@happyvertical/smrt-profiles 0.30.0

package/AGENTS.md

@@ -0,0 +1,53 @@
+# @happyvertical/smrt-profiles
+
+Central identity system with multi-auth, relationships, controlled metadata, and audit logging.
+
+## Models
+
+- **Profile** (STI base → Bot, Organization, Person): email (globally unique), `typeId` FK to ProfileType, plus a `metadata` `@oneToMany('ProfileMetadata')` relationship for controlled per-profile values.
+- **ProfileAsset**: dedicated owned-asset join in `profile_assets` with `relationship` and `sortOrder`.
+- **ProfileRelationship**: bidirectional — creating one auto-creates reciprocal inverse. `contextProfileId` for tertiary relationships. `ProfileRelationshipTerm` tracks start/end dates.
+- **ProfileMetafield**: controlled vocabulary with `validationSchema`. **ProfileMetadata**: per-profile values linked to metafields.
+- **AuditLog**: action, resourceType/Id, `source` (web/cli/ci/webhook/mcp), `onBehalfOfId` for CI pass-through identity. `allowSuperAdminBypass: true`.
+
+## Auth Methods
+
+| Model | Pattern |
+|-------|---------|
+| NostrIdentity | Encrypted keypair (AES-256-GCM). Requires `SERVER_MASTER_SECRET` env var for decryption. NIP-05 address generation. |
+| OidcIdentity | Multiple issuers (Keycloak/Google/GitHub). Lookup by `issuer + subject` pair. `findOrCreate()` for first login. |
+| ApiKey | SHA-256 hashed. **Plaintext returned once only** on `generate()`. `keyPrefix` for identification. Scope-based with expiry. |
+| MagicLinkToken | One-time token with expiry for passwordless auth. |
+
+## Identity Resolution
+
+Auth helpers in `src/auth/` build profiles from external identity claims:
+
+- `resolveIdentity()` — top-level dispatcher that returns/creates a Profile from Nostr signatures, OIDC claims, magic link tokens, or API keys.
+- `createProfileFromOidc(claims, provider)` — creates `Profile` + `OidcIdentity` for first-time OIDC sign-in.
+- `createProfileFromNostr(email, nostrData)` — creates `Profile` + `NostrIdentity` for Nostr-authenticated users.
+
+## Key Methods
+
+- `Profile.getAssets()` / `addAsset()` / `removeAsset()` and the matching `ProfileCollection` wrappers — canonical owned asset helpers backed by `profile_assets`.
+- `Profile.addMetadata(metafieldSlug, value)` / `Profile.getMetadata()` — validates against metafield schema. `ProfileCollection.batchGetMetadata()` / `batchUpdateMetadata()` for bulk reads/writes.
+- `Profile.getRelationships({ direction: 'from'|'to'|'all' })` — direction matters.
+- `Profile.getRelationshipsFrom()` / `getRelationshipsTo()` — R10-generated `@oneToMany` accessors. ProfileRelationship has two FKs back to Profile, so each `@oneToMany` annotates its inverse explicitly (`{ foreignKey: 'fromProfileId' }` / `'toProfileId'`). Return raw `ProfileRelationship[]`; use `getRelationships()` for slug/direction filtering.
+- AI: `generateBio()` (uses `smrtProfiles.profile.generateBio` prompt via `@happyvertical/smrt-prompts`), `matches(criteria)` (delegates to `is()`).
+
+## Prompt Registry
+
+`generateBio()` is registered with `@happyvertical/smrt-prompts` so tenants can override template/model/params at runtime:
+
+```typescript
+import { smrtProfilesGenerateBioPrompt } from '@happyvertical/smrt-profiles';
+// key: 'smrtProfiles.profile.generateBio'
+```
+
+## Gotchas
+
+- **SERVER_MASTER_SECRET required** for Nostr private key decryption — centralized key management
+- **API key never returned again**: `ApiKey.generate()` returns plaintext once; only `keyPrefix` visible later
+- **OIDC unique per issuer+subject**: same subject from different issuers = different identities
+- **Email unique across all profiles**: DB-level unique constraint, not per-tenant
+- **Optional tenancy** on Profile; AuditLog allows super-admin bypass

package/CLAUDE.md

@@ -0,0 +1 @@
+@AGENTS.md

package/LICENSE

@@ -0,0 +1,7 @@
+Copyright <2025> <Happy Vertical Corporation>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,176 @@
+# @happyvertical/smrt-profiles
+
+Central identity system with multi-auth (Nostr/OIDC/API keys/magic links), relationships, controlled metadata, and audit logging.
