for platform-wide secrets (Tavily/Brave/Stripe/Anthropic).
-//
-// Note what's MISSING: the plaintext value. The plaintext only exists at
-// two moments in the system's life — when the operator types it into the
-// UI, and during the boot-time decrypt inside SecretsService. Anything
-// else (repos, API responses, logs) must work off the hint + ciphertext.
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/domain/refresh-token.d.ts

@@ -1,15 +0,0 @@
-export interface RefreshToken {
-    id: string;
-    userId: string;
-    tokenHash: string;
-    family: string;
-    expiresAt: Date;
-    revokedAt?: Date;
-    replacedById?: string;
-    userAgent?: string;
-    ip?: string;
-    createdAt: Date;
-    lastUsedAt?: Date;
-}
-export type NewRefreshToken = Omit<RefreshToken, 'id' | 'createdAt'>;
-export type RefreshTokenPatch = Partial<Omit<RefreshToken, 'id' | 'createdAt'>>;

package/dist/domain/refresh-token.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/domain/subscription.d.ts

@@ -1,21 +0,0 @@
-import type { SubscriptionStatus } from '../types/billing.types';
-export interface Subscription {
-    id: string;
-    /** End-user subscription. Set for B2C; may be null in B2B mode where the
-     *  payer is the tenant, not an individual user. */
-    userId?: string;
-    /** Tenant subscription. Set in B2B mode; null for B2C/end-user subs. */
-    tenantId?: string;
-    planId: string;
-    status: SubscriptionStatus;
-    providerSubscriptionId?: string;
-    providerCustomerId?: string;
-    currentPeriodStart?: Date;
-    currentPeriodEnd?: Date;
-    trialEnd?: Date;
-    cancelAtPeriodEnd: boolean;
-    createdAt: Date;
-    updatedAt: Date;
-}
-export type NewSubscription = Omit<Subscription, 'id' | 'createdAt' | 'updatedAt'>;
-export type SubscriptionPatch = Partial<Omit<Subscription, 'id' | 'createdAt' | 'updatedAt'>>;

package/dist/domain/subscription.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/domain/tenant.d.ts

@@ -1,21 +0,0 @@
-/**
- * A Tenant (a.k.a. "client") is a consumer service that signed up to use
- * AgentForge as a backend. Every B2B request carries an API key that resolves
- * to one Tenant, and all data is scoped under it. The Tenant's `ownerUserId`
- * points at a User row (the human admin who manages the tenant).
- */
-export interface Tenant {
-    id: string;
-    name: string;
-    /** UserId of the human admin who manages this tenant. */
-    ownerUserId: string;
-    planId: string;
-    /** Stripe (or other provider) customer id — lazy-created on first checkout. */
-    providerCustomerId?: string;
-    metadata?: Record<string, unknown>;
-    isActive: boolean;
-    createdAt: Date;
-    updatedAt: Date;
-}
-export type NewTenant = Pick<Tenant, 'id' | 'name' | 'ownerUserId'> & Partial<Omit<Tenant, 'id' | 'name' | 'ownerUserId' | 'createdAt' | 'updatedAt'>>;
-export type TenantPatch = Partial<Omit<Tenant, 'id' | 'createdAt' | 'updatedAt'>>;

package/dist/domain/tenant.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/domain/usage-record.d.ts

@@ -1,15 +0,0 @@
-export interface UsageRecord {
-    id: string;
-    userId: string;
-    conversationId: string;
-    messageId: string;
-    agentId: string;
-    inputTokens: number;
-    outputTokens: number;
-    totalTokens: number;
-    requestCount: number;
-    /** YYYY-MM bucket used by quota counters. */
-    billingPeriod: string;
-    recordedAt: Date;
-}
-export type NewUsageRecord = Omit<UsageRecord, 'id'>;

package/dist/domain/usage-record.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/domain/user.d.ts

