@hasna/logs 0.0.1 → 0.2.0

package/src/lib/diagnose.test.ts

@@ -0,0 +1,55 @@
+import { describe, expect, it } from "bun:test"
+import { createTestDb } from "../db/index.ts"
+import { ingestBatch } from "./ingest.ts"
+import { diagnose } from "./diagnose.ts"
+
+function seedProject(db: ReturnType<typeof createTestDb>) {
+  return db.prepare("INSERT INTO projects (name) VALUES ('app') RETURNING id").get() as { id: string }
+}
+
+describe("diagnose", () => {
+  it("returns empty diagnosis for project with no logs", () => {
+    const db = createTestDb()
+    const p = seedProject(db)
+    const result = diagnose(db, p.id)
+    expect(result.project_id).toBe(p.id)
+    expect(result.top_errors).toHaveLength(0)
+    expect(result.summary).toContain("No errors")
+  })
+
+  it("surfaces top errors", () => {
+    const db = createTestDb()
+    const p = seedProject(db)
+    ingestBatch(db, [
+      { level: "error", message: "DB timeout", service: "api", project_id: p.id },
+      { level: "error", message: "DB timeout", service: "api", project_id: p.id },
+      { level: "error", message: "Auth failed", service: "auth", project_id: p.id },
+    ])
+    const result = diagnose(db, p.id)
+    expect(result.top_errors.length).toBeGreaterThan(0)
+    expect(result.top_errors[0]!.message).toBe("DB timeout")
+    expect(result.top_errors[0]!.count).toBe(2)
+  })
+
+  it("populates summary with error info", () => {
+    const db = createTestDb()
+    const p = seedProject(db)
+    ingestBatch(db, [{ level: "error", message: "boom", service: "api", project_id: p.id }])
+    const result = diagnose(db, p.id)
+    expect(result.summary).toContain("error")
+  })
+
+  it("groups error_rate_by_service", () => {
+    const db = createTestDb()
+    const p = seedProject(db)
+    ingestBatch(db, [
+      { level: "error", message: "e1", service: "api", project_id: p.id },
+      { level: "info", message: "i1", service: "api", project_id: p.id },
+      { level: "warn", message: "w1", service: "db", project_id: p.id },
+    ])
+    const result = diagnose(db, p.id)
+    const api = result.error_rate_by_service.find(s => s.service === "api")
+    expect(api?.errors).toBe(1)
+    expect(api?.total).toBe(2)
+  })
+})

