@kognitivedev/workspace-auth 0.2.29

package/dist/schema.js

@@ -0,0 +1,80 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.productSetupStates = exports.managedProjectApiKeys = exports.apiKeys = exports.projects = exports.organizations = void 0;
+const drizzle_orm_1 = require("drizzle-orm");
+const pg_core_1 = require("drizzle-orm/pg-core");
+exports.organizations = (0, pg_core_1.pgTable)("organizations", {
+    id: (0, pg_core_1.uuid)("id").defaultRandom().primaryKey(),
+    clerkOrgId: (0, pg_core_1.text)("clerk_org_id").notNull(),
+    name: (0, pg_core_1.text)("name").notNull(),
+    slug: (0, pg_core_1.text)("slug").notNull(),
+    createdAt: (0, pg_core_1.timestamp)("created_at").defaultNow().notNull(),
+    updatedAt: (0, pg_core_1.timestamp)("updated_at").defaultNow().notNull(),
+}, (table) => ({
+    clerkOrgIdIdx: (0, pg_core_1.uniqueIndex)("organizations_clerk_org_id_idx").on(table.clerkOrgId),
+    slugIdx: (0, pg_core_1.uniqueIndex)("organizations_slug_idx").on(table.slug),
+}));
+exports.projects = (0, pg_core_1.pgTable)("projects", {
+    id: (0, pg_core_1.uuid)("id").defaultRandom().primaryKey(),
+    organizationId: (0, pg_core_1.uuid)("organization_id").notNull().references(() => exports.organizations.id),
+    name: (0, pg_core_1.text)("name").notNull(),
+    slug: (0, pg_core_1.text)("slug").notNull(),
+    description: (0, pg_core_1.text)("description"),
+    isActive: (0, pg_core_1.boolean)("is_active").default(true).notNull(),
+    createdAt: (0, pg_core_1.timestamp)("created_at").defaultNow().notNull(),
+    updatedAt: (0, pg_core_1.timestamp)("updated_at").defaultNow().notNull(),
+}, (table) => ({
+    orgSlugIdx: (0, pg_core_1.uniqueIndex)("projects_org_slug_idx").on(table.organizationId, table.slug),
+    orgIdx: (0, pg_core_1.index)("projects_org_idx").on(table.organizationId),
+}));
+exports.apiKeys = (0, pg_core_1.pgTable)("api_keys", {
+    id: (0, pg_core_1.uuid)("id").defaultRandom().primaryKey(),
+    projectId: (0, pg_core_1.uuid)("project_id").notNull().references(() => exports.projects.id),
+    keyHash: (0, pg_core_1.text)("key_hash").notNull(),
+    keyPrefix: (0, pg_core_1.text)("key_prefix").notNull(),
+    name: (0, pg_core_1.text)("name"),
+    lastUsedAt: (0, pg_core_1.timestamp)("last_used_at"),
+    expiresAt: (0, pg_core_1.timestamp)("expires_at"),
+    isActive: (0, pg_core_1.boolean)("is_active").default(true).notNull(),
+    createdAt: (0, pg_core_1.timestamp)("created_at").defaultNow().notNull(),
+}, (table) => ({
+    keyHashIdx: (0, pg_core_1.uniqueIndex)("api_keys_key_hash_idx").on(table.keyHash),
+    projectIdx: (0, pg_core_1.index)("api_keys_project_idx").on(table.projectId),
+}));
+exports.managedProjectApiKeys = (0, pg_core_1.pgTable)("managed_project_api_keys", {
+    id: (0, pg_core_1.uuid)("id").defaultRandom().primaryKey(),
+    projectId: (0, pg_core_1.uuid)("project_id").notNull().references(() => exports.projects.id),
+    apiKeyId: (0, pg_core_1.uuid)("api_key_id").notNull().references(() => exports.apiKeys.id),
+    product: (0, pg_core_1.text)("product").notNull(),
+    encryptedKey: (0, pg_core_1.text)("encrypted_key").notNull(),
+    iv: (0, pg_core_1.text)("iv").notNull(),
+    authTag: (0, pg_core_1.text)("auth_tag").notNull(),
+    keyPrefix: (0, pg_core_1.text)("key_prefix").notNull(),
+    createdAt: (0, pg_core_1.timestamp)("created_at").defaultNow().notNull(),
+    updatedAt: (0, pg_core_1.timestamp)("updated_at").defaultNow().notNull(),
+    lastUsedAt: (0, pg_core_1.timestamp)("last_used_at"),
+    revokedAt: (0, pg_core_1.timestamp)("revoked_at"),
+}, (table) => ({
+    projectProductIdx: (0, pg_core_1.index)("managed_project_api_keys_project_product_idx").on(table.projectId, table.product),
+    apiKeyIdx: (0, pg_core_1.uniqueIndex)("managed_project_api_keys_api_key_idx").on(table.apiKeyId),
+    activeProjectProductIdx: (0, pg_core_1.uniqueIndex)("managed_project_api_keys_active_project_product_idx")
