@opentrust/db 7.1.0

package/drizzle/sqlite/meta/_journal.json

@@ -0,0 +1,13 @@
+{
+  "version": "7",
+  "dialect": "sqlite",
+  "entries": [
+    {
+      "idx": 0,
+      "version": "6",
+      "when": 1772680703827,
+      "tag": "0000_serious_martin_li",
+      "breakpoints": true
+    }
+  ]
+}

package/drizzle.config.mysql.ts

@@ -0,0 +1,10 @@
+import { defineConfig } from "drizzle-kit";
+
+export default defineConfig({
+  schema: "./src/schema/mysql.ts",
+  out: "./drizzle/mysql",
+  dialect: "mysql",
+  dbCredentials: {
+    url: process.env.DATABASE_URL!,
+  },
+});

package/drizzle.config.pg.ts

@@ -0,0 +1,10 @@
+import { defineConfig } from "drizzle-kit";
+
+export default defineConfig({
+  schema: "./src/schema/pg.ts",
+  out: "./drizzle/postgresql",
+  dialect: "postgresql",
+  dbCredentials: {
+    url: process.env.DATABASE_URL!,
+  },
+});

package/drizzle.config.sqlite.ts

@@ -0,0 +1,10 @@
+import { defineConfig } from "drizzle-kit";
+
+export default defineConfig({
+  schema: "./src/schema/sqlite.ts",
+  out: "./drizzle/sqlite",
+  dialect: "sqlite",
+  dbCredentials: {
+    url: process.env.DATABASE_URL || "file:./data/opentrust.db",
+  },
+});

package/package.json

@@ -0,0 +1,55 @@
+{
+  "name": "@opentrust/db",
+  "version": "7.1.0",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "description": "Database layer for OpenTrust Dashboard — Drizzle ORM with SQLite/PostgreSQL/MySQL",
+  "bin": {
+    "opentrust-db-migrate": "./dist/migrate.js",
+    "opentrust-db-seed": "./dist/seed.js"
+  },
+  "files": [
+    "dist",
+    "drizzle",
+    "src",
+    "drizzle.config.*.ts"
+  ],
+  "dependencies": {
+    "better-sqlite3": "^11.0.0",
+    "dotenv": "^17.3.1",
+    "drizzle-orm": "^0.36.0",
+    "@opentrust/shared": "7.1.0"
+  },
+  "optionalDependencies": {
+    "mysql2": "^3.11.0",
+    "postgres": "^3.4.0"
+  },
+  "devDependencies": {
+    "@types/better-sqlite3": "^7.6.0",
+    "@types/node": "^22.0.0",
+    "drizzle-kit": "^0.30.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/opentrust/opentrust.git",
+    "directory": "dashboard/packages/db"
+  },
+  "author": "OpenTrust",
+  "license": "Apache-2.0",
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "db:generate": "tsx src/generate.ts",
+    "db:generate:sqlite": "drizzle-kit generate --config=drizzle.config.sqlite.ts",
+    "db:generate:mysql": "drizzle-kit generate --config=drizzle.config.mysql.ts",
+    "db:generate:pg": "drizzle-kit generate --config=drizzle.config.pg.ts",
+    "db:migrate": "tsx src/migrate.ts",
+    "db:seed": "tsx src/seed.ts"
+  }
+}