package/src/lib/diagnose.ts

@@ -0,0 +1,76 @@
+import type { Database } from "bun:sqlite"
+
+export interface DiagnosisResult {
+  project_id: string
+  window: string
+  top_errors: { message: string; count: number; service: string | null; last_seen: string }[]
+  error_rate_by_service: { service: string | null; errors: number; warns: number; total: number }[]
+  failing_pages: { page_id: string; url: string; error_count: number }[]
+  perf_regressions: { page_id: string; url: string; score_now: number | null; score_prev: number | null; delta: number | null }[]
+  summary: string
+}
+
+export function diagnose(db: Database, projectId: string, since?: string): DiagnosisResult {
+  const window = since ?? new Date(Date.now() - 24 * 3600 * 1000).toISOString()
+
+  // Top errors by message
+  const top_errors = db.prepare(`
+    SELECT message, COUNT(*) as count, service, MAX(timestamp) as last_seen
+    FROM logs
+    WHERE project_id = $p AND level IN ('error','fatal') AND timestamp >= $since
+    GROUP BY message, service
+    ORDER BY count DESC
+    LIMIT 10
+  `).all({ $p: projectId, $since: window }) as DiagnosisResult["top_errors"]
+
+  // Error rate by service
+  const error_rate_by_service = db.prepare(`
+    SELECT service,
+      SUM(CASE WHEN level IN ('error','fatal') THEN 1 ELSE 0 END) as errors,
+      SUM(CASE WHEN level = 'warn' THEN 1 ELSE 0 END) as warns,
+      COUNT(*) as total
+    FROM logs
+    WHERE project_id = $p AND timestamp >= $since
+    GROUP BY service
+    ORDER BY errors DESC
+  `).all({ $p: projectId, $since: window }) as DiagnosisResult["error_rate_by_service"]
+
+  // Failing pages (most errors)
+  const failing_pages = db.prepare(`
+    SELECT l.page_id, p.url, COUNT(*) as error_count
+    FROM logs l
+    JOIN pages p ON p.id = l.page_id
+    WHERE l.project_id = $p AND l.level IN ('error','fatal') AND l.timestamp >= $since AND l.page_id IS NOT NULL
+    GROUP BY l.page_id, p.url
+    ORDER BY error_count DESC
+    LIMIT 10
+  `).all({ $p: projectId, $since: window }) as DiagnosisResult["failing_pages"]
+
+  // Perf regressions: compare latest vs previous snapshot per page
+  const perf_regressions = db.prepare(`
+    SELECT * FROM (
+      SELECT
+        cur.page_id,
+        p.url,
+        cur.score as score_now,
+        prev.score as score_prev,
+        (cur.score - prev.score) as delta
+      FROM performance_snapshots cur
+      JOIN pages p ON p.id = cur.page_id
+      LEFT JOIN performance_snapshots prev ON prev.page_id = cur.page_id AND prev.id != cur.id
+      WHERE cur.project_id = $p
+      AND cur.timestamp = (SELECT MAX(timestamp) FROM performance_snapshots WHERE page_id = cur.page_id)
+      AND (prev.timestamp = (SELECT MAX(timestamp) FROM performance_snapshots WHERE page_id = cur.page_id AND id != cur.id) OR prev.id IS NULL)
+    ) WHERE delta < -5 OR delta IS NULL
+    ORDER BY delta ASC
+    LIMIT 10
+  `).all({ $p: projectId }) as DiagnosisResult["perf_regressions"]
+
+  const totalErrors = top_errors.reduce((s, e) => s + e.count, 0)
+  const topService = error_rate_by_service[0]
+  const summary = totalErrors === 0
+    ? "No errors in this window. All looks good."
+    : `${totalErrors} error(s) detected. Worst service: ${topService?.service ?? "unknown"} (${topService?.errors ?? 0} errors). ${failing_pages.length} page(s) with errors. ${perf_regressions.length} perf regression(s).`
+
+  return { project_id: projectId, window, top_errors, error_rate_by_service, failing_pages, perf_regressions, summary }
+}

package/src/lib/export.test.ts

@@ -0,0 +1,66 @@
+import { describe, expect, it } from "bun:test"
+import { createTestDb } from "../db/index.ts"
+import { ingestBatch } from "./ingest.ts"
+import { exportToCsv, exportToJson } from "./export.ts"
+
+function seed(db: ReturnType<typeof createTestDb>) {
+  ingestBatch(db, [
+    { level: "error", message: "boom", service: "api" },
+    { level: "info", message: "ok", service: "web" },
+    { level: "warn", message: 'has "quotes"', service: "db" },
+  ])
+}
+
+describe("exportToJson", () => {
+  it("exports all logs as JSON array", () => {
+    const db = createTestDb()
+    seed(db)
+    const chunks: string[] = []
+    const count = exportToJson(db, {}, s => chunks.push(s))
+    expect(count).toBe(3)
+    const parsed = JSON.parse(chunks.join(""))
+    expect(Array.isArray(parsed)).toBe(true)
+    expect(parsed).toHaveLength(3)
+  })
+
+  it("filters by level", () => {
+    const db = createTestDb()
+    seed(db)
+    const chunks: string[] = []
+    const count = exportToJson(db, { level: "error" }, s => chunks.push(s))
+    expect(count).toBe(1)
+    const parsed = JSON.parse(chunks.join(""))
+    expect(parsed[0].level).toBe("error")
+  })
+})
+
+describe("exportToCsv", () => {
+  it("exports CSV with header", () => {
+    const db = createTestDb()
+    seed(db)
+    const chunks: string[] = []
+    const count = exportToCsv(db, {}, s => chunks.push(s))
+    expect(count).toBe(3)
+    const csv = chunks.join("")
+    expect(csv).toContain("id,timestamp,level")
+    expect(csv).toContain("error")
+    expect(csv).toContain("boom")
+  })
+
+  it("escapes CSV quotes", () => {
+    const db = createTestDb()
+    seed(db)
+    const chunks: string[] = []
+    exportToCsv(db, { level: "warn" }, s => chunks.push(s))
+    const csv = chunks.join("")
+    expect(csv).toContain('"has ""quotes"""')
+  })
+
+  it("filters by service", () => {
+    const db = createTestDb()
+    seed(db)
+    const chunks: string[] = []
+    const count = exportToCsv(db, { service: "api" }, s => chunks.push(s))
+    expect(count).toBe(1)
+  })
+})

