@opentrust/db 7.1.0

package/src/queries/observations.ts

@@ -0,0 +1,275 @@
+import { eq, and, desc, count, sql } from "drizzle-orm";
+import type { Database } from "../client.js";
+import { toolCallObservations, agentPermissions } from "../schema/index.js";
+import { DEFAULT_TENANT_ID } from "@opentrust/shared";
+
+// ─── Tool name → category / access pattern inference ────────────
+
+const ACCESS_READ_PREFIXES = ["list", "get", "search", "read", "fetch", "find", "query", "check", "view"];
+const ACCESS_WRITE_PREFIXES = ["create", "send", "write", "update", "edit", "post", "put", "add", "set"];
+const ACCESS_ADMIN_PREFIXES = ["delete", "remove", "execute", "run", "admin", "destroy", "revoke", "drop"];
+
+export function inferCategory(toolName: string): string {
+  // "github_create_issue" → "github"
+  // "slack_send_message" → "slack"
+  // "read_file" → "filesystem"
+  const lower = toolName.toLowerCase();
+
+  if (lower.startsWith("read_file") || lower.startsWith("write_file") || lower.startsWith("list_dir")) {
+    return "filesystem";
+  }
+  if (lower.startsWith("execute_command") || lower.startsWith("run_command") || lower === "bash") {
+    return "shell";
+  }
+
+  const underscoreIdx = lower.indexOf("_");
+  if (underscoreIdx > 0) {
+    return lower.slice(0, underscoreIdx);
+  }
+  return lower;
+}
+
+export function inferAccessPattern(toolName: string): "read" | "write" | "admin" | "unknown" {
+  const lower = toolName.toLowerCase();
+
+  // Strip category prefix: "github_create_issue" → "create_issue"
+  const underscoreIdx = lower.indexOf("_");
+  const action = underscoreIdx > 0 ? lower.slice(underscoreIdx + 1) : lower;
+
+  for (const prefix of ACCESS_ADMIN_PREFIXES) {
+    if (action.startsWith(prefix)) return "admin";
+  }
+  for (const prefix of ACCESS_WRITE_PREFIXES) {
+    if (action.startsWith(prefix)) return "write";
+  }
+  for (const prefix of ACCESS_READ_PREFIXES) {
+    if (action.startsWith(prefix)) return "read";
+  }
+  return "unknown";
+}
+
+// ─── Query Functions ────────────────────────────────────────────
+
+export function observationQueries(db: Database) {
+  return {
+    /**
+     * Record a tool call observation.
+     */
+    async record(data: {
+      agentId: string;
+      sessionKey?: string;
+      toolName: string;
+      params?: Record<string, unknown>;
+      phase: "before" | "after";
+      result?: unknown;
+      error?: string;
+      durationMs?: number;
+      blocked?: boolean;
+      blockReason?: string;
+      tenantId?: string;
+    }) {
+      const category = inferCategory(data.toolName);
+      const accessPattern = inferAccessPattern(data.toolName);
+      const tenantId = data.tenantId ?? DEFAULT_TENANT_ID;
+
+      await db.insert(toolCallObservations).values({
+        agentId: data.agentId,
+        sessionKey: data.sessionKey ?? null,
+        toolName: data.toolName,
+        category,
+        accessPattern,
+        paramsJson: data.params ?? null,
+        phase: data.phase,
+        resultJson: data.result ?? null,
+        error: data.error ?? null,
+        durationMs: data.durationMs ?? null,
+        blocked: data.blocked ?? false,
+        blockReason: data.blockReason ?? null,
+        tenantId,
+      });
+
+      // Upsert permission on "after" phase (or "before" if blocked)
+      if (data.phase === "after" || data.blocked) {
+        await this.upsertPermission({
+          agentId: data.agentId,
+          toolName: data.toolName,
+          category,
+          accessPattern,
+          params: data.params,
+          hasError: !!data.error,
+          tenantId,
+        });
+      }
+    },
+
+    /**
+     * Upsert an agent permission entry based on observed tool call.
+     */
+    async upsertPermission(data: {
+      agentId: string;
+      toolName: string;
+      category: string;
+      accessPattern: string;
+      params?: Record<string, unknown>;
+      hasError: boolean;
+      tenantId: string;
+    }) {
+      const now = new Date().toISOString();
+
+      // Check if permission already exists
+      const existing = await db
+        .select()
+        .from(agentPermissions)
+        .where(
+          and(
+            eq(agentPermissions.tenantId, data.tenantId),
+            eq(agentPermissions.agentId, data.agentId),
+            eq(agentPermissions.toolName, data.toolName),
+          ),
+        )
+        .limit(1);
+
+      if (existing.length > 0) {
+        const perm = existing[0]!;
+        const targets = (perm.targetsJson as string[]) || [];