+
+## Installation
+
+```bash
+pnpm add @happyvertical/smrt-profiles
+```
+
+## Usage
+
+```typescript
+import {
+  Profile,
+  ProfileCollection,
+  OidcIdentity,
+  OidcIdentityCollection,
+  ApiKey,
+  ApiKeyCollection,
+  NostrIdentity,
+  generateNostrKeypair,
+  createProfileFromOidc,
+} from '@happyvertical/smrt-profiles';
+
+// Create a profile
+const profile = new Profile({
+  name: 'Alice Johnson',
+  email: 'alice@example.com',
+});
+await profile.save();
+
+// OIDC identity (Keycloak/Google/GitHub)
+const oidcProfile = await createProfileFromOidc({
+  issuer: 'https://accounts.google.com',
+  subject: 'abc123',
+  email: 'alice@example.com',
+  name: 'Alice Johnson',
+});
+
+// Nostr identity (encrypted keypair, requires SERVER_MASTER_SECRET)
+const keypair = generateNostrKeypair();
+const nostr = new NostrIdentity({
+  profileId: profile.id,
+  pubkey: keypair.pubkey,
+});
+await nostr.save();
+
+// API key (plaintext returned once only)
+const { key, apiKey } = await ApiKey.generate({
+  profileId: profile.id,
+  scope: 'read:profiles',
+  expiresAt: new Date('2025-12-31'),
+});
+// key = plaintext (store now), apiKey.keyPrefix = visible identifier
+
+// Relationships (auto-creates reciprocal inverse)
+const bob = new Profile({ name: 'Bob Smith', email: 'bob@example.com' });
+await bob.save();
+await profile.addRelationship(bob, 'friend');
+const friends = await profile.getRelationships({ direction: 'from' });
+```
+
+### Owned assets
+
+```typescript
+import { AssetCollection } from '@happyvertical/smrt-assets';
+
+const profiles = await ProfileCollection.create();
+const assets = await AssetCollection.create();
+
+const headshot = await assets.create({
+  name: 'alice-headshot.jpg',
+  sourceUri: 'file:///tmp/alice-headshot.jpg',
+  mimeType: 'image/jpeg',
+});
+
+await profile.addAsset(headshot, 'avatar');
+await profiles.addAsset(profile.id!, headshot, 'gallery', 1);
+
+const avatarAssets = await profile.getAssets('avatar');
+const galleryAssets = await profiles.getAssets(profile.id!, 'gallery');
+```
+
+## API
+
+### Models
+
+| Export | Description |
+|--------|------------|
+| `Profile` | Core identity (STI base for Bot/Organization/Person) |
+| `Bot` | STI subclass for automated agents |
+| `Organization` | STI subclass for companies/groups |
+| `Person` | STI subclass for individuals |
+| `ProfileType` | Profile classification lookup table |
+| `ProfileMetadata` | Per-profile metadata values |
+| `ProfileMetafield` | Controlled vocabulary with validation schema |
+| `ProfileRelationship` | Directional link between two profiles |
+| `ProfileRelationshipType` | Relationship classification with reciprocal flag |
+| `ProfileRelationshipTerm` | Time-bounded relationship periods |
+| `ProfileAsset` | Dedicated owned-asset join stored in `profile_assets` with `relationship` and `sortOrder` |
+
+### Auth Models
+
+| Export | Description |
+|--------|------------|
+| `OidcIdentity` | OIDC provider identity (issuer + subject) |
+| `NostrIdentity` | Nostr keypair with AES-256-GCM encryption |
+| `ApiKey` | SHA-256 hashed API key with scope and expiry |
+| `MagicLinkToken` | One-time passwordless auth token |
+| `AuditLog` | Action/resource audit trail with source tracking |
+
+### Collections
+
+| Export | Description |
+|--------|------------|
+| `ProfileCollection` | CRUD and query for profiles |
+| `ProfileAssetCollection` | Direct access to `profile_assets` rows plus asset helper wrappers |
+| `ProfileTypeCollection` | Profile type management |
+| `ProfileMetadataCollection` | Metadata value operations |
+| `ProfileMetafieldCollection` | Metafield vocabulary management |
+| `ProfileRelationshipCollection` | Relationship queries |
+| `ProfileRelationshipTypeCollection` | Relationship type management |
+| `ProfileRelationshipTermCollection` | Term period management |
+| `ApiKeyCollection` | API key lookup and management |
+| `AuditLogCollection` | Audit log queries |
+| `MagicLinkTokenCollection` | Magic link token operations |
+| `NostrIdentityCollection` | Nostr identity lookup (includes NIP-05) |
+| `OidcIdentityCollection` | OIDC identity lookup |
+
+`Profile` and `ProfileCollection` both expose `getAssets()`, `addAsset()`, and
+`removeAsset()` helpers backed by `profile_assets`. Typical relationships are
+`avatar`, `gallery`, and `attachment`.
