@ash-ai/server 0.0.3 → 0.0.5

package/dist/auth.d.ts

@@ -9,8 +9,12 @@ declare module 'fastify' {
         tenantId: string;
     }
 }
-/** SHA-256 hash of an API key — used to look up keys without storing the raw value. */
-export declare function hashApiKey(key: string): string;
+/**
+ * HMAC-SHA256 hash of an API key using a server-side secret.
+ * Prevents rainbow table attacks on stored key hashes.
+ * Falls back to plain SHA-256 if no secret is available (local dev mode).
+ */
+export declare function hashApiKey(key: string, secret?: string): string;
 /**
  * Multi-tenant authentication hook.
  *

package/dist/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAkB,MAAM,SAAS,CAAC;AAC/D,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,eAAe,CAAC;AAExC;;;GAGG;AACH,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,cAAc;QACtB,QAAQ,EAAE,MAAM,CAAC;KAClB;CACF;AAED,uFAAuF;AACvF,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9C;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE,GAAG,IAAI,CA4D5F"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAkB,MAAM,SAAS,CAAC;AAC/D,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,eAAe,CAAC;AAExC;;;GAGG;AACH,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,cAAc;QACtB,QAAQ,EAAE,MAAM,CAAC;KAClB;CACF;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAK/D;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE,GAAG,IAAI,CA0E5F"}

package/dist/auth.js

@@ -1,6 +1,13 @@
-import { createHash } from 'node:crypto';
-/** SHA-256 hash of an API key — used to look up keys without storing the raw value. */
-export function hashApiKey(key) {
+import { createHash, createHmac } from 'node:crypto';
+/**
+ * HMAC-SHA256 hash of an API key using a server-side secret.
+ * Prevents rainbow table attacks on stored key hashes.
+ * Falls back to plain SHA-256 if no secret is available (local dev mode).
+ */
+export function hashApiKey(key, secret) {
+    if (secret) {
+        return createHmac('sha256', secret).update(key).digest('hex');
+    }
     return createHash('sha256').update(key).digest('hex');
 }
 /**
@@ -15,6 +22,7 @@ export function hashApiKey(key) {
  * 6. No match → 401
  */
 export function registerAuth(app, apiKey, db) {
+    const hmacSecret = process.env.ASH_CREDENTIAL_KEY;
     // Decorate request with tenantId so it's always available
     app.decorateRequest('tenantId', 'default');
     app.addHook('onRequest', async (request, reply) => {
@@ -46,8 +54,18 @@ export function registerAuth(app, apiKey, db) {
         const bearerKey = parts[1];
         // Try api_keys table first (multi-tenant path)
         if (db) {
-            const keyHash = hashApiKey(bearerKey);
-            const apiKeyRecord = await db.getApiKeyByHash(keyHash);
+            // Try HMAC hash first (new keys), then fall back to plain SHA-256 (legacy keys)
+            const hmacHash = hmacSecret ? hashApiKey(bearerKey, hmacSecret) : null;
+            const legacyHash = hashApiKey(bearerKey);
+            if (hmacHash) {
+                const apiKeyRecord = await db.getApiKeyByHash(hmacHash);
+                if (apiKeyRecord) {
+                    request.tenantId = apiKeyRecord.tenantId;
+                    return;
+                }
+            }
+            // Fall back to legacy hash for keys created before HMAC migration
+            const apiKeyRecord = await db.getApiKeyByHash(legacyHash);
             if (apiKeyRecord) {
                 request.tenantId = apiKeyRecord.tenantId;
                 return;