+        const newTargets = extractTargets(data.params);
+        const mergedTargets = mergeTargets(targets, newTargets);
+
+        await db
+          .update(agentPermissions)
+          .set({
+            callCount: (perm.callCount ?? 0) + 1,
+            errorCount: (perm.errorCount ?? 0) + (data.hasError ? 1 : 0),
+            lastSeen: now,
+            targetsJson: mergedTargets,
+          })
+          .where(eq(agentPermissions.id, perm.id));
+      } else {
+        const targets = extractTargets(data.params);
+        await db.insert(agentPermissions).values({
+          tenantId: data.tenantId,
+          agentId: data.agentId,
+          toolName: data.toolName,
+          category: data.category,
+          accessPattern: data.accessPattern,
+          targetsJson: targets,
+          callCount: 1,
+          errorCount: data.hasError ? 1 : 0,
+          firstSeen: now,
+          lastSeen: now,
+        });
+      }
+    },
+
+    /**
+     * Get recent observations, optionally filtered by agentId.
+     */
+    async findRecent(opts: {
+      agentId?: string;
+      limit?: number;
+      tenantId?: string;
+    } = {}) {
+      const tenantId = opts.tenantId ?? DEFAULT_TENANT_ID;
+      const limit = opts.limit ?? 50;
+
+      const conditions = [eq(toolCallObservations.tenantId, tenantId)];
+      if (opts.agentId) {
+        conditions.push(eq(toolCallObservations.agentId, opts.agentId));
+      }
+
+      return db
+        .select()
+        .from(toolCallObservations)
+        .where(and(...conditions))
+        .orderBy(desc(toolCallObservations.timestamp))
+        .limit(limit);
+    },
+
+    /**
+     * Get the aggregated permission profile for an agent.
+     */
+    async getPermissions(agentId: string, tenantId: string = DEFAULT_TENANT_ID) {
+      return db
+        .select()
+        .from(agentPermissions)
+        .where(
+          and(
+            eq(agentPermissions.tenantId, tenantId),
+            eq(agentPermissions.agentId, agentId),
+          ),
+        )
+        .orderBy(desc(agentPermissions.callCount));
+    },
+
+    /**
+     * Get permissions for all agents (overview).
+     */
+    async getAllPermissions(tenantId: string = DEFAULT_TENANT_ID) {
+      return db
+        .select()
+        .from(agentPermissions)
+        .where(eq(agentPermissions.tenantId, tenantId))
+        .orderBy(agentPermissions.agentId, desc(agentPermissions.callCount));
+    },
+
+    /**
+     * Find first-seen tool calls (anomalies) — permissions with callCount = 1.
+     */
+    async findAnomalies(tenantId: string = DEFAULT_TENANT_ID, limit: number = 20) {
+      return db
+        .select()
+        .from(agentPermissions)
+        .where(
+          and(
+            eq(agentPermissions.tenantId, tenantId),
+            eq(agentPermissions.callCount, 1),
+          ),
+        )
+        .orderBy(desc(agentPermissions.firstSeen))
+        .limit(limit);
+    },
+
+    /**
+     * Get observation count summary per agent.
+     */
+    async summary(tenantId: string = DEFAULT_TENANT_ID) {
+      return db
+        .select({
+          agentId: toolCallObservations.agentId,
+          totalCalls: count(),
+          blockedCalls: sql<number>`sum(case when ${toolCallObservations.blocked} = true then 1 else 0 end)`,
+          uniqueTools: sql<number>`count(distinct ${toolCallObservations.toolName})`,
+        })
+        .from(toolCallObservations)
+        .where(eq(toolCallObservations.tenantId, tenantId))
+        .groupBy(toolCallObservations.agentId);
+    },
+  };
+}
+
+// ─── Helpers ────────────────────────────────────────────────────
+
+/** Extract likely target identifiers from tool call params. */
+function extractTargets(params?: Record<string, unknown>): string[] {
+  if (!params) return [];
+  const targets: string[] = [];
+
+  const targetKeys = ["repo", "repository", "channel", "to", "email", "path", "file", "url", "owner", "user", "org"];
+  for (const key of targetKeys) {
+    const val = params[key];
+    if (typeof val === "string" && val.length > 0 && val.length < 200) {
+      targets.push(val);
+    }
+  }
+  return targets;
+}
+
+/** Merge new targets into existing list, capped at 50 entries. */
+function mergeTargets(existing: string[], incoming: string[]): string[] {
+  const set = new Set(existing);
+  for (const t of incoming) {
+    set.add(t);
+  }
+  const merged = [...set];
+  return merged.length > 50 ? merged.slice(-50) : merged;
+}