+
+### Auth Functions
+
+| Export | Description |
+|--------|------------|
+| `resolveIdentity` | Resolve profile from any auth method |
+| `createProfileFromOidc` | Create profile + OIDC identity in one call |
+| `createProfileFromNostr` | Create profile + Nostr identity in one call |
+| `createAuthEvent` | Create a Nostr auth event |
+| `verifyAuthEvent` | Verify a Nostr auth event signature |
+| `createMagicLinkService` | Factory for magic link auth service |
+| `createNip05Handler` | Factory for NIP-05 address handler |
+
+### Nostr Crypto
+
+| Export | Description |
+|--------|------------|
+| `generateNostrKeypair` | Generate new Nostr keypair |
+| `encryptPrivkey` / `decryptPrivkey` | AES-256-GCM key encryption |
+| `deriveEncryptionKey` | Derive encryption key from master secret |
+| `getPublicKey` | Derive pubkey from privkey |
+| `signEvent` / `computeEventId` | Nostr event signing |
+| `verifyNostrSignature` | Verify Nostr signature |
+| `pubkeyToNpub` / `npubToPubkey` | Bech32 pubkey conversion |
+| `privkeyToNsec` / `nsecToPrivkey` | Bech32 privkey conversion |
+| `isValidPubkey` / `isValidPrivkey` | Key validation |
+| `parseNip05Identifier` / `isValidNip05Identifier` | NIP-05 parsing |
+
+### Key Types
+
+`ProfileOptions`, `ProfileTypeOptions`, `ProfileMetadataOptions`, `ProfileMetafieldOptions`, `ProfileRelationshipOptions`, `ProfileRelationshipTypeOptions`, `ProfileRelationshipTermOptions`, `OidcIdentityOptions`, `NostrIdentityOptions`, `ApiKeyOptions`, `GenerateKeyResult`, `MagicLinkTokenOptions`, `GenerateTokenResult`, `AuditLogOptions`, `AuditSource`, `AuthContext`, `ResolveIdentityResult`, `InitiateResult`, `VerifyResult`, `MagicLinkConfig`, `MagicLinkService`, `Nip05HandlerConfig`, `Nip05HandlerResult`, `Nip05Request`, `Nip05Response`, `NostrEvent`, `NostrKeypair`, `EncryptedKey`, `ValidationSchema`, `ValidatorFunction`, `ReciprocalHandler`
+
+## Dependencies
+
+- `@happyvertical/smrt-core` -- ORM base classes
+- `@happyvertical/ai` -- AI client (SDK)
+- `@happyvertical/sql` -- Database operations (SDK)
+- `@happyvertical/files` -- Filesystem utilities (SDK)
+- `@happyvertical/logger` -- Structured logging (SDK)
+- `@happyvertical/utils` -- Shared utilities (SDK)
+- `@noble/curves` -- Nostr cryptography
+- `bech32` -- Bech32 encoding for Nostr keys
+- Peer: `@happyvertical/smrt-tenancy`

package/dist/chunks/ApiKey-B2LKEaP8.js

@@ -0,0 +1,143 @@
+import { createHash, randomBytes } from "node:crypto";
+import { foreignKey, smrt, SmrtObject } from "@happyvertical/smrt-core";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+let ApiKey = class extends SmrtObject {
+  profileId;
+  /**
+   * SHA-256 hash of the API key
+   */
+  keyHash = "";
+  /**
+   * First 8 characters of the key for identification (e.g., "sk_live_a1b2...")
