@intx/db 0.1.2

package/src/schema/auth.ts

@@ -0,0 +1,51 @@
+import { boolean, pgTable, text, timestamp } from "drizzle-orm/pg-core";
+
+export const user = pgTable("user", {
+  id: text("id").primaryKey(),
+  name: text("name").notNull(),
+  email: text("email").notNull().unique(),
+  emailVerified: boolean("email_verified").notNull().default(false),
+  image: text("image"),
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+  updatedAt: timestamp("updated_at").notNull().defaultNow(),
+});
+
+export const session = pgTable("session", {
+  id: text("id").primaryKey(),
+  userId: text("user_id")
+    .notNull()
+    .references(() => user.id, { onDelete: "cascade" }),
+  token: text("token").notNull().unique(),
+  expiresAt: timestamp("expires_at").notNull(),
+  ipAddress: text("ip_address"),
+  userAgent: text("user_agent"),
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+  updatedAt: timestamp("updated_at").notNull().defaultNow(),
+});
+
+export const account = pgTable("account", {
+  id: text("id").primaryKey(),
+  userId: text("user_id")
+    .notNull()
+    .references(() => user.id, { onDelete: "cascade" }),
+  accountId: text("account_id").notNull(),
+  providerId: text("provider_id").notNull(),
+  accessToken: text("access_token"),
+  refreshToken: text("refresh_token"),
+  accessTokenExpiresAt: timestamp("access_token_expires_at"),
+  refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
+  scope: text("scope"),
+  idToken: text("id_token"),
+  password: text("password"),
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+  updatedAt: timestamp("updated_at").notNull().defaultNow(),
+});
+
+export const verification = pgTable("verification", {
+  id: text("id").primaryKey(),
+  identifier: text("identifier").notNull(),
+  value: text("value").notNull(),
+  expiresAt: timestamp("expires_at").notNull(),
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+  updatedAt: timestamp("updated_at").notNull().defaultNow(),
+});

package/src/schema/credentials.ts

@@ -0,0 +1,43 @@
+import { jsonb, pgTable, text, timestamp, unique } from "drizzle-orm/pg-core";
+
+import { oauthClient } from "./oauth-clients";
+import { principal } from "./principals";
+import { provider } from "./providers";
+import { tenant } from "./tenants";
+
+export const credential = pgTable(
+  "credential",
+  {
+    id: text("id").primaryKey(),
+    tenantId: text("tenant_id")
+      .notNull()
+      .references(() => tenant.id, { onDelete: "cascade" }),
+    principalId: text("principal_id").references(() => principal.id, {
+      onDelete: "set null",
+    }),
+    providerId: text("provider_id")
+      .notNull()
+      .references(() => provider.id, { onDelete: "cascade" }),
+    oauthClientId: text("oauth_client_id").references(() => oauthClient.id, {
+      onDelete: "set null",
+    }),
+    name: text("name").notNull(),
+    type: text("type", {
+      enum: ["api_key", "oauth_token", "certificate", "other"],
+    }).notNull(),
+    description: text("description"),
+    secret: text("secret").notNull(),
+    refreshSecret: text("refresh_secret"),
+    scopes: text("scopes").array(),
+    expiresAt: timestamp("expires_at"),
+    status: text("status", {
+      enum: ["active", "expired", "revoked", "error"],
+    })
+      .notNull()
+      .default("active"),
+    metadata: jsonb("metadata"),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    updatedAt: timestamp("updated_at").notNull().defaultNow(),
+  },
+  (t) => [unique("credential_tenant_name").on(t.tenantId, t.name)],
+);

