@minion-stack/db 0.3.1 → 0.4.0

package/dist/crypto.d.ts

@@ -0,0 +1,19 @@
+/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
+export declare function sealSecret(plaintext: string): {
+    ciphertext: string;
+    iv: string;
+};
+/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
+export declare function openSecret(ciphertext: string, iv: string): string;
+/** Alias of {@link sealSecret}. */
+export declare const encrypt: typeof sealSecret;
+/** Alias of {@link openSecret}. */
+export declare const decrypt: typeof openSecret;
+/** Seal a token → { encrypted, iv } (hub's field name for the ciphertext). */
+export declare function encryptToken(token: string): {
+    encrypted: string;
+    iv: string;
+};
+/** Open a sealed token. */
+export declare function decryptToken(encrypted: string, iv: string): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAiCA,mFAAmF;AACnF,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAOhF;AAED,oFAAoF;AACpF,wBAAgB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,MAAM,CAOjE;AAMD,mCAAmC;AACnC,eAAO,MAAM,OAAO,mBAAa,CAAC;AAElC,mCAAmC;AACnC,eAAO,MAAM,OAAO,mBAAa,CAAC;AAElC,8EAA8E;AAC9E,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAG7E;AAED,2BAA2B;AAC3B,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,MAAM,CAElE"}

package/dist/crypto.js

@@ -0,0 +1,65 @@
+// Canonical app-level secret encryption for the Minion stack (R7 of
+// specs/2026-05-26-auth-token-simplification.md). AES-256-GCM, dialect-agnostic
+// — consumed by the PG identity path (sealSecret/openSecret) and re-exported by
+// minion_hub's crypto.ts (encrypt/decrypt/encryptToken/decryptToken) so there is
+// ONE implementation and one key-derivation path instead of byte-matched copies.
+//
+// Layout (MUST stay stable — existing ciphertext at rest depends on it):
+//   key        = scryptSync(ENCRYPTION_KEY, 'minion-hub-salt', 32)
+//   ciphertext = hex(encrypted || authTag)   (16-byte GCM tag LAST)
+//   iv         = hex(12 random bytes), stored separately
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";
+const ALGORITHM = "aes-256-gcm";
+const IV_BYTES = 12;
+const AUTH_TAG_BYTES = 16;
+let cachedKey = null;
+function key() {
+    if (cachedKey)
+        return cachedKey;
+    const raw = process.env.ENCRYPTION_KEY;
+    if (!raw) {
+        if (process.env.NODE_ENV === "production") {
+            throw new Error("ENCRYPTION_KEY environment variable must be set in production");
+        }
+        // Dev-only fallback — never used in production.
+        cachedKey = scryptSync("minion-hub-dev-key", "minion-hub-salt", 32);
+        return cachedKey;
+    }
+    cachedKey = scryptSync(raw, "minion-hub-salt", 32);
+    return cachedKey;
+}
+/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
+export function sealSecret(plaintext) {
+    const iv = randomBytes(IV_BYTES);
+    const cipher = createCipheriv(ALGORITHM, key(), iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    const combined = Buffer.concat([encrypted, authTag]);
+    return { ciphertext: combined.toString("hex"), iv: iv.toString("hex") };
+}
+/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
+export function openSecret(ciphertext, iv) {
+    const combined = Buffer.from(ciphertext, "hex");
+    const encrypted = combined.subarray(0, combined.length - AUTH_TAG_BYTES);
+    const authTag = combined.subarray(combined.length - AUTH_TAG_BYTES);
+    const decipher = createDecipheriv(ALGORITHM, key(), Buffer.from(iv, "hex"));
+    decipher.setAuthTag(authTag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+}
+// --- minion_hub-compatible aliases -------------------------------------------
+// Hub's crypto.ts historically exported these names; keeping them lets hub become
+// a thin re-export of this module without touching its many call sites.
+/** Alias of {@link sealSecret}. */
+export const encrypt = sealSecret;
+/** Alias of {@link openSecret}. */
+export const decrypt = openSecret;
+/** Seal a token → { encrypted, iv } (hub's field name for the ciphertext). */
+export function encryptToken(token) {
+    const { ciphertext, iv } = sealSecret(token);
+    return { encrypted: ciphertext, iv };
+}
+/** Open a sealed token. */
+export function decryptToken(encrypted, iv) {
+    return openSecret(encrypted, iv);
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA,oEAAoE;AACpE,gFAAgF;AAChF,gFAAgF;AAChF,iFAAiF;AACjF,iFAAiF;AACjF,EAAE;AACF,yEAAyE;AACzE,mEAAmE;AACnE,oEAAoE;AACpE,yDAAyD;AAEzD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAExF,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;AACpB,MAAM,cAAc,GAAG,EAAE,CAAC;AAE1B,IAAI,SAAS,GAAkB,IAAI,CAAC;AACpC,SAAS,GAAG;IACV,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAChC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IACvC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;QACnF,CAAC;QACD,gDAAgD;QAChD,SAAS,GAAG,UAAU,CAAC,oBAAoB,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;QACpE,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;IACnD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,UAAU,CAAC,SAAiB;IAC1C,MAAM,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACpC,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;IACrD,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AAC1E,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,UAAU,CAAC,UAAkB,EAAE,EAAU;IACvD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAChD,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,QAAQ,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC;IACzE,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC;IACpE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;IAC5E,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7B,OAAO,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC7D,CAAC;AAED,gFAAgF;AAChF,kFAAkF;AAClF,wEAAwE;AAExE,mCAAmC;AACnC,MAAM,CAAC,MAAM,OAAO,GAAG,UAAU,CAAC;AAElC,mCAAmC;AACnC,MAAM,CAAC,MAAM,OAAO,GAAG,UAAU,CAAC;AAElC,8EAA8E;AAC9E,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAC7C,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;AACvC,CAAC;AAED,2BAA2B;AAC3B,MAAM,UAAU,YAAY,CAAC,SAAiB,EAAE,EAAU;IACxD,OAAO,UAAU,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;AACnC,CAAC"}

