@hasna/nopen 0.0.1

Files changed (116)
  1. package/README.md +52 -0
  2. package/dist/adapters/cloudflare.d.ts +136 -0
  3. package/dist/adapters/cloudflare.d.ts.map +1 -0
  4. package/dist/adapters/deployment.d.ts +50 -0
  5. package/dist/adapters/deployment.d.ts.map +1 -0
  6. package/dist/adapters/domains.d.ts +44 -0
  7. package/dist/adapters/domains.d.ts.map +1 -0
  8. package/dist/adapters/email.d.ts +20 -0
  9. package/dist/adapters/email.d.ts.map +1 -0
  10. package/dist/adapters/index.d.ts +3 -0
  11. package/dist/adapters/index.d.ts.map +1 -0
  12. package/dist/adapters/sandbox.d.ts +82 -0
  13. package/dist/adapters/sandbox.d.ts.map +1 -0
  14. package/dist/adapters/skills.d.ts +19 -0
  15. package/dist/adapters/skills.d.ts.map +1 -0
  16. package/dist/adapters/stripe.d.ts +85 -0
  17. package/dist/adapters/stripe.d.ts.map +1 -0
  18. package/dist/agents/architect.d.ts +26 -0
  19. package/dist/agents/architect.d.ts.map +1 -0
  20. package/dist/agents/autopilot.d.ts +23 -0
  21. package/dist/agents/autopilot.d.ts.map +1 -0
  22. package/dist/agents/build.d.ts +31 -0
  23. package/dist/agents/build.d.ts.map +1 -0
  24. package/dist/agents/coders.d.ts +77 -0
  25. package/dist/agents/coders.d.ts.map +1 -0
  26. package/dist/agents/deploy-guard.d.ts +18 -0
  27. package/dist/agents/deploy-guard.d.ts.map +1 -0
  28. package/dist/agents/digest.d.ts +12 -0
  29. package/dist/agents/digest.d.ts.map +1 -0
  30. package/dist/agents/goal-build.d.ts +43 -0
  31. package/dist/agents/goal-build.d.ts.map +1 -0
  32. package/dist/agents/harness.d.ts +56 -0
  33. package/dist/agents/harness.d.ts.map +1 -0
  34. package/dist/agents/index.d.ts +10 -0
  35. package/dist/agents/index.d.ts.map +1 -0
  36. package/dist/agents/launch.d.ts +23 -0
  37. package/dist/agents/launch.d.ts.map +1 -0
  38. package/dist/agents/loop.d.ts +24 -0
  39. package/dist/agents/loop.d.ts.map +1 -0
  40. package/dist/agents/models.d.ts +7 -0
  41. package/dist/agents/models.d.ts.map +1 -0
  42. package/dist/agents/moderation.d.ts +22 -0
  43. package/dist/agents/moderation.d.ts.map +1 -0
  44. package/dist/agents/planner.d.ts +40 -0
  45. package/dist/agents/planner.d.ts.map +1 -0
  46. package/dist/agents/reconciler.d.ts +7 -0
  47. package/dist/agents/reconciler.d.ts.map +1 -0
  48. package/dist/agents/reviewer.d.ts +56 -0
  49. package/dist/agents/reviewer.d.ts.map +1 -0
  50. package/dist/agents/scaffolds.d.ts +36 -0
  51. package/dist/agents/scaffolds.d.ts.map +1 -0
  52. package/dist/agents/scheduler.d.ts +19 -0
  53. package/dist/agents/scheduler.d.ts.map +1 -0
  54. package/dist/agents/seeder.d.ts +16 -0
  55. package/dist/agents/seeder.d.ts.map +1 -0
  56. package/dist/agents/tools.d.ts +70 -0
  57. package/dist/agents/tools.d.ts.map +1 -0
  58. package/dist/agents/workers.d.ts +25 -0
  59. package/dist/agents/workers.d.ts.map +1 -0
  60. package/dist/cli/index.d.ts +3 -0
  61. package/dist/cli/index.d.ts.map +1 -0
  62. package/dist/cli/index.js +68984 -0
  63. package/dist/db/client.d.ts +32 -0
  64. package/dist/db/client.d.ts.map +1 -0
  65. package/dist/db/index.d.ts +2 -0
  66. package/dist/db/index.d.ts.map +1 -0
  67. package/dist/db/migrate.d.ts +3 -0
  68. package/dist/db/migrate.d.ts.map +1 -0
  69. package/dist/db/repo.d.ts +320 -0
  70. package/dist/db/repo.d.ts.map +1 -0
  71. package/dist/db/rls.d.ts +16 -0
  72. package/dist/db/rls.d.ts.map +1 -0
  73. package/dist/db/schema.d.ts +3391 -0
  74. package/dist/db/schema.d.ts.map +1 -0
  75. package/dist/index.d.ts +9 -0
  76. package/dist/index.d.ts.map +1 -0
  77. package/dist/index.js +85 -0
  78. package/dist/lib/auth.d.ts +65 -0
  79. package/dist/lib/auth.d.ts.map +1 -0
  80. package/dist/lib/build-agents.d.ts +81 -0
  81. package/dist/lib/build-agents.d.ts.map +1 -0
  82. package/dist/lib/checkout.d.ts +24 -0
  83. package/dist/lib/checkout.d.ts.map +1 -0
  84. package/dist/lib/client.d.ts +52 -0
  85. package/dist/lib/client.d.ts.map +1 -0
  86. package/dist/lib/config.d.ts +118 -0
  87. package/dist/lib/config.d.ts.map +1 -0
  88. package/dist/lib/connect.d.ts +14 -0
  89. package/dist/lib/connect.d.ts.map +1 -0
  90. package/dist/lib/credits.d.ts +52 -0
  91. package/dist/lib/credits.d.ts.map +1 -0
  92. package/dist/lib/doctor.d.ts +25 -0
  93. package/dist/lib/doctor.d.ts.map +1 -0
  94. package/dist/lib/ingest.d.ts +9 -0
  95. package/dist/lib/ingest.d.ts.map +1 -0
  96. package/dist/lib/iprate.d.ts +26 -0
  97. package/dist/lib/iprate.d.ts.map +1 -0
  98. package/dist/lib/mailer.d.ts +15 -0
  99. package/dist/lib/mailer.d.ts.map +1 -0
  100. package/dist/lib/oauth.d.ts +10 -0
  101. package/dist/lib/oauth.d.ts.map +1 -0
  102. package/dist/lib/ratelimit.d.ts +14 -0
  103. package/dist/lib/ratelimit.d.ts.map +1 -0
  104. package/dist/lib/site-template.d.ts +73 -0
  105. package/dist/lib/site-template.d.ts.map +1 -0
  106. package/dist/lib/task-charge.d.ts +10 -0
  107. package/dist/lib/task-charge.d.ts.map +1 -0
  108. package/dist/mcp/index.d.ts +3 -0
  109. package/dist/mcp/index.d.ts.map +1 -0
  110. package/dist/mcp/index.js +5265 -0
  111. package/dist/sdk/index.d.ts +18 -0
  112. package/dist/sdk/index.d.ts.map +1 -0
  113. package/dist/sdk/index.js +4246 -0
  114. package/dist/types/index.d.ts +51 -0
  115. package/dist/types/index.d.ts.map +1 -0
  116. package/package.json +81 -0
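--- a/package/dist/db/client.d.ts
+++ b/package/dist/db/client.d.ts
@@ -0,0 +1,32 @@
+ import { drizzle } from "drizzle-orm/postgres-js";
+ import postgres from "postgres";
+ import * as schema from "./schema.js";
+ type Db = ReturnType<typeof drizzle<typeof schema>>;
+ export declare function postgresOptions(max: number, host?: string | undefined, ssl?: string | undefined): {
+ ssl?: {
+ rejectUnauthorized: boolean;
+ } | undefined;
+ host?: string | undefined;
+ max: number;
+ };
+ export declare function getSql(): postgres.Sql<{}>;
+ /** Contextual db: the active tenant/owner tx if inside one, else the singleton. */
+ export declare function getDb(): Db;
+ export declare function closeDb(): Promise<void>;
+ /**
+ * Run `fn` scoped to a tenant. Inside a tx we `SET LOCAL ROLE nopen_tenant`
+ * (non-owner → RLS enforced) and set app.user_id, so only that tenant's rows
+ * are visible. getDb() inside fn returns the tenant-scoped tx db.
+ */
+ export declare function withTenant<T>(userId: string, fn: (tx: Db) => Promise<T>): Promise<T>;
+ /**
+ * Run `fn` as the platform/system agent (table owner connection → bypasses RLS).
+ * No transaction/role change needed.
+ *
+ * Asserts it is NOT nested inside withTenant: there, getDb() returns the tenant tx,
+ * so the work would run RLS-restricted as the tenant instead of as the owner — a
+ * silent privilege/visibility bug. Owner work must originate outside a tenant scope.
+ */
+ export declare function withOwner<T>(fn: (tx: Db) => Promise<T>): Promise<T>;
+ export { schema };
+ //# sourceMappingURL=client.d.ts.map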
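Review bot: `getDb()` falls back to the singleton whenever it is called outside `withTenant`, and the `withOwner` comment says that connection is the table owner and bypasses RLS, so a tenant-facing code path that forgets the wrapper sees every tenant's rows without any error. The declaration should say so where callers read it, e.g. extend the `getDb` comment to `/** Contextual db: the active tenant tx if inside withTenant, else the owner singleton, which bypasses RLS. Code acting for a user must call this only inside withTenant. */`. Two things cannot be checked from the declarations and are worth confirming in `src/db/client.ts`: that `userId` reaches `app.user_id` as a bound value (for instance through `set_config('app.user_id', $1, true)`) rather than by concatenation into a `SET` statement, and under which `ssl` input `postgresOptions` returns `rejectUnauthorized: false`, since that turns off server-certificate verification for the database connection.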
@@ -0,0 +1 @@
1
+ {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/db/client.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAElD,OAAO,QAAQ,MAAM,UAAU,CAAC;AAEhC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAEtC,KAAK,EAAE,GAAG,UAAU,CAAC,OAAO,OAAO,CAAC,OAAO,MAAM,CAAC,CAAC,CAAC;AAUpD,wBAAgB,eAAe,CAC7B,GAAG,EAAE,MAAM,EACX,IAAI,qBAAsB,EAC1B,GAAG,qBAAqB;;;;;;EASzB;AAED,wBAAgB,MAAM,qBAGrB;AAED,mFAAmF;AACnF,wBAAgB,KAAK,IAAI,EAAE,CAK1B;AAED,wBAAsB,OAAO,kBAM5B;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAOpF;AAED;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAOnE;AAED,OAAO,EAAE,MAAM,EAAE,CAAC"}
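--- a/package/dist/db/index.d.ts
+++ b/package/dist/db/index.d.ts
@@ -0,0 +1,2 @@
+ export {};
+ //# sourceMappingURL=index.d.ts.map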
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/db/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC"}
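--- a/package/dist/db/migrate.d.ts
+++ b/package/dist/db/migrate.d.ts
@@ -0,0 +1,3 @@
+ #!/usr/bin/env bun
+ export {};
+ //# sourceMappingURL=migrate.d.ts.map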
@@ -0,0 +1 @@
1
+ {"version":3,"file":"migrate.d.ts","sourceRoot":"","sources":["../../src/db/migrate.ts"],"names":[],"mappings":""}
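--- a/package/dist/db/repo.d.ts
+++ b/package/dist/db/repo.d.ts
@@ -0,0 +1,320 @@
+ import { sites, agentRuns, goals, appTasks } from "./schema.js";
+ type NewTask = typeof appTasks.$inferInsert;
+ type Task = typeof appTasks.$inferSelect;
+ export declare function createSite(input: {
+ prompt: string;
+ kind?: string;
+ userId?: string | null;
+ }): Promise<{
+ workerName: string | null;
+ domain: string | null;
+ id: string;
+ name: string | null;
+ createdAt: Date;
+ prompt: string;
+ userId: string | null;
+ kind: string;
+ status: "pending" | "planning" | "buying_domain" | "generating" | "deploying" | "configuring_email" | "live" | "failed";
+ liveUrl: string | null;
+ sourceDir: string | null;
+ meta: Record<string, unknown> | null;
+ updatedAt: Date;
+ }>;
+ export declare function updateSite(id: string, patch: Partial<typeof sites.$inferInsert>): Promise<{
+ id: string;
+ userId: string | null;
+ prompt: string;
+ kind: string;
+ name: string | null;
+ domain: string | null;
+ status: "pending" | "planning" | "buying_domain" | "generating" | "deploying" | "configuring_email" | "live" | "failed";
+ workerName: string | null;
+ liveUrl: string | null;
+ sourceDir: string | null;
+ meta: Record<string, unknown> | null;
+ createdAt: Date;
+ updatedAt: Date;
+ }>;
+ export declare function getSite(id: string): Promise<{
+ workerName: string | null;
+ domain: string | null;
+ id: string;
+ name: string | null;
+ createdAt: Date;
+ prompt: string;
+ userId: string | null;
+ kind: string;
+ status: "pending" | "planning" | "buying_domain" | "generating" | "deploying" | "configuring_email" | "live" | "failed";
+ liveUrl: string | null;
+ sourceDir: string | null;
+ meta: Record<string, unknown> | null;
+ updatedAt: Date;
+ } | null>;
+ export declare function listSites(): Promise<{
+ workerName: string | null;
+ domain: string | null;
+ id: string;
+ name: string | null;
+ createdAt: Date;
+ prompt: string;
+ userId: string | null;
+ kind: string;
+ status: "pending" | "planning" | "buying_domain" | "generating" | "deploying" | "configuring_email" | "live" | "failed";
+ liveUrl: string | null;
+ sourceDir: string | null;
+ meta: Record<string, unknown> | null;
+ updatedAt: Date;
+ }[]>;
+ export declare function createRun(input: {
+ siteId: string;
+ agentName: string;
+ prompt: string;
+ }): Promise<{
+ error: string | null;
+ id: string;
+ prompt: string;
+ status: "failed" | "queued" | "running" | "succeeded" | "cancelled";
+ siteId: string | null;
+ lastHeartbeatAt: Date | null;
+ agentName: string;
+ steps: number;
+ costUsd: number | null;
+ startedAt: Date;
+ finishedAt: Date | null;
+ }>;
+ export declare function updateRun(id: string, patch: Partial<typeof agentRuns.$inferInsert>): Promise<{
+ id: string;
+ siteId: string | null;
+ agentName: string;
+ status: "failed" | "queued" | "running" | "succeeded" | "cancelled";
+ prompt: string;
+ steps: number;
+ costUsd: number | null;
+ lastHeartbeatAt: Date | null;
+ error: string | null;
+ startedAt: Date;
+ finishedAt: Date | null;
+ }>;
+ /** Heartbeat: bump the run's lastHeartbeatAt and log an event. */
+ export declare function heartbeat(runId: string, siteId: string, message: string): Promise<void>;
+ export declare function logEvent(input: {
+ runId?: string | null;
+ siteId?: string | null;
+ type: string;
+ message?: string;
+ data?: Record<string, unknown>;
+ }): Promise<void>;
+ /** Recent activity for a site (newest first) — drives the dashboard activity feed. */
+ export declare function listEvents(siteId: string, limit?: number): Promise<{
+ type: string;
+ id: string;
+ data: Record<string, unknown> | null;
+ createdAt: Date;
+ siteId: string | null;
+ runId: string | null;
+ message: string | null;
+ }[]>;
+ export declare function recordDeployment(input: {
+ siteId: string;
+ workerName: string;
+ url: string;
+ success: boolean;
+ versionId?: string | null;
+ }): Promise<{
+ workerName: string;
+ url: string | null;
+ success: boolean;
+ versionId: string | null;
+ id: string;
+ createdAt: Date;
+ siteId: string | null;
+ provider: string;
+ logs: string | null;
+ deployedAt: Date | null;
+ }>;
+ export declare function recordDomain(input: {
+ siteId: string;
+ domain: string;
+ zoneId?: string | null;
+ pricePaidCents?: number | null;
+ }): Promise<{
+ domain: string;
+ zoneId: string | null;
+ pricePaidCents: number | null;
+ id: string;
+ createdAt: Date;
+ siteId: string | null;
+ registrar: string;
+ purchasedAt: Date | null;
+ }>;
+ export declare function createGoal(input: {
+ siteId: string;
+ northStar: string;
+ successMetric?: string | null;
+ budgetCredits?: number;
+ dailyCapCredits?: number;
+ constraints?: Record<string, unknown>;
+ }): Promise<{
+ id: string;
+ createdAt: Date;
+ status: string;
+ updatedAt: Date;
+ siteId: string;
+ northStar: string;
+ successMetric: string | null;
+ budgetCredits: number;
+ dailyCapCredits: number;
+ constraints: Record<string, unknown> | null;
+ }>;
+ export declare function getGoal(siteId: string): Promise<{
+ id: string;
+ createdAt: Date;
+ status: string;
+ updatedAt: Date;
+ siteId: string;
+ northStar: string;
+ successMetric: string | null;
+ budgetCredits: number;
+ dailyCapCredits: number;
+ constraints: Record<string, unknown> | null;
+ } | null>;
+ export declare function updateGoal(siteId: string, patch: Partial<typeof goals.$inferInsert>): Promise<{
+ id: string;
+ siteId: string;
+ northStar: string;
+ successMetric: string | null;
+ budgetCredits: number;
+ dailyCapCredits: number;
+ status: string;
+ constraints: Record<string, unknown> | null;
+ createdAt: Date;
+ updatedAt: Date;
+ } | null>;
+ export declare function insertTasks(rows: NewTask[]): Promise<Task[]>;
+ export declare function listTasks(siteId: string): Promise<Task[]>;
+ export declare function getTask(id: string): Promise<Task | null>;
+ export declare function updateTask(id: string, patch: Partial<NewTask>): Promise<Task | null>;
+ /** Types already `done` for a site (for dependency satisfaction). */
+ export declare function doneTaskTypes(siteId: string): Promise<Set<string>>;
+ /**
+ * Atomically claim the next actionable task for a worker, using FOR UPDATE SKIP
+ * LOCKED so concurrent cycles never grab the same row. "Actionable" = pending,
+ * due (nextRunAt null or past), approved (if required), lease-free, and with all
+ * `dependsOn` types satisfied for its site. Marks it running + increments attempts.
+ */
+ export declare function claimNextTask(workerId: string, leaseMs?: number, siteIds?: string[]): Promise<Task | null>;
+ export declare function createProduct(input: {
+ siteId: string;
+ name: string;
+ priceCents: number;
+ currency?: string;
+ recurring?: string | null;
+ }): Promise<{
+ priceCents: number;
+ currency: string;
+ id: string;
+ name: string;
+ createdAt: Date;
+ updatedAt: Date;
+ siteId: string;
+ recurring: string | null;
+ active: boolean;
+ }>;
+ export declare function getActiveProduct(siteId: string): Promise<{
+ priceCents: number;
+ currency: string;
+ id: string;
+ name: string;
+ createdAt: Date;
+ updatedAt: Date;
+ siteId: string;
+ recurring: string | null;
+ active: boolean;
+ } | null>;
+ export declare function recordPayment(input: {
+ siteId: string;
+ userId?: string | null;
+ amountCents: number;
+ currency?: string;
+ kind?: string;
+ status?: string;
+ stripePaymentIntentId?: string | null;
+ }): Promise<{
+ currency: string;
+ id: string;
+ createdAt: Date;
+ userId: string | null;
+ kind: string;
+ status: string;
+ siteId: string | null;
+ amountCents: number;
+ stripePaymentIntentId: string | null;
+ } | null>;
+ /** Total paid revenue (cents) + order count for a site. */
+ export declare function siteRevenue(siteId: string): Promise<{
+ totalCents: number;
+ orders: number;
+ }>;
+ /** Idempotency: whether an order payment with this intent already exists. */
+ export declare function paymentExists(stripePaymentIntentId: string | null): Promise<boolean>;
+ /** Mark all still-pending tasks for a site as skipped (used when an app is killed). */
+ export declare function skipPendingTasks(siteId: string): Promise<void>;
+ /** Capture a pre-signup lead (email gate for the planner report). */
+ export declare function captureLead(input: {
+ email: string;
+ prompt?: string | null;
+ source?: string;
+ }): Promise<{
+ id: string;
+ email: string;
+ createdAt: Date;
+ prompt: string | null;
+ source: string;
+ convertedUserId: string | null;
+ }>;
+ /** Add an end-user subscriber captured by a generated site. Idempotent per (site,email). */
+ export declare function addSubscriber(input: {
+ siteId: string;
+ email: string;
+ }): Promise<{
+ id: string;
+ email: string;
+ createdAt: Date;
+ siteId: string;
+ nurturedAt: Date | null;
+ } | null>;
+ /** Total subscribers for a site. */
+ export declare function countSubscribers(siteId: string): Promise<number>;
+ /** Subscribers not nurtured since `since` (or never), oldest first. */
+ export declare function listSubscribersToNurture(siteId: string, since: Date, limit?: number): Promise<{
+ id: string;
+ email: string;
+ createdAt: Date;
+ siteId: string;
+ nurturedAt: Date | null;
+ }[]>;
+ /** Stamp subscribers as nurtured (now). */
+ export declare function markSubscribersNurtured(ids: string[], at?: Date): Promise<void>;
+ /** Record a traffic/conversion event for a site. */
+ export declare function recordVisit(input: {
+ siteId: string;
+ kind?: string;
+ path?: string | null;
+ ref?: string | null;
+ }): Promise<{
+ path: string | null;
+ id: string;
+ createdAt: Date;
+ ref: string | null;
+ kind: string;
+ siteId: string;
+ }>;
+ /** Aggregate analytics for a site: total + last-7-day views, conversions, conversion rate. */
+ export declare function siteAnalytics(siteId: string): Promise<{
+ views: number;
+ views7d: number;
+ conversions: number;
+ conversionRate: number;
+ }>;
+ export {};
+ //# sourceMappingURL=repo.d.ts.map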
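Review bot: `updateSite`, `updateRun`, `updateGoal` and `updateTask` accept `patch: Partial<typeof X.$inferInsert>` (or `Partial<NewTask>`), which by the visible return types covers `id`, `userId` or `siteId`, and `createdAt`, so a caller that builds the patch from request input can move a row to another owner or site. Narrow the parameter in `src/db/repo.ts`, for example `patch: Partial<Omit<typeof sites.$inferInsert, "id" | "userId" | "createdAt">>`, and apply the same to the other three. None of these functions takes the acting user, so authorization rests entirely on the caller being inside `withTenant`; a TSDoc line on each exported function stating that requirement would make the contract visible. `paymentExists` followed by `recordPayment` is a check-then-insert pair, and although the `| null` return of `recordPayment` hints at conflict handling, the schema should be checked for a unique index on `stripePaymentIntentId` backing it.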
@@ -0,0 +1 @@
1
+ {"version":3,"file":"repo.d.ts","sourceRoot":"","sources":["../../src/db/repo.ts"],"names":[],"mappings":"AAKA,OAAO,EACL,KAAK,EACL,SAAS,EAIT,KAAK,EACL,QAAQ,EACT,MAAM,aAAa,CAAC;AAErB,KAAK,OAAO,GAAG,OAAO,QAAQ,CAAC,YAAY,CAAC;AAC5C,KAAK,IAAI,GAAG,OAAO,QAAQ,CAAC,YAAY,CAAC;AAEzC,wBAAsB,UAAU,CAAC,KAAK,EAAE;IACtC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;;;;;;;;;;;;;;GAMA;AAED,wBAAsB,UAAU,CAC9B,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,OAAO,CAAC,OAAO,KAAK,CAAC,YAAY,CAAC;;;;;;;;;;;;;;GAQ1C;AAED,wBAAsB,OAAO,CAAC,EAAE,EAAE,MAAM;;;;;;;;;;;;;;UAGvC;AAED,wBAAsB,SAAS;;;;;;;;;;;;;;KAE9B;AAED,wBAAsB,SAAS,CAAC,KAAK,EAAE;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB;;;;;;;;;;;;GAMA;AAED,wBAAsB,SAAS,CAC7B,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,OAAO,CAAC,OAAO,SAAS,CAAC,YAAY,CAAC;;;;;;;;;;;;GAQ9C;AAED,kEAAkE;AAClE,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,iBAG7E;AAED,wBAAsB,QAAQ,CAAC,KAAK,EAAE;IACpC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC,iBAQA;AAED,sFAAsF;AACtF,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,SAAK;;;;;;;;KAO1D;AAED,wBAAsB,gBAAgB,CAAC,KAAK,EAAE;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;;;;;;;;;;;GAaA;AAED,wBAAsB,YAAY,CAAC,KAAK,EAAE;IACxC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC;;;;;;;;;GAYA;AAID,wBAAsB,UAAU,CAAC,KAAK,EAAE;IACtC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACvC;;;;;;;;;;;GAaA;AAED,wBAAsB,OAAO,CAAC,MAAM,EAAE,MAAM;;;;;;;;;;;UAG3C;AAED,wBAAsB,UAAU,CAAC,MAAM,EAAE,
MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,OAAO,KAAK,CAAC,YAAY,CAAC;;;;;;;;;;;UAOzF;AAED,wBAAsB,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAGlE;AAED,wBAAsB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAM/D;AAED,wBAAsB,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAG9D;AAED,wBAAsB,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAO1F;AAED,qEAAqE;AACrE,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAMxE;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,SAAU,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CA8CjH;AAKD,wBAAsB,aAAa,CAAC,KAAK,EAAE;IACzC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;;;;;;;;;;GAYA;AAED,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM;;;;;;;;;;UAMpD;AAED,wBAAsB,aAAa,CAAC,KAAK,EAAE;IACzC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qBAAqB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvC;;;;;;;;;;UAeA;AAED,2DAA2D;AAC3D,wBAAsB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CASjG;AAED,6EAA6E;AAC7E,wBAAsB,aAAa,CAAC,qBAAqB,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAQ1F;AAED,uFAAuF;AACvF,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAKpE;AAKD,qEAAqE;AACrE,wBAAsB,WAAW,CAAC,KAAK,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE;;;;;;;GAMlG;AAKD,4FAA4F;AAC5F,wBAAsB,aAAa,CAAC,KAAK,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE;;;;;;UAO3E;AAED,oCAAoC;AACpC,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAMtE;AAED,uEAAuE;AACvE,wBAAsB,wBAAwB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,SAAK;;;;;;KAYrF;AAED,2CAA2C;AAC3C,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,EA
AE,OAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAM3F;AAKD,oDAAoD;AACpD,wBAAsB,WAAW,CAAC,KAAK,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE;;;;;;;GAMpH;AAED,8FAA8F;AAC9F,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IAC3D,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;CACxB,CAAC,CAYD"}
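--- a/package/dist/db/rls.d.ts
+++ b/package/dist/db/rls.d.ts
@@ -0,0 +1,16 @@
+ /**
+ * Postgres Row-Level Security for multi-tenancy.
+ *
+ * Strategy: ENABLE RLS (not FORCE) + a dedicated non-owner role `nopen_tenant`.
+ * - Platform/agent code connects as the table owner → bypasses RLS naturally
+ * (withOwner / getDb singleton). No wrapping needed.
+ * - Tenant-facing reads run via withTenant, which does `SET LOCAL ROLE
+ * nopen_tenant` + `app.user_id` inside a tx → policies enforced.
+ *
+ * Policies key on current_setting('app.user_id').
+ */
+ import type postgres from "postgres";
+ export declare const RLS_DIRECT_USER_TABLES: readonly ["sites", "subscriptions", "payments", "api_tokens", "credit_ledger", "checkout_sessions"];
+ export declare const RLS_SITE_SCOPED_TABLES: readonly ["domains", "deployments", "agent_runs", "events", "goals", "app_tasks", "products", "subscribers", "visits"];
+ export declare function applyRls(sql: ReturnType<typeof postgres>): Promise<void>;
+ //# sourceMappingURL=rls.d.ts.map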
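Review bot: `RLS_DIRECT_USER_TABLES` and `RLS_SITE_SCOPED_TABLES` are hand-maintained lists, so a table added to the schema but to neither list gets no policy, and under the strategy in the header comment nothing fails when that happens. The lead rows written by `captureLead` in repo.d.ts, for example, do not appear to map to any entry here; whether that is intended depends on the grants given to `nopen_tenant`, which this hunk does not show. A test that compares the schema's table names against the union of both lists plus an explicit exempt list would catch drift. The header comment should also state what the policies do when `app.user_id` is unset, since `current_setting('app.user_id', true)` yields NULL and matches no rows while the one-argument form raises an error. It should also note that, because RLS is enabled rather than forced, the owner credentials are the actual tenant boundary.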
@@ -0,0 +1 @@
1
+ {"version":3,"file":"rls.d.ts","sourceRoot":"","sources":["../../src/db/rls.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,QAAQ,MAAM,UAAU,CAAC;AAErC,eAAO,MAAM,sBAAsB,qGAAsG,CAAC;AAC1I,eAAO,MAAM,sBAAsB,wHAAyH,CAAC;AAI7J,wBAAsB,QAAQ,CAAC,GAAG,EAAE,UAAU,CAAC,OAAO,QAAQ,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAwD9E"}