package/src/schema/git-tokens.ts

@@ -0,0 +1,83 @@
+import { sql } from "drizzle-orm";
+import {
+  customType,
+  pgTable,
+  text,
+  timestamp,
+  uniqueIndex,
+} from "drizzle-orm/pg-core";
+
+import { user } from "./auth";
+import { principal } from "./principals";
+import { tenant } from "./tenants";
+
+const bytea = customType<{ data: Uint8Array; driverData: Buffer }>({
+  dataType() {
+    return "bytea";
+  },
+  toDriver(value) {
+    return Buffer.from(value);
+  },
+  fromDriver(value) {
+    return new Uint8Array(value);
+  },
+});
+
+// Hub-issued bearer tokens for the smart-HTTP git endpoints. Opaque
+// tokens of the form `itx_pat_<base64>` or `itx_svc_<base64>` whose
+// SHA-256 digest is stored as `tokenHashSha256` (the raw secret is
+// never persisted). Claims that bound the token's authority are
+// modeled as typed columns rather than JSONB so the lookup path can
+// rely on the database to enforce shape.
+//
+// `userId` identifies the owning user and is always set. `principalId`
+// is set for tenant-bound tokens (the user acting in a specific
+// tenant) and null for personal tokens that are not scoped to a
+// principal. `tenantId` is always set for `kind: "svc"` tokens (they
+// are inherently tenant-bound); for `kind: "pat"` it is set only when
+// the user elected a tenant restriction at mint time. `kind`
+// distinguishes interactive personal access tokens (`pat`) from
+// service tokens (`svc`).
+//
+// `actions` stores the canonical RepoStore action vocabulary
+// (`receivePack`, `createPack`, `resolveRef`, ...). The mint API
+// translates user-facing aliases to canonical names before insert.
+// `resource` is the single substrate authz resource string
+// (e.g. `agent-state:ins_xxx`, `asset:def_yyy`) that the token grants
+// access to. `refPattern` is a glob restricting which refs within the
+// resource the token may read or write.
+//
+// Revocation is soft: setting `revokedAt` prevents future use while
+// preserving the row for audit. The partial unique index on
+// `(user_id, name)` filtered by `revoked_at is null` lets a user
+// reuse a friendly name (e.g. "laptop") after revoking the old
+// token bearing that name.
+export const gitToken = pgTable(
+  "git_token",
+  {
+    id: text("id").primaryKey(),
+    tenantId: text("tenant_id").references(() => tenant.id),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    principalId: text("principal_id").references(() => principal.id, {
+      onDelete: "cascade",
+    }),
+    name: text("name").notNull(),
+    kind: text("kind", { enum: ["pat", "svc"] }).notNull(),
+    tokenHashSha256: bytea("token_hash_sha256").notNull().unique(),
+    resource: text("resource").notNull(),
+    refPattern: text("ref_pattern").notNull(),
+    actions: text("actions").array().notNull(),
+    expiresAt: timestamp("expires_at", { withTimezone: true }).notNull(),
+    revokedAt: timestamp("revoked_at", { withTimezone: true }),
+    createdAt: timestamp("created_at", { withTimezone: true })
+      .notNull()
+      .defaultNow(),
+  },
+  (t) => [
+    uniqueIndex("git_token_user_id_name_active_idx")
+      .on(t.userId, t.name)
+      .where(sql`${t.revokedAt} is null`),
+  ],
+);

package/src/schema/grants.ts

@@ -0,0 +1,26 @@
+import { jsonb, pgTable, text, timestamp } from "drizzle-orm/pg-core";
+
+import { principal } from "./principals";
+import { role } from "./roles";
+import { tenant } from "./tenants";
+
+export const grant = pgTable("grant", {
+  id: text("id").primaryKey(),
+  tenantId: text("tenant_id")
+    .notNull()
+    .references(() => tenant.id, { onDelete: "cascade" }),
+  roleId: text("role_id").references(() => role.id, { onDelete: "cascade" }),
+  principalId: text("principal_id").references(() => principal.id, {
+    onDelete: "cascade",
+  }),
+  resource: text("resource").notNull(),
+  action: text("action").notNull(),
+  effect: text("effect", { enum: ["allow", "deny", "ask"] }).notNull(),
+  conditions: jsonb("conditions"),
+  origin: text("origin", {
+    enum: ["system", "role", "creator", "invoker"],
+  }).notNull(),
+  expiresAt: timestamp("expires_at"),
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+  updatedAt: timestamp("updated_at").notNull().defaultNow(),
+});

