@openparachute/hub 0.5.7 → 0.5.10-rc.2

package/src/install-source.ts

@@ -0,0 +1,291 @@
+/**
+ * Detects where each service is *running from* — bun-linked against a local
+ * checkout, or installed from npm — so `parachute status` can surface the
+ * provenance alongside version/health.
+ *
+ * Motivation: hub#243. After a bun-linked rebuild, `services.json`'s cached
+ * `version` field can lag the live `package.json` version, and the operator
+ * has no way to spot the drift from `status` output alone. Surfacing
+ * install-source + a STALE flag turns a three-step diagnosis into one
+ * glance.
+ *
+ * Pure read path: filesystem + (optional) one-shot `git rev-parse` per
+ * service. No network. Every external dependency is injectable via the
+ * Deps bag so tests don't touch real bun-globals or git.
+ */
+import { execFileSync } from "node:child_process";
+import { readFileSync, realpathSync } from "node:fs";
+import { homedir } from "node:os";
+import { dirname, join, resolve } from "node:path";
+import { FIRST_PARTY_FALLBACKS, shortNameForManifest } from "./service-spec.ts";
+
+export type InstallSourceKind = "bun-linked" | "npm" | "unknown";
+
+export interface InstallSource {
+  readonly kind: InstallSourceKind;
+  /**
+   * Absolute path to the source checkout (bun-linked) or the installed
+   * package dir under bun globals (npm). Undefined when `kind === "unknown"`.
+   */
+  readonly path?: string;
+  /** Short git HEAD hash for bun-linked sources where the path is a git repo. */
+  readonly gitHead?: string;
+  /**
+   * Version from the live `package.json` at `path`. For bun-linked sources
+   * this can differ from the entry's cached `services.json.version` — that's
+   * the drift case we surface.
+   */
+  readonly livePackageVersion?: string;
+}
+
+export interface DetectInstallSourceDeps {
+  /**
+   * Returns the absolute path the bun-global symlink for `packageName` points
+   * at, or null if no symlink/install exists at any known prefix. Mirrors
+   * `defaultLinkedPath` in commands/install.ts so the contracts stay aligned.
+   */
+  readonly resolveBunGlobal?: (packageName: string) => string | null;
+  /** Returns the bun-global node_modules prefixes to consider "npm-installed". */
+  readonly bunGlobalPrefixes?: () => readonly string[];
+  /** Reads + parses a JSON file. Test seam — keeps the module synchronously testable. */
+  readonly readJson?: (path: string) => unknown;
+  /** Returns the short git HEAD at `path`, or undefined if unavailable. */
+  readonly readGitHead?: (path: string) => string | undefined;
+}
+
+export function bunGlobalPrefixes(): readonly string[] {
+  const prefixes: string[] = [];
+  const fromEnv = process.env.BUN_INSTALL;
+  if (fromEnv) prefixes.push(join(fromEnv, "install", "global", "node_modules"));
+  prefixes.push(join(homedir(), ".bun", "install", "global", "node_modules"));
+  return prefixes;
+}
+
+export function defaultResolveBunGlobal(packageName: string): string | null {
+  for (const prefix of bunGlobalPrefixes()) {
+    const pkgJson = join(prefix, ...packageName.split("/"), "package.json");
+    try {
+      return dirname(realpathSync(pkgJson));
+    } catch {
+      // Try the next prefix.
+    }
+  }
+  return null;
+}
+
+export function defaultReadJson(path: string): unknown {
+  return JSON.parse(readFileSync(path, "utf8"));
+}
+
+export function defaultReadGitHead(path: string): string | undefined {
+  try {
+    const out = execFileSync("git", ["-C", path, "rev-parse", "--short", "HEAD"], {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"],
+      timeout: 1500,
+    });
+    const head = out.trim();
+    return head.length > 0 ? head : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+/**
+ * True when `candidate` is under one of the bun-global prefixes. Both sides
+ * are realpath'd so symlinks in `candidate` (or in a parent of the prefix)
+ * don't make us miss the match. Used to classify "is this installed in bun
+ * globals" vs "is this a separate checkout that bun-link points at."