package/src/queries/policies.ts

@@ -0,0 +1,59 @@
+import { eq, and } from "drizzle-orm";
+import type { Database } from "../client.js";
+import { policies } from "../schema/index.js";
+import { insertReturning, updateReturning } from "../helpers.js";
+import { DEFAULT_TENANT_ID } from "@opentrust/shared";
+
+export function policyQueries(db: Database) {
+  return {
+    async findAll(tenantId: string = DEFAULT_TENANT_ID) {
+      return db.select().from(policies).where(eq(policies.tenantId, tenantId)).orderBy(policies.createdAt);
+    },
+
+    async findById(id: string, tenantId: string = DEFAULT_TENANT_ID) {
+      const result = await db.select().from(policies).where(and(eq(policies.id, id), eq(policies.tenantId, tenantId))).limit(1);
+      return result[0] ?? null;
+    },
+
+    async create(data: {
+      name: string;
+      description?: string | null;
+      scannerIds: string[];
+      action: string;
+      sensitivityThreshold?: number;
+      tenantId?: string;
+    }) {
+      return insertReturning(db, policies, {
+        ...data,
+        sensitivityThreshold: data.sensitivityThreshold ?? 0.5,
+        tenantId: data.tenantId ?? DEFAULT_TENANT_ID,
+      });
+    },
+
+    async update(id: string, data: Partial<{
+      name: string;
+      description: string | null;
+      scannerIds: string[];
+      action: string;
+      sensitivityThreshold: number;
+      isEnabled: boolean;
+    }>, tenantId: string = DEFAULT_TENANT_ID) {
+      return updateReturning(db, policies, and(eq(policies.id, id), eq(policies.tenantId, tenantId)), {
+        ...data,
+        updatedAt: new Date().toISOString(),
+      });
+    },
+
+    async delete(id: string, tenantId: string = DEFAULT_TENANT_ID) {
+      await db.delete(policies).where(and(eq(policies.id, id), eq(policies.tenantId, tenantId)));
+    },
+
+    /** Get all enabled policies for detection flow */
+    async getEnabled(tenantId: string = DEFAULT_TENANT_ID) {
+      return db
+        .select()
+        .from(policies)
+        .where(and(eq(policies.isEnabled, true), eq(policies.tenantId, tenantId)));
+    },
+  };
+}