@@ -1,43 +0,0 @@
-/**
- * Roles in AgentForge's RBAC.
- *
- *   - `user`           — default. Can own tenants, manage their own API keys,
- *                        view their billing. Bulk of signups land here.
- *   - `platform_admin` — operator of the AgentForge instance. Can edit the
- *                        plan catalog, manage users, and any other endpoint
- *                        that operates at instance scope.
- *
- * Bootstrap: the very first user registered on a fresh install is auto-
- * promoted to `platform_admin` (since there's nobody else to grant it).
- * Subsequent users default to `user`; existing platform admins can promote
- * them via the admin UI.
- */
-export type UserRole = 'user' | 'platform_admin';
-/**
- * Plain domain shape for a User. Mirrors the columns of `af_users` but is
- * deliberately decoupled from TypeORM (no decorators, no `@Entity`). Each
- * adapter is free to back this with TypeORM, Prisma, Drizzle, raw SQL, etc.
- */
-export interface User {
-    id: string;
-    email?: string;
-    name?: string;
-    passwordHash?: string;
-    authProvider?: string;
-    providerCustomerId?: string;
-    currentPlanId: string;
-    creditsBalance: number;
-    /** RBAC role. See {@link UserRole} for semantics. */
-    role: UserRole;
-    externalId?: string;
-    metadata?: Record<string, unknown>;
-    isActive: boolean;
-    failedLoginCount: number;
-    lockedUntil?: Date;
-    lastLoginAt?: Date;
-    emailVerifiedAt?: Date;
-    createdAt: Date;
-    updatedAt: Date;
-}
-export type NewUser = Pick<User, 'id'> & Partial<Omit<User, 'id' | 'createdAt' | 'updatedAt'>>;
-export type UserPatch = Partial<Omit<User, 'id' | 'createdAt' | 'updatedAt'>>;

package/dist/domain/user.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/services/agent-config.service.d.ts

@@ -1,45 +0,0 @@
-import type { AgentConfigRepository, AgentConfigListOptions, AgentConfigListResult } from '../repositories';
-import type { AgentRecord, AgentRecordPatch } from '../domain/agent';
-export declare class AgentConfigError extends Error {
-    status: number;
-    code: 'not_found' | 'duplicate_slug' | 'invalid' | 'forbidden';
-    constructor(code: AgentConfigError['code'], message: string);
-}
-export interface AgentConfigCreateInput {
-    tenantId: string;
-    slug: string;
-    name: string;
-    systemPrompt: string;
-    description?: string;
-    model?: string;
-    context?: string;
-    temperature?: number;
-    topP?: number;
-    maxTokens?: number;
-    tools?: string[];
-    isActive?: boolean;
-    createdByUserId?: string;
-    metadata?: Record<string, unknown>;
-}
-/**
- * Application-level CRUD for per-tenant agent configurations. Controllers
- * call this — they do NOT touch the repository directly so we can keep
- * validation (slug format, unique-per-tenant) in one place.
- */
-export declare class AgentConfigService {
-    private readonly repo;
-    constructor(repo: AgentConfigRepository);
-    create(input: AgentConfigCreateInput): Promise<AgentRecord>;
-    getById(id: string): Promise<AgentRecord>;
-    /**
-     * Confirms the agent belongs to `tenantId`. Used by admin endpoints so a
-     * tenant can't fetch another tenant's agent by guessing the id.
-     */
-    getByIdForTenant(id: string, tenantId: string): Promise<AgentRecord>;
-    /** SDK hot path. Returns null on miss — callers decide whether to 404 or
-     *  fall back to the legacy hardcoded array. */
-    findBySlug(tenantId: string, slug: string): Promise<AgentRecord | null>;
-    listForTenant(tenantId: string, opts?: AgentConfigListOptions): Promise<AgentConfigListResult>;
-    update(id: string, tenantId: string, patch: AgentRecordPatch): Promise<AgentRecord>;
-    deactivate(id: string, tenantId: string): Promise<void>;
-}