package/src/lib/export.ts

@@ -0,0 +1,65 @@
+import type { Database } from "bun:sqlite"
+import type { LogRow } from "../types/index.ts"
+
+export interface ExportOptions {
+  project_id?: string
+  since?: string
+  until?: string
+  level?: string
+  service?: string
+  limit?: number
+}
+
+function* iterLogs(db: Database, opts: ExportOptions): Generator<LogRow> {
+  const conditions: string[] = []
+  const params: Record<string, unknown> = {}
+  if (opts.project_id) { conditions.push("project_id = $p"); params.$p = opts.project_id }
+  if (opts.since) { conditions.push("timestamp >= $since"); params.$since = opts.since }
+  if (opts.until) { conditions.push("timestamp <= $until"); params.$until = opts.until }
+  if (opts.level) { conditions.push("level = $level"); params.$level = opts.level }
+  if (opts.service) { conditions.push("service = $service"); params.$service = opts.service }
+  const where = conditions.length ? `WHERE ${conditions.join(" AND ")}` : ""
+  const limit = opts.limit ?? 100_000
+
+  // Batch in pages of 1000 to avoid memory issues
+  let offset = 0
+  while (offset < limit) {
+    const batch = db.prepare(`SELECT * FROM logs ${where} ORDER BY timestamp ASC LIMIT 1000 OFFSET $offset`)
+      .all({ ...params, $offset: offset }) as LogRow[]
+    if (!batch.length) break
+    yield* batch
+    offset += batch.length
+    if (batch.length < 1000) break
+  }
+}
+
+export function exportToJson(db: Database, opts: ExportOptions, writeLine: (s: string) => void): number {
+  writeLine("[")
+  let count = 0
+  for (const row of iterLogs(db, opts)) {
+    writeLine((count > 0 ? "," : "") + JSON.stringify(row))
+    count++
+  }
+  writeLine("]")
+  return count
+}
+
+const CSV_HEADER = "id,timestamp,level,service,message,trace_id,url\n"
+
+export function exportToCsv(db: Database, opts: ExportOptions, writeLine: (s: string) => void): number {
+  writeLine(CSV_HEADER)
+  let count = 0
+  for (const row of iterLogs(db, opts)) {
+    const fields = [row.id, row.timestamp, row.level, row.service ?? "", escapeCSV(row.message), row.trace_id ?? "", row.url ?? ""]
+    writeLine(fields.join(",") + "\n")
+    count++
+  }
+  return count
+}
+
+function escapeCSV(s: string): string {
+  if (s.includes(",") || s.includes('"') || s.includes("\n")) {
+    return `"${s.replace(/"/g, '""')}"`
+  }
+  return s
+}

package/src/lib/health.test.ts

@@ -0,0 +1,48 @@
+import { describe, expect, it } from "bun:test"
+import { createTestDb } from "../db/index.ts"
+import { ingestBatch } from "./ingest.ts"
+import { getHealth } from "./health.ts"
+
+describe("getHealth", () => {
+  it("returns status ok", () => {
+    const db = createTestDb()
+    const h = getHealth(db)
+    expect(h.status).toBe("ok")
+  })
+
+  it("counts total logs", () => {
+    const db = createTestDb()
+    ingestBatch(db, [{ level: "info", message: "a" }, { level: "error", message: "b" }])
+    const h = getHealth(db)
+    expect(h.total_logs).toBe(2)
+  })
+
+  it("returns logs_by_level breakdown", () => {
+    const db = createTestDb()
+    ingestBatch(db, [{ level: "info", message: "a" }, { level: "error", message: "b" }, { level: "error", message: "c" }])
+    const h = getHealth(db)
+    expect(h.logs_by_level["error"]).toBe(2)
+    expect(h.logs_by_level["info"]).toBe(1)
+  })
+
+  it("counts projects", () => {
+    const db = createTestDb()
+    db.prepare("INSERT INTO projects (name) VALUES ('p1')").run()
+    db.prepare("INSERT INTO projects (name) VALUES ('p2')").run()
+    const h = getHealth(db)
+    expect(h.projects).toBe(2)
+  })
+
+  it("returns uptime_seconds >= 0", () => {
+    const h = getHealth(createTestDb())
+    expect(h.uptime_seconds).toBeGreaterThanOrEqual(0)
+  })
+
+  it("returns newest and oldest log timestamps", () => {
+    const db = createTestDb()
+    ingestBatch(db, [{ level: "info", message: "first" }, { level: "warn", message: "last" }])
+    const h = getHealth(db)
+    expect(h.oldest_log).toBeTruthy()
+    expect(h.newest_log).toBeTruthy()
+  })
+})

