@bothat-io/molenkopf 0.1.2

package/packages/core/src/config/provider-config.ts

@@ -0,0 +1,139 @@
+import type { ProviderConfig } from "../providers/provider-catalog.ts";
+import { validateProviderTarget } from "../security/target-policy.ts";
+
+type JsonRecord = Record<string, unknown>;
+
+const ID_RE = /^[a-z0-9][a-z0-9._:-]{0,63}$/i;
+const ENV_REF_RE = /^env:([A-Z_][A-Z0-9_]*)$/i;
+const SECRET_REF_RE = /^secret:[a-z0-9][a-z0-9._:-]{0,63}$/i;
+
+export function normalizeProvider(input: unknown, index: number): ProviderConfig {
+  const item = record(input, `$.providers[${index}]`);
+  if (item.credentialEnv !== undefined) throw new Error("use auth.credentialRef instead of credentialEnv in JSON config");
+  const id = idValue(item.id, `$.providers[${index}].id`);
+  const runtime = runtimeKind(item.kind);
+  if (runtime) return cliProvider(item, id, runtime);
+  return apiProvider(item, index, id);
+}
+
+function apiProvider(item: JsonRecord, index: number, id: string): ProviderConfig {
+  const kind = providerKind(item.kind);
+  if (item.credentialRef !== undefined) throw new Error("use auth.credentialRef instead of top-level credentialRef in JSON config");
+  if (item.authScheme !== undefined) throw new Error("use auth.scheme instead of top-level authScheme in JSON config");
+  const target = stringOrUndefined(item.baseUrl) ?? stringOrUndefined(item.target) ?? defaultTarget(item.kind);
+  if (!target) throw new Error(`missing provider baseUrl: ${id}`);
+  validateProviderTarget(target, { path: `$.providers[${index}].baseUrl`, allowPrivate: kind === "local" });
+  const auth = item.auth === undefined ? {} : record(item.auth, `$.providers[${index}].auth`);
+  if (auth.credential !== undefined) throw new Error("inline credentials are not allowed in file config; use auth.credentialRef");
+  const credentialValue = undefined;
+  const credentialRef = stringOrUndefined(auth.credentialRef) ?? "none";
+  const credentialEnv = credentialEnvFromRef(credentialRef, id);
+  return {
+    id,
+    name: stringOrUndefined(item.name) ?? id,
+    kind,
+    target,
+    credentialEnv,
+    credentialRef,
+    credentialValue,
+    authScheme: authSchemeValue(auth.scheme, target, credentialEnv || credentialValue, `$.providers[${index}].auth.scheme`),
+    protocol: protocolValue(item.protocol, item.kind, kind, target, `$.providers[${index}].protocol`),
+    enabled: item.enabled === undefined ? true : boolean(item.enabled, `$.providers[${index}].enabled`)
+  };
+}
+
+function cliProvider(item: JsonRecord, id: string, runtime: "claude" | "codex"): ProviderConfig {
+  if (item.inputMode === "argument" && item.allowUnsafeArgumentInput !== true) throw new Error(`unsafe CLI inputMode for provider: ${id}`);
+  return {
+    id,
+    name: stringOrUndefined(item.name) ?? id,
+    kind: "cli",
+    target: `cli://${id}`,
+    runtime,
+    cliCommand: stringOrUndefined(item.command) ?? runtime,
+    cliArgs: stringArray(item.args ?? (runtime === "codex" ? ["exec"] : ["--print"]), `$.providers.${id}.args`),
+    cliInputMode: item.inputMode === "argument" ? "argument" : "stdin",
+    cliTimeoutMs: positiveNumber(item.timeoutMs, 120000),
+    authScheme: "none",
+    credentialRef: "none",
+    enabled: item.enabled === undefined ? true : boolean(item.enabled, `$.providers.${id}.enabled`)
+  };
+}
+
+function runtimeKind(value: unknown): ProviderConfig["runtime"] | undefined {
+  if (value === "cli-claude") return "claude";
+  if (value === "cli-codex") return "codex";
+  return undefined;
+}
+
+function credentialEnvFromRef(ref: string, id: string): string | undefined {
+  if (ref === "none") return undefined;
