@opentrust/db 7.1.0

package/dist/client.d.ts

@@ -0,0 +1,3 @@
+export declare const db: any;
+export type Database = any;
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAgEA,eAAO,MAAM,EAAE,EAAE,GAAsB,CAAC;AACxC,MAAM,MAAM,QAAQ,GAAG,GAAG,CAAC"}

package/dist/client.js

@@ -0,0 +1,51 @@
+import { config } from "dotenv";
+import { resolve, dirname, join } from "path";
+import { mkdirSync, existsSync } from "fs";
+import { fileURLToPath } from "url";
+import { getDialect } from "./dialect.js";
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+// Load .env from project root if DATABASE_URL is not already set
+if (!process.env.DATABASE_URL && !process.env.DB_DIALECT) {
+    config({ path: resolve(__dirname, "../../../.env") });
+}
+const dialect = getDialect();
+// Database path configuration:
+// - DASHBOARD_DATA_DIR: directory for data files (default: dashboard/data)
+// - DATABASE_URL: full path to SQLite file (overrides DASHBOARD_DATA_DIR for SQLite)
+function getDefaultDbPath() {
+    const dataDir = process.env.DASHBOARD_DATA_DIR || resolve(__dirname, "../../../data");
+    return join(dataDir, "dashboard.db");
+}
+async function createDb() {
+    if (dialect === "sqlite") {
+        const { default: Database } = await import("better-sqlite3");
+        const { drizzle } = await import("drizzle-orm/better-sqlite3");
+        const schema = await import("./schema/sqlite.js");
+        const rawUrl = process.env.DATABASE_URL || getDefaultDbPath();
+        const dbPath = rawUrl.replace(/^file:/, "");
+        // Ensure directory exists
+        const dir = dirname(dbPath);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+        const sqlite = new Database(dbPath);
+        sqlite.pragma("journal_mode = WAL");
+        sqlite.pragma("foreign_keys = ON");
+        return drizzle(sqlite, { schema });
+    }
+    if (dialect === "mysql") {
+        const mysql2 = await import("mysql2/promise");
+        const { drizzle } = await import("drizzle-orm/mysql2");
+        const schema = await import("./schema/mysql.js");
+        const pool = mysql2.createPool(process.env.DATABASE_URL);
+        return drizzle(pool, { schema, mode: "default" });
+    }
+    // postgresql (default)
+    const pg = await import("postgres");
+    const { drizzle } = await import("drizzle-orm/postgres-js");
+    const schema = await import("./schema/pg.js");
+    const queryClient = pg.default(process.env.DATABASE_URL);
+    return drizzle(queryClient, { schema });
+}
+export const db = await createDb();

package/dist/dialect.d.ts

@@ -0,0 +1,3 @@
+export type Dialect = "sqlite" | "mysql" | "postgresql";
+export declare function getDialect(): Dialect;
+//# sourceMappingURL=dialect.d.ts.map

package/dist/dialect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dialect.d.ts","sourceRoot":"","sources":["../src/dialect.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,OAAO,GAAG,QAAQ,GAAG,OAAO,GAAG,YAAY,CAAC;AAExD,wBAAgB,UAAU,IAAI,OAAO,CAUpC"}

package/dist/dialect.js

@@ -0,0 +1,12 @@
+export function getDialect() {
+    const explicit = process.env.DB_DIALECT;
+    if (explicit === "sqlite" || explicit === "mysql" || explicit === "postgresql") {
+        return explicit;
+    }
+    const url = process.env.DATABASE_URL || "";
+    if (url.startsWith("mysql://") || url.startsWith("mysql2://"))
+        return "mysql";
+    if (url.startsWith("postgres://") || url.startsWith("postgresql://"))
+        return "postgresql";
+    return "sqlite";
+}

package/dist/generate.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=generate.d.ts.map

package/dist/generate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate.d.ts","sourceRoot":"","sources":["../src/generate.ts"],"names":[],"mappings":""}