+        .on(table.projectId, table.product)
+        .where((0, drizzle_orm_1.sql) `${table.revokedAt} IS NULL`),
+}));
+exports.productSetupStates = (0, pg_core_1.pgTable)("product_setup_states", {
+    id: (0, pg_core_1.uuid)("id").defaultRandom().primaryKey(),
+    organizationId: (0, pg_core_1.uuid)("organization_id").notNull().references(() => exports.organizations.id, { onDelete: "cascade" }),
+    product: (0, pg_core_1.text)("product").notNull(),
+    state: (0, pg_core_1.text)("state").default("not_started").notNull(),
+    projectId: (0, pg_core_1.uuid)("project_id").references(() => exports.projects.id, { onDelete: "set null" }),
+    setupSessionId: (0, pg_core_1.text)("setup_session_id").notNull(),
+    metadata: (0, pg_core_1.jsonb)("metadata").default({}).notNull(),
+    startedAt: (0, pg_core_1.timestamp)("started_at"),
+    completedAt: (0, pg_core_1.timestamp)("completed_at"),
+    createdAt: (0, pg_core_1.timestamp)("created_at").defaultNow().notNull(),
+    updatedAt: (0, pg_core_1.timestamp)("updated_at").defaultNow().notNull(),
+}, (table) => ({
+    orgProductIdx: (0, pg_core_1.uniqueIndex)("product_setup_states_org_product_idx").on(table.organizationId, table.product),
+    projectIdx: (0, pg_core_1.index)("product_setup_states_project_idx").on(table.projectId),
+    sessionIdx: (0, pg_core_1.uniqueIndex)("product_setup_states_setup_session_idx").on(table.setupSessionId),
+}));

package/dist/workspace.d.ts

@@ -0,0 +1,197 @@
+import { type WorkspaceAuthDb } from "./db";
+export declare const ACTIVE_PROJECT_ID_COOKIE = "active_project_id";
+export declare const ACTIVE_PROJECT_SLUG_COOKIE = "active_project_slug";
+export declare const KOGNITIV_VOICE_PRODUCT = "kognitiv-voice";
+export declare const KOGNITIV_VOICE_MANAGED_KEY_NAME = "Managed: Kognitiv Voice";
+export declare const KOGNITIV_APPOINTMENTS_PRODUCT = "kognitiv-appointments";
+export declare const KOGNITIV_APPOINTMENTS_MANAGED_KEY_NAME = "Managed: Kognitiv Appointments";
+type Db = WorkspaceAuthDb;
+export type ProductSetupStateValue = "not_started" | "in_progress" | "completed";
+export declare function slugifyWorkspaceValue(value: string, fallback?: string): string;
+export declare function ensureOrganizationForClerk(input: {
+    clerkOrgId: string;
+    name?: string | null;
+    slug?: string | null;
+    db?: Db;
+}): Promise<{
+    id: string;
+    name: string;
+    clerkOrgId: string;
+    slug: string;
+    createdAt: Date;
+    updatedAt: Date;
+}>;
+export declare function listOrganizationProjects(organizationId: string, db?: Db): Promise<{
+    id: string;
+    name: string;
+    slug: string;
+    createdAt: Date;
+    updatedAt: Date;
+    organizationId: string;
+    description: string | null;
+    isActive: boolean;
+}[]>;
+export declare function getOwnedProject(input: {
+    organizationId: string;
+    projectId: string;
+    db?: Db;
+}): Promise<{
+    id: string;
+    name: string;
+    slug: string;
+    createdAt: Date;
+    updatedAt: Date;
+    organizationId: string;
+    description: string | null;
+    isActive: boolean;
+}>;
+export declare function resolveActiveProject(input: {
+    organizationId: string;
+    activeProjectId?: string | null;
+    db?: Db;
+}): Promise<{
+    project: null;
+    projects: {
+        id: string;
+        name: string;
+        slug: string;
+        createdAt: Date;
+        updatedAt: Date;
+        organizationId: string;
+        description: string | null;
+        isActive: boolean;
+    }[];
+} | {
+    project: {
+        id: string;
+        name: string;
+        slug: string;
+        createdAt: Date;
+        updatedAt: Date;
+        organizationId: string;
+        description: string | null;
+        isActive: boolean;
+    };
+    projects: {
+        id: string;
+        name: string;
+        slug: string;
+        createdAt: Date;
+        updatedAt: Date;
+        organizationId: string;
+        description: string | null;