package/src/schema/index.ts

@@ -0,0 +1,19 @@
+export * from "./auth";
+export * from "./tenants";
+export * from "./principals";
+export * from "./roles";
+export * from "./grants";
+export * from "./agents";
+export * from "./providers";
+export * from "./oauth-clients";
+export * from "./credentials";
+export * from "./assets";
+export * from "./agent-assets";
+export * from "./wallets";
+export * from "./offerings";
+export * from "./sidecar";
+export * from "./sessions";
+export * from "./instances";
+export * from "./session-assets";
+export * from "./messages";
+export * from "./git-tokens";

package/src/schema/instances.ts

@@ -0,0 +1,36 @@
+import { pgTable, text, timestamp } from "drizzle-orm/pg-core";
+
+import { agent, agentVersion } from "./agents";
+import { agentSession } from "./sessions";
+import { principal } from "./principals";
+import { sidecar } from "./sidecar";
+import { tenant } from "./tenants";
+
+export const agentInstance = pgTable("agent_instance", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id")
+    .notNull()
+    .references(() => agent.id, { onDelete: "cascade" }),
+  tenantId: text("tenant_id")
+    .notNull()
+    .references(() => tenant.id, { onDelete: "cascade" }),
+  principalId: text("principal_id")
+    .notNull()
+    .references(() => principal.id),
+  address: text("address").notNull().unique(),
+  versionId: text("version_id").references(() => agentVersion.id),
+  sessionId: text("session_id").references(() => agentSession.id),
+  status: text("status", {
+    enum: ["deployed", "running", "updating", "error", "stopped"],
+  })
+    .notNull()
+    .default("deployed"),
+  sidecarId: text("sidecar_id").references(() => sidecar.id, {
+    onDelete: "set null",
+  }),
+  publicKey: text("public_key"),
+  kernelId: text("kernel_id"),
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+  updatedAt: timestamp("updated_at").notNull().defaultNow(),
+  endedAt: timestamp("ended_at"),
+});

package/src/schema/messages.ts

@@ -0,0 +1,108 @@
+import {
+  customType,
+  index,
+  integer,
+  jsonb,
+  pgTable,
+  text,
+  timestamp,
+} from "drizzle-orm/pg-core";
+
+import { agentInstance } from "./instances";
+import { agentSession } from "./sessions";
+import { tenant } from "./tenants";
+
+const bytea = customType<{ data: Uint8Array; driverData: Buffer }>({
+  dataType() {
+    return "bytea";
+  },
+  toDriver(value) {
+    return Buffer.from(value);
+  },
+  fromDriver(value) {
+    return new Uint8Array(value);
+  },
+});
+
+export const inferenceTurn = pgTable(
+  "inference_turn",
+  {
+    id: text("id").primaryKey(),
+    sessionId: text("session_id")
+      .notNull()
+      .references(() => agentSession.id, { onDelete: "cascade" }),
+    instanceId: text("instance_id")
+      .notNull()
+      .references(() => agentInstance.id, { onDelete: "cascade" }),
+    tenantId: text("tenant_id")
+      .notNull()
+      .references(() => tenant.id, { onDelete: "cascade" }),
+    model: text("model").notNull(),
+    status: text("status", { enum: ["running", "completed", "failed"] })
+      .notNull()
+      .default("running"),
+    startedAt: timestamp("started_at").notNull(),
+    endedAt: timestamp("ended_at"),
+  },
+  (t) => [
+    index("inference_turn_instance_id_started_at_idx").on(
+      t.instanceId,
+      t.startedAt,
+    ),
+  ],
+);
+
+export const turnPart = pgTable("turn_part", {
+  id: text("id").primaryKey(),
+  turnId: text("turn_id")
+    .notNull()
+    .references(() => inferenceTurn.id, { onDelete: "cascade" }),
+  sessionId: text("session_id")
+    .notNull()
+    .references(() => agentSession.id, { onDelete: "cascade" }),
+  type: text("type", {
+    enum: [
+      "text",
+      "reasoning",
+      "tool",
+      "file",
+      "error",
+      "refusal",
+      "step-start",
+      "step-finish",
+      "snapshot",
+      "patch",
+    ],
+  }).notNull(),
+  content: text("content"),
+  metadata: jsonb("metadata"),
+  ordinal: integer("ordinal").notNull(),
+});
+
+export const sessionMail = pgTable(
+  "session_mail",
+  {
+    id: text("id").primaryKey(),
+    sessionId: text("session_id")
+      .notNull()
+      .references(() => agentSession.id, { onDelete: "cascade" }),
+    instanceId: text("instance_id").references(() => agentInstance.id, {
+      onDelete: "set null",
+    }),
+    tenantId: text("tenant_id")
+      .notNull()
+      .references(() => tenant.id, { onDelete: "cascade" }),
+    direction: text("direction", { enum: ["inbound", "outbound"] }).notNull(),
+    status: text("status", { enum: ["pending", "delivered"] })
+      .notNull()
+      .default("pending"),
+    raw: bytea("raw").notNull(),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+  },
+  (t) => [
+    index("session_mail_instance_id_created_at_idx").on(
+      t.instanceId,
+      t.createdAt,
+    ),
+  ],
+);