+   */
+  keyPrefix = "";
+  /**
+   * Human-readable name for the key (e.g., "CI Bot", "Local CLI")
+   */
+  name = "";
+  /**
+   * Scopes/permissions for this key
+   */
+  scopes = [];
+  /**
+   * Last time this key was used
+   */
+  lastUsedAt = null;
+  /**
+   * When this key expires (null = never)
+   */
+  expiresAt = null;
+  /**
+   * When this key was revoked (null = active)
+   */
+  revokedAt = null;
+  constructor(options = {}) {
+    super(options);
+    if (options.profileId) this.profileId = options.profileId;
+    if (options.name) this.name = options.name;
+    if (options.scopes) this.scopes = options.scopes;
+    if (options.expiresAt !== void 0) this.expiresAt = options.expiresAt;
+  }
+  /**
+   * Get the linked Profile
+   */
+  async getProfile() {
+    return await this.getRelated("profileId");
+  }
+  /**
+   * Check if this key is valid (not expired, not revoked)
+   */
+  isValid() {
+    if (this.revokedAt) return false;
+    if (this.expiresAt && this.expiresAt < /* @__PURE__ */ new Date()) return false;
+    return true;
+  }
+  /**
+   * Check if this key has a specific scope
+   */
+  hasScope(scope) {
+    return this.scopes.includes(scope) || this.scopes.includes("*");
+  }
+  /**
+   * Revoke this key
+   */
+  async revoke() {
+    this.revokedAt = /* @__PURE__ */ new Date();
+    await this.save();
+  }
+  /**
+   * Record usage of this key
+   */
+  async recordUsage() {
+    this.lastUsedAt = /* @__PURE__ */ new Date();
+    await this.save();
+  }
+  /**
+   * Hash an API key
+   */
+  static hashKey(key) {
+    return createHash("sha256").update(key).digest("hex");
+  }
+  /**
+   * Generate a new API key for a profile
+   */
+  static async generate(profile, options) {
+    const randomPart = randomBytes(32).toString("hex");
+    const key = `sk_live_${randomPart}`;
+    const keyPrefix = key.substring(0, 16);
+    const keyHash = ApiKey.hashKey(key);
+    const apiKey = new ApiKey({
+      db: options.db || profile.options?.db,
+      profileId: profile.id,
+      name: options.name,
+      scopes: options.scopes || ["*"],
+      expiresAt: options.expiresAt ?? null
+    });
+    apiKey.keyHash = keyHash;
+    apiKey.keyPrefix = keyPrefix;
+    await apiKey.initialize();
+    await apiKey.save();
+    return { key, apiKey };
+  }
+  /**
+   * Verify an API key and return the ApiKey record if valid
+   */
+  static async verify(key, options = {}) {
+    const keyHash = ApiKey.hashKey(key);
+    const { ApiKeyCollection } = await import("./ApiKeyCollection-B6Op817e.js");
+    const collection = await ApiKeyCollection.create(options);
+    const apiKey = await collection.findOne({
+      where: { keyHash }
+    });
+    if (!apiKey) return null;
+    if (!apiKey.isValid()) return null;
+    await apiKey.recordUsage();
+    return apiKey;
+  }
+};
+__decorateClass([
+  foreignKey("Profile", { required: true })
+], ApiKey.prototype, "profileId", 2);
+ApiKey = __decorateClass([
+  smrt({
+    tableName: "api_keys",
+    api: { include: ["list", "get"] },
+    mcp: { include: ["list", "get"] },
+    // create/revoke are admin operations invoked in-process via the CLI; only
+    // read-only list/get are exposed over HTTP.