package/dist/crypto.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=crypto.test.d.ts.map

package/dist/crypto.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.test.d.ts","sourceRoot":"","sources":["../src/crypto.test.ts"],"names":[],"mappings":""}

package/dist/crypto.test.js

@@ -0,0 +1,23 @@
+import { describe, it, expect } from "vitest";
+import { sealSecret, openSecret, encrypt, decrypt, encryptToken, decryptToken, } from "./crypto.js";
+describe("canonical crypto", () => {
+    it("seal/open roundtrips", () => {
+        const { ciphertext, iv } = sealSecret("hunter2");
+        expect(ciphertext).not.toContain("hunter2");
+        expect(openSecret(ciphertext, iv)).toBe("hunter2");
+    });
+    it("encrypt/decrypt are aliases of seal/open", () => {
+        const { ciphertext, iv } = encrypt("s3cret");
+        expect(decrypt(ciphertext, iv)).toBe("s3cret");
+    });
+    it("encryptToken returns { encrypted, iv } and decryptToken roundtrips", () => {
+        const { encrypted, iv } = encryptToken("tok-abc");
+        expect(decryptToken(encrypted, iv)).toBe("tok-abc");
+    });
+    it("openSecret throws on a tampered ciphertext (GCM auth)", () => {
+        const { ciphertext, iv } = sealSecret("x");
+        const tampered = (ciphertext[0] === "a" ? "b" : "a") + ciphertext.slice(1);
+        expect(() => openSecret(tampered, iv)).toThrow();
+    });
+});
+//# sourceMappingURL=crypto.test.js.map

package/dist/crypto.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.test.js","sourceRoot":"","sources":["../src/crypto.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EACL,UAAU,EACV,UAAU,EACV,OAAO,EACP,OAAO,EACP,YAAY,EACZ,YAAY,GACb,MAAM,aAAa,CAAC;AAErB,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;QACjD,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAC5C,MAAM,CAAC,UAAU,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC7C,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,GAAG,EAAE;QAC5E,MAAM,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;QAClD,MAAM,CAAC,YAAY,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3E,MAAM,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACnD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/pg/crypto.d.ts