+  if (ref === "json:inline") throw new Error(`inline credentials are not allowed for provider: ${id}`);
+  if (SECRET_REF_RE.test(ref)) throw new Error(`unsupported credentialRef for provider: ${id}`);
+  const match = ref.match(ENV_REF_RE);
+  if (!match) throw new Error(`invalid credentialRef for provider: ${id}`);
+  return match[1];
+}
+
+function authSchemeValue(value: unknown, target: string, credential: string | undefined, path: string): ProviderConfig["authScheme"] {
+  if (value === "bearer" || value === "x-api-key" || value === "none") return value;
+  if (value !== undefined) throw new Error(`invalid provider auth.scheme: ${path}`);
+  if (!credential) return "none";
+  return target.includes("anthropic") ? "x-api-key" : "bearer";
+}
+
+function providerKind(value: unknown): ProviderConfig["kind"] {
+  if (value === undefined || value === "api" || value === "openai-compatible" || value === "anthropic") return "api";
+  if (value === "local" || value === "local-openai" || value === "ollama") return "local";
+  throw new Error("invalid provider kind");
+}
+
+function defaultTarget(value: unknown): string | undefined {
+  return value === "ollama" ? "http://127.0.0.1:11434/v1" : undefined;
+}
+
+function protocolValue(value: unknown, rawKind: unknown, kind: ProviderConfig["kind"], target: string, path: string): ProviderConfig["protocol"] {
+  if (value === "openai-responses" || value === "anthropic-messages" || value === "openai-chat" || value === "ollama-tags") return value;
+  if (value !== undefined) throw new Error(`invalid provider protocol: ${path}`);
+  if (rawKind === "ollama" || target.includes("11434")) return "ollama-tags";
+  if (kind === "local") return "openai-chat";
+  return target.includes("anthropic") || rawKind === "anthropic" ? "anthropic-messages" : "openai-responses";
+}
+
+function record(value: unknown, path: string): JsonRecord {
+  if (!value || typeof value !== "object" || Array.isArray(value)) throw new Error(`expected object: ${path}`);
+  return value as JsonRecord;
+}
+
+function idValue(value: unknown, path: string): string {
+  const id = string(value, path);
+  if (!ID_RE.test(id)) throw new Error(`invalid id: ${path}`);
+  if (id.toLowerCase() === "default") throw new Error(`reserved provider id: ${path}`);
+  return id;
+}
+
+function string(value: unknown, path: string): string {
+  if (typeof value !== "string" || !value.trim()) throw new Error(`expected string: ${path}`);
+  return value.trim();
+}
+
+function stringOrUndefined(value: unknown): string | undefined {
+  return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}
+
+function stringArray(value: unknown, path: string): string[] {
+  if (!Array.isArray(value) || value.some((item) => typeof item !== "string")) throw new Error(`expected string array: ${path}`);
+  return value as string[];
+}
+
+function boolean(value: unknown, path: string): boolean {
+  if (typeof value !== "boolean") throw new Error(`expected boolean: ${path}`);
+  return value;
+}
+
+function positiveNumber(value: unknown, fallback: number): number {
+  if (value === undefined) return fallback;
+  const numberValue = Number(value);
+  if (!Number.isInteger(numberValue) || numberValue <= 0) throw new Error("invalid cli timeout");
+  return numberValue;
+}

package/packages/core/src/events/event-bus.ts

@@ -0,0 +1,88 @@
+import { randomUUID } from "node:crypto";
+import { redactSecrets } from "../security/secret-redactor.ts";
+import { shortHash } from "../utils/hash.ts";
+
+export type MolenkopfEvent = {
+  id: string;
+  type: "request_started" | "request_compressed" | "request_forwarded" | "request_finished" | "request_failed" | "request_warning" | "plugin_event" | "warning";
+  timestamp: string;
+  requestId?: string;