package/dist/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAczC,uFAAuF;AACvF,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,YAAY,CAAC,GAAoB,EAAE,MAA0B,EAAE,EAAO;IACpF,0DAA0D;IAC1D,GAAG,CAAC,eAAe,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAE3C,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,EAAE,OAAuB,EAAE,KAAK,EAAE,EAAE;QAChE,sCAAsC;QACtC,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACjE,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC;YAC7B,OAAO;QACT,CAAC;QAED,oEAAoE;QACpE,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC7C,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC;YAC7B,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QAE7C,iBAAiB;QACjB,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,iDAAiD;gBACjD,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC;gBAC7B,OAAO;YACT,CAAC;YACD,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;QAC5F,CAAC;QAED,uBAAuB;QACvB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;YAChD,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qCAAqC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;QACnG,CAAC;QACD,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAE3B,+CAA+C;QAC/C,IAAI,EAAE,EAAE,CAAC;YACP,MAAM,OAAO,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;YACtC,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;YACvD,IAAI,YAAY,EAAE,CAAC;gBACjB,OAAO,CAAC,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC;gBACzC,OAAO;YACT,CAAC;QACH,CAAC;QAED,0EAA0E;QAC1E,IAAI,MAAM,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YACnC,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC;YAC7B,OAAO;QACT,CAAC;QAED,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,EAAE,CAAC;QACnB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,yFAAyF,CAAC,CAAC;IAC1G,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC/E,CAAC;AACH,CAAC"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAcrD;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW,EAAE,MAAe;IACrD,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,YAAY,CAAC,GAAoB,EAAE,MAA0B,EAAE,EAAO;IACpF,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAElD,0DAA0D;IAC1D,GAAG,CAAC,eAAe,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAE3C,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,EAAE,OAAuB,EAAE,KAAK,EAAE,EAAE;QAChE,sCAAsC;QACtC,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACjE,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC;YAC7B,OAAO;QACT,CAAC;QAED,oEAAoE;QACpE,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC7C,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC;YAC7B,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QAE7C,iBAAiB;QACjB,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,iDAAiD;gBACjD,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC;gBAC7B,OAAO;YACT,CAAC;YACD,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;QAC5F,CAAC;QAED,uBAAuB;QACvB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;YAChD,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qCAAqC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;QACnG,CAAC;QACD,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAE3B,+CAA+C;QAC/C,IAAI,EAAE,EAAE,CAAC;YACP,gFAAgF;YAChF,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACvE,MAAM,UAAU,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;YAEzC,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;gBACxD,IAAI,YAAY,EAAE,CAAC;oBACjB,OAAO,CAAC,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC;oBACzC,OAAO;gBACT,CAAC;YACH,CAAC;YAED,kEAAkE;YAClE,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;YAC1D,IAAI,YAAY,EAAE,CAAC;gBACjB,OAAO,CAAC,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC;gBACzC,OAAO;YACT,CAAC;QACH,CAAC;QAED,0EAA0E;QAC1E,IAAI,MAAM,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YACnC,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC;YAC7B,OAAO;QACT,CAAC;QAED,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,EAAE,CAAC;QACnB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,yFAAyF,CAAC,CAAC;IAC1G,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC/E,CAAC;AACH,CAAC"}

package/dist/crypto.d.ts

@@ -0,0 +1,14 @@
+export interface EncryptedData {
+    encrypted: string;
+    iv: string;
+    authTag: string;
+    salt: string;
+}
+export declare function encrypt(plaintext: string, masterKey: string): EncryptedData;
+/**
+ * Decrypt credential data. If salt is provided, uses PBKDF2 key derivation.
+ * If salt is null/undefined, falls back to legacy SHA-256 derivation for
+ * backward compatibility with credentials encrypted before the PBKDF2 migration.
+ */
+export declare function decrypt(encrypted: string, iv: string, authTag: string, masterKey: string, salt?: string | null): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,aAAa,CAgB3E;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,CAWvH"}