@@ -1,8 +1,2 @@
-/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
-export declare function sealSecret(plaintext: string): {
-    ciphertext: string;
-    iv: string;
-};
-/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
-export declare function openSecret(ciphertext: string, iv: string): string;
+export { sealSecret, openSecret } from "../crypto.js";
 //# sourceMappingURL=crypto.d.ts.map

package/dist/pg/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/pg/crypto.ts"],"names":[],"mappings":"AAyBA,mFAAmF;AACnF,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAOhF;AAED,oFAAoF;AACpF,wBAAgB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,MAAM,CAOjE"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/pg/crypto.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC"}

package/dist/pg/crypto.js

@@ -1,42 +1,5 @@
-import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';
-const ALGORITHM = 'aes-256-gcm';
-const IV_BYTES = 12;
-const AUTH_TAG_BYTES = 16;
-// MUST match minion_hub/src/server/auth/crypto.ts so hub + site interoperate:
-//   key = scryptSync(ENCRYPTION_KEY, 'minion-hub-salt', 32)
-//   ciphertext (hex) = encrypted || authTag   (16-byte tag LAST)
-//   iv (hex) = 12 random bytes, stored separately
-let cachedKey = null;
-function key() {
-    if (cachedKey)
-        return cachedKey;
-    const raw = process.env.ENCRYPTION_KEY;
-    if (!raw) {
-        if (process.env.NODE_ENV === 'production') {
-            throw new Error('ENCRYPTION_KEY environment variable must be set in production');
-        }
-        cachedKey = scryptSync('minion-hub-dev-key', 'minion-hub-salt', 32);
-        return cachedKey;
-    }
-    cachedKey = scryptSync(raw, 'minion-hub-salt', 32);
-    return cachedKey;
-}
-/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
-export function sealSecret(plaintext) {
-    const iv = randomBytes(IV_BYTES);
-    const cipher = createCipheriv(ALGORITHM, key(), iv);
-    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
-    const authTag = cipher.getAuthTag();
-    const combined = Buffer.concat([encrypted, authTag]);
-    return { ciphertext: combined.toString('hex'), iv: iv.toString('hex') };
-}
-/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
-export function openSecret(ciphertext, iv) {
-    const combined = Buffer.from(ciphertext, 'hex');
-    const encrypted = combined.subarray(0, combined.length - AUTH_TAG_BYTES);
-    const authTag = combined.subarray(combined.length - AUTH_TAG_BYTES);
-    const decipher = createDecipheriv(ALGORITHM, key(), Buffer.from(iv, 'hex'));
-    decipher.setAuthTag(authTag);
-    return decipher.update(encrypted) + decipher.final('utf8');
-}
+// Re-export of the canonical crypto module (../crypto.ts). Kept as a stable
+// subpath for existing importers of the PG identity path; the implementation
+// lives in one place now (R7 of specs/2026-05-26-auth-token-simplification.md).
+export { sealSecret, openSecret } from "../crypto.js";
 //# sourceMappingURL=crypto.js.map

package/dist/pg/crypto.js.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/pg/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAExF,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;AACpB,MAAM,cAAc,GAAG,EAAE,CAAC;AAE1B,8EAA8E;AAC9E,4DAA4D;AAC5D,iEAAiE;AACjE,kDAAkD;AAClD,IAAI,SAAS,GAAkB,IAAI,CAAC;AACpC,SAAS,GAAG;IACV,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAChC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IACvC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;QACnF,CAAC;QACD,SAAS,GAAG,UAAU,CAAC,oBAAoB,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;QACpE,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;IACnD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,UAAU,CAAC,SAAiB;IAC1C,MAAM,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACpC,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;IACrD,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AAC1E,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,UAAU,CAAC,UAAkB,EAAE,EAAU;IACvD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAChD,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,QAAQ,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC;IACzE,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC;IACpE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;IAC5E,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7B,OAAO,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC7D,CAAC"}
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/pg/crypto.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAC5E,6EAA6E;AAC7E,gFAAgF;AAChF,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC"}