package/src/lib/health.ts

@@ -0,0 +1,51 @@
+import type { Database } from "bun:sqlite"
+
+const startTime = Date.now()
+
+export interface HealthResult {
+  status: "ok"
+  uptime_seconds: number
+  db_size_bytes: number | null
+  projects: number
+  total_logs: number
+  logs_by_level: Record<string, number>
+  oldest_log: string | null
+  newest_log: string | null
+  scheduler_jobs: number
+  open_issues: number
+}
+
+export function getHealth(db: Database): HealthResult {
+  const projects = (db.prepare("SELECT COUNT(*) as c FROM projects").get() as { c: number }).c
+  const total_logs = (db.prepare("SELECT COUNT(*) as c FROM logs").get() as { c: number }).c
+  const scheduler_jobs = (db.prepare("SELECT COUNT(*) as c FROM scan_jobs WHERE enabled = 1").get() as { c: number }).c
+  const open_issues = (db.prepare("SELECT COUNT(*) as c FROM issues WHERE status = 'open'").get() as { c: number }).c
+
+  const levelRows = db.prepare("SELECT level, COUNT(*) as c FROM logs GROUP BY level").all() as { level: string; c: number }[]
+  const logs_by_level = Object.fromEntries(levelRows.map(r => [r.level, r.c]))
+
+  const oldest = db.prepare("SELECT MIN(timestamp) as t FROM logs").get() as { t: string | null }
+  const newest = db.prepare("SELECT MAX(timestamp) as t FROM logs").get() as { t: string | null }
+
+  let db_size_bytes: number | null = null
+  try {
+    const dbPath = process.env.LOGS_DB_PATH
+    if (dbPath) {
+      const { statSync } = require("node:fs")
+      db_size_bytes = statSync(dbPath).size
+    }
+  } catch { /* in-memory or not accessible */ }
+
+  return {
+    status: "ok",
+    uptime_seconds: Math.floor((Date.now() - startTime) / 1000),
+    db_size_bytes,
+    projects,
+    total_logs,
+    logs_by_level,
+    oldest_log: oldest.t,
+    newest_log: newest.t,
+    scheduler_jobs,
+    open_issues,
+  }
+}

package/src/lib/ingest.ts

@@ -1,5 +1,9 @@
 import type { Database } from "bun:sqlite"
 import type { LogEntry, LogRow } from "../types/index.ts"
+import { upsertIssue } from "./issues.ts"
+import { evaluateAlerts } from "./alerts.ts"
+
+const ERROR_LEVELS = new Set(["warn", "error", "fatal"])
 
 export function ingestLog(db: Database, entry: LogEntry): LogRow {
   const stmt = db.prepare(`
@@ -7,7 +11,7 @@ export function ingestLog(db: Database, entry: LogEntry): LogRow {
     VALUES ($project_id, $page_id, $level, $source, $service, $message, $trace_id, $session_id, $agent, $url, $stack_trace, $metadata)
     RETURNING *
   `)
-  return stmt.get({
+  const row = stmt.get({
     $project_id: entry.project_id ?? null,
     $page_id: entry.page_id ?? null,
     $level: entry.level,
@@ -21,6 +25,16 @@ export function ingestLog(db: Database, entry: LogEntry): LogRow {
     $stack_trace: entry.stack_trace ?? null,
     $metadata: entry.metadata ? JSON.stringify(entry.metadata) : null,
   }) as LogRow
+
+  // Side effects: issue grouping + alert evaluation (fire-and-forget)
+  if (ERROR_LEVELS.has(entry.level)) {
+    if (entry.project_id) {
+      upsertIssue(db, { project_id: entry.project_id, level: entry.level, service: entry.service, message: entry.message, stack_trace: entry.stack_trace })
+      evaluateAlerts(db, entry.project_id, entry.service ?? null, entry.level).catch(() => {})
+    }
+  }
+
+  return row
 }
 
