npm - @minion-stack/db - Versions diffs - 0.2.0 → 0.3.1 - Mend

@minion-stack/db 0.2.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (67) hide show

package/dist/pg/crypto.d.ts +8 -0
package/dist/pg/crypto.d.ts.map +1 -0
package/dist/pg/crypto.js +42 -0
package/dist/pg/crypto.js.map +1 -0
package/dist/pg/crypto.test.d.ts +2 -0
package/dist/pg/crypto.test.d.ts.map +1 -0
package/dist/pg/crypto.test.js +25 -0
package/dist/pg/crypto.test.js.map +1 -0
package/dist/pg/identity-mapper.d.ts +36 -0
package/dist/pg/identity-mapper.d.ts.map +1 -0
package/dist/pg/identity-mapper.js +18 -0
package/dist/pg/identity-mapper.js.map +1 -0
package/dist/pg/identity-mapper.test.d.ts +2 -0
package/dist/pg/identity-mapper.test.d.ts.map +1 -0
package/dist/pg/identity-mapper.test.js +32 -0
package/dist/pg/identity-mapper.test.js.map +1 -0
package/dist/pg/schema/gateway.d.ts +262 -0
package/dist/pg/schema/gateway.d.ts.map +1 -0
package/dist/pg/schema/gateway.js +36 -0
package/dist/pg/schema/gateway.js.map +1 -0
package/dist/pg/schema/index.d.ts +8 -0
package/dist/pg/schema/index.d.ts.map +1 -0
package/dist/pg/schema/index.js +8 -0
package/dist/pg/schema/index.js.map +1 -0
package/dist/pg/schema/join.d.ts +406 -0
package/dist/pg/schema/join.d.ts.map +1 -0
package/dist/pg/schema/join.js +37 -0
package/dist/pg/schema/join.js.map +1 -0
package/dist/pg/schema/profiles.d.ts +151 -0
package/dist/pg/schema/profiles.d.ts.map +1 -0
package/dist/pg/schema/profiles.js +23 -0
package/dist/pg/schema/profiles.js.map +1 -0
package/dist/pg/schema/user-identities.d.ts +237 -0
package/dist/pg/schema/user-identities.d.ts.map +1 -0
package/dist/pg/schema/user-identities.js +31 -0
package/dist/pg/schema/user-identities.js.map +1 -0
package/dist/schema/index.d.ts +3 -0
package/dist/schema/index.d.ts.map +1 -1
package/dist/schema/index.js +2 -0
package/dist/schema/index.js.map +1 -1
package/dist/schema/personal-agents.d.ts +1 -1
package/dist/schema/reliability-events.d.ts +1 -1
package/dist/schema/server-provision-configs.d.ts +1 -1
package/dist/schema/session-tasks.d.ts +1 -1
package/dist/schema/skill-execution-stats.d.ts +1 -1
package/dist/schema/tasks.d.ts +1 -1
package/dist/schema/user-identities.d.ts +254 -0
package/dist/schema/user-identities.d.ts.map +1 -0
package/dist/schema/user-identities.js +30 -0
package/dist/schema/user-identities.js.map +1 -0
package/dist/schema/workspace-membership.d.ts +94 -0
package/dist/schema/workspace-membership.d.ts.map +1 -0
package/dist/schema/workspace-membership.js +24 -0
package/dist/schema/workspace-membership.js.map +1 -0
package/package.json +14 -4
package/src/pg/crypto.test.ts +28 -0
package/src/pg/crypto.ts +44 -0
package/src/pg/identity-mapper.test.ts +35 -0
package/src/pg/identity-mapper.ts +48 -0
package/src/pg/schema/gateway.ts +37 -0
package/src/pg/schema/index.ts +14 -0
package/src/pg/schema/join.ts +38 -0
package/src/pg/schema/profiles.ts +23 -0
package/src/pg/schema/user-identities.ts +35 -0
package/src/schema/index.ts +3 -0
package/src/schema/user-identities.ts +34 -0
package/src/schema/workspace-membership.ts +31 -0

