@minion-stack/db 0.3.0 → 0.4.0

package/src/crypto.ts

@@ -0,0 +1,73 @@
+// Canonical app-level secret encryption for the Minion stack (R7 of
+// specs/2026-05-26-auth-token-simplification.md). AES-256-GCM, dialect-agnostic
+// — consumed by the PG identity path (sealSecret/openSecret) and re-exported by
+// minion_hub's crypto.ts (encrypt/decrypt/encryptToken/decryptToken) so there is
+// ONE implementation and one key-derivation path instead of byte-matched copies.
+//
+// Layout (MUST stay stable — existing ciphertext at rest depends on it):
+//   key        = scryptSync(ENCRYPTION_KEY, 'minion-hub-salt', 32)
+//   ciphertext = hex(encrypted || authTag)   (16-byte GCM tag LAST)
+//   iv         = hex(12 random bytes), stored separately
+
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";
+
+const ALGORITHM = "aes-256-gcm";
+const IV_BYTES = 12;
+const AUTH_TAG_BYTES = 16;
+
+let cachedKey: Buffer | null = null;
+function key(): Buffer {
+  if (cachedKey) return cachedKey;
+  const raw = process.env.ENCRYPTION_KEY;
+  if (!raw) {
+    if (process.env.NODE_ENV === "production") {
+      throw new Error("ENCRYPTION_KEY environment variable must be set in production");
+    }
+    // Dev-only fallback — never used in production.
+    cachedKey = scryptSync("minion-hub-dev-key", "minion-hub-salt", 32);
+    return cachedKey;
+  }
+  cachedKey = scryptSync(raw, "minion-hub-salt", 32);
+  return cachedKey;
+}
+
+/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
+export function sealSecret(plaintext: string): { ciphertext: string; iv: string } {
+  const iv = randomBytes(IV_BYTES);
+  const cipher = createCipheriv(ALGORITHM, key(), iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  const combined = Buffer.concat([encrypted, authTag]);
+  return { ciphertext: combined.toString("hex"), iv: iv.toString("hex") };
+}
+
+/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
+export function openSecret(ciphertext: string, iv: string): string {
+  const combined = Buffer.from(ciphertext, "hex");
+  const encrypted = combined.subarray(0, combined.length - AUTH_TAG_BYTES);
+  const authTag = combined.subarray(combined.length - AUTH_TAG_BYTES);
+  const decipher = createDecipheriv(ALGORITHM, key(), Buffer.from(iv, "hex"));
+  decipher.setAuthTag(authTag);
+  return decipher.update(encrypted) + decipher.final("utf8");
+}
+
+// --- minion_hub-compatible aliases -------------------------------------------
+// Hub's crypto.ts historically exported these names; keeping them lets hub become
+// a thin re-export of this module without touching its many call sites.
+
+/** Alias of {@link sealSecret}. */
+export const encrypt = sealSecret;
+
+/** Alias of {@link openSecret}. */
+export const decrypt = openSecret;
+
+/** Seal a token → { encrypted, iv } (hub's field name for the ciphertext). */
+export function encryptToken(token: string): { encrypted: string; iv: string } {
+  const { ciphertext, iv } = sealSecret(token);
+  return { encrypted: ciphertext, iv };
+}
+
+/** Open a sealed token. */
+export function decryptToken(encrypted: string, iv: string): string {
+  return openSecret(encrypted, iv);
+}

package/src/pg/crypto.ts

@@ -1,44 +1,4 @@
-import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';
-
-const ALGORITHM = 'aes-256-gcm';
-const IV_BYTES = 12;
-const AUTH_TAG_BYTES = 16;
-
-// MUST match minion_hub/src/server/auth/crypto.ts so hub + site interoperate:
-//   key = scryptSync(ENCRYPTION_KEY, 'minion-hub-salt', 32)
-//   ciphertext (hex) = encrypted || authTag   (16-byte tag LAST)
-//   iv (hex) = 12 random bytes, stored separately
-let cachedKey: Buffer | null = null;
-function key(): Buffer {
-  if (cachedKey) return cachedKey;
-  const raw = process.env.ENCRYPTION_KEY;
-  if (!raw) {
-    if (process.env.NODE_ENV === 'production') {
-      throw new Error('ENCRYPTION_KEY environment variable must be set in production');
-    }
-    cachedKey = scryptSync('minion-hub-dev-key', 'minion-hub-salt', 32);
-    return cachedKey;
-  }
-  cachedKey = scryptSync(raw, 'minion-hub-salt', 32);
-  return cachedKey;
-}
-
-/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
-export function sealSecret(plaintext: string): { ciphertext: string; iv: string } {
-  const iv = randomBytes(IV_BYTES);
-  const cipher = createCipheriv(ALGORITHM, key(), iv);
-  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
-  const authTag = cipher.getAuthTag();
-  const combined = Buffer.concat([encrypted, authTag]);
-  return { ciphertext: combined.toString('hex'), iv: iv.toString('hex') };
-}
-
-/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
-export function openSecret(ciphertext: string, iv: string): string {
-  const combined = Buffer.from(ciphertext, 'hex');
-  const encrypted = combined.subarray(0, combined.length - AUTH_TAG_BYTES);
-  const authTag = combined.subarray(combined.length - AUTH_TAG_BYTES);
-  const decipher = createDecipheriv(ALGORITHM, key(), Buffer.from(iv, 'hex'));
-  decipher.setAuthTag(authTag);
-  return decipher.update(encrypted) + decipher.final('utf8');
-}
+// Re-export of the canonical crypto module (../crypto.ts). Kept as a stable
+// subpath for existing importers of the PG identity path; the implementation
+// lives in one place now (R7 of specs/2026-05-26-auth-token-simplification.md).
+export { sealSecret, openSecret } from "../crypto.js";