+  data?: Record<string, unknown>;
+};
+
+export class EventBus {
+  private clients = new Set<(event: MolenkopfEvent) => void>();
+  private history: MolenkopfEvent[] = [];
+
+  emit(type: MolenkopfEvent["type"], data: Omit<MolenkopfEvent, "id" | "type" | "timestamp"> = {}): MolenkopfEvent {
+    const event = deepFreeze({ id: randomUUID(), type, timestamp: new Date().toISOString(), requestId: safeString(data.requestId), data: safeData(data.data) });
+    this.history.push(event);
+    this.history = this.history.slice(-100);
+    for (const client of [...this.clients]) this.deliver(client, event);
+    return event;
+  }
+
+  subscribe(client: (event: MolenkopfEvent) => void): () => void {
+    this.clients.add(client);
+    for (const event of this.history) if (!this.deliver(client, event)) break;
+    return () => this.clients.delete(client);
+  }
+
+  private deliver(client: (event: MolenkopfEvent) => void, event: MolenkopfEvent): boolean {
+    try {
+      client(event);
+      return true;
+    } catch {
+      this.clients.delete(client);
+      return false;
+    }
+  }
+}
+
+function safeData(value: unknown, seen = new WeakSet<object>()): Record<string, unknown> | undefined {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return undefined;
+  return sanitize(value, seen) as Record<string, unknown>;
+}
+
+function sanitize(value: unknown, seen: WeakSet<object>, key?: string): unknown {
+  if (key && isSensitiveKey(key)) return sensitiveMarker(key, value);
+  if (typeof value === "string") return safeString(value);
+  if (typeof value === "number") return Number.isFinite(value) ? value : 0;
+  if (typeof value === "boolean" || value === null) return value;
+  if (!value || typeof value !== "object") return undefined;
+  if (seen.has(value)) return "[circular]";
+  seen.add(value);
+  if (Array.isArray(value)) return value.slice(0, 50).map((item) => sanitize(item, seen));
+  return Object.fromEntries(Object.entries(value).slice(0, 50).map(([itemKey, item]) => [safeString(itemKey), sanitize(item, seen, itemKey)]));
+}
+
+function safeString(value: unknown): string | undefined {
+  if (typeof value !== "string") return undefined;
+  return redactSecrets(value).text.slice(0, 512);
+}
+
+function deepFreeze<T>(value: T): T {
+  if (value && typeof value === "object") {
+    Object.freeze(value);
+    for (const child of Object.values(value as Record<string, unknown>)) deepFreeze(child);
+  }
+  return value;
+}
+
+function isSensitiveKey(key: string): boolean {
+  const normalized = key.replace(/([a-z0-9])([A-Z])/g, "$1_$2");
+  return /(?:^|[_-])(?:password|passwd|pwd|token|authorization|auth|cookie|secret|api[_-]?key|credential|private[_-]?key)(?:$|[_-])/i.test(normalized);
+}
+
+function sensitiveMarker(key: string, value: unknown): string {
+  const kind = key.toLowerCase().replace(/[^a-z0-9]+/g, "_") || "secret";
+  const text = typeof value === "string" ? value : sensitiveValueLabel(value);
+  return `[REDACTED_SECRET:event_${kind}:sha256:${shortHash(text ?? "")}]`;
+}
+
+function sensitiveValueLabel(value: unknown): string {
+  if (value === null) return "null";
+  if (Array.isArray(value)) return "[array]";
+  if (typeof value === "object") return "[object]";
+  return String(value ?? "");
+}

package/packages/core/src/identity/api-keys.ts

@@ -0,0 +1,149 @@
+import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
+import type { IdentityStore } from "./identity-store.ts";
+import { viewKey, type ApiKey, type ApiKeyView, type Budget } from "./types.ts";
+
+// Molenkopf-issued API keys. The secret is shown EXACTLY ONCE at creation; only
+// its sha256 hash is stored — never the plaintext. Node built-ins only.