package/dist/pg/crypto.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
+export declare function sealSecret(plaintext: string): {
+    ciphertext: string;
+    iv: string;
+};
+/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
+export declare function openSecret(ciphertext: string, iv: string): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/pg/crypto.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/pg/crypto.ts"],"names":[],"mappings":"AAyBA,mFAAmF;AACnF,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAOhF;AAED,oFAAoF;AACpF,wBAAgB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,MAAM,CAOjE"}

package/dist/pg/crypto.js ADDED Viewed

@@ -0,0 +1,42 @@
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';
+const ALGORITHM = 'aes-256-gcm';
+const IV_BYTES = 12;
+const AUTH_TAG_BYTES = 16;
+// MUST match minion_hub/src/server/auth/crypto.ts so hub + site interoperate:
+//   key = scryptSync(ENCRYPTION_KEY, 'minion-hub-salt', 32)
+//   ciphertext (hex) = encrypted || authTag   (16-byte tag LAST)
+//   iv (hex) = 12 random bytes, stored separately
+let cachedKey = null;
+function key() {
+    if (cachedKey)
+        return cachedKey;
+    const raw = process.env.ENCRYPTION_KEY;
+    if (!raw) {
+        if (process.env.NODE_ENV === 'production') {
+            throw new Error('ENCRYPTION_KEY environment variable must be set in production');
+        }
+        cachedKey = scryptSync('minion-hub-dev-key', 'minion-hub-salt', 32);
+        return cachedKey;
+    }
+    cachedKey = scryptSync(raw, 'minion-hub-salt', 32);
+    return cachedKey;
+}
+/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
+export function sealSecret(plaintext) {
+    const iv = randomBytes(IV_BYTES);
+    const cipher = createCipheriv(ALGORITHM, key(), iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    const combined = Buffer.concat([encrypted, authTag]);
+    return { ciphertext: combined.toString('hex'), iv: iv.toString('hex') };
+}
+/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
+export function openSecret(ciphertext, iv) {
+    const combined = Buffer.from(ciphertext, 'hex');
+    const encrypted = combined.subarray(0, combined.length - AUTH_TAG_BYTES);
+    const authTag = combined.subarray(combined.length - AUTH_TAG_BYTES);
+    const decipher = createDecipheriv(ALGORITHM, key(), Buffer.from(iv, 'hex'));
+    decipher.setAuthTag(authTag);
+    return decipher.update(encrypted) + decipher.final('utf8');
+}
+//# sourceMappingURL=crypto.js.map

package/dist/pg/crypto.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/pg/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAExF,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;AACpB,MAAM,cAAc,GAAG,EAAE,CAAC;AAE1B,8EAA8E;AAC9E,4DAA4D;AAC5D,iEAAiE;AACjE,kDAAkD;AAClD,IAAI,SAAS,GAAkB,IAAI,CAAC;AACpC,SAAS,GAAG;IACV,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAChC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IACvC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;QACnF,CAAC;QACD,SAAS,GAAG,UAAU,CAAC,oBAAoB,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;QACpE,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;IACnD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,UAAU,CAAC,SAAiB;IAC1C,MAAM,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACpC,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;IACrD,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AAC1E,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,UAAU,CAAC,UAAkB,EAAE,EAAU;IACvD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAChD,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,QAAQ,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC;IACzE,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC;IACpE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;IAC5E,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7B,OAAO,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC7D,CAAC"}

package/dist/pg/crypto.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=crypto.test.d.ts.map

package/dist/pg/crypto.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"crypto.test.d.ts","sourceRoot":"","sources":["../../src/pg/crypto.test.ts"],"names":[],"mappings":""}