package/src/schema/oauth-clients.ts

@@ -0,0 +1,26 @@
+import { jsonb, pgTable, text, timestamp, unique } from "drizzle-orm/pg-core";
+
+import { provider } from "./providers";
+import { tenant } from "./tenants";
+
+export const oauthClient = pgTable(
+  "oauth_client",
+  {
+    id: text("id").primaryKey(),
+    tenantId: text("tenant_id")
+      .notNull()
+      .references(() => tenant.id, { onDelete: "cascade" }),
+    providerId: text("provider_id")
+      .notNull()
+      .references(() => provider.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    clientId: text("client_id").notNull(),
+    clientSecret: text("client_secret").notNull(),
+    redirectUris: text("redirect_uris").array(),
+    defaultScopes: text("default_scopes").array(),
+    metadata: jsonb("metadata"),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    updatedAt: timestamp("updated_at").notNull().defaultNow(),
+  },
+  (t) => [unique("oauth_client_tenant_provider").on(t.tenantId, t.providerId)],
+);

package/src/schema/offerings.ts

@@ -0,0 +1,20 @@
+import { jsonb, pgTable, text, timestamp } from "drizzle-orm/pg-core";
+
+import { agent } from "./agents";
+import { tenant } from "./tenants";
+
+export const offering = pgTable("offering", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id")
+    .notNull()
+    .references(() => agent.id, { onDelete: "cascade" }),
+  tenantId: text("tenant_id")
+    .notNull()
+    .references(() => tenant.id, { onDelete: "cascade" }),
+  name: text("name").notNull(),
+  description: text("description"),
+  pricing: jsonb("pricing"),
+  schema: jsonb("schema"),
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+  updatedAt: timestamp("updated_at").notNull().defaultNow(),
+});

package/src/schema/principals.ts

@@ -0,0 +1,28 @@
+import { pgTable, text, timestamp, unique } from "drizzle-orm/pg-core";
+
+import { user } from "./auth";
+import { tenant } from "./tenants";
+
+export const principal = pgTable(
+  "principal",
+  {
+    id: text("id").primaryKey(),
+    tenantId: text("tenant_id")
+      .notNull()
+      .references(() => tenant.id, { onDelete: "cascade" }),
+    kind: text("kind", { enum: ["user", "agent"] }).notNull(),
+    refId: text("ref_id").notNull(),
+    status: text("status", {
+      enum: ["active", "suspended", "invited", "deactivated"],
+    }).notNull(),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    updatedAt: timestamp("updated_at").notNull().defaultNow(),
+  },
+  (t) => [unique().on(t.tenantId, t.kind, t.refId)],
+);
+
+// The refId on a user principal points to the auth user table.
+// We don't add a FK constraint because refId also points to agent.id
+// when kind='agent', and Postgres can't do conditional FKs.
+// The application layer enforces referential integrity.
+export { user };