+    cli: { include: ["list", "get", "create", "revoke"], skipApiCheck: true }
+  })
+], ApiKey);
+export {
+  ApiKey
+};
+//# sourceMappingURL=ApiKey-B2LKEaP8.js.map

package/dist/chunks/ApiKey-B2LKEaP8.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ApiKey-B2LKEaP8.js","sources":["../../src/models/ApiKey.ts"],"sourcesContent":["/**\n * ApiKey - API keys for CLI and CI authentication\n *\n * Provides secure API key management with hashing, scopes, and expiration.\n * Keys are stored as hashes - the plaintext is only returned on creation.\n */\n\nimport { createHash, randomBytes } from 'node:crypto';\nimport {\n  foreignKey,\n  SmrtObject,\n  type SmrtObjectOptions,\n  smrt,\n} from '@happyvertical/smrt-core';\nimport type { Profile } from './Profile';\n\nexport interface ApiKeyOptions extends SmrtObjectOptions {\n  profileId?: string;\n  name?: string;\n  scopes?: string[];\n  expiresAt?: Date | null;\n}\n\nexport interface GenerateKeyResult {\n  key: string;\n  apiKey: ApiKey;\n}\n\n@smrt({\n  tableName: 'api_keys',\n  api: { include: ['list', 'get'] },\n  mcp: { include: ['list', 'get'] },\n  // create/revoke are admin operations invoked in-process via the CLI; only\n  // read-only list/get are exposed over HTTP.\n  cli: { include: ['list', 'get', 'create', 'revoke'], skipApiCheck: true },\n})\nexport class ApiKey extends SmrtObject {\n  /**\n   * Link to the Profile (Person, Organization, Bot)\n   */\n  @foreignKey('Profile', { required: true })\n  profileId?: string;\n\n  /**\n   * SHA-256 hash of the API key\n   */\n  keyHash: string = '';\n\n  /**\n   * First 8 characters of the key for identification (e.g., \"sk_live_a1b2...\")\n   */\n  keyPrefix: string = '';\n\n  /**\n   * Human-readable name for the key (e.g., \"CI Bot\", \"Local CLI\")\n   */\n  name: string = '';\n\n  /**\n   * Scopes/permissions for this key\n   */\n  scopes: string[] = [];\n\n  /**\n   * Last time this key was used\n   */\n  lastUsedAt: Date | null = null;\n\n  /**\n   * When this key expires (null = never)\n   */\n  expiresAt: Date | null = null;\n\n  /**\n   * When this key was revoked (null = active)\n   */\n  revokedAt: Date | null = null;\n\n  constructor(options: ApiKeyOptions = {}) {\n    super(options);\n    if (options.profileId) this.profileId = options.profileId;\n    if (options.name) this.name = options.name;\n    if (options.scopes) this.scopes = options.scopes;\n    if (options.expiresAt !== undefined) this.expiresAt = options.expiresAt;\n  }\n\n  /**\n   * Get the linked Profile\n   */\n  async getProfile(): Promise<Profile | null> {\n    return (await this.getRelated('profileId')) as Profile | null;\n  }\n\n  /**\n   * Check if this key is valid (not expired, not revoked)\n   */\n  isValid(): boolean {\n    if (this.revokedAt) return false;\n    if (this.expiresAt && this.expiresAt < new Date()) return false;\n    return true;\n  }\n\n  /**\n   * Check if this key has a specific scope\n   */\n  hasScope(scope: string): boolean {\n    return this.scopes.includes(scope) || this.scopes.includes('*');\n  }\n\n  /**\n   * Revoke this key\n   */\n  async revoke(): Promise<void> {\n    this.revokedAt = new Date();\n    await this.save();\n  }\n\n  /**\n   * Record usage of this key\n   */\n  async recordUsage(): Promise<void> {\n    this.lastUsedAt = new Date();\n    await this.save();\n  }\n\n  /**\n   * Hash an API key\n   */\n  static hashKey(key: string): string {\n    return createHash('sha256').update(key).digest('hex');\n  }\n\n  /**\n   * Generate a new API key for a profile\n   */\n  static async