+ */
+function isUnderBunGlobals(candidate: string, prefixes: readonly string[]): boolean {
+  let cand: string;
+  try {
+    cand = realpathSync(candidate);
+  } catch {
+    cand = resolve(candidate);
+  }
+  for (const prefix of prefixes) {
+    let pre: string;
+    try {
+      pre = realpathSync(prefix);
+    } catch {
+      pre = resolve(prefix);
+    }
+    if (cand === pre) return true;
+    const withSep = pre.endsWith("/") ? pre : `${pre}/`;
+    if (cand.startsWith(withSep)) return true;
+  }
+  return false;
+}
+
+function packageNameFor(entryName: string): string | undefined {
+  const short = shortNameForManifest(entryName);
+  if (short !== undefined) {
+    const fb = FIRST_PARTY_FALLBACKS[short];
+    if (fb) return fb.package;
+  }
+  return undefined;
+}
+
+function readVersion(packageDir: string, readJson: (p: string) => unknown): string | undefined {
+  try {
+    const parsed = readJson(join(packageDir, "package.json"));
+    if (parsed && typeof parsed === "object") {
+      const v = (parsed as Record<string, unknown>).version;
+      if (typeof v === "string" && v.length > 0) return v;
+    }
+  } catch {
+    // package.json missing / malformed — leave undefined so the caller can
+    // still report kind without inventing a version.
+  }
+  return undefined;
+}
+
+export interface DetectArgs {
+  /** The services.json row name (`parachute-vault`, `agent`, etc.). */
+  readonly entryName: string;
+  /** Absolute install dir from services.json, when known. */
+  readonly installDir?: string;
+}
+
+/**
+ * Classify a service's install source. Pure: no network, single optional
+ * `git rev-parse` shell-out (mock via `readGitHead` in tests).
+ *
+ * Resolution order:
+ *   1. If `installDir` is set: realpath + compare against bun globals. Under
+ *      globals → `npm`; anywhere else → `bun-linked`.
+ *   2. Else, if we can map the entry to a first-party package name: look up
+ *      the bun-global symlink target. Bare `bun add -g <pkg>` lands under
+ *      bun globals → `npm`; `bun link` lands somewhere else → `bun-linked`.
+ *   3. Else: `unknown` — third-party rows missing `installDir` (legacy
+ *      manifest from before installDir stamping) fall here. They should be
+ *      rare and the operator's signal is "re-install to refresh."
+ */
+export function detectInstallSource(
+  args: DetectArgs,
+  deps: DetectInstallSourceDeps = {},
+): InstallSource {
+  const resolveBunGlobal = deps.resolveBunGlobal ?? defaultResolveBunGlobal;
+  const prefixes = deps.bunGlobalPrefixes ?? bunGlobalPrefixes;
+  const readJson = deps.readJson ?? defaultReadJson;
+  const readGitHead = deps.readGitHead ?? defaultReadGitHead;
+
+  const candidate =
+    args.installDir ??
+    (() => {
+      const pkg = packageNameFor(args.entryName);
+      return pkg ? resolveBunGlobal(pkg) : null;
+    })();
+
+  if (!candidate) return { kind: "unknown" };
+
+  let resolvedPath: string;
+  try {
+    resolvedPath = realpathSync(candidate);
+  } catch {
+    resolvedPath = resolve(candidate);
+  }
+
+  const underGlobals = isUnderBunGlobals(resolvedPath, prefixes());
+  const livePackageVersion = readVersion(resolvedPath, readJson);
+
+  if (underGlobals) {
+    return {
+      kind: "npm",
+      path: resolvedPath,
+      ...(livePackageVersion !== undefined && { livePackageVersion }),
+    };
+  }
+
+  const gitHead = readGitHead(resolvedPath);
+  return {
+    kind: "bun-linked",
+    path: resolvedPath,
+    ...(livePackageVersion !== undefined && { livePackageVersion }),
+    ...(gitHead !== undefined && { gitHead }),
+  };
+}
+
+/**
+ * Detect the hub's own install source from the running process. The hub
+ * doesn't have a services.json row of its own, but `parachute status` still
+ * surfaces a row for it — so the same SOURCE column has to render. We
+ * climb from `import.meta.dir` (the location of the running source files)
+ * to the nearest `package.json`, then classify that path the same way we
+ * classify a service's `installDir`.
+ *
+ * `srcDir` is injectable so tests can drive the function without depending
+ * on `import.meta.dir` (which points at the test file, not at hub source).
+ */
+export function detectHubInstallSource(
+  srcDir: string,
+  deps: DetectInstallSourceDeps = {},
+): InstallSource {
+  // `import.meta.dir` is `<pkgDir>/src` in normal layouts.