package/dist/schema/flows.d.ts

@@ -150,6 +150,42 @@ export declare const flows: import("drizzle-orm/sqlite-core").SQLiteTableWithCol
             identity: undefined;
             generated: undefined;
         }, {}, {}>;
+        active: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "active";
+            tableName: "flows";
+            dataType: "boolean";
+            columnType: "SQLiteBoolean";
+            data: boolean;
+            driverParam: number;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        config: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "config";
+            tableName: "flows";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
     };
     dialect: "sqlite";
 }>;

package/dist/schema/flows.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"flows.d.ts","sourceRoot":"","sources":["../../src/schema/flows.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,KAAK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAShB,CAAC"}
+{"version":3,"file":"flows.d.ts","sourceRoot":"","sources":["../../src/schema/flows.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,KAAK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWhB,CAAC"}

package/dist/schema/flows.js

@@ -8,5 +8,7 @@ export const flows = sqliteTable('flows', {
     tenantId: text('tenant_id'), // tenant scope — null for pre-migration rows
     createdAt: integer('created_at').notNull(),
     updatedAt: integer('updated_at').notNull(),
+    active: integer('active', { mode: 'boolean' }).notNull().default(false),
+    config: text('config').notNull().default('{}'),
 });
 //# sourceMappingURL=flows.js.map

package/dist/schema/flows.js.map

@@ -1 +1 @@
-{"version":3,"file":"flows.js","sourceRoot":"","sources":["../../src/schema/flows.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAErE,MAAM,CAAC,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,EAAE;IACxC,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;IAC3B,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;IAC5B,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,4BAA4B;IAC1E,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,4BAA4B;IAC1E,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,0DAA0D;IACnF,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,EAAE,6CAA6C;IAC1E,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;IAC1C,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;CAC3C,CAAC,CAAC"}
+{"version":3,"file":"flows.js","sourceRoot":"","sources":["../../src/schema/flows.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAErE,MAAM,CAAC,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,EAAE;IACxC,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;IAC3B,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;IAC5B,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,4BAA4B;IAC1E,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,4BAA4B;IAC1E,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,0DAA0D;IACnF,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,EAAE,6CAA6C;IAC1E,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;IAC1C,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;IAC1C,MAAM,EAAE,OAAO,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACvE,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CAC/C,CAAC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@minion-stack/db",
-  "version": "0.3.1",
+  "version": "0.4.0",
   "description": "Drizzle ORM schema for the Minion shared database (LibSQL/Turso).",
   "license": "MIT",
   "repository": {
@@ -28,6 +28,10 @@
       "types": "./dist/pg/schema/index.d.ts",
       "import": "./dist/pg/schema/index.js"
     },
+    "./crypto": {
+      "types": "./dist/crypto.d.ts",
+      "import": "./dist/crypto.js"
+    },
     "./relations": {
       "types": "./dist/relations.d.ts",
       "import": "./dist/relations.js"
@@ -45,24 +49,23 @@
     "src",
     "README.md"
   ],
-  "scripts": {
-    "build": "tsc",
-    "prepublishOnly": "tsc",
-    "typecheck": "tsc --noEmit",
-    "lint": "oxlint src",
-    "db:pg:generate": "drizzle-kit generate --config=drizzle.pg.config.ts",
-    "test": "vitest run"
-  },
   "peerDependencies": {
     "drizzle-orm": ">=0.45.0"
   },
   "devDependencies": {
-    "@minion-stack/tsconfig": "workspace:*",
     "@paralleldrive/cuid2": "^3.3.0",
     "drizzle-kit": "^0.31.9",
     "drizzle-orm": "^0.45.1",
     "oxlint": "^1.66.0",
     "typescript": "^5.0.0",
-    "vitest": "^2.1.9"
+    "vitest": "^2.1.9",
+    "@minion-stack/tsconfig": "0.1.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "typecheck": "tsc --noEmit",
+    "lint": "oxlint src",
+    "db:pg:generate": "drizzle-kit generate --config=drizzle.pg.config.ts",
+    "test": "vitest run"
   }
-}
+}