+        isActive: boolean;
+    }[];
+}>;
+export declare function getProductSetupState(input: {
+    organizationId: string;
+    product: string;
+    db?: Db;
+}): Promise<{
+    state: ProductSetupStateValue;
+    metadata: Record<string, unknown>;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    organizationId: string;
+    projectId: string | null;
+    product: string;
+    setupSessionId: string;
+    startedAt: Date | null;
+    completedAt: Date | null;
+}>;
+export declare function updateProductSetupState(input: {
+    organizationId: string;
+    product: string;
+    state?: ProductSetupStateValue | string | null;
+    projectId?: string | null;
+    metadata?: Record<string, unknown> | null;
+    db?: Db;
+}): Promise<{
+    state: ProductSetupStateValue;
+    metadata: Record<string, unknown>;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    organizationId: string;
+    projectId: string | null;
+    product: string;
+    setupSessionId: string;
+    startedAt: Date | null;
+    completedAt: Date | null;
+}>;
+export declare function resolveProductSetupWorkspace(input: {
+    organizationId: string;
+    product: string;
+    db?: Db;
+}): Promise<{
+    setup: {
+        state: ProductSetupStateValue;
+        metadata: Record<string, unknown>;
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        organizationId: string;
+        projectId: string | null;
+        product: string;
+        setupSessionId: string;
+        startedAt: Date | null;
+        completedAt: Date | null;
+    };
+    project: {
+        id: string;
+        name: string;
+        slug: string;
+        createdAt: Date;
+        updatedAt: Date;
+        organizationId: string;
+        description: string | null;
+        isActive: boolean;
+    } | null;
+    projects: {
+        id: string;
+        name: string;
+        slug: string;
+        createdAt: Date;
+        updatedAt: Date;
+        organizationId: string;
+        description: string | null;
+        isActive: boolean;
+    }[];
+}>;
+export declare function createWorkspaceProject(input: {
+    organizationId: string;
+    name: string;
+    slug?: string | null;
+    description?: string | null;
+    db?: Db;
+}): Promise<{
+    id: string;
+    name: string;
+    slug: string;
+    createdAt: Date;
+    updatedAt: Date;
+    organizationId: string;
+    description: string | null;
+    isActive: boolean;
+}>;
+export declare function hasManagedProjectApiKey(input: {
+    projectId: string;
+    product: string;
+    db?: Db;
+}): Promise<boolean>;
+export declare function ensureManagedProjectApiKey(input: {
+    projectId: string;
+    product: string;
+    name?: string | null;
+    db?: Db;
+}): Promise<{
+    key: string;
+    keyPrefix: string;
+    action: "used";
+} | {
+    key: string;
+    keyPrefix: string;
+    action: "created";
+}>;
+export {};

package/dist/workspace.js

@@ -0,0 +1,300 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KOGNITIV_APPOINTMENTS_MANAGED_KEY_NAME = exports.KOGNITIV_APPOINTMENTS_PRODUCT = exports.KOGNITIV_VOICE_MANAGED_KEY_NAME = exports.KOGNITIV_VOICE_PRODUCT = exports.ACTIVE_PROJECT_SLUG_COOKIE = exports.ACTIVE_PROJECT_ID_COOKIE = void 0;
+exports.slugifyWorkspaceValue = slugifyWorkspaceValue;
+exports.ensureOrganizationForClerk = ensureOrganizationForClerk;
+exports.listOrganizationProjects = listOrganizationProjects;
+exports.getOwnedProject = getOwnedProject;
+exports.resolveActiveProject = resolveActiveProject;
+exports.getProductSetupState = getProductSetupState;
+exports.updateProductSetupState = updateProductSetupState;
+exports.resolveProductSetupWorkspace = resolveProductSetupWorkspace;
+exports.createWorkspaceProject = createWorkspaceProject;
+exports.hasManagedProjectApiKey = hasManagedProjectApiKey;
+exports.ensureManagedProjectApiKey = ensureManagedProjectApiKey;
+const node_crypto_1 = require("node:crypto");
+const drizzle_orm_1 = require("drizzle-orm");