package/dist/crypto.js

@@ -0,0 +1,45 @@
+import { createCipheriv, createDecipheriv, randomBytes, createHash, pbkdf2Sync } from 'node:crypto';
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const SALT_LENGTH = 16;
+const PBKDF2_ITERATIONS = 100_000;
+const PBKDF2_DIGEST = 'sha256';
+/** Derive a 32-byte key using PBKDF2 with a random salt. */
+function deriveKey(masterKey, salt) {
+    return pbkdf2Sync(masterKey, salt, PBKDF2_ITERATIONS, 32, PBKDF2_DIGEST);
+}
+/** Legacy key derivation — unsalted SHA-256. Used only for decrypting old credentials. */
+function deriveKeyLegacy(masterKey) {
+    return createHash('sha256').update(masterKey).digest();
+}
+export function encrypt(plaintext, masterKey) {
+    const salt = randomBytes(SALT_LENGTH);
+    const key = deriveKey(masterKey, salt);
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(plaintext, 'utf8', 'base64');
+    encrypted += cipher.final('base64');
+    const authTag = cipher.getAuthTag();
+    return {
+        encrypted,
+        iv: iv.toString('base64'),
+        authTag: authTag.toString('base64'),
+        salt: salt.toString('base64'),
+    };
+}
+/**
+ * Decrypt credential data. If salt is provided, uses PBKDF2 key derivation.
+ * If salt is null/undefined, falls back to legacy SHA-256 derivation for
+ * backward compatibility with credentials encrypted before the PBKDF2 migration.
+ */
+export function decrypt(encrypted, iv, authTag, masterKey, salt) {
+    const key = salt
+        ? deriveKey(masterKey, Buffer.from(salt, 'base64'))
+        : deriveKeyLegacy(masterKey);
+    const decipher = createDecipheriv(ALGORITHM, key, Buffer.from(iv, 'base64'));
+    decipher.setAuthTag(Buffer.from(authTag, 'base64'));
+    let decrypted = decipher.update(encrypted, 'base64', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEpG,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,WAAW,GAAG,EAAE,CAAC;AACvB,MAAM,iBAAiB,GAAG,OAAO,CAAC;AAClC,MAAM,aAAa,GAAG,QAAQ,CAAC;AAE/B,4DAA4D;AAC5D,SAAS,SAAS,CAAC,SAAiB,EAAE,IAAY;IAChD,OAAO,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,EAAE,aAAa,CAAC,CAAC;AAC3E,CAAC;AAED,0FAA0F;AAC1F,SAAS,eAAe,CAAC,SAAiB;IACxC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;AACzD,CAAC;AASD,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,SAAiB;IAC1D,MAAM,IAAI,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IACvC,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAElD,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3D,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEpC,OAAO;QACL,SAAS;QACT,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzB,OAAO,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACnC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC9B,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,EAAU,EAAE,OAAe,EAAE,SAAiB,EAAE,IAAoB;IAC7G,MAAM,GAAG,GAAG,IAAI;QACd,CAAC,CAAC,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QACnD,CAAC,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC7E,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IAEpD,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC7D,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAEpC,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/db/drizzle-db.d.ts