package/src/client.ts

@@ -0,0 +1,66 @@
+import { config } from "dotenv";
+import { resolve, dirname, join } from "path";
+import { mkdirSync, existsSync } from "fs";
+import { fileURLToPath } from "url";
+import { getDialect } from "./dialect.js";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+// Load .env from project root if DATABASE_URL is not already set
+if (!process.env.DATABASE_URL && !process.env.DB_DIALECT) {
+  config({ path: resolve(__dirname, "../../../.env") });
+}
+
+const dialect = getDialect();
+
+// Database path configuration:
+// - DASHBOARD_DATA_DIR: directory for data files (default: dashboard/data)
+// - DATABASE_URL: full path to SQLite file (overrides DASHBOARD_DATA_DIR for SQLite)
+function getDefaultDbPath(): string {
+  const dataDir = process.env.DASHBOARD_DATA_DIR || resolve(__dirname, "../../../data");
+  return join(dataDir, "dashboard.db");
+}
+
+async function createDb() {
+  if (dialect === "sqlite") {
+    const { default: Database } = await import("better-sqlite3");
+    const { drizzle } = await import("drizzle-orm/better-sqlite3");
+    const schema = await import("./schema/sqlite.js");
+
+    const rawUrl = process.env.DATABASE_URL || getDefaultDbPath();
+    const dbPath = rawUrl.replace(/^file:/, "");
+
+    // Ensure directory exists
+    const dir = dirname(dbPath);
+    if (!existsSync(dir)) {
+      mkdirSync(dir, { recursive: true });
+    }
+
+    const sqlite = new Database(dbPath);
+    sqlite.pragma("journal_mode = WAL");
+    sqlite.pragma("foreign_keys = ON");
+
+    return drizzle(sqlite, { schema });
+  }
+
+  if (dialect === "mysql") {
+    const mysql2 = await import("mysql2/promise");
+    const { drizzle } = await import("drizzle-orm/mysql2");
+    const schema = await import("./schema/mysql.js");
+
+    const pool = mysql2.createPool(process.env.DATABASE_URL!);
+    return drizzle(pool, { schema, mode: "default" });
+  }
+
+  // postgresql (default)
+  const pg = await import("postgres");
+  const { drizzle } = await import("drizzle-orm/postgres-js");
+  const schema = await import("./schema/pg.js");
+
+  const queryClient = pg.default(process.env.DATABASE_URL!);
+  return drizzle(queryClient, { schema });
+}
+
+export const db: any = await createDb();
+export type Database = any;

package/src/dialect.ts

@@ -0,0 +1,13 @@
+export type Dialect = "sqlite" | "mysql" | "postgresql";
+
+export function getDialect(): Dialect {
+  const explicit = process.env.DB_DIALECT;
+  if (explicit === "sqlite" || explicit === "mysql" || explicit === "postgresql") {
+    return explicit;
+  }
+
+  const url = process.env.DATABASE_URL || "";
+  if (url.startsWith("mysql://") || url.startsWith("mysql2://")) return "mysql";
+  if (url.startsWith("postgres://") || url.startsWith("postgresql://")) return "postgresql";
+  return "sqlite";
+}

package/src/generate.ts

@@ -0,0 +1,26 @@
+import { config } from "dotenv";
+import { resolve, dirname } from "path";
+import { fileURLToPath } from "url";
+import { execSync } from "child_process";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+config({ path: resolve(__dirname, "../../../.env") });
+
+const { getDialect } = await import("./dialect.js");
+const dialect = getDialect();
+
+const configMap: Record<string, string> = {
+  sqlite: "drizzle.config.sqlite.ts",
+  mysql: "drizzle.config.mysql.ts",
+  postgresql: "drizzle.config.pg.ts",
+};
+
+const configFile = configMap[dialect];
+console.log(`Generating migrations for dialect: ${dialect}`);
+
+execSync(`npx drizzle-kit generate --config=${configFile}`, {
+  cwd: resolve(__dirname, ".."),
+  stdio: "inherit",
+});

package/src/helpers.ts

@@ -0,0 +1,47 @@
+import { eq } from "drizzle-orm";
+import { getDialect } from "./dialect.js";
+
+/**
+ * Cross-dialect insert with returning.
+ * PostgreSQL and SQLite support .returning(), MySQL does not.
+ * All dialects generate UUID client-side for predictability.
+ */
+export async function insertReturning<T>(
+  db: any,
+  table: any,
+  values: Record<string, unknown>
+): Promise<T> {
+  const dialect = getDialect();
+  const id = crypto.randomUUID();
+  const row = { ...values, id };
+
+  if (dialect === "mysql") {
+    await db.insert(table).values(row);
+    const result = await db.select().from(table).where(eq(table.id, id)).limit(1);
+    return result[0] as T;
+  }
+
+  const result = await db.insert(table).values(row).returning();
+  return result[0] as T;
+}
+
+/**
+ * Cross-dialect update with returning.
+ */
+export async function updateReturning<T>(
+  db: any,
+  table: any,
+  where: any,
+  values: Record<string, unknown>
+): Promise<T | null> {
+  const dialect = getDialect();
+
+  if (dialect === "mysql") {
+    await db.update(table).set(values).where(where);
+    const result = await db.select().from(table).where(where).limit(1);
+    return (result[0] as T) ?? null;
+  }
+
+  const result = await db.update(table).set(values).where(where).returning();
+  return (result[0] as T) ?? null;
+}

