@minion-stack/db 0.3.1 → 0.6.0

package/dist/schema/join-requests.d.ts

@@ -0,0 +1,188 @@
+/**
+ * join_requests — users requesting to join an organization.
+ *
+ * When a user not-yet-in-an-org wants access, they submit a join request.
+ * Org admins review (approve/deny). On approval the user is added as a member.
+ *
+ * Used by:
+ *   - /join page (submission)
+ *   - /api/join-requests/* (listing, counting, review)
+ *   - notifications panel
+ */
+export declare const joinRequests: import("drizzle-orm/sqlite-core").SQLiteTableWithColumns<{
+    name: "join_requests";
+    schema: undefined;
+    columns: {
+        id: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "id";
+            tableName: "join_requests";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        userId: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "user_id";
+            tableName: "join_requests";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        orgId: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "org_id";
+            tableName: "join_requests";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        email: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "email";
+            tableName: "join_requests";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        message: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "message";
+            tableName: "join_requests";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        status: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "status";
+            tableName: "join_requests";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: "pending" | "approved" | "denied";
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: ["pending", "approved", "denied"];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        reviewedBy: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "reviewed_by";
+            tableName: "join_requests";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        reviewedAt: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "reviewed_at";
+            tableName: "join_requests";
+            dataType: "number";
+            columnType: "SQLiteInteger";
+            data: number;
+            driverParam: number;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        createdAt: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "created_at";
+            tableName: "join_requests";
+            dataType: "number";
+            columnType: "SQLiteInteger";
+            data: number;
+            driverParam: number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "sqlite";
+}>;
+export type JoinRequest = typeof joinRequests.$inferSelect;
+export type NewJoinRequest = typeof joinRequests.$inferInsert;
+//# sourceMappingURL=join-requests.d.ts.map

package/dist/schema/join-requests.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"join-requests.d.ts","sourceRoot":"","sources":["../../src/schema/join-requests.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;GAUG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAuBxB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG,OAAO,YAAY,CAAC,YAAY,CAAC;AAC3D,MAAM,MAAM,cAAc,GAAG,OAAO,YAAY,CAAC,YAAY,CAAC"}

package/dist/schema/join-requests.js

@@ -0,0 +1,35 @@
+import { sqliteTable, text, integer, index } from 'drizzle-orm/sqlite-core';
+import { user } from './auth/index.js';
+import { organization } from './auth/index.js';
+/**
+ * join_requests — users requesting to join an organization.
+ *
+ * When a user not-yet-in-an-org wants access, they submit a join request.
+ * Org admins review (approve/deny). On approval the user is added as a member.
+ *
+ * Used by:
+ *   - /join page (submission)
+ *   - /api/join-requests/* (listing, counting, review)
+ *   - notifications panel
+ */
+export const joinRequests = sqliteTable('join_requests', {
+    id: text('id').primaryKey(),
+    userId: text('user_id')
+        .notNull()
+        .references(() => user.id, { onDelete: 'cascade' }),
+    orgId: text('org_id')
+        .notNull()
+        .references(() => organization.id, { onDelete: 'cascade' }),
+    email: text('email').notNull(),
+    message: text('message'),
+    status: text('status', { enum: ['pending', 'approved', 'denied'] })
+        .notNull()
+        .default('pending'),
+    reviewedBy: text('reviewed_by'),
+    reviewedAt: integer('reviewed_at'),
+    createdAt: integer('created_at').notNull(),
+}, (t) => [
+    index('idx_join_requests_user').on(t.userId),
+    index('idx_join_requests_org_status').on(t.orgId, t.status),
+]);
+//# sourceMappingURL=join-requests.js.map

