@opentrust/db 7.1.0

package/src/schema/mysql.ts

@@ -0,0 +1,207 @@
+import {
+  mysqlTable,
+  varchar,
+  text,
+  boolean,
+  int,
+  float,
+  datetime,
+  json,
+  index,
+} from "drizzle-orm/mysql-core";
+
+// ─── Settings ─────────────────────────────────────────────────
+export const settings = mysqlTable("settings", {
+  key: varchar("key", { length: 255 }).primaryKey(),
+  value: text("value").notNull(),
+  updatedAt: datetime("updated_at").notNull().$defaultFn(() => new Date()),
+});
+
+// ─── Agents ─────────────────────────────────────────────────────
+export const agents = mysqlTable(
+  "agents",
+  {
+    id: varchar("id", { length: 36 }).primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    name: varchar("name", { length: 255 }).notNull(),
+    description: text("description"),
+    provider: varchar("provider", { length: 50 }).notNull().default("custom"),
+    status: varchar("status", { length: 50 }).notNull().default("inactive"),
+    lastSeenAt: datetime("last_seen_at"),
+    metadata: json("metadata").notNull().default({}),
+    createdAt: datetime("created_at").notNull().$defaultFn(() => new Date()),
+    updatedAt: datetime("updated_at").notNull().$defaultFn(() => new Date()),
+  },
+  (table) => ({
+    statusIdx: index("idx_agents_status").on(table.status),
+    tenantIdIdx: index("idx_agents_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Scanner Definitions ────────────────────────────────────────
+export const scannerDefinitions = mysqlTable(
+  "scanner_definitions",
+  {
+    id: varchar("id", { length: 36 }).primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    scannerId: varchar("scanner_id", { length: 10 }).notNull(),
+    name: varchar("name", { length: 255 }).notNull(),
+    description: text("description").notNull(),
+    config: json("config").notNull().default({}),
+    isEnabled: boolean("is_enabled").notNull().default(true),
+    isDefault: boolean("is_default").notNull().default(false),
+  },
+  (table) => ({
+    scannerIdIdx: index("idx_scanner_defs_scanner_id").on(table.scannerId),
+    tenantIdIdx: index("idx_scanner_defs_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Policies ───────────────────────────────────────────────────
+export const policies = mysqlTable(
+  "policies",
+  {
+    id: varchar("id", { length: 36 }).primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    name: varchar("name", { length: 255 }).notNull(),
+    description: text("description"),
+    scannerIds: json("scanner_ids").notNull().default([]),
+    action: varchar("action", { length: 50 }).notNull().default("log"),
+    sensitivityThreshold: float("sensitivity_threshold").notNull().default(0.5),
+    isEnabled: boolean("is_enabled").notNull().default(true),
+    createdAt: datetime("created_at").notNull().$defaultFn(() => new Date()),
+    updatedAt: datetime("updated_at").notNull().$defaultFn(() => new Date()),
+  },
+  (table) => ({
+    tenantIdIdx: index("idx_policies_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Usage Logs ─────────────────────────────────────────────────
+export const usageLogs = mysqlTable(
+  "usage_logs",
+  {
+    id: varchar("id", { length: 36 }).primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    agentId: varchar("agent_id", { length: 36 }),
+    endpoint: varchar("endpoint", { length: 255 }).notNull(),
+    statusCode: int("status_code").notNull(),
+    responseSafe: boolean("response_safe"),
+    categories: json("categories").notNull().default([]),
+    latencyMs: int("latency_ms").notNull(),
+    requestId: varchar("request_id", { length: 64 }).notNull(),
+    createdAt: datetime("created_at").notNull().$defaultFn(() => new Date()),
+  },
+  (table) => ({
+    agentIdIdx: index("idx_usage_logs_agent_id").on(table.agentId),
+    createdAtIdx: index("idx_usage_logs_created_at").on(table.createdAt),
+    tenantIdIdx: index("idx_usage_logs_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Detection Results ──────────────────────────────────────────
+export const detectionResults = mysqlTable(
+  "detection_results",
+  {
+    id: varchar("id", { length: 36 }).primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    agentId: varchar("agent_id", { length: 36 }),
+    safe: boolean("safe").notNull(),
+    categories: json("categories").notNull().default([]),
+    sensitivityScore: float("sensitivity_score").notNull().default(0),
+    findings: json("findings").notNull().default([]),