package/dist/generate.js

@@ -0,0 +1,20 @@
+import { config } from "dotenv";
+import { resolve, dirname } from "path";
+import { fileURLToPath } from "url";
+import { execSync } from "child_process";
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+config({ path: resolve(__dirname, "../../../.env") });
+const { getDialect } = await import("./dialect.js");
+const dialect = getDialect();
+const configMap = {
+    sqlite: "drizzle.config.sqlite.ts",
+    mysql: "drizzle.config.mysql.ts",
+    postgresql: "drizzle.config.pg.ts",
+};
+const configFile = configMap[dialect];
+console.log(`Generating migrations for dialect: ${dialect}`);
+execSync(`npx drizzle-kit generate --config=${configFile}`, {
+    cwd: resolve(__dirname, ".."),
+    stdio: "inherit",
+});

package/dist/helpers.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Cross-dialect insert with returning.
+ * PostgreSQL and SQLite support .returning(), MySQL does not.
+ * All dialects generate UUID client-side for predictability.
+ */
+export declare function insertReturning<T>(db: any, table: any, values: Record<string, unknown>): Promise<T>;
+/**
+ * Cross-dialect update with returning.
+ */
+export declare function updateReturning<T>(db: any, table: any, where: any, values: Record<string, unknown>): Promise<T | null>;
+//# sourceMappingURL=helpers.d.ts.map

package/dist/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../src/helpers.ts"],"names":[],"mappings":"AAGA;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,CAAC,EACrC,EAAE,EAAE,GAAG,EACP,KAAK,EAAE,GAAG,EACV,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,OAAO,CAAC,CAAC,CAAC,CAaZ;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,CAAC,EACrC,EAAE,EAAE,GAAG,EACP,KAAK,EAAE,GAAG,EACV,KAAK,EAAE,GAAG,EACV,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAWnB"}

package/dist/helpers.js

@@ -0,0 +1,32 @@
+import { eq } from "drizzle-orm";
+import { getDialect } from "./dialect.js";
+/**
+ * Cross-dialect insert with returning.
+ * PostgreSQL and SQLite support .returning(), MySQL does not.
+ * All dialects generate UUID client-side for predictability.
+ */
+export async function insertReturning(db, table, values) {
+    const dialect = getDialect();
+    const id = crypto.randomUUID();
+    const row = { ...values, id };
+    if (dialect === "mysql") {
+        await db.insert(table).values(row);
+        const result = await db.select().from(table).where(eq(table.id, id)).limit(1);
+        return result[0];
+    }
+    const result = await db.insert(table).values(row).returning();
+    return result[0];
+}
+/**
+ * Cross-dialect update with returning.
+ */
+export async function updateReturning(db, table, where, values) {
+    const dialect = getDialect();
+    if (dialect === "mysql") {
+        await db.update(table).set(values).where(where);
+        const result = await db.select().from(table).where(where).limit(1);
+        return result[0] ?? null;
+    }
+    const result = await db.update(table).set(values).where(where).returning();
+    return result[0] ?? null;
+}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+export { db, type Database } from "./client.js";
+export { getDialect, type Dialect } from "./dialect.js";
+export * from "./schema/index.js";
+export { insertReturning, updateReturning } from "./helpers.js";
+export { agentQueries } from "./queries/agents.js";
+export { scannerQueries } from "./queries/scanners.js";
+export { policyQueries } from "./queries/policies.js";
+export { usageQueries } from "./queries/usage.js";
+export { detectionResultQueries } from "./queries/detection-results.js";
+export { settingsQueries } from "./queries/settings.js";
+export { observationQueries, inferCategory, inferAccessPattern } from "./queries/observations.js";
+export { authQueries } from "./queries/auth.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,KAAK,QAAQ,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,KAAK,OAAO,EAAE,MAAM,cAAc,CAAC;AACxD,cAAc,mBAAmB,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AACxE,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAClG,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/index.js

@@ -0,0 +1,12 @@
+export { db } from "./client.js";
+export { getDialect } from "./dialect.js";
+export * from "./schema/index.js";
+export { insertReturning, updateReturning } from "./helpers.js";
+export { agentQueries } from "./queries/agents.js";
+export { scannerQueries } from "./queries/scanners.js";
+export { policyQueries } from "./queries/policies.js";
+export { usageQueries } from "./queries/usage.js";
+export { detectionResultQueries } from "./queries/detection-results.js";
+export { settingsQueries } from "./queries/settings.js";
+export { observationQueries, inferCategory, inferAccessPattern } from "./queries/observations.js";
+export { authQueries } from "./queries/auth.js";

package/dist/migrate.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=migrate.d.ts.map

package/dist/migrate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"migrate.d.ts","sourceRoot":"","sources":["../src/migrate.ts"],"names":[],"mappings":""}