generate(\n    profile: Profile,\n    options: {\n      name: string;\n      scopes?: string[];\n      expiresAt?: Date | null;\n      db?: SmrtObjectOptions['db'];\n    },\n  ): Promise<GenerateKeyResult> {\n    // Generate a random key: sk_live_<32 random bytes as hex>\n    const randomPart = randomBytes(32).toString('hex');\n    const key = `sk_live_${randomPart}`;\n    const keyPrefix = key.substring(0, 16);\n    const keyHash = ApiKey.hashKey(key);\n\n    const apiKey = new ApiKey({\n      db: options.db || profile.options?.db,\n      profileId: profile.id as string,\n      name: options.name,\n      scopes: options.scopes || ['*'],\n      expiresAt: options.expiresAt ?? null,\n    });\n    apiKey.keyHash = keyHash;\n    apiKey.keyPrefix = keyPrefix;\n\n    await apiKey.initialize();\n    await apiKey.save();\n\n    return { key, apiKey };\n  }\n\n  /**\n   * Verify an API key and return the ApiKey record if valid\n   */\n  static async verify(\n    key: string,\n    options: SmrtObjectOptions = {},\n  ): Promise<ApiKey | null> {\n    const keyHash = ApiKey.hashKey(key);\n\n    const { ApiKeyCollection } = await import(\n      '../collections/ApiKeyCollection'\n    );\n    const collection = await (ApiKeyCollection as any).create(options);\n\n    const apiKey = await collection.findOne({\n      where: { keyHash },\n    });\n\n    if (!apiKey) return null;\n    if (!apiKey.isValid()) return null;\n\n    // Record usage\n    await apiKey.recordUsage();\n\n    return apiKey;\n  }\n}\n"],"names":[],"mappings":";;;;;;;;;;;;AAoCO,IAAM,SAAN,cAAqB,WAAW;AAAA,EAKrC;AAAA;AAAA;AAAA;AAAA,EAKA,UAAkB;AAAA;AAAA;AAAA;AAAA,EAKlB,YAAoB;AAAA;AAAA;AAAA;AAAA,EAKpB,OAAe;AAAA;AAAA;AAAA;AAAA,EAKf,SAAmB,CAAA;AAAA;AAAA;AAAA;AAAA,EAKnB,aAA0B;AAAA;AAAA;AAAA;AAAA,EAK1B,YAAyB;AAAA;AAAA;AAAA;AAAA,EAKzB,YAAyB;AAAA,EAEzB,YAAY,UAAyB,IAAI;AACvC,UAAM,OAAO;AACb,QAAI,QAAQ,UAAW,MAAK,YAAY,QAAQ;AAChD,QAAI,QAAQ,KAAM,MAAK,OAAO,QAAQ;AACtC,QAAI,QAAQ,OAAQ,MAAK,SAAS,QAAQ;AAC1C,QAAI,QAAQ,cAAc,OAAW,MAAK,YAAY,QAAQ;AAAA,EAChE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAAsC;AAC1C,WAAQ,MAAM,KAAK,WAAW,WAAW;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKA,UAAmB;AACjB,QAAI,KAAK,UAAW,QAAO;AAC3B,QAAI,KAAK,aAAa,KAAK,YAAY,oBAAI,KAAA,EAAQ,QAAO;AAC1D,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS,OAAwB;AAC/B,WAAO,KAAK,OAAO,SAAS,KAAK,KAAK,KAAK,OAAO,SAAS,GAAG;AAAA,EAChE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,SAAwB;AAC5B,SAAK,gCAAgB,KAAA;AACrB,UAAM,KAAK,KAAA;AAAA,EACb;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAA6B;AACjC,SAAK,iCAAiB,KAAA;AACtB,UAAM,KAAK,KAAA;AAAA,EACb;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,QAAQ,KAAqB;AAClC,WAAO,WAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO,KAAK;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,SACX,SACA,SAM4B;AAE5B,UAAM,aAAa,YAAY,EAAE,EAAE,SAAS,KAAK;AACjD,UAAM,MAAM,WAAW,UAAU;AACjC,UAAM,YAAY,IAAI,UAAU,GAAG,EAAE;AACrC,UAAM,UAAU,OAAO,QAAQ,GAAG;AAElC,UAAM,SAAS,IAAI,OAAO;AAAA,MACxB,IAAI,QAAQ,MAAM,QAAQ,SAAS;AAAA,MACnC,WAAW,QAAQ;AAAA,MACnB,MAAM,QAAQ;AAAA,MACd,QAAQ,QAAQ,UAAU,CAAC,GAAG;AAAA,MAC9B,WAAW,QAAQ,aAAa;AAAA,IAAA,CACjC;AACD,WAAO,UAAU;AACjB,WAAO,YAAY;AAEnB,UAAM,OAAO,WAAA;AACb,UAAM,OAAO,KAAA;AAEb,WAAO,EAAE,KAAK,OAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,OACX,KACA,UAA6B,IACL;AACxB,UAAM,UAAU,OAAO,QAAQ,GAAG;AAElC,UAAM,EAAE,iBAAA,IAAqB,MAAM,OACjC,gCACF;AACA,UAAM,aAAa,MAAO,iBAAyB,OAAO,OAAO;AAEjE,UAAM,SAAS,MAAM,WAAW,QAAQ;AAAA,MACtC,OAAO,EAAE,QAAA;AAAA,IAAQ,CAClB;AAED,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI,CAAC,OAAO,QAAA,EAAW,QAAO;AAG9B,UAAM,OAAO,YAAA;AAEb,WAAO;AAAA,EACT;AACF;AAvJE,gBAAA;AAAA,EADC,WAAW,WAAW,EAAE,UAAU,MAAM;AAAA,GAJ9B,OAKX,WAAA,aAAA,CAAA;AALW,SAAN,gBAAA;AAAA,EARN,KAAK;AAAA,IACJ,WAAW;AAAA,IACX,KAAK,EAAE,SAAS,CAAC,QAAQ,KAAK,EAAA;AAAA,IAC9B,KAAK,EAAE,SAAS,CAAC,QAAQ,KAAK,EAAA;AAAA;AAAA;AAAA,IAG9B,KAAK,EAAE,SAAS,CAAC,QAAQ,OAAO,UAAU,QAAQ,GAAG,cAAc,KAAA;AAAA,EAAK,CACzE;AAAA,GACY,MAAA;"}