 export function ingestBatch(db: Database, entries: LogEntry[]): LogRow[] {
@@ -47,5 +61,14 @@ export function ingestBatch(db: Database, entries: LogEntry[]): LogRow[] {
       }) as LogRow
     )
   )
-  return tx(entries)
+  const rows = tx(entries)
+
+  // Issue grouping for error-level entries (outside transaction for perf)
+  for (const entry of entries) {
+    if (ERROR_LEVELS.has(entry.level) && entry.project_id) {
+      upsertIssue(db, { project_id: entry.project_id, level: entry.level, service: entry.service, message: entry.message, stack_trace: entry.stack_trace })
+    }
+  }
+
+  return rows
 }

package/src/lib/issues.test.ts

@@ -0,0 +1,79 @@
+import { describe, expect, it } from "bun:test"
+import { createTestDb } from "../db/index.ts"
+import { computeFingerprint, getIssue, listIssues, updateIssueStatus, upsertIssue } from "./issues.ts"
+
+function seedProject(db: ReturnType<typeof createTestDb>) {
+  return db.prepare("INSERT INTO projects (name) VALUES ('app') RETURNING id").get() as { id: string }
+}
+
+describe("computeFingerprint", () => {
+  it("returns consistent hash for same input", () => {
+    const a = computeFingerprint("error", "api", "DB connection failed")
+    const b = computeFingerprint("error", "api", "DB connection failed")
+    expect(a).toBe(b)
+  })
+
+  it("returns different hash for different messages", () => {
+    const a = computeFingerprint("error", "api", "timeout")
+    const b = computeFingerprint("error", "api", "DB error")
+    expect(a).not.toBe(b)
+  })
+
+  it("normalizes hex IDs in messages", () => {
+    const a = computeFingerprint("error", "api", "Error for id abc123def456")
+    const b = computeFingerprint("error", "api", "Error for id 000fffaabbcc")
+    expect(a).toBe(b)
+  })
+})
+
+describe("upsertIssue", () => {
+  it("creates a new issue", () => {
+    const db = createTestDb()
+    const p = seedProject(db)
+    const issue = upsertIssue(db, { project_id: p.id, level: "error", service: "api", message: "DB timeout" })
+    expect(issue.id).toBeTruthy()
+    expect(issue.count).toBe(1)
+    expect(issue.status).toBe("open")
+  })
+
+  it("increments count on duplicate", () => {
+    const db = createTestDb()
+    const p = seedProject(db)
+    upsertIssue(db, { project_id: p.id, level: "error", message: "Same error" })
+    upsertIssue(db, { project_id: p.id, level: "error", message: "Same error" })
+    const issue = upsertIssue(db, { project_id: p.id, level: "error", message: "Same error" })
+    expect(issue.count).toBe(3)
+  })
+
+  it("reopens resolved issues", () => {
+    const db = createTestDb()
+    const p = seedProject(db)
+    const issue = upsertIssue(db, { project_id: p.id, level: "error", message: "err" })
+    updateIssueStatus(db, issue.id, "resolved")
+    const reopened = upsertIssue(db, { project_id: p.id, level: "error", message: "err" })
+    expect(reopened.status).toBe("open")
+  })
+})
+
+describe("listIssues", () => {
+  it("filters by project and status", () => {
+    const db = createTestDb()
+    const p = seedProject(db)
+    const issue = upsertIssue(db, { project_id: p.id, level: "error", message: "database connection timed out" })
+    updateIssueStatus(db, issue.id, "resolved")
+    upsertIssue(db, { project_id: p.id, level: "error", message: "authentication service unavailable" })
+    expect(listIssues(db, p.id, "open")).toHaveLength(1)
+    expect(listIssues(db, p.id, "resolved")).toHaveLength(1)
+    expect(listIssues(db, p.id)).toHaveLength(2)
+  })
+})
+
+describe("updateIssueStatus", () => {
+  it("updates status", () => {
+    const db = createTestDb()
+    const p = seedProject(db)
+    const issue = upsertIssue(db, { project_id: p.id, level: "error", message: "x" })
+    const updated = updateIssueStatus(db, issue.id, "ignored")
+    expect(updated?.status).toBe("ignored")
+  })
+})