package/dist/migrate.js

@@ -0,0 +1,61 @@
+import { config } from "dotenv";
+import { resolve, dirname, join } from "path";
+import { fileURLToPath } from "url";
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+config({ path: resolve(__dirname, "../../../.env") });
+// Database path configuration:
+// - DASHBOARD_DATA_DIR: directory for data files (default: dashboard/data)
+// - DATABASE_URL: full path to SQLite file (overrides DASHBOARD_DATA_DIR for SQLite)
+function getDefaultDbPath() {
+    const dataDir = process.env.DASHBOARD_DATA_DIR || resolve(__dirname, "../../../data");
+    return join(dataDir, "dashboard.db");
+}
+async function runMigrations() {
+    const { getDialect } = await import("./dialect.js");
+    const dialect = getDialect();
+    console.log(`Running migrations for dialect: ${dialect}`);
+    if (dialect === "sqlite") {
+        const { default: Database } = await import("better-sqlite3");
+        const { drizzle } = await import("drizzle-orm/better-sqlite3");
+        const { migrate } = await import("drizzle-orm/better-sqlite3/migrator");
+        const { mkdirSync, existsSync } = await import("fs");
+        const { dirname } = await import("path");
+        const rawUrl = process.env.DATABASE_URL || getDefaultDbPath();
+        const dbPath = rawUrl.replace(/^file:/, "");
+        const dir = dirname(dbPath);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true });
+        const sqlite = new Database(dbPath);
+        sqlite.pragma("journal_mode = WAL");
+        const db = drizzle(sqlite);
+        migrate(db, { migrationsFolder: resolve(__dirname, "../drizzle/sqlite") });
+        console.log("SQLite migrations complete.");
+        sqlite.close();
+    }
+    else if (dialect === "mysql") {
+        const mysql2 = await import("mysql2/promise");
+        const { drizzle } = await import("drizzle-orm/mysql2");
+        const { migrate } = await import("drizzle-orm/mysql2/migrator");
+        const pool = mysql2.createPool(process.env.DATABASE_URL);
+        const db = drizzle(pool);
+        await migrate(db, { migrationsFolder: resolve(__dirname, "../drizzle/mysql") });
+        console.log("MySQL migrations complete.");
+        await pool.end();
+    }
+    else {
+        const pg = await import("postgres");
+        const { drizzle } = await import("drizzle-orm/postgres-js");
+        const { migrate } = await import("drizzle-orm/postgres-js/migrator");
+        const queryClient = pg.default(process.env.DATABASE_URL, { max: 1 });
+        const db = drizzle(queryClient);
+        await migrate(db, { migrationsFolder: resolve(__dirname, "../drizzle/postgresql") });
+        console.log("PostgreSQL migrations complete.");
+        await queryClient.end();
+    }
+    process.exit(0);
+}
+runMigrations().catch((err) => {
+    console.error("Migration failed:", err);
+    process.exit(1);
+});

package/dist/queries/agents.d.ts

@@ -0,0 +1,25 @@
+import type { Database } from "../client.js";
+export declare function agentQueries(db: Database): {
+    findById(id: string, tenantId?: string): Promise<any>;
+    findByName(name: string, tenantId?: string): Promise<any>;
+    findAll(tenantId?: string): Promise<any>;
+    countAll(tenantId?: string): Promise<any>;
+    create(data: {
+        name: string;
+        description?: string | null;
+        provider?: string;
+        metadata?: Record<string, unknown>;
+        tenantId?: string;
+    }): Promise<unknown>;
+    update(id: string, data: Partial<{
+        name: string;
+        description: string | null;
+        provider: string;
+        status: string;
+        lastSeenAt: Date | string;
+        metadata: Record<string, unknown>;
+    }>, tenantId?: string): Promise<unknown>;
+    delete(id: string, tenantId?: string): Promise<void>;
+    heartbeat(id: string, tenantId?: string): Promise<void>;
+};
+//# sourceMappingURL=agents.d.ts.map