+    latencyMs: int("latency_ms").notNull(),
+    requestId: varchar("request_id", { length: 64 }).notNull(),
+    createdAt: datetime("created_at").notNull().$defaultFn(() => new Date()),
+  },
+  (table) => ({
+    agentIdIdx: index("idx_detection_results_agent_id").on(table.agentId),
+    createdAtIdx: index("idx_detection_results_created_at").on(table.createdAt),
+    tenantIdIdx: index("idx_detection_results_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Tool Call Observations ─────────────────────────────────────
+export const toolCallObservations = mysqlTable(
+  "tool_call_observations",
+  {
+    id: varchar("id", { length: 36 }).primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    agentId: varchar("agent_id", { length: 36 }).notNull(),
+    sessionKey: varchar("session_key", { length: 255 }),
+    toolName: varchar("tool_name", { length: 255 }).notNull(),
+    category: varchar("category", { length: 64 }),
+    accessPattern: varchar("access_pattern", { length: 32 }),
+    paramsJson: json("params_json"),
+    phase: varchar("phase", { length: 16 }).notNull(),
+    resultJson: json("result_json"),
+    error: text("error"),
+    durationMs: int("duration_ms"),
+    blocked: boolean("blocked").notNull().default(false),
+    blockReason: text("block_reason"),
+    timestamp: datetime("timestamp").notNull().$defaultFn(() => new Date()),
+  },
+  (table) => ({
+    agentIdIdx: index("idx_tool_obs_agent_id").on(table.agentId),
+    toolNameIdx: index("idx_tool_obs_tool_name").on(table.toolName),
+    timestampIdx: index("idx_tool_obs_timestamp").on(table.timestamp),
+    tenantIdIdx: index("idx_tool_obs_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Agent Permissions ────────────────────────────────────────
+export const agentPermissions = mysqlTable(
+  "agent_permissions",
+  {
+    id: varchar("id", { length: 36 }).primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    agentId: varchar("agent_id", { length: 36 }).notNull(),
+    toolName: varchar("tool_name", { length: 255 }).notNull(),
+    category: varchar("category", { length: 64 }),
+    accessPattern: varchar("access_pattern", { length: 32 }),
+    targetsJson: json("targets_json").notNull().default([]),
+    callCount: int("call_count").notNull().default(0),
+    errorCount: int("error_count").notNull().default(0),
+    firstSeen: datetime("first_seen").notNull().$defaultFn(() => new Date()),
+    lastSeen: datetime("last_seen").notNull().$defaultFn(() => new Date()),
+  },
+  (table) => ({
+    agentIdIdx: index("idx_agent_perms_agent_id").on(table.agentId),
+    toolNameIdx: index("idx_agent_perms_tool_name").on(table.toolName),
+    tenantIdIdx: index("idx_agent_perms_tenant_id").on(table.tenantId),
+    uniqueAgentTool: index("idx_agent_perms_unique").on(table.tenantId, table.agentId, table.toolName),
+  })
+);
+
+// ─── Magic Links ─────────────────────────────────────────────
+export const magicLinks = mysqlTable(
+  "magic_links",
+  {
+    id: varchar("id", { length: 36 }).primaryKey(),
+    email: varchar("email", { length: 255 }).notNull(),
+    token: text("token").notNull(),
+    expiresAt: varchar("expires_at", { length: 32 }).notNull(),
+    usedAt: varchar("used_at", { length: 32 }),
+    createdAt: varchar("created_at", { length: 32 }).notNull(),
+  },
+  (table) => ({
+    tokenIdx: index("idx_magic_links_token").on(table.token),
+    emailIdx: index("idx_magic_links_email").on(table.email),
+  })
+);
+
+// ─── User Sessions ────────────────────────────────────────────
+export const userSessions = mysqlTable(
+  "user_sessions",
+  {
+    id: varchar("id", { length: 36 }).primaryKey(),
+    email: varchar("email", { length: 255 }).notNull(),
+    token: text("token").notNull(),
+    expiresAt: varchar("expires_at", { length: 32 }).notNull(),
+    createdAt: varchar("created_at", { length: 32 }).notNull(),
+  },
+  (table) => ({
+    tokenIdx: index("idx_user_sessions_token").on(table.token),
+    emailIdx: index("idx_user_sessions_email").on(table.email),
+  })
+);

package/src/schema/pg.ts

@@ -0,0 +1,208 @@
+import {
+  pgTable,
+  uuid,
+  varchar,
+  text,
+  boolean,
+  integer,
+  real,
+  timestamp,
+  jsonb,
+  index,
+} from "drizzle-orm/pg-core";
+
+// ─── Settings ─────────────────────────────────────────────────
+export const settings = pgTable("settings", {
+  key: varchar("key", { length: 255 }).primaryKey(),
+  value: text("value").notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow(),