+
+export type IssueOptions = { agentLabel?: string; project: string; teamId?: string; scopes?: string[]; budget?: Budget };
+export type IssuedKey = { view: ApiKeyView; secret: string };
+
+export function hashSecret(secret: string): string {
+  return createHash("sha256").update(secret).digest("hex");
+}
+
+function newSecret(): string {
+  return `mk_${randomBytes(24).toString("base64url")}`;
+}
+
+export async function issueApiKey(store: IdentityStore, ownerUserId: string, opts: IssueOptions): Promise<IssuedKey | undefined> {
+  const owner = store.getUser(ownerUserId);
+  if (!owner || owner.disabled) return undefined;
+  const project = cleanKeyProject(opts.project);
+  if (!project) return undefined;
+  const teamId = resolveIssueTeam(store, owner, opts.teamId);
+  if (teamId === false) return undefined;
+  const scopes = cleanScopes(opts.scopes);
+  if (scopes === false) return undefined;
+  const secret = newSecret();
+  const key: ApiKey = {
+    id: newKeyId(store),
+    hash: hashSecret(secret),
+    prefix: secret.slice(0, 8),
+    ownerUserId,
+    teamId,
+    agentLabel: cleanKeyLabel(opts.agentLabel),
+    project,
+    scopes,
+    budget: opts.budget,
+    createdAt: new Date().toISOString()
+  };
+  store.data.keys[key.id] = key;
+  try {
+    await store.save();
+  } catch (error) {
+    delete store.data.keys[key.id];
+    throw error;
+  }
+  return { view: viewKey(key), secret };
+}
+
+// Looks up a presented secret. Constant-time hash compare; ignores disabled keys.
+export function authenticateKey(store: IdentityStore, secret: string | undefined): ApiKey | undefined {
+  if (!secret) return undefined;
+  const candidate = hashSecret(secret);
+  for (const key of Object.values(store.data.keys)) {
+    if (key.disabled) continue;
+    if (equalHex(candidate, key.hash) && keyUsable(store, key)) return key;
+  }
+  return undefined;
+}
+
+export function listKeys(store: IdentityStore, ownerUserId?: string): ApiKeyView[] {
+  return Object.values(store.data.keys)
+    .filter((k) => !ownerUserId || k.ownerUserId === ownerUserId)
+    .map(viewKey);
+}
+
+export async function revokeKey(store: IdentityStore, id: string): Promise<boolean> {
+  const key = store.data.keys[id];
+  if (!key || key.disabled) return false;
+  const previous = key.disabled;
+  key.disabled = true;
+  try {
+    await store.save();
+  } catch (error) {
+    key.disabled = previous;
+    throw error;
+  }
+  return true;
+}
+
+// Records last-used without forcing a disk write on every request (caller flushes).
+export function touchKey(store: IdentityStore, key: ApiKey, at = new Date().toISOString()): void {
+  key.lastUsedAt = at;
+}
+
+function equalHex(a: string, b: string): boolean {
+  if (!isSha256Hex(a) || !isSha256Hex(b)) return false;
+  if (a.length !== b.length) return false;
+  return timingSafeEqual(Buffer.from(a, "hex"), Buffer.from(b, "hex"));
+}
+
+function isSha256Hex(value: string): boolean {
+  return /^[a-f0-9]{64}$/.test(value);
+}
+
+function newKeyId(store: IdentityStore): string {
+  for (let attempt = 0; attempt < 10; attempt++) {
+    const id = `key_${randomBytes(5).toString("hex")}`;
+    if (!store.data.keys[id]) return id;
+  }
+  throw new Error("api_key_id_collision");
+}
+
+function cleanScopes(scopes: string[] | undefined): string[] | undefined | false {
+  if (scopes === undefined) return undefined;
+  if (!Array.isArray(scopes)) return false;
+  const out: string[] = [];
+  for (const scope of scopes) {
+    if (typeof scope !== "string" || !/^[a-z0-9][a-z0-9._:-]{0,63}$/i.test(scope)) return false;
+    if (!out.includes(scope)) out.push(scope);
+  }
+  return out.length ? out : false;
+}
+
+function resolveIssueTeam(store: IdentityStore, owner: { teamIds: string[] }, value: string | undefined): string | undefined | false {
+  const teamId = value?.trim();
+  if (teamId) {
+    if (!store.getTeam(teamId) || !owner.teamIds.includes(teamId)) return false;
+    if (teamId === "everyone" && billableTeamIds(owner.teamIds).length) return false;
+    return teamId;
+  }
+  const billingTeams = billableTeamIds(owner.teamIds);
+  if (billingTeams.length === 1) return billingTeams[0];
+  if (billingTeams.length > 1) return false;
+  return owner.teamIds.includes("everyone") ? "everyone" : undefined;
+}
+
+function keyUsable(store: IdentityStore, key: ApiKey): boolean {