+  const pkgDir = findNearestPackageDir(srcDir, deps.readJson ?? defaultReadJson);
+  if (!pkgDir) return { kind: "unknown" };
+  return detectInstallSource({ entryName: "parachute-hub", installDir: pkgDir }, deps);
+}
+
+function findNearestPackageDir(
+  start: string,
+  readJson: (p: string) => unknown,
+): string | undefined {
+  let current = resolve(start);
+  for (let i = 0; i < 16; i++) {
+    try {
+      readJson(join(current, "package.json"));
+      return current;
+    } catch {
+      // No package.json here — climb.
+    }
+    const parent = dirname(current);
+    if (parent === current) return undefined;
+    current = parent;
+  }
+  return undefined;
+}
+
+/**
+ * True when an entry's cached `services.json` version differs from the live
+ * `package.json` version at its bun-linked path. The single drift case the
+ * operator can act on — `parachute upgrade <svc>` for the bun-linked path
+ * doesn't refresh `services.json` on rebuild, so a freshly-built source can
+ * still report the pre-rebuild version through status.
+ *
+ * Only meaningful for `kind === "bun-linked"`. NPM-installed services
+ * don't have a "live" source separate from the cached version.
+ */
+export function isStale(entryVersion: string, source: InstallSource): boolean {
+  if (source.kind !== "bun-linked") return false;
+  if (!source.livePackageVersion) return false;
+  return source.livePackageVersion !== entryVersion;
+}
+
+/**
+ * Compact `SOURCE` cell label for the status table. Verbose-friendly, never
+ * wider than ~50 chars on typical inputs.
+ *
+ *   bun-linked: `bun-linked → <basename> @ <head>`     (head is the git short SHA)
+ *   npm:        `npm (0.3.15-rc.1)` / `npm`            (version when known)
+ *   unknown:    `unknown`
+ *
+ * The continuation `STALE` indicator is a separate line in the status
+ * renderer — keeps the column narrow.
+ */
+export function formatInstallSourceLabel(source: InstallSource): string {
+  if (source.kind === "bun-linked") {
+    const basename = source.path
+      ? (source.path.split("/").filter(Boolean).pop() ?? source.path)
+      : undefined;
+    if (basename && source.gitHead) return `bun-linked → ${basename} @ ${source.gitHead}`;
+    if (basename) return `bun-linked → ${basename}`;
+    return "bun-linked";
+  }
+  if (source.kind === "npm") {
+    if (source.livePackageVersion) return `npm (${source.livePackageVersion})`;
+    return "npm";
+  }
+  return "unknown";
+}

package/src/jwt-sign.ts

@@ -51,10 +51,18 @@ export interface SignAccessTokenOpts {
   jti?: string;
   /**
    * Override the default 15-minute access-token TTL. Long-lived tokens
-   * (operator-token, ~1y) pass an explicit value here.
+   * (operator-token, ~90d) pass an explicit value here.
    */
   ttlSeconds?: number;
   now?: () => Date;
+  /**
+   * Extra JWT claims merged into the payload. Used by operator-token to embed
+   * `pa_scope_set` (which scope-set the token was minted under) so an
+   * auto-rotation can preserve the operator's chosen narrowing across mints.
+   * Reserved claims (`scope`, `client_id`, `sub`, `iss`, `iat`, `exp`, `aud`,
+   * `jti`) are owned by this function and overwritten if passed here.
+   */
+  extraClaims?: Record<string, unknown>;
 }
 
 export interface SignedAccessToken {
@@ -74,6 +82,7 @@ export async function signAccessToken(
   const iat = Math.floor(nowMs / 1000);
   const exp = iat + (opts.ttlSeconds ?? ACCESS_TOKEN_TTL_SECONDS);
   const token = await new SignJWT({
+    ...(opts.extraClaims ?? {}),
     scope: opts.scopes.join(" "),
     client_id: opts.clientId,
   })
@@ -104,6 +113,15 @@ export interface SignRefreshTokenOpts {
   now?: () => Date;
 }
 
+/**
+ * Provenance of a `tokens` row — which mint path wrote it. Drives the
+ * unified token registry semantics introduced in v6 (hub#212 Phase 1):
+ * one table for refresh tokens, one for CLI-minted access tokens, one
+ * for operator tokens. Different mint paths = different rows; revocation
+ * lookup + revocation list are uniform across all of them.