package/dist/pg/crypto.test.js ADDED Viewed

@@ -0,0 +1,25 @@
+import { describe, it, expect, beforeAll } from 'vitest';
+import { sealSecret, openSecret } from './crypto.js';
+beforeAll(() => {
+    process.env.ENCRYPTION_KEY = 'test-key-do-not-use-in-prod';
+});
+describe('identity secret crypto', () => {
+    it('round-trips a plaintext through seal/open', () => {
+        const plaintext = JSON.stringify({ type: 'authorized_user', refresh_token: 'abc123' });
+        const { ciphertext, iv } = sealSecret(plaintext);
+        expect(ciphertext).toMatch(/^[0-9a-f]+$/);
+        expect(iv).toMatch(/^[0-9a-f]+$/);
+        expect(openSecret(ciphertext, iv)).toBe(plaintext);
+    });
+    it('fails to open with a tampered ciphertext (GCM auth)', () => {
+        const { ciphertext, iv } = sealSecret('hello');
+        const tampered = ciphertext.slice(0, -2) + (ciphertext.endsWith('00') ? '11' : '00');
+        expect(() => openSecret(tampered, iv)).toThrow();
+    });
+    it('is wire-compatible with hub layout (ciphertext = hex(encrypted || authTag), 16-byte tag last)', () => {
+        const { ciphertext } = sealSecret('x');
+        // hex of (>=0 bytes ciphertext) + 16-byte tag → at least 32 hex chars of tag.
+        expect(ciphertext.length).toBeGreaterThanOrEqual(32);
+    });
+});
+//# sourceMappingURL=crypto.test.js.map

package/dist/pg/crypto.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"crypto.test.js","sourceRoot":"","sources":["../../src/pg/crypto.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAErD,SAAS,CAAC,GAAG,EAAE;IACb,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,6BAA6B,CAAC;AAC7D,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,iBAAiB,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC,CAAC;QACvF,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;QACjD,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAC1C,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAClC,MAAM,CAAC,UAAU,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACrF,MAAM,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+FAA+F,EAAE,GAAG,EAAE;QACvG,MAAM,EAAE,UAAU,EAAE,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QACvC,8EAA8E;QAC9E,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,EAAE,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/pg/identity-mapper.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+export interface GoTrueUserLike {
+    id: string;
+    email: string | null;
+    user_metadata?: {
+        full_name?: string;
+        name?: string;
+        provider_id?: string;
+    } | null;
+    app_metadata?: {
+        provider?: string;
+    } | null;
+}
+export interface GoogleGrant {
+    refreshToken: string | null;
+    scope: string | null;
+}
+export interface MappedProfile {
+    id: string;
+    email: string;
+    displayName: string | null;
+}
+export interface MappedIdentity {
+    userId: string;
+    provider: 'google';
+    kind: 'oauth';
+    externalId: string;
+    displayName: string | null;
+    scope: string | null;
+    hasSecret: boolean;
+}
+/** Pure mapping — no DB, no crypto. Caller seals the secret and upserts. */
+export declare function mapGoogleIdentity(user: GoTrueUserLike, grant: GoogleGrant): {
+    profile: MappedProfile;
+    identity: MappedIdentity;
+};
+//# sourceMappingURL=identity-mapper.d.ts.map

package/dist/pg/identity-mapper.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"identity-mapper.d.ts","sourceRoot":"","sources":["../../src/pg/identity-mapper.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,aAAa,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IACnF,YAAY,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CAC7C;AAED,MAAM,WAAW,WAAW;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,EAAE,OAAO,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,4EAA4E;AAC5E,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,cAAc,EACpB,KAAK,EAAE,WAAW,GACjB;IAAE,OAAO,EAAE,aAAa,CAAC;IAAC,QAAQ,EAAE,cAAc,CAAA;CAAE,CAetD"}

package/dist/pg/identity-mapper.js ADDED Viewed

@@ -0,0 +1,18 @@
+/** Pure mapping — no DB, no crypto. Caller seals the secret and upserts. */
+export function mapGoogleIdentity(user, grant) {
+    const email = user.email ?? '';
+    const displayName = user.user_metadata?.full_name ?? user.user_metadata?.name ?? null;
+    return {
+        profile: { id: user.id, email, displayName },
+        identity: {
+            userId: user.id,
+            provider: 'google',
+            kind: 'oauth',
+            externalId: email,
+            displayName,
+            scope: grant.scope,
+            hasSecret: Boolean(grant.refreshToken),
+        },
+    };
+}
+//# sourceMappingURL=identity-mapper.js.map