package/src/lib/issues.ts

@@ -0,0 +1,70 @@
+import type { Database } from "bun:sqlite"
+import { createHash } from "node:crypto"
+
+export interface Issue {
+  id: string
+  project_id: string | null
+  fingerprint: string
+  level: string
+  service: string | null
+  message_template: string
+  first_seen: string
+  last_seen: string
+  count: number
+  status: "open" | "resolved" | "ignored"
+}
+
+export function computeFingerprint(level: string, service: string | null, message: string, stackTrace?: string | null): string {
+  // Normalize message: strip hex IDs, numbers, timestamps
+  const normalized = message
+    .replace(/[0-9a-f]{8,}/gi, "<id>")
+    .replace(/\d+/g, "<n>")
+    .replace(/https?:\/\/[^\s]+/g, "<url>")
+    .trim()
+  const stackFrame = stackTrace ? stackTrace.split("\n").slice(0, 3).join("|") : ""
+  const raw = `${level}|${service ?? ""}|${normalized}|${stackFrame}`
+  return createHash("sha256").update(raw).digest("hex").slice(0, 16)
+}
+
+export function upsertIssue(db: Database, data: {
+  project_id?: string
+  level: string
+  service?: string | null
+  message: string
+  stack_trace?: string | null
+}): Issue {
+  const fingerprint = computeFingerprint(data.level, data.service ?? null, data.message, data.stack_trace)
+  return db.prepare(`
+    INSERT INTO issues (project_id, fingerprint, level, service, message_template)
+    VALUES ($project_id, $fingerprint, $level, $service, $message_template)
+    ON CONFLICT(project_id, fingerprint) DO UPDATE SET
+      count = count + 1,
+      last_seen = strftime('%Y-%m-%dT%H:%M:%fZ','now'),
+      status = CASE WHEN status = 'resolved' THEN 'open' ELSE status END
+    RETURNING *
+  `).get({
+    $project_id: data.project_id ?? null,
+    $fingerprint: fingerprint,
+    $level: data.level,
+    $service: data.service ?? null,
+    $message_template: data.message.slice(0, 500),
+  }) as Issue
+}
+
+export function listIssues(db: Database, projectId?: string, status?: string, limit = 50): Issue[] {
+  const conditions: string[] = []
+  const params: Record<string, unknown> = { $limit: limit }
+  if (projectId) { conditions.push("project_id = $p"); params.$p = projectId }
+  if (status) { conditions.push("status = $status"); params.$status = status }
+  const where = conditions.length ? `WHERE ${conditions.join(" AND ")}` : ""
+  return db.prepare(`SELECT * FROM issues ${where} ORDER BY last_seen DESC LIMIT $limit`).all(params) as Issue[]
+}
+
+export function getIssue(db: Database, id: string): Issue | null {
+  return db.prepare("SELECT * FROM issues WHERE id = $id").get({ $id: id }) as Issue | null
+}
+
+export function updateIssueStatus(db: Database, id: string, status: "open" | "resolved" | "ignored"): Issue | null {
+  return db.prepare("UPDATE issues SET status = $status WHERE id = $id RETURNING *")
+    .get({ $id: id, $status: status }) as Issue | null
+}