+const crypto_1 = require("./crypto");
+const db_1 = require("./db");
+const schema_1 = require("./schema");
+exports.ACTIVE_PROJECT_ID_COOKIE = "active_project_id";
+exports.ACTIVE_PROJECT_SLUG_COOKIE = "active_project_slug";
+exports.KOGNITIV_VOICE_PRODUCT = "kognitiv-voice";
+exports.KOGNITIV_VOICE_MANAGED_KEY_NAME = "Managed: Kognitiv Voice";
+exports.KOGNITIV_APPOINTMENTS_PRODUCT = "kognitiv-appointments";
+exports.KOGNITIV_APPOINTMENTS_MANAGED_KEY_NAME = "Managed: Kognitiv Appointments";
+const productSetupStateValues = new Set(["not_started", "in_progress", "completed"]);
+function dbOrDefault(db) {
+    return db !== null && db !== void 0 ? db : (0, db_1.getWorkspaceAuthDb)();
+}
+function isUniqueConstraintError(error, constraintName) {
+    var _a;
+    const candidate = error;
+    return Boolean(candidate
+        && candidate.code === "23505"
+        && (candidate.constraint === constraintName
+            || candidate.constraint_name === constraintName
+            || ((_a = candidate.message) === null || _a === void 0 ? void 0 : _a.includes(constraintName))));
+}
+function isManagedKeyUsable(row, now = new Date()) {
+    return Boolean((row === null || row === void 0 ? void 0 : row.isActive) && (!row.expiresAt || row.expiresAt > now));
+}
+function normalizeProductSetupState(value, fallback = "not_started") {
+    return typeof value === "string" && productSetupStateValues.has(value)
+        ? value
+        : fallback;
+}
+function setupSessionId(product, organizationId) {
+    return `${slugifyWorkspaceValue(product, "product")}-setup-${organizationId}-${(0, node_crypto_1.randomUUID)()}`;
+}
+function setupMetadata(value) {
+    return value && typeof value === "object" && !Array.isArray(value) ? value : {};
+}
+function toProductSetupState(row) {
+    return Object.assign(Object.assign({}, row), { state: normalizeProductSetupState(row.state), metadata: setupMetadata(row.metadata) });
+}
+async function findUnrevokedManagedProjectApiKey(db, input) {
+    return db
+        .select({
+        managedId: schema_1.managedProjectApiKeys.id,
+        encryptedKey: schema_1.managedProjectApiKeys.encryptedKey,
+        iv: schema_1.managedProjectApiKeys.iv,
+        authTag: schema_1.managedProjectApiKeys.authTag,
+        apiKeyId: schema_1.apiKeys.id,
+        isActive: schema_1.apiKeys.isActive,
+        expiresAt: schema_1.apiKeys.expiresAt,
+        keyPrefix: schema_1.managedProjectApiKeys.keyPrefix,
+    })
+        .from(schema_1.managedProjectApiKeys)
+        .innerJoin(schema_1.apiKeys, (0, drizzle_orm_1.eq)(schema_1.managedProjectApiKeys.apiKeyId, schema_1.apiKeys.id))
+        .where((0, drizzle_orm_1.and)((0, drizzle_orm_1.eq)(schema_1.managedProjectApiKeys.projectId, input.projectId), (0, drizzle_orm_1.eq)(schema_1.managedProjectApiKeys.product, input.product), (0, drizzle_orm_1.isNull)(schema_1.managedProjectApiKeys.revokedAt)))
+        .orderBy((0, drizzle_orm_1.asc)(schema_1.managedProjectApiKeys.createdAt))
+        .limit(1)
+        .then((rows) => { var _a; return (_a = rows[0]) !== null && _a !== void 0 ? _a : null; });
+}
+async function useExistingManagedProjectApiKey(db, existing) {
+    const rawKey = (0, crypto_1.decryptManagedSecret)(existing);
+    const now = new Date();
+    await Promise.all([
+        db.update(schema_1.apiKeys).set({ lastUsedAt: now }).where((0, drizzle_orm_1.eq)(schema_1.apiKeys.id, existing.apiKeyId)),
+        db.update(schema_1.managedProjectApiKeys).set({ lastUsedAt: now, updatedAt: now }).where((0, drizzle_orm_1.eq)(schema_1.managedProjectApiKeys.id, existing.managedId)),
+    ]);
+    return { key: rawKey, keyPrefix: existing.keyPrefix, action: "used" };
+}
+async function revokeManagedProjectApiKey(db, managedId) {
+    const now = new Date();
+    await db
+        .update(schema_1.managedProjectApiKeys)
+        .set({ revokedAt: now, updatedAt: now })