package/src/queries/scanners.ts

@@ -0,0 +1,74 @@
+import { eq, and } from "drizzle-orm";
+import type { Database } from "../client.js";
+import { scannerDefinitions } from "../schema/index.js";
+import { insertReturning } from "../helpers.js";
+import { DEFAULT_TENANT_ID } from "@opentrust/shared";
+
+export function scannerQueries(db: Database) {
+  return {
+    /** Get all scanners (defaults + overrides) */
+    async getAll(tenantId: string = DEFAULT_TENANT_ID) {
+      return db
+        .select()
+        .from(scannerDefinitions)
+        .where(eq(scannerDefinitions.tenantId, tenantId))
+        .orderBy(scannerDefinitions.scannerId);
+    },
+
+    /** Get all system default scanners */
+    async getDefaults(tenantId: string = DEFAULT_TENANT_ID) {
+      return db
+        .select()
+        .from(scannerDefinitions)
+        .where(and(eq(scannerDefinitions.isDefault, true), eq(scannerDefinitions.tenantId, tenantId)))
+        .orderBy(scannerDefinitions.scannerId);
+    },
+
+    /** Get enabled scanners for detection */
+    async getEnabled(tenantId: string = DEFAULT_TENANT_ID) {
+      return db
+        .select()
+        .from(scannerDefinitions)
+        .where(and(eq(scannerDefinitions.isEnabled, true), eq(scannerDefinitions.tenantId, tenantId)))
+        .orderBy(scannerDefinitions.scannerId);
+    },
+
+    /** Upsert a scanner override */
+    async upsert(data: {
+      scannerId: string;
+      name: string;
+      description: string;
+      isEnabled: boolean;
+      tenantId?: string;
+    }) {
+      const tid = data.tenantId ?? DEFAULT_TENANT_ID;
+      // Delete existing non-default with same scannerId for this tenant
+      await db
+        .delete(scannerDefinitions)
+        .where(
+          and(
+            eq(scannerDefinitions.scannerId, data.scannerId),
+            eq(scannerDefinitions.isDefault, false),
+            eq(scannerDefinitions.tenantId, tid)
+          )
+        );
+      return insertReturning(db, scannerDefinitions, {
+        scannerId: data.scannerId,
+        name: data.name,
+        description: data.description,
+        isEnabled: data.isEnabled,
+        isDefault: false,
+        tenantId: tid,
+      });
+    },
+
+    /** Create a system default scanner */
+    async createDefault(data: { scannerId: string; name: string; description: string; tenantId?: string }) {
+      return insertReturning(db, scannerDefinitions, {
+        ...data,
+        isDefault: true,
+        tenantId: data.tenantId ?? DEFAULT_TENANT_ID,
+      });
+    },
+  };
+}

package/src/queries/settings.ts

@@ -0,0 +1,34 @@
+import { eq } from "drizzle-orm";
+import type { Database } from "../client.js";
+import { settings } from "../schema/index.js";
+
+export function settingsQueries(db: Database) {
+  return {
+    async get(key: string): Promise<string | null> {
+      const result = await db.select().from(settings).where(eq(settings.key, key)).limit(1);
+      return result[0]?.value ?? null;
+    },
+
+    async set(key: string, value: string) {
+      const existing = await this.get(key);
+      if (existing !== null) {
+        await db.update(settings).set({ value, updatedAt: new Date().toISOString() }).where(eq(settings.key, key));
+      } else {
+        await db.insert(settings).values({ key, value });
+      }
+    },
+
+    async getAll(): Promise<Record<string, string>> {
+      const rows = await db.select().from(settings);
+      const result: Record<string, string> = {};
+      for (const row of rows) {
+        result[row.key] = row.value;
+      }
+      return result;
+    },
+
+    async delete(key: string) {
+      await db.delete(settings).where(eq(settings.key, key));
+    },
+  };
+}