+  const owner = store.getUser(key.ownerUserId);
+  if (!owner || owner.disabled) return false;
+  if (!cleanKeyProject(key.project)) return false;
+  if (key.teamId) return Boolean(store.getTeam(key.teamId) && owner.teamIds.includes(key.teamId));
+  return billableTeamIds(owner.teamIds).length <= 1;
+}
+
+function billableTeamIds(teamIds: string[]): string[] {
+  return teamIds.filter((id) => id !== "everyone");
+}
+
+export function cleanKeyLabel(value: string | undefined): string | undefined {
+  const normalized = value?.replace(/[^\w .@:-]/g, "").trim().slice(0, 64);
+  return normalized || undefined;
+}
+
+export function cleanKeyProject(value: string | undefined): string | undefined {
+  const normalized = value?.replace(/[^\w .@/-]/g, "").trim().slice(0, 80);
+  return normalized || undefined;
+}

package/packages/core/src/identity/budget.ts

@@ -0,0 +1,51 @@
+import type { Budget, BudgetAction, BudgetPeriod } from "./types.ts";
+
+export const BUDGET_PERIODS: BudgetPeriod[] = ["day", "week", "month", "total"];
+export const BUDGET_ACTIONS: BudgetAction[] = ["block", "warn"];
+export const DEFAULT_BUDGET_PERIOD: BudgetPeriod = "month";
+export const DEFAULT_BUDGET_ACTION: BudgetAction = "block";
+
+export type BudgetParseResult = { ok: true; budget?: Budget } | { ok: false; error: "invalid_budget" };
+
+export function normalizeBudget(value: unknown): BudgetParseResult {
+  if (value === undefined || value === null) return { ok: true };
+  if (!value || typeof value !== "object" || Array.isArray(value)) return { ok: false, error: "invalid_budget" };
+  const input = value as Record<string, unknown>;
+  const tokenLimit = limit(input.tokenLimit);
+  const costLimitEur = limit(input.costLimitEur);
+  if (tokenLimit === false || costLimitEur === false) return { ok: false, error: "invalid_budget" };
+  if (tokenLimit === undefined && costLimitEur === undefined) return { ok: true };
+  const period = input.period === undefined ? DEFAULT_BUDGET_PERIOD : input.period;
+  const onExceed = input.onExceed === undefined ? DEFAULT_BUDGET_ACTION : input.onExceed;
+  if (!BUDGET_PERIODS.includes(period as BudgetPeriod) || !BUDGET_ACTIONS.includes(onExceed as BudgetAction)) return { ok: false, error: "invalid_budget" };
+  return { ok: true, budget: { tokenLimit, costLimitEur, period: period as BudgetPeriod, onExceed: onExceed as BudgetAction } };
+}
+
+export function isBudget(value: unknown): value is Budget {
+  const parsed = normalizeBudget(value);
+  return parsed.ok && parsed.budget !== undefined;
+}
+
+export function budgetPeriodKey(period: BudgetPeriod, at: Date): string {
+  if (period === "total") return "total";
+  const year = at.getUTCFullYear();
+  const month = String(at.getUTCMonth() + 1).padStart(2, "0");
+  const day = String(at.getUTCDate()).padStart(2, "0");
+  if (period === "day") return `day:${year}-${month}-${day}`;
+  if (period === "month") return `month:${year}-${month}`;
+  const { weekYear, week } = isoWeek(at);
+  return `week:${weekYear}-W${String(week).padStart(2, "0")}`;
+}
+
+function limit(value: unknown): number | undefined | false {
+  if (value === undefined || value === null || value === "") return undefined;
+  return typeof value === "number" && Number.isFinite(value) && value > 0 ? value : false;
+}
+
+function isoWeek(value: Date): { weekYear: number; week: number } {
+  const date = new Date(Date.UTC(value.getUTCFullYear(), value.getUTCMonth(), value.getUTCDate()));
+  date.setUTCDate(date.getUTCDate() + 4 - (date.getUTCDay() || 7));
+  const weekYear = date.getUTCFullYear();
+  const first = new Date(Date.UTC(weekYear, 0, 1));
+  return { weekYear, week: Math.ceil((((date.getTime() - first.getTime()) / 86400000) + 1) / 7) };
+}

package/packages/core/src/identity/db.ts

@@ -0,0 +1,68 @@
+import { DatabaseSync } from "node:sqlite";
+import { existsSync, renameSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { defaultDataDir } from "../storage/local-paths.ts";
+import { chmodPrivateSync, ensurePrivateDirSync, PRIVATE_FILE_MODE } from "../storage/private-state.ts";
+
+// Real SQLite persistence via Node's BUILT-IN node:sqlite (no npm dependency —
+// honors the "core/proxy: built-ins only" invariant). One database file holds
+// identity (users/teams/api_keys/meta) and usage. Run with --experimental-sqlite.