package/dist/queries/agents.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agents.d.ts","sourceRoot":"","sources":["../../src/queries/agents.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAK7C,wBAAgB,YAAY,CAAC,EAAE,EAAE,QAAQ;iBAElB,MAAM,aAAY,MAAM;qBAKpB,MAAM,aAAY,MAAM;uBAKvB,MAAM;wBAIL,MAAM;iBAKZ;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;eASgB,MAAM,QAAQ,OAAO,CAAC;QACrC,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;QAC3B,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,IAAI,GAAG,MAAM,CAAC;QAC1B,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACnC,CAAC,aAAY,MAAM;eAOH,MAAM,aAAY,MAAM;kBAIrB,MAAM,aAAY,MAAM;EAO/C"}

package/dist/queries/agents.js

@@ -0,0 +1,46 @@
+import { eq, and, count } from "drizzle-orm";
+import { agents } from "../schema/index.js";
+import { insertReturning, updateReturning } from "../helpers.js";
+import { DEFAULT_TENANT_ID } from "@opentrust/shared";
+export function agentQueries(db) {
+    return {
+        async findById(id, tenantId = DEFAULT_TENANT_ID) {
+            const result = await db.select().from(agents).where(and(eq(agents.id, id), eq(agents.tenantId, tenantId))).limit(1);
+            return result[0] ?? null;
+        },
+        async findByName(name, tenantId = DEFAULT_TENANT_ID) {
+            const result = await db.select().from(agents).where(and(eq(agents.name, name), eq(agents.tenantId, tenantId))).limit(1);
+            return result[0] ?? null;
+        },
+        async findAll(tenantId = DEFAULT_TENANT_ID) {
+            return db.select().from(agents).where(eq(agents.tenantId, tenantId)).orderBy(agents.createdAt);
+        },
+        async countAll(tenantId = DEFAULT_TENANT_ID) {
+            const result = await db.select({ count: count() }).from(agents).where(eq(agents.tenantId, tenantId));
+            return result[0]?.count ?? 0;
+        },
+        async create(data) {
+            return insertReturning(db, agents, {
+                ...data,
+                provider: data.provider ?? "custom",
+                metadata: data.metadata ?? {},
+                tenantId: data.tenantId ?? DEFAULT_TENANT_ID,
+            });
+        },
+        async update(id, data, tenantId = DEFAULT_TENANT_ID) {
+            return updateReturning(db, agents, and(eq(agents.id, id), eq(agents.tenantId, tenantId)), {
+                ...data,
+                updatedAt: new Date().toISOString(),
+            });
+        },
+        async delete(id, tenantId = DEFAULT_TENANT_ID) {
+            await db.delete(agents).where(and(eq(agents.id, id), eq(agents.tenantId, tenantId)));
+        },
+        async heartbeat(id, tenantId = DEFAULT_TENANT_ID) {
+            await db
+                .update(agents)
+                .set({ status: "active", lastSeenAt: new Date().toISOString(), updatedAt: new Date().toISOString() })
+                .where(and(eq(agents.id, id), eq(agents.tenantId, tenantId)));
+        },
+    };
+}

package/dist/queries/auth.d.ts

@@ -0,0 +1,18 @@
+import type { Database } from "../client.js";
+import { magicLinks, userSessions } from "../schema/index.js";
+export declare function authQueries(db: Database): {
+    createMagicLink(email: string, token: string, expiresAt: string): any;
+    /** Returns the magic link only if valid (not used, not expired) */
+    findValidMagicLink(token: string): typeof magicLinks.$inferSelect | undefined;
+    /** Fetch by token regardless of status (for validation logic in route) */
+    findMagicLink(token: string): typeof magicLinks.$inferSelect | undefined;
+    markMagicLinkUsed(id: string): any;
+    /** Delete expired and used magic links (housekeeping) */
+    pruneExpiredMagicLinks(): any;
+    createSession(email: string, token: string, expiresAt: string): any;
+    findSession(token: string): typeof userSessions.$inferSelect | undefined;
+    deleteSession(token: string): any;
+    /** Delete expired sessions (housekeeping) */
+    pruneExpiredSessions(): any;
+};
+//# sourceMappingURL=auth.d.ts.map

package/dist/queries/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/queries/auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAE9D,wBAAgB,WAAW,CAAC,EAAE,EAAE,QAAQ;2BAIb,MAAM,SAAS,MAAM,aAAa,MAAM;IAQ/D,mEAAmE;8BACzC,MAAM,GAalB,OAAO,UAAU,CAAC,YAAY,GAAG,SAAS;IAGxD,0EAA0E;yBACrD,MAAM,GAKb,OAAO,UAAU,CAAC,YAAY,GAAG,SAAS;0BAGlC,MAAM;IAQ5B,yDAAyD;;yBAWpC,MAAM,SAAS,MAAM,aAAa,MAAM;uBAQ1C,MAAM,GAKX,OAAO,YAAY,CAAC,YAAY,GAAG,SAAS;yBAGrC,MAAM;IAO3B,6CAA6C;;EAShD"}