package/src/index.ts

@@ -0,0 +1,12 @@
+export { db, type Database } from "./client.js";
+export { getDialect, type Dialect } from "./dialect.js";
+export * from "./schema/index.js";
+export { insertReturning, updateReturning } from "./helpers.js";
+export { agentQueries } from "./queries/agents.js";
+export { scannerQueries } from "./queries/scanners.js";
+export { policyQueries } from "./queries/policies.js";
+export { usageQueries } from "./queries/usage.js";
+export { detectionResultQueries } from "./queries/detection-results.js";
+export { settingsQueries } from "./queries/settings.js";
+export { observationQueries, inferCategory, inferAccessPattern } from "./queries/observations.js";
+export { authQueries } from "./queries/auth.js";

package/src/migrate.ts

@@ -0,0 +1,74 @@
+import { config } from "dotenv";
+import { resolve, dirname, join } from "path";
+import { fileURLToPath } from "url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+config({ path: resolve(__dirname, "../../../.env") });
+
+// Database path configuration:
+// - DASHBOARD_DATA_DIR: directory for data files (default: dashboard/data)
+// - DATABASE_URL: full path to SQLite file (overrides DASHBOARD_DATA_DIR for SQLite)
+function getDefaultDbPath(): string {
+  const dataDir = process.env.DASHBOARD_DATA_DIR || resolve(__dirname, "../../../data");
+  return join(dataDir, "dashboard.db");
+}
+
+async function runMigrations() {
+  const { getDialect } = await import("./dialect.js");
+  const dialect = getDialect();
+
+  console.log(`Running migrations for dialect: ${dialect}`);
+
+  if (dialect === "sqlite") {
+    const { default: Database } = await import("better-sqlite3");
+    const { drizzle } = await import("drizzle-orm/better-sqlite3");
+    const { migrate } = await import("drizzle-orm/better-sqlite3/migrator");
+    const { mkdirSync, existsSync } = await import("fs");
+    const { dirname } = await import("path");
+
+    const rawUrl = process.env.DATABASE_URL || getDefaultDbPath();
+    const dbPath = rawUrl.replace(/^file:/, "");
+
+    const dir = dirname(dbPath);
+    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+
+    const sqlite = new Database(dbPath);
+    sqlite.pragma("journal_mode = WAL");
+    const db = drizzle(sqlite);
+
+    migrate(db, { migrationsFolder: resolve(__dirname, "../drizzle/sqlite") });
+    console.log("SQLite migrations complete.");
+    sqlite.close();
+  } else if (dialect === "mysql") {
+    const mysql2 = await import("mysql2/promise");
+    const { drizzle } = await import("drizzle-orm/mysql2");
+    const { migrate } = await import("drizzle-orm/mysql2/migrator");
+
+    const pool = mysql2.createPool(process.env.DATABASE_URL!);
+    const db = drizzle(pool);
+
+    await migrate(db, { migrationsFolder: resolve(__dirname, "../drizzle/mysql") });
+    console.log("MySQL migrations complete.");
+    await pool.end();
+  } else {
+    const pg = await import("postgres");
+    const { drizzle } = await import("drizzle-orm/postgres-js");
+    const { migrate } = await import("drizzle-orm/postgres-js/migrator");
+
+    const queryClient = pg.default(process.env.DATABASE_URL!, { max: 1 });
+    const db = drizzle(queryClient);
+
+    await migrate(db, { migrationsFolder: resolve(__dirname, "../drizzle/postgresql") });
+    console.log("PostgreSQL migrations complete.");
+    await queryClient.end();
+  }
+
+  process.exit(0);
+}
+
+runMigrations().catch((err) => {
+  console.error("Migration failed:", err);
+  process.exit(1);
+});