+
+export type Db = DatabaseSync;
+
+export function openDb(root = defaultDataDir()): Db {
+  ensurePrivateDirSync(root);
+  const path = join(root, "molenkopf.db");
+  const marker = join(root, "molenkopf.db.quarantined");
+  if (existsSync(marker)) throw new Error("identity database unavailable: quarantined database marker exists");
+  let db: DatabaseSync | undefined;
+  try {
+    db = new DatabaseSync(path);
+    db.exec("PRAGMA busy_timeout = 4000; PRAGMA journal_mode = WAL;");
+    ensureSchema(db);
+    repairSqlitePermissions(root);
+    return db;
+  } catch (error) {
+    try { db?.close(); } catch { /* ignore */ }
+    if (isOperationalSqliteError(error)) throw new Error("identity database unavailable: busy");
+    try { if (existsSync(path)) renameSync(path, `${path}.corrupt.${Date.now()}`); } catch { /* best effort */ }
+    try { writeFileSync(marker, `${new Date().toISOString()} ${error instanceof Error ? error.message : String(error)}\n`, privateWriteOptions()); chmodPrivateSync(marker, PRIVATE_FILE_MODE); } catch { /* best effort */ }
+    throw new Error("identity database unavailable");
+  }
+}
+
+function isOperationalSqliteError(error: unknown): boolean {
+  const item = error as { code?: unknown; message?: unknown };
+  return /SQLITE_(BUSY|LOCKED)/.test(String(item.code ?? "")) || /database is (locked|busy)/i.test(String(item.message ?? ""));
+}
+
+export function markIdentityDbUnavailable(root = defaultDataDir(), reason: string): void {
+  ensurePrivateDirSync(root);
+  const marker = join(root, "molenkopf.db.quarantined");
+  try { writeFileSync(marker, `${new Date().toISOString()} ${reason}\n`, privateWriteOptions()); chmodPrivateSync(marker, PRIVATE_FILE_MODE); } catch { /* best effort */ }
+}
+
+export function repairSqlitePermissions(root = defaultDataDir()): void {
+  for (const name of ["molenkopf.db", "molenkopf.db-wal", "molenkopf.db-shm"]) {
+    const file = join(root, name);
+    if (existsSync(file)) chmodPrivateSync(file, PRIVATE_FILE_MODE);
+  }
+}
+
+function privateWriteOptions(): { mode: number } | undefined {
+  return process.platform === "win32" ? undefined : { mode: PRIVATE_FILE_MODE };
+}
+
+function ensureSchema(db: DatabaseSync): void {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS users (id TEXT PRIMARY KEY, json TEXT NOT NULL);
+    CREATE TABLE IF NOT EXISTS teams (id TEXT PRIMARY KEY, json TEXT NOT NULL);
+    CREATE TABLE IF NOT EXISTS api_keys (
+      id TEXT PRIMARY KEY, hash TEXT, owner_user_id TEXT, disabled INTEGER DEFAULT 0, json TEXT NOT NULL
+    );
+    CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(hash);
+    CREATE INDEX IF NOT EXISTS idx_api_keys_owner ON api_keys(owner_user_id);
+    CREATE TABLE IF NOT EXISTS meta (k TEXT PRIMARY KEY, json TEXT NOT NULL);
+    CREATE TABLE IF NOT EXISTS usage (scope TEXT NOT NULL, id TEXT NOT NULL, json TEXT NOT NULL, PRIMARY KEY (scope, id));
+  `);
+}

package/packages/core/src/identity/identity-store.ts

@@ -0,0 +1,175 @@
+import { IDENTITY_SCHEMA_VERSION, emptyIdentity, type ApiKey, type IdentityData, type Team, type User } from "./types.ts";
+import { markIdentityDbUnavailable, openDb, type Db } from "./db.ts";
+import { isIdentityApiKey, isIdentityTeam, isIdentityUser, loadIdentityMeta, parseIdentityRow, validateIdentityData, type IdentityMetaRow, type IdentityRow } from "./identity-validation.ts";
+import { defaultDataDir } from "../storage/local-paths.ts";
+
+// Identity store backed by real SQLite (node:sqlite, a built-in — no dependency).