package/src/queries/usage.ts

@@ -0,0 +1,69 @@
+import { eq, gte, lte, sql, count, and } from "drizzle-orm";
+import type { Database } from "../client.js";
+import { usageLogs } from "../schema/index.js";
+import { DEFAULT_TENANT_ID } from "@opentrust/shared";
+
+export function usageQueries(db: Database) {
+  return {
+    async log(data: {
+      agentId?: string | null;
+      endpoint: string;
+      statusCode: number;
+      responseSafe: boolean | null;
+      categories?: string[];
+      latencyMs: number;
+      requestId: string;
+      tenantId?: string;
+    }) {
+      await db.insert(usageLogs).values({
+        ...data,
+        categories: data.categories ?? [],
+        tenantId: data.tenantId ?? DEFAULT_TENANT_ID,
+      });
+    },
+
+    async countInPeriod(start: Date | string, end: Date | string, tenantId: string = DEFAULT_TENANT_ID) {
+      const result = await db
+        .select({ count: count() })
+        .from(usageLogs)
+        .where(and(gte(usageLogs.createdAt, start), lte(usageLogs.createdAt, end), eq(usageLogs.tenantId, tenantId)));
+      return result[0]?.count ?? 0;
+    },
+
+    async summary(start: Date | string, end: Date | string, tenantId: string = DEFAULT_TENANT_ID) {
+      const result = await db
+        .select({
+          totalCalls: count(),
+          safeCount: sql<number>`sum(case when ${usageLogs.responseSafe} = true then 1 else 0 end)`,
+          unsafeCount: sql<number>`sum(case when ${usageLogs.responseSafe} = false then 1 else 0 end)`,
+        })
+        .from(usageLogs)
+        .where(and(gte(usageLogs.createdAt, start), lte(usageLogs.createdAt, end), eq(usageLogs.tenantId, tenantId)));
+      return result[0] ?? { totalCalls: 0, safeCount: 0, unsafeCount: 0 };
+    },
+
+    async daily(start: Date | string, end: Date | string, tenantId: string = DEFAULT_TENANT_ID) {
+      const result = await db
+        .select({
+          date: sql<string>`date(${usageLogs.createdAt})`,
+          count: count(),
+          safeCount: sql<number>`sum(case when ${usageLogs.responseSafe} = true then 1 else 0 end)`,
+          unsafeCount: sql<number>`sum(case when ${usageLogs.responseSafe} = false then 1 else 0 end)`,
+        })
+        .from(usageLogs)
+        .where(and(gte(usageLogs.createdAt, start), lte(usageLogs.createdAt, end), eq(usageLogs.tenantId, tenantId)))
+        .groupBy(sql`date(${usageLogs.createdAt})`)
+        .orderBy(sql`date(${usageLogs.createdAt})`);
+      return result;
+    },
+
+    async countRecent(minutes: number = 1, tenantId: string = DEFAULT_TENANT_ID) {
+      const since = new Date(Date.now() - minutes * 60_000).toISOString();
+      const result = await db
+        .select({ count: count() })
+        .from(usageLogs)
+        .where(and(gte(usageLogs.createdAt, since), eq(usageLogs.tenantId, tenantId)));
+      return result[0]?.count ?? 0;
+    },
+  };
+}

package/src/schema/index.ts

@@ -0,0 +1,22 @@
+import { getDialect } from "../dialect.js";
+
+const dialect = getDialect();
+
+// Dynamic schema loading based on dialect
+// Using top-level await (Node 22+)
+const mod = dialect === "sqlite"
+  ? await import("./sqlite.js")
+  : dialect === "mysql"
+    ? await import("./mysql.js")
+    : await import("./pg.js");
+
+export const settings = mod.settings;
+export const agents = mod.agents;
+export const scannerDefinitions = mod.scannerDefinitions;
+export const policies = mod.policies;
+export const usageLogs = mod.usageLogs;
+export const detectionResults = mod.detectionResults;
+export const toolCallObservations = mod.toolCallObservations;
+export const agentPermissions = mod.agentPermissions;
+export const magicLinks = mod.magicLinks;
+export const userSessions = mod.userSessions;