package/dist/pg/identity-mapper.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"identity-mapper.js","sourceRoot":"","sources":["../../src/pg/identity-mapper.ts"],"names":[],"mappings":"AA4BA,4EAA4E;AAC5E,MAAM,UAAU,iBAAiB,CAC/B,IAAoB,EACpB,KAAkB;IAElB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;IAC/B,MAAM,WAAW,GAAG,IAAI,CAAC,aAAa,EAAE,SAAS,IAAI,IAAI,CAAC,aAAa,EAAE,IAAI,IAAI,IAAI,CAAC;IACtF,OAAO;QACL,OAAO,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE;QAC5C,QAAQ,EAAE;YACR,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,QAAQ,EAAE,QAAQ;YAClB,IAAI,EAAE,OAAO;YACb,UAAU,EAAE,KAAK;YACjB,WAAW;YACX,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC;SACvC;KACF,CAAC;AACJ,CAAC"}

package/dist/pg/identity-mapper.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=identity-mapper.test.d.ts.map

package/dist/pg/identity-mapper.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"identity-mapper.test.d.ts","sourceRoot":"","sources":["../../src/pg/identity-mapper.test.ts"],"names":[],"mappings":""}

package/dist/pg/identity-mapper.test.js ADDED Viewed

@@ -0,0 +1,32 @@
+import { describe, it, expect } from 'vitest';
+import { mapGoogleIdentity } from './identity-mapper.js';
+const gotrueUser = {
+    id: '11111111-1111-1111-1111-111111111111',
+    email: 'nik@example.com',
+    user_metadata: { full_name: 'Nik P', provider_id: 'google-sub-123' },
+    app_metadata: { provider: 'google' },
+};
+describe('mapGoogleIdentity', () => {
+    it('produces a profile row from the GoTrue user', () => {
+        const { profile } = mapGoogleIdentity(gotrueUser, { refreshToken: 'rt', scope: 'email profile' });
+        expect(profile).toEqual({
+            id: '11111111-1111-1111-1111-111111111111',
+            email: 'nik@example.com',
+            displayName: 'Nik P',
+        });
+    });
+    it('produces a google oauth identity keyed by email as externalId', () => {
+        const { identity } = mapGoogleIdentity(gotrueUser, { refreshToken: 'rt', scope: 'email profile' });
+        expect(identity.provider).toBe('google');
+        expect(identity.kind).toBe('oauth');
+        expect(identity.externalId).toBe('nik@example.com');
+        expect(identity.userId).toBe(gotrueUser.id);
+        expect(identity.scope).toBe('email profile');
+        expect(identity.hasSecret).toBe(true);
+    });
+    it('marks hasSecret false when no refresh token present', () => {
+        const { identity } = mapGoogleIdentity(gotrueUser, { refreshToken: null, scope: null });
+        expect(identity.hasSecret).toBe(false);
+    });
+});
+//# sourceMappingURL=identity-mapper.test.js.map

package/dist/pg/identity-mapper.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"identity-mapper.test.js","sourceRoot":"","sources":["../../src/pg/identity-mapper.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAuB,MAAM,sBAAsB,CAAC;AAE9E,MAAM,UAAU,GAAmB;IACjC,EAAE,EAAE,sCAAsC;IAC1C,KAAK,EAAE,iBAAiB;IACxB,aAAa,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE;IACpE,YAAY,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE;CACrC,CAAC;AAEF,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,EAAE,OAAO,EAAE,GAAG,iBAAiB,CAAC,UAAU,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;QAClG,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC;YACtB,EAAE,EAAE,sCAAsC;YAC1C,KAAK,EAAE,iBAAiB;YACxB,WAAW,EAAE,OAAO;SACrB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,EAAE,QAAQ,EAAE,GAAG,iBAAiB,CAAC,UAAU,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;QACnG,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACpD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;QAC5C,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAC7C,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,EAAE,QAAQ,EAAE,GAAG,iBAAiB,CAAC,UAAU,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACxF,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/pg/schema/gateway.d.ts ADDED Viewed