+// Keeps an in-memory `data` mirror for fast logic; `save()` syncs it to the DB in
+// one transaction. Same public interface as before, so all callers are unchanged.
+
+export class IdentityStore {
+  private root: string;
+  private db?: Db;
+  private closed = false;
+  private ephemeralUserIds = new Set<string>();
+  data: IdentityData = emptyIdentity();
+
+  constructor(root = defaultDataDir()) {
+    this.root = root;
+  }
+
+  private handle(): Db {
+    if (!this.db) this.db = openDb(this.root);
+    return this.db;
+  }
+
+  async load(): Promise<IdentityData> {
+    const db = this.handle();
+    const data = emptyIdentity();
+    try {
+      for (const row of db.prepare("SELECT id, json FROM users").all() as IdentityRow[]) data.users[row.id] = parseIdentityRow(row, isIdentityUser, "user");
+      for (const row of db.prepare("SELECT id, json FROM teams").all() as IdentityRow[]) data.teams[row.id] = parseIdentityRow(row, isIdentityTeam, "team");
+      for (const row of db.prepare("SELECT id, json FROM api_keys").all() as IdentityRow[]) data.keys[row.id] = parseIdentityRow(row, isIdentityApiKey, "api_key");
+      for (const row of db.prepare("SELECT k, json FROM meta").all() as IdentityMetaRow[]) loadIdentityMeta(data, row);
+      normalizeDefaultTeam(data);
+      data.schemaVersion = IDENTITY_SCHEMA_VERSION;
+      validateIdentityData(data);
+      this.data = data;
+      return this.data;
+    } catch (error) {
+      try { this.db?.close(); } catch { /* ignore */ }
+      this.db = undefined;
+      markIdentityDbUnavailable(this.root, error instanceof Error ? error.message : "invalid identity data");
+      throw new Error("identity database unavailable: invalid identity data");
+    }
+  }
+
+  async save(): Promise<void> {
+    if (this.closed) throw new Error("identity_store_closed");
+    const persisted = persistedIdentity(this.data, this.ephemeralUserIds);
+    validateIdentityData(persisted);
+    const db = this.handle();
+    db.exec("BEGIN");
+    try {
+      db.exec("DELETE FROM users; DELETE FROM teams; DELETE FROM api_keys; DELETE FROM meta;");
+      const u = db.prepare("INSERT INTO users(id, json) VALUES(?, ?)");
+      for (const user of Object.values(persisted.users)) u.run(user.id, JSON.stringify(user));
+      const t = db.prepare("INSERT INTO teams(id, json) VALUES(?, ?)");
+      for (const team of Object.values(persisted.teams)) t.run(team.id, JSON.stringify(team));
+      const k = db.prepare("INSERT INTO api_keys(id, hash, owner_user_id, disabled, json) VALUES(?, ?, ?, ?, ?)");
+      for (const key of Object.values(persisted.keys)) k.run(key.id, key.hash, key.ownerUserId, key.disabled ? 1 : 0, JSON.stringify(key));
+      const m = db.prepare("INSERT INTO meta(k, json) VALUES(?, ?)");
+      if (persisted.orgBudget) m.run("orgBudget", JSON.stringify(persisted.orgBudget));
+      if (persisted.pricing) m.run("pricing", JSON.stringify(persisted.pricing));
+      db.exec("COMMIT");
+    } catch (error) {
+      db.exec("ROLLBACK");
+      throw error;
+    }
+  }
+
+  // ---- users ----
+  listUsers(): User[] { return Object.values(this.data.users); }
+  getUser(id: string): User | undefined { return this.data.users[id]; }
+  markEphemeralUser(id: string): void { this.ephemeralUserIds.add(id); }
+  async putUser(user: User): Promise<User> {
+    const previous = this.data;
+    this.data = cloneIdentity(previous);
+    try {
+      this.data.users[user.id] = normalizeUser({ ...user, teamIds: [...(user.teamIds ?? [])] }, this.data);
+      await this.save();