+});
+
+// ─── Agents ─────────────────────────────────────────────────────
+export const agents = pgTable(
+  "agents",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    name: varchar("name", { length: 255 }).notNull(),
+    description: text("description"),
+    provider: varchar("provider", { length: 50 }).notNull().default("custom"),
+    status: varchar("status", { length: 50 }).notNull().default("inactive"),
+    lastSeenAt: timestamp("last_seen_at", { withTimezone: true }),
+    metadata: jsonb("metadata").notNull().default({}),
+    createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+    updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow(),
+  },
+  (table) => ({
+    statusIdx: index("idx_agents_status").on(table.status),
+    tenantIdIdx: index("idx_agents_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Scanner Definitions ────────────────────────────────────────
+export const scannerDefinitions = pgTable(
+  "scanner_definitions",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    scannerId: varchar("scanner_id", { length: 10 }).notNull(),
+    name: varchar("name", { length: 255 }).notNull(),
+    description: text("description").notNull(),
+    config: jsonb("config").notNull().default({}),
+    isEnabled: boolean("is_enabled").notNull().default(true),
+    isDefault: boolean("is_default").notNull().default(false),
+  },
+  (table) => ({
+    scannerIdIdx: index("idx_scanner_defs_scanner_id").on(table.scannerId),
+    tenantIdIdx: index("idx_scanner_defs_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Policies ───────────────────────────────────────────────────
+export const policies = pgTable(
+  "policies",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    name: varchar("name", { length: 255 }).notNull(),
+    description: text("description"),
+    scannerIds: jsonb("scanner_ids").notNull().default([]),
+    action: varchar("action", { length: 50 }).notNull().default("log"),
+    sensitivityThreshold: real("sensitivity_threshold").notNull().default(0.5),
+    isEnabled: boolean("is_enabled").notNull().default(true),
+    createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+    updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow(),
+  },
+  (table) => ({
+    tenantIdIdx: index("idx_policies_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Usage Logs ─────────────────────────────────────────────────
+export const usageLogs = pgTable(
+  "usage_logs",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    agentId: uuid("agent_id"),
+    endpoint: varchar("endpoint", { length: 255 }).notNull(),
+    statusCode: integer("status_code").notNull(),
+    responseSafe: boolean("response_safe"),
+    categories: jsonb("categories").notNull().default([]),
+    latencyMs: integer("latency_ms").notNull(),
+    requestId: varchar("request_id", { length: 64 }).notNull(),
+    createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+  },
+  (table) => ({
+    agentIdIdx: index("idx_usage_logs_agent_id").on(table.agentId),
+    createdAtIdx: index("idx_usage_logs_created_at").on(table.createdAt),
+    tenantIdIdx: index("idx_usage_logs_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Detection Results ──────────────────────────────────────────
+export const detectionResults = pgTable(
+  "detection_results",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    agentId: uuid("agent_id"),
+    safe: boolean("safe").notNull(),
+    categories: jsonb("categories").notNull().default([]),
+    sensitivityScore: real("sensitivity_score").notNull().default(0),
+    findings: jsonb("findings").notNull().default([]),
+    latencyMs: integer("latency_ms").notNull(),
+    requestId: varchar("request_id", { length: 64 }).notNull(),
+    createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+  },
+  (table) => ({
+    agentIdIdx: index("idx_detection_results_agent_id").on(table.agentId),
+    createdAtIdx: index("idx_detection_results_created_at").on(table.createdAt),
+    tenantIdIdx: index("idx_detection_results_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Tool Call Observations ─────────────────────────────────────
+export const toolCallObservations = pgTable(
+  "tool_call_observations",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    agentId: uuid("agent_id").notNull(),
+    sessionKey: varchar("session_key", { length: 255 }),
+    toolName: varchar("tool_name", { length: 255 }).notNull(),