+ */
+export type TokenCreatedVia = "oauth_refresh" | "cli_mint" | "operator_mint";
+
 export interface SignedRefreshToken {
   /** Opaque token to return to the client. NOT recoverable from the DB. */
   token: string;
@@ -138,8 +156,8 @@ export function signRefreshToken(db: Database, opts: SignRefreshTokenOpts): Sign
   const familyId = opts.familyId ?? randomUUID();
   try {
     db.prepare(
-      `INSERT INTO tokens (jti, user_id, client_id, scopes, refresh_token_hash, family_id, expires_at, created_at)
-       VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+      `INSERT INTO tokens (jti, user_id, client_id, scopes, refresh_token_hash, family_id, expires_at, created_at, created_via)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, 'oauth_refresh')`,
     ).run(
       opts.jti,
       opts.userId,
@@ -159,6 +177,208 @@ export function signRefreshToken(db: Database, opts: SignRefreshTokenOpts): Sign
   return { token, refreshTokenHash, familyId, expiresAt };
 }
 
+export interface RecordTokenMintOpts {
+  /** Same as the issued JWT's jti — keys the row. */
+  jti: string;
+  /** Provenance tag — drives admin UI grouping and the registry semantics. */
+  createdVia: Exclude<TokenCreatedVia, "oauth_refresh">;
+  /** Subject identity for non-user mints. Operator-mint rows pass "operator"; service-mint rows pass the service short name. */
+  subject: string;
+  /** Optional user_id when the mint was performed against a hub user (the mint-token CLI flow defaults to the operator's user). NULL for purely service-tied mints. */
+  userId?: string;
+  clientId: string;
+  scopes: string[];
+  /** ISO-8601 expiry. Same value as the JWT's `exp`. */
+  expiresAt: string;
+  /** Optional JSON-encoded permissions claim (per auth-architecture-shape.md §11.3). */
+  permissions?: string;
+  now?: () => Date;
+}
+
+/**
+ * Write a `tokens` row for a non-OAuth-refresh mint. The OAuth refresh
+ * path goes through `signRefreshToken` (which already inserts); this path
+ * is for CLI mint-token, the new POST /api/auth/mint-token endpoint, and
+ * operator-token mints (rotate-operator + the auto-rotation helper from
+ * #213).
+ *
+ * Every issued JWT must have a row in this table going forward — that's
+ * the contract the revocation list endpoint depends on. Pre-Phase-1
+ * tokens (already issued before this migration) are unregistered but
+ * harmless: they expire on their own (15-min access tokens drained
+ * within the hour; 365d operator tokens cap at their original expiry,
+ * with the new 90d auto-rotation taking over once an operator runs the
+ * CLI again).
+ */
+export function recordTokenMint(db: Database, opts: RecordTokenMintOpts): void {
+  const now = opts.now?.() ?? new Date();
+  try {
+    db.prepare(
+      `INSERT INTO tokens (
+        jti, user_id, client_id, scopes, expires_at, created_at,
+        permissions, created_via, subject
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+    ).run(
+      opts.jti,
+      opts.userId ?? null,
+      opts.clientId,
+      opts.scopes.join(" "),
+      opts.expiresAt,
+      now.toISOString(),
+      opts.permissions ?? null,
+      opts.createdVia,
+      opts.subject,
+    );
+  } catch (err) {
+    throw new RefreshTokenInsertError(
+      `failed to insert token registry row (jti=${opts.jti}, created_via=${opts.createdVia}): ${err instanceof Error ? err.message : String(err)}`,
+      err,
+    );
+  }
+}
+
+/**
+ * Mark a `tokens` row revoked by jti. Idempotent: a row already revoked
+ * keeps its existing `revoked_at`. Returns true when a row was updated
+ * (was un-revoked before), false when no row matches or the row was
+ * already revoked. Used by the new admin revoke path, the operator-mint
+ * rotation cleanup, and any future explicit-revoke surface.
+ */
+export function revokeTokenByJti(db: Database, jti: string, now: Date): boolean {
+  const res = db
+    .prepare("UPDATE tokens SET revoked_at = ? WHERE jti = ? AND revoked_at IS NULL")
+    .run(now.toISOString(), jti);
+  return Number(res.changes) > 0;
+}
+
+/**
+ * Snapshot of currently-revoked-and-not-yet-expired jtis. Powers the
+ * `/.well-known/parachute-revocation.json` endpoint. Already-expired jtis
+ * are filtered out (no need to advertise the obvious — every consumer
+ * checks `exp` itself; the revocation list exists for *unexpired*
+ * tokens whose validity got cut short).