package/src/schema/providers.ts

@@ -0,0 +1,23 @@
+import { jsonb, pgTable, text, timestamp, unique } from "drizzle-orm/pg-core";
+
+import { tenant } from "./tenants";
+
+export const provider = pgTable(
+  "provider",
+  {
+    id: text("id").primaryKey(),
+    tenantId: text("tenant_id")
+      .notNull()
+      .references(() => tenant.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    plugin: text("plugin").notNull(),
+    authorizationUrl: text("authorization_url"),
+    tokenUrl: text("token_url"),
+    userInfoUrl: text("user_info_url"),
+    scopes: text("scopes").array(),
+    metadata: jsonb("metadata"),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    updatedAt: timestamp("updated_at").notNull().defaultNow(),
+  },
+  (t) => [unique("provider_tenant_name").on(t.tenantId, t.name)],
+);

package/src/schema/roles.ts

@@ -0,0 +1,51 @@
+import {
+  boolean,
+  pgTable,
+  primaryKey,
+  text,
+  timestamp,
+} from "drizzle-orm/pg-core";
+
+import { agent } from "./agents";
+import { principal } from "./principals";
+import { tenant } from "./tenants";
+
+export const role = pgTable("role", {
+  id: text("id").primaryKey(),
+  tenantId: text("tenant_id")
+    .notNull()
+    .references(() => tenant.id, { onDelete: "cascade" }),
+  name: text("name").notNull(),
+  description: text("description"),
+  isSystem: boolean("is_system").notNull().default(false),
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+  updatedAt: timestamp("updated_at").notNull().defaultNow(),
+});
+
+export const agentRole = pgTable(
+  "agent_role",
+  {
+    agentId: text("agent_id")
+      .notNull()
+      .references(() => agent.id, { onDelete: "cascade" }),
+    roleId: text("role_id")
+      .notNull()
+      .references(() => role.id, { onDelete: "cascade" }),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+  },
+  (t) => [primaryKey({ columns: [t.agentId, t.roleId] })],
+);
+
+export const principalRole = pgTable(
+  "principal_role",
+  {
+    principalId: text("principal_id")
+      .notNull()
+      .references(() => principal.id, { onDelete: "cascade" }),
+    roleId: text("role_id")
+      .notNull()
+      .references(() => role.id, { onDelete: "cascade" }),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+  },
+  (t) => [primaryKey({ columns: [t.principalId, t.roleId] })],
+);