+    category: varchar("category", { length: 64 }),
+    accessPattern: varchar("access_pattern", { length: 32 }),
+    paramsJson: jsonb("params_json"),
+    phase: varchar("phase", { length: 16 }).notNull(),
+    resultJson: jsonb("result_json"),
+    error: text("error"),
+    durationMs: integer("duration_ms"),
+    blocked: boolean("blocked").notNull().default(false),
+    blockReason: text("block_reason"),
+    timestamp: timestamp("timestamp", { withTimezone: true }).notNull().defaultNow(),
+  },
+  (table) => ({
+    agentIdIdx: index("idx_tool_obs_agent_id").on(table.agentId),
+    toolNameIdx: index("idx_tool_obs_tool_name").on(table.toolName),
+    timestampIdx: index("idx_tool_obs_timestamp").on(table.timestamp),
+    tenantIdIdx: index("idx_tool_obs_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Agent Permissions ────────────────────────────────────────
+export const agentPermissions = pgTable(
+  "agent_permissions",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    tenantId: varchar("tenant_id", { length: 64 }).notNull().default("default"),
+    agentId: uuid("agent_id").notNull(),
+    toolName: varchar("tool_name", { length: 255 }).notNull(),
+    category: varchar("category", { length: 64 }),
+    accessPattern: varchar("access_pattern", { length: 32 }),
+    targetsJson: jsonb("targets_json").notNull().default([]),
+    callCount: integer("call_count").notNull().default(0),
+    errorCount: integer("error_count").notNull().default(0),
+    firstSeen: timestamp("first_seen", { withTimezone: true }).notNull().defaultNow(),
+    lastSeen: timestamp("last_seen", { withTimezone: true }).notNull().defaultNow(),
+  },
+  (table) => ({
+    agentIdIdx: index("idx_agent_perms_agent_id").on(table.agentId),
+    toolNameIdx: index("idx_agent_perms_tool_name").on(table.toolName),
+    tenantIdIdx: index("idx_agent_perms_tenant_id").on(table.tenantId),
+    uniqueAgentTool: index("idx_agent_perms_unique").on(table.tenantId, table.agentId, table.toolName),
+  })
+);
+
+// ─── Magic Links ─────────────────────────────────────────────
+export const magicLinks = pgTable(
+  "magic_links",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    email: varchar("email", { length: 255 }).notNull(),
+    token: text("token").notNull().unique(),
+    expiresAt: timestamp("expires_at", { withTimezone: true }).notNull(),
+    usedAt: timestamp("used_at", { withTimezone: true }),
+    createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+  },
+  (table) => ({
+    tokenIdx: index("idx_magic_links_token").on(table.token),
+    emailIdx: index("idx_magic_links_email").on(table.email),
+  })
+);
+
+// ─── User Sessions ────────────────────────────────────────────
+export const userSessions = pgTable(
+  "user_sessions",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    email: varchar("email", { length: 255 }).notNull(),
+    token: text("token").notNull().unique(),
+    expiresAt: timestamp("expires_at", { withTimezone: true }).notNull(),
+    createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+  },
+  (table) => ({
+    tokenIdx: index("idx_user_sessions_token").on(table.token),
+    emailIdx: index("idx_user_sessions_email").on(table.email),
+  })
+);

package/src/schema/sqlite.ts

@@ -0,0 +1,199 @@
+import { sqliteTable, text, integer, real, index } from "drizzle-orm/sqlite-core";
+
+// ─── Settings ─────────────────────────────────────────────────
+export const settings = sqliteTable("settings", {
+  key: text("key").primaryKey(),
+  value: text("value").notNull(),
+  updatedAt: text("updated_at").notNull().$defaultFn(() => new Date().toISOString()),
+});
+
+// ─── Agents ─────────────────────────────────────────────────────
+export const agents = sqliteTable(
+  "agents",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: text("tenant_id").notNull().default("default"),
+    name: text("name").notNull(),
+    description: text("description"),
+    provider: text("provider").notNull().default("custom"),
+    status: text("status").notNull().default("inactive"),
+    lastSeenAt: text("last_seen_at"),
+    metadata: text("metadata", { mode: "json" }).notNull().default({}),
+    createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString()),
+    updatedAt: text("updated_at").notNull().$defaultFn(() => new Date().toISOString()),
+  },
+  (table) => ({
+    statusIdx: index("idx_agents_status").on(table.status),