+ */
+export function listActiveRevocations(db: Database, now: Date): string[] {
+  const rows = db
+    .query<{ jti: string }, [string]>(
+      "SELECT jti FROM tokens WHERE revoked_at IS NOT NULL AND expires_at > ? ORDER BY jti",
+    )
+    .all(now.toISOString());
+  return rows.map((r) => r.jti);
+}
+
+/**
+ * Filter for `listTokens`. `revoked` defaults to "all"; `subject` matches
+ * either the OAuth `user_id` or the non-OAuth `subject` column (so the
+ * caller doesn't need to know which mint path created the row to filter
+ * by identity); `createdVia` narrows by mint provenance (OAuth refresh,
+ * operator-token mint, CLI / api-mint-token).
+ */
+export interface ListTokensFilter {
+  revoked?: "true" | "false" | "all";
+  subject?: string;
+  createdVia?: TokenCreatedVia;
+}
+
+/**
+ * Cursor-paginated list of `tokens` rows. Powers `GET /api/auth/tokens` and
+ * the future admin UI's list view.
+ *
+ * Order is `created_at DESC, jti DESC` (newest-first; jti tiebreaks for
+ * the rare case where two rows share a created_at, which can happen in
+ * tests or under burst issuance). The cursor is an opaque base64 of the
+ * `(created_at, jti)` composite from the previous page's last row;
+ * pagination resumes "strictly older than that pair." Page size is a
+ * hardcoded 50 — see in-function comment on the `limit` constant.
+ *
+ * Returns the page rows plus a `nextCursor` if more rows exist (we
+ * fetch `limit + 1` and detect the trailing row, avoiding a second
+ * round-trip just to ask "is there more?").
+ */
+export interface ListTokensPage {
+  rows: RefreshTokenRow[];
+  nextCursor: string | null;
+}
+
+/** Page size. Hardcoded for now — see comment in `listTokens`. */
+const LIST_TOKENS_PAGE_SIZE = 50;
+
+export function listTokens(
+  db: Database,
+  opts: { filter?: ListTokensFilter; cursor?: string | null } = {},
+): ListTokensPage {
+  // Page size is intentionally a hardcoded constant rather than an opt. The
+  // sole consumer (admin UI list view) doesn't need configurable pagination,
+  // and adding the seam invites consumers to pass arbitrary values that we'd
+  // then have to clamp + validate. When a real second consumer surfaces
+  // (e.g. a CLI `auth list-tokens` command), wire `?limit=N` then.
+  const limit = LIST_TOKENS_PAGE_SIZE;
+  const filter = opts.filter ?? {};
+
+  // Cursor decode. Malformed cursors are treated as "no cursor" rather
+  // than 400ing — the SPA may pass a stale cursor across reloads, and a
+  // silent reset to page 1 is the friendliest fallback. (If we ever need
+  // strict cursor validation for security reasons, this is the seam.)
+  let cursorCreatedAt: string | undefined;
+  let cursorJti: string | undefined;
+  if (opts.cursor) {
+    try {
+      const decoded = JSON.parse(Buffer.from(opts.cursor, "base64").toString("utf8")) as {
+        created_at?: unknown;
+        jti?: unknown;
+      };
+      if (typeof decoded.created_at === "string" && typeof decoded.jti === "string") {
+        cursorCreatedAt = decoded.created_at;
+        cursorJti = decoded.jti;
+      }
+    } catch {
+      // ignore — silent reset to page 1
+    }
+  }
+
+  const wheres: string[] = [];
+  const params: (string | number)[] = [];
+  if (filter.revoked === "true") {
+    wheres.push("revoked_at IS NOT NULL");
+  } else if (filter.revoked === "false") {
+    wheres.push("revoked_at IS NULL");
+  }
+  if (typeof filter.subject === "string" && filter.subject.length > 0) {
+    wheres.push("(user_id = ? OR subject = ?)");
+    params.push(filter.subject, filter.subject);
+  }
+  if (filter.createdVia) {
+    wheres.push("created_via = ?");
+    params.push(filter.createdVia);
+  }
+  if (cursorCreatedAt !== undefined && cursorJti !== undefined) {
+    // "strictly older than (cursor.created_at, cursor.jti)" under the
+    // composite ORDER BY created_at DESC, jti DESC. SQLite supports
+    // tuple comparison via parens.