@@ -0,0 +1,129 @@
+import type { Agent, Session, SessionStatus, SandboxRecord, SandboxState, ApiKey, Message, SessionEvent, SessionEventType, RunnerRecord, Credential, QueueItem, QueueItemStatus, QueueStats, Attachment, UsageEvent, UsageEventType, UsageStats } from '@ash-ai/shared';
+import type { Db } from './index.js';
+import type * as sqliteSchema from './schema.sqlite.js';
+import type * as pgSchema from './schema.pg.js';
+type Schema = typeof sqliteSchema | typeof pgSchema;
+/**
+ * Unified Db implementation backed by Drizzle ORM.
+ * Works with both SQLite (better-sqlite3) and PostgreSQL (pg) drivers.
+ */
+export declare class DrizzleDb implements Db {
+    private drizzle;
+    private schema;
+    private dialect;
+    private closeFn;
+    constructor(drizzle: any, // DrizzleSQLiteDatabase | DrizzleNodePgDatabase
+    schema: Schema, dialect: 'sqlite' | 'pg', closeFn: () => Promise<void>);
+    upsertRunner(id: string, host: string, port: number, maxSandboxes: number): Promise<RunnerRecord>;
+    heartbeatRunner(id: string, activeCount: number, warmingCount: number): Promise<void>;
+    getRunner(id: string): Promise<RunnerRecord | null>;
+    listHealthyRunners(cutoffIso: string): Promise<RunnerRecord[]>;
+    listDeadRunners(cutoffIso: string): Promise<RunnerRecord[]>;
+    selectBestRunner(cutoffIso: string): Promise<RunnerRecord | null>;
+    deleteRunner(id: string): Promise<void>;
+    listAllRunners(): Promise<RunnerRecord[]>;
+    upsertAgent(name: string, path: string, tenantId?: string): Promise<Agent>;
+    getAgent(name: string, tenantId?: string): Promise<Agent | null>;
+    listAgents(tenantId?: string): Promise<Agent[]>;
+    deleteAgent(name: string, tenantId?: string): Promise<boolean>;
+    insertSession(id: string, agentName: string, sandboxId: string, tenantId?: string, parentSessionId?: string): Promise<Session>;
+    insertForkedSession(id: string, parentSession: Session, sandboxId: string): Promise<Session>;
+    updateSessionStatus(id: string, status: SessionStatus): Promise<void>;
+    updateSessionSandbox(id: string, sandboxId: string): Promise<void>;
+    updateSessionRunner(id: string, runnerId: string | null): Promise<void>;
+    getSession(id: string): Promise<Session | null>;
+    listSessions(tenantId?: string, agent?: string): Promise<Session[]>;
+    listSessionsByRunner(runnerId: string): Promise<Session[]>;
+    bulkPauseSessionsByRunner(runnerId: string): Promise<number>;
+    touchSession(id: string): Promise<void>;
+    insertSandbox(id: string, agentName: string, workspaceDir: string, sessionId?: string, tenantId?: string): Promise<void>;
+    updateSandboxState(id: string, state: SandboxState): Promise<void>;
+    updateSandboxSession(id: string, sessionId: string | null): Promise<void>;
+    touchSandbox(id: string): Promise<void>;
+    getSandbox(id: string): Promise<SandboxRecord | null>;
+    countSandboxes(): Promise<number>;
+    getBestEvictionCandidate(): Promise<SandboxRecord | null>;
+    getIdleSandboxes(olderThan: string): Promise<SandboxRecord[]>;
+    deleteSandbox(id: string): Promise<void>;
+    markAllSandboxesCold(): Promise<number>;
+    insertMessage(sessionId: string, role: 'user' | 'assistant', content: string, tenantId?: string): Promise<Message>;
+    listMessages(sessionId: string, tenantId?: string, opts?: {
+        limit?: number;
+        afterSequence?: number;
+    }): Promise<Message[]>;
+    insertSessionEvent(sessionId: string, type: SessionEventType, data: string | null, tenantId?: string): Promise<SessionEvent>;
+    insertSessionEvents(events: Array<{
+        sessionId: string;
+        type: SessionEventType;
+        data: string | null;
+        tenantId?: string;
+    }>): Promise<SessionEvent[]>;
+    listSessionEvents(sessionId: string, tenantId?: string, opts?: {
+        limit?: number;
+        afterSequence?: number;
+        type?: SessionEventType;
+    }): Promise<SessionEvent[]>;
+    getApiKeyByHash(keyHash: string): Promise<ApiKey | null>;
+    insertApiKey(id: string, tenantId: string, keyHash: string, label: string): Promise<ApiKey>;
+    listApiKeysByTenant(tenantId: string): Promise<ApiKey[]>;
+    deleteApiKey(id: string): Promise<boolean>;
+    insertCredential(id: string, tenantId: string, type: string, encryptedKey: string, iv: string, authTag: string, label: string, salt?: string | null): Promise<Credential>;
+    getCredential(id: string): Promise<{
+        id: string;
+        tenantId: string;
+        type: string;
+        encryptedKey: string;
+        iv: string;
+        authTag: string;
+        salt: string | null;
+        label: string;
+        active: boolean;
+        createdAt: string;
+        lastUsedAt: string | null;
+    } | null>;
+    listCredentials(tenantId: string): Promise<Credential[]>;
+    deleteCredential(id: string): Promise<boolean>;
+    touchCredentialUsed(id: string): Promise<void>;
+    insertQueueItem(id: string, tenantId: string, agentName: string, prompt: string, sessionId?: string, priority?: number, maxRetries?: number): Promise<QueueItem>;
+    getQueueItem(id: string): Promise<QueueItem | null>;
+    getNextPendingQueueItem(tenantId?: string): Promise<QueueItem | null>;
+    /**
+     * Atomically claim a queue item by setting status to 'processing'
+     * only if it is still 'pending'. Returns true if the claim succeeded.
+     */
+    claimQueueItem(id: string): Promise<boolean>;
+    updateQueueItemStatus(id: string, status: QueueItemStatus, error?: string): Promise<void>;
+    incrementQueueItemRetry(id: string, retryAfter?: string): Promise<void>;
+    listQueueItems(tenantId: string, status?: QueueItemStatus, limit?: number): Promise<QueueItem[]>;
+    getQueueStats(tenantId: string): Promise<QueueStats>;
+    insertAttachment(id: string, tenantId: string, messageId: string, sessionId: string, filename: string, mimeType: string, size: number, storagePath: string): Promise<Attachment>;
+    getAttachment(id: string): Promise<Attachment | null>;
+    listAttachmentsByMessage(messageId: string, tenantId?: string): Promise<Attachment[]>;
+    listAttachmentsBySession(sessionId: string, tenantId?: string): Promise<Attachment[]>;
+    deleteAttachment(id: string): Promise<boolean>;
+    insertUsageEvent(id: string, tenantId: string, sessionId: string, agentName: string, eventType: UsageEventType, value: number): Promise<UsageEvent>;
+    insertUsageEvents(events: Array<{
+        id: string;
+        tenantId: string;
+        sessionId: string;
+        agentName: string;
+        eventType: UsageEventType;
+        value: number;
+    }>): Promise<void>;
+    listUsageEvents(tenantId: string, opts?: {
+        sessionId?: string;
+        agentName?: string;
+        after?: string;
+        before?: string;
+        limit?: number;
+    }): Promise<UsageEvent[]>;
+    getUsageStats(tenantId: string, opts?: {
+        sessionId?: string;
+        agentName?: string;
+        after?: string;
+        before?: string;
+    }): Promise<UsageStats>;
+    close(): Promise<void>;
+}
+export {};
+//# sourceMappingURL=drizzle-db.d.ts.map