+        .where((0, drizzle_orm_1.and)((0, drizzle_orm_1.eq)(schema_1.managedProjectApiKeys.id, managedId), (0, drizzle_orm_1.isNull)(schema_1.managedProjectApiKeys.revokedAt)));
+}
+function slugifyWorkspaceValue(value, fallback = "project") {
+    const slug = String(value || "")
+        .trim()
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "");
+    return slug || fallback;
+}
+async function ensureOrganizationForClerk(input) {
+    var _a;
+    const db = dbOrDefault(input.db);
+    const existing = await db
+        .select()
+        .from(schema_1.organizations)
+        .where((0, drizzle_orm_1.eq)(schema_1.organizations.clerkOrgId, input.clerkOrgId))
+        .limit(1)
+        .then((rows) => { var _a; return (_a = rows[0]) !== null && _a !== void 0 ? _a : null; });
+    if (existing)
+        return existing;
+    const name = ((_a = input.name) === null || _a === void 0 ? void 0 : _a.trim()) || input.clerkOrgId;
+    const slug = slugifyWorkspaceValue(input.slug || name || input.clerkOrgId, input.clerkOrgId.toLowerCase());
+    const inserted = await db
+        .insert(schema_1.organizations)
+        .values({ clerkOrgId: input.clerkOrgId, name, slug })
+        .returning();
+    return inserted[0];
+}
+async function listOrganizationProjects(organizationId, db) {
+    return dbOrDefault(db)
+        .select()
+        .from(schema_1.projects)
+        .where((0, drizzle_orm_1.eq)(schema_1.projects.organizationId, organizationId))
+        .orderBy((0, drizzle_orm_1.asc)(schema_1.projects.createdAt), (0, drizzle_orm_1.asc)(schema_1.projects.name));
+}
+async function getOwnedProject(input) {
+    return dbOrDefault(input.db)
+        .select()
+        .from(schema_1.projects)
+        .where((0, drizzle_orm_1.and)((0, drizzle_orm_1.eq)(schema_1.projects.id, input.projectId), (0, drizzle_orm_1.eq)(schema_1.projects.organizationId, input.organizationId)))
+        .limit(1)
+        .then((rows) => { var _a; return (_a = rows[0]) !== null && _a !== void 0 ? _a : null; });
+}
+async function resolveActiveProject(input) {
+    var _a;
+    const orgProjects = await listOrganizationProjects(input.organizationId, input.db);
+    if (orgProjects.length === 0)
+        return { project: null, projects: orgProjects };
+    const activeProject = input.activeProjectId
+        ? (_a = orgProjects.find((project) => project.id === input.activeProjectId)) !== null && _a !== void 0 ? _a : null
+        : null;
+    return { project: activeProject !== null && activeProject !== void 0 ? activeProject : orgProjects[0], projects: orgProjects };
+}
+async function getProductSetupState(input) {
+    const db = dbOrDefault(input.db);
+    const product = input.product.trim();
+    if (!product)
+        throw new Error("Product is required");
+    const existing = await db
+        .select()
+        .from(schema_1.productSetupStates)
+        .where((0, drizzle_orm_1.and)((0, drizzle_orm_1.eq)(schema_1.productSetupStates.organizationId, input.organizationId), (0, drizzle_orm_1.eq)(schema_1.productSetupStates.product, product)))
+        .limit(1)
+        .then((rows) => { var _a; return (_a = rows[0]) !== null && _a !== void 0 ? _a : null; });
+    if (existing)
+        return toProductSetupState(existing);
+    try {
+        const inserted = await db
+            .insert(schema_1.productSetupStates)
+            .values({
+            organizationId: input.organizationId,
+            product,
+            state: "not_started",
+            setupSessionId: setupSessionId(product, input.organizationId),
+        })
+            .returning();
+        return toProductSetupState(inserted[0]);
+    }
+    catch (error) {
+        if (!isUniqueConstraintError(error, "product_setup_states_org_product_idx"))
+            throw error;
+        const row = await db
+            .select()
+            .from(schema_1.productSetupStates)
+            .where((0, drizzle_orm_1.and)((0, drizzle_orm_1.eq)(schema_1.productSetupStates.organizationId, input.organizationId), (0, drizzle_orm_1.eq)(schema_1.productSetupStates.product, product)))