+    wheres.push("(created_at, jti) < (?, ?)");
+    params.push(cursorCreatedAt, cursorJti);
+  }
+
+  const whereSql = wheres.length > 0 ? `WHERE ${wheres.join(" AND ")}` : "";
+  const sql = `SELECT * FROM tokens ${whereSql} ORDER BY created_at DESC, jti DESC LIMIT ?`;
+  params.push(limit + 1); // fetch one extra to detect "more pages"
+
+  const rows = db.query<TokenRowDb, (string | number)[]>(sql).all(...params);
+  const hasMore = rows.length > limit;
+  const pageRows = (hasMore ? rows.slice(0, limit) : rows).map(rowToRefreshToken);
+
+  let nextCursor: string | null = null;
+  if (hasMore && pageRows.length > 0) {
+    const last = pageRows[pageRows.length - 1]!;
+    nextCursor = Buffer.from(
+      JSON.stringify({ created_at: last.createdAt, jti: last.jti }),
+      "utf8",
+    ).toString("base64");
+  }
+
+  return { rows: pageRows, nextCursor };
+}
+
 export interface ValidatedAccessToken {
   payload: JWTPayload;
   kid: string;
@@ -209,9 +429,29 @@ export async function validateAccessToken(
  * decides what to do with `revokedAt` — the rotation path treats a revoked
  * row as theft (RFC 6819 §5.2.2.3).
  */
+/**
+ * Generic shape of a `tokens` row, post-v6. Covers OAuth refresh tokens
+ * (`createdVia === "oauth_refresh"`, `userId` set, `subject` null) and
+ * the new non-OAuth mint paths (`createdVia === "cli_mint" |
+ * "operator_mint"`, may have `userId` set if minted against a hub user,
+ * `subject` always set to the operator/service name).
+ *
+ * `identity` is the canonical "who is this token for" — `userId ??
+ * subject`. Use it when you don't care about the OAuth-vs-non distinction.
+ */
 export interface RefreshTokenRow {
   jti: string;
-  userId: string;
+  /**
+   * Hub user id when the row was OAuth-issued or minted against a hub
+   * user. Null for service-tied mints (where `subject` carries the
+   * service name).
+   */
+  userId: string | null;
+  /**
+   * Non-user subject: operator name, service short name, agent id. Null
+   * for OAuth refresh-token rows (those use `userId` directly).
+   */
+  subject: string | null;
   clientId: string;
   scopes: string[];
   /** Family identifier — shared across rotated descendants (#73). */
@@ -219,29 +459,49 @@ export interface RefreshTokenRow {
   expiresAt: string;
   revokedAt: string | null;
   createdAt: string;
+  /** Provenance tag — drives admin UI grouping. v6 onward this is set on every row. */
+  createdVia: TokenCreatedVia;
+  /** JSON-encoded fine-grained constraints (auth-architecture-shape.md §11.3). */
+  permissions: string | null;
+}
+
+/**
+ * Convenience: returns the canonical identity string for a tokens row,
+ * collapsing the OAuth-vs-non-OAuth distinction. OAuth rows return
+ * `userId`; CLI/operator-minted rows return `subject`. At least one is
+ * always set post-v6.
+ */
+export function tokenRowIdentity(row: RefreshTokenRow): string {
+  return row.userId ?? row.subject ?? "";
 }
 
 interface TokenRowDb {
   jti: string;
-  user_id: string;
+  user_id: string | null;
   client_id: string;
   scopes: string;
   family_id: string | null;
   expires_at: string;
   revoked_at: string | null;
   created_at: string;
+  permissions: string | null;
+  created_via: string;
+  subject: string | null;
 }
 
 function rowToRefreshToken(row: TokenRowDb): RefreshTokenRow {
   return {
     jti: row.jti,
     userId: row.user_id,
+    subject: row.subject,
     clientId: row.client_id,
     scopes: row.scopes.split(" ").filter((s) => s.length > 0),
     familyId: row.family_id ?? row.jti,
     expiresAt: row.expires_at,
     revokedAt: row.revoked_at,
     createdAt: row.created_at,
+    createdVia: (row.created_via as TokenCreatedVia) ?? "oauth_refresh",
+    permissions: row.permissions,
   };
 }