package/src/crypto.test.ts

@@ -0,0 +1,33 @@
+import { describe, it, expect } from "vitest";
+import {
+  sealSecret,
+  openSecret,
+  encrypt,
+  decrypt,
+  encryptToken,
+  decryptToken,
+} from "./crypto.js";
+
+describe("canonical crypto", () => {
+  it("seal/open roundtrips", () => {
+    const { ciphertext, iv } = sealSecret("hunter2");
+    expect(ciphertext).not.toContain("hunter2");
+    expect(openSecret(ciphertext, iv)).toBe("hunter2");
+  });
+
+  it("encrypt/decrypt are aliases of seal/open", () => {
+    const { ciphertext, iv } = encrypt("s3cret");
+    expect(decrypt(ciphertext, iv)).toBe("s3cret");
+  });
+
+  it("encryptToken returns { encrypted, iv } and decryptToken roundtrips", () => {
+    const { encrypted, iv } = encryptToken("tok-abc");
+    expect(decryptToken(encrypted, iv)).toBe("tok-abc");
+  });
+
+  it("openSecret throws on a tampered ciphertext (GCM auth)", () => {
+    const { ciphertext, iv } = sealSecret("x");
+    const tampered = (ciphertext[0] === "a" ? "b" : "a") + ciphertext.slice(1);
+    expect(() => openSecret(tampered, iv)).toThrow();
+  });
+});

package/src/crypto.ts

@@ -0,0 +1,73 @@
+// Canonical app-level secret encryption for the Minion stack (R7 of
+// specs/2026-05-26-auth-token-simplification.md). AES-256-GCM, dialect-agnostic
+// — consumed by the PG identity path (sealSecret/openSecret) and re-exported by
+// minion_hub's crypto.ts (encrypt/decrypt/encryptToken/decryptToken) so there is
+// ONE implementation and one key-derivation path instead of byte-matched copies.
+//
+// Layout (MUST stay stable — existing ciphertext at rest depends on it):
+//   key        = scryptSync(ENCRYPTION_KEY, 'minion-hub-salt', 32)
+//   ciphertext = hex(encrypted || authTag)   (16-byte GCM tag LAST)
+//   iv         = hex(12 random bytes), stored separately
+
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";
+
+const ALGORITHM = "aes-256-gcm";
+const IV_BYTES = 12;
+const AUTH_TAG_BYTES = 16;
+
+let cachedKey: Buffer | null = null;
+function key(): Buffer {
+  if (cachedKey) return cachedKey;
+  const raw = process.env.ENCRYPTION_KEY;
+  if (!raw) {
+    if (process.env.NODE_ENV === "production") {
+      throw new Error("ENCRYPTION_KEY environment variable must be set in production");
+    }
+    // Dev-only fallback — never used in production.
+    cachedKey = scryptSync("minion-hub-dev-key", "minion-hub-salt", 32);
+    return cachedKey;
+  }
+  cachedKey = scryptSync(raw, "minion-hub-salt", 32);
+  return cachedKey;
+}
+
+/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
+export function sealSecret(plaintext: string): { ciphertext: string; iv: string } {
+  const iv = randomBytes(IV_BYTES);
+  const cipher = createCipheriv(ALGORITHM, key(), iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  const combined = Buffer.concat([encrypted, authTag]);
+  return { ciphertext: combined.toString("hex"), iv: iv.toString("hex") };
+}
+
+/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
+export function openSecret(ciphertext: string, iv: string): string {
+  const combined = Buffer.from(ciphertext, "hex");
+  const encrypted = combined.subarray(0, combined.length - AUTH_TAG_BYTES);
+  const authTag = combined.subarray(combined.length - AUTH_TAG_BYTES);
+  const decipher = createDecipheriv(ALGORITHM, key(), Buffer.from(iv, "hex"));
+  decipher.setAuthTag(authTag);
+  return decipher.update(encrypted) + decipher.final("utf8");
+}
+
+// --- minion_hub-compatible aliases -------------------------------------------
+// Hub's crypto.ts historically exported these names; keeping them lets hub become
+// a thin re-export of this module without touching its many call sites.
+
+/** Alias of {@link sealSecret}. */
+export const encrypt = sealSecret;
+
+/** Alias of {@link openSecret}. */
+export const decrypt = openSecret;
+
+/** Seal a token → { encrypted, iv } (hub's field name for the ciphertext). */
+export function encryptToken(token: string): { encrypted: string; iv: string } {
+  const { ciphertext, iv } = sealSecret(token);
+  return { encrypted: ciphertext, iv };
+}
+
+/** Open a sealed token. */
+export function decryptToken(encrypted: string, iv: string): string {
+  return openSecret(encrypted, iv);
+}