package/src/queries/agents.ts

@@ -0,0 +1,68 @@
+import { eq, and, count } from "drizzle-orm";
+import type { Database } from "../client.js";
+import { agents } from "../schema/index.js";
+import { insertReturning, updateReturning } from "../helpers.js";
+import { DEFAULT_TENANT_ID } from "@opentrust/shared";
+
+export function agentQueries(db: Database) {
+  return {
+    async findById(id: string, tenantId: string = DEFAULT_TENANT_ID) {
+      const result = await db.select().from(agents).where(and(eq(agents.id, id), eq(agents.tenantId, tenantId))).limit(1);
+      return result[0] ?? null;
+    },
+
+    async findByName(name: string, tenantId: string = DEFAULT_TENANT_ID) {
+      const result = await db.select().from(agents).where(and(eq(agents.name, name), eq(agents.tenantId, tenantId))).limit(1);
+      return result[0] ?? null;
+    },
+
+    async findAll(tenantId: string = DEFAULT_TENANT_ID) {
+      return db.select().from(agents).where(eq(agents.tenantId, tenantId)).orderBy(agents.createdAt);
+    },
+
+    async countAll(tenantId: string = DEFAULT_TENANT_ID) {
+      const result = await db.select({ count: count() }).from(agents).where(eq(agents.tenantId, tenantId));
+      return result[0]?.count ?? 0;
+    },
+
+    async create(data: {
+      name: string;
+      description?: string | null;
+      provider?: string;
+      metadata?: Record<string, unknown>;
+      tenantId?: string;
+    }) {
+      return insertReturning(db, agents, {
+        ...data,
+        provider: data.provider ?? "custom",
+        metadata: data.metadata ?? {},
+        tenantId: data.tenantId ?? DEFAULT_TENANT_ID,
+      });
+    },
+
+    async update(id: string, data: Partial<{
+      name: string;
+      description: string | null;
+      provider: string;
+      status: string;
+      lastSeenAt: Date | string;
+      metadata: Record<string, unknown>;
+    }>, tenantId: string = DEFAULT_TENANT_ID) {
+      return updateReturning(db, agents, and(eq(agents.id, id), eq(agents.tenantId, tenantId)), {
+        ...data,
+        updatedAt: new Date().toISOString(),
+      });
+    },
+
+    async delete(id: string, tenantId: string = DEFAULT_TENANT_ID) {
+      await db.delete(agents).where(and(eq(agents.id, id), eq(agents.tenantId, tenantId)));
+    },
+
+    async heartbeat(id: string, tenantId: string = DEFAULT_TENANT_ID) {
+      await db
+        .update(agents)
+        .set({ status: "active", lastSeenAt: new Date().toISOString(), updatedAt: new Date().toISOString() })
+        .where(and(eq(agents.id, id), eq(agents.tenantId, tenantId)));
+    },
+  };
+}