package/dist/services/agent-config.service.js

@@ -1,114 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AgentConfigService = exports.AgentConfigError = void 0;
-const crypto_1 = require("crypto");
-class AgentConfigError extends Error {
-    constructor(code, message) {
-        super(message);
-        this.code = code;
-        this.status =
-            code === 'forbidden'
-                ? 403
-                : code === 'not_found'
-                    ? 404
-                    : code === 'duplicate_slug'
-                        ? 409
-                        : 400;
-    }
-}
-exports.AgentConfigError = AgentConfigError;
-// Slug rules are deliberately strict so they're URL-safe and predictable for
-// SDK callers: lowercase letters, digits, hyphen, underscore. Length 2..64.
-const SLUG_RE = /^[a-z0-9][a-z0-9_-]{1,62}[a-z0-9]$/;
-/**
- * Application-level CRUD for per-tenant agent configurations. Controllers
- * call this — they do NOT touch the repository directly so we can keep
- * validation (slug format, unique-per-tenant) in one place.
- */
-class AgentConfigService {
-    constructor(repo) {
-        this.repo = repo;
-    }
-    async create(input) {
-        if (!input.tenantId)
-            throw new AgentConfigError('invalid', 'tenantId is required');
-        if (!input.name?.trim())
-            throw new AgentConfigError('invalid', 'name is required');
-        if (!input.systemPrompt?.trim())
-            throw new AgentConfigError('invalid', 'systemPrompt is required');
-        const slug = input.slug.trim().toLowerCase();
-        if (!SLUG_RE.test(slug)) {
-            throw new AgentConfigError('invalid', 'slug must be 3–64 chars, lowercase letters/digits/hyphen/underscore, start and end alphanumeric');
-        }
-        const existing = await this.repo.findBySlug(input.tenantId, slug);
-        if (existing) {
-            throw new AgentConfigError('duplicate_slug', `An agent with slug "${slug}" already exists for this tenant.`);
-        }
-        const record = {
-            id: (0, crypto_1.randomUUID)(),
-            tenantId: input.tenantId,
-            slug,
-            name: input.name.trim(),
-            systemPrompt: input.systemPrompt,
-            description: input.description?.trim(),
-            model: input.model,
-            context: input.context,
-            temperature: input.temperature,
-            topP: input.topP,
-            maxTokens: input.maxTokens,
-            tools: input.tools,
-            isActive: input.isActive ?? true,
-            createdByUserId: input.createdByUserId,
-            metadata: input.metadata,
-        };
-        return this.repo.create(record);
-    }
-    async getById(id) {
-        const a = await this.repo.findById(id);
-        if (!a)
-            throw new AgentConfigError('not_found', 'Agent not found');
-        return a;
-    }
-    /**
-     * Confirms the agent belongs to `tenantId`. Used by admin endpoints so a
-     * tenant can't fetch another tenant's agent by guessing the id.
-     */
-    async getByIdForTenant(id, tenantId) {
-        const a = await this.getById(id);
-        if (a.tenantId !== tenantId) {
-            // Don't reveal existence — return not_found.
-            throw new AgentConfigError('not_found', 'Agent not found');
-        }
-        return a;
-    }
-    /** SDK hot path. Returns null on miss — callers decide whether to 404 or
-     *  fall back to the legacy hardcoded array. */
-    async findBySlug(tenantId, slug) {
-        return this.repo.findBySlug(tenantId, slug.toLowerCase());
-    }
-    async listForTenant(tenantId, opts = {}) {
-        return this.repo.listForTenant(tenantId, opts);
-    }
-    async update(id, tenantId, patch) {
-        const current = await this.getByIdForTenant(id, tenantId);
-        // Slug changes need re-validation + uniqueness check.
-        if (patch.slug !== undefined && patch.slug !== current.slug) {
-            const nextSlug = patch.slug.trim().toLowerCase();
-            if (!SLUG_RE.test(nextSlug)) {
-                throw new AgentConfigError('invalid', 'slug must be 3–64 chars, lowercase letters/digits/hyphen/underscore');
-            }
-            const dup = await this.repo.findBySlug(tenantId, nextSlug);
-            if (dup && dup.id !== id) {
-                throw new AgentConfigError('duplicate_slug', `An agent with slug "${nextSlug}" already exists for this tenant.`);
-            }
-            patch.slug = nextSlug;
-        }
-        await this.repo.update(id, patch);
-        return this.getById(id);
-    }
-    async deactivate(id, tenantId) {
-        await this.getByIdForTenant(id, tenantId);
-        await this.repo.deactivate(id);
-    }
-}
-exports.AgentConfigService = AgentConfigService;