+            .limit(1)
+            .then((rows) => { var _a; return (_a = rows[0]) !== null && _a !== void 0 ? _a : null; });
+        if (!row)
+            throw error;
+        return toProductSetupState(row);
+    }
+}
+async function updateProductSetupState(input) {
+    const db = dbOrDefault(input.db);
+    const existing = await getProductSetupState(input);
+    const nextState = input.state !== undefined && input.state !== null
+        ? normalizeProductSetupState(input.state, existing.state)
+        : input.projectId !== undefined && existing.state === "not_started"
+            ? "in_progress"
+            : existing.state;
+    const now = new Date();
+    const nextMetadata = input.metadata
+        ? Object.assign(Object.assign({}, existing.metadata), input.metadata) : existing.metadata;
+    const updates = Object.assign(Object.assign(Object.assign(Object.assign(Object.assign({ state: nextState }, (input.projectId !== undefined ? { projectId: input.projectId } : {})), { metadata: nextMetadata }), (nextState !== "not_started" && !existing.startedAt ? { startedAt: now } : {})), (nextState === "completed" && !existing.completedAt ? { completedAt: now } : {})), { updatedAt: now });
+    const updated = await db
+        .update(schema_1.productSetupStates)
+        .set(updates)
+        .where((0, drizzle_orm_1.and)((0, drizzle_orm_1.eq)(schema_1.productSetupStates.organizationId, input.organizationId), (0, drizzle_orm_1.eq)(schema_1.productSetupStates.product, input.product)))
+        .returning();
+    return toProductSetupState(updated[0]);
+}
+async function resolveProductSetupWorkspace(input) {
+    var _a;
+    const db = dbOrDefault(input.db);
+    const [setup, orgProjects] = await Promise.all([
+        getProductSetupState({ organizationId: input.organizationId, product: input.product, db }),
+        listOrganizationProjects(input.organizationId, db),
+    ]);
+    const project = setup.projectId
+        ? (_a = orgProjects.find((candidate) => candidate.id === setup.projectId)) !== null && _a !== void 0 ? _a : null
+        : null;
+    return { setup, project, projects: orgProjects };
+}
+async function createWorkspaceProject(input) {
+    var _a;
+    const name = input.name.trim();
+    if (!name)
+        throw new Error("Project name is required");
+    const slug = slugifyWorkspaceValue(input.slug || name);
+    const inserted = await dbOrDefault(input.db)
+        .insert(schema_1.projects)
+        .values({
+        organizationId: input.organizationId,
+        name,
+        slug,
+        description: ((_a = input.description) === null || _a === void 0 ? void 0 : _a.trim()) || null,
+    })
+        .returning();
+    return inserted[0];
+}
+async function hasManagedProjectApiKey(input) {
+    const row = await dbOrDefault(input.db)
+        .select({ id: schema_1.managedProjectApiKeys.id })
+        .from(schema_1.managedProjectApiKeys)
+        .innerJoin(schema_1.apiKeys, (0, drizzle_orm_1.eq)(schema_1.managedProjectApiKeys.apiKeyId, schema_1.apiKeys.id))
+        .where((0, drizzle_orm_1.and)((0, drizzle_orm_1.eq)(schema_1.managedProjectApiKeys.projectId, input.projectId), (0, drizzle_orm_1.eq)(schema_1.managedProjectApiKeys.product, input.product), (0, drizzle_orm_1.isNull)(schema_1.managedProjectApiKeys.revokedAt), (0, drizzle_orm_1.eq)(schema_1.apiKeys.isActive, true)))
+        .limit(1)
+        .then((rows) => { var _a; return (_a = rows[0]) !== null && _a !== void 0 ? _a : null; });
+    return Boolean(row);
+}
+async function ensureManagedProjectApiKey(input) {
+    const db = dbOrDefault(input.db);
+    for (let attempt = 0; attempt < 3; attempt += 1) {
+        const existing = await findUnrevokedManagedProjectApiKey(db, input);
+        if (existing && isManagedKeyUsable(existing)) {
+            return useExistingManagedProjectApiKey(db, existing);