package/dist/queries/auth.js

@@ -0,0 +1,77 @@
+import { eq, lt, and, isNull } from "drizzle-orm";
+import { magicLinks, userSessions } from "../schema/index.js";
+export function authQueries(db) {
+    return {
+        // ── Magic Links ──────────────────────────────────────────────
+        createMagicLink(email, token, expiresAt) {
+            return db
+                .insert(magicLinks)
+                .values({ email, token, expiresAt })
+                .returning()
+                .get();
+        },
+        /** Returns the magic link only if valid (not used, not expired) */
+        findValidMagicLink(token) {
+            const now = new Date().toISOString();
+            return db
+                .select()
+                .from(magicLinks)
+                .where(and(eq(magicLinks.token, token), isNull(magicLinks.usedAt), 
+            // expiresAt > now (string comparison works for ISO 8601)
+            lt(magicLinks.createdAt, magicLinks.expiresAt)))
+                .get();
+        },
+        /** Fetch by token regardless of status (for validation logic in route) */
+        findMagicLink(token) {
+            return db
+                .select()
+                .from(magicLinks)
+                .where(eq(magicLinks.token, token))
+                .get();
+        },
+        markMagicLinkUsed(id) {
+            return db
+                .update(magicLinks)
+                .set({ usedAt: new Date().toISOString() })
+                .where(eq(magicLinks.id, id))
+                .run();
+        },
+        /** Delete expired and used magic links (housekeeping) */
+        pruneExpiredMagicLinks() {
+            const now = new Date().toISOString();
+            return db
+                .delete(magicLinks)
+                .where(lt(magicLinks.expiresAt, now))
+                .run();
+        },
+        // ── User Sessions ────────────────────────────────────────────
+        createSession(email, token, expiresAt) {
+            return db
+                .insert(userSessions)
+                .values({ email, token, expiresAt })
+                .returning()
+                .get();
+        },
+        findSession(token) {
+            return db
+                .select()
+                .from(userSessions)
+                .where(eq(userSessions.token, token))
+                .get();
+        },
+        deleteSession(token) {
+            return db
+                .delete(userSessions)
+                .where(eq(userSessions.token, token))
+                .run();
+        },
+        /** Delete expired sessions (housekeeping) */
+        pruneExpiredSessions() {
+            const now = new Date().toISOString();
+            return db
+                .delete(userSessions)
+                .where(lt(userSessions.expiresAt, now))
+                .run();
+        },
+    };
+}

package/dist/queries/detection-results.d.ts

@@ -0,0 +1,24 @@
+import type { Database } from "../client.js";
+export declare function detectionResultQueries(db: Database): {
+    create(data: {
+        agentId?: string | null;
+        safe: boolean;
+        categories: string[];
+        sensitivityScore: number;
+        findings: unknown[];
+        latencyMs: number;
+        requestId: string;
+        tenantId?: string;
+    }): Promise<void>;
+    findAll(options?: {
+        limit?: number;
+        offset?: number;
+        tenantId?: string;
+    }): Promise<any>;
+    findByAgentId(agentId: string, options?: {
+        limit?: number;
+        offset?: number;
+        tenantId?: string;
+    }): Promise<any>;
+};
+//# sourceMappingURL=detection-results.d.ts.map

package/dist/queries/detection-results.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"detection-results.d.ts","sourceRoot":"","sources":["../../src/queries/detection-results.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAI7C,wBAAgB,sBAAsB,CAAC,EAAE,EAAE,QAAQ;iBAE5B;QACjB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,IAAI,EAAE,OAAO,CAAC;QACd,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,gBAAgB,EAAE,MAAM,CAAC;QACzB,QAAQ,EAAE,OAAO,EAAE,CAAC;QACpB,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;sBAOuB;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE;2BAiBjD,MAAM,YAAY;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE;EAiBxG"}