package/src/pg/crypto.ts

@@ -1,44 +1,4 @@
-import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';
-
-const ALGORITHM = 'aes-256-gcm';
-const IV_BYTES = 12;
-const AUTH_TAG_BYTES = 16;
-
-// MUST match minion_hub/src/server/auth/crypto.ts so hub + site interoperate:
-//   key = scryptSync(ENCRYPTION_KEY, 'minion-hub-salt', 32)
-//   ciphertext (hex) = encrypted || authTag   (16-byte tag LAST)
-//   iv (hex) = 12 random bytes, stored separately
-let cachedKey: Buffer | null = null;
-function key(): Buffer {
-  if (cachedKey) return cachedKey;
-  const raw = process.env.ENCRYPTION_KEY;
-  if (!raw) {
-    if (process.env.NODE_ENV === 'production') {
-      throw new Error('ENCRYPTION_KEY environment variable must be set in production');
-    }
-    cachedKey = scryptSync('minion-hub-dev-key', 'minion-hub-salt', 32);
-    return cachedKey;
-  }
-  cachedKey = scryptSync(raw, 'minion-hub-salt', 32);
-  return cachedKey;
-}
-
-/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
-export function sealSecret(plaintext: string): { ciphertext: string; iv: string } {
-  const iv = randomBytes(IV_BYTES);
-  const cipher = createCipheriv(ALGORITHM, key(), iv);
-  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
-  const authTag = cipher.getAuthTag();
-  const combined = Buffer.concat([encrypted, authTag]);
-  return { ciphertext: combined.toString('hex'), iv: iv.toString('hex') };
-}
-
-/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
-export function openSecret(ciphertext: string, iv: string): string {
-  const combined = Buffer.from(ciphertext, 'hex');
-  const encrypted = combined.subarray(0, combined.length - AUTH_TAG_BYTES);
-  const authTag = combined.subarray(combined.length - AUTH_TAG_BYTES);
-  const decipher = createDecipheriv(ALGORITHM, key(), Buffer.from(iv, 'hex'));
-  decipher.setAuthTag(authTag);
-  return decipher.update(encrypted) + decipher.final('utf8');
-}
+// Re-export of the canonical crypto module (../crypto.ts). Kept as a stable
+// subpath for existing importers of the PG identity path; the implementation
+// lives in one place now (R7 of specs/2026-05-26-auth-token-simplification.md).
+export { sealSecret, openSecret } from "../crypto.js";

package/src/schema/flows.ts

@@ -9,4 +9,6 @@ export const flows = sqliteTable('flows', {
   tenantId: text('tenant_id'), // tenant scope — null for pre-migration rows
   createdAt: integer('created_at').notNull(),
   updatedAt: integer('updated_at').notNull(),
+  active: integer('active', { mode: 'boolean' }).notNull().default(false),
+  config: text('config').notNull().default('{}'),
 });