package/src/schema/session-assets.ts

@@ -0,0 +1,49 @@
+import {
+  index,
+  pgTable,
+  primaryKey,
+  text,
+  timestamp,
+} from "drizzle-orm/pg-core";
+
+import { agentAsset } from "./agent-assets";
+import { agentInstance } from "./instances";
+
+// session_asset rows record per-(instance, agent_asset) pack
+// acknowledgments. A row exists iff the sidecar acked the pack that
+// materialized that asset for that instance. The launchSession flow
+// inserts each row before the corresponding pack send and rolls it
+// back if that single send fails, so each row reflects an ack the
+// hub actually observed for that attachment.
+//
+// Caveat on multi-attachment partial-success: when a session attaches
+// N assets and the fan-out succeeds for attachments 1..k-1 and fails
+// on attachment k, only attachment k's row is rolled back. Rows
+// 1..k-1 stay. The session as a whole never reached the running
+// state — attemptCleanup runs sendAgentUndeploy — but the per-
+// attachment ack invariant holds for the rows that remain.
+// Forensics queries should treat row count as "packs the sidecar
+// acked during this instance's launch," not "sessions that ran with
+// assets." Pairing with agent_instance.status (or its successor
+// session-lifecycle signal) is necessary to distinguish a row left
+// behind by a partially-successful failed launch from one belonging
+// to a fully-running session.
+export const sessionAsset = pgTable(
+  "session_asset",
+  {
+    instanceId: text("instance_id")
+      .notNull()
+      .references(() => agentInstance.id, { onDelete: "cascade" }),
+    agentAssetId: text("agent_asset_id")
+      .notNull()
+      .references(() => agentAsset.id, { onDelete: "cascade" }),
+    mountPath: text("mount_path").notNull(),
+    assetPackSha: text("asset_pack_sha").notNull(),
+    sourceCommitSha: text("source_commit_sha").notNull(),
+    materializedAt: timestamp("materialized_at").notNull().defaultNow(),
+  },
+  (t) => [
+    primaryKey({ columns: [t.instanceId, t.agentAssetId] }),
+    index("session_asset_pack_sha_idx").on(t.assetPackSha),
+  ],
+);

package/src/schema/sessions.ts

@@ -0,0 +1,26 @@
+import { pgTable, text, timestamp } from "drizzle-orm/pg-core";
+
+import { agent } from "./agents";
+import { principal } from "./principals";
+import { tenant } from "./tenants";
+
+export const agentSession = pgTable("agent_session", {
+  id: text("id").primaryKey(),
+  tenantId: text("tenant_id")
+    .notNull()
+    .references(() => tenant.id, { onDelete: "cascade" }),
+  agentId: text("agent_id")
+    .notNull()
+    .references(() => agent.id, { onDelete: "cascade" }),
+  principalId: text("principal_id")
+    .notNull()
+    .references(() => principal.id),
+  status: text("status", {
+    enum: ["active", "ending", "ended"],
+  })
+    .notNull()
+    .default("active"),
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+  updatedAt: timestamp("updated_at").notNull().defaultNow(),
+  endedAt: timestamp("ended_at"),
+});

package/src/schema/sidecar.ts

@@ -0,0 +1,14 @@
+import { pgTable, text, timestamp } from "drizzle-orm/pg-core";
+
+export const sidecar = pgTable("sidecar", {
+  id: text("id").primaryKey(),
+  url: text("url").notNull(),
+  status: text("status", {
+    enum: ["online", "offline", "error"],
+  })
+    .notNull()
+    .default("online"),
+  lastHeartbeat: timestamp("last_heartbeat"),
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+  updatedAt: timestamp("updated_at").notNull().defaultNow(),
+});

package/src/schema/tenants.ts

@@ -0,0 +1,41 @@
+import {
+  foreignKey,
+  jsonb,
+  pgTable,
+  text,
+  timestamp,
+  unique,
+} from "drizzle-orm/pg-core";
+
+export const tenant = pgTable(
+  "tenant",
+  {
+    id: text("id").primaryKey(),
+    name: text("name").notNull(),
+    slug: text("slug").notNull().unique(),
+    domain: text("domain").notNull().unique(),
+    parentId: text("parent_id"),
+    config: jsonb("config"),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    updatedAt: timestamp("updated_at").notNull().defaultNow(),
+  },
+  (t) => [foreignKey({ columns: [t.parentId], foreignColumns: [t.id] })],
+);
+
+export const federationTrust = pgTable(
+  "federation_trust",
+  {
+    id: text("id").primaryKey(),
+    tenantId: text("tenant_id")
+      .notNull()
+      .references(() => tenant.id, { onDelete: "cascade" }),
+    targetTenantId: text("target_tenant_id")
+      .notNull()
+      .references(() => tenant.id, { onDelete: "cascade" }),
+    direction: text("direction", {
+      enum: ["inbound", "outbound", "bilateral"],
+    }).notNull(),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+  },
+  (t) => [unique().on(t.tenantId, t.targetTenantId)],
+);