+      return this.data.users[user.id];
+    } catch (error) {
+      this.data = previous;
+      throw error;
+    }
+  }
+  async removeUser(id: string): Promise<boolean> {
+    if (!this.data.users[id]) return false;
+    const previous = this.data;
+    this.data = cloneIdentity(previous);
+    try {
+      delete this.data.users[id];
+      for (const key of Object.values(this.data.keys)) if (key.ownerUserId === id) delete this.data.keys[key.id];
+      for (const team of Object.values(this.data.teams)) team.managerIds = team.managerIds.filter((managerId) => managerId !== id);
+      await this.save();
+      return true;
+    } catch (error) {
+      this.data = previous;
+      throw error;
+    }
+  }
+
+  // ---- teams ----
+  listTeams(): Team[] { return Object.values(this.data.teams); }
+  getTeam(id: string): Team | undefined { return this.data.teams[id]; }
+  async putTeam(team: Team): Promise<Team> {
+    const previous = this.data;
+    this.data = cloneIdentity(previous);
+    try {
+      this.data.teams[team.id] = { ...team, managerIds: [...team.managerIds] };
+      if (team.id === "everyone") normalizeDefaultTeam(this.data);
+      await this.save();
+      return this.data.teams[team.id];
+    } catch (error) {
+      this.data = previous;
+      throw error;
+    }
+  }
+  async removeTeam(id: string): Promise<boolean> {
+    if (id === "everyone") return false;
+    if (!this.data.teams[id]) return false;
+    const previous = this.data;
+      this.data = cloneIdentity(previous);
+      try {
+        delete this.data.teams[id];
+        for (const user of Object.values(this.data.users)) user.teamIds = user.teamIds.filter((t) => t !== id);
+      for (const key of Object.values(this.data.keys)) if (key.teamId === id) {
+        key.disabled = true;
+        delete key.teamId;
+      }
+      await this.save();
+      return true;
+    } catch (error) {
+      this.data = previous;
+      throw error;
+    }
+  }
+
+  usersInTeam(teamId: string): User[] { return teamId === "everyone" && this.data.teams.everyone ? this.listUsers() : this.listUsers().filter((u) => u.teamIds.includes(teamId)); }
+
+  close(): void {
+    this.closed = true;
+    try { this.db?.close(); } catch { /* ignore */ }
+    this.db = undefined;
+  }
+}
+
+function normalizeDefaultTeam(data: IdentityData): void {
+  if (!data.teams.everyone) return;
+  for (const user of Object.values(data.users)) normalizeUser(user, data);
+}
+
+function normalizeUser(user: User, data: IdentityData): User {
+  user.teamIds = Array.isArray(user.teamIds) ? user.teamIds.filter((id) => Boolean(data.teams[id])) : [];
+  if (data.teams.everyone && !user.teamIds.includes("everyone")) user.teamIds = ["everyone", ...user.teamIds];
+  return user;
+}
+
+function persistedTeam(team: Team, ephemeralUserIds: Set<string>): Team {
+  return { ...team, managerIds: team.managerIds.filter((id) => !ephemeralUserIds.has(id)) };
+}
+
+function persistedIdentity(data: IdentityData, ephemeralUserIds: Set<string>): IdentityData {
+  const persisted = cloneIdentity(data);
+  for (const id of ephemeralUserIds) delete persisted.users[id];
+  for (const key of Object.values(persisted.keys)) if (ephemeralUserIds.has(key.ownerUserId)) delete persisted.keys[key.id];
+  for (const team of Object.values(persisted.teams)) persisted.teams[team.id] = persistedTeam(team, ephemeralUserIds);
+  return persisted;
+}
+
+function cloneIdentity(data: IdentityData): IdentityData {
+  return JSON.parse(JSON.stringify(data)) as IdentityData;
+}
+
+export type { ApiKey };