package/dist/services/api-key.service.d.ts

@@ -1,41 +0,0 @@
-import type { ApiKeyRepository } from '../repositories';
-import type { ApiKey } from '../domain/api-key';
-export interface MintedApiKey {
-    /** Plaintext key. Only available at creation time — never persisted. */
-    key: string;
-    entity: ApiKey;
-}
-/** Operational errors. Adapters map `.status` to an HTTP code. */
-export declare class ApiKeyError extends Error {
-    status: number;
-    code: 'invalid' | 'revoked' | 'expired';
-    constructor(code: 'invalid' | 'revoked' | 'expired', message: string);
-}
-export declare class ApiKeyService {
-    private readonly repo;
-    constructor(repo: ApiKeyRepository);
-    /** Mint a new API key for a tenant. Returns the plaintext key (one-time).
-     *  Pass `agentId` to scope the key to a specific agent in the tenant —
-     *  calls with that key only resolve when the requested agent matches. */
-    issue(input: {
-        tenantId: string;
-        agentId?: string;
-        name: string;
-        scopes?: string[];
-        expiresAt?: Date;
-    }): Promise<MintedApiKey>;
-    /**
-     * Validate a presented key. Returns the matching ApiKey row (without
-     * touching the plaintext) or throws ApiKeyError. Updates lastUsedAt as a
-     * best-effort side-effect (never blocks on the write).
-     */
-    validate(rawKey: string): Promise<ApiKey>;
-    listForTenant(tenantId: string): Promise<ApiKey[]>;
-    listForAgent(tenantId: string, agentId: string): Promise<ApiKey[]>;
-    revoke(id: string): Promise<void>;
-    /** Tells callers (HTTP middleware) whether a header value looks like an API key. */
-    static isApiKeyToken(token: string | undefined | null): boolean;
-    private hash;
-}
-/** Convenience for `randomUUID` access from external callers. */
-export declare const newApiKeyId: () => `${string}-${string}-${string}-${string}-${string}`;

package/dist/services/api-key.service.js

@@ -1,80 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.newApiKeyId = exports.ApiKeyService = exports.ApiKeyError = void 0;
-const crypto_1 = require("crypto");
-const API_KEY_PREFIX_LIVE = 'ak_live_';
-/** Operational errors. Adapters map `.status` to an HTTP code. */
-class ApiKeyError extends Error {
-    constructor(code, message) {
-        super(message);
-        this.code = code;
-        this.status = 401;
-    }
-}
-exports.ApiKeyError = ApiKeyError;
-class ApiKeyService {
-    constructor(repo) {
-        this.repo = repo;
-    }
-    /** Mint a new API key for a tenant. Returns the plaintext key (one-time).
-     *  Pass `agentId` to scope the key to a specific agent in the tenant —
-     *  calls with that key only resolve when the requested agent matches. */
-    async issue(input) {
-        const random = (0, crypto_1.randomBytes)(24).toString('hex'); // 192-bit
-        const key = `${API_KEY_PREFIX_LIVE}${random}`;
-        const keyHash = this.hash(key);
-        const keyPrefix = key.slice(0, 16); // "ak_live_a1b2c3d4"
-        const entity = await this.repo.create({
-            tenantId: input.tenantId,
-            agentId: input.agentId,
-            name: input.name,
-            keyHash,
-            keyPrefix,
-            scopes: input.scopes,
-            expiresAt: input.expiresAt,
-        });
-        return { key, entity };
-    }
-    /**
-     * Validate a presented key. Returns the matching ApiKey row (without
-     * touching the plaintext) or throws ApiKeyError. Updates lastUsedAt as a
-     * best-effort side-effect (never blocks on the write).
-     */
-    async validate(rawKey) {
-        if (!rawKey?.startsWith(API_KEY_PREFIX_LIVE)) {
-            throw new ApiKeyError('invalid', 'Invalid API key');
-        }
-        const keyHash = this.hash(rawKey);
-        const apiKey = await this.repo.findByHash(keyHash);
-        if (!apiKey)
-            throw new ApiKeyError('invalid', 'Invalid API key');
-        if (apiKey.revokedAt)
-            throw new ApiKeyError('revoked', 'API key has been revoked');
-        if (apiKey.expiresAt && apiKey.expiresAt <= new Date()) {
-            throw new ApiKeyError('expired', 'API key has expired');
-        }
-        // Best-effort lastUsedAt update — fire and forget.
-        this.repo.update(apiKey.id, { lastUsedAt: new Date() }).catch(() => { });
-        return apiKey;
-    }
-    async listForTenant(tenantId) {
-        return this.repo.listByTenant(tenantId);
-    }
-    async listForAgent(tenantId, agentId) {
-        return this.repo.listByAgent(tenantId, agentId);
-    }
-    async revoke(id) {
-        await this.repo.update(id, { revokedAt: new Date() });
-    }
-    /** Tells callers (HTTP middleware) whether a header value looks like an API key. */
-    static isApiKeyToken(token) {
-        return !!token && token.startsWith(API_KEY_PREFIX_LIVE);
-    }
-    hash(raw) {
-        return (0, crypto_1.createHash)('sha256').update(raw).digest('hex');
-    }
-}
-exports.ApiKeyService = ApiKeyService;
-/** Convenience for `randomUUID` access from external callers. */
-const newApiKeyId = () => (0, crypto_1.randomUUID)();
-exports.newApiKeyId = newApiKeyId;