+    tenantIdIdx: index("idx_agents_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Scanner Definitions ────────────────────────────────────────
+export const scannerDefinitions = sqliteTable(
+  "scanner_definitions",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: text("tenant_id").notNull().default("default"),
+    scannerId: text("scanner_id").notNull(),
+    name: text("name").notNull(),
+    description: text("description").notNull(),
+    config: text("config", { mode: "json" }).notNull().default({}),
+    isEnabled: integer("is_enabled", { mode: "boolean" }).notNull().default(true),
+    isDefault: integer("is_default", { mode: "boolean" }).notNull().default(false),
+  },
+  (table) => ({
+    scannerIdIdx: index("idx_scanner_defs_scanner_id").on(table.scannerId),
+    tenantIdIdx: index("idx_scanner_defs_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Policies ───────────────────────────────────────────────────
+export const policies = sqliteTable(
+  "policies",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: text("tenant_id").notNull().default("default"),
+    name: text("name").notNull(),
+    description: text("description"),
+    scannerIds: text("scanner_ids", { mode: "json" }).notNull().default([]),
+    action: text("action").notNull().default("log"),
+    sensitivityThreshold: real("sensitivity_threshold").notNull().default(0.5),
+    isEnabled: integer("is_enabled", { mode: "boolean" }).notNull().default(true),
+    createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString()),
+    updatedAt: text("updated_at").notNull().$defaultFn(() => new Date().toISOString()),
+  },
+  (table) => ({
+    tenantIdIdx: index("idx_policies_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Usage Logs ─────────────────────────────────────────────────
+export const usageLogs = sqliteTable(
+  "usage_logs",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: text("tenant_id").notNull().default("default"),
+    agentId: text("agent_id"),
+    endpoint: text("endpoint").notNull(),
+    statusCode: integer("status_code").notNull(),
+    responseSafe: integer("response_safe", { mode: "boolean" }),
+    categories: text("categories", { mode: "json" }).notNull().default([]),
+    latencyMs: integer("latency_ms").notNull(),
+    requestId: text("request_id").notNull(),
+    createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString()),
+  },
+  (table) => ({
+    agentIdIdx: index("idx_usage_logs_agent_id").on(table.agentId),
+    createdAtIdx: index("idx_usage_logs_created_at").on(table.createdAt),
+    tenantIdIdx: index("idx_usage_logs_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Detection Results ──────────────────────────────────────────
+export const detectionResults = sqliteTable(
+  "detection_results",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: text("tenant_id").notNull().default("default"),
+    agentId: text("agent_id"),
+    safe: integer("safe", { mode: "boolean" }).notNull(),
+    categories: text("categories", { mode: "json" }).notNull().default([]),
+    sensitivityScore: real("sensitivity_score").notNull().default(0),
+    findings: text("findings", { mode: "json" }).notNull().default([]),
+    latencyMs: integer("latency_ms").notNull(),
+    requestId: text("request_id").notNull(),
+    createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString()),
+  },
+  (table) => ({
+    agentIdIdx: index("idx_detection_results_agent_id").on(table.agentId),
+    createdAtIdx: index("idx_detection_results_created_at").on(table.createdAt),
+    tenantIdIdx: index("idx_detection_results_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Tool Call Observations ─────────────────────────────────────
+export const toolCallObservations = sqliteTable(
+  "tool_call_observations",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: text("tenant_id").notNull().default("default"),
+    agentId: text("agent_id").notNull(),
+    sessionKey: text("session_key"),
+    toolName: text("tool_name").notNull(),
+    category: text("category"),
+    accessPattern: text("access_pattern"),
+    paramsJson: text("params_json", { mode: "json" }),
+    phase: text("phase").notNull(),
+    resultJson: text("result_json", { mode: "json" }),
+    error: text("error"),
+    durationMs: integer("duration_ms"),
+    blocked: integer("blocked", { mode: "boolean" }).notNull().default(false),
+    blockReason: text("block_reason"),