package/dist/schema/join-requests.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"join-requests.js","sourceRoot":"","sources":["../../src/schema/join-requests.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,yBAAyB,CAAC;AAC5E,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAE/C;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,WAAW,CACrC,eAAe,EACf;IACE,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;IAC3B,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC;SACpB,OAAO,EAAE;SACT,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IACrD,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC;SAClB,OAAO,EAAE;SACT,UAAU,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IAC7D,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;IAC9B,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;IACxB,MAAM,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,CAAC;SAChE,OAAO,EAAE;SACT,OAAO,CAAC,SAAS,CAAC;IACrB,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC;IAC/B,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC;IAClC,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;CAC3C,EACD,CAAC,CAAC,EAAE,EAAE,CAAC;IACL,KAAK,CAAC,wBAAwB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;IAC5C,KAAK,CAAC,8BAA8B,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC;CAC5D,CACF,CAAC"}

package/dist/schema/personal-agents.d.ts

@@ -195,7 +195,7 @@ export declare const personalAgents: import("drizzle-orm/sqlite-core").SQLiteTab
             tableName: "personal_agents";
             dataType: "string";
             columnType: "SQLiteText";
-            data: "pending" | "provisioning" | "active" | "error";
+            data: "active" | "error" | "pending" | "provisioning";
             driverParam: string;
             notNull: true;
             hasDefault: true;

package/dist/schema/reliability-events.d.ts

@@ -81,7 +81,7 @@ export declare const reliabilityEvents: import("drizzle-orm/sqlite-core").SQLite
             tableName: "reliability_events";
             dataType: "string";
             columnType: "SQLiteText";
-            data: "general" | "cron" | "browser" | "timezone" | "auth" | "skill" | "agent" | "gateway";
+            data: "general" | "gateway" | "cron" | "browser" | "timezone" | "auth" | "skill" | "agent";
             driverParam: string;
             notNull: true;
             hasDefault: false;

package/dist/schema/skill-execution-stats.d.ts

@@ -119,7 +119,7 @@ export declare const skillExecutionStats: import("drizzle-orm/sqlite-core").SQLi
             tableName: "skill_execution_stats";
             dataType: "string";
             columnType: "SQLiteText";
-            data: "ok" | "error" | "auth_error" | "timeout";
+            data: "ok" | "auth_error" | "timeout" | "error";
             driverParam: string;
             notNull: true;
             hasDefault: false;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@minion-stack/db",
-  "version": "0.3.1",
+  "version": "0.6.0",
   "description": "Drizzle ORM schema for the Minion shared database (LibSQL/Turso).",
   "license": "MIT",
   "repository": {
@@ -28,6 +28,10 @@
       "types": "./dist/pg/schema/index.d.ts",
       "import": "./dist/pg/schema/index.js"
     },
+    "./crypto": {
+      "types": "./dist/crypto.d.ts",
+      "import": "./dist/crypto.js"
+    },
     "./relations": {
       "types": "./dist/relations.d.ts",
       "import": "./dist/relations.js"
@@ -45,24 +49,23 @@
     "src",
     "README.md"
   ],
-  "scripts": {
-    "build": "tsc",
-    "prepublishOnly": "tsc",
-    "typecheck": "tsc --noEmit",
-    "lint": "oxlint src",
-    "db:pg:generate": "drizzle-kit generate --config=drizzle.pg.config.ts",
-    "test": "vitest run"
-  },
   "peerDependencies": {
     "drizzle-orm": ">=0.45.0"
   },
   "devDependencies": {
-    "@minion-stack/tsconfig": "workspace:*",
     "@paralleldrive/cuid2": "^3.3.0",
     "drizzle-kit": "^0.31.9",
     "drizzle-orm": "^0.45.1",
     "oxlint": "^1.66.0",
     "typescript": "^5.0.0",
-    "vitest": "^2.1.9"
+    "vitest": "^2.1.9",
+    "@minion-stack/tsconfig": "0.1.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "typecheck": "tsc --noEmit",
+    "lint": "oxlint src",
+    "db:pg:generate": "drizzle-kit generate --config=drizzle.pg.config.ts",
+    "test": "vitest run"
   }
-}
+}