@@ -0,0 +1,262 @@
+/**
+ * Supabase-backed registry of Minion gateway servers.
+ * Mirrors Turso `servers`. legacy_server_id preserves the old Turso text PK
+ * so Turso log/event rows (which still carry the old id) can join here.
+ */
+export declare const gateway: import("drizzle-orm/pg-core").PgTableWithColumns<{
+    name: "gateway";
+    schema: undefined;
+    columns: {
+        id: import("drizzle-orm/pg-core").PgColumn<{
+            name: "id";
+            tableName: "gateway";
+            dataType: "string";
+            columnType: "PgUUID";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        legacyServerId: import("drizzle-orm/pg-core").PgColumn<{
+            name: "legacy_server_id";
+            tableName: "gateway";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        name: import("drizzle-orm/pg-core").PgColumn<{
+            name: "name";
+            tableName: "gateway";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        url: import("drizzle-orm/pg-core").PgColumn<{
+            name: "url";
+            tableName: "gateway";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        tokenCiphertext: import("drizzle-orm/pg-core").PgColumn<{
+            name: "token_ciphertext";
+            tableName: "gateway";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        tokenIv: import("drizzle-orm/pg-core").PgColumn<{
+            name: "token_iv";
+            tableName: "gateway";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        authMode: import("drizzle-orm/pg-core").PgColumn<{
+            name: "auth_mode";
+            tableName: "gateway";
+            dataType: "string";
+            columnType: "PgText";
+            data: "token" | "none";
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: ["token", "none"];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        lastConnectedAt: import("drizzle-orm/pg-core").PgColumn<{
+            name: "last_connected_at";
+            tableName: "gateway";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        createdAt: import("drizzle-orm/pg-core").PgColumn<{
+            name: "created_at";
+            tableName: "gateway";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        updatedAt: import("drizzle-orm/pg-core").PgColumn<{
+            name: "updated_at";
+            tableName: "gateway";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "pg";
+}>;
+/**
+ * Per-user gateway link. Mirrors Turso `user_servers`.
+ * profile_id references profiles.id (== auth.users.id).
+ */
+export declare const userGateway: import("drizzle-orm/pg-core").PgTableWithColumns<{
+    name: "user_gateway";
+    schema: undefined;
+    columns: {
+        profileId: import("drizzle-orm/pg-core").PgColumn<{
+            name: "profile_id";
+            tableName: "user_gateway";
+            dataType: "string";
+            columnType: "PgUUID";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        gatewayId: import("drizzle-orm/pg-core").PgColumn<{
+            name: "gateway_id";
+            tableName: "user_gateway";
+            dataType: "string";
+            columnType: "PgUUID";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        isDefault: import("drizzle-orm/pg-core").PgColumn<{
+            name: "is_default";
+            tableName: "user_gateway";
+            dataType: "boolean";
+            columnType: "PgBoolean";
+            data: boolean;
+            driverParam: boolean;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        createdAt: import("drizzle-orm/pg-core").PgColumn<{
+            name: "created_at";
+            tableName: "user_gateway";
+            dataType: "date";
+            columnType: "PgTimestamp";
+            data: Date;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "pg";
+}>;
+//# sourceMappingURL=gateway.d.ts.map

package/dist/pg/schema/gateway.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../../../src/pg/schema/gateway.ts"],"names":[],"mappings":"AAGA;;;;GAIG;AACH,eAAO,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAclB,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAQtB,CAAC"}