package/src/pg/schema/gateway.ts

@@ -0,0 +1,37 @@
+import { pgTable, uuid, text, boolean, timestamp, primaryKey, index, uniqueIndex } from 'drizzle-orm/pg-core';
+import { profiles } from './profiles.js';
+
+/**
+ * Supabase-backed registry of Minion gateway servers.
+ * Mirrors Turso `servers`. legacy_server_id preserves the old Turso text PK
+ * so Turso log/event rows (which still carry the old id) can join here.
+ */
+export const gateway = pgTable('gateway', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  legacyServerId: text('legacy_server_id'),
+  name: text('name').notNull(),
+  url: text('url').notNull(),
+  tokenCiphertext: text('token_ciphertext').notNull().default(''),
+  tokenIv: text('token_iv').notNull().default(''),
+  authMode: text('auth_mode', { enum: ['token', 'none'] }).notNull().default('token'),
+  lastConnectedAt: timestamp('last_connected_at', { withTimezone: true }),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+  updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
+}, (t) => [
+  uniqueIndex('gateway_uniq_url').on(t.url),
+  index('idx_gateway_legacy').on(t.legacyServerId),
+]);
+
+/**
+ * Per-user gateway link. Mirrors Turso `user_servers`.
+ * profile_id references profiles.id (== auth.users.id).
+ */
+export const userGateway = pgTable('user_gateway', {
+  profileId: uuid('profile_id').notNull().references(() => profiles.id, { onDelete: 'cascade' }),
+  gatewayId: uuid('gateway_id').notNull().references(() => gateway.id, { onDelete: 'cascade' }),
+  isDefault: boolean('is_default').notNull().default(false),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+}, (t) => [
+  primaryKey({ columns: [t.profileId, t.gatewayId] }),
+  index('idx_user_gateway_gateway').on(t.gatewayId),
+]);

package/src/pg/schema/index.ts

@@ -1,5 +1,6 @@
 export { profiles } from './profiles.js';
 export { userIdentities } from './user-identities.js';
+export { joinRequest, joinLink } from './join.js';
 
 // Identity helpers (consumed by minion_site auth path)
 export { mapGoogleIdentity } from '../identity-mapper.js';
@@ -10,3 +11,4 @@ export type {
   MappedIdentity,
 } from '../identity-mapper.js';
 export { sealSecret, openSecret } from '../crypto.js';
+export { gateway, userGateway } from './gateway.js';

package/src/pg/schema/join.ts

@@ -0,0 +1,38 @@
+import { pgTable, uuid, text, integer, boolean, timestamp } from 'drizzle-orm/pg-core';
+
+// Partial unique index (one open request per user/org) is created in the
+// hand-written migration (Task 5), since the WHERE-predicate form isn't
+// expressed cleanly here. Keep this table definition free of an index callback.
+export const joinRequest = pgTable('join_request', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  // GoTrue auth.users.id (== profiles.id). The requester's Supabase identity.
+  supabaseId: uuid('supabase_id').notNull(),
+  // Bridged hub id (profiles.legacy_user_id ?? supabaseId) — the value used as the
+  // Turso `member.user_id` key when the request is approved. Distinct from supabase_id.
+  userId: text('user_id').notNull(),
+  email: text('email').notNull(),
+  displayName: text('display_name'),
+  message: text('message'),
+  status: text('status', { enum: ['pending', 'approved', 'denied'] }).notNull().default('pending'),
+  // Turso organization id (cross-DB reference; orgs live in Turso, so no PG FK).
+  organizationId: text('organization_id').notNull(),
+  requestedRole: text('requested_role', { enum: ['user', 'admin', 'super_admin'] }).notNull().default('user'),
+  reviewedBy: text('reviewed_by'),
+  reviewedAt: timestamp('reviewed_at', { withTimezone: true }),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+  updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
+});
+
+export const joinLink = pgTable('join_link', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  token: text('token').notNull().unique(),
+  // Turso organization id (cross-DB reference; orgs live in Turso, so no PG FK).
+  organizationId: text('organization_id').notNull(),
+  role: text('role', { enum: ['user', 'admin', 'super_admin'] }).notNull(),
+  createdBy: text('created_by').notNull(),
+  expiresAt: timestamp('expires_at', { withTimezone: true }),
+  maxUses: integer('max_uses'),
+  usesCount: integer('uses_count').notNull().default(0),
+  revoked: boolean('revoked').notNull().default(false),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+});

package/src/pg/schema/profiles.ts

@@ -15,6 +15,9 @@ export const profiles = pgTable('profiles', {
     .notNull()
     .default('user'),
   personalAgentId: text('personal_agent_id'),
+  // Better Auth `user.id` (text) this profile was migrated from. Null for
+  // users created natively in Supabase. Lets Phase 2 remap legacy FKs.
+  legacyUserId: text('legacy_user_id'),
   createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
   updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
 });

package/src/schema/flows.ts

@@ -9,4 +9,6 @@ export const flows = sqliteTable('flows', {
   tenantId: text('tenant_id'), // tenant scope — null for pre-migration rows
   createdAt: integer('created_at').notNull(),
   updatedAt: integer('updated_at').notNull(),
+  active: integer('active', { mode: 'boolean' }).notNull().default(false),
+  config: text('config').notNull().default('{}'),
 });