package/src/crypto.test.ts

@@ -0,0 +1,33 @@
+import { describe, it, expect } from "vitest";
+import {
+  sealSecret,
+  openSecret,
+  encrypt,
+  decrypt,
+  encryptToken,
+  decryptToken,
+} from "./crypto.js";
+
+describe("canonical crypto", () => {
+  it("seal/open roundtrips", () => {
+    const { ciphertext, iv } = sealSecret("hunter2");
+    expect(ciphertext).not.toContain("hunter2");
+    expect(openSecret(ciphertext, iv)).toBe("hunter2");
+  });
+
+  it("encrypt/decrypt are aliases of seal/open", () => {
+    const { ciphertext, iv } = encrypt("s3cret");
+    expect(decrypt(ciphertext, iv)).toBe("s3cret");
+  });
+
+  it("encryptToken returns { encrypted, iv } and decryptToken roundtrips", () => {
+    const { encrypted, iv } = encryptToken("tok-abc");
+    expect(decryptToken(encrypted, iv)).toBe("tok-abc");
+  });
+
+  it("openSecret throws on a tampered ciphertext (GCM auth)", () => {
+    const { ciphertext, iv } = sealSecret("x");
+    const tampered = (ciphertext[0] === "a" ? "b" : "a") + ciphertext.slice(1);
+    expect(() => openSecret(tampered, iv)).toThrow();
+  });
+});

package/src/crypto.ts

@@ -0,0 +1,73 @@
+// Canonical app-level secret encryption for the Minion stack (R7 of
+// specs/2026-05-26-auth-token-simplification.md). AES-256-GCM, dialect-agnostic
+// — consumed by the PG identity path (sealSecret/openSecret) and re-exported by
+// minion_hub's crypto.ts (encrypt/decrypt/encryptToken/decryptToken) so there is
+// ONE implementation and one key-derivation path instead of byte-matched copies.
+//
+// Layout (MUST stay stable — existing ciphertext at rest depends on it):
+//   key        = scryptSync(ENCRYPTION_KEY, 'minion-hub-salt', 32)
+//   ciphertext = hex(encrypted || authTag)   (16-byte GCM tag LAST)
+//   iv         = hex(12 random bytes), stored separately
+
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";
+
+const ALGORITHM = "aes-256-gcm";
+const IV_BYTES = 12;
+const AUTH_TAG_BYTES = 16;
+
+let cachedKey: Buffer | null = null;
+function key(): Buffer {
+  if (cachedKey) return cachedKey;
+  const raw = process.env.ENCRYPTION_KEY;
+  if (!raw) {
+    if (process.env.NODE_ENV === "production") {
+      throw new Error("ENCRYPTION_KEY environment variable must be set in production");
+    }
+    // Dev-only fallback — never used in production.
+    cachedKey = scryptSync("minion-hub-dev-key", "minion-hub-salt", 32);
+    return cachedKey;
+  }
+  cachedKey = scryptSync(raw, "minion-hub-salt", 32);
+  return cachedKey;
+}
+
+/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
+export function sealSecret(plaintext: string): { ciphertext: string; iv: string } {
+  const iv = randomBytes(IV_BYTES);
+  const cipher = createCipheriv(ALGORITHM, key(), iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  const combined = Buffer.concat([encrypted, authTag]);
+  return { ciphertext: combined.toString("hex"), iv: iv.toString("hex") };
+}
+
+/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
+export function openSecret(ciphertext: string, iv: string): string {
+  const combined = Buffer.from(ciphertext, "hex");
+  const encrypted = combined.subarray(0, combined.length - AUTH_TAG_BYTES);
+  const authTag = combined.subarray(combined.length - AUTH_TAG_BYTES);
+  const decipher = createDecipheriv(ALGORITHM, key(), Buffer.from(iv, "hex"));
+  decipher.setAuthTag(authTag);
+  return decipher.update(encrypted) + decipher.final("utf8");
+}
+
+// --- minion_hub-compatible aliases -------------------------------------------
+// Hub's crypto.ts historically exported these names; keeping them lets hub become
+// a thin re-export of this module without touching its many call sites.
+
+/** Alias of {@link sealSecret}. */
+export const encrypt = sealSecret;
+
+/** Alias of {@link openSecret}. */
+export const decrypt = openSecret;
+
+/** Seal a token → { encrypted, iv } (hub's field name for the ciphertext). */
+export function encryptToken(token: string): { encrypted: string; iv: string } {
+  const { ciphertext, iv } = sealSecret(token);
+  return { encrypted: ciphertext, iv };
+}
+
+/** Open a sealed token. */
+export function decryptToken(encrypted: string, iv: string): string {
+  return openSecret(encrypted, iv);
+}