package/dist/chunks/ApiKeyCollection-B6Op817e.js

@@ -0,0 +1,91 @@
+import { SmrtCollection } from "@happyvertical/smrt-core";
+import { ApiKey } from "./ApiKey-B2LKEaP8.js";
+class ApiKeyCollection extends SmrtCollection {
+  static _itemClass = ApiKey;
+  /**
+   * Find all keys for a profile
+   */
+  async findByProfile(profileId) {
+    return await this.list({
+      where: { profileId }
+    });
+  }
+  /**
+   * Find active (non-revoked, non-expired) keys for a profile
+   */
+  async findActiveByProfile(profileId) {
+    const keys = await this.findByProfile(profileId);
+    return keys.filter((key) => key.isValid());
+  }
+  /**
+   * Find key by hash
+   */
+  async findByHash(keyHash) {
+    return await this.findOne({
+      where: { keyHash }
+    });
+  }
+  /**
+   * Verify an API key string and return the record if valid
+   */
+  async verify(key) {
+    const keyHash = ApiKey.hashKey(key);
+    const apiKey = await this.findByHash(keyHash);
+    if (!apiKey) return null;
+    if (!apiKey.isValid()) return null;
+    await apiKey.recordUsage();
+    return apiKey;
+  }
+  /**
+   * Generate a new key for a profile
+   */
+  async generateForProfile(profile, options) {
+    return await ApiKey.generate(profile, {
+      ...options,
+      db: this.options.db
+    });
+  }
+  /**
+   * Revoke all keys for a profile
+   */
+  async revokeAllForProfile(profileId) {
+    const keys = await this.findActiveByProfile(profileId);
+    for (const key of keys) {
+      await key.revoke();
+    }
+    return keys.length;
+  }
+  /**
+   * Revoke a specific key by prefix
+   */
+  async revokeByPrefix(keyPrefix) {
+    const key = await this.findOne({
+      where: { keyPrefix }
+    });
+    if (key && key.isValid()) {
+      await key.revoke();
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Clean up expired keys (soft delete by setting revokedAt)
+   */
+  async cleanupExpired() {
+    const now = /* @__PURE__ */ new Date();
+    const allKeys = await this.list({});
+    let cleaned = 0;
+    for (const key of allKeys) {
+      if (key.expiresAt && key.expiresAt < now && !key.revokedAt) {
+        key.revokedAt = now;
+        await key.save();
+        cleaned++;
+      }
+    }
+    return cleaned;
+  }
+}
+export {
+  ApiKeyCollection
+};
+//# sourceMappingURL=ApiKeyCollection-B6Op817e.js.map

package/dist/chunks/ApiKeyCollection-B6Op817e.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ApiKeyCollection-B6Op817e.js","sources":["../../src/collections/ApiKeyCollection.ts"],"sourcesContent":["/**\n * ApiKeyCollection - Collection for managing API keys\n */\n\nimport { SmrtCollection } from '@happyvertical/smrt-core';\nimport { ApiKey, type GenerateKeyResult } from '../models/ApiKey';\nimport type { Profile } from '../models/Profile';\n\nexport class ApiKeyCollection extends SmrtCollection<ApiKey> {\n  static readonly _itemClass = ApiKey;\n\n  /**\n   * Find all keys for a profile\n   */\n  async findByProfile(profileId: string): Promise<ApiKey[]> {\n    return await this.list({\n      where: { profileId },\n    });\n  }\n\n  /**\n   * Find active (non-revoked, non-expired) keys for a profile\n   */\n  async findActiveByProfile(profileId: string): Promise<ApiKey[]> {\n    const keys = await this.findByProfile(profileId);\n    return keys.filter((key) => key.isValid());\n  }\n\n  /**\n   * Find key by hash\n   */\n  async findByHash(keyHash: string): Promise<ApiKey | null> {\n    return await this.findOne({\n      where: { keyHash },\n    });\n  }\n\n  /**\n   * Verify an API key string and return the record if valid\n   */\n  async verify(key: string): Promise<ApiKey | null> {\n    const keyHash = ApiKey.hashKey(key);\n    const apiKey = await this.findByHash(keyHash);\n\n    if (!apiKey) return null;\n    if (!apiKey.isValid()) return null;\n\n    // Record usage\n    await apiKey.recordUsage();\n\n    return apiKey;\n  }\n\n  /**\n   * Generate a new key for a profile\n   */\n  async generateForProfile(\n    profile: Profile,\n    options: {\n      name: string;\n      scopes?: string[];\n      expiresAt?: Date | null;\n    },\n  ): Promise<GenerateKeyResult> {\n    return await ApiKey.generate(profile, {\n      ...options,\n      db: this.options.db,\n    });\n  }\n\n  /**\n   * Revoke all keys for a profile\n   */\n  async revokeAllForProfile(profileId: string): Promise<number> {\n    const keys = await this.findActiveByProfile(profileId);\n    for (const key of keys) {\n      await key.revoke();\n    }\n    return keys.length;\n  }\n\n  /**\n   * Revoke a specific key by prefix\n   */\n  async revokeByPrefix(keyPrefix: string): Promise<boolean> {\n    const key = await this.findOne({\n      where: { keyPrefix },\n    });\n\n    if (key && key.isValid()) {\n      await key.revoke();\n      return true;\n    }\n    return false;\n  }\n\n  /**\n   * Clean up expired keys (soft delete by setting revokedAt)\n   */\n  async cleanupExpired(): Promise<number> {\n    const now = new Date();\n    const allKeys = await this.list({});\n    let cleaned = 0;\n\n    for (const key of allKeys) {\n      if (key.expiresAt && key.expiresAt < now && !key.revokedAt) {\n        key.revokedAt = now;\n        await key.save();\n        cleaned++;\n      }\n    }\n\n    return cleaned;\n  }\n}\n"],"names":[],"mappings":";;AAQO,MAAM,yBAAyB,eAAuB;AAAA,EAC3D,OAAgB,aAAa;AAAA;AAAA;AAAA;AAAA,EAK7B,MAAM,cAAc,WAAsC;AACxD,WAAO,MAAM,KAAK,KAAK;AAAA,MACrB,OAAO,EAAE,UAAA;AAAA,IAAU,CACpB;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAAoB,WAAsC;AAC9D,UAAM,OAAO,MAAM,KAAK,cAAc,SAAS;AAC/C,WAAO,KAAK,OAAO,CAAC,QAAQ,IAAI,SAAS;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAAW,SAAyC;AACxD,WAAO,MAAM,KAAK,QAAQ;AAAA,MACxB,OAAO,EAAE,QAAA;AAAA,IAAQ,CAClB;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAO,KAAqC;AAChD,UAAM,UAAU,OAAO,QAAQ,GAAG;AAClC,UAAM,SAAS,MAAM,KAAK,WAAW,OAAO;AAE5C,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI,CAAC,OAAO,QAAA,EAAW,QAAO;AAG9B,UAAM,OAAO,YAAA;AAEb,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBACJ,SACA,SAK4B;AAC5B,WAAO,MAAM,OAAO,SAAS,SAAS;AAAA,MACpC,GAAG;AAAA,MACH,IAAI,KAAK,QAAQ;AAAA,IAAA,CAClB;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAAoB,WAAoC;AAC5D,UAAM,OAAO,MAAM,KAAK,oBAAoB,SAAS;AACrD,eAAW,OAAO,MAAM;AACtB,YAAM,IAAI,OAAA;AAAA,IACZ;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,WAAqC;AACxD,UAAM,MAAM,MAAM,KAAK,QAAQ;AAAA,MAC7B,OAAO,EAAE,UAAA;AAAA,IAAU,CACpB;AAED,QAAI,OAAO,IAAI,WAAW;AACxB,YAAM,IAAI,OAAA;AACV,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,iBAAkC;AACtC,UAAM,0BAAU,KAAA;AAChB,UAAM,UAAU,MAAM,KAAK,KAAK,CAAA,CAAE;AAClC,QAAI,UAAU;AAEd,eAAW,OAAO,SAAS;AACzB,UAAI,IAAI,aAAa,IAAI,YAAY,OAAO,CAAC,IAAI,WAAW;AAC1D,YAAI,YAAY;AAChB,cAAM,IAAI,KAAA;AACV;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;"}