package/dist/db/drizzle-db.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"drizzle-db.d.ts","sourceRoot":"","sources":["../../src/db/drizzle-db.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,YAAY,EAAE,UAAU,EAAE,SAAS,EAAE,eAAe,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACxQ,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,YAAY,CAAC;AAErC,OAAO,KAAK,KAAK,YAAY,MAAM,oBAAoB,CAAC;AACxD,OAAO,KAAK,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAGhD,KAAK,MAAM,GAAG,OAAO,YAAY,GAAG,OAAO,QAAQ,CAAC;AAEpD;;;GAGG;AACH,qBAAa,SAAU,YAAW,EAAE;IAEhC,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,OAAO;gBAHP,OAAO,EAAE,GAAG,EAAE,gDAAgD;IAC9D,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,QAAQ,GAAG,IAAI,EACxB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC;IAMhC,YAAY,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAejG,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASrF,SAAS,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAYnD,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAa9D,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAa3D,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAiBjE,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOvC,cAAc,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;IAezC,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,KAAK,CAAC;IAyBrF,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC;IAY3E,UAAU,CAAC,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;IAU1D,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,OAAO,CAAC;IAiBzE,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,EAAE,eAAe,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAUzI,mBAAmB,CAAC,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiC5F,mBAAmB,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IASrE,oBAAoB,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASlE,mBAAmB,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IASvE,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAY/C,YAAY,CAAC,QAAQ,GAAE,MAAkB,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAkB9E,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAc1D,yBAAyB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAa5D,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAWvC,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAQnI,kBAAkB,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAQlE,oBAAoB,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAQzE,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASvC,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAYrD,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;IASjC,wBAAwB,IAAI,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAgBzD,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAa7D,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOxC,oBAAoB,IAAI,OAAO,CAAC,MAAM,CAAC;IAWvC,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,OAAO,CAAC;IA+B7H,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,EAAE,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAwBpI,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,YAAY,CAAC;IA8BvI,mBAAmB,CAAC,MAAM,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,gBAAgB,CAAC;QAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAuDlJ,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,EAAE,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,gBAAgB,CAAA;KAAE,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IA6BvK,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAYxD,YAAY,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAS3F,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAUxD,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU1C,gBAAgB,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,UAAU,CAAC;IASzK,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,OAAO,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,GAAG,IAAI,CAAC;IAY/O,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAYxD,gBAAgB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQ9C,mBAAmB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAW9C,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAQhK,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAOnD,uBAAuB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAc3E;;;OAGG;IACG,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU5C,qBAAqB,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUzF,uBAAuB,CAAC,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUvE,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,eAAe,EAAE,KAAK,SAAK,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAQ5F,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAkBpD,gBAAgB,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAQhL,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAOrD,wBAAwB,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAQrF,wBAAwB,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAQrF,gBAAgB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQ9C,gBAAgB,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAQnJ,iBAAiB,CAAC,MAAM,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,cAAc,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAOjK,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAY5J,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,UAAU,CAAC;IA2CxI,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAG7B"}