package/src/pg/crypto.ts

@@ -1,44 +1,4 @@
-import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';
-
-const ALGORITHM = 'aes-256-gcm';
-const IV_BYTES = 12;
-const AUTH_TAG_BYTES = 16;
-
-// MUST match minion_hub/src/server/auth/crypto.ts so hub + site interoperate:
-//   key = scryptSync(ENCRYPTION_KEY, 'minion-hub-salt', 32)
-//   ciphertext (hex) = encrypted || authTag   (16-byte tag LAST)
-//   iv (hex) = 12 random bytes, stored separately
-let cachedKey: Buffer | null = null;
-function key(): Buffer {
-  if (cachedKey) return cachedKey;
-  const raw = process.env.ENCRYPTION_KEY;
-  if (!raw) {
-    if (process.env.NODE_ENV === 'production') {
-      throw new Error('ENCRYPTION_KEY environment variable must be set in production');
-    }
-    cachedKey = scryptSync('minion-hub-dev-key', 'minion-hub-salt', 32);
-    return cachedKey;
-  }
-  cachedKey = scryptSync(raw, 'minion-hub-salt', 32);
-  return cachedKey;
-}
-
-/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
-export function sealSecret(plaintext: string): { ciphertext: string; iv: string } {
-  const iv = randomBytes(IV_BYTES);
-  const cipher = createCipheriv(ALGORITHM, key(), iv);
-  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
-  const authTag = cipher.getAuthTag();
-  const combined = Buffer.concat([encrypted, authTag]);
-  return { ciphertext: combined.toString('hex'), iv: iv.toString('hex') };
-}
-
-/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
-export function openSecret(ciphertext: string, iv: string): string {
-  const combined = Buffer.from(ciphertext, 'hex');
-  const encrypted = combined.subarray(0, combined.length - AUTH_TAG_BYTES);
-  const authTag = combined.subarray(combined.length - AUTH_TAG_BYTES);
-  const decipher = createDecipheriv(ALGORITHM, key(), Buffer.from(iv, 'hex'));
-  decipher.setAuthTag(authTag);
-  return decipher.update(encrypted) + decipher.final('utf8');
-}
+// Re-export of the canonical crypto module (../crypto.ts). Kept as a stable
+// subpath for existing importers of the PG identity path; the implementation
+// lives in one place now (R7 of specs/2026-05-26-auth-token-simplification.md).
+export { sealSecret, openSecret } from "../crypto.js";

package/src/pg/schema/agent-groups.ts

@@ -0,0 +1,30 @@
+import { pgTable, uuid, text, integer, timestamp, index, primaryKey } from 'drizzle-orm/pg-core';
+import { profiles } from './profiles.js';
+
+/** User-defined agent groupings. Mirrors Turso `agent_groups`. user_id → profile_id, tenant_id → organizations.id. */
+export const agentGroups = pgTable(
+  'agent_groups',
+  {
+    id: text('id').primaryKey(),
+    profileId: uuid('profile_id')
+      .notNull()
+      .references(() => profiles.id, { onDelete: 'cascade' }),
+    tenantId: uuid('tenant_id').notNull(),
+    name: text('name').notNull(),
+    sortOrder: integer('sort_order').default(0),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+  },
+  (t) => [index('idx_agent_groups_profile').on(t.profileId, t.tenantId)],
+);
+
+export const agentGroupMembers = pgTable(
+  'agent_group_members',
+  {
+    groupId: text('group_id')
+      .notNull()
+      .references(() => agentGroups.id, { onDelete: 'cascade' }),
+    agentId: text('agent_id').notNull(),
+    sortOrder: integer('sort_order').default(0),
+  },
+  (t) => [primaryKey({ columns: [t.groupId, t.agentId] })],
+);