+    timestamp: text("timestamp").notNull().$defaultFn(() => new Date().toISOString()),
+  },
+  (table) => ({
+    agentIdIdx: index("idx_tool_obs_agent_id").on(table.agentId),
+    toolNameIdx: index("idx_tool_obs_tool_name").on(table.toolName),
+    timestampIdx: index("idx_tool_obs_timestamp").on(table.timestamp),
+    tenantIdIdx: index("idx_tool_obs_tenant_id").on(table.tenantId),
+  })
+);
+
+// ─── Magic Links ─────────────────────────────────────────────
+// One-time login tokens sent via email (15-min TTL)
+export const magicLinks = sqliteTable(
+  "magic_links",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    email: text("email").notNull(),
+    token: text("token").notNull().unique(),
+    expiresAt: text("expires_at").notNull(),
+    usedAt: text("used_at"),
+    createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString()),
+  },
+  (table) => ({
+    tokenIdx: index("idx_magic_links_token").on(table.token),
+    emailIdx: index("idx_magic_links_email").on(table.email),
+  })
+);
+
+// ─── User Sessions ────────────────────────────────────────────
+// Persistent sessions created after magic link verification (30-day TTL)
+export const userSessions = sqliteTable(
+  "user_sessions",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    email: text("email").notNull(),
+    token: text("token").notNull().unique(),
+    expiresAt: text("expires_at").notNull(),
+    createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString()),
+  },
+  (table) => ({
+    tokenIdx: index("idx_user_sessions_token").on(table.token),
+    emailIdx: index("idx_user_sessions_email").on(table.email),
+  })
+);
+
+// ─── Agent Permissions ────────────────────────────────────────
+export const agentPermissions = sqliteTable(
+  "agent_permissions",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    tenantId: text("tenant_id").notNull().default("default"),
+    agentId: text("agent_id").notNull(),
+    toolName: text("tool_name").notNull(),
+    category: text("category"),
+    accessPattern: text("access_pattern"),
+    targetsJson: text("targets_json", { mode: "json" }).notNull().default([]),
+    callCount: integer("call_count").notNull().default(0),
+    errorCount: integer("error_count").notNull().default(0),
+    firstSeen: text("first_seen").notNull().$defaultFn(() => new Date().toISOString()),
+    lastSeen: text("last_seen").notNull().$defaultFn(() => new Date().toISOString()),
+  },
+  (table) => ({
+    agentIdIdx: index("idx_agent_perms_agent_id").on(table.agentId),
+    toolNameIdx: index("idx_agent_perms_tool_name").on(table.toolName),
+    tenantIdIdx: index("idx_agent_perms_tenant_id").on(table.tenantId),
+    uniqueAgentTool: index("idx_agent_perms_unique").on(table.tenantId, table.agentId, table.toolName),
+  })
+);

package/src/seed.ts

@@ -0,0 +1,56 @@
+import { config } from "dotenv";
+import { resolve, dirname } from "path";
+import { fileURLToPath } from "url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+config({ path: resolve(__dirname, "../../../.env") });
+
+async function seed() {
+  const { db } = await import("./client.js");
+  const { scannerDefinitions } = await import("./schema/index.js");
+  const { DEFAULT_SCANNERS, DEFAULT_TENANT_ID } = await import("@opentrust/shared");
+  const { getDialect } = await import("./dialect.js");
+  const { eq } = await import("drizzle-orm");
+
+  console.log(`Seeding default scanners (dialect: ${getDialect()})...`);
+
+  for (const scanner of DEFAULT_SCANNERS) {
+    const id = crypto.randomUUID();
+    const values = {
+      id,
+      scannerId: scanner.scannerId,
+      name: scanner.name,
+      description: scanner.description,
+      isEnabled: true,
+      isDefault: true,
+      tenantId: DEFAULT_TENANT_ID,
+    };
+
+    try {
+      const existing = await db
+        .select()
+        .from(scannerDefinitions)
+        .where(eq(scannerDefinitions.scannerId, scanner.scannerId))
+        .limit(1);
+
+      if (existing.length === 0) {
+        await db.insert(scannerDefinitions).values(values);
+        console.log(`  Seeded ${scanner.scannerId}: ${scanner.name}`);
+      } else {
+        console.log(`  Skipped ${scanner.scannerId}: already exists`);
+      }
+    } catch (err) {
+      console.warn(`  Warning: ${scanner.scannerId} seed failed:`, err);
+    }
+  }
+
+  console.log("Seeding complete.");
+  process.exit(0);
+}
+
+seed().catch((err) => {
+  console.error("Seed failed:", err);
+  process.exit(1);
+});