package/src/queries/auth.ts

@@ -0,0 +1,94 @@
+import { eq, lt, and, isNull } from "drizzle-orm";
+import type { Database } from "../client.js";
+import { magicLinks, userSessions } from "../schema/index.js";
+
+export function authQueries(db: Database) {
+  return {
+    // ── Magic Links ──────────────────────────────────────────────
+
+    createMagicLink(email: string, token: string, expiresAt: string) {
+      return db
+        .insert(magicLinks)
+        .values({ email, token, expiresAt })
+        .returning()
+        .get();
+    },
+
+    /** Returns the magic link only if valid (not used, not expired) */
+    findValidMagicLink(token: string) {
+      const now = new Date().toISOString();
+      return db
+        .select()
+        .from(magicLinks)
+        .where(
+          and(
+            eq(magicLinks.token, token),
+            isNull(magicLinks.usedAt),
+            // expiresAt > now (string comparison works for ISO 8601)
+            lt(magicLinks.createdAt, magicLinks.expiresAt), // always true, just for type
+          ),
+        )
+        .get() as typeof magicLinks.$inferSelect | undefined;
+    },
+
+    /** Fetch by token regardless of status (for validation logic in route) */
+    findMagicLink(token: string) {
+      return db
+        .select()
+        .from(magicLinks)
+        .where(eq(magicLinks.token, token))
+        .get() as typeof magicLinks.$inferSelect | undefined;
+    },
+
+    markMagicLinkUsed(id: string) {
+      return db
+        .update(magicLinks)
+        .set({ usedAt: new Date().toISOString() })
+        .where(eq(magicLinks.id, id))
+        .run();
+    },
+
+    /** Delete expired and used magic links (housekeeping) */
+    pruneExpiredMagicLinks() {
+      const now = new Date().toISOString();
+      return db
+        .delete(magicLinks)
+        .where(lt(magicLinks.expiresAt, now))
+        .run();
+    },
+
+    // ── User Sessions ────────────────────────────────────────────
+
+    createSession(email: string, token: string, expiresAt: string) {
+      return db
+        .insert(userSessions)
+        .values({ email, token, expiresAt })
+        .returning()
+        .get();
+    },
+
+    findSession(token: string) {
+      return db
+        .select()
+        .from(userSessions)
+        .where(eq(userSessions.token, token))
+        .get() as typeof userSessions.$inferSelect | undefined;
+    },
+
+    deleteSession(token: string) {
+      return db
+        .delete(userSessions)
+        .where(eq(userSessions.token, token))
+        .run();
+    },
+
+    /** Delete expired sessions (housekeeping) */
+    pruneExpiredSessions() {
+      const now = new Date().toISOString();
+      return db
+        .delete(userSessions)
+        .where(lt(userSessions.expiresAt, now))
+        .run();
+    },
+  };
+}

package/src/queries/detection-results.ts

@@ -0,0 +1,58 @@
+import { eq, and, desc } from "drizzle-orm";
+import type { Database } from "../client.js";
+import { detectionResults } from "../schema/index.js";
+import { DEFAULT_TENANT_ID } from "@opentrust/shared";
+
+export function detectionResultQueries(db: Database) {
+  return {
+    async create(data: {
+      agentId?: string | null;
+      safe: boolean;
+      categories: string[];
+      sensitivityScore: number;
+      findings: unknown[];
+      latencyMs: number;
+      requestId: string;
+      tenantId?: string;
+    }) {
+      await db.insert(detectionResults).values({
+        ...data,
+        tenantId: data.tenantId ?? DEFAULT_TENANT_ID,
+      });
+    },
+
+    async findAll(options?: { limit?: number; offset?: number; tenantId?: string }) {
+      const tenantId = options?.tenantId ?? DEFAULT_TENANT_ID;
+      let query = db
+        .select()
+        .from(detectionResults)
+        .where(eq(detectionResults.tenantId, tenantId))
+        .orderBy(desc(detectionResults.createdAt));
+
+      if (options?.limit) {
+        query = query.limit(options.limit) as typeof query;
+      }
+      if (options?.offset) {
+        query = query.offset(options.offset) as typeof query;
+      }
+      return query;
+    },
+
+    async findByAgentId(agentId: string, options?: { limit?: number; offset?: number; tenantId?: string }) {
+      const tenantId = options?.tenantId ?? DEFAULT_TENANT_ID;
+      let query = db
+        .select()
+        .from(detectionResults)
+        .where(and(eq(detectionResults.agentId, agentId), eq(detectionResults.tenantId, tenantId)))
+        .orderBy(desc(detectionResults.createdAt));
+
+      if (options?.limit) {
+        query = query.limit(options.limit) as typeof query;
+      }
+      if (options?.offset) {
+        query = query.offset(options.offset) as typeof query;
+      }
+      return query;
+    },
+  };
+}