package/dist/pg/schema/gateway.js ADDED Viewed

@@ -0,0 +1,36 @@
+import { pgTable, uuid, text, boolean, timestamp, primaryKey, index, uniqueIndex } from 'drizzle-orm/pg-core';
+import { profiles } from './profiles.js';
+/**
+ * Supabase-backed registry of Minion gateway servers.
+ * Mirrors Turso `servers`. legacy_server_id preserves the old Turso text PK
+ * so Turso log/event rows (which still carry the old id) can join here.
+ */
+export const gateway = pgTable('gateway', {
+    id: uuid('id').primaryKey().defaultRandom(),
+    legacyServerId: text('legacy_server_id'),
+    name: text('name').notNull(),
+    url: text('url').notNull(),
+    tokenCiphertext: text('token_ciphertext').notNull().default(''),
+    tokenIv: text('token_iv').notNull().default(''),
+    authMode: text('auth_mode', { enum: ['token', 'none'] }).notNull().default('token'),
+    lastConnectedAt: timestamp('last_connected_at', { withTimezone: true }),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+    updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
+}, (t) => [
+    uniqueIndex('gateway_uniq_url').on(t.url),
+    index('idx_gateway_legacy').on(t.legacyServerId),
+]);
+/**
+ * Per-user gateway link. Mirrors Turso `user_servers`.
+ * profile_id references profiles.id (== auth.users.id).
+ */
+export const userGateway = pgTable('user_gateway', {
+    profileId: uuid('profile_id').notNull().references(() => profiles.id, { onDelete: 'cascade' }),
+    gatewayId: uuid('gateway_id').notNull().references(() => gateway.id, { onDelete: 'cascade' }),
+    isDefault: boolean('is_default').notNull().default(false),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+}, (t) => [
+    primaryKey({ columns: [t.profileId, t.gatewayId] }),
+    index('idx_user_gateway_gateway').on(t.gatewayId),
+]);
+//# sourceMappingURL=gateway.js.map

package/dist/pg/schema/gateway.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"gateway.js","sourceRoot":"","sources":["../../../src/pg/schema/gateway.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAC9G,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAEzC;;;;GAIG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,EAAE;IACxC,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC,aAAa,EAAE;IAC3C,cAAc,EAAE,IAAI,CAAC,kBAAkB,CAAC;IACxC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;IAC5B,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE;IAC1B,eAAe,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IAC/D,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IAC/C,QAAQ,EAAE,IAAI,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;IACnF,eAAe,EAAE,SAAS,CAAC,mBAAmB,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IACvE,SAAS,EAAE,SAAS,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,EAAE;IACjF,SAAS,EAAE,SAAS,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,EAAE;CAClF,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC;IACR,WAAW,CAAC,kBAAkB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;IACzC,KAAK,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC;CACjD,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,EAAE;IACjD,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IAC9F,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IAC7F,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACzD,SAAS,EAAE,SAAS,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,EAAE;CAClF,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC;IACR,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC;IACnD,KAAK,CAAC,0BAA0B,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;CAClD,CAAC,CAAC"}

package/dist/pg/schema/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+export { profiles } from './profiles.js';
+export { userIdentities } from './user-identities.js';
+export { joinRequest, joinLink } from './join.js';
+export { mapGoogleIdentity } from '../identity-mapper.js';
+export type { GoTrueUserLike, GoogleGrant, MappedProfile, MappedIdentity, } from '../identity-mapper.js';
+export { sealSecret, openSecret } from '../crypto.js';
+export { gateway, userGateway } from './gateway.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/pg/schema/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/pg/schema/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAGlD,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,YAAY,EACV,cAAc,EACd,WAAW,EACX,aAAa,EACb,cAAc,GACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC"}

package/dist/pg/schema/index.js ADDED Viewed

@@ -0,0 +1,8 @@
+export { profiles } from './profiles.js';
+export { userIdentities } from './user-identities.js';
+export { joinRequest, joinLink } from './join.js';
+// Identity helpers (consumed by minion_site auth path)
+export { mapGoogleIdentity } from '../identity-mapper.js';
+export { sealSecret, openSecret } from '../crypto.js';
+export { gateway, userGateway } from './gateway.js';
+//# sourceMappingURL=index.js.map

package/dist/pg/schema/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/pg/schema/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAElD,uDAAuD;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAO1D,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC"}