package/src/lib/page-auth.test.ts

@@ -0,0 +1,54 @@
+import { describe, expect, it } from "bun:test"
+import { createTestDb } from "../db/index.ts"
+import { deletePageAuth, getPageAuth, setPageAuth } from "./page-auth.ts"
+
+function seedPage(db: ReturnType<typeof createTestDb>) {
+  const p = db.prepare("INSERT INTO projects (name) VALUES ('app') RETURNING id").get() as { id: string }
+  const page = db.prepare("INSERT INTO pages (project_id, url) VALUES (?, 'https://app.com') RETURNING id").get(p.id) as { id: string }
+  return { projectId: p.id, pageId: page.id }
+}
+
+describe("page auth", () => {
+  it("sets and retrieves bearer auth", () => {
+    const db = createTestDb()
+    const { pageId } = seedPage(db)
+    setPageAuth(db, pageId, "bearer", "my-token-123")
+    const auth = getPageAuth(db, pageId)
+    expect(auth?.type).toBe("bearer")
+    expect(auth?.credentials).toBe("my-token-123")
+  })
+
+  it("credentials are encrypted at rest", () => {
+    const db = createTestDb()
+    const { pageId } = seedPage(db)
+    setPageAuth(db, pageId, "bearer", "secret-token")
+    const raw = db.prepare("SELECT credentials FROM page_auth WHERE page_id = ?").get(pageId) as { credentials: string }
+    // Raw value should NOT be the plaintext token
+    expect(raw.credentials).not.toBe("secret-token")
+    expect(raw.credentials).toContain(":")  // IV:encrypted format
+  })
+
+  it("upserts on duplicate page_id", () => {
+    const db = createTestDb()
+    const { pageId } = seedPage(db)
+    setPageAuth(db, pageId, "bearer", "token-v1")
+    setPageAuth(db, pageId, "bearer", "token-v2")
+    const auth = getPageAuth(db, pageId)
+    expect(auth?.credentials).toBe("token-v2")
+    const { c } = db.prepare("SELECT COUNT(*) as c FROM page_auth WHERE page_id = ?").get(pageId) as { c: number }
+    expect(c).toBe(1)
+  })
+
+  it("returns null for unknown page", () => {
+    const db = createTestDb()
+    expect(getPageAuth(db, "nope")).toBeNull()
+  })
+
+  it("deletes auth", () => {
+    const db = createTestDb()
+    const { pageId } = seedPage(db)
+    setPageAuth(db, pageId, "basic", "user:pass")
+    deletePageAuth(db, pageId)
+    expect(getPageAuth(db, pageId)).toBeNull()
+  })
+})

package/src/lib/page-auth.ts

@@ -0,0 +1,48 @@
+import type { Database } from "bun:sqlite"
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto"
+
+const SECRET_KEY = Buffer.from((process.env.LOGS_SECRET_KEY ?? "open-logs-default-key-32bytesXXX").padEnd(32).slice(0, 32))
+
+export interface PageAuth {
+  id: string
+  page_id: string
+  type: "cookie" | "bearer" | "basic"
+  credentials: string
+  created_at: string
+}
+
+function encrypt(text: string): string {
+  const iv = randomBytes(16)
+  const cipher = createCipheriv("aes-256-cbc", SECRET_KEY, iv)
+  const encrypted = Buffer.concat([cipher.update(text, "utf8"), cipher.final()])
+  return iv.toString("hex") + ":" + encrypted.toString("hex")
+}
+
+function decrypt(text: string): string {
+  const [ivHex, encHex] = text.split(":")
+  if (!ivHex || !encHex) return text
+  const iv = Buffer.from(ivHex, "hex")
+  const enc = Buffer.from(encHex, "hex")
+  const decipher = createDecipheriv("aes-256-cbc", SECRET_KEY, iv)
+  return Buffer.concat([decipher.update(enc), decipher.final()]).toString("utf8")
+}
+
+export function setPageAuth(db: Database, pageId: string, type: PageAuth["type"], credentials: string): PageAuth {
+  const encrypted = encrypt(credentials)
+  return db.prepare(`
+    INSERT INTO page_auth (page_id, type, credentials)
+    VALUES ($page_id, $type, $credentials)
+    ON CONFLICT(page_id) DO UPDATE SET type = excluded.type, credentials = excluded.credentials
+    RETURNING *
+  `).get({ $page_id: pageId, $type: type, $credentials: encrypted }) as PageAuth
+}
+
+export function getPageAuth(db: Database, pageId: string): { type: PageAuth["type"]; credentials: string } | null {
+  const row = db.prepare("SELECT * FROM page_auth WHERE page_id = $id").get({ $id: pageId }) as PageAuth | null
+  if (!row) return null
+  return { type: row.type, credentials: decrypt(row.credentials) }
+}
+
+export function deletePageAuth(db: Database, pageId: string): void {
+  db.run("DELETE FROM page_auth WHERE page_id = $id", { $id: pageId })
+}