package/dist/queries/detection-results.js

@@ -0,0 +1,43 @@
+import { eq, and, desc } from "drizzle-orm";
+import { detectionResults } from "../schema/index.js";
+import { DEFAULT_TENANT_ID } from "@opentrust/shared";
+export function detectionResultQueries(db) {
+    return {
+        async create(data) {
+            await db.insert(detectionResults).values({
+                ...data,
+                tenantId: data.tenantId ?? DEFAULT_TENANT_ID,
+            });
+        },
+        async findAll(options) {
+            const tenantId = options?.tenantId ?? DEFAULT_TENANT_ID;
+            let query = db
+                .select()
+                .from(detectionResults)
+                .where(eq(detectionResults.tenantId, tenantId))
+                .orderBy(desc(detectionResults.createdAt));
+            if (options?.limit) {
+                query = query.limit(options.limit);
+            }
+            if (options?.offset) {
+                query = query.offset(options.offset);
+            }
+            return query;
+        },
+        async findByAgentId(agentId, options) {
+            const tenantId = options?.tenantId ?? DEFAULT_TENANT_ID;
+            let query = db
+                .select()
+                .from(detectionResults)
+                .where(and(eq(detectionResults.agentId, agentId), eq(detectionResults.tenantId, tenantId)))
+                .orderBy(desc(detectionResults.createdAt));
+            if (options?.limit) {
+                query = query.limit(options.limit);
+            }
+            if (options?.offset) {
+                query = query.offset(options.offset);
+            }
+            return query;
+        },
+    };
+}

package/dist/queries/observations.d.ts

@@ -0,0 +1,58 @@
+import type { Database } from "../client.js";
+export declare function inferCategory(toolName: string): string;
+export declare function inferAccessPattern(toolName: string): "read" | "write" | "admin" | "unknown";
+export declare function observationQueries(db: Database): {
+    /**
+     * Record a tool call observation.
+     */
+    record(data: {
+        agentId: string;
+        sessionKey?: string;
+        toolName: string;
+        params?: Record<string, unknown>;
+        phase: "before" | "after";
+        result?: unknown;
+        error?: string;
+        durationMs?: number;
+        blocked?: boolean;
+        blockReason?: string;
+        tenantId?: string;
+    }): Promise<void>;
+    /**
+     * Upsert an agent permission entry based on observed tool call.
+     */
+    upsertPermission(data: {
+        agentId: string;
+        toolName: string;
+        category: string;
+        accessPattern: string;
+        params?: Record<string, unknown>;
+        hasError: boolean;
+        tenantId: string;
+    }): Promise<void>;
+    /**
+     * Get recent observations, optionally filtered by agentId.
+     */
+    findRecent(opts?: {
+        agentId?: string;
+        limit?: number;
+        tenantId?: string;
+    }): Promise<any>;
+    /**
+     * Get the aggregated permission profile for an agent.
+     */
+    getPermissions(agentId: string, tenantId?: string): Promise<any>;
+    /**
+     * Get permissions for all agents (overview).
+     */
+    getAllPermissions(tenantId?: string): Promise<any>;
+    /**
+     * Find first-seen tool calls (anomalies) — permissions with callCount = 1.
+     */
+    findAnomalies(tenantId?: string, limit?: number): Promise<any>;
+    /**
+     * Get observation count summary per agent.
+     */
+    summary(tenantId?: string): Promise<any>;
+};
+//# sourceMappingURL=observations.d.ts.map

package/dist/queries/observations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"observations.d.ts","sourceRoot":"","sources":["../../src/queries/observations.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAU7C,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAkBtD;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,SAAS,CAiB3F;AAID,wBAAgB,kBAAkB,CAAC,EAAE,EAAE,QAAQ;IAE3C;;OAEG;iBACgB;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACjC,KAAK,EAAE,QAAQ,GAAG,OAAO,CAAC;QAC1B,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;IAmCD;;OAEG;2BAC0B;QAC3B,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,aAAa,EAAE,MAAM,CAAC;QACtB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACjC,QAAQ,EAAE,OAAO,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;KAClB;IAgDD;;OAEG;sBACoB;QACrB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;IAiBD;;OAEG;4BAC2B,MAAM,aAAY,MAAM;IAatD;;OAEG;iCAC+B,MAAM;IAQxC;;OAEG;6BAC2B,MAAM,UAA6B,MAAM;IAcvE;;OAEG;uBACqB,MAAM;EAajC"}