+        }
+        if (existing) {
+            await revokeManagedProjectApiKey(db, existing.managedId);
+            continue;
+        }
+        const rawKey = (0, crypto_1.createRawApiKey)();
+        const keyPrefix = (0, crypto_1.getApiKeyPrefix)(rawKey);
+        const encrypted = (0, crypto_1.encryptManagedSecret)(rawKey);
+        try {
+            const inserted = await db.transaction(async (tx) => {
+                var _a;
+                const [apiKey] = await tx
+                    .insert(schema_1.apiKeys)
+                    .values({
+                    projectId: input.projectId,
+                    keyHash: (0, crypto_1.hashApiKey)(rawKey),
+                    keyPrefix,
+                    name: ((_a = input.name) === null || _a === void 0 ? void 0 : _a.trim()) || null,
+                })
+                    .returning();
+                const [managed] = await tx
+                    .insert(schema_1.managedProjectApiKeys)
+                    .values({
+                    projectId: input.projectId,
+                    apiKeyId: apiKey.id,
+                    product: input.product,
+                    encryptedKey: encrypted.encryptedKey,
+                    iv: encrypted.iv,
+                    authTag: encrypted.authTag,
+                    keyPrefix,
+                })
+                    .returning();
+                return { apiKey, managed };
+            });
+            return { key: rawKey, keyPrefix: inserted.managed.keyPrefix, action: "created" };
+        }
+        catch (error) {
+            if (!isUniqueConstraintError(error, "managed_project_api_keys_active_project_product_idx")) {
+                throw error;
+            }
+            const raced = await findUnrevokedManagedProjectApiKey(db, input);
+            if (raced && isManagedKeyUsable(raced)) {
+                return useExistingManagedProjectApiKey(db, raced);
+            }
+            if (raced) {
+                await revokeManagedProjectApiKey(db, raced.managedId);
+            }
+        }
+    }
+    const existing = await findUnrevokedManagedProjectApiKey(db, input);
+    if (existing && isManagedKeyUsable(existing)) {
+        return useExistingManagedProjectApiKey(db, existing);
+    }
+    throw new Error("Unable to ensure managed project API key");
+}

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@kognitivedev/workspace-auth",
+  "version": "0.2.29",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc -w --noCheck",
+    "test": "vitest run",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "drizzle-orm": "^0.36.4",
+    "postgres": "^3.4.8"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typescript": "^5.0.0",
+    "vitest": "^4.0.18"
+  },
+  "description": "Shared workspace auth, project selection, and managed credential helpers for Kognitive apps",
+  "license": "MIT"
+}

package/src/__tests__/crypto.test.ts

@@ -0,0 +1,29 @@
+import { describe, expect, it } from "vitest";
+import {
+  createRawApiKey,
+  decryptManagedSecret,
+  encryptManagedSecret,
+  getApiKeyPrefix,
+  hashApiKey,
+} from "../crypto";
+
+const secret = "12345678901234567890123456789012";
+
+describe("workspace auth crypto helpers", () => {
+  it("creates backend-compatible API keys and hashes", () => {
+    const rawKey = createRawApiKey();
+    expect(rawKey).toMatch(/^kog_[a-f0-9]{32}$/);
+    expect(getApiKeyPrefix(rawKey)).toBe(rawKey.slice(0, 8));
+    expect(hashApiKey(rawKey)).toMatch(/^[a-f0-9]{64}$/);
+  });
+
+  it("encrypts and decrypts managed secrets", () => {
+    const encrypted = encryptManagedSecret("kog_secret", secret);
+    expect(encrypted.encryptedKey).not.toBe("kog_secret");
+    expect(decryptManagedSecret(encrypted, secret)).toBe("kog_secret");
+  });
+
+  it("requires a stable 32+ byte secret", () => {
+    expect(() => encryptManagedSecret("kog_secret", "short")).toThrow("KOGNITIVE_MANAGED_CREDENTIAL_SECRET");
+  });
+});